SWITCH v7 Chapter 3
© 2007 – 2016, Cisco Systems, Inc. All rights reserved. Cisco Public 1
ACCESS CONTROL LIST
Packet filtering used to implement control and security policies.
There are 2 types:
Standard ACL
Extended ACL
There are two configuration classes:
Numbered ACLs
Named ACLs
STANDARD ACL
They are based on the source IP address of a packet.
They use an ACL number between 1 and 99 or between 1300 and 1999.
They are configured as close as possible to the packet's destination.
CONFIGURATION SYNTAX:
access-list access-list-number {permit | deny} source {source-mask}
Applying it to an interface:
ip access-group access-list-number {in | out}
NAMED ACLs
Standard and extended ACLs can be configured using names instead of numbers.
SYNTAX
ip access-list {standard | extended} {name | number}
EXAMPLE (the ip access-list command enters the named-ACL sub-mode; the entry is typed as a separate line):
ip access-list extended in_to_out
 permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
Applying it to an interface:
ip access-group in_to_out in
ACL SIM1
The ACL is applied to interface f0/0 as inbound.
ACL 106 only permits echo-reply, so it does not let ICMP echo packets in, and the ping from the SW cannot enter the router.
ACL 104 PERMITS ICMP echo packets in; since the ACL is applied only inbound, the echo-reply packets can leave through the interface without the ACL being applied.
Applying ACL 104 instead of ACL 106 solves the problem, provided that an inbound ACL is kept on interface f0/0.
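As an added example (not from the slides), the following Python model evaluates IOS-style extended ACL entries top-down with the implicit deny, `host`/`any` and wildcard masks, and reproduces the SIM1 scenario above: ACL 106 inbound on f0/0 drops the switch's echo request while ACL 104 admits it, and the echo-reply leaves untouched because nothing is bound outbound. The ACL lines, the port-name table and the addresses are constructed, since the slides only state what each ACL permits.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80}   # subset of IOS port keywords, constructed for this example
def parse_addr(tokens, i):
    """IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous only)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))   # wildcard 1-bits are don't-care
    return ipaddress.ip_network(f"{tokens[i]}/{ipaddress.IPv4Address(mask)}", strict=False), i + 2

def parse_ace(line):   # 'access-list N {permit|deny} PROTO SRC DST [qualifier...]'
    t = line.split()
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "qual": t[i:]}

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"] or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    q = ace["qual"]
    if not q:                            # no qualifier: any ICMP type / any port
        return True
    if pkt["proto"] == "icmp":           # the qualifier is the ICMP type, e.g. 'echo-reply'
        return pkt["icmp_type"] == q[0]
    port = PORT_NAMES[q[1]] if q[1] in PORT_NAMES else int(q[1])   # 'eq telnet' / 'eq 23'
    return q[0] == "eq" and pkt["dport"] == port

def evaluate(acl_lines, pkt):
    for ace in map(parse_ace, acl_lines):   # first match wins, top-down
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"                            # implicit deny at the end of every ACL
# Constructed reproduction of SIM1: the slides only state that 106 permits echo-reply and 104 permits echo.
ACLS = {"106": ["access-list 106 permit icmp any any echo-reply"], "104": ["access-list 104 permit icmp any any echo"]}
ROUTER_F0_0, SWITCH = "10.0.0.1", "10.0.0.2"   # constructed addresses

def interface_filter(bindings, direction, pkt):
    acl = bindings.get(direction)            # 'ip access-group N {in|out}'; nothing bound = permit
    return "permit" if acl is None else evaluate(ACLS[acl], pkt)

def sim1_ping(acl_number):
    """Switch pings the router with ACL `acl_number` inbound on f0/0: (request in, reply out)."""
    f0_0 = {"in": acl_number}            # inbound only, as on the slide
    request = {"proto": "icmp", "src": SWITCH, "dst": ROUTER_F0_0, "icmp_type": "echo"}
    reply = {"proto": "icmp", "src": ROUTER_F0_0, "dst": SWITCH, "icmp_type": "echo-reply"}
    return interface_filter(f0_0, "in", request), interface_filter(f0_0, "out", reply)
```

`sim1_ping("106")` returns `("deny", "permit")` and `sim1_ping("104")` returns `("permit", "permit")`, which is the difference the slides describe; `evaluate` also accepts the telnet entry from the NAMED ACLs slide written in numbered form.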
ACL SIM2 v1
ACL SIM2 v2
NOTE:
“access-list 100 permit ip any any”
“access-list 100 permit ip any host (IP of Public Web Server)”
DHCP
NAT
• Always consider the device that is having its private address translated to understand this concept.
• Inside address – address of the company network device that is being translated by NAT
• Outside address – IP address of the destination device
• Local address – any address that appears on the inside portion of the network
• Global address – any address that appears on the outside portion of the network
STATIC NAT
Static address translation (static NAT) assigns one public IP address to one private IP address.
Commonly used for servers that need to be accessed by external devices or for devices that must be accessible by authorized personnel when offsite.
One-to-one address mapping between local and global addresses.
DYNAMIC NAT
PAT NAT
PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices.
It uses port numbers to track each session.
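As an added example, not from the slides, the following Python models the two behaviours described under STATIC NAT and PAT NAT above: the one-to-one static mapping that lets an outside host initiate a connection to a published server, and the overload table that keys each session by its translated source port and drops inbound packets for which no translation exists. The addresses and the port pool are constructed.

```python
class StaticNat:
    """Static NAT: one inside-local address <-> one inside-global address, in both directions,
    so an outside host can initiate a connection to the published server."""
    def __init__(self, mappings):                 # {inside_local: inside_global}
        self.to_global = dict(mappings)
        self.to_local = {g: l for l, g in mappings.items()}

    def outbound(self, src, sport, dst, dport):   # inside -> outside
        return None if src not in self.to_global else (self.to_global[src], sport, dst, dport)

    def inbound(self, src, sport, dst, dport):    # outside -> inside; unsolicited packets are fine
        return None if dst not in self.to_local else (src, sport, self.to_local[dst], dport)


class PatOverload:
    """PAT / NAT overload: every inside host shares one inside-global address; the translated
    source port is the session key, so replies can be mapped back to the right host."""
    def __init__(self, inside_global, first_port=1024):   # constructed port pool start
        self.inside_global, self.next_port = inside_global, first_port
        self.sessions = {}   # (inside_local, local_port, outside, outside_port) -> global_port
        self.reverse = {}    # (global_port, outside, outside_port) -> (inside_local, local_port)

    def outbound(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key not in self.sessions:              # first packet of a session: allocate a port
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            self.sessions[key] = self.next_port
            self.reverse[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (self.inside_global, self.sessions[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        if dst != self.inside_global:
            return None
        session = self.reverse.get((dport, src, sport))
        if session is None:                       # no translation entry: unsolicited packet dropped
            return None
        inside_local, local_port = session
        return (src, sport, inside_local, local_port)
```

Two inside hosts using the same source port 50000 get different global ports (1024 and 1025), which is what lets the reply to port 1025 reach the second host and nobody else.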