<![CDATA[
<p><b>* ACL (Access Control List) 접근제어 목록 설정</b></p><p>- 접근제어 목록은 라우터의 출발지 주소와 목적지 주소를 참고하는 라우팅 테이블을 기반으로 만든 패킷 출입 통제 문장이다.</p><p>- 패킷 필터링 - 특정 프로토콜을 사용하는 패킷을 전달여부를 조절할 수 있다. 외부의 FTP나 스트리밍으로 트래픽이 많다면 이를 제한할 수 있다.</p><p>- 표준 ACL: 1~99, 1300~1999<span style="color: #333333; background-color: #ffffff;" data-ke-size="size16"> 번호 사용</span></p><p>- 확장 ACL: 100~199, 2000~2699 번호 사용</p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1UMtP/9cea60530947b1e42235b0e452bd432765523240" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1UMtP/9cea60530947b1e42235b0e452bd432765523240" data-origin-width="663" data-origin-height="303"></div><div class="table-wrap"><table data-ke-type="table" data-ke-align="alignLeft" style="width: 100%; height: 1564px;" border="1" data-ke-style="style15"><tbody><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px; text-align: center;">단계별</td><td style="width: 65.9733%; height: 18px; text-align: center;">예제 코드</td><td style="width: 17.1963%; height: 18px; text-align: center;">설명</td></tr><tr><td style="width: 16.8303%;">PC 설정</td><td style="width: 65.9733%;">PC0   IP: 1.1.1.2     subnet mask: 255.255.255.0     GW: 1.1.1.1 <br><br>PC1   IP: 1.1.1.3     subnet mask: 255.255.255.0     GW: 1.1.1.1<br><br>PC2   IP: 2.2.2.2     subnet mask: 255.255.255.0     GW: 2.2.2.1<br><br>PC3   IP: 3.3.3.2     subnet mask: 255.255.255.0     GW: 3.3.3.1</td><td style="width: 17.1963%;"></td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">R1 설정</td><td style="width: 65.9733%; height: 18px;">Router# conf t <br>Router(config)# hostname R1<br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip add 1.1.1.1 255.255.255.0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R1(config-if)# exit<br><br>R1(config)# <span style="color: #006dd7;"><b>int s0/2/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip add 203.230.7.1 255.255.255.252</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R1(config-if)# exit<br><br>R1(config)#<span style="color: #006dd7;"><b> int s0/2/1</b></span> <br>R1(config-if)#<span style="color: #006dd7;"><b> ip add 203.230.7.10 255.255.255.252</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R1(config-if)# exit<br><br>R1(config)# <span style="color: #006dd7;"><b>router ospf 1</b></span> <br>R1(config-router)# <span style="color: #006dd7;"><b>network 1.1.1.1 0.0.0.0 area 0</b></span> <br>R1(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.1 0.0.0.0 area 0</b></span> <br>R1(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.10 0.0.0.0 area 0</b></span></td><td style="width: 17.1963%; height: 18px;"></td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">R2 설정</td><td style="width: 65.9733%; height: 18px;">Router# conf t <br>Router(config)# hostname R2<br><br>R2(config)#<span style="color: #006dd7;"><b> int gi0/0</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>ip add 2.2.2.1 255.255.255.0</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R2(config-if)# exit<br><br>R2(config)# <span style="color: #006dd7;"><b>int s0/2/0</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>ip add 203.230.7.5 255.255.255.252</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R2(config-if)# exit<br><br>R2(config)# <span style="color: #006dd7;"><b>int s0/2/1</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>ip add 203.230.7.2 255.255.255.252</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R2(config-if)# exit<br><br>R2(config)#<span style="color: #006dd7;"><b> router ospf 1</b></span> <br>R2(config-router)# <span style="color: #006dd7;"><b>network 2.2.2.1 0.0.0.0 area 0</b></span> <br>R2(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.5 0.0.0.0 area 0</b></span> <br>R2(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.2 0.0.0.0 area 0</b></span></td><td