ICND第八章访问列表.ppt

第八章访问列表访问列表的应用允许、拒绝数据包通过路由器允许、拒绝Telnet会话的建立没有设置访问列表时，所有的数据包都会在网络上传输虚拟会话虚拟会话(IP)端口上的数据传输端口上的数据传输 标准检查源地址通常允许、拒绝的是完整的协议OutgoingPacketE0S0IncomingPacketAccess List ProcessesPermit?Source什么是访问列表 标准检查源地址通常允许、拒绝的是完整的协议扩展检查源地址和目的地址通常允许、拒绝的是某个特定的协议OutgoingPacketE0S0IncomingPacketAccess List ProcessesPermit?Sourceand DestinationProtocol什么是访问列表 标准检查源地址通常允许、拒绝的是完整的协议扩展检查源地址和目的地址通常允许、拒绝的是某个特定的协议进方向和出方向 OutgoingPacketE0S0IncomingPacketAccess List ProcessesPermit?Sourceand DestinationProtocol什么是访问列表InboundInterfacePacketsNYPacket Discard BucketChooseInterfaceNAccessList?RoutingTable Entry?YOutbound InterfacesPacketS0出端口方向上的访问列表出端口方向上的访问列表 Outbound InterfacesPacketNYPacket Discard BucketChooseInterfaceRoutingTable Entry?NPacketTestAccess ListStatementsPermit?Y出端口方向上的访问列表AccessList?YS0E0InboundInterfacePacketsNotify Sender出端口方向上的访问列表If no access list statement matches then discard the packet NYPacket Discard BucketChooseInterfaceRoutingTable Entry?NYTestAccess ListStatementsPermit?YAccessList?Discard PacketNOutbound InterfacesPacketPacketS0E0InboundInterfacePackets访问列表的测试：允许和拒绝Packets to interfacesin the access groupPacket Discard BucketYInterface(s)DestinationDenyDenyYMatchFirstTest?Permit访问列表的测试：允许和拒绝Packets to Interface(s)in the Access GroupPacket Discard BucketYInterface(s)DestinationDenyDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?YY访问列表的测试：允许和拒绝Packets to Interface(s)in the Access GroupPacket Discard BucketYInterface(s)DestinationDenyDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?DenyMatchLastTest?YYNYYPermit访问列表的测试：允许和拒绝Packets to Interface(s)in the Access GroupPacket Discard BucketYInterface(s)DestinationDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?DenyMatchLastTest?YYNYYPermitImplicit DenyIf no matchdeny allDenyN访问列表设置命令Step 1:设置访问列表测试语句的参数设置访问列表测试语句的参数access-list access-list-number permit|deny test conditions Router(config)#Step 1:设置访问列表测试语句的参数设置访问列表测试语句的参数Router(config)#Step 2:在端口上应用访问列表在端口上应用访问列表 protocol access-group access-list-number in|out Router(config-if)#访问列表设置命令IP 访问列表的标号为 1-99 和 100-199access-list access-list-number permit|deny test conditions 如何识别访问列表编号范围编号范围访问列表类型访问列表类型IP 1-99Standard标准访问列表(1 to 99)检查 IP 数据包的源地址编号范围编号范围访问列表类型访问列表类型如何识别访问列表IP 1-99100-199StandardExtended标准访问列表(1 to 99)检查 IP 数据包的源地址扩展访问列表(100 to 199)检查源地址和目的地址、具体的 TCP/IP 协议和目的端口编号范围编号范围IP 1-99100-199Name(Cisco IOS 11.2 and later)800-899900-9991000-1099Name(Cisco IOS 11.2.F and later)StandardExtendedSAP filtersNamedStandardExtendedNamed访问列表类型访问列表类型IPX如何识别访问列表标准访问列表(1 to 99)检查 IP 数据包的源地址扩展访问列表(100 to 199)检查源地址和目的地址、具体的 TCP/IP 协议和目的端口其它访问列表编号范围表示不同协议的访问列表SourceAddressSegment(for example,TCP header)DataPacket(IP header)Frame Header(for example,HDLC)DenyPermit Useaccess list statements1-99 用标准访问列表测试数据DestinationAddressSourceAddressProtocolPortNumberSegment(for example,TCP header)DataPacket(IP header)Frame Header(for example,HDLC)Useaccess list statements1-99 or 100-199 to test thepacket DenyPermitAn Example from a TCP/IP Packet用扩展访问列表测试数据0 表示检查与之对应的地址位的值1表示忽略与之对应的地址位的值do not check address(ignore bits in octet)=001111111286432168421=00000000=00001111=11111100=11111111Octet bit position and address value for bitignore last 6 address bitscheck all address bits(match all)ignore last 4 address bitscheck last 2 address bitsExamples反掩码：如何检查相应的地址位例如 检查所有的地址位 可以简写为 host(host 172.30.16.29)Test conditions:Check all the address bits(match all)172.30.16.29(checks all bits)An IP host address,for example:Wildcard mask:反掩码指明特定的主机所有主机:可以用 any 简写Test conditions:Ignore all the address bits(match any)0.0.0.0(ignore all)Any IP addressWildcard mask:反掩码指明所有主机 1999,Cisco Systems,Inc.10-23配置标准的 IP 访问列表标准IP访问列表的配置access-list access-list-number permit|deny source