Cisco ACL 中的通配符掩码详解

注:机翻,未校。


Wildcard Masks in ACLs Explained

This tutorial explains what the ACL wildcard masks are and how they are used. Learn the differences and similarities between wildcard masks and subnet masks.

本教程介绍了什么是 ACL 通配符掩码以及如何使用它们。了解通配符掩码和子网掩码之间的差异和相似之处。

Wildcard masks are used to define criteria in ACL statements. Wildcard masks allow an administrator defines a single IP address or a range of IP addresses. Without wildcard masks, you have to create an entry for each IP address. With wildcard masks, you can create a range of IP addresses that need the same actions.

通配符掩码用于定义 ACL 语句中的条件。通配符掩码允许管理员定义单个 IP 地址或 IP 地址范围。如果没有通配符掩码,则必须为每个 IP 地址创建一个条目。使用通配符掩码,您可以创建需要相同操作的 IP 地址范围。

Let's take an example.

让我们举个例子。

A subnet includes 75 IP addresses. From these IP addresses, you want to block 50 IP addresses. Without wildcard masks, you have to create 50 entries to block these IP addresses. With wildcard masks, you can create a range that includes these IP addresses. Later, you can use this range to define criteria in the entry. This way, you can block or allow a range of IP addresses with a single entry.

子网包含 75 个 IP 地址。从这些 IP 地址中,您希望阻止 50 个 IP 地址。如果没有通配符掩码,您必须创建 50 个条目来阻止这些 IP 地址。使用通配符掩码,您可以创建包含这些 IP 地址的范围。稍后,您可以使用此范围在条目中定义条件。这样,您就可以通过单个条目阻止或允许一系列 IP 地址。

ACL 的定义、目的、优点和功能 ACL的基本概念和基础知识 访问列表在 Cisco 路由器上的工作原理 访问控制列表的类型说明 Cisco ACL 的规则和配置准则 访问控制列表用示例说明 ip access-list 命令选项和参数 标准 ACL 配置命令说明 配置标准访问控制列表分步指南 如何保护VTY对路由器的访问 扩展 ACL 配置命令说明 配置扩展访问控制列表分步指南 如何在Cisco路由器上阻止ICMP Ping

Wildcard masks v/s subnet masks 通配符掩码与子网掩码

Both wildcard masks and subnet masks are used with IP addresses. They look similar but they are different and are used for completely different purposes. A subnet mask is used to separate the network address from the host address in an IP address. A wildcard mask is used to define the part of the IP address that you want to match in the ACL statement.

通配符掩码和子网掩码都用于 IP 地址。它们看起来很相似,但它们是不同的,并且用于完全不同的目的。子网掩码用于将网络地址与 IP 地址中的主机地址分开。通配符掩码用于定义要在 ACL 语句中匹配的 IP 地址部分。

Both the wildcard mask and the subnet mask have a length of 32 bits. A bit has two states: ON and OFF . In binary, the ON state is written as 1 , and the OFF state is written as 0 .

通配符掩码和子网掩码的长度均为 32 位。位有两种状态:ON 和 OFF。在二进制文件中,ON 状态写为 1,OFF 状态写为 0。

In the subnet mask, an ON bit represents the network bit while the OFF bit represents the host bit.

在子网掩码中,ON 位表示网络位,而 OFF 位表示主机位。

In the wildcard mask, an ON bit represents the bit that you want to match while the OFF bit represents the bit that you want to ignore .

在通配符掩码中,ON 位表示要匹配的位,而 OFF 位表示要忽略的位。

Let's take an example. The following address represents a subnet.

让我们举个例子。以下地址表示一个子网。

Decimal value Binary value
IP address 10.0.0.0 00001010.00000000.00000000.00000000
Subnet mask 255.0.0.0 11111111.00000000.00000000.00000000

This subnet includes the IP addresses from 10.0.0.0 to 10.255.255.255.

此子网包括从 10.0.0.0 到 10.255.255.255 的 IP 地址。

Network address First available address for the host Last available address for the host Broadcast address
10.0.0.0 10.0.0.1 10.255.255.254 10.255.255.255

Creating the wildcard mask for the subnet mask 为子网掩码创建通配符掩码

Now, let's suppose, you want to create an ACL statement that matches this subnet. To create criteria for this subnet, you have to use a wildcard mask that ignores all network bits but matches all host bits of the address.

现在,假设您想要创建一个与此子网匹配的 ACL 语句。要为此子网创建条件,您必须使用通配符掩码,该掩码会忽略所有网络位,但会匹配地址的所有主机位。

As mentioned earlier, in a subnet mask an ON bit represents the network bit, and an OFF bit represents the host bit while in a wildcard mask an ON bit represents the bit to ignore , and an OFF bit represents the bit to match .

如前所述,在子网掩码中,ON位表示网络位,OFF位表示主机位,而在通配符掩码中,ON位表示要忽略的位,OFF位表示要匹配的位。

Bit value Subnet mask wildcard mask
0 Host bit Match
1 Network bit Ignore

To ignore all network bits, in the wildcard mask, you have to use the value 1 at the place of each network bit while to match all host bits, you have to use the value 0 at the place of each host bit.

要忽略所有网络位,在通配符掩码中,您必须在每个网络位的位置使用值 1,而要匹配所有主机位,您必须在每个主机位的位置使用值 0。

Decimal value Binary value
IP address 10.0.0.0 00001010.00000000.00000000.00000000
Subnet mask 255.0.0.0 11111111.00000000.00000000.00000000
Wildcard mask 0.255.255.255 00000000.11111111.11111111.11111111

This process is much easier than it looks. To create a wildcard mask for a subnet, all you need to do is reverse the value of the subnet mask. If the subnet mask contains the value 1 , then use the value 0 in the wildcard mask. If the subnet mask contains the value 0 , use the value 1 in the wildcard mask.

