Namuhla sizoqala ukufunda ngohlu lokulawula ukufinyelela kwe-ACL, lesi sihloko sizothatha izifundo zevidiyo ezi-2. Sizobheka ukumiswa kwe-ACL ejwayelekile, futhi esifundweni sevidiyo esilandelayo ngizokhuluma ngohlu olunwetshiwe.
Kulesi sifundo sizoxoxa ngezihloko ezi-3. Esokuqala siyini i-ACL, eyesibili isho ukuthi uyini umehluko phakathi kwezinga kanye nohlu lokufinyelela olwandisiwe, futhi ekupheleni kwesifundo, njengelebhu, sizobheka ukusetha i-ACL evamile nokuxazulula izinkinga ezingase zibe khona.
Ngakho yini i-ACL? Uma ufunde isifundo kusukela esifundweni sokuqala sevidiyo, uzokhumbula ukuthi sihlele kanjani ukuxhumana phakathi kwamadivaysi enethiwekhi ahlukahlukene.
Siphinde safunda umzila omile phezu kwezivumelwano ezahlukahlukene ukuze sithole amakhono okuhlela ukuxhumana phakathi kwamadivayisi namanethiwekhi. Manje sesifinyelele esigabeni sokufunda lapho kufanele sikhathazeke ngokuqinisekisa ukulawulwa kwethrafikhi, okungukuthi, ukuvimbela “abantu ababi” noma abasebenzisi abangagunyaziwe ukuthi bangangeni kunethiwekhi. Isibonelo, lokhu kungase kuthinte abantu abavela kumnyango wezokuthengisa we-SALES, ovezwe kulo mdwebo. Lapha futhi sibonisa umnyango wezezimali AMA-AKHAWUNTI, umnyango wezokuphatha MANAGEMENT kanye ne-server room SERVER ROOM.
Ngakho-ke, umnyango wezokuthengisa ungase ube nabasebenzi abayikhulu, futhi asifuni ukuthi noma yimuphi wabo akwazi ukufinyelela ekamelweni leseva phezu kwenethiwekhi. Kwenziwa okuhlukile kumphathi wezokuthengisa osebenza kukhompyutha ye-Laptop2 - angakwazi ukufinyelela egumbini leseva. Isisebenzi esisha esisebenza ku-Laptop3 akufanele sibe nokufinyelela okunjalo, okungukuthi, uma ithrafikhi evela kukhompyutha yakhe ifinyelela kumzila u-R2, kufanele iyekwe.
Iqhaza le-ACL ukuhlunga ithrafikhi ngokuya ngemingcele yokuhlunga eshiwo. Ihlanganisa ikheli le-IP eliwumthombo, ikheli le-IP okuyiwa kulo, iphrothokholi, inombolo yezimbobo namanye amapharamitha, ngenxa yalokho ongakwazi ukuhlonza ithrafikhi futhi wenze okuthile ngayo.
Ngakho-ke, i-ACL iwusendlalelo 3 wokuhlunga wemodeli ye-OSI. Lokhu kusho ukuthi le ndlela isetshenziswa kuma-routers. Umbandela oyinhloko wokuhlunga ukuhlonza ukusakaza kwedatha. Isibonelo, uma sifuna ukuvimba umfana onekhompyutha ye-Laptop3 ukuthi afinyelele iseva, okokuqala kufanele sikhombe ithrafikhi yakhe. Le thrafikhi ihamba ibheke ku-Laptop-Switch2-R2-R1-Switch1-Server1 ngokusebenzisa ukuxhumana okuhambisanayo kwamadivayisi enethiwekhi, kuyilapho ukuxhumana kwe-G0/0 kwamarutha akuhlanganise lutho nakho.
Ukuze sihlonze ithrafikhi, kufanele sikhombe indlela yazo. Ngemva kokwenza lokhu, singanquma ukuthi sidinga kuphi ngempela isihlungi. Ungakhathazeki ngezihlungi ngokwazo, sizoxoxa ngazo esifundweni esilandelayo, ngoba manje sidinga ukuqonda isimiso sokuthi isihlungi kufanele sisetshenziswe kuphi.
Uma ubheka i-router, ungabona ukuthi njalo lapho i-traffic ihamba, kune-interface lapho ukugeleza kwedatha kungena khona, kanye nesixhumi esibonakalayo lapho lokhu kugeleza kuphuma khona.
Empeleni kunezindawo ezi-3 zokusebenzelana: i-interface yokufaka, isixhumi esibonakalayo esikhiphayo kanye nesixhumi esibonakalayo serutha. Khumbula nje ukuthi ukuhlunga kungasetshenziswa kuphela kokufakwayo noma kokukhiphayo.
