ACL访问控制列表ppt课件

访问控制列表AccessControlList,深圳职业技术学院计算机系网络专业,教学目标（Objectives）,1.访问控制列表（AccessControlList）2.配置标准访问控制列表（ConfigurestandardIPaccesslists）3.配置扩展访问控制列表（ConfigureextendedIPaccesslists）4.配置命名访问控制列表（ConfigurenamedIPaccesslists）5.验证和监视ACL（VerifyandmonitorIPaccesslists）,,,Internet,当网络访问增长时，管理IP通信ManageIPtrafficasnetworkaccessgrows当数据包通过路由器时，起到过滤作用Filterpacketsastheypassthroughtherouter,为什么使用ACL？（WhyUseAccessControlLists?）,ACL作用（FunctionofACL）,1限制网络流量、提高网络性能。Limitnetworktrafficandincreasenetworkperformance.2提供对通信流量的控制手段。Providetrafficflowcontrol.3提供网络访问的基本安全手段。Provideabasiclevelofsecurityfornetworkaccess.4在路由器接口处，决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。Decidewhichtypesoftrafficareforwardedorblockedattherouterinterfaces.,ACL如何工作（ACLHowtowork）,ACL条件顺序（TheorderinwhichACLstatementsareplaced）,ACL条件顺序（TheorderinwhichACLstatementsareplaced）,CiscoIOS按照各描述语句在ACL中的顺序，根据各描述语句的判断条件，对数据包进行检查。一旦找到了某一匹配条件，就结束比较过程，不再检查以后的其他条件判断语句。TheCiscoIOSsoftwareteststhepacketagainsteachconditionstatementinorderfromthetopofthelisttothebottom.Onceamatchisfoundinthelist,theacceptorrejectactionisperformedandnootherACLstatementsarechecked,什么是ACL？（WhatAreAccessLists?）,标准ACL（StandardACL）检查源地址（ChecksSourceaddress）允许或拒绝整个协议族（Generallypermitsordeniesentireprotocolsuite）,OutgoingPacket,fa0/0,S0/0,IncomingPacket,AccessListProcesses,Permit?,扩展ACL（ExtendedACL）检查源和目的地址（ChecksSourceandDestinationaddress）通常允许或拒绝特定的协议（Generallypermitsordeniesspecificprotocols）,OutgoingPacket,Fa0/0,s0/0,IncomingPacket,AccessListProcesses,Permit?,Protocol,什么是ACL？（WhatAreAccessLists?）,用扩展ACL检查数据包（CheckPacketswithExtendedACL）,常见端口号（KnownPortNumber）,ACL表号（ACLNumber）,通配符掩码（WildcardMask）,1.是一个32比特位的数字字符串(Awildcardmaskisa32-bitquantity)2.0表示“检查相应的位”,1表示“不检查（忽略）相应的位”Azeromeansletthevaluethroughtobechecked,theXs(1s)meanblockthevaluefrombeingcompared.,特殊的通配符掩码（SpecialWildcardMask）,1.Any552.HostHost9,AccessList命令（AccessListCommand）,Step1:定义访问控制列表（DefinetheACL）,access-listaccess-list-numberpermit|denytestconditions,Router(config)#,Router(config)#access-list1permit55,Step2:将访问控制列表应用到某一接口上（ApplyACLtoaInterface）,protocolaccess-groupaccess-list-numberin|out,Router(config-if)#,AccessList命令（AccessListCommand）,Router(config-if)#ipaccess-group1out,仅允许我的网络（Permitmynetworkonly）,access-list1permit55(implicitdenyall-notvisibleinthelist)(access-list1deny55)interfaceethernet0ipaccess-group1outinterfaceethernet1ipaccess-group1out,标准IPACL实例1（StandardIPACLExample1）,,,3,E0,S0,E1,Non-,access-list1denyaccess-list1permit55(implicitdenyall)(access-list1deny55)interfaceethernet0ipaccess-group1out,标准IPACL实例2（StandardIPACLExample2）,,,3,E0,S0,E1,Non-,拒绝特定的主机（Denyaspecifichost）,access-list1deny55access-list1permitany(implicitdenyall)(access-list1deny55)interfaceethernet0ipaccess-group1out,标准IPACL实例3（StandardIPACLExample3）,,,3,E0,S0,E1,Non-,拒绝特定的子网（Denyaspecificsubnet）,标准ACL与扩展ACL比较（StandardversusExternalACL）,标准（Standard）,扩展（Extended）,过滤基于源（FiltersBasedonSource.）,过滤基于源和目的（FiltersBasedonSourceanddestination.）,允许或拒绝整个协议族（PermitordenyentireTCP/IPprotocolsuite.）,允许或拒绝特定的IP协议或端口（SpecifiesaspecificIPprotocolandportnumber.）,范围（100-199）Rangeis100through199.,范围（1-99）Rangeis1through99,CASESTUDY,首先使得PC1所在的网络不能通过路由器R1访问PC2所在的网络。,扩展ACL配置（ExtendedIPACLConfiguration）,Router(config)#access-listaccess-list-numberpermit|denyprotocolsourcesource-wildcardoperatorportdestinationdestination-wildcardoperatorportestablishedlog,access-list101denytcp5555eq21access-list101denytcp5555eq20access-list101permitipanyany(implicitdenyall)(access-list101denyip555)interfaceethernet0ipaccess-group101out,拒绝从到的经过E0出方向的FTP流量DenyFTPfromsubnettosubnetoutofE0允许其他所有的流量Permitallothertraffic,扩展ACL实例1（ExtendedACLExample1）,,,3,E0,S0,E1,Non-,access-list101denytcp55anyeq23access-list101permitipanyany(implicitdenyall)interfaceethernet0ipaccess-group101out,仅拒绝子网在E0出方向的流量DenyonlyTelnetfromsubnet172.16.4.0outofE0允许其他流量（Permitallothertraffic）,ExtendedAccessListExample2,,,3,E0,S0,E1,Non-,使用命名IPACL（UsingNamedIPACL）,Router(config)#,ipaccess-liststandard|extendedname,IOS11.2以后支持的特征FeatureforCiscoIOSRelease11.2orlater,名字字符串要唯一Namestringmustbeunique,使用命名IPACL（UsingNamedIPACL）,permit|denyipaccesslisttestconditionspermit|denyipaccesslisttestconditionsnopermit|denyipaccesslisttestconditions,Router(configstd-|ext-nacl)#,允许或拒绝陈述条件前没有表号Permitordenystatementshavenoprependednumber可以用“NO”命令移去特定的陈述noremovesthespecifictestfromthenamedaccesslist,使用命名IPACL（UsingNamedIPACL）,在接口上激活命名ACLActivatestheIPnamedaccesslistonaninterface,扩展ACL靠近源Placeextendedaccesslistsclosetothesource标准ACL靠近目的Placestandardaccesslistsclosetothedestination,E0,E0,E1,S0,To0,S1,S0,S1,E0,E0,B,A,C,放置ACL（PlacingIPAccessLists）,D,wg_ro_a#showipinte0Ethernet0isup,lineprotocolisupInternetaddressis1/24Broadcastaddressis55AddressdeterminedbysetupcommandMTUis1500bytesHelperaddressisnotsetDirectedbroadcastforwardingisdisabledOutgoingaccesslistisnotsetInboundaccesslistis1ProxyARPisenabledSecuritylevelisdefaultSplithorizonisenabledICMPredirectsarealwayssentICMPunreachablesarealwayssentICMPmaskrepliesareneversentIPfastswitchingisenabledIPfastswitchingonthesameinterfacei