Acl
Uploaded by mohammed-faris-majeed (Category: Technology)
Transcript of Acl
Access Control List
• An ACL is a set of rules that permits or denies specific traffic moving through the router.
• It is a Layer 3 security control that governs the flow of traffic from one router to another.
• It is also called a Packet Filtering Firewall.
Types of Access-list
ACCESS-LIST
├─ NUMBERED
│   ├─ STANDARD
│   └─ EXTENDED
└─ NAMED
    ├─ STANDARD
    └─ EXTENDED
Standard Access List
• The access-list number range is 1 – 99
• Can block a Network, Host or Subnet
• Two-way communication is stopped
• All services are blocked
• Implemented closest to the destination
• Filtering is based on the source IP address only

Extended Access List
• The access-list number range is 100 – 199
• Can block a Network, Host, Subnet or Service
• One-way communication is stopped
• Selected services can be blocked
• Implemented closest to the source
• Checks source, destination, protocol and port number
Terminology
• Deny: blocking a Network/Host/Subnet/Service
• Permit: allowing a Network/Host/Subnet/Service
• Source Address: the address of the PC from which the request starts
• Destination Address: the address of the PC at which the request ends
• Inbound: traffic coming into the interface
• Outbound: traffic going out of the interface
Rules of Access List
• All deny statements have to be given first
• There should be at least one permit statement
• An implicit deny (an invisible statement at the end of the list) blocks all traffic that matches no statement
• Only one access-list is allowed per interface per direction, i.e. two access-lists per interface: one inbound and one outbound
• Statements are processed in sequential order, and the first matching statement decides
• Editing of access-lists is not possible, i.e. selectively adding or removing individual statements is not possible
Wild Card Mask
• Tells the router which address bits must match the address in the ACL statement
• It is the inverse of the subnet mask, hence it is also called the Inverse Mask
• A bit value of 0 indicates MUST MATCH (check bit)
• A bit value of 1 indicates IGNORE (ignore bit)
• The wildcard mask for a single host is always 0.0.0.0
Wild Card Mask
• A wildcard mask can be calculated using the formula:
      Global Subnet Mask – Customized Subnet Mask = Wild Card Mask
  E.g.    255.255.255.255
        – 255.255.255.240
        -----------------
            0.  0.  0. 15
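The subtraction above and the "0 = must match, 1 = ignore" rule from the previous slide, as an added Python example (this is not code from the slides). It derives the wildcard mask from a subnet mask or prefix length and then applies it bit by bit to decide whether an address falls inside the range an ACL statement describes; the function names are my own.

```python
# Added example (not from the slides): deriving a wildcard mask from a subnet
# mask and applying the "0 = must match, 1 = ignore" rule bit by bit.
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Global mask (255.255.255.255) minus the customized subnet mask.
    Subtracting from all-ones is the same as inverting every bit."""
    full = int(ipaddress.IPv4Address("255.255.255.255"))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(full - mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result starting from a prefix length, e.g. /28 -> 0.0.0.15."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return wildcard_from_mask(str(net.netmask))


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 (check bit) is identical in
    the two addresses; bits the wildcard marks 1 (ignore bits) are skipped."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    # (a ^ b) has a 1 wherever the two addresses differ; masking with the
    # inverted wildcard keeps only the differences in must-match positions.
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))                      # 0.0.0.15
    print(wildcard_from_prefix(8))                                    # 0.255.255.255
    print(wildcard_match("10.1.1.7", "10.0.0.0", "0.255.255.255"))    # True
    print(wildcard_match("10.1.1.7", "10.1.1.7", "0.0.0.0"))          # host match: True
    print(wildcard_match("10.1.1.8", "10.1.1.7", "0.0.0.0"))          # False
```

The host case on the slide (wildcard 0.0.0.0) falls out naturally: every bit is a check bit, so only the exact address matches.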
Network Diagram
HYD: E0 10.1.1.1/8, LAN 10.0.0.0/8, S0 1.1.1.1/8
KSA: E0 20.1.1.1/8, LAN 20.0.0.0/8, S1 1.1.1.2/8, S0 2.2.2.1/8
UAE: E0 30.1.1.1/8, LAN 30.0.0.0/8, S1 2.2.2.2/8
Serial links: HYD S0 (1.1.1.1/8) -- KSA S1 (1.1.1.2/8); KSA S0 (2.2.2.1/8) -- UAE S1 (2.2.2.2/8)
Standard Access List
• The access-list number range is (1 – 99) & (1600 – 1999)
• Can block a Network, Host or Subnet
• Two-way communication is stopped
• All services are blocked
• Implemented closest to the destination
• Filtering is based on the source IP address only
Creation of Standard Access List
(config)# access-list <acl no> <permit/deny> <source add> <source WCM>
Implementation of Standard Access List
(config)# interface <interface type> <interface no>
(config-if)# ip access-group <number> <out/in>
To Verify:
# show access-list
# show access-list <no>
Extended Access List
• The access-list number range is (100 – 199) & (2000 – 2699)
• Can block a Network, Host, Subnet or Service
• One-way communication is stopped
• Selected services can be blocked
• Implemented closest to the source
• Checks source, destination, protocol and port number
IP
├─ TCP: HTTP, TELNET, FTP, SMTP
├─ UDP: DNS, TFTP, DHCP, NNTP
└─ ICMP: PING, TRACEROUTE
Operators:
• eq (equal to)
• neq (not equal to)
• lt (less than)
• gt (greater than)
Creation of Extended Access List
(config)# access-list <acl no> <permit/deny> <protocol> <source add> <source WCM> <destination add> <destination WCM> <operator> <service>
Implementation of Extended Access List
(config)# interface <interface type> <interface no>
(config-if)# ip access-group <number> <out/in>
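To show how the standard and extended statement syntax above, the operators eq/neq/lt/gt, and the rules slide (sequential order, first match, implicit deny) fit together, here is an added Python evaluator. It is not code from the slides and not how IOS is implemented; it parses statements written in the slides' `access-list` syntax (with the usual `host` and `any` shorthands assumed) and decides permit or deny for a constructed packet. The sample ACL 101 is constructed for the slide's network diagram: placed on HYD E0 inbound, closest to the source, it stops Telnet from HYD's LAN to UAE's LAN and permits everything else.

```python
# Added example, not code from the slides: a small evaluator for numbered ACL
# statements written in the IOS syntax the deck shows. It applies the rules
# the slides state: statements are checked in sequential order, the first
# match decides, and a packet that matches nothing hits the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports for the service keywords used on the slides.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53,
                 "tftp": 69, "http": 80}


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    return (_ip(addr) ^ _ip(acl_addr)) & (~_ip(wildcard) & 0xFFFFFFFF) == 0


@dataclass
class Packet:                  # constructed test input, not a real capture
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None


@dataclass
class Entry:
    number: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    src_wcm: str
    dst: str
    dst_wcm: str
    op: Optional[str] = None   # eq / neq / lt / gt
    port: Optional[int] = None


def _take_addr(tokens):
    """Consume '<addr> <wcm>', 'host <addr>', 'any' or a bare host address."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) == 1 or tokens[1] in ("eq", "neq", "lt", "gt"):
        return tokens[0], "0.0.0.0", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <no> <permit|deny> ...' line.
    Numbers 1-99 are standard (source only); 100-199 are extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:
        src, src_wcm, _ = _take_addr(rest)
        return Entry(number, action, "ip", src, src_wcm,
                     "0.0.0.0", "255.255.255.255")
    proto, rest = rest[0], rest[1:]
    src, src_wcm, rest = _take_addr(rest)
    dst, dst_wcm, rest = _take_addr(rest)
    op = port = None
    if rest:                   # e.g. "eq telnet" or "gt 1023"
        op = rest[0]
        port = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    return Entry(number, action, proto, src, src_wcm, dst, dst_wcm, op, port)


def _port_ok(op, want, have):
    if op is None:
        return True
    if have is None:
        return False
    return {"eq": have == want, "neq": have != want,
            "lt": have < want, "gt": have > want}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    return (wildcard_match(p.src, e.src, e.src_wcm)
            and wildcard_match(p.dst, e.dst, e.dst_wcm)
            and _port_ok(e.op, e.port, p.dport))


def evaluate(acl_lines: List[str], packet: Packet) -> str:
    """'permit' or 'deny': first matching statement in sequence wins, and the
    invisible implicit deny at the end catches everything else."""
    for entry in (parse_entry(line) for line in acl_lines):
        if entry_matches(entry, packet):
            return entry.action
    return "deny"


# Constructed sample for the slide's network diagram, meant for HYD E0 inbound
# (closest to the source): stop Telnet from HYD's LAN 10.0.0.0/8 to UAE's LAN
# 30.0.0.0/8 and let everything else through.
ACL_101 = [
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255 eq telnet",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ACL_101, Packet("10.1.1.5", "30.1.1.9", "tcp", 23)))   # deny
    print(evaluate(ACL_101, Packet("10.1.1.5", "30.1.1.9", "tcp", 80)))   # permit
```

Dropping the final `permit ip any any` line from ACL_101 makes every packet fall through to the implicit deny, which is exactly the outage the rules slide warns about when a list has no permit statement.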
Named Access List
• Access-lists are identified by names rather than numbers
• Names are case-sensitive
• There is no limitation on numbers here
• One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible
(IOS version 11.2 or later allows Named ACLs)
Standard Named Access List
Creation of Standard Named Access List
(config)# ip access-list standard <name>
(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
Implementation
(config)# interface <interface type> <interface no>
(config-if)# ip access-group <name> <out/in>
Extended Named Access List
Creation of Extended Named Access List
(config)# ip access-list extended <name>
(config-ext-nacl)# <permit/deny> <protocol> <source add> <source WCM> <dest. add> <dest. WCM> <operator> <service>
Implementation
(config)# interface <interface type> <interface no>
(config-if)# ip access-group <name> <out/in>