Router - ACL - PortMC LC
PHN 1 : TNG QUAN V AN NINH MNG
CISCO...............................................2PHN 2.NGUYN TC
NH
TUYN......................................................................7PHN
3.REMOVINGPROTOCOL
VSERVICES..............................................16PHN
4:ACCESS CONTROL
LISTS(ACL)...........................................................19PHN
5: ACCESS-LIST V
ROUTE-FILTERING..................................................27PHN
6.CU HNH SYSLOG CHO ROUTER(LOGGING CONCEPTS)........34
PHN 1 : TNG QUAN V AN NINH MNG CISCO1.An ninh Mng l g?C nhng lc,
v d nh khi bn ri vn phng v nh khi kt thc ngy lm vic, bn s bt h thng
cnh bo an ninh v ng ca bo v vn phng v thit b. Dng nh bn cng s c mt
ngn cha an ton hoc kha t lu tr cc ti liu kinh doanh mt.Mng my tnh
ca bn cng i hi cng mt mc bo v nh vy.Cc cng ngh An ninh Mng bo v mng
ca bn trc vic nh cp v s dng sai mc ch thng tin kinh doanh b mt v
chng li tn cng bng m c t vi rt v su my tnh trn mng Internet. Nu
khng c An ninh Mng c trin khai, cng ty ca bn s gp ri ro trc xm nhp
tri php, s ngng tr hot ng ca mng, s gin on dch v, s khng tun th quy
nh v thm ch l cc hnh ng phm php na.2.An ninh hot ng nh th noAn ninh
Mng khng ch da vo mt phng php m s dng mt tp hp cc ro cn bo v doanh
nghip ca bn theo nhng cch khc nhau. Ngay c khi mt gii php gp s c th
gii php khc vn bo v c cng ty v d liu ca bn trc a dng cc loi tn cng
mng.Ccthng tinan ninh trn mng ca bn c ngha l thng tin c gi tr m bn
da vo tin hnh kinh doanh l lun sn c i vi bn v c bo v trc cc tn cng.
C th, An ninh Mngl: Bo v chng li nhng tn cng mng t bn trong v bn
ngoi. Cc tn cng c th xut pht t c hai pha, t bn trong v t bn ngoi
tng la ca doanh nghip ca bn. Mt h thng an ninh hiu qu s gim st tt c
cc hot ng mng, cnh bo v nhng hnh ng vi phm v thc hin nhng phn ng
thch hp. m bo tnh ring t ca tt c cc lin lc, bt c u v vo bt c lc
no.Nhn vin c th truy cp vo mng t nh hoc trn ng i vi s m bo rng hot
ng truyn thng ca h vn c ring t v c bo v. Kim sot truy cp thng tin
bng cch xc nh chnh xc ngi dng v h thng ca h.Cc doanh nghip c th t
ra cc quy tc ca ring h v truy cp d liu. Ph duyt hoc t chi c th c cp
trn c s danh tnh ngi dng, chc nng cng vic hoc cc tiu ch kinh doanh
c th khc. Gip bn tr nn tin cy hn.Bi v cc cng ngh an ninh cho php h
thng ca bn ngn chn nhng dng tn cng bit v thch ng vi nhng dng tn cng
mi, nhn vin, khch hng v cc doanh nghip c th an tm rng d liu ca h c
an ton.3.Cc doanh nghip ang s dng cc cng ngh an ninh nh th noAn
ninh Mng tr thnh mt yu cu i vi doanh nghip, c bit l nhng doanh
nghiphot ng trnmng Internet. Khch hng, nh cung cp v i tc kinh doanh
ca bn k vng vo bn bo v bt k thng tin no m h chia s vi bn.Trong khi
An ninh Mng gn nh tr thnh mt yu cu tin quyt vn hnh mt doanh nghip,
n cng mang li li ch theo nhiu cch khc nhau. Di y l nhng li ch m cc
doanh nghip thu c t mt mng c bo v an ton:a.Lng tin ca khch hng Tnh
ring t c m bo Cng tc c khuyn khchMt h thng an ninh mngm bo vi khch
hng rng nhng thng tin nhy cm nh l s th tn dng hoc cc chi tit kinh
doanh b mt s khng b truy cp v khai thc tri php. Cc i tc kinh doanh
ca bn s cm thy t tin hn khi chia s d liu nh l d bo doanh thu hoc ln
k hoch sn phm trc khi pht hnh. Ngoi ra, cc cng ngh va ngn chn xm
nhp tri php va cung cp cho cc i tc ca bn truy cp an ton n thng tin
trn mng ca bn, gip bn cng tc v lm vic cng nhau mt cch hiu qu
hn.b.Di ng Bo v truy cp di ng Nng cao nng sut khi ang ngoi vn
phngGii php An ninh Mng mnh m cho php nhn vin ca bn truy cp an ton
trn ng i hoc t nh ring m khng lm ly lan vi rt hoc cc dng tn cng
khc. Truy cp mng an ton, thun tin c ngha l nhn vin c th s dng thng
tin quan trng khi h cn, gip h tr nn c nng sut cao hn ngay c khi h
khng ngi trc bn lm vic.c.Nng sut cao hn t lng ph thi gian do spam
hn o c v cng tc tt hn gia cc nhn vinMth thngAn ninh Mng hiu qu c th
nng cao nng sut trn phm vi ton b t chc ca bn. Nhn vin mt t thi gian
hn vo nhng cng vic khng c nng sut nh l chng spam v dit vi rt. Mng v
kt ni Internet ca bn lun c an ton, m bo rng bn v nhn vin ca mnh c