Umgomo wokusebenza kwe-ACL ufana nokudlula emcimbini ongahanjelwa kuphela yilabo abamenyiwe amagama abo asohlwini lwabantu abamenyiwe. I-ACL iwuhlu lwamapharamitha wokufaneleka asetshenziselwa ukukhomba ithrafikhi. Isibonelo, lolu hlu lubonisa ukuthi yonke ithrafikhi ivunyelwe kusuka ekhelini le-IP 192.168.1.10, futhi ithrafikhi evela kuwo wonke amanye amakheli inqatshiwe. Njengoba ngishilo, lolu hlu lungasetshenziswa kukho kokubili okokufaka nokukhiphayo.
Kunezinhlobo ezi-2 zama-ACL: ajwayelekile futhi anwetshiwe. I-ACL ejwayelekile inesikhombi esisuka ku-1 kuye ku-99 noma sisuka ku-1300 kuya ku-1999. Lawa amagama nje ohlu angenazo izinzuzo phezu kwelinye njengoba izinombolo zikhula. Ngaphezu kwenombolo, ungabela igama lakho ku-ACL. Ama-ACL anwetshiwe anezinombolo ezingu-100 kuya ku-199 noma 2000 kuya ku-2699 futhi angase abe negama.
Ku-ACL evamile, ukuhlukaniswa kusekelwe ekhelini le-IP eliwumthombo wethrafikhi. Ngakho-ke, uma usebenzisa uhlu olunjalo, awukwazi ukukhawulela ithrafikhi eqondiswe kunoma yimuphi umthombo, ungavimba kuphela ithrafikhi evela kudivayisi.
I-ACL enwetshiwe ihlukanisa ithrafikhi ngekheli le-IP eliwumthombo, ikheli le-IP okuyiwa kulo, iphrothokholi esetshenzisiwe, nenombolo yembobo. Isibonelo, ungavimba kuphela ithrafikhi ye-FTP, noma ithrafikhi ye-HTTP kuphela. Namuhla sizobheka i-ACL ejwayelekile, futhi sizonikela ngesifundo sevidiyo esilandelayo ohlwini olunwetshiwe.
Njengoba ngishilo, i-ACL iwuhlu lwemibandela. Ngemva kokufaka lolu hlu kusixhumi esibonakalayo esingenayo noma esiphumayo se-router, i-router ihlola ithrafikhi ngokumelene nalolu hlu, futhi uma ihlangabezana nemibandela ebekwe ohlwini, inquma ukuthi iyayivumela noma iyayiphika le thrafikhi. Abantu bavame ukukuthola kunzima ukunquma i-interfaces okokufaka nokuphumayo kwerutha, nakuba kungekho lutho oluyinkimbinkimbi lapha. Uma sikhuluma ngesixhumi esibonakalayo esingenayo, lokhu kusho ukuthi ithrafikhi engenayo kuphela izolawulwa kuleli chweba, futhi i-router ngeke isebenzise imingcele kuthrafikhi ephumayo. Ngokufanayo, uma sikhuluma nge-interface ye-egress, lokhu kusho ukuthi yonke imithetho izosebenza kuphela kuthrafikhi ephumayo, kuyilapho ithrafikhi engenayo kuleli chweba izokwamukelwa ngaphandle kwemingcele. Isibonelo, uma umzila unezimbobo ezingu-2: f0/0 kanye no-f0/1, i-ACL izosetshenziswa kuphela kuthrafikhi engena kusixhumi esibonakalayo sika-f0/0, noma kuphela kuthrafikhi evela kusixhumi esibonakalayo sika-f0/1. Isixhumi esibonakalayo esingena noma esiphumayo esithi f0/1 ngeke sithintwe uhlu.
Ngakho-ke, ungadidwa indlela engenayo noma ephumayo ye-interface, kuncike ekuqondeni kwethrafikhi ethile. Ngakho-ke, ngemva kokuba i-router ihlole ithrafikhi ukuze ifane nezimo ze-ACL, ingenza izinqumo ezimbili kuphela: vumela ithrafikhi noma inqabe. Isibonelo, ungavumela ithrafikhi emiselwe 180.160.1.30 futhi wenqabe ithrafikhi emiselwe 192.168.1.10. Uhlu ngalunye lungaqukatha izimo eziningi, kodwa ngayinye yale mibandela kufanele ivumele noma yenqabe.
Ake sithi sinohlu:
Vimbela _______
Vumela ________
Vumela ________
Vimbela _______.
