Accessing_WAN_Chapter5-ACL.ppt

8/11/2019 Accessing_WAN_Chapter5-ACL.ppt

1/86

Rick Graziani [email protected] 1


2/86

Part 1: ACL Fundamentals

CCNA 2 version 3.1


3/86

Qu son los ACLs?

An access list is a sequential series of commands or filters. These lists tell the router what types of packets to:

Aceptar (accept) o

Denegar (deny)

La aceptacin y rechazo se pueden basar en ciertascondiciones especficas

Los ACLs se aplican en las interfaces del router.


4/86

What are ACLs?

El router examina cada paquete para determinar si lo enviahacia adelante o lo elimina, basado en las condicionesespecificadas en el ACL.

Algunos criterios de desicin del ACL son:

Direccin IP origen Direccin IP destino

Protocolos UDP o TCP

Upper-layer (TCP/UDP) port numbers


5/86


6/86

Cmo trabajan los ACL?

An ACL is a group of statements that define whether packets areaccepted or rejected coming into an interface or leaving an interface.

ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the

rest of the ACL statements are not checked.

If all the ACL statements are unmatched, an implicit " deny any"statement is placed at the end of the list by default. (not visible)

When first learning how to create ACLs, it is a good idea to add theimplicit denyat the end of ACLs to reinforce the dynamic

presence of the command line.


7/86Rick Graziani [email protected] 7

Una ACL por protocolo: Para controlar el flujo de trfico de una interfaz, se debe

definir una ACL para cada protocolo habilitado en la

interfaz.

Una ACL por direccin: Las ACL controlan el trfico en una direccin a la vez de

una interfaz. Deben crearse dos ACL por separado para

controlar el trfico entrante y saliente.

Una ACL por interfaz: Las ACL controlan el trfico para una interfaz, por ejemplo,

Fast Ethernet 0/0.


8/86

How ACLs work

Access list statementsoperate in sequential, logicalorder.

They evaluate packets from the top down.

Once there is an access list statement match, the packet

skips the rest of the statements. If a condition match is true, the packet is permitted or

denied.

There can be only one access list per protocolper

interface. There is an implicit deny any at the end of every access

list.

ACLs do not block packets that originate within the

router. (ie. pings, telnets, etc.)


9/86

Two types of ACLs

1. ACL Estndar - Standard IP ACLs

Slo puede filtrar la direccin IP Origen

Se coloca lo mas cerca posible al destino


10/86



Tipos de ACL: Intervalos


12/86

Creating Standard ACLs2 Steps


13/86

Creating ACLs2 Steps

(Standard IP)



Ubicacin de las ACL

Las reglas bsicas son:

Ubicar lasACL extendidaslo ms cerca posible del origendel trfico denegado. De esta manera, el trfico no

deseado se filtra sin atravesar la infraestructura de red.

Como lasACL estndarno especifican las direcciones dedestino, colquelas lo ms cerca del destino posible.


15/86

Ejemplo1

Task:

Permit only the host 172.16.30.2 from exiting the Salesnetwork.

Deny all other hosts on the Sales network from leaving

the 172.16.30.0/24 network.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0

RouterA RouterB RouterC

Administration Sales Engineering


16/86

Learn by example!

RouterB(config)#access-list 10 permit 172.16.30.2

Implicit deny any-do not need to add this, discussed later

RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0

.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Step 1ACL statements Implicit deny any, which is automatically added.

(Standard IP)

Test Condition


17/86

From Cisco Web Site

Applying ACLs

You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to the router's

interface.

It is a good practice to apply the Standard ACLs on the interface closest to thedestinationof the traffic and Extended ACLs on the interface closest to thesource.

Defining In, Out, Source, and Destination

Out- Traffic that has already been routed by the router and is leaving theinterface

In- Traffic that is arriving on the interface and which will be routed router.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0




18/86

CASO 1: Aplicando en la interfase Ethernet

RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0



RouterB(config)# interface e 0

RouterB(config-if)# ip access-group 10 in

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Step 2Apply to an interface(s)


19/86




RouterB(config)# interface s 0

RouterB(config-if)# ip access-group 10 out



172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



Step 2Or the outgoing interfaces Which is preferable and why?

CASO 2: Aplicando en las interfases Seriales


20/86








172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Because of the implicit deny any, this has an adverse affect of also denying

packets from Administration from reaching Engineering, and denying packets from

Engineering from reaching Administration.

