
ME5200:R5_10.0.0.1# show ipv4 access-lists detailed 
Tue Jan 17 07:09:32 2023
  HW resources: 5/100 ipv4 acl entries                        <----- 5 of the 100 allocated entries are in use
  
  IPv4 access-list: example
  Configured on interfaces:
    te0/0/4                                                   <----- ACL example is applied to interface te0/0/4 and counts as one active entry.
  seq-num 1
    action:  deny
    match:   proto any, source 192.168.0.0/16, destination any
  
  IPv4 access-list: example_2
  Configured on interfaces:
    te0/0/1                                                   <----- ACL example_2 is applied to interfaces te0/0/1 and te0/0/20.77 and counts as four active entries (2 rules x 2 interfaces).
    te0/0/20.77
  seq-num 10, Allow_10.10.10.1
    action:  permit
    match:   proto any, source 10.10.10.1, destination any
  seq-num 100, Drop_All
    action:  deny
    match:   proto any, source any, destination any



Version 3.5.0 significantly extended the ACL functionality.

IPv6

The following can be specified as source and destination:

  • IPv6 addresses (X:X:X:X::X);
  • prefixes (X:X:X:X::X/N);
  • wildcards (X:X::X/X:X::X).
Example:
access-list example_ipv6
  seq-num 1
    destination
      ipv6 2001:db8::/32						<----- IPv6 Prefix
    exit
    protocol tcp
  exit
  seq-num 2
    destination
      ipv6 2001:db8::/32						<----- IPv6 Prefix
    exit
    protocol udp
  exit
  seq-num 3
    destination
      ipv6 2001::1:10:0:1:41/::ff:0:0			<----- IPv6 WildCard
    exit
  exit
  seq-num 4
    source
      ipv6 fe80::1ff:fe23:4567:890a				<----- IPv6 Address
    exit
  exit
  seq-num 10
    action deny
  exit
exit


L2

For L2 ACLs, a MAC address (XX:XX:XX:XX:XX:XX) can be specified as source and destination.

A VLAN ID can also be specified.

Example:
access-list example_mac
  seq-num 1
    action deny
    destination
      mac e0:d9:e3:ff:48:01					<----- MAC Address
    exit
    outer-vid 200							<----- Vlan ID
  exit
exit


On ME5100 routers, IPv6 and L2 ACLs are not implemented because of the hardware specifics of that router.

Object-Group

A group is created with the command "object-group network ipv4 [name]".
IPv4 prefixes (A.B.C.D/N) and hosts (A.B.C.D) can be used as objects in a group.

As an example, let's create the following groups:

object-group network ipv4 group1
  address 192.168.0.0/24
  address 192.168.1.0/24
exit
object-group network ipv4 group2
  host 192.168.0.254
  host 192.168.1.254
exit


Example ACL:
access-list example
  seq-num 10
    destination
      ipv4 group1
    exit
    protocol icmp                       <----- The rule will match ICMP traffic only
    remark [Allow_ICMP]
  exit
  seq-num 20
    destination
      ipv4 group2
    exit
    source
      ipv4 192.168.3.0/24
    exit
  exit
  seq-num 100
    action deny
  exit
exit


Each element of an object group consumes a hardware entry on the router: a rule that references a group is installed once per group member, as the detailed show output below illustrates.
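The entry accounting described above (expanded rules multiplied by interface bindings, and one entry per object-group member) can be estimated before an ACL set is applied, so that a filter is not silently left short of hardware entries. The following Python script is an added example and is not code from the Eltex documentation or firmware; its model is derived only from the show outputs on this page, and it deliberately does not model the per-entry accounting behind the 22/1000 figure in the mixed IPv4/IPv6/L2 output, which the page does not explain. The src x dst product for rules that use groups on both sides is a generalisation of the page's destination-only case.

```python
"""Estimate ACL hardware-entry usage for Eltex ME5200-style access lists.

Added example, not from the Eltex documentation or firmware. Model assumptions,
derived from the show output on this page:
  * a seq-num that references an object group is installed once per group
    element (src x dst product if both sides are groups; this generalises the
    page's destination-only case);
  * an access list bound to N interfaces consumes its expanded entries N times.
The accounting behind the 22/1000 figure in the mixed IPv4/IPv6/L2 output is
not documented on the page and is not modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str, str, str]  # (seq, action, protocol, source, destination)


@dataclass
class Rule:
    seq: int
    action: str = "permit"
    protocol: str = "any"
    source: str = "any"        # literal host/prefix, "any", or an object-group name
    destination: str = "any"


@dataclass
class AccessList:
    name: str
    rules: List[Rule]
    interfaces: List[str] = field(default_factory=list)


def expand_rule(rule: Rule, groups: Dict[str, List[str]]) -> List[Entry]:
    """Expand one seq-num into the entries the hardware actually stores.

    A side that names an object group is replaced by every member of the
    group; any other side is kept as-is.
    """
    sources = groups.get(rule.source, [rule.source])
    destinations = groups.get(rule.destination, [rule.destination])
    return [(rule.seq, rule.action, rule.protocol, s, d)
            for s in sources for d in destinations]


def expand_acl(acl: AccessList, groups: Dict[str, List[str]]) -> List[Entry]:
    """Expanded entry list of a whole access list, in seq-num order."""
    entries: List[Entry] = []
    for rule in sorted(acl.rules, key=lambda r: r.seq):
        entries.extend(expand_rule(rule, groups))
    return entries


def hw_entries(acls: List[AccessList], groups: Dict[str, List[str]]) -> int:
    """Entries consumed: expanded rules multiplied by interface bindings."""
    return sum(len(expand_acl(acl, groups)) * len(acl.interfaces) for acl in acls)


def check_capacity(acls: List[AccessList], groups: Dict[str, List[str]], capacity: int) -> dict:
    """Report whether the set fits the allocated entry budget before it is applied."""
    used = hw_entries(acls, groups)
    return {"used": used, "capacity": capacity, "fits": used <= capacity}


# Object groups constructed to match the page's example.
GROUPS = {
    "group1": ["192.168.0.0/24", "192.168.1.0/24"],
    "group2": ["192.168.0.254", "192.168.1.254"],
}

# Scenario A: the two lists behind the page's first "show ipv4 access-lists detailed"
# output (1 rule on 1 interface, 2 rules on 2 interfaces) -> 5 entries.
SCENARIO_A = [
    AccessList("example", [Rule(1, "deny", "any", "192.168.0.0/16", "any")], ["te0/0/4"]),
    AccessList("example_2",
               [Rule(10, "permit", "any", "10.10.10.1", "any"), Rule(100, "deny")],
               ["te0/0/1", "te0/0/20.77"]),
]

# Scenario B: the object-group ACL "example" from this section, bound to one interface.
SCENARIO_B = AccessList("example", [
    Rule(10, "permit", "icmp", "any", "group1"),
    Rule(20, "permit", "any", "192.168.3.0/24", "group2"),
    Rule(100, "deny"),
], ["te0/0/20.100"])


if __name__ == "__main__":
    print("scenario A:", check_capacity(SCENARIO_A, GROUPS, 100))
    for entry in expand_acl(SCENARIO_B, GROUPS):
        print("scenario B entry:", entry)
    print("scenario B:", check_capacity([SCENARIO_B], GROUPS, 1000))
```

Running the script reproduces the 5/100 figure of the first show output and lists the five entries that the detailed output shows for the object-group ACL (two for seq-num 10, two for seq-num 20, one for seq-num 100). Rules are expanded in seq-num order, so the listing also shows which expanded entry a given packet would hit first.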


Output of the show commands:
0/ME5200:R5# show access-lists 
Fri May  5 04:34:59 2023
  access-list example
    10, permit, icmp, src[any], dst[group1] L2: 0, IPv4: 0, IPv6: 0 hits						
    20, permit, any, src[192.168.3.0/24], dst[group2] L2: 0, IPv4: 0, IPv6: 0 hits
    100, deny, any, src[any], dst[any] L2: 0, IPv4: 0, IPv6: 0 hits
  
  access-list example_ipv6
    1, permit, tcp, src[any], dst[2001:db8::/32] L2: 0, IPv4: 0, IPv6: 0 hits
    2, permit, udp, src[any], dst[2001:db8::/32] L2: 0, IPv4: 0, IPv6: 0 hits
    3, permit, any, src[any], dst[2001::1:10:0:1:41/::ff:0:0] L2: 0, IPv4: 0, IPv6: 0 hits
    4, permit, any, src[fe80::1ff:fe23:4567:890a], dst[any] L2: 0, IPv4: 0, IPv6: 0 hits
    10, deny, any, src[any], dst[any] L2: 0, IPv4: 0, IPv6: 0 hits
  
  access-list example_mac
    1, deny, any, src[any], dst[mac e0:d9:e3:ff:48:01, mask ff:ff:ff:ff:ff:ff], vid 200 L2: 0, IPv4: 0, IPv6: 0 hits
  
0/ME5200:R5# show access-lists detailed 
Fri May  5 04:35:04 2023
  HW resources: 22/1000 acl entries
  
  Access-list: example
  Configured on interfaces:
    te0/0/20.100, L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 10, [Allow_ICMP]
    action:  permit
    match:   proto icmp, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 192.168.0.0/24, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 10, [Allow_ICMP]
    action:  permit
    match:   proto icmp, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 192.168.1.0/24, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 20
    action:  permit
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 192.168.3.0/24, ipv6 any, port any, mac any
             destination: ipv4 192.168.0.254, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 20
    action:  permit
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 192.168.3.0/24, ipv6 any, port any, mac any
             destination: ipv4 192.168.1.254, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 100
    action:  deny
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  
  Access-list: example_ipv6
  Configured on interfaces:
    te0/0/20.200, L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 1
    action:  permit
    match:   proto tcp, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 2001:db8::/32, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 2
    action:  permit
    match:   proto udp, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 2001:db8::/32, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 3
    action:  permit
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 2001::1:10:0:1:41/::ff:0:0, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 4
    action:  permit
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 fe80::1ff:fe23:4567:890a, port any, mac any
             destination: ipv4 any, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 10
    action:  deny
    match:   proto any, tos any, no fragments, flow-label any, vid any, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 any, port any, mac any
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits
  
  Access-list: example_mac
  Configured on interfaces:
    te0/0/20, L2: 0, IPv4: 0, IPv6: 0 hits
  seq-num 1
    action:  deny
    match:   proto any, tos any, no fragments, flow-label any, vid 200, pcp any, dei any, ethertype any
             source: ipv4 any, ipv6 any, port any, mac any
             destination: ipv4 any, ipv6 any, port any, mac e0:d9:e3:ff:48:01, mask ff:ff:ff:ff:ff:ff
    set:     none
    total:   L2: 0, IPv4: 0, IPv6: 0 hits