style="width: 17.1963%; height: 18px;"></td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">R3 설정</td><td style="width: 65.9733%; height: 18px;">Router# conf t <br>Router(config)# hostname R3<br><br>R3(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R3(config-if)#<span style="color: #006dd7;"><b> ip add 3.3.3.1 255.255.255.0</b></span> <br>R3(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R3(config-if)# exit<br><br>R3(config)# <span style="color: #006dd7;"><b>int s0/2/0</b></span> <br>R3(config-if)#<span style="color: #006dd7;"><b> ip add 203.230.7.9 255.255.255.252</b></span> <br>R3(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R3(config-if)# exit<br><br>R3(config)#<span style="color: #006dd7;"><b> int s0/2/1</b></span> <br>R3(config-if)# <span style="color: #006dd7;"><b>ip add 203.230.7.6 255.255.255.252</b></span> <br>R3(config-if)# <span style="color: #006dd7;"><b>no shut</b></span> <br>R3(config-if)# exit<br><br>R3(config)#<span style="color: #006dd7;"><b> router ospf 1</b></span> <br>R3(config-router)# <span style="color: #006dd7;"><b>network 3.3.3.1 0.0.0.0 area 0</b></span> <br>R3(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.9 0.0.0.0 area 0</b></span> <br>R3(config-router)# <span style="color: #006dd7;"><b>network 203.230.7.6 0.0.0.0 area 0</b></span></td><td style="width: 17.1963%; height: 18px;"></td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">PC0 제외설정<br>표준 ACL 설정</td><td style="width: 65.9733%; height: 18px;">R1(config)# <span style="color: #006dd7;"><b>access-list 1 deny 1.1.1.2 0.0.0.0</b></span> <br>R1(config)#<span style="color: #006dd7;"><b> access-list 1 permit any</b></span> <br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 1 in </b></span> <br>R1(config-if)# ^Z<br>R1# wr</td><td style="width: 17.1963%; height: 18px;">PC0(1.1.1.2)의 출발지 패킷은 제외하고 나머지 허용</td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">PC1 허용설정<br>표준 ACL 설정</td><td style="width: 65.9733%; height: 18px;">R1(config)# <span style="color: #006dd7;"><b>access-list 1 permit 1.1.1.3 0.0.0.0</b></span><br>R1(config)# <span style="color: #006dd7;"><b>access-list 1 deny any</b></span><br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 1 in</b></span>  <br>R1(config-if)# ^Z<br>R1# wr</td><td style="width: 17.1963%; height: 18px;">PC1(1.1.1.3)<span style="color: #333333;" data-ke-size="size16">의 출발지 </span> 패킷은 허용하고 나머지 제외</td></tr><tr style="height: 18px;"><td style="width: 16.8303%; height: 18px;">ACL 동작 상태 확인</td><td style="width: 65.9733%; height: 18px;">R1#<span style="color: #006dd7;"><b> show access-list 1</b></span> <br><br>Standard IP access list 1 <br>    Permit host 1.1.1.3 (4 match(es))  (출발지 주소 패킷 4개 허용) <br>    deny any (4 match(es))   (그외 주소에서 나온 4개 패킷들은 버림)</td><td style="width: 17.1963%; height: 18px;"></td></tr><tr style="height: 109px;"><td style="width: 16.8303%; height: 109px;">ACL 주석문(Remark) 설정</td><td style="width: 65.9733%; height: 109px;">R1(config)# <span style="color: #006dd7;"><b>access-list 1 remark PC0 packet deny and PC1 packet permit</b><b><br><br></b><span style="color: #333333;">R1(config)#<b> do show run</b><br><br>access-list 1 remark PC0 packet deny and PC1 packet permit<br></span></span></td><td style="width: 17.1963%; height: 109px;"></td></tr><tr style="height: 36px;"><td style="width: 16.8303%; height: 36px;">와일드카드 마스크(Wildcard mask)</td><td style="width: 65.9733%; height: 36px;">와일드카드 마스크는 서브넷 마스크의 반대되는 값<br>서브넷 마스크         와일드카드 마스크<br>255.255.225.0          0.0.0.255<br><br>짝수 IP 주소값 지정:  2032230.7.<span style="color: #ee2323;"><b>0</b></span>   0.0.0.254<br><span style="color: #333333;" data-ke-size="size16">홀수 IP 주소값 지정:  2032230.7.