Week09 ACL
Access-Control List: An Access-Control List (ACL) is a feature of Cisco routers that monitors and filters the packets passing through a router interface. It lets the router act as a simple firewall. Example: in the network below, router R1 must be able to communicate with the routers of the external networks, but those external routers must not be able to reach the hosts or interfaces of the internal network 192.168.11.0/24, even though they can set up a static route towards R1.
Cisco distinguishes two main kinds of Access-Control List:
Standard Access-Control List: filters on the source IP only.
Extended Access-Control List: filters on source IP, destination IP, port and protocol.
An ACL can also be distinguished by how it is identified: by name or by number.
Related terms: inbound and outbound. When an ACL is applied to a router interface, you must specify which traffic flow the ACL applies to. Inbound is the traffic entering that interface; outbound is the traffic leaving it.
Using an ACL on a Cisco router takes two steps:
1. Create the ACL, identified either by name or by number.
2. Apply the policy defined by that ACL to the desired interface.
Creating a Numbered Access-Control List: this kind of ACL is identified by a number, and the number ranges are assigned as follows:
Standard ACL numbers: <1-99>, <1300-1999>
Extended ACL numbers: <100-199>, <2000-2699>
Standard Access-Control List :
Syntax for building a Standard ACL:
Router(config)# access-list access-list-number {deny|permit} source [source-wildcard]
Example:
Extended Access-Control List:
Syntax for building an Extended ACL:
Router(config)# access-list access-list-number {deny | permit | remark} protocol source [wildcard] [operator] [port|name] destination [wildcard] [operator] [port|name] [established]
Example:
Named Access-Control List:
o This kind of ACL is identified by a name.
o Available in IOS 11.2 and later.
o Allows entries to be added to or removed from the ACL.
o Can be used as either a Standard ACL or an Extended ACL.
Router(config)# ip access-list {standard|extended} NAME
Then add the conditions for this access list, for example:
Router(config-ext-nacl)# permit tcp any host 131.108.101.99 eq smtp
This permits all SMTP packets from any host to the host with IP 131.108.101.99.
Syntax for applying an Access-Control List to an interface: an ACL can be applied to a router's interfaces to filter packets in the inbound or outbound direction with the following syntax:
Router(config-if)# ip access-group {Number|name} {in|out}
To apply an ACL to the Telnet (vty) lines, a dedicated command is used:
Router(config)# line vty 0 4
Router(config-line)# access-class {Number|name} {in|out}
Checking Access-Control Lists: to check which ACLs exist on the router, the following commands can be used:
Router# show access-list
Router# show running-config access-list
1. Configure routing on the routers so that the network converges. (Do this yourselves; note that the Cloud must also converge with the routers.)
2. Apply a Standard ACL to interface f1/0 of R1 so that router R4 cannot communicate with the Cloud.
R1:
Test again from R3 and R4:
We see that packets from R4 to the Cloud are now blocked.
3. Apply an Extended ACL to interface s0/0 of R2 so that every router can telnet to R3 except router R1. First set up Telnet on R3:
Test again from R1:
We see that R1 can ping R3 but cannot telnet to R3.
4. Apply a Named ACL to the Telnet lines of R3 to block the Cloud from telnetting to R3. Telnet from the Cloud to R3:
Configuration on R3:
Test again from the Cloud:
Remark: here there is no longer any need to specify port 23 explicitly, because the ACL is applied to the router's Telnet (vty) lines.
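The three ACL configurations for steps 2 to 4, written out as an added example (not the lab's own screenshots): all addresses (R4 10.0.34.4, R1 10.0.12.1, R3 10.0.23.3, the Cloud 10.0.50.0/24) and the assumption that R2's s0/0 faces R1 and R1's f1/0 faces the Cloud are made up for illustration.

```cisco
! --- R1: step 2, numbered Standard ACL (range 1-99) ---
! A standard ACL matches on source only, so it is applied outbound on
! f1/0, the interface towards the Cloud (assumed), to block R4 there
! without cutting R4 off from everything else.
access-list 10 remark Block R4 (assumed 10.0.34.4) from the Cloud
access-list 10 deny   host 10.0.34.4
access-list 10 permit any
! Every ACL ends with an implicit "deny any": without "permit any"
! the other routers would be blocked as well, not just R4.
interface FastEthernet1/0
 ip access-group 10 out
!
! --- R2: step 3, numbered Extended ACL (range 100-199) ---
! Only Telnet (TCP port 23) from R1 to R3 is dropped; ping and all
! other traffic still pass, as the test from R1 shows. Applied
! inbound on s0/0, the interface facing R1 (assumed).
access-list 100 remark Deny telnet from R1 to R3, allow everything else
access-list 100 deny   tcp host 10.0.12.1 host 10.0.23.3 eq 23
access-list 100 permit ip any any
interface Serial0/0
 ip access-group 100 in
!
! --- R3: step 4, Named standard ACL on the vty lines ---
! access-class governs only sessions to the router's own vty lines,
! so no port needs to be named (the remark above). The wildcard mask
! 0.0.0.255 matches the whole assumed Cloud network 10.0.50.0/24.
ip access-list standard VTY-NO-CLOUD
 deny   10.0.50.0 0.0.0.255
 permit any
line vty 0 4
 access-class VTY-NO-CLOUD in
 password cisco
 login
!
! Verification (privileged EXEC): the match counters per entry show
! which line each blocked or permitted packet hit.
! show access-lists
! show ip interface FastEthernet1/0 | include access list
```

Order matters: IOS evaluates entries top to bottom and stops at the first match, so a "permit any" placed before a deny would silence that deny.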