Chapter Three: Without rules, nothing gets done - ACL v1

Source: Internet
Author: User


Access Control List (ACL): it is all about picking out the elements of a packet and then deciding the packet's fate.

Those elements are described in terms of the packet's source address, destination address, port number, and so on.

Principle Description

The ACL module manages all user-configured rules and provides a rule-matching algorithm. Service modules process a packet according to the action of the rule it matched ("permit" or "deny").

ACL rule matching results

Rule match: the ACL exists and contains a rule whose conditions the packet meets; this counts as a match whether that rule's action is "permit" or "deny".

Rule mismatch: the ACL does not exist, the ACL contains no rules, or the packet meets the conditions of none of the rules in the ACL.

ACL rule matching process

· If the ACL exists and the packet needs to be checked against its rules, the rules in that ACL are searched in order; as soon as a matching rule is found, the search stops.

· If the ACL exists and the service module only needs to match on source address, destination address, the protocol type carried in IP, TCP source and destination ports, and certain options of the ICMP type, the ACL rules are looked up according to that service module's requirements. The first match is reported to the service module and subsequent rules are not examined.

ACL rule matching order

The order in which rules are displayed is the order in which they are matched: rules are searched sequentially, so a rule that appears earlier in the list is hit first.

Two factors determine the display order of rules: the rule ID and the rule matching order.

There are two matching orders: configuration order (config) and automatic order (auto).

· In configuration order, the user-configured ACL rules are matched in the sequence in which they were configured. The rule ID can be set by the user or generated automatically by the system according to the step (rule IDs are spaced at step-size intervals). This is democracy: first come, first served.

· In automatic order, the rule ID is assigned by the system and the most precise rule is matched first, following the "depth first" principle. Precision is decided by comparing the address wildcards: the smaller the wildcard, the smaller the range of hosts the rule specifies. This is leadership priority.

§  Basic ACL rules are sorted as follows:

§  VPN instance > source IP address range > configuration order

§  Interface-based ACL rules: rules configured with "any" are placed last; the others keep configuration order.

§  Advanced ACL rules are sorted as follows:

§  VPN instance > source/destination IP address range > TCP/UDP port number > configuration order
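As an added illustration (not code from the original post), the following Python models the basic-ACL behaviour described above: first-match semantics, the "mismatch" result when the ACL is absent or empty, and how configuration order and automatic (depth-first) order can pick different rules for the same packet. The ACL number, rule IDs, addresses and wildcards are constructed sample values, and the VPN-instance tiebreak is omitted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: int      # user-assigned or system-assigned rule ID
    action: str       # "permit" or "deny"
    source: str       # IPv4 source address
    wildcard: str     # wildcard mask: 0 bits must match, 1 bits are ignored


def ip(text):
    return int(ipaddress.IPv4Address(text))


def rule_matches(rule, src):
    # Only the bits where the wildcard is 0 are compared.
    mask = (~ip(rule.wildcard)) & 0xFFFFFFFF
    return (ip(rule.source) & mask) == (src & mask)


def ordered(rules, match_order):
    if match_order == "config":
        # Configuration order: rules sit in rule-ID sequence.
        return sorted(rules, key=lambda r: r.rule_id)
    # Automatic order: depth first, smaller wildcard (narrower range) first;
    # ties fall back to configuration order.
    return sorted(rules, key=lambda r: (ip(r.wildcard), r.rule_id))


def match(acl, match_order, src_ip):
    """Return ('match', action, rule_id) or ('mismatch', None, None)."""
    if not acl:
        return ("mismatch", None, None)   # no ACL, or an ACL with no rules
    src = ip(src_ip)
    for rule in ordered(acl, match_order):
        if rule_matches(rule, src):
            return ("match", rule.action, rule.rule_id)   # first hit wins
    return ("mismatch", None, None)       # no rule matched


# Constructed sample: a broad permit configured first, a host deny configured later.
ACL_2000 = [
    Rule(5, "permit", "10.1.1.0", "0.0.0.255"),
    Rule(10, "deny", "10.1.1.7", "0.0.0.0"),
]

if __name__ == "__main__":
    print(match(ACL_2000, "config", "10.1.1.7"))   # ('match', 'permit', 5)
    print(match(ACL_2000, "auto", "10.1.1.7"))     # ('match', 'deny', 10)
```

The same packet is permitted under configuration order and denied under automatic order, which is why changing an ACL's match-order on a live device deserves the same review as editing its rules.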

Application: using ACLs in route filtering

ACLs can be applied in various dynamic routing protocols to filter the routing information the protocol advertises and receives.

Using ACLs in QoS

An ACL is used to select packets with certain attributes so that QoS treatment can be applied to them.

Interface-based ACL: rules are specified according to the interface on which the packet is received.

Basic ACL: rules can use only the packet's source address information as the element that defines the rule.

Advanced ACL: rules can be defined by the packet's source address, destination address, protocol type, TCP source and destination ports, ICMP type, ICMP code, and other elements.

Ethernet frame header-based ACL: filters packets based on the source MAC address, destination MAC address, and Ethernet frame protocol type.

MPLS-based ACL: filters packets based on the EXP value, label value, and TTL value of MPLS packets.


This article is from the "Digital Kid" blog; please keep this source link: http://dcboy.blog.51cto.com/8059630/1794778