truy cp thng xuyn n Internet v e-mail.d.Gim chi ph Trnh c gin on
dch v Cc dch v tin tin c pht trin an tonS gin on hot ng ca mng gy
thit hi ln i vi mi th loi doanh nghip. Bng cch m bo rng mng v kt ni
Internet ca bn l an ton v hot ng lin tc, bn c th m bo rng khch hng
c th tip cn bn khi h cn n bn. An ninh hiu qu cho php doanh nghip ca
bn b sung cc dch v v ng dng mi m khng lm nh hng n hiu nng mng. S
dng mt khuynh hng ch ng bo v d liu ca bn s m bo rng doanh nghip ca
bn s tn ti v hot ng theo yu cu.Khi cng ty ca bn tng trng, nhu cu v
mng cng thay i. Vic thit lp mt mng an ton, mnh m ngay t hm nay s
cho php cng ty bn b sung nhng chc nng tin tin nh l kt ni mng khng
dy an ton hoc thoi v hi ngh.4.Bt u vi An ninh MngTy theonhu cu ca
doanh nghip bn vi nhng cng ngh an ninh thch hp l bc u tin bt u mt d
n an ninh mng.S dng danh sch nhng cn nhc di y gip bn bt u:a.Cp an
ninh hin ti ca bnKhm ph v nhng tnh nng an ninh m mng ca bn c. Danh
sch ny s gip xc nh nhng thiu ht trong cc phng php bo v hin ti ca
bn. Mng hin ti c cung cp tng la, mng ring o, ngn chn xm nhp, chng
vi rt, mt mng khng dy an ton, pht hin bt thng v qun l danh tnh cng
nh ph duyt tun th hay khng? Nhng tnh nng ny c giao tip vi nhau
khng?b.Cc ti sn ca bnXy dng mt danh mc v cc ti sn ca bn xc nh xem s
cn bao nhiu cp , lp bo v m h thng ca bn cn c. Bn trong doanh nghip
c th ca bn, nhng ti sn no c vai tr quan trng nht i vi s thnh cng? C
phi vic bo v thng tin ni b ca bn l quan trng nht khng; hay l vic bo
v thng tin khch hng ca bn l quan trng nht; hay l c hai? Gi tr ca
nhng ti sn ny ln n u? Nhng ti sn ny nm u trong doanh nghip ca
bn?c.Truyn ti thng tinnh gi xem thng tin ang c chia s nh th no bn
trong v bn ngoi cng ty ca bn. Nhn vin ca bn c cn truy cp nhanh n
thng tin ni b thc hin cng vic ca h khng? Bn c chia s d liu bn ngoi
bn bc tng ca doanh nghip khng? Bn kim sot vic ai c th truy cp n
thng tin ny nh th no? Bn c cung cp nhng cp khc nhau v truy cp cho
nhng ngi dng mng khc nhau khng?d.Cc k hoch pht trinCng ty bn c ang
lp k hoch b sung thm cc tnh nng tin tin vo h thng ca mnh khng? H
thng ca bn cn phi thch ng v linh ng n u? Gii php an ninh ca bn cn
phi c th h tr c s gia tng lu lng mng hoc cc ng dng tin tin m khng
lm gin on dch v.e.nh gi ri roXc nh xem nhng hu qu ca mt v tn cng an
ninh c vt khi phm vi v tn tht nng sut v gin on dch v khng. Mi trng
kinh doanh ca bn b iu chnh v mt php l n mc no? Ri ro ca vic khng
tun th quy nh l g? Doanh nghip ca bn c th chp nhn c mc gin on thi
gian hot ng n mc no trc khi tn tht v ti chnh hoc uy tn xy ra?f.D s
dngMt cng ngh an ninh tt nht cng s khng mang li cho bn li ch no c
nu n khng c lp t v s dng d dng. Hy m bo l bn c cc ti nguyn qun l h
thng m bn lp t.
PHN 2.NGUYN TC NH TUYN
1. Khi Nim ROUTING
nh tuyn l qu trnh router s dng chuyn tip cc packet n mng ch.
Router a ra quyt nh da trn a ch IP ch ca packet. c th a ra c quyt
nh chnh xc, router phi hc cch lm sao i n cc mng xa. Khi router s
dng qu trnh nh tuyn ng, thng tin ny s c hc t nhng router khc. Khi
qu trnh nh tuyn tnh c s dng, nh qun tr mng s cu hnh thng tin v nhng
mng xa bng tay cho router.Bi v cc tuyn ng tnh c cu hnh bng tay, nh
qun tr phi thm v xa cc tuyn ng tnh phn nh s thay i ca hnh mng. Qu
trnh nh tuyn tnh c nhc im l khng c kh nng m rng nh nh tuyn ng bi v
n i hi nhiu cng sc ca nh qun tr.
2. Nguyn tc nh tuynCc giao thc nh tuyn phi t c cc yu cu ng thi
sau:Khm ph ng mt topo mng.Xy dng cc ng ngn nht.Kim sot tm tt thng
tin v cc mng bn ngoi, c th s dng cc metric khc nhau trong mng cc
b.Phn ng nhanh vi s thay i topo mng v cp nht cc cy ng ngn nht.Lm tt
c cc iu trn theo nh k thi gian.
3. Cc Phng Thc nh Tuyn:
A. STATIC ROUTINGCc bc cu hnh nh tuyn tnh:Nh qun tr cu hnh con
ng tnh.Router s a con ng vo trong bng nh tuyn.Con ng nh tuyn tnh s
c a vo s dng.
C php cu lnh:Router(config)#ip route {destination network}
{subnet mask} {nexthop ip address | outgoing interface}
Administrative distance (AD) l mt tham s ty chn, ch ra tin cy ca mt
con ng. Con ng c gi tr cng thp th cng c tin cy. Gi tr AD mc nh ca
tuyn ng tnh l 1.
