access list project
DESCRIPTION
This Project Installs the Securities on Different Routers located at different cities using CCNA tools Packet Tracer.TRANSCRIPT
SIX WEEKS INDUSTRIAL TRAININGSIX WEEKS INDUSTRIAL TRAINING1
Guided By :-Mr Barinder Singh
Presented By :-
2
NETMAX TECHNOLOGIES as an organization is established in 2001 in the field of Network Support, Network training, Software training and Embedded systems.
NETMAX TECHNOLOGIES also provide Technical Research & Development support and consultancy to some companies.
NETMAX TECHNOLOGIES provide the following Courses in IT & Embedded Systems given below:
Network Training:
CISCO CCNA, CCNP RED HAT LINUX 5 WINDOWS 2000, 2003 (MCP,MCSA & MCSE) MCITP 2008.
3
Software Training:C++C JAVA ( CORE JAVA & ADVANCE JAVA)ASP.NET We provide Technical support and consultancy to electronics
companies in the field of Embedded micro controllers like 8 bit and 16 bit family based embedded system design, analog systems design. Power electronics including dc/dc converters, ac/dc converters, thyristor firing based circuit, battery charging and monitor circuits etc.
4
5
Manage IP traffic as network access grows Filter packets as they pass through the router
6
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACLs can be configured at the router to control access to a network or subnet.
Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACLs can be configured at the router to control access to a network or subnet.
Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.
7
The following are some of the primary reasons to create ACLs:
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces
For example: Permit e-mail traffic to be routed, but block all telnet traffic.
If ACLs are not configured on the router, all packets passing through the router
will be allowed onto all parts of the network.
The following are some of the primary reasons to create ACLs:
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces
For example: Permit e-mail traffic to be routed, but block all telnet traffic.
If ACLs are not configured on the router, all packets passing through the router
will be allowed onto all parts of the network.
8
Different access list for Telnet
When configuring ISDN you need to use access list
Implicit deny at bottom
All restricted statements should be on first
There are two types
Standard
Extended
Different access list for Telnet
When configuring ISDN you need to use access list
Implicit deny at bottom
All restricted statements should be on first
There are two types
Standard
Extended
9
N1 N2
N3 N4 N5 N6
192.168.12.0
A
B C
192.168.34.0192.168.56.0
192.168.12.2 192.168.12.3
10
SRC IP AddressDEST IP AddressProtocol typeSRC PortDEST Port
SRC IP AddressDEST IP AddressProtocol typeSRC PortDEST Port
The first 2 bytes in the TCP/UDP header are the source port numberThe next 2 bytes in the TCP/UDP header are the Destination port number
The first 2 bytes in the TCP/UDP header are the source port numberThe next 2 bytes in the TCP/UDP header are the Destination port number
11
StandardChecks source addressPermits or denies entire protocol suite
ExtendedChecks source and destination addressGenerally permits or denies specific
protocols.
StandardChecks source addressPermits or denies entire protocol suite
ExtendedChecks source and destination addressGenerally permits or denies specific
protocols.
12
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range). Extended IP lists (2000-2699) (expanded range).
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range). Extended IP lists (2000-2699) (expanded range).
13
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ]
The no form of this command is used to remove a standard ACL. This is the syntax:Router(config)#no access-list access-list-number
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ]
The no form of this command is used to remove a standard ACL. This is the syntax:Router(config)#no access-list access-list-number
Config# Access-list 1 deny 192.168.1.0 0.0.0.255Config# access-list 1 permit any Config# Access-list 1 deny 192.168.1.0 0.0.0.255Config# access-list 1 permit any
14
Access-list 99 permit 192.168.1.1 wildcard maskAll 32 bits of an IP Address can be filteredWildcard inverse mask0=must match1= ignore
Access-list 99 permit 192.168.1.1 wildcard maskAll 32 bits of an IP Address can be filteredWildcard inverse mask0=must match1= ignore
MASK (192.168.1.1) Matching IP
0.0.0.0 (host) 192.168.1.1
0.0.0.255 192.168.1.0-255
0.0.255.255 192.168.0-255.0-255
0.255.255.255 192.0-255.0-255.0-255
255.255.255.255 0-255.0-255.0-255.0-255 (any)
15
Access-list 1 permit 200.0.0.9 0.0.0.0
Or
permit host 200.0.0.9
Access-list 1 permit 200.0.0.9 0.0.0.0
Or
permit host 200.0.0.9
Access-list 1 permit 0.0.0.0 255.255.255.255
Or
permit any
Access-list 1 permit 0.0.0.0 255.255.255.255
Or
permit any
16
17
• If no access list statement matches, then discard the packet.
