{"id":456,"date":"2020-04-06T15:51:31","date_gmt":"2020-04-06T13:51:31","guid":{"rendered":"http:\/\/tech.sosthe.sk\/?page_id=456"},"modified":"2020-04-06T15:51:31","modified_gmt":"2020-04-06T13:51:31","slug":"8-acl-access-control-list","status":"publish","type":"page","link":"http:\/\/tech.sosthe.sk\/index.php\/ccna\/cisco-ios\/8-acl-access-control-list\/","title":{"rendered":"8. ACL – Access Control List"},"content":{"rendered":"

Access Control List<\/span><\/em><\/strong>\u00a0(\u010falej len ACL) je zoznam pravidiel, ktor\u00e9 riadi pr\u00edstup k nejak\u00e9mu objektu.\u00a0ACL s\u00fa pou\u017e\u00edvan\u00e9 v rade aplik\u00e1ci\u00ed, \u010dasto u akt\u00edvnych sie\u0165ov\u00fdch prvkov, ale napr\u00edklad aj u opera\u010dn\u00fdch syst\u00e9mov pri riaden\u00ed pr\u00edstupu k objektu (s\u00faboru).\u00a0Ak niekto po\u017eaduje pr\u00edstup k nejak\u00e9mu objektu, tak sa najprv skontroluje ACL priraden\u00fd k tomuto objektu, \u010di je t\u00e1to oper\u00e1cia povolen\u00e1 (pr\u00edpadne povolen\u00e1 komu).<\/span><\/p>\n

Cisco ACL<\/span><\/h4>\n

Na akt\u00edvnych prvkoch Cisco s\u00fa ACL vlastnost\u00ed IOSu.\u00a0M\u00f4\u017eeme ich pou\u017e\u00edva\u0165 na nieko\u013ek\u00fdch miestach, ale naj\u010dastej\u0161ie pou\u017eitie je pre riadenie (obmedzovanie) sie\u0165ovej prev\u00e1dzky, teda pre\u00a0<\/span>filtrovanie paketov<\/span><\/strong><\/em>\u00a0.\u00a0R\u00f4znych typov ACL je cel\u00fd rad, niektor\u00e9 typy ACL sa daj\u00fa aplikova\u0165 na r\u00f4zne miesta a tie\u017e s\u00fa tu ur\u010dit\u00e9 v\u00e4zby.\u00a0Tak\u017ee m\u00e1me napr\u00edklad\u00a0<\/span>IP Extended Named ACL<\/span><\/strong><\/em>\u00a0.\u00a0Pok\u00fasil som sa vytvori\u0165 trochu menej tradi\u010dn\u00e9, ale pre m\u0148a viac praktick\u00fd, zoznam typov ACL.<\/span><\/p>\n

    \n
  • IP ACL<\/span><\/strong>\u00a0– filtruje IPv4 prev\u00e1dzka – IP, TCP, UDP, IGMP (multicast), ICMP<\/span>\n
      \n
    • Port ACL<\/span><\/strong>\u00a0– pre fyzick\u00fd L2 interface (aplikujeme na port), len prich\u00e1dzaj\u00face smer<\/span>\n
        \n
      • Numbered\u00a0<\/span><\/strong>Standard<\/span><\/strong>\u00a0– \u010d\u00edslovan\u00e9, iba zdrojov\u00e1 adresa<\/span><\/li>\n
      • Numbered\u00a0<\/span><\/strong>Extended<\/span><\/strong>\u00a0– \u010d\u00edslovan\u00e9, zdrojov\u00e1 aj cie\u013eov\u00e1 adresa a volite\u013ene port<\/span><\/li>\n
      • Named Standard<\/span><\/strong>\u00a0– pomenovan\u00e9 \u0161tandard<\/span><\/li>\n
      • Named Extended<\/span><\/strong>\u00a0– pomenovan\u00e9 extended<\/span><\/li>\n<\/ul>\n<\/li>\n
      • Router ACL<\/span><\/strong>\u00a0– pre L3 interface – SVI (switch virtual interfaces – L3 interface pre VLAN), fyzick\u00fd L3 interface (port – vznikne pomocou no switchport), L3 EtherChannel (spojenie viac portov);\u00a0kontroluj\u00fa routovanie prev\u00e1dzku, odch\u00e1dzaj\u00face alebo prich\u00e1dzaj\u00face smer<\/span>\n
          \n
        • Standard<\/span><\/strong><\/li>\n
        • extended<\/span><\/strong><\/li>\n
        • Named<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n
        • VLAN m\u00e1p<\/span><\/strong>\u00a0– kontroluje v\u0161etky pakety (routovanie aj bridgovanie = switchovan\u00e9), m\u00f4\u017eeme kontrolova\u0165 prev\u00e1dzku medzi zariadeniami v r\u00e1mci jednej VLAN.\u00a0Nerie\u0161i sa smer (odch\u00e1dzaj\u00face, prich\u00e1dzaj\u00face)., Aplikuje sa na VLAN.<\/span>\n
            \n
          • Standard<\/span><\/strong><\/li>\n
          • extended<\/span><\/strong><\/li>\n
          • Named<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
          • MAC ACL (Ethernet ACL)<\/span><\/strong>\u00a0– non-IP prev\u00e1dzku<\/span>\n
              \n
            • port ACL<\/span><\/strong>\n
                \n
              • Standard<\/span><\/strong><\/li>\n
              • extended<\/span><\/strong><\/li>\n
              • Named Extended<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n
              • VLAN m\u00e1p<\/span><\/strong>\n
                  \n
                • Named Extended<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                  Hlavn\u00e9 delenie je teda pod\u013ea\u00a0<\/span>typu adries<\/span><\/strong>\u00a0, ktor\u00e9 pou\u017e\u00edvame v pravidl\u00e1ch.\u00a0Naj\u010dastej\u0161ie s\u00fa\u00a0<\/span>IP a MAC ACL<\/span><\/strong><\/em>\u00a0, ale aj dnes tie\u017e (zatia\u013e menej vyu\u017e\u00edvan\u00e9)\u00a0<\/span>IPv6 ACL<\/span><\/strong>\u00a0, ktor\u00e9 m\u00f4\u017eu by\u0165\u00a0<\/span>Port<\/span><\/em><\/strong>\u00a0alebo\u00a0<\/span>Router<\/span><\/em><\/strong>\u00a0a iba\u00a0<\/span>Named<\/span><\/em><\/strong>\u00a0.\u00a0V konfigur\u00e1cii sa pou\u017e\u00edvaj\u00fa prefixy miesto Wildcard masky.\u00a0Alebo u\u017e skoro nepou\u017e\u00edvan\u00e9 IPX ACL.<\/span><\/p>\n

