.
(access control list ACL) , , . . , , . , .
, , , , . , , .
ACL
ACL, , , IP .
Router(config)# access-list permit | deny source-address source-mask,
, source-address , source-mask , , permit , deny . . access-list , .. . , source-address , . , , , , . . 1 99. , 255.255.0.0 0.0.255.255.
Cisco , , , .
Router(config)# access-list # deny 0.0.0.0 255.255.255.255
, 1.1.1.1
Router(config)# access-list 77 permit 1.1.1.1 0.0.0.0.
, 77.
. 10.3.16.0 10.3.31.255. 0.0.15.255.
|
|
Router(config)# access-list 100 permit 10.3.16.0 0.0.15.255
,
Router(config-if)# ip access-group -- in out
C (in) (out). , . , , . , , . . , 77 Ethernet 0
Router(config)# int Ethernet 0
Router(config-if)# ip access-group 77 in
Ethernet 0
Router(config-if)# ip access-group 77 out
no
Router(config-if)# no ip access-group 77 out
. 1. , 10.1.1.0 /25 (10.1.1.0 255.255.255.128), , 10.1.1.128 /25 (10.1.1.128 255.255.255.128). , 15.1.1.0 /24 (15.1.1.0 255.255.255.0), 15.1.1.5. . 2.
Router(config)# access-list 2 deny 10.1.1.128 0.0.0.127
Router(config)# access-list 2 permit 15.1.1.5 0.0.0.0
Router(config)# access-list 2 deny 15.1.1.0 0.0.0.255
Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255
10.1.1.0 255.255.255.128. access-list 2 permit 0.0.0.0 255.255.255.255.
, .
1. , 10.1.1.0 255.255.255.128.
. , , permit 0.0.0.0 255.255.255.255.
2. , 10.1.1.128 255.255.255.128.
. 0.0.0.127 . , , . 255.255.255.128, , .
|
|
3. , 15.1.1.0 255.255.255.0, 15.1.1.5
9.1.
. , . , . , 15.1.1.0 255.255.255.0 15.1.1.5. , , , 15.1.1.0 15.1.1.5. , 15.1.1.5 deny 15.1.1.0 0.0.0.255.
4.
, .
, .
1. .
2. ccess-list, .
3. , .
. , . . , . , . , , , , .
1. ( 1.1.1.2 1.1.1.0/24), 15.1.1.0 /24 (15.1.1.5) . , 10.1.1.128 / 25 D (10.1.1.133). . 1 PC5 (15.1.1.5) 15.1.1.0/24.
. 2. 2, , . , 1. Ethernet A 1, .
ACL
ACL , . ACL . . , TCP UDP , ICMP . ACL, log .
access-list access-list-number {permit | deny} protocol source source-wildcard [operator source-port] destination destination-wildcard [operator destination-port] [precedence precedence-number] [tos tos] [established] [log | log-input],
access-list-number -100-199|2000-2699, protocol - ip, icmp, tcp, gre, udp, igrp, eigrp, igmp, ipinip, nos ospf. source-port destination-port bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois www. Operator eq (), neq ( ), gt ( ), lt ( ), range ( ).
|
|
ACL ACL
Router(config-if)# ip access-group ACL in
Router(config-if)# ip access-group ACL ut
ACL - .
ACL
SMTP
Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 25
Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 23
ACL .
ACL
ACL , , . ACL
Router(config)# ip access-list extended ACL_name
Router(config-ext-nacl)# permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]
exit.
. , . ip ACL . permit deny access-list .
ACL
Router(config)# interface type [slot_]port_
Router(config-if)# ip access-group ACL_name in|out
ACL . . , . ACLs , . (out) ACLs , , .
ACLs . ,
Router(config)# ip access-list extended ACL_name
, . , . . . . no .
ACLs .
.
1. , 2.
9.2.
( 255.255.255.240) . DCE .
Router2 | Router1 | Router4 | |
Ethernet | 24.17.2.2 | 24.17.2.1 | |
Serial | 24.17.2.17 | 24.17.2.18 |
|
|
RIP
Router1
Router1(config)# router rip
Router1(config- router)# version 2
Router1(config- router)# network 24.0.0.0
Router2
Router2(config)# router rip
Router1(config- router)# version 2
Router2(config- router)# network 24.0.0.0
Router4
Router4(config)# router rip
Router1(config- router)# version 2
Router4(config- router)# network 24.0.0.0
ping , , Ethernet0 (24.17.2.2) 2 4
Router4# ping 24.17.2.2
, 2 4. 24.17.2.18 4 . 2
Router2(config)# access-list 1 deny 24.17.2.18 0.0.0.0
Router2(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Ethernet 2
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip access-group 1 in
, .
Router2# show running-config
, , show ip interface. Innbound access list is 1.
Router2# show ip interface
show access-lists .
