CCNA試験対策 下巻ch3: Advanced IPv4 Access Control Lists
https://www.ciscopress.com/store/ccna-200-301-official-cert-guide-volume-2-9781587147135www.ciscopress.com
- ACLは4つに大別される:
Numbered | Named | |
---|---|---|
Standard | ||
Extended |
- 本章ではStandard Numbered以外の3つを学ぶ
Extended Numbered IP Access Control Lists
- Standard Numbered ACLではsource IP addressしかマッチングに使えなかった
- Extendedではいろいろなフィールドを使える
Matching the Protocol, Source IP, and Destination IP
Matching TCP and UDP Port Numbers
Router(config)#access-list 101 permit ? ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol ip Any Internet Protocol ospf OSPF routing protocol tcp Transmission Control Protocol udp User Datagram Protocol Router(config)#access-list 101 permit tcp ? A.B.C.D Source address any Any source host host A single source host Router(config)#access-list 101 permit tcp host 1.1.1.1 ? A.B.C.D Destination address any Any destination host eq Match only packets on a given port number gt Match only packets with a greater port number host A single destination host lt Match only packets with a lower port number neq Match only packets not on a given port number range Match only packets in the range of port numbers Router(config)#access-list 101 permit tcp host 1.1.1.1 eq ? <0-65535> Port number ftp File Transfer Protocol (21) pop3 Post Office Protocol v3 (110) smtp Simple Mail Transport Protocol (25) telnet Telnet (23) www World Wide Web (HTTP, 80)
R2>telnet 10.1.1.254 Trying 10.1.1.254 ...Open Router>exit [Connection to 10.1.1.254 closed by foreign host]
- 任意のホストのEphemeral Portsから10.1.1.254の23番ポートへのinboundパケットをdenyする
- Ephemeral Portsの範囲は49251(0xBFFF)-65535
Router(config)#access-list 101 deny tcp any gt 49151 10.1.1.254 0.0.0.0 eq telnet Router(config)#int g0/0/0 Router(config-if)#ip access-group 101 in
- 繋がらなくなる
R2>telnet 10.1.1.254 Trying 10.1.1.254 ... % Connection timed out; remote host not responding
Extended IP ACL Configurations
- なるべくパケット送信元の近くでfilteringする
- 帯域節約のため
- 指定した条件すべてを満たすパケットだけがマッチする
- 100-199, 2000-2699番を使う
Extended IP Access Lists: Example 1
Router(config)#no access-list 101 Router(config)#access-list 101 deny tcp any gt 49151 10.1.1.254 0.0.0.0 eq 23 Router(config)#end Router#show running-config | section access-list access-list 101 deny tcp any gt 49151 host 10.1.1.254 eq telnet
- ポート番号を数値で指定してもconfig上ではテキスト版になる
23
->telnet
Extended IP Access Lists: Example 2
略
Practice Building access-list Commands
略
Named ACLs and ACL Editing
- ACLは書いた順番のfirst-matchなので行削除とかしたくなる
Named IP Access Lists
- 名前をつけてStandard/Extended ACLを作成できる
Router(config)#ip access-list ? extended Extended Access List standard Standard Access List Router(config)#ip access-list extended no-telnet
- 設定項目は
access-list
コマンドとおなじ
Router(config-ext-nacl)#deny tcp any ? A.B.C.D Destination address any Any destination host eq Match only packets on a given port number gt Match only packets with a greater port number host A single destination host lt Match only packets with a lower port number neq Match only packets not on a given port number range Match only packets in the range of port numbers Router(config-ext-nacl)#deny tcp any 10.0.0.254 0.0.0.0 eq telnet
Router(config)#interface g0/0/0 Router(config-if)#no ip access-group 101 in Router(config-if)#ip access-group ? <1-199> IP access list (standard or extended) WORD Access-list name Router(config-if)#ip access-group no-telnet ? in inbound packets out outbound packets Router(config-if)#ip access-group no-telnet in
Router#show running-config | section access-list access-list 101 deny tcp any gt 49151 host 10.1.1.254 eq telnet ip access-list extended no-telnet deny tcp any host 10.0.0.254 eq telnet
Editing ACLs Using Sequence Numbers
Router#show running-config | section access-list access-list 101 deny tcp any gt 49151 host 10.1.1.254 eq telnet ip access-list extended no-telnet deny tcp any host 10.0.0.254 eq telnet deny tcp any host 10.1.1.254 eq telnet
- 間違えてしまった1行目
deny tcp any host 10.0.0.254 eq telnet
を消したい
Router(config)#ip access-list extended no-telnet Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet deny tcp any host 10.0.0.254 eq telnet deny tcp any host 10.1.1.254 eq telnet (12 match(es))
- 教科書的にはデフォルト10刻みの行番号が出てくるはずなのだが…Packet Tracerだからか出てこなかった
- 見えないが、行番号10で行を指定して消せる
Router(config-ext-nacl)#no 10 Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet deny tcp any host 10.1.1.254 eq telnet (12 match(es))
- 行の内容の否定でも消せる
Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet deny tcp any host 10.1.1.254 eq telnet (12 match(es)) permit ip any any Router(config-ext-nacl)#no permit ip any any Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet deny tcp any host 10.1.1.254 eq telnet (12 match(es))
- 行番号を指定して割り込むこともできる
Router(config-ext-nacl)#5 permit ip any any Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet permit ip any any deny tcp any host 10.1.1.254 eq telnet (12 match(es)) Router(config-ext-nacl)#no 5 Router(config-ext-nacl)#do show ip access-lists no-telnet Extended IP access list no-telnet deny tcp any host 10.1.1.254 eq telnet (12 match(es))
Numbered ACL Configuration Versus Named ACL Configuration
Router(config)#ip access-list standard 1 Router(config-std-nacl)#permit any Router(config-std-nacl)#do show ip access-lists 1 Standard IP access list 1 permit any
Router#show running-config | section access-list access-list 101 deny tcp any gt 49151 host 10.1.1.254 eq telnet ip access-list extended no-telnet deny tcp any host 10.1.1.254 eq telnet access-list 1 permit any
- numbered ACLもnamed ACLと同様にaccess-listコンフィグモードで設定できる
- が、configファイル上ではグローバルコンフィグのaccess-listコマンドの形で保存される
ACL Implementation Considerations
- extended ACLはなるべくパケット送信元の近くに配置する
- パケットを早期に廃棄できるよう
- standard ACLはなるべくパケット宛先の近くに配置する
- 意図せず、廃棄する必要のないパケットまで廃棄してしまうミスを防止するため
- source IP addressしか設定できないので起こりやすい
- 意図せず、廃棄する必要のないパケットまで廃棄してしまうミスを防止するため
- 条件の狭いものから順に書く
- ACLに変更を加える前に、interfaceコンフィグモードの
no ip access-group
コマンドで当該ACLを無効化する
Router(config-std-nacl)#do show running-config | section interface GigabitEthernet0/0/0 interface GigabitEthernet0/0/0 ip address 10.1.1.254 255.255.255.0 ip access-group hoge in duplex auto speed auto Router(config-std-nacl)#do show ip access-list hoge Standard IP access list hoge
R2>ping 10.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
- 何かルールを追加した瞬間に、暗黙のdeny anyでpingが通らなくなる
Router(config-std-nacl)#permit 1.1.1.1
R2>ping 10.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5)