

Cisco IOS Cookbook (condensed Chinese edition), Chapter 19: Access Lists

2019-11-04 23:16:08
Source: reposted
Contributed by: a site user

19.1.  Filtering by source or destination address

Problem: Block packets coming from, or sent to, a particular address.

Solution

Use a standard access list to block packets from a specific source address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 50 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Use an extended access list to block packets from a specific source address to a specific destination address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion

19.2.  Adding remarks to an ACL

Problem: Add comments to an access list so that it is easier to read.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 remark Authorizing thy trespass with compare

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255

Router1(config)#access-list 50 permit any

Router1(config)#end

Router1#

Or:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list standard TESTACL

Router2(config-std-nacl)#remark Authorizing thy trespass with compare

Router2(config-std-nacl)#deny host 10.2.2.2

Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255

Router2(config-std-nacl)#permit any

Router2(config-std-nacl)#end

Router2#

Discussion: Remarks do not appear in the output of the show access-list command.
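To make the matching rules behind recipes 19.1 and 19.2 concrete, here is an added example (not code from the book) that evaluates numbered IOS ACL lines the way the router does: wildcard masks where a 1 bit means "don't care", first match wins, remark lines are ignored, and a list with no match denies because of the implicit deny at the end. The ACL_50, ACL_150 and ACL_50_REMARK lists are copied from the recipes above; the port and option keywords that follow the addresses in an extended entry are deliberately not interpreted here.

```python
"""Model of IOS standard/extended ACL matching (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]                       # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit is "don't care"


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: AddrSpec
    dst: AddrSpec


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit 'must match'."""
    base, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: 'any', 'host A', 'A WILDCARD' or a bare 'A'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1          # bare address without a mask = host


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'access-list N ...' line; a leading 'Router(config)#' prompt is tolerated.
    Remark lines return None because they never take part in matching."""
    tokens = line.split()
    if not tokens:
        return None
    if "#" in tokens[0]:                           # strip a pasted CLI prompt
        tokens = tokens[0].split("#", 1)[1:] + tokens[1:]
    if tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:    # standard ACL: source address only
        src, _ = _parse_addr(tokens, 3)
        return Entry(action, "ip", src, ANY)
    proto = tokens[3]                                   # extended ACL: protocol, source, destination
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)
    return Entry(action, proto, src, dst)


def evaluate(acl: List[str], proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet: first matching entry wins,
    and a list that matches nothing denies (the implicit 'deny any')."""
    for line in acl:
        entry = parse_entry(line)
        if entry is None or entry.proto not in ("ip", proto):
            continue
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


# The lists from recipes 19.1 and 19.2, as typed on the page
ACL_50 = ["access-list 50 deny host 10.2.2.2",
          "access-list 50 permit any"]
ACL_150 = ["access-list 150 deny ip host 10.2.2.2 host 172.25.25.1",
           "access-list 150 permit ip any any"]
ACL_50_REMARK = ["Router1(config)#access-list 50 remark Authorizing thy trespass with compare",
                 "Router1(config)#access-list 50 deny host 10.2.2.2",
                 "Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255",
                 "Router1(config)#access-list 50 permit any"]

if __name__ == "__main__":
    for acl, name in ((ACL_50, "50"), (ACL_150, "150")):
        for s, d in (("10.2.2.2", "172.25.25.1"), ("10.2.2.2", "172.25.25.2"), ("10.2.2.3", "172.25.25.1")):
            print(f"list {name}: tcp {s} -> {d}: {evaluate(acl, 'tcp', s, d)}")
```

The standard list blocks 10.2.2.2 regardless of destination, while the extended list blocks only the one source/destination pair; an empty list denies everything, which is why a list with only deny entries cuts off all traffic on the interface.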

19.3.  Filtering by application

Problem: Filter traffic according to the application.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 151 permit tcp any any eq www

Router1(config)#access-list 151 deny tcp any any gt 1023

Router1(config)#access-list 151 permit icmp any any

Router1(config)#access-list 151 permit udp any any eq ntp

Router1(config)#access-list 151 deny ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 151 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: none

19.4.  Filtering by TCP header flags

Problem: Filter according to the flag bits in the TCP header.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg

Router1(config)#access-list 161 deny tcp any any rst syn

Router1(config)#access-list 161 deny tcp any any rst syn fin

Router1(config)#access-list 161 deny tcp any any rst syn fin ack

Router1(config)#access-list 161 deny tcp any any syn fin

Router1(config)#access-list 161 deny tcp any any syn fin ack

Router1(config)#end

Router1#

A new command syntax is available starting with 12.3(4)T:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended TCPFLAGFILTER

Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack

Router2(config-ext-nacl)#end

Router2#

Discussion: The TCP header has six flag bits: ACK, SYN, FIN, RST, PSH and URG. The new syntax introduces two keywords, match-all and match-any. match-any behaves like the traditional syntax: the entry matches when any of the listed flags is set, and the other flags are ignored. match-all requires every listed flag condition to hold at the same time.

19.5.  Restricting the direction of TCP sessions

Problem: Filter TCP sessions so that only the client side can initiate the application.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 148 permit tcp any eq telnet any established

Router1(config)#access-list 148 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 148 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion
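The difference between the legacy flag syntax, match-any, match-all (recipe 19.4) and the established keyword (recipe 19.5) is easy to get wrong, so here is an added example (not from the book) that models all four comparisons on a TCP flag byte. The six ACL 161 entries and the six TCPFLAGFILTER entries are transcribed from the recipe; acl_148 models list 148 from recipe 19.5. The legacy semantics coded here (any listed flag set matches) follow the discussion above, which says the traditional form behaves like match-any.

```python
"""Model of IOS TCP flag matching: legacy, match-any, match-all, established (added example)."""
from typing import Dict, Iterable, List

TCP_FLAGS: Dict[str, int] = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20,
}


def flags(*names: str) -> int:
    """Build a flag byte from flag names, e.g. flags("syn", "ack")."""
    value = 0
    for n in names:
        value |= TCP_FLAGS[n]
    return value


def legacy_match(packet: int, listed: Iterable[str]) -> bool:
    """Pre-12.3(4)T form ('deny tcp any any rst syn'): matches when ANY listed flag is set."""
    return any(packet & TCP_FLAGS[f] for f in listed)


def _condition(packet: int, token: str) -> bool:
    """'+syn' requires the bit to be set, '-syn' requires it to be clear."""
    sign, name = token[0], token[1:]
    is_set = bool(packet & TCP_FLAGS[name])
    return is_set if sign == "+" else not is_set


def match_any(packet: int, spec: str) -> bool:
    """'match-any +rst +syn': at least one condition holds."""
    return any(_condition(packet, t) for t in spec.split())


def match_all(packet: int, spec: str) -> bool:
    """'match-all +rst +syn': every condition holds."""
    return all(_condition(packet, t) for t in spec.split())


def established(packet: int) -> bool:
    """The 'established' keyword: ACK or RST set, i.e. anything but the opening SYN.
    It inspects flag bits only; it does not track connection state."""
    return bool(packet & (TCP_FLAGS["ack"] | TCP_FLAGS["rst"]))


# Recipe 19.4, legacy list 161 and the match-all list TCPFLAGFILTER
LEGACY_161: List[List[str]] = [
    ["ack", "fin", "psh", "rst", "syn", "urg"], ["rst", "syn"], ["rst", "syn", "fin"],
    ["rst", "syn", "fin", "ack"], ["syn", "fin"], ["syn", "fin", "ack"],
]
TCPFLAGFILTER: List[str] = [
    "+ack +fin +psh +rst +syn +urg", "+rst +syn", "+rst +syn +fin",
    "+rst +syn +fin +ack", "+syn +fin", "+syn +fin +ack",
]


def denied_by_legacy_161(packet: int) -> bool:
    return any(legacy_match(packet, entry) for entry in LEGACY_161)


def denied_by_tcpflagfilter(packet: int) -> bool:
    return any(match_all(packet, entry) for entry in TCPFLAGFILTER)


def acl_148(src_port: int, packet: int) -> str:
    """Recipe 19.5: 'permit tcp any eq telnet any established', then 'deny ip any any'."""
    if src_port == 23 and established(packet):
        return "permit"
    return "deny"


if __name__ == "__main__":
    for label, pkt in (("plain SYN", flags("syn")), ("SYN+FIN", flags("syn", "fin")),
                       ("all six", flags(*TCP_FLAGS))):
        print(f"{label:9s} legacy-161 deny={denied_by_legacy_161(pkt)} "
              f"TCPFLAGFILTER deny={denied_by_tcpflagfilter(pkt)}")
```

Run the block and note that a plain SYN, the start of every legitimate connection, is denied by the legacy list (the "rst syn" entry matches because SYN alone is one of the listed flags) but passes TCPFLAGFILTER, which only drops the impossible combinations. For recipe 19.5, remember that established is a flag check, not a state table: a reply from port 23 with ACK set is permitted whether or not an inside host ever opened that session, which is the gap reflexive access lists (recipe 19.11) close.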

19.6.  Filtering multi-port applications

Problem: Filter applications that use more than one port.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 152 permit tcp any any eq ftp

Router1(config)#access-list 152 permit tcp any any eq ftp-data established

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 152 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Other multi-port applications can be handled with the following port operators:

Router1(config)#access-list 154 permit udp any any range 6000 6063

Router1(config)#access-list 155 deny udp any any gt 1023

Router1(config)#access-list 156 permit udp any any lt 1024

Router1(config)#access-list 157 permit udp any any neq 666

19.7.  Filtering by DSCP and TOS

Problem: Filter according to the IP quality-of-service fields.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any dscp af11

Router1(config)#end

Or:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any tos max-reliability

Router1(config)#end

Discussion

19.8.  Logging access list matches

Problem: Log information about packets that match an access list entry.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit ip any any log

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

For more detailed information:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit tcp any any log-input

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Log messages produced by the first example:

Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets

Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets

Log messages produced by the second example:

Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet

Note that the log-input keyword is only available in extended access lists.

19.9.  Counting TCP sessions

Problem: Count the number of TCP sessions.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 122 permit tcp any any eq telnet established

Router1(config)#access-list 122 permit tcp any any eq telnet

Router1(config)#access-list 122 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 122 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Or:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 121 permit tcp any any eq telnet syn

Router1(config)#access-list 121 permit tcp any any eq telnet

Router1(config)#access-list 121 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 121 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: For the first example:

Router1#show access-list 122

Extended IP access list 122

    permit tcp any any eq telnet established (3843 matches)

    permit tcp any any eq telnet (6 matches)

    permit ip any any (31937 matches)

Router1#

The output shows that six Telnet sessions passed through the interface (the six matches on the entry without the established keyword, one per opening SYN), carrying 3,843 + 6 = 3,849 Telnet packets in total.

19.10.  Analyzing ACL log entries

Discussion: Use a script to analyze the generated ACL log entries; omitted here.
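Recipe 19.10 leaves the log-analysis script out, so here is an added example (not the book's script) that parses the %SEC-6-IPACCESSLOG* message formats shown in recipe 19.8 and summarises packet counts per list, action and protocol, plus the sources that hit deny entries. SAMPLE_LOG contains the three lines from recipe 19.8 and one constructed "denied" line (list 150 on the page permits everything, so that line is invented for illustration; the 192.0.2.10 address is documentation space).

```python
"""Parser and summariser for IOS ACL log messages (added example, not from the book)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Three real lines from recipe 19.8 plus one constructed 'denied' line
SAMPLE_LOG = """\
Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Feb  6 15:02:07: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.0.2.10(41000) -> 172.25.25.1(23), 3 packets
"""

# One expression covers the RP (routing protocol), DP (ICMP type/code) and P (TCP/UDP port)
# variants; the '(interface mac)' group after the source only appears with log-input.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOG(?P<kind>\w+): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?(?: \((?P<ingress>[^)]*)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?$"
)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per ACL log line; lines that are not ACL messages are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec: Dict[str, object] = dict(m.groupdict())
            rec["count"] = int(m.group("count"))
            records.append(rec)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[Tuple[str, str, str], int]:
    """Packet totals keyed by (list, action, protocol)."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for r in records:
        totals[(str(r["acl"]), str(r["action"]), str(r["proto"]))] += int(r["count"])  # type: ignore[arg-type]
    return dict(totals)


def denied_sources(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Packets per source address that hit a deny entry: the first thing to review."""
    hits: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["action"] == "denied":
            hits[str(r["src"])] += int(r["count"])  # type: ignore[arg-type]
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, total in sorted(summarize(recs).items()):
        print(f"list {key[0]} {key[1]:9s} {key[2]:5s} {total:6d} packets")
    print("denied sources:", denied_sources(recs))
```

The ingress field is only filled for messages produced with log-input (the third line), which is what lets you tie a logged packet to the interface and MAC address it arrived on; the plain log keyword gives addresses only.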


19.11.  Using named and reflexive access lists

Problem: Use a reflexive access list inside a named access list.

Solution

A basic named access list works like a numbered one:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list standard STANDARD-ACL

Router1(config-std-nacl)#remark This is a standard ACL

Router1(config-std-nacl)#permit any log

Router1(config-std-nacl)#exit

Router1(config)#ip access-list extended EXTENDED-ACL

Router1(config-ext-nacl)#remark This is an extended ACL

Router1(config-ext-nacl)#deny tcp any any eq www

Router1(config-ext-nacl)#permit ip any any log

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group STANDARD-ACL in

Router1(config-if)#exit

Router1(config)#end

Router1#

The following embeds a reflexive access list so that pings are allowed in one direction only:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list extended PING-OUT

Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#ip access-list extended PING-IN

Router1(config-ext-nacl)#evaluate ICMP-REFLECT

Router1(config-ext-nacl)#deny icmp any any log

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group PING-OUT out

Router1(config-if)#ip access-group PING-IN in

Router1(config-if)#end

Router1#

Discussion: In this example the reflexive access list controls which ICMP responses are allowed back in.

19.12.  Handling passive-mode FTP

Problem: Distinguish passive-mode FTP traffic.

Solution
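To show what the PING-OUT / PING-IN pair above actually does over time, here is an added example (not IOS code and not from the book) that models the reflexive list ICMP-REFLECT: an outbound ICMP packet matched by the reflect entry records the mirrored flow with a 15-second expiry, and the evaluate entry on the inbound list permits only traffic matching such a recorded flow. The addresses in simulate() are constructed. The model keys entries on protocol and addresses only; real IOS entries also include ports (and ICMP type/code), refresh the timer on traffic and tear down TCP entries on FIN/RST.

```python
"""Model of a reflexive access list with a timeout (added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


class ReflexiveAcl:
    """Dynamic entries created by 'reflect NAME timeout N' and consulted by 'evaluate NAME'."""

    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.entries: Dict[Tuple[str, str, str], float] = {}   # mirrored flow -> expiry

    def reflect(self, pkt: Packet, now: float) -> None:
        # Record the RETURN direction: source and destination swapped
        self.entries[(pkt.proto, pkt.dst, pkt.src)] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        # Age out expired entries, then look for an exact mirrored match
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        return (pkt.proto, pkt.src, pkt.dst) in self.entries


def ping_out(acl: ReflexiveAcl, pkt: Packet, now: float) -> str:
    """PING-OUT, applied outbound on Serial0/1."""
    if pkt.proto == "icmp":
        acl.reflect(pkt, now)          # permit icmp any any reflect ICMP-REFLECT timeout 15
    return "permit"                    # permit ip any any


def ping_in(acl: ReflexiveAcl, pkt: Packet, now: float) -> str:
    """PING-IN, applied inbound on Serial0/1."""
    if acl.evaluate(pkt, now):         # evaluate ICMP-REFLECT
        return "permit"
    if pkt.proto == "icmp":
        return "deny(log)"             # deny icmp any any log
    return "permit"                    # permit ip any any


def simulate() -> List[str]:
    """Scripted exchange with constructed addresses; returns the decisions in order."""
    acl = ReflexiveAcl(timeout=15)
    echo = Packet("icmp", "10.1.1.5", "172.25.25.1")        # inside host pings outside
    reply = Packet("icmp", "172.25.25.1", "10.1.1.5")       # the echo reply
    stray = Packet("icmp", "198.51.100.9", "10.1.1.5")      # unsolicited ping from outside
    other = Packet("tcp", "172.25.25.1", "10.1.1.5")        # non-ICMP traffic
    return [
        ping_out(acl, echo, now=0),    # permit, and the mirrored entry is created
        ping_in(acl, reply, now=5),    # permit: matches the reflexive entry
        ping_in(acl, stray, now=5),    # deny(log): nobody asked for it
        ping_in(acl, reply, now=20),   # deny(log): entry expired after 15 s
        ping_in(acl, other, now=20),   # permit: falls through to permit ip any any
    ]


if __name__ == "__main__":
    print(simulate())
```

The third and fourth decisions are the point of the recipe: an unsolicited ping and a late reply are both logged denials, so the inbound list opens only what outbound traffic has asked for, and only for as long as the timeout allows.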

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp

Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023

Router1(config)#access-list 144 deny ip any any

Router1(config)#interface Serial0/0.1

Router1(config-subif)#ip access-group 144 in

Router1(config-subif)#exit

Router1(config)#end

Router1#

Discussion: In passive mode the FTP client opens a second connection to the server on a port above 1024, so all ports above 1024 have to be opened for such sessions. The configuration in the example solves the problem but weakens security; a more effective way to handle this is covered in a later chapter.

19.13.  Using time-based access lists

Problem: Control an application during a given period of the day.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#time-range NOSURF

Router1(config-time-range)# periodic weekdays 9:00 to 17:00

Router1(config-time-range)#exit

Router1(config)#ip access-list extended NOSURFING

Router1(config-ext-nacl)# deny   tcp any any eq www time-range NOSURF

Router1(config-ext-nacl)# permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip access-group NOSURFING in

Router1(config-if)#end

Router1#

Discussion: A time range can contain more than one periodic statement.

19.14.  Filtering non-contiguous ports

Problem: Configure an efficient filter for non-contiguous ports.

Solution
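An added example (not from the book) of how the NOSURF time range and the NOSURFING list above combine: the periodic statements are parsed with the IOS day keywords (daily, weekdays, weekend, named days), the range is active when any statement covers the moment being checked, and the web deny applies only while it is active. Only same-day start/end times are modelled; the second periodic statement in the test is constructed to show that several may be combined.

```python
"""Model of IOS time-range 'periodic' statements and a time-based ACL (added example)."""
from datetime import datetime, time
from typing import List, Set, Tuple

DAY_SETS = {                       # datetime.weekday(): Monday = 0 ... Sunday = 6
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def _hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_periodic(stmt: str) -> Tuple[Set[int], time, time]:
    """'periodic weekdays 9:00 to 17:00' -> ({0..4}, 09:00, 17:00). Day keywords may be listed."""
    tokens = stmt.split()
    if tokens[0] != "periodic" or tokens[-2] != "to":
        raise ValueError(f"unsupported statement: {stmt}")
    days: Set[int] = set()
    i = 1
    while ":" not in tokens[i]:
        days |= DAY_SETS[tokens[i]]
        i += 1
    return days, _hhmm(tokens[i]), _hhmm(tokens[-1])


def time_range_active(statements: List[str], when: datetime) -> bool:
    """A time range is active when any of its periodic statements covers 'when'."""
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in map(parse_periodic, statements))


NOSURF = ["periodic weekdays 9:00 to 17:00"]          # the range from the recipe


def nosurfing(when: datetime, proto: str, dport: int, time_range: List[str] = NOSURF) -> str:
    """The NOSURFING list: 'deny tcp any any eq www time-range NOSURF', then 'permit ip any any'."""
    if proto == "tcp" and dport == 80 and time_range_active(time_range, when):
        return "deny"
    return "permit"


if __name__ == "__main__":
    for when in (datetime(2019, 11, 4, 10, 0), datetime(2019, 11, 4, 18, 0), datetime(2019, 11, 9, 10, 0)):
        print(when.strftime("%a %H:%M"), "web:", nosurfing(when, "tcp", 80))
```

Because the entry is evaluated against the router's own clock, a time-based policy is only as trustworthy as that clock: a router without a reliable time source (the chapter elsewhere permits ntp through the filter for this reason) will enforce the deny at the wrong hours, and a clock that drifts past the window silently reopens access.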

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21

Router2(config-ext-nacl)#end

Router2#

Discussion: A contiguous port range is normally filtered with a command such as permit tcp any any range 20 25, whereas non-contiguous ports used to require one entry per port, such as permit tcp any host 172.25.100.100 eq 80. Since 12.3(7)T the form shown in the example lists several ports in a single entry.

19.15.  Editing access lists

Problem: Edit an access list in place.

Solution

Insert an entry into an existing access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20

Router2(config-ext-nacl)#end

Router2#

Renumber the sequence numbers of the access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list resequence OREILLY 10 10

Router2(config)#end

Router2#

Delete a specific access list entry:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#no 60

Router2(config-ext-nacl)#end

Router2#

Discussion: Since 12.3(2)T the router supports sequence numbers on access list entries, assigned in increments of 10 by default, which makes editing an access list in place straightforward. The list used in the examples looks like this before editing:

Router2#show ip access-lists OREILLY

Extended IP access list OREILLY

    10 permit tcp any host 172.25.100.100 eq www

    20 permit tcp any host 172.25.100.100 eq telnet

    30 permit tcp any host 172.25.100.100 eq smtp

    40 permit tcp any host 172.25.100.100 eq pop3

    50 permit tcp any host 172.25.100.100 eq cmd
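To see how the three edits above interact, here is an added example (not from the book, and a model rather than IOS code) of sequence-numbered list editing: append without a number, insert with an explicit number, resequence, and delete by number. oreilly_example() replays the page's OREILLY list through exactly the steps in the recipe: insert "12 permit ... eq 20", then "resequence OREILLY 10 10", then "no 60". The rule that an unnumbered entry gets the last number plus the increment follows Cisco's sequence-numbering feature as the author understands it.

```python
"""Model of sequence-numbered ACL editing introduced in 12.3(2)T (added example)."""
from typing import Dict, List


class SequencedAcl:
    def __init__(self, name: str, step: int = 10) -> None:
        self.name = name
        self.step = step
        self.entries: Dict[int, str] = {}

    def append(self, text: str) -> int:
        """No sequence given: the entry goes last, numbered last + increment (first entry = 10)."""
        seq = (max(self.entries) + self.step) if self.entries else self.step
        self.entries[seq] = text
        return seq

    def insert(self, seq: int, text: str) -> None:
        """'12 permit ...' places the entry between 10 and 20; duplicates are rejected."""
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.entries[seq] = text

    def delete(self, seq: int) -> str:
        """'no 60' removes exactly one entry rather than the whole list."""
        return self.entries.pop(seq)

    def resequence(self, start: int, step: int) -> None:
        """'ip access-list resequence NAME start step' renumbers in the existing order."""
        ordered = [self.entries[k] for k in sorted(self.entries)]
        self.entries = {start + i * step: text for i, text in enumerate(ordered)}
        self.step = step

    def show(self) -> List[str]:
        """Entry lines in the order 'show ip access-lists NAME' prints them."""
        return [f"{seq} {text}" for seq, text in sorted(self.entries.items())]


def oreilly_example() -> List[str]:
    """Replay the recipe's three edits on the OREILLY list and return the final listing."""
    acl = SequencedAcl("OREILLY")
    for service in ("www", "telnet", "smtp", "pop3", "cmd"):      # the 10..50 entries shown above
        acl.append(f"permit tcp any host 172.25.100.100 eq {service}")
    acl.insert(12, "permit tcp any host 172.25.100.100 eq 20")     # '12 permit tcp ... eq 20'
    acl.resequence(10, 10)                                         # 'ip access-list resequence OREILLY 10 10'
    acl.delete(60)                                                 # 'no 60'
    return acl.show()


if __name__ == "__main__":
    print("\n".join(oreilly_example()))
```

After the resequence, the inserted entry becomes 20 and the old entry 50 (eq cmd) becomes 60, so the "no 60" on the page removes the cmd entry, not the pop3 one. Always re-run show ip access-lists before deleting by number after a resequence, since the numbers you remember from before it are no longer valid.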


19.16.  Filtering IPv6

Problem: Filter IPv6 packets.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ipv6 access-list EXAMPLES

Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any

Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any

Router1(config-ipv6-acl)#permit tcp any any eq telnet established

Router1(config-ipv6-acl)#deny tcp any any eq telnet syn

Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp

Router1(config-ipv6-acl)#remark this is a comment

Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number

Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT

Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log

Router1(config-ipv6-acl)#deny ipv6 any any log-input

Router1(config-ipv6-acl)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 traffic-filter EXAMPLES in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: IPv6 filtering is only possible with named access lists, and it inherits all the advantages of named access lists.