ACL (Access Control List)

Why use ACLs?
Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling

ACL applications: Filtering
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.

ACL applications: Classification
Special handling for traffic based on packet tests

Inbound ACL operation
(flowchart; only the decision labels survive: "ACL?" Y/N, "Permit?" Y/N, "Routing Table Entry?")

Outbound ACL operation
If no ACL statement matches, discard the packet.

ACL matching: Deny or Permit

ACL types
Standard ACL
Checks source address;
Generally permits or denies entire protocol suite;
Extended ACL
Checks source and destination address;
Generally permits or denies specific protocols and applications;
Two methods used to identify standard and extended ACLs:
Numbered ACLs use a number for identification
Named ACLs use a descriptive name or number for identification

How are ACLs identified?
Numbered standard IPv4 lists (1–99) test conditions of all IP packets for source addresses. Expanded range (1300–1999).
Numbered extended IPv4 lists (100–199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000–2699).
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

IP access list sequence numbers
Requires Cisco IOS Release 12.3
Allows you to edit the order of ACL statements using sequence numbers
In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.
Allows you to remove a single ACL statement from the list using a sequence number
With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.
With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.

ACL configuration guidelines
Standard or extended indicates what can be filtered.
Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
When placing ACLs in the network:
Place extended ACLs close to the source
Place standard ACLs close to the destination
Dynamic ACLs
Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Reflexive ACLs
Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.

Time-Based ACLs
Time-based ACLs: Allow for access control based on the time of day and week.

Wildcard mask
0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit

Wildcard mask matching IP subnets
Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask: 172.30.16.0 0.0.15.255

Wildcard mask abbreviations
172.30.16.29 0.0.0.0 matches all of the address bits
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)
0.0.0.0 255.255.255.255 ignores all address bits
Abbreviate this expression with the keyword any
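The wildcard rule above, worked in code. This is an added example, not part of the original slides: it checks addresses against the slide's 172.30.16.0 0.0.15.255 block, recovers the address range a contiguous wildcard covers, derives the wildcard for a /n prefix (the "inverse mask"), and produces the host/any shorthands. The range and prefix helpers go slightly beyond the slide.

```python
import ipaddress


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard rule: a 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    keep = ~_u32(wildcard) & 0xFFFFFFFF          # the bits the router actually compares
    return _u32(addr) & keep == _u32(base) & keep


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse mask) for a /n prefix: the bitwise NOT of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def matched_range(base: str, wildcard: str) -> tuple:
    """First and last address matched when the wildcard's 1 bits are contiguous low-order bits
    (the subnet-block case). A wildcard such as 0.0.254.255 is legal in IOS but selects a
    scattered set of addresses, not one range, so it is rejected here."""
    w = _u32(wildcard)
    if w & (w + 1):                               # contiguous low-order ones iff w+1 is a power of two
        raise ValueError("non-contiguous wildcard does not describe a single range")
    first = _u32(base) & ~w & 0xFFFFFFFF          # ignored bits of the base are irrelevant: clear them
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


def abbreviate(base: str, wildcard: str) -> str:
    """IOS shorthand from the slides: 'host A' for wildcard 0.0.0.0, 'any' for 0.0.0.0 255.255.255.255."""
    if wildcard == "0.0.0.0":
        return f"host {base}"
    if base == "0.0.0.0" and wildcard == "255.255.255.255":
        return "any"
    return f"{base} {wildcard}"


if __name__ == "__main__":
    # The slide's example: 172.30.16.0 0.0.15.255 spans the /24s 172.30.16.0 through 172.30.31.0
    print(matched_range("172.30.16.0", "0.0.15.255"))                 # ('172.30.16.0', '172.30.31.255')
    print(wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255"))  # False: outside the block
    print(abbreviate("172.30.16.29", "0.0.0.0"))                      # host 172.30.16.29
```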
Configuring ACLs

Standard numbered IPv4 access lists

Configuring standard numbered IPv4 access lists
Router(config)# access-list access-list-number {permit | deny | remark} source [mask]
Uses 1 to 99 for the access-list-number.
The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
Default wildcard mask is 0.0.0.0 (only standard ACL).
no access-list access-list-number removes the entire ACL.
remark lets you add a description to the ACL.
Router(config-if)# ip access-group access-list-number {in | out}
Activates the list on an interface.
Sets inbound or outbound testing.
no ip access-group access-list-number {in | out} removes the ACL from the interface.

Standard numbered IPv4 access list: Example 1
Permit my network only
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out
Router(config)# interface ethernet 1
Router(config-if)# ip access-group 1 out

Standard numbered IPv4 access list: Example 2
Deny a specific host
Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out

Standard numbered IPv4 access list: Example 3
Deny a specific subnet
Router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
Router(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out

Using a standard ACL to control vty access
Router(config-line)# access-class access-list-number {in | out}
Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL
Example: Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty lines
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Extended numbered IPv4 access lists

Configuring extended numbered IPv4 access lists
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number {in | out}
Activates the extended list on an interface

Extended numbered IPv4 access list: Example 1
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
Router(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out
Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic

Extended numbered IPv4 access list: Example 2
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
Router(config)# access-list 101 permit ip any any
(implicit deny all)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out
Deny only Telnet traffic from subnet 172.16.4.0 out E0
Permit all other traffic

Configuring named IPv4 access lists
Router(config)# ip access-list {standard | extended} name
Alphanumeric name string must be unique
Router(config {std- | ext-}nacl)# [sequence-number] {permit | deny} {ip access list test conditions}
If not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10
no sequence-number removes the specific test from the named ACL
Router(config-if)# ip access-group name {in | out}
Activates the named IP ACL on an interface

Named IPv4 access list: Example 1
Deny a specific host
Router(config)# ip access-list standard troublemaker
Router(config-std-nacl)#deny host 172.16.4.13
Router(config-std-nacl)#permit 172.16.4.0 0.0.0.255
Router(config-std-nacl)#interface e0
Router(config-if)# ip access-group troublemaker out

Named IPv4 access list: Example 2
Deny Telnet from a specific subnet
Router(config)# ip access-list extended badgroup
Router(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group badgroup out

Adding comments to ACL configurations
Router(config)# access-list access-list-number remark remark
Creates a numbered ACL comment
Or
Router(config)# ip access-list {standard | extended} name
Creates a named ACL
Router(config {std- | ext-}nacl)# remark remark
Creates a named ACL comment

Verifying ACL configuration
Router# show access-lists {access-list number | name}
Router# show access-lists
Standard IP access list SALES
10 deny 10.1.1.0, wildcard bits 0.0.0.255
20 permit 10.3.3.1
30 permit 10.4.4.1
40 permit 10.5.5.1
Extended IP access list ENG
10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
20 permit tcp host 10.33.33.1 any eq ftp
30 permit tcp host 10.44.44.1 any eq ftp-data
Displays all access lists

Verifying ACL configuration
Router# show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
ACL troubleshooting
Error 1: Host 10.1.1.1 has no connectivity with 10.100.100.1.
Error 2: The 192.168.1.0 network cannot use TFTP to connect to 10.100.100.1.
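Working through errors like these starts with finding which entry a given flow hits. The following Python is an added example, not code from the slides: it parses the standard and extended numbered access-list lines used in the examples above, evaluates a packet top-down with first-match semantics and the implicit deny, and keeps a per-entry hit counter like the "(25 matches)" shown by show access-lists. It assumes ports are written numerically (eq 21, not eq ftp) and does not model remark, established or log.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard rule: 0 bits must match the base address, 1 bits are ignored."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & keep == int(ipaddress.IPv4Address(base)) & keep


def _addr(t: list, i: int) -> tuple:
    """Address spec at t[i]: 'any', 'host A' or 'A WILDCARD' -> (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    # a bare address with nothing after it gets the standard-ACL default wildcard 0.0.0.0
    return t[i], (t[i + 1] if i + 1 < len(t) else "0.0.0.0"), i + 2


def parse_acl(lines: list) -> list:
    """Parse 'access-list N {permit|deny} ...' lines into entries numbered 10, 20, ... as IOS does.
    Numbers 1-99 and 1300-1999 use standard syntax (source only); all others are read as extended."""
    entries = []
    for n, line in enumerate(lines, start=1):
        t = line.split()
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            src, sw, _ = _addr(t, 3)
            proto, dst, dw, port = "ip", "0.0.0.0", "255.255.255.255", None
        else:
            proto = t[3]
            src, sw, i = _addr(t, 4)
            dst, dw, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(dict(seq=n * 10, action=action, proto=proto, src=src, sw=sw,
                            dst=dst, dw=dw, port=port, matches=0))
    return entries


def evaluate(entries: list, src: str, dst: str = "0.0.0.0", proto: str = "ip", dport=None) -> tuple:
    """Top-down, first match wins and its hit counter is incremented.
    No match -> the implicit deny, reported as sequence None."""
    for e in entries:
        if e["proto"] not in ("ip", proto) or (e["port"] is not None and e["port"] != dport):
            continue
        if wildcard_match(src, e["src"], e["sw"]) and wildcard_match(dst, e["dst"], e["dw"]):
            e["matches"] += 1
            return e["action"], e["seq"]
    return "deny", None
```

Swapping the two lines of standard Example 2 (permit any before the host deny) makes the deny unreachable, which is the ordering guideline from the configuration slide.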