
An ACL is a list of statements applied to the interfaces of a router. The list tells the router which types of packets are accepted (allow) and which are discarded (deny). This acceptance or rejection can be based on the source address, the destination address, or the port number.

Access Control List in a network model

- Manage IP traffic.
- Provide a basic level of security for network access, in the form of filtering packets that pass through the router.

- Permit or deny packets moving through the router.
- Permit or deny remote access to or from the router.

ACLs are divided into 2 types:

- Standard ACL
- Extended ACL

ACLs can be created for all routed network protocols (IP, IPX…) to filter packets passing through the router.

An ACL is processed in the order of the statements in the list, as configured when the access-list was created. If a condition in the list is matched, the router carries out that statement and the remaining statements are not checked. If none of the statements in the list match (unmatched), a default "deny any" statement is applied. By default, the end of every access-list is a statement that discards everything (deny all). Therefore, an access-list must contain at least one permit statement.

Order in which the statements in an ACL are checked

- When a packet enters an interface, the router checks whether there is an ACL on the inbound interface. If there is, the packet is checked against the conditions in the list.
- If the packet is allowed, it is then checked against the routing table to decide which interface to use to reach the destination.
- Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent to the destination network. If there is an ACL on the outbound interface, the packet is checked against the conditions in that ACL.

Flowchart of inbound ACL operation
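
An added example (not from the original page and not Cisco's implementation): a simplified Python model of the first-match evaluation, wildcard-mask comparison and implicit deny described above, run against ACL 111 from the quiz further down this page. The function names and the reduced rule syntax (literal protocol keyword, optional `eq PORT` only) are assumptions made for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = must match, wildcard bit 1 = ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_rule(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (simplified)."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = parse_spec(rest)
    dst, rest = parse_spec(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport):
    """Return (action, index of matching line); index None = implicit deny."""
    for i, line in enumerate(acl_lines):
        action, r_proto, r_src, r_dst, r_port = parse_rule(line)
        if (r_proto == proto and wildcard_match(src, *r_src)
                and wildcard_match(dst, *r_dst) and r_port in (None, dport)):
            return action, i      # first match wins, remaining lines are skipped
    return "deny", None           # nothing matched: implicit deny at the end

# ACL 111 copied from the quiz on this page
ACL_111 = [
    "access-list 111 deny tcp 204.204.7.89 0.0.0.0 196.6.13.254 0.0.0.0 eq 21",
    "access-list 111 permit tcp any any",
]

if __name__ == "__main__":
    ftp = ("tcp", "204.204.7.89", "196.6.13.254", 21)   # constructed test packet
    print(evaluate(ACL_111, *ftp))         # ('deny', 0)
    print(evaluate(ACL_111[::-1], *ftp))   # ('permit', 0): order reversed, deny never reached
    print(evaluate(ACL_111, "udp", "10.0.0.1", "196.6.13.254", 53))  # ('deny', None)
```

Reversing the two lines shows why statement order matters: the broad permit matches first and the specific deny is never evaluated.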


1.

A. The wildcard mask and subnet mask perform the same function.
B. The wildcard mask is always the inverse of the subnet mask.
C. A "0" in the wildcard mask identifies IP address bits that must be checked.
D. A "1" in the wildcard mask identifies a network or subnet bit.

2.

A. The first 29 bits of a supplied IP address will be ignored.
B. The last three bits of a supplied IP address will be ignored.
C. The first 32 bits of a supplied IP address will be matched.
D. The first 29 bits of a supplied IP address will be matched.
E. The last four bits of a supplied IP address will be matched.

3.

A. Router(config)# access-list 22 deny 192.5.5.25 0.0.0.0

B. Router(config)# access-list 22 deny host 192.5.5.25 0.0.0.0
   Router(config)# access-list 22 permit any any

C. Router(config)# access-list 22 deny 192.5.5.25 0.0.0.0
   Router(config)# access-list 22 permit any

D. Router(config)# access-list 22 deny host 192.5.5.25
   Router(config)# access-list 22 permit any

E. Router(config)# access-list 22 deny 192.5.5.0 0.0.0.255
   Router(config)# access-list 22 permit any

4.

A. Router(config)# access-list 97 permit host 192.5.5.1
B. Router(config)# access-list 32 permit 210.93.105.3 0.0.0.0
C. Router(config)# access-list 148 permit 201.100.11.2 0.0.0.0
D. Router(config)# access-list 107 permit host 192.5.5.1 213.45.27.0 0.0.0.255 eq 23
E. Router(config)# access-list 10 permit tcp 192.5.5.1 0.0.0.255 201.100.11.0 0.0.0.255 eq 80

5.

A. access-list 10 deny tcp host 192.5.5.148 host 210.93.105.50 eq 80
   access-list 10 permit tcp any any

B. access-list 10 deny tcp 192.5.5.148 0.0.0.0 210.93.105.50 0.0.0.0 eq 23
   access-list 10 permit tcp any any

C. access-list 100 deny tcp 192.5.5.148 0.0.0.0 210.93.105.50 0.0.0.0 eq 80
   access-list 100 permit tcp any any

D. access-list 100 deny tcp 192.5.5.148 0.0.0.255 210.93.105.50 0.0.0.255 eq 80
   access-list 100 permit tcp any any

E. access-list 100 deny tcp host 192.5.5.148 255.255.255.255 210.93.105.50 255.255.255.255 eq 80
   access-list 100 permit tcp any any

6.

A. The packets will be placed in a buffer and forwarded when the ACL is removed.
B. The packets will be sent to the source with an error notification message.
C. The implicit permit any statement placed at the end of the list will allow the packets to flow
through uninhibited.
D. The implicit deny any statement placed at the end of the list will cause the packets to be
dropped.

7.

access-list 111 deny tcp 204.204.7.89 0.0.0.0 196.6.13.254 0.0.0.0 eq 21
access-list 111 permit tcp any any

A. Router2(config)# interface s0/0
   Router2(config-if)# ip access-group 111 in

B. Router2(config)# interface fa0/0
   Router2(config-if)# ip access-group 111 out

C. Router2(config)# interface fa0/0
   Router2(config-if)# ip access-group 111 in

D. Router3(config)# interface fa0/0
   Router3(config-if)# ip access-group 111 in

E. Router3(config)# interface s0/1
   Router3(config-if)# ip access-group 111 out

F. Router3(config)# interface fa0/0
   Router3(config-if)# ip access-group 111 out

8.

A. The entire ACL must be deleted and recreated.
B. The accept or reject action is performed.
C. The packet is forwarded to the next hop.
D. The remaining ACL statements are not checked.
E. The router goes through the list again to verify that a match has been made.

9.

A. An implicit deny any rejects any packet that does not match any ACL statement.
B. A packet can either be rejected or forwarded as directed by the statement that is matched.
C. A packet that has been denied by one statement can be permitted by a subsequent
statement.
D. A packet that does not match the conditions of any ACL statements will be forwarded by
default.
E. Each statement is checked only until a match is detected or until the end of the ACL
statement list.
F. Each packet is compared to the conditions of every statement in the ACL before a
forwarding decision is made.
