zoukankan      html  css  js  c++  java

  • ACL访问控制列表

    ACL主要功能

    • 流量控制

    • 匹配感兴趣流量

    • 是路由器和交换机接口的指令列表,用来控制接口进出的数据包

    • 这张表包含里匹配关系,条件和查询条件,表只是一个框架结构,其目的是为了对某种访问进行控制。

    ACL分类

    • 1-99和1300-1999:标准IP ACL。基于源ip地址过滤

    • 100-199和2000-2699:扩展IP ACL.

      基于源,目的IP地址;源,目的TCP/UDP端口号

    • AppleTalk:600-699

    • IPX:800-899

    配置ACL的3个原则

    1,基于每种协议配置一个ACL(per protocol)

    2,基于每个方向配置一个ACL(per direction)

    3,基于每个接口配置一个ACL(per interface)

    ACL工作种类:

    入站ACL:在路由器的入接口就挂上ACL。由于没经过路由器,效率高。

    出战ACL:无条件进入到路由器,路由器处理完后,到了出接口,在出接口挂上ACL.

    ACL工作原理:

    ACL表项的匹配顺序是从上到下,只要匹配到任意一个表项,后面的表项就不去匹配了,直接执行并退出。

    ACL实验1

    在R1的入站接口f0/0上挂ACL,只让R2可以ping通1.1.1.1,R3和R4ping不通1.1.1.1

    R2,R3,R3虽然是PC图标,但实际是路由器。但是会把它们的路由功能关闭,并指定网关(在全局模式指定网关),路由器默认是不需要指定网关的,因为路由条目里的下一跳就相当于网关了。

    关闭路由功能的命令:在全局模式下no ip routing

    指定网关的命令:在全局模式下ip default-gateway 192.168.1.1

    R1配置:

    使用扩展ACL
    R1(config)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
#使用扩展ACL
R1(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
  
#由于ping使用的协议是icmp,所以选择icmp,后面接源地址
R1(config)#access-list 100 permit icmp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

    access-list 100 permit icmp ?后面可以是单个主机,也可以是个网段,也可以是所有(any)

    • 单个主机的写法:access-list 100 permit icmp host xxx.xxx.xxx.xxx。不需要写反掩码。
    • 网段的写法:access-list 100 permit icmp xxx.xxx.xxx.xxx 反掩码。

    icmp协议里,不止ping一个报文,所以要精确到ping的话,必须指定出哪个代表ping,echo代表ping的request

    R1(config)#access-list 100 permit icmp host 192.168.1.10 host 1.1.1.1 ?
  <0-255>                      ICMP message type
  administratively-prohibited  Administratively prohibited
  alternate-address            Alternate address
  conversion-error             Datagram conversion
  dod-host-prohibited          Host prohibited
  dod-net-prohibited           Net prohibited
  dscp                         Match packets with given dscp value
  echo                         Echo (ping)
  echo-reply                   Echo reply
  fragments                    Check non-initial fragments
  general-parameter-problem    Parameter problem
  host-isolated                Host isolated
  host-precedence-unreachable  Host unreachable for precedence
  host-redirect                Host redirect
  host-tos-redirect            Host redirect for TOS
  host-tos-unreachable         Host unreachable for TOS
  host-unknown                 Host unknown
  host-unreachable             Host unreachable
  information-reply            Information replies
  information-request          Information requests
  log                          Log matches against this entry
R1(config)#access-list 100 permit icmp host 192.168.1.10 host 1.1.1.1 echo
R1(config)#access-list 100 deny icmp any host 1.1.1.1 echo

    192.168.1.10是源ip;1.1.1.1是目的ip

    access-list 100 permit icmp host 192.168.1.10 host 1.1.1.1 echo:允许192.168.1.1的pc能ping通1.1.1.1

    access-list 100 deny icmp any host 1.1.1.1 echo:不允许任何pc能ping通1.1.1.1

    到此为止,指定了协议,但还没有指定接口和方向

    把刚才的定义的ACL表项挂到R1的f0/0上,并指明是入方向:

    R1(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets

R1(config-if)#ip access-group 100 in

    到此,ACL才生效,我们实验一下,分别从R2,R3,R4ping1.1.1.1。结果是符合预期的。

    R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/72 ms

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

    但是,从R2,3,4ping192.168.1.1确ping不通了,这是为什么?

