Custom training course for the systems department of NNN (confidential)

                        5/1 to 27/1, 2010, local Cisco Academy, Rosario

                        Instructor: Ernesto Vilarrasa

 

         Administration / Spanning tree / VLAN / Wireless LAN / Security


 

                   Access lists (ACL):

 

                     

This access-list example allows, from VLAN 10: Telnet access to the switches in VLAN 1 for only two hosts;
DNS resolution for every host in the VLAN against the server 192.168.3.252; full connectivity only for the
hosts 192.168.10.100 to 103; DHCP transactions for every host in the VLAN; and it denies all other traffic.

The ACL log reports are sent via syslog to a server.

 

logging host 192.168.3.103        host to which the reports are sent
logging trap 6                    level of information sent
logging trap informational        same as the previous command
access-list 110 permit tcp host 192.168.10.102 any eq telnet log
access-list 110 permit tcp host 192.168.10.101 any eq telnet log
access-list 110 permit ip 192.168.10.100 0.0.0.3 any
access-list 110 permit udp any host 192.168.3.252 eq domain log
access-list 110 permit udp any any eq bootps log
access-list 110 deny   icmp any any log
access-list 110 deny   ip any any log

 

Explanation of the line: access-list 110 permit ip 192.168.10.100 0.0.0.3 any

 

Last octet (binary)   Decimal value     Result
    8421              bit weights of the low nibble
000000XX              0.0.0.3 (wildcard: X = bit ignored, 0 = bit must match)
01100100              64+32+4=100       match
01100101              64+32+4+1=101     match
01100110              64+32+4+2=102     match
01100111              64+32+4+3=103     match
01101000              64+32+8=104       no match
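As an added example that is not part of the course material, the following Python script models how ACL 110 above is evaluated: each constructed sample packet is tested top-down against the entries, Cisco wildcard bits set to 1 are ignored (so 0.0.0.3 matches .100 to .103 but not .104), the first match decides, and an unmatched packet hits the implicit deny. The packet fields and the tuple layout of the entries are this example's own assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: a bit set to 1 in the wildcard is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

# 'any' is 0.0.0.0 with wildcard 255.255.255.255; 'host X' is X with wildcard 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")
DNS_SERVER = ("192.168.3.252", "0.0.0.0")

# ACL 110 from the course notes: (action, protocol, (src, src_wc), (dst, dst_wc), dst_port, log)
ACL_110 = [
    ("permit", "tcp",  ("192.168.10.102", "0.0.0.0"), ANY,        23,   True),
    ("permit", "tcp",  ("192.168.10.101", "0.0.0.0"), ANY,        23,   True),
    ("permit", "ip",   ("192.168.10.100", "0.0.0.3"), ANY,        None, False),
    ("permit", "udp",  ANY,                           DNS_SERVER, 53,   True),
    ("permit", "udp",  ANY,                           ANY,        67,   True),   # bootps
    ("deny",   "icmp", ANY,                           ANY,        None, True),
    ("deny",   "ip",   ANY,                           ANY,        None, True),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry_index, logged) for the first matching entry.
    'ip' entries match any protocol; a port of None means any port.
    Nothing matching falls through to the implicit deny (index None)."""
    for i, (action, eproto, (sb, sw), (db, dw), eport, log) in enumerate(acl):
        if eproto != "ip" and eproto != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if eport is not None and eport != dport:
            continue
        return action, i, log
    return "deny", None, False      # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    samples = [("tcp", "192.168.10.101", "192.168.1.2", 23),     # allowed Telnet host
               ("tcp", "192.168.10.105", "192.168.1.2", 23),     # Telnet from another host
               ("udp", "192.168.10.50", "192.168.3.252", 53),    # DNS to the permitted server
               ("icmp", "192.168.10.100", "192.168.1.2", None),  # ping from the .100-.103 range
               ("icmp", "192.168.10.104", "192.168.1.2", None)]  # ping from .104, outside it
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_110, *pkt))
```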

 

Router#conf t        we apply the ACL to the interface that corresponds to VLAN 10

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#int fast 0/0.10

Router(config-subif)#ip access-group 110 in                                

Router(config-subif)#^Z

Router#

Router#show ip int

FastEthernet0/0.10 is up, line protocol is up

  Internet address is 192.168.10.1/24

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is 192.168.3.252

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is 110        we verify that it is applied

  Proxy ARP is enabled

 

Router#sh access-lists 110        we verify the match counters

Extended IP access list 110

    permit tcp host 192.168.10.102 any eq telnet

    permit tcp host 192.168.10.101 any eq telnet (12 match(es))

    permit ip 192.168.10.100 0.0.0.3 any

    permit udp any host 192.168.3.252 eq domain

    permit udp any any eq bootps

    deny icmp any any (1 match(es))

    deny ip any any (13 match(es))

Router#

 

We verify on the syslog server:

 

 

Syslog level: