访问控制列表 access control list
DESCRIPTION
访问控制列表 Access Control List. 深圳职业技术学院计算机系网络专业. 教学目标( Objectives ). 1. 访问控制列表( Access Control List ) 2. 配置标准访问控制列表 ( Configure standard IP access lists ) 3. 配置扩展访问控制列表 ( Configure extended IP access lists ) 4. 配置命名访问控制列表 ( Configure named IP access lists ) 5. 验证和监视 ACL - PowerPoint PPT PresentationTRANSCRIPT
© 2006, Shenzhen Polytechnic. All rights reserved. 1
访问控制列表Access Control List
深圳职业技术学院计算机系网络专业
© 2006, Shenzhen Polytechnic. All rights reserved. 2
教学目标( Objectives )
1. 访问控制列表( Access Control List )2. 配置标准访问控制列表( Configure standard IP access lists ) 3. 配置扩展访问控制列表( Configure extended IP access lists )4. 配置命名访问控制列表( Configure named IP access lists )5. 验证和监视 ACL
( Verify and monitor IP access lists )
© 2006, Shenzhen Polytechnic. All rights reserved. 3
FDDI
172.16.0.0
172.17.0.0
TokenRing
Internet
• 当网络访问增长时,管理 IP 通信• Manage IP traffic as network access grows
• 当数据包通过路由器时,起到过滤作用• Filter packets as they pass through the router
为什么使用 ACL ?( Why Use Access Control Lists? )
© 2006, Shenzhen Polytechnic. All rights reserved. 4
ACL 作用( Function of ACL )
1 .限制网络流量、提高网络性能。 Limit network traffic and increase network performance. 2 .提供对通信流量的控制手段。Provide traffic flow control. 3 .提供网络访问的基本安全手段。Provide a basic level of security for network access. 4 .在路由器接口处,决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。 Decide which types of traffic are forwarded or blocked at the router interfaces.
© 2006, Shenzhen Polytechnic. All rights reserved. 5
ACL 如何工作( ACL How to work )
© 2006, Shenzhen Polytechnic. All rights reserved. 6
ACL 条件顺序( The order in which ACL statements are placed
)
© 2006, Shenzhen Polytechnic. All rights reserved. 7
ACL 条件顺序( The order in which ACL statements are placed
)
Cisco IOS 按照各描述语句在 ACL 中的顺序,根据各描述语句的判断条件,对数据包进行检查。一旦找到了某一匹配条件,就结束比较过程,不再检查以后的其他条件判断语句。The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked
© 2006, Shenzhen Polytechnic. All rights reserved. 8
什么是 ACL ?( What Are Access Lists? )
• 标准 ACL ( Standard ACL )– 检查源地址( Checks Source address )– 允许或拒绝整个协议族( Generally permits or denies
entire protocol suite )
OutgoingPacket
fa0/0
S0/0
IncomingPacket
Access List Processes
Permit?
Source
© 2006, Shenzhen Polytechnic. All rights reserved. 9
• 扩展 ACL ( Extended ACL )– 检查源和目的地址( Checks Source and Destination address )– 通常允许或拒绝特定的协议 ( Generally permits or de
nies specific protocols )
OutgoingPacket
Fa0/0
s0/0
IncomingPacket
Access List Processes
Permit?
Sourceand
Destination
Protocol
什么是 ACL ?( What Are Access Lists? )
© 2006, Shenzhen Polytechnic. All rights reserved. 10
用扩展 ACL 检查数据包( Check Packets with Extended ACL )
© 2006, Shenzhen Polytechnic. All rights reserved. 11
常见端口号( Known Port Number )
端口号 (Port Number)
20 文件传输协议( FTP )数据
21 文件传输协议( FTP )程序
23 远程登录( Telnet )
25 简单邮件传输协议( SMTP )
69 普通文件传送协议( TFTP )
80 超文本传输协议 (HTTP)
53 域名服务系统( DNS )
© 2006, Shenzhen Polytechnic. All rights reserved. 12
ACL 表号( ACL Number )
协议( Protocol ) ACL 表号的取值范围( ACL Range )
IP ( Internet 协议) 1-99
Extended IP( 扩展 Internet 协议 ) 100-199
AppleTalk 600-699
IPX (互联网数据包交换) 800-899
Extended IPX( 扩展互联网数据包交换 )
900-999
IPX service Advertising Protocol(IPX 服务通告协议 )
1000-1099
© 2006, Shenzhen Polytechnic. All rights reserved. 13
通配符掩码( Wildcard Mask )
1. 是一个 32 比特位的数字字符串 (A wildcard mask is a 32-bit quantity)2.0 表示“检查相应的位” ,1 表示“不检查(忽略)相应的位”A zero means let the value through to be checked, the X’s (1’s) mean block the value from being compared.