DEFAULT ROUTEC php:Router(config)#ip route 0.0.0.0 0.0.0.0
{nexthop ip address | outgoing interface}Default route c s dng gi
cc packet n cc mng ch m khng c trong bng nh tuyn. Thng c s dng trn
cc mng dng stub network (mng ch c mt con ng i ra bn ngoi)
KIM TRA CU HNH
Router#show running-configRouter#show ip route
B. DYNAMIC ROUTING
Routing Protocol (giao thc nh tuyn)Ngn ng giao tip gia cc
router. Mt giao thc nh tuyn cho php cc router chia s thng tin v cc
network. Router s dng cc thng tin ny xy dng v duy tr bng nh tuyn ca
mnh.
Cc loi giao thc nh tuyn:
Distance Vector: RIP, IGRP. Hot ng theo nguyn tt "hng xm", ngha
l mi router s gi bng routing-table ca chnh mnh cho tt c cc router c
ni trc tip vi mnh. Cc router sau o so snh vi bn routing-table m mnh
hin c v kim xem route ca mnh v route mi nhn c, route no tt hn s c
cp nht. Cc routing-update s c gi theo nh k (30 giy vi RIP , 60 giy
i vi RIP-novell, 90 giy i vi IGRP). Do , khi c s thay i trong mng,
cc router s bit c khc mng no down lin.u im:Dcu hnh,router khngtn
nhiu ti nguyn x l thng tin nh tuynNhc im:H thng metric qu n gin (nh
rip ch l hop-count) nn c thxy ra vicchn ng i tt nht (best route)
khng hon ton chnh xc.Do phi cp nht nh k cc routing-table, nn mt lng
bandwidth ng k sblng ph, throughputgimi mc d mng khngcthay i.Cc
Router hi t chm, s dn n vic sai lch trong bng route, thiu n nh
(route flaping),Routing LOOP.
Link-state: Linkstate khng gi routing-update, m ch gi tnh trng
[state] ca cc ci link trong linkstate-database ca mnh i cho cc
router khc, ri t mi router schy gii thut shortest path first (giao
thcOSPF - open shortest path first), txy dngbng routing-table cho
mnh. Sau khi mng hi t, link-state protocol s khng gi update nh k nh
Distance-vector, m ch gi khi no c mt s thay i trong topology mng (1
line b down, cn s dng ng back-up)u im:Scalable: c th thch nghi c vi
a s h thng, cho php ngi thit k c th thit k mng linh hot, phn ng
nhanh vithay isy ra.Do khng gi interval-update, nn link state bo m
c bng thng cho cc ng mng .Khuyt im:Do router phi s l nhiu, nn chim
nhiuti nguyn,gim performance.Mt khuyt im na l: linkstate kh kh cu
hnh chy tt , nhng ngi lm vic c kinh nghim lu th mi cu hnh tt c, do
cc k thi cao cp ca Cisco ch trng kh k n linkstate
Mt s giao thc nh tuyn:Routing Information Protocol (RIP)Interior
Gateway Routing Protocol (IGRP)Enhanced Interior Gateway Routing
Protocol (EIGRP)Open Shortest Path First (OSPF)
a. RIPGiao thc nh tuyn Distance VectorS dng hop-count lm metric.
Maximum hop-count l 15Administrative distance l 120Hot ng theo kiu
tin nGi update nh k sau 30 giy. Thng tin gi i l ton b bng nh
tuynRIP v1 v RIP v2RIP v1: classful (khng gi subnetmask)RIPv2:
classless, h tr VLSM(c km theo subnetmask), authenticationCu hnhKch
hot giao thc nh tuyn RIP trn router bng cu
lnh:Router(config)#router ripKhai bo cc network cn qung b cng nh
kch hot cc interface c php gi v nhn RIP update bng cu
lnh:Router(config-router)#networkKim tra hot ngShow ip protocolShow
ip routeDebug ip rip quan st vic RIP cp nht bng cch gi v nhn trn
router.No debug ip rip hoc undebug all tt ch debugShow ip protocol
xem routing protocol timerShow protocolsxem cc protocols no c cu
hnh trn cc interface
b. IGRPGiao thc nh tuyn Distance VectorS dng kt hp gia bng thng
(bandwidth) v tr (delay) lm metricAdministrative distance l 100Hot
ng theo kiu tin nGi update nh k sau 90 giy. Thng tin gi i l ton b
bng nh tuynclassful (khng gi subnetmask)L giao thc ring ca CiscoCu
hnhKch hot giao thc nh tuyn RIP trn router bng cu
lnh:Router(config)#router igrpKhai bo cc network cn qung b cng nh
kch hot cc interface c php gi v nhn IGRP update bng cu
lnh:Router(config-router)#network(*) AS (Autonomous System): l mt
mng c qun tr chung vi cc chnh sch nh tuyn chung. Giao thc IGRP s
dng AS to cc nhm router cng chia s thng tin tm ng vi nhau.Kim tra
hot ngShow ip protocolShow ip routeDebug ip igrp events xem cc cp
nht ca IGRP c gi v nhn trn router.No debug ip igrp eventshocundebug
all tt ch debugShow ip protocol xem routing protocol timerShow
protocolsxem cc protocols no c cu hnh trn cc interfaceDebug ip igrp
transactions xem cc s IGRP events c x l trn router.
