Are ACLs and the Huawei traffic-filter unusable on the simulator?

Assorted Huawei switch configuration examples
Switch configuration (3): basic ACL configuration

1. Layer 2 ACL

Networking requirement: use a Layer 2 ACL to filter, every day between 8:00 and 18:00, packets whose source MAC is 00e0-fc01-0101 and whose destination MAC is 00e0-fc01-0303. The host is attached on GigabitEthernet0/1.

Configuration steps:

(1) Define the time range

```
# Define a periodic time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
```

(2) Define the ACL for source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303

```
# Enter the name-based Layer 2 ACL view; the ACL is named traffic-of-link.
[Quidway] acl name traffic-of-link link
# Define the traffic classification rule for source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303.
[Quidway-acl-link-traffic-of-link] rule 1 deny ingress 00e0-fc01-0101 0 egress 00e0-fc01-0303 0 time-range huawei
```

(3) Activate the ACL

```
# Activate the traffic-of-link ACL on the port.
[Quidway-GigabitEthernet0/1] packet-filter link-group traffic-of-link
```

2. Layer 3 ACL

a) Basic ACL example

Networking requirement: use a basic ACL to filter, every day between 8:00 and 18:00, packets sent by the host with source IP 10.1.1.1. The host is attached on GigabitEthernet0/1.

Configuration steps:

(1) Define the time range

```
# Define a periodic time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
```

(2) Define the ACL for source IP 10.1.1.1

```
# Enter the name-based basic ACL view; the ACL is named traffic-of-host.
[Quidway] acl name traffic-of-host basic
# Define the access rule for source IP 10.1.1.1.
[Quidway-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range huawei
```

(3) Activate the ACL

```
# Activate the traffic-of-host ACL in the inbound direction of the port.
[Quidway-GigabitEthernet0/1] packet-filter inbound ip-group traffic-of-host
```

b) Advanced ACL example

Networking requirement: the company's enterprise network connects its departments through the ports of a switch. The R&D department is attached on GigabitEthernet0/1, and the payroll query server has the address 129.110.1.2. Configure an ACL so that R&D cannot reach the payroll server during working hours, 8:00 to 18:00.

Configuration steps:

(1) Define the time range

```
# Define a periodic time range from 8:00 to 18:00 on working days.
[Quidway] time-range huawei 8:00 to 18:00 working-day
```

(2) Define the ACL for traffic to the payroll server

```
# Enter the name-based advanced ACL view; the ACL is named traffic-of-payserver.
[Quidway] acl name traffic-of-payserver advanced
# Define the access rule from the R&D department to the payroll server.
[Quidway-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
```

(3) Activate the ACL

```
# Activate the traffic-of-payserver ACL in the inbound direction of the port.
[Quidway-GigabitEthernet0/1] packet-filter inbound ip-group traffic-of-payserver
```

3. ACL against common worms and viruses

Create the ACL:

```
acl number 100
# block ping
rule deny icmp source any destination any
# limit the spread of the Blaster worm
rule deny udp source any destination any destination-port eq 69
rule deny tcp source any destination any destination-port eq 4444
# limit scanning and attacks by Blaster (冲击波)
rule deny tcp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq netbios-ns
rule deny udp source any destination any destination-port eq netbios-dgm
rule deny tcp source any destination any destination-port eq 139
rule deny udp source any destination any destination-port eq 139
rule deny tcp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 593
rule deny tcp source any destination any destination-port eq 593
# limit scanning and attacks by Sasser (振荡波); TCP 445 is already denied above
rule deny tcp source any destination any destination-port eq 5554
rule deny tcp source any destination any destination-port eq 9995
rule deny tcp source any destination any destination-port eq 9996
# limit the spread of the Worm_MSBlast.A worm
rule deny udp source any destination any destination-port eq 1434
# ports used by less well-known viruses (optional)
rule deny tcp source any destination any destination-port eq 1068
rule deny tcp source any destination any destination-port eq 5800
rule deny tcp source any destination any destination-port eq 5900
rule deny tcp source any destination any destination-port eq 10080
rule deny tcp source any destination any destination-port eq 455
rule deny udp source any destination any destination-port eq 455
rule deny tcp source any destination any destination-port eq 3208
rule deny tcp source any destination any destination-port eq 1871
rule deny tcp source any destination any destination-port eq 4510
rule deny udp source any destination any destination-port eq 4334
rule deny tcp source any destination any destination-port eq 4331
rule deny tcp source any destination any destination-port eq 4557
```

Then apply the configuration:

```
packet-filter ip-group 100
```

Purpose: for the problem currently seen on the network, the following shows how to filter UDP packets whose destination port is 1434; for detailed and more complex configurations, see the configuration manual.

NE80 configuration:

```
NE80(config)#rule-map r1 udp any any eq 1434   // r1 is the rule-map name, udp the protocol keyword, "any any" all source and destination IPs, eq "equal to", 1434 the UDP port number
NE80(config)#acl a1 r1 deny   // a1 is the ACL name, r1 the rule-map to bind to it
NE80(config-if-Ethernet1/0/0)#access-group acl a1   // bind the ACL on interface 1/0/0; acl is the keyword, a1 the ACL name
```

NE16 configuration:

```
NE16-4(config)#firewall enable all   // enable the firewall first
NE16-4(config)#access-list 101 deny udp any any eq 1434   // deny is the blocking keyword, applied to UDP packets; "any any" is all source and destination IPs, eq "equal to", 1434 the UDP port number
NE16-4(config-if-Ethernet2/2/0)#ip access-group 101 in   // apply the access-list on the interface; in means incoming packets, out can be used for outgoing packets
```

Mid-range and low-end router configuration:

```
[Router] firewall enable
[Router] acl 101
[Router-acl-101] rule deny udp source any destination any destination-port eq 1434
[Router-Ethernet0] firewall packet-filter 101 inbound
```

6506 configuration, old command line:

```
6506(config)#acl extended aaa deny protocol udp any any eq 1434
6506(config-if-Ethernet5/0/1)#access-group aaa
```

Internationalized new command line:

```
[Quidway] acl number 100
[Quidway-acl-adv-100] rule deny udp source any destination any destination-port eq 1434
[Quidway-acl-adv-100] quit
[Quidway] interface ethernet 5/0/1
[Quidway-Ethernet5/0/1] packet-filter inbound ip-group 100 not-care-for-interface
```

5516 configuration, old command line:

```
5516(config)#rule-map l3 aaa protocol-type udp ingress any egress any eq 1434
5516(config)#flow-action fff deny
5516(config)#acl bbb aaa fff
5516(config)#access-group bbb
```

Internationalized new command line:

```
[Quidway] acl num 100
[Quidway-acl-adv-100] rule deny udp source any destination any destination-port eq 1434
[Quidway] packet-filter ip-group 100
```

3526 configuration, old command line:

```
rule-map l3 r1 0.0.0.0 0.0.0.0 1.1.0.0 255.255.0.0 eq 1434
flow-action f1 deny
acl acl1 r1 f1
access-group acl1
```

Internationalized new command line (the rule is numbered 100, so the packet-filter command must reference ip-group 100; wildcards follow the new "0 bits must match" convention):

```
acl number 100
rule 0 deny udp source any destination 1.1.0.0 0.0.255.255 destination-port eq 1434
packet-filter ip-group 100 rule 0
```

Note: the 3526 can only be configured with filtering rules from the external network towards the internal network; 1.1.0.0 255.255.0.0 is the internal address range.

8016 configuration, old command line:

```
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#acl bbb aaa deny
8016(config)#access-group acl bbb vlan 10 port all
```

Internationalized new command line:

```
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#eacl bbb aaa deny
8016(config)#access-group eacl bbb vlan 10 port all
```

ACL to prevent ARP spoofing on the same segment

1. Networking requirement: a Layer 2 switch blocks ARP attacks in which network users spoof the gateway IP.

2. Network diagram: (Figure 1: Layer 2 switch anti-ARP-attack network)

S3552P is a Layer 3 device; IP 100.1.1.1 is the gateway of all the PCs, and the gateway MAC address on S3552P is 000f-e200-3999. PC-B has ARP attack software installed. S3026C_A now needs some special configuration to filter out ARP packets that spoof the gateway IP.

3. Configuration steps

On Layer 2 switches such as the S3026C that support user-defined ACLs, an ACL can be configured to filter ARP packets. Configure a global ACL that blocks every ARP packet whose source IP is the gateway:

```
acl num 5000
rule 0 deny 0806 ffff 24 <gateway-ip-hex> ffffffff 40
rule 1 permit 0806 ffff 24 000fe2003999 ffffffffffff 34
```

Rule 0 blocks ARP packets impersonating the gateway on every port of S3026C_A; the value at <gateway-ip-hex> (shown in italics in the original) is the hexadecimal form of the gateway IP address 100.1.1.1. Rule 1 permits ARP packets sent by the gateway; 000fe2003999 (italic in the original) is the gateway MAC address 000f-e200-3999. Note the order in which the rules are configured: the configuration above is for the case where a rule issued later takes effect ahead of one issued earlier.

Apply the ACL rule in the S3026C-A system view:

```
[S3026C-A] packet-filter user-group 5000
```

This way only the uplink port of S3026C_A facing the gateway can send the gateway's ARP packets; other hosts cannot send ARP replies that spoof the gateway.

Layer 3 switch: preventing ARP attacks that spoof the gateway

1. Networking requirement: a Layer 3 switch prevents ARP attacks in which users on the same segment spoof the gateway IP.

2. Network diagram: (Figure 2)
3. Configuration steps

1. Configure an ACL that filters ARP packets whose source IP is the gateway IP, and apply the ACL globally:

```
acl number 5000
rule 0 deny 0806 ffff 24 <gateway-ip-hex> ffffffff 40
```

Rule 0 blocks ARP packets impersonating the gateway on every port of the S3526E; the value at <gateway-ip-hex> (italic in the original) is the hexadecimal form of the gateway IP 100.1.1.5.

Apply the ACL rule in the S3526E system view:

```
[S3526E] packet-filter user-group 5000
```
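The user-defined ACL 5000 described above (the Layer 2 and the Layer 3 switch cases differ only in the gateway IP value), matched against constructed ARP frames; this is an added example, not code from the original page. It assumes that rule offsets are counted from 12 bytes before the first byte of the Ethernet frame (consistent with EtherType 0806 at offset 24 and the ARP sender IP at offset 40), that a later-configured rule takes precedence as the note on rule order says, and it uses gateway 100.1.1.1 (hex 64010101, derived from the dotted address) with MAC 000f-e200-3999.

```python
# Added example (not from the original page): a model of Huawei user-defined ACL
# matching (value / mask / offset triples) applied to constructed ARP frames.
# Assumption: offsets count from 12 bytes before the frame start, so the
# EtherType (frame byte 12) sits at ACL offset 24 and the ARP sender IP at 40.
import struct

OFFSET_BASE = 12

def mac(s):                      # "000f-e200-3999" -> 6 bytes
    return bytes.fromhex(s.replace("-", ""))

def ip_hex(s):                   # "100.1.1.1" -> "64010101"
    return "".join(f"{int(o):02x}" for o in s.split("."))

def arp_reply(src_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II frame carrying an ARP reply (opcode 2)."""
    eth = mac(target_mac) + mac(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac(src_mac) + bytes.fromhex(ip_hex(sender_ip))
    arp += mac(target_mac) + bytes.fromhex(ip_hex(target_ip))
    return eth + arp

# ACL 5000 from the page, in configuration order: an action plus the
# (value, mask, offset) fields that must all match.
GATEWAY_IP, GATEWAY_MAC = "100.1.1.1", "000f-e200-3999"
ACL_5000 = [
    ("deny",   [("0806", "ffff", 24), (ip_hex(GATEWAY_IP), "ffffffff", 40)]),
    ("permit", [("0806", "ffff", 24), (GATEWAY_MAC.replace("-", ""), "ffffffffffff", 34)]),
]

def field_matches(frame, value, mask, offset):
    v, m = bytes.fromhex(value), bytes.fromhex(mask)
    start = offset - OFFSET_BASE
    chunk = frame[start:start + len(v)]
    return len(chunk) == len(v) and all((c & b) == (x & b) for c, b, x in zip(chunk, m, v))

def acl_action(frame, acl=ACL_5000, default="permit"):
    """Later-configured rules are checked first (the page's note on rule order),
    so the permit for the real gateway MAC wins over the deny on the gateway IP."""
    for action, fields in reversed(acl):
        if all(field_matches(frame, *f) for f in fields):
            return action
    return default               # no rule matched: the switch forwards the frame
```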
Preventing ARP attacks that spoof another host's IP

1. As in Figure 1, PC-B spoofs PC-D's IP by sending an ARP reply whose MAC is PC-B's MAC (000d-88f8-09fa) and whose IP is PC-D's IP (100.1.1.3); the S3552P then learns a wrong IP-to-MAC mapping. The ARP table on the 3552 shows:

```
IP Address    MAC Address     VLAN ID  Port Name     Aging  Type
100.1.1.4     000d-88f8-09fa  1        Ethernet0/2   20     Dynamic
100.1.1.3     000f-3d81-45b4  1        Ethernet0/2   20     Dynamic
```

PC-D is attached on E0/8, but its ARP entry points to E0/2, the port the spoofed ARP came in on. Configure a static ARP entry on the S3552 for PC-D's real MAC and port:

```
arp static 100.1.1.3 000f-3d81-45b4 1 e0/8
```

2. As in Figure 2, the same approach is applied on the S3526C.

3. On switches such as the S3050C and S3026E that support IP, MAC and port binding, the spoofing can be prevented with a binding. On S3026C port E0/4:

```
am user-bind ip-addr 100.1.1.4 mac-addr 000d-88f8-09fa int e0/4
```

After this, only ARP packets with IP 100.1.1.4 and MAC 000d-88f8-09fa are accepted on E0/4; ARP packets from other IP/MAC pairs on that port are dropped.
ACL inbound and outbound on VLANs explained
Keywords: Huawei ACL configuration, Cisco ACL configuration, VLAN ACL configuration
1. ACL applied to a physical switch port

Topology: the PC is connected to switch port Gig0/0/1.
Goal: the PC cannot reach TCP ports 80 and 443 of the destination IP.
Stand on the PC side (where you stand matters) and look at the switch: the PC's packets enter the switch through the port, so the ACL is applied in the inbound direction of Gig0/0/1.
When the PC accesses Baidu on 443, the packet's destination-port is 443.
Configuration:

```
acl name test
 rule 5 deny tcp destination-port eq 443
 rule 10 deny tcp destination-port eq www
interface GigabitEthernet0/0/1
 traffic-filter inbound acl name test
```
2. ACL applied to a VLAN

Goal: in the inbound direction of VLAN 182, allow VLAN 182 to communicate only with host 10.10.10.89.
Think of the VLAN's gateway as the switch's door.
Inside the switch, packets between VLANs are forwarded by the switch's Layer 3 forwarding engine and are not subject to the ACL. So for VLAN 182 accessing VLAN 221, only the inbound direction of VLAN 182 can be controlled.
(Figure: understanding VLAN ACL direction)
Advanced ACL, matched on the destination address (172.16.0.0/12 needs the wildcard 0.15.255.255):

```
rule permit ip destination 10.10.10.89 0
rule deny ip destination 10.0.0.0 0.255.255.255
rule deny ip destination 172.16.0.0 0.15.255.255
rule deny ip destination 192.168.0.0 0.0.255.255
rule permit ip destination any
```

Another way of writing it: apply the ACL in the outbound direction of the VLAN. What is controlled here is traffic that has already entered the switch, because establishing a normal session requires the other side to reply (the thief is already in the living room, but is not allowed out through the back door). A basic ACL is enough:

```
rule permit source 10.10.10.89 0
rule deny source 10.0.0.0 0.255.255.255
rule deny source 172.16.0.0 0.15.255.255
rule deny source 192.168.0.0 0.0.255.255
rule permit any
```
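The two placements above as a packet-level model; this is an added example, not code from the original post. Wildcards follow the Huawei/Cisco convention (a 1 bit means "don't care"), and the VLAN 182 host address 10.10.182.10 used for testing is an assumption, since the post gives none.

```python
# Added example (not from the original post): a packet-level model of the two ACL
# placements from the post. Wildcard masks behave as on Huawei/Cisco ACLs (a 1 bit
# means "don't care"). The VLAN 182 host address 10.10.182.10 is an assumption.

def to_int(addr):
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr, network, wildcard):
    """True when addr equals network on every bit the wildcard does not ignore."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)

def make_acl(field):
    """The post's five entries; `field` is the packet address they match on."""
    return [(action, field, net, wc) for action, net, wc in [
        ("permit", "10.10.10.89", "0.0.0.0"),
        ("deny",   "10.0.0.0",    "0.255.255.255"),
        ("deny",   "172.16.0.0",  "0.15.255.255"),   # /12 needs 0.15, not 0.25
        ("deny",   "192.168.0.0", "0.0.255.255"),
        ("permit", "0.0.0.0",     "255.255.255.255")]]

ADVANCED_INBOUND = make_acl("dst")   # applied on VLAN 182 inbound: filter by destination
BASIC_OUTBOUND = make_acl("src")     # applied on VLAN 182 outbound: filter by source

def acl_verdict(acl, pkt):
    for action, field, net, wc in acl:
        if wildcard_match(pkt[field], net, wc):
            return action
    return "permit"   # unreachable here: the last entry matches every address

def session_allowed(placement, vlan_host, remote):
    """A session from a VLAN 182 host needs its request out and the reply back."""
    request = {"src": vlan_host, "dst": remote}
    reply = {"src": remote, "dst": vlan_host}
    if placement == "inbound":        # filter the request as it enters the VLAN's door
        return acl_verdict(ADVANCED_INBOUND, request) == "permit"
    # outbound: the request is forwarded, but the reply is stopped at the back door
    return acl_verdict(BASIC_OUTBOUND, reply) == "permit"
```

The wildcard helper also shows why the mask matters: with 0.25.255.255 an address such as 172.20.1.1 would not be treated as part of 172.16.0.0/12.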
Original poster (rank 丰衣足食, 951 points):
Hi everyone.
To prevent rogue DHCP servers on the LAN, I configured the following ACL on my Cisco 2960 switch:

```
access-list 108 deny udp any eq 67 any
access-list 108 permit ip any any
interface range fa0/1 - 48
 ip access-group 108 in
```

The situation now is: I started a rogue DHCP server on the network and took a PC to obtain an IP automatically. The PC receives the IP handed out by the legitimate DHCP server (I did ipconfig /release and ipconfig /renew several times). This shows that my ACL is working. But when I telnet to the Cisco 2960 and enter sh access-lists, the result shown is:

```
Extended IP access list 108
    10 deny udp any eq bootps any
    20 permit ip any any (28 matches)
```

The rule 10 deny udp any eq bootps any shows no matches after it. I'm a bit confused; it should have blocked packets.
Any suggestion, I will appreciate!
Reply (rank 腰缠万贯, 9589 points):
The 2960 is a Layer 2 switch, isn't it? Can its ACLs filter on ports and IP addresses?
Original poster (rank 丰衣足食, 951 points):
Thanks for your reply. I know it is Layer 2. But the 2960 spec has this description:
Granular rate limiting:
Cisco's CIR function guarantees bandwidth at a granularity as fine as 1 Mbps.
Rate limiting is based on source and destination IP address, source and destination MAC address, Layer 4 TCP/UDP information, or any combination of these fields, and is provided through QoS ACLs (IP ACLs or MAC ACLs), class maps and policy maps.
With input policing and output shaping, asynchronous upstream and downstream traffic from base stations or uplinks can be managed conveniently.
Each Fast Ethernet or Gigabit Ethernet port supports up to 64 aggregate or individual policers.
Can ACLs only be configured for rate limiting?
Original poster (rank 丰衣足食, 951 points):
Sorry, I hadn't finished reading.
The Security section says this:
Port-based ACLs (PBACLs) for Layer 2 interfaces let users apply security policies to individual switch ports.
Reply (rank 腰缠万贯, 9589 points):
Port-based ACLs for Layer 2 interfaces allow application of security policies on individual switch ports.
You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces and EtherChannel interfaces.
The following access lists are supported on Layer 2 interfaces:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type information
As with router ACLs, the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In the example in Figure 37-1, if all workstations were in the same VLAN, ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
Note: You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
Original poster (rank 丰衣足食, 951 points):
many thanks
Reply (rank 腰缠万贯, 9589 points):
For blocking rogue DHCP, DHCP snooping is a better choice than an ACL.
Here is a reference for you.
Reply (rank 腰缠万贯, 9589 points):
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are modified:
• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:

```
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.2
Switch(config)# access-list 102 deny tcp any any
```

Note: In the first and second ACEs in the example, the eq keyword after the destination address means to test for the TCP destination port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete packet because all Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. The information in this example is that the packet is TCP and that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
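The fragment rules quoted in the reply above, as an added example that is neither from the original thread nor from Cisco: a small model of ACE matching run over access list 102 and packets A, B and C. A non-initial fragment is represented as a packet whose destination port is unknown (None); that representation, and the helper names, are this example's own.

```python
# Added example (not from the original post or from Cisco): a model of how the
# fragment rules quoted above change ACE matching, run over the three packets the
# text describes. A non-initial fragment is modelled as a packet whose dport is None.

SMTP, TELNET, FTP = 25, 23, 21

# ACL 102 from the text: (action, protocol, destination host or None, dst port or None)
ACL_102 = [
    ("permit", "tcp", "10.1.1.1", SMTP),
    ("deny",   "tcp", "10.1.1.2", TELNET),
    ("permit", "tcp", "10.1.1.2", None),
    ("deny",   "tcp", None,       None),
]

def ace_matches(ace, pkt):
    action, proto, host, port = ace
    if pkt["proto"] != proto or (host is not None and pkt["dst"] != host):
        return False                 # Layer 3 mismatch never matches
    if port is None:
        return True                  # ACE checks no Layer 4 information
    if pkt["dport"] is None:         # fragment without Layer 4 information:
        return action == "permit"    # permit ACEs match, deny ACEs never do
    return pkt["dport"] == port

def acl_action(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"                    # implicit deny at the end of every ACL

def fragment_verdicts(acl, dst, dport, proto="tcp"):
    """(verdict for the first fragment, verdict for the remaining fragments)."""
    first = {"proto": proto, "dst": dst, "dport": dport}
    rest = {"proto": proto, "dst": dst, "dport": None}
    return acl_action(acl, first), acl_action(acl, rest)

def effectively_delivered(acl, dst, dport):
    """Packet B's case: a denied first fragment means the host can never reassemble
    the packet, even though the later fragments are permitted and consume resources."""
    first, rest = fragment_verdicts(acl, dst, dport)
    return first == "permit" and rest == "permit"
```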
Original poster (rank 丰衣足食, 951 points):
Thanks everyone for the help.
Let me read through it first.