使用包过滤技术
在路由器上读取三层及四层报头的信息如源地址、目的地址、源端口、目的端口
根据预先定义好的规则对包进行过滤
三种类型:
1.标准ACL:表号范围1-99或1300-1999.仅对源IP地址进行过滤
2.扩展ACL:表号范围100-199或2000-2699.可以对包括协议类型、源地址、目的地址、源端口、目的端口、TCP连接建立等进行过滤。
3.命名ACL:以名称代替编号,同样包括标准和扩展两种列表。
两个术语:
1.通配符掩码:1表示忽略IP地址中对应的位,0表示该位必须匹配
2.Inbound和Outbound,指明ACL应用于流入数据还是流出数据
0.无访问控制列表
1.标准访问控制列表
2.扩展访问控制列表
3.命名访问控制列表
enable
conf t
no ip do lo
enable pass cisco
line con 0
logg sync
exec-t 0 0
line vty 0 4
pass cisco
logg sync
exit
host
0.无访问控制列表
------------------------------------------------------------------------------------------------
R1:
int f0/0
ip add 12.1.1.1 255.255.255.0
no shut
exit
int l0
ip add 11.1.1.1 255.255.255.0
no shut
exit
int l1
ip add 11.1.2.1 255.255.255.0
no shut
exit
router eigrp 1
no auto-summary
network 12.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
network 11.1.2.0 0.0.0.255
exit
R2:
int f0/0
ip add 12.1.1.2 255.255.255.0
no shut
exit
int f1/0
ip add 23.1.1.2 255.255.255.0
no shut
exit
router eigrp 1
no auto-summary
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
exit
R3:
int f0/0
ip add 23.1.1.3 255.255.255.0
no shut
exit
int l0
ip add 33.1.1.1 255.255.255.0
no shut
exit
router eigrp 1
no auto-summary
network 23.1.1.0 0.0.0.255
network 33.1.1.0 0.0.0.255
exit
R1:
end
ping 33.1.1.1 source 11.1.2.1
conf t
1.标准Access List
---------------------------------------------------------------------------------------
R2:
access-list 10 deny 11.1.2.0 0.0.0.255
access-list 10 permit any
int f1/0
ip access-group 10 out
exit
R3:
access-list 11 permit 11.1.1.1
line vty 0 4
access-class 11 in
exit
R2:
end
telnet 33.1.1.1
conf t
R1:
end
telnet 33.1.1.1
telnet 33.1.1.1 /source-int l0
2.扩展Access List
------------------------------------------------------------------------------------------
R2:
access-list 100 deny icmp host 11.1.1.1 any echo
access-list 100 deny icmp host 11.1.1.1 any echo-reply
access-list 100 permit tcp host 11.1.1.1 any eq telnet
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
end
show access-lists
conf t
int f0/0
ip access-group 100 in
exit
R1:
end
ping 12.1.1.2 source 11.1.1.1
telnet 12.1.1.2 /source-int l0
conf t
3.命名Access List
-----------------------------------------------------------------------------------
R2:
ip access-list standard yeslab
deny 11.1.2.0 0.0.0.255
permit any
exit
int f1/0
ip access-group yeslab out
exit
R3:
ip access-list standard yeslab
permit 11.1.1.1
exit
line vty 0 4
access-class yeslab in
exit
R2:
ip access-list extended yeslab1
deny icmp host 11.1.1.1 any echo
deny icmp host 11.1.1.1 any echo-reply
permit tcp host 11.1.1.1 any eq telnet
deny tcp any any eq telnet
permit ip any any
exit
int f0/0
ip access-group yeslab1 in
exit