ACL访问控制列表-文档资料_第1页
ACL访问控制列表-文档资料_第2页
ACL访问控制列表-文档资料_第3页
ACL访问控制列表-文档资料_第4页
ACL访问控制列表-文档资料_第5页
已阅读5页,还剩26页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

1、 2006, Shenzhen Polytechnic. All rights reserved.1访问控制列表访问控制列表Access Control List深圳职业技术学院计算机系网络专业深圳职业技术学院计算机系网络专业 2006, Shenzhen Polytechnic. All rights reserved.2教学目标(教学目标( Objectives )1. 访问控制列表(访问控制列表(Access Control List)2.配置标准访问控制列表配置标准访问控制列表( Configure standard IP access lists ) 3. 配置扩展访问控制列表配置扩

2、展访问控制列表( Configure extended IP access lists )4.配置命名访问控制列表配置命名访问控制列表( Configure named IP access lists )5. 验证和监视验证和监视ACL( Verify and monitor IP access lists ) 2006, Shenzhen Polytechnic. All rights reserved.3FDDITokenRingInternet 当网络访问增长时,管理当网络访问增长时,管理IP通信通信 Manage IP traffic as ne

3、twork access grows 当数据包通过路由器时,起到过滤作用当数据包通过路由器时,起到过滤作用 Filter packets as they pass through the router为什么使用为什么使用ACL?(Why Use Access Control Lists?) 2006, Shenzhen Polytechnic. All rights reserved.4ACL作用(作用( Function of ACL )1限制网络流量、提高网络性能。限制网络流量、提高网络性能。 Limit network traffic and increase network perfo

4、rmance. 2提供对通信流量的控制手段。提供对通信流量的控制手段。Provide traffic flow control. 3提供网络访问的基本安全手段。提供网络访问的基本安全手段。Provide a basic level of security for network access. 4在路由器接口处,决定哪种类型的通信流量被转发、哪种在路由器接口处,决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。类型的通信流量被阻塞。 Decide which types of traffic are forwarded or blocked at the router interface

5、s. 2006, Shenzhen Polytechnic. All rights reserved.5ACL如何工作(如何工作(ACL How to work) 2006, Shenzhen Polytechnic. All rights reserved.6ACL条件顺序条件顺序(The order in which ACL statements are placed ) 2006, Shenzhen Polytechnic. All rights reserved.7ACL条件顺序条件顺序(The order in which ACL statements are placed )Cis

6、co IOS按照各描述语句在按照各描述语句在ACL中的顺序,根据各描中的顺序,根据各描述语句的判断条件,对数据包进行检查。述语句的判断条件,对数据包进行检查。一旦找到了某一旦找到了某一匹配条件,就结束比较过程一匹配条件,就结束比较过程,不再检查以后的其他条,不再检查以后的其他条件判断语句。件判断语句。The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in th

7、e list, the accept or reject action is performed and no other ACL statements are checked 2006, Shenzhen Polytechnic. All rights reserved.8 什么是什么是ACL?(?(What Are Access Lists?) 标准标准 ACL ( Standard ACL ) 检查源地址(检查源地址(Checks Source address ) 允许或拒绝整个协议族(允许或拒绝整个协议族(Generally permits or denies entire proto

8、col suite)OutgoingPacketfa0/0S0/0IncomingPacketAccess List ProcessesPermit?Source 2006, Shenzhen Polytechnic. All rights reserved.9 扩展扩展 ACL ( Extended ACL ) 检查源和目的地址检查源和目的地址( Checks Source and Destination address) 通常允许或拒绝特定的协议通常允许或拒绝特定的协议 (Generally permits or denies specific protocols)OutgoingPack

9、etFa0/0s0/0IncomingPacketAccess List ProcessesPermit?Sourceand DestinationProtocol什么是什么是ACL?(?(What Are Access Lists?) 2006, Shenzhen Polytechnic. All rights reserved.10用扩展用扩展ACL检查数据包检查数据包(Check Packets with Extended ACL) 2006, Shenzhen Polytechnic. All rights reserved.11常见端口号常见端口号(Known Port Number