这个过程比看起来要容易得多。要为子网创建通配符掩码,您只需反转子网掩码的值即可。如果子网掩码包含值 1,则在通配符掩码中使用值 0。如果子网掩码包含值 0,请在通配符掩码中使用值 1。

The following table shows some subnet masks and their relative wildcard masks.

下表显示了一些子网掩码及其相对通配符掩码。

Subnet mask Wildcard mask
11111111.00000000.00000000.00000000 00000000.11111111.11111111.11111111
11111111.11111111.00000000.00000000 00000000.00000000.11111111.11111111
11111111.11111111.11111111.00000000 00000000.00000000.00000000.11111111

If you are using subnet masks in decimal and want to create wildcard masks for them, there is no need to convert them into binary. Creating wildcard masks in decimal is also easy. In decimal, to create a wildcard mask for a given subnet mask, subtract the value of each byte from 255.

如果您使用十进制的子网掩码,并希望为它们创建通配符掩码,则无需将它们转换为二进制文件。以十进制创建通配符掩码也很容易。在十进制中,要为给定的子网掩码创建通配符掩码,请从 255 中减去每个字节的值。

Let's take an example.

让我们举个例子。

Calculate the wildcard mask that matches the subnet mask 255.0.0.0.

计算与子网掩码 255.0.0.0 匹配的通配符掩码。

To calculate the wildcard mask for this subnet, subtract each byte value from 255.

要计算此子网的通配符掩码,请从 255 中减去每个字节的值。

  Subtract value   255.255.255.255
 - Subnet mask    255.0.0.0
 = Wildcard mask   0.255.255.255

The following image shows another example.

下图显示了另一个示例。

The following table lists some more examples.

下表列出了更多示例。

Subtract value Subnet mask Wildcard mask
255.255.255.255 255.240.0.0 0.15.255.255
255.255.255.255 255.255.16.0 0.0.239.255
255.255.255.255 255.255.255.128 0.0.0.127

Creating the subnet mask from the wildcard mask 从通配符掩码创建子网掩码

ACL statements use wildcard masks to define criteria. To identify which statement filters which address or address range, you have to calculate the subnet mask from the wildcard card used in the statement.

ACL 语句使用通配符掩码来定义条件。要确定哪个语句筛选哪个地址或地址范围,您必须根据语句中使用的通配符卡计算子网掩码。

By reversing the above process, you can easily calculate the subnet mask from the wildcard mask. To calculate the subnet mask in binary, use the opposite bit at each place. For example, if you have 1 in the wildcard mask, use the 0 in the subnet mask or if you have 0 in the wildcard mask, use the 1 in the subnet mask.

通过反转上述过程,您可以轻松地从通配符掩码中计算出子网掩码。要以二进制形式计算子网掩码,请在每个位置使用相反的位。例如,如果通配符掩码中有 1,则在子网掩码中使用 0,或者如果通配符掩码中有 0,则在子网掩码中使用 1。

The following image shows some examples.

下图显示了一些示例。

The following table lists some more examples.

下表列出了更多示例。

Wildcard mask Subnet mask
00000000.11111111.11111111.11111111 11111111.00000000.00000000.00000000
00000000.00000000.11111111.11111111 11111111.11111111.00000000.00000000
00000000.00000000.00000000.11111111 11111111.11111111.11111111.00000000

To calculate the subnet mask in decimal, subtract each byte of the wildcard mask from 255. For example, if you have 239 in a byte of the wildcard mask, use 255 -239 = 16 in the byte of the subnet mask.

要以十进制计算子网掩码,请从 255 中减去通配符掩码的每个字节。例如,如果通配符掩码的一个字节中有 239,则在子网掩码的字节中使用 255 -239 = 16。

The following table lists some examples.

下表列出了一些示例。

Subtract value Wildcard mask Subnet mask
255.255.255.255 0.15.255.255 255.240.0.0
255.255.255.255 0.0.239.255 255.255.16.0
255.255.255.255 0.0.0.127 255.255.255.128

Special wildcard masks 特殊通配符掩码

There are two special wildcard masks: 0.0.0.0 and 255.255.255.255. A wildcard mask of 0.0.0.0 instructs the router to match all 32 bits of the address. This wildcard mask is called a host mask. This wildcard mask is used to match a single host. For example, if you want to allow or deny a specific host from a segment, you can use this wildcard mask to match the IP address of that host.

有两个特殊的通配符掩码:0.0.0.0 和 255.255.255.255。通配符掩码 0.0.0.0 指示路由器匹配地址的所有 32 位。此通配符掩码称为主机掩码。此通配符掩码用于匹配单个主机。例如,如果要允许或拒绝来自分段的特定主机,则可以使用此通配符掩码来匹配该主机的 IP 地址。

The following statement shows how this wildcard mask is used.

以下语句显示如何使用此通配符掩码。

deny 10.0.0.1 0.0.0.0

The above statement will deny only the packets that are originated from the host 10.0.0.1.

上述语句将仅拒绝源自主机 10.0.0.1 的数据包。

A wildcard mask of 255.255.255.255 instructs the router to ignore all 32 bits of the address and match all packets. This wildcard mask is used to match all packets. Since this wildcard mask matches all packets, the IP address that you enter with this mask does not matter.

通配符掩码 255.255.255.255 指示路由器忽略地址的所有 32 位并匹配所有数据包。此通配符掩码用于匹配所有数据包。由于此通配符掩码匹配所有数据包,因此您输入的带有此掩码的 IP 地址无关紧要。

Technically, you can enter this wildcard mask with any IP address but usually, it is used with the IP address 0.0.0.0. Administrators use the following IP address and wildcard mask to match all incoming or outgoing packets.

