Access Lists

Pages: 51 (12555 words) Published: June 17, 2012
Access Lists Workbook
Version 1.5

Access-List Numbers

IP Standard                                   1 to 99
IP Extended                                 100 to 199
Ethernet Type Code                          200 to 299
Ethernet Address                            700 to 799
DECnet and Extended DECnet                  300 to 399
XNS                                         400 to 499
Extended XNS                                500 to 599
Appletalk                                   600 to 699
48-bit MAC Addresses                        700 to 799
IPX Standard                                800 to 899
IPX Extended                                900 to 999
IPX SAP (service advertisement protocol)   1000 to 1099
IPX SAP SPX                                1000 to 1099
Extended 48-bit MAC Addresses              1100 to 1199
IPX NLSP                                   1200 to 1299
IP Standard, expanded range                1300 to 1999
IP Extended, expanded range                2000 to 2699
SS7 (voice)                                2700 to 2999
Standard Vines                                1 to 100
Extended Vines                              101 to 200
Simple Vines                                201 to 300
Transparent bridging (protocol type)        200 to 299
Transparent bridging (vendor type)          700 to 799
Extended Transparent bridging              1100 to 1199
Source-route bridging (protocol type)       200 to 299
Source-route bridging (vendor type)         700 to 799

Produced by: Robb Jones
jonesr@careertech.net and/or Robert.Jones@fcps.org
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA
Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling
for taking the time to check this workbook for errors, and making suggestions for improvements.

What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.

General Access Lists Information
Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists
(Outbound Port - Default)
The router checks to see if the packet is routable. If it is, it looks up
the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface to its
destination.
If there is an ACL, the router checks the packet against the access list
statements sequentially, then permits or denies each packet as it is
matched.
If the packet does not match any statement written in the ACL, it is
denied because there is an implicit “deny any” statement at the end of
every ACL.

Standard Access Lists
Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information, so they must be placed as close
to the destination as possible.
...work at layer 3 of the OSI model.
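
The sequential, first-match evaluation and the implicit "deny any" described above can be checked with a small evaluator for standard (source-only) ACLs. This is an added example, not part of the workbook; the ACL text and addresses are constructed sample data, and the shadowed() helper is a hypothetical audit check that goes one step beyond the text by flagging statements that can never be reached.

```python
import ipaddress

# Constructed sample ACL (addresses are illustrative, not from the workbook).
SAMPLE_ACL = """\
access-list 10 deny 192.168.10.25 0.0.0.0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 10 permit 172.16.0.0 0.0.255.255
"""
MASK32 = 0xFFFFFFFF

def parse_standard_acl(text):
    """Parse 'access-list <n> permit|deny <source> [wildcard]' lines, keeping order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        number = int(tok[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not an IP standard ACL number")
        if tok[3] == "any":                  # 'any' is 0.0.0.0 255.255.255.255
            addr, wild = 0, MASK32
        else:                                # omitted wildcard means an exact host
            addr = int(ipaddress.IPv4Address(tok[3]))
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((tok[2], addr, wild))
    return entries

def evaluate(entries, source):
    """Return (action, 1-based statement number); number 0 is the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for i, (action, addr, wild) in enumerate(entries, start=1):
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if ((src ^ addr) & ~wild & MASK32) == 0:
            return action, i                 # first match wins, comparing stops
    return "deny", 0                         # no statement matched

def shadowed(entries):
    """Statement numbers fully covered by an earlier statement (never reached)."""
    dead = []
    for j, (_, addr_j, wild_j) in enumerate(entries):
        for _, addr_i, wild_i in entries[:j]:
            if (wild_j & ~wild_i & MASK32) == 0 and \
               ((addr_i ^ addr_j) & ~wild_i & MASK32) == 0:
                dead.append(j + 1)
                break
    return dead
```

In the sample, statement 4 sits after an explicit "deny any" and is reported as unreachable, which is the ordering mistake the first-match rule makes easy to overlook.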

Why standard ACLs are placed close to the
destination.
If you want to block traffic from Juan’s computer from reaching
Janet’s computer with a standard access list, you would place the
ACL close to the destination on Router D, interface E0. Since
it's using only the source address to permit or deny packets, the
ACL here will not affect packets reaching Routers B or C.

[Figure: network diagram of Routers A, B, C and D with their S0, S1 and E0 interfaces, and Janet’s, Matt’s, Juan’s and Jimmy’s computers]

If you place the ACL on Router A to block traffic to Router D,
it will also block all packets going to Routers B and C,
because all the packets will have the same source address.

Standard Access List Placement
Sample Problems
[Figure: Router A with interfaces FA0 and FA1, Jan’s computer and Juan’s computer]

In order to permit packets from Juan’s computer to arrive at
Jan’s...