Chapter 8: Basic Management of IP Traffic with Access Lists


Chapter 8: Basic Management of IP Traffic with Access Lists

Chapter objectives
After completing this chapter you should be able to:
- Identify the main purposes of IP access lists and the way they process packets
- Configure standard IP access lists
- Use access lists to control the establishment of virtual terminal (vty) sessions
- Configure extended IP access lists
- Display IP access lists
Instructor notes: Purpose: Discuss the objectives of this chapter with your students. Emphasize: They will learn to identify common situations and goals for access lists; distinguish the key functional differences between standard and extended access lists; summarize packet flows, parameter tests, and permit or deny outcomes on a generic access list; define key arguments and wildcard matching to specify permit-or-deny criteria for traffic; determine the preferred location for an extended access list in a multirouter environment; configure and then test standard and extended access lists to control IP network traffic; and configure access-class entries on vty lines to control Telnet traffic. Transition: The first section of the chapter presents an overview of access list applications and uses.

Why use access lists? (build 1 of 2)
- To manage the steadily growing volume of IP traffic in the network
Instructor notes: Purpose: This graphic discusses the main reason a network administrator would employ access lists. Emphasize: Layer 1 shows a single Ethernet, a Token Ring LAN, and an FDDI ring. The single workstation represents the administrator's console to the router; begin by discussing the historical situation of LAN/WAN management on much smaller internets.

Why use access lists? (build 2 of 2)
- To manage the steadily growing volume of IP traffic in the network
- To filter packets as they pass through the router
Diagram: networks 172.16.0.0 and 172.17.0.0 attached to a router that connects them to the Internet.
Instructor notes: Emphasize: An access list is a mechanism for identifying particular traffic. One application of an access list is filtering traffic into or out of a router interface.

Applications of access lists
- Permit or deny packets passing through the router (data transmission on interfaces)
- Permit or deny the establishment of Telnet sessions (virtual sessions over IP)
- When no access list is configured, all packets are forwarded across the network
Instructor notes: Purpose: This figure illustrates common uses for IP access lists. Emphasize: While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols. Note: An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions. Transition: The following figure is the first of a 3-layer build that presents other uses of access lists specific to Cisco IOS features.

Other applications of access lists (build 1 of 3)
- Special traffic handling based on packet inspection
- Priority determination (queue lists)
Instructor notes: Purpose: This figure is the first of a 3-layer sequence. This layer presents the use of access lists to prioritize and sort traffic for priority and custom queuing. Emphasize: Access lists are used to define input traffic to other technologies such as priority and custom queuing and to control the transmission of packets on serial interfaces. Note: NAT also uses access lists. Transition: The following figure is layer 2 of this build and adds DDR as a technology supported by access lists.

Other applications of access lists (build 2 of 3)
- Special traffic handling based on packet inspection
- Priority determination (queue lists)
- Dial-on-demand routing (DDR)
Instructor notes: Purpose: This figure is layer 2 of the build sequence. Emphasize: Access lists are used to define input traffic to select the interesting traffic that initiates a DDR connection. DDR will be covered in the ISDN chapter. Transition: The following figure is the last layer of the build and adds route filtering.

Other applications of access lists (build 3 of 3)
- Special traffic handling based on packet inspection
- Priority determination (queue lists)
- Dial-on-demand routing (DDR)
- Routing table filtering
Instructor notes: Purpose: This figure is the last layer of the build for other uses of access lists. Emphasize: Access lists are used to define input traffic for route filtering to restrict the contents of routing updates. Transition: The following figure is a 2-layer build to show the difference between inbound and outbound access lists.

What is an access list? (build 1 of 3)
Standard:
- Checks the source address
- Generally permits or denies an entire protocol suite
Diagram ("Access list processes"): an incoming packet on S0 is tested (Source -> Permit?) before it leaves as an outgoing packet on E0.
Instructor notes: Emphasize: This is a 3-layer slide. The first layer describes a standard IP access list. The second layer describes an extended IP access list. The third layer shows that an access list can be applied as an inbound or outbound access list on an interface.

What is an access list? (build 2 of 3)
Standard:
- Checks the source address
- Generally permits or denies an entire protocol suite
Extended:
- Checks the source and destination addresses
- Generally permits or denies a specific protocol
Diagram ("Access list processes"): an incoming packet on S0 is tested (Source and destination, Protocol -> Permit?) before it leaves as an outgoing packet on E0.
Instructor notes: Purpose: Describe IP extended access lists.

What is an access list? (build 3 of 3)
Standard:
- Checks the source address
- Generally permits or denies an entire protocol suite
Extended:
- Checks the source and destination addresses
- Generally permits or denies a specific protocol
Inbound and outbound:
- An access list can be applied to either direction on an interface
Diagram ("Access list processes"): an incoming packet on S0 is tested (Source and destination, Protocol -> Permit?) before it leaves as an outgoing packet on E0.
Instructor notes: Purpose: Describe inbound versus outbound access lists on an interface.

Outbound access lists (build 1 of 3)
Flowchart: packets arrive on the inbound interface (S0). "Routing table entry?" N -> packet discard bucket. Y -> choose the outbound interface. "Access list on that interface?" N -> packet is sent out the interface.
Instructor notes: Purpose: This figure (one of three layers) shows in more detail how outbound access lists operate in a router. Emphasize: Shows packets coming in on an inbound interface. This portion of the flowchart illustrates generic packet handling with or without access lists. The key outcome for the next layer is knowing which interface the routing table indicates as the best or next path. Is an access list associated with the interface? If not, the packet can be routed directly, for example out the upper outgoing interface (the upper arrow). Note: The graphic does not mean that only interfaces with no access group can output packets; based on source and destination addresses and other parameters, other packets could also pass the access list and be routed out an interface.

Outbound access lists (build 2 of 3)
Flowchart: packets arrive on the inbound interface (S0). "Routing table entry?" N -> packet discard bucket. Y -> choose the outbound interface. "Access list on that interface?" N -> packet is sent out the interface. Y -> test the access list statements. "Permit?" Y -> packet is sent out E0.
Instructor notes: Emphasize: Shows the larger diamond. It contains words to summarize access list statements and permit/deny logic. This layer illustrates a permitted packet now sent to the outbound interface buffer for output (the lower arrow).

Outbound access lists (build 3 of 3)
Flowchart: packets arrive on the inbound interface (S0). "Routing table entry?" N -> packet discard bucket. Y -> choose the outbound interface. "Access list on that interface?" N -> packet is sent out the interface. Y -> test the access list statements. "Permit?" Y -> packet is sent out E0. N -> discard the packet and notify the sender.
If no access list statement matches, the packet is discarded.
Instructor notes: Emphasize: Shows a deny result of the access list test. Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface. The "Notify sender" step shows a process like ICMP returning an "administratively prohibited" message to the sender.

Access list tests: permit or deny (build 1 of 4)
Flowchart: packets destined for interfaces in the access group enter the list. "Match first test?" Y -> Deny (packet discard bucket) or Permit (destination interface(s)).
Instructor notes: Emphasize: This graphic explains in more detail the processes access list statements perform. Use the graphic's diamond, expanded from an earlier page, to show individual access list statements. Shows packets coming into the large diamond. It represents an expanded graphical view of the previous page. Inside, smaller diamonds represent access list statements. They occur in sequential, logical order. Tell students the graphic represents a single access list. There can be only one access list per protocol, per direction, per interface.

Access list tests: permit or deny (build 2 of 4)
Flowchart: packets destined for interfaces in the access group enter the list. "Match first test?" Y -> Deny (packet discard bucket) or Permit (destination interface(s)). N -> "Match next test(s)?" Y -> Deny or Permit.
Instructor notes: Emphasize: Adds the next test diamond.

Access list tests: permit or deny (build 3 of 4)
Flowchart: packets destined for interfaces in the access group enter the list. "Match first test?" Y -> Deny (packet discard bucket) or Permit (destination interface(s)). N -> "Match next test(s)?" Y -> Deny or Permit. N -> "Match last test?" Y -> Deny or Permit.
Instructor notes: Emphasize: Adds the third diamond as the next test. Discuss the logical, ordered testing of packet conditions. One recommendation for the sequence of access list statements is to begin with the most specific conditions to match at the beginning of the list, then continue with matches involving a larger group, such as entire subnets or networks, and finish with statements matching still larger groups.

Access list tests: permit or deny (build 4 of 4)
Flowchart: packets destined for interfaces in the access group enter the list. "Match first test?" Y -> Deny (packet discard bucket) or Permit (destination interface(s)). N -> "Match next test(s)?" Y -> Deny or Permit. N -> "Match last test?" Y -> Deny or Permit. N -> Implicit deny (packet discard bucket).
If there is no match, deny all.
Instructor notes: Emphasize: Shows the implicit "deny all." Describe the final access list test, which matches any packets not covered by earlier access list statements. All remaining packets match the implicit deny and are discarded into the bit bucket.

Access list configuration guidelines
- The access list number indicates which protocol the list applies to
- Only one access list is allowed per interface, per direction, per protocol
- The order of the statements in the list determines the order in which traffic is tested
- Statements with the most restrictive (most specific) conditions belong at the top of the list
- Every access list ends with an implicit "deny any"; a useful access list must therefore contain at least one permit statement
- Create the access list first, then apply it to an interface
- Access lists do not filter traffic generated by the router itself

Access list configuration commands (build 1 of 2)
Step 1: define the test conditions of the access list statements
    Router(config)# access-list access-list-number { permit | deny } { test conditions }
Instructor notes: Emphasize: This graphic gives your students a simplified perspective on how to use the two generalized commands in an access list process. Layer 1 shows the general form of the global access-list command. This declares the number of the list (which indicates the protocol and type of the list), the permit or deny treatment for packets that pass the test conditions, and the one or more test conditions themselves. In practice, you enter one or more of these statements.

Access list configuration commands (build 2 of 2)
IP access lists are numbered 1-99 and 100-199.
Step 1: define the test conditions of the access list statements
    Router(config)# access-list access-list-number { permit | deny } { test conditions }
Step 2: apply the access list to an interface
    Router(config-if)# { protocol } access-group access-list-number { in | out }
Instructor notes: Emphasize: Layer 2 adds the general form of the interface command. This links the previously specified interface to a group that will handle its packets for the protocol in the manner specified by the global access-list statements. It can help student understanding to learn a generalized command as a simplified template common to most access list processes. However, the details for specific access lists vary widely. As you present the global access-list command material that follows in this chapter, return to the template term "test conditions" if it helps your students associate variations with the general elements of this model. Emphasize that "test conditions" is an abstraction for this course, used as a generalization to assist teaching and learning; the words "test conditions" are not a Cisco IOS argument or parameter. Cisco IOS software also offers many variations of the second (interface) command. As you present these variations, refer your students to the template term "access group" and emphasize how each variation links the access list test conditions met to the interfaces that packets can use as a result.

Identifying access lists (build 1 of 3)
    Access list type      Number range
    IP   Standard         1-99
Standard access lists (1 to 99) check the source address of IP packets.
Instructor notes: Emphasize: This graphic orients your students to the common numbering classification scheme. Layer 1 shows the IP standard access lists and the number range for this type of access list.

Identifying access lists (build 2 of 3)
    Access list type      Number range
    IP   Standard         1-99
         Extended         100-199
Standard access lists (1 to 99) check the source address of IP packets.
Extended access lists (100 to 199) check the source and destination addresses, the specific TCP/IP protocol, and the destination port.
Instructor notes: Emphasize: Layer 2 adds the IP extended access lists and the number range for this type of access list. These are the most commonly used form of access list. This layer also adds the method for identifying IP access lists using an alphanumeric name rather than a number. An IP named access list can refer to either a standard or an extended IP access list.

Identifying access lists (build 3 of 3)
Other number ranges identify access lists for other protocols.
    Access list type      Number range
    IP   Standard         1-99
         Extended         100-199
         Named            Name (Cisco IOS 11.2 and later)
    IPX  Standard         800-899
         Extended         900-999
         SAP filters      1000-1099
         Named            Name (Cisco IOS 11.2F and later)
Standard access lists (1 to 99) check the source address of IP packets.
Extended access lists (100 to 199) check the source and destination addresses, the specific TCP/IP protocol, and the destination port.
Instructor notes: Emphasize: Layer 3 adds the Novell IPX access lists covered in the IPX chapter and the number ranges for these types of access lists. As of Release 11.2.4(F), IPX also supports named access lists. Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol. Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types. For the most part, number ranges do not overlap between different protocols. Note: With IOS 12.0, the IP access list ranges have been expanded to also include <1300-1999> IP standard access list (expanded range) and <2000-2699> IP extended access list (expanded range).

Testing packets with standard access lists
Diagram: encapsulation of a TCP/IP packet: Frame header (for example, HDLC) | Packet (IP header) | Segment (for example, TCP header) | Data. A standard access list (statements 1-99) tests only the Source address field of the IP header, and the decision diamond yields Deny or Permit.
Instructor notes: Emphasize: This graphic gives an overview of the type of TCP/IP packet tests that standard access lists can filter. It uses the encapsulation graphic and the diamond decision graphic to remind students of material presented earlier in this course.

Testing packets with extended access lists
An example from a TCP/IP packet.
Diagram: encapsulation of a TCP/IP packet: Frame header (for example, HDLC) | Packet (IP header) | Segment (for example, TCP header) | Data. An extended access list tests the Source address, Destination address and Protocol fields of the IP header and the Port number of the TCP/UDP header; use access list statements 1-99 or 100-199 to test the packet, and the decision diamond yields Deny or Permit.
Instructor notes: Emphasize: This graphic gives an overview of the type of TCP/IP packet tests that extended access lists can filter. It uses the encapsulation graphic and the diamond decision graphic to remind students of material presented earlier in this course.

Wildcard bits: how address bits are checked
- 0 means check the value of the corresponding address bit
- 1 means ignore the value of the corresponding address bit
    Octet bit position and address value:   128  64  32  16   8   4   2   1
    Examples:
      0 0 0 0 0 0 0 0   check all address bits (match all)
      0 0 1 1 1 1 1 1   ignore the last 6 address bits
      0 0 0 0 1 1 1 1   ignore the last 4 address bits
      1 1 1 1 1 1 0 0   check the last 2 address bits
      1 1 1 1 1 1 1 1   do not check the address (ignore all bits in the octet)
Instructor notes: Emphasize: Introduce the wildcard bit process. Tell students the wildcard bit matching process is different from the IP subnet addressing mask covered earlier. This graphic describes the binary wildcard masking process. Illustrate how wildcard masking works using the examples shown in the graphic table. The term "wildcard masking" is a nickname for this access list mask-bit-matching process; the nickname comes from the analogy of a wildcard that matches any other card in a poker game. Emphasize the contrast between wildcard masks and subnet masks stated in the student guide note. Confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types. Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask must be contiguous. A wildcard is like the DOS "*" character.

Wildcard masks that specify a single host
Example: 172.30.16.29 0.0.0.0 checks all address bits.
    Test conditions: check all the address bits (match all)
    An IP host address, for example: 172.30.16.29
    Wildcard mask: 0.0.0.0 (checks all bits)
This can be abbreviated with the keyword host (host 172.30.16.29).
Instructor notes: Emphasize: This graphic shows students how to use the host abbreviation in the extended access list wildcard mask. This abbreviation means check the bit value in all bit positions, which has the effect of matching only the specified IP host address.

Wildcard masks that specify all hosts
All hosts: 0.0.0.0 255.255.255.255, which can be abbreviated with the keyword any.
    Test conditions: ignore all the address bits (match any)
    Any IP address: 0.0.0.0
    Wildcard mask: 255.255.255.255 (ignores all bits)
Instructor notes: Emphasize: This graphic shows students how to use the any abbreviation. This abbreviation means ignore the bit value in all bit positions, which has the effect of matching anything.

Wildcard masks and IP subnets
Address and wildcard mask: 172.30.16.0 0.0.15.255
Checks for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
    Address (network.host): 172.30.16.0
    Wildcard mask (third octet):  0 0 0 0 1 1 1 1
                                 |<-- match -->|<-- don't care -->|
      0 0 0 1 0 0 0 0 = 16
      0 0 0 1 0 0 0 1 = 17
      0 0 0 1 0 0 1 0 = 18
              :
      0 0 0 1 1 1 1 1 = 31
Instructor notes: Purpose: This slide describes an example of how wildcard mask bits match all hosts on subnets 172.30.16.0/24 to 172.30.31.0/24. Emphasize: This process requires a thorough understanding of binary numbering, the values in the power-of-two bit positions, and how to convert a number from decimal to binary. If some of your students seem to lack this understanding, tell them that responsibility for complex access list design is an advanced configuration skill. Later, this course offers a hands-on lab to allow practice designing simple access lists. If you feel that your students need another example to improve their understanding of the process, prepare another example as a chalk talk. Consider having students volunteer to help as you solve your own example that lines up the binary bits of the address and the binary bits of the wildcard mask.
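The wildcard logic of the last four slides, worked through in code. This is an added example and not part of the Cisco course materials: it implements the bit test the slides describe (0 = must match, 1 = ignore), the host and any abbreviations, and a helper that turns a contiguous wildcard such as 0.0.15.255 into the address range it covers, which reproduces the 172.30.16.0 to 172.30.31.255 result of the subnet slide. It also goes one step beyond the slides by showing a non-contiguous wildcard, which IOS accepts but which no subnet mask can express.

```python
# Added example (not from the Cisco course slides): wildcard-mask matching as IOS
# access lists apply it.  A 0 bit in the wildcard means "this address bit must
# match"; a 1 bit means "ignore this bit".  This is the inverse of a subnet mask,
# and unlike a subnet mask the 1 bits need not be contiguous.
import ipaddress
from typing import Optional, Tuple


def to_int(dotted: str) -> int:
    """Dotted-quad string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True if candidate agrees with address on every bit the wildcard marks 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (to_int(address) ^ to_int(candidate)) & care == 0


def expand_abbreviation(token: str) -> Tuple[str, str]:
    """Map the IOS shorthands to an (address, wildcard) pair:
    'any' -> 0.0.0.0 255.255.255.255, 'host A' -> A 0.0.0.0,
    a bare address -> that address with the default wildcard 0.0.0.0."""
    parts = token.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 1:
        return parts[0], "0.0.0.0"
    return parts[0], parts[1]


def matched_range(address: str, wildcard: str) -> Optional[Tuple[str, str]]:
    """For a wildcard whose 1 bits are contiguous low-order bits, return the lowest
    and highest address the pair matches.  Returns None for a non-contiguous
    wildcard, whose matches do not form a single range."""
    w = to_int(wildcard)
    if w & (w + 1) != 0:           # low-order 1s are contiguous iff w+1 is a power of two
        return None
    low = to_int(address) & ~w & 0xFFFFFFFF
    high = low | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Invert a (contiguous) wildcard to show the subnet mask it corresponds to."""
    return str(ipaddress.IPv4Address(~to_int(wildcard) & 0xFFFFFFFF))


if __name__ == "__main__":
    # The slide's example: 172.30.16.0 0.0.15.255 covers 172.30.16.0/24 .. 172.30.31.0/24
    print(matched_range("172.30.16.0", "0.0.15.255"))                 # ('172.30.16.0', '172.30.31.255')
    print(wildcard_to_subnet_mask("0.0.15.255"))                       # 255.255.240.0
    print(wildcard_match("172.30.16.0", "0.0.15.255", "172.30.31.7"))  # True
    print(wildcard_match("172.30.16.0", "0.0.15.255", "172.30.32.1"))  # False
    # A non-contiguous wildcard (legal in IOS): 0.0.254.255 ignores every bit of
    # the third octet except the lowest, so it matches only even third octets.
    print(matched_range("172.30.0.0", "0.0.254.255"))                  # None
    print(wildcard_match("172.30.0.0", "0.0.254.255", "172.30.18.5"))  # True
```

The `matched_range` helper is the check to reach for when reviewing a list: a wildcard that is "off by one bit" (0.0.15.255 written as 0.0.16.255, say) matches a different and non-contiguous set of addresses, and printing the covered range or getting None back exposes that before the list is applied to an interface.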

Configuring standard IP access lists   © 1999, Cisco Systems, Inc. www.cisco.com 10-31

Standard IP access list configuration (build 1 of 2)
    Router(config)# access-list access-list-number {permit|deny} source [mask]
- Sets the parameters of the access list
- IP standard access lists are numbered 1 to 99
- The default wildcard mask is 0.0.0.0
- The "no access-list access-list-number" command removes the access list
Instructor notes: Purpose: This slide gives the specific command syntax for TCP/IP standard access list configuration. The access-list command creates an entry in a standard access list. Emphasize: The access-list field descriptions: list—identifies the list to which the entry belongs; a number from 1 to 99. address—source IP address. wildcard-mask—identifies which bits in the address field are matched. It has a 1 in positions indicating "don't care" bits, and a 0 in any position which is to be strictly followed.

Standard IP access list configuration (build 2 of 2)
    Router(config)# access-list access-list-number {permit|deny} source [mask]
- Sets the parameters of the access list
- IP standard access lists are numbered 1 to 99
- The default wildcard mask is 0.0.0.0
- The "no access-list access-list-number" command removes the access list
    Router(config-if)# ip access-group access-list-number { in | out }
- Applies the access list to an interface
- Specifies the inbound or outbound direction; the default is outbound
- The "no ip access-group access-list-number" command removes the access list from the interface
Instructor notes: Purpose: This layer shows the ip access-group command. Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface, per direction, per protocol is allowed. The ip access-group field descriptions: list—number of the access list to be linked to this interface. direction—defaults to outbound. Note: Create the access list first, before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access list may cause most traffic to be blocked on the interface. To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of IOS, removing the access list without removing it from the interface can cause problems.

Standard access list example 1 (build 1 of 2)
Diagram: a router with interfaces E0 (subnet 172.16.3.0), E1 (subnet 172.16.4.0, containing host 172.16.4.13) and S0 (to the non-172.16.0.0 cloud).
    access-list 1 permit 172.16.0.0 0.0.255.255
    (implicit deny all - not visible in the list)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
Instructor notes: Purpose: This slide gives a specific TCP/IP example of a standard access list configuration. Emphasize: Describe each part of the standard access list to your students. The blue statements represent the implicit deny all. A good way to teach this material is to start with another similar configuration on the board. Set goals that will result in the example and have students tell you how to configure it. Have the students tell you what to write. After the configuration on the board is correct, use the slide to review.

Standard access list example 1 (build 2 of 2): permit my network only
Diagram: a router with interfaces E0 (subnet 172.16.3.0), E1 (subnet 172.16.4.0, containing host 172.16.4.13) and S0 (to the non-172.16.0.0 cloud).
    access-list 1 permit 172.16.0.0 0.0.255.255
    (implicit deny all - not visible in the list)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out
    interface ethernet 1
    ip access-group 1 out
Instructor notes: Emphasize: Because of the implicit deny all, all non-172.16.x.x traffic is blocked going out E0 and E1. Note: The red arrows show that the access list is applied as an outbound access list.

Standard access list example 2 (build 1 of 3): deny a specific host
Diagram: a router with interfaces E0 (subnet 172.16.3.0), E1 (subnet 172.16.4.0, containing host 172.16.4.13) and S0 (to the non-172.16.0.0 cloud).
    access-list 1 deny 172.16.4.13 0.0.0.0
Instructor notes: Purpose: This slide gives another specific TCP/IP example of a standard access list configuration. Note: The wildcard mask of 0.0.0.0 is the default wildcard mask. It does not have to be specified.

Standard access list example 2 (build 2 of 3): deny a specific host
    access-list 1 deny 172.16.4.13 0.0.0.0
    access-list 1 permit 0.0.0.0 255.255.255.255
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
Instructor notes: Emphasize: Each access list should have at least one permit statement in it to make it meaningful, because of the implicit deny all statement at the end.

Standard access list example 2 (build 3 of 3): deny a specific host
    access-list 1 deny 172.16.4.13 0.0.0.0
    access-list 1 permit 0.0.0.0 255.255.255.255
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out
Instructor notes: Emphasize: Only host 172.16.4.13 is blocked from going out on E0 to subnet 172.16.3.0. Ask the students what will happen if the access list is placed as an input access list on E1 instead: host 172.16.4.13 will be blocked from going out to the non-172.16.0.0 cloud as well as to subnet 172.16.3.0. Note: The red arrows show that the access list is applied as an outbound access list.

Standard access list example 3 (build 1 of 2): deny a specific subnet
Diagram: a router with interfaces E0 (subnet 172.16.3.0), E1 (subnet 172.16.4.0, containing host 172.16.4.13) and S0 (to the non-172.16.0.0 cloud).
    access-list 1 deny 172.16.4.0 0.0.0.255
    access-list 1 permit any
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
Instructor notes: Purpose: This slide gives another specific TCP/IP example of a standard access list configuration. Emphasize: This example features the use of the wildcard abbreviation any.

Standard access list example 3 (build 2 of 2): deny a specific subnet
    access-list 1 deny 172.16.4.0 0.0.0.255
    access-list 1 permit any
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)
    interface ethernet 0
    ip access-group 1 out
Instructor notes: Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0. Note: The red arrows show that the access list is applied as an outbound access list.

Controlling vty access with access lists

Filtering vty access on the router
- Five virtual terminal lines (0 to 4)
- The router's vty ports can filter traffic
- vty access control is enforced on the router itself
Diagram: the router's console port (direct connect), its physical port e0 (Telnet), and its virtual ports (vty 0 through 4).
Instructor notes: Emphasize: Instead of applying a standard access list to a physical interface, now we will apply a standard access list to the router's vty ports. A vty port is a logical port on the router that can accept Telnet sessions. Note: access-class is used to filter incoming Telnet sessions into the router's vty ports and to filter outgoing Telnet sessions from the router's vty ports. access-class always uses a standard access list to match the source address of an incoming Telnet session and the destination address of an outgoing Telnet session. The 2500 series router by default has 5 vty ports (vty 0 through 4). To configure more vty ports, use the following global configuration command:
    RouterB(config)#line vty 0 ?
      <1-188>  Last Line number
      <cr>

Filtering vty access on the router: method
- Use standard access list statements
- Apply the access list with the access-class command
- Apply the same restriction to all vty lines
Diagram: Telnet sessions arriving on the physical port (e0) are mapped to the virtual ports (vty 0 through 4); the Router# prompt represents the session.
Instructor notes: Emphasize: To filter incoming and outgoing Telnet sessions to and from the router's vty ports, a standard access list is used. To block incoming Telnet sessions into a router's vty port, the standard access list is used to match the source address of the host trying to Telnet into the router's vty port. To block outgoing Telnet sessions from the router's vty ports to a host, the standard access list is used to match the destination address of the host the router is trying to Telnet into from its vty ports.

Configuring the virtual terminal lines
    Router(config)# line vty {vty# | vty-range}
- Specifies the range of vty lines
    Router(config-line)# access-class access-list-number {in|out}
- Applies the access list to the vty lines and specifies the direction
Instructor notes: Emphasize: Use access-class to apply the standard access list to the vty ports. The next slide shows a configuration example.

vty access example: controlling inbound access
    access-list 12 permit 192.89.55.0 0.0.0.255
    !
    line vty 0 4
    access-class 12 in
Only hosts in network 192.89.55.0 may connect to the router's vty lines.
Instructor notes: Purpose: This example shows how to restrict incoming Telnet sessions to the router's vty ports. Emphasize: The access-class is applied as an input filter. Note: Ask the students the effect of changing the direction of the access-class to outbound instead of inbound. Now the router can accept incoming Telnet sessions to its vty ports from all hosts, but will block outgoing Telnet sessions from its vty ports to all hosts except hosts in network 192.89.55.0. Once a user has Telneted into a router's vty port, the outbound access-class filter will prevent the user from Telneting to other hosts as specified by the standard access list. Remember, when an access list is applied to an interface it only blocks or permits traffic going through the router; it does not block or permit traffic initiated by the router itself.

扩展 IP 访问列表的配置 © 1999, Cisco Systems, Inc. www.cisco.com 10-46

标准访问列表和扩展访问列表 比较 标准 扩展 基于源地址 基于源地址和目标地址 允许和拒绝完整的 TCP/IP协议 Slide 1 of 1 Purpose: This slide begins the discussion on extended IP access lists. Emphasize: Distinguish the aspects of the extended IP access list from the standard access list. Your students will perform labs using extended access lists commands. For both standard and extended IP access lists, enter an address mask that identifies which bits in the address field you want the access list to match that will be “don’t care” bit positions. For both types of access lists, the access-group command allows packet filtering into or out of the router. 指定TCP/IP的特定协议 和端口号 编号范围 1 到 99 编号范围 100 到 199.

扩展 IP 访问列表的配置 设置访问列表的参数 Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log] 设置访问列表的参数 Slide 1 of 2 Purpose: The access-list command creates an entry in complex traffic filter list. Emphasize: The access-list field descriptions: list—a number between 100 and 199 protocol—ip, tcp, udp, icmp, igrp, eigrp, ospf and etc……. ip = any internet protocol (see note below) source—ip address source-mask—wildcard-mask of address bits that must match. 0s indicate bits that must match, 1s are "don't care". destination—ip address destination-mask—wildcard-mask operator—lt, gt, eq, neq operand—a port number or application name (i.e. “23” or “telnet”) established-only allow established tcp session coming in (ack or rst bit must be set) log-generates a console message when a packet matches the access-list statement Note: If the protocol number is not listed, you may enter the protocol number between 1-255.

Configuring Extended IP Access Lists: applying the access list to an interface
Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Router(config-if)# ip access-group access-list-number { in | out }
Purpose: Layer 2 adds the access-group command for IP.
Emphasize: The list number must match the number (100 to 199) you specified in the access-list command.

Extended Access List Example 1
Deny FTP from subnet 172.16.4.0 out the router's E0 interface to subnet 172.16.3.0; permit all other traffic.
(Diagram: a router with interfaces E0, E1 and S0 connecting subnets 172.16.3.0 and 172.16.4.0, host 172.16.4.13, and non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(implicit deny all: access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0
 ip access-group 101 out
Purpose: This three-layer slide shows an example of an extended IP access list, built up statement by statement and then applied to the interface.
Emphasize: Don't forget to include the permit statement to permit all other IP traffic out on E0.

Extended Access List Example 2
Deny hosts in subnet 172.16.4.0 from establishing Telnet sessions out the router's E0 port; permit all other traffic.
(Diagram: a router with interfaces E0, E1 and S0 connecting subnets 172.16.3.0 and 172.16.4.0, host 172.16.4.13, and non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
 ip access-group 101 out
Purpose: This slide gives another example of an extended IP access list configuration, built up over three layers.
Emphasize: Notice that this IP extended access list specifies a source subnet address and any destination address. Don't forget to include the permit statement to permit all other IP traffic out on E0.

Using Named Access Lists
Available in Cisco IOS release 11.2 and later.
The name must be used consistently.
Permit and deny statements need no access-list number.
The no form deletes an access-list statement.
Router(config)# ip access-list { standard | extended } name
Router(config {std- | ext-}nacl)# { permit | deny } { ip access list test conditions }
Router(config {std- | ext-}nacl)# no { permit | deny } { ip access list test conditions }
Router(config-if)# ip access-group name { in | out }
Purpose: Layer 1 shows the command syntax to declare a named IP access list. Layer 2 adds the new configuration environment for this form of access-list entry. Layer 3 finishes with the new form of the access-group command, now able to refer to an IP access list name as well as an access list number.
Emphasize: Show how to use named access lists, a newer approach to configuring access lists in Cisco IOS software. Note the new prompt form shown. Enter all test condition statements without an initial access list number. The statement that begins with the word no shows how you can delete a specific test condition from a named IP access list, which is much more flexible than earlier forms. With numbered access lists, the entire list and all its statements are treated as one entity: to change or delete a statement, you would first need to delete the entire numbered access list, then re-enter the statements you want to keep.
Example:
RouterB(config)#ip access-list standard test
RouterB(config-std-nacl)#permit 10.1.1.1
RouterB(config-std-nacl)#end
RouterB#sh ip access-list
Standard IP access list test
    permit 10.1.1.1
Introduced with Cisco IOS Release 11.2, named access lists:
Identify IP access lists intuitively using alphanumeric identifiers.
Remove the limit on the number of access lists (previously 99 for IP standard and 100 for IP extended access lists).
Allow per-statement deletions (previously the entire numbered access list had to be deleted as a single entity).
Require Cisco IOS Release 11.2 or later.

Access List Configuration Guidelines
The order of statements in an access list is critical.
Put the most restrictive statements at the top of the access list.
Use no access-list number to delete the entire access list.
Exception: named access lists allow individual statements to be deleted.
There is an implicit deny all at the end of every list.
Include a permit any statement in the access list you configure.
Purpose: Review the rules that govern how access lists are written and removed.
Emphasize: Because evaluation stops at the first matching statement, a misplaced statement silently changes which traffic the list permits.
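As an added example (not part of the Cisco deck), the following Python model shows how a router evaluates a numbered IP access list as described in the syntax slide, example 1 and the guidelines above: Cisco wildcard-mask matching, top-down first-match evaluation, the established keyword, and the implicit deny all. The line parser is a simplification that handles the any, host and eq forms used on these slides (lt/gt/neq are not parsed), and the packet dictionary and TCP flag set are the model's own assumptions.

```python
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23}   # names IOS accepts after 'eq'
ANY = ("0.0.0.0", "255.255.255.255")                      # 'any' == 0.0.0.0 255.255.255.255

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0   # 0 mask bits must match, 1 bits are "don't care"

def _addr(tokens):   # consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    t = tokens.pop(0)
    return ANY if t == "any" else (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def _port(tokens):   # consume an optional 'eq <number|name>'; lt/gt/neq are not handled here
    if tokens[:1] != ["eq"]:
        return None
    _, p = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(p) or int(p)

def parse_entry(line):   # one 'access-list N permit|deny ...' line, standard (1-99) or extended (100-199)
    tokens = line.split()
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    e = {"action": action, "proto": "ip", "sport": None, "dport": None, "established": False}
    if number < 100:                       # standard list: source address only
        e["src"], e["dst"] = _addr(tokens), ANY
        return e
    e["proto"] = tokens.pop(0)
    e["src"], e["sport"] = _addr(tokens), _port(tokens)
    e["dst"], e["dport"] = _addr(tokens), _port(tokens)
    e["established"] = "established" in tokens   # 'log' only adds a console message
    return e

def evaluate(acl_lines, pkt):   # top-down, first match wins; no match hits the implicit deny all
    for e in map(parse_entry, acl_lines):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["sport"] not in (None, pkt.get("sport")) or e["dport"] not in (None, pkt.get("dport")):
            continue
        if e["established"] and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return e["action"]
    return "deny"

ACL_101 = [   # the deck's example 1, applied outbound on E0: no FTP from 172.16.4.0/24 to 172.16.3.0/24
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
```

Dropping the final permit ip any any from ACL_101 makes every non-FTP packet fall through to the implicit deny, which is the mistake the guidelines warn about.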

Where to Place Access Lists
Recommended: place extended access lists close to the source; place standard access lists close to the destination.
(Diagram: routers A, B, C and D interconnected by serial (S0, S1), Ethernet (E0, E1) and Token Ring (To0) interfaces)
Purpose: Explain the basic rules on where to configure standard and extended access lists.
Emphasize: Describe how an extended access list placed near the source can eliminate unwanted traffic before it crosses the serial lines.

Verifying Access Lists
wg_ro_a#show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
<text omitted>
Purpose: This slide shows how to verify an access list.
Emphasize: The command lists IP interface information and indicates whether an outgoing or inbound access list is set. Review the output of the show ip interface command; the highlighted lines show the access list settings in the command output.

Displaying Access List Statements
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data
Purpose: This slide introduces the show access-lists command used to verify access lists.
Emphasize: This is the most consolidated way to see several access lists at once. Note that the implicit deny all statement is not displayed unless it was explicitly entered in the access list.

Lab Exercise

Visual Objective
Lab addressing, per pod (wg_ro's s0 / wg_ro's e0 / wg_sw):
A: 10.140.1.2 / 10.2.2.3 / 10.2.2.11
B: 10.140.2.2 / 10.3.3.3 / 10.3.3.11
C: 10.140.3.2 / 10.4.4.3 / 10.4.4.11
D: 10.140.4.2 / 10.5.5.3 / 10.5.5.11
E: 10.140.5.2 / 10.6.6.3 / 10.6.6.11
F: 10.140.6.2 / 10.7.7.3 / 10.7.7.11
G: 10.140.7.2 / 10.8.8.3 / 10.8.8.11
H: 10.140.8.2 / 10.9.9.3 / 10.9.9.11
I: 10.140.9.2 / 10.10.10.3 / 10.3.3.11
J: 10.140.10.2 / 10.11.11.3 / 10.11.11.11
K: 10.140.11.2 / 10.12.12.3 / 10.12.12.11
L: 10.140.12.2 / 10.13.13.3 / 10.13.13.11
(Diagram: each pod's PC (e.g. wg_pc_a 10.2.2.12, wg_pc_l 10.13.13.12), switch and router connect over the core router core_ro (10.1.1.3, serial interfaces s1/0 to s2/3 at 10.140.1.1 through 10.140.12.1) to core_sw_a 10.1.1.2 and core_server 10.1.1.1; the X marks indicate the TFTP and Telnet flows the lab access lists act on)
Note: Refer to the lab setup guide for lab instructions.

Chapter Summary
After completing this chapter, you should be able to:
Understand how IP access lists work.
Configure standard IP access lists.
Control vty access with access lists.
Purpose: Use the summary page items to review the chapter material you presented.

Review Questions
1. What are the two types of IP access lists?
2. Which statement is implied at the end of every access list?
3. What command applies an access list to the vty lines?
Note: Refer to the appendix for answers to the review questions.