c. EIGRPGiao thc c quyn ca Cisco.Giao thc nh tuyn classless (gi
km thng tin v subnet mask trong cc update).Giao thc
distance-vector.Ch gi update khi c s thay i trn mng.H tr cc giao
thc IP, IPX v AppleTalk.H tr VLSM/CIDR.Cho php thc hin qu trnh
summarization ti bin mng.La chn ng i tt nht thng qua gii thut
DUAL.Xy dng v duy tr cc bng neighbor table, topology table v
routing table.Metric c tnh da trn cc yu t: bandwidth, delay, load,
reliability.Cho php cn bng ti trn cc con ng c gi thnh khng bng nhau
(unequal-cost).Gi tr AD bng 90.Khc phc c vn mng khng lin tcgp phi i
vi cc giao thc RIPv1 v IGRP.Cu hnhKch hot giao thc nh tuyn
EIGRP:Router(config)# router eigrpKch hot cc interface s gi v nhn
update, cng nh khai bo cc network cn qung b:Router(config-router)#
networkTt chc nng auto-summary ti bin mng:Router(config-router)# no
auto-summaryCc cu lnh troubleshoot: show ip route,show ip route
eigrp, show ip eigrp neighbors, show ip eigrp topology.
d. OSPFChun m.Giao thc link-state.Ch h tr giao thc IP.Gom nhm cc
network v router vo trong tng area. Lun tn ti area 0 (backbone
area). Tt c cc area khc (nu c) u phi ni vo area 0.S dng gii thut
Dijkstra xy dng cy ng i ngn nht n cc ch.Cho php cn bng ti trn cc
con ng bng c gi thnh bng nhau (equal-cost).H tr VLSM/CIDR.Ch gi
update khi c s thay i trn mng.Khc phc vn lin quan n discontiguous
network.Xy dng v duy tr cc neighbor database, topology database.Gi
tr AD bng 110.
Cu hnhKch hot giao thc nh tuyn OSPFRouter(config)#router ospf Cu
hnh OSPF areaRouter(config-router)#network area Cc cu lnh
troubleshoot:show ip route, show ip ospf, show ip ospf database,
show ip ospf interface, show ip ospf neighbor.
PHN 3.REMOVINGPROTOCOL VSERVICES
Extended Access Listcho php hoc loi b (permit / deny) traffic
theo protocol v service
port:Router(config)#access-list{access-list-number}{deny|permit}
{protocol} [sourceaddress] [destination
address]{serviceport|eqservice}access-list-number:Vi Extended
Access list, ch s ny nm trong khong 100-199, 2000-2069.Protocol:0
255 IP protocol number (tham kho
tihttp://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml)
hoc cc protocol ph bin sau:AhpAuthentication Header
ProtocolEigrpCisco's EIGRP routing protocolEspEncapsulation
Security PayloadGreCisco's GRE tunnelingIcmpInternet Control
Message ProtocolIgmpInternet Gateway Message ProtocolIpAny Internet
ProtocolIpinipIP in IP tunnelingNosKA9Q NOS compatible IP over IP
tunnelingospfOSPF routing protocolpcpPayload Compression
ProtocolpimProtocol Independent MulticasttcpTransmission Control
ProtocoludpUser Datagram Protocol
Services v port number tng ng:WELL-KNOWN PORTS: 01023Tham kho y
tihttp://www.iana.org/assignments/port-numbershttp://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Registered_ports:_1024.E2.80.9349151hoc
mt s port thng dng:21: File Transfer Protocol (FTP)22: Secure Shell
(SSH)23: Telnet remote login service25: Simple Mail Transfer
Protocol (SMTP)53: Domain Name System service80: Hypertext Transfer
Protocol (HTTP) used in the World Wide Web110: Post Office
Protocol(POP)119: Network News Transfer Protocol (NNTP)161: Simple
Network Management Protocol (SNMP)443: HTTPs with Transport Layer
Security or Secure Sockets LayerREGISTERED PORTS: 102449151Tham kho
y
tihttp://www.iana.org/assignments/port-numbershttp://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Registered_ports:_1024.E2.80.9349151hoc
mt s port thng dng:1080 TCP SOCKS proxy1167 UDP phone, conference
calling1194 TCP UDP OpenVPN1220 TCP QuickTime Streaming Server
administration1234 UDP VLC media player Default port for UDP/RTP
stream1293 TCP UDP IPSec (Internet Protocol Security)1352 TCP IBM
Lotus Notes/Domino[36](RPC) protocol1470 TCP Solarwinds Kiwi Log
Server1503 TCP UDP Windows Live Messenger (Whiteboard and
Application Sharing)1512 TCP UDP Microsoft Windows Internet Name
Service (WINS)1513 TCP UDP Garena Garena Gaming ClientDYNAMIC,
PRIVATE OR EPHEMERAL PORTS: 4915265535GM CC PORT C S DNG M KHNG CN
NG K VI IANA, S DNG TRONG CC DCH V CHY TRONG MNG NI B, HOC CC DCH V
PHT TRIN RING.
