ACL (Access Control List): creating rules, adding entries, deleting entries

① Function: mark traffic for special treatment, and manage IP traffic by filtering the packets that pass through a router.
② Classification:
Standard ACL: checks the source address only; typically permits or denies an entire protocol suite.
Extended ACL: checks both the source and destination addresses; typically permits or denies specific applications and protocols.
Standard and extended ACLs can be identified in two ways:
Numbered ACL: a number identifies the ACL.
Named ACL: a descriptive name or a number identifies the ACL.
A named ACL identifies a standard or extended IP ACL by an alphanumeric string (the name).
In a named ACL a single statement can be deleted without disrupting the order of the whole list; a sequence number can also be written in front of a newly added statement to insert it at a specified position. When no number is written, the statement is appended as the last row by default.

Standard ACL format
R1(config)# access-list access-list-number {remark | permit | deny} source source-wildcard [log]
R1(config)# access-list <list number> <policy> <source address>
List number: standard ACL range 1-99 and 1300-1999.
Policy: permit (allow); deny (reject).
Source address: an IP network segment is written as IP address + wildcard; a single host as host <address>; any address as any.
Description:
① The remark option adds a comment to the access control list and improves its readability.
② Source address field: the any option matches any IP address and is equivalent to 0.0.0.0 255.255.255.255; the host option is equivalent to a wildcard of 0.0.0.0.
③ The optional log parameter generates a log message for each packet that matches the entry and sends it to the console.

Extended ACL format
R1(config)# access-list access-list-number {remark | permit | deny} protocol source [source-wildcard] [operator operand] destination [destination-wildcard] [operator operand] [established] [log]
R1(config)# access-list <list number> <policy> <protocol> <source address> [source port] <destination address> [destination port]
List number: extended ACL range 100-199 and 2000-2699.
Policy: permit (allow); deny (reject).
Protocol: the protocol whose packets are inspected, such as TCP, UDP, ICMP, IP and so on.
Source address: an IP network segment is written as IP address + wildcard; a single host as host <address>; any address as any.
Source port: may be omitted; operators are lt, gt, eq, neq (less than, greater than, equal to, not equal to).
Destination address: an IP network segment is written as IP address + wildcard; a single host as host <address>; any address as any.
Destination port: may be omitted; operators are lt, gt, eq, neq (less than, greater than, equal to, not equal to).
Description: the established option applies to TCP and matches only packets belonging to a connection that has already been established.

1. There is an implicit deny all at the end of every ACL; it is not visible in the list.
2. An ACL is matched from top to bottom.
3. Once a packet matches an entry, the entries below it are not checked.
ACLs can limit network traffic and improve network performance; they are a basic means of network security; on a router port they decide which types of traffic are forwarded or blocked; and they have a wide range of uses, such as route filtering, QoS, NAT, route-map, VTY and so on.
3P principle:
Only one ACL can be configured per protocol (per protocol), per interface (per interface) and per direction (per direction).
One ACL per protocol: to control traffic on an interface, an appropriate ACL must be defined for each protocol enabled on that interface.
One ACL per direction: an ACL controls traffic in only one direction on an interface. To control both inbound and outbound traffic, two ACLs must be defined separately.
One ACL per interface: an ACL controls traffic only on one interface (such as Fast Ethernet F0/0).

Direction: in matches all inbound data; out matches all outbound data.
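As an added illustration (not part of the original post), the following Python evaluator models the matching rules just described: wildcard masks, the any/host shorthand, top-to-bottom first match, and the implicit deny that never appears in the list. It uses the post's own list 1 and list 101 as constructed inputs; only the eq port operator is modelled.

```python
import ipaddress
from collections import namedtuple
ACE = namedtuple("ACE", "action proto src sport dst dport")   # one access control entry
ANY = ("0.0.0.0", "255.255.255.255")                          # 'any' == 0.0.0.0 255.255.255.255

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at token i; 'host' means wildcard 0.0.0.0."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_port(t, i):
    """Consume an optional 'eq PORT' (only eq is modelled; 'telnet' is the name IOS shows)."""
    if i < len(t) and t[i] == "eq":
        return (23 if t[i + 1] == "telnet" else int(t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse one numbered 'access-list' line, standard (1-99, 1300-1999) or extended."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number <= 99 or 1300 <= number <= 1999:       # standard: checks the source only
        return ACE(action, "ip", parse_addr(t, 3)[0], None, ANY, None)
    src, i = parse_addr(t, 4)                        # extended: proto src [eq p] dst [eq p]
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    return ACE(action, t[3], src, sport, dst, parse_port(t, i)[0])

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Match top to bottom, first hit wins; no hit falls through to the invisible implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace.action
    return "deny"

# Constructed inputs taken from the post's Example 3 (list 101) and Example 1 (list 1).
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny tcp 192.160.3.0 0.0.0.255 192.160.4.0 0.0.0.255 eq 23",
    "access-list 101 permit ip any any")]
ACL_1_DENY_ONLY = [parse_ace("access-list 1 deny 192.160.1.2 0.0.0.0")]   # no permit added yet
ACL_1 = ACL_1_DENY_ONLY + [parse_ace("access-list 1 permit any")]
```

With ACL_1_DENY_ONLY every host from 192.160.1.1 is denied by the implicit rule, which is exactly why Example 1 appends permit any.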

Configure the IP addresses according to the network diagram:

First the whole network must be made reachable. Any of the methods covered earlier will do:
1. RIP
2. EIGRP
3. OSPF
4. static routes
A static route is the least work.
R1#
ip route 0.0.0.0 0.0.0.0 fa 0/0   (static route via interface fa 0/0)
or (ip route 0.0.0.0 0.0.0.0 12.1.1.2   default route with next hop 12.1.1.2)
Of course you could also configure a static route for each segment to be reached (192.160.4.0, 5.0, 6.0, 23.1.1.0), but that is more complicated; since there is only one exit, a single default route is enough.
R3#
ip route 0.0.0.0 0.0.0.0 fa 1/0
or (ip route 0.0.0.0 0.0.0.0 23.1.1.2)

         R2#

Router(config)# ip route 192.160.4.0 255.255.255.0 23.1.1.3
To reach the 192.160.4.0 network, route to 23.1.1.3.
Router(config)# ip route 192.160.5.0 255.255.255.0 23.1.1.3
Router(config)# ip route 192.160.6.0 255.255.255.0 23.1.1.3
Router(config)# ip route 192.160.1.0 255.255.255.0 12.1.1.1
Router(config)# ip route 192.160.2.0 255.255.255.0 12.1.1.1
Router(config)# ip route 192.160.3.0 255.255.255.0 12.1.1.1
Now the entire network is reachable.

Example 1: deny a specific host, such as 192.160.1.2
R3#
access-list 1 deny 192.160.1.2 0.0.0.0
(access-list 1 deny host 192.160.1.2)   denies the host 192.160.1.2
access-list 1 permit 0.0.0.0 255.255.255.255
(access-list 1 permit any)   the implicit deny all is not visible in the list, so an entry permitting all other hosts must be added.
interface fa 1/0
ip access-group 1 in
Result: 192.160.1.2 is denied and cannot ping the 4.0, 5.0 and 6.0 segments, while 192.160.1.1 can still communicate.

Example 2: deny a specific subnet, 192.160.2.0
R3#
access-list 1 deny 192.160.2.0 0.0.0.255   (wildcard mask)
access-list 1 permit any
interface fa 1/0
ip access-group 1 in
Result: the 192.160.2.0 segment is denied and cannot ping the 4.0, 5.0 and 6.0 segments, while 192.160.1.1 and others can still connect.
Example 3: deny telnet traffic from the 192.160.3.0 segment to the 192.160.4.0 segment, permit all other traffic
R3#
no access-list 1   (deletes all rules of list 1 above)
access-list 101 deny tcp 192.160.3.0 0.0.0.255 192.160.4.0 0.0.0.255 eq 23
access-list 101 permit ip any any
interface fa 1/0
ip access-group 101 in
Result: the 3.0 segment can no longer reach the telnet service on the 4.0 segment, but can still ping it.
Other segments are unaffected.
Example 4: deny the 192.160.2.0 segment from pinging the 192.160.4.0 segment, permit all other services
access-list 102 deny icmp 192.160.1.0 0.0.0.255 192.160.4.0 0.0.0.255
access-list 102 permit ip any any
interface fa 1/0
ip access-group 102 in
Example 5: deny the 192.160.4.0 segment from accessing external networks, but allow it to access the specific host 192.160.1.2.
R3#
configure terminal
ip access-list extended deny4.0   (creates an extended ACL named deny4.0)
permit ip 192.160.4.0 0.0.0.255 192.160.1.2 0.0.0.0   (allows 4.0 to access 1.2)
deny ip 192.160.4.0 0.0.0.255 any   (denies 4.0 access to everything outside)
permit ip any any   (allows everything else)
interface fa 1/0   (enters the interface)
ip access-group deny4.0 out   (applies deny4.0 to outbound data)
end
show ip access-list   (displays the ACL)

Now the requirements change: 3.1 may ping 4.0 but use no other service; 3.2 may telnet to 4.0 but use no other service; the rest of the 3.0 segment may not access it at all; 1.2 is allowed to telnet to the 4.0 segment but no other service.
R3#
show ip access-list   (displays the ACL)
Router#show ip access-list
Extended IP access list deny4.0
10 permit ip 192.160.4.0 0.0.0.255 host 192.160.1.2 (8 match(es))
20 deny ip 192.160.4.0 0.0.0.255 any (20 match(es))
30 permit ip any any
configure terminal
ip access-list extended deny4.0   (enters the ACL named deny4.0)
no 10   (deletes the entry with sequence number 10)
Router#show ip access-lists
Extended IP access list deny4.0
20 deny ip 192.160.4.0 0.0.0.255 any (187 match(es))
30 permit ip any any (1 match(es))
configure terminal
ip access-list extended deny4.0   (enters the ACL named deny4.0)
5 permit icmp 192.160.4.0 0.0.0.255 host 192.160.3.1   (allows 3.1 to ping the 4.0 segment; sequence number 5)
10 permit tcp 192.160.4.0 0.0.0.255 eq 23 host 192.160.3.2   (allows 3.2 to telnet to the 4.0 segment; sequence number 10)
15 permit tcp 192.160.4.0 0.0.0.255 eq 23 host 192.160.1.2   (allows 1.2 to telnet to the 4.0 segment; sequence number 15)

Router#show access-lists 

Extended IP access list deny4.0
5 permit icmp 192.160.4.0 0.0.0.255 host 192.160.3.1
10 permit tcp 192.160.4.0 0.0.0.255 eq telnet host 192.160.3.2
15 permit tcp 192.160.4.0 0.0.0.255 eq telnet host 192.160.1.2 (2 match(es))
20 deny ip 192.160.4.0 0.0.0.255 any (216 match(es))
30 permit ip any any (1 match(es))
The entries have been re-added to the ACL.

R3#
ip access-list resequence deny4.0 100 20   (renumbers the entries starting at 100 in increments of 20)
Router#show access-lists 

Extended IP access list deny4.0
100 permit icmp 192.160.4.0 0.0.0.255 host 192.160.3.1
120 permit tcp 192.160.4.0 0.0.0.255 eq telnet host 192.160.3.2
140 permit tcp 192.160.4.0 0.0.0.255 eq telnet host 192.160.1.2 (2 match(es))
160 deny ip 192.160.4.0 0.0.0.255 any (216 match(es))
180 permit ip any any (1 match(es))

<< Note on removing ACL entries:
show ip access-lists   displays the ACL table
ip access-list standard (extended) 102   enters standard or extended ACL 102
no 10   deletes entry 10 (the sequence number shown in front of the entry)
no 20   deletes entry 20 (the sequence number shown in front of the entry) >>

Testing the configuration just made shows that it meets the requirements: 3.1 can ping 4.200 but cannot connect remotely; 3.2 and 1.2 can connect remotely to 4.200 but cannot ping; no other configured IP addresses or segments can access the 4.0 segment. The other segments work normally.

Source: blog.51cto.com/14148388/2422762