CCNA2 M11 Access Control Lists
TRANSCRIPT
5/27/2018 CCNA2 M11 Access Control Lists
CCNA Semester 2
Module 11
Access Control Lists
Objectives
Standard and extended ACLs
The rules for placement of ACLs
Create and apply named ACLs
Access Control List Fundamentals
What are ACLs
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACL
Reasons to create ACLs
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces.
Testing packets with ACLs
The order in which you place ACL statements is important.
A packet is checked against each condition statement, in the order in which the statements were created.
After a match is found, no more condition statements are checked.
If none of the ACL statements match, an implicit "deny any" statement is imposed.
Configuration task list
ACLs are classified as numbered or named ACLs; each has two types: standard and extended.
Configuration consists of two steps:
Create an ACL
Apply the ACL to an interface
Assigning ACL number
The ACL number must be within the range specified for the protocol.
Modifying a numbered ACL involves deleting the entire list and creating a new one.
Remove a numbered ACL:
no access-list list-number
Apply Access Lists
An ACL can be assigned to one or more interfaces and can filter inbound or outbound traffic.
ACLs must be defined on a per-protocol, per-direction, per-interface basis.
E.g.: only one IP access list on interface s0 in the inbound direction.
Types of Access Control Lists
Standard ACL Overview
Use a standard ACL when you want to: block all traffic from a network, allow all traffic from a network, or permit or deny an entire protocol suite.
Standard ACLs check the source address of packets that could be routed. The result is either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.
Standard ACL commands
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)# ip access-group access-list-number {in | out}
Access list number: 1-99, or 1300-1999 in recent IOS
Wildcard mask bits
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
A wildcard mask bit 0 means "check the corresponding bit value".
A wildcard mask bit 1 means "do not check (ignore) the corresponding bit value".
Wildcard & Subnet mask
Wildcard masks operate differently from IP subnet masks.
Subnet mask: the zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
Wildcard mask: the zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.
Wildcard any
Wildcard host
Examples: any, host
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
The two statements in each pair are equivalent: a wildcard of 255.255.255.255 ignores every bit (any), and a wildcard of 0.0.0.0 checks every bit (host).
Verifying ACLs
The show ip interface command displays IP interface information and indicates whether any ACLs are set.
The show access-lists command displays the contents of all ACLs on the router.
The show running-config command also reveals the access lists on a router and the interface assignment information.
Show ip interface
Show access-lists
Standard ACL examples
ACL Requirement
1. Do not allow traffic between outside and network 172.16.3.0
2. Node 172.16.4.13 can only access the Internet; network 172.16.4.0 (except 172.16.4.13) cannot access the Internet
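As an added example (not part of the original slides), the Python below models how a router tests a packet's source address against a standard numbered ACL: wildcard-mask matching, top-down first match with the implicit deny, and a check for statements that an earlier statement already covers and which therefore can never match. The ACL it evaluates is constructed for requirements 1 and 2 above; the interface and direction it would be applied to are assumptions, since the slides do not name them.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))
def wildcard_match(addr, base, wildcard):
    # Wildcard bit 0 = check that bit against 'base'; bit 1 = ignore it.
    w = to_int(wildcard)
    return to_int(addr) & ~w == to_int(base) & ~w
def parse_standard_acl(lines):
    # 'access-list N {permit|deny} (any | host A | A [WILDCARD])' -> (action, base, wildcard)
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"not a standard ACL statement: {line!r}")
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif src[0] == "host":
            entries.append((action, src[1], "0.0.0.0"))
        else:  # IOS assumes wildcard 0.0.0.0 (a single host) when none is given
            entries.append((action, src[0], src[1] if len(src) > 1 else "0.0.0.0"))
    return entries

def evaluate(entries, src_addr):
    # Statements are tested top-down; the first match decides, else the implicit 'deny any'.
    for action, base, wildcard in entries:
        if wildcard_match(src_addr, base, wildcard):
            return action
    return "deny"

def covers(a, b):
    # True if every address matched by entry b is also matched by earlier entry a:
    # a checks no bit that b ignores, and the two agree on every bit that a checks.
    (_, ba, wa), (_, bb, wb) = a, b
    wa, wb = to_int(wa), to_int(wb)
    return wb & ~wa == 0 and to_int(ba) & ~wa == to_int(bb) & ~wa
def unreachable(entries):
    # Indexes of statements that can never match because an earlier one already covers them.
    return [j for j in range(len(entries)) if any(covers(entries[i], entries[j]) for i in range(j))]

# Constructed standard ACL for requirements 1 and 2 above, assumed to be applied outbound on
# the Internet-facing interface (the slides do not name the interfaces).
ACL_1 = ["access-list 1 permit host 172.16.4.13",
         "access-list 1 deny 172.16.4.0 0.0.0.255",
         "access-list 1 deny 172.16.3.0 0.0.0.255",
         "access-list 1 permit any"]
# The same statements with 'permit any' moved up: both deny lines become dead.
ACL_1_MISORDERED = [ACL_1[0], ACL_1[3], ACL_1[1], ACL_1[2]]
```

Running unreachable() over a list before applying it catches the ordering mistake the slides warn about, which the router itself will never report.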
Extended ACL Overview
Extended ACLs provide a greater range of control than standard ACLs, including:
Protocols (IP, IPX, ICMP, TCP)
Source address (IP address, IPX address)
Destination address
Services or ports (Telnet, HTTP, FTP)
Other parameters (SYN, ACK, Echo)
Extended ACL commands
Router(config)# access-list ACL-number {permit | deny} protocol source [source-mask operator extended-para] destination [destination-mask operator extended-para] [log | log-input]
Router(config-if)# ip access-group access-list-number {in | out}
Access list number: 100-199, or 2000-2699 in recent IOS
Extended ACL parameters
Parameter: Description
access-list: Defines an access list
access-list-number: Protocol-dependent ACL number (100-199)
permit/deny: Defines a statement to allow/block traffic
protocol: The protocol in question, including IP, TCP, UDP, ICMP, GRE
source/destination: Source/destination address
source-mask/destination-mask: Wildcard mask: zero bits must match; one bits are not checked
operator: Logical operator: lt (less than), gt (greater than), eq (equal to), neq (not equal to)
extended-para: Extended parameter of the protocol used, e.g. port (for TCP/UDP), echo (for ICMP)
log | log-input: Records all ACL matches, including violations
in | out: Applies this access list to inbound or outbound traffic
Extended ACL: TCP/UDP protocol
Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port] destination [d-mask operator d-port] [established] [log | log-input]
Router(config-if)# ip access-group access-list-number {in | out}
established: only match if the ACK bit is set
Reserved port numbers
Extended ACL: ICMP protocol
Router(config)# access-list access-list-number {permit | deny} icmp source [source-mask] destination [destination-mask] [icmp-type [icmp-code] | icmp-message] [log | log-input]
Router(config-if)# ip access-group access-list-number {in | out}
Extended ACL: ICMP parameters
Parameter: Description
icmp-type: (Optional) A number between 0 and 255 specifying the ICMP message type
icmp-code: (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message: (Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name.
Named ACL Overview
Uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation. Considerations:
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
You cannot use the same name for multiple ACLs.
Named ACLs vs. Numbered ACLs
Named ACLs have their own configuration mode, with shorter and clearer command lines.
Named ACLs allow individual entries to be removed from a specific ACL.
A name is more understandable than a number.
Names eliminate the limit of 798 simple and 799 extended ACLs.
Named ACL commands
Router(config)# ip access-list {standard | extended} name
Router(config-{std-|ext-}nacl)# deny {source [source-wildcard] | any}
Router(config-{std-|ext-}nacl)# permit {source [source-wildcard] | any}
Router(config-if)# ip access-group name {in | out}
Router# show access-lists
Named ACL example
Inbound and Outbound
If the ACL is inbound, when the router receives a packet and prior to the routing process, the router checks the ACL's statements for a match.
If the ACL is outbound, after receiving and routing a packet to the outbound interface, the router checks the ACL's statements for a match.
Recommended Rule
Place extended ACLs as close to the source of the denied traffic as possible.
Place standard ACLs as close to the destination as possible.
Placing ACLs on inbound interfaces may help to reduce routing processing tasks.
Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.
Firewall architecture
Control VTY access with Access list
Instead of applying an ACL on all router interfaces to filter telnet sessions to the router's interfaces, use an ACL on the vty lines.
Access into and out of virtual terminal line ports can be controlled by IP numbered ACLs.
line vty 0 4
login
password cisco
access-class access-list-number {in | out}
Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router.
VTY Control Example
Extended ACL examples
(Topology figure: router RA; server 172.16.3.100)
Access List Requirements
1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13
2. Prevent all hosts except 172.16.4.13 on network 172.16.4.0 from accessing server 65.10.13.133
3. Prevent all hosts, except 172.16.3.100, on network 172.16.3.0 from accessing 172.16.4.13 using web and tftp
4. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.
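Added example, not from the slides: the same first-match evaluation carried to extended ACLs in Python, with the protocol field, port operators (eq/neq/lt/gt, resolving the port names the slides use) and the established keyword, which matches only when the TCP ACK bit is set. The constructed ACL covers requirements 1 and 4 above for server 172.16.4.13 only; applying it inbound on the Internet-facing interface is an assumption, as the slides name no interfaces.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "tftp": 69, "www": 80}  # subset of the IOS name table
OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}
def wildcard_match(addr, base, wildcard):
    # Wildcard bit 0 = compare that bit, bit 1 = ignore it.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w
def parse_address(tok, i):
    # 'any' | 'host A' | 'A WILDCARD' at tok[i] -> (base, wildcard, next index)
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2
def parse_port_test(tok, i):
    # Optional 'eq|neq|lt|gt PORT' at tok[i] -> (predicate or None, next index)
    if i < len(tok) and tok[i] in OPERATORS:
        op, port = tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (lambda p: OPERATORS[op](p, port)), i + 2
    return None, i
def parse_extended(line):
    # access-list N {permit|deny} PROTO SRC [op PORT] DST [op PORT] [established]
    tok = line.split()
    sbase, swc, i = parse_address(tok, 4)
    sport, i = parse_port_test(tok, i)
    dbase, dwc, i = parse_address(tok, i)
    dport, i = parse_port_test(tok, i)
    return tok[2], tok[3], (sbase, swc), sport, (dbase, dwc), dport, "established" in tok[i:]
def matches(entry, pkt):
    _, proto, src, sport, dst, dport, established = entry
    ok = proto in ("ip", pkt["proto"]) and wildcard_match(pkt["src"], *src) \
        and wildcard_match(pkt["dst"], *dst)
    ok = ok and (not sport or sport(pkt["sport"])) and (not dport or dport(pkt["dport"]))
    return ok and (not established or pkt["ack"])  # 'established': match only if ACK is set
def evaluate(acl_lines, pkt):
    # First match wins, top to bottom; no match falls through to the implicit 'deny any'.
    for entry in map(parse_extended, acl_lines):
        if matches(entry, pkt):
            return entry[0]
    return "deny"

# Constructed ACL for requirements 1 and 4 above (server 172.16.4.13 only), assumed to be
# applied inbound on the router's Internet-facing interface; the slides name no interfaces.
ACL_101 = ["access-list 101 deny tcp any host 172.16.4.13 eq telnet",
           "access-list 101 deny tcp any host 172.16.4.13 eq ftp",
           "access-list 101 permit tcp any host 172.16.4.13 eq www",
           "access-list 101 permit tcp any any established"]
```

A packet is a dict with proto, src, dst, sport, dport and ack keys; the last statement lets replies to sessions opened from inside back in while a new connection attempt from outside (ACK clear) falls to the implicit deny.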
ACL Challenge
Outer-network can't ping into inner-network
Do not allow outer-network to access inner-network except the web service on Web Server (.66)
Traffic between Net1 and Net3 is not allowed
Other networks can only access the web service on Web Server
Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link
Telnet to routers only from PC1
All other kinds of traffic are allowed
(Topology figure: routers R_1, R_2, R_3; Internet; Net1 .32, Net2 .64, Net3 .96 in 192.169.10.0/24; hosts PC1, PC2, PC3, Web; interfaces E0, E1, S0, S1)
Summary
ACL definition
How ACLs work
Wildcard mask
Standard numbered ACL configuration
Extended numbered ACL configuration
Named ACL configuration
Placing ACLs
CCNA2 Module 11