Unit 5: Access Control Lists
5.1 Access Control Lists: Standard vs. Extended ACLs


ACLs come in two flavors, standard and extended. Standard ACLs can only permit or deny by the source IP address in a packet header. Extended ACLs permit or deny by source IP address as well, but they can also use two or three other criteria: destination IP address, protocol, and port. Interestingly enough, if you're using an extended ACL you must use the source IP address, the destination IP address, and the protocol. The only optional parameter is port.

When I say source IP address or destination IP address, it can actually mean three different things. It can be an actual IPv4 address assigned to a client, server, or device. For example, 129.21.140, which is actually the IP address of the RIT web server. It could be a classful address that all subnets inside of an autonomous system start off with. For example, RIT was one of the privileged organizations to receive a class B address back in the days of classful addressing, 129.21.0.0/16. We have many internal networks here at RIT. They all start off with the same first two octets of 129.21. It can be a specific subnet. As we just mentioned, 129.21.0.0/16 represents all RIT networks, but an ACL can deal with just a specific subnet using that subnet's network ID. For example, 129.21.10/24.

Now you might be wondering: if an extended ACL can do what a standard ACL can do and then some, what's the purpose of having a standard ACL? That's a good question. And I've got a good answer. If you wanted to permit or deny based on an IP address, whether it's an actual host address, a classful address, or a subnet's network ID, the router implementing the stateless packet filter just needs to check one field in the IP header: source IP address. This is basically whitelisting a legitimate device or blacklisting [inaudible] device. Once you start to add other criteria to check, like destination IP address, protocol, and port, the latency increases, as each packet will be put up against multiple lines of instructions and multiple tests at each line. It will take much more time for packets to go inbound to a router and outbound from a router. Now three or four fields need to be checked for each ACL statement instead of one.

Of course, in some cases this is needed. Let's say I'm at home and the doorbell rings. It's my wife holding lots of shopping bags. She can't reach for her key. I don't need her to tell me that she wants to come in the house (like a destination IP address) and go to the kitchen (like a destination port) to put away the groceries (like a protocol). I'm just checking the source IP address, who she is, and permitting her into the house based on that. That's the purpose of a standard ACL.
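As an added illustration, not part of the lecture: a small Python model of the stateless packet filter described above, with a standard ACL that tests only the source address and an extended ACL that tests source, destination, protocol and optionally port, counting the header-field tests each packet costs. Apart from the 129.21.0.0/16 block named in the lecture, the addresses and policy are constructed placeholders.

```python
import ipaddress
from collections import namedtuple
# Fields of the IP/TCP header a stateless packet filter looks at (constructed).
Packet = namedtuple("Packet", "src dst proto dport")

def standard_acl(entries, pkt):
    """Standard ACL: entries are (action, source_net). Only the source IP field
    is tested; first match wins; unmatched traffic hits the implicit deny.
    Returns (action, number of header-field tests performed)."""
    src, tests = ipaddress.ip_address(pkt.src), 0
    for action, src_net in entries:
        tests += 1
        if src in ipaddress.ip_network(src_net):
            return action, tests
    return "deny", tests

def extended_acl(entries, pkt):
    """Extended ACL: entries are (action, protocol, source_net, dest_net, port).
    Source, destination and protocol are mandatory; port is optional (None)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    tests = 0
    for action, proto, src_net, dst_net, port in entries:
        field_tests = [
            src in ipaddress.ip_network(src_net),
            dst in ipaddress.ip_network(dst_net),
            proto in ("ip", pkt.proto),       # "ip" matches any protocol
        ]
        if port is not None:
            field_tests.append(port == pkt.dport)
        tests += len(field_tests)             # 3 or 4 tests per line, not 1
        if all(field_tests):
            return action, tests
    return "deny", tests

# Constructed sample policy; only 129.21.0.0/16 comes from the lecture.
STANDARD_ACL = [("permit", "129.21.0.0/16")]
EXTENDED_ACL = [
    ("permit", "tcp", "0.0.0.0/0", "129.21.1.0/24", 80),   # web into one subnet
    ("deny", "ip", "0.0.0.0/0", "129.21.0.0/16", None),    # everything else
]
def demo():
    web = Packet("203.0.113.5", "129.21.1.10", "tcp", 80)
    ssh = Packet("203.0.113.5", "129.21.1.10", "tcp", 22)
    internal = Packet("129.21.7.9", "129.21.1.10", "tcp", 22)
    return {
        "std_internal": standard_acl(STANDARD_ACL, internal),  # ("permit", 1)
        "std_outside": standard_acl(STANDARD_ACL, web),        # ("deny", 1)
        "ext_web": extended_acl(EXTENDED_ACL, web),            # ("permit", 4)
        "ext_ssh": extended_acl(EXTENDED_ACL, ssh),            # ("deny", 7)
    }
```

The test counts make the lecture's latency point concrete: the standard list decides every packet with one field test, while the extended list spends four tests on the permitted web packet and seven on the SSH packet before reaching a verdict.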

Reposted from: https://www.cnblogs.com/sec875/articles/10028603.html
