Namhlanje siza kuqala ukufunda malunga noluhlu lokulawula ukufikelela kwe-ACL, esi sihloko siya kuthatha izifundo ze-2 zevidiyo. Siza kujonga ukucwangciswa kwe-ACL eqhelekileyo, kwaye kwisifundo sevidiyo esilandelayo ndiya kuthetha ngoluhlu olwandisiweyo.
Kwesi sifundo siza kugubungela izihloko ezi-3. Eyokuqala yintoni na ACL, okwesibini yintoni umahluko phakathi umgangatho kunye nofikelelo uluhlu eyandisiweyo, kwaye ekupheleni kwesifundo, njenge lab, siya kujonga ukuseta umgangatho ACL kunye nokusombulula iingxaki ezinokwenzeka.
Ke yintoni i-ACL? Ukuba ufunde ikhosi kwisifundo sokuqala sevidiyo, uyakhumbula ukuba silulungelelanise njani unxibelelwano phakathi kwezixhobo ezahlukeneyo zenethiwekhi.
Sikwafunde umzila ongatshintshiyo kwiiprothokholi ezahlukeneyo ukufumana izakhono zokucwangcisa unxibelelwano phakathi kwezixhobo kunye nothungelwano. Ngoku sifikelele kwinqanaba lokufunda apho kufuneka sikhathazeke ngokuqinisekisa ulawulo lwezithuthi, oko kukuthi, ukuthintela "ababi" okanye abasebenzisi abangagunyaziswanga ukuba bangene kwinethiwekhi. Umzekelo, oku kunokuchaphazela abantu abavela kwisebe lentengiso ye-SALES, eboniswe kulo mzobo. Apha sibonisa kwakhona isebe lezemali ACCOUNTS, isebe lolawulo ULAWULO kunye ne-server room SERVER ROOM.
Ngoko ke, isebe lokuthengisa linokuba nabasebenzi abalikhulu, kwaye asifuni ukuba nawuphi na kubo akwazi ukufikelela kwigumbi lomncedisi phezu kwenethiwekhi. Ukhetho lwenziwe kumphathi wentengiso osebenza kwikhompyuter yeLaptop2 - unokufikelela kwigumbi lomncedisi. Umqeshwa omtsha osebenza kwiLaptop3 akufanele abe nokufikelela okunjalo, oko kukuthi, ukuba i-traffic esuka kwikhompyutheni yakhe ifikelela kwi-router R2, kufuneka iwiswe.
Indima ye-ACL kukucoca i-traffic ngokweeparamitha ezichaziweyo zokucoca. Zibandakanya idilesi ye-IP yomthombo, idilesi ye-IP yendawo, iprotocol, inani lamachweba kunye nezinye iiparameters, enkosi apho unokwazi ukuchonga i-traffic kwaye uthathe amanyathelo athile ngayo.
Ke, i-ACL ngumaleko wesi-3 wokuhluza indlela ye-OSI. Oku kuthetha ukuba le ndlela isetyenziswa kwii-router. Umlinganiselo ophambili wokucoca kukuchongwa komjelo wedatha. Umzekelo, ukuba sifuna ukuvimba umntu onekhompyuter yeLaptop3 ekufikeleleni kumncedisi, okokuqala kufuneka sichonge itrafikhi yakhe. Le traffic ihamba kwicala leLaptop-Switch2-R2-R1-Switch1-Server1 ngokusebenzisa ujongano oluhambelanayo lwezixhobo zenethiwekhi, ngelixa i-G0/0 ujongano lweerouter ayinanto yakwenza nayo.
Ukuchonga izithuthi, kufuneka sichonge indlela yazo. Yakuba sikwenzile oku, sinokugqiba ukuba kuphi kanye kanye esikufunayo ukusifaka isihluzi. Ungazikhathazi malunga nezihluzi ngokwazo, siya kuxoxa ngazo kwisifundo esilandelayo, kuba ngoku kufuneka siqonde umgaqo wokuba isihluzo kufuneka sisetyenziswe kuso.
Ukuba ukhangele i-router, unokubona ukuba rhoqo xa i-traffic ihamba, kukho i-interface apho ukuhamba kwedatha kungena khona, kunye ne-interface apho oku kuphuma kuphuma khona.
Kukho ngokwenene ezi-3 ujongano: ujongano lwegalelo, ujongano lwemveliso kunye nojongano lwerouter eyakhe. Khumbula nje ukuba ukuhluza kunokufakwa kuphela kwigalelo okanye ujongano lwemveliso.