从技术上讲,您可以使用任何 IP 地址输入此通配符掩码,但通常,它与 IP 地址 0.0.0.0 一起使用。管理员使用以下 IP 地址和通配符掩码来匹配所有传入或传出数据包。

0.0.0.0 255.255.255.255

访问控制列表的类型说明

Types of Access Control Lists Explained

This tutorial explains Standard ACLs, Extended ACLs, Numbered ACLs, Named ACLs, and Advanced sequence editing ACLs. Learn the differences between different types of access control lists.

本教程介绍标准 ACL、扩展 ACL、编号 ACL、命名 ACL 和高级序列编辑 ACL。了解不同类型的访问控制列表之间的差异。

There are mainly two types of access control lists: standard access lists and extended access lists. These types can be further classified into two subtypes: numbered and named. A standard access list can be either a numbered standard list or a named standard access list. Similarly, you can have a numbered extended access list or a named extended list.

访问控制列表主要有两种类型:标准访问列表和扩展访问列表。这些类型可以进一步分为两个亚型:编号和命名。标准访问列表可以是带编号的标准列表,也可以是命名的标准访问列表。同样,您可以有一个带编号的扩展访问列表或一个命名的扩展列表。

Let us discuss the properties, characteristics, and functions of these types and understand how each type differs from the others.

让我们讨论一下这些类型的属性、特征和功能,并了解每种类型与其他类型有何不同。

For this tutorial, I assume that you are familiar with ACLs. To learn the basic concepts of ACLs, you can check the previous parts of this tutorial.

在本教程中,我假设您熟悉 ACL。要了解 ACL 的基本概念,您可以查看本教程的前几部分。

This tutorial is the fourth part of the article 'Cisco Access Lists Explained with Examples.'. Other parts of this tutorial are the following.

ACL 的定义、目的、优点和功能 ACL的基本概念和基础知识 访问列表在 Cisco 路由器上的工作原理 ACL 中的通配符掩码说明 Cisco ACL 的规则和配置准则 访问控制列表用示例说明 ip access-list 命令选项和参数 标准 ACL 配置命令说明 配置标准访问控制列表分步指南 如何保护VTY对路由器的访问 扩展 ACL 配置命令说明 配置扩展访问控制列表分步指南 如何在Cisco路由器上阻止ICMP Ping

Standard access lists 标准访问列表

Standard access lists are easy to configure. But they support limited options in entries. In a standard access list entry, you can use only the source address to define the criteria. Apart from the source address, you can't use any other option.

标准访问列表易于配置。但它们支持条目中的有限选项。在标准访问列表条目中,只能使用源地址来定义条件。除了源地址之外,您不能使用任何其他选项。

Standard access lists work on an 'all or none' formula. They will either allow or block all traffic from the source host. You cannot allow or deny only certain types of traffic from the source host.

标准访问列表使用"全有或全无"公式。它们将允许或阻止来自源主机的所有流量。您不能仅允许或拒绝来自源主机的某些类型的流量。

Since standard access lists work with all traffic originating from a host, they are applied closer to the destination.

由于标准访问列表适用于源自主机的所有流量,因此它们将应用到更接近目标的位置。

Extended access lists 扩展访问列表

Extended access lists are complex. But they support many options in entries. In an extended access list entry, you can use a source address, a destination address, protocol, traffic type, application, and port to define the criteria.

扩展访问列表很复杂。但它们支持条目中的许多选项。在扩展访问列表条目中,您可以使用源地址、目标地址、协议、流量类型、应用程序和端口来定义条件。

Extended access lists allow you to target a specific type of traffic. You can allow a certain type of traffic while blocking the remaining traffic, or you can block a specific type of traffic while allowing the remaining traffic.

扩展访问列表允许您定位特定类型的流量。您可以在阻止剩余流量的同时允许特定类型的流量,也可以在允许剩余流量的同时阻止特定类型的流量。

Since extended access lists work with a specific type of traffic, they are applied closer to the source.

由于扩展访问列表适用于特定类型的流量,因此它们会更接近源应用。

Numbered and named ACLs 编号和命名的 ACL

Routers support multiple ACLs. You can create as many ACLs as you want. To differentiate between ACLs, routers use a unique number and name for each ACL. You may consider these numbers or names as identification numbers or names.

路由器支持多个ACL。您可以根据需要创建任意数量的 ACL。为了区分 ACL,路由器为每个 ACL 使用唯一的编号和名称。您可以将这些号码或名称视为身份证号码或名称。

When creating an ACL, you must specify an identification number or name for the ACL. Since the router uses this number to identify the ACL, you cannot choose a random number for the ACL. You have to choose a number from a pre-defined range.

创建 ACL 时,必须为 ACL 指定标识号或名称。由于路由器使用此编号来标识 ACL,因此您无法为 ACL 选择随机数。您必须从预定义的范围内选择一个数字。

Routers reserve the following number ranges for standard access lists and extended access lists.

路由器为标准访问列表和扩展访问列表保留以下号码范围。

Standard access lists 1 - 99 and 1300 - 1999
Extended access lists 100 - 199 and 2000 - 2699

To create a standard access list, you can use any number from the range 1 - 99 and 1300 - 1999. For example, you can use the number 10 or 1400, but you cannot use the number 150 or 2100.

若要创建标准访问列表,可以使用 1 - 99 和 1300 - 1999 范围内的任意数字。例如,可以使用数字 10 或 1400,但不能使用数字 150 或 2100。

Similarly, to create an extended list, you can use any number from the range 100 - 199 and 2000 - 2699. For example, you can use the number 120 or 2450, but you cannot use the number 50 or 1500.