PHN 4:ACCESS CONTROL LISTS(ACL)I.Mt s khi nim v ACL.ACL l mt
danh sch cc cu lnh c p t vo cc cng (interface) ca router. Danh sch
ny ch ra cho router bit loi packet no c chp nhn (allow) v loi
packet no b hy b (deny). S chp nhn v hu b ny c th da vo a ch ngun,
a ch ch hoc ch s port.1.Ti sao phi s dng ACLs?- Qun l cc IP
traffic- H tr mc c bn v bo mt cho cc truy cp mng, th hin tnh nng lc
cc packet qua routerChc nng:+Xc nh tuyn ng thch hp cho DDR
(dial-on-demand routing)+ Thun tin cho vic lc gi tin ip+ Cung cp
tnh sn sngmng cao2.Cc loi ACLsC 2 loi Access lists l: Standard
Access lists v Extended Access listsStandard ACLs:Lc (Filter) a ch
ip ngun (Source) vo trong mngnn ct gn ch (Destination).Extended
ACLs:Lc a ch ip ngun v ch ca 1 gi tin (packet), giao thc tng
Network layer header nh TCP, UDP, ICMP, v port numbers trong tng
Transport layer header. Nn t gn ngun (source).Complex ACLs: Ngoi ra
cn c thm cc ACLs khc nh: Dynamic ACLs, Reflexive ACLs, Time-base
ACLs.Dynamic ACLs:Lock and key cho php lc cc ip tracffic ng.Dng
ACLs extended trong vic to ra cc ACLs bo mt hnS dng khi c host t xa
mun truy cp n localhostReflexive ACLs:Ngn chn nhng traffic l t ngoi
vo trong localhostNhng tracffic t trong ra ngoi th c cho php t ngoi
i vo trongTime-base ACLsQun l ACLs theo thi gian m ngi qun tr qui
nh trc3.Cch t ACLs.a-Inbound ACLs.Inbound: ni nm na l 1 ci cng
vo(theo chiu i vo ca gi tin) trn Router nhng gi tin s c x l thng
qua ACL trc khi c nh tuyn ra ngoi (outbound interface). Ti y nhng
gi tin s dropped nu khng trng vi bng nh tuyn (routing table), nu gi
tin (packet) c chp nhn n s c x l trc khi chuyn giao
(transmission).b-Outbound ACLs.Outbound: l cng i ra ca gi tin trn
Router, nhng gi tin s c nh tuyn n outbound interface v x l thng qua
ACLs, trc khi a n ngoi hng i (outbound queue).4.Hot ng ca ACLs.-
ACL s c thc hin theo trnh t ca cc cu lnh trong danh sch cu hnh khi
to access-list. Nu c mt iu kin c so khp (matched) trong danh sch th
n s thc hin, v cc cu lnh cn li s khng c kim tra na.Trng hp tt c cc
cu lnh trong danh sch u khng khp (unmatched) th mt cu lnh mc nh
deny any c thc hin. Cui access-list mc nh s l lnh loi b tt c (deny
all). V vy, trong access-list cn phi c t nht mt cu lnhpermit. Khi
packet i vo mt interface, router s kim tra xem c mt ACL trong
inbound interface hay khng, nu c packet s c kim tra i chiu vi nhng
iu kin trong danh sch. Nu packet c cho php (allow) n s tip tc c kim
tra trong bng routing quyt nh chn interface i n ch. Tip , router s
kim tra xem outbound interface c ACL hay khng. Nu khng th packet c
th s c gi ti mng ch. Nu c ACL outbound interface, n s kim tra i
chiu vi nhng iu kin trong danh sch ACL .5.Ch :Ch c th thit lp 1 ACL
trn giao thc cho mi hng trn mi interface. Mt interface c th c nhiu
ACL.Router khng th lc traffic m bt u t chnh n.Cu lnh no t trc th x
l trc. Khi 1 cu lnh mi thm vo danh sch, n s t cui danh sch.Standard
ACLs: Nn t gn ch ca traffic.Extended ACLs: Nn t gn ngun ca
traffic.Mc nh c hai lnh the Access-Group hay the Access-Class theo
chiu OUT6.Thut ton hot ngHnh nh m t hot ng ca ACLs:
Cng vo d liu c gi l Incoming, cng ra l Outcomming, trc tin n s d
bng nh tuyn, nu ng th tip in l kim tra ACLs, nu ng th i tip, ngc li
s bi hu b.ACLs hot ng theo th t v thc hin cu lnh u tin nu n
matched.
Hnh trn cho ta thy ACLs kim tra cc danh sch truy cp nh th
no.
II-Cu hnh Access control lists.1.Standard Access lists.Standard
ACLs s dng s t 1 -> 99 hay 1300 -> 1999.C 2 bc to ACLs:B1:nh
ngha danh sch ACLs t vo interface.router(config)#access-list [ACL
number] [permit|deny] [source address] [wildcard mask] [log]Hoc l
:router(config)#access-list [ACL number] [permit|deny] [host|any]
[source address]B2:Sau t danh sch(ACLs) vo interface trn router m
ta mun chn gi tin ngay ti .router(config)#interface
[interface-number]router(config-if)#ip access-group [ACL number]
[in out]V standard access-list ch kim tra c a ch ngun nn phi p
access-list vo cng gn ch nht.2.Extended Access lists.#: Extanded
ACLs s dng s t 100 -> 199 hay 2000 -> 2699.Cng ging standard
ACL v thm mt s cch lc gi tin nh:Source and destination IP address
(a ch ngun a ch ch)IP protocol TCP, UDP, ICMP(cm giao thc)Port
information (WWW, DNS, FTP, TELNET,)( cm cc dch v thng qua cc cng
hot ng ca n)Cc lnh cu hnh:Ta cng thc hin 2 bc ging nh Standard
ACLsB1:Toaccesslistti global config mode:router(config)#access-list
[#] [permit deny] [protocol] [source address] [wildcard mask]
[operator source port] [destination address] [wildcard mask]
[operator destination port] [log]Hocrouter(config)#access-list [#]
[permit deny] [protocol] [host] [source address] [host]
[destination address][ lt, gt, neq, eq, range] [port number]B2:p
access-list vo cng.router(config)#interface
[interface-number]router(config-if)#ip access-group [#] [in out] -
interface access controlMt s port thng
dng:21FTP23TELNET25SMTP53DNS69TFTP80WWW161SNMP520RIP
3.Complex ACLsa-Dynamic ACLs:Cc bc cu hnh:B 1: To mt ti khon ngi
dng local trn routerB 2: To mt Extended ACLs cho php tt c cc host c
telnet n host 10.2.2.2. Khi telnet thnh cng s cho php ng mng
192.168.10.0 i qua ng mng 192.168.30.0 vi thi gian timeout 15 pht
(absolute time)(ALCs ng s sinh ra khi lnh access-enable c bt ln v s
mt i sau 15 pht bt chp user c s dng n hay ko)B 3: Gn ACLs cho
interface ch nhB 4: Ch nh nu user telnet v xc thc thnh cng th s
thit lp mt session 5 pht, nu user ko s dng session ny n s kt thc
sau 5 pht (idle timeout) nu user s dng session ny n s kt thc sau 15
pht.