<span style="color: #ee2323;"><b>1</b></span>   0.0.0.254</span><br><br>네트워크 203.230.7.1/24 ~ 203.230.7.5/24만 정의하고자 한다면 <br><span style="color: #333333;" data-ke-size="size16">203.230.7.0/29 로</span><br>서브넷 마스크        203.230.7.0  255.255.255.248<br><span style="color: #333333;" data-ke-size="size16">와일드카드마스크   203.230.7.0  0.0.0.7</span></td><td style="width: 17.1963%; height: 36px;"></td></tr><tr style="height: 127px;"><td style="width: 16.8303%; height: 127px;">ACL 문장구성 및 순서</td><td style="width: 65.9733%; height: 127px;">R1(config)# <span style="color: #006dd7;"><b>access-list 1 deny host 1.1.1.2</b></span>               ① <br>R1(config)# <span style="color: #006dd7;"><b>access-list 1 permit 1.1.1.0  0.0.0.255</b></span>     ② <br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-list 1 in</b></span><br><br>PC0> ping 2.2.2.1      (불가)</td><td style="width: 17.1963%; height: 127px;">②의 목록을 첫 줄에 작성하고 <br>①을 둘째 줄에 작성하면 <br>1.1.1.2가 외부와 통신하는 것을 막을 수 없음</td></tr><tr style="height: 218px;"><td style="width: 16.8303%; height: 218px;">ACL을 이용한 원격 접속 제어</td><td style="width: 65.9733%; height: 218px;">R2(config)# <span style="color: #006dd7;"><b>access-list 1 permit host 1.1.1.2 </b></span>            ① <br><br>R2(config)#<span style="color: #006dd7;"><b> line vty 0 4</b></span> <br>R2(config-line)# <span style="color: #006dd7;"><b>password cisco</b></span> <br>R2(config-line)# <span style="color: #006dd7;"><b>login</b></span> <br><br>R2(config-line)# <span style="color: #006dd7;"><b>access-class 1 in</b></span> <br><br>PC0> telnet 2.2.2.1     (R2에 접속 허용)<br><span style="color: #333333;" data-ke-size="size16">PC1> telnet 2.2.2.1     (접속 불가)</span><br>PC2> telnet 2.2.2.1<span style="color: #333333;" data-ke-size="size16">     (접속 불가)</span><br>PC3> telnet 2.2.2.1<span style="color: #333333;" data-ke-size="size16">     (접속 불가)</span></td><td style="width: 17.1963%; height: 218px;">①을 설정한 후 “access-list 1 deny any” 명령어가 없어도 ACL이 “permit”으로  이루진 경우 “deny any”는 따로 선언하지 않아도 암묵적으로(implicit deny)  라우터에 정의됨</td></tr><tr style="height: 236px;"><td style="width: 16.8303%; height: 236px;">확장 ACL의 설정<br><br>PC0->R3 ping (x)</td><td style="width: 65.9733%; height: 236px;">R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 203.230.7.9 <span style="color: #f89009;">echo</span></b></span><span style="color: #f89009;"> </span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 203.230.7.6 <span style="color: #f89009;">echo</span></b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 3.3.3.1 <span style="color: #f89009;">echo</span></b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 permit ip any any</b></span> <br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 100 in </b></span><br><br>PC0> ping 203.230.7.9     (불가)<br>PC0> ping 203.230.7.6     (불가)<br>PC0> ping 3.3.3.1           (불가)<br>PC0> telnet 3.3.3.1         (접속 가능)</td><td style="width: 17.1963%; height: 236px;">PC0가 R3으로 Ping 불가/ Telnet 접속 가능토록  R1에서 설정</td></tr><tr style="height: 186px;"><td style="width: 16.8303%; height: 186px;">확장 ACL의 설정<br><br>PC0->R3 <br>ping 불가</td><td style="width: 65.9733%; height: 186px;">R3(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 203.230.7.9 <span style="color: #f89009;">echo</span></b></span><span style="color: #f89009;"> </span> <br>R3(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 203.230.7.6 <span style="color: #f89009;">echo</span></b></span> <br>R3(config)# <span style="color: #006dd7;"><b>access-list 100 deny icmp host 1.1.1.2 host 3.3.3.1 <span style="color: #f89009;">echo</span></b></span> <br>R3(config)# <span style="color: #006dd7;"><b>access-list 100 permit ip any any</b></span> <br><br>R3(config)# <span style="color: #006dd7;"><b>int se0/2/0</b></span> <br>R3(config-if)# <span style="color: #006dd7;"><b>ip access-group 100 in </b></span> <br>R3(config-if)# exit <br><br>R3(config)#<span style="color: #006dd7;"><b> int se0/2/1</b></span> <br>R3(config-if)#<span style="color: #006dd7;"><b> ip access-group 100 in</b></span></td><td style="width: 17.1963%; height: 186px;">PC0가 R3으로 Ping 불가/ Telnet 접속 가능토록  R3에서 설정 </td></tr><tr style="height: 154px;"><td style="width: 16.8303%; height: 154px;">확장 ACL의 설정<br><br>PC1->R2<br>텔넷 접속불가</td><td style="width: 65.9733%; height: 154px;">R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny tcp host 1.1.1.3 host 203.230.7.2 eq <span style="color: #409d00;">telnet </span></b></span> <br>R1(config)#<span style="color: #006dd7;"><b> access-list 100 deny tcp host 1.1.1.3 host 203.230.7.5 eq <span style="color: #409d00;">telnet</span></b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny tcp host 1.1.1.3 host 2.2.2.1 eq <span style="color: #409d00;">telnet</span></b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 permit ip any any</b></span> <br><br>R1(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 100 in </b></span><br><br>PC1> ping 2.2.2.1    (접속 성공)<br>PC1> telnet 2.2.2.1  (접속 불가)</td><td style="width: 17.1963%; height: 154px;">PC1만 R2에 Telnet 접속 불가로  R1에서 설정</td></tr><tr style="height: 46px;"><td style="width: 16.8303%; height: 46px;"><span style="color: #333333;" data-ke-size="size16">Named 표준 ACL</span><br><br>PC0->모두 (0)<br>PC1->모두 (x)</td><td style="width: 65.9733%; height: 46px;">R1(config)#<span style="color: #006dd7;"><b> ip access-list standard infocomm</b></span> <br>R1(config-std-nalc)# <span style="color: #006dd7;"><b>permit host 1.1.1.3</b></span> <br>R1(config-line)# <span style="color: #006dd7;"><b>deny any</b></span> <br>R1(config-line)# exit <br><br>R1(config)#<span style="color: #006dd7;"><b> int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group inforcomm in</b></span></td><td style="width: 17.1963%; height: 46px;">PC0는 모든 장치에 통신 불가<br>PC1은 모든 장치에 통신 가능</td></tr><tr style="height: 254px;"><td style="width: 16.8303%; height: 254px;"><span style="color: #333333;" data-ke-size="size16">Named 확장 ACL</span><br><br>PC0->R3<br>ping(x) 불가<br>telnet(o) 가능</td><td style="width: 65.9733%; height: 254px;">R1(config)# <span style="color: #006dd7;"><b>ip access-list extended ping</b></span> <br>R1(config-std-nalc)#<span style="color: #006dd7;"><b> deny icmp host 1.1.1.2 host 1.1.1.3</b></span> <br>R1(config-std-nalc)# <span style="color: #006dd7;"><b>deny icmp host 1.1.1.2 host 203.230.7.6</b></span> <br>R1(config-std-nalc)# <span style="color: #006dd7;"><b>deny icmp host 1.1.1.2 host 203.230.7.9</b></span> <br>R1(config-std-nalc)# <span style="color: #006dd7;"><b>permit ip any any</b></span> <br>R1(config-std-nalc)# exit <br><br>R1(config)#<span style="color: #006dd7;"><b> int gi0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group ping in</b></span> <br>R1(config-if)# exit <br><br>R1(config)# <span style="color: #006dd7;"><b>do show access-lists</b></span>    (결과는 뒤 페이지) <br>R1(config)# exit <br><br>PC0> ping 3.3.3.1           (불가)<br>PC0> ping 203.230.7.6     (불가)<br>PC0> ping 203.230.7.3     (불가)<br>PC0> telnet 3.3.3.1         (접속 가능)</td><td style="width: 17.1963%; height: 254px;"></td></tr></tbody></table></div><p> </p><p>* PC1과 PC3를 <b>서버로 교체한 후</b> PC1과  PC3가 사용했던 IP주소를 이들 서버에 할당한 후</p><p><b>PC2가 Server0의 http와 ftp에 접속할 수 없도록 R2에 설정하는 ACL작성</b></p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1UMtP/4c71ca34f4e8f7f8b4aa1cb1c72176a26303ba36" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1UMtP/4c71ca34f4e8f7f8b4aa1cb1c72176a26303ba36" data-origin-width="713" data-origin-height="303"></div><div class="table-wrap"><table data-ke-type="table" data-ke-align="alignLeft" style="width: 100%; height: 891px;" border="1" data-ke-style="style15"><tbody><tr style="height: 18px;"><td style="width: 18.6683%; height: 18px; text-align: center;">단계별</td><td