ACL 訪問控制列表
原理說明:
ACL是網絡設備常用的安全技術,通過手動配置可以部署網絡安全策略,acl規則是檢查流量通信特徵。一般從rule5開始建立(留給後續添加優先使用),匹配即停止,默認permit any。每接口。每協議,每方向只允許部署一個acl。
基本acl: 組號2000~2999 只能檢查流量的源ip地址
高級acl:組號3000~3999 可檢測流量的protool,源ip,目的ip,源端口。更精細的流量檢查等
通配符掩碼及計算:
![clip_image002[6]](https://s1.51cto.com/images/blog/201805/29/ca4b02c18d1a7d929f71f5add14915c5.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image002[6]")
![clip_image004[7]](https://s1.51cto.com/images/blog/201805/29/d6f8ea7974bc63bb579f9baa92489af8.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image004[7]")
基本acl規則:
![clip_image006[6]](https://s1.51cto.com/images/blog/201805/29/4452385ad9487b85af031a63a4725a10.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image006[6]")
高級acl規則:
![clip_image008[4]](https://s1.51cto.com/images/blog/201805/29/4aef6488470a7d60d89ff520c1cac446.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image008[4]")
實驗拓撲:
![clip_image010[4]](https://s1.51cto.com/images/blog/201805/29/13d364f26cf2227fb122f48da5775d7e.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image010[4]")
1 先將路由器及各電腦主機的ip配置,使其互通(此步驟省略)
2 在R3上配置acl規則 ,在g0/0/1上配置基於acl對報文過濾,允許10.165.126.0/24 的報文通過, 拒絕其他流量
R3:
[R3]acl 2000
[R3-acl-basic-2000] rule 5 permit source 10.165.126.0 0.0.0.255
[R3-acl-basic-2000]rule 10 deny source any
interface GigabitEthernet0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
驗證:
![clip_image012[4]](https://s1.51cto.com/images/blog/201805/29/8e68de7d6ac611b61427826f3caa08db.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image012[4]")
3 配置高級acl規則
在R3g0/0/0上配置基於acl流量控制,只允許172.25.4.0/24的地址可以ping ,其他的拒絕
R3:
[R3-acl-adv-3000]rule 5 permit icmp source 172.25.4.0 0.0.0.255
[R3-acl-adv-3000]rule 10 deny icmp source any
interface GigabitEthernet0/0/0
[R3-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
驗證:
![clip_image014[4]](https://s1.51cto.com/images/blog/201805/29/61dd114c3362b6ea35e99a6207d355cc.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image014[4]")
刪除接口應用acl:
net0/0/1]und traffic-filter inbound
[R3-GigabitEthernet0/0/1]und traffic-filter out
拓展:
![clip_image016[4]](https://s1.51cto.com/images/blog/201805/29/f4c2500711595a5e1331bd534ed4f16c.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image016[4]")
![clip_image018[4]](https://s1.51cto.com/images/blog/201805/29/4e4af647ce4bae8fb99838efd1f2baa0.jpg?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk= "clip_image018[4]")