© 1999, cisco systems, inc. icnd—10-1 chapter 8 ip 访问控制列表
TRANSCRIPT
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-1
Chapter 8
IP 访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-2
FDDI
• 当网络增长时,管理 IP 网络流量
TokenRing
为什么使用 IP 访问控制列表 ?为什么使用 IP 访问控制列表 ?
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-3
FDDI
172.16.0.0
172.17.0.0
TokenRing
Internet
• 当网络增长时,管理 IP 网络流量• 当数据包经过 Router 时,对数据进行筛选
为什么使用 IP 访问控制列表 ?为什么使用 IP 访问控制列表 ?
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-4
IP 访问控制列表应用
• Permit or deny packets moving through the router
• Permit or deny vty access to or from the router
• Without access lists all packets could be transmitted onto all parts of your network
Virtual terminal line access (IP)
Transmission of packets on an interface
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-5
• 标准访问控制列表– 按照源地址控制– 通常允许或拒绝整个协议栈
OutgoingPacket
E0
S0
IncomingPacket
Access List Processes
Permit?
Source
访问控制列表访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-6
• 标准访问控制列表– 检验源地址– 通常允许或拒绝整个协议栈
• 扩展访问控制列表– 检验源地址、目的地址– 通常允许或拒绝某个单独的协议
OutgoingPacket
E0
S0
IncomingPacket
Access List Processes
Permit?
Sourceand
Destination
Protocol
访问控制列表访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-7
• 标准访问控制列表– 检验源地址– 通常允许或拒绝整个协议栈
• 扩展访问控制列表– 检验源地址、目的地址– 通常允许或拒绝某个单独的协议
• Inbound 和 Outbound 两个方向
OutgoingPacket
E0
S0
IncomingPacket
Access List Processes
Permit?
Sourceand
Destination
Protocol
访问控制列表访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-8
InboundInterfacePackets
N
Y
Packet Discard Bucket
ChooseInterface
NAccessList
?
RoutingTable Entry
?
Y
Outbound Interfaces
Packet
S0
Outbound 访问控制列表Outbound 访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-9
Outbound Interfaces
Packet
N
Y
Packet Discard Bucket
ChooseInterface
RoutingTable Entry
?N Packet
TestAccess ListStatements
Permit?
Y
Outbound 访问控制列表Outbound 访问控制列表
AccessList
?
Y
S0
E0
InboundInterfacePackets
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-10
Notify Sender
Outbound 访问控制列表Outbound 访问控制列表
If no access list statement matches then discard the packet
N
Y
Packet Discard Bucket
ChooseInterface
RoutingTable Entry
?N
Y
TestAccess ListStatements
Permit?
Y
AccessList
?
Discard Packet
N
Outbound Interfaces
Packet
Packet
S0
E0
InboundInterfacePackets
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-11
A List of Tests: Deny or PermitA List of Tests: Deny or Permit
Packets to interfacesin the access group
Packet Discard Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
MatchFirstTest
?
Permit
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-12
A List of Tests: Deny or PermitA List of Tests: Deny or Permit
Packets to Interface(s)in the Access Group
Packet Discard Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
MatchFirstTest
?
Permit
N
Deny PermitMatchNext
Test(s)?
YY
• The order of access list statements controls testing
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-13
A List of Tests: Deny or PermitA List of Tests: Deny or Permit
Packets to Interface(s)in the Access Group
Packet Discard Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
MatchFirstTest
?
Permit
N
Deny PermitMatchNext
Test(s)?
DenyMatchLastTest
?
YY
N
YYPermit
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-14
A List of Tests: Deny or PermitA List of Tests: Deny or Permit
Packets to Interface(s)in the Access Group
Packet Discard Bucket
Y
Interface(s)
Destination
Deny
Y
MatchFirstTest
?
Permit
N
Deny PermitMatchNext
Test(s)?
DenyMatchLastTest
?
