ACL訪問控制列表-文檔資料

1、 2006, Shenzhen Polytechnic. All rights reserved.1訪問控制列表訪問控制列表Access Control List深圳職業(yè)技術(shù)學(xué)院計算機(jī)系網(wǎng)絡(luò)專業(yè)深圳職業(yè)技術(shù)學(xué)院計算機(jī)系網(wǎng)絡(luò)專業(yè) 2006, Shenzhen Polytechnic. All rights reserved.2教學(xué)目標(biāo)（教學(xué)目標(biāo)（ Objectives ）1. 訪問控制列表（訪問控制列表（Access Control List）2.配置標(biāo)準(zhǔn)訪問控制列表配置標(biāo)準(zhǔn)訪問控制列表（ Configure standard IP access lists ） 3. 配置擴(kuò)展訪問控制列表配置擴(kuò)

2、展訪問控制列表（ Configure extended IP access lists ）4.配置命名訪問控制列表配置命名訪問控制列表（ Configure named IP access lists ）5. 驗(yàn)證和監(jiān)視驗(yàn)證和監(jiān)視ACL（ Verify and monitor IP access lists ） 2006, Shenzhen Polytechnic. All rights reserved.3FDDITokenRingInternet 當(dāng)網(wǎng)絡(luò)訪問增長時，管理當(dāng)網(wǎng)絡(luò)訪問增長時，管理IP通信通信 Manage IP traffic as ne

3、twork access grows 當(dāng)數(shù)據(jù)包通過路由器時，起到過濾作用當(dāng)數(shù)據(jù)包通過路由器時，起到過濾作用 Filter packets as they pass through the router為什么使用為什么使用ACL？（Why Use Access Control Lists?） 2006, Shenzhen Polytechnic. All rights reserved.4ACL作用（作用（ Function of ACL ）1限制網(wǎng)絡(luò)流量、提高網(wǎng)絡(luò)性能。限制網(wǎng)絡(luò)流量、提高網(wǎng)絡(luò)性能。 Limit network traffic and increase network perfo

4、rmance. 2提供對通信流量的控制手段。提供對通信流量的控制手段。Provide traffic flow control. 3提供網(wǎng)絡(luò)訪問的基本安全手段。提供網(wǎng)絡(luò)訪問的基本安全手段。Provide a basic level of security for network access. 4在路由器接口處，決定哪種類型的通信流量被轉(zhuǎn)發(fā)、哪種在路由器接口處，決定哪種類型的通信流量被轉(zhuǎn)發(fā)、哪種類型的通信流量被阻塞。類型的通信流量被阻塞。 Decide which types of traffic are forwarded or blocked at the router interface

5、s. 2006, Shenzhen Polytechnic. All rights reserved.5ACL如何工作（如何工作（ACL How to work） 2006, Shenzhen Polytechnic. All rights reserved.6ACL條件順序條件順序（The order in which ACL statements are placed ） 2006, Shenzhen Polytechnic. All rights reserved.7ACL條件順序條件順序（The order in which ACL statements are placed ）Cis

6、co IOS按照各描述語句在按照各描述語句在ACL中的順序，根據(jù)各描中的順序，根據(jù)各描述語句的判斷條件，對數(shù)據(jù)包進(jìn)行檢查。述語句的判斷條件，對數(shù)據(jù)包進(jìn)行檢查。一旦找到了某一旦找到了某一匹配條件，就結(jié)束比較過程一匹配條件，就結(jié)束比較過程，不再檢查以后的其他條，不再檢查以后的其他條件判斷語句。件判斷語句。The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in th

7、e list, the accept or reject action is performed and no other ACL statements are checked 2006, Shenzhen Polytechnic. All rights reserved.8 什么是什么是ACL？（？（What Are Access Lists?） 標(biāo)準(zhǔn)標(biāo)準(zhǔn) ACL （ Standard ACL ） 檢查源地址（檢查源地址（Checks Source address ） 允許或拒絕整個協(xié)議族（允許或拒絕整個協(xié)議族（Generally permits or denies entire proto

8、col suite）OutgoingPacketfa0/0S0/0IncomingPacketAccess List ProcessesPermit?Source 2006, Shenzhen Polytechnic. All rights reserved.9 擴(kuò)展擴(kuò)展 ACL （ Extended ACL ） 檢查源和目的地址檢查源和目的地址（ Checks Source and Destination address） 通常允許或拒絕特定的協(xié)議通常允許或拒絕特定的協(xié)議 （Generally permits or denies specific protocols）OutgoingPack

9、etFa0/0s0/0IncomingPacketAccess List ProcessesPermit?Sourceand DestinationProtocol什么是什么是ACL？（？（What Are Access Lists?） 2006, Shenzhen Polytechnic. All rights reserved.10用擴(kuò)展用擴(kuò)展ACL檢查數(shù)據(jù)包檢查數(shù)據(jù)包（Check Packets with Extended ACL） 2006, Shenzhen Polytechnic. All rights reserved.11常見端口號常見端口號（Known Port Number

