Cisco Training 200-125 CCNA v3.0. Day 27. Introduction to ACL. Part 2

One thing I forgot to mention is that an ACL does not only filter traffic on a permit/deny basis; it performs many other functions as well. For example, an ACL is used to encrypt VPN traffic, but to pass the CCNA exam you only need to know how it is used to filter traffic. Let's return to Task No.

We determined that accounting and sales department traffic can be blocked on the R2 output interface using the following ACL.

Do not worry about the format of this list; it is meant only as an example to help you understand what an ACL is. We will get to the exact format once we start working with Packet Tracer.

Task No. 2 reads as follows: the server room can communicate with all hosts except the hosts of the management department. That is, the server room computers can access any computer in the sales and accounting departments, but must not have access to the computers in the management department. This means that the server room IT staff should not have remote access to the computer of the head of the management department and, if there are problems, should come to his office and fix the problem on the spot. Note that this task is not practical, because I do not know of any reason why the server room would be unable to communicate over the network with the management department, so in this case we are simply looking at a teaching example.

To solve this task, you first need to determine the traffic path. Data from the server room arrives at input interface G0/1 of router R1 and is sent to the management department through output interface G0/0.

If we apply the Deny 192.168.1.192/27 condition to input interface G0/1, and, as you remember, a standard ACL is placed close to the traffic source, we will block all traffic, including traffic to the sales and accounting departments.

Since we want to block only traffic directed to the management department, we must apply the ACL to output interface G0/0. This task can be solved only by placing the ACL close to the destination. At the same time, traffic from the accounting and sales department networks must reach the management department freely, so the last line of the list will be the Permit any command, which permits any traffic other than the traffic specified in the previous condition.
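The placement argument for Task No. 2 can be checked with a small model of R1. This is an added example, not part of the original lesson; the management prefix 192.168.1.224/27 and the uplink name "to-R2" are assumptions, while the interface names and host addresses are the ones used on this page.

```python
import ipaddress

net = ipaddress.ip_network
# R1 routing as (destination network, egress interface). G0/1 and G0/0 are from
# the page; the management prefix and the name "to-R2" are assumptions.
ROUTES = [
    (net("192.168.1.192/27"), "G0/1"),   # server room
    (net("192.168.1.224/27"), "G0/0"),   # management (assumed prefix)
    (net("192.168.1.128/26"), "to-R2"),  # accounting, behind R2
    (net("192.168.1.0/25"), "to-R2"),    # sales, behind R2
]
# Task 2 ACL: a standard ACL looks only at the source address.
DENY_SERVERS = [("deny", net("192.168.1.192/27")), ("permit", None)]  # None = any

def permitted(acl, src):
    """First match wins; an ACL with no matching entry denies."""
    for action, network in acl:
        if network is None or ipaddress.ip_address(src) in network:
            return action == "permit"
    return False

def egress(dst):
    """Egress interface of R1 for a destination address."""
    return next(ifc for network, ifc in ROUTES if ipaddress.ip_address(dst) in network)

def forwarded(src, dst, ingress, bindings):
    """bindings maps (interface, 'in' | 'out') to an ACL, like ip access-group."""
    for hook in ((ingress, "in"), (egress(dst), "out")):
        acl = bindings.get(hook)
        if acl is not None and not permitted(acl, src):
            return False
    return True

NEAR_SOURCE = {("G0/1", "in"): DENY_SERVERS}        # blocks every destination
NEAR_DESTINATION = {("G0/0", "out"): DENY_SERVERS}  # blocks management only

if __name__ == "__main__":
    server0, laptop0, pc0 = "192.168.1.194", "192.168.1.226", "192.168.1.130"
    for name, b in (("in on G0/1", NEAR_SOURCE), ("out on G0/0", NEAR_DESTINATION)):
        print(name, "Server0->Laptop0", forwarded(server0, laptop0, "G0/1", b))
        print(name, "Server0->PC0", forwarded(server0, pc0, "G0/1", b))
```

Because the entries match on source only, the interface and direction are the only way to express "traffic to the management department".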

Let's move on to Task No. 3: the Laptop 3 laptop from the sales department must not have access to any devices other than those on the sales department's local network. Let's assume that a trainee works on this computer and must not go beyond his LAN.
In this case, you need to apply the ACL on input interface G0/1 of router R2. If we assign IP address 192.168.1.3/25 to this computer, then the Deny 192.168.1.3/25 condition must be met, and traffic from any other IP address must not be blocked, so the last line of the list will be Permit any.

In this way, blocking the traffic will have no effect on Laptop2.

The next task will be Task No.

If you remember, the ACL from Task No. 1 blocks all traffic leaving on the S0/1/0 interface of router R2, but Task No. 4 says that we must make sure that only PC0 traffic gets through, so we have to make an exception.

All the tasks we are solving now should help you in real situations when you set up ACLs for an office network. For convenience I used the classic type of entry, but I advise you to write all the lines down on paper or type them into a computer so that you can make corrections to the entries. In our case, according to the conditions of Task No. If we want to add an exception to it for PC1 of the type Permit , then we can place this line only fourth in the list, after the Permit Any line. However, since this computer's address falls within the range of addresses checked by the Deny condition 0/0, its traffic will be blocked as soon as that condition is met, and the router will simply never reach the check on the fourth line, which permits traffic from this IP address.
Therefore, I will have to completely redo the ACL of Task No. from the accounting and sales departments.

Thus, in the first line we have a command for a specific address, and in the second a general command for the whole network in which this address is located. If you use the modern type of ACL, you can easily change it by placing the line Permit 192.168.1.130/26 as the first command. If you have a classic ACL, you must delete it completely and then re-enter the commands in the correct order.

The solution to Task No. 4 is to place the line Permit 192.168.1.130/26 at the beginning of the ACL from Task No. PC1's traffic will be blocked completely because its IP address falls under the prohibition in the second line of the list.

We will now move to Packet Tracer to make the necessary settings. I have already configured the IP addresses of all devices, because the simplified diagrams used earlier were a little hard to understand. In addition, I configured RIP between the two routers. On the given network topology, communication between all devices of the 4 subnets is possible without any restrictions. But as soon as we apply the ACL, traffic will start to be filtered.

I will start with the accounting department's PC1 and try to ping IP address 192.168.1.194, which belongs to Server0, located in the server room. As you can see, the ping succeeds without problems. I also successfully ping Laptop0 from the management department. The first packet is dropped because of ARP; the remaining 3 are pinged freely.

To set up traffic filtering, I go into the settings of router R2, enter global configuration mode and create a modern ACL. We also have the classic-looking ACL 10. To create the first list, I enter a command in which you must specify the same list name that we wrote down on paper: ip access-list standard Secure_Ma_And_Se. After this, the system prompts for the possible parameters: I can choose deny, exit, no, permit or remark, and also enter a Sequence Number from 1 to 2147483647. If I do not do this, the system will assign it automatically.

Therefore, I do not enter this number, but go straight to the permit host 192.168.1.130 command, since this permission applies to the specific device PC0. I could also use a reverse Wildcard Mask, and I will now show you how to do that.

Next, I enter the deny 192.168.1.128 command. Since we have /26, I use the reverse mask and complete the command with it: deny 192.168.1.128 0.0.0.63. In this way, I deny traffic from the network 192.168.1.128/26.

Likewise, I block traffic from the following network: deny 192.168.1.0 0.0.0.127. All other traffic is permitted, so I enter the permit any command. Next I need to apply this list to the interface, so I use the int s0/1/0 command. Then I type ip access-group Secure_Ma_And_Se, and the system prompts me to choose a direction: in for incoming packets and out for outgoing ones. We need to apply the ACL to the output interface, so I use the ip access-group Secure_Ma_And_Se out command.

Let's go to the PC0 command line and ping IP address 192.168.1.194, which belongs to the Server0 server. The ping succeeds because we used a special ACL condition for PC0 traffic. If I do the same from PC1, the system returns the error "destination host unreachable", since traffic from the remaining IP addresses of the accounting department is blocked from reaching the server room.

By entering the CLI of router R2 and typing the show ip access-lists command, you can see how the accounting department's network traffic was handled: it shows how many times the ping was passed according to the permission and how many times it was blocked according to the prohibition.

We can always go into the router settings and view the access list. Thus, the conditions of Tasks No. 1 and No. Let me show you one more thing. If I want to correct something, I can enter the global configuration mode of R2, enter the command ip access-list standard Secure_Ma_And_Se and then the command stating that host 192.168.1.130 is not permitted: no permit host 192.168.1.130.

If we look at the access list again, we will see that line 10 has disappeared and we have only lines 20, 30 and 40. Thus, you can edit an ACL in the router settings, but only if it is not written in the classic form.

Now let's move on to the third ACL, because it also concerns router R2. It says that no traffic from Laptop3 may leave the sales department network. At the same time, Laptop2 must communicate without problems with the computers of the accounting department. To test this, I ping IP address 192.168.1.130 from this laptop and make sure that everything works.

Now I will go to the command line of Laptop3 and ping address 192.168.1.130. The ping succeeds, but we do not want that, because according to the conditions of the task Laptop3 may communicate only with Laptop2, which is in the same sales department network. To achieve this, you need to create another ACL using the classic method.

I will go back to the R2 settings and try to restore the deleted entry 10 using the permit host 192.168.1.130 command. You can see that this entry appears at the end of the list under number 50. However, access will still not work, because the line permitting the specific host is at the end of the list, and the line denying all traffic of the network is at the top of the list. If we try to ping Laptop0 of the management department from PC0, we get the message "destination host unreachable", even though there is a permit entry under number 50 in the ACL.

So, if you want to edit an existing ACL, you need to enter the command no permit host 192.168.1.130 on R2 in (config-std-nacl) mode, check that line 50 has disappeared from the list, and enter the command 10 permit host 192.168.1.130. We see that the list has now returned to its original form, with this entry in first place. Sequence numbers help you edit the list in any way, so the modern form of ACL is much more convenient than the classic one.
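The effect of the sequence numbers can be reproduced with a small first-match evaluator for standard ACL entries. This is an added example, not part of the original lesson; the address 192.168.1.131 is a constructed stand-in for PC1, whose address the page does not give.

```python
import ipaddress

def wildcard(prefix_len):
    """Wildcard (reverse) mask for a prefix length: the inverted subnet mask."""
    return str(ipaddress.ip_address((1 << (32 - prefix_len)) - 1))

def parse_entry(line):
    """Parse '<seq> permit|deny <any | host A | A [W]>' into integers for matching."""
    tok = line.split()
    seq, action, src = int(tok[0]), tok[1], tok[2:]
    if src == ["any"]:
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":
        addr, wild = src[1], "0.0.0.0"
    else:  # address with optional wildcard; no wildcard means a single host
        addr, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
    return seq, action, int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wild))

def evaluate(acl_lines, source_ip):
    """Return (action, seq) of the first entry matching source_ip, in sequence order."""
    src = int(ipaddress.ip_address(source_ip))
    for seq, action, addr, wild in sorted(parse_entry(l) for l in acl_lines):
        # Bits set in the wildcard are ignored; every other bit must be equal.
        if (src | wild) == (addr | wild):
            return action, seq
    return "deny", None  # implicit deny that ends every ACL

# Secure_Ma_And_Se after the permit was re-added without a sequence number:
APPENDED = [
    f"20 deny 192.168.1.128 {wildcard(26)}",   # accounting, 0.0.0.63
    f"30 deny 192.168.1.0 {wildcard(25)}",     # sales, 0.0.0.127
    "40 permit any",
    "50 permit host 192.168.1.130",            # PC0, shadowed by entry 20
]
# The same list after 'no permit host ...' and '10 permit host 192.168.1.130':
REORDERED = ["10 permit host 192.168.1.130"] + APPENDED[:3]

if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("reordered", REORDERED)):
        # 192.168.1.131 is a constructed address standing in for PC1.
        for ip in ("192.168.1.130", "192.168.1.131", "192.168.1.3", "192.168.1.194"):
            print(name, ip, evaluate(acl, ip))
```

The returned sequence number shows which entry decided the packet, which corresponds to the per-entry match counters in the show ip access-lists output.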

Now I will show how the classic form of the ACL 10 list works. To use the classic list, you enter the command access-list 10 ? and, following the prompt, choose the action you need: deny, permit or remark. Then I enter the line access-list 10 deny host, after which I type the command access-list 10 deny 192.168.1.3 and add the reverse mask. Since we have a host, the forward subnet mask is 255.255.255.255 and the reverse mask is 0.0.0.0. As a result, to deny the host's traffic, I must enter the command access-list 10 deny 192.168.1.3 0.0.0.0. After this, you need to specify the permissions, for which I type the command access-list 10 permit any. This list must be applied to the G0/1 interface of router R2, so I enter the commands int g0/1 and ip access-group 10 in one after the other. Regardless of which list is used, classic or modern, the same commands are used to apply the list to an interface.

To check that the settings are correct, I go to the Laptop3 command line and try to ping IP address 192.168.1.130. As you can see, the system reports that the destination host is unreachable.

Let me remind you that to view the list you can use both the show ip access-lists and the show access-lists commands. We need to solve one more task, which concerns router R1. To do this, I go to the CLI of this router, enter global configuration mode and enter the command ip access-list standard Secure_Ma_From_Se. Since we have the network 192.168.1.192/27, its subnet mask is 255.255.255.224, which means the reverse mask is 0.0.0.31, and we need to enter the deny 192.168.1.192 0.0.0.31 command. Since all other traffic is permitted, the list ends with the permit any command. To apply the ACL to the router's output interface, use the ip access-group Secure_Ma_From_Se out command.

Now I will go to the command-line terminal of Server0 and try to ping Laptop0 of the management department at IP address 192.168.1.226. The attempt fails, but when I ping address 192.168.1.130, the connection is established without problems. That is, we have forbidden the server computer to communicate with the management department but allowed communication with all other devices in the other departments. Thus, we have successfully solved all 4 tasks.

Let me show you one more thing. We go into the settings of router R2, where we have two types of ACL, classic and modern. Let's say I want to edit ACL 10, Standard IP access list 10, which in its classic form consists of two entries, 10 and 20. If I use the do show run command, I can see that first we have the modern access list of 4 entries without numbers under the common heading Secure_Ma_And_Se, and below it are two ACL 10 entries in the classic form, each repeating the name of the same access-list 10.

If I want to make some changes, such as removing the deny host 192.168.1.3 entry and adding an entry for a device on another network, I need to use the delete command for that entry only: no access-list 10 deny host 192.168.1.3. But as soon as I enter this command, all the entries of ACL 10 disappear completely. That is why the classic form of ACL is very inconvenient to edit. The modern way of writing the list is much more convenient to use, since it allows free editing.

To master the material in this video lesson, I advise you to watch it again and try to solve the tasks discussed on your own, without any hints. ACL is an important topic in the CCNA course, and many people are confused by, for example, the procedure for creating a reverse Wildcard Mask. I assure you, just understand the concept of mask conversion and everything will become much easier. Remember that the most important thing in understanding the topics of the CCNA course is practical training, because only practice will help you understand this or that Cisco concept. Practice is not copy-pasting my commands, but solving problems in your own way. Ask yourself questions: what needs to be done to block the flow of traffic from here to there, where the conditions should be applied, and so on, and try to answer them.



Source: www.habr.com
