1. ACL (Access Control List)
I. Basics
1. Access control lists (ACLs) are divided into basic ACLs (2000 to 2999), advanced ACLs (3000 to 3999), Layer 2 ACLs (4000 to 4999) and user-defined ACLs (5000 to 5999).
2. A basic ACL defines match rules only on the packet's source IP address; an advanced ACL defines match rules on Layer 3 and Layer 4 information such as source/destination IP address, protocol type and port number.
3. Configuring the step
4. Configuring a time range
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
<Sysname>system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 22:17:42 1/5/2006 Thursday
5. Creating a basic ACL:
(1) Create the ACL and enter ACL view
acl acl-number [ name acl-name ] [ match-order { auto | config } ]
(2) Define rules
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
(3) Define the step
step step-value
(4) Define a description for the ACL
description text
(5) Define a description for a rule
rule rule-id comment text
# ACL configuration example
# Configure basic IPv4 ACL 2000 to deny packets whose source IP address is 1.1.1.1.
<Sysname>system-view
[Sysname] acl 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, named -none-, 1 rule,
ACL's step is 5
 rule 0 deny source 1.1.1.1 0 (5 times matched)
6. Creating an advanced ACL
(1) Create the advanced ACL and enter its view
acl acl-number [ name acl-name ] [ match-order { auto | config } ]
(2) Define rules
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
# Configuration example
# Configure advanced IPv4 ACL 3000 to permit TCP packets with destination port 80 from hosts on network 129.9.0.0 to hosts on network 202.38.160.0.
<Sysname>system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, named -none-, 1 rule,
ACL's step is 5
 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (5 times matched)
7. Applying an ACL for packet filtering
Filtering is configured with the packet-filter command.
8. Outbound and inbound
Packets going from a zone with a higher security level to a zone with a lower security level are called outbound packets;
packets going from a zone with a lower security level to a zone with a higher security level are called inbound packets.
II. Configuration steps
1. Configure the IP addresses of the router interfaces (omitted)
2. Create a security zone for each department
# Configure the interzone firewall: create the security zones and set their security levels.
[R1]firewall zone HR
[R1-zone-HR]priority 12
[R1-zone-HR]firewall zone SALES
[R1-zone-SALES]priority 10
[R1-zone-SALES]firewall zone IT
[R1-zone-IT]priority 8
[R1-zone-IT]firewall zone trust
[R1-zone-trust]priority 14
# Add the R1 interfaces that connect the departments to the corresponding security zones; GE2/0/1 goes into the trust zone.
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]zone HR
[R1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]zone SALES
[R1-GigabitEthernet0/0/1]interface GigabitEthernet 2/0/0
[R1-GigabitEthernet2/0/0]zone IT
[R1-GigabitEthernet2/0/0]interface GigabitEthernet 2/0/1
[R1-GigabitEthernet2/0/1]zone trust
# Use display firewall zone to view each zone's priority, the names of the interfaces it contains, the interface count, and so on.
[R1]display firewall zone
zone IT
priority is 8
interface of the zone is (total number 1):
GigabitEthernet2/0/0
zone SALES
priority is 10
interface of the zone is (total number 1):
GigabitEthernet0/0/1
zone HR
priority is 12
interface of the zone is (total number 1):
GigabitEthernet0/0/0
zone trust
priority is 14
interface of the zone is (total number 1):
GigabitEthernet2/0/1
zone Local
priority is 15
interface of the zone is (total number 0):
total number is : 5
All zone configuration is now complete; next, configure ACL access control.
3. Block mutual access between the SALES and HR departments
# Enable the interzone firewall between the SALES and HR zones
[R1]firewall interzone SALES HR
[R1-interzone-HR-SALES]firewall enable
By default, once the interzone firewall is enabled, the zone with the higher security level can access the zone with the lower security level, and the reply packets can return to the higher-level zone, but the zone with the lower security level cannot access the zone with the higher security level.
# Use display firewall interzone SALES HR to view the default interzone policy
[R1]display firewall interzone SALES HR
interzone HR SALES
firewall enable
packet-filter default deny inbound (low to high)
packet-filter default permit outbound (high to low)
Because HR's security level (12) is higher than SALES's security level (10), access from HR to SALES is permitted, while access from SALES to HR is denied.
Next, to block mutual access between HR and SALES, an ACL can be applied between them. Since SALES already cannot access HR by default, it is enough to filter all packets from HR to SALES in the outbound direction.
# Create advanced ACL 3000 to define the packets from HR to SALES, set the step to 10, then apply ACL 3000 in the outbound direction
[R1]acl 3000
[R1-acl-adv-3000]step 10
[R1-acl-adv-3000]rule deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
[R1]firewall interzone HR SALES
[R1-interzone-HR-SALES]packet-filter 3000 outbound
# View the ACL configuration
[R1]display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 10
rule 10 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
# View the interzone firewall policy between SALES and HR
[R1]display firewall interzone SALES HR
interzone HR SALES
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
packet-filter 3000 outbound
At this point SALES and HR can no longer communicate.
4. Control access to Web-Server and Ftp-server: the SALES department can access Web-server but is denied access to Ftp-server
# Enable the interzone firewall between SALES and trust
[R1]firewall interzone SALES trust
[R1-interzone-trust-SALES]firewall enable
# Create ACL 3001 to permit users in the SALES department to access web-server, and apply it between the SALES and trust zones
[R1]acl 3001
[R1-acl-adv-3001]step 10
[R1-acl-adv-3001]rule permit tcp source 172.16.2.0 0.0.0.255 destination 192.168.1.30 0 destination-port eq 80
[R1]firewall interzone SALES trust
[R1-interzone-trust-SALES]packet-filter 3001 inbound
After this configuration, users in the SALES zone can access web-server but cannot access ftp-server.
5. Users in the IT department can access ftp-server at any time, but can access web-server only between 14:00 and 16:00 each day; in addition, IT users must be able to ping ftp-server and web-server at any time.
# Enable the interzone firewall between IT and trust
[R1]firewall interzone IT trust
[R1-interzone-trust-IT]firewall enable
# Configure a time range covering 14:00-16:00 every day
[R1]time-range access-web 14:00 to 16:00 daily
# Create ACL 3003 to permit FTP, HTTP and ICMP echo packets from IT to trust in the inbound direction, with the step set to 10
[R1]acl 3003
[R1-acl-adv-3003]step 10
[R1-acl-adv-3003]rule permit tcp source 172.16.3.0 0.0.0.255 destination 192.168.1.30 0 destination-port eq 80 time-range access-web
[R1-acl-adv-3003]rule permit tcp source 172.16.3.0 0.0.0.255 destination 192.168.1.10 0 destination-port eq 21
[R1-acl-adv-3003]rule permit icmp source 172.16.3.0 0.0.0.255 destination 192.168.1.30 0
[R1-acl-adv-3003]rule permit icmp source 172.16.3.0 0.0.0.255 destination 192.168.1.10 0
# View the ACL configuration
[R1]display acl 3003
Advanced ACL 3003, 4 rules
Acl's step is 10
rule 10 permit tcp source 172.16.3.0 0.0.0.255 destination 192.168.1.30 0 destination-port eq www time-range access-web (Inactive)
rule 20 permit tcp source 172.16.3.0 0.0.0.255 destination 192.168.1.10 0 destination-port eq ftp
rule 30 permit icmp source 172.16.3.0 0.0.0.255 destination 192.168.1.30 0
rule 40 permit icmp source 172.16.3.0 0.0.0.255 destination 192.168.1.10 0
# Apply ACL 3003 in the inbound direction between the IT zone and the trust zone
[R1]firewall interzone IT trust
[R1-interzone-trust-IT]packet-filter 3003 inbound
Configuration complete!
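The following Python model is an added example, not part of the original notes and not vendor code. It reproduces the two mechanisms the walkthrough relies on: the ACL matching semantics from part I (wildcard masks where a 1 bit means "do not care", the bare "0" host wildcard, rule-id auto-numbering from the step, first-match evaluation, and time-range activation) and the zone/interzone policy from part II (direction derived from zone priorities, the default "permit outbound / deny inbound" policy shown by display firewall interzone, and the packet-filter ACL bindings). It then builds the exact zones, ACLs and bindings of the lab so the stated outcomes can be checked against constructed sample packets. Assumptions: an interzone pair with no firewall enabled passes traffic unfiltered, a packet that matches no rule of the bound ACL falls back to the interzone default, "ip" rules match any protocol, times are zero-padded HH:MM strings, and the host addresses used in the packets are invented examples inside the lab's subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(s: str) -> int:
    # The CLI accepts a bare "0" as the host wildcard; normalise it (assumption matching the lab syntax).
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" | "deny"
    protocol: str                        # "ip" matches any IP protocol (assumption)
    source: tuple                        # (address, wildcard) exactly as typed on the CLI
    destination: tuple
    dport: Optional[int] = None          # destination-port eq N
    time_range: Optional[tuple] = None   # ("14:00", "16:00"), daily, zero-padded HH:MM

    def matches(self, pkt: dict, now: str) -> bool:
        if self.time_range and not (self.time_range[0] <= now <= self.time_range[1]):
            return False                 # rule is Inactive outside its time-range
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], *self.source)
                and wildcard_match(pkt["dst"], *self.destination))


class Acl:
    """Advanced ACL: rules tried in configuration order, first match wins."""
    def __init__(self, number: int, step: int = 5):
        self.number, self.step, self.rules = number, step, []

    def rule(self, action, protocol, source, destination, dport=None, time_range=None):
        # Auto-numbering as in the lab's display output: step 10 gives rule 10, 20, 30 ...
        rid = self.step * (len(self.rules) + 1)
        self.rules.append(Rule(rid, action, protocol, source, destination, dport, time_range))

    def evaluate(self, pkt: dict, now: str) -> Optional[str]:
        for r in self.rules:
            if r.matches(pkt, now):
                return r.action
        return None                      # no rule matched: caller applies the interzone default


class Firewall:
    """Security zones with priorities and interzone packet-filter policies."""
    def __init__(self):
        self.zones, self.interzones = {}, {}

    def zone(self, name: str, priority: int):
        self.zones[name] = priority

    def interzone_enable(self, a: str, b: str):
        self.interzones.setdefault(frozenset((a, b)), {"inbound": None, "outbound": None})

    def packet_filter(self, a: str, b: str, acl: Acl, direction: str):
        self.interzones[frozenset((a, b))][direction] = acl

    def direction(self, src_zone: str, dst_zone: str) -> str:
        # Higher -> lower security level is outbound; lower -> higher is inbound.
        return "outbound" if self.zones[src_zone] > self.zones[dst_zone] else "inbound"

    def check(self, src_zone: str, dst_zone: str, pkt: dict, now: str = "12:00") -> str:
        key = frozenset((src_zone, dst_zone))
        if key not in self.interzones:
            return "permit"              # assumption: no interzone firewall enabled -> unfiltered
        d = self.direction(src_zone, dst_zone)
        acl = self.interzones[key][d]
        verdict = acl.evaluate(pkt, now) if acl else None
        if verdict:
            return verdict
        # Default policy from "display firewall interzone": permit outbound, deny inbound.
        return "permit" if d == "outbound" else "deny"


def build_lab() -> Firewall:
    """Builds the zones, ACLs and packet-filter bindings configured in the walkthrough."""
    fw = Firewall()
    for name, prio in (("HR", 12), ("SALES", 10), ("IT", 8), ("trust", 14)):
        fw.zone(name, prio)
    acl3000 = Acl(3000, step=10)
    acl3000.rule("deny", "ip", ("172.16.1.0", "0.0.0.255"), ("172.16.2.0", "0.0.0.255"))
    fw.interzone_enable("SALES", "HR")
    fw.packet_filter("HR", "SALES", acl3000, "outbound")
    acl3001 = Acl(3001, step=10)
    acl3001.rule("permit", "tcp", ("172.16.2.0", "0.0.0.255"), ("192.168.1.30", "0"), dport=80)
    fw.interzone_enable("SALES", "trust")
    fw.packet_filter("SALES", "trust", acl3001, "inbound")
    acl3003 = Acl(3003, step=10)
    it = ("172.16.3.0", "0.0.0.255")
    acl3003.rule("permit", "tcp", it, ("192.168.1.30", "0"), dport=80, time_range=("14:00", "16:00"))
    acl3003.rule("permit", "tcp", it, ("192.168.1.10", "0"), dport=21)
    acl3003.rule("permit", "icmp", it, ("192.168.1.30", "0"))
    acl3003.rule("permit", "icmp", it, ("192.168.1.10", "0"))
    fw.interzone_enable("IT", "trust")
    fw.packet_filter("IT", "trust", acl3003, "inbound")
    return fw


if __name__ == "__main__":
    fw = build_lab()
    # Constructed sample packets: invented host addresses inside the lab's subnets.
    print(fw.check("HR", "SALES", {"proto": "tcp", "src": "172.16.1.5", "dst": "172.16.2.5", "dport": 445}))
    print(fw.check("IT", "trust", {"proto": "tcp", "src": "172.16.3.9", "dst": "192.168.1.30", "dport": 80}, now="15:00"))
```

Running it with the sample packets confirms the text's claims: HR to SALES is dropped by ACL 3000 in the outbound direction, SALES to HR is dropped by the inbound default with no ACL at all, SALES reaches web-server on port 80 but not ftp-server, and IT reaches web-server only while the time-range is active. The model also makes one point the notes leave implicit: an interzone pair that was never enabled (HR to trust, for instance) is not filtered, so every zone pair that needs a policy must be enabled explicitly.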