ACL访问控制列表.ppt

1、访问控制列表Access Control List,深圳职业技术学院计算机系网络专业,教学目标（ Objectives ）,1. 访问控制列表（Access Control List） 2.配置标准访问控制列表 （ Configure standard IP access lists ） 3. 配置扩展访问控制列表 （ Configure extended IP access lists ） 4.配置命名访问控制列表 （ Configure named IP access lists ） 5. 验证和监视ACL （ Verify and monitor IP access lists ）,17

2、,,Internet,当网络访问增长时，管理IP通信 Manage IP traffic as network access grows 当数据包通过路由器时，起到过滤作用 Filter packets as they pass through the router,为什么使用ACL？（Why Use Access Control Lists?）,ACL作用（ Function of ACL ）,1限制网络流量、提高网络性能。 Limit network traffic and increase network performance. 2提供对通信流量的控

3、制手段。 Provide traffic flow control. 3提供网络访问的基本安全手段。 Provide a basic level of security for network access. 4在路由器接口处，决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。 Decide which types of traffic are forwarded or blocked at the router interfaces.,ACL如何工作（ACL How to work）,ACL条件顺序（The order in which ACL statements are place

4、d ）,ACL条件顺序（The order in which ACL statements are placed ）,Cisco IOS按照各描述语句在ACL中的顺序，根据各描述语句的判断条件，对数据包进行检查。一旦找到了某一匹配条件，就结束比较过程，不再检查以后的其他条件判断语句。 The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list,

5、the accept or reject action is performed and no other ACL statements are checked,什么是ACL？（What Are Access Lists?）,标准 ACL （ Standard ACL ） 检查源地址（Checks Source address ） 允许或拒绝整个协议族（Generally permits or denies entire protocol suite）,Outgoing Packet,fa0/0,S0/0,Incoming Packet,Access List Processes,Permit

6、?,扩展 ACL （ Extended ACL ） 检查源和目的地址 （ Checks Source and Destination address） 通常允许或拒绝特定的协议 （Generally permits or denies specific protocols）,Outgoing Packet,Fa0/0,s0/0,Incoming Packet,Access List Processes,Permit?,Protocol,什么是ACL？（What Are Access Lists?）,用扩展ACL检查数据包（Check Packets with Extended ACL）,常见端

7、口号（Known Port Number）,ACL表号（ACL Number ）,通配符掩码（Wildcard Mask ）,1.是一个32比特位的数字字符串(A wildcard mask is a 32-bit quantity) 2.0表示“检查相应的位”,1表示“不检查（忽略）相应的位” A zero means let the value through to be checked, the Xs (1s) mean block the value from being compared.,特殊的通配符掩码（Special Wildcard Mask ）,1. Any

8、 55 2. Host 9 Host 9,Access List 命令（ Access List Command ）,Step 1:定义访问控制列表（Define the ACL）,access-list access-list-number permit | deny test conditions ,Router(config)#,Router(config)#access-list 1 permit 55,Step 2:将访问控制列表应用到某一接口上 （Apply

9、 ACL to a Interface）, protocol access-group access-list-number in | out,Router(config-if)#,Access List 命令（ Access List Command ）,Router(config-if)#ip access-group 1 out,仅允许我的网络（Permit my network only）,access-list 1 permit 55 (implicit deny all - not visible in the list) (access-l

10、ist 1 deny 55) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out,标准IP ACL实例1（Standard IP ACL Example 1）,,,3,E0,S0,E1,Non- ,access-list 1 deny 3 access-list 1 permit 255.255.255.

11、255 (implicit deny all) (access-list 1 deny 55) interface ethernet 0 ip access-group 1 out,标准IP ACL实例2（Standard IP ACL Example 2）,,,3,E0,S0,E1,Non- ,拒绝特定的主机（Deny a specific host）,access-list 1 deny 55 access-list 1 permit

12、 any (implicit deny all)(access-list 1 deny 55) interface ethernet 0 ip access-group 1 out,标准IP ACL实例3（Standard IP ACL Example 3）,,,3,E0,S0,E1,Non- ,拒绝特定的子网（Deny a specific subnet）,标准ACL与扩展ACL比较（Standard versus External ACL）,标准（Standard）,扩

13、展（Extended）,过滤基于源 （Filters Based onSource.）,过滤基于源和目的（ Filters Based on Source and destination.）,允许或拒绝整个协议族（Permit or deny entire TCP/IP protocol suite.）,允许或拒绝特定的IP协议或端口 （Specifies a specific IP protocol and port number.）,范围（100-199） Range is 100 through 199.,范围（1-99） Range is 1 through 99,CASE STUDY

14、,首先使得PC1所在的网络不能通过路由器R1访问PC2所在的网络。,扩展ACL配置（Extended IP ACL Configuration）,Router(config)# access-list access-list-number permit | deny protocol source source-wildcard operator port destination destination-wildcard operator port established log,access-list 101 deny tcp 55

15、55 eq 21 access-list 101 deny tcp 55 55 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 55 55) interface ethernet 0 ip access-group 101 out,拒绝从到的经过E0出方向的FTP流量

16、 Deny FTP from subnet to subnet out of E0 允许其他所有的流量 Permit all other traffic,扩展ACL实例1 （Extended ACL Example 1）,,,3,E0,S0,E1,Non- ,access-list 101 deny tcp 55 any eq 23 access-list 101 permit ip any any (implicit deny all

17、) interface ethernet 0 ip access-group 101 out,仅拒绝子网 在E0出方向的流量 Deny only Telnet from subnet 172.1 6.4.0 out of E0 允许其他流量（Permit all other traffic）,Extended Access List Example 2,,,3,E0,S0,E1,Non- ,使用命名IP ACL（Using Named IP ACL）,Router(conf

18、ig)#,ip access-list standard | extended name,IOS11.2 以后支持的特征 Feature for Cisco IOS Release 11.2 or later,名字字符串要唯一 Name string must be unique,使用命名IP ACL（Using Named IP ACL）, permit | deny ip access list test conditions permit | deny ip access list test conditions no permit | deny ip access list test

19、conditions ,Router(config std- | ext-nacl)#,允许或拒绝陈述条件前没有表号 Permit or deny statements have no prepended number 可以用“NO”命令移去特定的陈述 no removes the specific test from the named access list,使用命名IP ACL（Using Named IP ACL）,在接口上激活命名ACL Activates the IP named access list on an interface,扩展ACL靠近源 Place extended

20、 access lists close to the source 标准ACL靠近目的 Place standard access lists close to the destination,E0,E0,E1,S0,To0,S1,S0,S1,E0,E0,B,A,C,放置ACL（ Placing IP Access Lists）,D,wg_ro_a#show ip int e0 Ethernet0 is up, line protocol is up Internet address is 1/24 Broadcast address is 55 Ad

21、dress determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same inte