同样,要创建扩展列表,可以使用 100 - 199 和 2000 - 2699 范围内的任何数字。例如,您可以使用数字 120 或 2450,但不能使用数字 50 或 1500。

Numbers are a bit difficult to remember. They also do not provide any descriptive meaning. If you have multiple ACLs, it becomes very difficult to remember which ACL is doing what. To make ACLs management easier, routers also support names for ACLs. It means you can also use descriptive names for ACLs instead of pre-defined numbers.

数字有点难记住。它们也不提供任何描述性含义。如果您有多个 ACL,则很难记住哪个 ACL 在做什么。为了简化 ACL 管理,路由器还支持 ACL 的名称。这意味着您还可以对 ACL 使用描述性名称,而不是预定义的数字。

No matter whether you use a name or a number for the ACL, the ACL functions the same way. As far as functionality is concerned, named ACLs and numbered ACLs are the same. The main advantage of a named ACL over a numbered ACL is that a named ACL is easier to manage and remember than a numbered ACL.

无论对 ACL 使用名称还是数字,ACL 的功能都相同。就功能而言,命名 ACL 和编号的 ACL 是相同的。与编号的 ACL 相比,命名 ACL 的主要优点是命名 ACL 比编号的 ACL 更易于管理和记住。

Let's take an example. You check the configuration of a router and find the following ACLs.

让我们举个例子。您检查路由器的配置并找到以下 ACL。

Interface ACL Direction
F0/0 25 Inbound
S0/0/0 145 Outbound
S0/0/1 39 Inbound

To figure out what these ACLs are doing, you have to check the entries of each ACL. Now, suppose, you read the configuration of another router and find the following ACLs.

要弄清楚这些 ACL 在做什么,您必须检查每个 ACL 的条目。现在,假设您阅读了另一台路由器的配置,并找到了以下 ACL。

Interface ACL Direction
F0/0 BlockingStudents Inbound
S0/0/0 AllowingAdmin Outbound
S0/0/1 BlockingExternalUsers Inbound

By looking at these ACLs you can get an idea of what each ACL is doing. For example, by looking at the name BlockingStudents , you can guess that this ACL would be blocking traffic from the Students segment.

通过查看这些 ACL,您可以了解每个 ACL 正在执行的操作。例如,通过查看名称 BlockingStudents,您可以猜测此 ACL 将阻止来自 Students 段的流量。

By using a descriptive name (such as block-external-users ), a network administrator can easily determine the purpose of the ACL. This feature is especially helpful in large networks, where a router may have multiple ACLs with hundreds of statements.

通过使用描述性名称(例如 block-external-users),网络管理员可以轻松确定 ACL 的用途。此功能在大型网络中特别有用,因为在大型网络中,路由器可能具有多个 ACL 和数百个语句。

Advanced sequence editing ACLs 高级序列编辑 ACL

Advanced sequence editing is a new feature. Before this feature, editing or updating ACL entries was not possible. To edit an ACL entry, you had to recreate the entire ACL. This feature allows an administrator to change, update, or delete a single entry from an ACL. This feature was added later to Cisco IOS. All new IOS versions include this feature. If the IOS includes this feature, you can use this feature to edit both types of ACL.

高级序列编辑是一项新功能。在此功能之前,无法编辑或更新 ACL 条目。要编辑 ACL 条目,您必须重新创建整个 ACL。此功能允许管理员更改、更新或删除 ACL 中的单个条目。此功能后来被添加到Cisco IOS中。所有新的IOS版本都包含此功能。如果IOS包含此功能,则可以使用此功能来编辑两种类型的ACL。

The following image shows all types of Cisco access lists.

下图显示了所有类型的 Cisco 访问列表。

访问列表在 Cisco 路由器上的工作原理

How Access Lists work on Cisco routers

This tutorial explains how Cisco access lists work through examples. Learn how Cisco routers process access control lists.

本教程通过示例说明 Cisco 访问列表的工作原理。了解 Cisco 路由器如何处理访问控制列表。

When routers receive IP packets on their interfaces, they check the destination address of each packet and forward that packet from the interface that is directly connected to the destination address or the path leading to the destination address. If none of the router's interfaces are connected to the destination address, the router discards the packet.

当路由器在其接口上收到 IP 数据包时,它们会检查每个数据包的目标地址,并从直接连接到目标地址或通向目标地址的路径的接口转发该数据包。如果路由器的接口均未连接到目标地址,则路由器将丢弃数据包。

An access list is a set of additional commands or instructions that you can instruct a router to perform before forwarding IP packets. In the access list, each command or instruction is written on a separate line. Each line of the access list is treated as a separate entry.

访问列表是一组附加命令或指令,您可以指示路由器在转发 IP 数据包之前执行这些命令或指令。在访问列表中,每个命令或指令都写在单独的行上。访问列表的每一行都被视为一个单独的条目。

An access list can contain many entries. Each entry must include a criterion and an action. A criterion defines the condition that triggers the action. An entry may include multiple criteria or actions.

访问列表可以包含多个条目。每个条目必须包含一个条件和一个操作。条件定义触发操作的条件。一个条目可以包含多个条件或操作。

Let's take an example to understand how access lists work.

让我们举个例子来了解访问列表的工作原理。

The following image shows a sample school network.

下图显示了一个示例学校网络。

In this network, four LAN segments are connected through a router. These segments are Students, Teachers, Staff, and Administrators. These segments respectively belong to students, teachers, office staff, and management team.

