
ERION MIKO

1 Solution of the Exercise Using Dynamic Routing

Router 1

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip address 200.100.100.1 255.255.255.240
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial0
Router(config-if)#ip address 200.100.100.97 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Router(config-if)#clock rate 64000
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router 2

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip address 200.100.100.33 255.255.255.224
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial0
Router(config-if)#ip address 200.100.100.101 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Router(config-if)#clock rate 64000
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial1
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Router(config-if)#ip address 200.100.100.98 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial1, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Router#
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 3 subnets
C       200.100.100.32/27 is directly connected, FastEthernet0
C       200.100.100.96/30 is directly connected, Serial1
C       200.100.100.100/30 is directly connected, Serial0

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router eigrp 20
Router(config-router)#network 200.100.100.32
Router(config-router)#network 200.100.100.96
Router(config-router)#network 200.100.100.100
Router(config-router)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 5 subnets
C       200.100.100.32/27 is directly connected, FastEthernet0
C       200.100.100.96/30 is directly connected, Serial1
C       200.100.100.100/30 is directly connected, Serial0
D       200.100.100.0/27 [90/1628160] via 200.100.100.97, 00:00:49, Serial1
D       200.100.100.64/27 [90/1628160] via 200.100.100.102, 00:00:14, Serial0

Router 3

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip address 200.100.100.65 255.255.255.224
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial1
Router(config-if)#ip address 200.100.100.102 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial1, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 2 subnets
C       200.100.100.64/27 is directly connected, FastEthernet0
C       200.100.100.100/30 is directly connected, Serial1

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router eigrp 20
Router(config-router)#network 200.100.100.64
Router(config-router)#network 200.100.100.100
Router(config-router)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 5 subnets
C       200.100.100.64/27 is directly connected, FastEthernet0
C       200.100.100.100/30 is directly connected, Serial1
D       200.100.100.32/27 [90/1628160] via 200.100.100.101, 00:00:16, Serial1
D       200.100.100.96/30 [90/1628160] via 200.100.100.101, 00:00:16, Serial1
D       200.100.100.0/27 [90/2455040] via 200.100.100.101, 00:00:16, Serial1

Host PC1

C:>ipconfig /ip 200.100.100.2 255.255.255.224
C:>ipconfig /dg 200.100.100.1
C:>ping 200.100.100.1

Pinging 200.100.100.1 with 32 bytes of data:

Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241

Ping statistics for 200.100.100.1:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

C:>ping 200.100.100.34

Pinging 200.100.100.34 with 32 bytes of data:

Reply from 200.100.100.34: bytes=32 time=60ms TTL=241
Reply from 200.100.100.34: bytes=32 time=60ms TTL=241
Reply from 200.100.100.34: bytes=32 time=60ms TTL=241
Reply from 200.100.100.34: bytes=32 time=60ms TTL=241
Reply from 200.100.100.34: bytes=32 time=60ms TTL=241

Ping statistics for 200.100.100.34:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

C:>ping 200.100.100.66

Pinging 200.100.100.66 with 32 bytes of data:

Reply from 200.100.100.66: bytes=32 time=60ms TTL=241
Reply from 200.100.100.66: bytes=32 time=60ms TTL=241
Reply from 200.100.100.66: bytes=32 time=60ms TTL=241
Reply from 200.100.100.66: bytes=32 time=60ms TTL=241
Reply from 200.100.100.66: bytes=32 time=60ms TTL=241

Ping statistics for 200.100.100.66:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

Host PC2

C:>ipconfig /ip 200.100.100.34 255.255.255.224
C:>ipconfig /dg 200.100.100.33
C:>ping 200.100.100.33

Pinging 200.100.100.33 with 32 bytes of data:

Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241

Ping statistics for 200.100.100.33:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

Host PC3

C:>ipconfig /ip 200.100.100.66 255.255.255.224
C:>ipconfig /dg 200.100.100.65
C:>ping 200.100.100.65

Pinging 200.100.100.65 with 32 bytes of data:

Reply from 200.100.100.65: bytes=32 time=60ms TTL=241
Reply from 200.100.100.65: bytes=32 time=60ms TTL=241
Reply from 200.100.100.65: bytes=32 time=60ms TTL=241
Reply from 200.100.100.65: bytes=32 time=60ms TTL=241
Reply from 200.100.100.65: bytes=32 time=60ms TTL=241

Ping statistics for 200.100.100.65:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

Introduction to Access Lists


An access list is, essentially, a list of conditions that categorize packets. They can be very useful when you need to exercise control over network traffic. An access list is the tool you would choose for decision-making in these situations.

One of the most common and easiest-to-understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can build them to make very specific decisions about regulating traffic patterns, so that they allow only certain hosts to access web resources on the Internet while denying that access to everyone else. With the right combination of access lists, network administrators arm themselves with the power to enforce nearly any security policy they can come up with. Access lists can also be used in situations that do not necessarily involve blocking packets. For example, you can use them to control which networks will or will not be advertised by dynamic routing protocols. The way you configure the access list is the same; the difference is simply that you apply it to a routing protocol instead of an interface. When you apply an access list this way, it is called a distribute list, and it does not stop routing advertisements, it only controls their content. You can also use access lists to categorize packets for queuing or QoS-type services, and to control which types of traffic can bring up an expensive ISDN link. Creating access lists is really very similar to programming a series of if-then statements: if a given condition is met, then a given action is taken. If the specific condition is not met, nothing happens and the next statement is evaluated. Access-list statements are essentially packet filters against which packets are compared, categorized and acted upon accordingly. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface.

Applying an access list causes the router to analyze every packet crossing that interface in the specified direction and to take the appropriate action. There are a few important rules a packet follows when it is being compared with an access list:
- It is always compared with each line of the access list in sequential order, which means it always starts with the first line of the access list, then goes to line 2, then line 3, and so on.
- It is compared with the lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the corresponding action is taken and no further comparisons take place.
- There is an implicit deny at the end of every access list, which means that if a packet does not match the condition on any line of the access list, the packet is discarded.

Each of these rules has some powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists truly takes time and practice to become familiar with. There are two main types of access lists:

Standard access lists. These use only the source IP address in an IP packet as the test condition. All decisions are made based on the source IP address. This means that standard access lists essentially permit or deny an entire suite of protocols. They do not distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and so on.

Extended access lists. Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the network layer header, and the port number in the transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

Now, technically there really are only two types of such lists, since named access lists are either standard or extended and do not really constitute a new type. I am distinguishing them because they are created and referred to differently from standard and extended access lists, but functionally they are the same thing. Once you create an access list, nothing happens until you apply it. True, they are on the router, but they stay inactive until you tell the router what to do with them. To use an access list as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you also have to specify in which direction the traffic should be filtered by the access list.

There is a good reason for this: you may want different controls in place for traffic leaving your enterprise destined for the Internet than for traffic coming into your enterprise from the Internet. In this way, by specifying the direction of the traffic, you can, and often will need to, use different access lists for inbound and outbound traffic on a single interface:

Inbound access lists. When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied will not be routed to the outbound interface, because they are discarded before the routing process is invoked.

Outbound access lists. When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued. There are some general access-list guidelines that should be followed when creating and implementing access lists on a router:
- You can assign only one access list per interface per protocol per direction. This means that when creating IP access lists, you can have only one inbound access list and one outbound access list per interface.
- Organize your access lists so that the more specific tests are at the top of the access list.
- Any time a new entry is added to the access list, it is placed at the bottom of the list. Using a text editor for access lists is highly recommended.
- You cannot remove one line from an access list. If you try to do this, you will remove the whole list. It is best to copy the access list into a text editor before trying to edit the list. The only exception is when using named access lists.
- Unless the access list ends with a permit any command, all packets that do not match any of the list's tests are discarded. Every list needs at least one permit statement, or it will deny all traffic.
- Create access lists and then apply them to an interface. Any access list applied to an interface without an access list present will not filter traffic.
- Access lists are designed to filter traffic passing through the router. They do not filter traffic that originates from the router.
- Place standard IP access lists as close to the source as possible. Since extended access lists can filter very specific addresses and protocols, it is not desirable for traffic to traverse the entire network and then be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up all your bandwidth.

Standard access lists


Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1-99 or 1300-1999 (expanded range). Access-list types are generally differentiated by a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1-99 or 1300-1999, you are telling the router that you want to create a standard IP access list, so the router will expect syntax that specifies only the source IP address in the test lines. The following is an example of the many access-list number ranges you can use to filter traffic on your network (the protocols for which you can specify access lists depend on your IOS version):

Corp(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

Let's take a look at the syntax used when creating a standard access list:

Corp(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

As I mentioned earlier, by using access-list numbers 1-99 or 1300-1999, you are telling the router that you want to create a standard access list. After you have chosen the access-list number, you need to decide whether you are creating a permit or a deny statement. For this example, you are creating a deny statement:

Corp(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step requires a more detailed explanation. There are three possible options. You can use the any parameter to permit or deny any host or network, you can use an IP address to specify either a single host or a range of them, or you can use the host command to specify one specific host. The any command is quite obvious: any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple. Here is an example of how to use it:

Corp(config)#access-list 10 deny host ?
  Hostname or A.B.C.D  Host address

Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2. But there is another way to specify either a particular host or a range of hosts: you can use wildcard masking. In fact, to specify a range of hosts, you must use wildcard masking in the access list.

Wildcard masking

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it is used to specify a range of addresses. Some of the different block sizes are 64, 32, 16, 8 and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you specify only 2 networks, then a block size of 4 would suffice. Wildcards are used with the host or network address to tell the router the range of addresses to filter. To specify a host, the address would look like this: 172.16.30.5 0.0.0.0. The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value 255 is used. As an example, here is how a /24 subnet is specified with a wildcard: 172.16.30.5 0.0.0.255. This tells the router to match the first three octets exactly, but the fourth octet can be any value. Now, that was the easy part. What if you want to specify only a small range of subnets? This is where the block size comes in. You have to specify the range of values in a block size. In other words, you cannot choose to specify 20 networks. You can only specify the exact amount that the block size value gives. For example, the range would have to be either 16 or 32, but not 20. Let's say you want to block access to a part of the network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0 and the wildcard would be 0.0.7.255. What is this? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of 8 addresses to network 172.16.15.0. Really, it is easier than it looks. Of course, you could use binary math, but that is not necessary. In fact, all you need to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7, since the block size is 8. If you used a block size of 16, the wildcard would be 15. Easy, right? But, just to be sure, let's go through some examples to nail it down. The following example tells the router to match the first three octets exactly, but the fourth octet can be anything:

Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value:

Corp(config)#access-list 10 deny 172.16.10.0 0.0.255.255

Try to figure out what this next line means:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.

The following example shows an access list that starts at 172.16.16.0 and goes up a block size of 8 to 172.16.23.0:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0:

Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

The next example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0:

Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

The last example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255:

Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

Here are two more things to keep in mind when working with block sizes and wildcards:
- Each block size must start at 0 or at a multiple of the block size. For example, you cannot say you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc. For a block size of 32, the ranges are 0-31, 32-63, 64-95, etc.
- The any command is the same thing as writing the wildcard 0.0.0.0 255.255.255.255.

Wildcard masking is a crucial skill to master when creating IP access lists. It is used identically when creating standard and extended access lists.

Standard access list example

In this section, you will learn how to use a standard access list to stop specific users from gaining access to the Finance department LAN. In Figure 10.2, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the Marketing department. The Marketing LAN needs to access the Finance LAN for application services.

On the router in the figure, the following standard IP access list is configured:

Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

It is very important to know that the any command is the same thing as saying the following using wildcard masking:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Since the wildcard mask says that none of the octets are to be evaluated, every address matches the test condition. So this is functionally the same as using the any keyword. At this point, the access list is configured to deny source addresses on the Sales LAN access to the Finance LAN and to allow everyone else. But remember that no action will be taken until the access list is applied to an interface in a specific direction. So where should this access list be placed? If you place it as an inbound access list on E0, you might as well shut down the Ethernet interface, because all of the Sales LAN devices will be denied access to all networks attached to the router. The best place to apply this access list is on the E1 interface as an outbound list:

Lab_A(config)#int e1
Lab_A(config-if)#ip access-group 10 out

This completely stops traffic from 172.16.40.0 from getting out of Ethernet 1. It has no effect on the hosts on the Sales LAN accessing the Marketing LAN and the Internet, since traffic to those destinations does not pass through interface E1. Any packet trying to exit E1 will have to go through the access list first. If there were an inbound list placed on E0, then any packet trying to enter interface E0 would have to go through the access list before being routed to an exit interface. Let's take a look at another example of a standard access list. Figure 10.3 shows an internetwork of two routers with three LAN connections and one serial WAN connection.

You want to stop Accounting users from accessing the Human Resources server attached to the Lab_B router, but allow all other users access to that LAN. What standard access list would you create, and where would you place it? The real answer is that you should use an extended access list and place it as close to the source as possible, but the question specifies that you must use a standard access list. Standard access lists, as a general rule, are placed close to the destination; in this example, Ethernet 0 outbound on the Lab_B router. Here is the access list that should be placed on the Lab_B router:

Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out

Before we move on to restricting Telnet access to a router, let's take a look at one more standard access list example, but this one is going to require some thought. In Figure 10.4, there is a router with four LAN connections and one WAN connection to the Internet. You need to write an access list that stops access from each of the four LANs shown in the diagram to the Internet. Each LAN shows a single host's IP address, and from that you need to determine the subnet and use wildcards to configure the access list.

Here is an example of what your answer should look like (starting with the network on E0 and working through to E3):

Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out
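The following Python model is added here as an illustration and is not part of the original lab report or of Cisco IOS. It applies the three matching rules from the introduction (top-down, first match, implicit deny) and the wildcard block-size rule to the Lab_A list and to access-list 1 above; access-list 20 and the source addresses it is tested with are constructed sample input.

```python
"""Added illustration (not from the original report): a model of how a standard
IP access list is evaluated, plus the wildcard/block-size rule.  The ACL lines
are copied from the text or constructed; nothing here talks to a router."""
import ipaddress


def parse_standard_acl_line(line):
    """Parse 'access-list <n> permit|deny <source> [<wildcard>]' the way IOS reads it:
    'any' is 0.0.0.0 255.255.255.255, and 'host A.B.C.D' or a bare address both
    mean a single host (wildcard 0.0.0.0)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a numbered access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    elif len(rest) == 1:
        addr, wild = rest[0], "0.0.0.0"      # bare address defaults to host
    else:
        addr, wild = rest[0], rest[1]
    return {"list": number, "action": action,
            "addr": int(ipaddress.IPv4Address(addr)),
            "wild": int(ipaddress.IPv4Address(wild))}


def entry_matches(entry, source_ip):
    """A wildcard bit of 1 means 'don't care'; every 0 bit must match exactly."""
    care = 0xFFFFFFFF ^ entry["wild"]
    return (int(ipaddress.IPv4Address(source_ip)) & care) == (entry["addr"] & care)


def evaluate_acl(entries, source_ip):
    """Top-down, first match wins, implicit deny when no line matches.
    Returns (action, 1-based line number), or ('deny', None) for the implicit deny."""
    for lineno, entry in enumerate(entries, start=1):
        if entry_matches(entry, source_ip):
            return entry["action"], lineno
    return "deny", None


def wildcard_for_block(start_network, block_size):
    """Wildcard for a block of /24 networks starting at start_network, using the
    rule 'wildcard = block size - 1'; refuses a start that is not a multiple of
    the block size, as the text requires (a block of 8 cannot start at 12)."""
    third_octet = int(start_network.split(".")[2])
    if not 1 <= block_size <= 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    if third_octet % block_size:
        raise ValueError(f"a block of {block_size} cannot start at {start_network}")
    return f"0.0.{block_size - 1}.255"


# The Lab_A list and access-list 1 from the text, parsed from their IOS lines.
LAB_A_ACL = [parse_standard_acl_line(text) for text in (
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
)]
FOUR_LAN_ACL = [parse_standard_acl_line(text) for text in (
    "access-list 1 deny 172.16.128.0 0.0.31.255",
    "access-list 1 deny 172.16.48.0 0.0.15.255",
    "access-list 1 deny 172.16.192.0 0.0.63.255",
    "access-list 1 deny 172.16.88.0 0.0.7.255",
    "access-list 1 permit any",
)]
# Constructed list with no 'permit any': anything outside 172.16.30.0/24 hits the implicit deny.
NO_PERMIT_ANY_ACL = [parse_standard_acl_line("access-list 20 permit 172.16.30.0 0.0.0.255")]

if __name__ == "__main__":
    for ip in ("172.16.40.7", "172.16.50.7"):
        print("list 10:", ip, evaluate_acl(LAB_A_ACL, ip))
    for ip in ("172.16.159.1", "172.16.160.1", "172.16.95.2", "172.16.96.2"):
        print("list 1: ", ip, evaluate_acl(FOUR_LAN_ACL, ip))
    print("list 20:", "172.16.31.9", evaluate_acl(NO_PERMIT_ANY_ACL, "172.16.31.9"))
    print("172.16.8.0, block of 8 ->", wildcard_for_block("172.16.8.0", 8))
```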

Okay, what would be the purpose of creating this list? If you apply this access list on the router, you effectively shut down Internet access, so what is the point of even having an Internet connection? I wrote this exercise so that you can practice using block sizes with access lists.

Controlling VTY (Telnet) access

You will probably have a hard time trying to stop users from telnetting to a large router, because any active interface on a router is very easy to reach over VTY. You could try to create an extended IP access list that limits Telnet access to every IP address on the router. But if you did that, you would have to apply it inbound on every interface, and that really would not scale well on a large router with dozens, or hundreds, of interfaces, would it? Here is a much better solution: use a standard IP access list to control access to the VTY lines themselves. Why does this work? Because when you apply an access list to the VTY lines, you do not need to specify the Telnet protocol, since access to the VTY implies terminal access. You also do not need to specify a destination address, since it really does not matter which interface address the user used as the target for the Telnet session. You only need to control where the user is coming from: their source IP address. To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY lines with the access-class command.

Here is an example of allowing only host 172.16.10.3 to telnet into a router:

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

Because of the implicit deny at the end of the list, the access list stops every host except 172.16.10.3 from telnetting into the router, regardless of which individual IP address is used as the target. Cisco recommends that you use Secure Shell (SSH) instead of Telnet on the VTY lines of a router.

Extended access lists

In the standard IP access list example earlier, notice how you had to block all access from the Sales LAN to the Finance department. What if you needed Sales to reach a certain server on the Finance LAN but not the other network services, for security reasons? With a standard IP access list, you cannot allow users to reach one network service and not another. Put another way, when you need to make decisions based on both the source and the destination address, a standard access list will not let you do that, since it makes decisions based only on the source address. But an extended access list will let you do this. The reason is that extended access lists allow you to specify the source and destination addresses, as well as the protocol and port number that identify the upper-layer protocol or application. By using extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing specific hosts, or even specific services on those hosts. Here is an example of an extended access list:

Corp(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

The first command shows the access-list numbers available. You will use the extended access-list range, 100 to 199. Note that the range 2000-2699 is also available for extended IP access lists.

At this point you must decide what type of list entry you are making. For this example you will choose a deny entry.
Corp(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

Once you have chosen the type of access-list entry, you must select an entry for the protocol field.
Corp(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol

If you want to filter by Application layer protocol, you must choose the appropriate layer 4 transport protocol after the permit or deny statement. For example, to filter Telnet or FTP you choose TCP, since both Telnet and FTP use TCP at the Transport layer. If you chose IP instead, you would not be allowed to specify a particular application protocol later. Here you will filter an Application layer protocol that runs over TCP by selecting TCP as the protocol; the specific TCP port is given later. Next you are prompted for the source IP address of the host or network (you can use the any keyword to match any source address):
Corp(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

After the source address is selected, the destination address is chosen:

Corp(config)#access-list 110 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

In the following example, TCP traffic from any source IP address to the destination IP address 172.16.30.2 is denied:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit

You could press Enter here and leave the access list as it stands. If you do, however, all TCP traffic to host 172.16.30.2 is denied, whatever the destination port. You can be more specific: now that the host addresses are in place, just name the service you are denying. The help screen below shows the available options. You can give a port number or use the name of the protocol or application:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

At this point, let's block only Telnet access (port 23) to host 172.16.30.2. If users want to use FTP, that is fine; it will be let through by the permit statement added next. The log keyword logs a message every time this entry is matched, which is a very useful way to monitor unauthorized access attempts. Here is how it is done:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

Keep in mind that the next line is, by default, an implicit deny any. If you applied this access list to an interface as it stands, you might as well shut the interface down, because every access list ends with an implicit deny all. You must continue the access list with the following command:
Corp(config)#access-list 110 permit ip any any

Remember that 0.0.0.0 255.255.255.255 means the same as any, so the command could also be written like this:
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Once the access list has been created, you must apply it to an interface (the command is the same as for a standard IP list):
Corp(config-if)#ip access-group 110 in

Or this one:

Corp(config-if)#ip access-group 110 out

Access List Example

Router 1 Configuration

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip address 200.100.100.1 255.255.255.224
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Router(config)#interface serial0
Router(config-if)#ip address 200.100.100.49 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Router(config-if)#clock rate 64000
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router eigrp 10
Router(config-router)#network 200.100.100.0
Router(config-router)#network 200.100.100.48
Router(config-router)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 3 subnets
C       200.100.100.0/27 is directly connected, FastEthernet0
C       200.100.100.48/30 is directly connected, Serial0
D       200.100.100.32/28 [90/1628160] via 200.100.100.50, 00:00:18, Serial0

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password erion
Router(config-line)#login
Router(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Access list section

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 deny tcp 200.100.100.2 0.0.0.0 200.100.100.1 0.0.0.0 eq telnet
Router(config)#access-list 101 permit ip any any
Router(config)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip access-group 101 in
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router 2 Configuration

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip address 200.100.100.33 255.255.255.240
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial0
Router(config-if)#ip address 200.100.100.50 255.255.255.252
Router(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router eigrp 10
Router(config-router)#network 200.100.100.32
Router(config-router)#network 200.100.100.48
Router(config-router)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is not set

     200.100.100.0/24 is variably subnetted, 3 subnets
C       200.100.100.32/28 is directly connected, FastEthernet0
C       200.100.100.48/30 is directly connected, Serial0
D       200.100.100.0/27 [90/1628160] via 200.100.100.49, 00:00:04, Serial0

Access list section

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 deny icmp 200.100.100.34 0.0.0.0 200.100.100.1 0.0.0.0 echo
Router(config)#access-list 101 permit ip any any
Router(config)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastethernet0
Router(config-if)#ip access-group 101 in
Router(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console

Host PC1 Configuration

C:>ipconfig /ip 200.100.100.2 255.255.255.224
C:>ipconfig /dg 200.100.100.1
C:>ping 200.100.100.1
Pinging 200.100.100.1 with 32 bytes of data:
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Reply from 200.100.100.1: bytes=32 time=60ms TTL=241
Ping statistics for 200.100.100.1:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

Host PC2 Configuration

C:>ipconfig /ip 200.100.100.34 255.255.255.240
C:>ipconfig /dg 200.100.100.33
C:>ping 200.100.100.33
Pinging 200.100.100.33 with 32 bytes of data:
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Reply from 200.100.100.33: bytes=32 time=60ms TTL=241
Ping statistics for 200.100.100.33:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms

Explanation: By now you should know how to apply VLSM and work out the allocation of IP addresses. As you can see, the addresses are configured on the router interfaces and on the hosts. The logical connection between the networks is then made by configuring the dynamic routing protocol, here EIGRP autonomous system 10. (Note that an EIGRP network statement given without a wildcard mask is classful: network 200.100.100.0 already covers every subnet of the class C block, so the second statement on Router 1 is redundant.) The access lists implemented are extended lists, which you can tell from the number, 101. The deny parameter drops the specified packets and permit forwards them. Next we specify the protocol the packets carry, then the source address and the destination address. The 0.0.0.0 expressions are wildcard masks: a wildcard bit of 0 means the corresponding bit of the source or destination address must match exactly, and a wildcard bit of 1 means that bit is ignored. Thus 0.0.0.0 matches a single host (the same as the host keyword) and 255.255.255.255 matches any address. Finally we specify the type of packet or the application it belongs to, as with telnet (TCP port 23) and ICMP echo. In both the ICMP echo case and the Telnet case, look carefully at the source address (who sends the packet) and the destination address (who receives it). The statement access-list 101 permit ip any any lets all other traffic through; without it, the implicit deny at the end of the list would drop everything else arriving on the interface.

One caveat a practitioner should notice: the Telnet entry on Router 1 matches only the destination 200.100.100.1, so PC1 can still telnet to the router's Serial0 address, 200.100.100.49. To protect the router itself regardless of which of its addresses is targeted, restrict the VTY lines with access-class instead of filtering a single interface, and, as noted earlier, prefer SSH to Telnet. The VTY password in this lab is also stored in clear text in the configuration.

Access lists are applied inbound or outbound. With the command ip access-group 101 in or out we decide whether the list is applied before or after the routing process: in filters a packet as it is received on the interface, before routing; out filters it after it has gone through IP routing and is about to leave the interface.
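The following Python script is an added example and not part of the lab handout or of IOS. It parses the two lab ACLs above in their IOS syntax and evaluates constructed packets against them using the rules just described: wildcard masks (0 bit must match, 1 bit ignored), top-down first match, and the implicit deny at the end. The Packet fields, the small PORT_NAMES table and the sample packets are this example's own assumptions. It also generalizes to a network wildcard such as 10.0.0.0 0.0.0.255 and to the 2000-2699 range. Note the result for PC1 telnetting to the router's Serial0 address 200.100.100.49: the list on FastEthernet0 only names destination 200.100.100.1, so that connection is still permitted.

```python
"""Added example: evaluate Cisco-style numbered extended ACLs the way the
text describes (wildcard masks, first match wins, implicit deny at the end)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names accepted after "eq"; a subset of the IOS help table shown above.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]       # only the "eq" operator is handled here
    icmp_type: Optional[str]
    text: str                  # original line, reported when the entry matches


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Wildcard bit 0: address bit must match; bit 1: ignored.
    So 0.0.0.0 behaves like 'host' and 255.255.255.255 like 'any'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (addr, wild, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[-1] == "log":               # logging does not change the match decision
        t = t[:-1]
    num = int(t[1])
    if t[0] != "access-list" or not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError(f"not an extended IP ACL entry: {line}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if proto in ("tcp", "udp") and t[i] == "eq":
            dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        elif proto == "icmp":
            icmp_type = t[i]         # e.g. "echo" or "echo-reply"
        else:
            raise ValueError(f"unsupported qualifier {' '.join(t[i:])!r}")
    return Entry(action, proto, src, src_wild, dst, dst_wild, dport, icmp_type, line)


def parse_acl(lines: List[str]) -> List[Entry]:
    return [parse_entry(l) for l in lines if l.strip()]


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(_ip(p.src), e.src, e.src_wild):
        return False
    if not wildcard_match(_ip(p.dst), e.dst, e.dst_wild):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return e.icmp_type is None or p.icmp_type == e.icmp_type


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny any"


# The two lab ACLs exactly as typed on Router 1 and Router 2 above.
R1_ACL = parse_acl([
    "access-list 101 deny tcp 200.100.100.2 0.0.0.0 200.100.100.1 0.0.0.0 eq telnet",
    "access-list 101 permit ip any any",
])
R2_ACL = parse_acl([
    "access-list 101 deny icmp 200.100.100.34 0.0.0.0 200.100.100.1 0.0.0.0 echo",
    "access-list 101 permit ip any any",
])

if __name__ == "__main__":
    # Constructed packets following the lab topology (PC1 = .2, PC2 = .34).
    for acl, pkt in [
        (R1_ACL, Packet("tcp", "200.100.100.2", "200.100.100.1", dport=23)),   # denied
        (R1_ACL, Packet("tcp", "200.100.100.2", "200.100.100.49", dport=23)),  # still permitted
        (R1_ACL, Packet("tcp", "200.100.100.2", "200.100.100.1", dport=21)),   # FTP permitted
        (R2_ACL, Packet("icmp", "200.100.100.34", "200.100.100.1", icmp_type="echo")),   # denied
        (R2_ACL, Packet("icmp", "200.100.100.34", "200.100.100.33", icmp_type="echo")),  # permitted
    ]:
        print(pkt, "->", evaluate(acl, pkt))
```

Run it as a script to see the verdict and the matching entry for each sample packet; drop the permit ip any any line from either list and every non-matching packet falls through to "implicit deny any", which is the point made about shutting the interface down.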

Exercises

In each of the exercises below, choose a class C IP address and do the subnetting before configuring.

1. A network is built as follows: it consists of 2 routers connected through their serial ports. A switch is connected to one of the FastEthernet ports of each router. On each switch there are at least 2 VLANs, and in each VLAN at least one host. Design and configure this network with the EIGRP protocol. Implement an access list so that one host cannot ping a host on another network. Implement an access list so that one host cannot receive echo-reply packets from a host on another network. Implement an access list so that one host cannot telnet to the router.

2. A network is built as follows: it consists of 3 routers connected to one another so as to form a triangle. A switch is connected to one of the FastEthernet ports of each router. On each switch there are at least 2 VLANs, and in each VLAN at least one host. Design and configure this network with the EIGRP protocol. Implement an access list so that one host cannot ping a host on another network. Implement an access list so that one host cannot receive echo-reply packets from a host on another network. Implement an access list so that one host cannot telnet to the router.

3. A network is built as follows: it consists of 4 routers connected to one another so as to form a square. A switch is connected to one of the FastEthernet ports of each router. On each switch there are at least 2 VLANs, and in each VLAN at least one host. Design and configure this network with the EIGRP protocol. Implement an access list so that one host cannot ping a host on another network. Implement an access list so that one host cannot receive echo-reply packets from a host on another network. Implement an access list so that one host cannot telnet to the router.
