说明讲稿ccna笔记8-1acl

1、ACL(Access Control List)访问控制列表为什么要用ACL？ACL两大功能流量控制匹配感兴趣流量ACL的应用: Filtering允许或拒绝通过路由器移动的包。允许或拒绝访问或从路由器VTY。没有ACL，所有数据包可以发送到您的网络的所有部分。Special handling for traffic based on packet testsACL的应用: Classification入方向的ACL的操作NYPermit?YACL ?NRouting TableEntry？出方向的ACL的操作If no ACL statement matches, discard the p

2、acket. ACL的匹配: Deny or PermitACL的类型 标准 ACLChecks source address；Generally permits or denies entire protocol suite； 扩展 ACLChecks source and destination address；Generally permits or denies specific protocols and applications； Two methods used to identify standard and extended ACLs:Numbered ACLs use a

3、number for identificationNamed ACLs use a descriptive name or number for identificationACLs如何标识？Numbered standard IPv4 lists (199) test conditions of all IP packets for source addresses. Expanded range (13001999).Numbered extended IPv4 lists (100199) test conditions of source and destination address

4、es, specific TCP/IP protocols, and destination ports. Expanded range (20002699). Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name). IP访问控制列表序列号 Requires Cisco IOS Release 12.3Allows you to edit the order of ACL statements using sequence numbersIn software earlier t

5、han Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.Allows you to remove a single ACL statement from the list using a sequence numberWith named ACLs in software earlier than Cisco IOS Release 12.3, you must u

6、se no deny | permit protocol source source-wildcard destination destination-wildcard to remove an individual statement.With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.ACL配置向导Standard or extended indicates what can be

7、 filtered.Only one ACL per interface, per protocol, and per direction is allowed.The order of ACL statements controls testing, therefore, the most specific statements go at the top of the list.The last ACL test is always an implicit deny everything else statement, so every list needs at least one pe

8、rmit statement.ACLs are created globally and then applied to interfaces for inbound or outbound traffic.An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.When placing ACLs in the network: Place extended ACLs close to the source Plac

9、e standard ACLs close to the destinationDynamic ACLsDynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and areauthenticated. Reflexive ACLsReflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response

10、to sessions that originate inside the routerTime-Based ACLsTime-based ACLs: Allow for access control based on the time of day and week反掩码0 means to match the value of the corresponding address bit 1 means to ignore the value of the corresponding address bitMatch for IP subnets /24 to 172.

11、30.31.0/24.反掩码匹配IP子网Address and wildcard mask: 559 matches all of the address bits Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 9)反掩码缩写 55 ignores all address bitsAbbreviate expression with the keyword anyConfiguring ACL配置ACL标准的数字IPV4访问控制列表Activates the list

12、on an interface.Sets inbound or outbound testing.no ip access-group access-list-number in | out removes the ACL from the interface.ip access-group access-list-number in | outUses 1 to 99 for the access-list-number.The first entry is assigned a sequence number of 10, and successive entries are increm

13、ented by 10. Default wildcard mask is (only standard ACL).no access-list access-list-number removes the entire ACL.remark lets you add a description to the ACL.access-list access-list-number permit | deny | remark source maskRouter(config)#Router(config-if)#标准的数字IPV4访问控制列表的配置Permit my network only标准

14、的数字IPV4访问控制列表-举例 1Router(config)# access-list 1 permit 55(implicit deny all - not visible in the list)(access-list 1 deny 55)Router(config)# interface ethernet 0Router(config-if)# ip access-group 1 outRouter(config)# interface ethernet 1Router(config-if)# ip access-group 1 outDeny a specific host标准的

15、数字IPV4访问控制列表-举例 2Router(config)# access-list 1 deny 3 Router(config)# access-list 1 permit 55(implicit deny all)(access-list 1 deny 55)Router(config)# interface ethernet 0Router(config-if)# ip access-group 1 outDeny a specific subnet标准的数字IPV4访问控制列表-举例 3Router(config)# access-list 1 deny 55Router(con

16、fig)# access-list 1 permit any(implicit deny all)(access-list 1 deny 55)Router(config)# interface ethernet 0Router(config-if)# ip access-group 1 outPermits only hosts in network 55 to connect to the router vty linesaccess-list 12 permit 55(implicit deny any) !line vty 0 4 access-class 12 inExample:a

17、ccess-class access-list-number in | outRestricts ing or outgoing connections between a particular vty and the addresses in an ACLRouter(config-line)#采用标准的ACL控制VTY的接入扩展的数字IPV4访问控制列表ip access-group access-list-number in | outActivates the extended list on an interfaceSets parameters for this list entr

18、yaccess-list access-list-number permit | deny protocol source source-wildcard operator port destination destination-wildcard operator port established logRouter(config)#Router(config-if)#扩展的数字IPV4访问控制列表的配置扩展的数字IPV4访问控制列表-举例 1Router(config)# access-list 101 deny tcp 55 55 eq 21Router(config)# access-

19、list 101 deny tcp 55 55 eq 20Router(config)# access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 55 55)Router(config)# interface ethernet 0Router(config-if)# ip access-group 101 outDeny FTP traffic from subnet to subnet out E0 Permit all other traffic扩展的数字IPV4访问控制列表-举例 2Rout

20、er(config)# access-list 101 deny tcp 55 any eq 23Router(config)# access-list 101 permit ip any any(implicit deny all)Router(config)# interface ethernet 0Router(config-if)# ip access-group 101 outDeny only Telnet traffic from subnet out E0Permit all other trafficip access-list standard | extended nam

21、esequence-number permit | deny ip access list test conditionspermit | deny ip access list test conditionsip access-group name in | out 命名的IPV4访问控制列表的配置Alphanumeric name string must be uniqueIf not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10no sequen

22、ce number removes the specific test from the named ACLActivates the named IP ACL on an interfaceRouter(config std- | ext-nacl)#Router(config-if)#Router(config)#Deny a specific host命名的IPV4访问控制列表-举例 1Router(config)#ip access-list standard troublemakerRouter(config-std-nacl)#deny host 3Router(config-st

23、d-nacl)#permit 55Router(config-std-nacl)#interface e0Router(config-if)#ip access-group troublemaker out Deny Telnet from a specific subnet命名的IPV4访问控制列表-举例 2Router(config)#ip access-list extended badgroupRouter(config-ext-nacl)#deny tcp 55 any eq 23Router(config-ext-nacl)#permit ip any anyRouter(conf

24、ig-ext-nacl)#interface e0Router(config-if)#ip access-group badgroup out解释ACL的配置access-list access-list-number remark remark ip access-list standard|extended name Creates a named ACL commentCreates a numbered ACL commentRouter(config std- | ext-nacl)#Router(config)#remark remark Router(config)#Create

25、s a named ACLOr查看ACL的配置Router# show access-lists access-list number|nameRouter# show access-lists Standard IP access list SALES 10 deny , wildcard bits 55 20 permit 30 permit 40 permit Extended IP access list ENG 10 permit tcp host any eq telnet (25 matches) 20 permit tcp host any eq ftp 30 permit tcp ho