
  • Access Control List?????

    I am very hazy about ACLs. If anyone has ACL examples, or knows where to find examples or documentation, please point me to them.

    Thank you very much

    Email : ltgiang@dnmail.vnn.vn

  • #2
    Hi!
    There is a lot about ACLs online; just search on Google and you will get a whole basket of ACL material right away.
    www.cisco.netacad.net has plenty too; type in the keyword and filter level by level and a lot will come up.

    Some rough information about ACLs:
    ACLs are divided into 2 types, standard and extended. For each routed protocol the ACL number range is also different:
    IP: standard 1-99, extended 100-199
    IPX: standard 800-899, extended 900-999 (if I remember correctly)
    AppleTalk:...

    Standard: filters by source address
    Extended filters by: source, destination, port, protocol...

    As for usage, you must declare the ACL in global config, then assign it to interfaces in the inbound or outbound direction.

    When working with ACLs, always remember the phrase "implicit deny": a packet that does not match any line of the ACL is discarded. Take care to set the inbound or outbound direction appropriately....

    Goodbye!

    PS: have a look at some topics in this forum:
    Does an ACL affect port 20 or 21 when...eq fpt

    IP access-group

    The ping command does not check the ACL

    Access list



    and there are some more topics in CCNP and CCIE; please take the trouble to look for them.
    1'hpSky!

    Comment


    • #3
      Hi 1'hpSky,

      Thank you very much. I did search on Google, but there is too much; since I am lazy, I was hoping someone who knows could point me to something so I could look at it quickly.

      If you have any information about ACLs, please let me know.

      Bye.

      Comment


      • #4
        1. Your question is too broad, so it is very hard to give you an accurate answer.

        2. 1'hpSky already gave you some links for reference; why don't you read them?

        3. You want information about ACLs, so first you have to decide clearly what it is you need to know about ACLs.

        Regards
        _________________
        Lê Nguyễn Trúc Như
        CCxx
        E-mail : mikami@vnpro.org
        Vnpro - The way to get knowledge
        Mikami - UMass
        E-mail : mikami@vnpro.org

        Comment


        • #5
          Originally posted by ltgiang
          Hi 1'hpSky,

          Thank you very much. I did search on Google, but there is too much; since I am lazy, I was hoping someone who knows could point me to something so I could look at it quickly.

          If you have any information about ACLs, please let me know.

          Bye.
          Giang,

          Here is a series of access-list exercises for lazy people. If you can solve all of them, you are OK on access lists. If there is a question you cannot solve, post the problem you ran into here.

          Wishing you success,
          ------------------------------------
          EXERCISES:

          1. Design an IP access list that permits traffic from host 193.5.2.76, but denies all other IP traffic.

          2. Design an IP access list that denies traffic from host 11.5.25.239, but permits all other IP traffic.

          3. Design an IP access list that permits IP traffic from hosts on network 196.25.1.0/24, and denies other IP traffic.

          4. Design an access list that denies IP traffic from hosts 152.5.35.83 and 104.2.64.33, permits IP traffic from all hosts on network 185.25.0.0/16, and denies all other IP traffic. Invoke your access list inbound on interface E2.

          5. Given the statements:

          interface ethernet 1
          ip access-group 25 in
          access-list 25 permit host 101.2.3.40
          access-list 25 deny 203.45.0.0 0.0.255.255
          access-list 25 permit any

          What will the result be?

          6. Design an access list that permits IP traffic from hosts 1.2.3.98 and 1.2.3.99, and denies all other IP traffic. Invoke your access list outbound on interface Token Ring 3/1.

          7. Design an extended IP access list that denies HTTP traffic intended for the web server at 47.23.67.102, permits HTTP traffic to other web servers, and denies all other IP traffic. Invoke your access list inbound on interface E0, and outbound on FDDI interface 3.

          8. Given the statements:

          interface ethernet 0
          ip access-group 95 in
          access-list 95 deny host 101.202.3.4
          access-list 95 deny 203.45.6.0 0.0.0.255
          access-list 95 permit any

          What will the result be?

          9. Design an IP access list that permits TFTP traffic to TFTP servers that have host addresses ending in even numbers, denies TELNET traffic to TELNET servers that have host addresses ending in odd numbers, permits traffic to other TELNET servers, and denies all other IP traffic. Activate your list inbound on interface E1.

          10. Design an extended access list that permits all IP traffic from hosts on network 215.23.45.0/24, denies all IP traffic going to subnet 52.54.0.0/16, permits anyone to open a Telnet session with either 14.63.73.66 and 221.63.62.88 (and logs such packets to the console), and denies all other IP traffic. Invoke your list inbound on the first Token Ring interface on the card in slot 2.

          11. Given the statements:

          interface serial 0
          ip access-group 164 out
          access-list 164 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
          access-list 164 deny udp any any eq tftp
          access-list 164 permit ip any any

          What will the result be?

          12. Design an access list that permits web traffic from the server at 101.54.32.2 to all hosts on subnet 149.23.8.0/24, permits pings in either direction between the hosts on network 39.0.0.0/8 and subnet 197.2.5.96/27, and denies everything else. Place this access list in force in the outbound direction on the router's E2 port.

          13. Given the statements:

          interface fddi 3/2
          ip access-group 66
          access-list 66 permit 100.200.0.0 0.0.255.63

          What will the result be?

          14. Design an access list that permits all IP traffic except pings in either direction between subnets 10.20.0.0/16 and 40.50.60.0/24.

          15. Given the statements:

          interface token-ring 7
          ip access-group 13 in
          ip access-group 184 out
          access-list 13 permit host 201.3.4.2
          access-list 13 deny 203.45.0.0 0.0.255.255
          access-list 13 deny 84.7.22.240 0.0.0.7
          access-list 13 permit any
          access-list 184 permit ip any host 101.202.3.4 log
          access-list 184 permit tcp 203.45.6.0 0.0.0.255 any eq www
          access-list 184 permit udp any any

          What will the result be?

          16. Design an access list that permits all IP traffic from the hosts on networks 222.111.3.0/24 through 222.111.7.0/24, and denies all other IP traffic.

          17. Given the statements:

          interface token-ring 2/1
          ip access-group 23 in
          access-list 23 deny host 201.3.4.2
          access-list 23 deny 84.7.22.248 0.0.0.7
          access-list 23 deny 153.45.0.0 0.0.255.255
          access-list 23 deny 203.45.6.0 0.0.0.255

          What will the result be?

          18. Design an access list that denies all FTP traffic from the hosts on subnets 101.202.8.0/24 through 101.202.13/24 that is destined for FTP servers, but permits all other IP traffic.

          19. Given the statements:

          interface ethernet 4
          ip access-group 199
          access-list 199 permit ip any any
          access-list 199 deny ip 106.45.0.0 0.0.255.255 any
          access-list 199 deny tcp any 44.7.12.224 0.0.0.15 eq ftp
          access-list 199 deny udp 23.145.64.0 0.0.0.255 host 1.2.3.4 eq rip

          What will the result be?

          20. Design an access list that permits all IP traffic from the hosts on subnets 10.0.0.0/16 through 10.7.0.0/16, permits IP traffic from the hosts on subnets 10.9.0.0/16 through 10.15.0.0/16, and denies all other IP traffic. Place it outbound on E0 and inbound on Token Ring 2.

          21. Design an access list that permits bi-directional ICMP traffic between subnets 1.0.96.0/20 and 2.0.1.64/27, permits bi-directional IP traffic between the hosts on subnets 131.5.0.0/16 through 131.8.0.0/16 and the hosts on network 239.5.6.0/24, and denies all other IP traffic except IGRP, which must be permitted everywhere.

          22. The following statements are executed in the order given:

          access-list 1 deny any
          access-list 1 permit any
          no access-list 1 deny any
          access-list 2 deny 1.2.3.4
          access-list 2 permit any
          interface serial 3
          ip access-group 2 in
          ip access-group 1 in

          What is the result?

          23. Given the statements:

          interface ethernet 1
          ip access-group 60 in
          ip access-group 161 in
          access-list 60 deny host 1.3.5.7 0.0.0.0
          access-list 60 deny 10.0.0.0 0.0.0.0
          access-list 60 deny 54.78.43.2 255.255.255.255
          access-list 60 deny ip host 101.2.5.7 eq telnet
          access-list 161 permit ip 205.6.23.6 34.67.22.3
          access-list 161 permit ipx a0b1c2 -1
          access-list 161 deny telnet
          access-list 161 permit ip host 225.0.0.5 any
          access-list 161 deny ip any any

          How many errors can you find?

          EXTRA CREDIT:
          24. Design a standard IPX access list that allows traffic from network 3A6C to go to network 5BF2, and blocks all other IPX traffic. Place it in force on interface E3 in the inbound direction.

          25. Design an IPX access list that denies traffic in either direction between networks 543210 and ABCDEF, denies traffic between sources on network 1020304 and the host with MAC address 0000.0C12.54FB on network 4B9C2, and permits any other IPX traffic. Place it outbound on FDDI 3.

          26. Interface S0 is connected to a slow WAN link. Keep the SAP traffic advertising file services on network 2BDEAD from crossing the link.

          27. Keep all SAP advertisements received via interface To2 from the NetWare servers named "SUZY" and "CHIPSTER" from being entered into the SAP table.

          28. Stop the SAP advertisements for service type 47 on any network from leaving via interface S2, permit all other SAP traffic to leave via S2, and allow only UDP traffic from hosts on IP subnet 201.2.6.0/24 to enter via S5.

          29. Given the statements:

          interface ethernet 4
          appletalk access-group 606
          access-list 606 deny cable-range 200-205
          access-list 606 deny within 303-305
          access-list 606 permit other-access

          What will the result be?
          Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

          Email : dangquangminh@vnpro.org
          https://www.facebook.com/groups/vietprofessional/

          Comment


          • #6
            I am very hazy about it too!!!!!

            Comment


            • #7
              Re: Access Control List?????

              Could someone diligent work through each exercise one by one? I'm working on them too, but I don't know whether I've got them right. :lol:

              Comment


              • #8
                Re: Access Control List?????

                Hello everyone,

                Why is it that when you don't understand something, you don't put in the effort to find out yourselves but ask others instead? Isn't that being dependent and lacking self-reliance?
                In my opinion, you should study on your own to understand a problem, and only when you run into difficulties or snags you cannot resolve yourself should you post them here for people to help or discuss together.

                Regards.

                Comment


                • #9
                  Hello!

                  Please help point out where I went wrong.

                  1. Design an IP access list that permits traffic from host 193.5.2.76, but denies all
                  other IP traffic.

                  permit ip host 193.5.2.76 any

                  2. Design an IP access list that denies traffic from host 11.5.25.239, but permits all other IP traffic.

                  deny ip host 11.5.25.239 nay
                  permit ip any any

                  3. Design an IP access list that permits IP traffic from hosts on network 196.25.1.0/24, and denies other IP traffic.

                  permit ip 196.25.1.0 0.0.0.255 any

                  5. Given the statements:

                  interface ethernet 1
                  ip access-group 25 in
                  access-list 25 permit host 101.2.3.40
                  access-list 25 deny 203.45.0.0 0.0.255.255
                  access-list 25 permit any

                  What will the result be?

                  Blocks all IPs from 203.45.0.0 to 203.45.255.255

                  8. Given the statements:

                  interface ethernet 0
                  ip access-group 95 in
                  access-list 95 deny host 101.202.3.4
                  access-list 95 deny 203.45.6.0 0.0.0.255
                  access-list 95 permit any

                  What will the result be?

                  Blocks host 101.202.3.4 and network 203.45.6.0/24


                  11. Given the statements:

                  interface serial 0
                  ip access-group 164 out
                  access-list 164 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
                  access-list 164 deny udp any any eq tftp
                  access-list 164 permit ip any any

                  What will the result be?

                  Blocks telnet from host 14.3.6.234 to host 6.5.4.1 - blocks all tftp traffic
                  permits other traffic


                  13. Given the statements:

                  interface fddi 3/2
                  ip access-group 66
                  access-list 66 permit 100.200.0.0 0.0.255.63

                  What will the result be?

                  Permits IPs 100.200.0 - 255.0 - 63

                  16. Design an access list that permits all IP traffic from the hosts on networks 222.111.3.0/24 through 222.111.7.0/24, and denies all other IP traffic.

                  permit ip 222.111.3.0 0.0.0.255 222.111.7.0 0.0.0.255

                  Regards.

                  Comment


                  • #10
                    I'm working on them too. I think you also need to assign a number to each access list for the command syntax to be correct. When I'm done I'll upload mine too and ask everyone to correct it.

                    ...
                    And we are all connected to each other
                    In a circle, in a hoop that never ends
                    ...

                    Comment


                    • #11
                      Could someone correct these for me? The ones marked (????) are the ones I don't know how to do. Please correct them, thanks a lot.
                      1. Design an IP access list that permits traffic from host 193.5.2.76, but denies all other IP traffic.
                      (access-list 1 permit host 193.5.2.76)

                      2. Design an IP access list that denies traffic from host 11.5.25.239, but permits all other IP traffic.
                      ( access-list 2 deny host 11.5.25.239
                      access-list 2 permit any)

                      3. Design an IP access list that permits IP traffic from hosts on network 196.25.1.0/24, and denies other IP traffic.
                      ( access-list 100 permit ip 196.25.1.0 0.0.0.255 any)

                      4. Design an access list that denies IP traffic from hosts 152.5.35.83 and 104.2.64.33, permits IP traffic from all hosts
                      on network 185.25.0.0/16, and denies all other IP traffic. Invoke your access list inbound on interface E2.
                      ( access-list 101 permit ip 185.25.0.0 0.0.255.255 any
                      int e2
                      ip access-group 101 in)

                      5. Given the statements:

                      interface ethernet 1
                      ip access-group 25 in
                      access-list 25 permit host 101.2.3.40
                      access-list 25 deny 203.45.0.0 0.0.255.255
                      access-list 25 permit any

                      What will the result be?
                      ( denies all traffic from network 203.45.0.0, permits all traffic from other hosts, applied inbound on ethernet 1)

                      6. Design an access list that permits IP traffic from hosts 1.2.3.98 and 1.2.3.99, and denies all other IP traffic. Invoke
                      your access list outbound on interface Token Ring 3/1.
                      ( access-list 102 permit host 1.2.3.98 any
                      access-list 102 permit host 1.2.3.99 any
                      int token-ring 3/1
                      ip access-group 102 out)

                      7. Design an extended IP access list that denies HTTP traffic intended for the web server at 47.23.67.102, permits HTTP
                      traffic to other web servers, and denies all other IP traffic. Invoke your access list inbound on interface E0, and outbound
                      on FDDI interface 3.
                      ( access-list 103 deny tcp any host 47.23.67.102 eq 80
                      access-list 103 permit tcp any any eq 80
                      int e0
                      ip access-group 103 in
                      int fddi 3
                      ip access-group 103 out)

                      8. Given the statements:

                      interface ethernet 0
                      ip access-group 95 in
                      access-list 95 deny host 101.202.3.4
                      access-list 95 deny 203.45.6.0 0.0.0.255
                      access-list 95 permit any

                      What will the result be?
                      (denies all traffic from host 101.202.3.4 and from network 203.45.6.0, permits all remaining traffic, applied inbound on e0)

                      9. Design an IP access list that permits TFTP traffic to TFTP servers that have host addresses ending in even numbers,
                      denies TELNET traffic to TELNET servers that have host addresses ending in odd numbers, permits traffic to other TELNET
                      servers, and denies all other IP traffic. Activate your list inbound on interface E1.
                      ( access-list 104 deny tcp any host ???? eq 23
                      access-list 104 permit udp any host ????? eq 69
                      access-list 104 permit tcp any any eq 23
                      int e1
                      ip access-group 104 in)

                      10. Design an extended access list that permits all IP traffic from hosts on network 215.23.45.0/24, denies all IP traffic
                      going to subnet 52.54.0.0/16, permits anyone to open a Telnet session with either 14.63.73.66 and 221.63.62.88 (and logs
                      such packets to the console), and denies all other IP traffic. Invoke your list inbound on the first Token Ring interface on
                      the card in slot 2.
                      ( access-list 105 permit ip 215.23.45.0 0.0.0.255 any
                      access-list 105 deny ip any 52.54.0.0 0.0.255.255
                      access-list 105 permit tcp any host 14.63.73.66 eq 23
                      access-list 105 permit tcp any host 221.63.62.88 eq 23
                      line console
                      access-class 105 in )


                      11. Given the statements:

                      interface serial 0
                      ip access-group 164 out
                      access-list 164 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
                      access-list 164 deny udp any any eq tftp
                      access-list 164 permit ip any any

                      What will the result be?
                      (denies all Telnet traffic from host 14.3.234 to host 6.5.4.1, denies all TFTP traffic, permits all remaining IP traffic,
                      applied outbound on interface serial0)

                      (****)12. Design an access list that permits web traffic from the server at 101.54.32.2 to all hosts on subnet 149.23.8.0/24,
                      permits pings in either direction between the hosts on network 39.0.0.0/8 and subnet 197.2.5.96/27, and denies everything
                      else. Place this access list in force in the outbound direction on the router's E2 port.
                      (?????)

                      13. Given the statements:

                      interface fddi 3/2
                      ip access-group 66
                      access-list 66 permit 100.200.0.0 0.0.255.63

                      What will the result be?
                      (permits all traffic from hosts with addresses in the range 100.200.0.0-->100.200.255.63, denies all other traffic, applied to FDDI3/2)

                      (*****)14. Design an access list that permits all IP traffic except pings in either direction between subnets 10.20.0.0/16 and
                      40.50.60.0/24.
                      (????)


                      15. Given the statements:

                      interface token-ring 7
                      ip access-group 13 in
                      ip access-group 184 out
                      access-list 13 permit host 201.3.4.2
                      access-list 13 deny 203.45.0.0 0.0.255.255
                      access-list 13 deny 84.7.22.240 0.0.0.7
                      access-list 13 permit any
                      access-list 184 permit ip any host 101.202.3.4 log
                      access-list 184 permit tcp 203.45.6.0 0.0.0.255 any eq www
                      access-list 184 permit udp any any

                      What will the result be?
                      (2 access lists, 13 and 184. 13: only denies all traffic from network 203.45.0.0 and hosts in the address range 84.7.22.240-->84.7.22.247
                      184: permits traffic on network 203.45.6.0 to connect to the internet, permits udp traffic,

                      16. Design an access list that permits all IP traffic from the hosts on networks 222.111.3.0/24 through 222.111.7.0/24,
                      and denies all other IP traffic.
                      ( access-list 106 permit ip 222.111.3.0 0.0.4.255 any )

                      17. Given the statements:

                      interface token-ring 2/1
                      ip access-group 23 in
                      access-list 23 deny host 201.3.4.2
                      access-list 23 deny 84.7.22.248 0.0.0.7
                      access-list 23 deny 153.45.0.0 0.0.255.255
                      access-list 23 deny 203.45.6.0 0.0.0.255

                      What will the result be?
                      (denies all traffic from any host)


                      18. Design an access list that denies all FTP traffic from the hosts on subnets 101.202.8.0/24 through 101.202.13/24 that
                      is destined for FTP servers, but permits all other IP traffic.
                      ( access-list 107 deny ftp 101.202.8.0 0.0.5.255 host <server address> eq 20
                      access-list 107 permit ip any any )

                      19. Given the statements:

                      interface ethernet 4
                      ip access-group 199
                      access-list 199 permit ip any any
                      access-list 199 deny ip 106.45.0.0 0.0.255.255 any
                      access-list 199 deny tcp any 44.7.12.224 0.0.0.15 eq ftp
                      access-list 199 deny udp 23.145.64.0 0.0.0.255 host 1.2.3.4 eq rip

                      What will the result be?
                      ( permits all traffic )

                      20. Design an access list that permits all IP traffic from the hosts on subnets 10.0.0.0/16 through 10.7.0.0/16, permits IP
                      traffic from the hosts on subnets 10.9.0.0/16 through 10.15.0.0/16, and denies all other IP traffic. Place it outbound on
                      E0 and inbound on Token Ring 2.
                      ( access-list 108 permit ip 10.0.0.0 0.7.255.255 any
                      access-list 108 permit ip 10.9.0.0 0.6.255.255 any)

                      21. Design an access list that permits bi-directional ICMP traffic between subnets 1.0.96.0/20 and 2.0.1.64/27, permits
                      bi-directional IP traffic between the hosts on subnets 131.5.0.0/16 through 131.8.0.0/16 and the hosts on network
                      239.5.6.0/24, and denies all other IP traffic except IGRP, which must be permitted everywhere.
                      ( ????)

                      22. The following statements are executed in the order given:

                      access-list 1 deny any
                      access-list 1 permit any
                      no access-list 1 deny any
                      access-list 2 deny 1.2.3.4
                      access-list 2 permit any
                      interface serial 3
                      ip access-group 2 in
                      ip access-group 1 in

                      What is the result?
                      (reports an error because ACL 2 is misconfigured, missing host or wildcard)

                      23. Given the statements:

                      interface ethernet 1
                      ip access-group 60 in
                      ip access-group 161 in
                      (*)access-list 60 deny host 1.3.5.7 0.0.0.0 //extra wildcard
                      (**)access-list 60 deny 10.0.0.0 0.0.0.0 //wrong network address configured (there is no host 10.0.0.0)
                      (***)access-list 60 deny 54.78.43.2 255.255.255.255 //this ACL will not match any address because the wildcard is wrong
                      (****)access-list 60 deny ip host 101.2.5.7 eq telnet //this is a standard ACL so no protocol can be configured
                      access-list 161 permit ip 205.6.23.6 34.67.22.3 //missing wildcard for source and dest.
                      access-list 161 permit ipx a0b1c2 -1//wrong range for an ipx ACL (800-899)
                      access-list 161 deny telnet //missing source and dest.
                      access-list 161 permit ip host 225.0.0.5 any
                      access-list 161 deny ip any any

                      How many errors can you find?

                      ...
                      And we are all connected to each other
                      In a circle, in a hoop that never ends
                      ...

                      Comment


                      • #12
                        Re: Access Control List?????

                        Hi lee,

                        16. Design an access list that permits all IP traffic from the hosts on networks 222.111.3.0/24 through 222.111.7.0/24,
                        and denies all other IP traffic.
                        ( access-list 106 permit ip 222.111.3.0 0.0.4.255 any )

                        I think lee has not got this right. From 3 to 7 is 5 subnets, while the block size is only 4. And if you use a block size, the starting subnet for block size 4 must be 4: the first block is 0-3, the next is 4-7. Also, your wildcard is not right. Here is my idea; I welcome everyone's comments.
                        RouterA(config)#access-list 10 permit 222.111.3.0 0.0.0.255
                        RouterA(config)#access-list 10 permit 222.111.4.0 0.0.3.255

                        Comment
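
The wildcard argument in post #12, and the implicit deny mentioned in post #2, can be checked mechanically. This is an added example, not code from any poster: the function names are assumptions, and the source address/wildcard pair from post #11 is restated in standard-ACL form under a constructed list number.

```python
import ipaddress


def ip_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_entry(line):
    """Parse 'access-list N permit|deny any | host A | A [W]'.

    Returns (action, base, care); care has a 1 for every bit that must
    equal the base, i.e. it is the inverse of the Cisco wildcard mask.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, spec = tok[2], tok[3:]
    if spec == ["any"]:
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(spec) == 2 and spec[0] == "host":
        base, wildcard = spec[1], "0.0.0.0"
    elif len(spec) == 1:
        base, wildcard = spec[0], "0.0.0.0"  # omitted wildcard means one host
    elif len(spec) == 2:
        base, wildcard = spec
    else:
        raise ValueError(f"unsupported source specification: {line!r}")
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return action, ip_int(base), care


def first_match(entries, src):
    """Top-down evaluation: the first matching entry decides."""
    for action, base, care in entries:
        if (src & care) == (base & care):
            return action
    return "deny"  # implicit deny: nothing matched


def evaluate(acl_lines, src):
    """Return 'permit' or 'deny' for one source address."""
    entries = [parse_standard_entry(line) for line in acl_lines]
    return first_match(entries, ip_int(src))


def permitted_slash24s(acl_lines, first_two):
    """Third-octet values n where every host of first_two.n.0/24 is permitted."""
    entries = [parse_standard_entry(line) for line in acl_lines]
    top = ip_int(f"{first_two}.0.0")
    return [n for n in range(256)
            if all(first_match(entries, top | (n << 8) | h) == "permit"
                   for h in range(256))]


# Source pair from post #11's answer to exercise 16 (list number constructed).
POST11_EX16 = ["access-list 6 permit 222.111.3.0 0.0.4.255"]
# The two entries proposed in post #12.
POST12_EX16 = ["access-list 10 permit 222.111.3.0 0.0.0.255",
               "access-list 10 permit 222.111.4.0 0.0.3.255"]
# The entry given in exercise 13.
EX13 = ["access-list 66 permit 100.200.0.0 0.0.255.63"]

if __name__ == "__main__":
    print("post #11 covers /24s:", permitted_slash24s(POST11_EX16, "222.111"))
    print("post #12 covers /24s:", permitted_slash24s(POST12_EX16, "222.111"))
    print("222.111.8.1 via post #12:", evaluate(POST12_EX16, "222.111.8.1"))
    for host in ("100.200.77.63", "100.200.77.64"):
        print(host, "via exercise 13:", evaluate(EX13, host))
```

A wildcard bit of 1 is ignored independently of its neighbours, so a non-contiguous value such as 4 in the third octet selects two separate networks rather than a range.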


                        • #13
                          Since I studied the ACL part from books, there is a lot I don't understand clearly yet, but I still do the exercises and upload them for everyone to correct so I won't get them wrong next time. If you see anything wrong, feel free to tell me so I can fix it. Thanks a lot!!!!

                          ...
                          And we are all connected to each other
                          In a circle, in a hoop that never ends
                          ...

                          Comment
