
Access Control List
Shenzhen Polytechnic, Department of Computer Science, Networking Program
© 2006, Shenzhen Polytechnic. All rights reserved.

Objectives
1. Access Control Lists
2. Configure standard IP access lists
3. Configure extended IP access lists
4. Configure named IP access lists
5. Verify and monitor IP access lists

Why Use Access Control Lists?
[Figure: a router joining a Token Ring network (172.16.0.0), an FDDI network (172.17.0.0) and the Internet]
• Manage IP traffic as network access grows
• Filter packets as they pass through the router

Function of ACL
1. Limit network traffic and increase network performance.
2. Provide traffic flow control.
3. Provide a basic level of security for network access.
4. Decide which types of traffic are forwarded or blocked at the router interfaces.

How an ACL Works
[Figure: an inbound packet enters the router, route selection chooses the outbound interface and the ACL is applied; a packet the ACL does not want goes to the packet bit bucket and the sender is notified, otherwise it leaves as an outbound packet]

The Order in Which ACL Statements Are Placed
[Figure: a packet is tested against the ACL statements in turn; the first matching statement decides whether it is passed to the destination interface]

The Order in Which ACL Statements Are Placed
Cisco IOS tests the packet against each condition statement in the order in which the statements appear in the ACL, from the top of the list to the bottom. Once a match is found, the permit or deny action of that statement is performed and no further ACL statements are checked.

What Are Access Lists?
[Figure: an incoming packet on fa0/0 passes through the access list processes, which test the source address ("Permit?") before the outgoing packet leaves via s0/0]
• Standard ACL
  – Checks the source address
  – Generally permits or denies an entire protocol suite

What Are Access Lists?
[Figure: an incoming packet on Fa0/0 passes through the access list processes, which test source and destination address and protocol ("Permit?") before the outgoing packet leaves via s0/0]
• Extended ACL
  – Checks source and destination addresses
  – Generally permits or denies specific protocols

Check Packets with Extended ACL
[Figure: a packet shown as frame header, packet, segment and data; the extended ACL tests the packet's source address, destination address, protocol and port number, then denies or permits it]
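As an added example (not from these slides or from Cisco IOS), a small Python model of the matching the deck describes: Cisco wildcard masks, standard entries that check only the source, extended entries that also check destination, protocol and port, top-to-bottom first-match evaluation, and the implicit deny at the end of the list. The ACL and packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # source address, e.g. "172.16.0.0"
    src_wc: str                  # source wildcard, e.g. "0.0.255.255"
    # Extended-ACL fields; None means "any". A standard ACL sets none of them.
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    proto: Optional[str] = None  # "tcp", "udp", "icmp", or "ip" (any)
    dst_port: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match top to bottom -> (action, index); no match -> ("deny", None)."""
    for i, e in enumerate(acl):
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if e.dst is not None and not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.proto not in (None, "ip") and e.proto != pkt.proto:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, i
    return "deny", None  # implicit deny at the end of every ACL

# Constructed sample ACL: the 172.16.0.0/16 LAN may reach the web server
# 172.17.0.10 on TCP/80, its other traffic to 172.17.0.0/16 is dropped,
# and everything else is permitted. Lines 1 and 2 only work in this order.
SAMPLE_ACL = [
    Entry("permit", "172.16.0.0", "0.0.255.255", "172.17.0.10", "0.0.0.0", "tcp", 80),
    Entry("deny", "172.16.0.0", "0.0.255.255", "172.17.0.0", "0.0.255.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),  # same as "permit any"
]
```

Swapping the first two entries makes the deny line match the web traffic first, which is the ordering pitfall the slides warn about.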