
CCNA

ACCESS-LIST
Agenda
CISCO PACKET TRACER v 7.2.1.0404
ACL
access-list
Where it all started...
OSI MODEL

7 - APPLICATION

6 - PRESENTATION

5 - SESSION

4 - TRANSPORT

3 - NETWORK

2 - DATA LINK

1 - PHYSICAL
Layer 2...
802.3 FRAME

Field:  PREAMBLE | SOF (start-of-frame delimiter) | DESTINATION MAC | SOURCE MAC | TYPE | DATA...   | FCS
Size:   7 bytes  | 1                               | 6               | 6          | 2    | 46 - 1500 | 4

802.3 FRAME WITH 802.1Q TAG

Field:  PREAMBLE | SOF | DESTINATION MAC | SOURCE MAC | VLAN TAG | TYPE | DATA...   | FCS
Size:   7 bytes  | 1   | 6               | 6          | 4        | 2    | 46 - 1500 | 4

(In the frame the destination MAC comes before the source MAC; the tag is inserted between the source MAC and the Type field.)

802.1Q TAG (4 bytes)

Field:  TPID    | PRI    | CFI   | VID
Size:   2 bytes | 3 bits | 1 bit | 12 bits

Tag Protocol Identifier (TPID): fixed value 0x8100, sitting where the Type field would otherwise be, which is how the receiver knows a tag follows
Priority identifier (PRI): 802.1p class of service
Canonical Format Indicator (CFI): 1 bit; in current 802.1Q the same bit is the Drop Eligible Indicator (DEI)
VLAN identifier (VID): 12 bits, values 0-4095
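To make the field layout above concrete, here is an added example (not code from the original slides) that builds and parses an Ethernet header with an optional 802.1Q tag. Preamble, SOF and FCS are handled by the NIC and are not present in the bytes a host program sees, so the parser starts at the destination MAC. The MAC addresses and payloads are constructed for the example.

```python
"""Build and parse Ethernet headers with an optional 802.1Q tag.

Added example, not from the original slides. Field widths follow the tables
above: dst MAC 6 bytes, src MAC 6 bytes, optional 4-byte tag (TPID 2 bytes,
then 3-bit PRI / 1-bit CFI-DEI / 12-bit VID), then the 2-byte Type field.
"""
import struct

TPID_8021Q = 0x8100   # value found in the Type position when an 802.1Q tag follows


def parse_ethernet(frame: bytes) -> dict:
    """Return the header fields of a frame (without preamble/SOF/FCS)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    hdr = {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "vlan": None,        # stays None unless a TPID is seen
        "priority": None,
        "dei": None,
    }
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        # Tag Control Information: 3-bit PRI, 1-bit CFI/DEI, 12-bit VID, then the real Type
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        hdr["priority"] = tci >> 13
        hdr["dei"] = (tci >> 12) & 0x1
        hdr["vlan"] = tci & 0x0FFF
        offset = 18
    hdr["ethertype"] = ethertype
    hdr["payload_len"] = len(frame) - offset
    return hdr


def build_frame(dst, src, ethertype, payload, vlan=None, priority=0, dei=0):
    """Build a frame (without preamble/SOF/FCS); tagged if vlan is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (priority << 13) | (dei << 12) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (made-up MACs): an untagged ARP frame and an IPv4 frame tagged VLAN 10
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 46)
TAGGED = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800, b"\x00" * 46,
                     vlan=10, priority=5)

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED):
        print(parse_ethernet(f))
```

The parser handles a single tag; if the bytes after a tag carry another 0x8100 (a double-tagged frame) the second TPID simply shows up as the ethertype, which is something to check for when you inspect tagged traffic on a trunk.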
Layer 3...

IPv4 header: https://tools.ietf.org/html/rfc791
Layer 4...
OSI x TCP/IP...
OSI MODEL         | TCP/IP MODEL

7 - APPLICATION   |
6 - PRESENTATION  | APPLICATION
5 - SESSION       |

4 - TRANSPORT     | TRANSPORT

3 - NETWORK       | INTERNET

2 - DATA LINK     | NETWORK ACCESS
1 - PHYSICAL      |
End-to-end communication...

Request (client to server)                    Reply (server to client)
LAYER 4: SOURCE PORT | DESTINATION PORT       LAYER 4: SOURCE PORT (was the destination) | DESTINATION PORT (was the source)
LAYER 3: SOURCE IP   | DESTINATION IP         LAYER 3: SOURCE IP (was the destination)   | DESTINATION IP (was the source)

The reply carries the same four values with source and destination swapped. These are the fields an ACL can test: a standard ACL looks only at the layer 3 source IP, an extended ACL can also test the destination IP and, for TCP/UDP, the layer 4 ports.

ACL
How an ACL works...

packet arrives
  |
RULE 1 matches? --YES--> apply RULE 1's action (permit or deny), stop
  | NO
RULE 2 matches? --YES--> apply RULE 2's action, stop
  | NO
  ...
LAST RULE matches? --YES--> apply its action, stop
  | NO
DROP (implicit deny)
How an ACL works...

ACL
  Numbered
    Standard
    Extended
  Named
    Standard
    Extended

Each one in its place...
REAL ROUTER
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list

Router(config)#

PACKET TRACER
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
Router(config)#access-list

Packet Tracer only implements the two IP ranges (standard 1-99, extended 100-199); a real router also offers the legacy protocol ranges shown on the left, including the MAC address lists (700-799 and 1100-1199) described next.
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):
•Source MAC address with mask.
•Destination MAC address with mask.
•VLAN ID (or range of IDs).
•Class of Service (CoS) (802.1p) .

Standard: permit or deny packets based on source IP


Extended: filter packets based on multiple criteria like
source and destination IP, source and destination ports,
and more.
Basic rules...
1. Packets are compared against each line of the list in sequential order (top-down);
2. Packets are compared against the lines ONLY UNTIL one matches. No further comparison is made after that: the first matching line decides;
3. EVERY list has an IMPLICIT DENY at the end;
4. If no line matches, the packet is discarded (item 3).
Because of rules 1 and 2, order matters: a broad line such as permit any placed near the top shadows every more specific line after it, which then never matches anything.
Let's get practical...
Configs...
ROUTER
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ROUTER_1

ROUTER_1(config)#enable secret cisco

ROUTER_1(config)#enable password login
ROUTER_1(config)#

ROUTER_1(config)#int gi0/0
ROUTER_1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER_1(config-if)#no shut
ROUTER_1(config-if)#

ROUTER_1(config)#line vty 0 15
ROUTER_1(config-line)#login
ROUTER_1(config-line)#password cisco
ROUTER_1(config-line)#

SWITCH
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#
Switch(config-vlan)#int range f0/1-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#

Note: these are lab credentials. With both enable secret and enable password configured, IOS uses the secret (stored hashed); enable password is stored reversibly and adds nothing here. The VTY password is sent in clear text by Telnet, which is why the ACL in the next slides is applied to the VTY lines in the first place.
<1-99> IP standard access list
ROUTER_1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list

ROUTER_1(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment

ROUTER_1(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address

ROUTER_1(config)#access-list 10 permit host ?
A.B.C.D Host address

ROUTER_1(config)#access-list 10 permit host 192.168.10.10

ON WHICH INTERFACE SHOULD IT BE APPLIED??
On none: this ACL restricts Telnet to the router itself, so it is applied to the VTY lines with access-class, not to an interface with ip access-group. An interface ACL would not filter sessions arriving through other interfaces.

ROUTER_1(config)#line vty 0 15
ROUTER_1(config-line)#access-class ?
<1-199> IP access list
WORD Access-list name

ROUTER_1(config-line)#access-class 10 ?
in Filter incoming connections
out Filter outgoing connections

ROUTER_1(config-line)#access-class 10 in

Test TELNET access from the three computers...
<1-99> IP standard access list
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#access-list 10 permit host 192.168.10.20
ROUTER_1(config)#

ROUTER_1#show run
… <lines omitted>
ip flow-export version 9
!
access-list 10 permit host 192.168.10.10
access-list 10 permit host 192.168.10.20
!

ROUTER_1(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
ROUTER_1(config)#access-list 10 permit any ?
<cr>
ROUTER_1(config)#access-list 10 permit any
ROUTER_1(config)#

ROUTER_1#show access-lists
Standard IP access list 10
10 permit host 192.168.10.10 (6 match(es))
20 permit host 192.168.10.20
30 permit any (2 match(es))
ROUTER_1#

The 2 matches on line 30 are the third computer: with permit any appended, every source is now allowed and the list no longer restricts anything.

ROUTER_1#show access-lists 10 | ?
begin Begins unfiltered output of the show command with the first line that contains the regular expression.
exclude Displays output lines that do not contain the regular expression.
include Displays output lines that contain the regular expression.

ROUTER_1#show access-lists 10 | include mat
permit host 192.168.10.10 (6 match(es))
permit any (2 match(es))
ROUTER_1#
<1-99> IP standard access list
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10
ROUTER_1(config)#
ROUTER_1(config)#access-list 10 permit any
ROUTER_1(config)#access-list 10 permit host 192.168.10.10
ROUTER_1(config)#access-list 10 permit host 192.168.10.20
ROUTER_1(config)#access-list 10 permit host 192.168.10.30
ROUTER_1(config)#

Test TELNET access from the three computers...

ROUTER_1#show access-lists
Standard IP access list 10
10 permit any (4 match(es))
20 permit host 192.168.10.10
30 permit host 192.168.10.20
40 permit host 192.168.10.30
ROUTER_1#

Only line 10 ever counts matches: permit any is evaluated first and matches every source, so lines 20-40 are dead entries. Put the most specific lines first and the broad ones last. Note also that no access-list 10 deletes the whole list while access-class 10 in stays on the VTY lines; an applied ACL that does not exist filters nothing, so rebuild the list in one go.
<1-99> IP standard access list
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10

ROUTER_1(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address

ROUTER_1(config)#access-list 10 permit 192.168.10.0 ?
A.B.C.D Wildcard bits
<cr>
ROUTER_1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
ROUTER_1(config)#

Test TELNET access from the three computers...

ROUTER_1#show access-lists
Standard IP access list 10
10 permit 192.168.10.0 0.0.0.255 (4 match(es))
ROUTER_1#
DID IT MATCH?? 192.168.10.0 0.0.0.255

A WILDCARD IS NOT THE COMPLEMENT OF THE SUBNET MASK

For a contiguous network mask the wildcard does come out as the mask's bitwise inverse (255.255.255.0 gives 0.0.0.255), but a wildcard is read bit by bit and does not have to be contiguous, as challenges 1 and 2 below show.

DID IT MATCH?? 192.168.10.0 0.0.0.255

11000000.10101000.00001010.00000000 = 192.168.10.0

00000000.00000000.00000000.11111111 = 0.0.0.255 (wildcard)

WILDCARD BIT 0 = this bit of the address must match

WILDCARD BIT 1 = don't care
DID IT MATCH??
access-list 10 permit 192.168.10.0 0.0.0.255
RULE
11000000.10101000.00001010.00000000 = 192.168.10.0
00000000.00000000.00000000.11111111 = 0.0.0.255

APPLYING THE RULE
11000000.10101000.00001010.00000000 = 192.168.10.0
11000000.10101000.00001010.00001010 = 192.168.10.10
!!!!!!!!.!!!!!!!!.!!!!!!!!.######## = 192.168.10.XX
! = EXACT MATCH REQUIRED ON ALL THESE BITS    # = DON'T CARE
CHALLENGE 1
Change ACL 10 to allow TELNET only from IP addresses whose last octet is "even"
11000000.10101000.00001010.00000000 = 192.168.10.0
WILDCARD
00000000.00000000.00000000.11111110 = 0.0.0.254
(bits 1-7 of the last octet are don't-care; bit 0 must match the 0 in 192.168.10.0, which is what makes the address even)
CHALLENGE 1
ROUTER_1#
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10
ROUTER_1(config)#access-list 10 permit 192.168.10.0 0.0.0.254
ROUTER_1(config)#
CHALLENGE 2
Change ACL 10 to allow TELNET only from IP addresses whose last octet is "odd"
11000000.10101000.00001010.00000001 = 192.168.10.1
WILDCARD
00000000.00000000.00000000.11111110 = 0.0.0.254
(same wildcard; the base address now has bit 0 set, so only odd addresses match)
CHALLENGE 2
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10

ROUTER_1(config)#access-list 10 permit 192.168.10.1 0.0.0.254

ROUTER_1(config)#
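The following added example (my code, not from the original slides) models a standard IP ACL the way the basic rules and the wildcard slides describe it: lines are tested top-down, the first match decides, an unmatched packet hits the implicit deny, and a wildcard is applied bit by bit (0 = must match, 1 = don't care). It reproduces ACL 10 in each of the forms built above, including the shadowed "permit any first" version and the even/odd challenges; the host list is constructed for the test, and the match counters mimic the "(N match(es))" column of show access-lists.

```python
"""Model of Cisco standard IP ACL evaluation with wildcard masks.

Added example, not from the original slides. ACL entries are
(action, base address, wildcard) triples, as in 'access-list 10 permit A W'.
"""
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]   # (action, address, wildcard)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal base; bit 1: don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0        # differing bits are only allowed where w has a 1


def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching line); (deny, None) is the implicit deny."""
    for i, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src, base, wildcard):
            return action, i        # first match wins; later lines are not consulted
    return "deny", None             # implicit deny at the end of every list


def entry(action: str, spec: str) -> Entry:
    """Translate IOS shorthand ('host A', 'any', 'A W', 'A') into an Entry."""
    parts = spec.split()
    if parts[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return action, parts[1], "0.0.0.0"
    base, wildcard = (parts + ["0.0.0.0"])[:2]   # a bare address means wildcard 0.0.0.0
    return action, base, wildcard


def hit_counts(acl: List[Entry], sources: List[str]) -> List[int]:
    """Per-line counters, like the '(N match(es))' column of show access-lists."""
    counts = [0] * len(acl)
    for s in sources:
        _, idx = evaluate(acl, s)
        if idx is not None:
            counts[idx] += 1
    return counts


# The versions of ACL 10 built in the slides
ACL_HOSTS = [entry("permit", "host 192.168.10.10"),     # access-list 10 permit host 192.168.10.10
             entry("permit", "host 192.168.10.20")]     # access-list 10 permit host 192.168.10.20
ACL_ANY_FIRST = [entry("permit", "any"),                # permit any placed first shadows the rest
                 entry("permit", "host 192.168.10.10"),
                 entry("permit", "host 192.168.10.20"),
                 entry("permit", "host 192.168.10.30")]
ACL_SUBNET = [entry("permit", "192.168.10.0 0.0.0.255")]
ACL_EVEN = [entry("permit", "192.168.10.0 0.0.0.254")]  # challenge 1: even last octet
ACL_ODD = [entry("permit", "192.168.10.1 0.0.0.254")]   # challenge 2: odd last octet

if __name__ == "__main__":
    # Constructed sources: the three lab PCs plus a host from another subnet
    hosts = ["192.168.10.10", "192.168.10.20", "192.168.10.30", "192.168.11.5"]
    for name, acl in [("hosts", ACL_HOSTS), ("any first", ACL_ANY_FIRST),
                      ("subnet", ACL_SUBNET), ("even", ACL_EVEN), ("odd", ACL_ODD)]:
        print(f"{name:10}", [evaluate(acl, h)[0] for h in hosts], hit_counts(acl, hosts))
```

Running it shows the "any first" list counting every hit on line 0 and nothing on the host lines, which is exactly what the show access-lists output above reported; the even and odd lists each accept only half of the 192.168.10.0/24 addresses because the wildcard leaves just bit 0 of the last octet significant.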
<100-199> IP extended access list

ROUTER_1
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#int gi0/1
ROUTER_1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER_1(config-if)#no shut
ROUTER_1(config-if)#
ROUTER_1(config-if)#router rip
ROUTER_1(config-router)#network 192.168.10.0
ROUTER_1(config-router)#network 192.168.20.0
ROUTER_1(config-router)#version 2
ROUTER_1(config-router)#

ROUTER_2
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ROUTER_2
ROUTER_2(config)#int gi0/0
ROUTER_2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER_2(config-if)#no shut
ROUTER_2(config-if)#int gi0/1
ROUTER_2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER_2(config-if)#no shut
ROUTER_2(config-if)#router rip
ROUTER_2(config-router)#network 192.168.20.0
ROUTER_2(config-router)#network 192.168.30.0
ROUTER_2(config-router)#version 2
<100-199> IP extended access list
Telnet test from a PC in 192.168.10.0/24, before any extended ACL exists:
C:\>telnet 192.168.20.2
Trying 192.168.20.2 ...Open

[Connection to 192.168.20.2 closed by foreign host]

The TCP connection opens (routing via RIP works), but ROUTER_2 closes it immediately because its VTY lines have no password yet; the next slide fixes that.

EXTENDED ACL
C:\>
C:\>

Adjustments to the ROUTER_2 config

ROUTER_2#
ROUTER_2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_2(config)#enable secret cisco
ROUTER_2(config)#enable password login
ROUTER_2(config)#line vty 0 15
ROUTER_2(config-line)#password login
ROUTER_2(config-line)#login

An extended ACL can match on:
SPECIFIC SOURCE
SPECIFIC DESTINATION
SPECIFIC PORT

Let's build an ACL that allows TELNET to ROUTER_2's IP 192.168.20.2 ONLY from host 192.168.10.10 and DENIES the other hosts to that IP (leaving all other traffic free).
<100-199> IP extended access list
ROUTER_1(config)#access-list 110 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment

ROUTER_1(config)#access-list 110 permit ?


ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol

ROUTER_1(config)#access-list 110 permit tcp ?


A.B.C.D Source address
any Any source host
host A single source host

ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 ?


A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
<100-199> IP extended access list
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers

ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq ?


<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23
ROUTER_1(config)#
<100-199> IP extended access list

access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23

access-list 110      EXTENDED ACCESS LIST (100-199)
permit               ACTION (PERMIT or DENY)
tcp                  PROTOCOL (TCP / UDP / IP / etc.)
host 192.168.10.10   SOURCE (host, or network with WILDCARD)
host 192.168.20.2    DESTINATION (host, or network with WILDCARD)
eq                   LOGICAL OPERATOR: eq EQUAL, gt GREATER, lt LESS (also neq, range)
23                   PORT (telnet)
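The slides end with the first line of ACL 110, but on its own that line does not meet the stated objective: the implicit deny would also block every other host and every other protocol. The following added example (my code, not from the original slides) models an extended ACL applied to transit packets and completes the list with the two lines the objective needs, a deny for everyone else's Telnet to 192.168.20.2 and a closing permit ip any any; those two lines and the sample packets are my assumptions, labelled as such in the comments.

```python
"""Model of an extended IP ACL evaluated against transit packets.

Added example, not from the original slides. An Ace mirrors one
'access-list 110 <action> <proto> <src> <src wc> <dst> <dst wc> [op port]' line.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for protocols without ports


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source, destination, optional port test."""
    action: str
    proto: str                   # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_op: Optional[str] = None        # eq / neq / gt / lt / range
    ports: Tuple[int, ...] = ()


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal base; bit 1: don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0


PORT_OPS = {
    "eq": lambda p, args: p == args[0],
    "neq": lambda p, args: p != args[0],
    "gt": lambda p, args: p > args[0],
    "lt": lambda p, args: p < args[0],
    "range": lambda p, args: args[0] <= p <= args[1],
}


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.port_op is None:
        return True
    if pkt.dport is None:        # a port operator never matches a packet without ports
        return False
    return PORT_OPS[ace.port_op](pkt.dport, ace.ports)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins, implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


HOST = "0.0.0.0"                          # wildcard used by 'host A.B.C.D'
ANY = ("0.0.0.0", "255.255.255.255")      # address + wildcard used by 'any'

ACL_110 = [
    # access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23   (from the slides)
    Ace("permit", "tcp", "192.168.10.10", HOST, "192.168.20.2", HOST, "eq", (23,)),
    # access-list 110 deny tcp any host 192.168.20.2 eq 23   (assumed: blocks the other hosts)
    Ace("deny", "tcp", *ANY, "192.168.20.2", HOST, "eq", (23,)),
    # access-list 110 permit ip any any   (assumed: keeps all other traffic free)
    Ace("permit", "ip", *ANY, *ANY),
]

# Constructed test traffic
SAMPLES = [
    Packet("tcp", "192.168.10.10", "192.168.20.2", 23),   # the allowed admin host
    Packet("tcp", "192.168.10.20", "192.168.20.2", 23),   # another host, Telnet to the protected IP
    Packet("tcp", "192.168.10.20", "192.168.20.2", 80),   # another host, another port
    Packet("icmp", "192.168.10.20", "192.168.20.2"),      # ping, no ports
    Packet("tcp", "192.168.10.20", "192.168.30.5", 23),   # Telnet to a different destination
]


def decisions(acl: List[Ace], packets: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for p, d in zip(SAMPLES, decisions(ACL_110, SAMPLES)):
        print(f"{d:6} {p.proto} {p.src} -> {p.dst}:{p.dport}")
```

Evaluating ACL_110[:1] (only the line the slides show) returns deny for every sample except the first, which is the practical reason the list needs the explicit permit at the end. Where to apply it is not shown in the slides; the usual placement for an extended ACL is close to the source, i.e. inbound on ROUTER_1's gi0/0 with ip access-group 110 in (an assumption here). Note that this protects the path through ROUTER_1 only; Telnet to ROUTER_2 from any other direction is controlled by an access-class on ROUTER_2's own VTY lines, as done for ROUTER_1 earlier.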