Router ACLs
Transcript of Router ACLs
-
7/29/2019 Router ACLs
1/73
0.0.0.0
permit
Exten
de
d
Standard
access-groudeny
access-list
CLAccess
ListsWorkbook
Version 1.4
Wildcard Mask
Any
Student Name:
-
7/29/2019 Router ACLs
2/73
Inside Cover
IP Standard
IP Extended
Ethernet Type Code
Ethernet Address
DECnet and Extended DECnetXNS
Extended XNS
Appletalk
48-bit MAC Addresses
IPX Standard
IPX Extended
IPX SAP (service advertisement protocol)
IPX SAP SPXExtended 48-bit MAC Addresses
IPX NLSP
IP Standard, expanded range
IP Extended, expanded range
SS7 (voice)
Standard Vines
Extended Vines
Simple Vines
Transparent bridging (protocol type)
Transparent bridging (vendor type)
Extended Transparent bridging
Source-route bridging (protocol type)
Source-route bridging (vendor type)
Access-List Numbers99
199
299
799
399499
599
699
799
899
999
1099
10991199
1299
1999
2699
2999
100
200
300
299799
1199
299
799
1
100
200
700
300400
500
600
700
800
900
1000
10001100
1200
1300
2000
2700
1
101
201
200700
1100
200
700
to
to
to
to
toto
to
to
to
to
to
to
toto
to
to
to
to
to
to
to
toto
to
to
to
Produced by: Robb Jones
[email protected] County Career & Technology Center
Cisco Networking Academy
Frederick County Public SchoolsFrederick, Maryland, USA
Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling
for taking the time to check this workbook for errors, and making suggestions for improvements.
-
7/29/2019 Router ACLs
3/73
1
ACLs......are a sequential list of instructions that tell a router which packets to
permit or deny.
The router checks to see if the packet is routable. If it is it looks upthe route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to itsdestination.
If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it ismatched.
If the packet does not match any statement written in the ACL it isdenyed because there is an implicit deny any statement at the end ofevery ACL.
General Access Lists Information
Access Lists......are read sequentially....are set up so that as soon as the packet matches a statement it
stops comparing and permits or denys the packet....need to be written to take care of the most abundant traffic first....must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routedprotocol must have a different ACL for each interface.
...must be applied to an interface to work.
What are Access Control Lists?
How routers use Access Lists(Outbound Port - Default)
-
7/29/2019 Router ACLs
4/73
Standard Access Lists
Standard Access Lists......are numbered from 1 to 99....filter (permit or deny) only source addresses....do not have any destination information so it must placed as close
to the destination as possible....work at layer 3 of the OSI model.
2
Why standard ACLs are placed close to thedestination.
If you want to block traffic from Juans computer from reachingJanets computer with a standard access list you would place theACL close to the destination on Router D, interface E0. Sinceits using only the source address to permit or deny packets theACL here will not effect packets reaching Routers B, or C.
Router A
Router B
Router C
Router D
If you place the ACL on router A to block traffic to Router Dit will also block all packets going to Routers B, and C;because all the packets will have the same source address.
JuansComputer
JanetsComputer
JimmysComputer
Matts
Computer
E0
E0 E0
E0
S0
S1 S0
S0S1
S1
-
7/29/2019 Router ACLs
5/73
3
Lisas
Computer
Standard Access List PlacementSample Problems
In order to permit packets from Juans computer to arrive atJans computer you would place the standard access list atrouter interface ______.FA1
Lisa has been sending unnecessary information to Paul. Wherewould you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name ______________ Interface ___________
Where would you place the standard ACL to deny traffic from Paul toLisa?Router Name ______________ Interface ___________
Router B E1
Router A E0
PaulsComputer
FA1FA0
Router A
JuansComputer
Jans
Computer
S0S1
E0 E1
Router BRouter A
-
7/29/2019 Router ACLs
6/73
S0 S1E0 FA1
S0S1
Router B
Router C
Standard Access List Placement
4
Router A
S0S1
E0 FA1
SarahsComputer
JackiesComputer
Router FRouter E
Router D
S1
S0
S1
E0
S1
LindasComputer
MelvinsComputer
Jims
Computer
JeffsComputer
GeorgesComputer
KathysComputer
CarrolsComputer
RickysComputer
JennysComputer
Amandas
Compute
-
7/29/2019 Router ACLs
7/73
5
Router DE0
Standard Access List Placement
1. Where would you place a standard access list topermit traffic from Rickys computer to reach Jeffscomputer?
2. Where would you place a standard access list todeny traffic from Melvins computer from reachingJennys computer?
3. Where would you place a standard access list todeny traffic to Carrols computer from Sarahscomputer?
4. Where would you place a standard access list topermit traffic to Rickys computer from Jeffscomputer?
5. Where would you place a standard access list todeny traffic from Amandas computer from reachingJeff and Jims computer?
6. Where would you place a standard access list topermit traffic from Jackies computer to reach Lindascomputer?
7. Where would you place a standard access list topermit traffic from Rickys computer to reach Carroland Amandas computer?
