
IP Access Control Lists on Cisco routers

1. Classification
ACLs are divided into the following types: Standard ACLs, Extended ACLs, Dynamic ACLs (lock-and-key), Reflexive ACLs and Time-based ACLs. An ACL can be created in one of two ways: as a numbered ACL or as a named ACL.

We will look at each ACL type listed above in turn: its characteristics, its applications and how it is created.

2. Standard ACLs
Characteristics: a standard ACL is the simplest traffic filter of all the ACL types. It filters traffic based only on the source address of the packet.
Application: simple traffic filtering based only on the source address.
How to create a standard ACL:
Command: Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

Example:

R3(config)#access-list 99 deny 192.168.10.0 0.0.0.255
R3(config)#access-list 99 permit any
R3(config)#interface s0/0/1
R3(config-if)#ip access-group 99 in

The first entry denies every packet whose source address lies in 192.168.10.0/24 (the wildcard 0.0.0.255 ignores the last octet). The permit any entry is required: every ACL ends with an implicit deny, so without it all other traffic entering s0/0/1 would be dropped as well.

3. Extended ACLs

Characteristics: an extended ACL filters traffic based on several fields of the packet: source address, destination address, protocol and port number.
Application: filtering packets on more information than a standard ACL can use.

How to create an extended ACL:
Command: Router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [operator [port]] [established] [log]

Example:

R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 23
R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
R3(config)#access-list 102 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 20
R3(config)#interface f0/2
R3(config-if)#ip access-group 102 in

The three entries block Telnet (port 23) and FTP control and data (ports 21 and 20) from 192.168.10.0/24 to 192.168.30.0/24. Note that the port operator is eq, not "equal". As written, ACL 102 contains no permit entry, so the implicit deny at its end blocks every other packet arriving on f0/2; in practice a permit ip any any (or a narrower permit) is added after the deny entries.

4. How to configure named ACLs
Use the ip access-list command, then specify the type (standard or extended), and finally the name of the ACL. Example:
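The following configuration is an added example, not code from the original page: it rebuilds the numbered standard ACL 99 and extended ACL 102 above as named ACLs. The names NO-LAN10 and BLOCK-TELNET-FTP, the sequence numbers and the interfaces are assumptions chosen for the example.

```cisco
! Named standard ACL equivalent to access-list 99 (name NO-LAN10 is assumed)
R3(config)#ip access-list standard NO-LAN10
R3(config-std-nacl)#deny 192.168.10.0 0.0.0.255
R3(config-std-nacl)#permit any
R3(config-std-nacl)#exit
R3(config)#interface s0/0/1
R3(config-if)#ip access-group NO-LAN10 in
R3(config-if)#exit
!
! Named extended ACL equivalent to access-list 102 (name BLOCK-TELNET-FTP is assumed)
! Sequence numbers allow a single entry to be deleted or a new one inserted later
! without rebuilding the whole list
R3(config)#ip access-list extended BLOCK-TELNET-FTP
R3(config-ext-nacl)#10 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 23
R3(config-ext-nacl)#20 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
R3(config-ext-nacl)#30 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 20
! Explicit permit; without it the implicit deny at the end drops all other traffic
R3(config-ext-nacl)#40 permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface f0/2
R3(config-if)#ip access-group BLOCK-TELNET-FTP in
R3(config-if)#end
!
! Verify the entries, their sequence numbers and the per-entry match counters
R3#show access-lists BLOCK-TELNET-FTP
```

Entries in a named ACL are evaluated top down, first match wins, exactly as in a numbered ACL; the only differences are the descriptive name and the ability to edit individual entries by sequence number.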

5. Dynamic ACLs
Characteristics: dynamic ACLs filter IP traffic only, and they depend on a Telnet connection, on authentication (local or remote) and on extended ACLs.
+ A user opens a Telnet connection to the border router configured with lock-and-key. The user's connection arrives through a virtual terminal (vty) port on the router.
+ On receiving the Telnet packet the router opens a Telnet session and prompts for a password or for a username and password. The user must pass authentication before being allowed through the router. Authentication is performed either by the router itself or by an authentication server using the RADIUS or TACACS protocol.
+ Once the user has authenticated, the Telnet session is closed and an entry is created in the dynamic ACL.
+ From then on the user exchanges data through the firewall (the router).
+ When the configured timeout expires, the router deletes the entry it created in the dynamic ACL; the administrator can also delete it manually. There are two kinds of timeout, idle timeout and absolute timeout. With an idle timeout, the entry in the dynamic ACL is deleted if the user does not use the session for the configured period. An absolute timeout is a fixed period during which the user may use the session; when it expires the entry in the dynamic ACL is deleted regardless of activity.

Applications:
+ When you want to allow a particular user or group of users to reach a host in your network, or to connect to remote hosts across the Internet. Lock-and-key authenticates the user and then permits limited access through the router firewall to one host or subnet for a limited period of time.
+ When you want a subnet of the local network to reach a host in a remote network that is protected by a firewall. With lock-and-key, only a designated group of hosts can reach the remote host. Lock-and-key requires users to authenticate through AAA, a TACACS+ server or another security server before their hosts are permitted to reach the remote hosts.

How to create dynamic ACLs:

Example 1: local authentication

Configuration steps:

Step 1: Create a local user account on the router.
Step 2: Create an extended ACL that permits all hosts to Telnet to host 10.2.2.2. After a successful Telnet login, permit the 192.168.10.0 network to reach the 192.168.30.0 network with a 15-minute timeout (absolute time): the dynamic entry is generated when the access-enable command is executed and disappears after 15 minutes whether or not the user is still using it.
Step 3: Apply the ACL to the appropriate interface.
Step 4: Specify that when a user Telnets in and authenticates successfully, a session with a 5-minute idle timeout is established: if the user does not use the session it ends after 5 minutes (idle timeout); if the user keeps using it, it ends after 120 minutes.
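The configuration below is an added example that carries out the four steps above; it is not code from the original page. The username Student, the password, the ACL number 101 and the interface s0/0/1 are assumptions, and 10.2.2.2 is assumed to be an address on the router itself, since the lock-and-key Telnet session must terminate on the router.

```cisco
! Step 1: local account used to authenticate the Telnet session (username and password assumed)
R3(config)#username Student secret cisco
!
! Step 2: permit Telnet to the router (10.2.2.2 assumed to be the router's address), then the
! dynamic entry. The dynamic entry is inactive until access-enable creates it and then lives
! at most 15 minutes (absolute timeout), whether or not traffic is flowing.
R3(config)#access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)#access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! Step 3: apply inbound on the interface facing the 192.168.10.0 network (interface assumed)
R3(config)#interface s0/0/1
R3(config-if)#ip access-group 101 in
R3(config-if)#exit
!
! Step 4: authenticate vty users against the local database and create the dynamic entry on
! login. "host" limits the entry to the source address of the Telnet client instead of
! "any"; "timeout 5" is the idle timeout in minutes.
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#autocommand access-enable host timeout 5
R3(config-line)#end
!
! After a user has logged in, the temporary entry appears under the dynamic statement
R3#show access-lists 101
```

Because the autocommand closes the Telnet session as soon as the entry is created, an administrator who also needs an interactive shell on the router should keep at least one vty line without the autocommand. The two timeouts are independent: the entry is removed by whichever of the 5-minute idle timeout or the 15-minute absolute timeout fires first.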

Example 2: authentication with a TACACS server

! Enable AAA and authenticate logins against TACACS+, falling back to the enable password
aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec stop-only group tacacs+
aaa accounting network stop-only group tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name diana
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
! Permit hosts to Telnet to 172.18.21.2. The Telnet login is authenticated against the TACACS
! server; on success, all IP traffic is permitted through the router. The "timeout 5" on the
! dynamic entry is an absolute timeout of 5 minutes.
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
! Addresses of the TACACS servers and the shared key used to authenticate to them
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password cisco
line aux 0
! The "timeout 5" on the autocommand is the idle timeout for the session, 5 minutes
line vty 0 4
 autocommand access-enable timeout 5
 password cisco
!

Note that the passwords in this example (ciscotac, cisco, the TACACS key test1) are stored in clear text; a production configuration should use enable secret and service password-encryption, and a strong shared key.

6. Reflexive ACLs


Characteristics: reflexive ACLs can only be defined inside extended named ACLs; they cannot be created in numbered ACLs or in standard named ACLs.
Application: used to permit the IP traffic of sessions initiated from inside the network and to block sessions initiated from the outside network. The ACL inspects packets leaving the network; when a packet initiates a session, a temporary entry permitting the return traffic of that session is added automatically. Reflexive ACLs filter sessions better than merely checking the ACK and RST bits as the established keyword does: they match on the source and destination addresses, the ports, and the ACK and RST bits of the packet. In addition, session filtering uses temporary entries that are deleted when the session ends.
How to create reflexive ACLs:

Example: configure ACLs that permit ICMP and TCP traffic in both the inbound and the outbound direction, but only if the first packet of the session originated in the internal network. All other traffic is denied. The reflexive ACLs are applied on interface s0/1/0.
+ Configuration steps:
Step 1: Create an extended named ACL that permits traffic out to the Internet.
Step 2: Create an extended named ACL that contains the reflexive ACL generated automatically when an outbound packet matches the named ACL from step 1.
Step 3: Apply the named ACLs to the interface.
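The configuration below is an added example implementing the three steps above; it is not code from the original page. The ACL names OUTBOUND and INBOUND, the reflexive list names TCP-TRAFFIC and ICMP-TRAFFIC, and the 120-second idle timeout are assumptions; only the interface s0/1/0 comes from the text.

```cisco
! Step 1: outbound ACL. "reflect" records every TCP and ICMP session that starts from the
! inside in the temporary list named after it (names assumed)
R3(config)#ip access-list extended OUTBOUND
R3(config-ext-nacl)#permit tcp any any reflect TCP-TRAFFIC
R3(config-ext-nacl)#permit icmp any any reflect ICMP-TRAFFIC
R3(config-ext-nacl)#exit
!
! Step 2: inbound ACL. "evaluate" inserts the temporary entries at this point, so only the
! return traffic of sessions that were opened from inside matches. The final deny is
! explicit for readability; the implicit deny would have the same effect.
R3(config)#ip access-list extended INBOUND
R3(config-ext-nacl)#evaluate TCP-TRAFFIC
R3(config-ext-nacl)#evaluate ICMP-TRAFFIC
R3(config-ext-nacl)#deny ip any any
R3(config-ext-nacl)#exit
!
! Step 3: apply both lists on the outside interface s0/1/0
R3(config)#interface s0/1/0
R3(config-if)#ip access-group OUTBOUND out
R3(config-if)#ip access-group INBOUND in
R3(config-if)#exit
!
! Optional: drop temporary entries that see no traffic for 120 seconds (the IOS default
! is 300 seconds); TCP entries are also removed when the session closes
R3(config)#ip reflexive-list timeout 120
R3(config)#end
!
! While an inside host has a session open, the temporary entries are listed under the
! reflexive list names
R3#show access-lists
```

Any protocol not covered by a reflect entry (UDP here, for instance) is neither recorded on the way out nor permitted back in; it would need its own permit ... reflect entry in OUTBOUND and a matching evaluate in INBOUND.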

7. Time-based ACLs
Characteristics: they work like extended ACLs but additionally allow access to be controlled based on time.
Application: filtering packets on the same fields as an extended ACL and on time as well.
How to create time-based ACLs:
Example: set up an ACL that permits a Telnet connection from the inside network to the outside network on Monday, Wednesday and Friday during business hours.
+ Configuration steps:
Step 1. Define the time range during which the ACL is enforced and give it a name. (The time range is evaluated against the router's system clock; the feature works best when the clock is synchronized with the Network Time Protocol (NTP), but the router's local clock can also be used.)
Step 2. Apply the time range to the ACL.
Step 3. Apply the ACL to the interface.
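The configuration below is an added example implementing the three steps above; it is not code from the original page. The time-range name BUSINESS-HOURS, the 08:00 to 17:00 window, the inside network 192.168.10.0/24, ACL number 103, the interface s0/0/1 and the NTP server address are all assumptions.

```cisco
! Keep the clock correct: the time range is compared against the router clock, so an
! unsynchronized clock silently opens or closes the ACL at the wrong times
! (NTP server address assumed)
R3(config)#ntp server 192.168.1.1
!
! Step 1: name the time range. "periodic" defines a recurring schedule; "absolute" would
! define a one-off start and end
R3(config)#time-range BUSINESS-HOURS
R3(config-time-range)#periodic Monday Wednesday Friday 8:00 to 17:00
R3(config-time-range)#exit
!
! Step 2: reference the time range from an extended ACL entry. Outside the window the
! entry is inactive and the packet falls through to the implicit deny.
R3(config)#access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range BUSINESS-HOURS
!
! Step 3: apply outbound on the interface toward the outside network (interface assumed)
R3(config)#interface s0/0/1
R3(config-if)#ip access-group 103 out
R3(config-if)#end
!
! Verify: "show time-range" reports whether the range is currently active or inactive,
! and "show clock" confirms the time it was evaluated against
R3#show time-range
R3#show clock
```

As with the extended ACL example earlier, ACL 103 contains a single permit entry, so every other outbound packet on s0/0/1 is dropped by the implicit deny; add further permit entries if other traffic must continue to flow.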

Network diagram: blocking access to a Web server with an ACL
Topology: (figure not reproduced)

Requirement: block the hosts in LAN 192.168.10.0/24 from reaching the Web server.
Configuration guide:

- Assume routing in the network is already configured (static routing or a dynamic routing protocol such as RIP, OSPF, EIGRP, ...).
- Block the PCs in LAN 192.168.10.0/24 from reaching the Web server (192.168.20.200, HTTP on port 80):

RA(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.200 eq www
RA(config)#access-list 101 permit ip any any
RA(config)#interface fa0/1
RA(config-if)#ip access-group 101 in

The ACL is applied inbound on fa0/1, presumed to be the interface facing the 192.168.10.0/24 LAN, so unwanted packets are dropped as close to their source as possible. Note that eq www matches only port 80; if the server also serves HTTPS, a second deny entry for port 443 is needed.