Umgaqo wokusebenza kwe-ACL ufana nokupasa kwisiganeko esinokuzinyaswa kuphela ngezo ndwendwe ezigama labo likuluhlu lwabantu abamenyiweyo. I-ACL luluhlu lweeparamitha zokufaneleka ezisetyenziselwa ukuchonga i-traffic. Ngokomzekelo, olu luhlu lubonisa ukuba zonke i-traffic zivunyelwe kwidilesi ye-IP 192.168.1.10, kunye ne-traffic evela kuzo zonke ezinye iidilesi zinqatshelwe. Njengoko benditshilo, olu luhlu lunokusetyenziswa kuzo zombini igalelo kunye nojongano lwemveliso.
Kukho iintlobo ezi-2 ze-ACLs: umgangatho kunye nokwandiswa. I-ACL eqhelekileyo ine-identifier ukusuka ku-1 ukuya ku-99 okanye ukusuka ku-1300 ukuya ku-1999. La ngamagama adweliswe ngokulula angenayo nayiphi na inzuzo phezu komnye njengoko amanani enyuka. Ukongeza kwinani, unokwabela igama lakho kwi-ACL. Ii-ACLs ezandisiweyo zinenombolo 100 ukuya ku-199 okanye 2000 ukuya ku-2699 kwaye zisenokuba negama.
Kwi-ACL eqhelekileyo, ulwahlulo lusekelwe kwidilesi ye-IP yomthombo wetrafikhi. Ngoko ke, xa usebenzisa uluhlu olunjalo, awukwazi ukukhawulela i-traffic ejoliswe kuwo nawuphi na umthombo, unokuvala kuphela itrafikhi evela kwisixhobo.
I-ACL eyandisiweyo ihlela i-traffic ngedilesi ye-IP yomthombo, idilesi ye-IP yendawo, iprotocol esetyenzisiweyo, kunye nenombolo yezibuko. Umzekelo, ungavimba kuphela itrafikhi yeFTP, okanye itrafikhi yeHTTP kuphela. Namhlanje siza kujonga umgangatho we-ACL, kwaye siya kunikela isifundo esilandelayo sevidiyo kwizintlu ezongeziweyo.
Njengoko benditshilo, i ACL uluhlu lweemeko. Emva kokuba usebenzise olu luhlu kwi-interface ye-router engenayo okanye ephumayo, i-router ihlola i-traffic ngokumelene nolu luhlu, kwaye ukuba ihlangabezana neemeko ezichazwe kuluhlu, ithatha isigqibo sokuba ivumele okanye ikhanyele le traffic. Abantu bahlala bekufumanisa kunzima ukumisela igalelo kunye nemveliso yojongano lwe-router, nangona kungekho nto inzima apha. Xa sithetha nge-interface engenayo, oku kuthetha ukuba i-traffic engenayo kuphela iya kulawulwa kule port, kwaye i-router ayiyi kusebenzisa izithintelo kwi-traffic ephumayo. Ngokufanayo, ukuba sithetha nge-interface ye-egress, oku kuthetha ukuba yonke imithetho iya kusetyenziswa kuphela kwi-traffic ephumayo, ngelixa i-traffic engenayo kule port iya kwamkelwa ngaphandle kwemida. Umzekelo, ukuba umzila unamazibuko ama-2: f0/0 kunye ne-f0/1, ngoko i-ACL iya kusetyenziswa kuphela kwi-traffic engena kwi-interface ye-f0/0, okanye kuphela kwi-traffic evela kwi-interface ye-f0/1. I-traffic engena okanye eshiya ujongano lwe-f0/1 aluyi kuchatshazelwa luluhlu.
Ngoko ke, musa ukudideka ngendlela engenayo okanye ephumayo ye-interface, kuxhomekeke kwindlela yetrafikhi ethile. Ngoko ke, emva kokuba i-router ihlolisise i-traffic yokufanisa iimeko ze-ACL, inokwenza izigqibo ezimbini kuphela: vumela i-traffic okanye uyigatye. Umzekelo, ungavumela itrafikhi emiselwe 180.160.1.30 kwaye ukwale itrafikhi emiselwe 192.168.1.10. Uluhlu ngalunye lunokuqulatha iimeko ezininzi, kodwa nganye kwezi meko kufuneka ivumele okanye ikhanyele.
Masithi sinoluhlu:
Yalela _______
Vumela ________
Vumela ________
Yalela _______.
