This continues the previous part (split for length): https://www.toutiao.com/i6912977664655589892/

6. ACL background

6.1 ACL basics
Routers and layer-3 switches use ACLs as a control policy. Like the policies on servers and firewalls, they are one means of controlling user access and hardening the network, and they suit enterprise and campus networks with higher access-security requirements. A router tells its ACLs apart mainly by number.

6.2 How matching works
1. Rules are matched from the top down, one at a time; as soon as a rule matches, matching stops and the remaining rules are not consulted. Among rules with the same action (permit or deny), the more specific rule goes first, otherwise a broader rule above it swallows the traffic the specific rule was written for.
2. What happens when no rule matches depends on the platform. On Huawei VRP, a packet that matches no rule of an ACL applied with traffic-filter is forwarded, not dropped (the implicit deny-all at the end of an ACL is Cisco IOS behaviour). This is why every allow-list ACL in this article ends with an explicit rule deny ip, and why the basic ACL 2000 in 6.3, which contains only a deny, still lets all other traffic through.
3. An interface can have at most one ACL applied per direction, but that ACL may contain any number of rules.

6.3 Rule example
acl 2000
rule 5 deny source 192.168.1.0 0.0.0.255
(5 is the rule number; numbers are assigned in steps of 5 by default. source is the keyword. 0.0.0.255 is the wildcard mask: a 0 bit means the packet bit must equal the rule bit, a 1 bit is ignored; the router compares packet address and rule address bitwise under that mask.)
[gw-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
Applied this way, ACL 2000 drops traffic from 192.168.1.0/24 that leaves the router through g0/0/1.

6.4 Configuration steps
Create the ACL by number, define its rule entries, then apply it to the router interface in the required direction.

6.5 Classification
At layer 3, ACLs are divided into basic ACLs (numbers 2000 to 2999, matching on source address only) and advanced ACLs (numbers 3000 to 3999, matching on protocol, source, destination and ports).

7. ACL experiment: requirements and analysis
In a real deployment, once you have the requirements and have analysed them, write the resulting configuration into a text file first; on site you then only paste it in.

7.1 Rule-by-rule analysis
(Numbering continues from the previous part.)

2. All hosts in VLAN 10 may reach the VLAN 100 server only over HTTP and may not reach the VLAN 150 server (left to right).
192.168.10.0 0.0.0.255 is every host in VLAN 10
192.168.100.200 0.0.0.0 is the server in VLAN 100
permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0.0.0.0 destination-port eq 80
deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0.0.0.0
These lines are built from the keywords permit or deny, a protocol (tcp here, udp elsewhere, or ip to cover every IP protocol), source and destination, with rule and an optional rule number in front.

3. The host in VLAN 20 has full access to VLAN 150 and no access to the VLAN 100 server (left to right).
192.168.20.100 0.0.0.0 is the host 192.168.20.100 in VLAN 20
192.168.150.0 0.0.0.255 is every host in VLAN 150
This is IP-level access only: no ports, and no distinction between tcp and udp.
permit ip source 192.168.20.100 0.0.0.0 destination 192.168.150.0 0.0.0.255
deny ip source 192.168.20.100 0.0.0.0 destination 192.168.100.200 0.0.0.0

4. The host in VLAN 100 may not reach the VLAN 20 server and may reach the VLAN 150 server (right to left).
192.168.100.100 0.0.0.0 is the host in VLAN 100
192.168.20.200 0.0.0.0 is the server in VLAN 20
deny ip source 192.168.100.100 0.0.0.0 destination 192.168.20.200 0.0.0.0
VLAN 100 and VLAN 150 sit on the same layer-3 switch, so traffic between them never passes the router; they can reach each other and the router cannot control that path.

5. The public server offers only FTP to VLAN 10 and VLAN 20 (middle).
192.168.1.200 0.0.0.0 is the public server
192.168.10.0 0.0.0.255 is every host in VLAN 10
192.168.20.0 0.0.0.255 is every host in VLAN 20
permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
deny ip source any destination any
Port 21 is only the FTP control connection. The data connection (in active or passive mode) uses other ports and will hit the deny, so a working FTP service needs extra rules for the data ports or stateful inspection instead of a plain ACL.

6. The public server offers HTTP to VLAN 100 and VLAN 150 (middle).
permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
deny ip source any destination any

7. The public server offers DNS to everyone (middle).
permit udp source any destination 192.168.1.200 0.0.0.0 destination-port eq 53
deny ip source any destination any

8. Every node and host can ping every other.
permit icmp source any destination any

7.2 Consolidation
Looking at the rules above together with the topology, advanced ACLs are needed, and the rules fall into three groups: devices left of the router reaching devices on the right, right reaching left, and both sides reaching the public server in the middle.

7.2.1 Left to right
acl 3001
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0.0.0.0 destination-port eq 80
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0.0.0.0
rule deny ip source 192.168.20.100 0.0.0.0 destination 192.168.100.200 0.0.0.0
rule permit ip source 192.168.20.100 0.0.0.0 destination 192.168.150.0 0.0.0.255
rule permit icmp source any destination any

7.2.2 Right to left
acl 3002
rule deny ip source 192.168.100.100 0.0.0.0 destination 192.168.20.200 0.0.0.0
rule permit icmp source any destination any

7.2.3 All to center
acl 3003
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
rule permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
rule permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
rule permit udp source any destination 192.168.1.200 0.0.0.0 destination-port eq 53
rule permit icmp source any destination any
rule deny ip source any destination any
The icmp rule must come before the final deny ip: ICMP is carried inside IP, so deny ip matches it too, and a deny placed first would make the icmp permit unreachable. The same ordering effect applies to the specific deny ip rules in 3001 and 3002: because they precede permit icmp, pings between the pairs they name (VLAN 10 to 192.168.150.200, 192.168.20.100 to 192.168.100.200, 192.168.100.100 to 192.168.20.200) are dropped as well, so requirement 8 holds only for the remaining pairs. To keep ping working everywhere, give permit icmp a lower rule number than those deny rules.

7.3 Applying the ACLs
ACL 3001 goes on the outbound side of ge0/0/1 (towards sw-right):
[gw-GigabitEthernet0/0/1]traffic-filter outbound acl 3001
ACL 3002 goes on the outbound side of ge0/0/0 (towards sw-left):
[gw-GigabitEthernet0/0/0]traffic-filter outbound acl 3002
ACL 3003 goes on the outbound side of ge0/0/2 (towards the public server):
[gw-GigabitEthernet0/0/2]traffic-filter outbound acl 3003

8. Implementation

8.1 Gateway router

8.1.1 ACL 3001
[gw]acl 3001
[gw-acl-adv-3001]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0.0.0.0 destination-port eq 80
[gw-acl-adv-3001]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0.0.0.0
[gw-acl-adv-3001]rule deny ip source 192.168.20.100 0.0.0.0 destination 192.168.100.200 0.0.0.0
[gw-acl-adv-3001]rule permit ip source 192.168.20.100 0.0.0.0 destination 192.168.150.0 0.0.0.255
[gw-acl-adv-3001]rule permit icmp source any destination any
[gw-acl-adv-3001]rule deny ip
[gw-acl-adv-3001]disp th

8.1.2 ACL 3002
[gw]acl 3002
[gw-acl-adv-3002]rule deny ip source 192.168.100.100 0.0.0.0 destination 192.168.20.200 0.0.0.0
[gw-acl-adv-3002]rule permit icmp source any destination any
[gw-acl-adv-3002]rule deny ip
[gw-acl-adv-3002]dis th

8.1.3 ACL 3003
[gw]acl 3003
[gw-acl-adv-3003]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
[gw-acl-adv-3003]rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
[gw-acl-adv-3003]rule permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
[gw-acl-adv-3003]rule permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
[gw-acl-adv-3003]rule permit udp source any destination 192.168.1.200 0.0.0.0 destination-port eq 53
[gw-acl-adv-3003]rule permit icmp source any destination any
[gw-acl-adv-3003]rule deny ip source any destination any
[gw-acl-adv-3003]disp th

8.1.4 Return traffic
Traffic is bidirectional: a request that is allowed out must be able to come back, and traffic-filter ACLs are stateless, so the reply direction needs its own permits. Every permit in 3001 (left to right) implies a reply that leaves the router through ge0/0/0, where 3002 is applied, and every permit in 3003 (towards the public server) implies a reply from 192.168.1.200 that leaves through ge0/0/0 (3002) or ge0/0/1 (3001).

Permits in 3001 whose replies must pass 3002:
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0.0.0.0 destination-port eq 80
rule permit ip source 192.168.20.100 0.0.0.0 destination 192.168.150.0 0.0.0.255

Permits in 3003 whose replies must pass 3002 (towards VLAN 10 and 20) or 3001 (towards VLAN 100 and 150):
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 21
rule permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
rule permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0.0.0.0 destination-port eq 80
rule permit udp source any destination 192.168.1.200 0.0.0.0 destination-port eq 53

The reply rules for 3002 (right to left) are added as rules 6, 7 and 8:
acl 3002
rule deny ip source 192.168.100.100 0.0.0.0 destination 192.168.20.200 0.0.0.0
rule 6 permit ip source 192.168.100.200 0.0.0.0 destination 192.168.10.0 0.0.0.255
rule 7 permit ip source 192.168.150.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 8 permit ip source 192.168.1.200 0.0.0.0 destination any (replies to requests permitted by 3003)
rule permit icmp source any destination any
display acl 3002 shows that the first rule is number 5 and the icmp rule is number 10, so the three reply rules must be inserted between 5 and 10. They therefore get explicit numbers 6, 7 and 8; an automatically numbered rule would be appended after the final deny ip and never matched.
[gw-acl-adv-3002]dis th

The reply to traffic that 3003 permits towards VLAN 100 and 150 leaves through ge0/0/1, so 3001 (left to right) gets the corresponding rule as number 24, which places it before the final deny ip (rule 30):
acl 3001
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0.0.0.0 destination-port eq 80
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0.0.0.0
rule deny ip source 192.168.20.100 0.0.0.0 destination 192.168.100.200 0.0.0.0
rule permit ip source 192.168.20.100 0.0.0.0 destination 192.168.150.0 0.0.0.255
rule 24 permit ip source 192.168.1.200 0.0.0.0 destination any
rule permit icmp source any destination any
[gw-acl-adv-3001]dis th

These reply rules are broader than the replies they exist for: rule 6 lets 192.168.100.200 open any connection into VLAN 10, and rules 8 and 24 let the public server reach everything. With a stateless ACL that is the price of the design. It can be narrowed by matching the reply's source port (for example tcp ... source-port eq 80 for the HTTP replies) or, where the platform supports it, TCP flags, or replaced by a stateful firewall policy.
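The matching rules in 6.2, the requirement analysis in 7.1 and the return-traffic fix above can all be checked offline before anything is pasted into the router. The following Python script is an added example and not code from the article: it parses the three ACLs exactly as the gateway saves them in section 10.1, applies first-match semantics with the Huawei traffic-filter default of forwarding unmatched packets, and sends constructed probe packets through the outbound ACL of the port that would carry them. Host addresses such as 192.168.10.5, 192.168.150.50 and 192.168.150.7 are assumed hosts in those VLANs, and GE0/0/x is shorthand for the router's GigabitEthernet ports.

```python
"""First-match model of this lab's traffic-filter ACLs (added example, not from the article)."""
import ipaddress
import re
from collections import namedtuple

# The three ACLs as the gateway saves them (section 10.1): wildcard "0" is 0.0.0.0, www/ftp/dns are 80/21/53.
ACL_CONFIG = """
acl number 3001
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq www
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0
 rule 15 deny ip source 192.168.20.100 0 destination 192.168.100.200 0
 rule 20 permit ip source 192.168.20.100 0 destination 192.168.150.0 0.0.0.255
 rule 24 permit ip source 192.168.1.200 0
 rule 25 permit icmp
 rule 30 deny ip
acl number 3002
 rule 5 deny ip source 192.168.100.100 0 destination 192.168.20.200 0
 rule 6 permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
 rule 7 permit ip source 192.168.150.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 8 permit ip source 192.168.1.200 0
 rule 10 permit icmp
 rule 15 deny ip
acl number 3003
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq ftp
 rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq ftp
 rule 15 permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq www
 rule 20 permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq www
 rule 25 permit udp destination 192.168.1.200 0 destination-port eq dns
 rule 30 permit icmp
 rule 35 deny ip
"""
# traffic-filter outbound bindings (section 7.3) and the subnets reached through each port.
OUTBOUND_ACL = {"GE0/0/0": 3002, "GE0/0/1": 3001, "GE0/0/2": 3003}
BEHIND = {"GE0/0/0": ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"),     # sw-left
          "GE0/0/1": ("192.168.100.0/24", "192.168.150.0/24", "192.168.200.0/24"),  # sw-right
          "GE0/0/2": ("192.168.1.0/24",)}                                           # public server
PORTS = {"www": 80, "ftp": 21, "dns": 53}
RULE = re.compile(r"rule (\d+) (permit|deny) (\w+)(?: source (\S+) (\S+))?"
                  r"(?: destination (\S+) (\S+))?(?: destination-port eq (\S+))?$")
Packet = namedtuple("Packet", "proto src dst dport", defaults=(0,))  # proto: tcp, udp or icmp
Rule = namedtuple("Rule", "number action proto src dst dport")        # src/dst: (address, wildcard) ints

def _addr(address, wildcard):
    if address in (None, "any"):       # omitted or 'any': 0.0.0.0 with an all-ones wildcard
        return (0, 0xFFFFFFFF)
    return (int(ipaddress.IPv4Address(address)), 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard)))

def parse_acls(text):
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[-1]), [])
        elif (m := RULE.match(line)):
            num, action, proto, sa, sw, da, dw, dport = m.groups()
            current.append(Rule(int(num), action, proto, _addr(sa, sw), _addr(da, dw),
                                None if dport is None else PORTS.get(dport) or int(dport)))
    return {n: sorted(rs, key=lambda r: r.number) for n, rs in acls.items()}  # ascending rule id

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:   # "ip" covers tcp, udp and icmp alike
        return False
    for (addr, wild), field in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if (int(ipaddress.IPv4Address(field)) ^ addr) & ~wild & 0xFFFFFFFF:  # wildcard 0 bits must agree
            return False
    return rule.dport is None or rule.dport == pkt.dport

def egress(ip):
    ip = ipaddress.IPv4Address(ip)
    return next(p for p, nets in BEHIND.items() if any(ip in ipaddress.ip_network(n) for n in nets))

def verdict(acls, pkt):
    """(action, reason) for one packet; two VLANs of the same switch never pass the router."""
    port = egress(pkt.dst)
    if port == egress(pkt.src):
        return ("permit", "same switch, not routed by gw")
    acl = OUTBOUND_ACL[port]
    hit = next((r for r in acls[acl] if matches(r, pkt)), None)
    if hit is None:                      # Huawei traffic-filter forwards packets that match no rule
        return ("permit", f"acl {acl} no match (default permit)")
    return (hit.action, f"acl {acl} rule {hit.number}")

def without(acls, acl, *numbers):
    """Copy of the rule set minus the given rules, to show what each rule is there for."""
    return {n: [r for r in rs if not (n == acl and r.number in numbers)] for n, rs in acls.items()}

ACLS = parse_acls(ACL_CONFIG)

def check_requirements(acls=ACLS):
    """Constructed probe packets for requirements 2 to 8 plus one reply; returns {label: action}."""
    probes = {
        "2 vlan10 -> vlan100 server http": Packet("tcp", "192.168.10.5", "192.168.100.200", 80),
        "2 vlan10 -> vlan150 server http": Packet("tcp", "192.168.10.5", "192.168.150.200", 80),
        "3 vlan20 host -> vlan150 rdp": Packet("tcp", "192.168.20.100", "192.168.150.50", 3389),
        "3 vlan20 host -> vlan100 server http": Packet("tcp", "192.168.20.100", "192.168.100.200", 80),
        "4 vlan100 host -> vlan20 server": Packet("tcp", "192.168.100.100", "192.168.20.200", 80),
        "4 vlan100 host -> vlan150 server": Packet("tcp", "192.168.100.100", "192.168.150.200", 80),
        "5 vlan10 -> public ftp": Packet("tcp", "192.168.10.5", "192.168.1.200", 21),
        "5 vlan10 -> public http": Packet("tcp", "192.168.10.5", "192.168.1.200", 80),
        "7 vlan100 host -> public dns": Packet("udp", "192.168.100.100", "192.168.1.200", 53),
        "8 ping vlan10 -> vlan100 server": Packet("icmp", "192.168.10.5", "192.168.100.200"),
        "8 ping vlan10 -> vlan150 server": Packet("icmp", "192.168.10.5", "192.168.150.200"),
        "reply vlan100 server:80 -> vlan10": Packet("tcp", "192.168.100.200", "192.168.10.5", 51000),
    }
    return {label: verdict(acls, pkt)[0] for label, pkt in probes.items()}
```

check_requirements() returns permit or deny per probe, and verdict() also names the rule that decided. Three results are worth looking at. The ping from VLAN 10 to 192.168.150.200 is denied by rule 10 of acl 3001, because that deny ip precedes permit icmp. With rule 6 removed from acl 3002 (without(ACLS, 3002, 6)) the HTTP reply from 192.168.100.200 is dropped by the final deny ip, which is the stateless-return problem fixed by hand above. And with rule 30 removed from acl 3001 an SSH attempt from VLAN 10 to the VLAN 100 server passes with no rule matched, which is the default permit described in 6.2.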
9. Testing against the requirements
Test each requirement from 7.1 in turn and compare the outcome with what was asked for:
2. All hosts in VLAN 10 may reach the VLAN 100 server only over HTTP and may not reach the VLAN 150 server.
3. The host in VLAN 20 has full access to VLAN 150 and no access to the VLAN 100 server.
4. The host in VLAN 100 may not reach the VLAN 20 server and may reach the VLAN 150 server.
5. The public server offers only FTP to VLAN 10 and VLAN 20.
6. The public server offers HTTP to VLAN 100 and VLAN 150.
7. The public server offers DNS to everyone.

Test summary
If a test result does not match the requirement, inspect the ACL responsible; once the wrong rule is found, remove it with undo rule <number> in the ACL view and add the correct one. Because rules are matched in order, also check that the corrected rule landed above the final deny ip rather than after it.

10. Device configuration files
The dumps below are what display current-configuration shows once the router has normalized the typed commands: a wildcard of 0.0.0.0 is saved as 0, well-known ports are saved by name (www, ftp, dns), and source any / destination any are omitted.

10.1 Gateway router
<gw>dis cu
[V200R003C00]
#
 sysname gw
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3001
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq www
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.150.200 0
 rule 15 deny ip source 192.168.20.100 0 destination 192.168.100.200 0
 rule 20 permit ip source 192.168.20.100 0 destination 192.168.150.0 0.0.0.255
 rule 24 permit ip source 192.168.1.200 0
 rule 25 permit icmp
 rule 30 deny ip
acl number 3002
 rule 5 deny ip source 192.168.100.100 0 destination 192.168.20.200 0
 rule 6 permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
 rule 7 permit ip source 192.168.150.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 8 permit ip source 192.168.1.200 0
 rule 10 permit icmp
 rule 15 deny ip
acl number 3003
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq ftp
 rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq ftp
 rule 15 permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq www
 rule 20 permit tcp source 192.168.150.0 0.0.0.255 destination 192.168.1.200 0 destination-port eq www
 rule 25 permit udp destination 192.168.1.200 0 destination-port eq dns
 rule 30 permit icmp
 rule 35 deny ip
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.30.1 255.255.255.0
 traffic-filter outbound acl 3002
#
interface GigabitEthernet0/0/1
 ip address 192.168.200.1 255.255.255.0
 traffic-filter outbound acl 3001
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
 traffic-filter outbound acl 3003
#
interface NULL0
#
rip 1
 undo summary
 version 2
 network 192.168.30.0
 network 192.168.200.0
 network 192.168.1.0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<gw>

10.2 Left switch
<sw-left>disp cu
#
sysname sw-left
#
vlan batch 10 20 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
rip 1
 undo summary
 version 2
 network 192.168.10.0
 network 192.168.20.0
 network 192.168.30.0
#
user-interface con 0
user-interface vty 0 4
#
return
<sw-left>

10.3 Right switch
<sw-right>dis cu
#
sysname sw-right
#
vlan batch 100 150 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface Vlanif150
 ip address 192.168.150.1 255.255.255.0
#
interface Vlanif200
 ip address 192.168.200.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 150
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
rip 1
 undo summary
 version 2
 network 192.168.100.0
 network 192.168.150.0
 network 192.168.200.0
#
user-interface con 0
user-interface vty 0 4
#
return
<sw-right>

Before any of these dumps is reused outside the lab, note what they contain besides the ACLs: both switches store local-user admin password simple admin in clear text, all three devices leave user-interface vty 0 4 without an authentication-mode, admin has web login (service-type http) everywhere, and RIP runs without authentication on every routed link. That is acceptable for an ACL exercise; in a production copy, store passwords with cipher (or irreversible-cipher where the software supports it), require AAA or password authentication on the vty lines, and configure rip authentication-mode on the interfaces that speak RIP.

Previous part: https://www.toutiao.com/i6912977664655589892/
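Reading the plaintext passwords, the unauthenticated vty lines and the trailing deny rules out of three dumps by eye does not scale. The following Python script is an added example and not part of the article: it splits a VRP display current-configuration dump into top-level blocks with their indented sub-commands and runs the checks this article's configuration motivates. The sample it runs on is constructed from the gw and sw-left dumps in section 10 with two deliberate changes, acl 3003 loses its final deny ip and an unused acl 3004 is added, so that every check has something to report; the finding messages are mine, not VRP output.

```python
"""Static checks over a Huawei VRP 'display current-configuration' dump (added example, not from the article)."""
import re

# Constructed sample: blocks taken from the gw and sw-left dumps in section 10, with the trailing
# "deny ip" of acl 3003 removed and an unused acl 3004 added so that every check below has a hit.
SAMPLE_CONFIG = """
#
sysname gw
#
acl number 3001
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq www
 rule 25 permit icmp
 rule 30 deny ip
acl number 3002
 rule 5 deny ip source 192.168.100.100 0 destination 192.168.20.200 0
 rule 10 permit icmp
 rule 15 deny ip
acl number 3003
 rule 25 permit udp destination 192.168.1.200 0 destination-port eq dns
 rule 30 permit icmp
acl number 3004
 rule 5 permit icmp
#
aaa
 local-user admin password simple admin
 local-user admin service-type http
#
interface GigabitEthernet0/0/0
 ip address 192.168.30.1 255.255.255.0
 traffic-filter outbound acl 3002
#
interface GigabitEthernet0/0/1
 ip address 192.168.200.1 255.255.255.0
 traffic-filter outbound acl 3001
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
 traffic-filter outbound acl 3003
#
rip 1
 undo summary
 version 2
 network 192.168.1.0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
#
return
"""

def parse_blocks(text):
    """A top-level command sits at column 0, its sub-commands are indented by one space and
    '#' separates sections. Returns [(header, [sub-commands])] in file order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    """Returns a list of finding strings; an empty list means none of the checks fired."""
    blocks = parse_blocks(text)
    findings = []
    acls = {int(h.split()[-1]): subs for h, subs in blocks if h.startswith("acl number ")}
    applied, rip_auth = {}, False                  # applied: acl number -> (interface, direction)
    for header, subs in blocks:
        for sub in subs:
            if sub.startswith("local-user") and " password simple " in sub:
                findings.append(f"{header}: '{sub}' keeps a plaintext password in the configuration")
            if sub.startswith("local-user") and sub.endswith("service-type http"):
                findings.append(f"{header}: '{sub}' grants web-UI login to this user")
            if header.startswith("interface "):
                m = re.fullmatch(r"traffic-filter (inbound|outbound) acl (\d+)", sub)
                if m:
                    applied[int(m.group(2))] = (header, m.group(1))
                rip_auth |= sub.startswith("rip authentication-mode")
        if header.startswith("user-interface vty") and not any(s.startswith("authentication-mode") for s in subs):
            findings.append(f"{header}: no authentication-mode configured on this vty range")
    for number, (iface, direction) in applied.items():
        if number not in acls:
            findings.append(f"{iface}: traffic-filter {direction} references acl {number}, which is not defined")
        elif not re.fullmatch(r"rule \d+ deny ip", acls[number][-1] if acls[number] else ""):
            findings.append(f"acl {number} ({iface} {direction}) has no final 'deny ip': "
                            "traffic-filter forwards packets that match no rule")
    for number in sorted(acls.keys() - applied.keys()):
        findings.append(f"acl {number} is defined but not applied to any interface")
    if any(h.startswith("rip ") for h, _ in blocks) and not rip_auth:
        findings.append("rip is enabled but no interface sets 'rip authentication-mode'")
    return findings
```

audit(SAMPLE_CONFIG) returns six findings for the constructed sample. Run on the three real dumps above, the same checks report the plaintext admin password on both switches, vty 0 4 without an authentication-mode on every device, web login for admin everywhere, and RIP without authentication on all three; none of the router's applied ACLs triggers the missing deny ip check, because 3001, 3002 and 3003 each end with rule deny ip.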
This article was reposted from 快速备案; when reprinting, please credit the source and include the corresponding link.