Unit 5: Access Control Lists 5.1 Access Control Lists Standard ACLs

mac2022-06-30  29

>> Here are examples of actual ACL statements. To permit a single IP address, you can use any of these three statements. The first uses a wildcard mask of 0.0.0.0 following the source IP address, which means check all 32 bits of the IP address to match the statement. The second leaves off the wildcard mask, which is valid syntax for a standard ACL and assumes a wildcard mask of 0.0.0.0. The third uses the keyword host before the source IP address.

The statement to permit traffic originating from the 129.21.52.0 subnet would look like this. Notice the wildcard mask has 0s in the first three octets. This means check all bits in the first 3 octets of the source IP address. The wildcard mask's last octet is all 1s in binary, or 255 in base 10. This means don't check any bits in the fourth octet, because once we establish the host is on 129.21.52.0/24, we don't care what the specific host portion of the address is. Although technically any value can be used for the fourth octet of the source IP address, the standard is to place a 0 there. In fact, if you put any value there, since the wildcard mask is 255 in that octet, most routers will automatically change it to 0 in the configuration.

Remember there's an implicit deny any at the end of every ACL. So if you have an ACL with a single permit statement, any traffic that doesn't match that statement will be filtered. What do you think will happen if we want to block traffic from one subnet coming into our network and we come up with the following one-line ACL? Well, that actually blocks all traffic coming into our network. Traffic sourced from 129.21.86.0/24 will meet the statement and will be blocked. Traffic not sourced by 129.21.86.0/24 will not meet the statement. Since there are no other manually configured statements in our ACL, the packet will meet the implicit deny any and will be filtered. What we would have to do in that case is add one more line to our ACL. The wildcard mask of 255.255.255.255 means don't check any of the 32 bits in the IP address. Alternatively, the statement can be written simply as 'permit any'; the keyword any takes the place of 0.0.0.0 255.255.255.255 and it's much easier to type. Now when traffic is sourced from 129.21.86.0 it will still be denied by statement one in our ACL, but traffic sourced from any other address will meet statement number two and won't be filtered. The implicit deny any in this case will never be reached, since all packets are now guaranteed to match one of our explicitly configured statements.
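The following Python model of standard-ACL evaluation is an added example and is not part of the lecture or of any router vendor's code. It implements the wildcard-mask rule the lecture describes (a 0 bit in the mask means "this bit must match", a 1 bit means "don't care"), first-match evaluation, the implicit deny any, and the router's habit of zeroing the don't-care host bits in a stored statement. The parser accepts only the statement forms the lecture shows (explicit mask, omitted mask, the host keyword, and any); the function names and the sample ACLs built from the lecture's 129.21.52.0/24 and 129.21.86.0/24 addresses are constructed for this example.

```python
"""Standard ACL evaluation with wildcard masks (added example, not lecture code)."""
import ipaddress


def to_int(addr):
    """IPv4 dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def matches(src, entry_addr, wildcard):
    """True when src matches entry_addr under the wildcard mask.

    The bits that must match are the inverse of the wildcard: a wildcard of
    0.0.0.0 checks all 32 bits, 0.0.0.255 checks the first three octets only,
    and 255.255.255.255 checks nothing (so everything matches).
    """
    check = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & check) == (to_int(entry_addr) & check)


def normalize(entry_addr, wildcard):
    """Zero the don't-care bits, as most routers do when storing the statement
    (e.g. 129.21.52.7 0.0.0.255 is stored as 129.21.52.0 0.0.0.255)."""
    kept = to_int(entry_addr) & ~to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(kept))


def parse_entry(line):
    """Parse one standard-ACL statement into (action, address, wildcard).

    Accepted forms (the ones shown in the lecture):
        permit 129.21.52.10 0.0.0.0      explicit wildcard mask
        permit 129.21.52.10              mask omitted -> 0.0.0.0 assumed
        permit host 129.21.52.10         host keyword -> 0.0.0.0
        permit any                       -> 0.0.0.0 255.255.255.255
        deny 129.21.86.0 0.0.0.255       whole /24
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, normalize(parts[1], wildcard), wildcard


def evaluate(acl_lines, src):
    """First-match evaluation. Returns (action, statement_number); statement
    number 0 means the packet fell through to the implicit 'deny any'."""
    for number, line in enumerate(acl_lines, start=1):
        action, addr, wildcard = parse_entry(line)
        if matches(src, addr, wildcard):
            return action, number
    return "deny", 0


# Constructed sample ACLs using the lecture's addresses.
ONE_LINE_ACL = ["deny 129.21.86.0 0.0.0.255"]                 # blocks everything
TWO_LINE_ACL = ["deny 129.21.86.0 0.0.0.255", "permit any"]   # blocks only the /24

if __name__ == "__main__":
    for acl in (ONE_LINE_ACL, TWO_LINE_ACL):
        for src in ("129.21.86.5", "129.21.52.9"):
            print(acl, src, "->", evaluate(acl, src))
```

Running the block shows the lecture's point in the last column: with the one-line ACL both sources are denied (the second by statement 0, the implicit deny), while with the two-line ACL only the 129.21.86.0/24 host is denied and the other source is permitted by statement 2.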

Reposted from: https://www.cnblogs.com/sec875/articles/10028620.html