style="width: 63.6747%; height: 18px; text-align: center;">예제 코드</td><td style="width: 17.6569%; height: 18px; text-align: center;">설명</td></tr><tr style="height: 127px;"><td style="width: 18.6683%; height: 127px;">토폴로지 설정</td><td style="width: 63.6747%; height: 127px;">PC: 위와 동일<br><br>라우터: 위와 동일<br><br>서버 0:   IP: <span style="color: #006dd7;"><b>1.1.1.3</b></span> 255.255.255.0,  GW: 1.1.1.1<br><br>서버 1:<span style="color: #333333; background-color: #ffffff;" data-ke-size="size16">   IP: </span><span style="color: #006dd7;" data-ke-size="size16"><b>3.3.3.2</b></span><span style="color: #333333; background-color: #ffffff;" data-ke-size="size16"> 255.255.255.0,  GW: 3.3.3.1</span></td><td style="width: 17.6569%; height: 127px;"></td></tr><tr style="height: 50px;"><td style="width: 18.6683%; height: 50px;">Named 확장 ACL <br>설정하기 (제1방법)<br><br>PC2->Sever0<br>http(x), ftp(x)</td><td style="width: 63.6747%; height: 50px;">R2(config)# <span style="color: #006dd7;"><b>access-list 100 deny tcp host 2.2.2.2 host 1.1.1.3 eq www</b></span><br>R2(config)# <span style="color: #006dd7;"><b>access-list 100 deny tcp host 2.2.2.2 host 1.1.1.3 eq ftp</b></span><br>R2(config)# <span style="color: #006dd7;"><b>access-list 100 deny tcp host 2.2.2.2 host 1.1.1.3 eq 20</b></span><br>R2(config)# <span style="color: #006dd7;"><b>access-list 100 permit ip any any</b></span><br><br>R2(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span><br>R2(config-if)#<span style="color: #006dd7;"><b> ip access-group 100 in</b></span></td><td style="width: 17.6569%; height: 50px;"></td></tr><tr style="height: 163px;"><td style="width: 18.6683%; height: 163px;">Named 확장 ACL <br>설정하기 (제2방법)<br><br><span style="color: #333333;" data-ke-size="size16">PC2->Sever0</span><br><span style="color: #333333;" data-ke-size="size16">http(x), ftp(x)</span></td><td style="width: 63.6747%; height: 163px;">R2(config)# <span style="color: #006dd7;"><b>ip access-list extended http_ftp</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny tcp host 2.2.2.2 host 1.1.1.3 eq www</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny tcp host 2.2.2.2 host 1.1.1.3 eq ftp</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny tcp host 2.2.2.2 host 1.1.1.3 eq 20</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>permit ip any any</b></span> <br>R2(config-ext-nacl)# exit <br><br>R2(config)# <span style="color: #006dd7;"><b>int gi0/0</b></span> <br>R2(config-if)#<span style="color: #006dd7;"><b> ip access-group http_ftp in</b></span></td><td style="width: 17.6569%; height: 163px;"></td></tr><tr style="height: 461px;"><td style="width: 18.6683%; height: 461px;">PC2에서 <br><br>Server0: http (x)<br>Server1: http (0)</td><td style="width: 63.6747%; height: 461px;"><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1UMtP/19ff1f600a7ce0e4f91b42a999b72fe7c3687b5d" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1UMtP/19ff1f600a7ce0e4f91b42a999b72fe7c3687b5d" data-origin-width="845" data-origin-height="727"></div></td><td style="width: 17.6569%; height: 461px;"></td></tr><tr style="height: 72px;"><td style="width: 18.6683%; height: 72px;">PC2에서 <br>Server0: ftp (x)<br>Server1: ftp (o)</td><td style="width: 63.6747%; height: 72px;">PC2> ftp 1.1.1.3       (Server0 접속 불가)<br><br>PC2> ftp 3.3.3.3       (Server1<span style="color: #333333;" data-ke-size="size16"> 접속 OK</span>)<br><br><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1UMtP/5a92bee16d8681845e0b17a1d86401c794016119" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1UMtP/5a92bee16d8681845e0b17a1d86401c794016119" data-origin-width="939" data-origin-height="723"></div></td><td style="width: 17.6569%; height: 72px;"></td></tr></tbody></table></div><p> </p><p><b>* TCP Established  (실제 장비에서 test)</b></p><p> </p><p>- R1에 tcp established를 설정하여 출발지 주소가 1.1.1.0/24인 경우에만 R2와 통신이 가능하도록 설정해보자.