LAB REPORT FOR THE COMPUTER NETWORKS COURSE
Group: Group 02
1/ ng Hin (10417012)
2/ Trng Ngc ng (10417013)
3/ Phm Vn Hi (10417015)
4/ Cao Vn Hay (10417016)
5/ Nguyn Hu Hu (10417017)
Topic: OVERVIEW OF ACLs (ACCESS CONTROL LISTS)
I. INTRODUCTION TO ACLs (ACCESS CONTROL LISTS)
1. What is an ACL (Access Control List)?
- An ACL is a list of statements applied to the interfaces of a router. The list tells the router which packets are accepted (permit) and which are discarded (deny). The decision can be based on the source address, the destination address, or the port number.
2. Why use ACLs?
- To manage IP traffic.
- To provide a basic level of security for network access, by filtering the packets that pass through the router.
Functions:
+ Determine the appropriate routes for DDR (dial-on-demand routing).
+ Make IP packet filtering convenient.
+ Provide high network availability.
3. Types of ACLs
There are two types of access lists: Standard access lists and Extended access lists.
- Standard ACLs: filter on the source IP address of packets entering the network. They should be placed close to the destination.
- Extended ACLs: filter on the source and destination IP addresses of a packet, on the protocol carried in the network-layer header (TCP, UDP, ICMP, ...), and on the port numbers in the transport-layer header. They should be placed close to the source.
4. Placement of ACLs
a- Inbound ACLs
+ Inbound: put simply, the interface through which a packet enters the router. Packets are processed by the ACL before they are routed to the outbound interface. Here a packet is dropped if it does not match the routing table; if the packet is permitted, it is processed before transmission.
b- Outbound ACLs
+ Outbound: the interface through which a packet leaves the router. Packets are first routed to the outbound interface and then processed by the ACL before being placed in the outbound queue.
5. How ACLs work
- An ACL is evaluated in the order in which its statements were entered when the access list was created. As soon as one condition in the list is matched, its action is taken and the remaining statements are not checked. If none of the statements in the list matches, a default "deny any" is applied: the end of every access list is an implicit deny all. Therefore an access list must contain at least one permit statement.
When a packet arrives on an interface, the router checks whether an inbound ACL is applied to that interface; if so, the packet is compared against the conditions in the list.
If the packet is permitted, it is then looked up in the routing table to choose the interface toward the destination.
Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent on to the destination network. If there is an outbound ACL, the packet is compared against the conditions in that list.
6. Points to note
* Only one ACL can be applied per protocol, per direction, on each interface. An interface can still have several ACLs (one per protocol and direction).
* A router cannot filter traffic that originates from the router itself.
* Statements are processed in the order they were entered. A new statement added to the list is appended at the end.
* Standard ACLs should be placed close to the destination of the traffic.
* Extended ACLs should be placed close to the source of the traffic.
* By default, both the access-group and the access-class commands apply in the OUT direction.
II. CONFIGURING ACCESS LISTS (ACLs)
1. Standard access lists
[#]: Standard ACLs use numbers 1 to 99 or 1300 to 1999.
There are two steps to creating an ACL:
+ Define the ACL that will be applied to an interface:
router(config)#access-list [#] [permit | deny] [source address] [wildcard mask] [log]
Or:
router(config)#access-list [#] [permit | deny] [host address | any]
This second form is the one usually used.
+ Then apply the list to the router interface where the packets should be blocked:
router(config)#interface [interface-number]
router(config-if)#ip access-group [#] [in | out]
Concrete example
We work on the topology below, which is already configured to run RIP so that all routers and PCs can ping each other.
Create the access list in global config mode:
Create an access list on R2 that blocks PC0 (10.0.0.2) from reaching network 220.0.0.0, applied at the inbound interface of Router 2.
R2(config)# access-list 1 deny host 10.0.0.2
R2(config)# access-list 1 permit any
2. Extended access lists
[#]: Extended ACLs use numbers 100 to 199 or 2000 to 2699.
Extended ACLs work like standard ACLs but add further filtering criteria, such as:
+ Source and destination IP address
+ IP protocol: TCP, UDP, ICMP, and so on (block by protocol)
+ Port information (WWW, DNS, FTP, TELNET, etc.) (block services through the ports they operate on)
Configuration commands:
We perform the same two steps as for standard ACLs.
Create the access list in global config mode:
router(config)#access-list [#] [permit | deny] [protocol] [source address] [wildcard mask] [operator source port] [destination address] [wildcard mask] [operator destination port] [log]
Or:
router(config)#access-list [#] [permit | deny] [protocol] host [source address] host [destination address] [lt | gt | neq | eq | range] [port number]
Apply the access list to the interface:
router(config)#interface [interface-number]
router(config-if)#ip access-group [#] [in | out]
Example:
Create an ACL on router R1 that blocks R2 from accessing Router 1 over TCP via the Telnet service.
First we enable the Telnet service on the routers.
In global config mode we enter the following commands:
router(config)#line vty 0 4
router(config-line)#password telnet
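The evaluation rules from section 5 (first match wins, implicit deny at the end, inbound ACL before routing before outbound ACL) and the two configuration examples of section II are brought together below in a small Python model. This is an added example and not code from the lab report: it reimplements Cisco wildcard-mask matching, the report's standard list 1 on R2, and an extended list for the Telnet case. The interface names (Fa0/0, Fa0/1), the prefix lengths of the 10.0.0.0 and 220.0.0.0 networks, and the R1/R2 addresses 192.0.2.1 and 192.0.2.2 are constructed values that the report does not give.

```python
"""Added model of Cisco-style ACL evaluation (example code, not part of the lab report).
Assumed here: wildcard-mask matching (0 bit = must match, 1 bit = ignored), first match
wins with an implicit "deny any", and the order inbound ACL -> routing table -> outbound
ACL from section 5. Interface names and the R1/R2 addresses are constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # keyword "any"

def host(ip: str):
    """Keyword "host X" is shorthand for "X 0.0.0.0" (every bit must match)."""
    return ip, "0.0.0.0"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set to 1 in the wildcard mask are ignored; 0 bits must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & care == 0

@dataclass
class Entry:
    """One access-list statement; a standard entry uses only src/src_wc."""
    action: str                     # "permit" or "deny"
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    protocol: str = "ip"            # "ip" matches every protocol
    dst_port: Optional[int] = None  # only the "eq" operator is modelled

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None

def matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc) and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port

def evaluate(acl, p: Packet):
    """Statements are tested in order; the first match decides and the rest are
    skipped. No match at all falls through to the implicit deny (index None)."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None

def check(acl, p: Packet) -> str:
    """A direction with no ACL applied filters nothing (no implicit deny)."""
    return "permit" if acl is None else evaluate(acl, p)[0]

def route(routes, dst: str):
    """Longest-prefix lookup over (network, interface) pairs; None if no route."""
    hits = [(n.prefixlen, i) for n, i in routes if ipaddress.IPv4Address(dst) in n]
    return max(hits)[1] if hits else None

def forward(router, in_iface: str, p: Packet):
    """Section 5 order: inbound ACL, then routing table, then outbound ACL."""
    if check(router["in"].get(in_iface), p) == "deny":
        return "dropped", "inbound ACL on " + in_iface
    out_iface = route(router["routes"], p.dst)
    if out_iface is None:
        return "dropped", "no route"
    if check(router["out"].get(out_iface), p) == "deny":
        return "dropped", "outbound ACL on " + out_iface
    return "forwarded", out_iface

# The report's standard list on R2: "access-list 1 deny host 10.0.0.2" / "permit any".
ACL_1 = [Entry("deny", *host("10.0.0.2")), Entry("permit", *ANY)]

# Extended list for the section II.2 Telnet case. R1 = 192.0.2.1 and R2 = 192.0.2.2 are
# constructed addresses: "deny tcp host R2 host R1 eq 23" then "permit ip any any".
ACL_101 = [
    Entry("deny", *host("192.0.2.2"), *host("192.0.2.1"), "tcp", 23),
    Entry("permit", *ANY, *ANY),
]

# R2 with ACL 1 inbound on the PC-facing interface (names and prefix lengths assumed).
R2 = {
    "in": {"Fa0/0": ACL_1},
    "out": {},
    "routes": [(ipaddress.ip_network("10.0.0.0/8"), "Fa0/0"),
               (ipaddress.ip_network("220.0.0.0/24"), "Fa0/1")],
}

if __name__ == "__main__":
    for p in (Packet("10.0.0.2", "220.0.0.5"), Packet("10.0.0.3", "220.0.0.5")):
        print(p.src, "->", p.dst, forward(R2, "Fa0/0", p))
    print("telnet R2->R1:", evaluate(ACL_101, Packet("192.0.2.2", "192.0.2.1", "tcp", 23)))
```

Running the file shows PC0's packet being dropped by the inbound ACL on Fa0/0 while the neighbouring host 10.0.0.3 is forwarded out Fa0/1, and the Telnet packet from R2 hitting the deny entry of list 101 while any other traffic from R2 falls through to the final permit. Removing the permit from list 1 makes evaluate() return ("deny", None) for every packet, which is the implicit deny the report warns about in section 5.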