
Practical Guide, Lesson 9: ACL

Access-Control List

An Access-Control List (ACL) is a feature of Cisco routers that lets the router inspect and filter the packets passing through one of its interfaces. With it the router can act as a simple packet-filtering firewall (a stateless one: each packet is judged on its own, with no connection tracking). Example: in the topology shown in the figure, router R1 must be able to communicate with the routers of the external networks, but those external routers must not be able to reach the hosts or interfaces of the internal network 192.168.11.0/24, even though they can configure static routes pointing at R1.

Cisco distinguishes two main kinds of Access-Control List:
Standard Access-Control List: filters on the source IP address only.
Extended Access-Control List: filters on source IP, destination IP, protocol and port.
Because a standard ACL can only see where a packet came from, it is normally placed as close to the destination as possible, so that it does not also cut that source off from everything else; an extended ACL, which can name the destination precisely, is placed close to the source so unwanted traffic is dropped early.

ACLs are also distinguished by how they are identified: by number or by name.

Related terms: inbound and outbound. When an ACL is applied to a router port (interface), you must also say which traffic flow it applies to. Inbound is the flow of packets arriving at the router through that interface; outbound is the flow of packets leaving the router through it. An interface can carry at most one IP ACL per direction.

Using an ACL on a Cisco router takes two steps:
1. Create the ACL, identified by a number or a name.
2. Apply the policy defined by that ACL to the desired interface, in the desired direction.

Creating a Numbered Access-Control List

This is the kind of ACL identified by a number. The number also determines the ACL type:
Standard ACLs use the ranges <1-99> and <1300-1999>.
Extended ACLs use the ranges <100-199> and <2000-2699>.
Standard Access-Control List:

Syntax for building a standard ACL:

Router(config)# access-list access-list-number {deny|permit} source [source-wildcard]

The source-wildcard is a wildcard mask, the inverse of a subnet mask: a 0 bit means "must match", a 1 bit means "ignore", so 172.29.1.0 0.0.0.255 matches the whole /24. Entries are evaluated in order and the first match wins; every ACL ends with an implicit deny any, so a list that contains only deny statements blocks all traffic in that direction on the interface.

Example:

Deny the hosts on network 172.29.1.0/24.
Permit the hosts on all other networks.
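The scenario above carried through to a working configuration, added here as an example (it is not from the original handout). It performs both steps described earlier: creating the numbered list and binding it to an interface. The ACL number 10 and the interface FastEthernet0/0 are assumptions.

```cisco
! Added example (not from the original handout). The ACL number and interface are assumptions.
!
! Step 1: create the standard ACL. The wildcard mask 0.0.0.255 means "the first three
! octets must match, ignore the last", i.e. the whole 172.29.1.0/24 network.
Router(config)# access-list 10 remark Block 172.29.1.0/24, allow every other network
Router(config)# access-list 10 deny 172.29.1.0 0.0.0.255
! Entries are tested top-down and the first match wins. An invisible "deny any" ends every
! ACL, so without this permit ALL remaining traffic in that direction would be dropped.
Router(config)# access-list 10 permit any
!
! Step 2: bind the list to an interface and pick a direction. "in" filters packets that
! arrive on FastEthernet0/0 from the wire; "out" would filter packets leaving through it.
! A standard ACL only knows the source, so place it close to the destination it protects.
Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 10 in
Router(config-if)# end
!
! Check: each entry shows a match counter that grows as packets hit it, and the interface
! view confirms which list is bound in which direction.
Router# show access-lists 10
Router# show ip interface FastEthernet0/0 | include access list
!
! Numbered ACLs cannot be edited line by line: to change one entry, delete the whole list
! and re-enter it. Unbind it first so traffic is not judged by a half-typed list meanwhile.
Router(config)# interface FastEthernet0/0
Router(config-if)# no ip access-group 10 in
Router(config-if)# exit
Router(config)# no access-list 10
```

The match counters in show access-lists are the quickest way to tell whether a rule is doing anything at all: a deny line whose counter stays at zero while the traffic you meant to block still flows usually means the list is bound in the wrong direction or on the wrong interface.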


Extended Access-Control List:

Router(config)# access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator [port|name]] destination [destination-wildcard] [operator [port|name]] [established]

Here protocol is ip, tcp, udp, icmp or another IP protocol; the operator (eq, neq, lt, gt, range) and port apply only to tcp and udp; established matches only TCP segments that carry the ACK or RST flag, i.e. replies belonging to a session opened from the other side, never the SYN of a new connection. The same first-match and implicit deny any rules as for standard ACLs apply.

Example:

Deny packets from address 172.29.1.3 to network 192.168.3.0/24.
Permit all other packets.
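The extended-ACL scenario above as a working configuration, added here as an example (not from the original handout). The first list is the scenario itself; the second list goes beyond it to show the protocol, port-operator and established fields of the syntax in one policy. The ACL numbers, the interfaces and the web-server address 192.168.3.10 are assumptions.

```cisco
! Added example (not from the original handout). ACL numbers, interfaces and the
! web-server address 192.168.3.10 are assumptions.
!
! The scenario above: drop 172.29.1.3 -> 192.168.3.0/24, permit everything else.
! "host 172.29.1.3" is shorthand for "172.29.1.3 0.0.0.0"; protocol "ip" covers all IP traffic.
Router(config)# access-list 101 remark Drop 172.29.1.3 to 192.168.3.0/24, permit all else
Router(config)# access-list 101 deny ip host 172.29.1.3 192.168.3.0 0.0.0.255
Router(config)# access-list 101 permit ip any any
!
! An extended ACL names the destination, so it is applied close to the source: inbound
! on the interface where traffic from 172.29.1.3 enters the router.
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
!
! A second list showing the protocol, operator/port and "established" fields:
! from outside, only HTTP to the web server may open a session; TCP replies to sessions
! opened from inside are accepted ("established" = ACK or RST set, never a bare SYN);
! pings from inside get their echo replies back; everything else is dropped and logged.
Router(config)# access-list 102 remark Edge policy protecting 192.168.3.0/24
Router(config)# access-list 102 permit tcp any host 192.168.3.10 eq www
Router(config)# access-list 102 permit tcp any 192.168.3.0 0.0.0.255 established
Router(config)# access-list 102 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
Router(config)# access-list 102 deny ip any any log
!
! Only one IP ACL is allowed per interface per direction, so 102 goes on the interface
! facing the outside (assumed FastEthernet0/1), not on top of 101.
Router(config)# interface FastEthernet0/1
Router(config-if)# ip access-group 102 in
Router(config-if)# end
!
! Match counters confirm which line each packet hit; the "log" entries appear in the syslog.
Router# show access-lists
```

Note what established does not give you: it is a flag check, not connection tracking, so a spoofed segment with ACK set passes it, and UDP replies (DNS, for instance) are not covered at all and would have to be permitted explicitly.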

Named Access-Control List:
o This is the kind of ACL identified by a name.
o Available on IOS 11.2 and later.
o Entries can be added to or removed from the list without recreating it (a numbered ACL has to be deleted and retyped to change a single line).
o Can be used either as a standard ACL or as an extended ACL.

Router(config)# ip access-list {standard|extended} NAME

After that, add the conditions to this access list, as in the example:

Router(config-ext-nacl)# permit tcp any host 131.108.101.99 eq smtp

This permits all SMTP packets (TCP port 25) from any host to the host with IP address 131.108.101.99; because of the implicit deny any at the end of the list, everything else is dropped unless further entries are added.

Syntax for applying an Access-Control List to an interface:

An ACL can be applied to a router interface to filter packets in the inbound or outbound direction with the following syntax:


Router(config-if)# ip access-group {number|name} {in|out}

To apply an ACL to the telnet (vty) lines of the router, a dedicated command is used on the lines themselves:

Router(config)# line vty 0 4
Router(config-line)# access-class {number|name} {in|out}

Here in restricts who may open a terminal session to the router, while out restricts the destinations a user already logged in on that line may telnet to from the router. Because access-class only ever sees terminal-session traffic, a standard ACL (source addresses only) is sufficient and no port needs to be specified.

Checking the Access-Control Lists

To inspect the ACLs present on the router, the following commands can be used:

Router# show access-lists
Router# show running-config access-list

show access-lists (also available as show ip access-lists) lists every entry together with a per-entry match counter, which is the quickest way to confirm that a rule is actually matching traffic; the running-config view shows the lines as configured, and can also be filtered with show running-config | include access-list.
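The named-ACL example above (SMTP to 131.108.101.99) carried through to a complete list, added here as an example that is not from the original handout. It shows the one property the text singles out, that a named list can be edited in place, and then binds and verifies the list with the commands just described. The list name MAIL-IN, the interface FastEthernet0/0 and the extra entries are assumptions.

```cisco
! Added example (not from the original handout). The list name, interface and the entries
! other than the SMTP line are assumptions.
Router(config)# ip access-list extended MAIL-IN
Router(config-ext-nacl)# remark Only SMTP may reach the mail server; log everything else
Router(config-ext-nacl)# permit tcp any host 131.108.101.99 eq smtp
Router(config-ext-nacl)# permit tcp any any established
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
!
! Unlike a numbered ACL, a named ACL is edited without deleting and retyping it.
! Remove one entry by repeating it with "no":
Router(config)# ip access-list extended MAIL-IN
Router(config-ext-nacl)# no permit tcp any any established
! On IOS releases that support ACL sequence numbers (12.3 and later) an entry can be
! inserted at a chosen position: entries are numbered 10, 20, 30 ... by default, so
! sequence 15 lands right after the SMTP line and before the final deny.
Router(config-ext-nacl)# 15 permit icmp any host 131.108.101.99 echo
Router(config-ext-nacl)# exit
!
! Apply it exactly like a numbered ACL, by name.
Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group MAIL-IN in
Router(config-if)# end
!
! Verification: the list with its sequence numbers and match counters, the binding on the
! interface, and the lines as they sit in the running configuration.
Router# show access-lists MAIL-IN
Router# show ip interface FastEthernet0/0 | include access list
Router# show running-config | section ip access-list
```

Without sequence numbers (older IOS), a new entry is always appended at the end of the named list, i.e. after the final deny, where it can never match; keep that in mind when an added permit seems to have no effect.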

In-class lab

Build the following topology and complete these requirements:


1. Configure routing on the routers so that the network converges. (Do this yourself; note that the Cloud must also converge with the routers, i.e. be reachable from all of them.)

2. Apply a standard ACL on interface f1/0 of R1 so that router R4 cannot communicate with the Cloud.

On R1:

Test again from R3 and R4:

Packets from R4 to the Cloud are now blocked, as required.

3. Apply an extended ACL on interface s0/0 of R2 so that every router except R1 can telnet to R3.

First enable telnet on R3:

Build the access list on R2:

Test from R1:

R1 can still ping R3 but can no longer telnet to R3: the extended ACL matches only TCP port 23 from R1, so ICMP and everything else still passes.

4. Apply a named ACL on the telnet (vty) lines of R3 so that the Cloud cannot telnet to R3.

Try telnetting from the Cloud to R3:

On R3, configure:

Try again from the Cloud:

Observation: this time there is no need to specify port 23, because the ACL is bound to the router's vty lines with access-class, which only ever sees incoming terminal sessions; a standard ACL naming the source addresses to reject is enough.
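A complete solution for lab requirements 2 to 4, added here as an example; it is not the handout's own configuration (the handout's screenshots are not reproduced) and the whole addressing plan is assumed: R1-R2 link 10.0.12.0/24 (R1 .1, R2 .2, with R2's s0/0 facing R1), R2-R3 link 10.0.23.0/24 (R2 .2, R3 .3), R3-R4 link 10.0.34.0/24 (R3 .3, R4 .4), and the Cloud on 192.168.11.0/24 behind R1's f1/0 (R1 .1, Cloud host .10). Requirement 1 (routing) is taken as done. The vty password is a placeholder.

```cisco
! Added example solution (not the handout's own configuration). Addressing plan assumed:
! R1--R2 10.0.12.0/24 (R1 .1, R2 .2; R2 s0/0 faces R1), R2--R3 10.0.23.0/24 (R2 .2, R3 .3),
! R3--R4 10.0.34.0/24 (R3 .3, R4 .4), Cloud 192.168.11.0/24 behind R1 f1/0 (R1 .1, host .10).
!
! ---- Requirement 2: standard ACL on R1 f1/0 so R4 cannot reach the Cloud ----
! A standard ACL matches source addresses only, so list every address R4 can send from
! (here its single link address). Traffic from R4 to the Cloud leaves R1 through f1/0,
! hence direction "out".
R1(config)# access-list 1 remark Lab requirement 2: block R4 from the Cloud
R1(config)# access-list 1 deny host 10.0.34.4
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet1/0
R1(config-if)# ip access-group 1 out
R1(config-if)# end
!
! ---- Requirement 3: enable telnet on R3, then an extended ACL on R2 s0/0 ----
! "lab" is a placeholder password for the exercise.
R3(config)# line vty 0 4
R3(config-line)# password lab
R3(config-line)# login
R3(config-line)# end
!
! R1's telnet packets enter R2 on s0/0, so filter inbound there. Only TCP port 23 from
! R1 (source = its link address 10.0.12.1) to R3's addresses is denied; ICMP and all
! other traffic still passes, which is why R1 can ping R3 but not telnet to it.
! Each R3 address that R1 could telnet to needs its own deny line.
R2(config)# access-list 100 remark Lab requirement 3: no telnet from R1 to R3
R2(config)# access-list 100 deny tcp host 10.0.12.1 host 10.0.23.3 eq telnet
R2(config)# access-list 100 deny tcp host 10.0.12.1 host 10.0.34.3 eq telnet
R2(config)# access-list 100 permit ip any any
R2(config)# interface Serial0/0
R2(config-if)# ip access-group 100 in
R2(config-if)# end
!
! ---- Requirement 4: named ACL on R3's vty lines so the Cloud cannot telnet to R3 ----
! access-class only sees sessions aimed at the vty lines, so no port is written and a
! standard (source-only) named ACL is enough. "in" = who may connect to the router.
R3(config)# ip access-list standard NO-CLOUD-TELNET
R3(config-std-nacl)# deny 192.168.11.0 0.0.0.255
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
R3(config)# line vty 0 4
R3(config-line)# access-class NO-CLOUD-TELNET in
R3(config-line)# end
!
! ---- Verification ----
! Expected after requirement 2: fails (no reply).
R4# ping 192.168.11.10
! Expected after requirement 3: ping succeeds (ACL 100 passes ICMP), telnet fails.
R1# ping 10.0.23.3
R1# telnet 10.0.23.3
! The deny lines' match counters grow with each blocked attempt; the interface view on R1
! confirms ACL 1 is bound outbound.
R2# show access-lists 100
R3# show access-lists NO-CLOUD-TELNET
R1# show ip interface FastEthernet1/0 | include access list
```

Two things worth checking when a step does not behave as expected: a standard ACL that only lists one of a router's addresses still lets that router through from its other interfaces, and a rule bound in the wrong direction shows zero matches in show access-lists while the traffic keeps flowing.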