                  \u010eal\u0161ie delenie je pod\u013ea toho,\u00a0<\/span>kam<\/span><\/strong><\/em>\u00a0danej ACL\u00a0<\/span>aplikujeme<\/span><\/strong><\/em>\u00a0.\u00a0M\u00f4\u017eeme na\u00a0<\/span>L2 interface<\/span><\/strong><\/em>\u00a0,\u00a0<\/span>L3 interface<\/span><\/strong><\/em>\u00a0a alebo \u0161peci\u00e1lne\u00a0<\/span>VLAN m\u00e1p<\/span><\/strong><\/em>\u00a0.\u00a0Potom u\u017e m\u00e1me vlastn\u00e9 typy ACL, bu\u010f\u00a0<\/span>\u0161tandardn\u00e9<\/span><\/strong><\/em>\u00a0,\u00a0<\/span>roz\u0161\u00edren\u00e9<\/span><\/strong><\/em>\u00a0alebo\u00a0<\/span>pomenovan\u00e9<\/span><\/strong><\/em>\u00a0.<\/span><\/p>\n

                  V tomto \u010dl\u00e1nku sa venujem v\u0161eobecne ACL, potom viac IP ACL a na z\u00e1ver MAC ACL. \u010co sa t\u00fdka aplik\u00e1cie, tak je to s\u00edce v\u0161eobecn\u00e9, ale viac zameran\u00e9 na Port ACL. Router ACL (viac prakticky) sa venujem v \u010fal\u0161om \u010dl\u00e1nku\u00a0<\/span>\u00a0– inter-VLAN routing a ACL – smerovanie medzi VLANy<\/span>\u00a0.\u00a0\u0160pecifick\u00fdm pr\u00edpadom s\u00fa VLAN mapy, o ktor\u00fdch vyjde \u010fal\u0161\u00ed \u010dl\u00e1nok.<\/span><\/p>\n

                  ACL sl\u00fa\u017ei hlavne \u00a0<\/span><\/strong><\/p>\n

                    \n
                  • ako z\u00e1kladn\u00fd sie\u0165ov\u00e1 bezpe\u010dnos\u0165 na blokovanie alebo povolenie (routovan\u00e9ho) prev\u00e1dzky<\/span><\/li>\n
                  • ku kontrole \u0161\u00edrky p\u00e1sma<\/span><\/li>\n
                  • Policy Based Routing<\/span><\/li>\n
                  • vyn\u00fatenie sie\u0165ov\u00fdch polit\u00edk<\/span><\/li>\n
                  • identifik\u00e1ciu alebo klasifik\u00e1ciu prev\u00e1dzky (pre QoS, NAT, a pod.)<\/span><\/li>\n<\/ul>\n

                    Stru\u010dn\u00e1 charakteristika a vlastnosti<\/span><\/h4>\n
                      \n
                    • ACL je sekven\u010dn\u00e1 (raden\u00fd) zoznam pravidiel\u00a0<\/span>permit<\/span><\/strong>\u00a0(povoli\u0165) a\u00a0<\/span>deny<\/span><\/strong>\u00a0(zak\u00e1za\u0165), t\u00fdmto pravidl\u00e1m sa hovor\u00ed\u00a0<\/span>ACE<\/span><\/strong>\u00a0(Access Control Entries).<\/span><\/li>\n
                    • ACL m\u00f4\u017eeme identifikova\u0165\u00a0<\/span>\u010d\u00edslom<\/span><\/strong><\/em>\u00a0alebo\u00a0<\/span>menom<\/span><\/strong><\/em>\u00a0(pomenovan\u00e9 ACL).<\/span><\/li>\n
                    • Nov\u00e9 pravidl\u00e1 sa prid\u00e1vaj\u00fa v\u017edy na koniec zoznamu.<\/span><\/li>\n
                    • Pou\u017e\u00edva sa pravidlo\u00a0<\/span>first-fit<\/span><\/strong><\/em>\u00a0.\u00a0Zoznam sa prech\u00e1dza od za\u010diatku ku koncu, a pokia\u013e d\u00f4jde k zhode, tak sa \u010falej neprech\u00e1dza.<\/span><\/li>\n
                    • Ka\u017ed\u00fd nepr\u00e1zdny zoznam m\u00e1 na konci\u00a0<\/span>defaultn\u00fd pravidlo<\/span><\/strong><\/em>\u00a0, ktor\u00e9 zakazuje v\u0161etko (deny any).\u00a0Pr\u00e1zdny zoznam povo\u013euje v\u0161etko.<\/span><\/li>\n
                    • Je dobr\u00e9 umiest\u0148ova\u0165 viac \u0161pecifick\u00e9 pravidl\u00e1 na za\u010diatok a oby\u010dajn\u00e1 (subnetmi apod) na koniec.<\/span><\/li>\n
                    • Ak sa v ACL vyhodnot\u00ed deny, tak sa odo\u0161le ICMP hos\u0165 nedosiahnute\u013en\u00fd (unreachable).<\/span><\/li>\n
                    • Filtrovanie (pou\u017e\u00edvanie ACL) spoma\u013euje zariadenie (stoj\u00ed v\u00fdpo\u010dtov\u00fd v\u00fdkon).<\/span><\/li>\n
                    • Odch\u00e1dzaj\u00face pravidl\u00e1 (outbound filters) neovplyv\u0148uj\u00fa prev\u00e1dzku, ktor\u00fd poch\u00e1dza lok\u00e1lne z routeru (filtruj\u00fa iba prech\u00e1dzaj\u00face prev\u00e1dzka).<\/span><\/li>\n<\/ul>\n