</p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1UMtP/a1ea3d5482097815394b869f95c1ff4ba648818d" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1UMtP/a1ea3d5482097815394b869f95c1ff4ba648818d" data-origin-width="496" data-origin-height="127"></div><div class="table-wrap"><table data-ke-type="table" data-ke-align="alignLeft" style="width: 100%;" border="1" data-ke-style="style15"><tbody><tr><td style="width: 14.0013%; text-align: center;">단계별</td><td style="width: 49.9052%; text-align: center;">예제 코드</td><td style="width: 11.0935%; text-align: center;">설명</td></tr><tr><td style="width: 14.0013%;">R1 설정</td><td style="width: 49.9052%;"><span style="color: #333333;" data-ke-size="size16">Router# conf t</span><br><span style="color: #333333;" data-ke-size="size16">Router(config)# hostname R1</span><br><br><span style="color: #333333;" data-ke-size="size16">R1(config)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>int fa0/0</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>ip add 203.230.7.1 255.255.255.0</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>no shut</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# exit<br><br></span> <span style="color: #333333;" data-ke-size="size16">R1(config)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>int loopback 0</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>ip add 1.1.1.1 255.255.255.0</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>no shut</b></span><br><span style="color: #333333;" data-ke-size="size16">R1(config-if)# exit</span></td><td style="width: 11.0935%;"><span style="color: #333333;" data-ke-size="size16"> </span></td></tr><tr><td style="width: 14.0013%;">R2 설정</td><td style="width: 49.9052%;"><span style="color: #333333;" data-ke-size="size16">Router# conf t</span><br><span style="color: #333333;" data-ke-size="size16">Router(config)# hostname R2</span><br><br><span style="color: #333333;" data-ke-size="size16">R2(config)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>int fa0/0</b></span><br><span style="color: #333333;" data-ke-size="size16">R2(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>ip add 203.230.7.2 255.255.255.0</b></span><br><span style="color: #333333;" data-ke-size="size16">R2(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>no shut</b></span><br><span style="color: #333333;" data-ke-size="size16">R2(config-if)# exit<br><br><span style="color: #333333;" data-ke-size="size16">R2(config)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>int loopback 0</b></span><br><span style="color: #333333;" data-ke-size="size16">R2(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>ip add 2.2.2.2 255.255.255.0</b></span><br><span style="color: #333333;" data-ke-size="size16">R2(config-if)# </span><span style="color: #006dd7;" data-ke-size="size16"><b>no shut</b></span><br></span><span style="color: #333333;" data-ke-size="size16"><span style="color: #333333;" data-ke-size="size16">R2(co</span></span><span style="color: #333333;" data-ke-size="size16"><span style="color: #333333;" data-ke-size="size16">nfig-if)# exit</span></span></td><td style="width: 11.0935%;"><span style="color: #333333;" data-ke-size="size16"> </span></td></tr><tr><td style="width: 14.0013%;">R1에서 <br>tcp established <br>설정</td><td style="width: 49.9052%;">R1(config)# <span style="color: #006dd7;"><b>access-list 100 permit tcp any 1.0.0.0 0.255.255.255 established</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny ip any any </b></span> <br><br>R1(config)# <span style="color: #006dd7;"><b>int fa0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 100 in</b></span> <br><br>R1(config-if)# ^Z<br>R1# wr</td><td style="width: 11.0935%;"><span