在此网络中,四个LAN段通过路由器连接。这些细分是学生、教师、员工和管理员。这些部分分别属于学生、教师、办公室工作人员和管理团队。

The following table lists the IP configurations of all segments.

下表列出了所有网段的 IP 配置。

LAN Network Address Default gateway Gateway interface
Students 10.0.0.0/8 10.0.0.1 Router'F0/0
Teachers 20.0.0.0/8 20.0.0.1 Router'F0/1
Staff 30.0.0.0/8 30.0.0.1 Router'F1/0
Administrators 40.0.0.0/8 40.0.0.1 Router'F1/1

As far as connectivity is concerned, this network is fine. All LAN segments can access each other without any issues. The main issue of this network is security. This network has no security policy. Anyone can access any resource of the network. A student can access the teacher's computer. A teacher can access the principal's computer. This free flow of access makes this network useless. This network will be useful only if it allows only authorized users to access permitted resources.

就连接性而言,这个网络很好。所有 LAN 网段都可以相互访问,而不会出现任何问题。该网络的主要问题是安全性。此网络没有安全策略。任何人都可以访问网络的任何资源。学生可以访问教师的计算机。教师可以访问校长的计算机。这种访问的自由流动使这个网络变得毫无用处。仅当此网络仅允许授权用户访问允许的资源时,它才有用。

To block unauthorized access, Cisco routers have a built-in feature. This feature is known as access-lists . An access list allows the administrator to define what is allowed and what is blocked.

为了阻止未经授权的访问,Cisco路由器具有内置功能。此功能称为访问列表。访问列表允许管理员定义允许的内容和阻止的内容。

Once the criteria for allowed packets are defined, the router will only allow packets that meet the defined criteria. Access lists are used to define criteria for allowed packets. Access lists use lines to separate entries. Each line in the access list represents an entry. Each entry contains two things a condition and an action. When processing the entry, the router matches the condition, if the condition is matched, the router executes the action. A condition may include a single criterion or multiple criteria.

一旦定义了允许数据包的条件,路由器将只允许满足定义条件的数据包。访问列表用于定义允许数据包的条件。访问列表使用行来分隔条目。访问列表中的每一行都代表一个条目。每个条目都包含两个内容:一个条件和一个操作。在处理条目时,路由器匹配条件,如果条件匹配,路由器执行操作。条件可以包括单个条件或多个条件。

When creating an access list entry, you should keep three important factors in mind. These factors are location, direction, and order. We have already discussed these factors in the previous part of this tutorial. In this part, we will take an example to understand how an access list works and how these factors can affect an access list.

创建访问列表条目时,应牢记三个重要因素。这些因素是位置、方向和顺序。在本教程的前一部分中,我们已经讨论过这些因素。在这一部分中,我们将通过一个示例来了解访问列表的工作原理以及这些因素如何影响访问列表。

This tutorial is the third part of the article 'Cisco Access Lists Explained with Examples.' . Other parts of this article are the following.

ACL 的定义、目的、优点和功能 ACL的基本概念和基础知识 访问控制列表的类型说明 ACL 中的通配符掩码说明 Cisco ACL 的规则和配置准则 访问控制列表用示例说明 ip access-list 命令选项和参数 标准 ACL 配置命令说明 配置标准访问控制列表分步指南 如何保护VTY对路由器的访问 扩展 ACL 配置命令说明 配置扩展访问控制列表分步指南 如何在Cisco路由器上阻止ICMP Ping

Location 位置

In our example network, all LAN segments can access all LAN segments. To block students from accessing resources available outside the Students segment, the administrator created an access list and applied it to the F0/0 interface of the router. The ACL has the following entry.

在我们的示例网络中,所有 LAN 网段都可以访问所有 LAN 网段。为了阻止学生访问 Students 段之外的可用资源,管理员创建了一个访问列表,并将其应用于路由器的 F0/0 接口。ACL 具有以下条目。

If a packet has the source address from the network address 10.0.0.0/8, then discard the packet.

如果数据包的源地址来自网络地址 10.0.0.0/8,则丢弃该数据包。

The following image shows how this ACL is applied.

下图显示了如何应用此 ACL。

Since all packets generated from the Students segment have source addresses from the 10.0.0.0/8 network, they will be blocked as soon as they enter the F0/0 interface. After this ACL, users from the Students segment will not be able to access outside resources.

由于从 Students 段生成的所有数据包的源地址都来自 10.0.0.0/8 网络,因此一旦它们进入 F0/0 接口,它们就会被阻止。在此 ACL 之后,"学生"段中的用户将无法访问外部资源。

To understand how the location affects the ACL, let's suppose the administrator applied the above ACL to the F0/1 interface.

为了了解该位置如何影响 ACL,我们假设管理员将上述 ACL 应用于 F0/1 接口。

The following image shows this change.

下图显示了此更改。

Now, this ACL is useless. This ACL instructs the router to block a packet if it arrives from the 10.0.0.0/8 network. A packet from the 10.0.0.0/8 will never enter from the F0/1 interface. The F0/1 interface is the default gateway of the Teachers segment. Since the network address of the Teachers segment is 20.0.0.0/8, all packets entering F0/1 will have a source address from the network 20.0.0.0/8.

现在,这个ACL没用了。如果数据包来自 10.0.0.0/8 网络,则此 ACL 指示路由器阻止数据包。来自 10.0.0.0/8 的数据包永远不会从 F0/1 接口进入。F0/1 接口是 Teachers 段的默认网关。由于 Teachers 段的网络地址是 20.0.0.0/8,因此所有进入 F0/1 的数据包都将具有来自网络的源地址 20.0.0.0/8。

This example shows how the correct location of the ACL is important. An ACL must be implemented on the interface that interacts with targeted traffic.

