An ACL (Access Control List) is a mechanism used to control or restrict traffic on a network. ACLs can be configured on routers, switches, firewalls, or other devices to control communication between sources and destinations on the network.
A Standard Access List (standard ACL) is one type of ACL; it permits or denies traffic based on the source IP address only. That is also its main limitation: the decision cannot take the destination IP address, the protocol, or port numbers into account. With a standard ACL, you control communication by source address alone.
The following shows the process for creating a standard ACL on a router:
Creating a standard ACL
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
This creates ACL 1 with a single entry that permits traffic whose source address lies in 192.168.1.0 - 192.168.1.255. The second value, 0.0.0.255, is a wildcard mask, not a subnet mask: 0 bits must match the address given, 1 bits are ignored. Every ACL ends with an implicit "deny any", so once this ACL is applied, traffic from any other source is dropped.
Applying the standard ACL to an interface:
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 1 in
This applies ACL 1 to interface GigabitEthernet0/0 in the in (inbound) direction, which means the ACL filters traffic entering the router on that interface.
With a standard ACL, you can permit or deny communication based on the source IP address only. For that reason, standard ACLs are normally used for simple requirements or limited traffic control. Because the match is on the source alone, a standard ACL is usually applied as close to the destination as possible: applied near the source, it would also cut that source off from destinations you did not intend to block.
Now let's deny an entire network access to another network. In the topology used here, we block network 10.0.0.0/24 from reaching network 172.16.1.0/28.
Following this topology, we block the network on Floor I from accessing network 172.16.1.0/28, the IT-Office. The configuration is as follows:
# Configuration on Router-2
hostname Rtr001
!
!
ip dhcp pool Lantai_III
network 30.0.0.0 255.255.255.0
default-router 30.0.0.1
dns-server 172.16.1.2
ip dhcp pool lantai_IV
network 40.0.0.0 255.255.255.0
default-router 40.0.0.1
dns-server 172.16.1.2
!
no ip cef
no ipv6 cef
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
ip address 30.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 40.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface Ethernet0/0/0
ip address 172.16.1.1 255.255.255.240
ip access-group TEST-II out
duplex auto
speed auto
!
interface Ethernet0/1/0
no ip address
duplex auto
speed auto
!
interface Serial0/3/0
ip address 50.0.0.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 20.0.0.0 255.255.255.0 50.0.0.2
ip route 10.0.0.0 255.255.255.0 50.0.0.2
!
ip flow-export version 9
!
!
ip access-list standard TEST-II
deny 10.0.0.0 0.0.0.255
permit any
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
=======================
# Configuration on Router-1
=======================
hostname Rtr002
!
!
ip dhcp pool Lantai_II
network 20.0.0.0 255.255.255.0
default-router 20.0.0.1
dns-server 172.16.1.2
ip dhcp pool Lantai_I
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 172.16.1.2
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
ip address 20.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface Ethernet0/0/0
no ip address
duplex auto
speed auto
shutdown
!
interface Ethernet0/1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 50.0.0.2 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 30.0.0.0 255.255.255.0 50.0.0.1
ip route 40.0.0.0 255.255.255.0 50.0.0.1
ip route 172.16.1.0 255.255.255.240 50.0.0.1
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
end
========================
# Test: ping from any host on network 10.0.0.0/24 to a host on network 172.16.1.0/28; this ping should fail, because Rtr001 drops the packet at Ethernet0/0/0
ex: ping 172.16.1.2
# Try opening a web browser to the same server, ex ;
# Then ping again from network 10.0.0.0/24 ====>>>> 30.0.0.0/24 (Floor III)
Ex.
# Try browsing to the server on Floor III
ex:
You can also test pings from the other networks; they should all get a Reply, because here we only block network 10.0.0.0/24 toward network 172.16.1.0/28, that is, Floor I has no permission to access the IT-Office. To confirm that the failed ping was dropped by the ACL rather than by a routing problem, run show access-lists TEST-II on Rtr001: the match counter on the deny 10.0.0.0 0.0.0.255 entry increases with each dropped packet.
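The following Python script is an added example and is not code from the original post or from Cisco IOS. It simulates the matching rules of a standard ACL described in the first section (source address only, wildcard masks, first match wins, implicit deny any at the end) and replays the tests above against the TEST-II ACL that Rtr001 applies outbound on Ethernet0/0/0, together with the numbered ACL 1 from the first section. The config text is a constructed excerpt copied from the configurations above, the egress table is transcribed from Rtr001's interface addresses and static routes, and the host addresses 10.0.0.10, 20.0.0.10, 30.0.0.10 and 40.0.0.7 are made up for the test.

```python
"""Simulate a Cisco IOS standard ACL: source-only matching with wildcard
masks, first match wins, implicit 'deny any' at the end.
Added example, not code from the original post or from Cisco IOS.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: int   # source network as a 32-bit integer
    wildcard: int  # wildcard mask: 0 bits must match, 1 bits are ignored


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config: str, name: str) -> list[Entry]:
    """Extract the entries of standard ACL `name` from running-config text.

    Accepts both IOS forms used in the post: the numbered form
    'access-list 1 permit 192.168.1.0 0.0.0.255' and the named form
    'ip access-list standard TEST-II' followed by indented entries.
    'host A.B.C.D' and a bare address both mean wildcard 0.0.0.0.
    """
    entries: list[Entry] = []
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list standard "):
            in_block = line.split()[-1] == name
            continue
        if not line or line.startswith("!"):  # '!' closes a config stanza
            in_block = False
            continue
        if line.startswith(f"access-list {name} "):
            tokens = line.split()[2:]
        elif in_block:
            tokens = line.split()
        else:
            continue
        action, *args = tokens
        if action not in ("permit", "deny"):
            continue  # e.g. 'remark' lines carry no match rule
        if args == ["any"]:
            entries.append(Entry(action, 0, 0xFFFFFFFF))
        elif args[0] == "host":
            entries.append(Entry(action, _to_int(args[1]), 0))
        else:
            wildcard = _to_int(args[1]) if len(args) > 1 else 0
            entries.append(Entry(action, _to_int(args[0]), wildcard))
    return entries


def evaluate(acl: list[Entry], src: str) -> str:
    """Return 'permit' or 'deny' for a packet whose source address is `src`."""
    s = _to_int(src)
    for e in acl:
        keep = 0xFFFFFFFF ^ e.wildcard  # the bits a standard ACL compares
        if (s & keep) == (e.network & keep):
            return e.action  # first matching entry decides
    return "deny"  # every IOS ACL ends with an implicit 'deny any'


# Constructed config excerpt: TEST-II and its interface binding are copied
# from Rtr001 above; ACL 1 is the numbered example from the first section.
CONFIG = """
interface Ethernet0/0/0
 ip address 172.16.1.1 255.255.255.240
 ip access-group TEST-II out
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip access-list standard TEST-II
 deny 10.0.0.0 0.0.0.255
 permit any
!
"""

# Rtr001's egress interface per destination network (from its 'ip address'
# and 'ip route' lines) and the outbound ACL bound to that interface, if any.
RTR001_EGRESS = {
    "30.0.0.0/24": ("FastEthernet0/0", None),
    "40.0.0.0/24": ("FastEthernet0/1", None),
    "172.16.1.0/28": ("Ethernet0/0/0", "TEST-II"),
    "10.0.0.0/24": ("Serial0/3/0", None),
    "20.0.0.0/24": ("Serial0/3/0", None),
}


def rtr001_forwards(src: str, dst: str, config: str = CONFIG) -> bool:
    """True if Rtr001 forwards src->dst; False if unrouted or dropped by the outbound ACL."""
    d = ipaddress.IPv4Address(dst)
    for net, (_iface, acl_name) in RTR001_EGRESS.items():
        if d in ipaddress.IPv4Network(net):
            if acl_name is None:
                return True  # no ACL on that interface, traffic passes
            return evaluate(parse_standard_acl(config, acl_name), src) == "permit"
    return False  # no route to the destination


if __name__ == "__main__":
    # Constructed hosts inside the post's networks.
    for s, d in [("10.0.0.10", "172.16.1.2"),   # Floor I -> IT-Office: dropped
                 ("10.0.0.10", "30.0.0.10"),    # Floor I -> Floor III: passes
                 ("20.0.0.10", "172.16.1.2")]:  # Floor II -> IT-Office: passes
        print(f"{s} -> {d}: {'forwarded' if rtr001_forwards(s, d) else 'dropped'}")
```

The ACL is only consulted when the egress interface is Ethernet0/0/0, which is why Floor I still reaches Floor III while being cut off from the IT-Office; the same script shows that ACL 1 from the first section drops every source outside 192.168.1.0/24 through the implicit deny.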