第10章 IP访问控制列表.pptVIP

网络安全隐患 分布式拒绝服务攻击 IP欺骗 分组嗅探 木马和病毒 …… 分组嗅探 网卡正常的工作状态 分组嗅探器可以动态地捕捉并显示网络运行过程中流经一台机器的所有数据包，利用分组嗅探器可以观察协议之间交换的报文序列。 分组嗅探 IP报文格式 访问控制列表的使用 创建访问控制列表后，在应用之前它并不会起作用。 若要进行包过滤，需要将它应用到路由器的一个要过滤流量的接口上，并指定访问列表应用到哪一个方向的流量上。 通配符掩码 通配符掩码和主机或网络地址一起使用来告诉路由器要过滤的有效地址范围。 0：要求完全匹配 1：可以忽略，不做要求 练习 Slide 1 of 1 Purpose: This example shows how to restrict incoming telnet sessions to the router’s vty ports. Emphasize: The access-class is applied as an input filter. Note: Ask the student the effect of changing the direction of the access-class to outbound instead of inbound. Now the router can accept incoming telnet sessions to its vty ports from all hosts but will block outgoing telnet sessions from its vty ports to all hosts except hosts in network . Once a user is telneted into a router’s vty port, the outbound access-class filter will prevent the user from telneting to other hosts as specified by the standard access-list. Remember, when an access-list is applied to an interface, it only block or permit traffic going through the router, it does not block or permit traffic initiated from the router itself. Slide 1 of 1 Purpose: This slide begins the discussion on extended IP access lists. Emphasize: Distinguish the aspects of the extended IP access list from the standard access list. Your students will perform labs using extended access lists commands. For both standard and extended IP access lists, enter an address mask that identifies which bits in the address field you want the access list to match that will be “don’t care” bit positions. For both types of access lists, the access-group command allows packet filtering into or out of the router. Slide 1 of 2 Purpose: The access-list command creates an entry in complex traffic filter list. Emphasize: The access-list field descriptions: list—a number between 100 and 199 protocol—ip, tcp, udp, icmp, igrp, eigrp, ospf and etc……. ip = any internet protocol (see note below) source—ip address source-mask—wildcard-mask o