CASO 2: Aplicando en las interfases Seriales


21/86

ACL: La mejor opcin






172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Preferred, this access list will work to all existing and new interfaces on RouterB.


22/86

Ejemplo 2

Task:

Permit only the hosts 172.16.30.2, 172.16.30.3,172.16.30.4, 172.16.30.5 from exiting the Sales

network.

Deny all other hosts on the Sales network from leaving

the 172.16.30.0/24 network.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0




23/86









172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Once a condition is met, all other statements are ignored, so the implicit

deny anyonly applies to not-matched packets.

Ejemplo 2


24/86


25/86

Example 3

Task:

Deny only the host 172.16.30.2 from exiting the Salesnetwork.

Permit all other hosts on the Sales network to leave the

172.16.30.0/24 network.

Keyword any can be used to represent all IP Addresses.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Ejemplo 3


26/86

Example 3


RouterB(config)#access-list 10 permit any





172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Order matters! What if these two statements were reversed? Does the

impl ic i t deny anyever get a match? No, the permit any will cover all other

packets.

Ejemplo 3


27/86

Example 3







172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0

.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



El orden importa: In this case all packets would be permitted, because all packets

would match the first access list statement. Once a condition is met, all other

statements are ignored. The second access list statement and the implicit deny any

would never be used. This would not do what we want.

Ejemplo 3


28/86

Note on inbound access lists

When an access lists applied to an inbound interface, the packets arechecked against the access list before any routing table lookupprocess occurs.

We will see how outbound access listwork in a moment, but they areapplied after the forwarding decision is made, after the routing tablelookup process takes place and an exit interface is determined.

Once a packet is denied by an ACL, the router sends an ICMPDestination Unreachable message, with the code value set toAdministratively Prohibited to the source of the packet.



Implicit deny any(do not need to add this, discussed later):





29/86


30/86

Time for Wildcard Masks!

A wildcard maskis a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to

treat the corresponding IP address bits.

The term wildcard masking is a nickname for the ACL mask-bitmatching process and comes from of an analogy of a wildcard thatmatches any other card in the game of poker.

Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

Subnet masks start from the left side of an IP address and worktowards the right to extend the network field by borrowing bits from thehost field.

Wildcard masks are designed to filter individual or groups of IPaddresses permitting or denying access to resources based on the

address.


31/86

Wildcard Masks!

Trying to figure out how wildcard masks work by relatingthem to subnet masking will only confuse the entire matter.

The only similarity between a wildcard mask and a subnet

mask is that they are both thirty-two bits long and use ones

and zeros for the mask.

This is not entirely true.

Although it is very important that you understand how awildcard mask works, it can also be thought as an inverse

subnet mask.

We will see examples in a moment


32/86

Wildcard Masks!

Wildcard masking used to identify how to treat the corresponding IP address bits.

0- checkthe corresponding bit value. 1- do not check(ignore) that corresponding bit value.

A zeroin a bit position of the access list mask indicates that the correspondingbit in the address must be checked and must match for condition to be true.

A onein a bit position of the access list mask indicates the corresponding bit inthe address is not interesting, does not need to match, and can be ignored.

10101100.00010000.00000000.00000000

00000000.00000000.11111111.11111111

------------------------------------

10101100.00010000.any value.any value

A Match Matching packets will look like this

Test Condition

The packet

Test

Conditon


33/86

Wildcard Masks!

0- checkthe corresponding bit value.

1- do not check(ignore) that corresponding bit value.

10101100.00010000.00000000.00000000

00000000.00000000.11111111.11111111

------------------------------------

10101100.00010000.any value.any value

A Match

Must Match No Match Necessary

Resulting in the bits that must match or doesnt matter.

Matching packets will look like this.

Test Condition

Test

Conditon

The packet


34/86

Ejemplo 4Usando Wildcard Masks

Task:

Want RouterA to permit entire sales network and justthe 172.16.50.2 station.

