Access Control List (i)

Source: Internet
Author: User
Tags: file transfer protocol


TCP and UDP protocols

The TCP/IP protocol family has two main transport-layer protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

TCP protocol

TCP is a connection-oriented, reliable protocol for process-to-process communication. TCP provides a full-duplex service in which data can be transmitted in both directions at the same time; each TCP endpoint has a send buffer and a receive buffer in which data is stored temporarily.

1. TCP segment

TCP groups several bytes into a unit called a segment. TCP segments are encapsulated in IP datagrams.

The header is 20 to 60 bytes long; the meaning of each field is as follows:

- Source port: a 16-bit field holding the port number of the sending process.

- Destination port: a 16-bit field identifying the receiving process. After the receiving end gets a segment, it uses this port number to decide which application process the data is delivered to.

- Sequence number: when TCP receives data bytes from the process, it stores them in the send buffer and numbers each byte. The numbering has the following characteristics:

  - The numbering does not have to start at 0; usually a random number is generated as the number of the first byte. It is called the initial sequence number (ISN) and lies in the range 0 to 2^32-1.

  - The numbering in each direction of a TCP connection is independent of the other direction.

  - Once the bytes are numbered, TCP assigns a sequence number to each segment: the number of the first byte carried in that segment.

  When the data arrives at the destination, the receiving end reorders it according to the sequence numbers, ensuring the data is correct.

- Acknowledgement number: the receiver's confirmation to the sender. It tells the sender that all data before this sequence number has been received; for example, an acknowledgement number of x means that everything up to x-1 has been received.

- Header length: gives the length of the header in bytes. The TCP header is normally 20 bytes, but it can be extended to a maximum of 60 bytes.

- Reserved: reserved bits kept for future extensions; not used yet.

- Control bits: these six bits play a very important role. TCP connection setup, data transfer and disconnection are all commanded by these six control bits. Their meanings are:

  - URG: urgent pointer valid. (Marks a segment for fast delivery: important data is transferred with priority.)

  - ACK: the acknowledgement number field is valid only when ACK=1; when ACK=0 it is invalid. (Agreement to connect.)

  - PSH: when this bit is 1, the receiver should deliver the segment to the application layer as soon as possible (it does not wait in the buffer).

  - RST: when the RST value is 1, the TCP connection is reset and has to be re-established.

  - SYN: synchronise sequence numbers. This bit is set to 1 when TCP needs to establish a connection.

  - FIN: the sending side has finished sending. When TCP has completed the data transfer and needs to disconnect, the party proposing the disconnection sets this bit to 1.

- Window: the amount of data the local end can currently accept; its size is variable. When the network is clear, a larger window speeds up the transfer; when the network is unstable, a smaller window ensures reliable delivery. TCP's flow-control mechanism is implemented by changing the window size.

- Checksum: used for error control. Unlike the IP checksum, the TCP checksum is computed over the TCP header, the data and any padding bytes. When a TCP segment is sent, the sending side computes the checksum; when it reaches the destination, the checksum is computed again. If the two values agree, the data is basically correct; otherwise the data is considered corrupted and the receiving side discards it.

- Urgent pointer: used together with URG; it is valid only when URG=1.

- Options: the TCP header can carry up to 40 bytes of optional information.

2. TCP connection

TCP is a connection-oriented protocol that establishes a virtual connection between the source and the destination.

Before data communication, the sender and receiver must first establish a connection; after the data has been sent, the two sides disconnect again. Each end of a TCP connection is identified by an IP address and a port number.

1) Connection setup

The process of establishing a TCP connection is called the three-way handshake:










PC1                                              Server

  1. Send SYN segment
     (seq=x, SYN=1)                  -------->

                                     <--------    2. Send SYN+ACK segment
                                                     (seq=y, ack=x+1, SYN=1, ACK=1)

  3. Send ACK segment
     (seq=x+1, ack=y+1, ACK=1)       -------->

- First handshake:

PC1 sends a connection request from a random port number to port 80 of PC2. The typical sign is that the SYN control bit is 1 and the other five control bits are all 0.

- Second handshake:

This is actually done in two parts.

(1) PC2 receives PC1's request and replies to PC1 with an acknowledgement. The typical sign of this step is that the ACK control bit is 1, the other five control bits are all 0, and the acknowledgement number is PC1's initial sequence number plus 1.

(2) PC2 also sends PC1 a request to establish a connection. The typical sign is the same as in the first handshake: the SYN control bit is 1 and the other five control bits are all 0.

To improve efficiency, these two parts are generally merged into a single packet.

- Third handshake:

PC1 receives PC2's reply (containing both the request and the acknowledgement) and replies to PC2 with an acknowledgement. The typical sign of this step is that the ACK control bit is 1, the other five control bits are all 0, and the acknowledgement number is PC2's initial sequence number plus 1.

Note:

- The netstat command displays protocol statistics and the current TCP/IP network connections.

- The -a parameter displays all connections and listening ports, and -n displays addresses and port numbers in numeric form.

- Use netstat /? to see detailed usage.

From the demonstration above, the TCP three-way handshake can be summarised as follows: in the figure, seq is the sequence number of the request, ack is the acknowledgement number, and SYN and ACK are control bits.

As you can see, the SYN control bit is set to 1 only when a connection is being requested.

TCP's connection-oriented communication greatly improves the reliability of data transmission: the sending and receiving ends interact before the formal transfer of data begins, which lays a reliable foundation for the transfer itself.

2) Connection termination

Either party taking part in the data exchange (client or server) can close the connection. A TCP disconnection takes four steps and is also known as the four-way handshake:










PC1                                              Server

                                     <--------    1. Send FIN/ACK segment
                                                     (FIN=1, ACK=1)

  2. Send ACK segment
     (ACK=1)                         -------->

  3. Send FIN/ACK segment
     (FIN=1, ACK=1)                  -------->

                                     <--------    4. Send ACK segment
                                                     (ACK=1)

(1) The server sends the client a TCP segment with the FIN and ACK bits set to 1.

(2) The client returns to the server a TCP segment with the ACK bit set to 1.

(3) The client sends the server a TCP segment with the FIN and ACK bits set to 1.

(4) The server returns to the client a TCP segment with the ACK bit set to 1.

The TCP disconnection process includes the concept of a half-close. One party (usually the client) can stop sending data while still being able to receive data; this is called half-closed. It proceeds as follows:

- The client sends a FIN segment, which half-closes the connection, and the server sends an ACK segment accepting the half-close.

- The server continues to send data, and the client sends only ACK confirmations and no more data.

- When the server has sent all of its data, it sends a FIN segment, and the client replies with an ACK segment, so that the TCP connection is closed.
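As an added example (not code from the original article), the following Python walks a list of control segments through the three-way handshake and the four-step close described above, checking the sequence and acknowledgement numbers the text gives (after a SYN or a FIN the other side must acknowledge seq+1) and reporting the state a flow ends in. The segments, the ISN values x=1000 and y=5000, and the flow names are constructed samples; the state names are this checker's own labels.

```python
"""Added example, not part of the original article: a checker that walks control
segments through the three-way handshake and the four-step close and reports any
segment whose sequence/acknowledgement numbers break the rules in the text
(ack = peer's seq + 1 after a SYN or a FIN).  All segments below are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Seg:
    sender: str          # "client" or "server"
    flags: frozenset     # control bits that are set, e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: int = 0


SYN, SYNACK, ACK, FINACK = (frozenset(s) for s in
                            ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))


def peer(side: str) -> str:
    return "server" if side == "client" else "client"


def walk_connection(segments):
    """Return (final_state, problems).  States: CLOSED -> SYN_SENT -> SYN_RECEIVED ->
    ESTABLISHED -> FIN_WAIT -> CLOSE_WAIT (half-closed) -> LAST_ACK -> CLOSED."""
    state, problems = "CLOSED", []
    isn, fin_seq = {}, {}            # per side: initial sequence number / seq of its FIN
    initiator = first_fin = None
    for i, s in enumerate(segments):
        other = peer(s.sender)
        if state == "CLOSED" and s.flags == SYN:                 # 1st handshake: seq = x
            initiator, isn[s.sender], state = s.sender, s.seq, "SYN_SENT"
        elif state == "SYN_SENT" and s.flags == SYNACK and s.sender == peer(initiator):
            if s.ack != isn[other] + 1:                          # 2nd: seq = y, ack = x+1
                problems.append(f"#{i}: SYN+ACK acknowledges {s.ack}, expected {isn[other] + 1}")
            isn[s.sender], state = s.seq, "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and s.flags == ACK and s.sender == initiator:
            expected = (isn[s.sender] + 1, isn[other] + 1)       # 3rd: seq = x+1, ack = y+1
            if (s.seq, s.ack) != expected:
                problems.append(f"#{i}: final ACK carries {(s.seq, s.ack)}, expected {expected}")
            state = "ESTABLISHED"
        elif state in ("ESTABLISHED", "CLOSE_WAIT") and s.flags == ACK:
            continue                                             # data or pure ACK; numbers not modelled
        elif state == "ESTABLISHED" and s.flags == FINACK:       # step (1): first FIN, sender half-closes
            first_fin, fin_seq[s.sender], state = s.sender, s.seq, "FIN_WAIT"
        elif state == "FIN_WAIT" and s.flags == ACK and s.sender == peer(first_fin):
            if s.ack != fin_seq[other] + 1:                      # step (2): ack = FIN seq + 1
                problems.append(f"#{i}: ACK of FIN acknowledges {s.ack}, expected {fin_seq[other] + 1}")
            state = "CLOSE_WAIT"
        elif state == "CLOSE_WAIT" and s.flags == FINACK and s.sender == peer(first_fin):
            fin_seq[s.sender], state = s.seq, "LAST_ACK"         # step (3): second FIN
        elif state == "LAST_ACK" and s.flags == ACK and s.sender == first_fin:
            if s.ack != fin_seq[other] + 1:                      # step (4): final ACK
                problems.append(f"#{i}: last ACK acknowledges {s.ack}, expected {fin_seq[other] + 1}")
            state = "CLOSED"
        else:
            problems.append(f"#{i}: unexpected {sorted(s.flags)} from {s.sender} in state {state}")
    return state, problems


def summarize(flows):
    """Count final states over many flows; flows left in SYN_SENT never completed the handshake."""
    return Counter(walk_connection(segs)[0] for segs in flows.values())


def sample_flows():
    """Constructed flows using the article's numbering: client ISN x, server ISN y."""
    x, y, S = 1000, 5000, frozenset
    handshake = [Seg("client", S({"SYN"}), x),
                 Seg("server", S({"SYN", "ACK"}), y, x + 1),
                 Seg("client", S({"ACK"}), x + 1, y + 1)]
    close = [Seg("server", S({"FIN", "ACK"}), y + 1, x + 1),   # server closes first, as in steps (1)-(4)
             Seg("client", S({"ACK"}), x + 1, y + 2),
             Seg("client", S({"FIN", "ACK"}), x + 1, y + 2),
             Seg("server", S({"ACK"}), y + 2, x + 2)]
    bad_ack = [handshake[0], Seg("server", S({"SYN", "ACK"}), y, x + 5), handshake[2]]
    return {"complete": handshake + close,
            "half_open": handshake[:1],                           # SYN that was never answered
            "bad_ack": bad_ack}


if __name__ == "__main__":
    for name, segs in sample_flows().items():
        print(name, walk_connection(segs))
    print(summarize(sample_flows()))
```

The same walk applied to many flows reconstructed from a capture gives a quick count of connections that never left SYN_SENT, which is the defender's view of the "SYN is set only when a connection is requested" observation in the text.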

TCP is widely used in networks, mainly where data transmission must be highly reliable. Familiar web browsing, for example, uses HTTP, which relies on TCP for its reliability. A party that uses TCP has high reliability requirements for its data and accepts a somewhat lower transfer rate in return.

TCP ports and applications

Port   Protocol   Description
       FTP        Control port opened by the FTP server
       Telnet     Remote login, used to control and manage the target computer remotely
       SMTP       Port opened by the SMTP server for sending mail
       HTTP       Hypertext Transfer Protocol
       POP3       Used for receiving mail

UDP protocol

UDP is a connectionless transport-layer protocol that does not guarantee reliability: the sending side does not care whether the data reached the target host or whether it arrived with errors, and the receiving host does not tell the sender whether the data was received. Reliability is left to the upper-layer protocol.

The UDP header structure is simple, so UDP achieves minimal overhead when transmitting data; if a process wants to send a short message without caring about reliability, it uses UDP. When a very short message is sent over UDP, the interaction between the sending and receiving ends is much less than with TCP.

The meaning of each field is as follows:

- Source port number: identifies the process sending the data; similar to the TCP port number.

- Destination port number: identifies the process receiving the data; similar to the TCP port number.

- UDP length: the total length of the UDP datagram, header plus data.

- Checksum: error checking of the UDP datagram, computed similarly to the TCP checksum. This is the only reliability mechanism that UDP provides.
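As an added example (not code from the original article), the following Python builds a TCP segment and a UDP datagram, decodes the header fields listed for both protocols above (ports, sequence and acknowledgement numbers, header length, control bits, window, urgent pointer, UDP length) and verifies the checksum that the two protocols compute the same way over the IPv4 pseudo-header. The addresses, ports and payloads are constructed sample values.

```python
"""Added example, not from the original article: build and parse TCP and UDP headers
and verify their checksums over the IPv4 pseudo-header.  Addresses, ports and payloads
are constructed sample values."""
import struct
from ipaddress import IPv4Address

# Control bits in the TCP flags byte, bit 0 (FIN) through bit 5 (URG).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
PROTO_TCP, PROTO_UDP = 6, 17


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum: 16-bit one's-complement sum with carries folded, complemented.
    An odd-length input is padded with one zero byte (the padding byte mentioned above)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, zero, protocol, length) + header + data."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed,
                         0, proto, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """Build a TCP segment with a 20-byte header (data offset 5, no options)."""
    flag_bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, window, 0, 0)
    csum = transport_checksum(src, dst, PROTO_TCP, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(src, dst, segment):
    """Decode the fixed TCP header.  checksum_ok recomputes the checksum over the received
    segment with the checksum field included, which yields 0 when the segment is intact."""
    sport, dport, seq, ack, off, flag_bits, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4               # header length field counts 32-bit words
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": hdr_len,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flag_bits & (1 << i)],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
        "checksum_ok": transport_checksum(src, dst, PROTO_TCP, segment) == 0,
    }


def build_udp(src, dst, sport, dport, payload=b""):
    """Build a UDP datagram; the 8-byte header's length field covers header + data."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    # A computed value of 0 is transmitted as 0xFFFF because 0 means "no checksum" in UDP.
    csum = transport_checksum(src, dst, PROTO_UDP, hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def parse_udp(src, dst, datagram):
    """Decode the UDP header; a zero checksum means the sender did not compute one."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {
        "src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
        "payload": datagram[8:length],
        "checksum_ok": csum == 0 or transport_checksum(src, dst, PROTO_UDP, datagram) == 0,
    }


def demo():
    """Constructed sample traffic: a SYN to port 80, the same SYN with one bit flipped,
    and a 48-byte client request to UDP port 123."""
    src, dst = "192.168.1.2", "192.168.4.2"
    syn = build_tcp(src, dst, 40000, 80, seq=1000, ack=0, flags=["SYN"], window=65535)
    corrupted = syn[:4] + bytes([syn[4] ^ 0x01]) + syn[5:]   # flip a bit in the sequence number
    ntp = build_udp(src, "192.168.4.1", 50000, 123, payload=b"\x1b" + bytes(47))
    return {"syn": parse_tcp(src, dst, syn),
            "corrupted": parse_tcp(src, dst, corrupted),
            "ntp": parse_udp(src, "192.168.4.1", ntp)}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields.get("flags", fields.get("length")), "checksum_ok =", fields["checksum_ok"])
```

The receiver-side check works because one's-complement addition is associative: summing the pseudo-header, header and data together with the transmitted checksum gives all ones, whose complement is zero, so any single corrupted bit is detected exactly as the checksum field description says.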

UDP is also widely used in practice; for example, the chat tool QQ uses UDP to send short messages. It is easy to imagine that sending a short message of a dozen characters over TCP, with its series of confirmations, would greatly lower the transfer rate, and who would want to chat online with "unresponsive" software? With network technology changing as rapidly as it does today, UDP is a good choice for common, simple data transfers. UDP is also useful in network services; some common UDP ports are listed below:

Some common UDP ports

Port   Protocol   Description
       TFTP       Trivial File Transfer Protocol
111    RPC        Remote Procedure Call
123    NTP        Network Time Protocol

Overview of access control lists

An access control list (ACL) is a list of instructions (that is, rules) applied to a router interface. These lists tell the router which packets may be received and which must be rejected. The basic principle: the ACL uses packet-filtering technology; the router reads the information in the layer 3 and layer 4 headers of the OSI seven-layer model, such as source address, destination address, source port and destination port, and filters packets according to predefined rules, thereby achieving access control.

ACLs can be divided into the following two basic types:

- Standard access control list: checks the source address of the packet. Based on the source network/subnet/host IP address, it decides whether to permit or deny forwarding of the packet. It uses numbers between 1 and 99 as the list number.

- Extended access control list: checks both the source and the destination addresses of the packet. It can also check the specific protocol, port numbers and other parameters. It uses numbers between 100 and 199 as the list number.

How access control lists work

An ACL is a set of rules applied to an interface of a router. For a router interface, an access control list has two directions:

- Outbound: packets that have already been processed by the router and are leaving through the interface.

- Inbound: packets that have arrived at the interface and are about to be processed by the router.

When an access control list is applied to an interface, the interface applies that set of rules, and the router checks the rules in order for each packet:

- If the first rule matches, no further checks are made; the router decides according to that rule whether the packet is permitted or denied.

- If the first rule does not match, checking continues downward until some rule matches, and the router then decides according to that rule whether the packet is permitted or denied.

- If no rule matches at the end, the router discards the packet according to the default rule.

So a packet is either permitted or denied.

Given these checking rules, the order of the rules in an ACL is important: once a matching rule is found, the comparison ends and the remaining rules are not checked.

Types of access control lists

1. Standard access control list

A standard access control list permits or denies packets based on the source IP address of the packet. The list numbers for standard access control lists are 1 to 99.

2. Extended access control list

An extended access control list permits or denies packets based on the source IP address, destination IP address, specified protocol, port and flags of the packet. The list numbers for extended access control lists are 100 to 199.

3. Named access control list

Named access control lists allow a name to be used instead of a list number in standard and extended access control lists.

Configuration of standard access control lists

1. Creating an ACL

The command syntax is as follows:

Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]

The command parameters are described below:

- access-list-number: the ACL list number, which for standard ACLs is a number from 1 to 99.

- permit | deny: the traffic is permitted or denied when the test condition is met.

- source: the source address of the packet, which can be either a host address or a network address.

- source-wildcard: the wildcard mask, also called the inverse mask. In binary, a bit of 1 means this bit does not need to match, and a bit of 0 means this bit must match exactly.

For example, to permit traffic from the network 192.168.1.0/24 and from the host 192.168.2.2, the standard ACL commands are:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0

The subnet mask of 192.168.1.0/24 is 255.255.255.0, so its inverse mask is obtained by subtracting 255.255.255.0 from 255.255.255.255, giving 0.0.0.255.

Similarly, the subnet mask of the host 192.168.2.2 is 255.255.255.255, so its inverse mask is 255.255.255.255 minus 255.255.255.255, giving 0.0.0.0.

1) The implied deny statement

Every ACL ends with an implied deny statement that rejects all remaining traffic; it is equivalent to:

Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255

2) The keywords host and any

In the example above, "192.168.2.2 0.0.0.0" can be written as "host 192.168.2.2", so the corresponding ACL statement can be rewritten as:

Router(config)# access-list 1 permit host 192.168.2.2

"0.0.0.0 255.255.255.255" can be written with the keyword "any", so the corresponding ACL statement can be rewritten as:

Router(config)# access-list 1 deny any

3) Removing an existing standard ACL

The syntax is as follows:

Router(config)# no access-list access-list-number

For standard ACLs, you cannot delete a single ACL statement, only the entire ACL. This means that if you want to change one or several statements, you must first delete the whole ACL and then re-enter the statements you want.

2. Applying an ACL to an interface

After an ACL is created, it does not take effect until it is applied to an interface.

The command syntax is as follows:

Router(config-if)# ip access-group access-list-number {in | out}

The parameter in | out indicates whether the ACL is applied to the interface in the inbound (in) or the outbound (out) direction.

To remove an ACL from an interface, use the following command:

Router(config-if)# no ip access-group access-list-number {in | out}

Note: there can be only one ACL per direction, so an interface can have at most two ACLs: one inbound ACL and one outbound ACL.

Configuration instance for a standard ACL

[Topology diagram]

Experimental requirements:

In the topology shown above, the router must implement the following: no host in the Finance department (192.168.2.0) may access the Internet, and in the Marketing department (192.168.1.0) only the manager's host may access the Internet.

Specific steps:

1. Analyse which interface the standard ACL should be applied to

What is the difference between applying a standard ACL to an inbound interface and to an outbound interface?

For incoming packets the router checks the access control list first and queries the routing table only for packets that are permitted; for outgoing packets the router queries the routing table first, and the access control list is then checked on the target interface chosen by the routing lookup. Therefore the access control list should be applied to the inbound interface wherever possible, because it is more efficient than applying it to the outbound interface: packets that will be discarded are rejected before the router performs the routing table lookup.

2. Configure full network connectivity

3. Configure the standard ACL and apply it to the interface

The commands are as follows:

[Screenshot: the ACL configuration commands]

4. View and verify the configuration

- Use the show access-list command to view the ACL configuration:

[Screenshot: output of show access-list]

- Verify the configuration:

The Finance department host (192.168.2.2) cannot ping 192.168.4.2, while the manager's host (192.168.1.2) can ping 192.168.4.2.

[Screenshot: ping results]
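As an added example (not code from the original article, and not a router implementation), the following Python models the standard ACL behaviour described in the sections above: it parses "access-list N permit|deny source [wildcard]" statements including the host and any keywords, derives a wildcard mask as 255.255.255.255 minus the subnet mask, and evaluates a packet's source address against the rules in order with the implied "deny any" at the end. The two-line ACL encodes the Finance/Marketing requirement of this instance (the article's own commands are only in a screenshot, so this ACL is this example's reconstruction); the sample source addresses are constructed.

```python
"""Added example, not from the original article: a small model of a Cisco-style
standard ACL (parse, wildcard masks, first-match evaluation, implied deny)."""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask = 255.255.255.255 minus the subnet mask."""
    netmask = int(IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(IPv4Address(ALL_ONES - netmask))


def matches(addr: str, source: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard bit is 0; a 1 bit means 'don't care'."""
    care = ALL_ONES ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(source)) & care


def parse_acl_line(line: str) -> dict:
    """Parse one standard ACL statement.  Accepts 'host A.B.C.D', 'any', or
    'A.B.C.D [wildcard]'; an omitted wildcard means 0.0.0.0 (exact host)."""
    parts = line.split()
    if len(parts) < 4 or parts[0].lower() != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(parts[1]), parts[2].lower(), parts[3:]
    if not 1 <= number <= 99:
        raise ValueError(f"standard ACL numbers are 1-99, got {number}")
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if rest[0].lower() == "any":
        source, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0].lower() == "host":
        source, wildcard = rest[1], "0.0.0.0"
    else:
        source, wildcard = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
    IPv4Address(source), IPv4Address(wildcard)        # raises on malformed addresses
    return {"number": number, "action": action, "source": source, "wildcard": wildcard}


def evaluate(rules, src_ip: str):
    """First matching rule decides; with no match the implied deny-all applies.
    Returns (action, index of the matching rule, or None for the implicit deny)."""
    for idx, rule in enumerate(rules):
        if matches(src_ip, rule["source"], rule["wildcard"]):
            return rule["action"], idx
    return "deny", None


# Finance (192.168.2.0/24) may not reach the Internet; in Marketing only the manager's
# host 192.168.1.2 may.  Every other source falls through to the implied deny.
SCENARIO_ACL = [
    "access-list 1 deny 192.168.2.0 0.0.0.255",
    "access-list 1 permit host 192.168.1.2",
]


def scenario_results(acl_lines=SCENARIO_ACL):
    """Evaluate constructed sample sources (a Finance host, the manager, another
    Marketing host, an unrelated network) against the ACL."""
    rules = [parse_acl_line(line) for line in acl_lines]
    samples = ["192.168.2.2", "192.168.1.2", "192.168.1.3", "192.168.4.2"]
    return {ip: evaluate(rules, ip) for ip in samples}


if __name__ == "__main__":
    for ip, (action, idx) in scenario_results().items():
        print(f"{ip:15} {action:6} by rule {'implicit deny' if idx is None else idx}")
```

Because evaluation stops at the first match, swapping in a "permit any" ahead of the deny line makes the deny unreachable; the test below checks that case as well, which is the practical reason the text insists on rule order.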
