{"id":870,"date":"2008-10-07T21:36:00","date_gmt":"2008-10-07T13:36:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=870"},"modified":"2023-11-07T21:53:41","modified_gmt":"2023-11-07T13:53:41","slug":"cisco-acl","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/870","title":{"rendered":"Cisco ACL"},"content":{"rendered":"\n

ACL(access control list,\u5b58\u53d6\u63a7\u5236\u6e05\u55ae)<\/strong>
\u6e05\u55ae\u5927\u5c0f,\u4e5f\u5c31\u662f\u689d\u4ef6\u6558\u8ff0\u7684\u6578\u91cf,\u4f9d\u53ef\u7528\u8a18\u61b6\u9ad4\u7684\u6c7a\u5b9a
\u7528\u4f86\u63a7\u5236\u7ba1\u7406\u6d41\u7a0b
\u53ef\u7528\u5728\u9632\u706b\u7246\u4e2d\u904e\u6ffe\u5c01\u5305\u8207\u8def\u5f91
\u53ef\u7528\u5728isdn\u7684ddr
ps:\u96d6\u53ef\u904e\u6ffe\u7d93\u904erouter\u7684\u4ea4\u901a,\u4f46\u7121\u6cd5\u904e\u6fferouter\u81ea\u5df1\u7522\u751f\u7684\u4ea4\u901a<\/p>\n\n\n\n

\u4f7f\u7528ACL\u6b65\u9a5f\u5927\u81f4\u5982\u4e0b<\/strong>
1\u8a2d\u5b9a< acl id>\u898f\u5247
(config)#access-list < acl id> < describe rule><\/strong>
2\u5c07\u61c9\u7528\u5728\u4ecb\u9762\u4e0a
(config-if)#ip access-group < acl id> < act><\/strong><\/p>\n\n\n\n

\u6bd4\u5c0d\u5c01\u5305\u8207acl\u7684\u4e3b\u8981\u898f\u5247<\/strong>
1\u4f9d\u9806\u5e8f\u5faa\u5e8f\u5730\u6bd4\u5c0d\u6e05\u55ae
2\u4e00\u65e6\u6bd4\u5c0d\u5230\u7b26\u5408\u689d\u4ef6\u7acb\u5373\u4f5c\u7528,\u4e0d\u6703\u7e7c\u7e8c\u6bd4\u5c0d\u4e0b\u53bb
3\u82e5\u6bd4\u5c0d\u5230\u6700\u5f8c\u7121\u7b26\u5408\u689d\u4ef6\u5247\u88ab\u4e1f\u68c4,\u56e0\u70ba\u6700\u5f8c\u6709\u96b1\u85cfdeny all\u7684\u547d\u4ee4

………………………………………………………………………………………………………………………………..<\/p>\n\n\n\n

\u8a2d\u5b9astand ACL
(config)#access-list < acl id> < act> < source [source wildcard]><\/strong> [log]<\/strong>
\u6a19\u6e96acl\u5efa\u8b70\u653e\u5728\u9760\u8fd1\u76ee\u7684\u5730\u7684\u5730\u65b9,\u56e0\u70ba\u53ea\u80fd\u9650\u5236\u4f86\u6e90<\/p>\n\n\n\n

< acl id><\/strong>
\u5b58\u53d6\u6e05\u55ae\u7de8\u865f,\u7de8\u865f\u5f9e1\u958b\u59cb,\u53ef\u8a2d\u5b9a\u7684\u7de8\u865f\u4f9d\u5354\u5b9a\u6709\u6240\u4e0d\u540c,\u5982\u4e0b:
\u3000ip:1-99,1300-1399
\u3000extended ip:100-199,2000-2699 \/\/\u8a2d\u5b9aextended acl\u6642\u7528
\u3000appletalk:600-699
\u3000ipx:800-899
\u3000extended ipx:900-999\u3000\/\/\u8a2d\u5b9aextended acl\u6642\u7528
\u3000ipx sap filter:1000-1099

< act><\/strong>
\u6709deny(\u62d2\u7d55),permit(\u5141\u8a31),remark(\u8a3b\u89e3)