8. Where would you place a standard access list todeny traffic to Jennys computer from Jackiescomputer?
9. Where would you place a standard access list topermit traffic from Georges computer to reach Lindaand Sarahs computer?
10. Where would you place an ACL to deny traffic fromJeffs computer from reaching Georges computer?
11. Where would you place a standard access list todeny traffic to Sarahs computer from Rickyscomputer?
12. Where would you place an ACL to deny traffic fromLindas computer from reaching Jackies computer?
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router AE0
-
7/29/2019 Router ACLs
8/73
Extended Access Lists......are numbered from 100 to 199....filter (permit or deny) based on the: source address
destination addressprotocolport number
... are placed close to the source.
...work at both layer 3 and 4 of the OSI model.
Extended Access Lists
Why extended ACLs are placed close to the source.
If you want to deny traffic from Juans computer from reachingJanets computer with an extended access list you would placethe ACL close to the source on Router A, interface E0. Since itcan permit or deny based on the destination address it can reducebackbone overhead and not effect traffic to Routers B, or C.
If you place the ACL on Router E to block traffic from RouterA, it will work. However, Routers B, and C will have to routethe packet before it is finally blocked at Router E. Thisincreases the volume of useless network traffic.
6
Router A
Router B
Router C
Router D
JuansComputer
JanetsComputer
JimmysComputer
Matts
Computer
E0
FA0
E0
E0
S0
S1S0
S0S1
S1
-
7/29/2019 Router ACLs
9/73
7
Juans
Computer
JansComputer
Extended Access List PlacementSample Problems
In order to permit packets from Juans computer to arrive atJans computer you would place the extended access list atrouter interface ______.E0
Lisa has been sending unnecessary information to Paul. Where wouldyou place the extended ACL to deny all traffic from Lisa to Paul?Router Name ______________ Interface ___________
Where would you place the extended ACL to deny traffic from Paul toLisa?Router Name ______________ Interface ___________
Router A FA0
Router B FA1
E1E0
Router A
S0S1
FA0 FA1
Router BRouter A
LisasComputer
PaulsComputer
-
7/29/2019 Router ACLs
10/73
8
S0 S1FA0 E1
S0S1
Router B
Router C
Extended Access List Placement
Router A
S0S1
FA0 FA1
SarahsComputer
JackiesComputer
Router FRouter E
Router D
S1
S0
S1
FA0
S1
LindasComputer
MelvinsComputer
Jims
Computer
JeffsComputer
GeorgesComputer
KathysComputer
CarrolsComputer
RickysComputer
JennysComputer Amanda
Compute
-
7/29/2019 Router ACLs
11/73
9
Extended Access List Placement
Router Name_________________Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
Router Name_________________Interface ____________________
1. Where would you place an ACL to deny traffic fromJeffs computer from reaching Georges computer?
2. Where would you place an extended access list to
permit traffic from Jackies computer to reach Lindascomputer?
3. Where would you place an extended access list todeny traffic to Carrols computer from Rickyscomputer?
4. Where would you place an extended access list todeny traffic to Sarahs computer from Jackiescomputer?
5. Where would you place an extended access list topermit traffic from Carrols computer to reach Jeffscomputer?
6. Where would you place an extended access list todeny traffic from Melvins computer from reaching Jeffand Jims computer?
7. Where would you place an extended access list topermit traffic from Georges computer to reach Jeffscomputer?
8. Where would you place an extended access list topermit traffic from Jims computer to reach Carrol andAmandas computer?
9. Where would you place an ACL to deny traffic fromLindas computer from reaching Kathys computer?
10. Where would you place an extended access listto deny traffic to Jennys computer from Sarahs
computer?
11. Where would you place an extended access list topermit traffic from Georges computer to reach Lindaand Sarahs computer?
12. Where would you place an extended access listto deny traffic from Lindas computer from reachingJennys computer?
Router DFA0
Router F
FA1
-
7/29/2019 Router ACLs
12/73
Access Lists on your incoming port......requires less CPU processing....filters and denys packets before the router has to make a
routing decision.
Access Lists on your outgoing port......are outbound by default unless otherwise specified....increases the CPU processing time because the routing decision
is made and the packet switched to the correct outgoing portbefore it is tested against the ACL.
Choosing to Filter Incoming or Outgoing Packets
Breakdown of a Standard ACL Statement
access-list 1 permit 192.168.90.36 0.0.0.0
permitor
deny
autonomousnumber1 to 99
sourceaddress
wildcardmask
access-list 78 deny host 192.168.90.36 log
permit or deny
autonomousnumber1 to 99
sourceaddress
indicates aspecific host
address
(Optional)generates a log
entry on therouter for eachpacket thatmatches thisstatement
10
-
7/29/2019 Router ACLs
13/73
Breakdown of an Extended ACL Statement
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0
permit or deny
autonomousnumber
100 to 199
sourcewildcardmask
destinationaddress
destinationwildcardmask
access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log
permitor
deny
autonomousnumber
100 to 199
sourceaddress
indicates aspecific
host
protocolicp,
icmp,tcp, udp,
ip,etc.
destinationaddress
operatoreq for =gt for >lt for