【理论6-1】ACL.ppt

1、ACL(Access Control List) 访问控制列表,为什么要用ACL？,Filtering: Manage IP traffic by filtering packets passing through a router Classification: Identify traffic for special handling,ACL的应用: Filtering,Permit or deny packets moving through the router. Permit or deny vty access to or from the router. Without ACLs

2、, all packets could be transmitted to all parts of your network.,Special handling for traffic based on packet tests,ACL的应用: Classification,入方向的ACL的操作,N,Y,Permit?,Y,ACL ?,N,Routing Table Entry？,出方向的ACL的操作,If no ACL statement matches, discard the packet.,ACL的匹配: Deny or Permit,ACL的类型,Standard ACL Chec

3、ks source address； Generally permits or denies entire protocol suite； Extended ACL Checks source and destination address； Generally permits or denies specific protocols and applications； Two methods used to identify standard and extended ACLs: Numbered ACLs use a number for identification Named ACLs

4、 use a descriptive name or number for identification,ACLs如何标识？,Numbered standard IPv4 lists (199) test conditions of all IP packets for source addresses. Expanded range (13001999). Numbered extended IPv4 lists (100199) test conditions of source and destination addresses, specific TCP/IP protocols, a

5、nd destination ports. Expanded range (20002699). Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).,IP访问控制列表序列号,Requires Cisco IOS Release 12.3 Allows you to edit the order of ACL statements using sequence numbers In software earlier than Cisco IOS Release 12.3, a

6、text editor is used to create ACL statements, then the statements are copied into the router in the correct order. Allows you to remove a single ACL statement from the list using a sequence number With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no deny | permit protocol

7、 source source-wildcard destination destination-wildcard to remove an individual statement. With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.,ACL配置向导,Standard or extended indicates what can be filtered. Only one ACL p

8、er interface, per protocol, and per direction is allowed. The order of ACL statements controls testing, therefore, the most specific statements go at the top of the list. The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement. ACLs a

9、re created globally and then applied to interfaces for inbound or outbound traffic. An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied. When placing ACLs in the network: Place extended ACLs close to the source Place standard ACLs clo

10、se to the destination,Dynamic ACLs,Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and areauthenticated.,Reflexive ACLs,Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that

11、 originate inside the router,Time-Based ACLs,Time-based ACLs: Allow for access control based on the time of day and week,反掩码,0 means to match the value of the corresponding address bit 1 means to ignore the value of the corresponding address bit,Match for IP subnets /24 to /24.

12、,反掩码匹配IP子网,Address and wildcard mask: 55,9 matches all of the address bits Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 9),反掩码缩写, 55 ignores all address bits Abbreviate expression with the

13、keyword any,Configuring ACL 配置ACL,标准的数字IPV4访问控制列表,Activates the list on an interface. Sets inbound or outbound testing. no ip access-group access-list-number in | out removes the ACL from the interface.,ip access-group access-list-number in | out,Uses 1 to 99 for the access-list-number. The first en

14、try is assigned a sequence number of 10, and successive entries are incremented by 10. Default wildcard mask is (only standard ACL). no access-list access-list-number removes the entire ACL. remark lets you add a description to the ACL.,access-list access-list-number permit | deny | remark s

15、ource mask,Router(config)#,Router(config-if)#,标准的数字IPV4访问控制列表的配置,Permit my network only,标准的数字IPV4访问控制列表-举例 1,Router(config)# access-list 1 permit 55 (implicit deny all - not visible in the list) (access-list 1 deny 55) Router(config)# interface ethernet 0 Rou

16、ter(config-if)# ip access-group 1 out Router(config)# interface ethernet 1 Router(config-if)# ip access-group 1 out,Deny a specific host,标准的数字IPV4访问控制列表-举例 2,Router(config)# access-list 1 deny 3 Router(config)# access-list 1 permit 55 (implicit deny all) (acces

17、s-list 1 deny 55) Router(config)# interface ethernet 0 Router(config-if)# ip access-group 1 out,Deny a specific subnet,标准的数字IPV4访问控制列表-举例 3,Router(config)# access-list 1 deny 55 Router(config)# access-list 1 permit any (implicit deny all)(access-list 1 deny 0.0

18、.0.0 55) Router(config)# interface ethernet 0 Router(config-if)# ip access-group 1 out,Permits only hosts in network 55 to connect to the router vty lines,access-list 12 permit 55 (implicit deny any) ! line vty 0 4 access-class 12 in,Example:,access

19、-class access-list-number in | out,Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL,Router(config-line)#,采用标准的ACL控制VTY的接入,扩展的数字IPV4访问控制列表,ip access-group access-list-number in | out,Activates the extended list on an interface,Sets parameters for this li

20、st entry,access-list access-list-number permit | deny protocol source source-wildcard operator port destination destination-wildcard operator port established log,Router(config)#,Router(config-if)#,扩展的数字IPV4访问控制列表的配置,扩展的数字IPV4访问控制列表-举例 1,Router(config)# access-list 101 deny tcp 55

21、 55 eq 21 Router(config)# access-list 101 deny tcp 55 55 eq 20 Router(config)# access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 55 55) Router(config)# interface ethernet 0 Rou

22、ter(config-if)# ip access-group 101 out,Deny FTP traffic from subnet to subnet out E0 Permit all other traffic,扩展的数字IPV4访问控制列表-举例 2,Router(config)# access-list 101 deny tcp 55 any eq 23 Router(config)# access-list 101 permit ip any any (implicit deny all) Rout

23、er(config)# interface ethernet 0 Router(config-if)# ip access-group 101 out,Deny only Telnet traffic from subnet out E0 Permit all other traffic,ip access-list standard | extended name,sequence-number permit | deny ip access list test conditions permit | deny ip access list test condition

24、s,ip access-group name in | out,命名的IPV4访问控制列表的配置,Alphanumeric name string must be unique,If not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10 no sequence number removes the specific test from the named ACL,Activates the named IP ACL on an interface,Ro

25、uter(config std- | ext-nacl)#,Router(config-if)#,Router(config)#,Deny a specific host,命名的IPV4访问控制列表-举例 1,Router(config)#ip access-list standard troublemakerRouter(config-std-nacl)#deny host 3Router(config-std-nacl)#permit 55Router(config-std-nacl)#interface e0Router(confi

26、g-if)#ip access-group troublemaker out,Deny Telnet from a specific subnet,命名的IPV4访问控制列表-举例 2,Router(config)#ip access-list extended badgroupRouter(config-ext-nacl)#deny tcp 55 any eq 23Router(config-ext-nacl)#permit ip any anyRouter(config-ext-nacl)#interface e0Router(config-if)#ip

27、 access-group badgroup out,解释ACL的配置,access-list access-list-number remark remark,ip access-list standard|extended name,Creates a named ACL comment,Creates a numbered ACL comment,Router(config std- | ext-nacl)#,Router(config)#,remark remark,Router(config)#,Creates a named ACL,Or,查看ACL的配置,Router# show

28、 access-lists access-list number|name,Router# show access-lists Standard IP access list SALES 10 deny , wildcard bits 55 20 permit 30 permit 40 permit Extended IP access list ENG 10 permit tcp host any eq telnet (25 matches) 20 permit tcp host any eq ftp