此示例显示了 ACL 的正确位置的重要性。必须在与目标流量交互的接口上实现 ACL。

Direction 方向

Now suppose, instead of using the source address in the ACL entry, the administrator mistakenly used the destination address. The modified ACL is given below.

现在假设,管理员没有在 ACL 条目中使用源地址,而是错误地使用了目标地址。修改后的 ACL 如下。

If the destination address of a packet is from the network 10.0.0.0/8, discard the packet.

如果数据包的目标地址来自网络 10.0.0.0/8,则丢弃该数据包。

The administrator applied this ACL to the F0/0 interface of the router.

管理员将此 ACL 应用于路由器的 F0/0 接口。

Will this ACL work? 此 ACL 是否有效?

The following image shows the new ACL.

下图显示了新的 ACL。

This ACL will not work. This ACL instructs the router to block the packets that are going to the network 10.0.0.0/8, not to the packets that are coming from the network 10.0.0.0/8. If you apply this ACL to the F0/0 interface, the Students segment will be able to access all three segments but they will not be able to access the Students segment.

此 ACL 将不起作用。此 ACL 指示路由器阻止流向网络 10.0.0.0/8 的数据包,而不是流向来自网络 10.0.0.0/8 的数据包。如果将此 ACL 应用于 F0/0 接口,则 Students 段将能够访问所有三个段,但他们将无法访问 Students 段。

Order 次序

As mentioned earlier, for each packet, the router checks ACL entries from top to bottom until a match is found. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor through the example.

如前所述,对于每个数据包,路由器从上到下检查 ACL 条目,直到找到匹配项。找到匹配项后,它不会检查该数据包的其余条目。让我们通过这个例子来理解这个因素。

The administrator wants to allow a user from the Teachers segment to access the server available in the Administrators segment. The IP address of the allowed user is 20.0.0.3/8. Apart from the allowed user, all remaining users must not be able to access the Administrators segment. For this, the administrator created the following ACL and applied it to the F0/1 interface of the router.

管理员希望允许"教师"段中的用户访问"管理员"段中可用的服务器。允许用户的 IP 地址为 20.0.0.3/8。除允许的用户外,其余所有用户不得访问管理员段。为此,管理员创建了以下 ACL 并将其应用于路由器的 F0/1 接口。

Drop the packet if its source address belongs to the network 20.0.0.0/8
Allow the packet if its source address is 20.0.0.3/8

The following image shows this ACL.

下图显示了此 ACL。

Will this ACL work? 此 ACL 是否有效?

No , this ACL will block all outgoing traffic from the Teachers segment. When a packet originated from the host 20.0.0.3/8 reaches the router, the router checks the entries of the applied ACL until a match is found.

否,此 ACL 将阻止来自 Teachers 段的所有传出流量。当源自主机 20.0.0.3/8 的数据包到达路由器时,路由器会检查应用的 ACL 的条目,直到找到匹配项。

The first line of the ACL says "drop the packet if its source address belongs to the network 20.0.0.3/8 ". Since the IP address 20.0.0.3/8 belongs to the network 20.0.0.0/8, the statement becomes true. The router executes the action that is associated with this statement. Since the action of this statement is the drop, the router drops the packet.

ACL 的第一行说"如果数据包的源地址属于网络 20.0.0.3/8,则丢弃数据包"。由于 IP 地址 20.0.0.3/8 属于网络 20.0.0.0/8,因此该语句为 true。路由器执行与此语句关联的操作。由于此语句的动作是丢弃,因此路由器会丢弃数据包。

Even the second line of the ACL allows the host 20.0.0.3/8, but it will never be read and executed by the router.

即使是 ACL 的第二行也允许主机 20.0.0.3/8,但路由器永远不会读取和执行它。

The correct order to allow the host 20.0.0.3/8 will be the following.

允许主机 20.0.0.3/8 的正确顺序如下。

Allow the packet if its source address is 20.0.0.3/8
Drop the packet if its source address belongs to the network 20.0.0.0/8

The following image shows the above ACL.

下图显示了上述 ACL。

Now, this ACL will allow all packets that are originated from the host 20.0.0.3/8 but it will block all packets that are originated from other hosts of the network 20.0.0.0/8.

现在,此 ACL 将允许源自主机 20.0.0.3/8 的所有数据包,但会阻止源自网络 20.0.0.0/8 的其他主机的所有数据包。


Cisco ACL 的规则和配置准则

Rules and Configuration Guidelines for Cisco ACLs

This tutorial explains the general guidelines and rules for Cisco ACLs configuration. Learn the basic principles of Cisco ACL implementation.

介绍 Cisco ACL 配置的一般准则和规则。了解 Cisco ACL 实施的基本原则。

ACLs are not simple. They are one of the most complex features of the router. They work only when they are applied properly. An incorrectly applied ACL can lead to the opposite or strange results. For example, you have created an ACL to block a certain type of traffic but have implemented it on an interface that does not interact with that traffic, then this ACL will not work.

ACL 并不简单。它们是路由器最复杂的功能之一。它们只有在正确应用时才起作用。不正确地应用 ACL 可能会导致相反或奇怪的结果。例如,您创建了一个 ACL 来阻止某种类型的流量,但在不与该流量交互的接口上实施了该 ACL,则此 ACL 将不起作用。

To get the desired results from ACLs, you need to build and implement them properly.

要从 ACL 中获得所需的结果,您需要正确构建和实施它们。

There are some basic principles and rules for creating and implementing an ACL. In this tutorial, we will discuss them. Understanding these rules and principles will help you create and implement ACLs more effectively.