< source [source wildcard]><\/strong>
\u50b3\u9001\u5c01\u5305\u7684\u7db2\u8def\u6216\u4e3b\u6a5f\u7de8\u865f
\u3000source wildcard\u70ba\u9078\u64c7\u6027\u53c3\u6578,\u662f\u4e00\u500b32bit\u7684wildcard mask(\u842c\u7528\u906e\u7f69)
\u3000\u8207ip\u4f4d\u7f6e\u914d\u5c0d\u800c\u6210\u7684,\u53ef\u5206\u62104\u500bbyte,\u54048bit
\u3000wildcard mask\u4f4d\u5143\u70ba0\u4ee3\u8868\u6aa2\u67e5\u76f8\u5c0d\u61c9\u7684\u4f4d\u5143\u503c,\u70ba1\u5247\u5ffd\u7565
ps:
\u842c\u7528\u5b57\u5143any,\u53ef\u8868\u793asource=0.0.0.0,source willdcard=255.255.255.255
ex:0.0.0.0 255.255.255.255 \u53ef\u7528any\u8868\u793a
\u842c\u7528\u5b57\u5143host,\u53ef\u8868\u793awildcard mask 0.0.0.0,\u6b64\u70ba\u9810\u8a2d
ex:172.30.16.29 0.0.0.0 \u53ef\u7528host 172.30.16.29\u6216172.30.16.29\u8868\u793a

[log]<\/strong>
\u7522\u751f\u6709\u95dc\u5c01\u5305\u8a73\u7d30\u7684\u7d00\u9304\u8a0a\u606f<\/p>\n\n\n\n

\u6a19\u6e96acl\u5e38\u7528\u7bc4\u4f8b
ex:
\u8a2d\u5b9aacl\u7de8\u865f1\u7684\u63cf\u8ff0
(config)#access-list 1 remark this is a example \/\/\u5c0dacl id 1\u8a3b\u89e3
(config)#access-list 1 deny 172.16.1.1 \/\/\u62d2\u7d55172.16.1.1
(config)#access-list 1 permit 172.16.1.0 0.0.0.255 \/\/\u5141\u8a31\u4efb\u4f55\u4f86\u81ea172.16.1.0\u7684\u7db2\u8def
(config)#access-list 1 deny 172.16.1.1 0.0.255.255 \/\/\u62d2\u7d55\u4efb\u4f55\u4f86\u81ea172.16.0.0\u7684\u7db2\u8def
(config)#access-list 1 deny 172.16.88.0 0.0.7.255 \/\/\u62d2\u7d55\u4efb\u4f55\u4f86\u81ea172.16.88.0\/21\u7684\u7db2\u8def
(config)#access-list 1 deny 172.16.192.0 0.0.31.255 \/\/\u62d2\u7d55\u4efb\u4f55\u4f86\u81ea172.16.192.0\/19\u7684\u7db2\u8def
(config)#access-list 1 permit any \/\/\u5141\u8a31\u4efb\u4f55\u7db2\u8def<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

\u8a2d\u5b9aextended ACL
(config)#access-list < acl id><\/strong> [dynamic] [timeout] < act> < protocol> < addr info> [other options]<\/strong>
extended acl\u5efa\u8b70\u653e\u5728\u9760\u8fd1source\u7684\u5730\u65b9
\u56e0\u70baextended acl\u7684\u8a2d\u5b9a\u8f03\u8a73\u7d30,\u653e\u5728source\u662f\u6c92\u6709\u554f\u984c
\u4e14\u53ef\u7701\u8cc7\u6e90,\u8b93\u5c01\u5305\u4e00\u8981\u51fa\u53bb\u6642\u5c31\u53ef\u4ee5\u6aa2\u67e5,\u800c\u975e\u8d70\u9060\u624d\u767c\u73fe\u6b64\u5c01\u5305\u4e0d\u51c6\u9032\u5165\u76ee\u7684\u7aef<\/p>\n\n\n\n

