第7章 访问控制列表 访问控制列表概述 标准、扩展及命名的访问控制列表 ACL执行 通配符掩码 配置访问控制列表 控制Telnet会话 第7章 访问控制列表 访问控制列表概述 标准、扩展及命名的访问控制列表 ACL执行 通配符掩码 配置访问控制列表 控制Telnet会话 ACL指南 验证ACL配置的命令 2018/12/8

访问控制列表概述-用途 按照优先级或用户队列处理数据包 检查和过滤数据包 限制对路由器虚拟终端的访问 对数据流进行限制以提高网络性能 定义发起DDR呼叫的数据 检查和过滤数据包 对数据流进行限制以提高网络性能 限制或减少路由更新的内容 2018/12/8

访问控制列表概述-类型 Standard Checks source address Generally permits or denies entire protocol suite Extended Checks source and destination address Generally permits or denies specific protocols 2018/12/8

访问控制列表概述-类型区分 Standard IP lists (1-99) test conditions of all IP packets from source addresses. Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Standard IP lists (1300-1999) (expanded range). Extended IP lists (2000-2699) (expanded range). Other access list number ranges test conditions for other networking protocols. 2018/12/8

标准访问控制列表 2018/12/8

扩展访问控制列表 2018/12/8

出口ACL执行 如ACL中没有匹配语句，丢弃包（inbound:入站） 2018/12/8

ACL内部执行顺序 2018/12/8

通配符掩码(Wildcard Mask) 通配符掩码为0表示检查数据包的IP地址相对应的比特位 2018/12/8

通配符掩码(Wildcard Mask) Check all the address bits (match all). Verify an IP host address, for example: For example, 172.30.16.29 0.0.0.0 checks all the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29). 2018/12/8

通配符掩码(Wildcard Mask) Ignore all the address bits (match any). An IP host address, for example: Accept any address: any Abbreviate the expression using the keyword any. 2018/12/8

通配符掩码(Wildcard Mask) Address and wildcard mask: 172.30.16.0 0.0.15.255 Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24. 2018/12/8

配置访问控制列表 Step 1: Set parameters for this access list test statement (which can be one of several statements). Router(config)#access-list access-list-number {permit | deny} {test conditions} Step 2: Enable an interface to use the specified access list. Router(config-if)#{protocol} access-group access-list-number {in | out} Standard IP lists (1-99) Extended IP lists (100-199) Standard IP lists (1300-1999) (expanded range) Extended IP lists (2000-2699) (expanded range) 2018/12/8

配置访问控制列表-标准 Sets parameters for this list entry Router(config)#access-list access-list-number {permit | deny | remark} source [mask] Sets parameters for this list entry IP standard access lists use 1 to 99 Default wildcard mask = 0.0.0.0 no access-list access-list-number removes entire access list remark option lets you add a description for the access list Router(config-if)#ip access-group access-list-number {in | out} Activates the list on an interface Sets inbound or outbound testing Default = outbound no ip access-group access-list-number removes access list from the interface 2018/12/8

配置访问控制列表-标准-例 禁止来自外部网络的数据流通过（允许内部主机访问外网） 2018/12/8

配置访问控制列表-标准-例 禁止来自某台主机的数据流通过（拒绝主机172.16.4.13访问网络172.16.3.0） 2018/12/8

配置访问控制列表-标准-例 禁止来自某个子网的数据流通过 2018/12/8

配置访问控制列表-扩展 Sets parameters for this list entry Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log] Sets parameters for this list entry Router(config-if)#ip access-group access-list-number {in | out} Activates the extended list on an interface 2018/12/8

配置访问控制列表-扩展-例 禁止来自子网 172.16.4.0 且前往子网172.16.3.0 的FTP数据流通过接口 E0. Permit all other traffic. 2018/12/8

配置访问控制列表-扩展-例 禁止来自特定子网的Telnet数据流通过. Permit all other traffic. 2018/12/8

命名的访问控制列表 Alphanumeric name string must be unique. Router(config)#ip access-list {standard | extended} name Alphanumeric name string must be unique. Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions} {permit | deny} {ip access list test conditions} no {permit | deny} {ip access list test conditions} Permit or deny statements have no prepended number. “no” removes the specific test from the named access list. Router(config-if)#ip access-group name {in | out} Activates the IP named access list on an interface. 2018/12/8

命名的访问控制列表 禁止来自特定子网的Telnet数据流通过的命名扩展访问列表 Router(config)#ip access-list extended screen Router(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23 Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#interface ethernet 0 Router(config-if)#ip access-group out 禁止来自特定子网的Telnet数据流通过的命名扩展访问列表 2018/12/8

控制Telnet会话 物理接口上设置访问控制列表？繁锁 在Telnet所使用的虚拟端口上设置ACL 2018/12/8

控制Telnet会话 创建一标准ACL，只允许所希望的主机能Telnet至路由器 进入vty配置模式 Router(config)#line vty {vty# | vty-range} 进入vty配置模式 Router(config-line)#access-class access-list-number {in | out} 使用access-class命令将ACL应用到VTY线路 2018/12/8

控制Telnet会话-例 仅允许 192.168.1.0 网络中主机过程登录到路由器 access-list 12 permit 192.168.1.0 0.0.0.255 (implicit deny all) ! line vty 0 4 access-class 12 in 仅允许 192.168.1.0 网络中主机过程登录到路由器 2018/12/8

ACL指南 每个接口、每个方向、每个协议只能有一个ACL 除了命名的ACL外，不能单独删除ACL中某个条件语句。可使用no access-list number删除整个列表 应把标准ACL放在靠近数据目标地址的路由器上，把扩展ACL放在靠近数据源发地的路由器上。 2018/12/8

ACL指南 ACL应放在边界路由器或防火墙上 2018/12/8

验证访问列表配置的命令 wg_ro_a#show ip interfaces e0 Ethernet0 is up, line protocol is up Internet address is 10.1.1.11/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled <text ommitted> 2018/12/8

验证访问列表配置的命令 wg_ro_a#show access-lists {access-list number} Standard IP access list 1 permit 10.2.2.1 permit 10.3.3.1 permit 10.4.4.1 permit 10.5.5.1 Extended IP access list 101 permit tcp host 10.22.22.1 any eq telnet permit tcp host 10.33.33.1 any eq ftp permit tcp host 10.44.44.1 any eq ftp-data 2018/12/8