
BASIC ACCESS-LIST CONFIGURATION

I. Introduction
- An ACL is a list of statements applied to the interfaces of a router. The list tells the router which packets are accepted (allow) and which are discarded (deny). The permit or deny decision can be based on the source address, the destination address or the port number.
- An ACL is evaluated in the order of the statements as they were entered when the access-list was created. When a condition in the list is matched, its action is taken and the remaining statements are not examined. If no statement in the list matches (unmatched), the default statement deny any is applied. The end of every access-list is an implicit deny all; an access-list therefore must contain at least one permit statement.
- There are two types of ACL, Standard and Extended. A Standard ACL looks only at the source address of the packet, i.e. it permits or denies a host address or a network. An Extended ACL works with the destination address, the source address and the application port of the packet; it is the extended form of the Standard ACL. An Extended ACL can permit or deny traffic from one network address to another, from one network to another, or block or allow particular applications. A Standard access-list is usually placed near the destination, while an Extended access-list is usually placed near the source.
- In practice ACLs are used widely to control the network and are also a good tool for network security.

II. Topology diagram.

III. Requirements.
1. Initial configuration of the network devices.
- Set the hostname
- Configure the banner motd
- Configure passwords for console, telnet and privileged mode. Console password: itn. Telnet password: itn. Privileged password: itn
2. Configure the interfaces of the router and switch.
- Configure IP addresses on the interfaces
- Configure descriptions
- Enable the interfaces
3. Configure a default route on Router1 and a static route on Router2
4. Verification
- Check whether the interfaces are up with the command show ip interface brief
- Check whether the configuration is correct with the command show running-config
- Check whether the network is connected with ping, or with show ip route to inspect the routing table
5. Configure ACLs.
- Configure an ACL that blocks all traffic from PC1 to PC2.
- Block ping from PC1 to serial 0/1 of Router 2.
6. Verify the ACLs
- From PC1 ping PC2 and compare with a ping from R1
- From PC1 ping serial 0/1, then from Router1 ping it, and compare the results.

IV. Detailed configuration
1. Basic configuration
1.1. Initial configuration of the network devices
Router 1
Set the hostname
Router>enable
Router#configure terminal
Router(config)#hostname Router1
Router1(config)#
Configure the banner motd
Router1(config)#banner motd " Router_1 "
Configure the console
Router1(config)#line console 0
Router1(config-line)#password itn
Router1(config-line)#login
Router1(config-line)#exit
Configure telnet
Router1(config)#line vty 0 4
Router1(config-line)#password itn
Router1(config-line)#login
Router1(config-line)#exit
Configure the privileged password
Router1(config)#enable secret itn
Configure the router's interfaces
Router1(config)#interface serial 1/0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#description ket noi toi router 2
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#interface fastEthernet 2/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#description ket noi toi lan
Router1(config-if)#no shutdown
Router1(config-if)#exit
Configure the default route on Router1
Router1(config)#ip route 0.0.0.0 0.0.0.0 serial 1/0

Router 2
Set the hostname
Router>enable
Router#configure terminal
Router(config)#hostname Router2
Router2(config)#
Configure the banner motd
Router2(config)#banner motd " Router_2 "
Configure the console
Router2(config)#line console 0
Router2(config-line)#password itn
Router2(config-line)#login
Router2(config-line)#exit
Configure telnet
Router2(config)#line vty 0 4
Router2(config-line)#password itn
Router2(config-line)#login
Router2(config-line)#exit
Configure the privileged password
Router2(config)#enable secret itn
Configure the router's interfaces
Router2(config)#interface serial 1/0
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#description ket noi toi router 1
Router2(config-if)#clock rate 64000
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#interface fastEthernet 2/0
Router2(config-if)#ip address 192.168.3.1 255.255.255.0
Router2(config-if)#description ket noi toi lan
Router2(config-if)#no shutdown
Router2(config-if)#exit
Configure the static route on Router2
Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
(The network Router2 does not know is Router1's LAN 192.168.1.0/24, reached through Router1's serial address 192.168.2.1; 192.168.3.0/24 is directly connected to Router2, so a static route for it is not needed.)
Verification
Check that the interfaces are configured correctly with the command show ip interface brief
Check that the configuration above is correct with the command show running-config
Check the routing table with the command show ip route
Configure IP addresses on the PCs
PC1
C:\>winipcfg
IP address 192.168.1.2
Subnet mask 255.255.255.0
Default gateway 192.168.1.1
PC2

C:\>winipcfg
IP address 192.168.3.2
Subnet mask 255.255.255.0
Default gateway 192.168.3.1
2. Configure the access-lists on Router 2
- Block all traffic from PC1 to PC2
Router2(config)#access-list 1 deny host 192.168.1.2
Router2(config)#access-list 1 permit any
(A standard ACL matches on the source address, so the entry must name PC1, 192.168.1.2; the permit any line is required because of the implicit deny at the end of the list.)
Apply the access-list 1 just created to interface fastEthernet 2/0 of Router2, outbound
Router2(config)#interface fastEthernet 2/0
Router2(config-if)#ip access-group 1 out
Router2(config-if)#exit
- Block ping from PC1 to the serial interface of Router2
Router2(config)#access-list 101 deny icmp host 192.168.1.2 host 192.168.2.2 echo-reply
Router2(config)#access-list 101 deny icmp host 192.168.1.2 host 192.168.2.2 echo
Router2(config)#access-list 101 permit ip any any
(The last line lets all other traffic through normally. The ICMP message type is given directly after the addresses; eq applies only to TCP/UDP ports.)
Apply the access-list inbound on interface s1/0
Router2(config)#interface serial 1/0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#exit
When configuring an access-list, the statements should be entered from the most specific to the most general; the end of an ACL always carries an implicit deny all, and an ACL must contain at least one permit statement.
3. Verification
- From Router1, with source address 192.168.1.1, ping PC2
Router1#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
The ping succeeds, whereas when PC1 pings PC2:

- Use an extended ping on Router1 to serial 1/0 of Router2, taking 192.168.1.1 as the source address
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
The ping succeeds because the access-list only blocks PC1, with address 192.168.1.2.

- Try the ping from PC1
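To see how the two ACLs on Router2 decide each test packet before pinging, here is an added Python model of IOS first-match ACL evaluation (my own example, not part of the lab) loaded with access-list 1 and access-list 101 exactly as configured above; it also shows the implicit deny from section I by evaluating access-list 1 without its permit line. The packet dictionaries, the entry() helper and the router2() ordering function are assumptions of this example.

```python
import ipaddress

# Added example (not part of the lab text): IOS ACL first-match evaluation,
# loaded with the lab's two ACLs on Router2.
ANY = ("0.0.0.0", "255.255.255.255")  # "any": base 0.0.0.0, wildcard all ones

def host(ip):
    return (ip, "0.0.0.0")  # "host X": wildcard 0.0.0.0, every bit must match

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must equal the base, 1 bits are don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def evaluate(acl, pkt):
    """Walk entries top-down; the first match decides and later lines are skipped.
    No match -> ('deny', None): the implicit 'deny any' at the end of every ACL."""
    for e in acl:
        proto_ok = e["proto"] == "ip" or e["proto"] == pkt["proto"]
        type_ok = e["icmp_type"] is None or e["icmp_type"] == pkt.get("icmp_type")
        if (proto_ok and type_ok and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"])):
            return e["action"], e
    return "deny", None

def entry(action, proto, src, dst, icmp_type=None):  # assumed entry format
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}

# access-list 1 (standard: source only, so dst is ANY), applied out on fa2/0
ACL_1 = [entry("deny", "ip", host("192.168.1.2"), ANY),
         entry("permit", "ip", ANY, ANY)]
ACL_1_NO_PERMIT = ACL_1[:1]  # the same list without its permit line

# access-list 101 (extended), applied in on serial 1/0
ACL_101 = [entry("deny", "icmp", host("192.168.1.2"), host("192.168.2.2"), "echo-reply"),
           entry("deny", "icmp", host("192.168.1.2"), host("192.168.2.2"), "echo"),
           entry("permit", "ip", ANY, ANY)]

def router2(pkt, lan_out=ACL_1):
    """A packet arriving from Router1 meets ACL 101 inbound on s1/0 first; only if it
    is then forwarded toward 192.168.3.0/24 does it meet ACL 1 outbound on fa2/0.
    Packets addressed to the router itself (192.168.2.2) never reach fa2/0."""
    if evaluate(ACL_101, pkt)[0] == "deny":
        return "dropped by 101 (s1/0 in)"
    if ipaddress.IPv4Address(pkt["dst"]) in ipaddress.IPv4Network("192.168.3.0/24"):
        if evaluate(lan_out, pkt)[0] == "deny":
            return "dropped by 1 (fa2/0 out)"
    return "forwarded"
```

Feed it the constructed packets from the verification steps (PC1 and Router1 pinging PC2 and 192.168.2.2) to reproduce the expected results of section IV.3 without a lab.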

V. Save the configuration to NVRAM
- After the configuration and verification are complete, save the configuration to NVRAM
Router1#copy running-config startup-config
Router2#copy running-config startup-config
