1 / 31

访问控制列表 Access Control List

访问控制列表 Access Control List. 深圳职业技术学院计算机系网络专业. 教学目标( Objectives ). 1. 访问控制列表( Access Control List ) 2. 配置标准访问控制列表 ( Configure standard IP access lists ) 3. 配置扩展访问控制列表 ( Configure extended IP access lists ) 4. 配置命名访问控制列表 ( Configure named IP access lists ) 5. 验证和监视 ACL

lila-martin
Download Presentation

访问控制列表 Access Control List

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 访问控制列表Access Control List 深圳职业技术学院计算机系网络专业

  2. 教学目标( Objectives) • 1. 访问控制列表(Access Control List) • 2.配置标准访问控制列表 • ( Configure standard IP access lists) • 3. 配置扩展访问控制列表 • ( Configure extended IP access lists) • 4.配置命名访问控制列表 • ( Configure named IP access lists) • 5. 验证和监视ACL • ( Verify and monitor IP access lists)

  3. 当网络访问增长时,管理IP通信 Manage IP traffic as network access grows 当数据包通过路由器时,起到过滤作用 Filter packets as they pass through the router 为什么使用ACL?(Why Use Access Control Lists?) 172.16.0.0 Internet 172.17.0.0

  4. ACL作用(Function of ACL ) • 1.限制网络流量、提高网络性能。 • Limit network traffic and increase network performance. • 2.提供对通信流量的控制手段。 • Provide traffic flow control. • 3.提供网络访问的基本安全手段。 • Provide a basic level of security for network access. • 4.在路由器接口处,决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。 • Decide which types of traffic are forwarded or blocked at the router interfaces.

  5. ACL如何工作(ACLHow to work)

  6. ACL条件顺序(The order in which ACL statements are placed)

  7. ACL条件顺序(The order in which ACL statements are placed) Cisco IOS按照各描述语句在ACL中的顺序,根据各描述语句的判断条件,对数据包进行检查。一旦找到了某一匹配条件,就结束比较过程,不再检查以后的其他条件判断语句。 • The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked

  8. Source 什么是ACL?(What Are Access Lists?) Access List Processes fa0/0 Outgoing Packet Incoming Packet Permit? S0/0 • 标准 ACL( Standard ACL) • 检查源地址(Checks Source address ) • 允许或拒绝整个协议族(Generally permits or denies entire protocol suite)

  9. Source and Destination 什么是ACL?(What Are Access Lists?) Access List Processes Fa0/0 Outgoing Packet Protocol Incoming Packet Permit? s0/0 • 扩展 ACL( Extended ACL ) • 检查源和目的地址 ( Checks Source and Destination address) • 通常允许或拒绝特定的协议 (Generally permits or denies specific protocols)

  10. 用扩展ACL检查数据包(Check Packets with Extended ACL)

  11. 常见端口号(Known Port Number)

  12. ACL表号(ACL Number)

  13. 通配符掩码(Wildcard Mask) • 1.是一个32比特位的数字字符串(A wildcard mask is a 32-bit quantity) • 2.0表示“检查相应的位”,1表示“不检查(忽略)相应的位” • A zero means let the value through to be checked, the X’s (1’s) mean block the value from being compared.

  14. 特殊的通配符掩码(Special Wildcard Mask) • 1. Any • 0.0.0.0 255.255.255.255 • 2. Host • 172.30.16.29 0.0.0.0 • Host 172.30.16.29

  15. Access List 命令( Access List Command) Step 1:定义访问控制列表(Define the ACL) Router(config)# access-list access-list-number { permit | deny } { testconditions } Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

  16. Router(config-if)#ip access-group 1 out Access List 命令( Access List Command) Step 2:将访问控制列表应用到某一接口上 (Apply ACL to a Interface) Router(config-if)# { protocol } access-group access-list-number {in | out}

  17. 标准IP ACL实例1(Standard IP ACL Example 1) Non- 172.16.0.0 172.16.3.0 172.16.4.0 S0 172.16.4.13 E0 E1 access-list 1 permit 172.16.0.00.0.255.255 (implicit deny all - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out • 仅允许我的网络(Permit my network only)

  18. 标准IP ACL实例2(Standard IP ACL Example 2) Non- 172.16.0.0 172.16.3.0 172.16.4.0 S0 172.16.4.13 E0 E1 access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255 (implicit deny all) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out • 拒绝特定的主机(Deny a specific host)

