Chapter 08 - ACL
Khoa CNTT (Faculty of Information Technology), PHẠM VĂN TÍNH, 01-2004
ACCESS CONTROL LISTS
Dr. PHẠM VĂN TÍNH
PART 13
Objective
Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access
ACCESS CONTROL LIST FUNDAMENTALS
What are ACLs
ACLs tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.
What are ACLs
The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL
What are ACLs
ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX).
ACLs must be defined on a per-protocol, per-direction, or per-port basis.
The Primary Reasons to Create ACLs
Limit network traffic and increase network performance. For example, by restricting video traffic …
Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
The Primary Reasons to Create ACLs
Decide which types of traffic are forwarded or blocked at the router interfaces. For example: permit e-mail traffic to be routed, but block all telnet traffic.
Allow an administrator to control what areas a client can access on a network.
Screen certain hosts to either allow or deny access to part of a network. Grant or deny user permission to access only certain types of files, such as FTP or HTTP.
How ACLs work
ACL and Routing
Creating ACLs
Creating ACLs
• Step 1: Create the ACL: Router(config)#access-list acl_num {permit|deny} {test_conditions}
• Step 2: Apply the ACL to an interface: Router(config-if)#{protocol} access-group acl_num {in|out}
• Step 3: Delete an ACL: Router(config)#no access-list acl_num
These basic rules
One access list per protocol per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
These basic rules
There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
The match condition is examined first. The permit or deny is examined ONLY if the match is true.
Never work with an access list that is actively applied.
Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.
New lines are always added to the end of the access list. A no access-list x command will remove the whole list.
These basic rules
An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
Care should be taken when removing an access list. If the access list is applied to a production interface and the access list is removed, then, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
Outbound filters do not affect traffic originating from the local router.
Wildcard mask
Wildcard masks are designed to filter individual or groups of IP addresses permitting or denying access to resources based on the address.
A wildcard mask is a 32-bit quantity that is divided into four octets.
A wildcard mask is paired with an IP address.
The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits.
Wildcard masks have no functional relationship with subnet masks.
Verifying ACLs
show ip interface
show access-lists
show running-config
Show examples
Types of ACLs
Standard ACL
Placing ACLs
Restricting virtual terminal access
Only numbered access lists can be applied to virtual lines.
Only standard access lists can be applied to virtual lines.
Creating the vty access list is the same as described for an interface.
Applying the ACL to a terminal line requires the access-class command instead of the access-group command.
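The following Python model ties together the creation steps, the basic processing rules (top-to-bottom first match, implicit deny, new lines appended at the end), the wildcard-mask bit semantics, and the fact that a standard list bound to vty lines with access-class is evaluated exactly like one bound to an interface with access-group. It is an added example written for this chapter, not IOS code and not the lecturer's material. It assumes the IOS line forms `access-list N {permit|deny} A.B.C.D W.X.Y.Z`, `... host A.B.C.D` and `... any`; the configuration inside it is constructed for the demonstration. List 30 uses a non-contiguous wildcard to show that wildcard bits are independent of any subnet mask.

```python
"""Added example: a small Python model of how a Cisco IOS standard ACL is
evaluated. Illustrative code for this chapter, not IOS and not the
lecturer's own material. Assumes the IOS line forms
`access-list N {permit|deny} A.B.C.D W.X.Y.Z`, `... host A.B.C.D` and
`... any`; the configuration below is constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample configuration (not from the slides). Lines beginning
# with "!" are comments, as in an IOS configuration.
CONFIG = """
! list 10: filters on an interface (ip access-group 10 in)
access-list 10 deny   host 192.168.1.13
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.255.255
! list 20: restricts vty access (line vty 0 4 / access-class 20 in)
access-list 20 permit 10.1.1.0 0.0.0.255
! list 30: wildcard bits are independent, so this matches 10.x.0.y only
access-list 30 permit 10.0.0.0 0.255.0.255
""".splitlines()


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    address: int    # 32-bit address the packet is compared against
    wildcard: int   # 32-bit wildcard: 0 bit = must match, 1 bit = ignore


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(packet_ip: int, address: int, wildcard: int) -> bool:
    """Match when every bit the wildcard marks with 0 is equal in both addresses."""
    differing = packet_ip ^ address
    return (differing & ~wildcard & 0xFFFFFFFF) == 0


def parse_standard_acl(config: List[str], acl_num: int) -> List[Entry]:
    """Collect the entries of one numbered list in the order IOS keeps them:
    every new line is appended at the end of the list."""
    entries: List[Entry] = []
    for line in config:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or int(parts[1]) != acl_num:
            continue  # blank line, "!" comment, other command, or another list
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {line!r}")
        if parts[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            address, wildcard = ip_to_int(parts[4]), 0
        else:
            address = ip_to_int(parts[3])
            wildcard = ip_to_int(parts[4]) if len(parts) > 4 else 0
        entries.append(Entry(action, address, wildcard))
    return entries


def evaluate(acl: List[Entry], source_ip: str) -> Tuple[str, int]:
    """Process entries top to bottom and stop at the first match. A packet
    matching nothing hits the implicit deny, reported here as index -1."""
    packet_ip = ip_to_int(source_ip)
    for index, entry in enumerate(acl):
        if wildcard_match(packet_ip, entry.address, entry.wildcard):
            return entry.action, index
    return "deny", -1


def decide(acl_num: int, source_ip: str, config: List[str] = CONFIG) -> Tuple[str, int]:
    """Decision for one packet against one list from the sample configuration.
    The evaluation is the same whether the list is bound with access-group
    (interface) or access-class (vty line); only the binding command differs."""
    return evaluate(parse_standard_acl(config, acl_num), source_ip)


if __name__ == "__main__":
    for acl_num, src in [(10, "192.168.1.13"), (10, "192.168.1.200"),
                         (10, "10.1.1.5"), (20, "10.1.1.5"),
                         (20, "192.168.1.200"), (30, "10.7.0.9"), (30, "10.7.1.9")]:
        action, index = decide(acl_num, src)
        where = "implicit deny" if index < 0 else f"entry {index}"
        print(f"list {acl_num:>2} source {src:<15} -> {action} ({where})")
```

Running the script shows the host-specific deny on list 10 winning over the later subnet permit because it comes first, a 10.1.1.5 source falling through to the implicit deny on list 10 while being permitted by the vty list 20, and 10.7.0.9 matching list 30 while 10.7.1.9 does not, since the third octet is a must-match position under wildcard 0.255.0.255.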
Creating & Applying VTAL
Summary
ACLs perform several functions within a router, including implementing security/access procedures.
ACLs are used to control and manage traffic.
For some protocols, two ACLs can be applied to an interface: one inbound ACL and one outbound ACL.
With ACLs, after a packet is matched to an ACL statement, it can be denied or permitted access to the router.
Wildcard mask bits use the number one (1) and the number zero (0) to identify how to treat the corresponding IP address bits.
Summary
Access list creation and application is verified through the use of various IOS show commands.
The two main types of ACLs are standard and extended.
Named ACLs allow for the use of a name to identify the access list instead of a number.
ACLs can be configured for all routed network protocols.
ACLs are placed where they allow the most efficient control.
ACLs are typically used in firewall routers.
Access lists can also restrict virtual terminal access to the router.