Tag: acl

ACL tutorial


Slide 4

Purpose: This figure explains the history of TCP/IP.

Emphasize: In the mid-1970s, DARPA established a packet-switched network to provide electronic communication between research institutions in the United States. DARPA and other government organizations understood the potential of packet-switched technology and were just beginning to face the problem virtually all companies with networks now have—how to establish communication between dissimilar computer systems.

Slide 8

Slide 1 of 3

Purpose: This figure (one of three layers) shows in more detail how an outbound access list operates in a router.

Emphasize:

Transition: Shows packets coming in an inbound interface. This portion of the flowchart illustrates generic packet handling with or without access lists. The key outcome for the next layer is knowing which interface on the routing table indicates the best or next path.

Is an access list associated with the interface? If not, the packet can route directly, for example, out the upper outgoing interface (the upper arrow). Note: The graphic does not mean that only interfaces with no access group can output packets; based on source and destination addresses, and other parameters, other packets could also pass the access list and be routed out on an interface.

Slide 9

Slide 2 of 3

Purpose:

Emphasize: Shows the larger diamond. It contains words to summarize access list statements and permit/deny logic. This layer illustrates a permitted packet now sent to the outbound interface buffer for output (the lower arrow).

Slide 10

Slide 3 of 3

Purpose:

Emphasize: Shows a deny result of the access list test. Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.

The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.

Slide 11

Slide 1 of 4

Purpose:

Emphasize: This graphic explains in more detail the processes access list statements perform. Use the graphic’s diamond expanded from an earlier page to show individual access list statements.

Shows packets coming into the large diamond. It represents an expanded graphical view from the previous page. Inside, smaller diamonds represent access list statements. They occur in sequential, logical order. Tell students the graphic represents a single access list. There can be only one access list per protocol per direction per interface.

Slide 12

Slide 2 of 4

Purpose:

Emphasize: Adds the next test diamond.

Slide 13

Slide 3 of 4

Purpose:

Emphasize: Adds the third diamond as the next test.

Discuss the logical, ordered testing of packet conditions. One recommendation for the sequence of access list statements begins with the most specific of conditions to match at the beginning of the list; then continue with matches involving a larger group, such as entire subnets or networks. Finish with statements matching still larger groups.

Slide 14

Slide 4 of 4

Purpose:

Emphasize: Shows the implicit “deny all.” Describe the final access list test to match any packets not covered by earlier access list statements. All remaining packets match the “Implicit Deny” and are discarded into the bit bucket.

Slide 15

Slide 3 of 3

Purpose:

Emphasize: Layer 3—Adds the Novell IPX access lists covered in the IPX chapter and the number ranges for these types of access lists. As of Release 11.2.4(F), IPX also supports named access lists.

Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol.

Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types.

For the most part, number ranges do not overlap between different protocols.

Note: With IOS 12.0, the IP access list ranges have been expanded to also include:

<1300-1999> IP standard access list (expanded range)

<2000-2699> IP extended access list (expanded range)

Slide 16

Slide 1 of 1

Purpose:

Emphasize: This graphic gives an overview of the type of TCP/IP packet tests standard access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.

Slide 17

Slide 1 of 1

Purpose:

Emphasize: This graphic gives an overview of the type of TCP/IP packet tests extended access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.

Slide 18

Slide 2 of 2

Purpose:

Emphasize: Layer 2—Adds the general form of the interface command. This links the previously specified interface to a group that will handle its packet for the protocol in the manner specified by the global access list statements.

It can help student understanding to learn a generalized command as a simplified template common to most access list processes. However, the details for specific access lists vary widely.

As you present the global access list command material that follows in this chapter, return to the template term “test conditions” if it helps your students associate variations to the general elements of this model.

Emphasize that “test conditions” is an abstraction for this course. Use this abstraction as a generalization to assist teaching and learning. The words “test conditions” are not a Cisco IOS argument or parameter.

Cisco IOS software also offers many variations for the second interface command. As you present these variations, refer your students to the template term “access group” and emphasize how each variation performs a link of the access list test conditions met and the interfaces that packets can use as a result.

Slide 19

Slide 1 of 2

Purpose:

Emphasize: Introduce the wildcard bit process. Tell students the wildcard bit matching process is different from the IP subnet addressing mask covered earlier.

This graphic describes the binary wildcard masking process. Illustrate how wildcard masking works using the examples shown in the graphic table.

The term wildcard masking is a nickname for this access list mask-bit-matching process. This nickname comes from an analogy of a wildcard that matches any other card in a poker game.

Emphasize the contrast between wildcard masks and subnet masks stated in the student guide note. The confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types.

Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask must be contiguous.

Wildcard is like the DOS “*” character.

Slide 20

Slide 1 of 1

Purpose:

Emphasize: This graphic shows students how to use the host abbreviation in the extended access list wildcard mask.

This abbreviation means check the bit value in all bit positions, which has the effect of matching only the specified IP host address in all bit positions.

Slide 21

Slide 1 of 1

Purpose:

Emphasize: This graphic shows students how to use the wildcard any abbreviation.

This abbreviation means ignore any bit value in all bit positions, which has the effect of matching anything in all bit positions.

Slide 22

Slide 1 of 1

Purpose: This slide describes an example of how wildcard mask bits will match all hosts on subnets 172.30.16.0/24 to 172.30.31.0/24.

Emphasize: This process requires a thorough understanding of binary numbering, what values to use in the power of two bit positions, and how to convert a number from decimal to binary.

If some of your students seem to lack this understanding, tell them that responsibility for complex access list design is an advanced configuration skill. Later, this course offers a hands-on lab to allow practice designing simple access lists.

If you feel that your students need another example to improve their understanding of the process, prepare another example as a chalk talk. Consider having students volunteer to help as you solve your own example that lines up the binary bits of the address and the binary bits of the wildcard mask.
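As an added illustration of the wildcard and ordering rules from these slides (this is not part of the original notes), the Python below implements the Cisco wildcard-mask test and a first-match evaluator for standard access lists with the implicit deny; the ACL entries it evaluates are constructed to mirror the slide-29 scenario, and 0.0.15.255 is the wildcard that covers 172.30.16.0/24 through 172.30.31.0/24.

```python
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the wildcard must match the
    address exactly, a 1 bit is 'don't care'.  The 1 bits do not have to
    be contiguous, which is what sets wildcards apart from subnet masks."""
    care = ~_ip(wildcard) & 0xFFFFFFFF          # bits that must be compared
    return (_ip(packet_ip) & care) == (_ip(address) & care)


def parse_standard_ace(line: str):
    """Parse one standard ACE in the forms the slides use:
         access-list N {permit|deny} host A
         access-list N {permit|deny} any
         access-list N {permit|deny} A W        (W = wildcard mask)
         access-list N {permit|deny} A          (wildcard defaults to 0.0.0.0)
    Returns (action, address, wildcard)."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]                            # drop keyword and list number
    action, rest = tok[0], tok[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    if rest[0] == "any":                         # every address matches
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":                        # exactly one address
        return action, rest[1], "0.0.0.0"
    if len(rest) == 1:                           # address alone: default wildcard
        return action, rest[0], "0.0.0.0"
    return action, rest[0], rest[1]


def evaluate_standard_acl(acl_lines, source_ip: str):
    """Test the ACEs in order; the first match decides, and a packet that
    matches nothing is dropped by the implicit 'deny all'.
    Returns (action, matching_line); matching_line is None for the implicit deny."""
    for line in acl_lines:
        action, address, wildcard = parse_standard_ace(line)
        if wildcard_match(source_ip, address, wildcard):
            return action, line
    return "deny", None


# Constructed list modelled on the slide-29 scenario: block one host, permit
# the rest of 172.16.0.0/16.  Specific entry first, larger group after it.
ACL_SPECIFIC_FIRST = [
    "access-list 1 deny host 172.16.4.13",
    "access-list 1 permit 172.16.0.0 0.0.255.255",
]
# Same entries in the wrong order: the broad permit shadows the deny.
ACL_BROAD_FIRST = list(reversed(ACL_SPECIFIC_FIRST))


def shadowed_entries(acl_lines, probe_ips):
    """Return the ACEs that none of the probe addresses ever reaches: a cheap
    sanity check for the ordering rule (specific conditions before larger groups)."""
    hit = {evaluate_standard_acl(acl_lines, ip)[1] for ip in probe_ips}
    return [line for line in acl_lines if line not in hit]


if __name__ == "__main__":
    # Slide-22 case: 172.30.16.0 with wildcard 0.0.15.255 spans 172.30.16.0/24 .. 172.30.31.0/24
    for ip in ("172.30.16.1", "172.30.31.254", "172.30.32.1", "172.30.15.9"):
        print(ip, wildcard_match(ip, "172.30.16.0", "0.0.15.255"))
    # Non-contiguous wildcard: 0.0.0.254 keeps only the lowest bit, i.e. odd hosts of 10.1.1.0/24
    print("odd hosts:", [h for h in range(1, 8) if wildcard_match(f"10.1.1.{h}", "10.1.1.1", "0.0.0.254")])
    for acl in (ACL_SPECIFIC_FIRST, ACL_BROAD_FIRST):
        print(evaluate_standard_acl(acl, "172.16.4.13"),
              shadowed_entries(acl, ["172.16.4.13", "172.16.4.14"]))
```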

Slide 23

Slide 1 of 2

Purpose: This slide gives the specific command syntax for TCP/IP standard access list configuration. The access-list command creates an entry in a standard access list.

Emphasize: The access-list field descriptions:

list—identifies the list to which the entry belongs; a number from 1 to 99.

address—source IP address.

wildcard-mask—identifies which bits in the address field are matched. It has a 1 in positions indicating “don’t care” bits, and a 0 in any position which is to be strictly followed.

Slide 24

Slide 2 of 2

Purpose: This layer shows the ip access-group command.

Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface per direction per protocol is allowed.

The ip access-group field descriptions:

list—number of the access-list to be linked to this interface.

direction—default is outbound.

Note: Create the access list before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list becomes active on the interface, and because of the implicit deny all at the end of every access list, it may block most traffic on the interface.

To remove an access list, remove it from all interfaces first, then remove the access list itself. In older versions of IOS, removing the access list without first removing it from the interface can cause problems.

Slide 25

Slide 1 of 2

Purpose: This slide gives a specific TCP/IP example of a standard access list configuration.

Emphasize: Describe each part of the standard access list to your students. The blue statements represent the implicit deny all.

A good way to teach this material is to start with another similar configuration on the board. Set goals that will result in the example and have students tell you how to configure it. Have the students tell you what to write. After the configuration on the board is correct, use the slide to review.

Slide 26

Slide 2 of 2

Purpose:

Emphasize: Because of the implicit deny all, all non-172.16.x.x traffic is blocked going out E0 and E1.

Note: The red arrows indicate that the access list is applied as an outbound access list.

Slide 27

Slide 1 of 3

Purpose: This slide gives another specific TCP/IP example of a standard access list configuration.

Emphasize:

Note: The wildcard mask of 0.0.0.0 is the default wildcard mask. It does not have to be specified.

Slide 28

Slide 2 of 3

Purpose:

Emphasize: Each access-list should have at least one permit statement in it to make it meaningful because of the implicit deny all statement at the end.

Slide 29

Slide 3 of 3

Purpose:

Emphasize: Only host 172.16.4.13 is blocked from going out on E0 to subnet 172.16.3.0.


Ask the students what will happen if the access list is placed as an input access list on E1 instead: host 172.16.4.13 will be blocked from going out to the non-172.16.0.0 cloud as well as to subnet 172.16.3.0.

Note: The red arrows indicate that the access list is applied as an outbound access list.

Slide 30

Slide 1 of 2

Purpose: This slide gives another specific TCP/IP example of a standard access list configuration.

Emphasize: This example features the use of the wildcard abbreviation any.

Slide 31

Slide 2 of 2

Purpose:

Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.

Note: The red arrows indicate that the access list is applied as an outbound access list.

Slide 32

Slide 1 of 2

Purpose: The access-list command creates an entry in a complex traffic filter list.

Emphasize: The access-list field descriptions:

list—a number between 100 and 199

protocol—ip, tcp, udp, icmp, igrp, eigrp, ospf, and so on; ip matches any IP protocol (see note below)

source—IP address

source-mask—wildcard mask of address bits that must match; 0s indicate bits that must match, 1s are “don’t care”

destination—IP address

destination-mask—wildcard mask

operator—lt, gt, eq, neq

operand—a port number or application name (for example, 23 or telnet)

established—only allows established TCP sessions coming in (the ACK or RST bit must be set)

log—generates a console message when a packet matches the access-list statement

Note: If the protocol is not one of the listed keywords, you may enter its protocol number, between 1 and 255.

Slide 33

Slide 2 of 2

Purpose: Layer 2—Adds the access-group command for IP.

Emphasize:

The list number must match the number (100 to 199) you specified in the access-list command.

Slide 34

Slide 1 of 3

Purpose: This three-layer slide shows an example of an extended IP access list.

Emphasize:

Slide 35

Slide 2 of 3

Purpose:

Emphasize: Don’t forget to include the permit statement to permit all other IP traffic out on E0.

Slide 37

Slide 1 of 3

Purpose: This slide gives another example of an extended IP access list configuration.

Emphasize: Notice this example of an IP extended access list specifies a source subnet address and any destination address.

Slide 38

Slide 2 of 3

Purpose:

Emphasize: Don’t forget to include the permit statement to permit all other IP traffic out on E0.

Slide 40

Slide 1 of 3

Purpose: Layer 1—Shows the command syntax to declare a named IP access list.

Emphasize: Show how to use named access lists, a new approach to configuring access lists in Cisco IOS software.

Slide 41

Slide 2 of 3

Purpose: Layer 2—Adds the new configuration environment for this form of access list entry.

Emphasize: Note the new prompt form shown. Enter all test condition statements without an initial access list number.

The statement that begins with the word no shows how you can delete a specific test condition for IP named access lists, which is much more flexible than earlier forms.

With numbered access lists, the entire list and all its statements are treated as a single entity: to change or delete a statement, you would first need to delete the entire numbered access list, then reenter the statements you want to keep.

Example:

RouterB(config)#ip access-list standard test

RouterB(config-std-nacl)#permit 10.1.1.1

RouterB(config-std-nacl)#end

RouterB#sh ip access-list

Standard IP access list test

permit 10.1.1.1

Slide 42

Slide 3 of 3

Purpose: Layer 3—Finishes with the new form of the access group command, now able to refer to an IP access list name as well as an access list number.

Emphasize: Introduced with Cisco IOS Release 11.2, named access lists:

Intuitively identify IP access lists using alphanumeric identifiers.

Remove the limit on the number of access lists (previously 99 for IP standard and 100 for IP extended access lists).

Allow per-access-list-statement deletions (previously the entire numbered access list needed to be deleted as a single entity).

Require Cisco IOS Release 11.2 or later.

Slide 43

Slide 1 of 1

Purpose:

Emphasize: Explain the basic rules on where to configure standard and extended access lists.

Describe how the extended access list can eliminate unwanted traffic across the serial lines.

Slide 44

Slide 1 of 1

Purpose: This slide shows how to verify an access list.

Emphasize: Lists IP interface information and indicates whether an outgoing access list is set.

Review the output of the show ip interface command. The highlighted text shows details about access list settings in the show command output.

Slide 45

Slide 1 of 1

Purpose: This slide introduces the show access-lists command used to verify access lists.

Emphasize: This is the most consolidated method for seeing several access lists.

Note: the implicit deny all statement is not displayed unless it is explicitly entered in the access list.

Slide 46

Slide 1 of 1

Purpose:

Emphasize: Instead of applying a standard access-list to a physical interface, now we will apply a standard access-list to the router’s vty ports. A vty port is a logical port on the router that can accept telnet sessions.

Note:

Access-class is used to filter incoming telnet sessions into the router’s vty ports and to filter outgoing telnet sessions from the router’s vty ports.

Access-class always uses a standard access list, matching the source address of an incoming telnet session and the destination address of an outgoing telnet session.

The 2500 series router by default has 5 vty ports (vty 0 through 4).

To configure more vty ports, use the following global configuration command:

RouterB(config)#line vty 0 ?

<1-188> Last Line number

<cr>

Slide 47

Slide 1 of 1

Purpose:

Emphasize: To filter incoming and outgoing telnet sessions to and from the router’s vty ports, a standard access list is used.

If this is to block incoming telnet sessions into a router’s vty port, the standard access-list is used to match the source address of the host trying to telnet into the router’s vty port.

If this is to block outgoing telnet sessions from the router’s vty ports to a host, the standard access-list is used to match the destination address of the host the router is trying to telnet into from its vty ports.

Slide 48

Slide 1 of 1

Purpose:

Emphasize: Use “access-class” to apply the standard access-list to the vty port. The next slide will show a configuration example.

Slide 49

Slide 1 of 1

Purpose: This example shows how to restrict incoming telnet sessions to the router’s vty ports.

Emphasize: The access-class is applied as an input filter.

Note: Ask the student the effect of changing the direction of the access-class to outbound instead of inbound.

Now the router can accept incoming telnet sessions to its vty ports from all hosts but will block outgoing telnet sessions from its vty ports to all hosts except hosts in network 192.89.55.0.

Once a user has telnetted into a router’s vty port, the outbound access-class filter will prevent the user from telnetting to other hosts as specified by the standard access list.

Remember, when an access list is applied to an interface, it only blocks or permits traffic going through the router; it does not block or permit traffic initiated from the router itself.

ACL basic configuration guide


Filtering by source or destination address

Problem: Block packets coming from a particular address or sent to a particular address.

Solution

Use a standard access list to block packets from a specific source address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 50 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Use an extended access list to block packets with a specific source address and destination address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes

19.2. Adding remarks to an ACL

Problem: Add remarks to an access list to make it easier to read.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 remark Authorizing thy trespass with compare

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255

Router1(config)#access-list 50 permit any

Router1(config)#end

Router1#

Or:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list standard TESTACL

Router2(config-std-nacl)#remark Authorizing thy trespass with compare

Router2(config-std-nacl)#deny host 10.2.2.2

Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255

Router2(config-std-nacl)#permit any

Router2(config-std-nacl)#end

Router2#

Notes: Remarks are not displayed in the output of the show access-list command.

19.3. Filtering by application

Problem: Filter traffic according to the application.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 151 permit tcp any any eq www

Router1(config)#access-list 151 deny tcp any any gt 1023

Router1(config)#access-list 151 permit icmp any any

Router1(config)#access-list 151 permit udp any any eq ntp

Router1(config)#access-list 151 deny ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 151 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: none.

19.4. Filtering on TCP header flags

Problem: Filter on the flag bits in the TCP header.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg

Router1(config)#access-list 161 deny tcp any any rst syn

Router1(config)#access-list 161 deny tcp any any rst syn fin

Router1(config)#access-list 161 deny tcp any any rst syn fin ack

Router1(config)#access-list 161 deny tcp any any syn fin

Router1(config)#access-list 161 deny tcp any any syn fin ack

Router1(config)#end

Router1#

Starting with 12.3(4)T, a new command format is available:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended TCPFLAGFILTER

Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg     

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn                   

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin         

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack

Router2(config-ext-nacl)#end

Router2#

Notes: The TCP header has six flag bits: ACK, SYN, FIN, RST, PSH and URG. The new command format introduces the two keywords match-all and match-any. match-any follows the traditional filtering style, caring only about the specified flags and ignoring how the other flags are set, while match-all requires the packet to satisfy all of the specified flag settings.
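To make the three flag-matching styles on this page concrete (the legacy flag keywords of access-list 161, match-all/match-any with +/- conditions, and the established keyword from the extended access-list slides), here is an added Python model; it is not from the original guide, and it encodes the IOS semantics as I understand them: + requires the bit set, - requires it clear, match-all needs every condition, match-any needs at least one. It also checks access-list 161 above for entries that can never be reached.

```python
from typing import Optional

# TCP flag bits as laid out in the header's flags byte.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_from_names(names) -> int:
    """Build a flags byte from flag names, e.g. ["syn", "ack"] -> 0x12."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.lower()]
    return value


def legacy_flags_match(packet_flags: int, required_names) -> bool:
    """Classic 'deny tcp any any syn fin' form: every listed flag must be set;
    flags not listed are ignored, so SYN+FIN+ACK also matches 'syn fin'."""
    mask = flags_from_names(required_names)
    return packet_flags & mask == mask


def parse_flag_conditions(spec: str):
    """'+syn -ack +fin' -> [('syn', True), ('ack', False), ('fin', True)]
    (+ means the bit must be set, - means it must be clear)."""
    conditions = []
    for item in spec.split():
        if item[0] not in "+-" or item[1:].lower() not in TCP_FLAGS:
            raise ValueError(f"bad flag condition: {item!r}")
        conditions.append((item[1:].lower(), item[0] == "+"))
    return conditions


def _holds(packet_flags: int, name: str, must_be_set: bool) -> bool:
    return bool(packet_flags & TCP_FLAGS[name]) == must_be_set


def match_all(packet_flags: int, conditions) -> bool:
    """match-all: every +/- condition must hold."""
    return all(_holds(packet_flags, n, s) for n, s in conditions)


def match_any(packet_flags: int, conditions) -> bool:
    """match-any: at least one +/- condition must hold."""
    return any(_holds(packet_flags, n, s) for n, s in conditions)


def established(packet_flags: int) -> bool:
    """The 'established' keyword: ACK or RST set, i.e. not the opening SYN of a session."""
    return bool(packet_flags & (TCP_FLAGS["ack"] | TCP_FLAGS["rst"]))


# The six deny entries of access-list 161 from the page, in the order configured.
ACL_161_FLAG_SETS = [
    ["ack", "fin", "psh", "rst", "syn", "urg"],
    ["rst", "syn"],
    ["rst", "syn", "fin"],
    ["rst", "syn", "fin", "ack"],
    ["syn", "fin"],
    ["syn", "fin", "ack"],
]


def first_denying_entry(packet_flags: int) -> Optional[int]:
    """Index of the first access-list 161 entry that matches, or None if the
    packet reaches the end of the list.  Entries are tested in order and
    unlisted flags are ignored, so 'rst syn' (index 1) catches every RST+SYN
    packet and the 'rst syn fin' entries after it are never reached."""
    for index, names in enumerate(ACL_161_FLAG_SETS):
        if legacy_flags_match(packet_flags, names):
            return index
    return None


def unreachable_entries() -> list:
    """Entries whose flag set is a superset of an earlier entry's set: every
    packet they would match was already caught by the earlier entry."""
    shadowed = []
    for i, names in enumerate(ACL_161_FLAG_SETS):
        if any(set(earlier) <= set(names) for earlier in ACL_161_FLAG_SETS[:i]):
            shadowed.append(i)
    return shadowed


if __name__ == "__main__":
    syn_fin_ack = flags_from_names(["syn", "fin", "ack"])
    print("legacy 'syn fin' on SYN+FIN+ACK:", legacy_flags_match(syn_fin_ack, ["syn", "fin"]))
    print("match-any +syn +fin on SYN only:", match_any(flags_from_names(["syn"]), parse_flag_conditions("+syn +fin")))
    print("match-all +syn +fin on SYN only:", match_all(flags_from_names(["syn"]), parse_flag_conditions("+syn +fin")))
    print("established on bare SYN:", established(flags_from_names(["syn"])))
    print("shadowed entries of access-list 161:", unreachable_entries())
```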

19.5. Restricting the direction of TCP sessions

Problem: Filter TCP sessions so that only the client side can initiate the application.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 148 permit tcp any eq telnet any established

Router1(config)#access-list 148 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 148 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes

19.6. Filtering multi-port applications

Problem: Filter applications that open multiple ports.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 152 permit tcp any any eq ftp

Router1(config)#access-list 152 permit tcp any any eq ftp-data established

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 152 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: For other multi-port applications, the following forms can be used:

Router1(config)#access-list 154 permit udp any any range 6000 6063

Router1(config)#access-list 155 deny udp any any gt 1023

Router1(config)#access-list 156 permit udp any any lt 1024

Router1(config)#access-list 157 permit udp any any neq 666

19.7. Filtering by DSCP and TOS

Problem: Filter on IP quality-of-service information.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any dscp af11

Router1(config)#end

Or:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any tos max-reliability

Router1(config)#end

Notes

19.8. Logging the packets that trigger an access list

Problem: Log information about the packets that trigger an access list.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit ip any any log

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

For more detailed information:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit tcp any any log-input

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: Log messages from the first example:

Feb  6 : %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets

Feb  6 : %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets

Log messages from the second example:

Feb  6 : %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet

Note that the log-input option can only be used with extended access lists.

19.9. Logging TCP sessions

Problem: Count the number of TCP sessions.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 122 permit tcp any any eq telnet established

Router1(config)#access-list 122 permit tcp any any eq telnet

Router1(config)#access-list 122 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 122 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Or:
Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 121 permit tcp any any eq telnet syn

Router1(config)#access-list 121 permit tcp any any eq telnet

Router1(config)#access-list 121 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 121 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: For the first example:

Router1#show access-list 122

Extended IP access list 122

    permit tcp any any eq telnet established (3843 matches)

    permit tcp any any eq telnet (6 matches)

    permit ip any any (31937 matches)

Router1#

The output shows that a total of six Telnet sessions passed through the interface, carrying 3,843 + 6 = 3,849 Telnet packets.

19.10. Analyzing ACL log entries

Notes: Use a script to analyze the generated ACL log entries; omitted here.
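Section 19.10 leaves the log-analysis script out, so here is an added Python parser (not from the original guide) for the %SEC-6-IPACCESSLOG* message formats shown in 19.8; the sample log is constructed, reusing the page's three lines plus invented "denied" lines with a placeholder interface and MAC address.

```python
import re
from collections import defaultdict
from typing import Optional

# Matches the three message variants seen in 19.8: IPACCESSLOGRP (routing
# protocol / other IP), IPACCESSLOGDP (ICMP with type/code) and IPACCESSLOGP
# (TCP/UDP with ports, plus the "(interface mac)" block added by log-input).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<variant>[A-Z]+): list (?P<list>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log line as a dict, or None if the line
    is not an IPACCESSLOG message.  Ports, ICMP type/code and the packet
    count are converted to int; fields absent from the variant are None."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Sum the reported packet counts per (list, action, proto, src, dst)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec:
            totals[(rec["list"], rec["action"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def denied_sources(lines):
    """Packet totals per source address for denied entries only, largest first.
    For log-input lines the ingress interface and source MAC are kept as well,
    which is what lets you trace a denied (possibly spoofed) source to a port."""
    per_src = defaultdict(lambda: {"packets": 0, "seen_on": set()})
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec and rec["action"] == "denied":
            per_src[rec["src"]]["packets"] += rec["count"]
            if rec["ifname"]:
                per_src[rec["src"]]["seen_on"].add((rec["ifname"], rec["mac"]))
    return sorted(per_src.items(), key=lambda kv: kv[1]["packets"], reverse=True)


# Constructed sample: the first three lines are the page's own examples, the
# 'denied' lines are invented (placeholder interface FastEthernet0/1 and MAC).
SAMPLE_LOG = [
    "Feb  6 : %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets",
    "Feb  6 : %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets",
    "Feb  6 : %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet",
    "Feb  6 : %SEC-6-IPACCESSLOGP: list 151 denied tcp 10.2.2.2(40001) (FastEthernet0/1 0000.0c12.3456) -> 172.25.25.1(23), 3 packets",
    "Feb  6 : %SEC-6-IPACCESSLOGP: list 151 denied tcp 10.2.2.2(40002) (FastEthernet0/1 0000.0c12.3456) -> 172.25.25.1(23), 2 packets",
    "Feb  6 : %SEC-6-IPACCESSLOGDP: list 151 denied icmp 10.9.9.9 -> 172.25.25.1 (8/0), 1 packet",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(key, count)
    for src, info in denied_sources(SAMPLE_LOG):
        print("denied from", src, info["packets"], "packets, seen on", sorted(info["seen_on"]))
```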

19.11. Using named and reflexive access lists

Problem: Use a reflexive access list within a named access list.

Solution

A basic named access list is similar to a numbered access list:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list standard STANDARD-ACL

Router1(config-std-nacl)#remark This is a standard ACL

Router1(config-std-nacl)#permit any log

Router1(config-std-nacl)#exit

Router1(config)#ip access-list extended EXTENDED-ACL

Router1(config-ext-nacl)#remark This is an extended ACL

Router1(config-ext-nacl)#deny tcp any any eq www

Router1(config-ext-nacl)#permit ip any any log

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group STANDARD-ACL in

Router1(config-if)#exit

Router1(config)#end

Router1#

The following embeds a reflexive access list to allow one-way ping:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list extended PING-OUT

Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#ip access-list extended PING-IN

Router1(config-ext-nacl)#evaluate ICMP-REFLECT

Router1(config-ext-nacl)#deny icmp any any log

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group PING-OUT out

Router1(config-if)#ip access-group PING-IN in

Router1(config-if)#end

Router1#

Notes: In the example, the reflexive access list controls the returning ICMP responses.

19.12. Handling passive-mode FTP

Problem: Distinguish passive-mode FTP.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp

Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023

Router1(config)#access-list 144 deny ip any any

Router1(config)#interface Serial0/0.1   

Router1(config-subif)#ip access-group 144 in

Router1(config-subif)#exit

Router1(config)#end

Router1#

Notes: With passive-mode FTP, the client opens a second connection to the server on a port above 1024, so all ports above 1024 must be opened for such sessions. The configuration in the example solves the problem but reduces security; a more effective way of handling this is introduced in a later chapter.

19.13. Using time-based access lists

Problem: Control an application based on time periods.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#time-range NOSURF

Router1(config-time-range)# periodic weekdays

Router1(config-time-range)#exit

Router1(config)#ip access-list extended NOSURFING

Router1(config-ext-nacl)# deny   tcp any any eq www time-range NOSURF

Router1(config-ext-nacl)# permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip access-group NOSURFING in

Router1(config-if)#end

Router1#

Notes: A time range can contain multiple periodic statements.

19.14. Filtering non-contiguous ports

Problem: Configure an efficient filter for non-contiguous ports.

Solution

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21

Router2(config-ext-nacl)#end

Router2#

Notes: For contiguous ports you can normally use a command such as permit tcp any any range 20 25, whereas non-contiguous ports used to require several commands such as permit tcp any host 172.25.100.100 eq 80; starting with 12.3(7)T, the configuration shown in the example above can be used to simplify this.

19.15. Editing access lists

Problem: Edit an access list in place.

Solution

Insert an entry into an existing access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY   

Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20

Router2(config-ext-nacl)#end

Router2#

Resequence the access list entries:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list resequence OREILLY 10 10

Router2(config)#end

Router2#

Delete a specific access list entry:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#no 60

Router2(config-ext-nacl)#end

Router2#

Notes: Starting with 12.3(2)T, the router supports sequence numbers for access list entries, incrementing by 10 by default, which makes editing an access list easy:

Router2#show ip access-lists OREILLY

Extended IP access list OREILLY

10 permit tcp any host 172.25.100.100 eq www

20 permit tcp any host 172.25.100.100 eq telnet

30 permit tcp any host 172.25.100.100 eq smtp

40 permit tcp any host 172.25.100.100 eq pop3

50 permit tcp any host 172.25.100.100 eq cmd

19.16. Filtering IPv6

Problem: Filter IPv6 packets.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ipv6 access-list EXAMPLES

Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any

Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any

Router1(config-ipv6-acl)#permit tcp any any eq telnet established

Router1(config-ipv6-acl)#deny tcp any any eq telnet syn

Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp

Router1(config-ipv6-acl)#remark this is a comment

Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number

Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT

Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log

Router1(config-ipv6-acl)#deny ipv6 any any log-input

Router1(config-ipv6-acl)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 traffic-filter EXAMPLES in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: IPv6 filtering can only use named access lists, and so inherits all the advantages of named access lists.

Extended access lists based on MAC addresses

Switch(config)#mac access-list extended MAC10
#Define a MAC address access control list and name it MAC10 (reprinted from net130)
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
#Allow the host with MAC address 0009.6bc4.d4bf to reach any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
#Allow any host to reach the host with MAC address 0009.6bc4.d4bf
Switch(config)#interface Fa0/20
#Enter configuration mode for the specific port
Switch(config-if)#mac access-group MAC10 in
#Apply the access list named MAC10 (the policy defined above) inbound on this port
Switch(config)#no mac access-list extended MAC10
#Remove the access list named MAC10
This feature is much the same as application 1, but here the MAC address access-list restriction is applied per port, which lets you limit specific ranges of source and destination MAC addresses.
Note:
The above works on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run the Enhanced Image software.

MAC-based access control lists explained

Creating Named MAC Extended ACLs

Step 1  configure terminal
        Enter global configuration mode.

Step 2  mac access-list extended name
        Define an extended MAC access list using a name.

Step 3  {deny | permit}
        {any | host source MAC address | source MAC address mask}
        {any | host destination MAC address | destination MAC address mask}
        [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv |
         diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
         mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535]
        [cos cos]

Step 4  end
        Return to privileged EXEC mode.

Step 5  show access-lists [number | name]
        Show the access list configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any

ACL configuration case

Configuration:

   access-list 100 deny ip host 150.4.y.1 any                              ! deny traffic from the external host
   access-list 100 permit ip any any
   access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 150.4.y.1 eq 23   ! allow internal Telnet traffic
   access-list 101 deny ip any host 150.4.y.1                              ! deny other IP traffic to the host
   access-list 101 permit ip any any                                       ! allow all other traffic

   ip inspect name cisco telnet timeout 1800

int e0/1
   ip access-group out
   ip access-group in
   ip inspect cisco in                     ! inspect outgoing traffic and allow the return traffic
ip inspect audit-trail                     ! enable the audit trail
logging buffered                           ! enable the log buffer
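This case only works because `ip inspect` admits return traffic that the static ACL 100 would otherwise drop. The Python below is an added example (mine, not Cisco's or the post's code) that models the two ACLs plus the session table that inspection maintains. 150.4.1.1 is a constructed stand-in for the page's 150.4.y.1, and the direction assignment (ACL 101 inbound, ACL 100 outbound on e0/1) is my assumption, since the page omits the access-group numbers.

```python
import ipaddress

EXT_HOST = "150.4.1.1"          # constructed stand-in for the page's 150.4.y.1


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# Entries as (action, protocol, source, destination, destination port);
# first match wins and an unmatched packet is denied, as on IOS.
ACL_100 = [("deny", "ip", EXT_HOST + "/32", "any", None),
           ("permit", "ip", "any", "any", None)]
ACL_101 = [("permit", "tcp", "10.10.0.0/16", EXT_HOST + "/32", 23),
           ("deny", "ip", "any", EXT_HOST + "/32", None),
           ("permit", "ip", "any", "any", None)]


def acl_verdict(acl, proto, src, dst, dport):
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (_in(src, s) and _in(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


class InspectedInterface:
    """Models e0/1 with ACL 101 inbound, ACL 100 outbound and 'ip inspect cisco in'
    (assumed direction assignment; the page omits the access-group numbers)."""

    def __init__(self, inspected_ports=(23,)):      # 'ip inspect name cisco telnet'
        self.ports = set(inspected_ports)
        self.sessions = set()       # (src, sport, dst, dport) of inspected flows

    def inbound(self, proto, src, sport, dst, dport):
        verdict = acl_verdict(ACL_101, proto, src, dst, dport)
        if verdict == "permit" and proto == "tcp" and dport in self.ports:
            self.sessions.add((src, sport, dst, dport))   # inspection opens a return hole
        return verdict

    def outbound(self, proto, src, sport, dst, dport):
        # Return traffic of an inspected session is admitted before ACL 100 is consulted
        if proto == "tcp" and (dst, dport, src, sport) in self.sessions:
            return "permit (inspect)"
        return acl_verdict(ACL_100, proto, src, dst, dport)

    def close(self, src, sport, dst, dport):
        # Session removed on teardown or after the 1800 s idle timeout configured above
        self.sessions.discard((src, sport, dst, dport))


if __name__ == "__main__":
    e0_1 = InspectedInterface()
    print(e0_1.inbound("tcp", "10.10.1.5", 40000, EXT_HOST, 23))      # permit
    print(e0_1.outbound("tcp", EXT_HOST, 23, "10.10.1.5", 40000))     # permit (inspect)
    print(e0_1.outbound("tcp", EXT_HOST, 23, "10.10.1.6", 40000))     # deny
```

What the model shows: the Telnet reply to the inside host that opened the session passes even though ACL 100 denies everything sourced from 150.4.y.1, while the same packet aimed at a host with no session is dropped, and once the session is closed the static deny applies again. Traffic to other destinations is permitted by the `permit ip any any` entries in both directions, so inspection only matters for the host that ACL 100 singles out.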

H3C: ACL control of users accessing the switch via SNMP

Configuration example

1. Network requirements

Only SNMP users from 10.110.100.52 and 10.110.100.46 are allowed to access the switch.

2. Network diagram

Figure 3-3: ACL control of SNMP users on the Switch

3. Configuration steps

# Define a basic ACL and its rules.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000 match-order config

[H3C-acl-basic-2000] rule 1 permit source 10.110.100.52 0

[H3C-acl-basic-2000] rule 2 permit source 10.110.100.46 0

[H3C-acl-basic-2000] rule 3 deny source any

[H3C-acl-basic-2000] quit

# Apply the ACL.

[H3C] snmp-agent community read H3C acl 2000

[H3C] snmp-agent group v3 H3Cgroup acl 2000

[H3C] snmp-agent usm-user v3 H3Cuser H3Cgroup acl 2000

H3C: configuring ACL control for SSH/Telnet users

Configuring ACL control for Telnet/SSH users: by applying ACL control to Telnet or SSH users, malicious or illegitimate connection requests can be filtered out before the login user reaches password authentication, which protects the device.

    4.2.1 Prerequisites

    Telnet or SSH login to the switch has been correctly configured.

    4.2.2 Configuration procedure

    By default, inbound and outbound calls on user interfaces are not restricted.

    ACL control for Telnet or SSH users can only reference ACLs identified by number.

    When Telnet or SSH users reference a basic or advanced ACL, inbound/outbound calls are restricted by source IP or destination IP address. Therefore, in basic and advanced ACL rules, only the source IP and its mask, the destination IP and its mask, and the time-range parameter take effect. Similarly, when Telnet and SSH users reference a Layer 2 ACL, inbound/outbound calls are restricted by source MAC address, so in Layer 2 ACL rules only the source MAC and its mask and the time-range parameter take effect.

    When Telnet or SSH users are controlled by a Layer 2 ACL, only inbound calls can be restricted.

    For every user denied login by the ACL, one login-failure log entry is recorded. The log contains the user's IP address, the login method, the index of the user interface logged into, and the reason for the failure.

    4.2.3 Layer 2 ACL control configuration example

    1. Network requirements

    Only Telnet users with source MAC addresses 00e0-fc01-0101 and 00e0-fc01-0303 are allowed to access the switch.

    2. Network diagram

    3. Configuration steps

    # Define a Layer 2 ACL.

    [h3c] system-view

    system view: return to user view with ctrl+z.

    [h3c] acl number 4000 match-order config

    # Define the rules.

    [h3c-acl-link-4000] rule 1 permit ingress 00e0-fc01-0101 0000-0000-0000

    [h3c-acl-link-4000] rule 2 permit ingress 00e0-fc01-0303 0000-0000-0000

    [h3c-acl-link-4000] rule 3 deny ingress any

    [h3c-acl-link-4000] quit

    # Enter user-interface view.

    [h3c] user-interface vty 0 4

    # Apply the Layer 2 ACL to restrict inbound calls on the user interface.

    [h3c-user-interface-vty0-4] acl 4000 inbound

    4.2.4 Basic ACL control configuration example

    1. Network requirements

    Only Telnet users from 10.110.100.52 and 10.110.100.46 are allowed to access the switch.

    2. Network diagram

    3. Configuration steps

    # Define a basic ACL.

    [h3c] system-view

    system view: return to user view with ctrl+z.

    [h3c] acl number 2000 match-order config

    # Define the rules.

    [h3c-acl-basic-2000] rule 1 permit source 10.110.100.52 0

    [h3c-acl-basic-2000] rule 2 permit source 10.110.100.46 0

    [h3c-acl-basic-2000] rule 3 deny source any

    [h3c-acl-basic-2000] quit

    # Enter user-interface view.

    [h3c] user-interface vty 0 4

    # Apply the ACL.

    [h3c-user-interface-vty0-4] acl 2000 inbound
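The SNMP example and the basic-ACL Telnet example above both rely on ACL 2000 being a strict allowlist: two host permits followed by an explicit `deny source any`. As an added example (mine, not H3C's code), the Python below parses rules in the page's `rule N permit|deny source A W` form, evaluates them in configuration order as `match-order config` does, and audits the list as a management-plane allowlist: a final explicit deny, permits limited to single hosts, every expected source permitted, and no unexpected source permitted. The rule text is constructed from the page's ACL 2000 and the function names are this example's own.

```python
import ipaddress
import re

# Basic-ACL rule syntax used on this page: 'rule N permit|deny source A W'
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?$")

# Constructed sample: ACL 2000 from the examples above, in configuration order
ACL_2000 = """
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
rule 3 deny source any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Returns [(number, action, network)] in the order the rules were configured."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        num, action, src, wild = m.groups()
        if src == "any":
            net = ANY
        else:
            # Wildcard mask: 0 bits must match, 1 bits are 'don't care'; '0' = one host
            wild_int = 0 if wild in (None, "0") else int(ipaddress.ip_address(wild))
            if (wild_int + 1) & wild_int:            # must be a run of low-order ones
                raise ValueError(f"rule {num}: non-contiguous wildcard {wild}")
            net = ipaddress.ip_network(f"{src}/{32 - wild_int.bit_length()}", strict=False)
        rules.append((int(num), action, net))
    return rules


def verdict(rules, addr):
    """match-order config: the first rule in configuration order that matches wins."""
    a = ipaddress.ip_address(addr)
    for _, action, net in rules:
        if a in net:
            return action
    return None                                       # no rule matched


def audit_allowlist(text, allowed, probes):
    """Findings for a management-plane ACL; an empty list means it matches the allowlist."""
    rules = parse_rules(text)
    findings = []
    if rules[-1][1:] != ("deny", ANY):
        findings.append("last rule is not an explicit 'deny source any'")
    for num, action, net in rules:
        if action == "permit" and net.num_addresses > 1:
            findings.append(f"rule {num} permits more than one host: {net}")
    for ip in allowed:
        if verdict(rules, ip) != "permit":
            findings.append(f"allowlisted {ip} is not permitted")
    for ip in probes:
        if ip not in allowed and verdict(rules, ip) == "permit":
            findings.append(f"unexpected permit for {ip}")
    return findings


if __name__ == "__main__":
    print(audit_allowlist(ACL_2000, ["10.110.100.52", "10.110.100.46"], ["10.110.100.53"]))   # []
```

Run against a list that replaces the two host rules with `permit source 10.110.100.0 0.0.0.255`, or that omits the final deny, the audit reports the widened permit and the missing explicit deny, which are the two ways such a list silently stops being an allowlist when it is edited later.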