Deny all other traffic from entering Administrative

network.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0




35/86

Example 4Using Wildcard Masks

172.16.30.0 0.0.0.255

0 check - make sure first octet is 172 0 check - make sure second octet is 16 0 check - make sure third octet is 30 255 - dont check (permitany fourth octet)

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255


172.16.50.2 0.0.0.0

0 check - make sure first octet is 172 0 check - make sure second octet is 16 0 check - make sure third octet is 50 0 check - make sure fourth octet is 2


36/86


172.16.30.0 10101100 . 00010000 . 00011110 . 00000000

0.0.0.255 00000000 . 00000000 . 00000000 . 11111111

-----------------------------------------

172.16.30.0 10101100 . 00010000 . 00011110 . 00000000

172.16.30.1 10101100 . 00010000 . 00011110 . 00000001

... (through)

172.16.30.255 10101100 . 00010000 . 00011110 . 11111111

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0




0 = check, we want this to match, 1 = dont check (dont care)

Test

Conditon

The

packet(s)


37/86


172.16.50.2 10101100 . 00010000 . 00110010 . 00000010

0.0.0.0 00000000 . 00000000 . 00000000 . 00000000

-----------------------------------------

172.16.50.2 10101100 . 00010000 . 00110010 . 00000010

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0





Test

Conditon

The

packet(s)


38/86


172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0





RouterA(config)# interface e 0

RouterA(config-if)#ip access-group 11 out

Dont forget to apply the access-list to an interface.


39/86


172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0




RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255



Remember that implicit deny any? Its a good idea for beginners to include

the deny any statement just as a reminder.

E l 4 U i Wild d M k


40/86


172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255


0.0.0.0 00000000 . 00000000 . 00000000 . 00000000

255.255.255.255 11111111 . 11111111 . 11111111 . 11111111

-----------------------------------------

0.0.0.0 00000000 . 00000000 . 00000000 . 00000000

0.0.0.1 00000000 . 00000000 . 00000000 . 00000001

... (through)

255.255.255.255 11111111 . 11111111 . 11111111 . 11111111

Test

Conditon

The

packet(s)

k d


41/86

any keyword

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0




Or

RouterA(config)#access-list 11 deny any

any = 0.0.0.0 255.255.255.255

Simply put, the anyoption substitutes 0.0.0.0 for the IP address and255.255.255.255 for the wildcard mask.

This option will match any address that it is compared against.

k d F E l 3


42/86

any keyword From Example 3

Previous example:

Deny only the host 172.16.30.2 from exiting the Sales network. Permit all other hosts on the Sales network to leave the 172.16.30.0/24

network.

Keyword any can be used to represent all IP Addresses.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



RouterB(config)#access-list 10 deny 172.16.30.2


or


A t b t tb d li t


43/86

A note about outbound access lists

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0








This will deny packets from 172.16.30.0/24 from reaching all devices in the

172.16.10.0/24 Administration LAN, except RouterAs Ethernet 0 interface, of

172.16.10.1. The access list will need to be applied on Router As Serial 0

interface for it to be denied on RouterAs Ethernet 0 interface. A better

soluton is to use an Extended Access list. (coming)

Denied

Denied

But can

reachthis

interface

ACL h t ti


44/86

ACL: host option


RouterB(config)#access-list 10 permit host 192.168.1.100

Permit the following hosts:

Network/Subnet Mask Address/Wildcard Mask

A. 172.16.10.100 172.16.10.100 0.0.0.0

B. 192.168.1.100 192.168.1.100 0.0.0.0

The hostoption substitutes for the 0.0.0.0 mask.

This mask requires that all bits of the ACL address and the packet addressmatch.

The host keyword precedes the IP address. This option will match just one address.

172.16.10.100 0.0.0.0 replaced b y host 172.16.10.100

192.168.1.100 0.0.0.0 replaced b y host 192.168.1.100

V if i A Li t


45/86

Verifying Access Lists

V if i A Li t


46/86


V if i A Li t


47/86


Note: More than one interface can use the same access-

list.

Filt l t fi T l t


48/86


Filtrar el trfico Telnet

Slo se

pueden

aplicar listas

de acceso

numeradas alas VTY.


49/86


50/86

Part 2: ACL Operations

CCNA 2 version 3.1

Inbound Standard Access Lists


51/86

Inbound Standard Access Lists

With inboundAccess Lists the IOS checks the packets beforeit is sent to theRouting Table Process.

With outboundAccess Lists, the IOS checks the packets afterit is sent to theRouting Table Process, except destined for the routers own interface.

This is because the output interface is not known until the forwarding

decision is made.

Inbound Access Lists


RouterA(config-if)#ip access-group 11 in

Standard ACL


52/86

Standard ACL

We will see why in a moment.

The full syntaxof the standard ACL command is:

Router(config)#access-listaccess-list-number{deny |permit} source [source-wildcard] [log]

The no formof this command is used to remove a standard ACL. This isthe syntax: (Deletes entire ACL!)

