




Router security

Configure a local login account with an encrypted (hashed) secret:
  Router(config)# username root secret My$Password

Configure a local login account with a plaintext password:
  Router(config)# username root password My$Password
Prefer the secret form: secret stores an MD5 hash of the password, whereas password stores it in the clear (or, once service password-encryption is on, in reversible type 7 form).

Once a username has been configured, each line must be told to authenticate logins against the local user database:
  Router(config)# line con 0
  Router(config-line)# login local
  Router(config)# line aux 0
  Router(config-line)# login local
  Router(config)# line vty 0 4
  Router(config-line)# login local

Configure a domain name on the router:
  Router-Branch-23(config)# ip domain name domain-name

Disable the web service. Cisco routers also enable the HTTP server by default; it is a security risk and is best turned off:
  Router(config)# no ip http server

Set the password for entering privileged mode with the enable secret command. This command stores the password as an MD5 hash, so it is not shown in plaintext in the configuration:
  Router(config)# enable secret My$Password

Encrypt router passwords. By default Cisco IOS does not encrypt passwords in the configuration. The following command encrypts all plaintext passwords:
  Router(config)# service password-encryption
Caveat: this applies type 7 encoding, which is reversible with freely available tools. It stops a password from being read off the screen but does not protect a configuration file that has been copied; use enable secret and username ... secret for anything that matters.

When managing the router, you reach it through the console port, the AUX port, or Telnet, and usually meet two passwords:
1) the password for logging in to the router (the line password);
2) the password for moving from user EXEC mode to privileged EXEC mode (the enable password).

Multi-level privileges allow multi-level management of the router. By default Cisco IOS has a single privileged-mode password; it can be configured with up to 16 privilege levels, each with its own password, and users who log in with a given level's password are allowed to use only certain commands.

How to set up multi-level management. To assign a command to a level, in global configuration mode:
  privilege mode level level command-keyword
Note: Cisco IOS offers levels 0-15. The higher the number, the higher the privilege, and a higher level inherits all commands of the lower levels. User EXEC mode is level 1, privileged EXEC mode is level 15, and levels 2-14 are available for custom definitions.
To set the password for a level:
  enable secret level level password

Multi-level management configuration example:
  enable secret level 2 5 $1$XvWZ$1rd0j5SjVd3172mBzd16e1
  privilege configure level 2 line
  privilege configure level 2 ip route
  privilege configure level 2 interface
  privilege configure level 2 ip routing
  privilege configure level 15 ip
  privilege exec level 2 start-chat
  privilege exec level 2 copy running-config startup-config
  privilege exec level 2 copy running-config
  privilege exec level 2 copy
  privilege exec level 2 configure terminal
  privilege exec level 2 configure
(The 5 before $1$... is the hash type of the stored secret, as it appears in a saved configuration. The privilege configure level 15 ip line keeps the remaining ip subcommands at level 15 while only ip route and ip routing are opened to level 2.)

ACL principles

Why use ACLs?
- Filtering: manage IP traffic by filtering packets passing through a router.
- Classification: identify traffic for special handling.

ACL application: filtering
- Permit or deny packets moving through the router.
- Permit or deny vty access to or from the router.
- Without ACLs, all packets could be transmitted to all parts of your network.

ACL application: classification
- Special handling for traffic based on packet tests.

Outbound ACL operation: the packet is tested against the list's statements in order; if no ACL statement matches, discard the packet.

Matching a list: each statement either denies or permits.

ACL types
Standard ACL:
- checks the source address;
- generally permits or denies the entire protocol suite.
Extended ACL:
- checks source and destination address;
- generally permits or denies specific protocols and applications.
Two methods are used to identify standard and extended ACLs:
- numbered ACLs use a number for identification;
- named ACLs use a descriptive name or number for identification.

How to identify ACLs
- Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range: 1300-1999.
- Numbered extended IPv4 lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range: 2000-2699.
- Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

IP access list entry sequence numbers
- Requires Cisco IOS Release 12.3.
- Allows you to edit the order of ACL statements using sequence numbers. In software earlier than Cisco IOS Release 12.3, a text editor is used to create the ACL statements, which are then copied into the router in the correct order.
- Allows you to remove a single ACL statement from the list using a sequence number. With named ACLs in software earlier than Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement. With numbered ACLs in software earlier than Release 12.3, you must remove the entire ACL to remove a single statement.

ACL configuration guidelines
- Standard or extended indicates what can be filtered.
- Only one ACL per interface, per protocol, and per direction is allowed.
- The order of ACL statements controls testing; therefore the most specific statements go at the top of the list.
- The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement.
- ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
- An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
- When placing ACLs in the network: place extended ACLs close to the source; place standard ACLs close to the destination.

Dynamic ACLs (lock-and-key): users who want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
Reflexive ACLs: used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.

Time-based ACLs: allow for access control based on the time of day and week.

Wildcard mask: how matching bits are checked
- 0 means match the value of the corresponding address bit.
- 1 means ignore the value of the corresponding address bit.

Wildcard bit matching for IP subnets: a contiguous range of /24 subnets can be matched with a single address and wildcard pair. The wildcard carries 0 bits where all addresses in the range agree (the common network prefix) and 1 bits where they differ (the varying subnet bits and the host bits).

Wildcard mask special cases
- A wildcard of 0.0.0.0 matches all of the address bits. Abbreviate it by preceding the IP address with the keyword host (host address).
- A wildcard of 255.255.255.255 ignores all address bits. Abbreviate the expression with the keyword any.

ACL configuration and troubleshooting

Standard IPv4 ACLs match packets on the source address only.

Numbered standard IPv4 ACL configuration
  RouterX(config)# access-list access-list-number {permit | deny | remark} source [source-wildcard]
- Uses 1 to 99 for the access-list-number.
- The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
- The default wildcard mask is 0.0.0.0 (standard ACLs only).
- no access-list access-list-number removes the entire ACL.
- remark lets you add a description to the ACL.
  RouterX(config-if)# ip access-group access-list-number {in | out}
- Activates the list on an interface and sets inbound or outbound testing.
- no ip access-group access-list-number {in | out} removes the ACL from the interface.

Standard IPv4 ACL example 1: deny a specific host
  RouterX(config)# access-list 1 deny host-address
  RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
  (implicit deny all: access-list 1 deny 0.0.0.0 255.255.255.255)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 1 out

Standard IPv4 ACL example 2: deny a specific subnet
  RouterX(config)# access-list 1 deny network-address network-wildcard
  RouterX(config)# access-list 1 permit any
  (implicit deny all: access-list 1 deny 0.0.0.0 255.255.255.255)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 1 out

Standard ACLs to control vty access
  RouterX(config-line)# access-class access-list-number {in | out}
Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL.
Example:
  access-list 12 permit network-address network-wildcard
  (implicit deny any)
  !
  line vty 0 4
   access-class 12 in
Permits only hosts in that network to connect to the router's vty lines.

Extended IPv4 ACLs

Numbered extended IPv4 ACL configuration
  RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets the parameters for this list entry.
  RouterX(config-if)# ip access-group access-list-number {in | out}
Activates the extended list on an interface.

Numbered extended IPv4 ACL example 1
  RouterX(config)# access-list 101 deny tcp network-address network-wildcard any eq 23
  RouterX(config)# access-list 101 permit ip any any
  (implicit deny all)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 101 out
Denies only Telnet traffic from the subnet out E0; permits all other traffic.

Named IP ACL configuration
  RouterX(config)# ip access-list {standard | extended} name
The alphanumeric name string must be unique.
  RouterX(config-std-nacl | config-ext-nacl)# [sequence-number] {permit | deny} ip-access-list-test-conditions
If not configured, sequence numbers are generated automatically, starting at 10 and incrementing by 10. no sequence-number removes the specific test from the named ACL.
  RouterX(config-if)# ip access-group name {in | out}
Activates the named IP ACL on an interface.

Named standard IPv4 ACL example: deny a specific host
  RouterX(config)# ip access-list standard troublemaker
  RouterX(config-std-nacl)# deny host host-address
  RouterX(config-std-nacl)# permit network-address 0.0.0.255
  RouterX(config-std-nacl)# interface e0
  RouterX(config-if)# ip access-group troublemaker out

Named extended IPv4 ACL example: deny Telnet from a specific subnet
  RouterX(config)# ip access-list extended badgroup
  RouterX(config-ext-nacl)# deny tcp network-address network-wildcard any eq 23
  RouterX(config-ext-nacl)# permit ip any any
  RouterX(config-ext-nacl)# interface e0
  RouterX(config-if)# ip access-group badgroup out

Commenting ACLs
  RouterX(config)# ip access-list {standard | extended} name
Creates a named ACL.
  RouterX(config-std-nacl | config-ext-nacl)# remark remark
Creates a comment in a named ACL.
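To make the wildcard-mask, ordering and implicit-deny rules above concrete, here is an added Python example (not part of the original lecture notes): a small evaluator that parses the numbered and named statement forms used on this page and applies them the way IOS does, including the per-entry match counters that show access-lists reports. Everything in it is a model rather than IOS code; the Entry and AccessList classes, the port-name table, and the 172.16.x.x and 172.30.x.x addresses and packets in demo() are assumptions chosen for illustration, not values from the page.

```python
"""Cisco-style IPv4 ACL evaluator (added example, not from the original lecture notes).
Models the page's rules: wildcard-mask bit matching, top-down first match, the
"(N matches)" counters of show access-lists, sequence numbers 10, 20, 30 ...,
removal of one statement by sequence number, and the trailing implicit deny.
Addresses and packets in demo() are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # keyword "any": ignore every address bit
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "smtp": 25, "www": 80}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: address bit must equal base; wildcard bit 1: bit is ignored."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None   # only the "eq port" operator is modelled
    matches: int = 0                 # hit counter reported by show access-lists

    def matches_packet(self, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
        return (self.protocol in ("ip", proto)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc)
                and (self.dst_port is None or self.dst_port == dst_port))


def _take_address(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any' | 'host A' | 'A W' | bare 'A' (standard-ACL default wildcard 0.0.0.0)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


@dataclass
class AccessList:
    kind: str                        # "standard" or "extended"
    entries: List[Entry] = field(default_factory=list)

    def add(self, line: str, seq: Optional[int] = None) -> int:
        """Add one statement; without an explicit seq it gets last + 10 (10, 20, 30 ...)."""
        tok = line.split()
        if self.kind == "standard":              # <action> <source> [wildcard]
            (src, src_wc), _ = _take_address(tok, 1)
            entry = Entry(0, tok[0], "ip", src, src_wc)
        else:                                    # <action> <proto> <src> <dst> [eq port]
            (src, src_wc), i = _take_address(tok, 2)
            (dst, dst_wc), i = _take_address(tok, i)
            port = None
            if i + 1 < len(tok) and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            entry = Entry(0, tok[0], tok[1], src, src_wc, dst, dst_wc, port)
        entry.seq = seq if seq is not None else max((e.seq for e in self.entries), default=0) + 10
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)   # IOS tests statements in sequence order
        return entry.seq

    def remove(self, seq: int) -> None:          # "no <seq>" inside a named ACL
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, proto: str, src: str, dst: str, dst_port: Optional[int] = None):
        """First match wins; a packet that matches nothing hits the implicit deny (seq None)."""
        for e in self.entries:
            if e.matches_packet(proto, src, dst, dst_port):
                e.matches += 1
                return e.action, e.seq
        return "deny", None


def demo() -> dict:
    """The page's ACL patterns run against constructed packets (all addresses assumed)."""
    out = {}
    # Sixteen consecutive /24s (172.30.16.0 .. 172.30.31.0) as one entry: wildcard 0.0.15.255
    out["in_block"] = wildcard_match("172.30.31.7", "172.30.16.0", "0.0.15.255")
    out["past_block"] = wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255")
    badgroup = AccessList("extended")               # deny Telnet from one subnet, allow the rest
    badgroup.add("deny tcp 172.16.4.0 0.0.0.255 any eq telnet")
    badgroup.add("permit ip any any")
    out["telnet_from_subnet"] = badgroup.evaluate("tcp", "172.16.4.13", "10.1.1.1", 23)
    out["http_from_subnet"] = badgroup.evaluate("tcp", "172.16.4.13", "10.1.1.1", 80)
    out["telnet_elsewhere"] = badgroup.evaluate("tcp", "172.16.5.9", "10.1.1.1", 23)
    out["deny_hits"] = badgroup.entries[0].matches
    badgroup.remove(20)                             # delete the only permit ...
    out["after_remove"] = badgroup.evaluate("udp", "172.16.5.9", "10.1.1.1", 53)  # ... implicit deny
    tm = AccessList("standard")
    tm.add("deny host 172.16.4.13")
    tm.add("permit 172.16.0.0 0.0.255.255")
    out["host_blocked"] = tm.evaluate("ip", "172.16.4.13", "10.1.1.1")
    tm.add("permit 172.16.0.0 0.0.255.255", seq=5)  # broad permit ahead of the deny shadows it
    out["host_shadowed"] = tm.evaluate("ip", "172.16.4.13", "10.1.1.1")
    return out
```

Running demo() shows the three behaviours behind most ACL mistakes: a packet that matches no statement is dropped by the implicit deny, deleting the only permit turns the list into deny-everything, and a broad permit inserted with a lower sequence number shadows the host-specific deny below it.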
Alternatively, for a numbered ACL:
  RouterX(config)# access-list access-list-number remark remark
Creates a comment in a numbered ACL.

Monitoring ACL statements
  RouterX# show access-lists [access-list-number | name]
  RouterX# show access-lists
  Standard IP access list SALES
      10 deny   address, wildcard bits wildcard
      20 permit address
      30 permit address
      40 permit address
  Extended IP access list ENG
      10 permit tcp host address any eq telnet (25 matches)
      20 permit tcp host address any eq ftp
      30 permit tcp host address any eq ftp-data
Displays all access lists. The (N matches) counter shows how often an entry has been hit, which is the quickest way to find which statement is catching traffic you did not expect it to.

Verifying ACLs
  RouterX# show ip interfaces e0
  Ethernet0 is up, line protocol is up
    Internet address is address/24
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
The two lines to check are "Outgoing access list" and "Inbound access list": they tell you which list, if any, is applied in each direction on the interface.

Troubleshooting ACLs
Error 1: a host has no connectivity with a remote host.
Error 2: a network cannot use TFTP to connect to a server.
In both cases start from show access-lists, to see which statement the traffic is matching and whether the statements are in the intended order, and from show ip interface, to confirm that the list is applied on the expected interface and in the expected direction.

NAT and PAT

Network address translation: an IP address is either local or global. Local IPv4 addresses are seen in the inside network; global IPv4 addresses are seen in the outside network.

Translating inside source addresses.

Configuring and verifying static translation
  RouterX(config)# ip nat inside source static local-ip global-ip
Establishes a static translation between an inside local address and an inside global address.
  RouterX(config-if)# ip nat inside
Marks the interface as connected to the inside.
  RouterX(config-if)# ip nat outside
Marks the interface as connected to the outside.
  RouterX# show ip nat translations
Displays active translations.

Static NAT configuration example
  interface s0
   ip address address mask
   ip nat outside
  !
  interface e0
   ip address address mask
   ip nat inside
  !
  ip nat inside source static local-ip global-ip

  RouterX# show ip nat translations
  Pro  Inside global   Inside local   Outside local   Outside global
  ---  global-ip       local-ip       ---             ---

Configuring and verifying dynamic address translation
  RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
  RouterX(config)# access-list access-list-number permit source source-wildcard
Defines a standard IP ACL permitting those inside local addresses that are to be translated.
  RouterX(config)# ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the ACL that was defined in the previous step.
  RouterX# show ip nat translations
Displays active translations.

Dynamic address translation example
  RouterX# show ip nat translations
  Pro  Inside global    Inside local   Outside local   Outside global
  ---  pool-address-1   local-ip-1     ---             ---
  ---  pool-address-2   local-ip-2     ---             ---

Port address translation (PAT): overloading an inside global address.

Configuring overloading
  RouterX(config)# access-list access-list-number permit source source-wildcard
Defines a standard IP ACL that will permit the inside local addresses that are to be translated.
  RouterX(config)# ip nat inside source list access-list-number interface interface overload
Establishes dynamic source translation, specifying the ACL defined in the previous step; overload makes all permitted inside hosts share the address of interface, with the translations told apart by port number.
  RouterX# show ip nat translations
Displays active translations.

Overload example
  hostname RouterX
  !
  interface Ethernet0
   ip address address mask
   ip nat inside
  !
  interface Ethernet1
   ip address address mask
   ip nat inside
  !
  interface Serial0
   description To ISP
   ip address address mask
   ip nat outside
  !
  ip nat inside source list 1 interface Serial0 overload
  !
  ip route prefix mask Serial0
  !
  access-list 1 permit network-address network-wildcard
  access-list 1 permit network-address network-wildcard
  !

  RouterX# show ip nat translations
  Pro  Inside global          Inside local         Outside local   Outside global
  TCP  serial0-address:1050   local-ip:1050        remote:23       remote:23
  TCP  serial0-address:1776   192.168.4.12:1776    remote:25       remote:25

Clearing the NAT translation table
  RouterX# clear ip nat translation *
Clears all dynamic address translation entries.
  RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Clears a simple dynamic translation entry that contains an inside translation, or both an inside and an outside translation.
  RouterX# clear ip nat translation outside local-ip global-ip
Clears a simple dynamic translation entry that contains an outside translation.
  RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Clears an extended dynamic translation entry (a PAT entry).

show and debug commands
  RouterX# debug ip nat
  NAT: s=inside-local->inside-global, d=outside-address [ip-id]
  NAT: s=outside-address, d=inside-global->inside-local [ip-id]
  NAT*: s=inside-local->inside-global, d=outside-address [ip-id]
Each line shows the source (s=) or destination (d=) address being rewritten, with the arrow giving the before->after pair, followed by the packet's IP identification number in brackets; the asterisk in NAT* marks packets handled in the fast-switched path. In the sample, inside local host 192.168.1.95 is translated to its inside global address on the way out, and replies are translated back on the way in.

  RouterX# show ip nat statistics
  Total active translations: 1 (1 static, 0 dynamic; 0 extended)
  Outside interfaces: Ethernet0, Serial2
  Inside interfaces: Ethernet1
  Hits: 5  Misses: 0

Troubleshooting example: cannot ping a remote host
  RouterA# show ip nat translations
  Pro  Inside global   Inside local   Outside local   Outside global
There are no translations in the table.
  RouterA# show access-list
  Standard IP access list 20
      10 permit address, wildcard bits wildcard
Pings are still failing. An empty translation table with a NAT rule in place means no packet has matched that rule: check that the interfaces are marked with ip nat inside and ip nat outside on the correct sides, and that the ACL's permit entry (address and wildcard) actually covers the source addresses of the hosts that should be translated.
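The overload behaviour and the "no translations in the table" symptom above, as an added Python example that is not part of the original lecture notes. The PatRouter class is a model of the translation table behind ip nat inside source list 1 interface Serial0 overload, not IOS code: the Serial0 address 172.20.0.1, the ACL entry 192.168.4.0 0.0.0.255, the inside hosts, and the outside addresses 203.0.113.5 and 198.51.100.9 are assumed values chosen for the demo.

```python
"""PAT (NAT overload) translation-table simulator (added example, not from the original
lecture notes). Models "ip nat inside source list 1 interface Serial0 overload": an inside
host permitted by the standard ACL leaves with the single inside global address and a
unique port; replies are matched by protocol and port and rewritten back; inbound packets
with no entry are dropped; inside hosts the ACL does not permit are routed untranslated,
so the table stays empty for them. All addresses and packets here are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL test: wildcard bit 0 must match, wildcard bit 1 is ignored."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int        # for ICMP this stands in for the echo identifier
    dst: str
    dport: int


@dataclass
class Translation:    # one row of "show ip nat translations"; PAT has no outside translation
    proto: str
    inside_global: str
    global_port: int
    inside_local: str
    local_port: int
    outside: str
    outside_port: int


class PatRouter:
    def __init__(self, outside_if_address: str, acl: List[Tuple[str, str]], spare_port: int = 1024):
        self.inside_global = outside_if_address   # "interface Serial0 overload": everyone shares it
        self.acl = acl                            # permit entries of the standard ACL: (address, wildcard)
        self.table: Dict[Tuple[str, int], Translation] = {}   # keyed by (proto, global port)
        self.next_port = spare_port
        self.stats = {"hits": 0, "misses": 0, "dropped": 0}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Keep the original source port while it is free; otherwise take the next unused one."""
        if (proto, wanted) not in self.table:
            return wanted
        while (proto, self.next_port) in self.table:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet received on an 'ip nat inside' interface and routed out the outside one."""
        if not any(wildcard_match(pkt.src, a, w) for a, w in self.acl):
            return pkt                            # ACL miss: routed unchanged, no entry created
        for t in self.table.values():
            if (t.proto, t.inside_local, t.local_port, t.outside, t.outside_port) == (
                    pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                self.stats["hits"] += 1           # existing entry reused
                return Packet(pkt.proto, self.inside_global, t.global_port, pkt.dst, pkt.dport)
        self.stats["misses"] += 1                 # "Misses": a new entry had to be created
        gp = self._allocate_port(pkt.proto, pkt.sport)
        self.table[(pkt.proto, gp)] = Translation(pkt.proto, self.inside_global, gp,
                                                  pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.inside_global, gp, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet received on the outside interface, addressed to the inside global address."""
        t = self.table.get((pkt.proto, pkt.dport))
        if t is None or pkt.dst != self.inside_global or (pkt.src, pkt.sport) != (t.outside, t.outside_port):
            self.stats["dropped"] += 1            # no entry to translate it with: dropped
            return None
        self.stats["hits"] += 1
        return Packet(pkt.proto, pkt.src, pkt.sport, t.inside_local, t.local_port)

    def show_translations(self) -> List[Tuple[str, str, str, str, str]]:
        """Rows in the column order of show ip nat translations."""
        return [(t.proto.upper(), f"{t.inside_global}:{t.global_port}", f"{t.inside_local}:{t.local_port}",
                 f"{t.outside}:{t.outside_port}", f"{t.outside}:{t.outside_port}")
                for t in self.table.values()]

    def clear(self) -> None:                      # clear ip nat translation *
        self.table.clear()


def demo() -> dict:
    """Assumed topology: Serial0 = 172.20.0.1, access-list 1 permit 192.168.4.0 0.0.0.255."""
    r = PatRouter("172.20.0.1", [("192.168.4.0", "0.0.0.255")])
    out = {}
    a = r.inside_to_outside(Packet("tcp", "192.168.4.12", 1776, "203.0.113.5", 25))
    b = r.inside_to_outside(Packet("tcp", "192.168.4.31", 1776, "203.0.113.5", 25))  # same source port
    out["a_src"], out["b_src"] = (a.src, a.sport), (b.src, b.sport)
    reply = r.outside_to_inside(Packet("tcp", "203.0.113.5", 25, "172.20.0.1", a.sport))
    out["reply_dst"] = (reply.dst, reply.dport)
    out["unsolicited"] = r.outside_to_inside(Packet("tcp", "198.51.100.9", 4444, "172.20.0.1", 9999))
    c = r.inside_to_outside(Packet("icmp", "192.168.9.7", 7, "203.0.113.5", 0))  # not permitted by ACL 1
    out["untranslated_src"] = c.src
    out["rows"], out["stats"] = r.show_translations(), dict(r.stats)
    r.clear()
    out["rows_after_clear"] = len(r.show_translations())
    return out
```

The second inside host reuses source port 1776, so it cannot keep it on the shared global address and is given another port; that is the only thing that lets the router tell the two replies apart. The ICMP packet from 192.168.9.7 is the troubleshooting case from the slide: the ACL does not cover its address, no entry is created, and the reply can never be mapped back.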