思科网络技术学院教程(第九章访问列表)

访问列表第九章Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.32Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3为什么使用访问列表?TokenRingFDDI3Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3TokenRingFDDI172.16.0.0172.17.0.0Internet为什么使用访问列表?4Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3TokenRingFDDI172.16.0.0172.17.0.0Internet为什么使用访问列表?5Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3数据包到达S0PublicSwitchedTelephoneNetwork为什么使用访问列表?6Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3数据包到达S0为这些流量拨号?PublicSwitchedTelephoneNetwork为什么使用访问列表?7Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3OutgoingPacketE0S0IncomingPacketAccessListProcessesPermit?Source什么是访问列表?•标准访问表–简单的地址说明–允许或禁止整个协议组8Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3•标准访问表–简单的地址说明–允许或禁止整个协议组•扩展访问表–更复杂的地址说明–允许或禁止指定的协议OptionalDialerOutgoingPacketE0S0IncomingPacketAccessListProcessesPermit?SourceandDestinationProtocol什么是访问列表?9Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3访问列表怎样工作InboundInterfaceOutboundInterfacesPacketsPacketDiscardBucketPacketNChooseInterfaceNYAccessList?YRoutingTableEntry?10Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3InboundInterfaceOutboundInterfacesPacketsPacketDiscardBucketPacketPacketTestAccessListStatementsPermit?YNChooseInterfaceNYAccessList?YRoutingTableEntry?访问列表怎样工作11Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3UnwantedPacketInboundInterfaceOutboundInterfacesPacketsPacketDiscardBucketPacketPacketTestAccessListStatementsPermit?YNChooseInterfaceNYAccessList?YNNotifySenderRoutingTableEntry?访问列表怎样工作12Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3MatchFirstTest?PacketstoInterface(s)intheAccessGroupPacketDiscardBucketYInterface(s)DestinationDenyDenyPermitY访问表的测试:DenyorPermit13Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3MatchFirstTest?PacketstoInterface(s)intheAccessGroupPacketDiscardBucketYInterface(s)DestinationDenyDenyPermitYMatchNextTest(s)?NPermitYDenyY访问表的测试:DenyorPermit14Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3MatchFirstTest?PacketstoInterface(s)intheAccessGroupPacketDiscardBucketYInterface(s)DestinationDenyDenyPermitYMatchNextTest(s)?NPermitYDenyYYNPermitDenyMatchLastTest?Y访问表的测试:DenyorPermit15Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3MatchFirstTest?PacketstoInterface(s)intheAccessGroupPacketDiscardBucketYInterface(s)DestinationDenyDenyPermitYMatchNextTest(s)?NPermitYDenyYYNPermitDenyMatchLastTest?YNImplicitDeny访问表的测试:DenyorPermit16Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3Step1:设置访问表语句参数access-listaccess-list-number{permit|deny}{testconditions}Router(config)#访问列表命令17Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3access-listaccess-list-number{permit|deny}{testconditions}Router(config)#Step2:在一个接口上使用指定的访问列表access-groupaccess-list-number[in|out]Router(config-if)#访问列表命令Step1:设置访问表语句参数18Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3NumberRange/IdentifierIP1-99100-199HowtoIdentifyAccessLists•NumberidentifiestheprotocolandtypeStandardExtendedAccessListType19Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3NumberRange/IdentifierIP1-99100-199Named(CiscoIOS11.2andlater)HowtoIdentifyAccessLists•NumberidentifiestheprotocolandtypeStandardExtendedAccessListType20Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3NumberRange/IdentifierIP1-99100-199Named(CiscoIOS11.2andlater)HowtoIdentifyAccessLists•Numberidentifiestheprotocolandtype800-899900-9991000-1099Named(CiscoIOS11.2.Fandlater)StandardExtendedSAPfiltersStandardExtendedAccessListTypeIPX21Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3NumberRange/IdentifierIP1-99100-199Named(CiscoIOS11.2andlater)怎样识别访问列表•通过访问列表号识别访问列表的协议和类型800-899900-9991000-1099Named(CiscoIOS11.2.Fandlater)StandardExtendedSAPfiltersStandardExtendedAccessListType600-699IPXAppleTalk22Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3Segment(forexample,TCPheader)DataPacket(IPheader)FrameHeader(forexample,HDLC)DestinationAddressSourceAddressProtocolPortNumberUseaccessliststatements1-99or100-199totestthepacketDenyPermit一个TCP/IP包怎样识别访问列表23Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3•访问表1到99（标准）的测试条件是IP包的源地址•访问表100到199（扩展）的测试条件是–源地址和目的地址–指定的TCP/IP协议组–目的端口•通配掩码的各位指示怎样检测地址对应为是否检测(0=检测,1=忽略)。关键概念24Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3•0说明检测对应位的值•1说明忽略相应位的值donotcheckaddress(ignorebitsinoctet)=001111111286432168421=00000000=00001111=11111100=11111111ignorelast6addressbitscheckalladdressbits(matchall)ignorelast4addressbitschecklast2addressbitsExamples怎样使用通配掩码位25Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3IP访问表的测试条件:检查子网172.30.16.0到172.30.31.0network.host172.30.16.0000001111checkignore00010000通配掩码匹配位:•地址和通配掩码:172.30.16.00.0.15.255怎样使用通配掩码位26Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3•接受任何地址:0.0.0.0255.255.255.255;其缩写表达式使用关键字any测试条件:忽略所有的地址位0.0.0.0255.255.255.255(ignoreall)任何IP地址通配掩码:匹配任意IP地址27Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3•172.30.16.290.0.0.0用于检查地址中所有位•缩写通配掩码在地址前面使用关键字host测试条件:检查所有的地址位172.30.16.290.0.0.0(checkallbits)任何主机地址:通配掩码:匹配指定的IP地址28Copyright?1998,CiscoSystems,Inc.ICRC_revision_11.3access-listaccess-list-num