路由器的配置和管理

第八章

路由器的配置和管理〔3〕本章內(nèi)容訪問(wèn)控制列表ACL網(wǎng)絡(luò)地址轉(zhuǎn)換NATInternet管理網(wǎng)絡(luò)中逐漸增長(zhǎng)的IP數(shù)據(jù)當(dāng)數(shù)據(jù)經(jīng)過(guò)路由器時(shí)進(jìn)展過(guò)濾為什么要運(yùn)用訪問(wèn)列表

訪問(wèn)列表的運(yùn)用允許、回絕數(shù)據(jù)包經(jīng)過(guò)路由器允許、回絕Telnet會(huì)話的建立沒(méi)有設(shè)置訪問(wèn)列表時(shí)，一切的數(shù)據(jù)包都會(huì)在網(wǎng)絡(luò)上傳輸虛擬會(huì)話(IP)端口上的數(shù)據(jù)傳輸

規(guī)范檢查源地址通常允許、回絕的是完好的協(xié)議

OutgoingPacketE0S0IncomingPacketAccessListProcessesPermit?Source什么是訪問(wèn)列表--規(guī)范

規(guī)范檢查源地址通常允許、回絕的是完好的協(xié)議擴(kuò)展檢查源地址和目的地址通常允許、回絕的是某個(gè)特定的協(xié)議OutgoingPacketE0S0IncomingPacketAccessListProcessesPermit?Sourceand

DestinationProtocol什么是訪問(wèn)列表--擴(kuò)展

規(guī)范檢查源地址通常允許、回絕的是完好的協(xié)議擴(kuò)展檢查源地址和目的地址通常允許、回絕的是某個(gè)特定的協(xié)議進(jìn)方向和出方向

OutgoingPacketE0S0IncomingPacketAccessListProcessesPermit?Sourceand

DestinationProtocol什么是訪問(wèn)列表

Inbound

InterfacePacketsNYPacketDiscardBucketChooseInterface

NAccessList

?RoutingTable

Entry

?YOutbound

InterfacesPacketS0出端口方向上的訪問(wèn)列表Outbound

InterfacesPacketNYPacketDiscardBucketChooseInterface

RoutingTable

Entry

?NPacketTestAccessListStatementsPermit

?Y出端口方向上的訪問(wèn)列表AccessList

?YS0E0Inbound

InterfacePacketsNotifySender出端口方向上的訪問(wèn)列表IfnoaccessliststatementmatchesthendiscardthepacketNYPacketDiscardBucketChooseInterface

RoutingTable

Entry

?NYTestAccessListStatementsPermit

?YAccessList

?DiscardPacketNOutbound

InterfacesPacketPacketS0E0Inbound

InterfacePackets訪問(wèn)列表的測(cè)試：允許和回絕

PacketstointerfacesintheaccessgroupPacket

DiscardBucketYInterface(s)DestinationDenyDenyYMatchFirstTest?Permit訪問(wèn)列表的測(cè)試：允許和回絕

PacketstoInterface(s)intheAccessGroupPacket

DiscardBucketYInterface(s)DestinationDenyDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?YY訪問(wèn)列表的測(cè)試：允許和回絕

PacketstoInterface(s)intheAccessGroupPacket

DiscardBucketYInterface(s)DestinationDenyDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?DenyMatchLastTest

?YYNYYPermit訪問(wèn)列表的測(cè)試：允許和回絕

PacketstoInterface(s)intheAccessGroupPacket

DiscardBucketYInterface(s)DestinationDenyYMatchFirstTest?PermitNDenyPermitMatchNextTest(s)?DenyMatchLastTest

?YYNYYPermitImplicitDenyIfnomatchdenyallDenyN訪問(wèn)列表配置指南

訪問(wèn)列表的編號(hào)指明了運(yùn)用何種協(xié)議的訪問(wèn)列表每個(gè)端口、每個(gè)方向、每條協(xié)議只能對(duì)應(yīng)于一條訪問(wèn)列表訪問(wèn)列表的內(nèi)容決議了數(shù)據(jù)的控制順序具有嚴(yán)厲限制條件的語(yǔ)句應(yīng)放在訪問(wèn)列表一切語(yǔ)句的最上面在訪問(wèn)列表的最后有一條隱含聲明：denyany－每一條正確的訪問(wèn)列表都至少應(yīng)該有一條允許語(yǔ)句先創(chuàng)建訪問(wèn)列表，然后運(yùn)用到端口上訪問(wèn)列表不能過(guò)濾由路由器本人產(chǎn)生的數(shù)據(jù)訪問(wèn)列表設(shè)置命令

