Communication between information points, and between the internal and external networks, are indispensable business needs of an enterprise network, but to ensure the security of the internal network it is necessary to pass through (courseware)

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Identify the key functions and special processing of IP access lists
- Configure standard IP access lists
- Control virtual terminal access with access-class
- Configure extended IP access lists
- Verify and monitor IP access lists

Why Use Access Lists?
- Manage IP traffic as network access grows
- Filter packets as they pass through the router (for example, between the Internet and the internal network)

Access List Applications
- Permit or deny packets moving through the router (transmission of packets on an interface)
- Permit or deny vty access to or from the router (virtual terminal line access, IP)
- Without access lists, all packets could be transmitted onto all parts of your network

Other Access List Uses
- Queue list: priority and custom queuing
- Dial-on-demand routing: special handling for traffic based on packet tests
- Route filtering: controlling which routes enter the routing table

What Are Access Lists?
- Standard: checks the source address; generally permits or denies an entire protocol suite
- Extended: checks source and destination address; generally permits or denies specific protocols
Access list processes test each packet (incoming packet on E0, outgoing packet on S0): Permit? Tests can cover source and destination, protocol, and can be applied inbound or outbound.

Outbound Access Lists (processing flow)
A packet arrives on an inbound interface (E0):
- Routing table entry? N: packet goes to the discard bucket and the sender is notified. Y: choose the outbound interface (S0).
- Access list on the outbound interface? N: send the packet out the interface. Y: test the access list statements.
- Permit? Y: send the packet out the interface. N: discard the packet and notify the sender.
If no access list statement matches, then discard the packet.

A List of Tests: Deny or Permit (packets to the interface(s) in the access group)
- Match first test? Y: deny (packet discard bucket) or permit (destination interface(s)).
- N: Match next test(s)? Y: deny or permit as above.
- N: Match last test? Y: deny or permit as above.
- N: Implicit deny. If no match, deny all.

Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Step 2: Enable an interface to use the specified access list
Router(config-if)# {protocol} access-group access-list-number {in | out}
IP access lists are numbered 1-99 or 100-199.

How to Identify Access Lists
Number Range / Identifier          | Access List Type
IP:
  1-99, 1300-1999                  | Standard
  100-199, 2000-2699               | Extended
  Name (Cisco IOS 11.2 and later)  | Named
IPX:
  800-899                          | Standard
  900-999                          | Extended
  1000-1099                        | SAP filters
  Name (Cisco IOS 11.2.F and later)| Named
- Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
- Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
- Other access list number ranges test conditions for other networking protocols

Testing Packets with Standard Access Lists
Frame header (for example, HDLC) | Packet (IP header): Source Address | Segment (for example, TCP header) | Data
Use access list statements 1-99; the source address decides Deny or Permit.

Wildcard Bits: How to Check the Corresponding Address Bits
- 0 means check the corresponding address bit value
- 1 means ignore the value of the corresponding address bit
Octet bit position and address value for bit: 128 64 32 16 8 4 2 1
Examples:
- 00000000 = check all address bits (match all)
- 00001111 = ignore the last 4 address bits
- 00111111 = ignore the last 6 address bits
- 11111100 = check the last 2 address bits
- 11111111 = do not check the address (ignore all bits in the octet)

Wildcard Bits to Match a Specific IP Host Address
An IP host address, for example: 9
Wildcard mask: (checks all bits)
Test conditions: check all the address bits (match all)
Example: 9 checks all the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 9).

Wildcard Bits to Match IP Subnets
Check for IP subnets /24 to /24 (network.host)
Address and wildcard mask: 55
Third octet: 00010000, wildcard mask: 00001111 |<----match---->|<-----don't care----->|
00010000 = 16
00010001 = 17
00010010 = 18
:        :
00011111 = 31

© 1999, Cisco Systems, Inc.

Configuring Standard IP Access Lists
Standard IP Access List Configuration
Router(config)# access-list access-list-number {permit | deny} source [mask]
- Sets parameters for this list entry
- IP standard access lists use 1 to 99
- Default wildcard mask =
- "no access-list access-list-number" removes the entire access list
Router(config-if)# ip access-group access-list-number {in | out}
- Activates the list on an interface
- Sets inbound or outbound testing
- Default = Outbound
- "no ip access-group access-list-number" removes the access list from the interface

Standard IP Access List Example 1: Permit my network only
(Topology diagram: router interfaces E0, S0, E1)
access-list 1 permit 55
(implicit deny all - not visible in the list)
(access-list 1 deny 55)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out

Standard IP Access List Example 2: Deny a specific host
(Topology diagram: router interfaces E0, S0, E1)
access-list 1 deny 3
access-list 1 permit 55
(implicit deny all)
(access-list 1 deny 55)
interface ethernet 0
ip access-group 1 out

Standard IP Access List Example 3: Deny a specific subnet
(Topology diagram: router interfaces E0, S0, E1)
access-list 1 deny 55
access-list 1 permit any
(implicit deny all)
(access-list 1 deny 55)
interface ethernet 0
ip access-group 1 out

Control vty Access With Access Class
Filter Virtual Terminal (vty) Access to a Router
- Five virtual terminal lines (0 through 4)
- Filter addresses that can access into the router's vty ports
- Filter vty access out from the router
(Virtual ports vty 0 through 4; physical port e0 (Telnet); console port (direct connect))

How to Control vty Access
- Set up an IP address filter with a standard access list statement
- Use line configuration mode to filter access with the access-class command
- Set identical restrictions on all vtys

Virtual Terminal Line Commands
Router(config)# line vty {vty# | vty-range}
- Enters configuration mode for a vty or vty range
Router(config-line)# access-class access-list-number {in | out}
- Restricts incoming or outgoing vty connections for addresses in the access list

Virtual Terminal Access Example: Controlling Inbound Access
access-list 12 permit 55
!
line vty 0 4
access-class 12 in
Permits only hosts in the network to connect to the router's vtys.

Configuring Extended IP Access Lists
Standard versus Extended Access List
Standard:
- Filters based on source
- Permit or deny the entire TCP/IP protocol suite
- Range is 1 through 99
Extended:
- Filters based on source and destination
- Specifies a specific IP protocol and port number
- Range is 100 through 199

Extended IP Access List Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
- Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number {in | out}
- Activates the extended list on an interface

Extended Access List Example 1: Deny FTP from subnet to subnet out of E0; permit all other traffic
(Topology diagram: router interfaces E0, S0, E1)
access-list 101 deny tcp 55 55 eq 21
access-list 101 deny tcp 55 55 eq 20
access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 55 55)
interface ethernet 0
ip access-group 101 out

Extended Access List Example 2: Deny only Telnet from subnet out of E0; permit all other traffic
(Topology diagram: router interfaces E0, S0, E1)
access-list 101 deny tcp 55 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
ip access-group 101 out

Using Named IP Access Lists
Router(config)# ip access-list {standard | extended} name
Router(config{std-|ext-}nacl)# {permit | deny} {ip access list test conditions}
Router(config{std-|ext-}nacl)# no {permit | deny} {ip access list test conditions}
Router(config-if)# ip access-group name {in | out}
- Feature for Cisco IOS Release 11.2 or later
- Alphanumeric name string must be unique
- Permit or deny statements have no prepended number
- "no" removes the specific test from the named access list
- ip access-group activates the IP named access list on an interface

Access List Configuration Principles
- Order of access list statements is crucial
  - Recommended: use a text editor on a TFTP server, or use a PC to cut and paste
- Top-down processing
  - Place more specific test statements first
- No reordering or removal of statements
  - Use the no access-list number command to remove the entire access list
  - Exception: named access lists permit removal of individual statements
- Implicit deny all
  - Unless the access list ends with an explicit permit any

Where to Place IP Access Lists
- Place extended access lists close to the source
- Place standard access lists close to the destination
(Topology diagram: routers A, B, C, D with interfaces E0, E1, S0, S1, To0; recommended placement is at router D)

Verifying Access Lists
wg_ro_a# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 1/24
  Broadcast address is 55
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is ena
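The deck explains wildcard-mask matching, top-down first-match evaluation with the implicit deny, and the "place more specific tests first" rule in prose only. The following Python model is an added example, not part of the Cisco course material: it implements the wildcard check bit by bit, evaluates a list of standard or extended entries the way the flow diagrams describe, and flags entries that can never fire because an earlier entry already covers them. All addresses, wildcard masks and the two sample lists are constructed for this example (the deck's own addresses did not survive extraction); the Packet/Rule classes and function names are this example's own, not IOS syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'check this bit',
    a 1 bit means 'ignore it'. addr matches when every checked bit equals base."""
    check = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & check) == (_to_int(base) & check)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a (base, wildcard) pair matches (contiguous masks)."""
    check = ~_to_int(wildcard) & MASK32
    low = _to_int(base) & check
    high = low | _to_int(wildcard)
    return str(IPv4Address(low)), str(IPv4Address(high))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One access-list entry; the defaults mean 'any' for both addresses."""
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol, like "permit ip any any"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # the "eq <port>" applied to the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. No match -> the implicit deny all (index None)."""
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def _covers(a_base: str, a_wc: str, b_base: str, b_wc: str) -> bool:
    """True if every address matching (b_base, b_wc) also matches (a_base, a_wc)."""
    a_check = ~_to_int(a_wc) & MASK32
    b_check = ~_to_int(b_wc) & MASK32
    subset = (a_check & ~b_check & MASK32) == 0    # a checks no bit that b leaves free
    agree = (_to_int(a_base) & a_check) == (_to_int(b_base) & a_check)
    return subset and agree


def covers(a: Rule, b: Rule) -> bool:
    """True if entry a matches every packet entry b would match."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and _covers(a.src, a.src_wc, b.src, b.src_wc)
            and _covers(a.dst, a.dst_wc, b.dst, b.dst_wc))


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of entries that can never fire because an earlier entry covers them:
    the deck's 'place more specific test statements first' rule, checked mechanically."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed sample lists (addresses made up for this example, not from the deck).
STANDARD_ACL_1 = [
    Rule("deny", src="172.16.4.13", src_wc="0.0.0.0"),       # deny a specific host
    Rule("permit", src="172.16.0.0", src_wc="0.0.255.255"),  # permit my network only
]
EXTENDED_ACL_101 = [
    Rule("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", dport=21),
    Rule("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", dport=20),
    Rule("permit", "ip"),                                    # explicit permit ip any any
]

if __name__ == "__main__":
    print(wildcard_range("172.30.16.0", "0.0.15.255"))
    print(evaluate(STANDARD_ACL_1, Packet("172.16.4.13", "10.0.0.1")))
    print(evaluate(EXTENDED_ACL_101, Packet("172.16.4.5", "172.16.3.7", "tcp", 21)))
    print(shadowed(list(reversed(STANDARD_ACL_1))))
```

Reversing STANDARD_ACL_1 puts the network-wide permit ahead of the host deny, and shadowed() reports the deny as unreachable: the host would be permitted by the first entry and the second entry never tested, which is exactly the ordering mistake the "top-down processing" principle warns about. A packet from outside the permitted network hits no entry and returns ("deny", None), the implicit deny that is not visible in the list.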