b-Replexive ACLsCu hnh ACLs cho php ICMP v TCP traffic c chiu
inbound v outbound nhng ch cho php nu gi tin u tin ca session bt
ngun t mng ni b. Tt c cc traffic khc s b cm. Reflexive ACLs c gn
trn interface s0/1/0Cc bc cu hnh:B 1: To mt Extend name ACLs cho
php cc traffic i ra ngoi InternetB 2: To mt Extend name ACLs cha
Reflexive ACLs t ng c to ra khic gi outbound match vi Name ACLs bc
1.B 3: Gn cc name ACLs cho interface
c-Time-base ACLsCc bc cu hnh:B 1. nh ngha khong thi gian thi hnh
ACLs v t cho n mt ci tn.(khong thi gian ny ph thuc vo gi h thng trn
router, chc nng ny lm vic tt vi s ng b thi gian ca giao thc Network
Time Protocol (NTP) nhng lc ny ng h ca router khng c s dng. )B 2. p
dng khong thi gian ny cho ACLsB 3. P dng ACL cho interface.
III-Qun l cc ACLs. Hin th tt c ACLs ang s
dng.Router(config)#show running-config Xem ACLs hot ng trn
interface no . Router(config)#show interface [ # ] Xem vic t v hng
i ca ip ACLs:Router(config)#show ip interfaces [ # ] Xem nhng cu
lnh ACLs:Router(config)#show access-list [ # ] Hin th tt c ip
ACLs:Router#show ip access-list Hin th ip ACL 100:Router#show ip
access-list 100 Xa b m (to clear the counters
use):router(config)#show access-list [ # ]router(config)#clear
access-list counter [ # ] Xa Access listrouter(config)#no ip
access-list [standard-extended][#]router(config)#interface
[interface-number]router(config-if)#no access-list [#] [permit
deny] [source address] [wildcard mask]
PHN 5: ACCESS-LIST V ROUTE-FILTERING
1.Khi nim v route-filtering:Khi chy nhiu giao thc chung vi nhau
v c nhu cu redistribution t giao thc ny vo giao thc kia ta c th gp
phi vn ng dn khng ti u, route feedback(sau khi redistribute route
xong route li quay ngc v ni sinh ra do distance ca giao thc c
redistribute vo thp hn)S dng tnh nng lc route gip nh qung tr iu
khin c nhng route qung b, redistribute, Vic lc route nhng giao thc
distance th hiu qu hn nhng giao thc link-state. V giao thc vi giao
thc distance th router qung b route da trn bng routing table c
n.Nhng router ang chy link-state protocol xc nh route ca chng da
trn thng tin trong link-state database hn l nhng route c neighbors
qung b vo n.Vic lc route khng nh hng n qung b trng thi link hay bng
link-state database.Kt qu vic lc route c th tc ng trn router c cu
hnh lc nhng khng nh hng n route i vo router neighbor.(i vi
Link-state, bi v n qung b trng thi ca link)V vy vic lc route th
thng c s dng trn con ASBR v ni y route s i vo v i ra ging dng ca
distace vector.Access-list c s dng chn route (route selection)trong
distribute-list v route-map
2.Distribute-listDistribute-list c dng nhiu trong qu trnh thc
hin kim sot v ti u cc routes (route control & optimize). Mt
trong nhng ng dng thng thy l trong qu trnh redistribution ca cc
routing protocols vi nhau. Distribute-list c dng chng hin tng
route-feedback.Cch s dng:- Ch ra nhng a ch network bn mun loi b
(filter) v to ra mt access-list. Bn cng cn xc nh bn mun lc theo
chiu incoming hay chiu outgoing.- Nu dng theo chiu
OUT:distribute-list access-list-number out [interface-name]Trong
trng hp ny th distribute-list out s khng cho mt s routes c qung b
ra t router.- Nu dng theo chiu IN:distribute-list
access-list-number in [interface-name]Distribute-list s ngn khng
cho nhng routes no c a vo bng routing-table.Di y l mt s v d:IGRP
Route Filtering:router igrp 10network 140.10.0.0redist
ripdefault-metric 1 1 1 1 1
distr-list 1 in
access-list 1 deny 170.10.0.0 0.0.255.255access-list 1 permit
any any
Routes 170.10.0.0 s khng c a vo bng routes.
