Access Lists, Chapter 9
Copyright © 1998, Cisco Systems, Inc., ICRC_revision_11.3

Why use access lists?
(Slide figures: networks 172.16.0.0 and 172.17.0.0 connected to the Internet; a packet arriving on S0 at a router attached to the Public Switched Telephone Network, with the question "dial for this traffic?"; an incoming packet on E0 and an outgoing packet on S0 passing through the access list processes, which decide "Permit?".)

What is an access list?
- Standard access list: simple address specification; permits or denies an entire protocol suite.
- Extended access list: more complex address specification; permits or denies specific protocols.
- Optional dialer.

How access lists work
(Flowchart: a packet arrives on the inbound interface. "Routing table entry?" N: the packet goes to the packet discard bucket. Y: choose the outbound interface. On the outbound interface(s) the access list test either forwards the packet or, for an unwanted packet, drops it into the packet discard bucket and notifies the sender.)

Access list tests: deny or permit
(Flowchart: packets to the interface(s) in the access group are compared with each test statement in turn. A match on a permit statement sends the packet to the destination interface(s); a match on a deny statement sends it to the packet discard bucket; N moves on to the next statement. A packet that matches no statement falls through to the implicit deny and is discarded.)

Access list commands
- Step 1: set the access list statement parameters.
- Step 2: apply the specified access list on an interface.

How to identify access lists
The access list number identifies the protocol and the type of list.

  Protocol    Access list type    Number range / identifier
  IP          Standard            1-99
              Extended            100-199
              Named               Cisco IOS 11.2 and later
  IPX         Standard            800-899
              Extended            900-999
              SAP filters         1000-1099
              Named               Cisco IOS 11.2.F and later
  AppleTalk                       600-699

A TCP/IP packet
  Frame header (for example, HDLC) | Packet (IP header) | Segment (for example, TCP header) | Data
Fields an access list can test: source address, destination address, protocol, port number. Use access list statements 1-99 or 100-199 to test the packet.

Key concepts
- Access lists 1 to 99 (standard) test the source address of the IP packet.
- Access lists 100 to 199 (extended) test the source and destination addresses, the specified TCP/IP protocol, and the destination port.
- Each bit of the wildcard mask says how the corresponding address bit is tested: 0 = check, 1 = ignore.

How to use wildcard mask bits
A 0 bit means check the value of the corresponding address bit; a 1 bit means ignore it. Examples for one octet:
  0 0 0 0 0 0 0 0  = check all address bits (match all)
  0 0 1 1 1 1 1 1  = ignore the last 6 address bits
  0 0 0 0 1 1 1 1  = ignore the last 4 address bits
  1 1 1 1 1 1 0 0  = check the last 2 address bits
  1 1 1 1 1 1 1 1  = do not check the address (ignore all bits in the octet)

IP access list test condition: check subnets 172.30.16.0 through 172.30.31.0
  network.host               172.30.16.0
  wildcard mask match bits   0000 1111   (check the first 4 bits of the third octet, ignore the last 4)
  address and wildcard mask  172.30.16.0 0.0.15.255

Matching any IP address: 0.0.0.0 255.255.255.255, abbreviated with the keyword any.
Matching a specific IP address: 172.30.16.29 0.0.0.0 checks every bit of the address; the abbreviated form puts the keyword host in front of the address.

Configuring IP standard access lists
- The access-list command sets the parameters for one list entry; IP standard access lists use the numbers 1 to 99.
- The ip access-group command activates the list on an interface.

Standard access list, example 1: permit only my own network
(Topology: router with E0 to 172.16.3.0, E1 to 172.16.4.0 containing host 172.16.4.13, and S0 to non-172.16.0.0 networks.)

  access-list 1 permit 172.16.0.0 0.0.255.255
  (implicit deny all at the end of the access list)
  (access-list 1 deny 0.0.0.0 255.255.255.255)
  interface ethernet 0
   ip access-group 1 out
  interface ethernet 1
   ip access-group 1 out

Standard access list, example 2: deny a specific host
(Same topology: 172.16.3.0, 172.16.4.0, host 172.16.4.13, E0, S0, E1, non-172.16.0.0.)

Standard access list, example 3: deny a specific subnet
(Same topology.)

Extended IP access lists
- Allow more filtering conditions.
- Check the source and destination IP addresses.
- Specify an optional IP protocol and port number.
- Access list number range 100 to 199.

Configuring extended access lists
- The access-list command sets the parameters for one list entry; IP uses a list number in the range 100 to 199.
- The ip access-group command activates the extended list on an interface.

Extended access list, example 1: deny FTP for E0
(Same topology: 172.16.3.0, 172.16.4.0, host 172.16.4.13, E0, S0, E1, non-172.16.0.0.)

Extended access list, example 2: deny only Telnet out of E0, permit all other traffic
(Same topology.)

Naming access lists
- Feature of Cisco IOS Release 11.2 or later.
- The alphanumeric name string must be unique.
- Permit or deny statements have no prepended number.
- no removes the specific test from the named access list.
- The named access list is then activated on an interface.
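The wildcard-mask and first-match rules described above, as an added Python model that is not part of the Cisco course material. ACL_1 is the list from standard example 1; ACL_2 is a constructed list for example 2 (deny host 172.16.4.13, then permit the rest of 172.16.0.0), since the preview does not carry that slide's commands, and it shows why statement order matters.

```python
import ipaddress

def ip_to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(address, wildcard, candidate):
    """Cisco wildcard semantics: a 0 bit in the mask means 'check this bit',
    a 1 bit means 'ignore it'. Match iff every checked bit agrees."""
    check_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)       # invert so 1 = compare
    return (ip_to_int(address) & check_bits) == (ip_to_int(candidate) & check_bits)

def evaluate(acl, source):
    """Standard list: test the source address against entries top to bottom.
    The first matching entry decides; no match falls to the implicit deny."""
    for action, address, wildcard in acl:
        if wildcard_match(address, wildcard, source):
            return action
    return "deny"          # implicit: access-list N deny 0.0.0.0 255.255.255.255

# Keyword shorthands from the course: "any" and "host <addr>".
ANY = ("0.0.0.0", "255.255.255.255")
def host(addr):
    return (addr, "0.0.0.0")                              # check every bit

# Example 1 from the slides: permit only 172.16.0.0; all else is implicitly denied.
ACL_1 = [("permit", "172.16.0.0", "0.0.255.255")]

# Constructed for example 2 (not on the slide): deny host 172.16.4.13, then
# permit the rest of 172.16.0.0. Reversed, the permit shadows the deny.
ACL_2 = [("deny", *host("172.16.4.13")),
         ("permit", "172.16.0.0", "0.0.255.255")]
ACL_2_WRONG_ORDER = list(reversed(ACL_2))

if __name__ == "__main__":
    print(evaluate(ACL_1, "172.16.4.13"))                 # permit
    print(evaluate(ACL_1, "10.1.1.1"))                    # deny (implicit)
    print(evaluate(ACL_2, "172.16.4.13"))                 # deny
    print(evaluate(ACL_2_WRONG_ORDER, "172.16.4.13"))     # permit (shadowed deny)
    print(wildcard_match("172.30.16.0", "0.0.15.255", "172.30.31.7"))   # True
    print(wildcard_match("172.30.16.0", "0.0.15.255", "172.30.32.1"))   # False
```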