ACL访问控制列表

Slide Title,Body Text,Second Level,Third Level,Fourth Level,Fifth Level,2006,Shenzhen Polytechnic.All rights reserved.,*,2006,Shenzhen Polytechnic.All rights reserved.,*,Slide Title,Body Text,Second Level,Third Level,Fourth Level,Fifth Level,访问控制列表,Access Control List,深圳职业技术学院计算机系网络专业,教学目标（,Objectives,）,1.,访问控制列表（,Access Control List,）,2.,配置标准访问控制列表,（,Configure standard IP access lists,）,3.,配置扩展访问控制列表,（,Configure extended IP access lists,）,4.,配置命名访问控制列表,（,Configure named IP access lists,）,5.,验证和监视,ACL,（,Verify and monitor IP access lists,）,Internet,当网络访问增长时，管理,IP,通信,Manage IP traffic as network access grows,当数据包通过路由器时，起到过滤作用,Filter packets as they pass through the router,为什么使用,ACL,？（,Why Use Access Control Lists?,）,ACL,作用（,Function of ACL,）,1,限制网络流量、提高网络性能。,Limit network traffic and increase network performance.,2,提供对通信流量的控制手段。,Provide traffic flow control.,3,提供网络访问的基本安全手段。,Provide a basic level of security for network access.,4,在路由器接口处，决定哪种类型的通信流量被转发、哪种类型的通信流量被阻塞。,Decide which types of traffic are forwarded or blocked at the router interfaces.,ACL,如何工作（,ACL,How to work,）,ACL,条件顺序（,The order in which ACL statements are placed,）,ACL,条件顺序（,The order in which ACL statements are placed,）,Cisco IOS,按照各描述语句在,ACL,中的顺序，根据各描述语句的判断条件，对数据包进行检查。,一旦找到了某一匹配条件，就结束比较过程,，不再检查以后的其他条件判断语句。,The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom.Once a match is found in the list,the accept or reject action is performed and no other ACL statements are checked,什么是,ACL,？（,What Are Access Lists?,）,标准,ACL,（,Standard ACL,）,检查源地址（,Checks Source address,）,允许或拒绝整个协议族（,Generally permits or denies entire protocol suite,）,Outgoing,Packet,fa0/0,S0/0,Incoming,Packet,Access List Processes,Permit?,Source,扩展,ACL,（,Extended ACL,）,检查源和目的地址,（,Checks Source and Destination address,）,通常允许或拒绝特定的协议（,Generally permits or denies specific protocols,）,Outgoing,Packet,Fa0/0,s0/0,Incoming,Packet,Access List Processes,Permit?,Source,and Destination,Protocol,什么是,ACL,？（,What Are Access Lists?,）,用扩展,ACL,检查数据包（,Check Packets with Extended ACL,）,常见端口号（,Known Port Number,）,端口号,(,Port Number,),20,文件传输协议（,FTP,）数据,21,文件传输协议（,FTP,）程序,23,远程登录（,Telnet,）,25,简单邮件传输协议（,SMTP,）,69,普通文件传送协议（,TFTP,）,80,超文本传输协议,(,HTTP,),53,域名服务系统（,DNS,）,ACL,表号（,ACL Number,）,协议（,Protocol,）,ACL,表号的取值范围（,ACL Range,）,IP,（,Internet,协议）,1-99,Extended IP(,扩展,Internet,协议,),100-199,AppleTalk,600-699,IPX,（互联网数据包交换）,800-899,Extended IPX(,扩展互联网数据包交换,),900-999,IPX service Advertising Protocol(IPX,服务通告协议,),1000-1099,通配符掩码（,Wildcard Mask,）,1.,是一个,32,比特位的数字字符串,(,A wildcard mask is a 32-bit quantity,),2.0,表示“检查相应的位”,1,表示“不检查（忽略）相应的位”,A zero means let the value through to be checked,the Xs(1s)mean block the value from being compared.,特殊的通配符掩码（,Special,Wildcard Mask,）,1.,Any,2.,Host,172.30.16.29,Host,Access List,命令（,Access List Command,）,Step 1:,定义访问控制列表（,Define the ACL,）,access-list,access-list-number,permit|deny ,test,conditions,Router(config)#,Router(config)#,Step 2:,将访问控制列表应用到某一接口上,（,Apply ACL to a Interface,）,protocol,access-group,access-list-number,in|out,Router(config-if)#,Access List,命令（,Access List Command,）,Router(config-if)#,ip access-group 1 out,仅允许我的网络（,Permit my network only,）,(implicit deny all-not visible in the list),(access-list 1 deny 0.0.0.0 255.255.255.255),interface ethernet 0,ip access-group 1 out,interface ethernet 1,ip access-group 1 out,标准,IP ACL,实例,1,（,Standard IP ACL Example 1,）,E0,S0,E1,Non-,access-list 1 deny 172.16.4.13 0.0.0.0,access-list 1 permit 0.0.0.0,2,(implicit deny all),(access-list 1 deny 0.0.0.0 255.255.255.255),interface ethernet 0,ip access-group 1 out,标准,IP ACL,实例,2,（,Standard IP ACL Example 2,）,E0,S0,E1,Non-,拒绝特定的主机（,Deny a specific host,）,access-list 1 deny 172.16.4.0,access-list 1 permit any,(implicit deny all),(access-list 1 deny 0.0.0.0 255.255.255.255),interface ethernet 0,ip access-group 1 out,标准,IP ACL,实例,3,（,Standard IP ACL Example 3,）,E0,S0,E1,Non-,拒绝特定的子网（,Deny a specific subnet,）,标准,ACL,与扩展,ACL,比较（,Standard versus External ACL,）,标准（,Standard,）,扩展（,Extended,）,过滤基于源,（,Filters Based onSource.,）,过滤基于源和目的（,Filters Based on Source and destination.,）,允许或拒绝整个协议族（,Permit or deny entire TCP/IP protocol suite.,）,允许或拒绝特定的,IP,协议或端口,（,Specifies a specific IP protocol and port number.,）,范围（,100-199,）,Range is 100 through 199.,范围（,1-99,）,Range is 1 through 99,CASE STUDY,首先使得,PC1,所在的网络不能通过路由器,R1,访问,PC2,所在的网络。,扩展,ACL,配置（,Extended IP ACL Configuration,）,Router(config)#,access-list,access-list-number,permit|deny,protocol source source-wildcard operator port,destination destination-wildcard,operator port,established,log,参数,参数描述,access-list-number,访问控制列表表号,permit|deny,如果满足条件，允许或拒绝后面指定特定地址的通信流量,protocol,用来指定协议类型，如,IP,、,TCP,、,UDP,、,ICMP,等,source and destination,分别用来标识源地址和目的地址,source-mask,通配符掩码，跟源地址相对应,destination-mask,通配符掩码，跟目的地址相对应,operator,lt,gt,eq,neq(,小于，大于，等于，不等于,),operand,一个端口号,established,如果数据包使用一个已建立连接，便可允许,TCP,信息通过,access-list 101,0.0.0.255 172.16.3.0 0.0.0.255 eq 21,access-list 101 deny tcp 172.16.4.0 0.0.0