This article introduces the router's ingress access control mechanism. Any network management task that involves configuring a router will involve access control, and this section focuses on one form of it: Context-Based Access Control (CBAC).
Generally, a router can only check packets at the network layer or the transport layer. CBAC can intelligently filter TCP- and UDP-based sessions at the application layer: it opens a temporary channel in the firewall access list to allow the return traffic of connections originating from the internal network, and it inspects sessions in both the inbound and the outbound direction. For a Telnet session started from the internal network, the sequence is as follows:

1. The packet arrives at the firewall's external interface (s0).
2. The interface's outbound access list checks whether the packet is permitted. If it is not, the packet is discarded here and none of the following steps are performed.
3. A packet that passes the access list is inspected by CBAC, which determines and records its connection state. This information is recorded in a new state-table entry, which provides a fast path for the following packets of the connection.
4. If no CBAC inspection rule is defined for the Telnet application, the packet is simply forwarded out of this interface and no state is kept.
5. Based on the state information obtained in step 3, CBAC inserts a temporary entry into the inbound access list of s0. This temporary channel is defined to permit the return packets of the session coming in from outside.
6. The next inbound packet from outside reaches s0. It belongs to the Telnet session sent out earlier, so after the inbound access-list check on s0 it enters through the temporary channel established in step 5.
7. The packet that was allowed in is inspected by CBAC, the connection state entry is updated as needed, and based on the updated state the temporary entry in the inbound access list is modified so that only packets valid for this session are admitted.
8. Every further inbound and outbound packet of the current connection on s0 is inspected, the state entry is updated, and the temporary access-list entry is adjusted as needed. Meanwhile the packets are allowed to pass through s0.
9. When the current connection is terminated or times out, its connection state entry is deleted and the temporarily opened access-list entry is deleted as well.
The outbound access list on the interface must permit all required applications, including the ones that CBAC is to inspect; the inbound access list, however, must deny every application that CBAC inspects, so that its return traffic can enter only through the temporary entries CBAC opens.
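As an added example (not configuration from the original article), the following Cisco IOS fragment implements the arrangement described in the step sequence and in the access-list rule above: inspection is applied outbound on the external serial interface, the outbound access list permits the applications to be inspected, and the inbound access list denies them so that their return traffic enters only through the temporary entries CBAC inserts. The interface name, addresses, access-list numbers, the inspection rule name and the timeout values are assumptions chosen for illustration.

```cisco
! Inspection rule (the name INSIDE-OUT is an assumption): track TCP and
! UDP sessions started from inside. Generic tcp inspection covers Telnet.
ip inspect name INSIDE-OUT tcp timeout 3600
ip inspect name INSIDE-OUT udp timeout 30
! Log session creation and teardown so step 3 and step 9 can be reviewed
ip inspect audit-trail
!
! Outbound access list (101): permit the inside network (10.1.1.0/24 is
! assumed) for every application CBAC should inspect, so that step 2 passes.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! Inbound access list (102): deny the inspected applications explicitly.
! CBAC places its temporary entries (step 5) ahead of these permanent
! lines, so only return traffic of a tracked session is admitted.
access-list 102 deny   tcp any any log
access-list 102 deny   udp any any log
access-list 102 deny   ip any any log
!
interface Serial0
 description External link (interface name is an assumption)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 out
 ip access-group 102 in
 ip inspect INSIDE-OUT out
```

The inspection rule is applied in the same direction as the initiating traffic (outbound on the external interface), which is what makes CBAC open the matching temporary entries in that interface's inbound list. To confirm the mechanism, start a session from an inside host and run `show ip inspect sessions` to see the tracked connection and `show ip access-lists 102` to see the temporary entries above the permanent deny lines; after the session closes or the idle timeout expires, both disappear, as in step 9. Any protocol that is not inspected (for example ICMP in this configuration) has no temporary entry and needs its own explicit permit in the inbound list if it must get in.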