EIGRP IP Filtering
router eigrp 1network 172.16.0.0network
192.168.5.0distribute-list 7 out s0access-list permit 172.16.0.0
0.0.255.255
RIP
access-list 1 deny 10.2.2.0 0.0.0.255access-list 1 deny
172.16.0.0 0.0.0.255.255access-list 1 permit anyrouter
ripdistrbute-list 1 in e0
3.Route-mapRoute map l cc cng c trong cc logic if/then c th c p
dng cho mt router. Cc route-map l cc cng c lp trnh c dng kim sot qu
trnh redistribution, hin thc PBR, kim sot qu trnh NAT hoc hin thc
BGP.C th dng route-map cho cc mc ch sau y: kim sot qu trnh
redistribution: cc route map cho php kim sot mt mc cao hn so vi cch
dng distribution list. Route-map khng n thun ngn chn hay cho php mt
mng ging nh distribute list m cn c kh nng gn metric cho nhng route
b so trng . kim sot v thay i thng tin nh tuyn: cc route map c dng
thay i thng tin nh tuyn bng cch gn gi tr metric cho cc route.nh
ngha chnh sch trong PBR: cc route-map ra cc quyt nh da trn a ch
ngun. Khi mt php so trng c tm thy trong access-list, s c cc hnh ng
tng ng. thm vo mc tinh t trong cu hnh NAT: cc route map nh ngha dy
ca cc a ch public v a ch private. C cc lnh show gim st v kim tra
hot ng ca NAT. hin thc BGP: mt trong nhng im mnh ca giao thc BGP l
kh nng thc hin policy based routing. Cc thuc tnh trong BGP c dng nh
hng n ng i cho traffic. Cc thuc tnh ny thng c hin thc dng route
maps. Nu c mt php so trng th p dng thuc tnh ny. Khi ny dng lnh set
thc hin. Route map l phng thc ch yu c dng bi BGP nh ngha chnh sch
nh tuyn BGP.Route map rt ging ACL. C hai thc hin tc v if/then,
trong cc tiu ch c dng xc nh l gi tin c c cho php hoc t chi hay
khng. S khc nhau c bn l route map c kh nng thc hin hnh ng thay i
thuc tnh n cc gi d liu tha iu kin so trng. Trong mt ACL, tiu ch so
trng l ngm nh, trong mt route map, l mt keyword. iu ny c ngha rng,
nu mt gi tha vi mt tiu chun cho trong mt route map, mt vi hnh ng
phi c thc hin thay i gi, trong khi accesslist ch n gin cho php hoc
t chi mt gi.
Cc c im ca route map c tm tt trong danh sch sau:Mt route map c
mt danh sch cc tiu ch v tiu chun chn la, c lit k vi pht biu mtch.Mt
route map c kh nng thay i cc gi hoc cc route b so trng bng cch dng
lnh set.Mt tp hp ca cc pht biu mch c cng tn c xem l cng mt route
mapRoute map s ngng x l ngay khi c mt php so trng c thc hin, ging
nh mt ACL.Trong mt route map, mi pht biu c nh s th t v c th c son
tho ring l.S th t c dng ch ra th t trong cc iu kin c kim tra. Nh vy
nu hai pht biu trong route map c tn l BESTTEST, mt pht biu c ch s l
5, mt pht biu c ch s l 15 th pht biu c ch s l 5 s c kim tra trc. Nu
khng c mt pht biu match trong pht biu 5 th pht biu th 15 s c kim
tra.Route map c th dng cc IP access-list chun hoc m rng thit lp cc
chnh sch nh tuyn.Cc access-list m rng c th c dng ch ra tiu ch so
snh da trn phn a ch ngun v a ch ch, ng dng, kiu giao thc, kiu dch v
ToS v u tin.Lnh match trong cc cu hnh route map c dng nh ngha iu
kin phi kim tra.Lnh set trong cu hnh route map c dng nh ngha hnh ng
theo sau mt pht biu so snh.Mt route map c th ch cc php AND v OR.
Ging nh mt access-list, c mt pht biu ngm nh DENY cui mt route map.
Hnh ng theo sau ca pht biu deny ny ty thuc route map c dng nh th
no. hiu iu ny mt cch chnh xc, bn cn hiu chnh xc route map hot ng nh
th no.Danh sch sau y s gii thch logic ca hot ng route-map:Pht biu
ca route map dng cho PBR c th c nh du nh l permit hoc denyCh nu pht
biu c nh du nh permit v gi tin b so trng, lnh set mi c p dng.Cc pht
biu trong route-map s tng ng vi cc dng ca mt access-list. Ch ra mt
iu kin so snh trong route map th cng tng t nh ch ra ngun v ch trong
access listCc pht biu trong route map c so snh vi ng i ca gi xem c
mt so trng no hay khng. Cc pht biu ny s c ln lt kim tra t trn xung
di.Mt pht biu so trng c th cha nhiu iu kin. t nht mt iu kin trong
pht biu match phi l ng. y l php logic ORMt route-map c th cha nhiu
pht biu so snh. Tt c cc pht biu match trong route map phi c xem xt
l ng cho pht biu ca route map l so trng. iu kin ny gi l php logic
AND.Route-map c s dng trong bn trng hp:Dng vi NATDng trong
redistributionDng vi BGPDng trong PBRCu lnh access list trong Cisco
IOS thng c dng nh l mt cng c chn la "matching" mt mu traffic no i
qua router. Nh bn cng bit, trng thi bnh thng, router cho php hu nh
mi lu lng IP i qua n. Nu, trong mt iu kin no , bn khng mun cho lu
lng mail (SMTP/POP3) c i qua router, bn cn cm cc traffic ny. Lc ny,
bn vit ra mt access-list, "quan tm" n TCP (SMTP/POP3). Sau bn p
access list vo cng ca router, theo chiu IN/OUT.Trong v d trn,
access list c dng lc gi. V d cng ch ra l bn cn ch ra traffic m bn
ang quan tm (SMTP/POP3), bc k tip l bn p dng access list vo mt