Okokuqala, i-router iya kujonga i-traffic ukuze ibone ukuba ihambelana nemeko yokuqala; Ukuba i-traffic ihambelana nemeko yesithathu, i-router iya kuyeka ukujonga kwaye ayiyi kuthelekisa nayo yonke imimiselo yoluhlu. Iyakwenza "vumela" isenzo kwaye iqhubele phambili ekujongeni indawo elandelayo yetrafikhi.
Kwimeko awukhange ubeke umgaqo kuyo nayiphi na ipakethe kunye netrafikhi idlula kuzo zonke imigca yoluhlu ngaphandle kokubetha nayiphi na imiqathango, iyatshatyalaliswa, kuba uluhlu ngalunye ACL ngokungagqibekanga iphela ngokukhanyela nawuphi na umyalelo - oko kukuthi, ukulahla. nayiphi na ipakethi, engawi phantsi kwayo nayiphi na imigaqo. Lo mqathango usebenza ukuba kukho ubuncinane umgaqo omnye kuluhlu, ngaphandle koko akukho nto. Kodwa ukuba umgca wokuqala uqulethe ukungena ukuphika 192.168.1.30 kwaye uluhlu alusekho nayiphi na imiqathango, ngoko ekugqibeleni kufuneka kubekho imvume yomyalelo nayiphi na, oko kukuthi, vumela nayiphi na i-traffic ngaphandle kokuba inqatshelwe ngumgaqo. Kufuneka uthathele ingqalelo oku ukuphepha iimpazamo xa uqwalasela i ACL.
Ndifuna ukuba ukhumbule umgaqo osisiseko wokudala uluhlu lwe-ASL: beka i-ASL esemgangathweni ngokusondeleyo kangangoko kunokwenzeka kwindawo oya kuyo, oko kukuthi, kumamkeli we-traffic, kwaye ubeke i-ASL eyandisiweyo ngokusondeleyo kangangoko kunokwenzeka kumthombo, oko kukuthi, kumthumeli wetrafikhi. Ezi zincomo Cisco, kodwa ekusebenzeni kukho iimeko apho kunengqiqo ngakumbi ukubeka umgangatho ACL kufutshane kumthombo wezithuthi. Kodwa ukuba udibana nombuzo malunga nemithetho yokubekwa kwe-ACL ngexesha loviwo, landela iingcebiso zeCisco kwaye uphendule ngokungathandabuzekiyo: umgangatho usondele kwindawo, eyandisiweyo isondele kumthombo.
Ngoku makhe sijonge kwisivakalisi se-ACL eqhelekileyo. Kukho iindidi ezimbini ze-syntax yomyalelo kwimowudi yokumisela i-router yehlabathi: i-syntax yakudala kunye ne-syntax yanamhlanje.
Uhlobo lomyalelo wakudala luluhlu lofikelelo <inombolo yeACL> <khanyela/vumela> <criteria>. Ukuba ucwangcisa <inombolo ACL> ukusuka 1 ukuya 99, isixhobo uya ngokuzenzekelayo baqonde ukuba le ACL standard, kwaye ukuba isuka 100 ukuba 199, ngoko ke eyandisiweyo. Ekubeni kwisifundo sanamhlanje sijonge uluhlu oluqhelekileyo, sinokusebenzisa nayiphi na inombolo ukusuka kwi-1 ukuya kwi-99. Emva koko sibonisa isenzo esifuna ukusetyenziswa ukuba iiparitha zihambelana nomgaqo olandelayo - vumela okanye ukukhanyela i-traffic. Siza kuqwalasela umgaqo kamva, ekubeni ikwasetyenziswa nakwisintaksi yale mihla.
Uhlobo lomyalelo lwangoku lukwasetyenziswa kwi-Rx(config) imo yoqwalaselo yehlabathi kwaye ijongeka ngolu hlobo: umgangatho wofikelelo we-ip <inombolo ye-ACL/igama>. Apha ungasebenzisa nokuba inani ukusuka ku-1 ukuya ku-99 okanye igama loluhlu lwe-ACL, umzekelo, ACL_Networking. Lo myalelo ubeka ngokukhawuleza inkqubo kwimowudi ye-Rx esezantsi yomyalelo (config-std-nacl), apho kufuneka ungenise <khanye/yenza> <criteria>. Uhlobo lwangoku lwamaqela luneenzuzo ezininzi xa kuthelekiswa neklasikhi.