Okokuqala, i-router izohlola ithrafikhi ukuze ibone ukuthi iyahambisana yini nesimo sokuqala; uma ingahambisani, izohlola isimo sesibili. Uma ithrafikhi ifana nesimo sesithathu, i-router izoyeka ukuhlola futhi ngeke iqhathanise nezinye izimo zohlu. Izokwenza isenzo "sokuvumela" futhi iqhubekele ekuhloleni ingxenye elandelayo yethrafikhi.
Uma kwenzeka ungabekanga umthetho wanoma yiliphi iphakethe futhi ithrafikhi idlula yonke imigqa yohlu ngaphandle kokushaya noma yimiphi imibandela, iyabhujiswa, ngoba uhlu ngalunye lwe-ACL ngokuzenzakalelayo luphetha ngokuphika noma yimuphi umyalo - okungukuthi, lahla. noma yiliphi iphakethe, elingawi ngaphansi kwanoma yimiphi imithetho. Lesi simo siqala ukusebenza uma okungenani kunomthetho owodwa ohlwini, ngaphandle kwalokho awunawo umphumela. Kodwa uma umugqa wokuqala uqukethe okufakiwe phika 192.168.1.30 futhi uhlu lungasaqukethe noma yiziphi izimo, khona-ke ekugcineni kufanele kube nemvume yomyalo noma iyiphi, okungukuthi, vumela noma iyiphi ithrafikhi ngaphandle kwaleyo enqatshelwe umthetho. Kumelwe ukucabangele lokhu ukuze ugweme amaphutha lapho ulungiselela i-ACL.
Ngifuna ukhumbule umthetho oyisisekelo wokudala uhlu lwe-ASL: beka i-ASL ejwayelekile eduze nendawo oya kuyo, okungukuthi, kumamukeli wethrafikhi, futhi ubeke i-ASL enwetshiwe eduze kakhulu nomthombo, okungukuthi, kumthumeli wethrafikhi. Lezi yizincomo ze-Cisco, kodwa ekusebenzeni kunezimo lapho kunengqondo khona ukubeka i-ACL ejwayelekile eduze komthombo wethrafikhi. Kodwa uma uhlangabezana nombuzo mayelana nemithetho yokubeka i-ACL phakathi nokuhlolwa, landela izincomo ze-Cisco futhi uphendule ngokungananazi: okujwayelekile kuseduze nendawo, okunwetshiwe kuseduze nomthombo.
Manje ake sibheke i-syntax ye-ACL ejwayelekile. Kunezinhlobo ezimbili ze-syntax yomyalo kumodi yokumisa i-router global: i-syntax yakudala kanye ne-syntax yesimanje.
Uhlobo lomyalo wakudala wuhlu lokufinyelela <inombolo ye-ACL> <phika/vumela> <imibandela>. Uma usetha <inombolo ye-ACL> isuka ku-1 kuye ku-99, idivayisi izoqonda ngokuzenzakalela ukuthi lena i-ACL ejwayelekile, futhi uma isuka ku-100 iye ku-199, izosho ukuthi inwetshiwe. Njengoba esifundweni sanamuhla sibheka uhlu olujwayelekile, singasebenzisa noma iyiphi inombolo ukusuka ku-1 kuye ku-99. Bese sikhomba isenzo okufanele sisetshenziswe uma amapharamitha afana nombandela olandelayo - vumela noma wenqabe ithrafikhi. Sizocabangela umbandela kamuva, njengoba usetshenziswa naku-syntax yesimanje.
Uhlobo lwesimanje lomyalo luphinde lusetshenziswe kumodi yokumisa yomhlaba wonke ye-Rx(config) futhi ibukeka kanjena: indinganiso yohlu lokufinyelela lwe-ip <inombolo ye-ACL/igama>. Lapha ungasebenzisa noma inombolo ukusuka ku-1 kuye ku-99 noma igama lohlu lwe-ACL, isibonelo, ACL_Networking. Lo myalo ubeka ngokushesha uhlelo kumodi ye-subcommand yemodi evamile ye-Rx (config-std-nacl), lapho kufanele ufake khona <deny/enable> <criteria>. Uhlobo lwesimanje lwamaqembu lunezinzuzo eziningi uma kuqhathaniswa nelakudala.
Ohlwini lwakudala, uma uthayipha ukufinyelela-uhlu 10 phika ______, bese uthayipha umyalo olandelayo wohlobo olufanayo kwenye umbandela, bese ugcina unemiyalo enjalo eyi-100, bese ushintsha noma yimiphi imiyalo efakiwe, uzodinga susa lonke uhlu lokufinyelela 10 ngomyalo othi akukho uhlu lokufinyelela 10. Lokhu kuzosusa yonke imiyalo eyi-100 ngoba ayikho indlela yokuhlela noma yimuphi umyalo owodwa kulolu hlu.