18
First Hit or Best Fit?1. Access-list 99 deny host 192.168.1.1 0.0.0.0
access-list 99 permit any 255.255.255.255
2. Access-list 99 permit 192.168.1.0 0.0.0.255Access-list 99 deny host 192.168.1.1access-list 99 permit any
3. Access-list 99 deny host 192.168.1.1
4. Implicit deny at the end of every ACL
First Hit or Best Fit?1. Access-list 99 deny host 192.168.1.1 0.0.0.0
access-list 99 permit any 255.255.255.255
2. Access-list 99 permit 192.168.1.0 0.0.0.255Access-list 99 deny host 192.168.1.1access-list 99 permit any
3. Access-list 99 deny host 192.168.1.1
4. Implicit deny at the end of every ACL
19
ACLs are created in the global configuration mode. There are many different
types of ACLs including standard, extended, IPX, AppleTalk, and others. When
configuring ACLs on a router, each ACL must be uniquely identified by assigning a
number to it. This number identifies the type of access list created and must fall
within the specific range of numbers that is valid for that type of list.
Since IP is by far the most popular routed protocol, addition ACL numbers have been added to newer router IOSs. Standard IP: 1300-1999Extended IP: 2000-2699
20
{ in | out }
21
Account should be denied access to Sales
To steps to configure•Create a standard Access list•Apply ACL to proper interface inbound or outbound
192.168.0.5255.255.255.252
192.168.0.9255.255.255.252
A B
S0 S0
E0
E0
192.168.0.18255.255.255.248
S0 S1192.168.0.17255.255.255.248
192.168.0.6255.255.255.252
192.168.0.10255.255.255.252
192.168.0.33255.255.255.240
192.168.0.34255.255.255.240
22
A B
S0 S0
E0
E0
192.168.0.18255.255.255.248
S0 S1192.168.0.17255.255.255.248
192.168.0.5255.255.255.252
192.168.0.6255.255.255.252
192.168.0.9255.255.255.252
192.168.0.10255.255.255.252
192.168.0.33255.255.255.240
192.168.0.34255.255.255.240
Config# Access-list 1 deny 192.168.0.18 0.0.0.7Config# access-list 1 permit any
Config#int e 0 Config-if# ip access-group 1 out
Extended ACLs23
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.
At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.
Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols.
Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).
24
Access-list acl# {permit/Deny}
• Protocol• Src IP src
WCM• Dst IP dst
WCM• Opetrator port
• Protocol– OSPF– EIGRP– ICMP– TCP– UDP
RPIf you need to Block a routing protocol
IP• Operator
– eq– gt– lt– neq
25
26
28
192.168.0.34 should be denied FTP of 192.168.0.18
On Router R1Config# Access-list 100 deny tcp 192.168.0.34 0.0.0.0
192.168.0.18 0.0.0.0 eq 21Config# access-list 100 permit IP any any
Config#int s0Config-if# ip access-group 100 IN
S0
S0
E0E0
A B
192.168.0.18 should be denied website of 192.168.0.34
On Router R3Config# Access-list 100 deny tcp 192.168. 0.18 0.0.0.0
192.168.0.34 0.0.0.0 eq 80Config# access-list 100 permit IP any any
Config#int s0Config-if# ip access-group 100 IN
S1S0
192.168.0.18255.255.255.248
192.168.0.17255.255.255.248
192.168.0.5255.255.255.252
192.168.0.6255.255.255.252
192.168.0.9255.255.255.252
192.168.0.10255.255.255.252
192.168.0.33255.255.255.240
192.168.0.34255.255.255.240
29
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any
30
For extended access list apply near to the source For standard access list apply near to the destination
31
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers.
The characteristics of named accesslist: Identify an ACL using an alphanumeric name. You can delete individual statements in a named access
list Named access lists must be specified as standard or
extended You can use the ip access-list command to create
named access lists.
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
The same name may not be used for multiple ACLs.