maskRouter(config)#为访问列表设置参数为访问列表设置参数IP 标准访问列表编号标准访问列表编号 1 到到 99“no access-list access-list-number”命令删除访问列表命令删除访问列表access-list access-list-number permit|deny source maskRouter(config)#在端口上应用访问列表指明是进方向还是出方向缺省=出方向“no ip access-group access-list-number”命令在端口上删除访问列表Router(config-if)#ip access-group access-list-number in|out 为访问列表设置参数为访问列表设置参数IP 标准访问列表编号标准访问列表编号 1 到到 99“no access-list access-list-number”命令删除访问列表命令删除访问列表标准IP访问列表的配置E0E0S0S0E1E1Non-Non-标准访问列表举例 1 (implicit deny all-not visible in the list)(implicit deny all-not visible in the list)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)只允许本网络 (implicit deny all-not visible in the list)(implicit deny all-not visible in the list)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)interface ethernet 0interface ethernet 0ip access-group 1 outip access-group 1 outinterface ethernet 1interface ethernet 1ip access-group 1 outip access-group 1 outE0E0S0S0E1E1Non-Non-标准访问列表举例 1拒绝一个指定的主机标准访问列表举例 2E0E0S0S0E1E1Non-Non-access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 deny 172.16.4.13 0.0.0.0 标准访问列表举例 2E0E0S0S0E1E1Non-Non-拒绝一个指定的主机access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 access-list 1 permit 0.0.0.0 (implicit deny all)(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 access-list 1 permit 0.0.0.0 (implicit deny all)(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)interface ethernet 0interface ethernet 0ip access-group 1 outip access-group 1 out标准访问列表举例 2E0E0S0S0E1E1Non-Non-拒绝一个指定的主机拒绝一个指定的网络标准访问列表举例 3E0E0S0S0E1E1Non-Non-access-list 1 deny 172.16.4.0 access-list 1 deny 172.16.4.0 access-list 1 permit anyaccess-list 1 permit any(implicit deny all)(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)access-list 1 deny 172.16.4.0 access-list 1 deny 172.16.4.0 access-list 1 permit anyaccess-list 1 permit any(implicit deny all)(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)(access-list 1 deny 0.0.0.0 255.255.255.255)interface ethernet 0interface ethernet 0ip access-group 1 outip access-group 1 out标准访问列表举例 3E0E0S0S0E1E1Non-Non-拒绝一个指定的网络 1999,Cisco Systems,Inc.10-33用访问列表控制vty访问在路由器上过滤vty五个VTY(0 到 4)路由器的vty端口可以过滤连接在路由器上执行vty访问的控制01 234Virtual ports(vty 0 through 4)Physical port e0(Telnet)Console port(direct connect)consolee0如何控制vty访问01 234Virtual ports(vty 0 through 4)Physical port(e0)(Telnet)使用标准访问列表语句用 access-class 命令应用访问列表在所有vty通道上设置相同的限制条件Router#e0VTY的配置指明vty通道的范围在访问列表里指明方向access-class access-list-number in|outline vty#vty#|vty-rangeRouter(config)#Router(config-line)#VTY访问举例只允许网络192.89.55.0 内的主机连接路由器的 vty 通道!line vty 0 4 access-class 12 inControlling Inbound Access 1999,Cisco Systems,Inc.10-38扩展 IP 访问列表的配置标准访问列表和扩展访问列表比较标准标准扩展扩展基于源地址基于源地址基于源地址和目标地址基于源地址和目标地址允许和拒绝完整的允许和拒绝完整的TCP/IP协议协议指定指定TCP/IP的特定协议的特定协议和端口号和端口号编号范围编号范围 100 到到 199.编号范围编号范围 1 到到 99扩展 IP 访问列表的配置Router(config)#设置访问列表的参数access-list access-list-number permit|deny protocol source source-wildcard operator port destination destination-wildcard operator port established logRouter(config-if)#ip access-group access-list-number in|out 扩展 IP 访问列表的配置在端口上应用访问列表在端口上应用访问列表设置访问列表的参数Router(config)#access-list access-list-number permit|deny protocol source source-wildcard operator port destination destination-wildcard operator port established log拒绝子网172.16.4.0 的数据使用路由器e0口ftp到子网172.16.3.0 允许其它数据E0E0S0S0E1E1Non-Non-扩展访问列表应用举例 1access-list 101 access-list 101 deny tcpdeny tcp 0.0.0.255 172.16.3.0 0.0.0.255 eq 210.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20拒绝子网172.16.4.0 的数据使用路由器e0口ftp到子网172.16.3.0 允许其它数据扩展访问列表应用举例 1E0E0S0S0E1E1Non-Non-access-list 101 access-list 101 deny tcpdeny tcp 0.0.0.255 172.16.3.0 0.0.0.255 eq 210.