YY
N
YYPermit
Implicit Deny
If no matchdeny allDeny
N
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-15
访问控制列表配置的一般原则访问控制列表配置的一般原则
• 访问控制列表编号指明每接口、每协议、每方向一个访问控制列表。• 最严格的语句放在列表最上面。• 访问控制列表末尾有一个隐含的拒绝。• 先创建访问控制列表,后绑定到接口。• 访问控制列表只过滤通过 router 的流量 ; 不过滤由此
router 自己发出的数据。
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-16
访问控制列表配置命令
Step 1: 设置访问控制列表 语句 ( 可以有多条语句 )
access-list access-list-number { permit | deny } { test conditions }
Router(config)#
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-17
Step 1: 设置访问控制列表 语句 ( 可以有多条语句 )
Router(config)#
Step 2: 在指定的接口启用访问控制列表
{ protocol } access-group access-list-number {in | out} Router(config-if)#
访问控制列表配置命令
IP Access lists are numbered 1-99 or 100-199
access-list access-list-number { permit | deny } { test conditions }
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-18
访问控制列表类型访问控制列表类型
Number Range/IdentifierAccess List Type
IP 1-99Standard
• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-19
Number Range/IdentifierAccess List Type
访问控制列表类型访问控制列表类型
IP 1-99100-199
StandardExtended
• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
• Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-20
Number Range/Identifier
IP 1-99100-199Name (Cisco IOS 11.2 and later)
800-899900-9991000-1099Name (Cisco IOS 11.2. F and later)
StandardExtendedSAP filtersNamed
StandardExtendedNamed
Access List Type
IPX
访问控制列表类型访问控制列表类型
• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
• Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
• Other access list number ranges test conditions for other networking protocols
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-21
SourceAddress
Segment(for example, TCP header)
DataPacket(IP header)
Frame Header(for example, HDLC)
Deny Permit
Useaccess
list statements1-99
标准访问控制列表标准访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-22
DestinationAddress
SourceAddress
Protocol
PortNumber
Segment(for example, TCP header)
DataPacket(IP header)
Frame Header(for example, HDLC)
Useaccess
list statements1-99 or 100-199 to
test thepacket Deny Permit
An Example from a TCP/IP Packet
扩展访问控制列表扩展访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-23
• 0 :检查相对应的地址位• 1 :忽略相对应的地址位
do not check address (ignore bits in octet)
=0 0 1 1 1 1 1 1
128 64 32 16 8 4 2 1
=0 0 0 0 0 0 0 0
=0 0 0 0 1 1 1 1
=1 1 1 1 1 1 0 0
=1 1 1 1 1 1 1 1
Octet bit position and address value for bit
ignore last 6 address bits
check all address bits(match all)
ignore last 4 address bits
check last 2 address bits
Examples
应用 Wildcard Bits 指定 IP 地址应用 Wildcard Bits 指定 IP 地址
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-24
• Example 172.30.16.29 0.0.0.0 checks all the address bits
• Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)
Test conditions: Check all the address bits (match all)
172.30.16.29
0.0.0.0(checks all bits)
An IP host address, for example:
Wildcard mask:
应用 Wildcard Bits 指定单个 IP 地址
应用 Wildcard Bits 指定单个 IP 地址
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-25
• Accept any address: 0.0.0.0 255.255.255.255
• Abbreviate the expression using the keyword any
Test conditions: Ignore all the address bits (match any)
0.0.0.0
255.255.255.255(ignore all)
Any IP address
Wildcard mask:
应用 Wildcard Bits 指定任意 IP 地址
应用 Wildcard Bits 指定任意 IP 地址
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-26
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24
Network Network .host 172.30.16172.30.16.0
00 00 00 11 0 0 0 0Wildcard mask: 0 0 0 0 1 1 1 1
|<---- match ---->|<----- don’t care ----->|
0 0 0 1 0 0 0 0 = 16
0 0 0 1 0 0 0 1 = 17
0 0 0 1 0 0 1 0 = 18
: :
0 0 0 1 1 1 1 1 = 31
Address and wildcard mask:
172.30.16.0 0.0.15.255
应用 Wildcard Bits 指定一个 IP 地址范围
应用 Wildcard Bits 指定一个 IP 地址范围
© 1999, Cisco Systems, Inc. www.cisco.com 10-27
配置标准访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-28
配置标准访问控制列表配置标准访问控制列表
access-list access-list-number {permit|deny} source [mask]
Router(config)#
• Sets parameters for this list entry
• IP standard access lists use 1 to 99
• Default wildcard mask = 0.0.0.0
• “no access-list access-list-number” removes entire access-list
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-29
access-list access-list-number {permit|deny} source [mask]
Router(config)#
• Activates the list on an interface
• Sets inbound or outbound testing
• Default = Outbound
• “no ip access-group access-list-number” removes access-list from the interface
Router(config-if)#
ip access-group access-list-number { in | out }
• Sets parameters for this list entry
• IP standard access lists use 1 to 99
• Default wildcard mask = 0.0.0.0
• “no access-list access-list-number” removes entire access-list
配置标准访问控制列表配置标准访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-30
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
配置标准访问控制列表Example 1
配置标准访问控制列表Example 1
access-list 1 permit 172.16.0.0 0.0.255.255(implicit deny all - not visible in the list)(access-list 1 deny 0.0.0.0 255.255.255.255)
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-31
Permit 只允许本地网络的访问
access-list 1 permit 172.16.0.0 0.0.255.255(implicit deny all - not visible in the list)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 outinterface ethernet 1ip access-group 1 out
