OVERVIEW OF ACCESS-LISTS

March 26, 2011, by LÊ QUỐC NHẬT ĐỒNG
Source: http://lequocnhatdong.wordpress.com/2011/03/26/tng-quan-v-access-list/
I- SOME CONCEPTS ABOUT ACCESS-LISTS
1. What is an ACL (Access Control List)?
- An ACL is a list of statements applied to the interfaces of a router. The list tells the router which packets are accepted (permit) and which are discarded (deny). The decision to accept or discard can be based on the source address, the destination address or the port number.
2. Why use ACLs?

- Manage IP traffic
- Provide a basic level of security for network access, in the form of packet filtering on the router
Functions:
+ Determine the appropriate route for DDR (dial-on-demand routing)
+ Convenient filtering of IP packets
+ Provide high network availability
3. Types of ACLs
There are two types of access lists: standard access lists and extended access lists.
- Standard ACLs: filter on the source IP address of packets entering the network; place them close to the destination.
- Extended ACLs: filter on the source and destination IP address of a packet, the protocol in the network layer header (TCP, UDP, ICMP) and the port numbers in the transport layer header; place them close to the source.
4. Placing ACLs.
a- Inbound ACLs.
+ Inbound: put simply, the interface through which a packet enters the router; the packet is processed by the ACL before it is routed to the outbound interface. Packets denied here are dropped before any routing-table lookup; a permitted packet is processed (routed) before transmission.
b- Outbound ACLs.
+ Outbound: the interface through which a packet leaves the router; packets are first routed to the outbound interface, then processed by the ACL before being placed in the outbound queue.
5. How ACLs operate.
- An ACL is evaluated in the order in which its statements were entered when the access-list was created. As soon as one condition in the list matches, its action is taken and the remaining statements are not checked. If none of the statements matches, a default deny any is applied: the end of every access-list is an implicit deny all. Therefore an access-list must contain at least one permit statement.
When a packet arrives on an interface, the router checks whether an ACL is applied inbound on that interface; if so, the packet is checked against the conditions in the list.
If the packet is permitted, it is looked up in the routing table to decide which interface leads to the destination.
Next, the router checks whether the outbound interface has an ACL. If not, the packet is sent on toward the destination network. If there is an outbound ACL, the packet is checked against that list's conditions.
6. Some points to note
* Only one ACL per protocol, per direction, per interface can be applied; an interface can still carry several ACLs (one per protocol and direction).
* The router cannot filter traffic that originates from the router itself.
* Statements are processed in the order they appear. A new statement added to a list is appended at its end.
* Standard ACLs: place them close to the destination of the traffic.
* Extended ACLs: place them close to the source of the traffic.
* By default both the access-group and the access-class commands apply in the OUT direction.
II- CONFIGURING ACCESS-LISTS (ACLs)
1. Standard Access lists.
#: the list number; standard ACLs use 1 -> 99 or 1300 -> 1999.
There are two steps to create an ACL:
+ Define the ACL that will be applied to an interface:
router(config)#access-list [#] [permit|deny] [source address] [wildcard mask] [log]
Or:
router(config)#access-list [#] [permit|deny] [host address|any]     (this is the form usually used)
+ Then apply the list to the router interface at which you want to block packets:
router(config)#interface [interface-number]
router(config-if)#ip access-group [#] [in|out]     (interface access control)
Concrete example
We work on the following topology, which has already been configured with RIP so that the routers and PCs can ping one another.
Create the access list in global configuration mode:
Create an access-list on R2 that blocks PC0 (10.0.0.2) from reaching network 220.0.0.0, right at the interface of Router 2.
R2(config)# access-list 1 deny host 10.0.0.2
R2(config)# access-list 1 permit any
<<< Note: after listing the addresses you want to block or allow, the last statement must be permit any, because once a list exists the router denies everything else by default; the permit any statement changes that.
Apply the access-list to the interface.
Apply this access-list to interface s0/3/0 on R2.
When applying an access-list to an interface, imagine standing on the router: to block data leaving the interface, use the keyword out; to block data entering the interface, use the keyword in.
R2(config)# interface s0/3/0
R2(config-if)# ip access-group 1 out

Then from PC0 (10.0.0.2), ping network 220.0.0.0 to check.


Now try pinging network 220.0.0.0 from PC1 (10.0.0.3).


Because a standard access-list can only check the source address, it has to be applied on the interface closest to the destination.
2. Extended Access lists.
#: the list number; extended ACLs use 100 -> 199 or 2000 -> 2699.
Like standard ACLs, with additional ways to filter packets:
+ Source and destination IP address
+ IP protocol: TCP, UDP, ICMP, and so on (block a protocol)
+ Port information (WWW, DNS, FTP, TELNET, etc.) (block services by the ports they use)
Configuration commands:
The same two steps as for standard ACLs.
Create the access list in global configuration mode:
router(config)#access-list [#] [permit|deny] [protocol] [source address] [wildcard mask] [operator source port] [destination address] [wildcard mask] [operator destination port] [log]
Or
router(config)#access-list [#] [permit|deny] [protocol] host [source address] host [destination address] [lt|gt|neq|eq|range] [port number]
Apply the access-list to the interface.
router(config)#interface [interface-number]
router(config-if)#ip access-group [#] [in|out]     (interface access control)
Example:
Create an ACL on router R1 that blocks R2 from accessing Router 1 over TCP via the Telnet service.
First enable the Telnet service on the routers.
In global configuration mode enter the following commands.
router(config)#line vty 0 4
router(config-line)#password telnet     <<<< set any password for telnet
router(config-line)#login


Once configured, go to any one router and telnet to the others to test.


So the routers can telnet to one another.
Now configure the ACL on R1:
R1(config)# access-list 101 deny tcp host 200.0.0.2 host 200.0.0.1 eq telnet
R1(config)# access-list 101 deny tcp any any
Apply the ACL to the interface where the traffic should be blocked.
R1(config)# interface s0/3/0
R1(config-if)#ip access-group 101 in


After configuring, test with Telnet.
From Router 2, telnet to Router 1 with the command
R2#telnet 200.0.0.1


Router 1 does not respond, so the configuration succeeded.
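As an added example (not code from the original post), here is a small Python model of the matching rules from section I.5 run against the two lists configured above (access-list 1 on R2 and access-list 101 on R1): statements are tried top-down, the first match wins, a 1 bit in the wildcard mask means "don't care", and a packet that matches nothing hits the implicit deny. The port-name table and the packets it is tested with are constructed, and only the eq operator is modelled.

```python
import ipaddress

# Constructed config: the page's two example lists (standard 1 on R2, extended 101 on R1).
ACL_CONFIG = """
access-list 1 deny host 10.0.0.2
access-list 1 permit any
access-list 101 deny tcp host 200.0.0.2 host 200.0.0.1 eq telnet
access-list 101 deny tcp any any
"""
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # constructed subset
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255 matches every address
to_int = lambda dotted: int(ipaddress.IPv4Address(dotted))

def parse_addr(tokens):  # consumes 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard)
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(t), to_int(tokens.pop(0))
def parse_port(tokens):  # consumes an optional 'eq PORT'; lt/gt/neq/range are not modelled
    if not tokens or tokens[0] != "eq":
        return None
    name = tokens[1]
    del tokens[:2]
    return PORT_NAMES.get(name) or int(name)
def parse_acls(text):  # groups 'access-list N action ...' lines by number, in entry order
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99 or 1300 <= num <= 1999:  # standard: source address only
            entry = ("ip", parse_addr(rest), None, ANY, None)
        else:                                       # extended: proto, src, ports, dst
            proto = rest.pop(0).lower()
            src, sport = parse_addr(rest), parse_port(rest)
            dst, dport = parse_addr(rest), parse_port(rest)
            entry = (proto, src, sport, dst, dport)
        acls.setdefault(num, []).append((action, entry))
    return acls
def addr_matches(addr, rule):
    base, wild = rule  # a 1 bit in the wildcard mask means "don't care"
    return (to_int(addr) | wild) == (base | wild)
def evaluate(acl, proto, src, dst, sport=None, dport=None):
    # Top-down, first match wins; falling off the end is the implicit deny.
    for action, (p, s, sp, d, dp) in acl:
        if (p in ("ip", proto) and addr_matches(src, s) and addr_matches(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # implicit 'deny any' at the end of every list
```

Feeding list 101 a UDP packet on port 520 returns deny: because the list has no permit statement, applying it inbound on s0/3/0 drops RIP updates and everything else arriving on that interface, not just Telnet, which is exactly why section I.5 says every list needs at least one permit.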
Some common ports:

Port number   TCP port name   UDP port name
6             TCP (this is the IP protocol number of TCP, not a port)
21            FTP
23            TELNET
25            SMTP
53            DNS             DNS
69                            TFTP
80            WWW
161                           SNMP
520                           RIP
III- MANAGING ACCESS-LISTS (ACLs)
Show all ACLs in use: Router#show running-config
Show which ACL is active on an interface: Router#show interface [#]
Show the placement and direction of IP ACLs: Router#show ip interface [#]
Show the statements of an ACL: Router#show access-lists [#]
Show all IP ACLs: Router#show ip access-lists
Show IP ACL 100: Router#show ip access-lists 100
Clear the counters:
Router#show access-lists [#]
Router#clear access-list counters [#]
Delete an access list:
router(config)#no access-list [#]
router(config)#no ip access-list [standard|extended] [#]
Remove an access list from an interface:
router(config)#interface [interface-number]
router(config-if)#no ip access-group [#] [in|out]

Networking course project by Lovebug Team
Supervising lecturer: Lê Hữu Thu