Access Control Lists
Uploaded by mechelle-george
Transcript of Access Control Lists
Page 1: Access Control Lists
Page 2: Types
Standard
Extended
Page 3: Standard ACLs
Use only the packet's source address for comparison.
Numbered 1-99.
Page 4: Extended ACLs
Provide more precise (finer tuned) packet selection based on:
Source and destination addresses
Protocols
Port numbers
Numbered 100-199.
Page 5: Steps to Create an ACL
Create the ACL in global config.
Assign it to an interface.
Decide the direction: In or Out.
Page 6: How do ACLs work?
Processing occurs line by line from top to bottom.
New lines are added at the end of the current list.
The last line of an ACL is an implicit "deny any."
Page 7: How does a Standard ACL work?
If the source IP address is matched, the permit or deny statement is processed:
Permit – the action in the ACL is performed.
Deny – the packet is dropped.
Implicit Deny – if a packet's address does not match an earlier statement, the implicit deny any at the end of every ACL applies and the packet is dropped.
Page 8: Wildcard Masks
Are used to specify (by bits) the traffic you are trying to filter by address.
Use 1s to ignore, 0s to match.
In the example below, only the first 2 octets will be examined:
172.16.0.0 0.0.255.255
Page 9: Global Standard ACL command
access-list access-list-number {permit | deny} source-ip-address wildcard-mask [log]
log – causes each packet that matches this statement to generate a log entry that is recorded by the router.
Page 10: Examples of Standard ACLs
To permit all packets from the network number 172.16.0.0:
access-list 20 permit 172.16.0.0 0.0.255.255
Page 11: Examples Cont'd
To permit traffic from the host 172.16.1.1 only:
access-list 20 permit 172.16.1.1 0.0.0.0
Page 12: Examples Cont'd
To permit traffic from any source address:
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any
Page 13: Examples Cont'd
To permit traffic from the subnet 12.16.0.0 through 12.31.0.0:
access-list 20 permit 12.16.0.0 0.15.255.255
Page 14: Identical Statements
access-list 22 permit 0.0.0.0 255.255.255.255
access-list 22 permit any
Page 15: Identical Statements
access-list 23 permit 172.16.1.1 0.0.0.0
access-list 23 permit host 172.16.1.1
Page 16: How does an Extended ACL work?
All conditions must match.
Test sequence, in this order:
Source Address
Destination Address
Protocol
Port No. or Protocol Options
Permit or Deny decision
Page 17: Extended ACL command
access-list number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number [log]
Page 18: Some Protocols with Port Numbers
FTP – 21
Telnet – 23
SMTP – 25
DNS – 53
TFTP – 69
WWW (HTTP) – 80
POP3 – 110
SNMP – 161
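As an added illustration that is not part of the slides, the following model shows the matching rules the pages above describe: wildcard-mask comparison (1 bits ignored, 0 bits compared), top-down first-match processing with the implicit deny any, and the extended-ACL test order (source, destination, protocol, port). The Ace class, the evaluate function and the two sample lists are constructed for this example; real IOS also accepts port operators other than eq, which this model omits.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored.
    'any' is 0.0.0.0 255.255.255.255 and 'host X' is X 0.0.0.0."""
    care = 0xFFFFFFFF ^ ip2int(wildcard)   # the bits that are compared
    return (ip2int(addr) & care) == (ip2int(base) & care)

@dataclass                                # hypothetical model of one ACL statement
class Ace:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"              # extended only; "ip" matches every protocol
    dst: str = "0.0.0.0"              # standard ACLs test only the source, so the
    dst_wc: str = "255.255.255.255"   # destination defaults to 'any'
    port: Optional[int] = None        # 'eq port-number'; meaningful for tcp/udp only
    log: bool = False

def evaluate(acl: List[Ace], src: str, dst: str = "0.0.0.0", protocol: str = "ip",
             port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first full match decides. Returns (action, line); line is None
    when the packet fell through to the implicit 'deny any' that ends every ACL."""
    for line, ace in enumerate(acl, start=1):
        if not wildcard_match(src, ace.src, ace.src_wc):       # 1. source
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):       # 2. destination
            continue
        if ace.protocol != "ip" and ace.protocol != protocol:  # 3. protocol
            continue
        if ace.port is not None and ace.port != port:          # 4. port
            continue
        if ace.log:   # 'log' keyword: record the match, as the router would
            print(f"list line {line} {ace.action} {protocol} {src} -> {dst}")
        return ace.action, line
    return "deny", None   # implicit deny any: no statement matched

# Constructed sample lists mirroring the slides' examples
STANDARD_20 = [
    Ace("permit", "12.16.0.0", "0.15.255.255"),   # 12.16.0.0 through 12.31.255.255
    Ace("permit", "172.16.1.1", "0.0.0.0"),       # identical to 'permit host 172.16.1.1'
]
EXTENDED_101 = [   # deny tcp 172.16.0.0 0.0.255.255 any eq 23 log / permit ip any any
    Ace("deny", "172.16.0.0", "0.0.255.255", "tcp", "0.0.0.0", "255.255.255.255", 23, True),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]
```

Calling evaluate(STANDARD_20, "12.32.0.1") returns ("deny", None): nothing matched, so the implicit deny any applied even though the list contains only permit statements.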
Page 19: Major differences
Standard ACL: uses only the source address and requires fewer CPU cycles. Place it as close to the destination as possible.
Extended ACL: more flexible and requires more CPU cycles. Place it as close to the source as possible. (This keeps undesired traffic and ICMP messages away from the network backbone.)
Page 20: Do I place an ACL in?
In: requires less CPU processing because a packet denied on the inbound interface is dropped before any routing lookup is performed for it.
The filtering decision is made before the routing table is consulted.
Page 21: Do I place an ACL out?
Out: the routing decision has already been made and the packet is switched to the proper outbound interface before it is tested against the access list.
ACLs are outbound unless otherwise specified.