Router2# show access-lists
, host 24.17.2.18 24.17.2.18 0.0.0.0. Ethernet0 (24.17.2.2) 2 4
Router4# ping 24.17.2.2
UUUUU, , .
- 2,
9.3.
( 255.255.255.0)
Router2 | Router1 | Router3 | Router4 | |
Ethernet 0 | 160.10.1.2 | 160.10.1.1 | 175.10.1.2 | 180.10.1.2 |
Ethernet 1 | 175.10.1.1 | 180.10.1.1 |
OSPF
Router1
Router1(config)# router ospf 1
Router1(config- router)# network 160.10.1.0 0.0.0.255 area 0
Router1(config- router)# network 175.10.1.0 0.0.0.255 area 0
Router2
Router2(config)# router ospf 1
Router2(config- router)# network 160.10.1.0 0.0.0.255 area 0
end
Router3
Router3(config) # router ospf 1
Router3(config- router)# network 175.10.1.0 0.0.0.255 area 0
Router3(config- router)# network 180.10.1.0 0.0.0.255 area 0
Router4
Router4(config)# router ospf 1
Router4(config- router)# network 180.10.1.0 0.0.0.255 area 0
router2#ping 180.10.1.2
router4#ping 160.10.1.2
, ethernet0 1- router1 175.10.1.0 (router3) .
router1(config)# access-list 1 permit 175.10.1.0 0.0.0.255
,
router1# show access-list
Ethernet 1
router1(config)# interface FastEthernet1/0
router1(config-if)# ip access-group 1 in
router1# show running-config
3 2 4 2.
router3# ping 160.10.1.2
router4# ping 160.10.1.2
3 2- , 4 2 - .
180.10.1.0 (router4) .
router1(config)# no access-list 2
router1(config)# access-list 2 permit 180.10.1.0 0.0.0.255
,
router1# show access-list
Ethernet 1
router1(config)# interface FastEthernet1/0
router1(config-if)# ip access-group 1 in
router1# show running-config
3 2 4 2.
router3# ping 160.10.1.2
router4# ping 160.10.1.2
4 2- , 3 2 - .
3. IP 1 OSPF .
router 1
router1(config)# router ospf 1
router1(config-router)# network 2.2.2.0 0.0.0.255 area 0
router1(config-router)# network 1.1.1.0 0.0.0.255 area 0
router1(config-router)# network 10.1.1.0 0.0.0.127 area 0
router 2
Router2(config)# router ospf 1
|
|
Router2(config-router)# network 10.1.1.128 0.0.0.127 area 0
Router2(config-router)# network 15.1.1.0 0.0.0.255 area 0
Router2(config-router)# network 2.2.2.0 0.0.0.255 area 0
: . : A, B, C, D, PC5 .
3.1 router 1
router1(config)# access-list 2 deny 10.1.1.128 0.0.0.127
router1(config)# access-list 2 permit host 15.1.1.5
router1(config)# access-list 2 deny 15.1.1.0 0.0.0.255
router1(config)# access-list 2 permit 0.0.0.0 255.255.255.255
Ethernet0
router1(config)# interface FastEthernet0/0
router1(config-if)# ip access-group 2 out
router1# show access-list
A, B, C, PC5, D.
\ | A | B | C | E | D |
A | + | + | + | - | - |
B | + | + | + | + | + |
C | + | + | + | + | + |
E | - | + | + | + | + |
D | - | + | + | + | + |
1
, .
3.2 ACL c 0 s0
router1(config)# interface fa0/0
router1(config-if)# no ip access-group 2 out
router1(config-if)# int s2/0
router1(config-if)# ip access-group 2 in
A, B, C, PC5, D.
\ | A | B | C | E | D |
A | + | + | + | - | - |
B | + | + | + | - | - |
C | + | + | + | + | + |
E | - | - | + | + | + |
D | - | - | + | + | + |
2
, 10.1.1.0/25 10.1.1.128/25 . 10.1.1.0/25 15.1.1.0/24 15.1.1.5.
4. 1
, 1
Router2(config)# no access-list 1 deny 24.17.2.18 0.0.0.0
Router2(config)# no access-list 1 permit 0.0.0.0 255.255.255.255
Ethernet 2
Router2(config)# interface fa0/0
Router2(config-if)# no ip access-group 1 in
router1 router1
Router1(config)# line vty 0 4
Router1(config-line)# login
Router1(config-line)# password router1
EACL . 24.17.2.16/240 router1
router1(conf)# access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log
log .
router1 Ethernet 0 24.17.2.0/240
router1(conf)# access-list 102 permit ip 24.17.2.0 0.0.0.15 any
router1#show access-list
router1(conf)# interface Serial2/0
router1(conf-if)# ip access-group 101 in
router1(conf-if)# interface fa0/0
router1(conf-if)# ip access-group 102 in
, EACL ,
router1# show running-config
router1# show ip interface
EACL. router4 Serial2/0 router1
router4# ping 24.17.2.17
EACL 101 ping. telnet
router4# telnet 24.17.2.17
. router1. router4# router1>. ctrl-shift-6 6, router4. EACL 101 router1
router4# show sess
router4# disconnect 1
router2 , Serial0 router4.
