ACL访问控制列表

访问控制列表AccessControlList 深圳职业技术学院计算机系网络专业 教学目标 Objectives 1 访问控制列表 AccessControlList 2 配置标准访问控制列表 ConfigurestandardIPaccesslists 3 配置扩展访问控制列表 ConfigureextendedIPaccesslists 4 配置命名访问控制列表 ConfigurenamedIPaccesslists 5 验证和监视ACL VerifyandmonitorIPaccesslists 172 16 0 0 172 17 0 0 Internet 当网络访问增长时 管理IP通信ManageIPtrafficasnetworkaccessgrows当数据包通过路由器时 起到过滤作用Filterpacketsastheypassthroughtherouter 为什么使用ACL WhyUseAccessControlLists ACL作用 FunctionofACL 1 限制网络流量 提高网络性能 Limitnetworktrafficandincreasenetworkperformance 2 提供对通信流量的控制手段 Providetrafficflowcontrol 3 提供网络访问的基本安全手段 Provideabasiclevelofsecurityfornetworkaccess 4 在路由器接口处 决定哪种类型的通信流量被转发 哪种类型的通信流量被阻塞 Decidewhichtypesoftrafficareforwardedorblockedattherouterinterfaces ACL如何工作 ACLHowtowork ACL条件顺序 TheorderinwhichACLstatementsareplaced ACL条件顺序 TheorderinwhichACLstatementsareplaced CiscoIOS按照各描述语句在ACL中的顺序 根据各描述语句的判断条件 对数据包进行检查 一旦找到了某一匹配条件 就结束比较过程 不再检查以后的其他条件判断语句 TheCiscoIOSsoftwareteststhepacketagainsteachconditionstatementinorderfromthetopofthelisttothebottom Onceamatchisfoundinthelist theacceptorrejectactionisperformedandnootherACLstatementsarechecked 什么是ACL WhatAreAccessLists 标准ACL StandardACL 检查源地址 ChecksSourceaddress 允许或拒绝整个协议族 Generallypermitsordeniesentireprotocolsuite OutgoingPacket fa0 0 S0 0 IncomingPacket AccessListProcesses Permit 扩展ACL ExtendedACL 检查源和目的地址 ChecksSourceandDestinationaddress 通常允许或拒绝特定的协议 Generallypermitsordeniesspecificprotocols OutgoingPacket Fa0 0 s0 0 IncomingPacket AccessListProcesses Permit Protocol 什么是ACL WhatAreAccessLists 用扩展ACL检查数据包 CheckPacketswithExtendedACL 常见端口号 KnownPortNumber ACL表号 ACLNumber 通配符掩码 WildcardMask 1 是一个32比特位的数字字符串 Awildcardmaskisa32 bitquantity 2 0表示 检查相应的位 1表示 不检查 忽略 相应的位 Azeromeansletthevaluethroughtobechecked theX s 1 s meanblockthevaluefrombeingcompared 特殊的通配符掩码 SpecialWildcardMask 1 Any0 0 0 0255 255 255 2552 Host172 30 16 290 0 0 0Host172 30 16 29 AccessList命令 AccessListCommand Step1 定义访问控制列表 DefinetheACL access listaccess list number permit deny testconditions Router config Router config access list1permit10 0 0 00 255 255 255 Step2 将访问控制列表应用到某一接口上 ApplyACLtoaInterface protocol access groupaccess list number in out Router config if AccessList命令 AccessListCommand Router config if ipaccess group1out 仅允许我的网络 Permitmynetworkonly access list1permit172 16 0 00 0 255 255 implicitdenyall notvisibleinthelist access list1deny0 0 0 0255 255 255 255 interfaceethernet0ipaccess group1outinterfaceethernet1ipaccess group1out 标准IPACL实例1 StandardIPACLExample1 172 16 3 0 172 16 4 0 172 16 4 13 E0 S0 E1 Non 172 16 0 0 access list1deny172 16 4 130 0 0 0access list1permit0 0 0 0255 255 255 255 implicitdenyall access list1deny0 0 0 0255 255 255 255 interfaceethernet0ipaccess group1out 标准IPACL实例2 StandardIPACLExample2 172 16 3 0 172 16 4 0 172 16 4 13 E0 S0 E1 Non 172 16 