Cisco Training 200-125 CCNA v3.0. Day 27. Introduction to ACL. Part 1

Today we start learning about access control lists (ACLs); this topic will take two video lessons. We will look at configuring standard ACLs, and in the next video lesson I will talk about extended lists.

In this lesson we will discuss three topics. The first is what an ACL is, the second is the difference between standard and extended access lists, and at the end of the lesson, as a lab, we will look at setting up standard ACLs and solving the problems that can arise.

So what is an ACL? If you have followed the course from the first video lesson, you remember how we organized communication between different network devices.

We also studied static routing and various routing protocols to gain the skills to organize communication between devices and networks. We have now reached the stage of the course where we should worry about controlling traffic, that is, preventing "bad guys" or unauthorized users from getting into the network. For example, this may concern people from the SALES department shown in this diagram. Here we also show the ACCOUNTS finance department, the MANAGEMENT department and the SERVER room.

So, the sales department may have a hundred employees, and we do not want every one of them to be able to reach the server room over the network. The exception is the sales manager who works on the computer Laptop2: he may access the server room. A new employee working on Laptop3 should not have such access, that is, if traffic from his computer reaches router R2, it should be dropped.

The role of an ACL is to filter traffic according to specified filtering parameters. These include the source IP address, the destination IP address, the protocol, the port number and other parameters, thanks to which you can identify traffic and take some action on it.

So, an ACL is a filtering mechanism at Layer 3 of the OSI model. This means that the mechanism is used on routers. The main criterion for filtering is identifying the data flow. For example, if we want to block the person with Laptop3 from reaching the server, we first have to identify his traffic. That traffic travels along the path Laptop3-Switch2-R2-R1-Switch1-Server1 through the corresponding interfaces of the network devices, while the G0/0 interfaces of the routers have nothing to do with it.

To identify traffic, we must determine its path. Once we have done that, we can decide where exactly we need to install the filter. Do not worry about the filters themselves; we will discuss them in the next lesson. For now we need to understand the principle by which a filter should be applied.

If you look at a router, you will see that whenever traffic moves, there is an interface through which the data enters and another interface through which that flow exits.

In fact there are three elements: the ingress interface, the egress interface and the router itself. Just remember that a filter can be applied either on the ingress or on the egress interface.

The ACL working principle is like a pass to an event that only guests whose names are on the invitation list may attend. An ACL is a list of qualifying parameters used to identify traffic. For example, this list states that all traffic from IP address 192.168.1.10 is permitted and traffic from all other addresses is denied. As I said, this list can be applied to either interface of the device.

There are two types of ACL: standard and extended. A standard ACL has an identifier from 1 to 99 or from 1300 to 1999. These are just names; none of them has any advantage over another as the number grows. Besides the number, you can give the ACL your own name. Extended ACLs are numbered 100 to 199 or 2000 to 2699 and can also have a name.

In a standard ACL, classification is based on the source IP address of the traffic. So when using such a list you cannot restrict traffic by its destination; you can only block traffic originating from a device.

An extended ACL classifies traffic by source IP address, destination IP address, the protocol used and the port number. For example, you can block only FTP traffic or only HTTP traffic. Today we will look at standard ACLs, and we will devote the next video lesson to extended lists.

As I said, an ACL is a list of conditions. After you apply this list to an inbound or outbound interface, the router will check traffic against the list, and if the traffic meets a condition set in the list, it will decide whether to permit or deny that traffic. People often find it hard to tell the router's inbound and outbound interfaces apart, although there is nothing complicated here. When we talk about an inbound interface, this means that only incoming traffic is controlled on that port, and the router does not apply the restrictions to outgoing traffic. Likewise, if we talk about an egress interface, this means that all the rules apply only to outgoing traffic, while incoming traffic on that port is accepted without restriction. For example, if a router has two ports, f0/0 and f0/1, the ACL is applied only to traffic entering f0/0, or only to traffic leaving the f0/1 interface. The list will not affect traffic entering or leaving f0/1.

So, do not be confused by whether an interface is inbound or outbound; it depends on the direction of the specific traffic. After the router has checked the traffic against the ACL conditions, it can make only one of two decisions: permit the traffic or deny it. For example, you can permit traffic destined for 180.160.1.30 and deny traffic destined for 192.168.1.10. Each list can contain many conditions, but each of those conditions must either permit or deny.

Suppose we have a list:

Deny ______
Permit ____
Permit ____
Deny _____.

First, the router checks the traffic to see whether it matches the first condition; if it does not, it checks the second. If the traffic matches the third condition, the router stops checking and does not compare it with the remaining conditions of the list. It performs the "permit" action and moves on to checking the next piece of traffic.

If you have not set a rule for some packet and the traffic passes through all the lines of the list without hitting any condition, it is dropped, because every ACL by default ends with an implicit deny any statement, that is, discard any packet that falls under no rule. This condition takes effect if there is at least one rule in the list; otherwise it has no effect. But if the first line contains deny 192.168.1.30 and the list has no other conditions, then you should add permit any at the end, that is, permit all traffic except what the rule denies. You must keep this in mind to avoid mistakes when configuring an ACL.

I want you to remember the basic rule for creating ACLs: place a standard ACL as close as possible to the destination, that is, to the receiver of the traffic, and place an extended ACL as close as possible to the source, that is, to the sender of the traffic. These are Cisco's recommendations, but in practice there are situations where it makes more sense to place a standard ACL closer to the traffic source. However, if you get a question about ACL placement rules on the exam, follow Cisco's recommendations and answer without hesitation: standard closer to the destination, extended closer to the source.

Now let's look at the syntax of a standard ACL. There are two kinds of command syntax in router configuration mode: the classic syntax and the modern syntax.

The classic command syntax is access-list <ACL number> <deny/permit> <criterion>. If you set <ACL number> from 1 to 99, the device automatically understands that this ACL is standard, and if it is from 100 to 199, that it is extended. Since in today's lesson we are looking at standard lists, we can use any number from 1 to 99. Then we state the action to take if the parameters match the criterion that follows: permit or deny the traffic. We will look at the criterion later, since it is also used in the modern syntax.

The modern command syntax is also used in the Rx(config) configuration mode and looks like this: ip access-list standard <ACL number/name>. Here you can use either a number from 1 to 99 or an ACL name, for example ACL_Networking. This command immediately puts the system into the Rx(config-std-nacl) submode, where you enter <deny/permit> <criterion>. The modern syntax has an additional advantage over the classic one.

In a classic list, if you type access-list 10 deny ______, then enter the next command of the same form for another criterion, and end up with 100 such commands, then to change any one of the entered commands you have to delete the whole access list 10 with the command no access-list 10. This deletes all 100 commands, because there is no way to edit a single command in such a list.

In the modern syntax the command is split into two lines, the first of which contains the list number. Suppose you have access-list standard 10 deny ________, access-list standard 20 deny ________ and so on; then you have the option of inserting intermediate lists with other conditions between them, for example access-list standard 15 deny ________.

Alternatively, you can simply delete the access-list standard 20 line and rewrite it with different parameters between standard list 10 and standard list 30. So there are several ways to edit a modern ACL configuration.

You need to be very careful when creating ACLs. As you know, a list is read from top to bottom. If you put a line at the top that permits traffic from a specific host, then below it you can put a line that denies traffic from the whole network that host belongs to, and both conditions will be checked: traffic from the specific host will be permitted, and traffic from all other hosts of that network will be blocked. So always put specific entries at the top of the list and general ones at the bottom.

So, after you have created a classic or modern ACL, you have to apply it. To do this, go to the settings of a specific interface, for example f0/0, with the command interface <type and slot>, enter the interface subcommand mode and enter the command ip access-group <ACL number/name>. Note the difference: when building the list you use access-list, and when applying it you use access-group. You must specify in which direction on the interface the list applies: inbound or outbound. If the list has a name, for example Networking, the same name is repeated in the command that applies the list to that interface.

Now let's take a specific problem and try to solve it on our example network in Packet Tracer. So, we have four networks: the sales department, the accounting department, management and the server room.

Task No. 1: all traffic directed from the sales and finance departments to the management department and the server room must be blocked. The blocking point is the S0/1/0 interface of router R2. First we must create a list containing the following entries:

Let's call the list "Management and Server Security ACL", abbreviated as ACL Secure_Ma_And_Se. It is followed by a deny for traffic from the finance department network 192.168.1.128/26, a deny for traffic from the sales department network 192.168.1.0/25, and a permit for any traffic. At the end of the list it is indicated that it is applied to the outbound S0/1/0 interface of router R2. If we did not have the Permit Any entry at the end of the list, all other traffic would be blocked, because by default an ACL always ends with a Deny Any entry.

Can I apply this ACL to the G0/0 interface? Of course I can, but in that case only traffic from the accounting department would be blocked, and traffic from the sales department would not be restricted in any way. You can also apply the ACL to the G0/1 interface, but in that case finance department traffic would not be blocked. Of course, we could create two separate blocking lists for these interfaces, but it is much more efficient to combine them into one list and apply it to the outbound interface of router R2 or to S0/1/0 of router R1.

Although Cisco's rules say a standard ACL should be placed as close to the destination as possible, I will place it closer to the traffic source, because I want to block all outgoing traffic, and it makes sense to do that near the source so that this traffic does not waste the link between the two routers.

I forgot to tell you about the criterion, so let's quickly go back. You can specify any as the criterion; in that case all traffic from any device and any network is denied or permitted. You can also specify a host by its identifier; in that case the entry is the IP address of a specific device. Finally, you can specify a whole network, for example 192.168.1.10/24. Here /24 means a mask of 255.255.255.0, but you cannot enter a subnet mask into an ACL. For this case the ACL has a concept called the Wildcard Mask, or "inverse mask". So you have to enter the IP address and the wildcard mask. The wildcard mask is built like this: you subtract the direct mask from the all-ones mask, that is, the value of each octet of the subnet mask is subtracted from 255.

Therefore, you should use the parameter 192.168.1.10 0.0.0.255 as the criterion in the ACL.

How does it work? If an octet of the wildcard mask is 0, the criterion is considered to match the corresponding octet of the subnet IP address. If an octet of the inverse mask contains a number, that octet is not checked for a match. So for the network 192.168.1.0 with wildcard mask 0.0.0.255, all traffic from addresses whose first three octets are 192.168.1., regardless of the value of the fourth octet, is blocked or permitted depending on the specified action.
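The evaluation rules from this lesson (top-down first match, the implicit deny at the end, specific entries above general ones) and the wildcard-mask arithmetic, put together as a small Python model of a standard ACL. This is an added example, not code from the lesson; the addresses are the lesson's, the function names and the sample source addresses are mine.

```python
import ipaddress

def prefix_to_wildcard(prefix_len):
    """Inverse mask for a /N prefix: each octet is 255 minus the subnet-mask octet (e.g. /24 -> 0.0.0.255)."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ netmask))

def wildcard_match(addr, base, wildcard):
    """A wildcard bit of 1 means 'do not check'; a 0 bit must equal the base address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_entry(line):
    """Standard-ACL criteria: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    parts = line.split()
    action = parts[0]                      # "permit" or "deny"
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    return action, parts[1], parts[2]

def evaluate(acl_lines, src):
    """First matching entry wins; a non-empty list ends with an implicit deny (index None)."""
    for i, line in enumerate(acl_lines):
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action, i
    return "deny", None

# Task No. 1 from the lesson, written with the inverse masks derived above.
SECURE_MA_AND_SE = [
    "deny 192.168.1.128 " + prefix_to_wildcard(26),   # finance department 192.168.1.128/26
    "deny 192.168.1.0 " + prefix_to_wildcard(25),     # sales department 192.168.1.0/25
    "permit any",                                     # without this, everything else hits the implicit deny
]

# Ordering rule: the specific host above the general network it belongs to.
ORDERED = ["permit host 192.168.1.10", "deny 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for src in ("192.168.1.130", "192.168.1.50", "192.168.1.200"):   # constructed sample sources
        print(src, evaluate(SECURE_MA_AND_SE, src))
    print("host first:", evaluate(ORDERED, "192.168.1.10"))
    print("host last :", evaluate(list(reversed(ORDERED)), "192.168.1.10"))
```

Reversing ORDERED shows the classic mistake: the network deny matches first and the host permit is never reached.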

Working with the inverse mask is easy, and we will come back to the Wildcard Mask in the next video so that I can explain how to work with it.

source: www.habr.com

Add a comment