                      Ak chceme upravi\u0165 nejak\u00e9 hotov\u00e9 ACL, tak ho (vo v\u00e4\u010d\u0161ine pr\u00edpadov) mus\u00edme zmaza\u0165 a vytvori\u0165 znova.\u00a0Odpor\u00fa\u010da sa nap\u00edsa\u0165 najprv ACL v textovom editore a n\u00e1sledne skop\u00edrova\u0165 do\u00a0<\/span>CLI<\/span><\/em><\/strong>\u00a0.\u00a0Pr\u00edpadne\u00a0<\/span>Cisco Network Assistant<\/span><\/em><\/strong>\u00a0m\u00e1 n\u00e1stroj na \u00fapravu ACL.<\/span><\/p>\n

                      Pozn .:<\/span><\/em><\/strong>\u00a0V\u00fdnimkou s\u00fa pomenovan\u00e9 ACL, kde s\u00fa ur\u010dit\u00e9 \u00fapravy mo\u017en\u00e9.<\/span><\/p>\n

                        \n
                      • na interfacu m\u00f4\u017eeme kombinova\u0165\u00a0<\/span>IP ACL<\/span><\/strong><\/em>\u00a0a\u00a0<\/span>MAC ACL<\/span><\/strong><\/em>\u00a0, aby sme filtrovali v\u0161etok prev\u00e1dzku<\/span><\/li>\n
                      • tie\u017e m\u00f4\u017eeme pou\u017e\u00edva\u0165 dohromady\u00a0<\/span>Port ACL<\/span><\/strong><\/em>\u00a0,\u00a0<\/span>Router ACL<\/span><\/strong><\/em>\u00a0aj\u00a0<\/span>VLAN m\u00e1p<\/span><\/strong><\/em>\u00a0, ale Port ACL m\u00e1 najv\u00e4\u010d\u0161iu prioritu, potom je Router ACL a a\u017e posledn\u00e1 VLAN m\u00e1p<\/span><\/li>\n<\/ul>\n

                        Wildcard subnet mask<\/span><\/h4>\n

                        U ACL sa Cisco rozhodlo nepou\u017e\u00edva\u0165 tradi\u010dn\u00e9\u00a0<\/span>masky podsiet\u00ed<\/span><\/em><\/strong>\u00a0(subnet mask), ale tzv.\u00a0<\/span>Wildcard mask<\/span><\/strong>\u00a0.\u00a0Je to mal\u00e9 skomplikovanie, ale Nejde o ni\u010d zlo\u017eit\u00e9.\u00a0Iba je potrebn\u00e9 na t\u00fato vlastnos\u0165 nezabudn\u00fa\u0165 pri konfigur\u00e1cii, preto\u017ee by mohlo d\u00f4js\u0165 k mno\u017estvu probl\u00e9mov.\u00a0T\u00e1to maska sa tie\u017e ozna\u010duje ako\u00a0<\/span>inverzne maska<\/span><\/em><\/strong>\u00a0(inverzia mask), \u010do ju lep\u0161ie popisuje.\u00a0Ide toti\u017e o opa\u010dn\u00fa masku k tradi\u010dnej maske.<\/span><\/p>\n

                        V\u00fdpo\u010det inverzne masky<\/span><\/em><\/strong>\u00a0je jednoduch\u00fd, vezmeme postupne v\u0161etky \u0161tyri oktety masky a spo\u010d\u00edtame<\/span>255 - oktet<\/code>.\u00a0Tak\u017ee napr\u00edklad maska<\/span>255.255.255.0<\/code>m\u00e1 inverzn\u00fd verziu<\/span>0.0.0.255<\/code>alebo k<\/span>255.255.192.0<\/code>ich<\/span>0.0.63.255<\/code>.<\/span><\/p>\n

                        Typy ACL<\/span><\/h3>\n

                        Najpou\u017e\u00edvanej\u0161ie je delenie ACL na dva typy<\/span><\/p>\n

                          \n
                        • \u0161tandard ACL<\/span><\/strong>\u00a0– star\u0161\u00ed a jednoduch\u0161ie verzie ACL s menej mo\u017enos\u0165ami konfigur\u00e1cie<\/span><\/li>\n
                        • extended ACL<\/span><\/strong>\u00a0– nov\u0161ie a zlo\u017eitej\u0161ie ACL s viacer\u00fdmi mo\u017enos\u0165ami<\/span><\/li>\n<\/ul>\n

                          \u010ealej existuj\u00fa r\u00f4zne \u0161peci\u00e1lne ACL, ktor\u00e9 s\u00fa \u010dasto odvoden\u00e9 z t\u00fdchto dvoch, ako je\u00a0<\/span>dynamic ACL<\/span><\/em>\u00a0,\u00a0<\/span>context-based ACL<\/span><\/em>\u00a0,\u00a0<\/span>Reflexive ACL<\/span><\/em>\u00a0alebo\u00a0<\/span>named ACL<\/span><\/em>\u00a0.<\/span><\/p>\n

