Computer Networks (ACL Policies)

        ACL -- Access Control List
A network device with an ACL configured matches the traffic passing through it against pre-defined packet-matching rules and applies the configured action to the traffic that matches.

Functions of an ACL:
1. Access control: on the interface where traffic enters or leaves the router, match the traffic and then carry out the configured action.
 -- permit (allow), deny (reject)
2. Capturing traffic of interest: the ACL is combined with another service; the ACL matches the relevant traffic and the other service acts on the matched traffic (e.g. traffic control -- ACL together with QoS, quality of service).

ACL matching rules:
    Rules are checked one by one from top to bottom; on the first match the corresponding action is taken and no further rules are checked (first match wins).

On Cisco devices: an implicit "deny all" rule sits at the end of every ACL.
On Huawei devices: an implicit "permit all" rule sits at the end of every ACL.

ACL types:
Basic ACL: looks only at the packet's source IP (only "who you are").
Advanced ACL: besides the source IP, also looks at the packet's destination IP, protocol and port numbers (not only "who you are", but also "where you are going and what you are doing").

Layer 2 ACL
User-defined ACL

[R2]acl ?
  INTEGER<2000-2999>  Basic access-list(add to current using rules)
  INTEGER<3000-3999>  Advanced access-list(add to current using rules)
  INTEGER<4000-4999>  Specify a L2 acl group
  ipv6                ACL IPv6 
  name                Specify a named ACL
  number              Specify a numbered ACL
//2000-2999: basic ACL
//3000-3999: advanced ACL
//4000-4999: Layer 2 ACL

——————————————— Start of configuration ————————————————————————

 

      For PC1 to reach PC3, traffic has to pass through four interfaces: R1's G0/0/0 and G0/0/1, and R2's G0/0/0 and G0/0/1.

eg1: PC1 must not be able to ping the 2.0 subnet. Place the ACL checkpoint on R2's G0/0/0, in the outbound direction, and deny PC1's IP address.

Step 1: create the ACL policy

[R2-acl-basic-2000]rule  deny   source   192.168.1.3  0.0.0.0  
[R2-acl-basic-2000]rule permit  source  any 
//An ACL is evaluated from top to bottom
//That is: if the first rule blocks PC1 and the second rule permits PC1, only the block on PC1 is applied!!!

 View the ACL: (by default Huawei assigns rule numbers automatically in steps of 5, which leaves room to insert rules in between)

[R2-acl-basic-2000]rule  7 deny source   192.168.1.2 0.0.0.0
[R2-acl-basic-2000]q
[R2]display acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5
 rule 5 deny source 192.168.1.3 0 
 rule 7 deny source 192.168.1.2 0 
 rule 10 permit 
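The matching behaviour described above (top-down, first match wins, implicit final rule that differs between Cisco and Huawei) and the step-5 numbering shown in the display output can be replayed in a small model. The following is an added example written for this page, not VRP code or output from the device: the class and function names are mine, the wildcard semantics (a 1 bit means "don't care") and the numbering rule (next multiple of the step above the highest existing rule) are assumptions about how the device behaves that agree with the output above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model (not VRP code) of a basic ACL: source-IP-only rules,
# automatic rule numbering in steps, first-match evaluation and the
# vendor-specific implicit final rule described above.

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'. 0.0.0.0 = exact host,
    0.0.0.255 = any host in the /24 (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ r) & ~w == 0

@dataclass
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    source: Optional[str] = None    # None means "source any"
    wildcard: str = "0.0.0.0"

@dataclass
class BasicAcl:
    number: int
    vendor: str = "huawei"          # decides the implicit last rule
    step: int = 5                   # "Acl's step is 5" in the display output
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, source: Optional[str] = None,
                 wildcard: str = "0.0.0.0", number: Optional[int] = None) -> int:
        """Model of 'rule [n] permit|deny source ...'. Without an explicit n,
        the next multiple of the step above the highest existing number is used,
        so the gaps (6..9, 11..14) stay free for later insertions (assumption)."""
        if number is None:
            highest = max((r.number for r in self.rules), default=0)
            number = (highest // self.step + 1) * self.step
        if any(r.number == number for r in self.rules):
            raise ValueError(f"rule {number} already exists")
        self.rules.append(Rule(number, action, source, wildcard))
        self.rules.sort(key=lambda r: r.number)   # match order follows rule numbers
        return number

    def display(self) -> List[str]:
        """Roughly what 'display acl <n>' prints for each rule."""
        lines = []
        for r in self.rules:
            src = "" if r.source is None else f" source {r.source} {r.wildcard}"
            lines.append(f"rule {r.number} {r.action}{src}")
        return lines

    def evaluate(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; otherwise the implicit final rule applies:
        permit on Huawei, deny on Cisco. Returns (action, matching rule number)."""
        for r in self.rules:
            if r.source is None or wildcard_match(src_ip, r.source, r.wildcard):
                return r.action, r.number
        return ("permit" if self.vendor == "huawei" else "deny"), None

def build_eg1_acl() -> BasicAcl:
    """Replays the three commands of eg1 in the order the page enters them."""
    acl = BasicAcl(2000)
    acl.add_rule("deny", "192.168.1.3")             # becomes rule 5
    acl.add_rule("permit")                          # becomes rule 10
    acl.add_rule("deny", "192.168.1.2", number=7)   # explicit insert between 5 and 10
    return acl

def implicit_rule_demo(vendor: str) -> str:
    """Same single deny rule, different vendor: shows why a Cisco-style ACL
    needs an explicit permit while a Huawei one does not."""
    acl = BasicAcl(2001, vendor=vendor)
    acl.add_rule("deny", "192.168.1.3")
    return acl.evaluate("192.168.1.100")[0]

if __name__ == "__main__":
    acl = build_eg1_acl()
    print("\n".join(acl.display()))
    for ip in ("192.168.1.3", "192.168.1.2", "192.168.1.4"):
        print(ip, acl.evaluate(ip))
    print("huawei:", implicit_rule_demo("huawei"), "cisco:", implicit_rule_demo("cisco"))
```

The `implicit_rule_demo` function is the point a practitioner should keep in mind when moving between vendors: the very same rule list that only blocks one host on a Huawei device blocks everything on a Cisco device, because the unwritten last rule differs.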

Step 2: apply the ACL on the interface

[R2-GigabitEthernet0/0/0]traffic-filter  out	
[R2-GigabitEthernet0/0/0]traffic-filter  outbound   acl  2000
//There are two directions in which an ACL can be applied, outbound and inbound (outbound = traffic leaving the interface, inbound = traffic entering it)

!!! Only one ACL can be applied per direction on an interface !!! (one outbound, one inbound)

 Now use PC1 to ping R2's interface address and PC3's address

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=254 time=62 ms
From 192.168.2.1: bytes=32 seq=2 ttl=254 time=32 ms
From 192.168.2.1: bytes=32 seq=3 ttl=254 time=46 ms
From 192.168.2.1: bytes=32 seq=4 ttl=254 time=32 ms
From 192.168.2.1: bytes=32 seq=5 ttl=254 time=47 ms

--- 192.168.2.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 32/43/62 ms

PC>ping 192.168.2.3

Ping 192.168.2.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.3 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

eg2: Requirement: PC1 can ping PC3, but cannot ping PC4

Analysis: this time the exact addresses of the hosts are given

[R1]acl name lxb ?
  INTEGER<2000-2999>  Basic access-list(add to current using rules)
  INTEGER<3000-3999>  Advanced access-list(add to current using rules)
  INTEGER<4000-4999>  Specify a L2 acl group
  advance             Advanced acl
  basic               Basic acl
  link                Link acl
  match-order         Set ACL's match order
  <cr>                Please press ENTER to execute command 
[R1]acl name lxb 3000
[R1-acl-adv-lxb]rule  deny  ?
  <1-255>  Protocol number
  gre      GRE tunneling(47)
  icmp     Internet Control Message Protocol(1)
  igmp     Internet Group Management Protocol(2)
  ip       Any IP protocol
  ipinip   IP in IP tunneling(4)
  ospf     OSPF routing protocol(89)
  tcp      Transmission Control Protocol (6)
  udp      User Datagram Protocol (17)
//This step is to decide which protocol to deny (ping packets are ICMP)
[R1-acl-adv-lxb]rule  deny  icmp  s	
[R1-acl-adv-lxb]rule  deny  icmp  source  192.168.1.2  0.0.0.0  d	
[R1-acl-adv-lxb]rule  deny  icmp  source  192.168.1.2  0.0.0.0  destination 192.168.2.2 0.0.0.0 
//The advanced ACL rule needs both the source and the destination!!!
[R1-acl-adv-lxb]q
[R1]int  g0/0/0
[R1-GigabitEthernet0/0/0]t	
[R1-GigabitEthernet0/0/0]tracert
[R1-GigabitEthernet0/0/0]traffic-filter in	
[R1-GigabitEthernet0/0/0]traffic-filter inbound  acl	
[R1-GigabitEthernet0/0/0]traffic-filter inbound  acl  name	
[R1-GigabitEthernet0/0/0]traffic-filter inbound  acl  name  lxb 

Now PC1 tries to ping PC3

PC>ping  192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping  192.168.2.3

Ping 192.168.2.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.3: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.2.3: bytes=32 seq=3 ttl=126 time=78 ms
From 192.168.2.3: bytes=32 seq=4 ttl=126 time=79 ms
From 192.168.2.3: bytes=32 seq=5 ttl=126 time=62 ms

--- 192.168.2.3 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/74/79 ms

Success

eg3: PC1 can ping R2, but cannot telnet to R2

telnet -- remote login protocol
   In-band management -- managing and controlling the device over the network
                Managing the device via telnet/SSH
                Managing the device via the web interface (192.168.1.1)
                Managing the device via SNMP
    Out-of-band management -- managing the device without going through the network
                Management via the console port
                Management via the AUX port
Two prerequisites for telnet remote login:
    1. The logging-in device and the target device must be reachable over the network
    2. The target device must have the telnet service enabled

telnet -- a typical client/server (C/S) protocol -- TCP port 23
    The logging-in device acts as the telnet client, the target device acts as the telnet server
How to enable the telnet service on a router:
    1. Enter the aaa service -- the service dedicated to storing and managing accounts
    2. Create the username and password used for login

//Telnet configuration on R2 (a username and password are created; when another device logs in to this device, it gets privilege level 15)
[R2]aaa
[R2-aaa]loc	
[R2-aaa]local-user   lxb  pr	
[R2-aaa]local-user   lxb  privilege   l	
[R2-aaa]local-user   lxb  privilege   level   15 p	
[R2-aaa]local-user   lxb  privilege   level   15 password    c	
[R2-aaa]local-user   lxb  privilege   level   15 password    cipher  123456
Info: Add a new user.
[R2-aaa]l	
[R2-aaa]local-user   lxb  s	
[R2-aaa]local-user   lxb  service-type  t	
[R2-aaa]local-user   lxb  service-type  telnet 
[R2-aaa]q
[R2]use	
[R2]user-interface  vt	
//Select 5 VTY lines (vty 0 4), then choose aaa authentication mode
[R2]user-interface  vty   0 4
[R2-ui-vty0-4]au	
[R2-ui-vty0-4]authentication-mode  aaa

//On R1's interface, configure a rule so that R2's interfaces (e.g. G0/0/0 and G0/0/1) cannot be logged into
[R1]acl 3000
[R1-acl-adv-3000]ru	
[R1-acl-adv-3000]rule   de	
[R1-acl-adv-3000]rule   deny   tcp	
[R1-acl-adv-3000]rule   deny   tcp  s	
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 d	
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 destination-port
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 dscp
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 destination  192.168.3.2 0.0.0.0  d	
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 destination  192.168.3.2 0.0.0.0  destination-port  ?
  eq     Equal to given port number
  gt     Greater than given port number
  lt     Less than given port number
  range  Between two port numbers
//Here the port operator is chosen (eq = equal to, gt = greater than, lt = less than, range = between two ports)
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 destination  192.168.3.2 0.0.0.0  destination-port  eq ?
  <0-65535>  Port number
  CHARgen    Character generator (19)
  bgp        Border Gateway Protocol (179)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  ftp-data   FTP data connections (20)
  gopher     Gopher (70)
  hostname   NIC hostname server (101)
  irc        Internet Relay Chat (194)
  klogin     Kerberos login (543)
  kshell     Kerberos shell (544)
  login      Login (rlogin, 513)
  lpd        Printer service (515)
  nntp       Network News Transport Protocol (119)
  pop2       Post Office Protocol v2 (109)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  sunrpc     Sun Remote Procedure Call (111)
  tacacs     TAC Access Control System (49)
  talk       Talk (517)
  telnet     Telnet (23)
//Check the port list; telnet is port 23
[R1-acl-adv-3000]rule   deny   tcp  source  192.168.1.2  0.0.0.0 destination  192.168.3.2 0.0.0.0  destination-port  eq 23
//The block is now in place
[R1-acl-adv-3000]q
[R1]int	
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]t	
[R1-GigabitEthernet0/0/1]traffic-filter  in	
[R1-GigabitEthernet0/0/1]traffic-filter  inbound   acl	
[R1-GigabitEthernet0/0/1]traffic-filter  inbound   acl   3000

Now ping still succeeds, but telnet cannot get through

//Blocked telnet attempt (to R2's 192.168.3.2 interface):

<PC1>telnet 192.168.3.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.3.2 ...

//This attempt does not succeed: the session stays at "Trying" and never connects. The successful telnet, to R2's other address, follows.

<PC1>
<PC1>tel	
<PC1>telnet   192.168.2.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.2 ...
  Connected to 192.168.2.2 ...

Login authentication


Username:lxb
Password:
<R2>q
//Telnet succeeds: the connection is established, the username and password are entered, and the privilege level configured on R2 earlier is granted
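The two advanced ACLs of eg2 and eg3 can be replayed the same way. The following is an added example written for this page, not VRP code or device output: the class names, the `Packet` model and the `PORT_OPS` table are mine; the protocol names and the eq/gt/lt/range operators are the ones listed by the `?` help output above. The `eg3_results` function also reproduces the outcome of the two telnet attempts: the rule names R2's 192.168.3.2 address only, so a telnet to R2's 192.168.2.2 address never matches it and is permitted by the implicit Huawei tail rule, which is exactly what the successful login above shows. A filter that names one destination address does not cover the device's other addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model (not VRP code) of an advanced ACL: rules match on protocol,
# source, destination and a destination-port operator, as in eg2 and eg3.

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; 0.0.0.0 matches exactly one host."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ r) & ~w == 0

# Destination-port operators offered by 'destination-port ?' on the page.
PORT_OPS = {
    "eq": lambda p, n: p == n,
    "gt": lambda p, n: p > n,
    "lt": lambda p, n: p < n,
    "range": lambda p, lo, hi: lo <= p <= hi,
}

@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", "udp"
    src: str
    dst: str
    dport: Optional[int] = None     # ICMP carries no port

@dataclass
class AdvRule:
    number: int
    action: str                     # "permit" / "deny"
    proto: str = "ip"               # "ip" = any IP protocol
    src: Optional[str] = None       # None = any
    src_wc: str = "0.0.0.0"
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    dport: Optional[Tuple] = None   # e.g. ("eq", 23) or ("range", 20, 21)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None:
            if pkt.dport is None:       # a port condition never matches ICMP
                return False
            op, *args = self.dport
            return PORT_OPS[op](pkt.dport, *args)
        return True

def evaluate(rules: List[AdvRule], pkt: Packet,
             implicit: str = "permit") -> Tuple[str, Optional[int]]:
    """First match in rule-number order; 'implicit' is the Huawei permit-all tail."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(pkt):
            return r.action, r.number
    return implicit, None

# eg2: acl name lxb -- block ICMP from PC1 to one host only
ACL_LXB = [AdvRule(5, "deny", "icmp", "192.168.1.2", "0.0.0.0", "192.168.2.2", "0.0.0.0")]

# eg3: acl 3000 -- block telnet (TCP/23) from PC1 to R2's 192.168.3.2 address
ACL_3000 = [AdvRule(5, "deny", "tcp", "192.168.1.2", "0.0.0.0",
                    "192.168.3.2", "0.0.0.0", ("eq", 23))]

PC1 = "192.168.1.2"

def eg2_results() -> dict:
    return {
        "ping 192.168.2.2": evaluate(ACL_LXB, Packet("icmp", PC1, "192.168.2.2"))[0],
        "ping 192.168.2.3": evaluate(ACL_LXB, Packet("icmp", PC1, "192.168.2.3"))[0],
    }

def eg3_results() -> dict:
    return {
        "ping 192.168.3.2": evaluate(ACL_3000, Packet("icmp", PC1, "192.168.3.2"))[0],
        "telnet 192.168.3.2": evaluate(ACL_3000, Packet("tcp", PC1, "192.168.3.2", 23))[0],
        # R2's other address is not named in the rule, so this one is permitted:
        # the same outcome as the successful telnet to 192.168.2.2 on the page
        "telnet 192.168.2.2": evaluate(ACL_3000, Packet("tcp", PC1, "192.168.2.2", 23))[0],
        # any other TCP port to the filtered address is also untouched (SSH is TCP/22)
        "ssh 192.168.3.2": evaluate(ACL_3000, Packet("tcp", PC1, "192.168.3.2", 22))[0],
    }

if __name__ == "__main__":
    print(eg2_results())
    print(eg3_results())
```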


Origin blog.csdn.net/qq_44685426/article/details/121334856