
1. Classification: ACLs are divided into the following types: Standard ACLs, Extended ACLs, Dynamic ACLs (Lock and Key), Reflexive ACLs and Time-based ACLs. ACLs can be created in two ways, as Numbered ACLs or as Named ACLs. Below we look at each of the ACL types listed above: its characteristics, its application and how it is created.

2. Standard ACLs

Characteristics: Standard ACLs are the simplest traffic filter of all the ACL types. A standard ACL filters traffic based only on the source address of the packet.

Application: Used for simple traffic filtering based only on the source address.

How to create Standard ACLs:

Command:

Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

Example:

R3(config)#access-list 99 deny 192.168.10.0 0.0.0.255
R3(config)#access-list 99 permit any
R3(config)#interface s0/0/1
R3(config-if)#ip access-group 99 in

3. Extended ACLs

Characteristics: Extended ACLs filter traffic based on several fields of the packet: source address, destination address, protocol and port number.

Application: Used to filter packets on more information than a standard ACL.

How to create Extended ACLs:

Command:

Router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [operator port] [log]

Example:

R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 23
R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 20
R3(config)#interface f0/2
R3(config-if)#ip access-group 102 in

4. How to configure Named ACLs: Use the ip access-list command, then specify the type (standard or extended), and finally the name of the ACL.

Example:
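An added example, not part of the original document, that models how IOS evaluates the standard and extended ACLs above: wildcard-mask matching, top-down first match, and the implicit deny at the end of every list. It rebuilds the page's ACL 99 and ACL 102; the packet values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    # A Cisco wildcard mask is an inverted netmask: 0 bits must match, 1 bits are ignored.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w) == 0

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # "any" is 0.0.0.0 with wildcard 255.255.255.255
    src_wc: str = "255.255.255.255"
    proto: Optional[str] = None      # None models a standard ACL: source address only
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # models "eq <port>" on the destination

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto is None:       # standard ACL: nothing else is inspected
            return True
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port

def evaluate(acl: list, pkt: dict) -> str:
    # IOS walks the ACEs top down: the first match decides, and a packet that
    # matches nothing hits the implicit "deny any" that ends every ACL.
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# The page's ACL 99 (standard) and ACL 102 (extended), rebuilt as ACE lists.
ACL_99 = [ACE("deny", "192.168.10.0", "0.0.0.255"), ACE("permit")]
ACL_102 = [ACE("deny", "192.168.10.0", "0.0.0.255", "tcp", "192.168.30.0", "0.0.0.255", p)
           for p in (23, 21, 20)]
# ACL 102 has no permit statement, so on f0/2 the implicit deny also blocks the
# traffic that was meant to pass; a trailing "permit ip any any" fixes that.
ACL_102_FIXED = ACL_102 + [ACE("permit", proto="ip")]

if __name__ == "__main__":
    web = {"src": "192.168.10.5", "dst": "192.168.30.7", "proto": "tcp", "dport": 80}
    print(evaluate(ACL_102, web), evaluate(ACL_102_FIXED, web))
```

The check worth remembering: an ACL made only of deny lines, like ACL 102 as written, denies everything on that interface.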

5. Dynamic ACLs

Characteristics: Used only to filter IP traffic. Dynamic ACLs depend on Telnet connectivity, on authentication (local or remote), and on extended ACLs.

+ A user opens a connection to the border router configured with lock-and-key. The user's connection goes through a virtual terminal port on the router.

+ On receiving the telnet packet, the router opens a telnet session and requests authentication with a password or a username account. The user must pass authentication before being allowed through the router. Authentication is performed by the router itself or by an authentication server using the RADIUS protocol or a TACACS server.

+ Once the user has passed authentication, they exit the telnet session and an entry appears in the Dynamic ACL.

+ From that point the user exchanges data through the firewall.

+ When the configured timeout is reached, the router deletes the entry it just created in the dynamic ACL, or the administrator can delete it manually. There are two kinds of timeout: idle timeout and absolute timeout. Idle timeout: if the user does not use the session for a period of time, the entry in the Dynamic ACL is deleted. Absolute timeout: a fixed period during which the user may use the session; when it expires, the entry in the Dynamic ACL is deleted.

Application:

+ When you want to allow a particular user or group of users to access a host in your network, or to connect to remote hosts across the Internet. Lock-and-key ACLs authenticate the user and then permit limited access through the router firewall to a host or a subnet for a limited period of time.

+ When you want a subnet of the local network to reach a host in a remote network that is protected by a firewall. With lock-and-key ACLs, you can grant access to the remote host only to a designated group of hosts. Lock-and-key ACLs require users to authenticate through an AAA or TACACS+ server, or another security server, before those hosts are allowed to reach the remote hosts.

How to create Dynamic ACLs:

Example 1:

Configuration steps:

Step 1: Create a local user account on the router.

Step 2: Create an extended ACL that permits all hosts to telnet to host 10.2.2.2. After a successful telnet, network 192.168.10.0 is permitted to reach network 192.168.30.0 with a 15-minute timeout (absolute time). (The dynamic ACL entry is generated when the access-enable command is triggered and disappears after 15 minutes, whether or not the user is still using it.)

Step 3: Apply the ACL to the designated interface.

Step 4: Specify that when a user telnets in and authenticates successfully, a 5-minute session is established: if the user does not use this session it ends after 5 minutes (idle timeout); if the user does use it, it ends after 120 minutes.

Example 2: Authentication with a TACACS server

! Enable AAA authentication
aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec stop-only group tacacs+
aaa accounting network stop-only group tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name diana
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
! Permit hosts to telnet to 172.18.21.2. The telnet login is authenticated by the
! TACACS server; on success all traffic is allowed through the router and the
! session is opened automatically for 5 minutes
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
! Declare the IP addresses of the TACACS servers and the key used to authenticate with them
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password cisco
line aux 0
! Idle timeout for the session is 5 minutes
line vty 0 4
 autocommand access-enable timeout 5
 password cisco
!
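An added example, not from the document, that simulates the lock-and-key entry lifecycle with the two timers of Example 1: a 15-minute absolute timeout and a 5-minute idle timeout. The local accounts, the simulated clock and the source address are constructed for the example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class DynamicEntry:
    host: str          # source address that passed the telnet authentication
    created: float     # simulated clock, in seconds
    last_used: float
    absolute: float    # "access-list ... dynamic NAME timeout 15" -> 15 minutes
    idle: float        # "autocommand access-enable timeout 5"    -> 5 minutes

    def expired(self, now: float) -> bool:
        # The absolute timer runs from creation regardless of use; the idle timer
        # runs from the last packet that matched the entry.
        return now - self.created >= self.absolute or now - self.last_used >= self.idle

class LockAndKey:
    def __init__(self, accounts: dict, absolute_min: float, idle_min: float):
        # accounts is a constructed stand-in for the router's local "username"
        # database (or for a RADIUS/TACACS+ server).
        self.accounts = accounts
        self.absolute = absolute_min * 60
        self.idle = idle_min * 60
        self.entries: list = []

    def telnet_login(self, src: str, user: str, password: str, now: float) -> bool:
        # The VTY session: authenticate, then "access-enable" installs a temporary
        # "permit ip host <src> any" entry and the telnet session is closed.
        expected = self.accounts.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.entries.append(DynamicEntry(src, now, now, self.absolute, self.idle))
        return True

    def check(self, src: str, now: float) -> str:
        # Expired entries are removed the way the router removes them; a matching
        # live entry permits the packet and refreshes only the idle timer.
        self.entries = [e for e in self.entries if not e.expired(now)]
        for e in self.entries:
            if e.host == src:
                e.last_used = now
                return "permit"
        return "deny"   # no entry: only the static ACEs (telnet to the router) apply
```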

6. Reflexive ACLs:

Characteristics: This type of ACL can only be created with extended named ACLs, not with numbered ACLs or standard named ACLs.

Application: Used to permit IP traffic from outside for sessions initiated from inside the network, and to block IP traffic that initiates sessions from the outside network. The ACL inspects outgoing packets; if a packet initiates a session, it automatically adds an outbound entry that permits the return traffic. Reflexive ACLs filter sessions better than a permit statement with the established keyword, which only checks the ACK and RST bits. Reflexive ACLs filter on the packet's source address, destination address, port, and ACK and RST bits. In addition, session filtering uses temporary filters that are removed when a session ends.

How to create Reflexive ACLs:

Example

+ Configure ACLs that permit ICMP and TCP traffic in both the inbound and outbound directions, but only if the first packet of the session originates from the internal network. All other traffic is denied. The reflexive ACL is applied on interface s0/1/0.

+ Configuration steps:

Step 1: Create an extended named ACL permitting traffic going out to the Internet.

Step 2: Create an extended named ACL containing the reflexive ACL, which is created automatically when an outbound packet matches the named ACL from step 1.

Step 3: Apply the named ACLs to the interface.
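An added example, not from the document, that simulates the reflexive ACL of the steps above: a TCP or ICMP session started from the inside network creates a mirrored temporary entry, only that entry permits the return traffic inbound, and the entry disappears when the session ends or goes idle. The inside network 192.168.10.0/24 and the 300-second timeout are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int      # 0 for ICMP, which has no ports
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The temporary entry is the exact mirror image: addresses and ports swapped.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveACL:
    def __init__(self, inside: str, timeout: float):
        self.inside = ipaddress.ip_network(inside)
        self.timeout = timeout          # seconds before an unused entry is removed
        self.temp: dict = {}            # mirrored Flow -> expiry time

    def outbound(self, flow: Flow, now: float, session_end: bool = False) -> str:
        # Step 1 on the page: "permit tcp any any reflect NAME" / "permit icmp any any
        # reflect NAME" for sessions that start inside; all else hits the implicit deny.
        if ipaddress.ip_address(flow.src) not in self.inside or flow.proto not in ("tcp", "icmp"):
            return "deny"
        if session_end:                 # TCP FIN/RST seen: the temporary entry goes away
            self.temp.pop(flow.reverse(), None)
        else:                           # session traffic (re)creates the mirrored entry
            self.temp[flow.reverse()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        # Step 2 on the page: the inbound list "evaluate NAME" matches only the
        # mirrored entries of live sessions, so outside-initiated traffic is denied.
        self.temp = {f: exp for f, exp in self.temp.items() if exp > now}
        if flow in self.temp:
            self.temp[flow] = now + self.timeout    # return traffic keeps the entry alive
            return "permit"
        return "deny"
```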

7. Time-based ACLs

Characteristics: They work like extended ACLs but additionally allow access control based on time.

Application: Used to filter packets on as much information as extended ACLs, plus time information.

How to create Time-based ACLs:

Example: Set up an ACL that permits a Telnet connection from the inside network to the outside network on Monday, Wednesday and Friday during business hours.

+ Configuration steps:

Step 1. Define the time range during which the ACL is enforced and give it a name. (This time range depends on the system clock of the router; the feature works best with time synchronization via the Network Time Protocol (NTP), in which case the router's own clock is not used.)

Step 2. Apply the time range to the ACL.

Step 3. Apply the ACL to the interface.
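An added example, not from the document, that parses the IOS periodic statement of a time-range (same-day form only, but covering the daily, weekdays and weekend keywords beyond the page's Mon/Wed/Fri case) and applies it to the Telnet ACE of the example above. The range name TELNET-HOURS and the hours 8:00 to 17:00 are assumptions standing in for "business hours".

```python
from datetime import datetime, time

# Day keywords accepted by the IOS "periodic" statement, as Python weekday numbers.
DAY_GROUPS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def parse_periodic(line: str):
    # "periodic Monday Wednesday Friday 8:00 to 17:00" -> (days, start, end)
    words = line.split()
    if len(words) < 5 or words[0] != "periodic" or words[-2] != "to":
        raise ValueError(f"not a periodic statement: {line!r}")
    days: set = set()
    for word in words[1:-3]:
        days |= DAY_GROUPS[word.lower()]
    start = time.fromisoformat(words[-3].zfill(5))   # "8:00" -> "08:00"
    end = time.fromisoformat(words[-1].zfill(5))
    return days, start, end

class TimeRange:
    def __init__(self, name: str, periodic_lines: list):
        self.name = name
        self.rules = [parse_periodic(line) for line in periodic_lines]

    def active(self, now: datetime) -> bool:
        # The router compares against its own clock, so the decision is only as
        # trustworthy as that clock (hence the page's note on NTP).
        t = now.time()
        return any(now.weekday() in days and start <= t < end
                   for days, start, end in self.rules)

def evaluate_telnet_ace(tr: TimeRange, pkt: dict, when: str) -> str:
    # "permit tcp <inside> <outside> eq 23 time-range NAME": the ACE matches only
    # while the range is active; otherwise the packet falls through to the implicit deny.
    now = datetime.fromisoformat(when)       # router clock at the moment of the check
    if pkt["proto"] == "tcp" and pkt["dport"] == 23 and tr.active(now):
        return "permit"
    return "deny"

# Constructed range for the page's example: Mon/Wed/Fri, business hours 08:00-17:00.
TELNET_HOURS = TimeRange("TELNET-HOURS", ["periodic Monday Wednesday Friday 8:00 to 17:00"])
```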