创建和实施 ACL 有一些基本原则和规则。在本教程中,我们将讨论它们。了解这些规则和原则将帮助您更有效地创建和实施 ACL。

This tutorial is the sixth part of the article 'Cisco Access Lists Explained with Examples.' . Other parts of this article are the following.

本教程是 "Cisco 访问列表与示例解释" 一文的第六部分。本文的其他部分如下。

ACL 的定义、目的、优点和功能 ACL 的基本概念和基础知识 访问列表在 Cisco 路由器上的工作原理 访问控制列表的类型说明 ACL 中的通配符掩码说明 访问控制列表用示例说明 ip access-list 命令选项和参数 标准 ACL 配置命令说明 配置标准访问控制列表分步指南 如何保护 VTY 对路由器的访问 扩展 ACL 配置命令说明 配置扩展访问控制列表分步指南 如何在 Cisco 路由器上阻止 ICMP Ping

Access control lists (ACL) are implemented in two steps: creating and activating. In the first step, you create an ACL. In the second step, you apply it to an interface. Until you apply it to an interface, it remains in an inactive state. An access list does nothing in its inactive state. To activate an ACL, you have to apply it to an interface.

访问控制列表 (ACL) 分两步实现:创建和激活。在第一步中,创建 ACL。在第二步中,将其应用于接口。在将其应用于接口之前,它将保持非活动状态。访问列表在其非活动状态下不执行任何操作。要激活 ACL,您必须将其应用于接口。

You can apply an ACL in two directions: inbound and outbound. If you apply the ACL in the inbound direction, it will filter the incoming traffic. If you apply the ACL in the outbound direction, it will filter the outgoing traffic.

您可以在两个方向上应用 ACL:入站和出站。如果在入站方向应用 ACL,它将过滤传入流量。如果在出站方向应用 ACL,它将过滤出站流量。

You can apply only one ACL per interface per protocol per direction. For example, you can apply only one ACL to filter incoming IP traffic on an interface. When applying an ACL to an interface, you have to specify the direction in which you want to filter the traffic.

每个接口、每个协议、每个方向只能应用一个 ACL。例如,您只能应用一个 ACL 来过滤接口上的传入 IP 流量。将 ACL 应用于接口时,您必须指定要过滤流量的方向。

Processing ACLs 处理 ACL

Once an ACL is applied to an interface, the interface processes all packets through the ACL. For each packet, it checks all ACL entries from top to bottom until it finds a match. If it finds a match between the packet and the entry, it executes the action defined in the entry. If it does not find the match, it checks the next entry.

一旦将 ACL 应用于接口,该接口将通过 ACL 处理所有数据包。对于每个数据包,它会从上到下检查所有 ACL 条目,直到找到匹配项。如果发现数据包和条目之间匹配,则执行条目中定义的操作。如果找不到匹配项,则检查下一个条目。

If the next entry matches the packet, the interface executes the action defined in the next entry. If the next entry does not match the packet, the interface will keep checking entries until it finds a match.

如果下一个条目与数据包匹配,则接口将执行下一个条目中定义的操作。如果下一个条目与数据包不匹配,接口将继续检查条目,直到找到匹配项。

Once the interface finds a match for the packet, it does not check the remaining entries for the packet. For example, if you have two entries, one denying a host and one permitting the same host. The router will execute the action of the entry that appears first in the ACL. It will never read the second entry for the same host.

一旦接口找到数据包的匹配项,它就不会检查数据包的其余条目。例如,如果有两个条目,一个拒绝主机,另一个允许同一主机。路由器将执行 ACL 中首先出现的条目的操作。它永远不会读取同一主机的第二个条目。

Since the order of entries is important, you should always place the most significant entries at the top of the list and the least significant entries at the bottom of the list. This arrangement will improve the router's performance because most of the time a match will be available at the top of the list and once a match is found, the router will not check the remaining entries.

由于条目的顺序很重要,因此应始终将最重要的条目放在列表的顶部,将最不重要的条目放在列表的底部。这种安排将提高路由器的性能,因为大多数情况下,匹配项将在列表顶部可用,一旦找到匹配项,路由器将不会检查剩余的条目。

The implicit deny statement 隐式拒绝语句

If a router goes through the entire list and does not find a match in the ACL entries for a packet, the router drops the packet. This aspect is known as implicit deny. In simple words, there is an invisible 'deny all ' statement at the end of every ACL that drops all traffic that does not match any of the preceding statements in the ACL.

如果路由器遍历了整个列表,但在数据包的 ACL 条目中找不到匹配项,则路由器将丢弃该数据包。这方面称为隐式拒绝。简单来说,每个 ACL 的末尾都有一个不可见的 "全部拒绝" 语句,该语句会丢弃所有与 ACL 中任何上述语句不匹配的流量。

Because of the implicit deny, every ACL should have at least one permit statement; otherwise, an ACL with only deny statements will drop all traffic.

由于隐式拒绝,每个 ACL 都应至少有一个许可声明;否则,仅包含拒绝语句的 ACL 将丢弃所有流量。

Let's take an example. A segment 10.0.0.0/8 is connected to the F0/0 interface. You want to block only 10.0.0.10/8 from this segment. Since you want to block only one host, you created an ACL with a single entry 'deny 10.0.0.10' and applied it to the F0/0 interface in the inbound direction.

让我们举个例子。段 10.0.0.0/8 连接到 F0/0 接口。您只想阻止此段的 10.0.0.10/8。由于您只想阻止一个主机,因此您创建了一个包含单个条目 "deny 10.0.0.10" 的 ACL,并将其应用于入站方向的 F0/0 接口。

Can you guess what will happen in this scenario?

你能猜到在这种情况下会发生什么吗?

Yes, you guess it right. This ACL will block all incoming traffic on the F0/0 interface. Let us understand, why would this happen.

