diff --git "a/24\346\254\247\345\272\255\347\200\232/20250422-\350\267\257\347\224\261\345\231\250ospf\345\212\250\346\200\201\350\267\257\347\224\261\347\232\204\351\205\215\347\275\256 .md" "b/24\346\254\247\345\272\255\347\200\232/20250422-\350\267\257\347\224\261\345\231\250ospf\345\212\250\346\200\201\350\267\257\347\224\261\347\232\204\351\205\215\347\275\256 .md" index bf99e111fc9b7116264863c08508977ad39cc3ef..4f0e0746f34dfa76532335123c432ae19a82b8af 100644 --- "a/24\346\254\247\345\272\255\347\200\232/20250422-\350\267\257\347\224\261\345\231\250ospf\345\212\250\346\200\201\350\267\257\347\224\261\347\232\204\351\205\215\347\275\256 .md" +++ "b/24\346\254\247\345\272\255\347\200\232/20250422-\350\267\257\347\224\261\345\231\250ospf\345\212\250\346\200\201\350\267\257\347\224\261\347\232\204\351\205\215\347\275\256 .md" 
@@ -1,194 +1,141 @@ - - - - -练习 - -OSPF与RIP连接 - -![image-20250423222134135](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250423_1745418097.png) - -``` -右边rip配置 - -Router>en - -Router#conf t - -Enter configuration commands, one per line. End with CNTL/Z. - -Router(config)#interface g0/0 - -Router(config-if)#ip address 3.3.3.1 255.255.255.0 - -Router(config-if)#no shut - - - -Router(config-if)# - -%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up - - - -%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up - -ex - -Router(config)#in - -Router(config)#interface g0/1 - -Router(config-if)#ip addRouter(config-if)#ip address 2.2.2.2 255.255.255.0 - -Router(config-if)#no shut - - - - - -​ - -Router(config-if)#ex - -Router(config)#ex - -Router#show ip route - -Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP - -​ D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area - -​ N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 - -​ E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP - -​ i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area - -​ \* - candidate default, U - per-user static route, o - ODR - -​ P - periodic downloaded static route - - - -Gateway of last resort is not set - - - -​ 3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks - -C 3.3.3.0/24 is directly connected, GigabitEthernet0/0 - -L 3.3.3.1/32 is directly connected, GigabitEthernet0/0 - - - -Router#conf t - -Enter configuration commands, one per line. End with CNTL/Z. - -Router(config)#route - -Router(config)#router rip - -Router(config-router)#version 2 - -Router(config-router)#network 3.3.3.0 - -Router(config-router)#network 2.2.2.0 - -Router(config-router)#ex - -Router(config)# -``` - - - -``` -Router>en -Router#conf t -Enter configuration commands, one per line. End with CNTL/Z. 
-Router(config)#in -Router(config)#interface g0/0 -Router(config-if)#no shut - -Router(config-if)# -%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up - -%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up -ip addre -Router(config-if)#ip address 1.1.1.2 255.255.255.0 -Router(config-if)#ex -Router(config)#in -Router(config)#interface g0/1 -Router(config-if)#ip add -Router(config-if)#ip address 2.2.2.1 255.255.255.0 -Router(config-if)#no shut - -Router(config-if)# -%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up - -%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up - -Router(config-if)#ex -Router(config)#rout -Router(config)#router ospf 1 -Router(config-router)#net -Router(config-router)#network 1.1.1.0 0.0.0.255 ar -Router(config-router)#network 1.1.1.0 0.0.0.255 area 0 -Router(config-router)#end -Router# -%SYS-5-CONFIG_I: Configured from console by console - -Router#conf t -Enter configuration commands, one per line. End with CNTL/Z. -Router(config)#ro -Router(config)#router rip -Router(config-router)#ver -Router(config-router)#version 2 -Router(config-router)#ne -Router(config-router)#network 2.2.2.0 -Router(config-router)#ex -Router(config)#router rip -Router(config-router)#re -% Incomplete command. 
-Router(config-router)#red -Router(config-router)#redistribute o -Router(config-router)#redistribute ospf 1 me -Router(config-router)#redistribute ospf 1 metric 5 -Router(config-router)#ex -Router(config)#ospf -Router(config)#router os -Router(config)#router ospf 1 -Router(config-router)#re -Router(config-router)#redistribute rip su -Router(config-router)#redistribute rip subnets -Router(config-router)#end -Router# -%SYS-5-CONFIG_I: Configured from console by console - -Router#show ip route -Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP - D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area - N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 - E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP - i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area - * - candidate default, U - per-user static route, o - ODR - P - periodic downloaded static route - -Gateway of last resort is not set - - 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks -C 1.1.1.0/24 is directly connected, GigabitEthernet0/0 -L 1.1.1.2/32 is directly connected, GigabitEthernet0/0 - 2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks -C 2.2.2.0/24 is directly connected, GigabitEthernet0/1 -L 2.2.2.1/32 is directly connected, GigabitEthernet0/1 -R 3.0.0.0/8 [120/1] via 2.2.2.2, 00:00:17, GigabitEthernet0/1 - -Router# -``` - -![image-20250423231420510](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250423_1745421260.png) - + + + + +练习 + +OSPF与RIP连接 + +![image-20250423222134135](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250423_1745418097.png) + +``` +右边rip配置 + +Router>en +Router#conf t +Enter configuration commands, one per line. End with CNTL/Z. 
+Router(config)#interface g0/0 +Router(config-if)#ip address 3.3.3.1 255.255.255.0 +Router(config-if)#no shut + +Router(config-if)# +%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up + +%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up +ex +Router(config)#in +Router(config)#interface g0/1 +Router(config-if)#ip addRouter(config-if)#ip address 2.2.2.2 255.255.255.0 +Router(config-if)#no shut + + +​ + +Router(config-if)#ex +Router(config)#ex +Router#show ip route +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP +​ D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area +​ N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 +​ E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP +​ i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area +​ \* - candidate default, U - per-user static route, o - ODR +​ P - periodic downloaded static route + +Gateway of last resort is not set + + +​ 3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks +C 3.3.3.0/24 is directly connected, GigabitEthernet0/0 +L 3.3.3.1/32 is directly connected, GigabitEthernet0/0 + + +Router#conf t +Enter configuration commands, one per line. End with CNTL/Z. +Router(config)#route +Router(config)#router rip +Router(config-router)#version 2 +Router(config-router)#network 3.3.3.0 +Router(config-router)#network 2.2.2.0 +Router(config-router)#ex +Router(config)# +``` + + + +``` +Router>en +Router#conf t +Enter configuration commands, one per line. End with CNTL/Z. 
+Router(config)#interface g0/0 +Router(config-if)#no shut + +Router(config-if)# +%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up + +%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up +ip addre +Router(config-if)#ip address 1.1.1.2 255.255.255.0 +Router(config-if)#ex +Router(config)#interface g0/1 +Router(config-if)#ip address 2.2.2.1 255.255.255.0 +Router(config-if)#no shut + +Router(config-if)# +%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up + +%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up + +Router(config-if)#ex +Router(config)#router ospf 1 +Router(config-router)#net +Router(config-router)#network 1.1.1.0 0.0.0.255 area 0 +Router(config-router)#end +Router# +%SYS-5-CONFIG_I: Configured from console by console + +Router#conf t +Enter configuration commands, one per line. End with CNTL/Z. +Router(config)#router rip +Router(config-router)#version 2 +Router(config-router)#network 2.2.2.0 +Router(config-router)#ex +Router(config)#router rip +Router(config-router)#re +% Incomplete command. 
+Router(config-router)#redistribute o +Router(config-router)#redistribute ospf 1 me +Router(config-router)#redistribute ospf 1 metric 5 +Router(config-router)#ex +Router(config)#ospf +Router(config)#router ospf 1 +Router(config-router)#redistribute rip subnets +Router(config-router)#end +Router# +%SYS-5-CONFIG_I: Configured from console by console + +Router#show ip route +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP + D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area + N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 + E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP + i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area + * - candidate default, U - per-user static route, o - ODR + P - periodic downloaded static route + +Gateway of last resort is not set + + 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks +C 1.1.1.0/24 is directly connected, GigabitEthernet0/0 +L 1.1.1.2/32 is directly connected, GigabitEthernet0/0 + 2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks +C 2.2.2.0/24 is directly connected, GigabitEthernet0/1 +L 2.2.2.1/32 is directly connected, GigabitEthernet0/1 +R 3.0.0.0/8 [120/1] via 2.2.2.2, 00:00:17, GigabitEthernet0/1 + +Router# +``` + +![image-20250423231420510](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250423_1745421260.png) + ![image-20250423231508437](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250423_1745421308.png) \ No newline at end of file diff --git "a/24\346\254\247\345\272\255\347\200\232/20250424-ACL.md" "b/24\346\254\247\345\272\255\347\200\232/20250424-ACL.md" new file mode 100644 index 0000000000000000000000000000000000000000..a349b81b4a7565f7301c3974abff6e62336b3dec --- /dev/null +++ "b/24\346\254\247\345\272\255\347\200\232/20250424-ACL.md" 
@@ -0,0 +1,195 @@ +# **思科ACL(访问控制列表)** + +访问控制列表(ACL,Access Control List)是思科设备中用于**流量过滤**和**安全策略**的核心技术,广泛应用于: + +- **网络安全**:限制非法访问(如阻止攻击流量) +- **流量控制**:允许/拒绝特定服务(如HTTP、SSH) +- **策略路由**:结合路由映射(Route-map)实现高级选路 + +本指南涵盖**标准ACL、扩展ACL、命名ACL**的语法、配置案例及验证方法,适用于CCNA/CCNP学习及实际工程部署 + +--- + + + +### **一、ACL类型** + +| 类型 | 编号范围 | 匹配依据 | 特点 | +| ----------- | ------------------ | ------------------------ | ------------------ | +| **标准ACL** | 1-99, 1300-1999 | 仅源IP地址 | 简单,效率低 | +| **扩展ACL** | 100-199, 2000-2699 | 源IP、目的IP、协议、端口 | 精细控制,推荐使用 | + +--- + +### **二、标准ACL语法** + +#### **1. 创建ACL** + +```bash +access-list <编号> <动作> <源IP> <通配符掩码> +# 编号范围 1-99 +# 动作:permit 允许 、 deny 拒绝 +``` + +#### **2. 示例** + +```bash +access-list 10 permit 192.168.1.0 0.0.0.255 # 允许192.168.1.0/24g整个网络 +access-list 10 permit 192.168.10.2 # 允许192.168.10.2单个IP通过 +access-list 10 deny any # 拒绝其他所有流量 +``` + +#### **3. 应用ACL** + +```bash +# 语法分两步骤 +# 步骤1:先选择要应用ACL的端口 如 interface g0/0 +# 步骤2:通过ACL编号及方向来应用ACL,格式如下 +ip access-group <编号> <方向> # +# 方向 in / out 代表流量流入/流出路由器的方向 +# 示例: +interface GigabitEthernet0/0 # 第一步,进入G0/0端口 +ip access-group 10 in # 第二步,在G0/0端口的入口方向应用编号为10的ACL +``` + +--- + +### **三、扩展ACL语法** + +#### **1. 创建ACL** + +```cisco +access-list <100-199|2000-2699> {permit|deny} <协议> <源IP> <通配符掩码> [源端口] <目的IP> <通配符掩码> [目的端口] [选项] +``` + +#### **2. 常用协议关键字** + +- `ip`:所有IP流量 +- `tcp`:TCP协议 +- `udp`:UDP协议 +- `icmp`:ICMP协议 + +#### **3. 示例** + +##### **(1)允许特定TCP端口** + +```cisco +access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80 ! 允许192.168.1.0/24访问任意HTTP +access-list 101 deny tcp any any eq 22 ! 拒绝所有SSH流量 +access-list 101 permit ip any any ! 允许其他所有IP流量 +``` + +##### **(2)允许ICMP(Ping)** + +```cisco +access-list 102 permit icmp any any echo-reply ! 允许Ping回应 +access-list 102 permit icmp any any echo ! 
允许发起Ping +``` + +##### **(3)拒绝特定子网访问** + +```bash +# 拒绝来自192.168.10.0网段主机的IP流量访问172.16.1.0的主机 +access-list 103 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 +#允许其它任意网络IP流量访问任意网络(除上一条拒绝的以外) +access-list 103 permit ip any any +``` + +#### **4. 应用ACL** + +```cisco +interface GigabitEthernet0/1 + ip access-group 101 out ! 在接口出方向应用 +``` + +--- + +### **四、命名ACL(更易管理)** + +#### **1. 创建命名ACL** + +```cisco +ip access-list {standard|extended} +``` + +#### **2. 示例** + +```cisco +ip access-list extended WEB_TRAFFIC + permit tcp 192.168.1.0 0.0.0.255 any eq 80 + deny tcp any any eq 22 + permit ip any any +``` + +#### **3. 应用命名ACL** + +```cisco +interface GigabitEthernet0/2 + ip access-group WEB_TRAFFIC in +``` + +--- + +### **五、ACL高级选项** + +#### **1. 通配符掩码(Wildcard Mask)** + +- `0.0.0.255` = 匹配前24位(类似子网掩码`255.255.255.0`的反向)。 +- `host 192.168.1.1` = 精确匹配单个IP(等价于`192.168.1.1 0.0.0.0`)。 + +#### **2. 端口匹配** + +- `eq 80`:等于80端口(HTTP) +- `gt 1023`:大于1023端口 +- `range 20 21`:20到21端口(FTP) + +#### **3. 日志记录** + +```cisco +access-list 104 deny tcp any any eq 23 log ! 拒绝Telnet并记录日志 +``` + +--- + +### **六、验证与排错** + +#### **1. 查看ACL配置** + +```cisco +show access-lists ! 显示所有ACL +show ip interface Gig0/0 ! 查看接口应用的ACL +``` + +#### **2. 清除ACL统计** + +```cisco +clear access-list counters ! 重置ACL命中计数器 +``` + +--- + +### **七、注意事项** + +1. **隐式拒绝**:ACL末尾默认有`deny any`,需显式允许必要流量。 +2. **顺序敏感**:ACL按从上到下匹配,首条匹配的规则生效。 +3. **性能影响**:过多ACL规则可能影响设备性能,尽量合并规则。 + +--- + +### **八、完整示例** + +#### **场景**:允许内网访问Web,禁止访问SSH,允许Ping。 + +```bash +# 创建扩展ACL +access-list 105 permit tcp 192.168.1.0 0.0.0.255 any eq 80 +access-list 105 deny tcp any any eq 22 +access-list 105 permit icmp any any +access-list 105 deny ip any any log + +# 应用ACL +interface GigabitEthernet0/0 + ip access-group 105 in +``` + +![image-20250425131304615](https://gitee.com/syjtl/picture-warehouse/raw/master/img/upgit_20250425_1745557984.png) \ No newline at end of file 
diff --git "a/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/t8_1\345\220\204\345\215\225\345\205\203\345\267\262\351\205\215\347\275\2561.pkt" "b/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/t8_1\345\220\204\345\215\225\345\205\203\345\267\262\351\205\215\347\275\2561.pkt" new file mode 100644 index 0000000000000000000000000000000000000000..b125ab3515aa28fd8154484aff545b8e046b829e Binary files /dev/null and "b/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/t8_1\345\220\204\345\215\225\345\205\203\345\267\262\351\205\215\347\275\2561.pkt" differ diff --git "a/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/\351\233\206\345\233\242\345\244\247\347\275\221\346\235\203\351\231\220\347\256\241\347\220\206.pkt" "b/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/\351\233\206\345\233\242\345\244\247\347\275\221\346\235\203\351\231\220\347\256\241\347\220\206.pkt" new file mode 100644 index 0000000000000000000000000000000000000000..b692fbbda528aa6e2fcd1ae4e6468db62291461a Binary files /dev/null and "b/24\346\254\247\345\272\255\347\200\232/\347\254\224\350\256\260/pkt/\351\233\206\345\233\242\345\244\247\347\275\221\346\235\203\351\231\220\347\256\241\347\220\206.pkt" differ
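Review bot: In the OSPF/RIP file, the `R 3.0.0.0/8 [120/1] via 2.2.2.2` entry in the middle router's `show ip route` shows that the right-hand router's 3.3.3.0/24 is being auto-summarised to its classful /8 before it crosses into the 2.0.0.0 network; neither `router rip` block in the hunk has `no auto-summary`, so add it under `router rip` on both routers (after `version 2`) so that 3.3.3.0/24 is learned, and then redistributed into OSPF, at its real prefix length. The redistribution itself is two-way on one router (`redistribute ospf 1 metric 5` under RIP and `redistribute rip subnets` under OSPF); that is fine for this exercise, but a sentence noting that mutual redistribution without route tags or a distribute-list can feed routes back between the two protocols would help readers who copy this into a larger topology. Finally, the cleanup applied to the second block (dropping typed-ahead fragments such as `Router(config)#in` and `Router(config-if)#ip add`) was not applied to the first block: the bare `ex` and `Router(config)#in` lines, the fused `Router(config-if)#ip addRouter(config-if)#ip address 2.2.2.2 255.255.255.0` line, and the zero-width characters prefixing the `Codes:` legend lines and the `3.0.0.0/8 is variably subnetted` line are all still present in the new version.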
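Review bot: In the new ACL file, the named-ACL syntax line `ip access-list {standard|extended}` in section 四 is missing the name argument that the example directly below it relies on (`ip access-list extended WEB_TRAFFIC`); it should read `ip access-list {standard|extended} <名称>`. On the code blocks: the fences alternate between ```bash with `#` annotations and ```cisco with trailing `!` annotations, but IOS only treats a line beginning with `!` as a comment and `#` is not a comment character at all, so none of the annotated blocks can be pasted as written; one fence tag throughout, with explanations on their own `!` line or as `access-list <编号> remark ...`, would make them copy-safe. There is also a stray character in `# 允许192.168.1.0/24g整个网络`. In the closing example (section 八), `access-list 105 permit tcp 192.168.1.0 0.0.0.255 any eq 80` covers plain HTTP only while the scenario says 允许内网访问Web; if HTTPS is meant, a matching `eq 443` line is needed, and because the list ends in `deny ip any any log` on the inbound side of the LAN interface, DNS (`udp ... eq 53`) from the inner hosts is also dropped, which the text should either state as intentional or address.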