                          Standard ACL – \u0161tandardn\u00e9 ACL<\/span><\/h4>\n
                            \n
                          • pou\u017e\u00edva \u010d\u00edsla\u00a0<\/span>1 – 99<\/span><\/strong>\u00a0a\u00a0<\/span>1300 – 1999<\/span><\/strong>\u00a0v roz\u0161\u00edrenom m\u00f3de<\/span><\/li>\n
                          • je jednoduch\u00e9 na konfigur\u00e1ciu<\/span><\/li>\n
                          • filtruje (pozer\u00e1 sa) len pod\u013ea zdrojov\u00e9 adresy a pou\u017e\u00edva sa ako odch\u00e1dzaj\u00face<\/span><\/li>\n
                          • pou\u017e\u00edva sa pre blokovanie prev\u00e1dzky bl\u00edzko cie\u013ea<\/span><\/li>\n<\/ul>\n
                            SWITCH (config) # access-list \u010d\u00edslo {deny | permit}<\/em> {hos\u0165 | source source-wildcard | any} [log]<\/strong><\/span><\/pre>\n
                            Pozn .:<\/span><\/em><\/strong>\u00a0<\/strong>Konfigur\u00e1cia \u0161tandard aj extended ACL sa vykon\u00e1va rovnako, rozli\u0161uje sa pod\u013ea pou\u017eit\u00e9ho \u010d\u00edsla.<\/span><\/p>\n
                            Na mieste\u00a0<\/span>deny|permit<\/code>m\u00f4\u017eeme tie\u017e pou\u017ei\u0165 k\u013e\u00fa\u010dov\u00e9 slovo\u00a0<\/span>remark<\/code>\u00a0a za neho vlo\u017ei\u0165 popis (koment\u00e1r) dan\u00e9ho pravidla.<\/span><\/p>\n
                            Volite\u013en\u00fd atrib\u00fat\u00a0<\/span>log<\/code>sp\u00f4sob\u00ed, \u017ee na konzolu a do logu bud\u00fa posielan\u00e9 inform\u00e1cie o paketoch, ktor\u00e9 splnia dan\u00e9 krit\u00e9ria (dan\u00e9 pravidlo).\u00a0Hod\u00ed sa pre ladenie, ale pre ostr\u00fa prev\u00e1dzku pr\u00edli\u0161 za\u0165a\u017euje zariaden\u00ed.<\/span><\/p>\n
                            Pr\u00edklad:<\/span><\/em><\/strong><\/p>\n
                            Nasleduj\u00face ACL s \u010d\u00edslom 5 povo\u013euje pr\u00edstup subnetu 10.5.1.0\/24 mimo adresy 10.5.1.10, v\u0161etky ostatn\u00e9 adresy s\u00fa zak\u00e1zan\u00e9.<\/span><\/p>\n
                            SWITCH (config) # access-list 5 deny host 10.5.1.10<\/strong> \r\nSWITCH (config) # access-list 5 permit 10.5.1.10 0.0.0.255 <\/strong>\r\nSWITCH (config) # access-list 5 deny any<\/strong><\/span><\/pre>\n
                            Pozn .:<\/span><\/em><\/strong>\u00a0Posledn\u00e9 pravidlo je defaultn\u00fd a nevklad\u00e1 sa.<\/span><\/p>\n
                            Extended ACL – roz\u0161\u00edren\u00e9 ACL<\/span><\/h4>\n
                              \n
                            • pou\u017e\u00edva \u010d\u00edsla\u00a0<\/span>100 – 199<\/span><\/strong>\u00a0a\u00a0<\/span>2000 – 2699<\/span><\/strong>\u00a0v roz\u0161\u00edrenom m\u00f3de<\/span><\/li>\n
                            • pozer\u00e1 sa na IP adresu zdroje aj ciele<\/span><\/li>\n
                            • kontroluje rad polo\u017eiek v hlavi\u010dke vrstvy 3 a 4 (protokol, port a pod.)<\/span><\/li>\n
                            • m\u00f4\u017ee blokova\u0165 prev\u00e1dzku kdeko\u013evek (najlep\u0161ie bl\u00edzko zdroja)<\/span><\/li>\n<\/ul>\n
                              Pozn .:<\/span><\/strong><\/em>\u00a0\u010eal\u0161ie \u010d\u00edseln\u00e9 rozsahy sa pou\u017e\u00edvaj\u00fa pre ostatn\u00e9 typy ACL, ako IPX, AppleTalk, XNS, apod.<\/span><\/p>\n
                              Extended ACL m\u00f4\u017ee kontrolova\u0165 tieto parametre<\/span><\/em><\/strong><\/p>\n
                                \n
                              • Vo\u00a0<\/span>3. vrstve<\/span><\/em><\/strong>\u00a0ISO \/ OSI, teda v IP hlavi\u010dke kontroluje:\u00a0<\/span>IP adresy<\/span><\/em>\u00a0,\u00a0<\/span>protokol<\/span><\/em>\u00a0,\u00a0<\/span>\u00fadaje z ToS<\/span><\/em>\u00a0(Type of Service – prioritu 802.1Q slu\u017ebu).<\/span><\/li>\n
                              • Vo\u00a0<\/span>4. vrstve<\/span><\/em><\/strong>\u00a0kontroluje v TCP hlavi\u010dke:\u00a0<\/span>porty a protokoly<\/span><\/em>\u00a0, v UDP hlavi\u010dke:\u00a0<\/span>porty<\/span><\/em>\u00a0, v ICMP hlavi\u010dke\u00a0<\/span>typ spr\u00e1vy<\/span><\/em>\u00a0.<\/span><\/li>\n<\/ul>\n
                                Pozn .:<\/span><\/strong><\/em>\u00a0Pri vyu\u017e\u00edvan\u00ed \u00fadajov z 4. vrstvy (teda portov) je treba uva\u017eova\u0165 fragmentovan\u00fd prev\u00e1dzku, preto\u017ee pri fragment\u00e1cii iba prv\u00fd paket obsahuje \u00fadaje zo 4. vrstvy.\u00a0M\u00f4\u017eeme vyu\u017ei\u0165 k\u013e\u00fa\u010dov\u00e9 slovo<\/span>fragments<\/code>v pravidle.<\/span><\/p>\n