Router2# ping 24.17.2.18
? Router2, Router1 ( EACL 102 router1
) Router4. Router4 Router1. Router4 , . Serial0 router1 , IP Serial0 router4 24.17.2.17, tcp.
router2 , Ethernet0 router1.
router2# ping 24.17.2.1
.
router2# telnet 24.17.2.1
EACL . EACL 102 router1 .
, RIP
5. ACL
router1 EACL
router1(conf)# interface Serial0
router1(conf-if)# no ip access-group 101 in
router1(conf-if)# interface Ethernet0
router1(conf-if)# no ip access-group 102 in
router1 EACL
router1(conf)# no access-list 101
router1(conf)# no access-list 102
router4 router2. router1 router2. ACL ( ), deny_ping router2.
router2(config)# ip access-list extended deny_ping
router2(config-ext-nacl)# deny icmp 24.17.2.18 0.0.0.0 24.17.2.2 0.0.0.0 log
router2(config- ext-nacl)# permit ip any any log
, deny_ping. ICMP 24.17.2.18 24.17.2.2. IP .
router2# show access-list
, deny icmp 24.17.2.18 0.0.0.0 24.17.2.2 0.0.0.0 log.
Ethernet0 router2
Router2(conf)# interface Ethernet0
Router2(conf-if)# ip access-group deny_ping in
router4 2
router4# ping 24.17.2.2
. router1 2
Router1# ping 24.17.2.2
. router2 -: router4 router1
6. .
.
9.4.
1912. Router1 - 805. Router2 - 1605.
IP
Router1 | Router2 | |
Fa0/0 | 1.1.3.1/24 | 1.1.1.129/25 |
Fa1/0 | 1.1.1.1/25 | |
Serial2/0 | 1.1.2.1/24 | 1.1.2.2/24 |
Hostname | IP ethernet0 | |
PC1 | 1.1.3.2 255.255.255.0 | 1.1.3.1 |
PC2 | 1.1.1.130 255.255.255.128 | 1.1.1.129 |
PC3 | 1.1.1.131 255.255.255.128 | 1.1.1.129 |
PC4 | 1.1.1.2 255.255.255.128 | 1.1.1.1 |
PC5 | 1.1.1.3 255.255.255.128 | 1.1.1.1 |
Router1 Router2 RIP
Router(config)# router rip
Router(config-router)# network 1.0.0.0
.
6.1. -.
, PC4 PC5 PC1 PC2 PC3 PC1. router2 router1, serial2/0 router1
Router1(conf)# access-list 100 permit ip 1.1.1.0 0.0.0.127 1.1.3.0 0.0.0.255 log
Router1(conf)# access-list 100 permit ip 1.1.2.0 0.0.0.255 any log
, RIP .
Router1# show access-list
.
Router1(conf)# interface Serial2/0
Router1(conf-if)# ip access-group 100 in
, PC1 PC2, PC3, PC4 PC5.
PC# Ping 1.1.3.2
PC2 PC3 . PC4 PC5 . . router1
.
6.2. -.
router2 , PC5 PC2. router2.
Router2(conf)# access-list 101 deny ip 1.1.1.130 0.0.0.0 1.1.1.3 0.0.0.0 log
Router2(conf)# access-list 101 permit ip any any
Router2# show access-list
fast Ethernet router2
Router2(conf)# interface FastEthernet0/0
Router2(conf-if)# ip access-group 101 in
PC2 , PC5
PC2# Ping 1.1.1.3
router2
PC3 , PC5.
PC3# Ping 1.1.1.3
router2
6.3. -.
Router1 Router2.
Router1(conf)# interface Serial2/0
Router1(conf-if)# no ip access-group 100 in
Router2(conf)# interface FastEthernet0/0
Router2(conf-if)# no ip access-group 101 in
, PC1 PC2 PC3. , IP .
Router2(conf)#access-list 102 deny ip 1.1.1.128 0.0.0.127 1.1.3.2 0.0.0.0 log
Router2(conf)#access-list 102 permit ip any any
Router2# show access-list
Serial2/0 Router2
Router2(conf)# interface Serial2/0
Router2(conf-if)# ip access-group 102 out
PC1 (1.1.3.2) PC2 PC3. . - Router2.
(matches) .
1. ACL?
2. / ?
3. ACL?
4. ACL ?
5. ACL?
6. ACL?
7. ACL ?
8. ACL ?
9. ACL?
10. ACL .
11. ACL?
12. ACL ?
13. , ACL, TCP/IP ?
14. ACL.
15. ACL?
16. ACL?
17. ACL?