Appendix B.  Tutorial: Access Lists


Access List Basics

An access list is a sequential series of filters. Each filter comprises some sort of matching criteria and an action. The action is always either permit or deny. The matching criteria might be as simple as a source address; alternatively, they might be a more complex combination of source and destination addresses, protocol types, ports or sockets, and specifications of the state of certain flags, such as the TCP ACK bit.

A packet is "dropped into" the top of the stack of filters. (See Figure B-2.) At each filter, the matching criteria are applied. If a match occurs, the specified permit or deny action is executed. If a match does not occur, the packet "drops down" to the next filter in the stack, and the matching process is applied again.



Figure B-2. An access list is a sequential list of filters, each of which defines a matching criterion and an action.



In Figure B-2, a permit means that the packet will be allowed to exit on interface E0; a deny means that the packet will be dropped. For instance, a packet with a source address of Host A will be dropped at the first filter. Suppose the packet's source address is Host D of Subnet 2 of Network 5. The first filter specifies a match criterion of Host A, so the packet will not match and will drop to the second layer. The second filter specifies Subnet 3; again, no match. The packet drops to the third filter, which specifies Network 5. This matches; the action at layer three is permit, so the packet is allowed to exit interface E0.



Implicit Deny Any

What happens if a packet drops through all the filters and a match never occurs? The router must know what to do with a packet in this situation; that is, there must be a default action.

The default action can be either to permit all packets that don't match or to deny them. Cisco chose to deny them: Any packet that is referred to an access list and does not find a match is automatically dropped.

This approach is the correct engineering choice, particularly if the access list is being used for security. It is better to drop some packets that shouldn't have been dropped than to permit packets you inadvertently neglected to filter.

This last filter is called an implicit deny any (Figure B-3). As the name implies, the line does not show up in any access list you build. It's simply a default action, and it exists at the end of any and all access lists.



Figure B-3. All access lists end with an implicit deny any, which discards all packets that do not match a line in the list.



This default can be overridden by making the last line of the list an explicit permit any. The implication here is that packets dropping through all the other filters will match the permit any before they get to the default deny any; therefore, all packets not matching anything else will be permitted, and nothing will ever reach the implicit deny.



Sequentiality

Access lists are executed sequentially, from the top down. This concept is important: Perhaps the most common cause of malfunctioning access lists is putting the individual filtering lines in the wrong sequence. The first match encountered in the sequenced access list is always taken. After the first match is made, the rest of the access list is ignored.

In Figure B-4, subnet 10.23.147.0/24 should be denied and the rest of network 10.0.0.0 should be permitted. The list on the left is out of sequence; network 10.0.0.0, including its subnet 10.23.147.0, will match the first line and will be permitted. Packets with the subnet to be denied will never reach the second line.



Figure B-4. If the individual filter layers of an access list are not configured in the correct sequence, the access list will not function correctly.



The list on the right is correct. Subnet 10.23.147.0 matches the first line and is denied, whereas all other subnets of 10.0.0.0 drop to the next line and are permitted.
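The first-match rule, the wildcard-mask test and the implicit deny any described above can be checked with a small simulator. The following Python is an added example, not code from the book: it parses only the standard IP access-list syntax used in this appendix (network plus Cisco wildcard mask, "host", a bare address, or "any") and walks a list top-down the way the router does, reporting which line produced the decision. The two sample lists are constructed here to mirror the two sequences of Figure B-4.

```python
"""First-match evaluation of a Cisco standard IP access list.

Added example (not the book's code): a model of the behaviour the appendix
describes for Figure B-4 and for the implicit deny any. Only the standard IP
syntax used in the appendix is parsed.
"""
import ipaddress
import re

LINE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def parse_line(line):
    """Return (list_number, action, network_int, wildcard_int) for one line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard IP access-list line: {line!r}")
    number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
    if rest == ["any"]:                      # every bit is don't-care
        net, wild = 0, 0xFFFFFFFF
    elif rest[0] == "host" and len(rest) == 2:
        net, wild = int(ipaddress.IPv4Address(rest[1])), 0
    elif len(rest) == 1:                     # bare address is a host entry
        net, wild = int(ipaddress.IPv4Address(rest[0])), 0
    elif len(rest) == 2:                     # network wildcard-mask
        net = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1]))
    else:
        raise ValueError(f"unparsable address part in {line!r}")
    return number, action, net, wild


def matches(addr, net, wild):
    """Cisco wildcard test: a 0 bit in the mask means that bit must match,
    a 1 bit means don't care (the inverse of a subnet mask)."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl_lines, source):
    """Walk the list top-down. Returns (action, 1-based line number) of the
    first matching line, or ("deny", None) when the packet drops through to
    the implicit deny any at the end of every list."""
    for index, line in enumerate(acl_lines, start=1):
        _, action, net, wild = parse_line(line)
        if matches(source, net, wild):
            return action, index
    return "deny", None


# Constructed sample lists mirroring the two sequences of Figure B-4.
WRONG_ORDER = [
    "access-list 9 permit 10.0.0.0 0.255.255.255",
    "access-list 9 deny 10.23.147.0 0.0.0.255",   # never reached
]
RIGHT_ORDER = [                                  # same lines as Example B-1
    "access-list 9 deny 10.23.147.0 0.0.0.255",
    "access-list 9 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for src in ("10.23.147.7", "10.1.2.3", "192.168.1.1"):
            print(f"{name:12} {src:14} -> {evaluate(acl, src)}")
```

With the out-of-sequence list, a source of 10.23.147.7 is permitted by line 1 and the deny on line 2 is dead; with the corrected order it is denied by line 1 while 10.1.2.3 falls through to line 2 and is permitted. A source outside 10.0.0.0, such as 192.168.1.1, matches neither line and returns ("deny", None): the implicit deny. Appending "access-list 9 permit any" turns that result into a permit on line 3, which is the override described in the text.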



Access List Types

The actual configuration lines for the access list shown graphically at the right of Figure B-4 are displayed in Example B-1.

Example B-1. The access list configuration for sequence 2 of Figure B-4 shows one line for each filter layer.

access-list 9 deny 10.23.147.0 0.0.0.255
access-list 9 permit 10.0.0.0 0.255.255.255



Every filter layer of an access list is represented by one configuration line. The various components of an access list line are discussed shortly, but for now, notice the number 9 in both lines. This number is the access list number, and it serves two purposes:

- It links all the lines of this list together and makes the list distinct from any others that might exist in the router's configuration file. (It is common to have several access lists on a single router.)

- The router must have a way to distinguish the access list type. Cisco IOS Software has access lists for IP, IPX, AppleTalk, DEC, NetBIOS, bridging, and many other protocols. Further, many of these protocols have multiple access list types. The access list number tells the router what type of list it is.

Access list types can be identified by either a number or a name. Table B-1 shows some of the numbered access list types and the range of access list numbers available for each. For example, as shown in the table, access-list 1010 is identifying IPX SAPs because the number is between 1000 and 1099.

Table B-1. Cisco access list numbers

Access List Type                          Range
Standard IP                               1-99, 1300-1999
Extended IP                               100-199, 2000-2699
Ethernet type code                        200-299
Ethernet address                          700-799
Transparent bridging (protocol type)      200-299
Transparent bridging (vendor code)        700-799
Extended transparent bridging             1100-1199
DECnet and extended DECnet                300-399
XNS                                       400-499
Extended XNS                              500-599
AppleTalk                                 600-699
Source-route bridging (protocol type)     200-299
Source-route bridging (vendor code)       700-799
Standard IPX                              800-899
Extended IPX                              900-999
IPX SAP                                   1000-1099
NLSP route summary                        1200-1299
Standard VINES                            1-99
Extended VINES                            100-199
Simple VINES                              200-299



Within a range, access list numbers do not need to follow any particular sequence. That is, the first standard IP list on a router does not need to be 1, the second 2, and so on. They can be any number between 1 and 99, or 1300 and 1999, just so each list is uniquely numbered on a single router.

Also, notice that some number ranges are the same for different protocols: Ethernet Type Code, Source Route Bridging, and Simple VINES, for instance. In these cases, the router differentiates between access list types by the format of the access list lines themselves.

The following access list types can be identified by names instead of numbers:

- Apollo domain
- Standard IP
- Extended IP
- ISO CLNS
- Source-route bridging NetBIOS
- Standard IPX
- Extended IPX
- IPX SAP
- IPX NetBIOS
- NLSP route summary



An example of an access list named Boo, identifying IPX NetBIOS, is displayed in Example B-2.

Example B-2. The access list named Boo denies various NetBIOS devices.

netbios access-list host Boo deny Atticus
netbios access-list host Boo deny Scout
netbios access-list host Boo deny Jem
netbios access-list host Boo permit *



Note that although standard and extended IP access lists normally are numbered, they can also be named access lists. This convention is supported in IOS 11.2 and later. In some environments, a router might be configured with a large number of IP lists. By using names instead of numbers, individual lists might be more easily identified.

Named IP access lists currently can be used only with packet and route filters. Refer to the Cisco configuration guides for more information.



Editing Access Lists

Anyone who has edited an access list longer than a few lines from the console will tell you that this process can be an exercise in frustration. Before 12.2(14), there was no way, from the console, to add a line to the middle of the list. All new lines were added to the bottom. And if you had typed a mistake and tried to eliminate a particular line by typing, for instance,

no access-list 101 permit tcp 10.2.5.4 0.0.0.255 192.168.3.0 0.

this line, and all of access list 101, would have been deleted!

A far more convenient technique is to cut and paste the list to the notepad of your PC, or upload the configuration to a TFTP server, and do the editing from there. When finished, the new access list can be loaded back into the router. A word of caution, however: All new lines are added to the bottom of an access list. Always add no access-list #, where # is the number of the list you're editing, to the beginning of the edited list. Example B-3 shows a sample.



Example B-3. no access-list is added to the beginning of an access list that is created and edited on a PC or server, so the access list is created anew each time it is loaded into the router.

no access-list 5
access-list 5 permit 172.16.5.4 0.0.0.0
access-list 5 permit 172.16.12.0 0.0.0.255
access-list 5 deny 172.16.0.0 0.0.255.255
access-list 5 permit any



The line no access-list 5 deletes the old list 5 from the configuration file before adding the new one. If you omit this step, the new list is simply added onto the end of the old one.
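The two load rules this section states (every access-list line is appended to the bottom of its list; "no access-list #" discards the whole list, even when a full line follows the number) can be modelled to see what the running configuration ends up holding. The following Python is an added example, not the book's code. Its representation of the running config as a dict of list number to ordered lines is an assumption made for the illustration, and the pre-existing list 5 it starts from is constructed here; the edited list is Example B-3 as it would be pasted back in.

```python
"""How reloaded access-list lines merge into the running configuration.

Added example, not the book's code. It models the two rules the appendix
states: every "access-list N ..." line fed to the router is appended to
list N, and "no access-list N" (whatever follows N) discards all of list N.
Representing the running config as {list_number: [line, ...]} is an
assumption made for this illustration.
"""
import re

ACL_RE = re.compile(r"^(no\s+)?access-list\s+(\d+)(?:\s+(.*))?$")


def load_config(running, new_lines):
    """Return the running config after the router processes new_lines.

    running:   {list_number: [line, ...]} before the load (not mutated)
    new_lines: the text pasted from an editor or uploaded via TFTP
    """
    config = {num: list(lines) for num, lines in running.items()}
    for raw in new_lines:
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        negated, number = bool(m.group(1)), int(m.group(2))
        if negated:
            config.pop(number, None)     # the whole list goes, not one line
        else:
            config.setdefault(number, []).append(line)
    return config


def effective_list(running, number):
    """The lines the router evaluates, in order, for one list number."""
    return list(running.get(number, []))


# Constructed stale state: a list 5 that was already on the router.
OLD_RUNNING = {5: ["access-list 5 permit 172.16.0.0 0.0.255.255"]}

# Example B-3 from the appendix, as it would be pasted back in.
EDITED_LIST_5 = [
    "no access-list 5",
    "access-list 5 permit 172.16.5.4 0.0.0.0",
    "access-list 5 permit 172.16.12.0 0.0.0.255",
    "access-list 5 deny 172.16.0.0 0.0.255.255",
    "access-list 5 permit any",
]

if __name__ == "__main__":
    with_no = load_config(OLD_RUNNING, EDITED_LIST_5)
    without_no = load_config(OLD_RUNNING, EDITED_LIST_5[1:])
    print("with 'no access-list 5':   ", effective_list(with_no, 5))
    print("without 'no access-list 5':", effective_list(without_no, 5))
```

Loaded with its first line, Example B-3 replaces list 5 outright. Loaded without it, the stale permit for 172.16.0.0 stays at the top of a now five-line list, and because the first match always wins, the 172.16.0.0 hosts the edit was meant to deny are still permitted. The model also reproduces the warning at the start of this section: feeding it "no access-list 101" followed by a complete filter line removes all of list 101.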

The command show access-list displays currently configured lists, as Example B-4 demonstrates.

Example B-4. show access-list displays