10、）端口號端口號( (Port NumberPort Number) )2020文件傳輸協(xié)議（文件傳輸協(xié)議（FTPFTP）數(shù)據(jù)）數(shù)據(jù)2121文件傳輸協(xié)議（文件傳輸協(xié)議（FTPFTP）程序）程序2323遠(yuǎn)程登錄（遠(yuǎn)程登錄（TelnetTelnet）2525簡單郵件傳輸協(xié)議（簡單郵件傳輸協(xié)議（SMTPSMTP）6969普通文件傳送協(xié)議（普通文件傳送協(xié)議（TFTPTFTP）80超文本傳輸協(xié)議超文本傳輸協(xié)議(HTTP)5353域名服務(wù)系統(tǒng)（域名服務(wù)系統(tǒng)（DNSDNS） 2006, Shenzhen Polytechnic. All rights reserved.12ACL表號（表號（ACL Numbe

11、r ） 協(xié)議（協(xié)議（ProtocolProtocol）ACLACL表號的取表號的取值范圍（值范圍（ACL ACL RangeRange）IPIP（InternetInternet協(xié)議）協(xié)議）1-991-99Extended IP(Extended IP(擴(kuò)展擴(kuò)展InternetInternet協(xié)議協(xié)議) )100-199100-199AppleTalkAppleTalk600-699600-699IPXIPX（互聯(lián)網(wǎng)數(shù)據(jù)包交換）（互聯(lián)網(wǎng)數(shù)據(jù)包交換）800-899800-899Extended IPX(Extended IPX(擴(kuò)展互聯(lián)網(wǎng)數(shù)據(jù)包交換擴(kuò)展互聯(lián)網(wǎng)數(shù)據(jù)包交換) ) 900-999900

12、-999IPX service Advertising IPX service Advertising Protocol(IPXProtocol(IPX服務(wù)通告協(xié)議服務(wù)通告協(xié)議) )1000-10991000-1099 2006, Shenzhen Polytechnic. All rights reserved.13通配符掩碼（通配符掩碼（Wildcard Mask ） 1.1.是一個是一個3232比特位的數(shù)字字符串比特位的數(shù)字字符串( (A wildcard mask is a 32-bit quantity) )2.02.0表示表示“檢查相應(yīng)的位檢查相應(yīng)的位”,1,1表示表示“不檢查（忽

13、略）相應(yīng)的位不檢查（忽略）相應(yīng)的位”A zero means let the value through to be checked, the Xs (1s) mean block the value from being compared. 2006, Shenzhen Polytechnic. All rights reserved.14特殊的通配符掩碼（特殊的通配符掩碼（Special Wildcard Mask ） 1. Any 552. Host9 Host 9 2006, Shenzh

14、en Polytechnic. All rights reserved.15Access List 命令（命令（ Access List Command ）Step 1:定義訪問控制列表（定義訪問控制列表（Define the ACL）access-list access-list-number permit | deny test conditions Router(config)#Router(config)#access-list 1 permit 55 2006, Shenzhen Polytechnic. All rights reserved

15、.16Step 2:將訪問控制列表應(yīng)用到某一接口上將訪問控制列表應(yīng)用到某一接口上（Apply ACL to a Interface） protocol access-group access-list-number in | out Router(config-if)#Access List 命令（命令（ Access List Command ）Router(config-if)#ip access-group 1 out 2006, Shenzhen Polytechnic. All rights reserved.17 僅允許我的網(wǎng)絡(luò)（僅允許我的網(wǎng)絡(luò)（Permit my network

16、only）access-list 1 permit 55(implicit deny all - not visible in the list)(access-list 1 deny 55)interface ethernet 0ip access-group 1 outinterface ethernet 1ip access-group 1 out標(biāo)準(zhǔn)IP ACL實(shí)例1（Standard IP ACL Example 1）3E0S0E1Non-17

17、 2006, Shenzhen Polytechnic. All rights reserved.18access-list 1 deny 3 access-list 1 permit 55(implicit deny all)(access-list 1 deny 55)interface ethernet 0ip access-group 1 out標(biāo)準(zhǔn)標(biāo)準(zhǔn)IP ACL實(shí)例實(shí)例2（Standard IP ACL Example 2）17

18、3E0S0E1Non- 拒絕特定的主機(jī)（拒絕特定的主機(jī)（Deny a specific host） 2006, Shenzhen Polytechnic. All rights reserved.19access-list 1 deny 55access-list 1 permit any(implicit deny all)(access-list 1 deny 55)interface ethernet 0ip access-group 1 out標(biāo)準(zhǔn)標(biāo)準(zhǔn)I

19、P ACL實(shí)例實(shí)例3（Standard IP ACL Example 3）3E0S0E1Non- 拒絕特定的子網(wǎng)（拒絕特定的子網(wǎng)（Deny a specific subnet） 2006, Shenzhen Polytechnic. All rights reserved.20標(biāo)準(zhǔn)標(biāo)準(zhǔn)ACL與擴(kuò)展與擴(kuò)展ACL比較比較（Standard versus External ACL）標(biāo)準(zhǔn)（標(biāo)準(zhǔn)（Standard）擴(kuò)展（擴(kuò)展（Extended）過濾基于源過濾基于源（Filters Based onSource.）過濾基于源和