10、)端口号端口号( (Port NumberPort Number) )2020文件传输协议(文件传输协议(FTPFTP)数据)数据2121文件传输协议(文件传输协议(FTPFTP)程序)程序2323远程登录(远程登录(TelnetTelnet)2525简单邮件传输协议(简单邮件传输协议(SMTPSMTP)6969普通文件传送协议(普通文件传送协议(TFTPTFTP)80超文本传输协议超文本传输协议(HTTP)5353域名服务系统(域名服务系统(DNSDNS) 2006, Shenzhen Polytechnic. All rights reserved.12ACL表号(表号(ACL Numbe

11、r ) 协议(协议(ProtocolProtocol)ACLACL表号的取表号的取值范围(值范围(ACL ACL RangeRange)IPIP(InternetInternet协议)协议)1-991-99Extended IP(Extended IP(扩展扩展InternetInternet协议协议) )100-199100-199AppleTalkAppleTalk600-699600-699IPXIPX(互联网数据包交换)(互联网数据包交换)800-899800-899Extended IPX(Extended IPX(扩展互联网数据包交换扩展互联网数据包交换) ) 900-999900

12、-999IPX service Advertising IPX service Advertising Protocol(IPXProtocol(IPX服务通告协议服务通告协议) )1000-10991000-1099 2006, Shenzhen Polytechnic. All rights reserved.13通配符掩码(通配符掩码(Wildcard Mask ) 1.1.是一个是一个3232比特位的数字字符串比特位的数字字符串( (A wildcard mask is a 32-bit quantity) )2.02.0表示表示“检查相应的位检查相应的位”,1,1表示表示“不检查(忽

13、略)相应的位不检查(忽略)相应的位”A zero means let the value through to be checked, the Xs (1s) mean block the value from being compared. 2006, Shenzhen Polytechnic. All rights reserved.14特殊的通配符掩码(特殊的通配符掩码(Special Wildcard Mask ) 1. Any 552. Host9 Host 9 2006, Shenzh

14、en Polytechnic. All rights reserved.15Access List 命令(命令( Access List Command )Step 1:定义访问控制列表(定义访问控制列表(Define the ACL)access-list access-list-number permit | deny test conditions Router(config)#Router(config)#access-list 1 permit 55 2006, Shenzhen Polytechnic. All rights reserved

15、.16Step 2:将访问控制列表应用到某一接口上将访问控制列表应用到某一接口上(Apply ACL to a Interface) protocol access-group access-list-number in | out Router(config-if)#Access List 命令(命令( Access List Command )Router(config-if)#ip access-group 1 out 2006, Shenzhen Polytechnic. All rights reserved.17 仅允许我的网络(仅允许我的网络(Permit my network

16、only)access-list 1 permit 55(implicit deny all - not visible in the list)(access-list 1 deny 55)interface ethernet 0ip access-group 1 outinterface ethernet 1ip access-group 1 out标准IP ACL实例1(Standard IP ACL Example 1)3E0S0E1Non-17

17、 2006, Shenzhen Polytechnic. All rights reserved.18access-list 1 deny 3 access-list 1 permit 55(implicit deny all)(access-list 1 deny 55)interface ethernet 0ip access-group 1 out标准标准IP ACL实例实例2(Standard IP ACL Example 2)17

18、3E0S0E1Non- 拒绝特定的主机(拒绝特定的主机(Deny a specific host) 2006, Shenzhen Polytechnic. All rights reserved.19access-list 1 deny 55access-list 1 permit any(implicit deny all)(access-list 1 deny 55)interface ethernet 0ip access-group 1 out标准标准I

19、P ACL实例实例3(Standard IP ACL Example 3)3E0S0E1Non- 拒绝特定的子网(拒绝特定的子网(Deny a specific subnet) 2006, Shenzhen Polytechnic. All rights reserved.20标准标准ACL与扩展与扩展ACL比较比较(Standard versus External ACL)标准(标准(Standard)扩展(扩展(Extended)过滤基于源过滤基于源(Filters Based onSource.)过滤基于源和

20、目的(过滤基于源和目的( Filters Based on Source and destination.)允许或拒绝整个协议族(允许或拒绝整个协议族(Permit or deny entire TCP/IP protocol suite.)允许或拒绝特定的允许或拒绝特定的IP协议或端口协议或端口(Specifies a specific IP protocol and port number.)范围(范围(100-199)Range is 100 through 199.范围(范围(1-99)Range is 1 through 99 2006, Shenzhen Polytechnic.

