204426777乾颐堂CCNAv3.0课程EstablishingInternetConnectivityManagingTrafficUsingACLs用ACL管理流量乾颐堂CCNAv3.0204426777UnderstandingACLsWhatisanACL?•AnACLisaCiscoIOStoolfortrafficidentification.ACL是思科IOS定义流量的工具•AnACLisalistofpermitanddenystatements.ACL包含允许和拒绝的表项(有些场景的含义为匹配-hit或者忽略)•AnACLidentifiestrafficbasedontheinformationwithintheIPpacket.ACL基于IP报文定义流量•Aftertrafficisidentified,differentactionscanbetaken.定义流量之后可以赋予不同的行为•ACLscanbeusedonroutersandswitches.ACL可以用于路由器和交换机-129乾颐堂CCNAv3.0204426777ACLOperationACLtests:•AnACLconsistsofaseriesofpermitanddenystatements.•AnACLisconsultedintop-downorder.ACL由上至下进行操作•ThefirstmatchexecutesthepermitordenyactionandstopsfurtherACLmatching.第一个被匹配的报文执行拒绝或者允许的行为,然后停止后面的ACL匹配•ThereisanimplicitdenyallstatementattheendofeachACL.最后一行隐私deny行为-130乾颐堂CCNAv3.0204426777ACLWildcardMaskingWildcardbits—howtocheckthecorrespondingaddressbits通配符掩码定义了如何检查一致的地址位:•0meanstomatchthevalueofthecorrespondingaddressbit.0代表匹配•1meanstoignorethevalueofthecorrespondingaddressbit.1代表忽略-131乾颐堂CCNAv3.0204426777ACLWildcardMasking(Cont.)FilterforIPsubnets172.30.16.0/24to172.30.31.0/24.Addressandwildcardmask:172.30.16.00.0.15.255-132乾颐堂CCNAv3.0204426777ACLWildcardMasking(Cont.)ThisexampleshowsthewildcardmaskingprocessforIPsubnets.-133第三个字节的最后4位可以随意变化乾颐堂CCNAv3.0204426777WildcardBitMaskAbbreviations通配符掩码的缩写Usingwildcardbitmaskabbreviations:•172.30.16.290.0.0.0matchesalloftheaddressbits.•AbbreviatethiswildcardmaskusingtheIPaddressprecededbythekeywordhost(host172.30.16.29).用host代表该主机•0.0.0.0255.255.255.255ignoresalladdressbits.忽略所有位的检查,即任意•Abbreviateexpressionwiththekeywordany.-134乾颐堂CCNAv3.0204426777TypesofACLsTwomaintypesofACLs:•StandardACL:–CheckssourceIPaddress检查源地址–Permitsordeniesentireprotocolsuite匹配或者拒绝整个协议栈•ExtendedACL:–Checkssou...