                                SWITCH (config) # access-list \u010d\u00edslo {deny | permit} protokol<\/em> {hos\u0165 | source source-wildcard | any} [port] {hos\u0165 | destination destination-wildcard | any} [port]<\/strong> <\/span><\/pre>\n
                                Vy\u0161\u0161ie uveden\u00fd z\u00e1pis extended ACL je len zjednodu\u0161en\u00fd, je tu mo\u017en\u00e9 pou\u017ei\u0165 rad \u010fal\u0161\u00edch parametrov a vytvori\u0165 napr\u00edklad dynamick\u00fd ACL \u010di obmedzi\u0165 \u010dasovo platnos\u0165 ACL.<\/span><\/p>\n
                                Ako\u00a0<\/span>protokol<\/span><\/strong>\u00a0je mo\u017en\u00e9 pou\u017ei\u0165 IP, TCP, ICMP, UDP alebo aj rad \u010fal\u0161\u00edch.\u00a0Pod\u013ea zvolen\u00e9ho protokolu sa men\u00ed aj parametre, ktor\u00e9 m\u00f4\u017eeme v ACL pou\u017ei\u0165, napr\u00edklad port je mo\u017en\u00e9 pou\u017ei\u0165 len pri TCP a UDP.<\/span><\/p>\n
                                Pozn .:<\/span><\/strong><\/em>\u00a0Ak chceme filtrova\u0165 v\u0161etky protokoly, tak pou\u017eijeme<\/span>\u00a0IP<\/span><\/strong>\u00a0, ostatn\u00e9 patr\u00ed pod neho.<\/span><\/p>\n
                                Obmedzenie na\u00a0<\/span>port<\/span><\/strong>\u00a0sa zad\u00e1va pomocou oper\u00e1tora, m\u00f4\u017eeme pou\u017ei\u0165 oper\u00e1tory\u00a0<\/span>eq<\/code>(rovn\u00e1 sa),\u00a0<\/span>neq<\/code>(nerovn\u00e1),\u00a0<\/span>gt<\/code>(v\u00e4\u010d\u0161ie ako),\u00a0<\/span>lt<\/code>(men\u0161ie ako) a\u00a0<\/span>range<\/code>(rozsah).\u00a0Oper\u00e1tor s portom sa zad\u00e1va za zdrojov\u00fa adresu alebo za cie\u013eov\u00fa adresu a port sa potom aplikuje pri zdroji alebo cie\u013ea.<\/span><\/p>\n
                                Treba si dobre premyslie\u0165, kam umiestni\u0165 kontrolu portu (\u010di k zdroju alebo k cie\u013eu), pod\u013ea toho, \u010di aplikujeme ACL ako vstupn\u00e9 alebo v\u00fdstupn\u00e9 (je pop\u00edsan\u00e9 \u010falej).\u00a0Nasleduj\u00faci pr\u00edklad ukazuje dve mo\u017enosti.<\/span><\/p>\n
                                SWITCH (config) # access-list 105 permit tcp 10.1.0.0 0.0.0.255 any eq www<\/strong> \r\nSWITCH (config) # access-list 105 permit tcp 10.1.0.0 0.0.0.255 eq www any<\/strong><\/span><\/pre>\n
                                Pr\u00edklad:<\/span><\/em><\/strong><\/p>\n
                                ACL \u010d\u00edslo 105 povo\u013euje pr\u00edstup na server 10.5.1.10 odkia\u013eko\u013evek, ale iba na port 80 (teda http) a ping.<\/span><\/p>\n
                                SWITCH (config) # access-list 105 permit tcp any hos\u0165 10.5.1.10 eq 80<\/strong>  \r\nSWITCH (config) # access-list 105 permit ICMP any any echo<\/strong>  \r\nSWITCH (config) # access-list 105 permit ICMP any any echo-reply <\/strong>SWITCH ( config) # access-list 105 deny ip any any<\/strong>  <\/span><\/pre>\n
                                Pozn .:<\/span><\/em><\/strong>\u00a0Posledn\u00e9 pravidlo je defaultn\u00fd a nevklad\u00e1 sa.<\/span><\/p>\n
                                Named ACL – pomenovan\u00e9 ACL<\/span><\/h4>\n
                                  \n
                                • m\u00f4\u017eeme ho pou\u017ei\u0165 pre \u0161tandard aj extended ACL<\/span><\/li>\n
                                • umo\u017e\u0148uje upravova\u0165 \u010di maza\u0165 jednotliv\u00e9 pravidl\u00e1 v ACL<\/span><\/li>\n
                                • men\u00e1 sa lep\u0161ie pam\u00e4taj\u00fa<\/span><\/li>\n
                                • m\u00f4\u017eeme pou\u017ei\u0165 „neobmedzen\u00fd“ po\u010det pomenovan\u00fdch ACL<\/span><\/li>\n
                                • ako meno m\u00f4\u017eeme pou\u017ei\u0165 aj \u010d\u00edslo, ale to mus\u00ed patri\u0165 do spr\u00e1vneho rozsahu<\/span><\/li>\n<\/ul>\n
                                  Pozn .:<\/span><\/em><\/strong>\u00a0Hoci maj\u00fa pomenovan\u00e9 ACL ur\u010dit\u00e9 v\u00fdhody, tak Cisco v niektor\u00fdch materi\u00e1loch odpor\u00fa\u010da sk\u00f4r pou\u017e\u00edva\u0165 be\u017en\u00e9 ACL.\u00a0Pomenovan\u00e1 ACL nejd\u00fa pou\u017ei\u0165 \u00faplne v\u0161ade, ja v\u0161ak s nimi v praxi nemal probl\u00e9m.<\/span><\/p>\n
                                  Pomenovan\u00e9 ACL sa vytv\u00e1ra in\u00fdm sp\u00f4sobom.\u00a0Najprv vytvor\u00edme ACL a z\u00e1rove\u0148 sa prepneme do\u00a0<\/span>konfigura\u010dn\u00e9ho ACL m\u00f3du<\/span><\/strong><\/em>\u00a0.<\/span><\/p>\n
                                  SWITCH (config) # ip access-list {\u0161tandard | extended} meno<\/strong><\/span><\/pre>\n
