Cisco Training 200-125 CCNA v3.0. Day 27. Introduction to ACL. Part 2

One thing I forgot to mention is that an ACL does more than filter traffic on a permit/deny basis; it serves many other functions. For example, an ACL is used in encrypting VPN traffic, but to pass the CCNA exam you only need to know how to use it to filter traffic. Let's return to Task No. 1.

We found that traffic from the accounting and sales departments can be blocked on the output interface of R2 using the following ACL.

Don't worry about the format of this list; it is meant only as an example to help you understand what an ACL is. We will get to the proper format once we start working in Packet Tracer.

Task No. 2 reads as follows: the server room may communicate with any hosts except the hosts of the management department. In other words, the server-room computers may access any computer in the sales and accounting departments, but must not have access to the computers in the management department. This means that the IT staff in the server room should not have remote access to the computer of the head of the management department; if a problem occurs, they should come to his office and fix it on the spot. Note that this task is not a practical one, because I do not know of a reason why the server room should be unable to communicate over the network with the management department, so in this case we are looking at a teaching example.

To solve this task, you first need to determine the traffic path. Data from the server room arrives at input interface G0/1 of router R1 and is sent to the management department through output interface G0/0.

If we apply the condition Deny 192.168.1.192/27 to the input interface G0/1, we will block all of this traffic, including the traffic to the sales and accounting departments. As you remember, a standard ACL is placed close to the traffic destination.

Since we want to block only the traffic addressed to the management department, we must apply the ACL to the output interface G0/0. This task can be solved by placing the ACL close to the destination. At the same time, traffic from the accounting and sales networks must reach the management department freely, so the last line of the list will be the Permit any command, which allows any traffic except the traffic specified in the preceding condition.

Let's move on to Task No. 3: Laptop3 in the sales department must not have access to any devices other than those on the sales department's local network. Let's assume that a trainee works on this computer and should not go beyond his own LAN.
In this case you need to apply the ACL on input interface G0/1 of router R2. If we assign the IP address 192.168.1.3/25 to this computer, then the condition Deny 192.168.1.3/25 must be met, while traffic from any other IP address must not be blocked, so the last line of the list will be Permit any.

At the same time, blocking this traffic will have no effect on Laptop2.

The next task is Task No. 4: only computer PC0 of the finance department may access the server network, but not the management department.

If you remember, the ACL from Task No. 1 blocks all outgoing traffic on the S0/1/0 interface of router R2, but Task No. 4 says we need to make sure that only PC0's traffic gets through, so we must make an exception.

All the tasks we are solving now should help you in real situations when setting up ACLs for an office network. For convenience I used the classic form of entry, but I advise you to write out all the lines by hand on paper or type them into a computer so that you can make corrections to the entries. In our case a classic ACL was composed according to the conditions of Task No. 1. If we want to add an exception for PC0 in the form of a Permit line, we can only place that line fourth in the list, after the Permit Any line. However, since this computer's address falls within the range of addresses checked by the Deny 192.168.1.128/26 condition, its traffic will be blocked as soon as that condition is met, and the router will never reach the fourth line, which permits traffic from this IP address.
So I have to completely redo the ACL from Task No. 1: delete the first line and replace it with the line Permit 192.168.1.130/26, which permits traffic from PC0, and then re-enter the lines that deny all traffic from the accounting and sales departments.

Thus, the first line holds a command for a specific address, and the second a general one for the whole network that contains this address. If you use the modern form of ACL, you can easily make the change by placing the line Permit 192.168.1.130/26 as the first command. If you have a classic ACL, you need to remove it completely and then re-enter the commands in the correct order.

The solution to Task No. 4 is to place the line Permit 192.168.1.130/26 at the beginning of the ACL from Task No. 1, because only then will traffic from PC0 freely leave the output interface of router R2. Traffic from PC1 will be blocked completely, because its IP address falls under the deny in the second line of the list.

Now we will move to Packet Tracer to make the necessary settings. I have already configured the IP addresses of all devices, because the simplified diagrams shown earlier were a little hard to understand. In addition, I configured RIP between the two routers. On the given network topology, communication between all devices of the 4 subnets is possible without any restrictions. But as soon as we apply an ACL, traffic will start to be filtered.

I will start with PC1 in the finance department and try to ping the IP address 192.168.1.194, which belongs to Server0 in the server room. As you can see, the ping succeeds without any problem. I also successfully ping Laptop0 in the management department. The first packet is dropped because of ARP; the remaining 3 get through freely.

To set up traffic filtering, I go into the settings of router R2, enter global configuration mode and create a modern-style ACL. We also have the classic-looking ACL 10. To create the first list, I enter a command in which you must specify the same list name that we wrote down on paper: ip access-list standard Secure_Ma_And_Se. After that, the system prompts for the possible parameters: I can choose deny, exit, no, permit or remark, and can also enter a Sequence Number from 1 to 2147483647. If I do not do this, the system assigns one automatically.

So I do not enter this number, but go straight to the command permit host 192.168.1.130, since this permission applies to the specific device PC0. I could also use the inverse Wildcard Mask; I will now show you how that is done.

Next, I enter the command deny 192.168.1.128. Since we have a /26, I use the inverse mask and complete the command with it: deny 192.168.1.128 0.0.0.63. In this way I deny traffic from the network 192.168.1.128/26.

In the same way, I block traffic from the next network: deny 192.168.1.0 0.0.0.127. All other traffic is permitted, so I enter permit any. Next I have to apply this list to an interface, so I use the command int s0/1/0. Then I type ip access-group Secure_Ma_And_Se, and the system prompts me to choose an option: in for incoming packets and out for outgoing ones. We need to apply the ACL to the output interface, so I use the command ip access-group Secure_Ma_And_Se out.

Let's go to the command line of PC0 and ping the IP address 192.168.1.194, which belongs to Server0. The ping succeeds because we used a special ACL condition for PC0's traffic. If I do the same from PC1, the system returns the error "Destination host unreachable", since traffic from the other IP addresses of the accounting department is blocked from reaching the server room.

By going into the CLI of router R2 and typing the command show ip access-lists, you can see how the traffic of the finance department's network was handled: it shows how many times a ping was passed according to a permit and how many times it was blocked according to a deny.

We can always go to the router settings and view the access list. So the conditions of Tasks No. 1 and No. 4 are met. Let me show you one more thing. If I want to correct something, I can enter global configuration mode on R2, enter the command ip access-list standard Secure_Ma_And_Se and then the command that removes the permission for host 192.168.1.130: no permit host 192.168.1.130.

If we look at the access list again, we will see that line 10 has disappeared and only lines 20, 30 and 40 remain. So you can edit an ACL in the router settings, but only if it was not written in the classic form.

Now let's move on to the third ACL, because it also concerns router R2. It states that no traffic from Laptop3 may leave the sales department's network. At the same time, Laptop2 should communicate with the finance department's computers without any problem. To check this, I ping the IP address 192.168.1.130 from this laptop and make sure that everything works.

Now I go to the command line of Laptop3 and ping the address 192.168.1.130. The ping succeeds, but that is not what we want, since according to the task Laptop3 may communicate only with Laptop2, which is on the same sales department network. To achieve this, you need to create another ACL using the classic method.

I will go back to the R2 settings and try to restore the deleted entry 10 using the command permit host 192.168.1.130. You can see that this entry appears at the end of the list with number 50. However, access still will not work, because the line that permits the specific host is at the end of the list, while the line that denies all traffic from the network is at the top of the list. If we try to ping Laptop0 in the management department from PC0, we get the message "Destination host unreachable", even though there is a permit entry at number 50 in the ACL.

So, if you want to edit an existing ACL, you need to enter the command no permit host 192.168.1.130 in R2 (config-std-nacl) mode, check that line 50 has disappeared from the list, and enter the command 10 permit host 192.168.1.130. We see that the list has now returned to its original form, with this entry in first place. Sequence numbers make it possible to edit a list in any way, so the modern form of ACL is much more convenient than the classic one.
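The first-match behaviour behind Task No. 4 and the sequence-number edit just described, replayed in a small Python model (an added example, not part of the original lesson and not Cisco code). The StandardAcl class, its shadowed() check and the address 192.168.1.131 for another accounting host are assumptions made for illustration; the ACL entries are the ones entered above.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard(cidr):
    # Inverse (wildcard) mask of a prefix, e.g. /26 -> 0.0.0.63
    return str(ipaddress.ip_network(cidr).hostmask)

class StandardAcl:
    """Toy model of a named standard ACL: source match only, first match wins."""
    def __init__(self):
        self.entries = {}  # sequence number -> (action, base, wildcard)
    def add(self, action, addr, wc="0.0.0.0", seq=None):
        if seq is None:  # no number given: placed 10 after the last entry
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = (action, ip(addr), ip(wc))
        return seq
    def evaluate(self, src):
        for seq in sorted(self.entries):
            action, base, wc = self.entries[seq]
            # A wildcard bit of 1 means "ignore this bit"; compare the rest.
            if (ip(src) | wc) == (base | wc):
                return action, seq
        return "deny", None  # implicit deny that ends every ACL
    def shadowed(self):
        """Entries that can never match because an earlier entry covers them."""
        order, dead = sorted(self.entries), []
        for i, seq in enumerate(order):
            _, base, wc = self.entries[seq]
            for prev in order[:i]:
                _, pbase, pwc = self.entries[prev]
                if (wc & ~pwc) == 0 and (base | pwc) == (pbase | pwc):
                    dead.append(seq)
                    break
        return dead

def replay():
    acl = StandardAcl()
    acl.add("permit", "192.168.1.130")                              # 10: PC0
    acl.add("deny", "192.168.1.128", wildcard("192.168.1.128/26"))  # 20
    acl.add("deny", "192.168.1.0", wildcard("192.168.1.0/25"))      # 30
    acl.add("permit", "0.0.0.0", "255.255.255.255")                 # 40: any
    del acl.entries[10]                  # no permit host 192.168.1.130
    acl.add("permit", "192.168.1.130")   # re-entered without a number: 50
    late = (acl.evaluate("192.168.1.130"), acl.shadowed())
    del acl.entries[50]
    acl.add("permit", "192.168.1.130", seq=10)  # 10 permit host 192.168.1.130
    fixed = (acl.evaluate("192.168.1.130"), acl.shadowed())
    return late, fixed, acl

if __name__ == "__main__":
    late, fixed, acl = replay()
    print(late, fixed, acl.evaluate("192.168.1.131"))  # .131: constructed host
```

The shadowed() check is the kind of review worth running over any exported ACL: an entry it reports is dead configuration and usually signals an ordering mistake like the one at number 50.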

Now I will show how the classic form of the list, ACL 10, works. To use the classic list, you need to enter the command access-list 10 ? and, following the prompt, choose the desired action: deny, permit or remark. Then I enter the line access-list 10 deny host, after which I type the command access-list 10 deny 192.168.1.3 and add the inverse mask. Since we have a host, the forward subnet mask is 255.255.255.255 and the inverse mask is 0.0.0.0. As a result, to deny the host's traffic I must enter the command access-list 10 deny 192.168.1.3 0.0.0.0. After that you need to specify the permissions, for which I type the command access-list 10 permit any. This list has to be applied to the G0/1 interface of router R2, so I enter the commands int g0/1 and ip access-group 10 in one after the other. Whichever list is used, classic or modern, the same commands are used to apply it to an interface.

To check that the settings are correct, I go to the command line terminal of Laptop3 and try to ping the IP address 192.168.1.130. As you can see, the system reports that the destination host is unreachable.

Let me remind you that to view the list you can use both the show ip access-lists command and the show access-lists command. We have one more task to solve, which concerns router R1. To do this, go to the CLI of this router, enter global configuration mode and enter the command ip access-list standard Secure_Ma_From_Se. Since we have the network 192.168.1.192/27, the subnet mask is 255.255.255.224, which means the inverse mask is 0.0.0.31, and we need to enter the command deny 192.168.1.192 0.0.0.31. Since all other traffic is permitted, the list ends with permit any. To apply the ACL to the router's output interface, use the command ip access-group Secure_Ma_From_Se out.

Now I go to the command line terminal of Server0 and try to ping Laptop0 in the management department at the IP address 192.168.1.226. The attempt fails, but if I ping the address 192.168.1.130, the connection is established without any problem. That is, we have prevented the server computer from communicating with the management department, while communication with all other devices in the other departments is allowed. So we have successfully solved all 4 tasks.

Let me show you something else. We go into the settings of router R2, where we have two types of ACL, classic and modern. Let's say I want to edit ACL 10, Standard IP access list 10, which in its classic form consists of two entries, 10 and 20. If I use the show run command, I can see that first we have the modern access list of 4 entries without numbers under the common heading Secure_Ma_And_Se, and below it are the two entries of ACL 10 in classic form, each repeating the name of the same list, access-list 10.

If I want to make some changes, such as removing the deny host 192.168.1.3 entry and adding an entry for a device on a different network, I need to use the delete command for that entry only: no access-list 10 deny host 192.168.1.3. But as soon as I enter this command, all entries of ACL 10 disappear completely. This is why the classic form of ACL is so inconvenient to edit. The modern way of writing entries is much more convenient to use, because it allows free editing.

To absorb the material of this video lesson, I advise you to watch it again and try to solve the tasks discussed on your own, without any hints. ACL is an important topic in the CCNA course, and many people are confused by, for example, the procedure for creating the inverse Wildcard Mask. I assure you: once you understand the idea of inverting the mask, everything becomes much simpler. Remember that the most important thing in understanding the topics of the CCNA course is practical training, because only practice will help you understand one Cisco concept or another. Practice does not mean copying my commands, but solving the tasks in your own way. Ask yourself questions: what must be done to block traffic from here to there, where the conditions should be applied, and so on, and try to answer them.


source: www.habr.com