

Cisco Routing and Switching: ACLs

1. ACL types:
standard ACL: filters on layer 3 information only (the source address); commonly used to restrict VTY access
extended ACL: filters on layer 3 and layer 4 information; commonly used to filter traffic
turbo ACL: compiled ACL for efficient processing
time-based IP ACL:
routerA(config)#time-range internet
routerA(config-time-range)#?
Time range configuration commands:
absolute absolute time and date
default Set a command to its defaults
exit Exit from time-range configuration mode
no Negate a command or set its defaults
periodic periodic time and date
routerA(config-time-range)#absolute ?
end ending time and date
start starting time and date
routerA(config-time-range)#periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday
reflexive IP ACL
Context-Based Access Control (CBAC): can filter on layer 3 through layer 7 information
lock-and-key (dynamic) ACL: filters on layer 3 information, and optionally on layer 4
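The time-range output above shows the two kinds of statement a time-based ACL entry is bound to. The following Python model is an added example, not part of the original notes and not IOS code: it evaluates periodic and absolute statements against a timestamp, treating both boundary minutes as inclusive (an assumption, in line with the usual "to 23:59" idiom) and modelling only periodic entries whose start and end fall on the same day. The range and timestamps in demo() are constructed. The security point to keep in mind is that such a range is only as trustworthy as the router clock: without an authenticated NTP source the ACL opens and closes at whatever time an attacker or a dead battery says it is.

```python
"""Model of an IOS time-range (added example, not IOS code): a range is active
when the clock is inside the absolute window and matches any periodic entry."""
from datetime import datetime

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def hhmm(text):
    """'8:00' -> 480 (minutes since midnight)."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(stmt):
    """'periodic weekdays 8:00 to 17:00' -> (weekday set, start, end) in minutes.
    Assumption: start and end lie on the same day, both minutes inclusive."""
    toks = stmt.lower().split()
    if toks[0] != "periodic" or toks[-2] != "to":
        raise ValueError(stmt)
    days = set()
    for tok in toks[1:-3]:  # one or more day names or a group keyword
        days |= DAY_GROUPS.get(tok) or {DAY_NAMES.index(tok)}
    return days, hhmm(toks[-3]), hhmm(toks[-1])


def parse_absolute(stmt):
    """'absolute start 00:00 1 January 2017 end 23:59 31 December 2017';
    either side may be omitted, as in IOS."""
    toks = stmt.split()
    window = {"start": datetime.min, "end": datetime.max}
    for i in range(1, len(toks), 5):
        window[toks[i]] = datetime.strptime(" ".join(toks[i + 1:i + 5]), "%H:%M %d %B %Y")
    return window["start"], window["end"]


class TimeRange:
    def __init__(self, statements):
        self.periodic, self.absolute = [], (datetime.min, datetime.max)
        for stmt in statements:
            if stmt.split()[0] == "periodic":
                self.periodic.append(parse_periodic(stmt))
            elif stmt.split()[0] == "absolute":
                self.absolute = parse_absolute(stmt)
            else:
                raise ValueError(stmt)

    def active(self, when):
        """True when an ACE bound to this range would be in effect at `when`."""
        start, end = self.absolute
        if not start <= when <= end:
            return False
        if not self.periodic:  # absolute-only range
            return True
        minute = when.hour * 60 + when.minute
        return any(when.weekday() in days and lo <= minute <= hi
                   for days, lo, hi in self.periodic)


def demo():
    """Constructed range: office hours, valid during 2017 only."""
    tr = TimeRange(["periodic weekdays 8:00 to 17:00",
                    "absolute start 00:00 1 January 2017 end 23:59 31 December 2017"])
    return {
        "wed_10am_2017": tr.active(datetime(2017, 1, 4, 10, 0)),   # Wednesday, in hours
        "wed_17_01_2017": tr.active(datetime(2017, 1, 4, 17, 1)),  # one minute past the end
        "sat_10am_2017": tr.active(datetime(2017, 1, 7, 10, 0)),   # weekend
        "wed_10am_2018": tr.active(datetime(2018, 1, 3, 10, 0)),   # outside the absolute window
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16} {'active' if state else 'inactive'}")
```

Only the first case is active; the other three show the three ways an entry drops out of effect (time of day, day of week, absolute window), which is exactly what you should test on the router with show time-range after setting the clock.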
2. ACL placement
a. An ACL that filters only on the packet's source address (a standard ACL) should be placed as close to the destination as possible; it cannot tell destinations apart, so placed near the source it would also cut off traffic to destinations you meant to allow.
b. An ACL that filters on source and destination address and other fields (an extended ACL) should be placed as close to the source as possible, so unwanted traffic is dropped before it crosses the network.
3. Fragments (pay attention to this in VPN environments, where tunnel overhead causes fragmentation).
a. With the fragments keyword an entry matches only non-initial fragments. A non-initial TCP/UDP fragment carries no layer 4 header, so its port numbers cannot be checked; an ordinary entry that specifies ports will still permit such a fragment, while a deny that specifies ports is skipped for it and the next entry is tried.
b. Put these statements at the very top of the ACL.
c. access-list 100 deny tcp any any fragments
access-list 100 deny udp any any fragments
access-list 100 deny ip any any fragments
4. ACL remarks
access-list 1 remark This ACL restricts admin
access-list 1 remark ---all admin access
access-list 1 permit 192.168.1.111
access-list 1 remark ---XXXXXX

5. Logging updates
keyword log: logs packets matching the entry
keyword log-input: additionally records the interface the packet arrived on and the layer 2 (MAC) source address
a. Note that logged packets leave the fast-switching path (CEF and the like) and are handled by the CPU, so logging a busy deny entry costs CPU.
b. Change the logging threshold: ip access-list log-update threshold #_of_matches
An additional message is generated each time the match count for an entry reaches the threshold; independently of that, the router emits a summary and resets the counters every 5 minutes. Do not set the threshold too low.
6. IP accounting and ACLs
a. Only transit traffic is counted, and enabling it disables autonomous and SSE switching on the interface.
int fa0/0
ip accounting access-violations
show ip accounting access-violations
7. Limiting accounting information
ip accounting-list: restricts accounting to the listed addresses
ip accounting-threshold: maximum number of accounting entries the router generates (default 512, which occupies 12928 bytes of memory)
ip accounting-transits: number of transit records the router stores, i.e. records for traffic that does not match any ip accounting-list entry; default 0
8. Turbo ACL
access-list compiled: compiles the ACL for efficient processing; available on the 7100 / 7200 / 7500 / 12000 platforms.
Time-range and reflexive entries cannot be compiled. Compilation needs 2 to 4 MB of memory to hold the compiled tables.
show access-list compiled
Five states:
operational: compiled successfully
deleted: empty, no entries
unsuitable: cannot be compiled (e.g. it contains time-range entries)
building: being compiled
out of memory: not enough memory to compile
9. Sequenced ACLs: default sequence numbers are 10, 20, 30, ...; the maximum is 2147483647
a. Named ACLs need no explicit numbers; they are assigned automatically, starting at 10.
b. A sequence number above the maximum, or a duplicate sequence number, produces an error.
c. Resequencing an ACL
routerA(config)#ip access-list resequence ?
Standard IP access-list number
Extended IP access-list number
Standard IP access-list number (expanded range)
Extended IP access list number (expanded range)
WORD Access-list name
routerA(config)#ip access-list resequence 1 ?
Starting Sequence Number
routerA(config)#ip access-list resequence 1 10
Step to increment the sequence number
routerA(config)#ip access-list resequence 1 10 20
routerA(config)#access-list 1 permit any
routerA(config)#access-list 1 permit host 1.1.1.1
routerA#show ip access-lists 1
Standard IP access list 1 (Compiled)
20 permit 1.1.1.1
10 permit any
copy run start
d. Deleting an entry
routerA#show ip access-lists
Standard IP access list 1 (Compiled)
20 permit 1.1.1.1
routerA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)#ip access-list standard 1
routerA(config-std-nacl)#no 20
e. Adding an entry
routerA#show ip access-lists 100
Extended IP access list 100 (Compiled)
10 permit ip host 1.1.1.1 any
20 permit tcp any any
routerA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)#ip access-list extended 100
routerA(config-ext-nacl)#30 deny udp any any
routerA#show ip access-lists 100
Extended IP access list 100 (Compiled)
10 permit ip host 1.1.1.1 any
20 permit tcp any any
30 deny udp any any   ! sequence numbers are assigned in steps of 10 by default

I. Deny Smurf and Fraggle:
ip access-list extended smurf-fraggle
deny icmp any any echo
deny icmp any any echo-reply
deny udp any any eq echo
deny udp any eq echo any
remark ---> add your other ACL statements here as necessary
deny ip any any
int fa0/0
ip access-group smurf-fraggle in
ip access-group smurf-fraggle out
II. Block the network address 200.1.1.0 and the directed broadcast address 200.1.1.255.
ip access-list extended no-broadcast-in
remark This command prevents spoofing of our own address space from outside
deny ip 200.1.1.0 0.0.0.255 any
remark These two commands block the directed broadcast addresses
deny ip any host 200.1.1.0
deny ip any host 200.1.1.255
remark ---> add your other ACL statements here as necessary
deny ip any any
ip access-list extended no-broadcast-out
deny ip any host 200.1.1.0
deny ip any host 200.1.1.255
deny ip host 200.1.1.0 any
deny ip host 200.1.1.255 any
remark ---> add your other ACL statements here as necessary
deny ip any any
int fa0/0
ip access-group no-broadcast-in in
ip access-group no-broadcast-out out
Note: no ip directed-broadcast on the LAN interface (the default since IOS 12.0) stops the router from converting directed broadcasts into layer 2 broadcasts regardless of these ACLs; the ACLs additionally keep the packets off the wire.

III. Block inbound ping
ip access-list extended icmp-in
remark ---> add your other ACL statements here as necessary
deny icmp any any echo
deny icmp any any redirect
deny icmp any any mask-request
permit icmp any host 200.1.1.5 echo-reply   ! allow echo replies to the administrator's PC only
deny icmp any any echo-reply
permit icmp any 200.1.1.0 0.0.0.255   ! allow the remaining ICMP types (unreachable, time-exceeded, etc.) back in so internal hosts can ping and traceroute out
remark ---> add your other ACL statements here as necessary
int fa0/0
ip access-group icmp-in in
IV. Egress filtering of ICMP traffic
ip access-list extended icmp-out
remark ---> add your other ACL statements here as necessary
permit icmp host 200.1.1.5 any echo   ! allow the management station to send echo requests
permit icmp 200.1.1.0 0.0.0.255 any parameter-problem   ! let internal devices report a bad packet header to the Internet host that sent it
permit icmp 200.1.1.0 0.0.0.255 any packet-too-big   ! allow path MTU discovery
permit icmp 200.1.1.0 0.0.0.255 any source-quench   ! allow devices to signal congestion (source quench is deprecated by RFC 6633 and ignored by modern hosts; this line can be dropped)
deny icmp any any
remark ---> add your other ACL statements here as necessary
int fa0/0
ip access-group icmp-out out
V. traceroute
ip access-list extended traceroute
remark ---> add your other ACL statements here as necessary
deny udp any any range 33400 34400   ! UNIX traceroute probes start at UDP 33434 and count upward; Windows tracert uses ICMP echo, which the icmp-in list already denies
remark ---> add your other ACL statements here as necessary
int fa0/0
ip access-group traceroute in

VI. A simple anti-TCP-SYN-flood ACL
ip access-list extended tcp-syn-flood
permit tcp any 200.1.1.0 0.0.0.255 established
permit tcp any host 200.1.1.11 eq 25
deny ip any any
int fa0/0
ip access-group tcp-syn-flood in
Caveat: established matches any TCP segment with the ACK or RST bit set; it is a stateless flag check, not connection tracking. The list therefore only stops SYNs to hosts other than the mail server, lets a bare-ACK scan through to every host in 200.1.1.0/24, and does nothing about a SYN flood aimed at port 25 itself. For that you need a stateful feature such as TCP Intercept or CBAC.
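Sections 3 (fragments) and VI (the established keyword) both hinge on what an entry can and cannot see in a packet. The following Python model is an added example, not part of the original notes and not IOS code: it replays the section VI list and a section 3 case against constructed packets. It implements wildcard-mask matching, first match with the implicit deny, established as a check for ACK or RST, and the IOS fragment rules (an entry with port or flag criteria permits a non-initial fragment it cannot inspect but never denies one; a fragments entry matches only non-initial fragments). The addresses, ports and the subset of ACE syntax it parses are the example's own.

```python
"""Toy model of Cisco IOS extended-ACL evaluation (added example, not IOS code):
wildcard masks, first match wins, implicit deny, 'established' and 'fragments'."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def wild_match(base_wild, ip):
    base, wild = base_wild  # IOS wildcard: a 1 bit means 'do not care'
    return (int(IPv4Address(ip)) | wild) == (base | wild)


@dataclass
class ACE:
    action: str           # 'permit' | 'deny'
    proto: str            # 'ip' | 'tcp' | 'udp' | 'icmp'
    src: tuple            # (address, wildcard) as ints
    dst: tuple
    dports: tuple = None  # inclusive (lo, hi) from 'eq' / 'range'
    established: bool = False
    fragments: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = None               # None on a non-initial fragment: no L4 header
    flags: frozenset = frozenset()  # TCP flags set, e.g. {'SYN'}
    frag_offset: int = 0            # > 0 marks a non-initial fragment


def ace(line):
    """Parse the IOS ACE subset this page uses, e.g.
    'permit tcp any 200.1.1.0 0.0.0.255 established'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr():
        if rest[0] == "any":
            del rest[0]
            return (0, 0xFFFFFFFF)
        addr = ((int(IPv4Address(rest[1])), 0) if rest[0] == "host"
                else (int(IPv4Address(rest[0])), int(IPv4Address(rest[1]))))
        del rest[:2]
        return addr

    a = ACE(action, proto, take_addr(), take_addr())
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = int(rest.pop(0)); a.dports = (port, port)
        elif tok == "range":
            a.dports = (int(rest.pop(0)), int(rest.pop(0)))
        elif tok in ("established", "fragments"):
            setattr(a, tok, True)
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return a


def ace_match(a, p):
    """Return a.action if this ACE decides the packet, None to fall through."""
    if a.proto != "ip" and a.proto != p.proto:
        return None
    if not (wild_match(a.src, p.src) and wild_match(a.dst, p.dst)):
        return None
    noninitial = p.frag_offset > 0
    if a.fragments:  # 'fragments' ACEs match non-initial fragments only
        return a.action if noninitial else None
    if noninitial and (a.dports or a.established):
        # IOS rule for L4-aware ACEs: a permit still permits a non-initial
        # fragment (ports cannot be checked); a deny is skipped, not applied
        return a.action if a.action == "permit" else None
    if a.dports and (p.dport is None or not a.dports[0] <= p.dport <= a.dports[1]):
        return None
    if a.established and not (p.flags & {"ACK", "RST"}):
        return None
    return a.action


def evaluate(acl, p):
    """First match wins; returns (action, 1-based line), or the implicit deny."""
    for i, a in enumerate(acl, start=1):
        verdict = ace_match(a, p)
        if verdict:
            return verdict, i
    return "deny", None


def demo():
    """Constructed packets against the section VI list and a section 3 case."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    syn_flood = [ace(l) for l in ("permit tcp any 200.1.1.0 0.0.0.255 established",
                                   "permit tcp any host 200.1.1.11 eq 25",
                                   "deny ip any any")]
    base = [ace(l) for l in ("deny tcp any any eq 23",
                             "permit tcp any host 200.1.1.11 eq 25",
                             "deny ip any any")]
    hardened = [ace("deny tcp any any fragments")] + base  # section 3: fragments deny first
    frag = Packet("1.2.3.4", "200.1.1.11", "tcp", frag_offset=185)  # non-initial, no ports
    return {
        "syn_to_smtp": evaluate(syn_flood, Packet("1.2.3.4", "200.1.1.11", "tcp", 25, syn)),
        "syn_to_web": evaluate(syn_flood, Packet("1.2.3.4", "200.1.1.20", "tcp", 80, syn)),
        # a bare ACK (ACK scan) matches 'established': the keyword is stateless
        "ack_to_web": evaluate(syn_flood, Packet("1.2.3.4", "200.1.1.20", "tcp", 80, ack)),
        # line 1 cannot deny a fragment it cannot inspect; line 2 then permits it
        "fragment_without_fragments_ace": evaluate(base, frag),
        "fragment_with_fragments_ace": evaluate(hardened, frag),
        "unfragmented_telnet_hardened": evaluate(hardened, Packet("1.2.3.4", "200.1.1.11", "tcp", 23, syn)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running it shows the two points the notes make: a bare ACK probe to any host in 200.1.1.0/24 is permitted by line 1 of the section VI list, and a non-initial TCP fragment addressed to the mail server is permitted by the port-25 line (the telnet deny above it is skipped) unless deny tcp any any fragments sits at the top, where it catches the fragment without affecting unfragmented traffic.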

Last updated: 2017-01-04 22:34:51
