HUAWEI TECHNOLOGIES CO., LTD.www.huawei.comHUAWEI Confidential Security Level: DP500001 访问控制列 表和地址转换原理ISSUE 1.0InternalEvaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential l学习完本课程，您应该能够：理解访问控制列表的 基本原理理解地址转换的基本 原理Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential IP包过滤技术介绍l对路由器需要转发的数据包，先获取包头信息，然后和设定的 规则进行比较，根据比较的结果对数据包进行转发或者丢弃。而实 现包过滤的核心技术是访问控制列表。Internet公司总部内部网络未授权用户办事处Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential 访问控制列表的作用l访问控制列表可以用于防火墙；l访问控制列表可以用于Qos（Quality of Service），对数据流量 进行控制；l在DCC中，访问控制列表还可用来规定触发拨号的条件；l访问控制列表还可以用于地址转换；l在配置路由策略时，可以利用访问控制列表来作路由信息的过 滤。Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential 访问控制列表是什么？l一个IP数据包如下图所示（图中IP所承载的上层协议为 TCP/UDP）：IP报头TCP/UDP报头数据协议号源地址目的地址源端口目的端口对于TCP/UDP来说，这5个 元素组成了一个TCP/UDP相 关，访问控制列表就是利用 这些元素定义的规则Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential 如何标识访问控制列表？l利用数字标识访问控制列表l利用数字范围标识访问控制列表的种类列表的种类类数字标识标识 的范围围IP standard list2000-2999IP extended list3000-3999Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential 标准访问控制列表l标准访问控制列表只使用源地址描述数据，表明是允许还是拒 绝。从202.110.10.0/24来 的数据包可以通过！从192.110.10.0/24来 的数据包不能通过！路由器Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIES CO., LTD.HUAWEI Confidential 标准访问控制列表的配置l配置标准访问列表的命令格式如 下：acl acl-number match-order auto | config rule normal | special permit | deny source source-addr source-wildcard | any 怎样利用 IP 地址 和 反掩码wildcard-mask 来表示 一个网段?Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.HUAWEI TECHNOLOGIE