                                  \u010ealej zad\u00e1vame jednotliv\u00e9 pravidl\u00e1 pod\u013ea typu ACL a s rovnak\u00fdmi mo\u017enos\u0165ami ako u \u010d\u00edslovan\u00fdch ACL.\u00a0\u010c\u00edslo riadka (na za\u010diatku pr\u00edkazu) je nepovinn\u00e9.<\/span><\/p>\n
                                  SWITCH (config-ext-nacl) # [\u010d\u00edslo riadka] permit | deny. <\/strong>..<\/span><\/pre>\n
                                  Ak si zobraz\u00edme ACL, tak uvid\u00edme, \u017ee jednotliv\u00e9 riadky s\u00fa o\u010d\u00edslovan\u00e9.\u00a0Pomocou t\u00fdchto \u010d\u00edsel m\u00f4\u017eeme pravidl\u00e1 maza\u0165 a nov\u00e9 pravidl\u00e1 m\u00f4\u017eeme vklada\u0165 na ur\u010dit\u00e9 miesto.<\/span><\/p>\n
                                  Pozn .:<\/span><\/strong><\/em>\u00a0Automatick\u00e1 \u010d\u00edsla riadku sa vytv\u00e1raj\u00fa po desiatkach (prv\u00e9 pravidlo 10, potom 20, 30 …) a riadky sa \u010d\u00edsluj\u00fa aj u nepomenovan\u00fdch ACL.\u00a0Ak zad\u00e1vame vlastn\u00e9 \u010d\u00edsla, tak tie sa pou\u017eij\u00fa a vid\u00edme je pri zobrazen\u00ed ACL.\u00a0Ak sa v\u0161ak pozrieme do running-config, tak tu tieto \u010d\u00edsla nie s\u00fa a po re\u0161tarte switcha sa automaticky pre\u010d\u00edsluj\u00fa.<\/span><\/p>\n
                                  Pr\u00edklad:<\/span><\/em><\/strong><\/p>\n
                                  SWITCH (config) # ip access-list extended meno<\/strong>  \r\nSWITCH (config-ext-nacl) # deny ip 192.168.190.100 0.0.0.1 host 192.168.190.200<\/strong>  \r\nSWITCH (config-ext-nacl) # permit ip any any<\/strong> <\/span><\/pre>\n
                                  Mal\u00e9 rady<\/span><\/h4>\n
                                    \n
                                  • k\u013e\u00fa\u010dov\u00e9 slovo host<\/span><\/strong>\u00a0– miesto\u00a0<\/span>10.0.5.2 0.0.0.0<\/span><\/strong>\u00a0m\u00f4\u017eeme pou\u017ei\u0165\u00a0<\/span>host 10.0.5.2<\/span><\/strong><\/li>\n
                                  • k\u013e\u00fa\u010dov\u00e9 slovo any<\/span><\/strong>\u00a0– miesto\u00a0<\/span>0.0.0.0 255.255.255.255<\/span><\/strong>\u00a0d\u00e1me\u00a0<\/span>any<\/span><\/strong><\/li>\n
                                  • Nemo\u017eno editova\u0165 alebo meni\u0165 poradie v be\u017en\u00fdch ACL, pravidl\u00e1 sa prid\u00e1vaj\u00fa na koniec.\u00a0Ak chceme nie\u010do zmeni\u0165, tak mus\u00edme cel\u00e9 ACL zmaza\u0165 a znova vytvori\u0165.<\/span><\/li>\n
                                  • Pri odstr\u00e1nen\u00ed ACL sa m\u00f4\u017ee sta\u0165, \u017ee ak je st\u00e1le aplikovan\u00e9 na interface, tak sa nahrad\u00ed defaultn\u00fdm z\u00e1kazom v\u0161etk\u00e9ho.\u00a0Spr\u00e1vne by v\u0161ak pri neexistencii ACL malo prech\u00e1dza\u0165 v\u0161etko.<\/span><\/li>\n<\/ul>\n
                                    Konfigur\u00e1cia ACL<\/span><\/h3>\n
                                    Konfigur\u00e1cia ACL sa vykon\u00e1va v dvoch krokoch<\/span><\/p>\n
                                      \n
                                    • vytvorenie ACL<\/span><\/strong>\u00a0– najprv vytvor\u00edme pravidl\u00e1 pod\u013ea typu ACL, vi\u010f.\u00a0predch\u00e1dzaj\u00face odseky<\/span><\/li>\n
                                    • aplik\u00e1cie ACL na rozhranie<\/span><\/strong>\u00a0– n\u00e1sledne mus\u00edme toto ACL priradi\u0165 k nejak\u00e9mu objektu, v tomto pr\u00edpade interfacu, to sa rob\u00ed v\u017edy rovnako<\/span><\/li>\n<\/ul>\n
                                      Aplik\u00e1cia ACL<\/span><\/h4>\n
                                      T\u00fdm, \u017ee aplikujeme ACL na\u00a0<\/span>interface<\/span><\/em><\/strong>\u00a0, tak riadime pr\u00edstup paketov k tomuto interfacu.\u00a0ACL (v rozsahu popisovanom v tomto \u010dl\u00e1nku) m\u00f4\u017eeme aplikova\u0165 na nejak\u00e9 rozhranie, ktor\u00fdm m\u00f4\u017ee by\u0165 port, s\u00e9riov\u00e1 linka, VLAN, a pod.<\/span><\/p>\n
                                      M\u00f4\u017eeme aplikova\u0165 iba jedno ACL pre interface, smer a protokol.\u00a0Protokolom je myslen\u00e9 IP, IPX, Apple Talk pod. Tak\u017ee napr\u00edklad pre jeden port v TCP \/ IP sieti m\u00f4\u017eeme aplikova\u0165 maxim\u00e1lne dve ACL (jedno vstupn\u00e9 – inbound a jedno v\u00fdstupn\u00e9 – outbound).<\/span><\/p>\n