21、All rights reserved.21CASE STUDY首先使得首先使得PC1所在的网络不能通过路由器所在的网络不能通过路由器R1访问访问PC2所所在的网络。在的网络。 2006, Shenzhen Polytechnic. All rights reserved.22扩展扩展ACL配置(配置(Extended IP ACL Configuration)Router(config)# access-listaccess-list access-list-numberaccess-list-number permit | denypermit | deny protocol source

22、 source-wildcard operator protocol source source-wildcard operator portport destination destination-wildcard destination destination-wildcard operator portoperator port established established loglog参数参数描述access-list-number访问控制列表表号permit|deny如果满足条件,允许或拒绝后面指定特定地址的通信流量protocol用来指定协议类型,如IP、TCP、UDP、ICMP

23、等source and destination分别用来标识源地址和目的地址source-mask通配符掩码,跟源地址相对应destination-mask通配符掩码,跟目的地址相对应operator lt,gt,eq,neq(小于,大于,等于,不等于) operand一个端口号established如果数据包使用一个已建立连接,便可允许TCP信息通过 2006, Shenzhen Polytechnic. All rights reserved.23access-list 101 deny tcp 55 55 eq 21a

24、ccess-list 101 deny tcp 55 55 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 55 55)interface ethernet 0ip access-group 101 out 拒绝从拒绝从到到的经过的经过E0出方向的出方向的FTP流量流量 Deny FTP

25、 from subnet to subnet out of E0 允许其他所有的流量允许其他所有的流量 Permit all other traffic扩展扩展ACL实例实例1 (Extended ACL Example 1)3E0S0E1Non- 2006, Shenzhen Polytechnic. All rights reserved.24access-list 101 deny tcp 55 any eq 23access-l

26、ist 101 permit ip any any(implicit deny all)interface ethernet 0ip access-group 101 out 仅拒绝子网仅拒绝子网 在在E0出方向的流量出方向的流量 Deny only Telnet from subnet 172.1 6.4.0 out of E0 允许其他流量(允许其他流量(Permit all other traffic)Extended Access List Example 23E0S0E1Non-17

27、 2006, Shenzhen Polytechnic. All rights reserved.25使用命名使用命名IP ACL(Using Named IP ACL)Router(config)#ip access-list standard | extended name IOS11.2 以后支持的特征以后支持的特征 Feature for Cisco IOS Release 11.2 or later 名字字符串要唯一名字字符串要唯一 Name string must be unique 2006, Shenzhen Polytechnic. All rights re

28、served.26使用命名使用命名IP ACL(Using Named IP ACL) permit | deny ip access list test conditions permit | deny ip access list test conditions no permit | deny ip access list test conditions Router(config std- | ext-nacl)# 允许或拒绝陈述条件前没有表号允许或拒绝陈述条件前没有表号 Permit or deny statements have no prepended number 可以用可以用

29、“NO”命令移去特定的陈述命令移去特定的陈述 no removes the specific test from the named access list 2006, Shenzhen Polytechnic. All rights reserved.27Router(config-if)# ip access-group name in | out 使用命名使用命名IP ACL(Using Named IP ACL) 在接口上激活命名在接口上激活命名ACL Activates the IP named access list on an interface 2006, Shenzhen P

30、olytechnic. All rights reserved.28 扩展扩展ACL靠近源靠近源 Place extended access lists close to the source 标准标准ACL靠近目的靠近目的 Place standard access lists close to the destinationE0E0E1S0To0S1S0S1E0E0TokenRing放置放置ACL( Placing IP Access Lists) 2006, Shenzhen Polytechnic. All rights reserved.29wg_ro_a#show ip int e

31、0Ethernet0 is up, line protocol is up Internet address is 1/24 Broadcast address is 55 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never

人人文库> 全部分类> 专业文献 > 工程机械

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论