iv. Dynamic ACLs (lock-and-key)
A dynamic ACL uses the router's Telnet login to install a temporary ACL entry, so that a user who has authenticated can reach the intranet for a limited time. Command:
access-list {100-199} dynamic dynamic-name [timeout minutes] permit any DEST-IP dest-wildcard
dynamic-name is the name of the temporary entry (it does not have to match a username, although using the username, as below, keeps the configuration readable); timeout is the absolute timeout in minutes, after which the temporary entry is removed whether or not the user is still active; DEST-IP should be the address of the server the external user actually needs to reach, not a whole intranet range.
Example:
1. Create the user for authentication:
username lyl password lyl
(on IOS versions that support it, use username lyl secret ... so the password is stored as a hash rather than reversibly, and choose a real password; lyl/lyl is only a placeholder here.)
2. Build the ACL:
access-list 101 permit tcp any host 10.10.1.1 eq telnet
  allows external users to Telnet to the router's outside interface in order to authenticate
access-list 101 permit tcp any host 10.10.1.1 eq 3001
  allows external users to reach port 3001 on the outside interface, the rotary port reserved for Telnet management in step 3
access-list 101 dynamic lyl timeout 8 permit ip any host 192.168.2.3
  the dynamic entry; it stays inactive until a user authenticates, and is removed 8 minutes after it is activated (absolute timeout)
3. Attach the dynamic ACL to the vty lines:
line vty 0 3
 login local
  authenticate against the local user database
 autocommand access-enable host timeout 3
  when a user logs in on these lines, activate the dynamic entry and end the Telnet session. The host keyword is essential: it replaces the any source in the dynamic entry with the address the user authenticated from. Without it the temporary entry has source any, and the dynamic ACL is meaningless. timeout 3 here is the idle timeout in minutes.
line vty 4
 login local
 rotary 1
  keep one vty for management: rotary 1 makes this line listen on TCP port 3001, so the administrator can still Telnet in (to port 3001) while lines 0-3 are used for authentication only
4. Apply the ACL inbound on the outside interface:
int s1/0
 ip address 10.10.1.1 255.255.255.252
 no shut
 ip access-group 101 in
Note that the login crosses the external network in clear text over Telnet, so the credential used here should not be one that is valuable anywhere else.
v. Reflexive ACLs
Basic idea: the intranet may initiate connections to the external network, the external network may not initiate connections to the intranet, but replies to connections the intranet opened are let back in. A reflexive ACL does this statefully: every outbound TCP session creates a temporary mirrored entry (addresses and ports swapped) in the inbound list, and the entry is removed when the session ends or times out.
Example:
1. Create the ACL for outgoing data:
ip access-list extended outbound
 permit tcp any any reflect cisco
  outbound TCP is permitted, and each session creates a temporary inbound entry in the reflexive list named cisco
2. Create the ACL for incoming data:
ip access-list extended inbound
 permit icmp any any
  allow ICMP such as echo-request
 evaluate cisco
  insert the temporary entries created by the outbound list at this point, so that the return traffic of sessions opened from inside is permitted
3. Apply both lists on the router's external interface (s1/0):
int s1/0
 ip access-group outbound out
 ip access-group inbound in
Note: the name after reflect and the name after evaluate must be the same (cisco in this example). Reflexive entries require named extended ACLs; the temporary entries are removed when the session closes (FIN or RST) or after the reflexive timeout (ip reflexive-list timeout, 300 seconds by default). Because only the mirrored session is opened, protocols that negotiate a second connection on other ports, such as active FTP, need an explicit entry.
Reverse access control list (the established keyword):
Besides controlling who may reach what, an important use of access control lists is virus defence: we can filter the ports that common viruses use to propagate and drop packets to those ports. This works against known viruses, but an unknown virus uses a port we cannot predict, and every new virus adds more rules, so the list grows and eventually slows down forwarding. A reverse access control list solves this problem.
1. Purpose: the reverse access control list is an advanced use of ACLs that blocks viruses effectively. By configuring it you can arrange that hosts in segment A may open TCP connections to segment B while hosts in B cannot open connections to A. Put simply, data transmission has two phases: first the source host sends a connection request and data to the destination host, then, once the connection is established, the destination host sends data back to the source. The reverse ACL controls the first phase, the connection request. (The keyword applies to TCP only: ping is ICMP and is not distinguished by it.)
2. Format: simply add the keyword established at the end of an extended access list entry. The entry then matches only TCP segments with the ACK or RST bit set, that is, segments belonging to a connection that already exists, and never the initial SYN. We explain it through an example.
Network structure: the router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. The hosts in 172.16.4.0/24 are servers, and we protect them against virus attacks from the 172.16.3.0 segment with a reverse ACL.
Configuration example: prevent a virus on the 172.16.3.0/24 segment from spreading to the 172.16.4.0/24 server segment.
Router configuration commands:
access-list 101 permit tcp 172.16.3.0 0.0.0.255 host 172.16.4.13 eq www
  the service exception explained below; it must be typed before the established line, because numbered ACL entries are appended in the order they are entered
access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established
  defines ACL 101: hosts in 172.16.3.0 may send packets to hosts in 172.16.4.0 only as part of a TCP connection that already exists (ACK or RST set). A new connection (SYN without ACK) from 172.16.3.0 to 172.16.4.0 matches nothing and is dropped by the implicit deny at the end of the list.
int e 1
  enter interface E1, the one connected to 172.16.4.0/24
ip access-group 101 out
  apply ACL 101 to traffic leaving the router towards the server segment
After this is in place, a virus on 172.16.3.0 cannot easily spread to the 172.16.4.0 server area: propagation needs an active TCP connection into the server segment, and the ACL forbids 172.16.3.0 from opening one.
Why the exception is needed: with only the established line, 172.16.3.0 hosts cannot use any service on the servers either; for example the WWW service on 172.16.4.13 becomes unreachable. The fix is the extended ACL entry placed in front of the established line. The router checks ACL entries top-down and stops at the first match, so a 172.16.3.0 host opening a connection to port 80 on 172.16.4.13 matches the first line and is forwarded immediately, while any other new connection falls through to the implicit deny, and the anti-virus effect of the established line is preserved.
Tip: because ACL 101 lists only TCP, the implicit deny also drops ICMP leaving E1 (echo-requests from 172.16.3.0 and echo-replies to 172.16.4.0 alike), so ping is not a usable test unless you add an entry such as permit icmp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 echo-reply. A better check uses TCP: a connection from a 172.16.4.0 server to a 172.16.3.0 host should succeed, a connection from 172.16.3.0 to a server port other than 80 should fail, and show access-lists shows the match counters.
Caveat: established is stateless. Each packet is judged on its own flag bits, so a packet crafted with ACK set but belonging to no connection passes (an ACK scan such as nmap -sA sees through the filter), and the keyword says nothing about UDP or ICMP. Where stateful filtering is needed, use the reflexive ACLs of section v.
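The difference between the stateless established keyword and a stateful reflexive entry is easiest to see by running packets through both. The following is an added example, not code from the original article: a small first-match ACL evaluator that implements established as IOS does (ACK or RST bit set), next to a model of the reflect/evaluate pair from section v. The hosts, ports and packets are constructed for the demonstration.

```python
"""Added example (not from the original article): a first-match ACL
evaluator with Cisco's `established` semantics, next to a stateful model of
the reflexive `reflect`/`evaluate` pair from section v. Hosts, ports and
packets are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches any protocol
    src: str                              # CIDR, e.g. "172.16.3.0/24"
    dst: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # `established` is stateless: it only asks whether ACK or RST is set.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Top-down, first match wins, implicit deny when nothing matches."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# ACL 101 from the text, applied outbound on the server-segment interface:
# the www exception has to come before the established line.
ACL_101 = [
    Ace("permit", "tcp", "172.16.3.0/24", "172.16.4.13/32", dport=80),
    Ace("permit", "tcp", "172.16.3.0/24", "172.16.4.0/24", established=True),
]


class ReflexiveFilter:
    """Stateful contrast: a reply is admitted only if the mirrored outbound
    session was seen first, which is what `reflect`/`evaluate` does."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> str:
        if p.proto == "tcp":                # permit tcp any any reflect cisco
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        if p.proto == "icmp":               # permit icmp any any
            return "permit"
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:   # evaluate cisco
            return "permit"
        return "deny"


def demo() -> dict:
    syn = Packet("tcp", "172.16.3.7", "172.16.4.20", 4455, 445, frozenset({"SYN"}))
    bare_ack = Packet("tcp", "172.16.3.7", "172.16.4.20", 4455, 445, frozenset({"ACK"}))
    www = Packet("tcp", "172.16.3.7", "172.16.4.13", 4456, 80, frozenset({"SYN"}))
    ping = Packet("icmp", "172.16.3.7", "172.16.4.13")

    rf = ReflexiveFilter()
    # a server on the protected side opens a session, so its reply gets mirrored
    rf.outbound(Packet("tcp", "172.16.4.20", "172.16.3.7", 51000, 80, frozenset({"SYN"})))
    reply = Packet("tcp", "172.16.3.7", "172.16.4.20", 80, 51000, frozenset({"ACK"}))

    return {
        "established_syn": evaluate(ACL_101, syn),            # deny: new connection
        "established_bare_ack": evaluate(ACL_101, bare_ack),  # permit: ACK bit alone is enough
        "established_www": evaluate(ACL_101, www),            # permit: exception matched first
        "established_ping": evaluate(ACL_101, ping),          # deny: implicit deny, ICMP unlisted
        "reflexive_bare_ack": rf.inbound(bare_ack),           # deny: no outbound session
        "reflexive_reply": rf.inbound(reply),                 # permit: mirrored entry exists
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The bare ACK case is the one worth remembering: the established line lets it through because it never looks at connection state, while the reflexive filter drops it because no matching outbound session was ever recorded.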
Time-based access control list:
Standard ACLs and extended ACLs were introduced before; mastering both meets most packet-filtering requirements. Real networks, however, raise more demanding requirements, and time-based access control lists are one of the advanced techniques that answer them.
1. Uses: a company may need to forbid QQ during working hours, or allow a particular website only at the weekend. Issuing a notice alone cannot fully stop misuse by employees, which is why time-based access control lists exist.
2. Format: a time-based access control list has two parts, the definition of the time period and an extended ACL entry that references it. The time period is defined with the time-range command:
time-range name
 absolute [start hh:mm day month year] [end hh:mm day month year]
 periodic days-of-week hh:mm to hh:mm
Example:
time-range softer
 absolute start 00:00 1 May 2005 end 12:00 1 June 2005
defines a period named softer that starts at 00:00 on 1 May 2005 and ends at noon on 1 June 2005. Combining such a period with an extended ACL entry gives an ACL that is active only during the company's chosen period. Weekdays and weekends are defined with periodic, whose days-of-week argument accepts weekdays, weekend, daily or individual day names; it is shown in the configuration example below.
Configuration example: three things are needed for a time-based ACL to take effect:
1. define the time period with time-range;
2. configure the ACL, adding the time-range keyword to the entries that should apply only during that period;
3. apply the ACL to the appropriate interface.
Network environment: the router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. In 172.16.4.0/24 there is one server providing the FTP service, with the IP address 172.16.4.13.
Configuration task: users on the 172.16.3.0 segment may access the FTP resources on 172.16.4.13 only at the weekend; FTP downloads are not allowed during working hours.
Router configuration commands:
time-range softer
  defines a time period named softer
 periodic weekdays 00:00 to 23:59
  Monday to Friday, 00:00 to 23:59. This is the period during which FTP is to be blocked, so the deny entry below must reference the working days; a deny entry referencing periodic weekend would do the opposite of the task. periodic weekend, daily, or day names such as monday are used the same way.
access-list 101 deny tcp any host 172.16.4.13 eq ftp time-range softer
  while softer is active, deny the FTP control connection (port 21) to 172.16.4.13; while it is inactive the entry is skipped as if it were not there
access-list 101 permit ip any any
  everything else, including FTP outside the period, is permitted
int e 1
  enter interface E1
ip access-group 101 out
  apply ACL 101 outbound
Time-based ACLs are well suited to period-based management; with the settings above, 172.16.3.0 users can only reach the FTP resources on the server at the weekend. Two things to check: the router's clock must be correct (configure NTP, and use show time-range to see whether a period is currently active), and eq ftp matches only the control channel on port 21, which is enough to stop logins since no data connection is set up without one.
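Whether a time-range entry is skipped or matched depends only on whether the period is active at the moment the packet arrives, which is why the named period has to describe the time when access is forbidden. The following is an added example, not code from the original article: a small evaluator for IOS-style periodic time ranges applied to the FTP ACL above. It shows the deny taking effect on a Monday with the weekdays range, and shows that the same deny entry referencing the weekend range would let Monday FTP through. The timestamps are constructed for the demonstration.

```python
"""Added example (not part of the original article): evaluates Cisco-style
`periodic` time ranges against timestamps and applies them to the FTP ACL
above, to show that a deny line only takes effect while its time range is
active. The timestamps below are constructed for the demonstration."""
from datetime import datetime

# Day groups as IOS's `periodic` keyword names them (datetime.weekday(): Monday == 0).
PERIODIC_DAYS = {
    "daily": set(range(7)),
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
}


def time_range_active(spec: str, when: datetime) -> bool:
    """spec has the shape of the IOS line, e.g. 'weekdays 00:00 to 23:59'."""
    days, start, _to, end = spec.split()
    to_hm = lambda s: tuple(int(x) for x in s.split(":"))
    if when.weekday() not in PERIODIC_DAYS[days]:
        return False
    return to_hm(start) <= (when.hour, when.minute) <= to_hm(end)


def ftp_decision(spec: str, when: datetime, dport: int) -> str:
    """Models ACL 101:
         deny tcp any host 172.16.4.13 eq ftp time-range softer
         permit ip any any
    An entry whose time range is inactive is skipped, so the permit line matches."""
    if dport == 21 and time_range_active(spec, when):
        return "deny"
    return "permit"


MONDAY_10 = datetime(2005, 5, 2, 10, 0)     # a working day, 10:00
SATURDAY_10 = datetime(2005, 5, 7, 10, 0)   # the weekend, 10:00


def demo() -> dict:
    correct = "weekdays 00:00 to 23:59"   # period during which FTP is blocked
    inverted = "weekend 00:00 to 23:59"   # the range that would block the wrong days
    return {
        "weekdays_range_monday_ftp": ftp_decision(correct, MONDAY_10, 21),      # deny
        "weekdays_range_saturday_ftp": ftp_decision(correct, SATURDAY_10, 21),  # permit
        "weekdays_range_monday_http": ftp_decision(correct, MONDAY_10, 80),     # permit
        "weekend_range_monday_ftp": ftp_decision(inverted, MONDAY_10, 21),      # permit: wrong for the task
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```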
Access control list traffic records:
A network administrator has to manage the company's network sensibly, and as the saying goes, know your enemy and you can win every battle; recording the traffic that matches ACL rules lets you see at once where the traffic is and how a virus is spreading. This section briefly describes how to record the traffic matched by an access control list by adding the log keyword at the end of an extended ACL entry.
Implementation:
logging 192.168.1.1
  specify the log server the router sends syslog messages to; its address is 192.168.1.1
logging trap informational
  ACL log messages (%SEC-6-IPACCESSLOGP and related) are severity 6, so the trap level must include informational for them to reach the server
access-list 101 permit tcp any host 172.16.4.13 eq www log
  the extended ACL entry to be monitored, with log added at the end; packets that satisfy the condition are reported to the log server 192.168.1.1
Tips: if log-input is added instead of log, the record includes not only the traffic information but also the input interface and source MAC address of the packet, which identifies the physical port an infected host sits behind. Using log to record the traffic that satisfies ACL rules, you can find where in the company network traffic is heavy and where a virus is active; one simple keyword does much of the work of dedicated tools. Two limits to be aware of: the router logs the first matching packet and then only a summary count at intervals (every five minutes by default), so the packet counts are summaries rather than a complete record; and logging matches on a busy interface costs CPU, so put log on the specific entries you want to watch rather than on a permit ip any any.
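Once the messages arrive at the log server they still have to be turned into the "where is the traffic, which host is scanning" answer the paragraph promises. The following is an added example, not code from the original article: a parser for the %SEC-6-IPACCESSLOGP and IPACCESSLOGDP messages that log and log-input produce, run over constructed sample lines. Only the message layout follows the IOS format; the addresses, MAC addresses and packet counts are made up. It totals packets per source, keeps the interface and MAC that log-input adds, and flags sources whose denied connection attempts fan out across several servers, the pattern a scanning worm leaves behind.

```python
"""Added example (not from the original article): parse the syslog records
that the `log` / `log-input` keywords produce, total them per source and
flag sources whose denied connection attempts fan out across several
servers. The sample lines are constructed for the demonstration; only the
message layout follows the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"      # only present with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>[\d/]+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: one web client, one host probing several servers, one pinging host.
SAMPLE_LOG = """\
*May  2 09:00:01.111: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.16.3.5(40001) (Ethernet0 0011.2233.4455) -> 172.16.4.13(80), 1 packet
*May  2 09:00:02.222: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(4455) (Ethernet0 00aa.bbcc.ddee) -> 172.16.4.13(445), 1 packet
*May  2 09:00:03.333: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(4456) (Ethernet0 00aa.bbcc.ddee) -> 172.16.4.20(445), 1 packet
*May  2 09:00:04.444: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(4457) (Ethernet0 00aa.bbcc.ddee) -> 172.16.4.21(139), 1 packet
*May  2 09:05:01.555: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(4455) (Ethernet0 00aa.bbcc.ddee) -> 172.16.4.13(445), 63 packets
*May  2 09:05:02.666: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.3.9 (Ethernet0 0099.8877.6655) -> 172.16.4.13 (8/0), 4 packets
"""


def parse(log_text: str) -> List[dict]:
    """One dict per recognised ACL log line; unrelated syslog lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def summarize(log_text: str, fanout_threshold: int = 3) -> dict:
    per_src = Counter()
    denied_targets = defaultdict(set)
    macs: Dict[str, tuple] = {}
    for r in parse(log_text):
        per_src[r["src"]] += r["count"]      # summary lines carry the interval's count
        if r["action"] == "denied" and r["dport"]:
            denied_targets[r["src"]].add((r["dst"], int(r["dport"])))
        if r["mac"]:                         # log-input: where the host physically is
            macs[r["src"]] = (r["iface"], r["mac"])
    # a host whose denied attempts reach many distinct servers looks like a scanner or worm
    suspects = sorted(
        src for src, targets in denied_targets.items()
        if len({dst for dst, _ in targets}) >= fanout_threshold
    )
    return {
        "per_src": dict(per_src),
        "suspects": suspects,
        "targets": {s: sorted(denied_targets[s]) for s in suspects},
        "macs": macs,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The fan-out threshold is the interesting knob: a single denied connection is usually a misconfiguration, while one source hitting three or more different servers on closed ports within a few minutes is what a propagating worm looks like in these records, and the MAC and interface from log-input tell you which switch port to go and unplug.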
Cisco-acl Details (II.)