CCNA 4-ACLv1

CCNA
ACCESS-LIST
Agenda
CISCO PACKET TRACER v 7.2.1.0404
ACL
access-list
Onde tudo começou...
MODELO OSI
7 - APLICAÇÃO
6 - APRESENTAÇÃO
5 - SESSÃO
4 - TRANSPORTE
3 - REDE
2 - ENLACE
1 - FISICA
A camada 2...
FRAME 802.3
PREAMBULO SOF MAC ORIGEM MAC DESTINO TIPO FCS

DADOS...
TAMANHO
7 bytes 1 6 6 2 46 - 1500 4
FRAME 802.3
PREAMBULO SOF MAC ORIGEM MAC DESTINO VLAN TIPO FCS

DADOS...
TAG TAMANHO
7 bytes 1 6 6 4 2 46 - 1500 4
Tag protocol identifier (TPID)

TPID PRI CFI VID Priority identifier (PRI)
2 3bits 1bit 12bits Colision forward identifier
VLAN identifier (VID)
A camada 3...
https://tools.ietf.org/html/rfc791
A camada 4...
OSI x TCP/IP...
MODELO OSI MODELO OSI
7 - APLICAÇÃO
6 - APRESENTAÇÃO APLICAÇÃO
5 - SESSÃO
4 - TRANSPORTE TRANSPORTE
3 - REDE INTERNET
2 - ENLACE
ACESSO AOS
MEIOS
1 - FISICA
A comunicação fim-a-fim...
CAMADA 4
PORT PORT
CAMADA 4
DESTINO ORIGEM
PORT PORT
ORIGEM DESTINO
CAMADA 3
CAMADA 3
IP DESTINO IP ORIGEM
IP ORIGEM IP DESTINO
A comunicação fim-a-fim...
CAMADA 4
PORT PORT
CAMADA 4
DESTINO ORIGEM
PORT PORT
ORIGEM DESTINO
CAMADA 3
CAMADA 3
IP DESTINO IP ORIGEM
IP ORIGEM IP DESTINO
ACL
Como a ACL funciona...
SIM
REGRA 1
NAO
SIM
REGRA 2
NAO
ULTIMA SIM
REGRA
NAO DROP
Como a ACL funciona...
ACL
Numbered Named
Standard Extended Standard Extended

Cada uma no seu quadrado...
ROTEADOR REAL
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list PACKET TRACER
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
Router(config)#
Router(config)#
Router(config)#access-list ?
Router(config)#access-list
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):
•Source MAC address with mask.
•Destination MAC address with mask.
•VLAN ID (or range of IDs).
•Class of Service (CoS) (802.1p) .
Standard: permit or deny packets based on source IP

Extended: filter packets based on multiple criteria like
source and destination IP, source and destination ports,
and more.
Regras básicas...
1. Os pacotes são comparados com cada uma das
linhas da lista em ordem sequencial;
2. Os pacotes são comparados com as linhas ATÉ
que sejam processados. Nenhuma comparação
adicional é feita depois;
3. TODA lista tem um DENY IMPLICITO no final;
4. Se nenhuma das linhas for processada o pacote
é descartado (item 3);
Vamos à prática ....
Configs...
ROUTER
Router#conf t
Router(config)#hostname ROUTER_1
ROUTER_1(config)#enable secret cisco

ROUTER_1(config)#enable password login
ROUTER_1(config)#
ROUTER_1(config)#int gi0/0
ROUTER_1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER_1(config-if)#no shut
ROUTER_1(config-if)#
ROUTER_1(config)#line vty 0 15
ROUTER_1(config-line)#login
ROUTER_1(config-line)#password cisco
ROUTER_1(config-line)# SWITCH
Switch# conf t
Switch(config)#vlan 10
Switch(config-vlan)#
Switch(config-vlan)#
Switch(config-vlan)#int range f0/1-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#
<1-99>IP standard access list
ROUTER_1(config)#access-list ?
ROUTER_1(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
EM QUE INTERFACE
remark Access list entry comment
APLICAR ??
ROUTER_1(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
ROUTER_1(config)#access-list 10 permit host ?

