© 1999, Cisco Systems, Inc. ICND—10-1 Chapter 8 IP 访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-2 当网络增长时，管理 IP 网络流量 为什么使用 IP 访问控制列表 ?

© 1999, Cisco Systems, Inc. ICND— Internet 当网络增长时，管理 IP 网络流量 当数据包经过 Router 时，对数据进行筛选 为什么使用 IP 访问控制列表 ?

© 1999, Cisco Systems, Inc. ICND—10-4 IP 访问控制列表应用 Permit or deny packets moving through the router Permit or deny vty access to or from the router Without access lists all packets could be transmitted onto all parts of your network Virtual terminal line access (IP) Transmission of packets on an interface

© 1999, Cisco Systems, Inc. ICND—10-5 标准访问控制列表 – 按照源地址控制 – 通常允许或拒绝整个协议栈 Outgoing Packet E0 S0 Incoming Packet Access List Processes Permit? Source 访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-6 标准访问控制列表 – 检验源地址 – 通常允许或拒绝整个协议栈 扩展访问控制列表 – 检验源地址、目的地址 – 通常允许或拒绝某个单独的协议 Outgoing Packet E0 S0 Incoming Packet Access List Processes Permit? Source and Destination Protocol 访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-7 标准访问控制列表 – 检验源地址 – 通常允许或拒绝整个协议栈 扩展访问控制列表 – 检验源地址、目的地址 – 通常允许或拒绝某个单独的协议 Inbound 和 Outbound 两个方向 Outgoing Packet E0 S0 Incoming Packet Access List Processes Permit? Source and Destination Protocol 访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-8 Inbound Interface Packets N Y Packet Discard Bucket Choose Interface N Access List ? Routing Table Entry ? Y Outbound Interfaces Packet S0 Outbound 访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-9 Outbound Interfaces Packet N Y Packet Discard Bucket Choose Interface Routing Table Entry ? N Packet Test Access List Statements Permit ? Y Outbound 访问控制列表 Access List ? Y S0 E0 Inbound Interface Packets

© 1999, Cisco Systems, Inc. ICND—10-10 Notify Sender Outbound 访问控制列表 If no access list statement matches then discard the packet N Y Packet Discard Bucket Choose Interface Routing Table Entry ? N Y Test Access List Statements Permit ? Y Access List ? Discard Packet N Outbound Interfaces Packet S0 E0 Inbound Interface Packets

© 1999, Cisco Systems, Inc. ICND—10-11 A List of Tests: Deny or Permit Packets to interfaces in the access group Packet Discard Bucket Y Interface(s) Destination Deny Y Match First Test ? Permit

© 1999, Cisco Systems, Inc. ICND—10-12 A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Y Match First Test ? Permit N DenyPermit Match Next Test(s) ? YY The order of access list statements controls testing

© 1999, Cisco Systems, Inc. ICND—10-13 A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Y Match First Test ? Permit N DenyPermit Match Next Test(s) ? Deny Match Last Test ? YY N YY Permit

© 1999, Cisco Systems, Inc. ICND—10-14 A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Y Match First Test ? Permit N DenyPermit Match Next Test(s) ? Deny Match Last Test ? YY N YY Permit Implicit Deny If no match deny all Deny N

© 1999, Cisco Systems, Inc. ICND—10-15 访问控制列表配置的一般原则 访问控制列表编号指明每接口、每协议、每方向一个 访问控制列表。 最严格的语句放在列表最上面。 访问控制列表末尾有一个隐含的拒绝。 先创建访问控制列表，后绑定到接口。 访问控制列表只过滤通过 router 的流量 ; 不过滤由此 router 自己发出的数据。

© 1999, Cisco Systems, Inc. ICND—10-16 访问控制列表配置命令 Step 1: 设置访问控制列表 语句 ( 可以有多条语句 ) access-list access-list-number { permit | deny } { test conditions } Router(config)#

© 1999, Cisco Systems, Inc. ICND—10-17 Step 1: 设置访问控制列表 语句 ( 可以有多条语句 ) Router(config)# Step 2: 在指定的接口启用访问控制列表 { protocol } access-group access-list-number {in | out} Router(config-if)# 访问控制列表配置命令 IP Access lists are numbered 1-99 or access-list access-list-number { permit | deny } { test conditions }

© 1999, Cisco Systems, Inc. ICND—10-18 访问控制列表类型 Number Range/Identifier Access List Type IP 1-99 Standard Standard IP lists (1 to 99) test conditions of all IP packets from source addresses