Ku-syntax yesimanje, umyalo uhlukaniswe waba imigqa emibili, owokuqala oqukethe inombolo yohlu. Ake sithi uma unohlu lokufinyelela-okujwayelekile 10 ukuphika ________, ukufinyelela-uhlu izinga 20 phika ________ nokunye, lapho ke unethuba lokufaka uhlu oluphakathi nezinye izindlela phakathi kwazo, isibonelo, uhlu lokufinyelela olujwayelekile 15 phika ________ .
Okunye, ungavele ususe imigqa engu-20 ejwayelekile yohlu lokufinyelela bese uyibhala kabusha ngamapharamitha ahlukene phakathi kwezinga elingu-10 lohlu lokufinyelela kanye nemigqa engu-30 yohlu lokufinyelela. Ngakho, kunezindlela ezihlukahlukene zokuhlela i-syntax yesimanje ye-ACL.
Udinga ukuqaphela kakhulu lapho udala ama-ACL. Njengoba wazi, izinhlu zifundwa ukusuka phezulu kuye phansi. Uma ubeka umugqa phezulu ovumela ithrafikhi evela kumsingathi othile, ngezansi ungabeka ulayini ovimbela ithrafikhi kuyo yonke inethiwekhi lo msingathi ayingxenye yayo, futhi zombili izimo zizohlolwa - ithrafikhi eya kumsingathi othile bavunyelwe, futhi ithrafikhi evela kubo bonke abanye abasingathi le nethiwekhi izovinjelwa. Ngakho-ke, hlala ubeka okufakiwe okuqondile phezulu ohlwini futhi okujwayelekile ngezansi.
Ngakho-ke, ngemva kokudala i-ACL yakudala noma yesimanje, kufanele uyisebenzise. Ukuze wenze lokhu, udinga ukuya kuzilungiselelo zesixhumi esibonakalayo esithile, isibonelo, i-f0/0 usebenzisa isixhumi esibonakalayo somyalo <uhlobo ne-slot>, iya kumodi ye-interface ye-subcommand bese ufaka umyalo we-ip access-group <inombolo ye-ACL/ igama> . Sicela uqaphele umehluko: lapho uhlanganisa uhlu, kusetshenziswa uhlu lokufinyelela, futhi uma ulusebenzisa, kusetshenziswa iqembu lokufinyelela. Kufanele unqume ukuthi isiphi isixhumi esibonakalayo lolu hlu oluzosetshenziswa kuso - isixhumi esibonakalayo esingenayo noma isixhumi esibonakalayo esiphumayo. Uma uhlu lunegama, isibonelo, Inethiwekhi, igama elifanayo liyaphindwa emyalweni wokusebenzisa uhlu kulesi sikhombimsebenzisi.
Manje ake sithathe inkinga ethile futhi sizame ukuyixazulula sisebenzisa isibonelo somdwebo wethu wenethiwekhi sisebenzisa i-Packet Tracer. Ngakho-ke, sinamanethiwekhi ama-4: umnyango wokuthengisa, umnyango we-accounting, abaphathi kanye negumbi leseva.
I-Task No. 1: yonke i-traffic eqondiswa kusukela eminyangweni yokuthengisa neyezezimali ukuya emnyangweni wabaphathi kanye negumbi leseva kufanele ivinjwe. Indawo yokuvinjwa iyisixhumi esibonakalayo S0/1/0 serutha R2. Okokuqala kufanele sakhe uhlu oluqukethe okufakiwe okulandelayo:
Masibize uhlu ngokuthi "Ukuphathwa Nokuphepha Kweseva", esifushanisiwe njenge-ACL Secure_Ma_And_Se. Lokhu kulandelwa ukuvimbela ithrafikhi evela kunethiwekhi yomnyango wezezimali 192.168.1.128/26, ukuvimbela ithrafikhi evela kunethiwekhi yomnyango wezokuthengisa 192.168.1.0/25, nokuvumela noma iyiphi enye ithrafikhi. Ekupheleni kohlu kuboniswa ukuthi isetshenziselwa isixhumi esibonakalayo esiphumayo S0/1/0 serutha R2. Uma singenayo Imvume Noma yikuphi ukufakwa ekupheleni kohlu, khona-ke yonke enye ithrafikhi izovinjelwa ngoba i-ACL ezenzakalelayo ihlezi isethwe ukuthi Yenqabe Noma yikuphi ukufakwa ekugcineni kohlu.
