Cisco Training 200-125 CCNA v3.0. Day 27. Introduction to ACL. Part 1

Today we begin studying the ACL, the access control list. This topic will take 2 video lessons. We will look at configuring the standard ACL, and in the next video tutorial I will talk about the extended list.

In this lesson we will cover three topics. The first is what an ACL is, the second is the difference between standard and extended access lists, and at the end of the lesson, as a lab, we will look at setting up a standard ACL and troubleshooting possible problems.
So what is an ACL? If you have followed the course from the very first video lesson, you will remember how we set up communication between different network devices.


We also studied static routing as well as various protocols, to gain skills in organizing communication between devices and networks. We have now reached the stage of the course where we need to concern ourselves with traffic control, that is, with keeping "bad guys" or unauthorized users out of the network. For example, this may concern people from the SALES department, which is shown in this diagram. Here we also show the accounting department ACCOUNTS, the management department MANAGEMENT and the server room SERVER ROOM.
So, the sales department may have a hundred employees, and we do not want any of them to be able to reach the server room over the network. An exception is made for the sales manager who works on the Laptop2 computer - he may access the server room. A new employee working on Laptop3 must not have such access, that is, if traffic from his computer reaches router R2, it must be dropped.

The job of an ACL is to filter traffic according to the specified filtering parameters. These include the source IP address, the destination IP address, the protocol, the port number and other parameters, which let you identify traffic and take some action on it.

So, an ACL is a layer 3 filtering mechanism of the OSI model. This means that the mechanism is used in routers. The main criterion for filtering is identification of the data stream. For example, if we want to block the guy with the Laptop3 computer from reaching the server, we must first identify his traffic. This traffic travels along the path Laptop-Switch2-R2-R1-Switch1-Server1 through the corresponding interfaces of the network devices, while the G0/0 interfaces of the routers have nothing to do with it.


To identify traffic, we must determine its path. Once we have done that, we can decide exactly where the filter needs to be installed. Do not worry about the filters themselves, we will discuss them in the next lesson; for now we need to understand the principle of which interface the filter should be applied to.

If you look at a router, you can see that whenever traffic moves there is an interface through which the data flow comes in, and an interface through which that flow goes out.

There are actually 3 interfaces: the input interface, the output interface and the router's own interface. Just remember that filtering can only be applied to the input or the output interface.


The way an ACL works is similar to a pass for an event that can only be attended by guests whose names are on the list of invited people. An ACL is a list of qualification parameters that are used to identify traffic. For example, this list shows that all traffic from the IP address 192.168.1.10 is permitted, and traffic from all other addresses is denied. As I said, this list can be applied to both the input and the output interface.

There are 2 types of ACLs: standard and extended. A standard ACL has an identifier from 1 to 99 or from 1300 to 1999. These are simply list names, and none has any advantage over another as the numbers increase. In addition to a number, you can give an ACL a name of your own. Extended ACLs are numbered 100 to 199 or 2000 to 2699 and can also have a name.

In a standard ACL, classification is based on the source IP address of the traffic. Therefore, when you use such a list, you cannot restrict traffic directed to a particular destination; you can only block traffic coming from a particular device.

An extended ACL classifies traffic by source IP address, destination IP address, the protocol used, and the port number. For example, you can block only FTP traffic, or only HTTP traffic. Today we will look at the standard ACL, and we will devote the next video lesson to extended lists.

As I said, an ACL is a list of conditions. After you apply this list to a router's inbound or outbound interface, the router checks traffic against the list, and if the traffic meets the conditions set in the list, it decides whether to permit or deny that traffic. People often find it hard to tell the inbound and outbound interfaces of a router apart, although there is nothing complicated here. When we talk about an inbound interface, it means that only incoming traffic is controlled on this port, and the router will not apply restrictions to outgoing traffic. Likewise, when we talk about an egress interface, it means that all the rules apply only to outgoing traffic, while incoming traffic on this port is accepted without restrictions. For example, if a router has 2 ports, f0/0 and f0/1, then the ACL will apply only to traffic entering the f0/0 interface, or only to traffic leaving the f0/1 interface. Traffic entering or leaving interface f0/1 will not be affected by the list.


So do not be confused by the inbound or outbound direction of an interface; it depends on the direction of the specific traffic. After the router has checked the traffic against the ACL conditions, it can make only two decisions: permit the traffic or deny it. For example, you can permit traffic destined for 180.160.1.30 and deny traffic destined for 192.168.1.10. Each list can contain several conditions, but each of these conditions must either permit or deny.

Let's say we have a list:

Deny _______
Permit ________
Permit ________
Deny _______.

First, the router checks the traffic to see whether it matches the first condition; if it does not, it checks the second condition. If the traffic matches the third condition, the router stops checking and will not compare it with the remaining conditions in the list. It performs the "permit" action and moves on to checking the next portion of traffic.

If you have not set a rule for a packet and the traffic passes through every line of the list without hitting any condition, it is discarded, because every ACL by default ends with a deny any command, that is, discard any packet that does not fall under any of the rules. This condition takes effect if there is at least one rule in the list; otherwise it has no effect. But if the first line contains the entry deny 192.168.1.30 and the list contains no other conditions, then there must be a permit any command at the end, that is, permit any traffic except what is forbidden by the rule. You must take this into account to avoid mistakes when configuring an ACL.

I want you to remember the basic rule of creating an ACL: place a standard ACL as close as possible to the destination, that is, to the receiver of the traffic, and place an extended ACL as close as possible to the source, that is, to the sender of the traffic. These are Cisco's recommendations, but in practice there are situations where it makes sense to place a standard ACL close to the traffic source. However, if you come across a question about ACL placement rules in the exam, follow Cisco's recommendations and answer unambiguously: standard closer to the destination, extended closer to the source.

Now let's look at the syntax of the standard ACL. There are two kinds of command syntax in the router's global configuration mode: classic syntax and modern syntax.


The classic command type is access-list <ACL number> <deny/permit> <criteria>. If you set <ACL number> from 1 to 99, the device automatically understands that this is a standard ACL, and if it is from 100 to 199, then it is an extended one. Since in today's lesson we are looking at the standard list, we can use any number from 1 to 99. Then we specify the action to be applied when the parameters match the criterion that follows - permit or deny the traffic. We will look at the criterion later, since it is also used in the modern syntax.

The modern command type is also used in the Rx(config) global configuration mode and looks like this: ip access-list standard <ACL number/name>. Here you can use a number from 1 to 99 or the name of the ACL, for example, ACL_Networking. This command immediately puts the system into the standard-mode subcommand mode Rx(config-std-nacl), where you must enter <deny/permit> <criteria>. The modern command type has more advantages compared to the classic one.

In a classic list, if you type access-list 10 deny ______, then type the next command of the same kind for another criterion, and you end up with 100 such commands, then to change any one of the commands you entered you will have to delete the entire access-list 10 with the command no access-list 10. This removes all 100 commands, because there is no way to edit an individual command in this list.

In the modern syntax, the command is split into two lines, the first of which contains the list number. Suppose you have a list access-list standard 10 deny ________, access-list standard 20 deny ________ and so on; then you have the option of inserting intermediate entries with other criteria between them, for example, access-list standard 15 deny ________ .

Alternatively, you can simply delete the access-list standard 20 lines and type them in again with different parameters between the access-list standard 20 and access-list standard 10 lines. So there are different ways of editing the modern ACL syntax.

You need to be very careful when creating ACLs. As you know, lists are read from top to bottom. If you place a line at the top that permits traffic from a specific host, then below it you can place a line that denies traffic from the entire network that this host is part of, and both conditions will be checked: traffic from the specific host will be let through, and traffic from all the other hosts of this network will be blocked. Therefore, always place specific entries at the top of the list and general ones at the bottom.

So, after you have created a classic or modern ACL, you must apply it. To do this, go to the settings of a specific interface, for example f0/0, using the command interface <type and slot>, enter the interface subcommand mode and enter the command ip access-group <ACL number/name>. Please note the difference: when creating the list, access-list is used, and when applying it, access-group is used. You must determine which interface the list will be applied to - the incoming interface or the outgoing interface. If the list has a name, for example, Networking, the same name is repeated in the command that applies the list on this interface.

Now let's take a concrete problem and try to solve it using our example network diagram in Packet Tracer. So, we have four networks: the sales department, the accounting department, management and the server room.

Task No. 1: all traffic directed from the sales and accounting departments to the management department and the server room must be blocked. The blocking point is interface S0/1/0 of router R2. First we need to create a list containing the following entries:


Let's call the list "Management and Server Security ACL", abbreviated as ACL Secure_Ma_And_Se. This is followed by denying traffic from the accounting department network 192.168.1.128/26, denying traffic from the sales department network 192.168.1.0/25, and permitting any other traffic. At the end of the list it is indicated that it is applied to the outgoing interface S0/1/0 of router R2. If we do not have a Permit Any entry at the end of the list, then all other traffic will be blocked, because by default an ACL always has a Deny Any entry at the end of the list.

Can I apply this ACL to interface G0/0? Of course I can, but in that case only traffic from the accounting department will be blocked, and traffic from the sales department will not be restricted in any way. In the same way, you can apply the ACL to the G0/1 interface, but in that case the accounting department's traffic will not be blocked. Of course, we can create two separate block lists for these interfaces, but it is much more efficient to combine them into one list and apply it to the outgoing interface of router R2 or the input interface S0/1/0 of router R1.

Although Cisco's rules say that a standard ACL should be placed as close to the destination as possible, I will place it closer to the traffic source, because I want to block all outgoing traffic, and it makes sense to do this closer to the source so that this traffic does not load the network between the two routers.

I forgot to tell you about the criteria, so let's quickly go back. You can specify any as the criterion - in this case, any traffic from any device and any network is denied or permitted. You can also specify a host with its identifier - in this case, the entry will be the IP address of a specific device. Finally, you can specify an entire network, for example, 192.168.1.10/24. In this case, /24 means a subnet mask of 255.255.255.0, but it is not possible to specify a subnet mask in an ACL. For this, the ACL has a concept called the Wildcard Mask, or "reverse mask". So you must specify the IP address and the reverse mask. The reverse mask is obtained like this: you subtract the direct subnet mask from the general subnet mask, that is, the number corresponding to the octet value in the forward mask is subtracted from 255.


So, you must use the parameter 192.168.1.10 0.0.0.255 as the criterion in the ACL.

How does it work? If a reverse mask octet contains 0, the criterion is considered to match the corresponding octet of the subnet IP address exactly. If the reverse mask octet contains a number, the match is not checked. Thus, for the network 192.168.1.0 and the reverse mask 0.0.0.255, all traffic from addresses whose first three octets are equal to 192.168.1., regardless of the value of the fourth octet, will be blocked or permitted depending on the specified action.


Using the reverse mask is easy, and we will return to the Wildcard Mask in the next video so that I can explain how to work with it.
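The top-to-bottom evaluation with its closing deny any, and the reverse-mask matching described above, as an added Python example that is not part of the original lesson. It models the Task No. 1 list with the /26 and /25 prefixes converted to reverse masks; the tuple layout, the HOST_FIRST and NETWORK_FIRST lists and the tested source addresses are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the "any" criterion: every bit ignored

def wildcard_from_mask(mask):
    """Reverse mask: each subnet-mask octet subtracted from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def matches(src, base, wildcard):
    """Wildcard bit 0 means 'must match', bit 1 means 'not checked'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src):
    """Standard ACL: test the source address top to bottom, first match wins."""
    if not acl:
        return "permit"    # per the lesson, no implicit deny without entries
    for action, base, wildcard in acl:
        if matches(src, base, wildcard):
            return action  # stop here; later entries are never compared
    return "deny"          # implicit deny any at the end of the list

# The list described for Task No. 1 (reverse masks derived from /26 and /25).
SECURE_MA_AND_SE = [
    ("deny", "192.168.1.128", wildcard_from_mask("255.255.255.192")),  # accounting
    ("deny", "192.168.1.0", wildcard_from_mask("255.255.255.128")),    # sales
    ("permit", *ANY),
]

# Ordering: the specific host entry must precede the general network entry.
HOST_FIRST = [("permit", "192.168.1.10", "0.0.0.0"),
              ("deny", "192.168.1.0", "0.0.0.255"),
              ("permit", *ANY)]
NETWORK_FIRST = [HOST_FIRST[1], HOST_FIRST[0], HOST_FIRST[2]]

if __name__ == "__main__":
    # Source addresses below are constructed samples, not taken from the lesson.
    for src in ("192.168.1.130", "192.168.1.20", "192.168.1.200"):
        print(src, evaluate(SECURE_MA_AND_SE, src),
              "| without permit any:", evaluate(SECURE_MA_AND_SE[:2], src))
    print("host first:", evaluate(HOST_FIRST, "192.168.1.10"),
          "| network first:", evaluate(NETWORK_FIRST, "192.168.1.10"))
```

Dropping the final permit entry turns the result for the unrelated source 192.168.1.200 from permit into deny, and swapping the host and network entries denies the host that was meant to be let through.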


Source: www.habr.com