是的,你猜对了。此 ACL 将阻止 F0/0 接口上的所有传入流量。让我们明白,为什么会这样。

If the packet arrives from the host 10.0.0.10, the 'deny 10.0.0.10' statement will block the packet. If the packet arrives from the other host, the criteria of the first statement will not match and the interface will check the next statement to match the packet. Since there is no next statement, the interface will execute the implicit deny statement. The implicit deny statement blocks all packets. This way, all incoming packets will be blocked.

如果数据包来自主机 10.0.0.10,则 "deny 10.0.0.10" 语句将阻止该数据包。如果数据包来自另一台主机,则第一个语句的条件将不匹配,接口将检查下一个语句以匹配数据包。由于没有 next 语句,接口将执行隐式 deny 语句。隐式 deny 语句阻止所有数据包。这样,所有传入的数据包都将被阻止。

To fix this problem, you have to add one more entry just after the first entry. In this entry, write an allow statement for the network 10.0.0.0 as given below.

要解决此问题,您必须在第一个条目之后再添加一个条目。在此条目中,为网络 10.0.0.0 编写一个 allow 语句,如下所示。

deny 10.0.0.10
allow 10.0.0.0

Now, this ACL will block only the host 10.0.0.10 while allowing all reaming hosts from the segment 10.0.0.10.

现在,此 ACL 将仅阻止主机 10.0.0.10,同时允许来自段 10.0.0.10 的所有铰孔主机。

Editing ACLs 编辑 ACL

A new entry is always placed at the bottom of the list. Once you have added an entry, you cannot edit, modify or delete it. If you want to change an entry, you have to delete the existing list and recreate the entire list.

新条目始终位于列表的底部。一旦添加了条目,就无法编辑、修改或删除它。如果要更改条目,则必须删除现有列表并重新创建整个列表。

Since modification is not allowed, you should create ACL entries on a text editor. After creating them on a text editor, you can copy them to the router. To edit or remove an entry from the existing ACL, you can use the following process.

由于不允许修改,因此应在文本编辑器上创建 ACL 条目。在文本编辑器上创建它们后,您可以将它们复制到路由器。要编辑或删除现有 ACL 中的条目,您可以使用以下过程。

Copy all entries into a text editor, modify the entries, and copy the updated entries back to the router.

将所有条目复制到文本编辑器中,修改条目,然后将更新的条目复制回路由器。

This restriction does not apply to routers that support a feature called sequence editing. If a router supports the sequence editing, you can edit or remove a single entry from the existing ACL.

此限制不适用于支持称为序列编辑功能的路由器。如果路由器支持序列编辑,则可以编辑或删除现有 ACL 中的单个条目。

Placing ACLs 放置 ACL

Access list filters the traffic passing through the router. They do not filter the traffic that originated from the router.

访问列表过滤通过路由器的流量。它们不会过滤源自路由器的流量。

A standard access list can only filter traffic based on the source address. You should place a standard ACL as close as possible to the destination of the traffic you want to deny so that the source can reach intermediary networks.

标准访问列表只能根据源地址过滤流量。您应将标准 ACL 放置在尽可能靠近要拒绝的流量的目标的位置,以便源可以到达中间网络。

An extended access list can filter traffic based on specific addresses and protocols. You should place an extended ACL as close as possible to the source of the traffic you wish to block.

扩展访问列表可以根据特定地址和协议过滤流量。您应将扩展 ACL 放置在尽可能靠近您希望阻止的流量源的位置。

There is no point in allowing the traffic to cross the entire network just to deny it. By placing an extended access list as close to the source address as possible, you can save precious network bandwidth.

仅仅为了否认它而允许流量穿过整个网络是没有意义的。通过将扩展访问列表放置在尽可能靠近源地址的位置,可以节省宝贵的网络带宽。

Key points 要点
  • We can apply the same ACL to multiple interfaces.
    我们可以将相同的 ACL 应用于多个接口。
  • We can enable the same ACL twice on the same interface in separate directions: inbound and outbound.
    我们可以在同一接口上以不同的方向启用相同的 ACL 两次:入站和出站。
  • We cannot enable the same ACL twice on the same interface in the same direction.
    我们不能在同一接口上以同一方向两次启用同一 ACL。
  • An empty ACL will permit all traffic.
    空 ACL 将允许所有流量。
  • Implicit deny condition will work only if ACL has at least one user-defined condition.
    仅当 ACL 具有至少一个用户定义的条件时,隐式拒绝条件才起作用。

via:

相关推荐
车载诊断技术11 分钟前
电子电气架构 --- 什么是EPS?
网络·人工智能·安全·架构·汽车·需求分析
KevinRay_15 分钟前
Python超能力:高级技巧让你的代码飞起来
网络·人工智能·python·lambda表达式·列表推导式·python高级技巧
2301_819287121 小时前
ce第六次作业
linux·运维·服务器·网络
CIb0la1 小时前
GitLab 停止为中国区用户提供 GitLab.com 账号服务
运维·网络·程序人生
Black_mario2 小时前
链原生 Web3 AI 网络 Chainbase 推出 AVS 主网, 拓展 EigenLayer AVS 应用场景
网络·人工智能·web3
中科岩创3 小时前
中科岩创边坡自动化监测解决方案
大数据·网络·物联网
brrdg_sefg4 小时前
WEB 漏洞 - 文件包含漏洞深度解析
前端·网络·安全
Quz8 小时前
Wireshark协议相关功能:过滤、启用/禁用、导出和统计查看
网络·测试工具·wireshark
安全方案9 小时前
如何增强网络安全意识?(附培训PPT资料)
网络·安全·web安全