© 2006, Shenzhen Polytechnic. All rights reserved. 14
特殊的通配符掩码( Special Wildcard Mask )
1. Any
0.0.0.0 255.255.255.255
2. Host
172.30.16.29 0.0.0.0
Host 172.30.16.29
© 2006, Shenzhen Polytechnic. All rights reserved. 15
Access List 命令( Access List Command )
Step 1: 定义访问控制列表( Define the ACL )
access-list access-list-number { permit | deny } { test conditions }
Router(config)#
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
© 2006, Shenzhen Polytechnic. All rights reserved. 16
Step 2: 将访问控制列表应用到某一接口上( Apply ACL to a Interface )
{ protocol } access-group access-list-number {in | out}
Router(config-if)#
Access List 命令( Access List Command )
Router(config-if)#ip access-group 1 out
© 2006, Shenzhen Polytechnic. All rights reserved. 17
• 仅允许我的网络( Permit my network only )
access-list 1 permit 172.16.0.0 0.0.255.255(implicit deny all - not visible in the list)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 outinterface ethernet 1ip access-group 1 out
标准 IP ACL 实例 1 ( Standard IP ACL Example 1 )标准 IP ACL 实例 1 ( Standard IP ACL Example 1 )
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
© 2006, Shenzhen Polytechnic. All rights reserved. 18
access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 out
标准 IP ACL 实例 2 ( Standard IP ACL Example 2)
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
• 拒绝特定的主机( Deny a specific host )
© 2006, Shenzhen Polytechnic. All rights reserved. 19
access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 out
标准 IP ACL 实例 3 ( Standard IP ACL Example 3)
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
• 拒绝特定的子网( Deny a specific subnet )
© 2006, Shenzhen Polytechnic. All rights reserved. 20
标准 ACL 与扩展 ACL 比较( Standard versus External ACL )
标准( Standard ) 扩展( Extended )
过滤基于源
( Filters Based onSource. )过滤基于源和目的( Filters Based o
n Source and destination. )
允许或拒绝整个协议族( Permit or deny entire TCP/IP protocol suite.
)
允许或拒绝特定的 IP 协议或端口
( Specifies a specific IP protocol and port number. )
范围( 100-199 )
Range is 100 through 199.
范围( 1-99)
Range is 1 through 99
© 2006, Shenzhen Polytechnic. All rights reserved. 21
CASE STUDY
首先使得 PC1所在的网络不能通过路由器 R1 访问 PC2所在的网络。
© 2006, Shenzhen Polytechnic. All rights reserved. 22
扩展 ACL 配置( Extended IP ACL Configuration )
Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]
参数 参数描述access-list-number 访问控制列表表号permit|deny 如果满足条件,允许或拒绝后面指定特定地址的通信流量protocol 用来指定协议类型,如 IP 、 TCP 、 UDP 、 ICMP 等source and destination 分别用来标识源地址和目的地址source-mask 通配符掩码,跟源地址相对应destination-mask 通配符掩码,跟目的地址相对应operator lt,gt,eq,neq( 小于,大于,等于,不等于 ) operand 一个端口号established 如果数据包使用一个已建立连接,便可允许 TCP 信息通
过
© 2006, Shenzhen Polytechnic. All rights reserved. 23
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 101 out
• 拒绝从172.16.3.0 到 172.16.3.0 的经过 E0出方向的 FTP 流量• Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 • 允许其他所有的流量• Permit all other traffic
扩展 ACL 实例 1 ( Extended ACL Example 1 )
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
© 2006, Shenzhen Polytechnic. All rights reserved. 24
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23access-list 101 permit ip any any(implicit deny all)
interface ethernet 0ip access-group 101 out
• 仅拒绝子网 172.16.4.0 在 E0出方向的流量• Deny only Telnet from subnet 172.1 172.16.4.0 6.4.0 o
ut of E0
• 允许其他流量( Permit all other traffic )
Extended Access List Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
© 2006, Shenzhen Polytechnic. All rights reserved. 25
使用命名 IP ACL ( Using Named IP ACL )
Router(config)#
ip access-list { standard | extended } name
• IOS11.2 以后支持的特征• Feature for Cisco IOS Release 11.2 or later
• 名字字符串要唯一 • Name string must be unique
© 2006, Shenzhen Polytechnic. All rights reserved. 26
使用命名 IP ACL ( Using Named IP ACL )
{ permit | deny } { ip access list test conditions }{ permit | deny } { ip access list test conditions } no { permit | deny } { ip access list test conditions }
Router(config {std- | ext-}nacl)#
• 允许或拒绝陈述条件前没有表号• Permit or deny statements have no prepended number • 可以用“ NO” 命令移去特定的陈述• "no" removes the specific test from the named access li
st
© 2006, Shenzhen Polytechnic. All rights reserved. 27
Router(config-if)# ip access-group name { in | out }
使用命名 IP ACL ( Using Named IP ACL )
• 在接口上激活命名 ACL• Activates the IP named access list on an interface
© 2006, Shenzhen Polytechnic. All rights reserved. 28
• 扩展 ACL靠近源• Place extended access lists close to the source
• 标准 ACL靠近目的• Place standard access lists close to the destination
E0
E0
E1
S0
To0
S1S0
S1
E0
E0TokenRing
BB
AACC
放置 ACL ( Placing IP Access Lists )
DD
© 2006, Shenzhen Polytechnic. All rights reserved. 29
wg_ro_a#show ip int e0Ethernet0 is up, line protocol is up Internet address is 10.1.1.11/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled <text ommitted>
验证 ACL ( Verifying ACL )
© 2006, Shenzhen Polytechnic. All rights reserved. 30
监视 ACL陈述条件( Monitoring Access List Statements )
wg_ro_a#show access-lists Standard IP access list 1 permit 10.2.2.1 permit 10.3.3.1 permit 10.4.4.1 permit 10.5.5.1Extended IP access list 101 permit tcp host 10.22.22.1 any eq telnet permit tcp host 10.33.33.1 any eq ftp permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
© 2006, Shenzhen Polytechnic. All rights reserved. 31
1 .访问控制列表的功能是什么?2 . ACL有哪两种类型?各有什么区别?3 .当我们应用访问控制列表时,如何区分 in 和 out方向?4 . ACL 的隐含是什么?5 . Any 的含义是什么?6 . host 的含义是什么?7 .标准 ACL 应该靠近源还是目的地址?8 .扩展 ACL 应该靠近源还是目的地址?9 .标准 ACL 的编号范围是多少?10 .扩展 ACL 的编号范围是多少?
思考题( Questions )