ACL: Access Control Lists
I. Understanding ACLs
ACL is short for Access Control List.
An access control list is a method of controlling access rights to computer resources (files, directories, mailboxes and so on). The ACL specifies which users may access a resource and which operations they may perform on it.
1. Why ACLs appeared:
Originally, to overcome the limits of file permissions on traditional UNIX systems.
On a traditional UNIX system each file has three kinds of permission, read (r), write (w) and execute (x), applied separately to the file's owner, its group and all other users. This scheme is too coarse to express complex access-control requirements.
ACLs were introduced so that an administrator can set finer-grained access control on each file or directory: they still control read, write and execute permission, but also let different users and groups be given different rights on each file or directory.
2. Functions:
(1) Access restriction: match traffic on the interface where it enters or leaves the router, then restrict it;
For each resource, an ACL can define different access rights for different users or groups, giving fine-grained control over the resource.
(2) Defining interesting traffic (selecting the flows that another feature should act on).
II. Getting to know ACLs
1. Matching rules:
(1) Rules are checked from top to bottom, one at a time; the first rule that matches is executed and no later rule is examined;
(2) An ACL is applied either in (the ACL is matched first, then the routing lookup is done) or out (the routing lookup is done first, then the ACL is matched);
(3) The rule list must have a pyramid shape (specific rules above, general rules below);
(4) ACLs are divided into standard ACLs (basic ACLs on Huawei) and extended ACLs (advanced ACLs on Huawei);
(5) On Cisco there is an implicit deny-all at the end of every ACL; on Huawei devices a packet that matches no rule is not acted on by default (it passes).
2. ACL types:
Standard ACL: matches on the source IP address; apply it as close to the destination as possible;
Extended ACL: matches on source IP, destination IP and protocol; apply it as close to the source as possible (but not on the source itself: an ACL cannot filter traffic the device itself generates).
ACL deployment: the parameter that follows an address in a rule is a wildcard mask, in which a 0 bit means "this bit must match" and a 1 bit means "this bit may be anything".
INTEGER<2000-2999>: numbers used by standard ACLs; each number is one list;
INTEGER<3000-3999>: numbers used by extended ACLs.
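To make the matching rules above concrete, here is a small Python model. It is an added example for this edition, not code from the original article and not Huawei or Cisco software: it evaluates a numbered ACL top-down with first-match semantics, applies wildcard masks bit by bit, enforces that a basic ACL (2000-2999) can only match the source address, switches the default action between Cisco's implicit deny and Huawei's "no action", and reports rules that break the pyramid rule because an earlier, broader rule shadows them. Rule ids are derived as multiples of the ACL step, as in the "Acl's step is 5" line of display acl later on this page; the addresses in the two lab_* helpers are the ones this page's lab uses, everything else (the packet dict layout, the class names) is the example's own.

```python
# Added example, not code from the original article: a model of numbered ACL
# evaluation as the matching rules above describe it: top-down, first match
# wins; in a wildcard mask a 0 bit must match and a 1 bit is ignored; a basic
# ACL (2000-2999) matches only the source, an advanced ACL (3000-3999) also
# protocol, destination and destination port; an unmatched packet is denied on
# Cisco (implicit deny) but passes on Huawei (no action). Rule ids follow the
# ACL step (rule 5, rule 10, ...), as in the "Acl's step is 5" line of display acl.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ANY = "255.255.255.255"  # wildcard that ignores every bit: "any address"


def fixed_bits(wildcard: str) -> int:
    """Mask of the bit positions a wildcard forces to match (its 0 bits)."""
    return ~int(IPv4Address(wildcard)) & 0xFFFFFFFF


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Compare only the wildcard's 0 bits; its 1 bits may be interleaved (0.255.0.255)."""
    fixed = fixed_bits(wildcard)
    return int(IPv4Address(addr)) & fixed == int(IPv4Address(network)) & fixed


def wildcard_covers(net_a: str, wc_a: str, net_b: str, wc_b: str) -> bool:
    """True when (net_a, wc_a) matches every address that (net_b, wc_b) matches."""
    fa, fb = fixed_bits(wc_a), fixed_bits(wc_b)
    return fa & ~fb == 0 and int(IPv4Address(net_a)) & fa == int(IPv4Address(net_b)) & fa


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    source: str = "0.0.0.0"
    source_wc: str = ANY
    protocol: Optional[str] = None  # advanced only: "icmp", "tcp", "udp" or "ip" (any)
    destination: str = "0.0.0.0"
    destination_wc: str = ANY
    dst_port: Optional[int] = None  # advanced only

    def matches(self, pkt: dict) -> bool:
        return (wildcard_match(pkt["src"], self.source, self.source_wc)
                and (self.protocol in (None, "ip") or pkt.get("proto") == self.protocol)
                and wildcard_match(pkt["dst"], self.destination, self.destination_wc)
                and (self.dst_port is None or pkt.get("dport") == self.dst_port))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, self matches too (other is shadowed)."""
        return (wildcard_covers(self.source, self.source_wc, other.source, other.source_wc)
                and wildcard_covers(self.destination, self.destination_wc,
                                    other.destination, other.destination_wc)
                and (self.protocol in (None, "ip") or self.protocol == other.protocol)
                and (self.dst_port is None or self.dst_port == other.dst_port))


@dataclass
class Acl:
    number: int
    vendor: str = "huawei"  # "huawei" or "cisco": decides what happens when nothing matches
    step: int = 5
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> "Acl":
        basic = 2000 <= self.number <= 2999
        if not basic and not 3000 <= self.number <= 3999:
            raise ValueError(f"ACL {self.number}: not a basic or advanced ACL number")
        if basic and (rule.protocol is not None or rule.dst_port is not None
                      or rule.destination_wc != ANY):
            raise ValueError("a basic ACL can only match on the source address")
        self.rules.append(rule)
        return self

    def evaluate(self, pkt: dict):
        """Top-down, first match wins. Returns (action, id of the matching rule or None)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, (index + 1) * self.step
        # Nothing matched: Cisco's implicit deny-all versus Huawei's "no action".
        return ("deny" if self.vendor == "cisco" else "permit"), None

    def shadowed(self) -> list:
        """Ids of rules an earlier, broader rule stops from ever firing: a broken pyramid."""
        return [(j + 1) * self.step for j, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:j])]


def lab_basic_acl(vendor: str = "huawei") -> Acl:
    """ACL 2000 of the lab on this page: rule deny source 192.168.1.3 0.0.0.0."""
    return Acl(2000, vendor).add(Rule("deny", "192.168.1.3", "0.0.0.0"))


def lab_advanced_acl() -> Acl:
    """ACL 3000 of the lab on this page: deny ICMP from 192.168.1.2 to 192.168.2.2."""
    return Acl(3000).add(Rule("deny", "192.168.1.2", "0.0.0.0", "icmp", "192.168.2.2", "0.0.0.0"))
```

The vendor switch is the point to remember: the same one-rule deny list drops everything else on Cisco and passes everything else on Huawei, so a list written for one platform needs an explicit final permit or deny before it is moved to the other. The shadowed() check is what "pyramid shape" means in practice: a host-specific permit placed below a subnet-wide deny can never match.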
III. Basic ACL configuration
As usual the explanation follows a lab; the topology diagram is shown below (figure not reproduced here):
To keep the focus on the ACL, the PCs' IP addresses are configured manually (static addressing);
Lab requirement: PC1
1. Configure IP addresses
First I configure the IP addresses on the router interfaces and on the PCs;
R1 configuration:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys r1
[r1]user-interface console 0
[r1-ui-console0]idle-timeout 0 0
[r1-ui-console0]int g0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
May 7 2023 11:20:43-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
May 7 2023 11:21:05-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[r1-GigabitEthernet0/0/1]quit
[r1]
R2 configuration:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys r2
[r2]user-interface console 0
[r2-ui-console0]idle-timeout 0 0
[r2-ui-console0]int g0/0/0
[r2-GigabitEthernet0/0/0]ip address 12.1.1.2 24
May 7 2023 11:22:20-08:00 r2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[r2-GigabitEthernet0/0/0]int g0/0/1
[r2-GigabitEthernet0/0/1]ip address 192.168.2.1 24
May 7 2023 11:22:32-08:00 r2 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[r2-GigabitEthernet0/0/1]quit
[r2]
PC1 to PC4: IP addresses configured manually on each PC (screenshots not reproduced here).
2. Configure OSPF
R1 configuration:
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[r1-ospf-1-area-0.0.0.0]quit
[r1-ospf-1]quit
[r1]
May 7 2023 14:11:19-08:00 r1 %%01OSPF/4/NBR_CHANGE_E(l)[0]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=2.1.1.12, NeighborEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init)
[r1]
May 7 2023 14:11:23-08:00 r1 %%01OSPF/4/NBR_CHANGE_E(l)[1]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=2.1.1.12, NeighborEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=ExStart)
[r1]
May 7 2023 14:11:23-08:00 r1 %%01OSPF/4/NBR_CHANGE_E(l)[2]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=2.1.1.12, NeighborEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=Exchange)
[r1]
May 7 2023 14:11:23-08:00 r1 %%01OSPF/4/NBR_CHANGE_E(l)[3]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=2.1.1.12, NeighborEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loading)
[r1]
May 7 2023 14:11:23-08:00 r1 %%01OSPF/4/NBR_CHANGE_E(l)[4]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=2.1.1.12, NeighborEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Full)
[r1]
R2 configuration:
[r2]ospf 1 router-id 2.2.2.2
[r2-ospf-1]area 2
[r2-ospf-1-area-0.0.0.2]quit
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[r2-ospf-1-area-0.0.0.0]quit
[r2-ospf-1]quit
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[4]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init)
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[5]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=2Way)
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[6]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=AdjOk?, NeighborPreviousState=2Way, NeighborCurrentState=ExStart)
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[7]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=Exchange)
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[8]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loading)
[r2]
May 7 2023 14:11:23-08:00 r2 %%01OSPF/4/NBR_CHANGE_E(l)[9]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=1.1.1.12, NeighborEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Full)
3. Demonstrating full reachability (ping screenshots not reproduced here)
4. Create the ACL
[r2]acl 2000
[r2-acl-basic-2000]rule deny source 192.168.1.3 0.0.0.0
[r2-acl-basic-2000]quit
A basic ACL is used here;
Because it is a standard ACL it should sit as close to the destination as possible, which is why it is configured on R2.
Note: ACLs use wildcard masks while OSPF uses inverse masks; the difference is that in a wildcard the 0s and 1s may be interleaved.
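Why the placement rule matters is easier to see on a model of this lab than in prose, so here is an added Python example (not code from the original article, and not router software). It walks a packet hop by hop through the two routers and applies whatever basic ACL is bound to each interface in each direction, the way traffic-filter inbound/outbound does; it also models the caveat from section II that a router's ACLs never filter the router's own traffic. The lab addresses are the page's (PC1 192.168.1.2, PC3 192.168.2.2, R1 g0/0/1 12.1.1.1, R2 g0/0/0 12.1.1.2); the addresses of PC2 (192.168.1.3) and PC4 (192.168.2.3) are assumptions, since the page does not state them, and the hop table and function names are the example's own.

```python
# Added example, not code from the original article: a model of the two-router
# lab that shows why a basic (source-only) ACL belongs near the destination.
# Page addresses: PC1 192.168.1.2, PC3 192.168.2.2, R1 g0/0/1 12.1.1.1,
# R2 g0/0/0 12.1.1.2. Assumed (not on the page): PC2 192.168.1.3, PC4 192.168.2.3.
from ipaddress import IPv4Address, IPv4Network

# Path of a packet as (router, ingress interface, egress interface) hops.
# ingress None: the router generated the packet itself; egress None: the packet
# is addressed to the router itself. Constructed to mirror the lab topology.
PATHS = {
    ("LAN1", "LAN2"): [("R1", "g0/0/0", "g0/0/1"), ("R2", "g0/0/0", "g0/0/1")],
    ("LAN1", "R2"):   [("R1", "g0/0/0", "g0/0/1"), ("R2", "g0/0/0", None)],
    ("R1", "R2"):     [("R1", None, "g0/0/1"), ("R2", "g0/0/0", None)],
}


def segment(ip: str) -> str:
    """Where an address lives in the lab topology."""
    if IPv4Address(ip) in IPv4Network("192.168.1.0/24"):
        return "LAN1"
    if IPv4Address(ip) in IPv4Network("192.168.2.0/24"):
        return "LAN2"
    return {"12.1.1.1": "R1", "12.1.1.2": "R2"}[ip]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """The wildcard's 0 bits must match, its 1 bits are ignored."""
    fixed = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & fixed == int(IPv4Address(network)) & fixed


def basic_acl_action(rules, src: str) -> str:
    """Top-down first match on the source; the Huawei default with no match is to pass."""
    for action, network, wildcard in rules:
        if wildcard_match(src, network, wildcard):
            return action
    return "permit"


def forward(bindings: dict, src: str, dst: str) -> str:
    """Walk a packet from src to dst through the filters in `bindings`.

    bindings maps (router, interface, "inbound" | "outbound") to a rule list,
    like traffic-filter inbound/outbound acl <n> on that interface.
    Returns "delivered" or where the packet was dropped.
    """
    for router, ingress, egress in PATHS[(segment(src), segment(dst))]:
        if ingress is None:
            continue  # the caveat from section II: a router's ACLs do not filter its own traffic
        for iface, direction in ((ingress, "inbound"), (egress, "outbound")):
            rules = bindings.get((router, iface, direction)) if iface else None
            if rules and basic_acl_action(rules, src) == "deny":
                return f"dropped at {router} {iface} {direction}"
    return "delivered"


DENY_PC2 = [("deny", "192.168.1.3", "0.0.0.0")]                # the page's acl 2000 rule
NEAR_DESTINATION = {("R2", "g0/0/1", "outbound"): DENY_PC2}    # where the page applies it
NEAR_SOURCE = {("R1", "g0/0/0", "inbound"): DENY_PC2}          # the placement the rule warns against


def placement_report() -> dict:
    """Same rule, two placements: near the destination it blocks only LAN2;
    near the source it also cuts 192.168.1.3 off from R2 itself (over-blocking)."""
    return {
        "near_dest_to_pc3": forward(NEAR_DESTINATION, "192.168.1.3", "192.168.2.2"),
        "near_dest_to_r2": forward(NEAR_DESTINATION, "192.168.1.3", "12.1.1.2"),
        "near_src_to_pc3": forward(NEAR_SOURCE, "192.168.1.3", "192.168.2.2"),
        "near_src_to_r2": forward(NEAR_SOURCE, "192.168.1.3", "12.1.1.2"),
        "pc1_unaffected": forward(NEAR_DESTINATION, "192.168.1.2", "192.168.2.2"),
    }


def self_traffic_report() -> dict:
    """A rule against R1's own address: ineffective on R1, effective on R2's inbound side."""
    deny_r1 = [("deny", "12.1.1.1", "0.0.0.0")]
    return {
        "on_r1_outbound": forward({("R1", "g0/0/1", "outbound"): deny_r1}, "12.1.1.1", "12.1.1.2"),
        "on_r2_inbound": forward({("R2", "g0/0/0", "inbound"): deny_r1}, "12.1.1.1", "12.1.1.2"),
    }
```

placement_report() shows the trade-off: a source-only rule placed on R1's inbound side drops 192.168.1.3's packets to every destination beyond R1, including R2's own address, while the page's placement on R2's outbound side only affects the 192.168.2.0/24 LAN. self_traffic_report() is the reason section V below binds the telnet-blocking ACL inbound on R2 rather than outbound on R1.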
5. Apply the ACL
Apply it on R2's interface g0/0/1:
[r2]int g0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[r2-GigabitEthernet0/0/1]quit
6. View the ACL
Command: display acl 2000
[r2]display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 10 deny source 192.168.1.3 0
[r2]
7. Test
The test shows that the configuration is complete and works as intended;
That is the implementation using a basic ACL.
IV. Advanced ACL configuration
First, add a further requirement to the lab above;
The lab now requires: PC1 cannot reach PC3 but can reach PC4, and PC2 can reach everything;
1. Create the ACL and specify the rule
Command: rule deny icmp source 192.168.1.2 0 destination 192.168.2.2 0
[r1]acl 3000
[r1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.2.2 0
[r1-acl-adv-3000]quit
2. Apply it on the interface
Command: traffic-filter inbound acl 3000
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[r1-GigabitEthernet0/0/0]quit
[r1]
3. Test
PC1 can no longer ping PC3 but can still ping PC4;
PC2 can ping everything, so the advanced ACL is configured as required.
V. "Killing remote login"
Still the same diagram;
First set up R1 logging in remotely to R2
(the simulated Huawei PCs cannot use remote login, so a router is used for the test)
Telnet remote login runs over TCP port 23;
Conditions:
(1) The device logging in and the device being logged into can communicate normally;
(2) The device being logged into has the remote-login service enabled and an account and password configured for login.
1. Configure telnet
Configuration:
[r2]aaa
[r2-aaa]local-user xx password cipher 123 privilege level 15
Info: Add a new user.
[r2-aaa]local-user xx service-type telnet
[r2-aaa]quit
[r2]user-interface vty 0 4
[r2-ui-vty0-4]authentication-mode aaa
[r2-ui-vty0-4]quit
[r2]
2. Test telnet
Session:
<r1>telnet 12.1.1.2
Press CTRL_] to quit telnet mode
Trying 12.1.1.2 ...
Connected to 12.1.1.2 ...
Login authentication
Username:xx
Password:
<r2>
Router R1 can log in to R2;
3. Configure the ACL
Command: rule deny tcp source 12.1.1.1 0 destination 12.1.1.2 0 destination-port eq 23
[r2]acl 3000
[r2-acl-adv-3000]rule deny tcp source 12.1.1.1 0 destination 12.1.1.2 0 destination-port eq 23
[r2-acl-adv-3000]quit
[r2]
4. Display the ACL
Command: display acl 3000
[r2]display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny tcp source 12.1.1.1 0 destination 12.1.1.2 0 destination-port eq telnet
[r2]
5. Apply it on the interface
Command: traffic-filter inbound acl 3000
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[r2-GigabitEthernet0/0/0]quit
[r2]
6. Test
Command: telnet 12.1.1.2
<r1>telnet 12.1.1.2
Press CTRL_] to quit telnet mode
Trying 12.1.1.2 ...
R1 clearly can no longer reach R2; the lab is complete.