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any anyaccess-list 101 permit ip any any(implicit deny all)(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)access-list 101 access-list 101 deny tcpdeny tcp 0.0.0.255 172.16.3.0 0.0.0.255 eq 210.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any anyaccess-list 101 permit ip any any(implicit deny all)(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)interface ethernet 0interface ethernet 0ip access-group 101 outip access-group 101 out拒绝子网172.16.4.0 的数据使用路由器e0口ftp到子网172.16.3.0 允许其它数据扩展访问列表应用举例 1E0E0S0S0E1E1Non-Non-拒绝子网 172.16.4.0 内的主机使用路由器的 E0 端口建立Telnet会话允许其它数据扩展访问列表应用举例 2E0E0S0S0E1E1Non-Non-access-list 101 deny tcp 172.16.4.0 access-list 101 deny tcp 172.16.4.0 0.0.0.255 0.0.0.255 any eq 23 any eq 23拒绝子网 172.16.4.0 内的主机使用路由器的 E0 端口建立Telnet会话允许其它数据扩展访问列表应用举例 2E0E0S0S0E1E1Non-Non-access-list 101 deny tcp 172.16.4.0 access-list 101 deny tcp 172.16.4.0 0.0.0.255 0.0.0.255 any eq 23 any eq 23access-list 101 permit ip any anyaccess-list 101 permit ip any any(implicit deny all)(implicit deny all)access-list 101 deny tcp 172.16.4.0 access-list 101 deny tcp 172.16.4.0 0.0.0.255 0.0.0.255 any eq 23 any eq 23access-list 101 permit ip any anyaccess-list 101 permit ip any any(implicit deny all)(implicit deny all)interface ethernet 0interface ethernet 0ip access-group 101 outip access-group 101 out拒绝子网 172.16.4.0 内的主机使用路由器的 E0 端口建立Telnet会话允许其它数据扩展访问列表应用举例 2E0E0S0S0E1E1Non-Non-使用命名访问列表Router(config)#ip access-list standard|extended name适用于适用于IOS版本号为版本号为11.2以后以后所使用的命名必须一致所使用的命名必须一致使用命名访问列表Router(config)#ip access-list standard|extended name permit|deny ip access list test conditions permit|deny ip access list test conditions no permit|deny ip access list test conditions Router(config std-|ext-nacl)#适用于适用于IOS版本号为版本号为11.2以后以后所使用的命名必须一致所使用的命名必须一致允许和拒绝语句不需要访问列表编号允许和拒绝语句不需要访问列表编号“no”命令删除访问列表命令删除访问列表Router(config)#ip access-list standard|extended nameRouter(config std-|ext-nacl)#permit|deny ip access list test conditions permit|deny ip access list test conditions no permit|deny ip access list test conditions Router(config-if)#ip access-group name in|out 使用命名访问列表适用于适用于IOS版本号为版本号为11.2以后以后所使用的命名必须一致所使用的命名必须一致允许和拒绝语句不需要访问列表编号允许和拒绝语句不需要访问列表编号“no”命令删除访问列表命令删除访问列表在端口上应用访问列表在端口上应用访问列表访问列表配置准则访问列表中限制语句的位置是至关重要的将限制条件严格的语句放在访问列表的最上面使用 no access-list number 命令将删除整个访问列表例外:命名访问列表可以删除单独的语句隐含声明 deny all在设置的访问列表中要有一句 permit any将扩展访问列表置于离源设备较近的位置将标准访问列表置于离目的设备较近的位置E0E0E1S0To0S1S0S1E0E0B BA AC C访问列表的放置原则推荐：推荐：D Dwg_ro_a#show ip int e0wg_ro_a#show ip int e0Ethernet0 is up,line protocol is upEthernet0 is up,line protocol is up Address determined by setup command Address determined by setup command MTU is 1500 bytes MTU is 1500 bytes Helper address is not set Helper address is not set Directed broadcast forwarding is disabled Directed broadcast forwarding is disabled Outgoing access list is not set Outgoing access list is not set Inbound access list is 1 Inbound access list is 1 Proxy ARP is enabled Proxy ARP is enabled Security level is default Security level is default Split horizon is enabled Split horizon is enabled ICMP redirects are always sent ICMP redirects are always sent ICMP unreachables are always sent ICMP unreachables are always sent ICMP mask replies are never sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching is enabled IP fast switching on the same interface is disabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP multicast distributed fast switching is disabled 查看访问列表查看访问列表的语句wg_ro_a#show access-lists Standard IP access list 1Extended IP access list 101 permit tcp host 10.22.22.1 any eq telnet permit tcp host 10.33.33.1 any eq ftp permit tcp host 10.44.44.1 any eq ftp-datawg_ro_a#show protocol access-list access-list number wg_ro_a#show access-lists access-list number