Network Security: ACL (Access Control List)

Two kinds of ACL

  • standard: permit/deny based on the source IP address ONLY (a standard ACL looks only at the source address)

  • extended: permit/deny based on source IP address, destination IP address and application type (an extended ACL looks at the source address, the destination address and the application type)

type of protocol: TCP, UDP, ...

type of application: SSH, HTTP, etc.

Template for a standard ACL

access-list acl-number(1-99) {permit|deny} source [wildcard-mask]

interface interface-number

ip access-group acl-number {in|out}

The mask is a wildcard (inverse) mask, not a subnet mask: a 0 bit means that bit of the packet's source address must match the entry, a 1 bit means the bit is ignored. So an octet of 0 requires all 8 bits to match and an octet of 255 matches anything: 0.0.0.0 matches exactly one address, 0.0.0.255 matches a /24, 0.0.255.255 matches a /16. Entries are evaluated top down, the first match decides, and an ACL ends with an implicit deny of everything it did not explicitly permit.

Examples:

a) Prevent all traffic from the workstation 170.16.10.5 from reaching the workstation 170.16.80.16. Traffic from all other hosts/networks, including traffic from outside, should be allowed.

R3(config)# access-list 1 deny 170.16.10.5 0.0.0.0
R3(config)# access-list 1 permit any
R3(config)# interface E0
R3(config-if)# ip access-group 1 out

Note: a standard ACL matches on the source only, so applied outbound on E0 (the interface toward 170.16.80.16) it blocks 170.16.10.5 from every host on that segment, not just from 170.16.80.16; matching the destination host as well needs an extended ACL. This is also why standard ACLs are placed as close to the destination as possible.

b) Traffic from the network 170.16.40.0 must not be allowed onto the 170.16.50.0 network. All other traffic originating from the 170.16.0.0 networks must be allowed (that is, outside traffic must not be allowed).

R2(config)# access-list 2 deny 170.16.40.0 0.0.0.255
R2(config)# access-list 2 permit 170.16.0.0 0.0.255.255
R2(config)# access-list 2 deny any
R2(config)# interface E0
R2(config-if)# ip access-group 2 out

Note: the final deny any only restates the implicit deny that ends every ACL; writing it explicitly is harmless and gives a hit counter for the dropped outside traffic in show access-lists.

c) Workstations 170.16.50.75 and 170.16.50.7 should not be allowed HTTP access to the tower box 170.16.70.2. All other workstations can. All other traffic, including traffic from outside networks, can go anywhere.

R2(config)# access-list 101 deny tcp host 170.16.50.75 host 170.16.70.2 eq 80
R2(config)# access-list 101 deny tcp host 170.16.50.7 host 170.16.70.2 eq 80
R2(config)# access-list 101 permit ip any any
R2(config)# interface E0
R2(config-if)# ip access-group 101 in

Note: the deny entries must name the two hosts. A deny on 170.16.50.0 0.0.0.255 would block HTTP from the whole /24, which the task does not ask for. IOS also accepts eq www in place of eq 80.


d) 170.16.80.16 can telnet to 170.16.40.89. No one else on the network 170.16.80.0 can telnet to 170.16.40.89. All other hosts can telnet to 170.16.40.89. Also permit all other traffic, but only as long as it originates from 170.16.0.0 (that is, do not allow outside traffic).

R2(config)# access-list 102 permit tcp host 170.16.80.16 host 170.16.40.89 eq 23
R2(config)# access-list 102 deny tcp 170.16.80.0 0.0.0.255 host 170.16.40.89 eq 23
R2(config)# access-list 102 permit ip 170.16.0.0 0.0.255.255 any
R2(config)# access-list 102 deny ip any any
R2(config)# interface E1
R2(config-if)# ip access-group 102 out

Note: Telnet is TCP port 23 (IOS also accepts eq telnet); port 22 is SSH, and an entry on 22 would leave Telnet unfiltered. The third entry covers both Telnet from the rest of 170.16.0.0 and all other internal traffic, so it must come after the deny for 170.16.80.0; with only Telnet-specific permits followed by deny ip any any, every non-Telnet packet from the internal networks would be dropped, contrary to the task.

e) Only the host 170.16.10.5 can ftp to the tower box 170.16.70.2. No other host can ftp to the tower box. Allow all other traffic to all other networks (and also to the tower box), but only as long as it originates from 170.16.0.0 (that is, do not allow outside traffic).

R3(config)# access-list 103 permit tcp host 170.16.10.5 host 170.16.70.2 range 20 21
R3(config)# access-list 103 deny tcp any host 170.16.70.2 range 20 21
R3(config)# access-list 103 permit ip 170.16.0.0 0.0.255.255 any
R3(config)# access-list 103 deny ip any any
R3(config)# interface E1
R3(config-if)# ip access-group 103 out

Note: IOS writes a port range as range 20 21 (two numbers separated by a space, not a hyphen), and every extended entry needs a protocol keyword, so the third entry is permit ip, not a bare permit. These are stateless matches on the destination port: they cover the FTP control channel (21) and the active-mode data channel (20) but do not track the session, so a passive-mode data connection to an ephemeral port on the tower box falls through to the third entry.

f) Prevent traffic from the network 170.16.20.0 from flowing onto the network 170.16.70.0. All other traffic, including traffic from outside, can.

R3(config)# access-list 3 deny 170.16.20.0 0.0.0.255
R3(config)# access-list 3 permit any
R3(config)# interface E1
R3(config-if)# ip access-group 3 out

Note: a deny any placed after permit any can never be reached, because entries are evaluated top down and the first match wins; such an entry is dead and is omitted here.

g) Prevent traffic from the tower box 170.16.70.2 from going outside to the non-170.16.0.0 networks. All other traffic can go out.

R3(config)# access-list 104 permit ip host 170.16.70.2 170.16.0.0 0.0.255.255
R3(config)# access-list 104 deny ip host 170.16.70.2 any
R3(config)# access-list 104 permit ip any any
R3(config)# interface E1
R3(config-if)# ip access-group 104 in

Note: ACL 104 is an extended list, so each entry needs the ip protocol keyword; without it IOS rejects the line. The ordering is what implements the task: the tower box is first permitted to internal destinations, then denied everything else, and only then is everyone else permitted. A deny ip any any after permit ip any any would be unreachable and is left out.
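Wildcard masks, top-down first-match evaluation and the implicit deny are the three things every example above depends on, and the common mistakes (a deny on a whole /24 where the task names two hosts, a deny any placed after permit any) are easiest to see in a simulator. The following Python ACL evaluator is an added example, not code from the original page or from Cisco IOS: it parses the numbered access-list syntax used in the examples, matches addresses with wildcard masks, evaluates entries top down with the implicit trailing deny, and flags entries that an earlier entry makes unreachable. The port-name table is an assumed subset of what IOS accepts, and the ACLs at the bottom are constructed from examples c) and f).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80}  # assumed subset

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored."""
    return ((addr ^ rule_addr) & ~wildcard & ALL_ONES) == 0

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if not (wildcard_match(_ip(src), self.src, self.src_wild)
                and wildcard_match(_ip(dst), self.dst, self.dst_wild)):
            return False
        return self.ports is None or (dport is not None and self.ports[0] <= dport <= self.ports[1])

    def covers(self, other: "Entry") -> bool:
        """True if every packet `other` would match is already matched by `self`."""
        def addr_ok(a, aw, b, bw):   # (a, aw) matches every address that (b, bw) matches
            return (bw & ~aw & ALL_ONES) == 0 and wildcard_match(b, a, aw)
        port_ok = self.ports is None or (other.ports is not None
                  and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1])
        return (self.proto in ("ip", other.proto) and port_ok
                and addr_ok(self.src, self.src_wild, other.src, other.src_wild)
                and addr_ok(self.dst, self.dst_wild, other.dst, other.dst_wild))

def _addr_spec(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse `any` | `host A` | `A [wildcard]`; returns (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # an explicit wildcard follows
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1                      # omitted wildcard = 0.0.0.0, one host

def parse_entry(line: str) -> Tuple[int, Entry]:
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                             # standard ACL: source only
        src, src_wild, _ = _addr_spec(tok, 3)
        return number, Entry(action, "ip", src, src_wild, 0, ALL_ONES, None)
    proto = tok[3]                                    # extended ACL: protocol is mandatory
    src, src_wild, i = _addr_spec(tok, 4)
    dst, dst_wild, i = _addr_spec(tok, i)
    ports = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        ports = (port, port)
    elif i < len(tok) and tok[i] == "range":          # IOS syntax is `range 20 21`
        ports = (int(tok[i + 1]), int(tok[i + 2]))
    return number, Entry(action, proto, src, src_wild, dst, dst_wild, ports)

class AccessList:
    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(line)[1] for line in lines]

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        for entry in self.entries:                    # top-down, first match wins
            if entry.matches(proto, src, dst, dport):
                return entry.action
        return "deny"                                 # the implicit deny that ends every ACL

    def shadowed(self) -> List[int]:
        """0-based indices of entries that an earlier entry makes unreachable."""
        return [j for j, later in enumerate(self.entries)
                if any(earlier.covers(later) for earlier in self.entries[:j])]

# Constructed ACLs. Example c): denying all of 170.16.50.0/24 also blocks uninvolved
# hosts; one `host` entry per workstation is what the task asks for.
ACL_101_SUBNET = AccessList([
    "access-list 101 deny tcp 170.16.50.0 0.0.0.255 host 170.16.70.2 eq 80",
    "access-list 101 permit ip any any"])
ACL_101_HOSTS = AccessList([
    "access-list 101 deny tcp host 170.16.50.75 host 170.16.70.2 eq 80",
    "access-list 101 deny tcp host 170.16.50.7 host 170.16.70.2 eq 80",
    "access-list 101 permit ip any any"])
# Example f) with a trailing `deny any`: the `permit any` before it shadows it.
ACL_3 = AccessList([
    "access-list 3 deny 170.16.20.0 0.0.0.255",
    "access-list 3 permit any",
    "access-list 3 deny any"])
```

Evaluate a packet with ACL_101_HOSTS.evaluate("tcp", "170.16.50.10", "170.16.70.2", 80) (permit, whereas ACL_101_SUBNET denies the same uninvolved host) and check a list for dead entries with ACL_3.shadowed(), which returns [2]. The shadow check is deliberately conservative: it flags an entry only when a single earlier entry covers it entirely, which is exactly the case that a config review should never let through.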