[dynamic]<\/strong> \u5c07acl\u5b9a\u7fa9\u70ba\u52d5\u614b
[timeout]<\/strong> \u6307\u5b9a\u5b58\u53d6\u6e05\u55ae\u7684\u6709\u6548\u7684\u6642\u9593\u9577\u5ea6,\u9810\u8a2d\u7121\u9650\u9577,\u4ee5\u5206\u9418\u70ba\u55ae\u4f4d
< protocol><\/strong> \u7db2\u8def\u5354\u5b9a\u7684\u540d\u7a31\u6216\u7de8\u865f ex:ip,tcp,eigrp,icmp,…\u7b49
< addr info><\/strong>
\u4f4d\u7f6e\u8cc7\u8a0a,\u683c\u5f0f\u70ba< source [source wildcard]> < destination [destination wildcard]>
\u3000< destination [destination wildcard]> \u5c01\u5305\u50b3\u9001\u5230\u7db2\u8def\u6216\u4e3b\u6a5f\u7684\u7de8\u865f,\u683c\u5f0f\u540csource
\u3000< source [source wildcard]> \u540c\u6a19\u6e96acl 
[other options]<\/strong>
\u5176\u4ed6\u53ef\u9078\u7684\u53c3\u6578,\u683c\u5f0f\u70ba[precedence] [tos] [log|log-input] [time-range] [fragments]
\u3000[precede] \u53ef\u5229\u7528\u512a\u5148\u6b0a\u4f86\u904e\u6ffe\u6d41\u91cf,\u4ee50\u52307\u7684\u6578\u5b57\u8868\u793a
\u3000[tos] \u53ef\u5229\u7528\u670d\u52d9\u7b49\u7d1a\u4f86\u904e\u6ffe\u6d41\u91cf,\u4ee50\u52307\u7684\u6578\u5b57\u8868\u793a
\u3000[log|log-input],log-input\u5305\u62ec\u8f38\u5165\u4ecb\u9762\u8207\u4f86\u6e90mac\u4f4d\u7f6e,\u6216\u7d00\u9304\u8f38\u51fa\u4e2d\u7684vc
\u3000[time-range] \u61c9\u7528\u5728\u6b64\u6558\u8ff0\u6642\u9593\u7bc4\u570d\u7684\u540d\u7a31
\u3000[fragments] \u5c07acl\u9805\u76ee\u61c9\u7528\u5230noninitial(\u975e\u521d\u59cb\u5316\u7684)\u5c01\u5305\u7247\u6bb5\u4e0a,\u56e0\u6b64\u4e0d\u662f\u5141\u8a31\u5c31\u662f\u62d2\u7d55\u5c01\u5305\u7247\u6bb5
ex:
time-range\u5927\u81f4\u7528\u6cd5
(config)#time-range
(config-time-range)#periodic
(config)#access-list 101 permit tcp any any time-range<\/p>\n\n\n\n

fragments<\/strong>
\u82e5packet\u70bafragment,
\u9810\u8a2d\u53ea\u5b8c\u6574\u6aa2\u67e5initial fragment,noninitial fragment\u53ea\u6aa2\u67e5protocol,src\/dst ip,\u82e5\u7b26\u5408\u5247\u653e\u884c,\u4e0d\u7b26\u5408\u5247\u6bd4\u5c0d\u4e0b\u4e00\u689dacl 
\u82e5\u52a0\u4e86fragments,\u5247\u6703\u5c0dnoninitial fragment\u9032\u884c\u63a7\u5236 <\/p>\n\n\n\n

ACL\u548cICMP\u8207IGMP <\/strong>
extended ACL\u61c9\u7528\u5728icmp\u6216igmp\u6642,[protocol]=icmp\u6216igmp
(config)#access-list < acl id> [dynamic] [timeout] < act> < protocol> < addr info> [icmp] [other options]<\/strong>
[icmp]\u53ef\u4f7f\u7528\u6b04\u4f4d\u5982\u4e0b:
\u3000[icmp-type] \u5229\u7528icmp\u8a0a\u606f\u985e\u578b\u4f86\u904e\u6ffeicmp\u5c01\u5305,icmp\u8a0a\u606f\u985e\u578b\u662f\u4ecb\u65bc0-255\u7684\u6578\u5b57
\u3000[icmp-code] \u5229\u7528icmp\u8a0a\u606f\u78bc\u9032\u884c\u904e\u6ffeicmp\u5c01\u5305,icmp\u8a0a\u606f\u78bc\u662f\u4ecb\u65bc0-255\u7684\u6578\u5b57
\u3000[icmp-message] \u5229\u7528icmp\u8a0a\u606f\u540d\u7a31\u904e\u6ffeicmp\u5c01\u5305
\u3000[igmp-type] \u5229\u7528icmp\u8a0a\u606f\u985e\u578b\u4f86\u904e\u6ffeigmp\u5c01\u5305,igmp\u8a0a\u606f\u985e\u578b\u662f\u4ecb\u65bc0-15\u7684\u6578\u5b57,\u91dd\u5c0digmp<\/p>\n\n\n\n

ACL\u548cTCP\u8207UDP<\/strong>
extended ACL\u61c9\u7528\u5728tcp\u6216udp\u6642,[protocol]=tcp\u6216udp
(config)#access-list < acl id> [dynamic] [timeout] < act> < protocol> < detail addr info> [established] [other options]<\/strong>
< detail addr info>
<\/strong>\u683c\u5f0f\u70ba< source [source wildcard] [operator [port]]> < destination [destination wildcard] [operator [port]]>
\u3000[operator] \u6bd4\u8f03\u4f86\u6e90\u8207\u76ee\u7684\u5730\u57e0,\u904b\u7b97\u7a2e\u985e\u6709lt(\u5c0f\u65bc),gt(\u5927\u65bc),eq(\u7b49\u65bc),neq(\u4e0d\u7b49\u65bc),range(\u7bc4\u570d)
\u3000[port] \u904e\u6ffetcp\u6216udp\u7684\u57e0\u6216\u540d\u7a31
[established]
<\/strong>\u91dd\u5c0dtcp,\u8868\u793a\u5df1\u5efa\u7acb\u7684\u9023\u7dda
ex:
\u8a2d\u5b9aacl\u7de8\u865f101\u7684\u63cf\u8ff0
(config)#access-list 101 permit tcp 172.16.6.0 0.0.0.255 any eq telnet \/\/\u5141\u8a31\u4f86\u81ea172.16.6.0\u7db2\u8def\u7684\u5c01\u5305\u4f7f\u7528telnet
(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 \/\/\u62d2\u7d55172.16.4.0\/24\u7684port21\u8cc7\u6599\u5230172.16.3.0\/24
(config)#access-list 101 deny tcp host 172.16.10.1 host 172.16.30.5 eq 23 \/\/\u62d2\u7d55172.16.10.1 telnet\u5230172.16.30.5
(config)#access-list 101 permit ip any any eq SMTP \/\/\u5141\u8a31SMTP
(config)#access-list 101 permit ip any any \/\/\u5141\u8a31\u5176\u4ed6\u8cc7\u6599
(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 \/\/\u5141\u8a31\u5176\u4ed6\u8cc7\u6599\uff0c\u548cany any\u76f8\u540c<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

\u547d\u540d\u5f0fACL
(config)#ip access-list < class> < name><\/strong>
< class>\u9078standed,\u57f7\u884c\u5f8c\u9032\u5165(config-std-nacl)#
< class>\u9078extended,\u57f7\u884c\u5f8c\u9032\u5165(config-ext-nacl)#
\u8a2d\u5b9a\u898f\u5247\u548cacl\u540c,\u4f46\u7701\u7565access-list < acl id>
ps:acl\u540d\u7a31\u4e0d\u53ef\u91cd\u8986,\u4e14\u53ea\u5728IOS11.2\u4e4b\u5f8c\u652f\u63f4
ex:\u8a2d\u5b9aacl\u540d\u7a31\u70baserver-access\u7684\u63cf\u8ff0,\u4e26\u61c9\u7528\u5728\u5f9eeth0\u4ecb\u9762\u51fa\u53bb
(config)#ip access-list extended server-access
(config-ext-nacl)#permit tcp any host 131.108.101.99 eq smtp \/\/\u53ea\u53ef\u5b58\u53d6\u96fb\u5b50\u90f5\u4ef6
(config-ext-nacl)#deny ip any any \/\/\u62d2\u7d55\u6240\u6709ip
(config-ext-nacl)#^z
(config)#interface ethernet 0
(config-if)#ip access-group server-access out<\/p>\n\n\n\n