32
Numbered Access list did not give you any hint, What is filtered
Named ACL’s are both basic and advanced filtering tool
Name cannot start with a number or !
Cannot have space in the name
Should not have ? Character anywhere in the name
Name is case sensitive
33
R1(config)#ip access-list standard blocksalesR1(config-std-nacl)#deny 172.16.40.0
0.0.0.255R1(config-std-nacl)#permit anyR1(config-std-nacl)#exitR1(config)#^ZR1#
#Int e 0#Ip access-group blocksales out
34
35
Standard IP access lists should be applied closest to the destination. Extended IP access lists should be applied closest to the source. Use the inbound or outbound interface reference as if looking at the port from inside the router. Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied. There is an implicit deny at the end of all access lists. This will not appear in the configuration listing. Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last. Never work with an access list that is actively applied. New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs. Outbound filters do not affect traffic originating from the local router.
According to our project we are having three locations at pta.,chd and delhi having two departments i.e sale and mkt in each respectively. The three different locations are made to communicate with each other through the use of different routing protocols.For securities we create the rules on router to control the traffic according to the requirement.The working of this project is also shown in the simmulator.
We want that sale dept systems can communicate with marketing dept,so we will take a manageable switch and create vlans for each dept and assign the ports to the vlan and attach the particular dept sys in its vlan. The broadcasting remains in the vlan
Configuration of vlan :Switch>enableSwitch#vlan databaseSwitch(vlan)# vlan 2 name saleSwitch(vlan)# vlan 3 name mkt.Switch(vlan)exitSwitch# config tSwitch(config)# int range f0/1 , f0/2Switch(config)# switchport access vlan 2Switch(config)# exitSwitch#config tSwitch(config)# int range f0/3 , f0/4Switch(config)# switchport access vlan 3Switch(config)# exitSwitch#wr
Suppose we want that vlan2 communicates with vlan3, so we will take a router and configure intervlan on it.
Configuration of intervlan on router:Router>enableRouter#config tRouter(config)#hostname patialapatiala(config)#int f0/0patiala(config)#no shutdown Patiala(config)#int f0/0.1Patiala(config)#encapsulation dot1q 2Patiala(config)#ip address 192.168.10.1 255.255.255.0Patiala(config)#no shutdownPatiala(config)#int f0/0.2 Patiala(config)#encapsulation dot1q 3Patiala(config)#ip address 192.168.11.1 255.255.255.0Patiala(config)#no shutdownPatiala(config)#exitPatiala(config)#wr
After doing this all the sale dept systems communicate with mkt dept. systems.Now if we want that the following sale dept systems can’t communicate with mkt dept systems configure with ip 192.168.13.2Sale dept system 192.168.10.2 ,192.168.10.16. For this we will create the acls on router to manage the traffic
How to configure the acls:patiala > enablePatiala #config tPatiala (config)#access – list 130 deny ip 192.168.10.2 0.0.0.0 192.168.13.2 0.0.0.0Patiala (config)#access – list 130 deny ip 192.168.10.16 0.0.0.0 192.168.13.2 0.0.0.0Patiala (config)# access – list 130 permit ip any any
For applying these acls we use the interface through which the data is sent and received on the network.Patiala (config )#int f0/0.1Patiala (config)#ip access –group 130 inPatiala (config)#exitPatiala#wr
We are having the three companies on the different locations and we will configure the router,switches in the same way as we configure on Patiala router but we will also control the traffic on the different locations so that some Patiala systems can’t communicate with some chd and some delhi systems.
For example we want that the system with ip 192.168.11.2 i.e at pta location can’t communicate with the system with ip 192.168.14.2 and 192.168.17.2 which are at chd and delhi locations respectively.
For this we will again create the acls on router to manage the traffic.
patiala > enablePatiala #config tPatiala (config)#access – list 130 deny ip 192.168.11.2 0.0.0.0 192.168.14.2 0.0.0.0Patiala (config)#access – list 130 deny ip 192.168.11.2 0.0.0.0 192.168.17.2 0.0.0.0Patiala (config)# access – list 130 permit ip any anyFor applying these acls we use the interface through which the data is sent and received on the networkPatiala (config )#int f0/0.2Patiala (config)#ip access –group 130 inPatiala (config)#exitPatiala#wr
44