© 1999, Cisco Systems, Inc. ICND—10-19 Number Range/Identifier Access List Type 访问控制列表类型 IP Standard Extended Standard IP lists (1 to 99) test conditions of all IP packets from source addresses Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports

© 1999, Cisco Systems, Inc. ICND—10-20 Number Range/Identifier IP Name (Cisco IOS 11.2 and later) Name (Cisco IOS F and later) Standard Extended SAP filters Named Standard Extended Named Access List Type IPX 访问控制列表类型 Standard IP lists (1 to 99) test conditions of all IP packets from source addresses Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports Other access list number ranges test conditions for other networking protocols

© 1999, Cisco Systems, Inc. ICND—10-21 Source Address Segment (for example, TCP header) Data Packet (IP header) Frame Header (for example, HDLC) DenyPermit Use access list statements 1-99 标准访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-22 Destination Address Source Address Protocol Port Number Segment (for example, TCP header) Data Packet (IP header) Frame Header (for example, HDLC) Use access list statements 1-99 or to test the packet DenyPermit An Example from a TCP/IP Packet 扩展访问控制列表

© 1999, Cisco Systems, Inc. ICND— ：检查相对应的地址位 1 ：忽略相对应的地址位 do not check address (ignore bits in octet) = = = = = Octet bit position and address value for bit ignore last 6 address bits check all address bits (match all) ignore last 4 address bits check last 2 address bits Examples 应用 Wildcard Bits 指定 IP 地址

© 1999, Cisco Systems, Inc. ICND—10-24 Example checks all the address bits Abbreviate this wildcard mask using the IP address preceded by the keyword host (host ) Test conditions: Check all the address bits (match all) (checks all bits) An IP host address, for example: Wildcard mask: 应用 Wildcard Bits 指定单个 IP 地址

© 1999, Cisco Systems, Inc. ICND—10-25 Accept any address: Abbreviate the expression using the keyword any Test conditions: Ignore all the address bits (match any) (ignore all) Any IP address Wildcard mask: 应用 Wildcard Bits 指定任 意 IP 地址

© 1999, Cisco Systems, Inc. ICND—10-26 Check for IP subnets /24 to /24 Network Network.host Wildcard mask: | | | = = =18 : =31 Address and wildcard mask: 应用 Wildcard Bits 指定一个 IP 地址范围

© 1999, Cisco Systems, Inc 配置标准访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-28 配置标准访问控制列表 access-list access-list-number {permit|deny} source [mask] Router(config)# Sets parameters for this list entry IP standard access lists use 1 to 99 Default wildcard mask = “no access-list access-list-number” removes entire access-list

© 1999, Cisco Systems, Inc. ICND—10-29 access-list access-list-number {permit|deny} source [mask] Router(config)# Activates the list on an interface Sets inbound or outbound testing Default = Outbound “no ip access-group access-list-number” removes access-list from the interface Router(config-if)# ip access-group access-list-number { in | out } Sets parameters for this list entry IP standard access lists use 1 to 99 Default wildcard mask = “no access-list access-list-number” removes entire access-list 配置标准访问控制列表

© 1999, Cisco Systems, Inc. ICND— E0 S0 E1 Non 配置标准访问控制列表 Example 1 access-list 1 permit (implicit deny all - not visible in the list) (access-list 1 deny )

© 1999, Cisco Systems, Inc. ICND—10-31 Permit 只允许本地网络的访问 access-list 1 permit (implicit deny all - not visible in the list) (access-list 1 deny ) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out E0 S0 E1 Non 配置标准访问控制列表 Example 1

© 1999, Cisco Systems, Inc. ICND—10-32 Deny 一个特定主机 配置标准访问控制列表 Example E0 S0 E1 Non access-list 1 deny

© 1999, Cisco Systems, Inc. ICND—10-33 配置标准访问控制列表 Example E0 S0 E1 Non Deny 一个特定主机 access-list 1 deny access-list 1 permit (implicit deny all) (access-list 1 deny )

© 1999, Cisco Systems, Inc. ICND—10-34 access-list 1 deny access-list 1 permit (implicit deny all) (access-list 1 deny ) interface ethernet 0 ip access-group 1 out 配置标准访问控制列表 Example E0 S0 E1 Non Deny 一个特定主机

© 1999, Cisco Systems, Inc. ICND—10-35 Deny 一个特定子网 配置标准访问控制列表 Example E0 S0 E1 Non access-list 1 deny access-list 1 permit any (implicit deny all) (access-list 1 deny )

© 1999, Cisco Systems, Inc. ICND—10-36 access-list 1 deny access-list 1 permit any (implicit deny all) (access-list 1 deny ) interface ethernet 0 ip access-group 1 out 配置标准访问控制列表 Example E0 S0 E1 Non Deny 一个特定子网