Router(config)#no access-listaccess-list-number


53/86

Extended Access Lists


54/86

Extended Access Lists

Operator and operandcan also referto ICMP Types and Codes orwhatever the protocolis beingchecked.

If the operator and operandfollowthe source addressit refers to thesource port

If the operator and operandfollowthe destination addressit refers tothe destination port.

Extended Access Lists Examples


55/86

Extended Access Lists - Examples

The ip access-groupcommand links an existing extended ACL toan interface. Remember that only one ACL per interface, per direction, per protocol

is allowed. The format of the command is:

Router(config-if)#ip access-group access-list-number{in | out}

port number or protocol name

Ejemplo 1: ACL Extendida


56/86


Task

What if we wanted Router A to permit only the Engineering workstation172.16.50.2 to be able to access the web server in Administrative

network with the IP address 172.16.10.2 and port address 80.

All other traffic is denied.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Port

80

Example 1

Ej l 1 AC E did


57/86

Example 1

RouterA(config)#access-list 110 permit tcp host 172.16.50.2host 172.16.10.2 eq 80

RouterA(config)#inter e 0


172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



Port

80

Why is better to place the ACL on RouterA instead of RouterC? Why is the e0 interface used instead of s0 on RouterA?

Well see in a moment!


Example 2

Ej l 2 ACL E t did


58/86

Example 2

Task

What if we wanted Router A to permit any workstation on the Salesnetwork be able to access the web server in Administrative network

with the IP address 172.16.10.2 and port address 80.

All other traffic is denied.

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1.1 .1.2 .2

s0 s0 s1 s0



Port

80


Example 2

Ej l 2 ACL E t did


59/86

Example 2

172.16.10.2/24

172.16.10.3/24

172.16.30.2/24

172.16.30.3/24

172.16.50.2/24

172.16.50.3/24

172.16.20.0/24 172.16.40.0/24

e0 e0 e0.1 .1 .1

.1 .1.2 .2

s0 s0 s1 s0



Port

80

RouterA(config)#access-list 110 permit tcp 172.16.30.00.0.0.255 host 172.16.10.2 eq 80

RouterA(config)#inter e 0


When configuring access list statements, use the ?to walk yourselfthrough the command!



60/86


61/86

ACLs con Nombre (Named ACLs)


62/86


IP named ACLs were introduced in Cisco IOS Software Release 11.2. Allows standard and extended ACLs to be given names instead of

numbers.

The advantages that a named access list provides are:1. Intuitively identify an ACL using an alphanumeric name.

2. Eliminate the limit of 798 simple and 799 extended ACLs

3. Named ACLs provide the ability to modify ACLs without deleting

and then reconfiguring them.

4. It is important to note that a named access list will allow the

deletion of statements but will only allow for statements to be

inserted at the end of a list.

5. Even with named ACLs it is a good idea to use a text editor to

create them.

ACLs Nombradas


63/86


ACLs Nombradas


64/86




65/86

A named ACL is created with the ip access-listcommand.

This places the user in the ACL configuration mode.


Named ACLs


66/86

Named ACLs

In ACL configuration mode, specify one or more conditions to bepermitted or denied.

This determines whether the packet is passed or dropped when theACL statement matches.

Named ACLs


67/86

Named ACLs

Edicin de Access Lists


68/86


Edicin de Access Lists

Placing ACLs


69/86

Placing ACLs

The general rule:

Standard ACLsdo not specify destination addresses, so they shouldbe placed as close to the destination as possible.

Put the extended ACLsas close as possible to the source of the trafficdenied.

Source

10.0.0.0/8Destination 172.16.0.0/16

Placing ACLs


70/86

Placing ACLs

If the ACLs are placed in the proper location, not only can traffic befiltered, but it can make the whole network more efficient.

If traffic is going to be filtered, the ACL should be placed where it hasthe greatest impact on increasing efficiency.

Source

10.0.0.0/8Destination 172.16.0.0/16

Placing ACLs Extended Example


71/86


Policy is to deny telnet or FTP Router A LAN to Router D LAN. All other traffic must be permitted.

Several approaches can accomplish this policy. The recommended approach uses an extended ACL specifying bothsource and destination addresses.

deny telnet

deny ftp

permit any Source

10.0.0.0/8Destination 172.16.0.0/16



72/86


Place this extended ACL in Router A. Then, packets do not cross Router A's Ethernet, do not cross the serial

interfaces of Routers B and C, and do not enter Router D.

