CCNA1220 Chapter 20: Access Control Lists

Chapter 20: Access Control Lists
1999, Cisco Systems, Inc. (ICND slides 10-1 through 10-63)

Main topics: how to use ACLs.

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
  • Identify the key functions and special processing of IP access lists
  • Configure standard IP access lists
  • Control virtual terminal access with access-class
  • Configure extended IP access lists
  • Verify and monitor IP access lists

20.1 ACL Overview
ACL stands for access control list. Purpose: network access security control.

1. Why use ACLs?
  • Manage IP traffic as network access grows
  • Filter packets as they pass through the router
Figure: FDDI, Token Ring and Internet segments joined by a router that filters the packets crossing it.

2. Access list applications
  • Permit or deny packets moving through the router (transmission of packets on an interface)
  • Permit or deny vty access to or from the router (virtual terminal line access, IP)
  • Without access lists, all packets could be transmitted onto all parts of your network

Other access list uses
  • Priority and custom queuing (queue list)
  • Dial-on-demand routing
  • Route filtering (routing table)
  • Special handling for traffic based on packet tests
  • Firewall

3. What are access lists?
  • Standard: checks the source address; generally permits or denies an entire protocol suite
Figure: incoming packet on E0, access list processes (permit? source), outgoing packet on S0.

  • Extended: checks the source and destination address; generally permits or denies specific protocols
  • Either kind is applied inbound or outbound
Figure: incoming packet on E0, access list processes (permit? source and destination, protocol), outgoing packet on S0.

4. Outbound access lists
Figure: packet processing flow: packets arrive on the inbound interface; routing table entry? (N: packet discard bucket); choose interface; access list on it? (N: packet goes straight out the outbound interface); test access list statements; permit? (Y: packet goes out the outbound interface, S0 or E0; N: discard the packet and notify the sender).
  • If no access list statement matches, then discard the packet

A list of tests: deny or permit
Figure: packets to the interface(s) in the access group are run through the tests in order. Match first test? (Y: deny sends the packet to the discard bucket, permit sends it on to the interface destination; N: go on.) Match next test(s)? ... Match last test? If no test matches, the implicit deny applies: deny all.

5. Access list configuration guidelines
  • Access list numbers indicate which protocol is filtered
  • One access list per interface, per protocol, per direction
  • The order of access list statements controls testing
  • Most restrictive statements should be at the top of the list
  • There is an implicit deny any as the last access list test; every list should have at least one permit statement
  • Create access lists before applying them to interfaces
  • Access lists filter traffic going through the router; they do not apply to traffic originated from the router

6. Access list command overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
    Router(config)# access-list access-list-number permit | deny test conditions
Step 2: Enable an interface to use the specified access list
    Router(config-if)# protocol access-group access-list-number in | out
IP access lists are numbered 1-99 or 100-199.

7. How to identify access lists
  Protocol   Number range / identifier            Access list type
  IP         1-99                                 Standard
  IP         100-199                              Extended
  IP         Name (Cisco IOS 11.2 and later)      Named
  IPX        800-899                              Standard
  IPX        900-999                              Extended
  IPX        1000-1099                            SAP filters
  IPX        Name (Cisco IOS 11.2.F and later)    Named
  • Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
  • Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
  • Other access list number ranges test conditions for other networking protocols

8. Testing packets with standard access lists
Figure: frame header (for example, HDLC), packet (IP header) carrying the source address, segment (for example, TCP header), data. Access list statements 1-99 test only the source address in the IP header and then deny or permit the packet.

9. Testing packets with extended access lists
Figure: an example from a TCP/IP packet: frame header (for example, HDLC), packet (IP header) carrying source address, destination address and protocol, segment (for example, TCP header) carrying the port number, data. Access list statements 1-99 or 100-199 test the packet and then deny or permit it.

Wildcard bits: how to check the corresponding address bits
  • 0 means check the value of the corresponding address bit
  • 1 means ignore the value of the corresponding address bit
Octet bit position and address value for each bit: 128 64 32 16 8 4 2 1
Examples:
  00000000 = check all address bits (match all)
  00001111 = ignore the last 4 address bits
  00111111 = ignore the last 6 address bits
  11111100 = check the last 2 address bits
  11111111 = do not check the address (ignore all bits in the octet)

Wildcard bits to match a specific IP host address
  • Test condition: check all the address bits (match all); the wildcard mask 0.0.0.0 checks every bit of the host address
  • Abbreviate this wildcard mask using the IP address preceded by the keyword host (host ip-address)

Wildcard bits to match any IP address
  • Test condition: ignore all the address bits (match any); the wildcard mask 255.255.255.255 ignores every bit, so any IP address is accepted
  • Abbreviate the expression using the keyword any

Wildcard bits to match IP subnets
Example: check for a run of /24 subnets whose third octet goes from 16 to 31. The third octet of the wildcard mask is 0 0 0 0 1 1 1 1: the high four bits are checked and the low four bits are ignored, so all of these third-octet values match:
  0 0 0 1 0 0 0 0 = 16
  0 0 0 1 0 0 0 1 = 17
  0 0 0 1 0 0 1 0 = 18
  :
  0 0 0 1 1 1 1 1 = 31
The fourth octet holds host bits and is ignored entirely, so the address and wildcard mask pair takes the form network-address 0.0.15.255.

20.2 Configuring Standard IP Access Lists

Standard IP access list configuration
    Router(config)# access-list access-list-number permit|deny source mask
  • Sets parameters for this list entry
  • IP standard access lists use 1 to 99
  • Default wildcard mask = 0.0.0.0
  • "no access-list access-list-number" removes the entire access list
    Router(config-if)# ip access-group access-list-number in | out
  • Activates the list on an interface
  • Sets inbound or outbound testing
  • Default = outbound
  • "no ip access-group access-list-number" removes the access list from the interface

Standard IP access list example 1: permit my network only
Figure: router with interfaces E0, E1 and S0; the local network sits behind E0 and E1, and non-local addresses are reached through S0.
    access-list 1 permit <my-network> <wildcard>
    (implicit deny all - not visible in the list)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out
    interface ethernet 1
    ip access-group 1 out

Standard IP access list example 2: deny a specific host
    access-list 1 deny <host-address>
    access-list 1 permit <my-network> <wildcard>
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out
The deny for the single host must come before the permit for its network: with the order reversed, the permit would match first and the host would never be denied.

Standard IP access list example 3: deny a specific subnet
    access-list 1 deny <subnet> <wildcard>
    access-list 1 permit any
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out

20.3 Control vty Access With Access Class

Filter virtual terminal (vty) access to a router
  • Five virtual terminal lines (0 through 4)
  • Filter the addresses that can access the router's vty ports
  • Filter vty access out from the router
Figure: virtual ports (vty 0 through 4) reached over the physical port e0 (Telnet); console port (direct connect).

How to control vty access
  • Set up an IP address filter with a standard access list statement
  • Use line configuration mode to filter access with the access-class command
  • Set identical restrictions on all vtys

Virtual terminal line commands
    Router(config)# line vty vty# | vty-range
  • Enters configuration mode for a vty or vty range
    Router(config-line)# access-class access-list-number in|out
  • Restricts incoming or outgoing vty connections to addresses in the access list

Virtual terminal access example: controlling inbound access
Permits only hosts in the given network to connect to the router's vtys:
    access-list 12 permit <network> <wildcard>
    !
    line vty 0 4
     access-class 12 in

20.4 Configuring Extended IP Access Lists

Standard versus extended access lists
  Standard                                          Extended
  Filters based on source.                          Filters based on source and destination.
  Permit or deny entire TCP/IP protocol suite.      Specifies a specific IP protocol and port number.
  Range is 1 through 99.                            Range is 100 through 199.

Extended IP access list configuration
    Router(config)# access-list access-list-number permit | deny protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
  • Sets parameters for this list entry
    Router(config-if)# ip access-group access-list-number in | out
  • Activates the extended list on an interface

Extended access list example 1: deny FTP from subnet 172.16.4.0 to the destination subnet out of E0; permit all other traffic
    access-list 101 deny tcp 172.16.4.0 <wildcard> <destination-subnet> <wildcard> eq 21
    access-list 101 deny tcp 172.16.4.0 <wildcard> <destination-subnet> <wildcard> eq 20
    access-list 101 permit ip any any
    (implicit deny all)
    (access-list 101 deny ip any any)
    interface ethernet 0
    ip access-group 101 out

Extended access list example 2: deny only Telnet from the subnet out of E0; permit all other traffic
    access-list 101 deny tcp <subnet> <wildcard> any eq 23
    access-list 101 permit ip any any
    (implicit deny all)
    interface ethernet 0
    ip access-group 101 out

20.5 Using Named IP Access Lists
    Router(config)# ip access-list standard | extended name
    Router(config std- | ext-nacl)# permit | deny ip access list test conditions
    Router(config std- | ext-nacl)# no permit | deny ip access list test conditions
    Router(config-if)# ip access-group name in | out
  • Feature for Cisco IOS Release 11.2 or later
  • Alphanumeric name string must be unique
  • Permit or deny statements have no prepended number
  • no removes the specific test from the named access list
  • ip access-group activates the IP named access list on an interface

Access list configuration principles
  • Order of access list statements is crucial. Recommended: use a text editor on a TFTP server, or use a PC to cut and paste
  • Top-down processing: place more specific test statements first
  • No reordering or removal of statements: use the no access-list number command to remove the entire access list. Exception: named access lists permit removal of individual statements
  • Implicit deny all, unless the access list ends with an explicit permit any

20.6 Where to Place IP Access Lists
Recommended:
  • Place extended access lists close to the source
  • Place standard access lists close to the destination
Figure: three routers linked by serial (S0, S1), Ethernet (E0, E1) and Token Ring (To0) interfaces.
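The two mechanisms this chapter turns on, wildcard-bit matching and top-down first-match evaluation ending in the implicit deny, modelled in Python. This is an added example written for this page, not Cisco code; the host 172.16.4.13, the network 172.16.0.0 0.0.255.255, the /24 wildcards on 172.16.4.0 and 172.16.3.0, the 172.30.16.0 0.0.15.255 subnet range and all sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'check this bit', a 1 bit means 'ignore it'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must be equal
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # source address
    src_wc: str                      # source wildcard mask
    proto: str = "ip"                # "ip" matches every protocol; "tcp"/"udp" are compared
    dst: str = "0.0.0.0"             # destination address (with the default dst_wc this is 'any')
    dst_wc: str = "255.255.255.255"  # destination wildcard mask
    dport: Optional[int] = None      # 'eq' test on the destination port, if present

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down, first-match processing with the implicit 'deny all' after the last test."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], e.src, e.src_wc):
            continue
        if not wildcard_match(pkt["dst"], e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.get("dport"):
            continue
        return e.action   # the first matching test decides; later tests are never reached
    return "deny"         # implicit deny: a packet that matches no test is discarded

# Standard list, as in the slides' example 2: deny one host, then permit the rest of its
# network. Host 172.16.4.13 and network 172.16.0.0 0.0.255.255 are constructed sample values.
ACL1 = [Entry("deny", "172.16.4.13", "0.0.0.0"),
        Entry("permit", "172.16.0.0", "0.0.255.255")]
ACL1_SHADOWED = list(reversed(ACL1))   # same tests, wrong order: the permit hides the deny
# Extended list, as in the slides' example 1: deny FTP (ports 21 and 20) from 172.16.4.0
# to 172.16.3.0 and permit everything else. The /24 wildcards are assumed.
ACL101 = [Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 21),
          Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 20),
          Entry("permit", "0.0.0.0", "255.255.255.255")]   # permit ip any any
if __name__ == "__main__":
    # Constructed sample packets; the comments give the expected decision.
    print(evaluate(ACL1, {"src": "172.16.4.13", "dst": "10.0.0.1", "proto": "tcp"}))           # deny
    print(evaluate(ACL1_SHADOWED, {"src": "172.16.4.13", "dst": "10.0.0.1", "proto": "tcp"}))  # permit
    print(evaluate(ACL1, {"src": "10.9.9.9", "dst": "10.0.0.1", "proto": "tcp"}))              # deny (implicit)
    print(evaluate(ACL101, {"src": "172.16.4.7", "dst": "172.16.3.2", "proto": "tcp", "dport": 21}))  # deny
    print(evaluate(ACL101, {"src": "172.16.4.7", "dst": "172.16.3.2", "proto": "tcp", "dport": 22}))  # permit
    # Wildcard 0.0.15.255 on 172.30.16.0 covers third octets 16 through 31, as on the subnet slide.
    print(wildcard_match("172.30.31.9", "172.30.16.0", "0.0.15.255"))   # True
    print(wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255"))   # False
```

The shadowed list shows why the guidelines put the most specific (and most restrictive) test first: once the network-wide permit matches, the host deny below it is never reached.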