© 1999, Cisco Systems, Inc 用访问控制列表控制 VTY 线路访问

© 1999, Cisco Systems, Inc. ICND—10-38 过滤 VTY 访问 5 条 VTY 线路 (0 —— 4) 筛选能够到达 Router 端口的地址 筛选 Router vty out 方向的流量 Virtual ports (vty 0 through 4) Physical port e0 (Telnet) Console port (direct connect) console e0

© 1999, Cisco Systems, Inc. ICND—10-39 如何控制 vty 访问 Virtual ports (vty 0 through 4) Physical port (e0) (Telnet) Setup IP address filter with standard access list statement Use line configuration mode to filter access with the access-class command Set identical restrictions on all vtys Router# e0

© 1999, Cisco Systems, Inc. ICND—10-40 Virtual Terminal Line Commands Enters configuration mode for a vty or vty range Restricts incoming or outgoing vty connections for address in the access list access-class access-list-number {in|out} line vty#{vty# | vty-range} Router(config)# Router(config-line)#

© 1999, Cisco Systems, Inc. ICND—10-41 Virtual Terminal Access Example Permits only hosts in network to connect to the router’s vtys access-list 12 permit ! line vty 0 4 access-class 12 in Controlling Inbound Access

© 1999, Cisco Systems, Inc 配置扩展访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-43 标准 VS 扩展访问控制列表 StandardExtended 基于源地址筛选 基于源地址、目的地址筛选 Permit 、 deny 整个 TCP/IP 协议栈. 可以指定某个 TCP/IP 协议 与端口号 编号 100~199 编号 1~99

© 1999, Cisco Systems, Inc. ICND—10-44 配置扩展访问控制列表 Router(config)# Sets parameters for this list entry access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]

© 1999, Cisco Systems, Inc. ICND—10-45 Router(config-if)# ip access-group access-list- number { in | out } 配置扩展访问控制列表 Activates the extended list on an interface Sets parameters for this list entry Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]

© 1999, Cisco Systems, Inc. ICND—10-46 Deny FTP from subnet to subnet out of E0 Permit all other traffic E0 S0 E1 Non 扩展访问控制列表 Example 1 access-list 101 deny tcp eq 21 access-list 101 deny tcp eq 20

© 1999, Cisco Systems, Inc. ICND—10-47 Deny FTP from subnet to subnet out of E0 Permit all other traffic 扩展访问控制列表 Example E0 S0 E1 Non access-list 101 deny tcp eq 21 access-list 101 deny tcp eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip )

© 1999, Cisco Systems, Inc. ICND—10-48 access-list 101 deny tcp eq 21 access-list 101 deny tcp eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip ) interface ethernet 0 ip access-group 101 out Deny FTP from subnet to subnet out of E0 Permit all other traffic 扩展访问控制列表 Example E0 S0 E1 Non

© 1999, Cisco Systems, Inc. ICND—10-49 Deny only Telnet from subnet out of E0 Permit all other traffic 扩展访问控制列表 Example E0 S0 E1 Non access-list 101 deny tcp any eq 23

© 1999, Cisco Systems, Inc. ICND—10-50 Deny only Telnet from subnet out of E0 Permit all other traffic 扩展访问控制列表 Example E0 S0 E1 Non access-list 101 deny tcp any eq 23 access-list 101 permit ip any any (implicit deny all)

© 1999, Cisco Systems, Inc. ICND—10-51 access-list 101 deny tcp any eq 23 access-list 101 permit ip any any (implicit deny all) interface ethernet 0 ip access-group 101 out Deny only Telnet from subnet out of E0 Permit all other traffic 扩展访问控制列表 Example E0 S0 E1 Non

© 1999, Cisco Systems, Inc. ICND—10-52 将扩展访问控制列表靠近源地址 将标准访问控制列表靠近目的地址 E0 E1 S0 To0 S1 S0 S1 E0 B A C 在哪里放置访问控制列表 Recommended: D

© 1999, Cisco Systems, Inc. ICND—10-53 wg_ro_a#show ip int e0 Ethernet0 is up, line protocol is up Internet address is /24 Broadcast address is Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled 验证访问控制列表

© 1999, Cisco Systems, Inc. ICND—10-54 查看访问控制列表语句 wg_ro_a#show access-lists Standard IP access list 1 permit permit permit permit Extended IP access list 101 permit tcp host any eq telnet permit tcp host any eq ftp permit tcp host any eq ftp-data wg_ro_a#show {protocol} access-list {access-list number} wg_ro_a#show access-lists {access-list number}