    • 查询ACL表项:

      R1#show access-lists
Extended IP access list 100
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (15 matches)
    20 deny icmp any host 1.1.1.1 echo (30 matches)

      发现当ping192.168.1.1时,ACL表项里的2个表项都不能匹配此次ping,所以就走到了最后面的隐藏语句。隐藏语句让所用源不能访问任何地方,所以导致不能ping通192.168.1.1

      解决思路:就是在到达最后的隐藏表项之前,让一个表项能够匹配上,所以就在每个ACL表里的最后添加一条表项:access-list 100 per ip any any

      R1(config)#access-list 100 permit ip any any
R1#show access-lists
Extended IP access list 100
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (30 matches)
    20 deny icmp any host 1.1.1.1 echo (60 matches)
    30 permit ip any any (45 matches)

      加上这条表项后,就永远不会走到隐藏表项了,所以R2,3,4就能ping通192.168.1.1了。

    使用标准ACL

    一条就搞定了。因为标准不支持协议,也不支持目的ip,只支持源ip

    access-list 1 permit host 192.168.1.10

    R2配置:关闭路由功能,并指定网关

    R2(config)#int f0/0
R2(config-if)#ip add 192.168.1.10 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#no ip routing
R2(config)#ip default-gateway 192.168.1.1

    R3配置:关闭路由功能,并指定网关

    R3(config)#int f0/0
R3(config-if)#ip add 192.168.1.20 255.255.255.0
R3(config-if)#no sh
R3(config-if)#exit
R3(config)#no ip routi
R3(config)#no ip routing
R3(config)#ip def
R3(config)#ip default-g
R3(config)#ip default-gateway 192.168.1.1

    R4配置:关闭路由功能,并指定网关

    R4(config)#int f0/0
R4(config-if)#ip add 192.168.1.30 255.255.255.0
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#no ip routing
R4(config)#ip default-gateway 192.168.1.1

    删除/添加ACl表里的某个表项

    默认编号是10,20...。这样做的目的是,当你想在10和20间添加条目时,可以不改变后面的编号,直接添加一个11或19等,很方便。

    R1(config)#ip access-list ?
  扩展ACL:extended    Extended Access List 
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  标准ACL:standard    Standard Access List
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#do show ip access-list
Extended IP access list 100
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (30 matches)
    20 deny icmp any host 1.1.1.1 echo (60 matches)
    30 permit ip any any (45 matches)
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#do show ip access-list
Extended IP access list 100
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (30 matches)
    30 permit ip any any (45 matches
R1(config-ext-nacl)#20 deny icmp any host 1.1.1.1 echo
R1(config-ext-nacl)#do show ip access-list
Extended IP access list 100
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (30 matches)
    20 deny icmp any host 1.1.1.1 echo
    30 permit ip any any (45 matches)
R1(config-ext-nacl)#5 permit icmp host 192.168.1.10 host 1.1.1.1
R1(config-ext-nacl)#do show ip access-list
Extended IP access list 100
    5 permit icmp host 192.168.1.10 host 1.1.1.1
    10 permit icmp host 192.168.1.10 host 1.1.1.1 echo (30 matches)
    20 deny icmp any host 1.1.1.1 echo
    30 permit ip any any (45 matches)

    删除ACL整张表

    R1(config)#no access-list 100
R1(config)#do show ip access-list

R1(config)#

    实验2

    R1:设置让别的路由器能够实验telnet协议登录到我自己。

    R1(config)#line vty 0 4
R1(config-line)#password 123
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable password 123

    R2:登录到R1

    R2#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Password:
R1>
R1>enable
Password:
R1#
R1#exit

[Connection to 1.1.1.1 closed by foreign host]
R2#

    R1:添加ACL表项

    eq是跟在ip后面的端口号,源ip后面可以有,目的后面也可以有。23是telenet协议的端口号。

    R1(config-ext-nacl)#5 permit tcp host 192.168.1.10 host 1.1.1.1 eq
R1(config-ext-nacl)#5 permit tcp host 192.168.1.10 host 1.1.1.1 eq 23
R1(config-ext-nacl)#8 deny tcp any host 1.1.1.1 eq 23
R1(config-ext-nacl)#10 permit ip any any
R1(config-ext-nacl)#do show access-list
Extended IP access list 100
    5 permit tcp host 192.168.1.10 host 1.1.1.1 eq telnet
    8 deny tcp any host 1.1.1.1 eq telnet
    10 permit ip any any

    实验R2,R3,R4能否telnet上R1,发现只有R2可以telnet上1.1.1.1,当R2,3能telnet上192.1.1.1。但都能ping通1.1.1.1

    R2#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Password:
R1>enable
R1>enable
Password:
R1#exit

[Connection to 1.1.1.1 closed by foreign host]
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!

R3#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down

R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!

R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/68 ms
R4#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down
    # c/c++ 学习互助QQ群:877684253 ![](https://img2018.cnblogs.com/blog/1414315/201811/1414315-20181106214320230-961379709.jpg) # 本人微信:xiaoshitou5854
  • 相关阅读:
    mysql 函数在源码中的定义
    mydumper工作原理 :myownstars专家
    drop table big_table 调试
    debugfs恢复文件
    Linux内核里的DebugFS
    在Linux环境中使用Ext3文件系统
    strace
    通过blktrace, debugfs分析磁盘IO
    block_dump观察Linux IO写入的具体文件(mysqld)
    Centos下的IO监控与分析
  • 原文地址:https://www.cnblogs.com/xiaoshiwang/p/12195447.html
Copyright © 2011-2022 走看看