
http://ccieh3c.taobao.com
ISSUE 1.0






ACL (Access Control List)

NAT (Network Address Translation)

QoS (Quality of Service)


www.h3c.com




[Figure: ACL matching flowchart. The packet is compared against each rule in turn; if a rule matches, its action (deny or permit) is applied; if no rule matches, the default action (default deny or default permit) applies.]



Wildcard masks

An IP address in an ACL rule is paired with a wildcard mask. A 0 bit in the wildcard means the corresponding address bit must match; a 1 bit means that address bit is ignored. A wildcard made of contiguous trailing 1 bits corresponds to a prefix length:

  Wildcard mask    Equivalent prefix length
  0.0.0.255        24
  0.0.3.255        22
  0.255.255.255    8


IP address and wildcard mask examples

  Address       Wildcard mask     Matched addresses
  192.168.0.1   0.0.0.255         192.168.0.0/24
  192.168.0.1   0.0.3.255         192.168.0.0/22
  192.168.0.1   0.255.255.255     192.0.0.0/8
  192.168.0.1   0.0.0.0           192.168.0.1 (single host)
  192.168.0.1   255.255.255.255   0.0.0.0/0 (any address)
  192.168.0.1   0.0.2.255         192.168.0.0/24 and 192.168.2.0/24 (non-contiguous wildcard)


ACL types and number ranges

  2000-2999   Basic IPv4 ACL
  3000-3999   Advanced IPv4 ACL
  4000-4999   Ethernet frame (Layer 2) ACL
  5000-5999   User-defined ACL

Basic ACL

A basic ACL classifies packets by source IP address only. With two rules covering the sources 1.1.1.0/24 and 2.2.2.0/28, the following packets are each matched by one rule:

  DA=3.3.3.3 SA=1.1.1.1   (source in 1.1.1.0/24)
  DA=3.3.3.3 SA=2.2.2.1   (source in 2.2.2.0/28)

Advanced ACL

An advanced ACL classifies packets by source IP address, destination IP address, protocol and port numbers. With the rules

  source 1.1.1.0/24   destination 3.3.3.1   TCP   destination port 80
  source 1.1.1.0/24   destination 2.2.2.1   TCP   destination port 23

the following packets are matched:

  DA=3.3.3.1, SA=1.1.1.1, TCP, DP=80, SP=2032
  DA=2.2.2.1, SA=1.1.1.1, TCP, DP=23, SP=3176

Ethernet frame (Layer 2) ACL

A Layer 2 ACL classifies frames by Ethernet header fields, namely source MAC address, destination MAC address and 802.1p priority, rather than by IP header fields.


Packet filtering configuration

Packet filtering is configured in four steps: enable the firewall, set the default action (permit or deny) for packets that match no rule, create the ACL and its rules, and apply the ACL to an interface in the inbound or outbound direction.


Enabling the firewall and setting the default action

  [sysname] firewall enable

The default action is applied to packets that match no ACL rule; it is permit unless changed:

  [sysname] firewall default { permit | deny }

Configuring a basic ACL

Basic IPv4 ACLs are numbered 2000-2999. Create the ACL by number, then add rules; a basic ACL rule matches on the source IP address and specifies permit or deny:

  [sysname] acl number acl-number
  [sysname-acl-basic-2000] rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ]

Configuring an advanced ACL

Advanced IPv4 ACLs are numbered 3000-3999. Create the ACL by number, then add rules; an advanced ACL rule matches on source IP address, destination IP address, protocol and ports, and specifies permit or deny:

  [sysname] acl number acl-number
  [sysname-acl-adv-3000] rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | established | fragment | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name ]

Configuring an Ethernet frame ACL

Ethernet frame (Layer 2) ACLs are numbered 4000-4999. Create the ACL by number, then add rules; a Layer 2 rule matches on source MAC, destination MAC, 802.1p priority and LSAP fields, and specifies permit or deny:

  [sysname] acl number acl-number
  [sysname-acl-ethernetframe-4000] rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name ]

Applying an ACL to an interface

An ACL takes effect on packets once it is applied to an interface in the inbound or outbound direction:

  [sysname-Serial2/0] firewall packet-filter { acl-number | name acl-name } { inbound | outbound }

Displaying and maintaining ACLs and packet filtering

  display firewall-statistics { all | interface interface-type interface-number }
  display firewall ethernet-frame-filter { all | dlsw | interface interface-type interface-number }
  reset firewall-statistics { all | interface interface-type interface-number }
  display acl { acl-number | all }            (IPv4 ACL)
  reset acl counter { acl-number | all }      (IPv4 ACL)


ACL match order

An ACL can hold several rules, and a packet may match more than one of them. The match order decides which rule takes effect:

  config   rules are checked in the order in which they were configured
  auto     depth-first: the most specific rule (the one with the fewest "don't care" wildcard bits) is checked first

  [sysname] acl number acl-number [ match-order { auto | config } ]


Match order example

  acl number 2000 match-order config
  rule permit source 1.1.1.0 0.0.0.255
  rule deny source 1.1.1.1 0

A packet with DA=3.3.3.3 SA=1.1.1.1 matches both rules. In config order the permit rule is checked first, so the packet is permitted.

  acl number 2000 match-order auto
  rule permit source 1.1.1.0 0.0.0.255
  rule deny source 1.1.1.1 0

The same packet, DA=3.3.3.3 SA=1.1.1.1, now hits the deny rule first, because its wildcard of 0 makes it the more specific rule, so the packet is denied.
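As an added illustration (not code from the H3C slides), the following Python models the wildcard-mask matching of the tables above and the config versus auto match order of a Comware ACL, and also checks the RTC rule from configuration example 1 (deny 172.16.0.1 to 192.168.0.0 0.0.1.255) against constructed destination addresses. Rule, Acl and wildcard_to_prefix are names chosen for this example, and every packet address is a constructed sample value.

```python
# Added example, not from the H3C slides: models Comware-style wildcard-mask
# matching and the "config" vs "auto" ACL match order in Python.
# Rule, Acl and wildcard_to_prefix are names chosen for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, 1 = address bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & care) == (ip_to_int(rule_ip) & care)


def wildcard_to_prefix(wildcard: str) -> Optional[int]:
    """Prefix length for a contiguous wildcard (0.0.0.255 -> 24); None when the
    wildcard is non-contiguous, e.g. 0.0.2.255, which has no CIDR equivalent."""
    w = ip_to_int(wildcard)
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        return None
    return 32 - ones


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    source: Optional[str] = None  # None means "any"
    source_wc: str = "0.0.0.0"    # CLI shorthand "0" is 0.0.0.0 (exact host)
    dest: Optional[str] = None
    dest_wc: str = "0.0.0.0"

    def matches(self, sa: str, da: str) -> bool:
        if self.source is not None and not wildcard_match(sa, self.source, self.source_wc):
            return False
        if self.dest is not None and not wildcard_match(da, self.dest, self.dest_wc):
            return False
        return True

    def dont_care_bits(self) -> int:
        """Sort key for auto (depth-first) order: fewer ignored bits = more specific."""
        total = 0
        for addr, wc in ((self.source, self.source_wc), (self.dest, self.dest_wc)):
            total += 32 if addr is None else bin(ip_to_int(wc)).count("1")
        return total


@dataclass
class Acl:
    rules: List[Rule]
    match_order: str = "config"   # "config" (configured order) or "auto" (depth-first)
    default: str = "permit"       # action when no rule matches (firewall default)

    def evaluate(self, sa: str, da: str = "0.0.0.0") -> str:
        ordered = self.rules
        if self.match_order == "auto":
            # stable sort: equally specific rules keep their configured order
            ordered = sorted(self.rules, key=Rule.dont_care_bits)
        for rule in ordered:
            if rule.matches(sa, da):
                return rule.action
        return self.default


# The two rules of the match-order example, under each match order.
MATCH_RULES = [Rule("permit", "1.1.1.0", "0.0.0.255"), Rule("deny", "1.1.1.1", "0.0.0.0")]
ACL_CONFIG = Acl(MATCH_RULES, match_order="config")
ACL_AUTO = Acl(MATCH_RULES, match_order="auto")

# The RTC rule from configuration example 1 (destination addresses used below are constructed).
RTC_ACL = Acl([Rule("deny", "172.16.0.1", "0.0.0.0", "192.168.0.0", "0.0.1.255")])


if __name__ == "__main__":
    print("config order:", ACL_CONFIG.evaluate("1.1.1.1", "3.3.3.3"))  # permit
    print("auto order:  ", ACL_AUTO.evaluate("1.1.1.1", "3.3.3.3"))    # deny
    for da in ("192.168.0.9", "192.168.1.9", "192.168.2.9"):
        print("RTC 172.16.0.1 ->", da, RTC_ACL.evaluate("172.16.0.1", da))
    print("0.0.2.255 as prefix:", wildcard_to_prefix("0.0.2.255"))      # None
```

The wildcard 0.0.1.255 in the RTC rule covers 192.168.0.0/24 and 192.168.1.0/24 but not 192.168.2.0/24, which is why a non-contiguous or wider-than-intended wildcard is worth checking with a tool like this before the rule is applied to an interface.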

Configuration example 1: advanced ACL

[Figure: topology. NetworkA (192.168.0.0/24) - RTA - RTB - RTC - PCA (172.16.0.1), with NetworkB, NetworkC and NetworkD (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) attached through the routers' E0/0 and E0/1 interfaces.]

Requirement: PCA (172.16.0.1) must not reach NetworkA or NetworkB. On RTC, an advanced ACL denies IP traffic from 172.16.0.1 to 192.168.0.0 0.0.1.255 (the wildcard covers both 192.168.0.0/24 and 192.168.1.0/24), and the ACL is applied inbound on Ethernet0/0:

  [RTC] firewall enable
  [RTC] acl number 3000
  [RTC-acl-adv-3000] rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255
  [RTC-Ethernet0/0] firewall packet-filter 3000 inbound

Configuration example 2: basic ACL

[Figure: same topology as example 1. NetworkA (192.168.0.0/24) - RTA - RTB - RTC - PCA (172.16.0.1); NetworkB, NetworkC and NetworkD are 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.]

On RTA, a basic ACL denies all traffic whose source is PCA (172.16.0.1), and the ACL is applied inbound on Ethernet0/1:

  [RTA] firewall enable
  [RTA] acl number 2000
  [RTA-acl-basic-2000] rule deny source 172.16.0.1 0
  [RTA-Ethernet0/1] firewall packet-filter 2000 inbound


Summary

ACLs are a general classification tool: besides packet filtering, NAT and QoS use them to select traffic. Basic ACLs classify packets by source IP address; advanced ACLs by source and destination IP address, protocol and port; Ethernet frame ACLs by Layer 2 fields. An ACL is created by number, populated with permit and deny rules, and takes effect only once it is applied to an interface.