                                      Pri umiest\u0148ovan\u00ed ACL je treba dobre rozm\u00fd\u0161\u013ea\u0165, aby bolo umiestnenie efekt\u00edvne.\u00a0Pokia\u013e to ide, tak je dobr\u00e9 voli\u0165 \u010do najbli\u017e\u0161ie zdroju, aby nebola za\u0165a\u017eovan\u00e1 sie\u0165.\u00a0M\u00f4\u017eeme v\u0161ak umiest\u0148ova\u0165 ACL iba na zariadenia, ktor\u00e9 kontrolujeme, tak\u017ee \u010dasto je potrebn\u00e9 nastavi\u0165 ACL bl\u00edzko cie\u013ea.<\/span><\/p>\n
                                      Aplik\u00e1cia ACL<\/span><\/em><\/strong>\u00a0je jednoduch\u00e1.\u00a0Prepneme sa na dan\u00fd interface a pomocou pr\u00edkazu ip<\/span>access-group<\/code>nastav\u00edme ACL ur\u010dit\u00e9ho \u010d\u00edsla alebo mena, spolu s ur\u010den\u00edm smeru.<\/span><\/p>\n
                                      SWITCH (config-if) # ip access-group {\u010d\u00edslo | meno ACL} {in | out}<\/strong><\/span><\/pre>\n
                                      Pozn .:<\/span><\/em><\/strong>\u00a0Na ot\u00e1zku jedn\u00e9ho \u010ditate\u013ea som sa do\u010d\u00edtal, \u017ee smer<\/span>\u00a0out<\/span><\/strong>\u00a0nie je podporovan\u00fd na<\/span>\u00a0L2 interface<\/span><\/strong>\u00a0(tzn. Portoch), ale iba na L3 (typicky VLAN a routovanie port).\u00a0A to sa t\u00fdka iba L3 (C3750) a vy\u0161\u0161\u00edch switchov, L2 switch (C2960) m\u00e1 iba in ACL.\u00a0Tak\u017ee smer<\/span>\u00a0out<\/span><\/strong>\u00a0vyu\u017eijeme iba na routeroch a L3 switchoch.\u00a0Pokia\u013e n\u00e1m ide o port ACL a switch, tak mus\u00edme dan\u00fd port previes\u0165 na routovanie, pomocou<\/span>no switchport<\/code>a nastavenie IP adresy.<\/span><\/p>\n
                                      Pr\u00edklad:<\/span><\/em><\/strong><\/p>\n
                                      SWITCH (config) # interface Serial0<\/strong>  \r\nSWITCH (config-if) # <\/span>ip access-group 5 i<\/span>n<\/span><\/strong><\/pre>\n
                                      Ur\u010denie smeru<\/span><\/strong><\/p>\n
                                      Ur\u010denie smeru, v ktorom m\u00e1 ACL p\u00f4sobi\u0165 nie je zlo\u017eit\u00e9.\u00a0Treba sa pozrie\u0165 na switch, kde ho aplikujeme a rozhodn\u00fa\u0165, \u010di chceme obmedzi\u0165 pakety, ktor\u00e9 z neho odch\u00e1dza (out) alebo hne\u010f na vstupe, tie ktor\u00e9 prich\u00e1dza (in).<\/span><\/p>\n
                                      Standard ACL<\/span><\/em><\/strong>\u00a0sa umiest\u0148uje bl\u00edzko cie\u013ea a mal by teda by\u0165 v\u017edy odch\u00e1dzaj\u00face –<\/span>out<\/code>.\u00a0Na nasleduj\u00facom obr\u00e1zku obmedzujeme prev\u00e1dzku, ktor\u00fd prich\u00e1dza na server.<\/span><\/p>\n
                                      \"\"<\/p>\n
                                      Extended ACL<\/span><\/em><\/strong>\u00a0sa v\u00e4\u010d\u0161inou sna\u017e\u00edme umiestni\u0165 \u010do najbli\u017e\u0161ie k zdroju a v tom pr\u00edpade je filter vstupn\u00e9 –<\/span>in<\/code>.<\/span><\/p>\n
                                      \"\"<\/p>\n
                                      Kontrola ACL<\/span><\/h3>\n
                                      P\u00e1r show pr\u00edkazov pre kontrolu ACL.<\/span><\/p>\n
                                      SWITCH # show ip interface       <\/strong> \/\/ zobraz\u00ed info interface a je tu vidie\u0165, ak je aplikovan\u00fd ACL \r\nSWITCH # show access-lists        <\/strong>\/\/ zoznam ACL (IP aj MAC) s pravidlami \r\nSWITCH # show ip access-lists     <\/strong>\/\/ zoznam IP ACL \r\nSWITCH # show <\/strong>running-config <\/strong>\/\/ v be\u017eiaci konfigur\u00e1cii s\u00fa take vidie\u0165 ACL aj ich aplik\u00e1cie     <\/span><\/pre>\n
                                      \u010eal\u0161ou met\u00f3dou pre ladenie ACL je vyu\u017eitie logovanie.\u00a0Ku ka\u017ed\u00e9mu pravidlu m\u00f4\u017eeme na koniec prida\u0165 k\u013e\u00fa\u010dov\u00e9 slovo log a potom s\u00fa logovanie v\u0161etky pakety, ktor\u00e9 splnia toto pravidlo.<\/span><\/p>\n
                                      Napr\u00edklad ak chceme vidie\u0165 komunik\u00e1ciu, ktor\u00e1 nie je zachyten\u00e1 \u017eiadnym pravidlom v ACL a je teda zak\u00e1zan\u00e1, m\u00f4\u017eeme na koniec prida\u0165 pravidlo<\/span><\/p>\n
                                      SWITCH (config) # access-list 5 deny any log<\/strong> <\/span><\/pre>\n
                                      ACL pre VTY<\/span><\/h3>\n
                                      Mimo fyzick\u00fdch interface (ako s\u00fa porty) m\u00e1me aj virtu\u00e1lne, napr. Virtual Terminal (VTY, kam m\u00f4\u017eeme pristupova\u0165 cez telnet \u010di ssh).\u00a0Na VTY by sme mali aplikova\u0165 iba jedno ACL, aj ke\u010f sa vytv\u00e1ra viac spojen\u00ed pre viac u\u017e\u00edvate\u013eov (preto\u017ee ich nem\u00f4\u017eeme rozli\u0161ova\u0165 – \u200b\u200bnevieme, cez ktor\u00e9 sa u\u017e\u00edvate\u013e pripoj\u00ed).<\/span><\/p>\n