Kuluhlu lwakudala, ukuba uchwetheza-uluhlu lofikelelo 10 khanyela ______, ngoko chwetheza umyalelo olandelayo wohlobo olufanayo kwenye ikhrayitheriya, kwaye ugqibelisa nge-100 yemiyalelo enjalo, ngoku ukutshintsha nayiphi imiyalelo engenisiweyo, kuya kufuneka cima lonke uluhlu lofikelelo-luhlu 10 ngomyalelo akukho ukufikelela-uluhlu 10. Oku kuyakucima yonke imiyalelo 100 kuba akukho ndlela ukuhlela nawuphi umyalelo ngamnye kolu luhlu.
Kwisintaksi yanamhlanje, umyalelo wahlulahlulwe ube yimigca emibini, owokuqala unenombolo yoluhlu. Masithi ukuba unoluhlu lofikelelo-uluhlu umgangatho 10 khanyela ________, ukufikelela-uluhlu umgangatho 20 khanyela ________ njalo njalo, ke unethuba lokufaka uluhlu oluphakathi kunye nezinye iikhrayitheriya phakathi kwabo, umzekelo, ukufikelela-uluhlu umgangatho 15 khanyela ________ .
Kungenjalo, unokucima ngokulula uluhlu lofikelelo-ilayini ezingama-20 kwaye uzichwetheze kwakhona ngeeparamitha ezahlukeneyo phakathi komgangatho wofikelelo-uluhlu lwelayini ezingama-10 ngoko ke, kukho iindlela ezahlukeneyo zokuhlela i-syntax ye-ACL yangoku.
Kufuneka ulumke kakhulu xa usenza ACLs. Njengoko usazi, uluhlu lufundwa ukusuka phezulu ukuya ezantsi. Ukuba ubeka umgca phezulu ovumela i-traffic evela kumamkeli othile, ngoko ngezantsi ungabeka umgca othintela i-traffic kuwo wonke umsebenzi womnatha oyinxalenye yalo, kwaye zombini iimeko ziya kuhlolwa - i-traffic ukuya kumamkeli othile bavunyelwe ukudlula, kwaye itrafikhi kuzo zonke ezinye iinginginya zothungelwano ziya kuvalelwa. Ke ngoko, hlala ubeka amangeno athile phezulu kuluhlu kunye nalawo aqhelekileyo asezantsi.
Ke, emva kokuba udale i-ACL yakudala okanye yanamhlanje, kufuneka uyisebenzise. Ukwenza oku, kufuneka uye kwizicwangciso zojongano oluthile, umzekelo, f0/0 usebenzisa i-interface yomyalelo <uhlobo kunye ne-slot>, yiya kwi-interface ye-subcommand mode kwaye ungenise umyalelo we-ip access-group <inombolo ye-ACL/ igama> . Nceda uqaphele umahluko: xa uqulunqa uluhlu, uluhlu lokufikelela lusetyenziswa, kwaye xa ulisebenzisa, iqela lokufikelela lisetyenziswa. Kufuneka umisele ukuba loluphi ujongano olu luhlu luya kusetyenziswa kulo - ujongano olungenayo okanye ujongano oluphumayo. Ukuba uluhlu lunegama, umzekelo, Uthungelwano, igama elifanayo liyaphindwa kumyalelo wokusebenzisa uluhlu kolu jongano.
Ngoku makhe sithathe ingxaki ethile kwaye sizame ukuyisombulula sisebenzisa umzekelo womzobo wethu womnatha usebenzisa iPacket Tracer. Ngoko ke, sineenethiwekhi ezi-4: isebe lokuthengisa, i-accounting, ulawulo kunye neseva.
Inombolo yoMsebenzi 1: zonke iitrafikhi ezijoliswe kumasebe okuthengisa kunye nezezimali kwisebe lolawulo kunye negumbi leseva kufuneka livalwe. Indawo yokuthintela lujongano S0/1/0 we-router R2. Okokuqala kufuneka senze uluhlu oluqulathe amangeniso alandelayo:
Masibize uluhlu "Ulawulo kunye noKhuseleko lwe-Server ACL", efinyeziweyo njenge-ACL Secure_Ma_And_Se. Oku kulandelwa ngokuthintela i-traffic kwinethiwekhi yesebe lezemali 192.168.1.128/26, ukuvimbela i-traffic kwinethiwekhi yesebe lokuthengisa 192.168.1.0/25, kunye nokuvumela nayiphi na enye i-traffic. Ekupheleni koluhlu kubonisiwe ukuba isetyenziselwa ujongano oluphumayo S0/1/0 ye-router R2. Ukuba asinayo iMvume Naliphi na ingeniso ekupheleni koluhlu, ngoko zonke ezinye traffic ziya kuthintelwa ngenxa yokuba ACL engagqibekanga isoloko imiselwe Yala Nakuphi na ukungena ekupheleni koluhlu.
