
CCIEÊÔÑ鱸¿¼Ö®½»»»security(3)


2007-03-28 11:30:32
Copyright notice: original work. Contact the author before reposting; otherwise legal action will be pursued.
Part 3: Access Control
1. RACL
A router ACL (RACL) is a security policy that controls traffic on routed interfaces. The switch supports RACLs with permit and deny actions in hardware, and an RACL is configured the same way as a conventional ACL.
On the switch an RACL can be applied to any routed interface, including:
* SVI (switch virtual interface, i.e. a VLAN interface)
* Layer 3 ports (routed ports)
* Layer 3 port channels
* Other Layer 3 interfaces
2. VACL
A VACL, also called a VLAN access map, applies to all traffic within a VLAN. VACLs can filter on EtherType and MAC address as well as on IPv4 addresses. As with Cisco IOS route maps, the order of entries in a VACL matters. A VACL has no direction (inbound or outbound): it is applied to the VLAN, not to an interface. One VACL can be applied to several VLANs, but a VLAN can be associated with only one VACL.
Several VACL actions are supported:
* Forward (permit): the frame is forwarded normally. To use the Switched Port Analyzer (SPAN) option, use the forward action with the capture option; SPAN is a troubleshooting feature that copies frames to a monitoring port. This is useful when several SPAN ports are configured and connected to network monitoring devices such as third-party IDS sensors.
* Drop (deny): when a flow matches a drop (deny) entry in the referenced ACL, it is compared against the next entry (sequence) instead. If the flow matches no entry at all and at least one ACL for that packet type is configured, the packets in the flow are dropped.
* Redirect: the redirect action is useful for steering specific traffic elsewhere for monitoring, security, or switching purposes.

Configuration:
1) Define the access control list (standard, extended, or named)
a. Standard access control list
access-list <list-number> deny|permit <source-address> <wildcard-mask> [log]
* list number: 1-99
* deny: deny the traffic
* permit: allow the traffic
* source address: the source whose access is being controlled
* wildcard mask: any means any host, host <address> means one specific host
* log: log matching packets
Example:
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
    10 deny   171.69.198.102
    20 permit any
 
b. Extended access control list
access-list <list-number> deny|permit <protocol> <source-address> <wildcard> [<source-port>] <destination-address> <wildcard> [<destination-port>] [<operator>]
* list number: 100-199
* protocol: IP, TCP, UDP, ICMP, etc.; the protocol field is one of the features that distinguishes an extended list from a standard one
* operator: eq <port>: equal to the given protocol or port number
                lt <port>: less than the given protocol or port number
                gt <port>: greater than the given protocol or port number

Example:
Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
Switch# show access-lists
Extended IP access list 102
    10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
    20 permit tcp any any

c. Named access control list
Named lists allow more than the 99 standard and 100 extended lists available by number. Their advantage over numbered lists is that a single statement can be deleted from them, whereas with a numbered access list the whole list has to be removed.
    ip access-list standard|extended <name>
    permit|deny ... (the entry syntax differs between standard and extended lists, as above)

Example:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
2) Define the VLAN access map
    vlan access-map <name> [<sequence>]
a) Match a given IP access list:     match ip address <access-list number or name>
   Match a given MAC access list:    match mac address <access-list name>
b) Specify the action for matching traffic:    action drop|forward

Example:
switch(config)#vlan access-map test
switch(config-access-map)#match ip address 101
switch(config-access-map)#action forward
3) Apply the access map to a VLAN
    vlan filter <map-name> vlan-list <vlan-list>

Example:
    vlan filter test vlan-list 10

4) Verify
    show vlan access-map <name>
 
Switch#show vlan access-map
Vlan access-map "test"  10
  Match clauses:
    ip  address: 100
  Action:
    drop
Vlan access-map "test"  20
  Match clauses:
  Action:
    forward
---------------------------------------------------
show vlan filter [access-map <name> | vlan <vlan-id>]

Switch#show vlan filter
VLAN Map test is filtering VLANs:
  11-13

Example:
Host X and Host Y are in different VLANs, and Switch B already routes between the two VLANs.
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Switch(config)# vlan filter map2 vlan-list 1
Note the difference between an ACL applied to inter-VLAN routing (an RACL) and a VACL: the RACL only sees traffic routed through the Layer 3 interface, while the VACL sees all traffic in the VLAN, bridged or routed.
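As an added example (not from the original post), the following Python models how the switch evaluates the lists above: IOS wildcard masks, first-match-wins with the implicit deny, and the VACL rule that a sequence matches only when its ACL permits the packet, so a deny in the "http" list falls through to sequence 20 and a map in which no sequence matches drops the packet. ACL 102 and map2 are taken from the post; the Packet class and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:                     # constructed test packets, not from the post
    src: str
    dst: str
    proto: str = "ip"             # "ip", "tcp", "udp" or "icmp"
    dport: int = 0


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def ace_matches(ace, pkt):
    """ace = (action, proto, src, src_wc, dst, dst_wc, dport-or-None)."""
    _, proto, src, swc, dst, dwc, dport = ace
    if proto != "ip" and proto != pkt.proto:        # 'ip' covers every protocol
        return False
    if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
        return False
    return dport is None or dport == pkt.dport      # the 'eq <port>' operator


def acl_lookup(acl, pkt):
    """Entries are tried in order; first match wins; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


def vacl_action(access_map, pkt):
    """A sequence matches only if its ACL permits the packet; an ACL deny or no
    match falls through to the next sequence.  When no sequence matches and an
    IP ACL is configured in the map, the packet is dropped."""
    for _seq, acl, action in access_map:
        if acl_lookup(acl, pkt) == "permit":
            return action
    return "drop"


ANY = ("0.0.0.0", "255.255.255.255")
# access-list 102 from the post: deny telnet between the two /24s, permit other tcp
ACL_102 = [("deny", "tcp", "171.69.198.0", "0.0.0.255", "172.20.52.0", "0.0.0.255", 23),
           ("permit", "tcp", *ANY, *ANY, None)]
# vlan access-map map2 from the post: seq 10 drops the 'http' ACL, seq 20 forwards the rest
HTTP = [("permit", "tcp", "10.1.1.32", "0.0.0.0", "10.1.1.34", "0.0.0.0", 80)]
MATCH_ALL = [("permit", "ip", *ANY, *ANY, None)]
MAP2 = [(10, HTTP, "drop"), (20, MATCH_ALL, "forward")]
```

Note that ACL 102 permits only TCP, so a UDP packet between the same networks hits the implicit deny even though no entry names it.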
 
3. PACL
A port ACL (PACL) provides another control mechanism by filtering traffic at the port level. A PACL can be applied to Layer 2 switch ports, trunk ports, or EtherChannel ports.
With PACLs, the following ACL types can be applied to a Layer 2 interface:
* Standard IP ACL (filters on source IP address)
* Extended IP ACL (filters on source and destination IP addresses and on Layer 4 protocol information)
* MAC extended ACL (filters on source and destination MAC addresses, optionally with Layer 3 protocol-type information)
When a PACL is applied to a trunk port, it filters the traffic of every VLAN carried on the trunk. When it is applied to a port with a voice VLAN, it filters both the data and the voice VLAN traffic.
With a PACL, an IP access list filters IP traffic and a MAC access list filters non-IP traffic. Applying both an IP access list and a MAC access list to the same Layer 2 interface therefore filters both the IP and the non-IP traffic on that interface.

Configuring a MAC extended ACL:
1) Enter global configuration mode:   configure terminal
2) Create the named MAC extended ACL:
    mac access-list extended <name>
3) Define the access list entries:
    deny|permit [any | host <source-MAC> | <source-MAC> <source-MAC-mask>] [any | host <destination-MAC> | <destination-MAC> <destination-MAC-mask>] [aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos <cos>]
4) Apply the access list to a Layer 2 interface:
    enter interface mode:    interface <interface>
    apply the ACL:           mac access-group <name> in
                 (a port ACL can only be applied in the inbound direction)
5) Verify:
    show access-lists [<number>|<name>]
    show access-group [interface <interface>]
 
Example:
switch#configure terminal
switch(config)#mac access-list extended cisco
switch(config-ext-macl)#permit host 0011.abcd.abcd host 0011.1111.1111
switch(config-ext-macl)#exit
switch(config)#access-list 101 deny ip 10.10.1.0 0.0.0.255 host 10.10.2.2
switch(config)#access-list 101 permit ip any any
switch(config)#interface f0/23
switch(config-if)#switchport mode trunk
switch(config-if)#ip access-group 101 in
switch(config-if)#mac access-group cisco in
switch(config-if)#end
switch#show access-lists
switch#show access-group interface f0/23

Example:
CCIE-LAB (v133)
Task:
Assume that connected to port f0/15 on SW1 is a host sending Ethernet Type 6000 frames into the network. Configure an access-list to block only this traffic, allowing other frames to enter the network. Please use "Block_eth6000" as the name of the access-list.
Configuration:
SW1
configure terminal
mac access-list extended Block_eth6000
  deny any any etype-6000
  permit any any
interface f0/15
  switchport mode access
  mac access-group Block_eth6000 in
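Added example, not from the post or the lab: the same first-match evaluation for a MAC extended ACL with the EtherType keyword, applied to the Block_eth6000 list from the task and to the "cisco" list from the PACL example above. It shows why the lab answer needs the trailing permit: a MAC ACL with only one permit entry implicitly drops every other non-IP frame entering the port. The frame tuples are constructed.

```python
ANY_MAC = ("0000.0000.0000", "ffff.ffff.ffff")   # 'any' keyword: every bit wildcarded


def mac_to_int(mac):
    """Cisco dotted-hex MAC notation (0011.abcd.abcd) to an integer."""
    return int(mac.replace(".", ""), 16)


def mac_wildcard_match(addr, base, wildcard):
    """As with IP ACLs, a 1 bit in the mask means 'do not care'."""
    a, b, w = map(mac_to_int, (addr, base, wildcard))
    return (a | w) == (b | w)


def mac_ace_matches(ace, frame):
    """ace = (action, src, src_mask, dst, dst_mask, ethertype-or-None);
    frame = (src, dst, ethertype).  An entry without EtherType matches any protocol."""
    _, src, smask, dst, dmask, etype = ace
    fsrc, fdst, fetype = frame
    return (mac_wildcard_match(fsrc, src, smask)
            and mac_wildcard_match(fdst, dst, dmask)
            and (etype is None or etype == fetype))


def mac_acl_lookup(acl, frame):
    """Entries are tried in order; the first match wins and an unmatched frame
    hits the implicit deny at the end of every MAC ACL."""
    for ace in acl:
        if mac_ace_matches(ace, frame):
            return ace[0]
    return "deny"


# Lab answer from the post: block only EtherType 0x6000, let everything else in
BLOCK_ETH6000 = [("deny", *ANY_MAC, *ANY_MAC, 0x6000),
                 ("permit", *ANY_MAC, *ANY_MAC, None)]
# MAC ACL 'cisco' from the PACL example: one host pair permitted, nothing else
CISCO = [("permit", "0011.abcd.abcd", "0000.0000.0000",
          "0011.1111.1111", "0000.0000.0000", None)]
# Constructed frames: (source MAC, destination MAC, EtherType)
ETH6000_FRAME = ("0011.abcd.abcd", "ffff.ffff.ffff", 0x6000)
ARP_FRAME = ("0011.abcd.abcd", "ffff.ffff.ffff", 0x0806)
```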

This article is from the blog “无聊生活，积极面对”; please contact the author before reposting.





Comments
2007-03-28 16:34:22
Always such a classic...

2007-03-29 09:16:27
thanks!

 