                                      ACL pre VTY sa vytv\u00e1raj\u00fa rovnako, ale aplik\u00e1cia sa vykon\u00e1va pomocou pr\u00edkazu\u00a0<\/span>access-class<\/code>.<\/span><\/p>\n
                                      SWITCH (config) # line vty 0 4<\/strong>  \r\nSWITCH (config-line) # access-class 2 in<\/strong> <\/span><\/pre>\n
                                      Named Extended MAC ACL – pomenovan\u00e9 roz\u0161\u00edren\u00e9 MAC ACL<\/span><\/h3>\n
                                      Rovnako ako\u00a0<\/span>IP ACL<\/span><\/strong>\u00a0m\u00f4\u017eeme vytv\u00e1ra\u0165\u00a0<\/span>MAC ACL<\/span><\/strong>\u00a0, ktor\u00e9 filtruj\u00fa komunik\u00e1ciu pomocou\u00a0<\/span>MAC adries<\/span><\/strong><\/em>\u00a0a pou\u017e\u00edvaj\u00fa sa na interface druhej vrstvy (pod\u013ea OSI modelu).\u00a0Konfigur\u00e1cia a pou\u017eitie je podobn\u00e9.<\/span><\/p>\n
                                      Pozn .:<\/span><\/strong><\/em>\u00a0M\u00f4\u017eeme pou\u017ei\u0165 bu\u010f<\/span>\u00a0\u010d\u00edslovan\u00e9 \u0161tandardn\u00e9 MAC ACL<\/span><\/strong><\/em>\u00a0(\u010d\u00edsla 700 – 799),<\/span>\u00a0o\u010d\u00edslovan\u00e9 roz\u0161\u00edren\u00e9 MAC ACL<\/span><\/strong><\/em>\u00a0(\u010d\u00edsla 1100 – 1199) alebo<\/span>\u00a0pomenovan\u00e9 roz\u0161\u00edren\u00e9 MAC ACL<\/span><\/strong><\/em>\u00a0.\u00a0Na rade switchov je ale k dispoz\u00edcii iba<\/span>\u00a0pomenovanej roz\u0161\u00edren\u00e9 MAC ACL<\/span><\/strong><\/em>\u00a0.<\/span><\/p>\n
                                      SWITCH (config) # mac access-list extended jmeno<\/strong><\/span><\/pre>\n
                                      T\u00fdm prejdeme do\u00a0<\/span>extended MAC access-list<\/span><\/strong><\/em>\u00a0konfigura\u010dn\u00e9ho m\u00f3du, kde definujeme jednotliv\u00e9 pravidl\u00e1.<\/span><\/p>\n
                                      SWITCH (config-ext-Maclou) # [\u010d\u00edslo riadka] {deny | permit} {hos\u0165 source MAC | source MAC mask | any} {hos\u0165 destination MAC | destination MAC mask | any}<\/strong><\/span><\/pre>\n
                                      Pozn .:<\/span><\/strong><\/em>\u00a0Vy\u0161\u0161ie uveden\u00e9 pravidlo m\u00f4\u017ee obsahova\u0165 i rad volite\u013en\u00fdch parametrov, ktor\u00e9 ur\u010duj\u00fa napr\u00edklad EtherType alebo COS.<\/span><\/p>\n
                                      Pr\u00edklad:<\/span><\/em><\/strong><\/p>\n
                                      SWITCH (config) # mac access-list extended test<\/strong>  \r\nSWITCH (config-ext-Maclou) # permit hos\u0165 0000.1111.2222 any <\/strong>\r\nSWITCH (config-ext-Maclou) # deny any any<\/strong><\/span><\/pre>\n
                                      MAC ACL<\/span><\/strong><\/em>\u00a0sa aplikuje na interface 2. vrstvy a m\u00f4\u017eeme aplikova\u0165 iba jeden MAC ACL na interface.\u00a0Aplik\u00e1cia m\u00f4\u017ee by\u0165 len na vstupe (in).\u00a0Pre aplik\u00e1ciu sl\u00fa\u017ei pr\u00edkaz:<\/span><\/p>\n
                                      SWITCH (config-if) # mac access-group meno-ACL in<\/strong><\/span><\/pre>\n
                                      Pre zobrazenie aplik\u00e1cie MAC ACL na porty m\u00f4\u017eeme pou\u017ei\u0165 pr\u00edkaz:<\/span><\/p>\n
                                      SWITCH # show mac access-group<\/strong><\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
                                      Access Control List\u00a0(\u010falej len ACL) je zoznam pravidiel, ktor\u00e9 riadi pr\u00edstup k nejak\u00e9mu objektu.\u00a0ACL s\u00fa pou\u017e\u00edvan\u00e9 v rade aplik\u00e1ci\u00ed, \u010dasto u akt\u00edvnych sie\u0165ov\u00fdch prvkov, ale…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":431,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/456"}],"collection":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/comments?post=456"}],"version-history":[{"count":1,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/456\/revisions"}],"predecessor-version":[{"id":459,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/456\/revisions\/459"}],"up":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/431"}],"wp:attachment":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/media?parent=456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}