CCNA Lecture 16 Class Notes
Author: 마노링
@@ACL (Access Control List)
Creates entries that permit or deny packets passing through the Router by inspecting their IP, TCP and UDP headers.
@Standard ACL - access control entries
Creates entries that permit or deny based on the Source IP only.
list-number : 1 - 99
Router(config)#access-list <list-number> <permit|deny> <source-ip> <wildcard-mask>
- Creating an access control entry for the 192.168.1.0/24 Network
Router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router(config)#access-list 1 permit any
- Creating an access control entry for the 192.168.1.0/24 Network
Router(config)#access-list 2 permit 192.168.1.0 0.0.0.255
++Standard ACL hands-on practice
1. Create an entry denying access from the 172.13.0.0 Network to the 172.12.0.0 Network
!--R2
conf t
access-list 1 deny 172.13.0.0 0.0.0.255
access-list 1 permit any
int s1/1
ip access-group 1 in
end
R3#ping 172.12.0.1 source 192.168.1.6
!!!!!
R3#ping 172.12.0.1 source 172.13.0.1
.....
R3#telnet 172.12.0.1 /source-interface serial 1/1
R2>
R3#telnet 172.12.0.1 /source-interface loopback 0
% Destination unreachable; gateway or host down
!--R2
conf t
no access-list 1
int s1/1
no ip access-group 1 in
exit
access-list 1 deny 172.13.0.0 0.0.0.255
access-list 1 permit any
int f0/0
ip access-group 1 out
end
R3#ping 172.12.0.2 source 172.13.0.1
.....
!-R3
conf t
no ip route 172.12.0.0 255.255.255.0 s1/0
end
R3#sh ip route
D 172.12.0.0 [90/1764352] via 192.168.1.5, 01:11:05, Serial1/1
R3#ping 172.12.0.2 source 172.13.0.1
.....
2. On Router R2, create entries that permit the 172.12.0.0 Network and deny everything else
!--R2
conf t
access-list 2 permit 172.12.0.0 0.0.0.255
int s1/0
ip access-group 2 in
int s1/1
ip access-group 2 in
end
R1#ping 192.168.1.2
.....
R3#ping 192.168.1.5
.....
R2 VMnet1
C:\>ping 192.168.1.5
Reply
C:\>ping 172.12.0.1
Reply
3. On Router R1, create entries that permit the 172.11.0.0 and 172.12.0.0 Networks and deny everything else
!--R1
conf t
access-list 3 permit 172.11.0.0 0.0.0.255
access-list 3 permit 172.12.0.0 0.0.0.255
int s1/0
ip access-group 3 in
int s1/1
ip access-group 3 in
end
R1#ping 192.168.1.1 source 172.11.0.1
!!!!!
R2#ping 192.168.1.1 source 172.12.0.1
!!!!!
R3#ping 192.168.1.1 source 172.13.0.1
.....
4. Create entries that permit the 172.12.0.0 Network access to Router R1 and deny it access to Router R3
!--R3
conf t
access-list 4 deny 172.12.0.0 0.0.0.255
access-list 4 permit any
int s1/1
ip access-group 4 in
end
R2 VMnet1
C:\>ping 192.168.1.1
Reply
C:\>ping 192.168.1.6
Request timed out
@Extended ACL - Packet Filtering
Creates entries that permit or deny by inspecting Source IP, Destination IP, Protocol and Options.
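The standard and extended ACL definitions above state what a list inspects but not how a router walks it. As an added example (not from these notes or from Cisco), the following Python models both kinds of list with Cisco wildcard masks, top-down first-match evaluation and the implicit deny at the end of every list, and reproduces the results of labs 1 and 2 (192.168.1.6 permitted, 172.13.0.1 denied; the VMnet1 host behind f0/0 unfiltered because ACL 2 is bound only to s1/0 and s1/1). List 101, the extended line format it uses, the interface bindings and the host address 192.168.1.10 are assumptions of this example.

```python
"""Standard and extended ACL evaluation, Cisco style (added example).

Not from the lecture notes. Entries are tested top to bottom, the first
match decides, and a packet matching nothing is dropped (implicit deny).
A wildcard mask bit of 0 means 'must match', 1 means 'don't care'.
Numbers 1-99 are standard lists; the extended line format is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    # wildcard bits are cleared on both sides; the remaining bits must agree
    return (a & ~w) == (n & ~w)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard lists: any destination
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                # "ip" matches every protocol
    port: Optional[int] = None       # destination port from "eq N"


def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from tok."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_acl(lines):
    """Group 'access-list N ...' lines into ordered entries per list."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue                      # not an ACL line (e.g. 'conf t')
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99:                # standard: source only
            src, src_wc, _ = _addr(rest)
            entry = Entry(action, src, src_wc)
        else:                             # extended: proto src dst [eq port]
            proto, rest = rest[0], rest[1:]
            src, src_wc, rest = _addr(rest)
            dst, dst_wc, rest = _addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            entry = Entry(action, src, src_wc, dst, dst_wc, proto, port)
        acls.setdefault(num, []).append(entry)
    return acls


def evaluate(entries, src, dst="0.0.0.0", proto="ip", port=None):
    """Return (decision, matched entry). First match wins; no match denies."""
    for e in entries:
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action, e
    return "deny", None                   # implicit deny at end of list


def filter_at(bindings, acls, iface, direction, **pkt):
    """Apply the list bound to (iface, direction) via 'ip access-group'.
    An interface with no binding forwards everything: the VMnet1 host on
    R2's f0/0 is not filtered in lab 2 because ACL 2 is only on s1/0, s1/1.
    """
    num = bindings.get((iface, direction))
    if num is None:
        return "permit"
    return evaluate(acls.get(num, []), **pkt)[0]


# Constructed input: lists 1 and 2 from the labs, plus an assumed extended
# list 101 blocking telnet from 172.13.0.0/24 to 172.12.0.1 only.
LAB_CONFIG = """
access-list 1 deny 172.13.0.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 172.12.0.0 0.0.0.255
access-list 101 deny tcp 172.13.0.0 0.0.0.255 host 172.12.0.1 eq 23
access-list 101 permit ip any any
""".strip().splitlines()
LAB2_BINDINGS = {("s1/0", "in"): 2, ("s1/1", "in"): 2}   # lab 2 on R2

if __name__ == "__main__":
    acls = parse_acl(LAB_CONFIG)
    for src in ("192.168.1.6", "172.13.0.1"):
        print("ACL 1, source", src, "->", evaluate(acls[1], src)[0])
    print("lab 2, host on f0/0 ->",
          filter_at(LAB2_BINDINGS, acls, "f0/0", "in", src="192.168.1.10"))
```

The interface binding is the part most often missed in practice: a list that is written correctly but applied on the wrong interface or direction (compare lab 1, where moving ACL 1 from s1/1 in to f0/0 out changes which paths are filtered) silently leaves traffic unfiltered.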