Computer Networking Report, Group 02


COMPUTER NETWORKING LAB REPORT

Prepared by: Group 02

1/ ng Hin ( 10417012)

2/ Trng Ngc ng (10417013)

3/ Phm Vn Hi (10417015 )

4/ Cao Vn Hay ( 10417016 )

5/ Nguyn Hu Hu ( 10417017)

Topic: OVERVIEW OF ACL (ACCESS CONTROL LISTS)

I. INTRODUCTION TO ACL (ACCESS CONTROL LISTS)

1. What is an ACL (Access Control List)?

- An ACL is a list of statements applied to the ports (interfaces) of a router. The list tells the router which kinds of packets are accepted (allow) and which kinds are discarded (deny). The decision to accept or discard can be based on the source address, the destination address, or the port number.

2. Why use ACLs?

- To manage IP traffic

- To provide a basic level of security for network access, through the ability to filter packets passing through the router

Functions:

+ Identify the appropriate routes for DDR (dial-on-demand routing)

+ Make it convenient to filter IP packets

+ Provide high network availability

3. Types of ACLs

There are 2 types of access lists: Standard Access lists and Extended Access lists

- Standard (ACLs): Filter on the source IP address of traffic entering the network. Place them close to the destination.

- Extended (ACLs): Filter on the source and destination IP addresses of a packet, the protocol identified in the Network layer header such as TCP, UDP, ICMP, and the port numbers in the Transport layer header. They should be placed close to the source.

4. How to place ACLs.

a- Inbound ACLs.

+ Inbound: roughly speaking, this is the entry port on the router (in the direction the packet arrives). Packets are processed by the ACL before they are routed out to the outbound interface. At this point packets are dropped if they do not match the routing table; if a packet is accepted, it is processed before transmission.

b- Outbound ACLs.

+ Outbound: this is the exit port of the packet on the router. Packets are routed to the outbound interface and processed by the ACL before being placed in the outbound queue.

5. How ACLs operate.

- An ACL is evaluated in the order in which its statements were entered when the access-list was created. As soon as one condition in the list is matched, that statement is carried out and the remaining statements are not checked. If none of the statements in the list match (unmatched), a default "deny any" statement is applied. The end of every access-list is by default a statement that discards everything (deny all). For this reason, an access-list needs at least one permit statement.

When a packet enters an interface, the router checks whether there is an ACL on the inbound interface. If there is, the packet is checked against the conditions in the list.

If the packet is permitted (allow), it is then looked up in the routing table to decide which interface to use to reach the destination.

Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent to the destination network. If there is an ACL on the outbound interface, the packet is checked against the conditions in that ACL.
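The first-match rule and the implicit deny described above can be checked with a small evaluator. This is an added example, not part of the original report; it models standard ACL entries only, uses the two entries this report configures on R2 (deny host 10.0.0.2, permit any), and the variant lists, the 10.0.0.3 and 10.0.x.77 addresses and the function names are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse a standard entry: access-list N permit|deny (any | host A | A [WILDCARD]) [log]."""
    tok = [t for t in line.split() if t != "log"]
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, src = tok[2], tok[3:]
    if src == ["any"]:
        addr, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
    elif len(src) == 2 and src[0] == "host":
        addr, wild = int(ipaddress.IPv4Address(src[1])), 0
    elif len(src) == 2:
        addr, wild = (int(ipaddress.IPv4Address(s)) for s in src)
    elif len(src) == 1:
        addr, wild = int(ipaddress.IPv4Address(src[0])), 0   # bare address = single host
    else:
        raise ValueError(f"bad source in: {line!r}")
    return action, addr, wild

def evaluate(acl_lines, src_ip):
    """First match wins; returns (action, matching_line), with None for the implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        action, addr, wild = parse_entry(line)
        care = ~wild & 0xFFFFFFFF             # wildcard 0-bits must match exactly
        if (ip & care) == (addr & care):
            return action, line               # later entries are never checked
    return "deny", None                       # implicit "deny any" at the end

# The two entries configured on R2 in this report.
R2_ACL = ["access-list 1 deny host 10.0.0.2", "access-list 1 permit any"]
# Constructed variants showing the failure modes.
DENY_ONLY = R2_ACL[:1]                        # no permit: implicit deny blocks everyone
REORDERED = R2_ACL[::-1]                      # permit any first: the deny is unreachable
SUBNET = ["access-list 1 permit 10.0.0.0 0.0.0.255"]   # constructed wildcard entry

if __name__ == "__main__":
    for name, acl in [("R2_ACL", R2_ACL), ("DENY_ONLY", DENY_ONLY), ("REORDERED", REORDERED)]:
        for ip in ("10.0.0.2", "10.0.0.3"):   # 10.0.0.3 is a constructed neighbour of PC0
            print(name, ip, evaluate(acl, ip))
```

Running it shows why entry order matters when reviewing a list: with "permit any" first, the deny for 10.0.0.2 is never reached, and with the permit removed every source falls through to the implicit deny.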

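6. Points to note

* Only one ACL can be set per protocol, per direction, on each interface. An interface can therefore have several ACLs, as long as each differs in protocol or direction.

* A router cannot filter traffic that originates from the router itself.

* Statements are processed in the order they were entered. When a new statement is added to the list, it is placed at the end of the list.

* Standard ACLs: should be placed close to the destination of the traffic.

* Extended ACLs: should be placed close to the source of the traffic.

* By default, both the Access-Group and the Access-Class commands apply in the "OUT" direction.

II. CONFIGURING ACCESS-LISTS (ACLs)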

1. Standard Access lists.

#: Standard ACLs use a number from 1 to 99 or from 1300 to 1999.

There are 2 steps to create an ACL:

+ Define the ACL that will be applied to the interface.

router(config)#access-list [#] [permit | deny] [source address] [wildcard mask] [log]

Or:

router(config)#access-list [#] [permit | deny] [host | any] [source address]

This second form is the one normally used.

+ Then apply the list (ACL) to the interface on the router where the packets are to be blocked.

router(config)#interface [interface-number]

router(config-if)#ip access-group [#] [in | out]     (interface access control)

Concrete example

We work on the following topology, which has already been configured to run RIP; the routers and PCs can ping each other.

Create the access list in global config mode:

Create an access-list on R2 that blocks PC0 (10.0.0.2) from entering network 220.0.0.0, right at the inbound interface of Router 2.

R2(config)# access-list 1 deny host 10.0.0.2

R2(config)# access-list 1 permit any

2699.

These work like standard ACLs, with some additional ways to filter packets, such as:

+ Source and destination IP address

+ IP protocol: TCP, UDP, ICMP, and so on (blocking by protocol)

+ Port information (WWW, DNS, FTP, TELNET, etc.) (blocking services through the ports they operate on)

Configuration commands:

We follow the same 2 steps as for Standard ACLs.

Create the access list in global config mode:

router(config)#access-list [#] [permit | deny] [protocol] [source address] [wildcard mask] [operator source port] [destination address] [wildcard mask] [operator destination port] [log]

Or

router(config)#access-list [#] [permit | deny] [protocol] [host] [source address] [host] [destination address] [lt | gt | neq | eq | range] [port number]

Apply the access-list to the interface.

router(config)#interface [interface-number]

router(config-if)#ip access-group [#] [in | out]     (interface access control)

Example:

Create an ACL on router R1 that blocks R2 from accessing Router 1 over TCP using the Telnet service.

First we enable the Telnet service on the routers.

In global config mode we enter the following commands.

router(config)#line vty 0 4

router(config-line)#password telnet