  19. 标准IP ACL实例3(Standard IP ACL Example 3) Non- 172.16.0.0 172.16.3.0 172.16.4.0 S0 172.16.4.13 E0 E1 access-list 1 deny 172.16.4.0 0.0.0.255 access-list 1 permit any (implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out • 拒绝特定的子网(Deny a specific subnet)

  20. 标准ACL与扩展ACL比较(Standard versus External ACL) 标准(Standard) 扩展(Extended) 过滤基于源和目的( Filters Based on Source and destination.) 过滤基于源 (Filters Based onSource.) 允许或拒绝整个协议族(Permit or deny entire TCP/IP protocol suite.) 允许或拒绝特定的IP协议或端口 (Specifies a specific IP protocol and port number.) 范围(1-99) Range is 1 through 99 范围(100-199) Range is 100 through 199.

  21. CASE STUDY 首先使得PC1所在的网络不能通过路由器R1访问PC2所在的网络。

  22. 扩展ACL配置(Extended IP ACL Configuration) Router(config)# access-listaccess-list-number{ permit | deny } protocol source source-wildcard [operator port]destination destination-wildcard [ operator port ] [ established ][log]

  23. 拒绝从172.16.3.0到172.16.3.0的经过E0出方向的FTP流量拒绝从172.16.3.0到172.16.3.0的经过E0出方向的FTP流量 Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 允许其他所有的流量 Permit all other traffic 扩展ACL实例1 (Extended ACL Example 1) Non- 172.16.0.0 172.16.3.0 172.16.4.0 S0 172.16.4.13 E0 E1 access-list 101 deny tcp 172.16.4.00.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 101 out

  24. 仅拒绝子网172.16.4.0 在E0出方向的流量 Deny only Telnet from subnet 172.1 172.16.4.0 6.4.0 out of E0 允许其他流量(Permit all other traffic) Extended Access List Example 2 Non- 172.16.0.0 172.16.3.0 172.16.4.0 S0 172.16.4.13 E0 E1 access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23 access-list 101 permit ip any any (implicit deny all) interface ethernet 0 ip access-group 101 out

  25. 使用命名IP ACL(Using Named IP ACL) • IOS11.2 以后支持的特征 • Feature for Cisco IOS Release 11.2 or later Router(config)# ip access-list { standard | extended } name • 名字字符串要唯一 • Name string must be unique

  26. 使用命名IP ACL(Using Named IP ACL) Router(config {std- | ext-}nacl)# { permit | deny } { ip access list test conditions } { permit | deny } { ip access list test conditions } no { permit | deny } { ip access list test conditions } • 允许或拒绝陈述条件前没有表号 • Permit or deny statements have no prepended number • 可以用“NO”命令移去特定的陈述 • "no" removes the specific test from the named access list

  27. Router(config-if)# ip access-group name { in | out } 使用命名IP ACL(Using Named IP ACL) • 在接口上激活命名ACL • Activates the IP named access list on an interface

  28. 扩展ACL靠近源 Place extended access lists close to the source 标准ACL靠近目的 Place standard access lists close to the destination 放置ACL( Placing IP Access Lists) S0 E0 B S0 E0 S1 C S1 A E0 D E0 To0 E1

  29. 验证ACL (Verifying ACL) wg_ro_a#show ip int e0 Ethernet0 is up, line protocol is up Internet address is 10.1.1.11/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled <text ommitted>

  30. wg_ro_a#show {protocol} access-list {access-list number} 监视ACL陈述条件(Monitoring Access List Statements) • wg_ro_a#show access-lists {access-list number} • wg_ro_a#show access-lists • Standard IP access list 1 • permit 10.2.2.1 • permit 10.3.3.1 • permit 10.4.4.1 • permit 10.5.5.1 • Extended IP access list 101 • permit tcp host 10.22.22.1 any eq telnet • permit tcp host 10.33.33.1 any eq ftp • permit tcp host 10.44.44.1 any eq ftp-data

  31. 思考题(Questions) • 1.访问控制列表的功能是什么? • 2.ACL有哪两种类型?各有什么区别? • 3.当我们应用访问控制列表时,如何区分in和out方向? • 4.ACL的隐含是什么? • 5.Any的含义是什么? • 6.host的含义是什么? • 7.标准ACL应该靠近源还是目的地址? • 8.扩展ACL应该靠近源还是目的地址? • 9.标准ACL的编号范围是多少? • 10.扩展ACL的编号范围是多少?

More Related