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
配置标准访问控制列表Example 1
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-32
Deny 一个特定主机
配置标准访问控制列表Example 2
配置标准访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
access-list 1 deny 172.16.4.13 0.0.0.0
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-33
配置标准访问控制列表Example 2
配置标准访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
Deny 一个特定主机
access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-34
access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 out
配置标准访问控制列表Example 2
配置标准访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
Deny 一个特定主机
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-35
Deny 一个特定子网
配置标准访问控制列表Example 3
配置标准访问控制列表Example 3
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-36
access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 1 out
配置标准访问控制列表Example 3
配置标准访问控制列表Example 3
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
Deny 一个特定子网
© 1999, Cisco Systems, Inc. www.cisco.com 10-37
用访问控制列表控制VTY 线路访问
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-38
过滤 VTY 访问过滤 VTY 访问
• 5 条 VTY 线路 (0 —— 4)
• 筛选能够到达 Router 端口的地址• 筛选 Router vty out 方向的流量
0 1 2 3 4
Virtual ports (vty 0 through 4)
Physical port e0 (Telnet)Console port (direct connect)
console e0
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-39
如何控制 vty 访问如何控制 vty 访问
0 1 2 3 4
Virtual ports (vty 0 through 4)
Physical port (e0) (Telnet)
• Setup IP address filter with standard access list statement
• Use line configuration mode to filter access with the access-class command
• Set identical restrictions on all vtys
Router#
e0
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-40
Virtual Terminal Line Commands
Virtual Terminal Line Commands
• Enters configuration mode for a vty or vty range
• Restricts incoming or outgoing vty connections for address in the access list
access-class access-list-number {in|out}
line vty#{vty# | vty-range}
Router(config)#
Router(config-line)#
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-41
Virtual Terminal Access Example
Virtual Terminal Access Example
Permits only hosts in network 192.89.55.0 to connect to the router’s vtys
access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
access-class 12 in
Controlling Inbound Access
© 1999, Cisco Systems, Inc. www.cisco.com 10-42
配置扩展访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-43
标准 VS 扩展访问控制列表标准 VS 扩展访问控制列表
Standard Extended
基于源地址筛选 基于源地址、目的地址筛选
Permit 、 deny 整个 TCP/IP 协议栈 .
可以指定某个 TCP/IP 协议 与端口号
编号 100~199编号 1~99
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-44
配置扩展访问控制列表配置扩展访问控制列表
Router(config)#
• Sets parameters for this list entry
access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-45
Router(config-if)# ip access-group access-list-number { in | out }
配置扩展访问控制列表配置扩展访问控制列表
• Activates the extended list on an interface
• Sets parameters for this list entry
Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-46
• Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
• Permit all other traffic
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
扩展访问控制列表Example 1
扩展访问控制列表Example 1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-47
• Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
• Permit all other traffic
扩展访问控制列表Example 1
扩展访问控制列表Example 1
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-48
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0ip access-group 101 out
• Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 • Permit all other traffic
扩展访问控制列表Example 1
扩展访问控制列表Example 1
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-49
• Deny only Telnet from subnet 172.16.4.0 out of E0• Permit all other traffic
扩展访问控制列表Example 2
扩展访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-50
• Deny only Telnet from subnet 172.16.4.0 out of E0• Permit all other traffic
扩展访问控制列表Example 2
扩展访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23access-list 101 permit ip any any(implicit deny all)
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-51
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23access-list 101 permit ip any any(implicit deny all)
interface ethernet 0ip access-group 101 out
• Deny only Telnet from subnet 172.16.4.0 out of E0• Permit all other traffic
扩展访问控制列表Example 2
扩展访问控制列表Example 2
172.16.3.0 172.16.4.0
172.16.4.13E0
S0E1
Non-172.16.0.0
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-52
• 将扩展访问控制列表靠近源地址• 将标准访问控制列表靠近目的地址
E0
E0
E1
S0
To0
S1S0
S1
E0
E0TokenRing
BB
AACC
在哪里放置访问控制列表在哪里放置访问控制列表
Recommended:
DD
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-53
wg_ro_a#show ip int e0Ethernet0 is up, line protocol is up Internet address is 10.1.1.11/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled <text ommitted>
验证访问控制列表验证访问控制列表
© 1999, Cisco Systems, Inc. www.cisco.com ICND—10-54
查看访问控制列表语句查看访问控制列表语句
wg_ro_a#show access-lists Standard IP access list 1 permit 10.2.2.1 permit 10.3.3.1 permit 10.4.4.1 permit 10.5.5.1Extended IP access list 101 permit tcp host 10.22.22.1 any eq telnet permit tcp host 10.33.33.1 any eq ftp permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}