ACL
IP Access Control Lists (ACLs),根據以下內容過濾 IP 數據包:
- Source address
- Destination address
- Type of packet
- Any combination of these items
為了要過濾網路流量,ACL 控制是否在路由器 interface 上 forward 或 drop 路由數據包。
- Source address of the traffic
- Destination address of the traffic
- Upper-layer protocol
Standard ACLs 將 IP 數據包的 source address 與 ACL中配置的 address 進行比較,以控制流量,但不能針對特定的網路協定指定允許或拒絕的動作處理。 Extended ACLs 將 IP 數據包的 source address 和 destination address 與 ACL 中配置的地址進行比較或針對特定的網路協定做處置,以控制流量。可以使 extended ACL 更精細,並配置為按以下標準過濾流量:
- Protocol
- Port numbers
- Differentiated services code point (DSCP) value
- Precedence value
- State of the synchronize sequence number (SYN) bit
埠號及所對應的網路服務
| Port | TCP/UDP | IP protocol |
|---|---|---|
| 20 | TCP | FTP 的資料 |
| 21 | TCP | FTP 控制 |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | TCP/UDP | DNS |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
Inbound 與 Outbound
Inbound
流向路由器的封包
Outbound
路由器設備流出去的封包
上兩點符合First Match都是第一條規則匹配則套用規則。
Inbound 的方式會有較好的性能,因先藉由存取控制清單先過濾,再進行路由表的查詢。
拓樸
Created by David Bombal. Get more at http://davidbombal.com
Configure ACLs as follows:
Restrict traffic internally using Router1 as follows:
- Use access list number 100
- Inside PC1 can only access the HTTP server 1 using HTTP on subnet 10.1.1.0/24
Router1(config)#access-list 100 permit tcp host 10.1.2.101 host 10.1.1.100 eq 80
- Inside PC2 can only access the HTTP server 2 using HTTPS on subnet 10.1.1.0/24
Router1(config)#access-list 100 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
- No other PCs or servers on subnet 10.1.2.0/24 can access subnet 10.1.1.0/24 (Explicitly add this line. This is normally done to log the traffic with the word log, but PT does not support logging)
Router1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
- Hosts on subnet 10.1.2.0/24 can access any other network
Router1(config)#access-list 100 permit ip 10.1.2.0 0.0.0.255 any
- Bind access list in the most efficient place on Router1
Cisco 路由器的設定模式包括
User Mode和Privileged Mode,以及Global Configuration Mode。
Router1(config)#interface gigabitEthernet 0/0/0
Router1(config-if)#ip access-group 100 in
在 Global Configuration Mode 之下還有以下五種設定模式:
- Interface Mode
- Sub-interface Mode
- Controller Mode
- Line Mode
- Router Mode
Verification:
- Verify that Inside PC1 can access the internal HTTP server 1 using HTTP, but not ping HTTP server 2
- Verify that Inside PC2 can access the internal HTTP server 2 using HTTPS, but not ping HTTP server 1
- Verify that both inside PC1 and PC2 can browse to cisco.com and facebook.com
顯示 ACL 規則
Router1(config)#do sh access
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
40 permit ip 10.1.2.0 0.0.0.255 any
刪除特定 ACL 規則
Router1(config)#ip access-list extended 100
Router1(config-ext-nacl)#no 40
Router1(config-ext-nacl)#do sh access
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Router1(config)#access-list 100 permit ip 10.1.2.0 0.0.0.255 any
插入特定 ACL 規則
Router1(config)#ip access-list extended 100
Router1(config-ext-nacl)#no 20
Router1(config-ext-nacl)#do sh access
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
40 permit ip 10.1.2.0 0.0.0.255 any
# 插入動作
Router1(config-ext-nacl)#20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
Router1(config-ext-nacl)#do sh access
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
40 permit ip 10.1.2.0 0.0.0.255 any
查看 ACL match
Router1#sh access-lists 100
Extended IP access list 100
permit tcp host 10.1.2.101 host 10.1.1.100 eq www (6 match(es))
permit tcp host 10.1.2.102 host 10.1.1.101 eq 443 (11 match(es))
deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 (114 match(es))
permit ip 10.1.2.0 0.0.0.255 any (213 match(es))