Step1:設(shè)置訪問(wèn)列表測(cè)試語(yǔ)句的參數(shù)access-listaccess-list-number{permit|deny}{testconditions}Router(config)#Step1:設(shè)置訪問(wèn)列表測(cè)試語(yǔ)句的參數(shù)Router(config)#Step2:在端口上運(yùn)用訪問(wèn)列表ipaccess-groupaccess-list-number{in|out}Router(config-if)#訪問(wèn)列表設(shè)置命令

IP訪問(wèn)列表的標(biāo)號(hào)為1-99和100-199access-listaccess-list-number{permit|deny}{testconditions}如何識(shí)別訪問(wèn)列表號(hào)

編號(hào)范圍訪問(wèn)列表類型IP 1-99Standard規(guī)范訪問(wèn)列表(1to99)檢查IP數(shù)據(jù)包的源地址編號(hào)范圍訪問(wèn)列表類型如何識(shí)別訪問(wèn)列表號(hào)

IP 1-99100-199StandardExtended規(guī)范訪問(wèn)列表(1to99)檢查IP數(shù)據(jù)包的源地址擴(kuò)展訪問(wèn)列表(100to199)檢查源地址和目的地址、詳細(xì)的TCP/IP協(xié)議和目的端口編號(hào)范圍1-991300-1999Name(CiscoIOS11.2andlater)100-1992000-2699Name(CiscoIOS11.2andlater)StandardNamed訪問(wèn)列表類型如何識(shí)別訪問(wèn)列表號(hào)

規(guī)范訪問(wèn)列表檢查IP數(shù)據(jù)包的源地址擴(kuò)展訪問(wèn)列表檢查源地址和目的地址、詳細(xì)的TCP/IP協(xié)議和目的端口其它訪問(wèn)列表編號(hào)范圍表示不同協(xié)議的訪問(wèn)列表ExtendNamed例如9檢查一切的地址位可以簡(jiǎn)寫(xiě)為host(host9)Testconditions:Checkalltheaddressbits(matchall)9

(checksallbits)AnIPhostaddress,forexample:Wildcardmask:通配符掩碼指明特定的主機(jī)

一切主機(jī):55可以用any簡(jiǎn)寫(xiě)Testconditions:Ignorealltheaddressbits(matchany)

55(ignoreall)AnyIPaddressWildcardmask:通配符掩碼指明一切主機(jī)規(guī)范IP訪問(wèn)列表的配置

access-listaccess-list-number{permit|deny}source[inverse-mask]Router(config)#為訪問(wèn)列表設(shè)置參數(shù)IP規(guī)范訪問(wèn)列表編號(hào)1到99“noaccess-listaccess-list-number〞命令刪除訪問(wèn)列表access-listaccess-list-number{permit|deny}source[mask]Router(config)#在端口上運(yùn)用訪問(wèn)列表指明是進(jìn)方向還是出方向“noipaccess-groupaccess-list-number〞命令在端口上刪除訪問(wèn)列表Router(config-if)#ipaccess-groupaccess-list-number{in|out}為訪問(wèn)列表設(shè)置參數(shù)IP規(guī)范訪問(wèn)列表編號(hào)1到99缺省的通配符掩碼=“noaccess-listaccess-list-number〞命令刪除訪問(wèn)列表規(guī)范IP訪問(wèn)列表的配置3E0S0E1Non-規(guī)范訪問(wèn)列表舉例1access-list1permit55(implicitdenyall-notvisibleinthelist)(access-list1deny55)Permitmynetworkonlyaccess-list1permit55(implicitdenyall-notvisibleinthelist)(access-list1deny55)interfaceethernet0ipaccess-group1outinterfaceethernet1ipaccess-group1out3E0S0E1Non-規(guī)范訪問(wèn)列表舉例1Denyaspecifichost規(guī)范訪問(wèn)列表舉例23E0S0E1Non-access-list1deny3規(guī)范訪問(wèn)列表舉例23E0S0E1Non-Denyaspecifichostaccess-list1deny3access-list1permit55(implicitdenyall)(access-list1deny55)access-list1deny3access-list1permit55(implicitdenyall)(access-list1deny55)interfaceethernet0ipaccess-group1out規(guī)范訪問(wèn)列表舉例23E0S0E1Non-DenyaspecifichostDenyaspecificsubnet規(guī)范訪問(wèn)列表舉例33E0S0E1Non-access-list1deny55access-list1permitany(implicitdenyall)

(access-list1deny55)access-list1deny55access-list1permitany(implicitdenyall)

