Access Control Lists (ACL)
Overview of access control lists
Read the Layer 3 and Layer 4 header information of a packet
Filter packets according to predefined rules
How access control lists work
Direction in which an ACL is applied on an interface
Outbound: packets that have already been processed by the router and are leaving the router interface
Inbound: packets that have arrived at the router interface and are about to be processed by the router
ACL processing procedure
When a packet passes through an interface on which an ACL is enabled, the router checks the packet against the ACL and acts accordingly: if the packet matches a permit rule it is forwarded; if it matches a deny rule it is dropped; if it matches neither, the next rule is evaluated.
ACL types
Basic ACL (2000-2999): matches only the source IP address
Advanced ACL (3000-3999): can match Layer 3 and Layer 4 fields such as source IP, destination IP, source port and destination port
Layer 2 ACL (4000-4999): rules based on Layer 2 information such as source MAC address, destination MAC address, 802.1Q priority and Layer 2 protocol type
ACL placement principles:
Place basic ACLs as close to the destination as possible
Place advanced ACLs as close to the source as possible (this saves bandwidth and other resources)
ACL application rules
Only one ACL can be applied in a given direction on an interface
An ACL can contain multiple rules; they are evaluated in ascending rule-number order, top to bottom, and evaluation stops at the first match
ACL example
1. Only PC1 may access the 192.168.2.0/24 network
2. The 192.168.1.0/24 network is forbidden from pinging the web server
3. Only Client1 may access the WWW service on the web server
AR1 configuration
The device is running!
########################
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.3.254 24
[R1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.2.254 24
[R1-GigabitEthernet0/0/2]undo shutdown
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[R1-GigabitEthernet0/0/2]q
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.1 0
[R1-acl-basic-2000]rule deny
[R1-acl-basic-2000]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0
[R1-acl-adv-3000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R1]acl 3000
[R1-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
[R1-acl-adv-3000]rule deny tcp source any
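The first-match evaluation described under "ACL processing procedure" and "ACL application rules", applied to the exact ACL 2000 and ACL 3000 rules configured on R1 above. This is an added Python model, not router code: packets are constructed dicts, wildcard masks follow the Huawei convention (0 bits must match), and a packet matching no rule is assumed to be permitted, which is the traffic-filter default on Huawei VRP.

```python
from ipaddress import IPv4Address

def _i(a):
    return int(IPv4Address(a))

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard: 0 bits must match, 1 bits are don't-care ("x 0" = exact host)."""
    return ((_i(addr) ^ _i(base)) & (~_i(wildcard) & 0xFFFFFFFF)) == 0

ANY = ("0.0.0.0", "255.255.255.255")

def rule(action, proto=None, src=ANY, dst=ANY, dport=None):
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport)

# acl 2000: rule permit source 192.168.1.1 0 / rule deny
ACL_2000 = [rule("permit", src=("192.168.1.1", "0.0.0.0")), rule("deny")]
# acl 3000 in the order entered on R1 (rule numbers 5, 10, 15 with the default step)
ACL_3000 = [
    rule("deny", "icmp", ("192.168.1.0", "0.0.0.255"), ("192.168.3.1", "0.0.0.0")),
    rule("permit", "tcp", ("192.168.1.3", "0.0.0.0"), ("192.168.3.1", "0.0.0.0"), 80),
    rule("deny", "tcp"),                      # rule deny tcp source any
]

def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])

def filter_packet(acl, pkt):
    """Top to bottom, first match wins; no match -> permit (assumed VRP default)."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return "permit"

def forward(pkt):
    """ACL 3000 inbound on g0/0/0, then ACL 2000 outbound on g0/0/2 for 192.168.2.0/24."""
    if filter_packet(ACL_3000, pkt) == "deny":
        return "deny"
    if wildcard_match(pkt["dst"], "192.168.2.0", "0.0.0.255"):
        return filter_packet(ACL_2000, pkt)
    return "permit"

if __name__ == "__main__":
    # constructed sample packets: PC1 and PC2 pinging 192.168.2.1
    for src in ("192.168.1.1", "192.168.1.2"):
        print(src, forward(dict(src=src, dst="192.168.2.1", proto="icmp")))
```

Because rule 15 of ACL 3000 denies all TCP from any source and is checked inbound before ACL 2000 is ever consulted, PC1's TCP traffic to 192.168.2.0/24 is also dropped; only ICMP from PC1 reaches that network.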
Result of PC1 accessing 192.168.2.0/24
Welcome to use PC Simulator!
PC>ping 192.168.2.1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.1: bytes=32 seq=2 ttl=127 time=31 ms
From 192.168.2.1: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.2.1: bytes=32 seq=4 ttl=127 time=46 ms
From 192.168.2.1: bytes=32 seq=5 ttl=127 time=16 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/31/46 ms
192.168.1.0/24 network pinging the web server
PC>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Result of allowing only Client1 to access the WWW service on the web server
NAT (Network Address Translation)
Used to enable access between private and public networks
A public network address is an IP address that is globally unique on the Internet.
A private network address is the IP address of an internal network or host.
How NAT works
NAT translates an internal address and port number into a valid public address and port number, establishes a session, and uses it to communicate with the public-network host.
NAT functions
1. Broadband sharing: the most important function of a NAT host
2. Protection: when a PC behind NAT connects to the Internet, the address it exposes is the NAT host's public IP, which hides and protects the computers inside the network and helps prevent outside intrusion.
Advantages: saves valid public IP addresses, handles address overlap, increases flexibility and security.
Disadvantages: increased latency, configuration and maintenance complexity, no support for some applications (such as VPN)
Static NAT
Static NAT performs one-to-one translation between private and public addresses: as many public addresses must be configured as there are private addresses. Static NAT does not save public addresses, but it does hide the internal network.
Static NAT is declared directly on the interface with nat static; configuration and test:
The device is running!
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.0.0.254 24
[R1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat static global 8.8.8.8 inside 192.168.1.0
[R1-GigabitEthernet0/0/1]q
[R1]dis nat static
Static Nat Information:
Interface : GigabitEthernet0/0/1
Global IP/Port : 8.8.8.8/----
Inside IP/Port : 192.168.1.0/----
Protocol : ----
VPN instance-name : ----
Acl number : ----
Netmask : 255.255.255.255
Description : ----
Total : 1
Connectivity test
PC1 to the external network
PC>ping 12.0.0.1
Ping 12.0.0.1: 32 data bytes, Press Ctrl_C to break
From 12.0.0.1: bytes=32 seq=1 ttl=254 time=62 ms
From 12.0.0.1: bytes=32 seq=2 ttl=254 time=47 ms
From 12.0.0.1: bytes=32 seq=3 ttl=254 time=47 ms
From 12.0.0.1: bytes=32 seq=4 ttl=254 time=31 ms
From 12.0.0.1: bytes=32 seq=5 ttl=254 time=31 ms
--- 12.0.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/43/62 ms
PC2 to the external network
PC>ping 12.0.0.1
Ping 12.0.0.1: 32 data bytes, Press Ctrl_C to break
From 12.0.0.1: bytes=32 seq=1 ttl=254 time=62 ms
From 12.0.0.1: bytes=32 seq=2 ttl=254 time=47 ms
From 12.0.0.1: bytes=32 seq=3 ttl=254 time=47 ms
From 12.0.0.1: bytes=32 seq=4 ttl=254 time=46 ms
From 12.0.0.1: bytes=32 seq=5 ttl=254 time=32 ms
--- 12.0.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/46/62 ms
Dynamic NAT
Multiple private IP addresses map to multiple public IP addresses, one-to-one from an address pool
Dynamic NAT configuration
The device is running!
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.0.0.254 24
[R1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]nat address-group 1 12.0.0.100 12.0.0.200
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 12.0.0.254 255.255.255.0
nat outbound 2000 address-group 1 no-pat
#
return
PAT (port multiplexing)
PAT, also called NAPT, maps one public address to multiple private addresses and therefore saves public addresses. The basic principle of PAT is that packets from different private addresses have their source IP translated to the same public address but to different port numbers of that address, so they can still share the same address.
What PAT does
1. Changes the IP address and port number of packets
2. Saves a large number of public IP addresses
PAT types
1. Dynamic PAT, including NAPT and Easy IP
2. Static PAT, including NAT Server
NAPT
Multiple private IP addresses map to a fixed external IP address
NAPT configuration
The device is running!
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.0.0.254 24
[R1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]nat address-group 1 12.0.0.100 12.0.0.200
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
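A session-table model of the two nat outbound forms configured above: dynamic NAT with no-pat (one pool address per private host, port untouched, pool can run out) and NAPT (one public address shared through translated ports). Added Python example, not Huawei's implementation; the ACL 2000 match, pool 12.0.0.100-12.0.0.200 and address 192.168.1.x hosts come from the page, while the starting NAPT port 10240 and the use of only the first pool address for NAPT are constructed simplifications.

```python
from ipaddress import IPv4Address

def _i(a):
    return int(IPv4Address(a))

class NatOutbound:
    """Models 'nat outbound 2000 address-group 1 [no-pat]' on g0/0/1."""
    def __init__(self, pool_first, pool_last, no_pat):
        self.pool = [str(IPv4Address(n)) for n in range(_i(pool_first), _i(pool_last) + 1)]
        self.no_pat = no_pat
        self.host_map = {}      # no-pat only: private ip -> pool address (1:1)
        self.sessions = {}      # (private ip, port) -> (global ip, port)
        self.next_port = 10240  # constructed start of the NAPT port range

    @staticmethod
    def permitted(src):
        # acl 2000: rule permit source 192.168.1.0 0.0.0.255 (Huawei wildcard mask)
        return ((_i(src) ^ _i("192.168.1.0")) & (~_i("0.0.0.255") & 0xFFFFFFFF)) == 0

    def translate(self, src, sport):
        """(global ip, global port) for an outbound flow, or None when the source
        is not permitted by the ACL or the no-pat pool is exhausted."""
        if not self.permitted(src):
            return None
        key = (src, sport)
        if key not in self.sessions:
            if self.no_pat:                         # dynamic NAT: address only
                pub = self.host_map.get(src)
                if pub is None:
                    free = [p for p in self.pool if p not in self.host_map.values()]
                    if not free:
                        return None                 # one address per host: pool empty
                    pub = self.host_map[src] = free[0]
                self.sessions[key] = (pub, sport)   # source port is preserved
            else:                                   # NAPT: one address, fresh port
                self.sessions[key] = (self.pool[0], self.next_port)
                self.next_port += 1
        return self.sessions[key]

    def untranslate(self, gip, gport):
        """Reverse lookup for a returning packet; None if no session exists."""
        for priv, glob in self.sessions.items():
            if glob == (gip, gport):
                return priv
        return None

if __name__ == "__main__":
    napt = NatOutbound("12.0.0.100", "12.0.0.200", no_pat=False)
    print(napt.translate("192.168.1.1", 1025), napt.translate("192.168.1.2", 1025))
```

Run with a two-address pool in no-pat mode, the third inside host gets no translation at all, which is exactly the address consumption NAPT avoids.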