Ender204426777乾颐堂CCNAv3.0课程ManagingNetworkDeviceSecurityImplementingTrafficFilteringwithACLs乾颐堂CCNAv3.0Ender204426777UsingACLstoFilterNetworkTrafficHowcanyourestrictInternetaccessforPC2?如何限制PC2接入互联网Ender乾颐堂CCNAv3.0Ender204426777ACLOperationACLoperationoutbound:验证路由表->选择出接口->匹配ACL(如果允许通过,则转发,否则丢弃)Ender-38乾颐堂CCNAv3.0Ender204426777ApplyingACLstoInterfacesBranch(config-if)#ipaccess-group1outBranch(config-if)#ipaccess-group2inAppliesACL1ontheinterfaceasanoutboundfilter:AppliesACL2ontheinterfaceasaninboundfilter:Important:OnlyoneACLperprotocol,perdirection,andperinterfaceisallowed.每个协议,每个方向,每个接口只能运用一个ACLEnder-39乾颐堂CCNAv3.0Ender204426777ApplyingACLstoInterfaces(Cont.)Example:•DenyInternetaccessforaspecifichost(10.1.1.101).•AllowallotherLANhoststoaccesstheInternet.Branch(config)#access-list1deny10.1.1.101Branch(config)#access-list1permit10.1.1.00.0.0.255Branch(config)#interfaceGigabitEthernet0/1Branch(config-if)#ipaccess-group1outEnder-40乾颐堂CCNAv3.0Ender204426777TheNeedforExtendedACLs•HowcanyoupreventPC2fromaccessingonlyaspecificserverontheInternet?如何仅仅阻止PC2访问访问网络中的特定一台主机•Howcanyouallowotherusersonlywebaccess?如何允许其他用户仅仅进行WEB访问Ender-41乾颐堂CCNAv3.0Ender204426777TheNeedforExtendedACLs(Cont.)TestingpacketswithextendedIPv4ACLs扩展列表中的一些字段Ender-42乾颐堂CCNAv3.0Ender204426777ConfiguringNumberedExtendedIPv4ACLsBranch(config)#access-list110denyiphost10.1.1.101host209.165.202.197Branch(config)#access-list110permittcp10.1.1.00.0.0.255anyeq80Branch(config)interfaceg0/0Branch(config-if)#ipaccess-group110in•Thenumber110ischosentodefineanACLasanextendedACL.•ThefirststatementmatchesIPtrafficbetweentwospecifichostsanddeniesit.•ThesecondstatementmatchesHTTPTCPtrafficfromnetwork10.1.1.0/24.–Theoperatoreq(equal)isusedtomatchTCPport80.•TheimplicitdenystatementispresentattheendoftheACLAnextendedACLisactivatedontheinterfaceinthesamewayasastandardACL.扩展列表更接...