Ndingayisebenzisa le ACL kujongano lwe-G0/0? Ngokuqinisekileyo, ndiyakwazi, kodwa kule meko kuphela i-traffic esuka kwisebe le-accounting iya kuvalwa, kwaye i-traffic evela kwisebe lokuthengisa ayiyi kunqunyulwa nangayiphi na indlela. Ngendlela efanayo, ungasebenzisa i-ACL kwi-interface ye-G0/1, kodwa kule meko i-traffic yesebe lezemali ayiyi kuvinjelwa. Kakade ke, singenza uluhlu lwebhloko ezimbini ezahlukeneyo kwezi ujongano, kodwa kusebenza kakhulu ngakumbi ukudibanisa kuluhlu olunye kwaye sisebenzise ujongano imveliso umzila R2 okanye ujongano igalelo S0/1/0 umzila R1.
Nangona imithetho yeCisco ichaza ukuba i-ACL esemgangathweni kufuneka ibekwe kufutshane nendawo ekuyiwa kuyo ngokusemandleni, ndiya kuyibeka kufutshane nomthombo wetrafikhi kuba ndifuna ukuvala yonke i-traffic ephumayo, kwaye kunengqiqo ukwenza oku ngokusondeleyo umthombo ukuze le traffic ingachithi inethiwekhi phakathi kweendlela ezimbini.
Ndilibele ukuxelela malunga ne-criteria, ngoko masibuyele ngokukhawuleza. Ungakhankanya nayiphi na into njengenqobo - kulo mzekelo, nayiphi na itrafikhi evela kuso nasiphi na isixhobo kwaye nayiphi na inethiwekhi iya kwaliwa okanye ivunyelwe. Unokuphinda ucacise umkhosi kunye nesazisi sayo - kulo mzekelo, ukungena kuya kuba yidilesi ye-IP yesixhobo esithile. Ekugqibeleni, unokucacisa inethiwekhi yonke, umzekelo, 192.168.1.10/24. Kule meko, / 24 iya kuthetha ubukho be-subnet mask ye-255.255.255.0, kodwa akunakwenzeka ukucacisa idilesi ye-IP ye-subnet mask kwi-ACL. Kule meko, i-ACL inombono obizwa ngokuba yi-Wildcart Mask, okanye "i-mask ebuyisela umva". Ngoko ke kufuneka ucacise idilesi ye-IP kwaye ubuyisele imaski. Imaski ebuyela umva ijongeka ngolu hlobo: kufuneka uthabathe imaski ye-subnet ngokuthe ngqo kwi-subnet mask jikelele, oko kukuthi, inani elihambelana nexabiso le-octet kwimaski yangaphambili lithatyathwe kwi-255.
Ngoko ke, kufuneka usebenzise iparamitha 192.168.1.10 0.0.0.255 njengekhrayitheriya kwi-ACL.
Ingaba isebenza kanjani? Ukuba kukho i-0 kwi-octet yemaski yokubuyisela, umgaqo uthathwa njengokuhambelana ne-octet ehambelanayo yedilesi ye-IP ye-subnet. Ukuba kukho inani kwi-backmask octet, umdlalo awukhangelwa. Ngaloo ndlela, kwinethiwekhi ye-192.168.1.0 kunye ne-mask yokubuya ye-0.0.0.255, zonke i-traffic ukusuka kwiidilesi ezine-octet ezintathu zokuqala zilingana no-192.168.1., kungakhathaliseki ukuba ixabiso le-octet yesine, liya kuvalwa okanye livunyelwe ngokuxhomekeka isenzo esichaziweyo.
Ukusebenzisa imaski ebuyela umva kulula, kwaye siya kubuyela kwi-Wildcart Mask kwividiyo elandelayo ukuze ndikwazi ukuchaza indlela yokusebenza nayo.
28:50 imiz
Enkosi ngokuhlala nathi. Ngaba uyawathanda amanqaku ethu? Ngaba ufuna ukubona umxholo onomdla ngakumbi? Sixhase ngokufaka iodolo okanye ngokucebisa abahlobo, I-30% isaphulelo kubasebenzisi beHabr kwi-analogue ekhethekileyo yeeseva zomgangatho wokungena, eyenzelwe wena: (ifumaneka nge-RAID1 kunye ne-RAID10, ukuya kuthi ga kwi-24 cores kunye ne-40GB DDR4).
I-Dell R730xd 2 amaxesha aphantsi? Kuphela apha eNetherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - ukusuka $99! Funda malunga
umthombo: www.habr.com