ACL 访问控制列表

ddiou
2 ℃
2020-01-29

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-1ACL配置IPACLs©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-2访问列表配置指南•访问列表的编号指明了使用何种协议的访问列表•每个端口、每个方向只能对应于一条访问列表•访问列表的内容决定了数据的控制顺序•具有严格限制条件的语句应放在访问列表所有语句的最上面•在访问列表的最后有一条隐含声明：denyany－每一条正确的访问列表都至少应该有一条允许语句•先创建访问列表，然后应用到端口上•访问列表不能过滤由路由器自己产生的数据©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-3Step1:设置访问列表测试语句的参数Router(config)#Step2:在端口上应用访问列表Ipaccess-groupaccess-list-number{in|out}Router(config-if)#IP访问列表设置命令IP访问列表的标号为1-99和100-199access-listaccess-list-number{permit|deny}{testconditions}©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-4•0表示检查与之对应的地址位的值•1表示忽略与之对应的地址位的值donotcheckaddress(ignorebitsinoctet)=001111111286432168421=00000000=00001111=11111100=11111111Octetbitpositionandaddressvalueforbitignorelast6addressbitscheckalladdressbits(matchall)ignorelast4addressbitschecklast2addressbitsExamples通配符：如何检查相应的地址位©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-5•例如172.30.16.290.0.0.0检查所有的地址位•可以简写为host(host172.30.16.29)Testconditions:Checkalltheaddressbits(matchall)172.30.16.290.0.0.0(checksallbits)AnIPhostaddress,forexample:Wildcardmask:通配符掩码指明特定的主机©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-6•所有主机:0.0.0.0255.255.255.255•可以用any简写Testconditions:Ignorealltheaddressbits(matchany)0.0.0.0255.255.255.255(ignoreall)AnyIPaddressWildcardmask:通配符掩码指明所有主机©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-7CheckforIPsubnets172.30.16.0/24to172.30.31.0/24Network.host172.30.16.000010000Wildcardmask:00001111----match------------don’tcare----00010000=1600010001=1700010010=18::00011111=31Addressandwildcardmask:172.30.16.00.0.15.255通配符掩码和IP子网的对应©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-8标准IP访问列表的配置access-listaccess-list-number{permit|deny}source[mask]Router(config)#•为访问列表设置参数•IP标准访问列表编号1到99•缺省的通配符掩码=0.0.0.0•“noaccess-listaccess-list-number”命令删除访问列表©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-9access-listaccess-list-number{permit|deny}source[Wildcard]Router(config)#•在端口上应用访问列表•指明是进方向还是出方向•缺省=出方向•“noipaccess-groupaccess-list-number”命令在端口上删除访问列表Router(config-if)#ipaccess-groupaccess-list-number{in|out}•为访问列表设置参数•IP标准访问列表编号1到99•缺省的通配符掩码=0.0.0.0•“noaccess-listaccess-list-number”命令删除访问列表标准IP访问列表的配置©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-10172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0标准访问列表举例1access-list1permit172.16.0.00.0.255.255(implicitdenyall-notvisibleinthelist)(access-list1deny0.0.0.0255.255.255.255)©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-11Permitmynetworkonlyaccess-list1permit172.16.0.00.0.255.255(implicitdenyall-notvisibleinthelist)(access-list1deny0.0.0.0255.255.255.255)interfaceethernet0ipaccess-group1outinterfaceethernet1ipaccess-group1out172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0标准访问列表举例1©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-12Denyaspecifichost标准访问列表举例2172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0access-list1deny172.16.4.130.0.0.0©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-13标准访问列表举例2172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0Denyaspecifichostaccess-list1deny172.16.4.130.0.0.0access-list1permit0.0.0.0255.255.255.255(implicitdenyall)(access-list1deny0.0.0.0255.255.255.255)©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-14access-list1deny172.16.4.130.0.0.0access-list1permit0.0.0.0255.255.255.255(implicitdenyall)(access-list1deny0.0.0.0255.255.255.255)interfaceethernet0ipaccess-group1out标准访问列表举例2172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0Denyaspecifichost©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-15Denyaspecificsubnet标准访问列表举例3172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0access-list1deny172.16.4.00.0.0.255access-list1permitany(implicitdenyall)(access-list1deny0.0.0.0255.255.255.255)©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-16access-list1deny172.16.4.00.0.0.255access-list1permitany(implicitdenyall)(access-list1deny0.0.0.0255.255.255.255)interfaceethernet0ipaccess-group1out标准访问列表举例3172.16.3.0172.16.4.0172.16.4.13E0S0E1Non-172.16.0.0Denyaspecificsubnet©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-17在路由器上过滤vty•五个虚拟通道(0到4)•路由器的vty端口可以过滤数据•在路由器上执行vty访问的控制01234Virtualports(vty0through4)Physicalporte0(Telnet)Consoleport(directconnect)consolee0©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-18如何控制vty访问01234Virtualports(vty0through4)Physicalport(e0)(Telnet)•使用标准访问列表语句•用access-class命令应用访问列表•在所有vty通道上设置相同的限制条件Router#e0©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-19虚拟通道的配置•指明vty通道的范围•在访问列表里指明方向access-classaccess-list-number{in|out}linevty#{vty#|vty-range}Router(config)#Router(config-line)#©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-20虚拟通道访问举例只允许网络192.89.55.0内的主机连接路由器的vty通道access-list12permit192.89.55.00.0.0.255!linevty04access-class12inControllingInboundAccess©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-21标准访问列表和扩展访问列表比较标准扩展基于源地址基于源地址和目标地址允许和拒绝完整的TCP/IP协议指定TCP/IP的特定协议和端口号编号范围100到199.编号范围1到99©2006CiscoSystems,Inc.Allrightsreserved.ICNDv2.3—4-22扩展IP访问列表的配置Router(config)#•设置访问列表的参数access-listaccess-list-number{permit|deny}protocols