A.B.C.D Host address
ROUTER_1(config)#access-list 10 permit host 192.168.10.10
ROUTER_1(config-line)#access-class ?
<1-199> IP access list
WORD Access-list name
Testar o acesso TELNET ROUTER_1(config-line)#access-class 10 ?

in Filter incoming connections
dos três computadores... out Filter outgoing connections
ROUTER_1(config-line)#access-class 10 in
ROUTER_1#conf t ROUTER_1(config)#access-list 10 permit ?
Enter configuration commands, one per line. End with CNTL/Z. A.B.C.D Address to match
ROUTER_1(config)#access-list 10 permit host 192.168.10.20 any Any source host
ROUTER_1(config)# host A single host address
ROUTER_1(config)#
ROUTER_1(config)#access-list 10 permit any ?
ROUTER_1#show run <cr>
… <linhas omitidas> ROUTER_1(config)#access-list 10 permit any
ip flow-export version 9 ROUTER_1(config)#
!
access-list 10 permit host 192.168.10.10
access-list 10 permit host 192.168.10.20 ROUTER_1#show access-lists
! Standard IP access list 10
10 permit host 192.168.10.10 (6 match(es))
20 permit host 192.168.10.20
30 permit any (2 match(es))
ROUTER_1#
ROUTER_1#show access-lists 10 | ?
begin Begins unfiltered output of the show command with the first line that contains the regular expression.
exclude Displays output lines that do not contain the regular expression.
include Displays output lines that contain the regular expression.
ROUTER_1#show access-lists 10 | include mat

permit host 192.168.10.10 (6 match(es))
permit any (2 match(es))
ROUTER_1#
ROUTER_1#conf t
ROUTER_1(config)#no access-list 10
ROUTER_1(config)#
ROUTER_1(config)#access-list 10 permit any
ROUTER_1(config)#
Testar o acesso TELNET dos três computadores...

ROUTER_1#show access-lists
Standard IP access list 10
10 permit any (4 match(es))
20 permit host 192.168.10.10
30 permit host 192.168.10.20
40 permit host 192.168.10.30
ROUTER_1#
ROUTER_1#conf t
A.B.C.D Address to match
any Any source host
host A single host address
ROUTER_1(config)#access-list 10 permit 192.168.10.0 ?

A.B.C.D Wildcard bits
<cr>
ROUTER_1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
ROUTER_1(config)#
Testar o acesso TELNET dos três computadores...

ROUTER_1#show access-lists
Standard IP access list 10
10 permit 192.168.10.0 0.0.0.255 (4 match(es))
ROUTER_1#
DEU MATCH ?? 192.168.10.0 0.0.0.255
WILDCARD NÃO É O
COMPLEMENTO DA
MASCARA
DEU MATCH ?? 192.168.10.0 0.0.0.255
1100000.10101000.00001010.00000000 192.168.10.0
0000000.00000000.00000000.11111111
BIT 0 = tem que dar match

BIT 1 = não interessa
DEU MATCH ??
access-list 10 permit 192.168.10.0 0.0.0.255
REGRA
1100000.10101000.00001010.00000000
0000000.00000000.00000000.11111111
APLICAÇÃO DA REGRA
1100000.10101000.00001010.00000000 = 192.168.10.0
1100000.10101000.00001010.00001010 = 192.168.10.10
!!!!!!!.!!!!!!!!.!!!!!!!!.######## = 192.168.10.XX
MATCH EXATO DE TODOS OS BITS NÃO INTERESSA
DESAFIO 1
Altere a ACL 10 para permitir apenas
TELNET de endereços IP cujo ultimo
octeto seja “par”
1100000.10101000.00001010.00000000 = 192.168.10.0
WILDCARD
0000000.00000000.00000000.11111110 = 0.0.0.254
DESAFIO 1 ROUTER_1#
ROUTER_1#conf t
ROUTER_1(config)#
DESAFIO 2
Altere a ACL 10 para permitir apenas
TELNET de endereços IP cujo ultimo
octeto seja “ímpar”
1100000.10101000.00001010.00000001 = 192.168.10.1
WILDCARD
0000000.00000000.00000000.11111110 = 0.0.0.254
DESAFIO 2 ROUTER_1#conf t

