LAB: Access-list

Using wildcard-mask

• In order to support the filtering and management mechanism, we should have a proper IP assignment scheme.
• We tend to divide network elements into 2 parts:
  – Key devices: routers, switches, servers, hubs…
  – Normal stations: PCs, laptops, IP phones…
• We need to apply different policies for these 2 parts, so the wildcard-mask must be able to distinguish them.

Using wildcard-mask

• We may divide the network IP range into 2 halves, the lower half for key devices, the higher half for normal stations, then use the highest bit in the IP host portion to filter.
• E.g.: subnet 210.13.22.64/27, check the 28th bit
  – Key devices half: 210.13.22.65 – 210.13.22.79
    filter: 210.13.22.64 0.0.0.15
  – Normal stations half: 210.13.22.80 – 210.13.22.94
    filter: 210.13.22.80 0.0.0.15

Using wildcard-mask

• In the network there are team A and team B; all team A members have an odd IP number and all team B members have an even IP number. How to filter traffic from each team?
  – Team A: 210.13.22.65 0.0.0.14
  – Team B: 210.13.22.64 0.0.0.14
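The two exercises above (halves of a subnet, odd/even addresses) are easy to get wrong by hand, so here is an added example, not part of the original slides, that does the wildcard-mask arithmetic and lists exactly which host addresses an entry selects. It also generalizes the "check the highest host bit" idea to any subnet size. Running it shows that the entries 210.13.22.65 0.0.0.14 and 210.13.22.64 0.0.0.14 select only the odd (.65–.79) and even (.66–.78) addresses of the lower half, because host bit 4 stays fixed; parity_entry() (a name chosen here) produces 0.0.0.30, the single entry that covers odd or even addresses across the whole /27.

```python
# Added example (not part of the original slides): wildcard-mask arithmetic
# for the two "Using wildcard-mask" exercises above. A 1 bit in a wildcard
# mask means "don't care"; a 0 bit means "must equal the base address".
import ipaddress
from typing import List, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is selected by the ACL entry 'base wildcard'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # the 0 bits of the wildcard
    return (to_int(addr) & care) == (to_int(base) & care)


def selected(base: str, wildcard: str, subnet: str) -> List[str]:
    """Host addresses of subnet that the entry 'base wildcard' selects."""
    net = ipaddress.ip_network(subnet)
    return [str(h) for h in net.hosts() if matches(str(h), base, wildcard)]


def halves(subnet: str) -> Tuple[str, str]:
    """Split a subnet on its highest host bit (the 28th bit for a /27):
    returns the 'base wildcard' entries for the lower and upper halves."""
    net = ipaddress.ip_network(subnet)
    half = net.num_addresses // 2
    wc = to_str(half - 1)                          # every host bit below the top one
    lower = f"{net.network_address} {wc}"
    upper = f"{to_str(int(net.network_address) + half)} {wc}"
    return lower, upper


def parity_entry(subnet: str, odd: bool) -> str:
    """One entry selecting every odd (or even) host address of the whole
    subnet: fix the lowest host bit, let every other host bit vary."""
    net = ipaddress.ip_network(subnet)
    wc = to_str((net.num_addresses - 1) & ~1)      # host bits except bit 0
    base = int(net.network_address) | (1 if odd else 0)
    return f"{to_str(base)} {wc}"


if __name__ == "__main__":
    sub = "210.13.22.64/27"
    print("halves:", halves(sub))
    for entry in ("210.13.22.64 0.0.0.15", "210.13.22.80 0.0.0.15",
                  "210.13.22.65 0.0.0.14", "210.13.22.64 0.0.0.14",
                  parity_entry(sub, odd=True)):
        base, wc = entry.split()
        print(f"{entry:26} -> {selected(base, wc, sub)}")
```

halves() applied to the Engineering network 198.6.23.16/28 from the next slide gives 198.6.23.16 0.0.0.7 for the key-device half and 198.6.23.24 0.0.0.7 for the normal stations.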

Using wildcard-mask

[Topology figure: routers R_A, R_B, R_C, R_D and R_E with interfaces E0, E1, S0 and F0/0; the Engineering network 198.6.23.16/28 with a File Server and a Web Server]

• In the Engineering network (198.6.23.16/28):
  – Prevent all stations from telnet to any key network devices
  – All stations are only allowed to ftp to the File Server and access the web on the Web Server
  – The File Server offers only the ftp service to the inner-network and the Web Server.
• All stations in all Ethernet networks are not allowed to telnet to any router

ACL Challenge

[Topology figure: routers R1, R2 and R3; outer-network 220.16.30.0/24; inner-network 192.168.10.0/24 with Net1 (.32), Net2 (.64) and Net3 (.96); hosts PC1, PC2, PC3 and Web]

• Outer-network can't ping into inner-network
• Do not allow outer-network to access inner-network with TCP traffic.
• Hosts in Net1 are not allowed to access Net3
• The Web Server (.66) is available to all users within inner-network (Web only)
• Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link
• Telnet to routers only from PC1
• Net2 and Net3 can go freely to the outer-network, Net1 can only go by WEB
• All other kinds of traffic are allowed

LAB Topology

[Topology figure: routing by Static routes and IGRP 88]

REQUIREMENTS:
- In each network, normal stations take the upper IP range, key devices take the lower IP range
- Allow all hosts to access the Internet except using FTP
- Allow the entire Ethernet network attached to RD full access to the Proxy Server and Mail Server
- Allow public access to the web site on the Mail Server but not to all other services
- Only stations attached to RE are allowed to telnet to Routers
- Allow all hosts on the internal network to use FTP, telnet, HTTP, DNS and no other services
- Disallow all other access
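Both the ACL Challenge and the LAB requirements are ordered rule sets that end with an implicit deny, and the usual way to validate such a list before loading it on a router is to run sample packets through it. The following is an added example, not code from the original slides: a small evaluator for an ordered IOS-style access list, applied to the ACL Challenge rules with constructed packets. The slide gives only the inner /24, the Net1/Net2/Net3 prefixes .32/.64/.96 and the hosts PC1 (.48), PC3 (.80) and Web (.66), so the three Nets are assumed here to be /27 blocks; the telnet-to-routers and PC1/PC3 serial-link rules are left out because no router addresses appear on the slide. The list is evaluated as one ordered set, ignoring which interface and direction each entry would be applied on. The same evaluator can check a LAB requirement list once its addresses are assigned.

```python
# Added example (not part of the original slides): evaluate an ordered
# IOS-style access list against constructed packets. Net1/Net3 as /27
# blocks of 192.168.10.0/24 is an assumption; the rest comes from the slide.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: 0 bits of the wildcard must equal base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access-control entry."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # TCP/UDP destination port; None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Action of the first matching entry. IOS ends every access list with
    an implicit deny, so a packet that matches no entry is denied."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wc_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wc_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
OUTER = ("220.16.30.0", "0.0.0.255")      # outer-network (slide)
INNER = ("192.168.10.0", "0.0.0.255")     # inner-network (slide)
NET1 = ("192.168.10.32", "0.0.0.31")      # Net1 .32, assumed /27
NET3 = ("192.168.10.96", "0.0.0.31")      # Net3 .96, assumed /27
WEB = ("192.168.10.66", "0.0.0.0")        # Web Server .66, exact host

# The challenge rules, in the order they must be checked. Entry order
# matters: the Web Server permit must precede the deny that follows it.
CHALLENGE_ACL = [
    Ace("deny",   "icmp", *OUTER, *INNER),        # outer can't ping inner
    Ace("deny",   "tcp",  *OUTER, *INNER),        # no TCP from outer into inner
    Ace("deny",   "ip",   *NET1,  *NET3),         # Net1 may not reach Net3
    Ace("permit", "tcp",  *INNER, *WEB, 80),      # Web Server: web only ...
    Ace("deny",   "ip",   *ANY,   *WEB),          # ... nothing else to .66
    Ace("permit", "tcp",  *NET1,  *OUTER, 80),    # Net1 goes out by WEB only
    Ace("deny",   "ip",   *NET1,  *OUTER),
    Ace("permit", "ip",   *ANY,   *ANY),          # all other traffic allowed
]


def check_challenge() -> Dict[str, str]:
    """Constructed sample packets and the verdict each one receives."""
    samples = {
        "outer pings PC1":        Packet("icmp", "220.16.30.7", "192.168.10.48"),
        "outer ssh to PC1":       Packet("tcp", "220.16.30.7", "192.168.10.48", 22),
        "outer dns to inner":     Packet("udp", "220.16.30.7", "192.168.10.48", 53),
        "PC1 http to Net3 host":  Packet("tcp", "192.168.10.48", "192.168.10.100", 80),
        "PC1 http to Web Server": Packet("tcp", "192.168.10.48", "192.168.10.66", 80),
        "PC1 ssh to Web Server":  Packet("tcp", "192.168.10.48", "192.168.10.66", 22),
        "PC1 http to outer":      Packet("tcp", "192.168.10.48", "220.16.30.9", 80),
        "PC1 https to outer":     Packet("tcp", "192.168.10.48", "220.16.30.9", 443),
        "PC3 https to outer":     Packet("tcp", "192.168.10.80", "220.16.30.9", 443),
        "Net3 host pings PC1":    Packet("icmp", "192.168.10.100", "192.168.10.48"),
    }
    return {name: evaluate(CHALLENGE_ACL, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_challenge().items():
        print(f"{verdict:6} {name}")
```

The evaluator is stateless, so the "no TCP from outer into inner" entry also blocks return traffic of sessions opened from the inside; on a real router that rule would be written with the established keyword or applied only on the outer-facing interface.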
