Principle and Application of ACL and NAT


Preface

ACL (access control list) filters packets according to predefined rules.
NAT (network address translation) lets hosts on a private network reach the public network and, where a server mapping is configured, lets public hosts reach an internal server.

I. ACL

1. Principle

When a packet passes through an interface on which an ACL has been applied, the router checks the packet against the ACL rules and permits or drops it accordingly.

2. Type

Basic ACL (numbers 2000-2999): matches only the source IP address. Because it cannot tell destinations apart, apply it as close to the destination as possible so that it does not cut off traffic to other destinations.
Advanced ACL (numbers 3000-3999): matches source IP, destination IP, protocol, source port and destination port, i.e. layer 3 and layer 4 information. Apply it as close to the source as possible so that unwanted traffic is dropped early.
Layer 2 ACL (numbers 4000-4999): matches layer 2 (Ethernet frame) fields; rarely used.

3 Roles

1 Access control on packets.
2 Traffic classification for other features, which reference an ACL to select the addresses they act on (NAT, below, is an example).

4 Application rules

1 Only one ACL can be applied in a given direction on an interface.
2 An ACL can contain multiple rules. In the default (config) match order, rules are checked by rule number from small to large, i.e. from top to bottom.
3 Once a packet matches a rule, the action of that rule is taken and no later rule is checked.
4 When an ACL is used for packet filtering, a packet that matches no rule is permitted by default (a Huawei characteristic; other vendors' ACLs end with an implicit deny).

Commands

The commands are divided into basic and advanced.
ACL topology diagram (figure)
For example, allowing only pc1 to access pc3 can be achieved with an ACL. The general steps are: 1. Configure addresses on the router interfaces
2. Define the ACL rules
3. Apply the ACL on the interface in the inbound or outbound direction

acl 2000    create ACL 2000 and enter its view
rule permit source 192.168.1.1 0    permit packets whose source is 192.168.1.1; the 0 is the wildcard mask, meaning every bit must match, i.e. exactly this one host
rule deny source any    deny every other source
int g0/0/1    enter the outbound interface
traffic-filter outbound acl 2000    apply the ACL to packets leaving this interface
The result (figure) is that pc1 can reach pc3 and the other hosts cannot.
Advanced ACL rules can match layer 3 and layer 4 protocol fields, for example to prohibit hosts on the 192.168.1.0/24 segment from pinging the server (figures).
The result (figures) is that the 192.168.1.0/24 segment can no longer ping the server.
An ACL can also match the protocol and port of a service, such as the web (HTTP) service and the FTP service on the server.
Partial commands
rule permit/deny tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80    permit/deny host 192.168.1.3 accessing the server's web port; 80 can be written as www
display this    view the configuration of the current view
int interface    enter an interface
ip address 192.168.2.254 24    configure the IP address
traffic-filter inbound/outbound acl acl-number    apply an ACL in the inbound or outbound direction of the interface
undo traffic-filter inbound/outbound    remove the ACL application in that direction
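As an added example (not from the original post), the following Python script models how the router evaluates the basic and advanced ACLs discussed above. It parses rule lines written in the page's own command syntax, compares addresses with wildcard masks (0 means one exact host, 0.0.0.255 means a /24), takes the first matching rule in top-to-bottom order, and permits a packet that matches no rule, which is the Huawei default described under application rules. ACL 2000 is the page's basic example; ACL 3000, the packets, and the small port-name table are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed rule sets in the page's command syntax. ACL 2000 is the basic
# example (only pc1 = 192.168.1.1 allowed). ACL 3000 is an assumed advanced
# ACL that blocks ping from 192.168.1.0/24 to the server 192.168.3.1 and
# permits only host 192.168.1.3 to reach the server's web port.
BASIC_ACL_2000 = """
rule 5 permit source 192.168.1.1 0
rule 10 deny source any
"""

ADVANCED_ACL_3000 = """
rule 5 deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0
rule 10 permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq www
"""

PORT_NAMES = {"www": 80, "ftp": 21}   # assumed: only the two names the page uses

Addr = Optional[Tuple[int, int]]      # (address, wildcard) or None meaning "any"


def ip_int(s: str) -> int:
    """Dotted quad or a bare integer (VRP accepts '0' as the wildcard 0.0.0.0)."""
    return int(s) if "." not in s else int(ipaddress.IPv4Address(s))


def addr_matches(spec: Addr, ip: str) -> bool:
    """Wildcard-mask comparison: 0 bits in the wildcard must match, 1 bits are ignored."""
    if spec is None:
        return True
    addr, wild = spec
    return (ip_int(ip) & ~wild) == (addr & ~wild)


@dataclass
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None = any protocol (basic ACL)
    src: Addr = None
    dst: Addr = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if not addr_matches(self.src, pkt["src"]) or not addr_matches(self.dst, pkt["dst"]):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def parse_addr(t: list, i: int) -> Tuple[Addr, int]:
    """Parse 'any' or '<ip> <wildcard>' starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return None, i + 1
    return (ip_int(t[i]), ip_int(t[i + 1])), i + 2


def parse_acl(text: str) -> list:
    """Rules keep the order they were entered: VRP's default 'config' match order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "rule":
            continue
        i = 1
        if t[i].isdigit():                    # explicit rule number
            rule_id, i = int(t[i]), i + 1
        else:                                 # VRP auto-numbers in steps of 5
            rule_id = (len(rules) + 1) * 5
        rule = Rule(rule_id=rule_id, action=t[i])
        i += 1
        if i < len(t) and t[i] in ("tcp", "udp", "icmp"):
            rule.proto, i = t[i], i + 1
        while i < len(t):
            if t[i] == "source":
                rule.src, i = parse_addr(t, i + 1)
            elif t[i] == "destination":
                rule.dst, i = parse_addr(t, i + 1)
            elif t[i] == "destination-port" and t[i + 1] == "eq":
                rule.dport = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
                i += 3
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
        rules.append(rule)
    return rules


def traffic_filter(rules: list, pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id). First match wins; a packet matching no rule is
    permitted, the Huawei traffic-filter default (other vendors would drop it)."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.rule_id
    return "permit", None


if __name__ == "__main__":
    acl2000, acl3000 = parse_acl(BASIC_ACL_2000), parse_acl(ADVANCED_ACL_3000)
    for rules, pkt in [
        (acl2000, {"proto": "tcp", "src": "192.168.1.1", "dst": "192.168.3.1", "dport": 80}),
        (acl2000, {"proto": "tcp", "src": "192.168.1.2", "dst": "192.168.3.1", "dport": 80}),
        (acl3000, {"proto": "icmp", "src": "192.168.1.7", "dst": "192.168.3.1"}),
        (acl3000, {"proto": "tcp", "src": "192.168.1.3", "dst": "192.168.3.1", "dport": 80}),
        (acl3000, {"proto": "tcp", "src": "192.168.1.3", "dst": "192.168.3.1", "dport": 22}),
    ]:
        print(pkt, "->", traffic_filter(rules, pkt))
```

The last sample packet (SSH from the permitted host) is the case to notice: no rule in ACL 3000 mentions it, so it passes. On a Huawei device a filter that is meant to be a whitelist must end with an explicit "rule deny" line, as ACL 2000 does.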

II. NAT

1 Principle

NAT rewrites the private source address (and, with PAT, the port number) of outgoing packets to a legal public address and port, and records the mapping as a session so that replies can be translated back. A host outside the NAT cannot initiate communication with a host inside it; the inside host must initiate the connection to a public IP, and the router builds the mapping and forwards the data in both directions.

2 Functions

NAT alleviates the shortage of IP addresses, blocks unsolicited connections from outside, and hides the addresses of internal hosts.
1 Internet access sharing: the most common use of NAT.
2 Security protection: internal addresses are not visible from the outside.
Advantages: saves public IP addresses, handles overlapping address spaces, adds flexibility.
Disadvantages: adds latency, increases configuration and maintenance complexity, and breaks some applications (for example certain VPN protocols).

3 Categories

Static NAT: a fixed one-to-one mapping between an internal address and a public address. It does not save public addresses, but it still hides the internal address.
Dynamic NAT: multiple private addresses are mapped onto a pool of public addresses; each private address takes one pool address while it is in use, so the mapping is one-to-one at any moment.

4 Configuration

Static NAT can be configured in two ways: globally, or declared directly on the interface.

int g0/0/0    enter the internal network interface
ip add 192.168.1.254 24    configure the internal address
int g0/0/1    enter the external network interface
ip add 12.0.0.1 24    configure the external address
nat static global 8.8.8.8 inside 192.168.1.2    (system view) map internal address 192.168.1.2 to public address 8.8.8.8
nat static enable    (on the external interface) enable the static NAT on this interface
The interface form is similar: enter the external interface and type nat static global 8.8.8.8 inside 192.168.1.2 directly.

Dynamic NAT is based on one-to-one mapping from an address pool. The method is to first configure IP addresses on the interfaces (figure), then:
nat address-group 1 200.0.0.100 200.0.0.200    define the public address pool
acl 2000    create the ACL that selects which sources are translated
rule permit source 192.168.1.0 0.0.0.255
rule permit source 12.0.0.0 0.0.0.255    permit traffic from both segments
int g0/0/1    enter the external interface
nat outbound 2000 address-group 1 no-pat    translate outgoing traffic matching ACL 2000 using pool 1
no-pat means only the IP address is translated, not the port; without no-pat the default is PAT
display this    view the configuration

PAT

PAT means port multiplexing, also called NAPT: it maps one public address to multiple private addresses by telling them apart with port numbers, which saves public addresses.
PAT does two things:
1. Changes both the IP address and the port number of the packet.
2. Saves a large number of public IP addresses.
Types
Dynamic PAT: NAPT and Easy IP
Static PAT: NAT server (port mapping)
NAPT: multiple private addresses are mapped to a fixed set of public addresses from an address pool, with ports translated.
Configuration (figure)
nat address-group 2 100.0.0.1 100.0.0.100    define the address pool
acl 2000    create the ACL
rule permit source 192.168.1.0 0.0.0.255    permit the 192.168.1.0/24 segment
nat outbound 2000 address-group 2    (on the external interface) translate outgoing traffic matching ACL 2000 using pool 2, with port translation (the default)

Easy IP: multiple private addresses share the IP address of the external interface itself, so no address pool is needed. The configuration is the same as above except that nat outbound 2000 is applied on the interface without an address-group.

Port Mapping

Maps a port on a private address to a port on a public address so that an internal server can be reached by external users.
int g0/0/1    enter the external interface
nat server protocol tcp global 8.8.8.8 80 inside 192.168.1.100 80    bind public 8.8.8.8:80 to the internal web server 192.168.1.100:80
nat server protocol tcp global current-interface 8080 inside 12.0.0.1 www    use the address of the external interface itself (current-interface) as the public side, binding its port 8080 to the inside host's web port
nat server protocol tcp global current-interface 2121 inside 10.0.0.2 ftp    port 21 can be written as ftp
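As an added example (not from the original post), this Python model ties together the NAT principle above, the dynamic NAT (no-pat) versus NAPT (default PAT) configurations, and the nat server port mapping. A NatRouter translates outbound packets either through an address pool, one private address per pool address, or through one shared address with per-socket ports, and admits an inbound packet only when it hits a static server mapping or the reverse of a session an inside host already opened. The addresses are the page's, but the pool is shortened to two entries so exhaustion shows, the ACL is reduced to a membership test for 192.168.1.0/24, and the class and method names are assumptions.

```python
import ipaddress
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed topology reusing the page's addresses: private side 192.168.1.0/24,
# dynamic pool 200.0.0.100-200.0.0.101 (cut to two addresses so exhaustion shows),
# NAPT address 100.0.0.1, and the nat server mapping 8.8.8.8:80 -> 192.168.1.100:80.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")


def acl_2000(ip: str) -> bool:
    """Stands in for 'acl 2000 / rule permit source 192.168.1.0 0.0.0.255'."""
    return ipaddress.ip_address(ip) in INSIDE_NET


Endpoint = Tuple[str, int]


@dataclass
class NatRouter:
    pool: List[str]                                   # nat address-group
    permit: Callable[[str], bool] = acl_2000          # ACL named in 'nat outbound'
    no_pat: bool = False                              # True: 'no-pat' (dynamic NAT); False: NAPT, the default
    servers: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # 'nat server' static mappings
    ip_map: Dict[str, str] = field(default_factory=dict)              # no-pat: inside ip -> pool ip
    sessions: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # NAPT: inside socket -> public socket
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # NAPT: public socket -> inside socket
    ports: itertools.count = field(default_factory=lambda: itertools.count(1024))

    def outbound(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Inside -> outside. Returns the source (ip, port) as seen on the public side,
        or None when the packet is dropped."""
        if not self.permit(src_ip):
            # Not selected by the ACL: forwarded untranslated, private source intact.
            return (src_ip, src_port)
        if self.no_pat:
            # Dynamic NAT: one private address occupies one whole pool address; ports untouched.
            if src_ip not in self.ip_map:
                free = [g for g in self.pool if g not in self.ip_map.values()]
                if not free:
                    return None          # pool exhausted: the reason no-pat does not scale
                self.ip_map[src_ip] = free[0]
            return (self.ip_map[src_ip], src_port)
        # NAPT/PAT: every inside socket gets its own port on one public address.
        key = (src_ip, src_port)
        if key not in self.sessions:
            mapped = (self.pool[0], next(self.ports))
            self.sessions[key] = mapped
            self.reverse[mapped] = key
        return self.sessions[key]

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Outside -> inside. Only a static 'nat server' mapping or the reverse of a
        session an inside host already opened gives the packet an inside destination;
        any other unsolicited packet has nowhere to go and is dropped."""
        if (dst_ip, dst_port) in self.servers:
            return self.servers[(dst_ip, dst_port)]
        if self.no_pat:
            for inside, public in self.ip_map.items():
                if public == dst_ip:
                    return (inside, dst_port)
            return None
        return self.reverse.get((dst_ip, dst_port))


if __name__ == "__main__":
    dyn = NatRouter(pool=["200.0.0.100", "200.0.0.101"], no_pat=True)
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        print("no-pat", host, "->", dyn.outbound(host, 5000))
    pat = NatRouter(pool=["100.0.0.1"], servers={("8.8.8.8", 80): ("192.168.1.100", 80)})
    for host in ("192.168.1.10", "192.168.1.11"):
        print("napt", host, "->", pat.outbound(host, 5000))
    print("reply to 100.0.0.1:1025 ->", pat.inbound("100.0.0.1", 1025))
    print("unsolicited 100.0.0.1:9999 ->", pat.inbound("100.0.0.1", 9999))
    print("nat server 8.8.8.8:80 ->", pat.inbound("8.8.8.8", 80))
```

Two things the model makes visible that the commands alone do not: with no-pat the third host is dropped once the two-address pool is used up, while NAPT keeps serving hosts from one address; and a packet from a source the ACL does not match (10.0.0.5 in the test) leaves untranslated rather than being blocked, so the ACL referenced by nat outbound selects what is translated, it is not a filter.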

Source: blog.csdn.net/weixin_49172531/article/details/112290245