ROUTER_1(config)#

ROUTER_1#conf t Router(config)#hostname ROUTER_2
ROUTER_1(config)#int gi0/1 ROUTER_2(config)#int gi0/0
ROUTER_1(config-if)#ip address 192.168.20.1 255.255.255.0 ROUTER_2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER_1(config-if)#no shut ROUTER_2(config-if)#no shut
ROUTER_1(config-if)#
ROUTER_1(config-if)#router rip ROUTER_2(config-if)#int gi0/1
ROUTER_1(config-router)#network 192.168.10.0 ROUTER_2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER_1(config-router)#network 192.168.20.0 ROUTER_2(config-if)#no shut
ROUTER_1(config-router)#version 2
ROUTER_1(config-router)# ROUTER_2(config-if)#router rip
ROUTER_2(config-router)#network 192.168.20.0
ROUTER_2(config-router)#network 192.168.30.0
ROUTER_2(config-router)#version 2
C:\>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
[Connection to 192.168.20.2 closed by foreign host]

ACL EXTENDIDA
C:\>
C:\>
Ajustes na config ROUTER_2

ROUTER_2#
ROUTER_2#conf t
ROUTER_2(config)#enable secret cisco
ORIGEM ESPECIFICA
ROUTER_2(config)#enable password login
DESTINO ESPECIFICO
ROUTER_2(config-line)#password login
ROUTER_2(config-line)#login
PORT ESPECIFICO
Vamos construir uma ACL para permitir TELNET no IP

192.168.20.2 do ROUTER_2 APENAS do host 192.168.10.10 e
NEGAR os demais HOSTS para esse IP (deixando os demais livres)
ROUTER_1(config)#access-list 110 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment

ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
ROUTER_1(config)#access-list 110 permit tcp ?

A.B.C.D Source address
any Any source host
host A single source host
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 ?

A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq ?

<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23
ROUTER_1(config)#
PROTOCOLO
LISTA DE ACESSO (PORT
EXTENDIDA
(100-199)
AÇAO
(PERMIT ou DENY)
DESTINO
(host ou rede com WILDCARD
access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23
ORIGEM
OPERADOR LOGICO
(host ou rede com WILDCARD
MAIOR
MENOR
PROTOCOLO IGUAL
(TCP / UDP / IP / etc etc

CCNA 4-ACLv1

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

CCNA 4-ACLv1

Enviado por

Direitos autorais:

Formatos disponíveis

CCNA

PREAMBULO SOF MAC ORIGEM MAC DESTINO TIPO FCS

PREAMBULO SOF MAC ORIGEM MAC DESTINO VLAN TIPO FCS

Tag protocol identifier (TPID)

Standard Extended Standard Extended

Standard: permit or deny packets based on source IP

ROUTER_1(config)#enable secret cisco

ROUTER_1(config)#access-list 10 permit host ?

Testar o acesso TELNET ROUTER_1(config-line)#access-class 10 ?

ROUTER_1#show access-lists 10 | include mat

Testar o acesso TELNET dos três computadores...

ROUTER_1(config)#access-list 10 permit 192.168.10.0 ?

Testar o acesso TELNET dos três computadores...

BIT 0 = tem que dar match

ROUTER_1(config)#access-list 10 permit 192.168.10.1 0.0.0.254

Enter configuration commands, one per line. End with CNTL/Z.

[Connection to 192.168.20.2 closed by foreign host]

Ajustes na config ROUTER_2

Vamos construir uma ACL para permitir TELNET no IP

ROUTER_1(config)#access-list 110 permit ?

ROUTER_1(config)#access-list 110 permit tcp ?

ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 ?

ROUTER_1(config)#access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq ?

access-list 110 permit tcp host 192.168.10.10 host 192.168.20.2 eq 23

Você também pode gostar