(access-list1deny55)interfaceethernet0ipaccess-group1out規(guī)范訪問(wèn)列表舉例33E0S0E1Non-Denyaspecificsubnet在路由器上過(guò)濾vty五個(gè)虛擬通道(0到4)路由器的vty端口可以過(guò)濾數(shù)據(jù)在路由器上執(zhí)行vty訪問(wèn)的控制01234Virtualports(vty0through4)Physicalporte0(Telnet)Consoleport(directconnect)consolee0如何控制vty訪問(wèn)01234Virtualports(vty0through4)Physicalport(e0)(Telnet)運(yùn)用規(guī)范訪問(wèn)列表語(yǔ)句用access-class命令運(yùn)用訪問(wèn)列表在一切vty通道上設(shè)置一樣的限制條件Router#e0虛擬通道的配置指明vty通道的范圍在訪問(wèn)列表里指明方向access-classaccess-list-number{in|out}linevty#{vty#|vty-range}Router(config)#Router(config-line)#虛擬通道訪問(wèn)舉例只允許網(wǎng)絡(luò)內(nèi)的主機(jī)銜接路由器的vty通道access-list12permit55!linevty04access-class12inControllingInboundAccess規(guī)范訪問(wèn)列表和擴(kuò)展訪問(wèn)列表

比較規(guī)范擴(kuò)展基于源地址基于源地址和目的地址允許和回絕完好的TCP/IP協(xié)議指定TCP/IP的特定協(xié)議和端口號(hào)編號(hào)范圍100-199和2000-2699編號(hào)范圍1-99和1300-1999擴(kuò)展IP訪問(wèn)列表的配置Router(config)#設(shè)置訪問(wèn)列表的參數(shù)access-listaccess-list-number{permit|deny}protocolsource

source-wildcard[operatorport]destinationdestination-wildcard

[operatorport]Router(config-if)#ipaccess-groupaccess-list-number{in|out}擴(kuò)展IP訪問(wèn)列表的配置在端口上運(yùn)用訪問(wèn)列表Router(config)#設(shè)置訪問(wèn)列表的參數(shù)access-listaccess-list-number{permit|deny}protocolsource

source-wildcard[operatorport]destinationdestination-wildcard

[operatorport]回絕子網(wǎng)的數(shù)據(jù)運(yùn)用路由器e0口ftp到子網(wǎng)允許其它數(shù)據(jù)3E0S0E1Non-擴(kuò)展訪問(wèn)列表運(yùn)用舉例1access-list101denytcp5555eq21access-list101denytcp5555eq20回絕子網(wǎng)的數(shù)據(jù)運(yùn)用路由器e0口ftp到子網(wǎng)允許其它數(shù)據(jù)擴(kuò)展訪問(wèn)列表運(yùn)用舉例13E0S0E1Non-access-list101denytcp5555eq21access-list101denytcp5555eq20access-list101permitipanyany(implicitdenyall)(access-list101denyip5555)access-list101denytcp5555eq21access-list101denytcp5555eq20access-list101permitipanyany(implicitdenyall)(access-list101denyip5555)interfaceethernet0ipaccess-group101out回絕子網(wǎng)的數(shù)據(jù)運(yùn)用路由器e0口ftp到子網(wǎng)允許其它數(shù)據(jù)擴(kuò)展訪問(wèn)列表運(yùn)用舉例13E0S0E1Non-回絕子網(wǎng)內(nèi)的主機(jī)運(yùn)用路由器的E0端口建立Telnet會(huì)話允許其它數(shù)據(jù)擴(kuò)展訪問(wèn)列表運(yùn)用舉例23E0S0E1Non-access-list101denytcp55anyeq23回絕子網(wǎng)內(nèi)的主機(jī)運(yùn)用路由器的E0端口建立Telnet會(huì)話允許其它數(shù)據(jù)擴(kuò)展訪問(wèn)列表運(yùn)用舉例23E0S0E1Non-access-list101denytcp55anyeq23access-list101permitipanyany(implicitdenyall)access-list101denytcp55anyeq23access-list101permitipanyany(implicitdenyall)interfaceethernet0ipaccess-group101out回絕子網(wǎng)內(nèi)的主機(jī)運(yùn)用路由器的E0端口建立Telnet會(huì)話允許其它數(shù)據(jù)擴(kuò)展訪問(wèn)列表運(yùn)用舉例23E0S0E1Non-查看訪問(wèn)列表的語(yǔ)句