20、目的（過濾基于源和目的（ Filters Based on Source and destination.）允許或拒絕整個協(xié)議族（允許或拒絕整個協(xié)議族（Permit or deny entire TCP/IP protocol suite.）允許或拒絕特定的允許或拒絕特定的IP協(xié)議或端口協(xié)議或端口（Specifies a specific IP protocol and port number.）范圍（范圍（100-199）Range is 100 through 199.范圍（范圍（1-99）Range is 1 through 99 2006, Shenzhen Polytechnic.

21、All rights reserved.21CASE STUDY首先使得首先使得PC1所在的網(wǎng)絡(luò)不能通過路由器所在的網(wǎng)絡(luò)不能通過路由器R1訪問訪問PC2所所在的網(wǎng)絡(luò)。在的網(wǎng)絡(luò)。 2006, Shenzhen Polytechnic. All rights reserved.22擴(kuò)展擴(kuò)展ACL配置（配置（Extended IP ACL Configuration）Router(config)# access-listaccess-list access-list-numberaccess-list-number permit | denypermit | deny protocol source

22、 source-wildcard operator protocol source source-wildcard operator portport destination destination-wildcard destination destination-wildcard operator portoperator port established established loglog參數(shù)參數(shù)描述access-list-number訪問控制列表表號permit|deny如果滿足條件，允許或拒絕后面指定特定地址的通信流量protocol用來指定協(xié)議類型，如IP、TCP、UDP、ICMP

23、等source and destination分別用來標(biāo)識源地址和目的地址source-mask通配符掩碼，跟源地址相對應(yīng)destination-mask通配符掩碼，跟目的地址相對應(yīng)operator lt,gt,eq,neq(小于，大于，等于，不等于) operand一個端口號established如果數(shù)據(jù)包使用一個已建立連接，便可允許TCP信息通過 2006, Shenzhen Polytechnic. All rights reserved.23access-list 101 deny tcp 55 55 eq 21a

24、ccess-list 101 deny tcp 55 55 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 55 55)interface ethernet 0ip access-group 101 out 拒絕從拒絕從到到的經(jīng)過的經(jīng)過E0出方向的出方向的FTP流量流量 Deny FTP

25、 from subnet to subnet out of E0 允許其他所有的流量允許其他所有的流量 Permit all other traffic擴(kuò)展擴(kuò)展ACL實(shí)例實(shí)例1 （Extended ACL Example 1）3E0S0E1Non- 2006, Shenzhen Polytechnic. All rights reserved.24access-list 101 deny tcp 55 any eq 23access-l

26、ist 101 permit ip any any(implicit deny all)interface ethernet 0ip access-group 101 out 僅拒絕子網(wǎng)僅拒絕子網(wǎng) 在在E0出方向的流量出方向的流量 Deny only Telnet from subnet 172.1 6.4.0 out of E0 允許其他流量（允許其他流量（Permit all other traffic）Extended Access List Example 23E0S0E1Non-17

27、 2006, Shenzhen Polytechnic. All rights reserved.25使用命名使用命名IP ACL（Using Named IP ACL）Router(config)#ip access-list standard | extended name IOS11.2 以后支持的特征以后支持的特征 Feature for Cisco IOS Release 11.2 or later 名字字符串要唯一名字字符串要唯一 Name string must be unique 2006, Shenzhen Polytechnic. All rights re

28、served.26使用命名使用命名IP ACL（Using Named IP ACL） permit | deny ip access list test conditions permit | deny ip access list test conditions no permit | deny ip access list test conditions Router(config std- | ext-nacl)# 允許或拒絕陳述條件前沒有表號允許或拒絕陳述條件前沒有表號 Permit or deny statements have no prepended number 可以用可以用

29、“NO”命令移去特定的陳述命令移去特定的陳述 no removes the specific test from the named access list 2006, Shenzhen Polytechnic. All rights reserved.27Router(config-if)# ip access-group name in | out 使用命名使用命名IP ACL（Using Named IP ACL） 在接口上激活命名在接口上激活命名ACL Activates the IP named access list on an interface 2006, Shenzhen P

30、olytechnic. All rights reserved.28 擴(kuò)展擴(kuò)展ACL靠近源靠近源 Place extended access lists close to the source 標(biāo)準(zhǔn)標(biāo)準(zhǔn)ACL靠近目的靠近目的 Place standard access lists close to the destinationE0E0E1S0To0S1S0S1E0E0TokenRing放置放置ACL（ Placing IP Access Lists） 2006, Shenzhen Polytechnic. All rights reserved.29wg_ro_a#show ip int e

31、0Ethernet0 is up, line protocol is up Internet address is 1/24 Broadcast address is 55 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never