Noriu/Cyber_Security_Notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
23689af350
Cyber_Security_Notes/B. 第二阶段/拓扑练习/0829_ACL规则优先级.md
Noriu 55826ed3b4 2024年8月29日 17:36:48
2024-08-29 17:36:54 +08:00

3.5 KiB
Raw Blame History

ACL规则优先级

image-20240829171502458

image-20240829170059565

一、IP

  • AR1

    [AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.3.254 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.1.254 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 192.168.2.254 24

二、ACL

  • AR1

    [AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.1 0.0.0.0
[AR1-acl-basic-2000]rule 20 deny source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000

    注释:

    1. [AR1]acl 2000在设备AR1上创建一个编号为2000的基本ACL。
    2. [AR1-acl-basic-2000]rule 10 permit source 192.168.1.1 0.0.0.0在ACL 2000中添加规则10该规则允许源IP地址为192.168.1.1的数据包通过。
    3. [AR1-acl-basic-2000]rule 20 deny source 192.168.1.0 0.0.0.255在ACL 2000中添加规则20该规则拒绝源IP地址在192.168.1.0/24网段的数据包通过。
    4. [AR1-acl-basic-2000]quit退出ACL 2000的配置模式。
    5. [AR1]int g0/0/0进入设备AR1的GigabitEthernet0/0/0接口配置模式。
    6. [AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000在GigabitEthernet0/0/0接口的出方向应用ACL 2000以过滤出站流量。

    需要注意的是ACL规则的执行顺序是从上到下的因此规则10和规则20的顺序很重要。在这个例子中由于规则10先于规则20所以只有源IP地址为192.168.1.1的数据包会被允许通过而192.168.1.0/24网段的其他数据包将被拒绝。然而由于规则20覆盖了规则10中的IP地址实际上所有来自192.168.1.0/24网段的数据包都将被拒绝。这可能是配置错误通常应该先配置拒绝规则然后配置允许规则。

三、测试

  • PC间连通性测试

    全通

  • PC PING Server

    • PC1

      PC>ping 192.168.3.1

Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.1: bytes=32 seq=2 ttl=254 time=31 ms
From 192.168.3.1: bytes=32 seq=3 ttl=254 time=32 ms
From 192.168.3.1: bytes=32 seq=4 ttl=254 time=31 ms
From 192.168.3.1: bytes=32 seq=5 ttl=254 time=31 ms

--- 192.168.3.1 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/31/32 ms

    • PC2

      PC>ping 192.168.3.1

Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.3.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

    • PC3

      PC>ping 192.168.3.1

Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
From 192.168.3.1: bytes=32 seq=1 ttl=254 time=16 ms
From 192.168.3.1: bytes=32 seq=2 ttl=254 time=15 ms
From 192.168.3.1: bytes=32 seq=3 ttl=254 time=16 ms
From 192.168.3.1: bytes=32 seq=4 ttl=254 time<1 ms
From 192.168.3.1: bytes=32 seq=5 ttl=254 time=16 ms

--- 192.168.3.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 0/12/16 ms