Lesson 8: Access Control Lists
Transcript of Lesson 8: Access Control Lists
-
7/27/2019 Lesson 8: Access Control Lists
1/29
-
2/29
Limit network traffic to where we define and increase network performance
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at router interfaces
-
3/29
Router can read packets
Packets contain much data
We can choose to act upon this data
Permits us to allow or deny whichever part of this data we wish
ACLs implement this policy
-
4/29
-
5/29
Standard
Extended
-
6/29
Use only the packet's source address for comparison
ACL numbers 1-99
-
7/29
Provide more precise (finer-tuned) packet selection based on:
Source and destination addresses
Protocols
Port numbers
ACL numbers 100-199
-
8/29
IOS tests the packet against each condition statement in the order in which the statements were created.
Note: After a match is found, no more condition statements are checked. If you create a condition statement that permits all traffic, no statements added later will ever be checked.
If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.
-
9/29
Create ACL in global config
Assign to interface
Decide the direction: In or Out
-
10/29
If the source IP address is matched, the permit or deny statement is processed:
Permit: the action in the ACL is performed
Deny: the packet is dropped
Implicit deny: if a packet's address does not match an earlier statement, an implicit deny any at the end of every ACL applies and the packet is dropped.
-
11/29
The wildcard mask identifies a host or range of addresses.
It is the binary inversion of the subnet mask, e.g. in a class C address range we use the subnet mask 255.255.255.0.
To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s).
-
12/29
access-list access-list-number {permit|deny} source-ip-address wildcard-mask [log]
The log keyword causes each packet that matches this statement to generate a log entry that is recorded by the router.
-
13/29
To permit all packets from the network number 172.16.0.0:
access-list 20 permit 172.16.0.0 0.0.255.255
-
14/29
To permit traffic from the host 172.16.1.1 only:
access-list 20 permit 172.16.1.1 0.0.0.0
-
15/29
To permit traffic from any source address:
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any
-
16/29
To permit traffic from the subnets 12.16.0.0 through 12.31.0.0:
access-list 20 permit 12.16.0.0 0.15.255.255
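The slides above describe how a standard ACL is evaluated: the wildcard mask is the inverse of the subnet mask, statements are tested in the order they were entered, the first match wins, and anything unmatched hits the implicit deny. The following Python model is an added example (not part of the lesson and not Cisco code) that implements exactly those rules for the "access-list N permit|deny ..." lines shown on the slides, including the "any" and "host" shorthands and the "log" keyword. The configuration lines inside it are constructed for the example; the shadow check goes one step beyond the slides by finding statements that an earlier, broader statement makes unreachable (the "permit any placed first" problem the lesson warns about).

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def subnet_mask_to_wildcard(mask: str) -> str:
    """Wildcard mask = bitwise inversion of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(~to_int(mask) & 0xFFFFFFFF))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'must match', bit 1 = 'don't care'.
    The packet matches when every must-match bit equals the ACL address."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny <src> [wildcard] [log]' lines
    (plus the 'any' and 'host' forms) into (number, action, address, wildcard, log).
    Order is preserved because IOS tests statements in the order they were entered."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].lower() != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2].lower()
        rest = tokens[3:]
        log = bool(rest) and rest[-1].lower() == "log"
        if log:
            rest = rest[:-1]
        if rest[0].lower() == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0].lower() == "host":
            addr, wc = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            addr, wc = rest[0], "0.0.0.0"  # IOS assumes 0.0.0.0 when the wildcard is omitted
        else:
            addr, wc = rest[0], rest[1]
        entries.append((number, action, addr, wc, log))
    return entries


def evaluate_standard(entries, number, packet_src):
    """Return (decision, index of the matching statement).
    The first matching statement wins and later ones are not examined;
    if nothing matches, the implicit 'deny any' at the end applies (index None)."""
    for i, (num, action, addr, wc, log) in enumerate(entries):
        if num != number:
            continue
        if wildcard_match(packet_src, addr, wc):
            if log:  # the 'log' keyword: matching packets generate a log entry
                print(f"list {num} {action} {packet_src} (statement {i})")
            return action, i
    return "deny", None


def shadowed_statements(entries, number):
    """Indexes of statements that can never match because an earlier statement in the
    same list already covers every address they cover (e.g. 'permit any' placed first).
    Statement i covers statement j when i cares about a subset of j's bits and the two
    addresses agree on the bits i cares about."""
    shadowed = []
    same = [(i, e) for i, e in enumerate(entries) if e[0] == number]
    for j, (jdx, (_, _, addr_j, wc_j, _)) in enumerate(same):
        care_j = ~to_int(wc_j) & 0xFFFFFFFF
        for _, (_, _, addr_i, wc_i, _) in same[:j]:
            care_i = ~to_int(wc_i) & 0xFFFFFFFF
            broader = (care_i & ~care_j & 0xFFFFFFFF) == 0
            agrees = (to_int(addr_i) & care_i) == (to_int(addr_j) & care_i)
            if broader and agrees:
                shadowed.append(jdx)
                break
    return shadowed


# Constructed sample configuration (hypothetical, for the example only)
SAMPLE_CONFIG = [
    "access-list 20 permit host 172.16.1.1",
    "access-list 20 deny 172.16.0.0 0.0.255.255 log",
    "access-list 20 permit any",
    "access-list 30 permit 12.16.0.0 0.15.255.255",
    "access-list 40 permit any",
    "access-list 40 deny host 10.9.9.9",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG)
    for src in ("172.16.1.1", "172.16.7.7", "10.0.0.1"):
        print(src, "->", evaluate_standard(acl, 20, src))
    print("12.32.0.1 against list 30 ->", evaluate_standard(acl, 30, "12.32.0.1"))
    print("unreachable statements in list 40:", shadowed_statements(acl, 40))
```

Run it as a script and list 20 shows the three outcomes side by side: the host entry matches first, the /16 deny catches the rest of 172.16.0.0 and logs it, and everything else falls through to "permit any"; list 30 shows the implicit deny as decision "deny" with no matching index; list 40 reports its second statement as unreachable.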
-
17/29
These two statements are equivalent:
access-list 22 permit 0.0.0.0 255.255.255.255
access-list 22 permit any
-
18/29
These two statements are equivalent:
access-list 23 permit 172.16.1.1 0.0.0.0
access-list 23 permit host 172.16.1.1
-
19/29
All conditions must match.
Test sequence in this order:
Source address
Destination address
Protocol
Port number or protocol options
Permit or deny decision
-
20/29
access-list access-list-number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask [eq port-number] [log]
-
21/29
17 March 2009 ITCN21 in
-
22/29
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
This command is used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network. All packets with a source address not in this range will be rejected.
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
These commands are used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network. All packets with a source address not in this range will be rejected.
-
23/29
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
This command is used to permit Telnet traffic from machine 10.1.1.2 to machine 172.16.1.1.
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
This command is used to permit TCP traffic from host machine 10.1.1.2 to host machine 172.16.1.1.
-
24/29
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1
This command is used to permit UDP traffic from host machine 10.1.1.2 to host machine 172.16.1.1.
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
This command is used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network.
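Slides 19 through 24 give the extended ACL syntax, the order in which its conditions are tested (source, destination, protocol, port) and several worked statements. The model below is an added example, not the lesson's own material and not Cisco code: it parses the "access-list 1xx permit|deny protocol src dst [eq port] [log]" lines in the form the slides use, resolves port keywords such as "eq telnet" using the well-known port table the lesson lists, and evaluates a packet the way the slides describe, with "ip" matching any protocol, first match winning and an implicit deny at the end. The configuration lines and packets inside it are constructed for the example.

```python
import ipaddress

# Well-known ports from the lesson's table, so 'eq telnet' resolves to 23
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53,
              "tftp": 69, "www": 80, "pop3": 110, "snmp": 161}


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns ((address, wildcard), remaining tokens)."""
    if tokens[0].lower() == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0].lower() == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_extended_acl(lines):
    """Parse 'access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>] [log]'."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].lower() != "access-list":
            continue
        number, action, proto = int(tokens[1]), tokens[2].lower(), tokens[3].lower()
        src, rest = take_address(tokens[4:])
        dst, rest = take_address(rest)
        port = None
        if rest and rest[0].lower() == "eq":
            port = PORT_NAMES.get(rest[1].lower()) or int(rest[1])
            rest = rest[2:]
        log = bool(rest) and rest[0].lower() == "log"
        entries.append({"number": number, "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": port, "log": log})
    return entries


def evaluate_extended(entries, number, packet):
    """packet = {"proto": "tcp"/"udp"/..., "src": addr, "dst": addr, "dport": int}.
    Every condition of a statement must match, tested in the order the lesson gives
    (source, destination, protocol, port); the first matching statement decides;
    if none matches, the implicit 'deny ip any any' applies (index None)."""
    for i, e in enumerate(entries):
        if e["number"] != number:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:  # 'ip' covers all protocols
            continue
        if e["port"] is not None and e["port"] != packet.get("dport"):
            continue
        if e["log"]:
            print(f"list {number} {e['action']} {packet['proto']} "
                  f"{packet['src']} -> {packet['dst']}:{packet.get('dport')}")
        return e["action"], i
    return "deny", None


# Constructed sample configuration (hypothetical, for the example only)
SAMPLE_CONFIG = [
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet",
    "access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 eq 69",
    "access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 102 deny ip any any log",
]


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    acl = parse_extended_acl(SAMPLE_CONFIG)
    print(evaluate_extended(acl, 101, packet("tcp", "10.1.1.2", "172.16.1.1", 23)))
    print(evaluate_extended(acl, 101, packet("tcp", "10.1.1.2", "172.16.1.1", 80)))
    print(evaluate_extended(acl, 102, packet("tcp", "10.2.0.1", "172.16.1.9", 80)))
```

Against list 101 only Telnet from 10.1.1.2 to 172.16.1.1 is permitted: the same hosts on port 80, or the same port over UDP, fall through to the implicit deny, which the model reports as "deny" with no matching index. List 102 shows the difference an explicit "deny ip any any" makes: the rejected packet now matches a real statement (index 3) and, because that statement carries "log", produces a log line.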
-
25/29
Well-known port numbers:
FTP 21
Telnet 23
SMTP 25
DNS 53
TFTP 69
WWW, HTML 80
POP3 110
SNMP 161
-
26/29
Standard ACL: uses only the source address and requires fewer CPU cycles. Place as close to the destination as possible.
Extended ACL: more flexible and requires more CPU cycles. Place as close to the source as possible. (This keeps undesired traffic and ICMP messages away from the network backbone.)
-
27/29
Imagine you are standing INSIDE the router.
The direction of the ACL for an interface will be the same as our perspective standing INSIDE the router.
-
28/29
In: requires less CPU processing because every packet is filtered before it is routed, so a denied packet never reaches the routing process.
The filtering decision is made prior to the routing table lookup.
-
29/29
Out: the routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list.
ACLs are outbound unless otherwise specified.