ACL Tutorial
Slide 1
Slide 2
Slide 3
Slide 4
Purpose: This figure explains the history of TCP/IP.
Emphasize: In the mid-1970s, DARPA established a packet-switched network to provide electronic communication between research institutions in the United States. DARPA and other government organizations understood the potential of packet-switched technology and were just beginning to face the problem virtually all companies with networks now have—how to establish communication between dissimilar computer systems.
Slide 5
Slide 6
Slide 7
Slide 8
Slide 1 of 3
Purpose: This figure (one of three layers) shows in more detail how an outbound access list operates in a router.
Emphasize:
Transition: Shows packets coming in on an inbound interface. This portion of the flowchart illustrates generic packet handling with or without access lists. The key outcome for the next layer is knowing which interface the routing table indicates as the best or next path.
Is an access list associated with the interface? If not, the packet can route directly, for example, out the upper outgoing interface (the upper arrow). Note: The graphic does not mean that only interfaces with no access group can output packets; based on source and destination addresses, and other parameters, other packets could also pass the access list and be routed out on an interface.
Slide 9
Slide 2 of 3
Purpose:
Emphasize: Shows the larger diamond. It contains words to summarize access list statements and permit/deny logic. This layer illustrates a permitted packet now sent to the outbound interface buffer for output (the lower arrow).
Slide 10
Slide 3 of 3
Purpose:
Emphasize: Shows a deny result of the access list test. Now the packet is discarded into the packet discard bucket. The unwanted packet has been denied access to the outbound interface.
The Notify Sender message shows a process like ICMP, returning an “administratively prohibited” message back to the sender.
Slide 11
Slide 1 of 4
Purpose:
Emphasize: This graphic explains in more detail the processes access list statements perform. Use the graphic’s diamond expanded from an earlier page to show individual access list statements.
Shows packets coming into the large diamond. It represents an expanded graphical view from the previous page. Inside, smaller diamonds represent access list statements. They occur in sequential, logical order. Tell students the graphic represents a single access list. There can be only one access list per protocol per direction per interface.
Slide 12
Slide 2 of 4
Purpose:
Emphasize: Adds the next test diamond.
Slide 13
Slide 3 of 4
Purpose:
Emphasize: Adds the third diamond as the next test.
Discuss the logical, ordered testing of packet conditions. One recommendation for the sequence of access list statements begins with the most specific of conditions to match at the beginning of the list; then continue with matches involving a larger group, such as entire subnets or networks. Finish with statements matching still larger groups.
Slide 14
Slide 4 of 4
Purpose:
Emphasize: Shows the implicit “deny all.” Describe the final access list test to match any packets not covered by earlier access list statements. All remaining packets match the “Implicit Deny” and are discarded into the bit bucket.
Slide 15
Slide 3 of 3
Purpose:
Emphasize: Layer 3—Adds the Novell IPX access lists covered in the IPX chapter and the number ranges for these types of access lists. As of Release 11.2.4(F), IPX also supports named access lists.
Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol.
Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types.
For the most part, number ranges do not overlap between different protocols.
Note: With IOS 12.0, the IP access list ranges have been expanded to also include:
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
Slide 16
Slide 1 of 1
Purpose:
Emphasize: This graphic gives an overview of the type of TCP/IP packet tests standard access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.
Slide 17
Slide 1 of 1
Purpose:
Emphasize: This graphic gives an overview of the type of TCP/IP packet tests extended access lists can filter. It uses the encapsulation graphic and diamond decision graphic to remind students of material presented earlier in this course.
Slide 18
Slide 2 of 2
Purpose:
Emphasize: Layer 2—Adds the general form of the interface command. This links the previously specified interface to a group that will handle its packets for the protocol in the manner specified by the global access list statements.
It can help student understanding to learn a generalized command as a simplified template common to most access list processes. However, the details for specific access lists vary widely.
As you present the global access list command material that follows in this chapter, return to the template term “test conditions” if it helps your students associate variations to the general elements of this model.
Emphasize that “test conditions” is an abstraction for this course. Use this abstraction as a generalization to assist teaching and learning. The words “test conditions” are not a Cisco IOS argument or parameter.
Cisco IOS software also offers many variations for the second interface command. As you present these variations, refer your students to the template term “access group” and emphasize how each variation performs a link of the access list test conditions met and the interfaces that packets can use as a result.
Slide 19
Slide 1 of 2
Purpose:
Emphasize: Introduce the wildcard bit process. Tell students the wildcard bit matching process is different from the IP subnet addressing mask covered earlier.
This graphic describes the binary wildcard masking process. Illustrate how wildcard masking works using the examples shown in the graphic table.
The term wildcard masking is a nickname for this access list mask-bit-matching process. This nickname comes from an analogy of a wildcard that matches any other card in a poker game.
Emphasize the contrast between wildcard masks and subnet masks stated in the student guide note. The confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types.
Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask must be contiguous.
Wildcard is like the DOS “*” character.
Slide 20
Slide 1 of 1
Purpose:
Emphasize: This graphic shows students how to use the host abbreviation in the extended access list wildcard mask.
This abbreviation means check the bit value in all bit positions, which has the effect of matching only the specified IP host address in all bit positions.
Slide 21
Slide 1 of 1
Purpose:
Emphasize: This graphic shows students how to use the wildcard any abbreviation.
This abbreviation means ignore any bit value in all bit positions, which has the effect of matching anything in all bit positions.
Slide 22
Slide 1 of 1
Purpose: This slide describes an example of how wildcard mask bits will match all hosts on subnets 172.30.16.0/24 to 172.30.31.0/24.
Emphasize: This process requires a thorough understanding of binary numbering, what values to use in the power of two bit positions, and how to convert a number from decimal to binary.
If some of your students seem to lack this understanding, tell them that responsibility for complex access list design is an advanced configuration skill. Later, this course offers a hands-on lab to allow practice designing simple access lists.
If you feel that your students need another example to improve their understanding of the process, prepare another example as a chalk talk. Consider having students volunteer to help as you solve your own example that lines up the binary bits of the address and the binary bits of the wildcard mask.
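The binary matching described in this slide and the two before it, as an added worked example in Python (not part of the course materials): it compares addresses bit by bit under a wildcard mask, derives the 0.0.15.255 mask for the 172.30.16.0/24 to 172.30.31.0/24 range, and runs a constructed standard list that ends in the implicit deny. The host address and list entries in ACL_1 are constructed for illustration.

```python
# Wildcard-mask matching as a standard access list performs it (added example, not
# the course's code).  In the mask, 0 means "this bit must match" and 1 means
# "don't care", the reverse of a subnet mask, and the 1 bits need not be contiguous.
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

HOST = "0.0.0.0"                          # "host A.B.C.D" == A.B.C.D 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")      # "any" == 0.0.0.0 255.255.255.255

def to_int(addr: str) -> int:
    return int(IPv4Address(addr))

def to_bits(addr: str) -> str:
    """Dotted-decimal to a dotted binary string, for the chalk-talk layout."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))

def wildcard_match(pkt_addr: str, address: str, wildcard: str = HOST) -> bool:
    care = ~to_int(wildcard) & 0xFFFFFFFF  # bits the list statement actually compares
    return (to_int(pkt_addr) & care) == (to_int(address) & care)

def wildcard_for_block(first: str, last: str) -> Tuple[str, str]:
    """Address and wildcard covering an aligned block such as
    172.30.16.0 .. 172.30.31.255: every bit that differs across the block is 1."""
    lo, hi = to_int(first), to_int(last)
    mask, diff = 0, lo ^ hi
    while diff:                           # smear the top differing bit downward
        mask |= diff
        diff >>= 1
    return str(IPv4Address(lo & ~mask & 0xFFFFFFFF)), str(IPv4Address(mask))

Entry = Tuple[str, str, str]              # (action, address, wildcard)

def evaluate(acl: List[Entry], pkt_src: str) -> Tuple[str, Optional[int]]:
    """Statements are tested in order and the first match wins; a packet that
    matches nothing falls to the implicit "deny any" (statement None)."""
    for n, (action, address, wildcard) in enumerate(acl, 1):
        if wildcard_match(pkt_src, address, wildcard):
            return action, n
    return "deny", None

# Constructed access-list 1: one host is excluded, then the sixteen subnets
# 172.30.16.0/24 - 172.30.31.0/24 from the slide are permitted; all else is denied.
ACL_1: List[Entry] = [
    ("deny", "172.30.16.7", HOST),                                    # deny host 172.30.16.7
    ("permit", *wildcard_for_block("172.30.16.0", "172.30.31.255")),  # permit 172.30.16.0 0.0.15.255
]

if __name__ == "__main__":
    print(to_bits("172.30.16.0"), to_bits("0.0.15.255"), sep="\n")
    for src in ("172.30.16.7", "172.30.31.200", "172.30.32.1"):
        print(src, evaluate(ACL_1, src))   # deny 1, permit 2, deny None
```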
Slide 23
Slide 1 of 2
Purpose: This slide gives the specific command syntax for TCP/IP standard access list configuration. The access-list command creates an entry in a standard access list.
Emphasize: The access-list field descriptions:
list—identifies the list to which the entry belongs; a number from 1 to 99.
address—source IP address.
wildcard-mask—identifies which bits in the address field are matched. It has a 1 in positions indicating “don’t care” bits, and a 0 in any position which is to be strictly followed.
Slide 24
Slide 2 of 2
Purpose: This layer shows the ip access-group command.
Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface per direction per protocol is allowed.
The ip access-group field descriptions:
list—number of the access-list to be linked to this interface.
direction—default is outbound.
Note: Create the access-list first before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access-list may cause most traffic to be blocked on the interface.
To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of IOS, removing the access list without removing it from the interface can cause problems.
Slide 25
Slide 1 of 2
Purpose: This slide gives a specific TCP/IP example of a standard access list configuration.
Emphasize: Describe each part of the standard access list to your students. The blue statements represent the implicit deny all.
A good way to teach this material is to start with another similar configuration on the board. Set goals that will result in the example and have students tell you how to configure it. Have the students tell you what to write. After the configuration on the board is correct, use the slide to review.
Slide 26
Slide 2 of 2
Purpose:
Emphasize: Because of the implicit deny all, all non-172.16.x.x traffic is blocked going out E0 and E1.
Note: The red arrows indicate that the access list is applied as an outbound access list.
Slide 27
Slide 1 of 3
Purpose: This slide gives another specific TCP/IP example of a standard access list configuration.
Emphasize:
Note: The wildcard mask of 0.0.0.0 is the default wildcard mask. It does not have to be specified.
Slide 28
Slide 2 of 3
Purpose:
Emphasize: Each access-list should have at least one permit statement in it to make it meaningful because of the implicit deny all statement at the end.
Slide 29
Slide 3 of 3
Purpose:
Emphasize: Only host 172.16.4.13 is blocked from going out on E0 to subnet 172.16.3.0.
Ask the students what will happen if the access list is placed as an input access list on E1 instead: host 172.16.4.13 will be blocked from going out to the non-172.16.0.0 cloud as well as to subnet 172.16.3.0.
Note: The red arrows indicate that the access list is applied as an outbound access list.
Slide 30
Slide 1 of 2
Purpose: This slide gives another specific TCP/IP example of a standard access list configuration.
Emphasize: This example features the use of the wildcard abbreviation any.
Slide 31
Slide 2 of 2
Purpose:
Emphasize: All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.
Note: The red arrows indicate that the access list is applied as an outbound access list.
Slide 32
Slide 1 of 2
Purpose: The access-list command creates an entry in a complex traffic filter list.
Emphasize: The access-list field descriptions:
list—a number between 100 and 199.
protocol—ip, tcp, udp, icmp, igrp, eigrp, ospf, etc. The keyword ip matches any Internet protocol (see note below).
source—source IP address.
source-mask—wildcard mask of the source address bits that must match. 0s indicate bits that must match; 1s are “don’t care” bits.
destination—destination IP address.
destination-mask—wildcard mask for the destination address.
operator—lt, gt, eq, neq.
operand—a port number or application name (e.g. 23 or telnet).
established—only allow established TCP sessions coming in (the ACK or RST bit must be set).
log—generates a console message when a packet matches the access list statement.
Note: If the protocol is not listed by name, you may enter the protocol number, between 1 and 255.
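An added Python model (not the course's code) of how one extended access list statement is tested against a packet, covering the fields described above: protocol, source and destination wildcard masks, the port operator and operand, established, and log. The access-list 101 entries and the sample packets are constructed for illustration.

```python
# Constructed model of extended access-list matching (added example, not the course's
# code): "ip" matches any IP protocol, the operator applies to the destination port,
# and "established" needs the TCP ACK or RST bit.  Wildcard bit 0 = must match.
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ACK, RST = 0x10, 0x04                      # TCP flag bits tested by "established"
ANY = ("0.0.0.0", "255.255.255.255")       # the "any" abbreviation

Packet = namedtuple("Packet", "proto src dst dport tcp_flags", defaults=(0, 0))
Statement = namedtuple("Statement", "action protocol source source_mask destination "
                       "destination_mask operator operand established log",
                       defaults=("0.0.0.0", "0.0.0.0", "255.255.255.255", None, 0, False, False))

def wildcard_match(pkt_addr: str, address: str, wildcard: str) -> bool:
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # 0 bits in the wildcard are compared
    return (int(IPv4Address(pkt_addr)) & care) == (int(IPv4Address(address)) & care)

def statement_matches(s: Statement, p: Packet) -> bool:
    if s.protocol != "ip" and s.protocol != p.proto:
        return False
    if not (wildcard_match(p.src, s.source, s.source_mask)
            and wildcard_match(p.dst, s.destination, s.destination_mask)):
        return False
    if s.operator:                         # lt, gt, eq, neq on the destination port
        tests = {"lt": p.dport < s.operand, "gt": p.dport > s.operand,
                 "eq": p.dport == s.operand, "neq": p.dport != s.operand}
        if not tests[s.operator]:
            return False
    return not s.established or bool(p.tcp_flags & (ACK | RST))

def evaluate(acl: List[Statement], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; anything unmatched hits the implicit deny (statement None)."""
    for n, s in enumerate(acl, 1):
        if statement_matches(s, p):
            if s.log:                      # "log": IOS prints a console message on match
                print(f"list 101 {s.action} {p.proto} {p.src} -> {p.dst} (statement {n})")
            return s.action, n
    return "deny", None

# Constructed access-list 101: block Telnet from 172.16.4.0/24, let only replies to
# already-established TCP sessions reach 172.16.3.0/24, pass other IP from 172.16.4.0/24.
ACL_101 = [
    Statement("deny", "tcp", "172.16.4.0", "0.0.0.255", *ANY, "eq", 23, log=True),
    Statement("permit", "tcp", *ANY, "172.16.3.0", "0.0.0.255", established=True),
    Statement("permit", "ip", "172.16.4.0", "0.0.0.255", *ANY),
]

if __name__ == "__main__":
    print(evaluate(ACL_101, Packet("tcp", "172.16.4.13", "172.16.3.1", 23, 0x02)))  # ('deny', 1)
    print(evaluate(ACL_101, Packet("tcp", "10.1.1.9", "172.16.3.1", 80, 0x02)))     # ('deny', None)
    print(evaluate(ACL_101, Packet("tcp", "10.1.1.9", "172.16.3.1", 80, ACK)))      # ('permit', 2)
```

A SYN-only packet (flags 0x02) to 172.16.3.0/24 from outside 172.16.4.0/24 matches nothing and falls to the implicit deny, while the same packet with ACK set is permitted by the established statement.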
Slide 33
Slide 2 of 2
Purpose: Layer 2—Adds the access-group command for IP.
Emphasize:
The list number must match the number (100 to 199) you specified in the access-list command.
Slide 34
Slide 1 of 3
Purpose: This three-layer slide shows an example of an extended IP access list.
Emphasize:
Slide 35
Slide 2 of 3
Purpose:
Emphasize: Don’t forget to include the permit statement to permit all other IP traffic out on E0.
Slide 36
Slide 3 of 3
Purpose:
Emphasize:
Slide 37
Slide 1 of 3
Purpose: This slide gives another example of an extended IP access list configuration.
Emphasize: Notice this example of an IP extended access list specifies a source subnet address and any destination address.
Slide 38
Slide 2 of 3
Purpose:
Emphasize: Don’t forget to include the permit statement to permit all other IP traffic out on E0.
Slide 39
Slide 3 of 3
Purpose:
Emphasize:
Slide 40
Slide 1 of 3
Purpose: Layer 1—Shows the command syntax to declare a named IP access list.
Emphasize: Show how to use named access lists, a new approach to configuring access lists in Cisco IOS software.
Slide 41
Slide 2 of 3
Purpose: Layer 2—Adds the new configuration environment for this form of access list entry.
Emphasize: Note the new prompt form shown. Enter all test condition statements without an initial access list number.
The statement that begins with the word no shows how you can delete a specific test condition for IP named access lists, which is much more flexible than earlier forms.
With numbered access lists, the entire list and all its statements are considered a single entity: to change or delete a statement, you would first need to delete the entire numbered access list, then reenter the statements you want to keep.
Example:
RouterB(config)#ip access-list standard test
RouterB(config-std-nacl)#permit 10.1.1.1
RouterB(config-std-nacl)#end
RouterB#sh ip access-list
Standard IP access list test
permit 10.1.1.1
Slide 42
Slide 3 of 3
Purpose: Layer 3—Finishes with the new form of the access group command, now able to refer to an IP access list name as well as an access list number.
Emphasize: Introduced with Cisco IOS Release 11.2, named access lists:
Intuitively identify IP access lists using alphanumeric identifiers.
Remove the limit on the number of access lists (previously 99 for IP standard and 100 for IP extended access lists).
Allow per-access-list-statement deletions (previously the entire numbered access list needed to be deleted as a single entity).
Require Cisco IOS Release 11.2 or later.
Slide 43
Slide 1 of 1
Purpose:
Emphasize: Explain the basic rules on where to configure standard and extended access lists.
Describe how the extended access list can eliminate unwanted traffic across the serial lines.
Slide 44
Slide 1 of 1
Purpose: This slide shows how to verify an access list.
Emphasize: Lists IP interface information and indicates whether an outgoing access list is set.
Review the output of the show ip interface command. The highlighted text shows details about access list settings in the show command output.
Slide 45
Slide 1 of 1
Purpose: This slide introduces the show access-lists command used to verify access lists.
Emphasize: This is the most consolidated method for seeing several access lists.
Note: the implicit deny all statement is not displayed unless it is explicitly entered in the access list.
Slide 46
Slide 1 of 1
Purpose:
Emphasize: Instead of applying a standard access-list to a physical interface, now we will apply a standard access-list to the router’s vty ports. A vty port is a logical port on the router that can accept telnet sessions.
Note:
Access-class is used to filter incoming telnet sessions into the router’s vty ports and to filter outgoing telnet sessions from the router’s vty ports.
Access-class always uses a standard access list to match the source address of an incoming telnet session or the destination address of an outgoing telnet session.
The 2500 series router by default has 5 vty ports (vty 0 through 4).
To configure more vty ports, use the following global configuration command:
RouterB(config)#line vty 0 ?
<1-188> Last Line number
<cr>
Slide 47
Slide 1 of 1
Purpose:
Emphasize: To filter incoming and outgoing telnet sessions to and from the router’s vty ports, a standard access list is used.
If this is to block incoming telnet sessions into a router’s vty port, the standard access-list is used to match the source address of the host trying to telnet into the router’s vty port.
If this is to block outgoing telnet sessions from the router’s vty ports to a host, the standard access-list is used to match the destination address of the host the router is trying to telnet into from its vty ports.
Slide 48
Slide 1 of 1
Purpose:
Emphasize: Use “access-class” to apply the standard access-list to the vty port. The next slide will show a configuration example.
Slide 49
Slide 1 of 1
Purpose: This example shows how to restrict incoming telnet sessions to the router’s vty ports.
Emphasize: The access-class is applied as an input filter.
Note: Ask the student the effect of changing the direction of the access-class to outbound instead of inbound.
Now the router can accept incoming telnet sessions to its vty ports from all hosts but will block outgoing telnet sessions from its vty ports to all hosts except hosts in network 192.89.55.0.
Once a user has telnetted into a router’s vty port, the outbound access-class filter will prevent the user from telnetting to other hosts as specified by the standard access list.
Remember, when an access list is applied to an interface, it only blocks or permits traffic going through the router; it does not block or permit traffic initiated from the router itself.
Slide 50
Slide 1 of 1
Purpose:
Emphasize:
Slide 51
Slide 1 of 1
Purpose:
Emphasize: