ACL Introduction
Transcript of ACL Introduction
-
8/14/2019 ACL Introduction
1/14
Access Control Lists
-
STANDARD ACCESS CONTROL LISTS
Are numbered from 1 to 99 (Cisco IOS also reserves 1300 to 1999 as an expanded standard range)
Filter (permit or deny) on the source address only
Carry no destination information, so they must be placed as close to the destination as possible
Work at Layer 3 of the OSI model
-
Why are Standard ACLs placed close to the destination?
If you want to block traffic from Juan's computer from reaching Janet's computer with a standard access list, you would place the ACL close to the destination, on Router D, interface E0, since a standard list uses only the source address to permit or deny packets. An ACL placed there will not affect Juan's packets reaching Routers B and C.
[Figure: Routers A, B, C and D connected in a chain over their serial interfaces (S0, S1); Juan's computer hangs off Router A's E0 and Janet's computer off Router D's E0, where the ACL is placed]
If you instead place the standard ACL on Router A to block traffic to Router D, it will also block all of Juan's packets going to Routers B and C, because all of those packets carry the same source address and the list has nothing else to test.
-
Standard Access List Placement Sample Problems
PROBLEM # 1
[Figure: Router A with Juan's computer on interface FA0 and Jan's computer on interface FA1]
In order to permit packets from Juan's computer to arrive at Jan's computer, you would place the standard access list at router interface _____________.
Answer: FA1 (the interface closest to the destination, Jan's computer)
-
Standard Access List Placement Sample Problems
PROBLEM # 2
[Figure: Router A (Ericka's computer on FA0) connected by a serial link (S0/S1) to Router B (Paolo's computer on FA1)]
Ericka has been sending unnecessary information to Paolo. Where would you place the standard ACL to deny all traffic from Ericka to Paolo?
Router Name ______________ Interface ____________
Where would you place the standard ACL to deny all traffic from Paolo to Ericka?
Router Name ______________ Interface ____________
Answers: Ericka to Paolo: Router B, interface FA1 (closest to Paolo). Paolo to Ericka: Router A, interface FA0 (closest to Ericka).
-
Standard Access List Placement : EXERCISE
[Figure: exercise topology of Routers A to F (interfaces E0, S0, S1 and FA1) with the computers of Ricky, Jenny, Amanda, Kathy, Carol, George, Jeff, Jim, Sarah, Linda, Jackie and Melvin attached]
-
EXTENDED ACCESS CONTROL LISTS
Are numbered from 100 to 199 (Cisco IOS also reserves 2000 to 2699 as an expanded extended range)
Filter (permit or deny) based on source address, destination address, protocol and port number
Are placed close to the source
Work at both Layer 3 and Layer 4 of the OSI model
-
Why are Extended ACLs placed close to the source?
If you want to block traffic from Juan's computer from reaching Janet's computer with an extended access list, you would place the ACL close to the source, on Router A, interface E0. Because an extended list can permit or deny packets on the destination address as well, the unwanted traffic is dropped before it crosses the backbone, and traffic from Juan to Routers B and C is not affected.
[Figure: Routers A, B, C and D connected in a chain over their serial interfaces (S0, S1); Juan's computer hangs off Router A's E0, where the ACL is placed, and Janet's computer off Router D's E0]
If you place the extended ACL on Router D to block the traffic from Router A, it will work. However, Routers B and C will have to route every such packet before it is finally blocked at Router D. This increases the volume of useless network traffic.
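Both placement rules can be checked in a small simulation. The following Python is an added example, not part of the original slides: the four-router chain, the host names (juan, bob, carol, janet), their addresses, and the choice to filter only on each router's E0 interface (inbound from its LAN or outbound towards its LAN) are assumptions made for illustration. It places the same deny rule as a standard list (source only) and as an extended list (source and destination) at Router A and at Router D, and reports for each flow whether the packet is delivered and how many routers it crosses first.

```python
from dataclasses import dataclass

# Constructed topology (an assumption, not from the slides): four routers in a
# chain, each with one LAN interface E0 and one host behind it.
CHAIN = ["A", "B", "C", "D"]
HOSTS = {                      # host -> (router it hangs off, address)
    "juan":  ("A", "10.1.0.10"),
    "bob":   ("B", "10.2.0.10"),
    "carol": ("C", "10.3.0.10"),
    "janet": ("D", "10.4.0.10"),
}


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: str           # source address or "any"
    dst: str = "any"   # destination address; a standard ACL cannot set this

    def matches(self, src, dst):
        return self.src in ("any", src) and self.dst in ("any", dst)


def acl_permits(acl, src, dst):
    """First match wins; the implicit deny at the end of every ACL applies
    when no entry matches."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


def deliver(src_host, dst_host, acls):
    """Forward one packet along the chain.

    acls maps (router, direction) to an ACL on that router's E0 interface:
    "in" filters packets entering from its LAN, "out" filters packets leaving
    towards its LAN.  Returns (delivered, routers_traversed)."""
    src_router, src_ip = HOSTS[src_host]
    dst_router, dst_ip = HOSTS[dst_host]
    i, j = CHAIN.index(src_router), CHAIN.index(dst_router)
    path = CHAIN[i:j + 1] if i <= j else CHAIN[j:i + 1][::-1]
    traversed = []
    for hop, router in enumerate(path):
        traversed.append(router)
        first, last = hop == 0, hop == len(path) - 1
        if first and (router, "in") in acls and not acl_permits(acls[(router, "in")], src_ip, dst_ip):
            return False, traversed
        if last and (router, "out") in acls and not acl_permits(acls[(router, "out")], src_ip, dst_ip):
            return False, traversed
    return True, traversed


JUAN, JANET = HOSTS["juan"][1], HOSTS["janet"][1]

# Standard ACL (source only) close to the destination: outbound on Router D E0.
STD_AT_D = {("D", "out"): [Entry("deny", JUAN), Entry("permit", "any")]}
# The same standard ACL close to the source: inbound on Router A E0.
STD_AT_A = {("A", "in"): [Entry("deny", JUAN), Entry("permit", "any")]}
# Extended ACL (source and destination) close to the source: inbound on A E0.
EXT_AT_A = {("A", "in"): [Entry("deny", JUAN, JANET), Entry("permit", "any")]}
# The same extended ACL close to the destination: outbound on Router D E0.
EXT_AT_D = {("D", "out"): [Entry("deny", JUAN, JANET), Entry("permit", "any")]}

SCENARIOS = {"std_at_D": STD_AT_D, "std_at_A": STD_AT_A,
             "ext_at_A": EXT_AT_A, "ext_at_D": EXT_AT_D}
FLOWS = [("juan", "janet"), ("juan", "bob"), ("carol", "janet")]


def compare():
    """Return {scenario: {"src->dst": (delivered, routers_traversed)}}."""
    return {name: {f"{s}->{d}": deliver(s, d, acl) for s, d in FLOWS}
            for name, acl in SCENARIOS.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        for flow, (ok, path) in results.items():
            state = "delivered" if ok else "blocked"
            print(f"{name:9} {flow:12} {state:9} via {'-'.join(path)}")
```

The output shows the two failure modes the slides describe: the standard list at Router A blocks juan->bob as well as juan->janet (collateral damage, because only the source is tested), while either list placed at Router D lets the packet cross A, B and C before it is dropped. Only the extended list at Router A blocks exactly the unwanted flow at the first hop.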
-
Extended Access List Placement Sample Problems
PROBLEM # 1
[Figure: Router A with Juan's computer on interface E0 and Jan's computer on interface E1]
In order to permit packets from Juan's computer to arrive at Jan's computer, you would place the extended access list at router interface _____________.
Answer: E0 (the interface closest to the source, Juan's computer)
-
Extended Access List Placement Sample Problems
PROBLEM # 2
[Figure: Router A (Ericka's computer on FA0) connected by a serial link (S0/S1) to Router B (Paolo's computer on FA1)]
Ericka has been sending unnecessary information to Paolo. Where would you place the extended ACL to deny all traffic from Ericka to Paolo?
Router Name ______________ Interface ____________
Where would you place the extended ACL to deny all traffic from Paolo to Ericka?
Router Name ______________ Interface ____________
Answers: Ericka to Paolo: Router A, interface FA0 (closest to Ericka, the source). Paolo to Ericka: Router B, interface FA1 (closest to Paolo, the source).
-
EXTENDED Access List Placement : EXERCISE
[Figure: exercise topology of Routers A to F (interfaces E0, S0, S1 and FA1) with the computers of Ricky, Jenny, Amanda, Kathy, Carol, George, Jeff, Jim, Sarah, Linda, Jackie and Melvin attached]
-
Breakdown of a Standard ACL Statement
access-list 1 permit 192.168.90.36 0.0.0.0
  access-list      keyword that starts every numbered ACL statement
  1                access-list # (1-99)
  permit           permit or deny
  192.168.90.36    source address
  0.0.0.0          wildcard mask (0.0.0.0 means match this one address exactly)
access-list 78 deny host 192.168.90.36
  78               access-list # (1-99)
  deny             permit or deny
  host             indicates a specific host address (the same as a 0.0.0.0 wildcard mask)
  192.168.90.36    source address
Every ACL ends with an implicit deny of all traffic that no statement explicitly permits, so a list containing only deny statements blocks everything on the interface where it is applied.
-
Breakdown of an Extended ACL Statement
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0
  125              access-list # (100-199)
  permit           permit or deny
  ip               protocol (icmp, tcp, udp, ip etc.)
  192.168.90.36    source address
  0.0.0.0          source wildcard mask (indicates a specific host)
  192.175.63.12    destination address
  0.0.0.0          destination wildcard mask (indicates a specific host)
access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12
  178                   access-list # (100-199)
  deny                  permit or deny
  tcp                   protocol (icmp, tcp, udp, ip etc.)
  host 192.168.90.36    source address; host indicates a specific host address
  host 192.175.63.12    destination address; host indicates a specific host address
Protocols include: IP, TCP, UDP, ICMP, IGMP, IGRP, EIGRP, OSPF. To match any internet protocol, use IP.
A port condition (for example eq 23 after the destination) can only be added to tcp and udp statements; a statement written with ip matches all protocols regardless of port.
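The two breakdowns above can be turned into a small parser and packet matcher. The following Python is an added example, not part of the original slides: it parses numbered statements in the form shown on these two slides (standard 1-99 and 1300-1999, extended 100-199 and 2000-2699, with host, any, wildcard masks and an optional eq port), applies Cisco wildcard semantics, and evaluates constructed packets with first-match and the implicit deny at the end. The sample lists reuse the addresses from the slides; the packets, the 10.x addresses and the port numbers are constructed for illustration.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is 'don't care'.  So 0.0.0.0 means this exact host (same as the
    host keyword) and 255.255.255.255 means any address."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return ((_to_int(addr) ^ _to_int(network)) & care) == 0


def _parse_addr(tokens, wildcard_optional=False):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'.
    A standard ACL may omit the wildcard, which then defaults to 0.0.0.0."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if wildcard_optional and not tokens:
        return (tok, "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_entry(line):
    """Break one access-list statement into its fields.  Numbers 1-99 (and
    1300-1999) are standard lists, 100-199 (and 2000-2699) extended lists."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return {"number": number, "kind": "standard", "action": action,
                "src": _parse_addr(rest, wildcard_optional=True)}
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        proto = rest.pop(0)
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":      # destination port; tcp/udp only
            if proto not in ("tcp", "udp"):
                raise ValueError("port match requires tcp or udp: " + line)
            dport = int(rest[1])
        return {"number": number, "kind": "extended", "action": action,
                "proto": proto, "src": src, "dst": dst, "dport": dport}
    raise ValueError("unsupported access-list number %d" % number)


def entry_matches(entry, pkt):
    """pkt is a dict with src, dst, proto and (for tcp/udp) dport."""
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if entry["kind"] == "standard":       # source address is all it can test
        return True
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == pkt.get("dport")


def evaluate(acl_lines, pkt):
    """Return (action, matching_line).  The first matching statement decides;
    the implicit 'deny any' at the end of every ACL applies otherwise."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    return "deny", None


# Constructed sample lists reusing the addresses from the slides.
STANDARD_ACL = ["access-list 78 deny host 192.168.90.36",
                "access-list 78 permit any"]
EXTENDED_ACL = [
    "access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.0 0.0.0.255",
    "access-list 125 deny tcp any host 192.175.63.12 eq 23",
    "access-list 125 permit tcp any any eq 80",
]


def demo():
    """Evaluate a few constructed packets; returns {label: action}."""
    pkts = {
        "std_host":     (STANDARD_ACL, {"src": "192.168.90.36", "dst": "10.0.0.1", "proto": "ip"}),
        "std_other":    (STANDARD_ACL, {"src": "192.168.90.37", "dst": "10.0.0.1", "proto": "ip"}),
        "ext_subnet":   (EXTENDED_ACL, {"src": "192.168.90.36", "dst": "192.175.63.200", "proto": "tcp", "dport": 23}),
        "ext_telnet":   (EXTENDED_ACL, {"src": "10.9.9.9", "dst": "192.175.63.12", "proto": "tcp", "dport": 23}),
        "ext_web":      (EXTENDED_ACL, {"src": "10.9.9.9", "dst": "192.175.63.12", "proto": "tcp", "dport": 80}),
        "ext_implicit": (EXTENDED_ACL, {"src": "10.9.9.9", "dst": "192.175.63.12", "proto": "udp", "dport": 53}),
    }
    return {label: evaluate(acl, pkt)[0] for label, (acl, pkt) in pkts.items()}
```

The ext_subnet case shows why statement order matters: the host 192.168.90.36 reaches the telnet port on 192.175.63.200 because the permit ip statement for the whole 192.175.63.0 0.0.0.255 range comes first. The ext_implicit case is denied by no written statement at all; UDP simply falls off the end of the list into the implicit deny.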
-
GIVEN:
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.0 0.0.0.255
10) 125 - ___________________
11) ip - ___________________
12) 192.168.90.36 - ___________________
13) 0.0.0.0 - ___________________
14) 192.175.63.0 - ___________________
15) 0.0.0.255 - ___________________