ACL Principles and Configuration
ACL
ACL (access control list): a tool that filters data and packet flows in order to control access. An ACL on its own only classifies traffic; it takes effect when something references it, for example traffic-filter on an interface.
ACL classification
1. Basic ACL (2000-2999): matches only on the source IP address of the packet (plus qualifiers such as fragment, time-range and vpn-instance).
2. Advanced ACL (3000-3999): matches on the five-tuple (source IP address, destination IP address, source port, destination port, protocol).
3. Layer 2 ACL (4000-4999): matches on source and destination MAC addresses and the Layer 2 protocol type.
ACL rules
1. An ACL consists of one or more rules; each rule is a permit or deny statement.
2. When the device receives a flow it checks the packet against the ACL rules one after another.
3. If a rule does not match, the next rule is tried; as soon as a rule matches, its action is applied and no later rules are checked (first match wins). A packet that matches no rule is handled by the default action: for traffic-filter on Huawei VRP such packets are forwarded, so an ACL that contains only permit rules blocks nothing; add an explicit deny at the end if that is not what you want.
4. Rules are matched in ascending order of rule number (match-order config, the default; match-order auto instead sorts by match depth), not in the order they were typed: a rule entered later with a smaller number takes precedence.
5. By default the rule-number step is 5, so rules entered without a number are assigned 5, 10, 15, ...; the gaps leave room to insert a rule between two existing ones.
ACL application direction
Inbound: packets entering the router through the interface on which the ACL is applied; they are checked before the forwarding decision.
Outbound: packets leaving the router through that interface; they are checked after the forwarding decision. The direction is relative to the interface, not to the hosts, so the same policy can be written as outbound on one router (R1 below) or inbound on the next (R3 below).
Minimal configuration: define the basic ACL, then apply it outbound on the interface:

```shell
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
 rule 10 deny source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 traffic-filter outbound acl 2000
```
The same rules entered interactively without rule numbers. dis th (display this) shows that the device assigned IDs 5 and 10 (step 5), and ? lists the qualifiers a basic ACL rule accepts:

```shell
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]rule deny source 192.168.2.0 0.0.0.255
[R1-acl-basic-2000]dis th
[V200R003C00]
#
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
 rule 10 deny source 192.168.2.0 0.0.0.255
#
return
[R1-acl-basic-2000]
[R1-acl-basic-2000]rule ?
  INTEGER<0-4294967294>  ID of ACL rule
  deny                   Specify matched packet deny
  permit                 Specify matched packet permit
[R1-acl-basic-2000]rule permit ?
  fragment             Check fragment packet
  none-first-fragment  Check the subsequence fragment packet
  source               Specify source address
  time-range           Specify a special time
  vpn-instance         Specify a VPN-Instance
  <cr>                 Please press ENTER to execute command
```
R1: ACL 2000 is applied outbound on G0/0/0, the link to R2, so traffic from 192.168.1.0/24 is forwarded to R2 and traffic from 192.168.2.0/24 is dropped. Packets from any other source match no rule and are forwarded.

```shell
#
 sysname R1
#
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
 rule 10 deny source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0
 traffic-filter outbound acl 2000
#
interface GigabitEthernet0/0/1
 ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet4/0/0
 ip address 192.168.2.254 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 12.1.1.1 0.0.0.0
  network 13.1.1.1 0.0.0.0
  network 192.168.1.254 0.0.0.0
  network 192.168.2.254 0.0.0.0
#
```
R2: no ACL; it is the source of the Telnet attempt that R3 filters.

```shell
#
 sysname R2
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 12.1.1.2 0.0.0.0
```
R3: advanced ACL 3000 is applied inbound on G0/0/0. TCP from host 12.1.1.2 to host 13.1.1.3 with destination port 23 (telnet) is dropped; everything else, including OSPF and SSH, matches no rule and is forwarded. Note that rule 5 only covers R2's interface address: a Telnet session sourced from R2's loopback 2.2.2.2 does not match and is still permitted, so a remote-access restriction should list every address the peer can use, or deny the destination port for all sources and permit an explicit allow-list. The VTY itself is protected only by a password; the ACL complements that, it does not replace it.

```shell
#
 sysname R3
#
acl number 3000
 rule 5 deny tcp source 12.1.1.2 0 destination 13.1.1.3 0 destination-port eq telnet
#
interface GigabitEthernet0/0/0
 ip address 13.1.1.3 255.255.255.0
 traffic-filter inbound acl 3000
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 13.1.1.3 0.0.0.0
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher %$%$Bw.-6uoM]XN2l&>pzZ&X,%In[7fqV+cWrS,7Yk,, CAQY%Iq,%$%$
```
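To check how the rule-matching points above (ascending rule ID, first match wins, step-5 auto numbering, default action for unmatched packets) play out against the R1 and R3 rules, the following simulator is an added example, not code from the original page or from Huawei. It parses the rule lines exactly as they appear in the configurations, models wildcard masks the way the device does (a 1 bit in the wildcard means "don't care"), and also runs a constructed ACL_ORDER set in which a rule typed last but numbered lower overrides an earlier deny. The packet dictionaries, the ACL_ORDER rules and the default="permit" parameter are assumptions of this example; the latter reflects traffic-filter behaviour on Huawei VRP and can be changed to see the effect of an implicit deny.

```python
"""Simulate Huawei VRP-style ACL matching: wildcard masks, ascending rule-ID order
(match-order config), first match wins, and the default action for unmatched packets.
Added illustration, not device code; only the rule keywords on this page are parsed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}  # port keywords accepted after 'eq'
ANY = (0, 0xFFFFFFFF)                    # address 0, all-ones wildcard: matches everything

@dataclass
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None for a basic ACL (source address only)
    src: tuple = ANY              # (address, wildcard) as ints; wildcard bit 1 = don't care
    dst: tuple = ANY
    dport: Optional[int] = None   # from 'destination-port eq <port>'

def parse_addr(addr: str, wildcard: str) -> tuple:
    """'12.1.1.2 0' is a host match, '192.168.1.0 0.0.0.255' a /24."""
    w = int(wildcard) if "." not in wildcard else int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)), w

def parse_rules(config: str, step: int = 5) -> list:
    """Parse 'rule [id] permit|deny [proto] [source A W] [destination A W] [destination-port eq P]'.
    An unnumbered rule gets the next multiple of step above the largest existing ID."""
    rules = []
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0] != "rule":
            continue
        toks = toks[1:]
        if toks[0].isdigit():
            rid = int(toks.pop(0))
        else:
            rid = (max((r.rule_id for r in rules), default=0) // step + 1) * step
        rule = Rule(rule_id=rid, action=toks.pop(0))
        if toks and toks[0] in ("tcp", "udp", "icmp", "ip"):
            rule.proto = toks.pop(0)
        while toks:
            kw = toks.pop(0)
            if kw in ("source", "destination"):
                if toks[0] == "any":
                    spec, toks = ANY, toks[1:]
                else:
                    spec, toks = parse_addr(toks[0], toks[1]), toks[2:]
                setattr(rule, "src" if kw == "source" else "dst", spec)
            elif kw == "destination-port":
                op, port = toks.pop(0), toks.pop(0)
                if op != "eq":
                    raise ValueError(f"only 'eq' is modelled, got {op}")
                rule.dport = PORT_NAMES.get(port) or int(port)
        rules.append(rule)
    return rules

def addr_matches(pkt_addr: str, spec: tuple) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # the bits the rule actually compares
    return (int(ipaddress.IPv4Address(pkt_addr)) & care) == (base & care)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto not in (None, "ip") and pkt.get("proto") != rule.proto:
        return False
    if not addr_matches(pkt["src"], rule.src) or not addr_matches(pkt.get("dst", "0.0.0.0"), rule.dst):
        return False
    return rule.dport is None or pkt.get("dport") == rule.dport

def lookup(rules: list, pkt: dict, default: str = "permit") -> tuple:
    """(action, rule ID): ascending ID order, first match wins. 'default' covers packets that
    match nothing; Huawei's traffic-filter forwards them, so an ACL with no final deny blocks nothing else."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None

# Rule lines taken from R1's acl 2000 and R3's acl 3000 on this page.
ACL_2000 = "rule 5 permit source 192.168.1.0 0.0.0.255\nrule 10 deny source 192.168.2.0 0.0.0.255"
ACL_3000 = "rule 5 deny tcp source 12.1.1.2 0 destination 13.1.1.3 0 destination-port eq telnet"
# Constructed: the R1 rules typed without IDs, then a narrower permit typed last but given a
# LOWER ID. Numeric order, not entry order, decides the outcome.
ACL_ORDER = ("rule permit source 192.168.1.0 0.0.0.255\nrule deny source 192.168.2.0 0.0.0.255\n"
             "rule 3 permit source 192.168.2.5 0")

def demo() -> dict:
    r2000, r3000, rord = parse_rules(ACL_2000), parse_rules(ACL_3000), parse_rules(ACL_ORDER)
    def tcp(src, dport):  # constructed packet toward R3's G0/0/0 address
        return {"proto": "tcp", "src": src, "dst": "13.1.1.3", "dport": dport}
    return {
        "lan1_out": lookup(r2000, {"src": "192.168.1.10"}),  # ('permit', 5)
        "lan2_out": lookup(r2000, {"src": "192.168.2.10"}),  # ('deny', 10)
        "other_out": lookup(r2000, {"src": "10.9.9.9"}),     # ('permit', None): default action
        "telnet_r2": lookup(r3000, tcp("12.1.1.2", 23)),     # ('deny', 5)
        "ssh_r2": lookup(r3000, tcp("12.1.1.2", 22)),        # ('permit', None): port does not match
        "telnet_lo": lookup(r3000, tcp("2.2.2.2", 23)),      # ('permit', None): R2's loopback bypasses the host match
        "auto_ids": [r.rule_id for r in rord],               # [5, 10, 3]
        "host_wins": lookup(rord, {"src": "192.168.2.5"}),   # ('permit', 3) although rule 10 denies the /24
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

Running the script prints one line per case. The telnet_lo case is the one to pay attention to: the configured rule is correct but narrower than the intent, and a simulator like this (or a quick test from the peer's loopback) is how that gap gets noticed before the ACL is trusted.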