interface no ca router.Vy, ACL l mt cng c la ra mt loi traffic no m
mnh quan tm.Cng c route-map trong Cisco IOS cung cp mt thun ton tng
t nh logic If/Then/Else thng thy trong cc ngn ng lp trnh. Mt route
map cha mt hoc nhiu cu lnh route-map v router s x l cc cu lnh
route-map da vo th t i km vi chng.Mi cu lnh route-map c nhng thng s
so trng (match) bn trong c cu hnh bng cu lnh match. ( so trng tt c
gi tin, mt mnh route-map ch n gin a ra mt cu lnh match). ng thi, cu
lnh route-map cng c mt hoc nhiu cu lnh ty chn set dng p t thng tin,
chng hn p t metric cho mt s route c redistribute.Nh vy, mt cm gic
ging nhau gia hai cu lnh l c hai cng c th th hin thun ton if-then
khi cu hnh router. Tuy nhin, s khc nhau l route-map mang tnh cht
tng qut hn. V trong route map cng c dng access list.Cc quy lut tng
qut ca route map nh sau:Mi cu lnh route-map phi c mt tn gi r rng,
tt c cc cu lnh c cng tn gi ny u thuc chung mt route map.Mi cu lnh
route-map phi c mt hnh ng (permit hoc deny).Mi cu lnh route-map c
mt s th t duy nht, cho php xa, chn cc cu lnh route-map n.Khi dng
route-map trong qu trnh redistribute, route map s x l route ly t
bng nh tuyn hin thi ch khng ly t database.Route map c x l tun t da
vo s th t nh km trong cc cu lnh route-map.Khi mt route c th c so
trng trong route map, n s khng c x l trong cc cu lnh route-map ng
sau na (dng cho redistribution).Khi mt route c so trng vi pht biu
route map, nu route-map c thng s permit i km th route s c
redistribute (dng cho redistribution).Khi mt route c so trng vi pht
biu route map, nu route-map c thng s deny i km th route s khng c
redistribute (dng cho redistribution). Route map thng hay gy nhm
ln, c bit khi dng thng s deny trong cu lnh route-map.V d v
route-map:Route-filtering in
redistribution:Router(config)#access-list 1 deny 192.168.1.0
0.0.255Router(config)#access-list 1 deny 192.168.2.0
0.0.255Router(config)#access-list 1 permit
anyRouter(config)#route-map MYMAP permit
10Router(config-route-map)#match ip address
1Router(config-route-map)#set tag 150
Router(config)#router ospf 1Router(config-router)#redistribute
eigrp 10 metric 3 subnets route-map MYMAP
BGP route-filtering:Router(config)#access-list 1 permit 10.1.1.0
0.0.0.255Router(config)#route-map MYMAP permit
10Router(config-route-map)#match ip address
1Router(config-route-map)#set metric
100Router(config-route-map)#route-map MYMAP permit 20
Router(config)#router bgp 100Router(config-router)#neighbor
172.16.1.1 route-map MYMAP out
PHN 6.CU HNH SYSLOG CHO ROUTER(LOGGING CONCEPTS)1.Syslog:Syslogl
mt cng c (phn mm) s dng lu tr cc s kin xy ra trn mt thit b, h thng
phc v cho cng tc qun tr, pht hin cc xm nhp tri php... Syslog c xy
dng da trn cc Trap (phn loi cc s kin) c tt c khong 7 Trap. Nhng
thng thng th ch dngTrap InformationviTrap Debugging.Cu hnh Log ch
cn vi cu lnh v mt my tnh ci sn phn mm Syslog. Cc phn mm Syslog c th
s dng lKiwi-Syslog(Free), Solarwind tn ph ....Cu lnh cu hnh
:Router(config)#logging Router(config)#logging trap debugging(c th
thay th debugging bng s 7).Rt nhiu thit b ca Cisco bao gm
router,switch,Pix firewall,ASA u c kh nng s dng syslog gi cc thng
tin v h thng,cnh bo.V d nh mt Cisco router s to ra mt syslog nu cng
bdownhay c s thay i v cu hnh.Ta c th cu hnh cho cc thit b Cisco gi
thng tin syslog n 1 syslog server bn ngoi c th lu tr tp trung,trong
trng hp kt ni n syslog server b ngt th ton b thng tin v syslog ca
thit b s c lu tr cc b.
Syslog s dng User Datagram Protocol (UDP), cng 514 mc nh truyn d
liu. Mt gi tin syslog s gii hn trong 1024 bytes gm 5 thng tin
sau:Facility(1):phn loi ngun sinh ra syslog (ng dng,h iu hnh,cc tin
trnh..) Mc nh, thit b s dng Cisco IOS, CatOS switches, v VPN 3000
Concentrators s dng facility l local7 , trong khi Cisco PIX
Firewalls s dng local4 trong thng tin syslog.Severity(2):Mc pht
sinh ra cc thng tin syslog c phn chia ra nh sau0Emergency:System is
unusable.1Alert:Action must be taken immediately.2Critical:Critical
conditions.3Error:Error conditions.4Warning:Warning
conditions.5Notice:Normal but significant
condition.6Informational:Informational messages.7Debug:Debug-level
messages.Thit b Cisco s dng mcEmergencynWarning thng bo cc vn lin
quan cc vn v phn mm v phn cng. Tin trnh khi ng li ,cngup/down th c
gi vi mc Notice. H thng khi ng li l mc Informational. Kt qu ca lnh
debug l mc Debug.Hostname(3):C th l tn hocIpca thit b sinh ra
syslogTimestamp(4):Thi gian sinh ra syslog theo nh dngMMM DD
HH:MM:SS .Thi gian sinh ra syslog phi chnh xc nn khi trin khai dch
v ny ta thng kt hp vi giao thc NTP(Network Time Protocol) ng b thng
tin v thi gian trn tt c thit b .Message(5):Ni dung Syslog
Giao din chng trnh Kiwi Syslog