Traffic with different source and destination addresses will still be permitted.

deny telnet

deny ftp

permit any

interface fastethernet 0/1

access-group 101 in

access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet

access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp

access-list 101 permit ip any any

RouterA

Source

10.0.0.0/8Destination 172.16.0.0/16



73/86


If thepermit ip any anyis not used, then no traffic is permitted. Be sure topermit ip and not just tcp or all udp traffic will be denied.

deny telnet

deny ftp

permit any


access-group 101 in

access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet

access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp

access-list 101 permit ip any any

RouterA

Source

10.0.0.0/8Destination 172.16.0.0/16

Placing ACLsStandard Example


74/86

g p

Standard ACLs do not specify destination addresses, so they shouldbe placed as close to the destination as possible.

If a standardACL is put too close to the source, it will not only denythe intended traffic, but all other traffic to all other networks.

Source

10.0.0.0/8Destination 172.16.0.0/16

deny 10.0.0.0

permit any


access-group 10 in

access-list 10 deny 10.0.0.0 0.255.255.255

access-list 10 permit any

RouterD

Placing ACLsStandard Example


75/86

g p

Better to use extended access lists, and place them close to thesource, as this traffic will travel all the way to RouterD before being

denied.

Source

10.0.0.0

deny 10.0.0.0

permit any


access-group 10 in

access-list 10 deny 10.0.0.0 0.255.255.255

access-list 10 permit any

RouterD

Destination 172.16.0.0/16

ACLs Complejas


76/86


ACLs Complejas

Tipos de ACLs complejas

1. ACLs Dinmicas


77/86


1. ACLs Dinmicas

Las ACL dinmicas dependen de la conectividad Telnet,

de la autenticacin (local o remota) y de las ACLextendidas.

Est disponible slo para trfico IP.


78/86


La configuracin de las ACL dinmicas comienza con la

aplicacin de una ACL extendida para bloquear trficoqueatraviesa de router.

Los usuarios que deseen atravesar el router sonbloqueados por la ACL extendida hasta que utilizan Telnet

para conectarse al router y ser autenticados. En ese momento, se interrumpe la conexin a Telnet, y se

agrega una ACL dinmica de nica entrada a la ACL

extendida existente.

Esta entrada permite el trfico por un perodo determinado;es posible que se produzcan errores por inactividad ysuperacin del tiempo de espera

Configuracin de ACLs


79/86


g

Configuracin de ACLs


80/86


g

2. ACLs Reflexivas


81/86


2. ACLs Reflexivas

Los administradores de red utilizan las ACL reflexivas para

permitir el trfico IP en sesiones que se originan en su redy, al mismo tiempo, denegar el trfico IP en sesiones que

se originan fuera de la red.

El router examina el trfico saliente y, cuando ve una

conexin, agrega una entrada a una ACL temporal parapermitir la devolucin de respuestas.

Las ACL reflexivas proporcionan una forma ms exacta defiltrado de sesin que una ACL extendida que utiliza el

parmetro established presentado anteriormente.


82/86


3. ACLs basadas en el tiempo


83/86


Para implementar las ACL basadas en el tiempo, debe

crear un rango horario que defina la hora especfica del day la semana.

Debe identificar el rango de tiempo con un nombre y,luego, remitirse a l mediante una funcin. Las

restricciones temporales son impuestas en la mismafuncin.

Ventajas:

Ofrecen al administrador de red ms control de los

permisos y denegaciones de acceso a los recursos.


84/86


Firewalls


85/86

A firewall is an architectural structure that exists between the user andthe outside world to protect the internal network from intruders.

In most circumstances, intruders come from the global Internet and thethousands of remote networks that it interconnects. Typically, a network firewall consists of several different machines that

work together to prevent unwanted and illegal access.

ACLs should be used in firewall routers, which are often positionedbetween the internal network and an external network, such as theInternet.

The firewall router provides a point of isolation so that the rest of theinternal network structure is not affected.

ACLs can be used on a router positioned between the two parts of thenetwork to control traffic entering or exiting a specific part of the

internal network.

Firewalls


86/86

ISPs use ACLs to deny RFC 1918 addresses into their networks asthese are non-routable Internet addresses.

IP packets coming into your network should never have a source

addresses that belong to your network. (This should be applied on allnetwork entrance routers.)

There are several other simple access lists which should be added tonetwork entrance routers.

Accessing_WAN_Chapter5-ACL.ppt

Documents

Transcript of Accessing_WAN_Chapter5-ACL.ppt