Basic Traffic Management with Access Lists
Module 9, Copyright © 1998, Cisco Systems, Inc., Managing IP

Objectives
Upon completion of this module, you will be able to perform the following tasks:
- Configure IP standard access lists
- Limit virtual terminal access
- Configure IP extended access lists
- Verify access list configuration
- Configure an alternative to using access lists
- Configure an IP helper address to manage broadcasts

Managing IP Traffic Overview
- Limit traffic and restrict network use
- Enable directed forwarding of broadcasts

Access List Applications
- Access lists control packet movement through a network
- (Figure: queue list; priority and custom queuing)

Other Access List Uses
- Access lists are multipurpose

Configuring IP Standard Access Lists

IP Standard Access Lists Overview
- Use source address only
- Access list range: 1 to 99
- (Figure: network 172.16.5.0)

Inbound Access List Processing / Outbound Access List Processing
- (Flowcharts for standard IP access lists)

IP Addressing Review
- Exactly host 131.104.7.11 (* assuming subnet mask of 255.255.248.0)

Access Lists Use Wildcard Mask
- 0 bit = must match bits in addresses
- 1 bit = unconditional match for bits in addresses

Access List Configuration Tasks
To create an access list, perform the following tasks:
- Define an access list
- Apply the list to an interface

Standard Access List Commands
- Defines a standard access list (numbered 1-99)

Implicit Masks
- Omitted mask assumed to be 0.0.0.0
- Last two lines unnecessary (implicit deny any)

Configuration Principles
- Top-down processing: place more specific references first
- Implicit deny any, unless the access list ends with an explicit permit any
- New lines are added to the end; cannot selectively add/remove lines
- Undefined access list = permit any
- Need to create access list lines for implicit deny any

Standard Access List Example
- Who can connect to A?

Location of Standard Access Lists
- On which router should the access list be configured to deny host Z access to host V?
- How does the location of a standard access list change the policy implemented?

Written Exercise: IP Standard Access Lists

Restricting Virtual Terminal Access

Virtual Terminal Access Overview
- Standard and extended access lists will not block access from the router
- For security, virtual terminal (vty) access can be blocked to or from the router

How to Control vty Access
- Five virtual terminal lines (0-4)
- Set identical restrictions on all the virtual terminal lines

Virtual Terminal Line Commands
- Enters configuration mode for a terminal line or a range of lines

Controlling Inbound Access (Virtual Terminal Access Example 1)
- Permits only hosts in network 192.89.55.0 to connect to the virtual terminal ports on the router

Controlling Outbound Access (Virtual Terminal Access Example 2)
- Permits terminal line connections only to network 36.0.0.0

Lab: L8 Virtual Terminal Access

Configuring IP Extended Access Lists

IP Extended Access List Overview
- Control traffic by application, not just address

Extended Access List Processing
- (Flowchart: forward packet; * if present in access list)

Extended IP Access List Command
Router(config)# access-list access-list-number { permit | deny } { protocol | protocol-keyword } { source source-wildcard | any } { destination destination-wildcard | any } [ protocol-specific options ]
- Defines an extended access list (numbered 100 to 199)
- Protocol keywords icmp, igmp, tcp, and udp define alternate syntax with protocol-specific options

Extended Mask Keywords
- The keyword any can be used in place of the address 0.0.0.0 with mask 255.255.255.255

ICMP Command Syntax
access-list access-list-number { permit | deny } icmp { source source-wildcard | any } { destination destination-wildcard | any } [ icmp-type [ icmp-code ] | icmp-message ]
- Filters based on ICMP messages

ICMP Message and Type Names
- Names simplify configuration

TCP Syntax
access-list access-list-number { permit | deny } tcp { source source-wildcard | any } [ operator source-port | source-port ] { destination destination-wildcard | any } [ operator destination-port | destination-port ] [ established ]
- Filters based on TCP port number or name

TCP Port Names
- Type ? to get port numbers corresponding to names
- Other port numbers are found in the Assigned Numbers RFC

UDP Syntax
Router(config)# access-list access-list-number { permit | deny } udp { source source-wildcard | any } [ operator source-port | source-port ] { destination destination-wildcard | any } [ operator destination-port | destination-port ]
- Filters based on the UDP protocol or UDP port number or name

UDP Port Names
- Type ? to get port numbers corresponding to the name
- Other port numbers are found in the Assigned Numbers RFC

Extended Access List Example 1
- (Figure: interfaces E1, E0)

Extended Access List Example 2

Location of Extended Access Lists
- Minimize distance traveled by traffic that will be denied (and ICMP unreachable messages)
- Keep denied traffic off the backbone
- Select the router to receive CPU overhead from access lists

Location of Extended Access Lists (cont.)
- Consider the number of interfaces affected
- Consider access list management and security
- Consider network growth impacts on access list maintenance

Lab: L9 IP Extended Access Lists

Verifying Access List Configuration

Access List show Commands
- Displays access lists from all protocols

Access List show Commands (cont.)
- Clears packet counts

show ip access-list Command

Using an Alternative to Access Lists

Null Interface
- Route to nowhere saves valuable CPU cycles

Null Interface Command
- Creates a static route to filter unwanted traffic
- Interface name is always null 0

Null Interface Example
- Eliminates traffic for 201.222.5.0 from the WAN
- (Figure: networks 131.108.4.0, 131.108.5.0, 131.108.7.0, 201.222.5.0, 131.108.1.0; addresses 131.108.6.1, 131.108.6.2)
ip route 201.222.5.0 255.255.255.0 null 0

Written Exercise: Alternative to Access Lists

Using Helper Addresses

Helper Addressing Overview
- Routers do not forward broadcasts by default
- Helper address provides selective connectivity

Why Use a Helper Address?
- Sometimes clients do not know the server address
- Helpers change broadcast to unicast to reach the server
- (Figure: diskless workstation broadcasts "Looking for boot server"; boot server; server location)

IP Helper Address Commands
- Enables forwarding and specifies the destination address for main UDP broadcast packets
- Changes the destination address from broadcast to unicast or directed broadcast address

Single Server—Remote Medium
Single Server—Remote Medium (cont.)
Multiple Servers—Remote Media
Multiple Servers—Remote Media

Written Exercise: IP Helper Address

You can manage IP traffic by:
- Controlling packet transmission on each medium
- Using a static route to the null interface in place of an access list to minimize processing overhead
- Configuring helper addresses to forward broadcasts
- Standard access li
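The wildcard-mask, top-down and implicit-deny rules on the standard access list slides, as an added example in Python (not from the Cisco module): a small simulator over constructed access-list lines. The 172.16.5.0 and 131.104.0.0 entries are sample values chosen to echo addresses on the slides, not a configuration the module gives.

```python
import ipaddress

def wildcard_match(addr, pattern, wildcard="0.0.0.0"):
    """True if addr matches pattern under a Cisco wildcard mask.
    0 bit in the wildcard: the address bit must match the pattern bit.
    1 bit in the wildcard: the address bit is matched unconditionally.
    An omitted wildcard is taken as 0.0.0.0, i.e. an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w  # the bits the list actually cares about
    return (a & care) == (p & care)

def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines.
    'any' is shorthand for 0.0.0.0 255.255.255.255 (every address)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list line: {line!r}")
        if tok[3] == "any":
            entries.append((tok[2], "0.0.0.0", "255.255.255.255"))
        else:
            entries.append((tok[2], tok[3], tok[4] if len(tok) > 4 else "0.0.0.0"))
    return entries

def evaluate(entries, src):
    """Top-down evaluation: the first matching line decides.
    No match at the end means the implicit deny any applies; an undefined
    list (None) permits everything, as the module's principles state."""
    if entries is None:
        return "permit"
    for action, pattern, wildcard in entries:
        if wildcard_match(src, pattern, wildcard):
            return action
    return "deny"

# Constructed sample list (hypothetical, not from the module's slides).
ACL_1 = parse_standard_acl([
    "access-list 1 deny 172.16.5.7",               # omitted mask -> host match
    "access-list 1 permit 172.16.5.0 0.0.0.255",   # rest of 172.16.5.0/24
    "access-list 1 permit 131.104.0.0 0.0.7.255",  # /21, i.e. subnet mask 255.255.248.0
])

if __name__ == "__main__":
    for host in ("172.16.5.7", "172.16.5.9", "131.104.7.11", "10.0.0.1"):
        print(host, evaluate(ACL_1, host))
    # Order matters: with the host deny placed last it is shadowed by the /24 permit.
    print("reversed:", evaluate(list(reversed(ACL_1)), "172.16.5.7"))
```

The reversed run shows why the slides say to place more specific references first: the same three lines in the other order let the denied host through.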