wg_ro_a#showaccess-listsStandardIPaccesslist1permitpermitpermitpermitExtendedIPaccesslist101permittcphostanyeqtelnetpermittcphostanyeqftppermittcphostanyeqftp-datawg_ro_a#show{protocol}access-list{access-listnumber}wg_ro_a#showaccess-lists{access-listnumber}NAT———網(wǎng)絡(luò)地址翻譯隨著Internet的飛速開(kāi)展，網(wǎng)上豐富的資源產(chǎn)生著宏大的吸引力。接入Internet成為當(dāng)今信息業(yè)最為迫切的需求。但這遭到IP地址的許多限制。首先，許多局域網(wǎng)在未聯(lián)入Internet之前，就曾經(jīng)運(yùn)轉(zhuǎn)許多年了，局域網(wǎng)上有了許多現(xiàn)成的資源和運(yùn)用程序，但它的IP地址分配不符合Internet的國(guó)際規(guī)范，因此需求重新分配局域網(wǎng)的IP地址，這無(wú)疑是勞神費(fèi)時(shí)的任務(wù)其二，隨著Internet的膨脹式開(kāi)展，其可用的IP地址越來(lái)越少，要想在ISP處懇求一個(gè)新的IP地址已不是很容易的事了。NATNAT〔網(wǎng)絡(luò)地址翻譯〕能處理不少令人頭疼的問(wèn)題。它處理問(wèn)題的方法是：在內(nèi)部網(wǎng)絡(luò)中運(yùn)用內(nèi)部地址，經(jīng)過(guò)NAT把內(nèi)部地址翻譯成合法的IP地址，在Internet上運(yùn)用。其詳細(xì)的做法是把IP包內(nèi)的地址池〔內(nèi)部本地〕用合法的IP地址段〔內(nèi)部全局〕來(lái)交換。ChapterActivitiesWindows95PCModemBranchofficeISDN/analogSmallofficeCentralsiteFrameRelayFrameRelayservicePRIBRIBRIFrameRelayAsyncAAAserverAsyncSASAInsideLocalIPAddressInsideGlobalIPAddressNATtablePATNAT術(shù)語(yǔ)NAT功能NAT三種類型NAT術(shù)語(yǔ)InternetInsideInsideLocalIPAddressSimpleNATtableInsideGlobalIPAddress8HostBACBABDSADASADA內(nèi)部本地地址:私有IP，不能直接用于互連網(wǎng)。內(nèi)部全局地址：用來(lái)替代內(nèi)部本地IP地址的，對(duì)外，或在互聯(lián)網(wǎng)上是合法的的IP地址。復(fù)用內(nèi)部的全局地址將一個(gè)內(nèi)部全局地址用于同時(shí)代表多個(gè)內(nèi)部部分地址。主要用IP地址和端口號(hào)的組合來(lái)獨(dú)一區(qū)分各個(gè)內(nèi)部主機(jī)。目前在公司內(nèi)普遍運(yùn)用。〔如以下圖〕復(fù)用內(nèi)部的全局地址:1723:1024NATtable:1723:1024:23:23TCPTCP:1723:1492:23TCPInternetInsideHostB13SADASADA452HostCDA4InsideGlobalIPAddress:PortOutsideGlobalIPAddress:PortProtocolInsideLocalIPAddress:PortNAT三種類型NAT有三種類型：靜態(tài)NAT，動(dòng)態(tài)NAT和端口NAT〔PAT〕。其中靜態(tài)NAT設(shè)置起來(lái)最為簡(jiǎn)單，內(nèi)部網(wǎng)絡(luò)中的每個(gè)主機(jī)都被永久映射成外部網(wǎng)絡(luò)中的某個(gè)合法的地址。而動(dòng)態(tài)NAT是在外部網(wǎng)絡(luò)中定義了一系列的合法地址，采用動(dòng)態(tài)分配的方法映射到內(nèi)部網(wǎng)絡(luò)。PAT那么是把內(nèi)部地址映射到外部網(wǎng)絡(luò)的一個(gè)IP地址的不同端口上。StaticNATConfigurationExampleipnatinsidesourcestatic!interfaceEthernet0ipaddress0ipnatinside!interfaceSerial0ipaddressipnatoutside!Mapstheinsidelocaladdresstotheinsideglobaladdress.Thisinterfaceconnectedtotheoutsideworld.Thisinterfaceconnectedtotheinsidenetwork.ipnatpooldyn-nat54

netmaskipnatinsidesourcelist1pooldyn-nat!interfaceEthernet0ipaddress0ipnatinside!interfaceSerial0ipaddressipnatoutside!access-list1permit55!DynamicNATConfiguration

Translat