0 0 拒绝特定的主机 Denyaspecifichost access list1deny172 16 4 00 0 0 255access list1permitany implicitdenyall access list1deny0 0 0 0255 255 255 255 interfaceethernet0ipaccess group1out 标准IPACL实例3 StandardIPACLExample3 172 16 3 0 172 16 4 0 172 16 4 13 E0 S0 E1 Non 172 16 0 0 拒绝特定的子网 Denyaspecificsubnet 标准ACL与扩展ACL比较 StandardversusExternalACL 标准 Standard 扩展 Extended 过滤基于源 FiltersBasedonSource 过滤基于源和目的 FiltersBasedonSourceanddestination 允许或拒绝整个协议族 PermitordenyentireTCP IPprotocolsuite 允许或拒绝特定的IP协议或端口 SpecifiesaspecificIPprotocolandportnumber 范围 100 199 Rangeis100through199 范围 1 99 Rangeis1through99 CASESTUDY 首先使得PC1所在的网络不能通过路由器R1访问PC2所在的网络 扩展ACL配置 ExtendedIPACLConfiguration Router config access listaccess list number permit deny protocolsourcesource wildcard operatorport destinationdestination wildcard operatorport established log access list101denytcp172 16 4 00 0 0 255172 16 3 00 0 0 255eq21access list101denytcp172 16 4 00 0 0 255172 16 3 00 0 0 255eq20access list101permitipanyany implicitdenyall access list101denyip0 0 0 0255 255 255 2550 0 0 0255 255 255 255 interfaceethernet0ipaccess group101out 拒绝从172 16 3 0到172 16 3 0的经过E0出方向的FTP流量DenyFTPfromsubnet172 16 4 0tosubnet172 16 3 0outofE0允许其他所有的流量Permitallothertraffic 扩展ACL实例1 ExtendedACLExample1 172 16 3 0 172 16 4 0 172 16 4 13 E0 S0 E1 Non 172 16 0 0 access list101denytcp172 16 4 00 0 0 255anyeq23access list101permitipanyany implicitdenyall interfaceethernet0ipaccess group101out 仅拒绝子网172 16 4 0在E0出方向的流量DenyonlyTelnetfromsubnet172 1172 16 4 06 4 0outofE0允许其他流量 Permitallothertraffic ExtendedAccessListExample2 172 16 3 0 172 16 4 0 172 16 4 13 E0 S0 E1 Non 172 16 0 0 使用命名IPACL UsingNamedIPACL Router config ipaccess list standard extended name IOS11 2以后支持的特征FeatureforCiscoIOSRelease11 2orlater 名字字符串要唯一Namestringmustbeunique 使用命名IPACL UsingNamedIPACL permit deny ipaccesslisttestconditions permit deny ipaccesslisttestconditions no permit deny ipaccesslisttestconditions Router config std ext nacl 允许或拒绝陈述条件前没有表号Permitordenystatementshavenoprependednumber可以用 NO 命令移去特定的陈述 no removesthespecifictestfromthenamedaccesslist 使用命名IPACL UsingNamedIPACL 在接口上激活命名ACLActivatestheIPnamedaccesslistonaninterface 扩展ACL靠近源Placeextendedaccesslistsclosetothesource标准ACL靠近目的Placestandardaccesslistsclosetothedestination E0 E0 E1 S0 To0 S1 S0 S1 E0 E0 B A C 放置ACL PlacingIPAccessLists D wg ro a showipinte0Ethernet0isup lineprotocolisupInternetaddressis10 1 1 11 24Broadcastaddressis255 255 255 255AddressdeterminedbysetupcommandMTUis1500bytesHelperaddressisnotsetDirectedbroadcastforwardingisdisabledOutgoingaccesslistisnotsetInboundaccesslistis1ProxyARPisenabledSecuritylevelisdefaultSplithorizonisenabledICMPredirectsarealwayssentICMPunreachablesarealwayssentICMPmaskrepliesareneversentIPfastswitchingisenabledIPfastswitchingonthesameinterfaceisdisabledI