

Cisco Routing and Switching: ACLs

1. ACL types:
standard ACL: filters only layer-3 information; usually used to control VTY access
extended ACL: filters layer-3 and layer-4 information; usually used to filter traffic
turbo ACL: processes ACLs more efficiently (compiled)
time-based IP ACL:
routerA(config)#time-range internet
routerA(config-time-range)#?
Time range configuration commands:
absolute absolute time and date
default Set a command to its defaults
exit Exit from time-range configuration mode
no Negate a command or set its defaults
periodic periodic time and date
routerA(config-time-range)#absolute ?
end ending time and date
start starting time and date
routerA(config-time-range)#periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday
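The help output above lists the two kinds of time-range entries (absolute and periodic) but not how the router combines them. The Python below is an added illustration written for this page, not IOS code: it models a time range the way IOS evaluates one (the absolute window bounds the whole range; periodic entries are OR'd together inside it) and shows what an ACE that carries `time-range internet` does at a given moment. The class and function names (`TimeRange`, `ace_applies`) and the sample dates are this example's own.

```python
from datetime import datetime

# Day groups exactly as the IOS help text lists them: daily, weekdays, weekend.
_DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
_DAY_GROUPS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),   # Monday thru Friday
    "weekend": {5, 6},           # Saturday and Sunday
}


def _hhmm_to_minutes(text):
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


class TimeRange:
    """Model of one IOS time-range (the class and its method names are this example's own).

    absolute(start, end): window outside of which the range is never active.
    add_periodic('weekdays 08:00 to 17:00') / ('Monday Wednesday 09:00 to 12:00'):
    periodic entries are OR'd together and only count inside the absolute window.
    """

    def __init__(self, name):
        self.name = name
        self.absolute_start = None
        self.absolute_end = None
        self.periodic = []  # list of (weekday set, start minute, end minute)

    def absolute(self, start=None, end=None):
        self.absolute_start = start
        self.absolute_end = end

    def add_periodic(self, spec):
        tokens = spec.split()
        days = set()
        i = 0
        while i < len(tokens):
            word = tokens[i].lower()
            if word in _DAY_GROUPS:
                days |= _DAY_GROUPS[word]
            elif word in _DAY_NAMES:
                days.add(_DAY_NAMES.index(word))
            else:
                break
            i += 1
        # Whatever follows the day list must be exactly "HH:MM to HH:MM".
        if not days or len(tokens) - i != 3 or tokens[i + 1].lower() != "to":
            raise ValueError(f"bad periodic entry: {spec!r}")
        self.periodic.append((days, _hhmm_to_minutes(tokens[i]), _hhmm_to_minutes(tokens[i + 2])))

    def active(self, when):
        """True if the range is active at datetime `when`."""
        if self.absolute_start is not None and when < self.absolute_start:
            return False
        if self.absolute_end is not None and when > self.absolute_end:
            return False
        if not self.periodic:
            return True  # absolute-only range: active everywhere inside the window
        minute = when.hour * 60 + when.minute
        return any(when.weekday() in days and start <= minute < end
                   for days, start, end in self.periodic)


def ace_applies(time_range, when):
    """An ACE with 'time-range <name>' is consulted only while the range is active;
    while it is inactive the router does not match it and moves on to the next entry."""
    return "consulted" if time_range.active(when) else "skipped"


# Constructed sample: the 'internet' range is weekdays 08:00-17:00, during 2017 only.
internet = TimeRange("internet")
internet.absolute(start=datetime(2017, 1, 1, 0, 0), end=datetime(2017, 12, 31, 23, 59))
internet.add_periodic("weekdays 08:00 to 17:00")
```

A statement such as `access-list 101 permit tcp any any eq www time-range internet` is then live on a Wednesday at 10:00 in 2017 and dead on the following Saturday, or on any day after the absolute end; `ace_applies(internet, when)` returns which of the two the router would do.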
reflexive IP ACL
Context-Based Access Control (CBAC) ACL: can filter layer-3 through layer-7 information
lock-and-key ACL: filters layer-3 information, and sometimes layer-4 information as well
2. ACL placement
a. An ACL that filters only on the packet's source address should be placed as close to the destination as possible.
b. An ACL that filters on source and destination address plus other information should be placed as close to the source as possible.
3. Fragments (take care in VPN environments)
a. With the fragments keyword, only non-initial fragments are filtered. For TCP/UDP, layer-4 information such as port numbers is not filtered, because a non-initial fragment carries no layer-4 header.
b. Place these statements at the very beginning of the ACL.
c. access-list 100 deny tcp any any fragments
access-list 100 deny udp any any fragments
access-list 100 deny ip any any fragments
4. ACL remarks
access-list 1 remark This ACL restricts admin
access-list 1 remark --all admin access
access-list 1 permit 192.168.1.111
access-list 1 remark --XXXXXX

5. Logging updates
Keyword log: logs matches of the entry.
Keyword log-input: the logged information additionally includes the input interface on which the packet was received and the packet's layer-2 source address.
a. Note that when logging is enabled, fast switching methods such as CEF are not used for the logged packets.
b. Changing the logging threshold: ip access-list log-update threshold #_of_matches
When an entry is matched and the number of matches reaches the threshold value, another log message is generated; the router resets the counter automatically every 5 minutes. Do not set the threshold too low.
6. IP accounting and ACLs
a. Only transit traffic is recorded, and enabling it disables autonomous and SSE switching.
int fa0/0
ip accounting access-violations
show ip accounting access-violations
7. Limiting accounting information
ip accounting-list: restricts the accounting information to the listed addresses
ip accounting-threshold: defines the maximum number of accounting entries the router will generate; default 512, which occupies 12928 bytes of memory
ip accounting-transits: limits the number of transit records the router stores, i.e. records generated for other devices, not only the traffic defined by ip accounting-list; default 0
8. Turbo ACL
access-list compiled: compiles the ACLs for efficient processing; available on the 7100/7200/7500/12000 platforms.
Time-based and reflexive entries cannot be used. Compilation needs 2 to 4 MB of memory to hold the compiled tables.
show access-list compiled
Five states:
operational: compiled successfully
deleted: empty, no entries
unsuitable: cannot be compiled (e.g. a time-based entry)
building: being compiled
out of memory: not enough memory to compile
9. Sequenced ACLs: default sequence numbers are 10, 20, 30, ...; the maximum is 2147483647.
a. Named ACLs do not require explicit sequence numbers; they are assigned automatically, starting at 10.
b. Exceeding the maximum sequence number produces an error, and so does a duplicate sequence number.
c. ACL resequencing
routerA(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name
routerA(config)#ip access-list resequence 1 ?
<1-2147483647> Starting Sequence Number
routerA(config)#ip access-list resequence 1 10 ?
<1-2147483647> Step to increment the sequence number
routerA(config)#ip access-list resequence 1 10 20
routerA(config)#access-list 1 permit any
routerA(config)#access-list 1 permit host 1.1.1.1
routerA#show ip access-lists 1
Standard IP access list 1 (Compiled)
20 permit 1.1.1.1
10 permit any
routerA#copy run start
d. Deleting an entry
routerA#show ip access-lists
Standard IP access list 1 (Compiled)
20 permit 1.1.1.1
routerA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)#ip access-list standard 1
routerA(config-std-nacl)#no 20
e. Adding an entry
routerA#show ip access-lists 100
Extended IP access list 100 (Compiled)
10 permit ip host 1.1.1.1 any
20 permit tcp any any
routerA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)#ip access-list extended 100
routerA(config-ext-nacl)#30 deny udp any any
routerA#show ip access-lists 100
Extended IP access list 100 (Compiled)
10 permit ip host 1.1.1.1 any
20 permit tcp any any
30 deny udp any any
(By default the system numbers entries in increments of 10.)

I. Deny Smurf and Fraggle:
ip access-list extended smurf-fraggle
deny icmp any any echo
deny icmp any any echo-reply
deny udp any any eq echo
deny udp any eq echo any
remark --> add your other ACL statements here as necessary
deny ip any any
int fa0/0
ip access-group smurf-fraggle in
ip access-group smurf-fraggle out
II. Block the network address 200.1.1.0 and the directed broadcast address 200.1.1.255.
ip access-list extended no-broadcast-in
remark This command prevents spoofing
deny ip 200.1.1.0 0.0.0.255 any
remark These two commands block the directed broadcast addresses
deny ip any host 200.1.1.0
deny ip any host 200.1.1.255
remark --> add your other ACL statements here as necessary
deny ip any any
ip access-list extended no-broadcast-out
deny ip any host 200.1.1.0
deny ip any host 200.1.1.255
deny ip host 200.1.1.0 any
deny ip host 200.1.1.255 any
remark --> add your other ACL statements here as necessary
deny ip any any
int fa0/0
ip access-group no-broadcast-in in
ip access-group no-broadcast-out out

III. Block inbound ping
ip access-list extended icmp-in
remark --> add your other ACL statements here as necessary
deny icmp any any echo
deny icmp any any redirect
deny icmp any any mask-request
remark allow echo replies to the administrator's PC
permit icmp any host 200.1.1.5 echo-reply
deny icmp any any echo-reply
remark allow the local network to ping out
permit icmp any 200.1.1.0 0.0.0.255
remark --> add your other ACL statements here as necessary
int fa0/0
ip access-group icmp-in in
IV. Egress filtering of ICMP traffic
ip access-list extended icmp-out
remark --> add your other ACL statements here as necessary
remark allow the management station to send echo requests
permit icmp host 200.1.1.5 any echo
remark allow internal devices to send "packet header problem" messages to the Internet devices that sent traffic in
permit icmp 200.1.1.0 0.0.0.255 any parameter-problem
remark allow MTU discovery messages
permit icmp 200.1.1.0 0.0.0.255 any packet-too-big
remark allow devices to adapt to congestion
permit icmp 200.1.1.0 0.0.0.255 any source-quench
deny icmp any any
remark --> add your other ACL statements here as necessary
int fa0/0
ip access-group icmp-out out
V. traceroute
ip access-list extended traceroute
remark --> add your other ACL statements here as necessary
deny udp any any range 33400 34400
remark --> add your other ACL statements here as necessary
int fa0/0
ip access-group traceroute in

VI. A simple ACL against TCP SYN floods
ip access-list extended tcp-syn-flood
permit tcp any 200.1.1.0 0.0.0.255 established
permit tcp any host 200.1.1.11 eq 25
deny ip any any
int fa0/0
ip access-group tcp-syn-flood in
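The sequence-number mechanics of section 9 (automatic numbering from 10, explicit insertion, resequencing, deletion) and the first-match-then-implicit-deny logic that makes the tcp-syn-flood list above work are easier to reason about in a small model. The Python below is an added example written for this page, not IOS code or output: it implements Cisco wildcard matching, the subset of extended-ACE syntax the page uses (numeric ports only; `range`, `log`, port names and other keywords are not modelled), and a sequenced list with the same numbering rules. The names `Packet`, `Ace`, `ExtendedAcl`, `parse_ace` and `sequence_demo` are this example's own; the `ack_or_rst` flag on `Packet` stands for what `established` tests on the router, namely the ACK or RST bit being set.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# A packet as the ACL sees it; ack_or_rst is set on every TCP segment except a bare SYN.
Packet = namedtuple("Packet", "proto src dst dport ack_or_rst", defaults=(0, False))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Ace:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: tuple                # (base, wildcard)
    dst: tuple
    dport: Optional[int] = None
    established: bool = False

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return not (self.established and not pkt.ack_or_rst)  # a bare SYN never matches 'established'

def _parse_addr(tokens, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D wildcard' -> ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line, default_seq):
    """Parse the ACE subset this page uses: [seq] action proto src dst [eq port] [established]."""
    tokens = line.split()
    seq, i = (int(tokens[0]), 1) if tokens[0].isdigit() else (default_seq, 0)
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    rest = tokens[i:]                       # other IOS keywords (log, range, ...) are not modelled
    dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return Ace(seq, action, proto, src, dst, dport, "established" in rest)

class ExtendedAcl:
    """Sequenced ACL: auto-numbers from 10 in steps of 10, explicit numbers slot in by order."""

    def __init__(self):
        self.entries = []     # kept sorted by seq
        self._next_seq = 10

    def add(self, line):
        ace = parse_ace(line, self._next_seq)
        # Section 9b: a number above 2147483647 or one already in use is an error.
        if not 1 <= ace.seq <= 2147483647 or any(e.seq == ace.seq for e in self.entries):
            raise ValueError(f"sequence number {ace.seq} out of range or duplicate")
        self.entries.append(ace)
        self.entries.sort(key=lambda e: e.seq)
        self._next_seq = self.entries[-1].seq + 10
        return ace.seq

    def remove(self, seq):    # 'no <seq>' in the ACL submode
        self.entries = [e for e in self.entries if e.seq != seq]

    def resequence(self, start=10, step=10):   # 'ip access-list resequence <acl> start step'
        for n, ace in enumerate(self.entries):
            ace.seq = start + n * step
        self._next_seq = self.entries[-1].seq + 10 if self.entries else start

    def evaluate(self, pkt):  # first match wins; no match at all is the implicit deny
        for ace in self.entries:
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None

def sequence_demo():
    """Replay of section 9: auto-numbering, explicit insertion, resequence, deletion."""
    acl = ExtendedAcl()
    acl.add("permit ip host 1.1.1.1 any")   # gets 10
    acl.add("permit tcp any any")           # gets 20
    acl.add("30 deny udp any any")          # explicit 30 (auto-numbering would give the same)
    acl.add("15 permit icmp any any")       # explicit 15 lands between 10 and 20
    before = [e.seq for e in acl.entries]
    acl.resequence(start=10, step=20)
    after = [e.seq for e in acl.entries]
    acl.remove(30)
    return before, after, [e.seq for e in acl.entries]

# The tcp-syn-flood list from section VI, as this model sees it.
syn_flood = ExtendedAcl()
for ace_line in ("permit tcp any 200.1.1.0 0.0.0.255 established",
                 "permit tcp any host 200.1.1.11 eq 25", "deny ip any any"):
    syn_flood.add(ace_line)
```

Evaluating a bare SYN to a web server inside 200.1.1.0/24 returns `("deny", 30)`, while the same segment with the ACK bit set returns `("permit", 10)`: that asymmetry is the whole protection the list offers, and it is also why the list blocks every new inbound connection except SMTP to 200.1.1.11. `sequence_demo()` returns the sequence numbers before and after `resequence 10 20` and after `no 30`, matching the numbering rules stated in section 9.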

Last updated: 2017-01-04 22:34:51
