1. Overview: This article discusses the following two questions: understanding and using the fragments option of the extended access control list; understanding and using the established option of the extended access control list. 2. Use the fragments option: (1) When an ACL entry contains only layer-3 information, all packets are controlled. (2) When the fragments option is not used
1. Overview:
This article discusses the following two questions:
- understanding and using the fragments option of the extended access control list;
- understanding and using the established option of the extended access control list.
2. Use the fragments option:
(1) When an ACL entry contains only layer-3 information, it controls all packets, fragmented or not.
(2) When the fragments option is not used, an ACL entry that contains both layer-3 and layer-4 information controls all data packets as follows:
- If the packet is a non-fragmented packet or the first fragment of a fragmented packet (initial fragment), it is processed according to the normal ACL logic (permit or deny).
- If the packet is a subsequent fragment of a fragmented packet (non-initial fragment), only the layer-3 part of the ACL entry (protocol number, source and destination) is checked, because the non-initial fragment carries no layer-4 header. If layer 3 matches and the entry is a permit, the fragment is allowed through. If layer 3 matches and the entry is a deny, the next ACL entry is checked instead (this differs from the normal ACL deny, which would drop the packet).
(3) When the fragments option is used, an ACL entry controls only non-initial fragments, and such an entry cannot contain layer-4 information. The IOS keyword is fragments:
access-list 101 permit <protocol> <source> <destination> fragments
3. Use the established option:
access-list 101 permit tcp <source> <destination> established
This option can only be used with the TCP protocol. It controls sessions based on the control-bit flags in the TCP segment (the layer-4 PDU); for example, it allows only traffic that belongs to an already established TCP session, which the router recognises by the ACK or RST flag being set. Note that the check is stateless: the router keeps no session table and inspects only the flag bits of each individual segment.
For example, suppose you want to implement the following control: allow all hosts on Net A to initiate TCP communication to Net B, but do not allow hosts on Net B to initiate TCP communication to Net A. You can use the following ACL, applied inbound on the interface that receives traffic from Net B, so that only segments belonging to sessions already opened from Net A (reply traffic to client ports above 1023 with ACK or RST set) are accepted; a SYN-only segment from Net B is dropped by the implicit deny:
hostname R1
interface ethernet0
 ip access-group 102 in
! the destination is written as any here; restrict it to the Net A prefix if desired
access-list 102 permit tcp any any gt 1023 established
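The rules in sections 2 and 3 are easier to trust once you can run them against concrete packets. The following Python simulation is an added example written for this article, not IOS code and not from the original author; it implements the fragment handling of section 2 (layer-3-only check for non-initial fragments, permit-through versus fall-through, and the fragments keyword) and the established check of section 3, and evaluates a few constructed packets against ACL 101 and ACL 102. The networks 10.1.0.0/16 (Net A) and 10.2.0.0/16 (Net B), the addresses, ports and the Packet/Entry types are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed simulation (not IOS code) of how an extended ACL evaluates
# packets under the fragment and established rules described in the article.


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None           # layer-4 fields are absent on non-initial fragments
    dport: Optional[int] = None
    frag_offset: int = 0                  # > 0 marks a non-initial fragment
    flags: FrozenSet[str] = frozenset()   # TCP control bits, e.g. {"SYN"} or {"ACK"}

    @property
    def noninitial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Entry:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every protocol
    src: str                              # "any" or a CIDR prefix
    dst: str
    dport: Optional[Tuple[str, int]] = None   # ("eq", 80) or ("gt", 1023)
    fragments: bool = False               # IOS "fragments" keyword
    established: bool = False             # IOS "established" keyword

    @property
    def has_l4(self) -> bool:
        return self.dport is not None or self.established


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: Tuple[str, int], port: int) -> bool:
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def l3_match(e: Entry, p: Packet) -> bool:
    return e.proto in ("ip", p.proto) and addr_match(e.src, p.src) and addr_match(e.dst, p.dst)


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Return "permit" or "deny" for packet p under the ACL's entry-order semantics."""
    for e in acl:
        if not l3_match(e, p):
            continue
        if e.fragments:
            # rule (3): an entry with "fragments" applies only to non-initial fragments
            if p.noninitial_fragment:
                return e.action
            continue
        if p.noninitial_fragment:
            # rule (2), non-initial fragment: only layer 3 is checked;
            # a permit with layer-4 info lets it through, a deny with layer-4 info falls through
            if not e.has_l4 or e.action == "permit":
                return e.action
            continue
        # rule (2), non-fragment or initial fragment: full layer-3 + layer-4 check
        if e.dport is not None and (p.dport is None or not port_match(e.dport, p.dport)):
            continue
        if e.established and not (p.flags & {"ACK", "RST"}):
            continue
        return e.action
    return "deny"  # implicit deny at the end of every ACL


NET_A, NET_B = "10.1.0.0/16", "10.2.0.0/16"   # constructed sample networks

# ACL 101 without the fragments keyword: only web traffic into Net B
ACL_101 = [Entry("permit", "tcp", "any", NET_B, dport=("eq", 80))]
# Same policy with an explicit fragments entry placed in front of it
ACL_101_FRAG = [Entry("deny", "ip", "any", NET_B, fragments=True)] + ACL_101
# ACL 102 from the article, inbound on the Net B side: only replies to Net A clients
ACL_102 = [Entry("permit", "tcp", "any", "any", dport=("gt", 1023), established=True)]


def demo() -> dict:
    syn_web = Packet("tcp", "10.1.0.5", "10.2.0.10", 40000, 80, flags=frozenset({"SYN"}))
    syn_telnet = Packet("tcp", "10.1.0.5", "10.2.0.10", 40001, 23, flags=frozenset({"SYN"}))
    tail_frag = Packet("tcp", "10.1.0.5", "10.2.0.10", frag_offset=185)   # no ports visible
    reply_b = Packet("tcp", "10.2.0.10", "10.1.0.5", 80, 40000, flags=frozenset({"ACK"}))
    syn_b = Packet("tcp", "10.2.0.10", "10.1.0.5", 50000, 40000, flags=frozenset({"SYN"}))
    return {
        "syn_web_101": evaluate(ACL_101, syn_web),              # permit
        "syn_telnet_101": evaluate(ACL_101, syn_telnet),        # deny
        "frag_101": evaluate(ACL_101, tail_frag),               # permit: only layer 3 checked
        "frag_101_frag": evaluate(ACL_101_FRAG, tail_frag),     # deny: fragments entry hit
        "syn_web_101_frag": evaluate(ACL_101_FRAG, syn_web),    # permit: fragments entry skipped
        "reply_102": evaluate(ACL_102, reply_b),                # permit: ACK set, port > 1023
        "syn_b_102": evaluate(ACL_102, syn_b),                  # deny: no ACK/RST
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The "frag_101" result is the point of section 2: a non-initial fragment addressed to Net B is permitted by the web entry even though the router cannot see which port it belongs to, which is why the fragments entry in ACL_101_FRAG is placed first when that leakage is unacceptable.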
4. Summary
Only with a good understanding of the format and content of the data units at each layer of the TCP/IP protocol stack can we correctly use the advanced options of the various ACL types.