ACCESS-LIST
Agenda
CISCO PACKET TRACER v 7.2.1.0404
ACL
access-list
Where it all began...
OSI MODEL
7 - APPLICATION
6 - PRESENTATION
5 - SESSION
4 - TRANSPORT
3 - NETWORK
2 - DATA LINK
1 - PHYSICAL
Layer 2...
FRAME 802.3
Layer 3: the IP header, https://tools.ietf.org/html/rfc791
Layer 4...
OSI vs TCP/IP...
OSI MODEL           TCP/IP MODEL
7 - APPLICATION     \
6 - PRESENTATION     APPLICATION
5 - SESSION         /
4 - TRANSPORT       TRANSPORT
3 - NETWORK         INTERNET
2 - DATA LINK       \ NETWORK
1 - PHYSICAL        / ACCESS
End-to-end communication...
           SENDER                          RECEIVER
LAYER 4    SOURCE PORT  ----------------->  DESTINATION PORT
LAYER 3    SOURCE IP    ----------------->  DESTINATION IP
On the reply the fields swap: the receiver's port and IP become the source, the sender's become the destination. These four values (plus the protocol) are what an ACL matches on.
ACL
How the ACL works...
RULE 1     match? YES -> apply that rule's action (permit or deny), stop
    | NO
RULE 2     match? YES -> apply that rule's action, stop
    | NO
   ...
LAST RULE  match? YES -> apply that rule's action, stop
    | NO
DROP (implicit deny: a packet that matches no rule is discarded)
ACL
Numbered          Named
Router(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
Router(config)#access-list
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):
•Source MAC address with mask.
•Destination MAC address with mask.
•VLAN ID (or range of IDs).
•Class of Service (CoS) (802.1p).
ROUTER
ROUTER_1(config)#int gi0/0
ROUTER_1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER_1(config-if)#no shut
ROUTER_1(config-if)#exit
ROUTER_1(config)#line vty 0 15
ROUTER_1(config-line)#login
ROUTER_1(config-line)#password cisco
! 'login' + 'password' is a single plaintext password shared by all 16 vty lines:
! acceptable for this Packet Tracer lab, not for a real device.

SWITCH
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#int range f0/1-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
STANDARD <1-99> IP access list
ROUTER_1(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
ROUTER_1(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
ROUTER_1(config)#access-list 10 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address

ON WHICH INTERFACE SHOULD IT BE APPLIED??
A standard ACL matches on the source address only. Here it is not bound to an interface but to the vty lines with access-class, so it decides which sources may open a Telnet (or SSH) session to the router:
ROUTER_1(config)#line vty 0 15
ROUTER_1(config-line)#access-class 10 in
STANDARD <1-99> IP access list
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#access-list 10 permit host 192.168.10.20
ROUTER_1(config)#

ROUTER_1#show run
… (lines omitted)
ip flow-export version 9
!
access-list 10 permit host 192.168.10.10
access-list 10 permit host 192.168.10.20
!

ROUTER_1(config)#access-list 10 permit any ?
  <cr>
ROUTER_1(config)#access-list 10 permit any
ROUTER_1(config)#

ROUTER_1#show access-lists
Standard IP access list 10
    10 permit host 192.168.10.10 (6 match(es))
    20 permit host 192.168.10.20
    30 permit any (2 match(es))
ROUTER_1#
IOS numbers the entries 10, 20, 30 in the order they were typed and counts the hits on each. With entry 30 present the two host entries are redundant: every source is permitted, and its 2 matches are sessions from hosts other than .10 and .20 that the list let through. Without "permit any" those sessions would have reached the implicit deny at the end of the list.
ROUTER_1#show access-lists 10 | ?
  begin    Begins unfiltered output of the show command with the first line that contains the regular expression.
  exclude  Displays output lines that do not contain the regular expression.
  include  Displays output lines that contain the regular expression.
ROUTER_1(config)#access-list 10 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address

THE WILDCARD IS NOT THE COMPLEMENT OF THE MASK

DID IT MATCH?? 192.168.10.0 0.0.0.255
11000000.10101000.00001010.00000000 = 192.168.10.0  (address)
00000000.00000000.00000000.11111111 = 0.0.0.255     (wildcard)

APPLYING THE RULE
11000000.10101000.00001010.00000000 = 192.168.10.0
11000000.10101000.00001010.00001010 = 192.168.10.10
!!!!!!!!.!!!!!!!!.!!!!!!!!.######## = 192.168.10.XX
!  wildcard bit 0: EXACT MATCH of this bit is required
#  wildcard bit 1: this bit DOESN'T MATTER
The wildcard is read bit by bit, not as a subnet mask, so the 1 bits do not have to be contiguous (see the challenges below).
CHALLENGE 1
Change ACL 10 so that only TELNET from IP addresses whose last octet is "even" is permitted

11000000.10101000.00001010.00000000 = 192.168.10.0
WILDCARD
00000000.00000000.00000000.11111110 = 0.0.0.254
Only bit 0 of the last octet is checked; it must equal the 0 in 192.168.10.0, so every even host in 192.168.10.0/24 matches and every odd one does not. The first three octets are still pinned: 192.168.11.x does not match.

CHALLENGE 1
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10
ROUTER_1(config)#access-list 10 permit 192.168.10.0 0.0.0.254
ROUTER_1(config)#
"no access-list 10" deletes the whole list, so every entry has to be typed again; the access-class binding on the vty lines stays in place. Note that access-class filters every vty session, SSH as well as Telnet.
CHALLENGE 2
Change ACL 10 so that only TELNET from IP addresses whose last octet is "odd" is permitted

11000000.10101000.00001010.00000001 = 192.168.10.1
WILDCARD
00000000.00000000.00000000.11111110 = 0.0.0.254
Same wildcard; only the base address changes, so bit 0 now has to be 1.

CHALLENGE 2
ROUTER_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER_1(config)#no access-list 10
ROUTER_1(config)#access-list 10 permit 192.168.10.1 0.0.0.254
EXTENDED
(100-199)
access-list <100-199> ACTION PROTOCOL SOURCE DESTINATION [LOGICAL OPERATOR PORT]
  ACTION            permit or deny
  PROTOCOL          TCP / UDP / IP / etc.
  SOURCE            host or network with WILDCARD
  DESTINATION       host or network with WILDCARD
  LOGICAL OPERATOR  on the port: GREATER (gt), LESS (lt), EQUAL (eq)
An extended ACL matches on source and destination, protocol and port, which is why a "Telnet only" rule needs an extended list: a standard one sees only the source address.
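As an added example (Python written for this page, not code from the original slides or from Cisco), the model below reproduces the evaluation on the "How the ACL works" slide and the bit-by-bit wildcard comparison of the wildcard slides: entries are walked top-down, the first match decides, and a packet that matches nothing hits the implicit deny. It parses the same "access-list" lines used above, standard (source only) and extended (protocol, source, destination, eq/gt/lt on the destination port, as in the last slide), and runs the challenge 1 and 2 ACLs and the lab ACL with its trailing "permit any" against constructed source addresses. The extended ACL TELNET_ONLY and the packet values are constructed for the example; the operator-after-source form and the other IOS operators are not modelled.

```python
"""Added example, not part of the original slides: how IOS evaluates a numbered
ACL (top-down, first match wins, implicit deny) with wildcard bits compared one
by one, so the even/odd challenges and extended-ACL ports can be checked offline."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # IOS 'any': every bit is don't-care


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"                     # ip / tcp / udp / icmp
    dport: Optional[int] = None           # destination port for tcp/udp


@dataclass
class Entry:
    action: str                           # permit / deny
    proto: str                            # "ip" for a standard ACL (source only)
    src: Tuple[str, str]                  # (address, wildcard)
    dst: Tuple[str, str]
    port_op: Optional[Tuple[str, int]] = None   # (eq|gt|lt, port) on the destination port
    text: str = ""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit whose wildcard bit is 0.
    A 1 bit means 'don't care', so 0.0.0.254 (only the last bit pinned) is a
    legal wildcard although it is not the complement of any subnet mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def _addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N ...' lines in the order typed (IOS appends in order)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:                         # standard: source only
            src, _ = _addr(tok, 3)
            entries.append(Entry(action, "ip", src, ANY, text=line))
        elif 100 <= number <= 199:                    # extended: proto src dst [op port]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            op = None
            if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
                op = (tok[i], int(tok[i + 1]))
            entries.append(Entry(action, tok[3], src, dst, op, text=line))
        else:
            raise ValueError(f"unsupported ACL number {number}: {line}")
    return entries


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.port_op is None:
        return True
    if p.dport is None:
        return False
    op, port = e.port_op
    return {"eq": p.dport == port, "gt": p.dport > port, "lt": p.dport < port}[op]


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, str]:
    """Walk the list top-down; the first matching entry decides. No match -> DROP."""
    for e in entries:
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny at the end of the list"


def vty_decision(acl_lines: List[str], source_ip: str) -> str:
    """What 'access-class <acl> in' does: a standard ACL checked against the source."""
    return evaluate(parse_acl(acl_lines), Packet(src=source_ip))[0]


# ACLs taken from the slides: challenge 1, challenge 2, and the lab ACL with its trailing permit any.
EVEN_ONLY = ["access-list 10 permit 192.168.10.0 0.0.0.254"]
ODD_ONLY = ["access-list 10 permit 192.168.10.1 0.0.0.254"]
LAB_ACL = ["access-list 10 permit host 192.168.10.10",
           "access-list 10 permit host 192.168.10.20",
           "access-list 10 permit any"]
# Constructed extended ACL (not from the slides): Telnet from the LAN to 192.168.10.1 only.
TELNET_ONLY = ["access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 23",
               "access-list 100 deny ip any any"]

if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.11", "192.168.11.10"):
        print(f"{ip:15} even={vty_decision(EVEN_ONLY, ip):6} "
              f"odd={vty_decision(ODD_ONLY, ip):6} lab={vty_decision(LAB_ACL, ip)}")
    print(evaluate(parse_acl(TELNET_ONLY), Packet("192.168.10.5", "192.168.10.1", "tcp", 22)))
```

Running it shows 192.168.10.10 permitted by the even list and denied by the odd one, 192.168.10.11 the reverse, 192.168.11.10 denied by both (the wildcard pins the first three octets), and every one of them permitted by the lab ACL because of its "permit any". The SSH packet on port 22 falls through to the explicit "deny ip any any"; drop that line and it is caught by the implicit deny instead, with the same result.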