…………………………………………………………………………………………………………………….<\/p>\n\n\n\n

\u8a2d\u5b9a\u4ecb\u9762\u4f7f\u7528acl
(config-if)#ip access-group < acl id|acl name> < act><\/strong>
< acl id|acl name>\u5b58\u53d6\u6e05\u55ae\u7de8\u865f\u6216\u540d\u7a31
< act>\u6709in(\u9032\u5165),out(\u51fa\u53bb)
ps:\u6bcf\u500b\u4ecb\u9762\u7684\u6bcf\u500b\u5354\u5b9a\u7684\u6bcf\u500b\u65b9\u5411\u53ea\u53ef\u6709\u4e00\u500bACL
ex:
\u8b93\u9032\u5165ethernet0\u4ecb\u9762\u4f7f\u7528acl\u7de8\u865f1\u7684\u63cf\u8ff0
(config)#interface ethernet 0
(config-if)#ip access-group 1 in<\/p>\n\n\n\n

\u8a2d\u5b9a\u865b\u64ec\u7d42\u7aef\u6a5f\u4f7f\u7528ACL
(config-line)#access-class < stand acl id> < act><\/strong>
< stand acl id>\u6a19\u6e96\u5b58\u53d6\u6e05\u55ae\u7de8\u865f,\u76ee\u524d\u53ea\u652f\u63f4\u6a19\u6e96access-list\u8a2d\u5b9a\u7684\u7de8\u865f
< act>\u6709in(\u9032\u5165),out(\u51fa\u53bb)
ex:
\u8b93\u9032\u5165vty 0-4\u4f7f\u7528acl\u7de8\u865f1\u7684\u63cf\u8ff0
(config)#line vty 0 4
(config-line)#access-class 1 in<\/p>\n\n\n\n

…………………………………………………………………………………………………………………….<\/p>\n\n\n\n

\u986f\u793aACL
#show access-list [acl-id]<\/strong>
\u8d8a\u5f8c\u9762\u7684\u898f\u5247\u8868\u793a\u8d8a\u665a\u52a0\u5165\u7684
\u756b\u9762\u5927\u81f4\u5982\u4e0b
Standard IP access list 1   \/\/\u6a19\u6e96acl
\u30001 deny host 24.17.2.18 (5 matches)  \/\/\u62d2\u7d5524.17.2.18
\u30001 permit any (395 matches)   \/\/\u4f46\u5141\u8a31\u5176\u4ed6\u6240\u6709
Extended IP access list account  \/\/\u547d\u540d\u5f0f\u5ef6\u4f38acl
\u3000permit ip any any (0 matches)<\/p>\n\n\n\n

\u5224\u65b7acl\u662f\u5426\u61c9\u7528\u5728\u4ecb\u9762\u4e0a\u53ef\u7528
#show running-config<\/strong>
\u76f8\u95dc\u8cc7\u8a0a\u756b\u9762\u5927\u81f4\u5982\u4e0b
…\u7701\u7565
interface Ethernet0
ip address 24.17.2.2 255.255.255.240
no ip directed-broadcast
ip access-group 1 in \/\/eth0\u4ecb\u9762\u4f7f\u7528acl 1\u5728\u9032\u5165\u7684\u4ecb\u9762
…\u7701\u7565
access-list 1 deny host 24.17.2.18 \/\/acl 1\u7684\u5167\u5bb9
access-list 1 permit any
ip access-list extended account  \/\/\u547d\u540d\u5f0f\u5ef6\u4f38acl acount\u7684\u5167\u5bb9\u3000
\u3000permit ip any any
…\u7701\u7565<\/p>\n\n\n\n

\u770bacl\u61c9\u7528\u5728\u4ecb\u9762\u4e0a\u7684\u7de8\u865f\u548cdirection(\u65b9\u5411)
#show ip interface<\/strong>
\u4ee5\u770bs0\u4ecb\u9762\u7684acl\u70ba\u4f8b,\u756b\u9762\u5927\u81f4\u5982\u4e0b
serial 0 is up, line protocol is up
…\u7701\u7565
outgoing access list is 101 \/\/\u9032\u5165\u65b9\u5411\u4f7f\u7528acl 101
Inbound access list is not set \/\/\u51fa\u53bb\u65b9\u5411\u6c92\u8a2d\u5b9aacl
…\u7701\u7565<\/p>\n","protected":false},"excerpt":{"rendered":"

ACL(access control list,\u5b58\u53d6\u63a7\u5236\u6e05\u55ae …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-870","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=870"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/870\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}