Ngingakwazi ukusebenzisa le ACL kusixhumi esibonakalayo se-G0/0? Yiqiniso, ngingakwazi, kodwa kulokhu kuphela ithrafikhi evela emnyangweni we-accounting izovinjelwa, futhi ithrafikhi evela emnyangweni wezokuthengisa ngeke ibe nomkhawulo nganoma iyiphi indlela. Ngendlela efanayo, ungasebenzisa i-ACL kusixhumi esibonakalayo se-G0/1, kodwa kulesi simo ithrafikhi yomnyango wezezimali ngeke ivinjwe. Yebo, singakha izinhlu ezimbili ezihlukene zamabhulokhi zalezi zindawo zokuxhumana, kodwa kusebenza kahle kakhulu ukukuhlanganisa ohlwini olulodwa futhi sikusebenzise kusixhumi esibonakalayo esikhiphayo serutha R2 noma isixhumi esibonakalayo sokufaka S0/1/0 serutha R1.
Nakuba imithetho ye-Cisco ithi i-ACL ejwayelekile kufanele ibekwe eduze nendawo okuyiwa kuyo ngangokunokwenzeka, ngizoyibeka eduze nomthombo wethrafikhi ngoba ngifuna ukuvimba yonke ithrafikhi ephumayo, futhi kunengqondo ukwenza lokhu eduze umthombo ukuze le thrafikhi ingamoshi inethiwekhi phakathi kwama-routers amabili.
Ngikhohliwe ukukutshela mayelana nemibandela, ngakho-ke masibuyele emuva ngokushesha. Ungacacisa noma iyiphi njengesimo sokunquma - kulokhu, noma iyiphi ithrafikhi evela kunoma iyiphi idivayisi nanoma iyiphi inethiwekhi izonqatshelwa noma ivunyelwe. Ungaphinda ucacise umsingathi ngesihlonzi saso - kulokhu, okufakiwe kuzoba yikheli le-IP ledivayisi ethile. Ekugcineni, ungacacisa yonke inethiwekhi, isibonelo, 192.168.1.10/24. Kulesi simo, /24 izosho ukuba khona kwe-subnet mask ye-255.255.255.0, kodwa akunakwenzeka ukucacisa ikheli le-IP le-subnet mask ku-ACL. Kulokhu, i-ACL inomqondo obizwa nge-Wildcart Mask, noma "imaski ehlehlayo". Ngakho-ke kufanele ucacise ikheli le-IP bese ubuyisela imaski. Imaski ehlanekezela ibukeka kanje: kufanele ukhiphe imaskhi eqondile ye-subnet kumaski ejwayelekile ye-subnet, okungukuthi, inombolo ehambisana nenani le-octet kumaski wangaphambili isuswa ku-255.
Ngakho-ke, kufanele usebenzise ipharamitha 192.168.1.10 0.0.0.255 njengombandela ku-ACL.
Isebenza kanjani? Uma kukhona u-0 ku-octet yemaski yokubuyisela, umbandela ubhekwa njengokufana ne-octet ehambisanayo yekheli le-subnet le-IP. Uma kukhona inombolo ku-backmask octet, okufanayo akuthikhiwe. Ngakho, kunethiwekhi ye-192.168.1.0 kanye ne-mask yokubuya engu-0.0.0.255, yonke i-traffic evela kumakheli ama-octet awo amathathu okuqala alingana no-192.168.1., kungakhathaliseki inani le-octet yesine, izovinjelwa noma ivunyelwe kuye ngokuthi isenzo esishiwo.
Ukusebenzisa imaski ebuyela emuva kulula, futhi sizobuyela ku-Wildcart Mask kuvidiyo elandelayo ukuze ngikwazi ukuchaza ukuthi kusetshenzwa kanjani ngayo.
28:50 imiz
Siyabonga ngokuhlala nathi. Uyazithanda izindatshana zethu? Ufuna ukubona okuqukethwe okuthakaselayo okwengeziwe? Sisekele ngokufaka i-oda noma ngokuncoma kubangani, Isaphulelo sika-30% sabasebenzisi be-Habr ku-analogue ehlukile yamaseva eleveli yokungena, esungulwe yithi ngenxa yakho: (itholakala nge-RAID1 kanye ne-RAID10, kufika kuma-cores angu-24 kuze kufike ku-40GB DDR4).
I-Dell R730xd ishibhile izikhathi ezi-2? Lapha kuphela eNetherlands! I-Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - isuka ku-$99! Funda mayelana
Source: www.habr.com