1. Access control lists


An ACL permits everything by default.
config match order: rules are matched in ascending order of their rule number (rule-id).
acl 2000 match-order auto: automatic ordering; rules are matched by the depth-first principle (the more specific rule takes priority).

2. Configuration steps

access-list 1 remark permit_R1_Telnet   (a remark records what the list is for; after some time, with many entries, they cannot otherwise be told apart)

access-list 2 permit 172.16.1.1 0.0.0.0   is equivalent to   access-list 2 permit 172.16.1.1

access-list 3 permit 0.0.0.0 255.255.255.255   is equivalent to   access-list 3 permit any


access-list 100 permit ip 172.16.1.1 0.0.0.0 10.1.1.1 0.0.0.0

is equivalent to   access-list 100 permit ip host 172.16.1.1 host 10.1.1.1

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

is equivalent to   access-list 101 permit ip any any

In a wildcard mask, 255 means "any value" (bit 1 = any, bit 0 = must match exactly); 254 is 11111110, so only the lowest bit must match.
10.1.1.0 0.0.254.0
    third octet of the address:  00000001
    wildcard 254:                11111110   (only the lowest bit is checked, so every odd third octet matches)


ip accounting access-violations   applied on an interface; used for accounting and monitoring.

ip access-list 1 permit 192.168.0.0 0.0.0.0   also matches /25 to /32

Notes:

The rule-id handles duplicate and conflicting entries.
On a router the ACL has a hidden final entry that permits everything by default.
Apply standard ACLs close to the destination and extended ACLs close to the source.

3. Reflexive lists and prefix lists


Example 1: 192.168.11.33/27 written three ways

rule permit ip source 192.168.11.33 27

rule permit ip source 192.168.11.33 mask 255.255.255.224
rule permit ip source 192.168.11.33 0.0.0.31
Last octet in binary:
00000000
00011111   1+2+4+8+16 = 31 (the wildcard)
00100000   32 is the network number (the first three bits must match, the last five are ignored)
00111111   63 = 32+16+8+4+2+1, the broadcast address

172.16.1.1/24
……
172.16.3.1/24
access-list 1 permit 172.16.1.1 0.0.3.0   (0.0.3.255 if the whole /24 networks are meant)
Third and fourth octets in binary:
0000 0000.0000 0001
0000 0001.0000 0001
0000 0010.0000 0001
0000 0011.0000 0001
---------------------------------------
0000 0011.0000 0000   -> bits that differ become 1: wildcard 0.0.3.0
access-list 99 permit 172.16.0.1 0.0.1.0   is equivalent to   access-list 99 permit 172.16.1.1 0.0.1.0

Example 2:
192.168.4.8/32
……
192.168.7.8/32
access-list 1 permit 192.168.4.8 0.0.3.0

Example 3: 172.16.0.0/24 networks whose third octet is odd
For example:
172.16.1.0/24
172.16.3.0/24
172.16.xxxx xxx1.0    wildcard 0.0.254.0
access-list 1 permit 172.16.1.0 0.0.254.0
172.16.0.0/24 networks whose third octet is even:
172.16.xxxx xxx0.0    wildcard 0.0.254.0
access-list 1 permit 172.16.2.0 0.0.254.0

Example 4:
192.168.4.0/24
……
192.168.7.0/24
192.168.4.0/25
……
192.168.7.0/25
access-list 1 permit 192.168.4.0 0.0.3.0   # cannot match on the mask length: a standard ACL sees only the network address, so the /24 and /25 routes both match

Example 5: 172.16.x.1 with any mask length /1 to /32, x = any value

access-list 1 permit 172.16.0.1 0.0.255.0


Prefix lists
ip prefix-list wolf permit network/prefix-length
ip prefix-list wolf permit 172.16.0.0/24 ge 25 le 27
    network/prefix-length; mask length >= 25 and <= 27
ip prefix-list wolf permit 172.16.0.0/24  le 25
    the prefix length is also the minimum mask length; mask length <= 25
Implicit final entry: ip prefix-list wolf deny 0.0.0.0/0 le 32

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
ip prefix-list wolf permit 192.168.0.0/22    ge  24  le 24

ip ip-prefix aa index 10 deny 0.0.0.0 24 less-equal 32
ip ip-prefix aa index 10 permit 0.0.0.0 0 less-equal 32      the pair filters out addresses with 24- to 32-bit masks (in a real list each entry needs its own index)
ip ip-prefix aa index 10 permit 1.1.1.1 24 greater-equal 26 less-equal 32      filters out routes with masks shorter than 26 bits
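The wildcard-mask examples (1 to 5) and the prefix-list ge/le rules above, worked through as an added example (my own code, not from these notes or any vendor): wildcard_matches and wildcard_for_set implement the bit rule (1 = any, 0 = must match) and the binary-table method for deriving a wildcard from a set of addresses, and prefix_list_matches implements the Cisco ge/le length-range semantics. The function names are my own.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(entry_addr, wildcard, addr):
    """Wildcard bit 1 = 'any', bit 0 = 'must match' (the 255/254 rule above)."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # bits that must be equal
    return (to_int(entry_addr) & care) == (to_int(addr) & care)


def wildcard_for_set(addrs):
    """Build the wildcard the way the binary tables above do: every bit
    position where the listed addresses differ becomes 1. The result can
    over-match (0.0.3.0 from 172.16.1.1..3.1 also covers 172.16.0.1)."""
    first = to_int(addrs[0])
    diff = 0
    for a in addrs:
        diff |= first ^ to_int(a)
    return str(ipaddress.IPv4Address(diff))


def prefix_list_matches(entry, route, ge=None, le=None):
    """Cisco 'ip prefix-list X permit entry [ge N] [le M]' semantics:
    the route must lie inside the entry's network and its prefix length
    must fall in [ge, le]. Defaults: ge absent -> entry length; le absent ->
    32 when ge is given, otherwise the entry length (exact match)."""
    ent = ipaddress.IPv4Network(entry, strict=False)
    rt = ipaddress.IPv4Network(route, strict=False)
    lo = ent.prefixlen if ge is None else ge
    hi = le if le is not None else (32 if ge is not None else ent.prefixlen)
    ent_mask = int(ent.netmask)
    inside = (int(rt.network_address) & ent_mask) == int(ent.network_address)
    return inside and lo <= rt.prefixlen <= hi


if __name__ == "__main__":
    # Example 2: 192.168.4.8 .. 192.168.7.8 -> 0.0.3.0
    print(wildcard_for_set(["192.168.4.8", "192.168.5.8",
                            "192.168.6.8", "192.168.7.8"]))
    # Example 3: odd third octet -> 0.0.254.0
    print(wildcard_for_set(["172.16.%d.0" % o for o in range(1, 256, 2)]))
    # Example 4: the standard ACL ignores mask length; the prefix list with
    # ge 24 le 24 rejects the /25 route that the ACL would accept.
    print(wildcard_matches("192.168.4.0", "0.0.3.0", "192.168.4.0"))
    print(prefix_list_matches("192.168.0.0/22", "192.168.4.0/25", ge=24, le=24))
```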


acl number 3000   # for known worms and viruses with layer 3/4 characteristics, the ACL filters those flows to improve network security
rule 0 deny tcp destination-port eq 445
rule 1 deny udp destination-port eq 445
rule 2 deny tcp destination-port eq 135
rule 3 deny tcp destination-port eq 136
rule 4 deny tcp destination-port eq 137
rule 5 deny tcp destination-port eq 138
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq 135
rule 8 deny udp destination-port eq 136
rule 9 deny udp destination-port eq netbios-ns
rule 10 deny udp destination-port eq netbios-dgm
rule 11 deny udp destination-port eq netbios-ssn
rule 12 deny udp destination-port eq 1434
rule 13 deny udp destination-port eq 6667
rule 14 deny udp destination-port eq 7626
rule 15 deny udp destination-port eq 6789
rule 16 deny udp destination-port eq 5800
rule 17 deny udp destination-port eq 5900
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 5800
rule 20 deny tcp destination-port eq 1999
rule 21 deny tcp destination-port eq 5554
rule 22 deny tcp destination-port eq 9995
rule 23 deny tcp destination-port eq 9996
rule 24 deny udp destination-port eq 12345
rule 25 deny udp destination-port eq 1057
rule 26 deny udp destination-port eq 2616