style="color: #333333;" data-ke-size="size16">출발지가 1.1.1.0/24인 호스트들은 접속 가능</span></td></tr><tr><td style="width: 14.0013%;">R1에서 <br>tcp established <br>설정 확인<br><br>출발지주소 1.1.1.0/24는 외부와 통신 가능<br><br>외부에서 1.1.1.0/24로 TCP 통신은 불가</td><td style="width: 49.9052%;">R1(config)# <span style="color: #006dd7;"><b>telnet 203.230.7.2</b></span> <br><br>Trying 203.230.7.2 ... <br>% Connection timed out; remote host not responding <br><br>R1(config)#<span style="color: #006dd7;"> <b>telnet 203.230.7.2/source-interface loopback 0</b></span> <br><br>% Invalid input detected at '^' marker.     (패킷트레이서에서는 실행되지 않음) <br><br>(아래는 실제 라우터에서 실행할 때 결과임) <br><br>R1(config)# <span style="color: #006dd7;"><b>telnet 203.230.7.2/source-interface loopback 0</b></span> <br><br>Trying 203.230.7.2 ... Open <br>User Access Verification <br><br>Password: <br><br>R2>en <br>R2# <span style="color: #006dd7;"><b>telnet 1.1.1.1</b></span> <br><br>Trying 1.1.1.1 ... <br>% Destination unreachable; gateway or host down<br><br>(아래는 실제 라우터에서 실행할 때 결과임) <br><br>R2# <span style="color: #006dd7;"><b>telnet 203.230.7.1</b></span> <br>Trying 203.230.7.1 ... <br>% Destination unreachable; gateway or host down <br><br>[Connection to 203.230.7.2 closed by foreign host] <br><br>R1# <span style="color: #006dd7;"><b>show access-lists</b></span></td><td style="width: 11.0935%;"></td></tr><tr><td style="width: 14.0013%;">Named 확장 ACL에서 중간 삽입 가능<br><br><br>확장 ACL은 지우고 다시 설정해야 함</td><td style="width: 49.9052%;">R2(config)# <span style="color: #006dd7;"><b>ip access-list extended inokyuni</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>permit tcp any host 1.1.1.1</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny ip any any</b></span> <br>R2(config-ext-nacl)# exit <br><br>R2(config)# <span style="color: #006dd7;"><b>do show access-list</b></span> <br><br>Extended IP access list inokyuni <br>    10 permit tcp any host 1.1.1.1 <br>    20 deny ip any any <br><br>R2(config)# <span style="color: #006dd7;"><b>ip access-list extended inokyuni</b></span> <br>R2(config-ext-nacl)# <span style="color: #8a3db6;"><b>15 permit tcp any host 203.230.7.1</b></span> <br>R2(config-ext-nacl)# exit <br><br>R2(config)# <span style="color: #006dd7;"><b>do show access-list</b></span> <br><br>Extended IP access list inokyuni <br>    10 permit tcp any host 1.1.1.1 <br>    <span style="color: #f89009;">15 permit tcp any host 203.230.7.1</span>   (중간에 15번이 삽입됨) <br>    20 deny ip any any <br><br>R2(config)# exit  <br>R2#</td><td style="width: 11.0935%;"></td></tr><tr><td style="width: 14.0013%;">락-앤-키(Lock-and-Key) 인증</td><td style="width: 49.9052%;"><br>R1(config)# <span style="color: #006dd7;"><b>username inokyuni password infocomm</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>ip access-list extended LK</b></span> <br>R1(config-ext-nacl)# <span style="color: #006dd7;"><b>permit tcp any host 203.230.7.1 eq telnet</b></span> <br>R1(config-ext-nacl)# <span style="color: #006dd7;"><b>dynamic LK_test permit ip any any</b></span>  (이 명령 불가) <br>R1(config-ext-nacl)# <span style="color: #006dd7;"><b>deny ip any any</b></span> <br>R1(config-ext-nacl)# exit  <br><br>R1(config)# <span style="color: #006dd7;"><b>int fa0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group LK in </b></span> <br>R1(config-if)# exit <br><br>R1(config)# <span style="color: #006dd7;"><b>line vty 0 4</b></span> <br>R1(config-line)# <span style="color: #006dd7;"><b>login local</b></span> <br><br>R1(config-line)# <span style="color: #006dd7;"><b>autocommand access-enable host timeout 1</b></span> <br>  (텔넷 접속에서 인증이 되었으면 통신이 가능하도록 설정하고, 타임아웃 값을 설정) <br><br>또는 <br><br>R1(config)# <span style="color: #006dd7;"><b>username inokyuni password infocomm</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 permit tcp any host 