© 2007 Cisco Systems, Inc. All rights reserved. ICND2 v1.0—6-1 Access Control Lists Module 7


Access Control Lists

Module 7

Why Use ACLs?

- Filtering: manage the IP packets that pass through the router.
- Classification: identify particular kinds of traffic.

ACL Applications: Filtering

- Permit or deny packets passing through the router.
- Permit or deny the establishment of Telnet sessions.
- With no access list configured, all packets are forwarded across the network.

ACL Applications

Special handling of traffic based on packet tests.

Outbound ACL Operation

If no ACL statement matches, the packet is discarded.

A List of Tests: Deny or Permit

[Flowchart: packets to the interface(s) in the access group are compared with the first test, then the next test(s), then the last test. On a match the packet is either permitted, and forwarded to the destination interface(s), or denied, and sent to the packet discard bucket. If no test matches, the implicit deny at the end of the list ("if no match, deny all") discards the packet.]

Types of ACLs

Standard ACL
– Checks the source address.
– Generally permits or denies the entire protocol suite.

Extended ACL
– Checks the source and destination addresses.
– Generally permits or denies a specific protocol or application.

Two ways to configure access control lists:
– Numbered access lists.
– Named access lists.

How to Identify ACLs

Standard IP access lists (1–99) check the source address of IP packets. Expanded range (1300–1999).

Extended IP access lists (100–199) check the source and destination addresses, the specific TCP/IP protocol, and the destination port. Expanded range (2000–2699).

ACL Configuration Guidelines

- The access list number indicates which protocol the access list filters.
- Only one access list is allowed per interface, per direction, per protocol.
- The order of the access list statements determines the order in which traffic is tested.
- The most restrictive statements should be placed at the top of the access list.
- Every access list ends with an implicit statement: deny any. Every valid access list should therefore contain at least one permit statement.
- Create the ACL first, then apply it to an interface in the inbound or outbound direction.
- An ACL can filter traffic passing through the router or destined to the router, but it cannot filter traffic that the router itself originates.
- Where to apply access control lists:
– Place extended ACLs close to the source.
– Place standard ACLs close to the destination.

Reflexive ACLs

Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.

Time-Based ACLs

Time-based ACLs: Allow for access control based on the time of day and week.

Dynamic ACLs

Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Wildcard Bits: How to Check the Corresponding Address Bits

0 means to match the value of the corresponding address bit.
1 means to ignore the value of the corresponding address bit.

Wildcard Bits to Match IP Subnets

Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

Address and wildcard mask: 172.30.16.0 0.0.15.255

Wildcard Bit Mask Abbreviations

172.30.16.29 0.0.0.0 matches all of the address bits.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

0.0.0.0 255.255.255.255 ignores all address bits.
Abbreviate this expression with the keyword any.
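To make the wildcard arithmetic of the preceding slides concrete, here is an added Python example (my code, not part of the Cisco material). It derives the address/wildcard pair for an aligned run of subnets such as 172.30.16.0/24 through 172.30.31.0/24, converts a contiguous wildcard back to CIDR, expands it to the /24s it covers, and produces the host/any abbreviations; the function names are my own.

```python
import ipaddress

def wildcard_for_block(first_subnet, last_subnet):
    """Derive 'address wildcard' covering an aligned, power-of-two run of subnets.

    Returns dotted strings, e.g. 172.30.16.0/24 .. 172.30.31.0/24 -> ("172.30.16.0", "0.0.15.255").
    """
    lo = int(ipaddress.ip_network(first_subnet).network_address)
    hi = int(ipaddress.ip_network(last_subnet).broadcast_address)
    span = hi - lo + 1
    # A single wildcard mask can only express a block whose size is a power of two and
    # whose start is aligned to that size; any other range needs several statements.
    if span & (span - 1) or lo % span:
        raise ValueError("range is not a single aligned power-of-two block")
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(span - 1))

def as_cidr(address, wildcard):
    """CIDR block equal to 'address wildcard', or None when the wildcard bits are not a
    contiguous low-order run (e.g. 0.0.1.0 matches every other /24 and has no CIDR form)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        return None
    prefix = 33 - (w + 1).bit_length()      # number of "must match" (0) bits
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))

def covered_subnets(address, wildcard, prefixlen=24):
    """List the /prefixlen subnets that a contiguous-wildcard statement matches."""
    block = as_cidr(address, wildcard)
    if block is None:
        raise ValueError("non-contiguous wildcard; enumerate by testing addresses instead")
    return [str(s) for s in ipaddress.ip_network(block).subnets(new_prefix=prefixlen)]

def abbreviate(address, wildcard):
    """IOS shorthand: wildcard 0.0.0.0 -> 'host A', 255.255.255.255 -> 'any', else unchanged."""
    if wildcard == "0.0.0.0":
        return f"host {address}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{address} {wildcard}"
```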

Testing Packets with Numbered Standard IPv4 ACLs

Numbered Standard IPv4 ACL Configuration

RouterX(config)# access-list access-list-number {permit | deny | remark} source [mask]

- access-list-number ranges from 1 to 99.
- The first ACL entry configured is numbered 10; each following entry increments by 10.
- The default wildcard mask is 0.0.0.0 (standard ACL only).
- no access-list access-list-number removes the ACL.
- remark is used to describe the access list.

RouterX(config-if)# ip access-group access-list-number {in | out}

- Applies the ACL to the interface.
- Select the inbound or the outbound direction.
- no ip access-group access-list-number {in | out} removes the ACL from the interface.

Numbered Standard IPv4 ACL Example 1: Permit my network only

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out

Numbered Standard IPv4 ACL Example 2: Deny a specific host

RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Numbered Standard IPv4 ACL Example 3: Deny a specific subnet

RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Standard ACLs to Control vty Access

RouterX(config-line)# access-class access-list-number {in | out}
Applies the access list to the vty lines in the given direction.

Example: permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty lines.

access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Testing Packets with Numbered Extended IPv4 ACLs

Numbered Extended IPv4 ACL Configuration

RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
• Sets the access list parameters.

RouterX(config-if)# ip access-group access-list-number {in | out}
• Applies the access list to an interface.

Numbered Extended IPv4 ACL Example 1

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0. Permit all other traffic.

Numbered Extended IPv4 ACL Example 2

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny only Telnet traffic from subnet 172.16.4.0 out E0. Permit all other traffic.
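As an added Python example (my code, not Cisco's), here is a small first-match evaluator for the numbered ACL syntax of these slides. It parses the standard and extended statements used in the examples (any, host, address/wildcard, and only the eq port operator), tests a packet top-down and falls through to the implicit deny, so it can show why statement order and the closing permit matter; parse_ace, evaluate and wildcard_match are names I chose.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Wildcard bit 0 = address bit must match, 1 = ignore it (the inverse of a subnet mask).
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0
def _addr(t, wildcard_required):
    # One address spec: 'any', 'host A', 'A W', or (standard ACL only) a bare 'A'.
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if wildcard_required or (len(t) > 1 and t[1].count(".") == 3):
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]          # default wildcard of a standard ACL
def _port(t):
    # Optional 'eq <port>' operator, the only operator these slides use.
    return (int(t[1]), t[2:]) if t[:1] == ["eq"] else (None, t)
def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' statement; remarks yield None."""
    t = line.split()
    num, action = int(t[1]), t[2]
    if action == "remark":
        return None
    r = {"action": action, "proto": "ip", "sport": None, "dport": None}
    if num <= 99 or 1300 <= num <= 1999:     # standard list: source address only
        r["src"], _ = _addr(t[3:], False)
        r["dst"] = ("0.0.0.0", "255.255.255.255")
    else:                                    # extended list: proto, src [port], dst [port]
        r["proto"] = t[3]
        r["src"], rest = _addr(t[4:], True)
        r["sport"], rest = _port(rest)
        r["dst"], rest = _addr(rest, True)
        r["dport"], _ = _port(rest)
    return r

def evaluate(acl_lines, pkt):
    """Test a packet against the list top-down; the first matching entry decides."""
    for r in filter(None, map(parse_ace, acl_lines)):
        if (r["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])
                and r["sport"] in (None, pkt.get("sport")) and r["dport"] in (None, pkt.get("dport"))):
            return r["action"]
    return "deny"                            # the implicit 'deny any' that ends every list

# Constructed sample: Example 1 above (deny FTP from 172.16.4.0/24 to 172.16.3.0/24, permit the rest).
ACL_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "access-list 101 permit ip any any"]
```

Reversing ACL_101 makes evaluate() permit the FTP packet, which is the ordering mistake the guidelines slide warns about; a list with only deny lines drops everything because of the implicit deny.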

Named IP ACL Configuration

RouterX(config)# ip access-list {standard | extended} name
- Creates a named ACL. The alphanumeric name string must be unique.

RouterX(config {std- | ext-}nacl)# [sequence-number] {permit | deny} {ip access list test conditions}
- If not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10.
- no sequence-number removes the specific test from the named ACL.

RouterX(config-if)# ip access-group name {in | out}
- Activates the named IP ACL on an interface.

Named Standard IPv4 ACL Example: Deny a specific host

RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out

Named Extended IPv4 ACL Example: Deny Telnet from a specific subnet

RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out

Commenting ACL Statements

RouterX(config)# access-list access-list-number remark remark
- Creates a numbered ACL comment.

Or

RouterX(config)# ip access-list {standard|extended} name
- Creates a named ACL.

RouterX(config {std- | ext-}nacl)# remark remark
- Creates a named ACL comment.

Monitoring ACL Statements

RouterX# show access-lists {access-list number|name}
- Displays all access lists.

RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

Verifying ACLs

RouterX# show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  <text omitted>
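The two verification commands above are easiest to act on when their output is parsed rather than read. This added Python example (mine, not Cisco's) parses constructed samples in the `show access-lists` and `show ip interface` formats shown on these slides and reports ACLs that are defined but applied nowhere, and entries that have never matched; parse_access_lists, parse_applied and audit are my names.

```python
import re

# Constructed sample output in the formats the two slides above show.
SHOW_ACCESS_LISTS = """\
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
"""
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Outgoing access list is not set
  Inbound access list is ENG
"""
LIST_HDR = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY = re.compile(r"^\s+(\d+) (permit|deny)\s+(.*?)(?: \((\d+) matches\))?$")
APPLIED = re.compile(r"^\s+(Outgoing|Inbound) access list is (.+)$")

def parse_access_lists(text):
    """{name: [(seq, action, condition, matches)]}; IOS omits the counter when it is zero."""
    lists, current = {}, None
    for line in text.splitlines():
        if m := LIST_HDR.match(line):
            current = lists.setdefault(m.group(2), [])
        elif (m := ENTRY.match(line)) and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4) or 0)))
    return lists

def parse_applied(text):
    """{(interface, direction): acl} for every interface block that names an ACL."""
    applied, iface = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and " is " in line:
            iface = line.split()[0]          # e.g. "Ethernet0 is up, line protocol is up"
        elif (m := APPLIED.match(line)) and m.group(2) != "not set":
            applied[(iface, m.group(1).lower())] = m.group(2)
    return applied

def audit(acl_text, intf_text):
    """Flag lists defined but not applied, and entries that have never matched."""
    lists, applied = parse_access_lists(acl_text), parse_applied(intf_text)
    findings = []
    for name, entries in lists.items():
        if name not in applied.values():
            findings.append(f"ACL {name} is defined but not applied to any interface")
        findings += [f"ACL {name} entry {seq} ({action} {cond}) has 0 matches"
                     for seq, action, cond, hits in entries if hits == 0]
    return findings
```

A zero counter is a prompt to investigate, not proof that an entry is dead: counters are reset by `clear access-list counters`, and some platforms do not count hardware-switched traffic.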

Troubleshooting Common ACL Errors

Error 1: Host 10.1.1.1 has no connectivity with 10.100.100.1.

Error 2: The 192.168.1.0 network cannot use TFTP to connect to 10.100.100.1.

Error 3: The 172.16.0.0 network can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.

Error 4: Host 10.1.1.1 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.

[Topology figure for Errors 5 and 6: the hosts are connected through routers A and B.]

Error 5: Host 10.100.100.1 can use Telnet to connect to 10.1.1.1, but this connection should not be allowed.

Error 6: Host 10.1.1.1 can use Telnet to connect into router B, but this connection should not be allowed.

Visual Objective 6-1: Implementing and Troubleshooting ACLs

WG   Router s0/0/0   Router fa0/0   Switch
A    10.140.1.2      10.2.2.3       10.2.2.11
B    10.140.2.2      10.3.3.3       10.3.3.11
C    10.140.3.2      10.4.4.3       10.4.4.11
D    10.140.4.2      10.5.5.3       10.5.5.11
E    10.140.5.2      10.6.6.3       10.6.6.11
F    10.140.6.2      10.7.7.3       10.7.7.11
G    10.140.7.2      10.8.8.3       10.8.8.11
H    10.140.8.2      10.9.9.3       10.9.9.11

Summary

- Standard access control lists control traffic based on the source address.
- Extended access control lists control traffic based on source address, destination address, protocol, and port number.
- Named access control lists allow individual entries to be deleted.
- Use show access-lists and show ip interface to view the ACL configuration.