203.230.7.1 eq telnet</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 dynamic LK_test timeout 1 permit ip any any</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny ip any any</b></span> <br><br>R1(config)# <span style="color: #006dd7;"><b>int se0/0/0</b></span> <br>R1(config-if)#<span style="color: #006dd7;"><b> ip access-group 100 in </b></span> <br>R1(config-if)# exit <br><br>R1(config)# <span style="color: #006dd7;"><b>line vty 0 4</b></span> <br>R1(config-line)# <span style="color: #006dd7;"><b>login local</b></span> <br>R1(config-line)# <span style="color: #006dd7;"><b>autocommand access-enable host timeout 1</b></span> <br>R1(config-line)# exit</td><td style="width: 11.0935%;"></td></tr><tr><td style="width: 14.0013%;">락앤키 확인</td><td style="width: 49.9052%;">R2# ping 1.1.1.1<br><br><span style="color: #333333; background-color: #ffffff;" data-ke-size="size16">R2# ping 203.230.7.1<br><br><span style="color: #333333; background-color: #ffffff;" data-ke-size="size16">R2# telnet 203.230.7.1     (텔넷으로 사용자 인증을 거친 후 테스트를 해보자)<br><br><span style="color: #333333; background-color: #ffffff;" data-ke-size="size16">R2# ping 1.1.1.1<br><br><span style="color: #333333; background-color: #ffffff;" data-ke-size="size16">R2# ping 203.230.7.1<br><br></span></span></span></span>R1# show access-lists</td><td style="width: 11.0935%;"></td></tr><tr><td style="width: 14.0013%;">RACL(Reflexive ACL)<br><br>내부->외부 (OK)<br>외부->내부 (불가)</td><td style="width: 49.9052%;">R2(config)#<span style="color: #006dd7;"><b> ip access-list extended in_in</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>permit tcp any any reflect tcp</b></span>   (이 명령 불가) <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>permit udp any any reflect udp</b></span>   (이 명령 불가) <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny ip any any</b></span> <br>R2(config-ext-nacl)# exit <br><br>R2(config)# <span style="color: #006dd7;"><b>ip access-list extended out_out</b></span> <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>eval‎uate tcp</b></span>   (이 명령 불가) <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>eval‎uate udp</b></span>   (이 명령 불가) <br>R2(config-ext-nacl)# <span style="color: #006dd7;"><b>deny ip any any</b></span> <br>R2(config-ext-nacl)# exit <br><br>R2(config)#<span style="color: #006dd7;"><b> int fa0/0</b></span> <br>R2(config-if)# <span style="color: #006dd7;"><b>ip access-group in_in in</b></span>  <br>R2(config-if)# <span style="color: #006dd7;"><b>ip access-group out_out out</b></span> <br>R2(config-if)# exit <br>R2(config)#</td><td style="width: 11.0935%;"></td></tr><tr><td style="width: 14.0013%;">시간기반<br>(time-based) 의 <br>ACL 특정시간에만 동작</td><td style="width: 49.9052%;">R1(config)# <span style="color: #006dd7;"><b>time range weekday</b></span>   (이 명령 불가)   <br>R1(config-time-range)# <span style="color: #006dd7;"><b>periodic ?</b></span>  <br>  Friday Friday <br>  Monday Monday <br><br>  Wednesday Wednesday <br>  daily daily <br>  weekday weekday <br>  weekend weekend<br><br>R1(config-time-range)# <span style="color: #006dd7;"><b>periodic weekdays 8:00 to 18:00</b></span> <br>R1(config-time-range)# exit <br><br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 permit ip any any time-range weekday</b></span> <br>R1(config)# <span style="color: #006dd7;"><b>access-list 100 deny ip any any time-range weekday </b></span><br><br>R1(config)# <span style="color: #006dd7;"><b>int fa0/0</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access</b></span> <br>R1(config-if)# <span style="color: #006dd7;"><b>ip access-group 100 in</b></span></td><td style="width: 11.0935%;"></td></tr></tbody></table></div><p> </p>
<!-- -->
]]>
카페 게시글
통신네트웍및실습(1112)
ACL(Access Control List) 접근제어 목록
한창호
추천 0
조회 436
22.07.14 15:30
댓글 0
다음검색
