Track Routers Anexo- What is ACL
Transcript of Track Routers Anexo- What is ACL
-
8/13/2019 Track Routers Anexo- What is ACL
1/36
Knowledge Domain: Routers
Annex: Access Control Lists (ACLs)
Objectives
Explain the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access
Introduction
An access control list (ACL) consists of a table that tells a computer operating system (OS) which access rights each user has to a particular system object, such as a file directory or an individual file.
Each object has a security attribute that identifies its access control list.
Cisco application view
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.
These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions.
ACLs enable management of traffic and secure access to and from a network.
ACL benefits
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Traffic decision (forwarded or blocked at the router interfaces).
Permit or deny (screen) hosts access to a network segment.
Can provide access control based on Layer 3 addresses for the IP and IPX protocols.
How an ACL is executed
Decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.
ACL statements operate in sequential, logical order.
Entering frame to a router
After determining that the frame has a matching Layer 2 address or is a broadcast, the router checks whether an ACL is present on the interface.
If the packet is accepted or there is no ACL: the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
If an ACL exists: the packet is tested against the statements in the list. If the packet matches a statement, it is either accepted or rejected.
ACL range for each protocol
ACLs can be created for all routed network protocols, such as IP and Internetwork Packet Exchange (IPX).
ACLs can be configured at the router to control access to a network or subnet.
ACL range for each protocol
Each ACL must have a unique identification number assigned to it.
This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.
How access lists work
ACL configuration
Step 1: Router(config)# access-list access-list-number {permit | deny} {test condition}
Step 2: Router(config)# {protocol} access-group access-list-number
An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated.
ACL configuration
Permit ACL line with L3 information only:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked before it is permitted.
If a packet's L3 information does not match the L3 information in the ACL line, the next ACL entry is processed.
If a packet's FO > 0, the packet is permitted.
Else, the next ACL entry is processed.
ACL configuration example
1. Router(config)# access-list 6 deny 172.13.0.0 0.0.255.255
2. Router(config)# access-list 6 permit 172.0.0.0 0.255.255.255
3. Router(config)# interface e0
4. Router(config-if)# ip access-group 6 in
If we want to delete or modify the ACL:
Router(config)# no access-list 6
Wildcard mask
Wildcard masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits.
A wildcard mask bit 0 means check the corresponding bit value.
A wildcard mask bit 1 means do not check (ignore) that corresponding bit value.
Wildcard mask
Wildcard masking for access lists operates differently from an IP subnet mask.
A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked; a one in a bit position of the access list mask indicates that the corresponding bit in the address is not interesting and can be ignored.
Wildcard mask
An administrator wants to test an IP address for subnets that will be permitted or denied.
Assume the IP address is Class B (the first two octets are the network number) with eight bits of subnetting (the third octet is for subnets).
The administrator wants to use IP wildcard masking bits to match subnets 172.30.16.0 to 172.30.31.0.
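The wildcard arithmetic behind this exercise, as an added example that is not part of the slides: a wildcard bit 0 means "check this address bit" and a bit 1 means "ignore it", so the wildcard for a block of subnets is the XOR of the first and last subnet number with all host bits set. The function names and the probe addresses other than the slide's 172.30.16.0 to 172.30.31.0 range are my own; the code also shows why a range that is not a single aligned power-of-two block cannot be expressed by one wildcard and must be split into several lines.

```python
# Added example (not from the slides): wildcard-mask arithmetic for Cisco-style ACLs.
# Rule from the slides: wildcard bit 0 = check the address bit, wildcard bit 1 = ignore it.
# Function names and probe addresses (other than 172.30.16.0-172.30.31.0) are my own.
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_addr equals acl_addr on every bit the wildcard marks with 0.

    Inverting the wildcard gives the 'care' bits; masking both addresses with
    them discards the bits the ACL is told to ignore before comparing.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard equivalent of a /prefix_len subnet mask: the mask's bitwise inverse."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(~subnet_mask & 0xFFFFFFFF)


def wildcard_for_subnet_range(first_subnet: str, last_subnet: str, prefix_len: int):
    """Return the (address, wildcard) pair matching every host in the subnets
    first_subnet .. last_subnet, each a /prefix_len block.

    Bits that differ between the first and last subnet number must be ignored
    (XOR), and so must all host bits.  One wildcard can only express a block
    whose size is a power of two and that starts on a multiple of that size;
    anything else raises ValueError because no single access-list line covers it.
    """
    lo, hi = to_int(first_subnet), to_int(last_subnet)
    if lo > hi:
        raise ValueError("first subnet must not be above last subnet")
    host_bits = (1 << (32 - prefix_len)) - 1
    wildcard = (lo ^ hi) | host_bits
    block = wildcard + 1
    if block & (block - 1) or lo & wildcard:
        raise ValueError("range is not one aligned block; split it into several lines")
    return to_dotted(lo), to_dotted(wildcard)


if __name__ == "__main__":
    addr, wc = wildcard_for_subnet_range("172.30.16.0", "172.30.31.0", 24)
    print(f"access-list 10 permit {addr} {wc}")
    for probe in ("172.30.16.1", "172.30.31.254", "172.30.32.1"):
        print(probe, wildcard_matches(probe, addr, wc))
```

For the slide's range the result is 172.30.16.0 with wildcard 0.0.15.255: the third octet bits that differ between 16 (00010000) and 31 (00011111) are the low four, so those are ignored together with the whole host octet, while 172.30.32.1 or 172.30.15.255 fail the check. Asking for 172.30.16.0 to 172.30.32.0 instead raises ValueError, which is the practical reason ACLs for odd-sized ranges need more than one line.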
Wildcard mask
By carefully setting wildcard masks, an administrator can select single or several IP addresses for permit or deny tests.
Refer to the example in the graphic.
Wildcard mask application
Any, host, optional format
The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against.
The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.
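How the pieces above fit together at run time, as an added example that is not part of the slides: a small evaluator for standard (source-address) numbered access lists that parses statements in the slides' syntax, expands any and host as just described, tests a source address against the statements in sequence (first match wins, no match falls through to the implicit deny), and forwards everything on an interface that has no ACL. Entry, parse_statement, build_acls, evaluate and interface_decision are my own names; the sample configuration reuses the slides' access-list 6 and access-list 1 lines.

```python
# Added example (not from the slides): sequential evaluation of standard,
# numbered IOS-style access lists.  Names are my own; the sample statements are
# the slides' access-list 6 and access-list 1 lines.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    address: str    # dotted-decimal address to compare against
    wildcard: str   # 0 bits are checked, 1 bits are ignored


def parse_statement(line: str) -> Tuple[int, Optional[Entry]]:
    """Parse 'access-list N {permit|deny|remark} ...' into (N, entry).

    A remark yields (N, None): it documents the list but filters nothing.
    'any' expands to 0.0.0.0 255.255.255.255, 'host A' to A 0.0.0.0, and an
    omitted wildcard defaults to 0.0.0.0 (every bit checked).
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action == "remark":
        return number, None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    args = tokens[3:]
    if not args:
        raise ValueError("missing source")
    if args[0] == "any":
        return number, Entry(action, "0.0.0.0", "255.255.255.255")
    if args[0] == "host":
        if len(args) < 2:
            raise ValueError("host keyword needs an address")
        ipaddress.IPv4Address(args[1])  # fail early on a malformed address
        return number, Entry(action, args[1], "0.0.0.0")
    wildcard = args[1] if len(args) > 1 else "0.0.0.0"
    ipaddress.IPv4Address(args[0]), ipaddress.IPv4Address(wildcard)
    return number, Entry(action, args[0], wildcard)


def build_acls(config_lines: List[str]) -> Dict[int, List[Entry]]:
    """Group statements by list number in the order entered (new lines append)."""
    acls: Dict[int, List[Entry]] = {}
    for line in config_lines:
        number, entry = parse_statement(line)
        acls.setdefault(number, [])
        if entry is not None:
            acls[number].append(entry)
    return acls


def matches(entry: Entry, source: str) -> bool:
    """Compare source with the entry on every bit the wildcard marks with 0."""
    care = ~int(ipaddress.IPv4Address(entry.wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (
        int(ipaddress.IPv4Address(entry.address)) & care)


def evaluate(entries: List[Entry], source: str) -> Tuple[str, Optional[int]]:
    """Test source against the list top to bottom; the first match decides.

    Returns (action, 1-based statement number).  With no match the packet hits
    the implicit deny at the end of every list, reported as ("deny", None).
    """
    for index, entry in enumerate(entries, start=1):
        if matches(entry, source):
            return entry.action, index
    return "deny", None


def interface_decision(acl: Optional[List[Entry]], source: str) -> str:
    """An interface with no ACL forwards everything; otherwise the ACL decides."""
    if acl is None:
        return "forward"
    action, _ = evaluate(acl, source)
    return "forward" if action == "permit" else "drop"


# Constructed configuration: the slides' two example lists.
SAMPLE_CONFIG = [
    "access-list 6 deny 172.13.0.0 0.0.255.255",
    "access-list 6 permit 172.0.0.0 0.255.255.255",
    "access-list 1 remark Permit only Jones workstation through",
    "access-list 1 permit 171.69.2.88",
]

if __name__ == "__main__":
    acls = build_acls(SAMPLE_CONFIG)
    for src in ("172.13.9.9", "172.20.1.1", "10.0.0.1"):
        print("access-list 6", src, evaluate(acls[6], src))
```

Running it shows the ordering rule the slides state: 172.13.9.9 is denied by statement 1, 172.20.1.1 is permitted by statement 2, and 10.0.0.1 matches nothing and is dropped by the implicit deny. Entering the same two statements of list 6 in the opposite order makes the permit line match 172.13.9.9 first, which is why numbered lists that need a different order have to be deleted with no access-list and re-entered.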
Verifying the ACL configuration
show access-lists command: displays the access lists configuration.
Verifying the ACL configuration
show ip interface command: displays the access-list interface assignments.
Verifying the ACL configuration
show running-config command: displays the configuration output, including access lists and assignments.
Standard ACLs
Standard ACLs check the source address of IP packets that are routed.
The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.
The standard ACL command is as follows:
Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
Standard ACLs, the remark keyword
Makes the access list easier to understand.
The objective of the following entry is not immediately clear:
Router(config)# access-list 1 permit 171.69.2.88
It is much easier to read a remark about the entry to understand its effect, as follows:
Router(config)# access-list 1 remark Permit only Jones workstation through
Router(config)# access-list 1 permit 171.69.2.88
Standard ACLs
To remove a standard ACL, use the no form of the statement. The syntax is as follows:
Router(config)# no access-list access-list-number
The ip access-group command links an existing standard ACL to an interface:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Extended ACLs
Because of the greater range of control they provide, extended ACLs are used more often than standard ACLs.
Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers, which gives greater flexibility to describe what the ACL will check.
Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.
When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.
Extended ACL statements
Access list number range of 100-199 and 2000-2699
Source/destination IP address
Layer 4 protocol number
Applied to the port closest to the source host
Extended ACL parameters
Dynamic: identifies the access list as a dynamic access list
Timeout: specifies the absolute length of time
Protocol: name or number (0-255) of an Internet protocol
Source: number of the network or host from which the packet is being sent (32-bit quantity in four-part dotted format, any, or host)
Destination: number of the network or host to which the packet is being sent (32-bit quantity in four-part dotted format, any, or host)
Extended ACL parameters
Source wildcard: wildcard bits to be applied to the source (32-bit quantity in four-part dotted format, any, or host)
Destination wildcard: wildcard bits to be applied to the destination (32-bit quantity in four-part dotted format, any, or host)
Other parameters included in extended ACLs: precedence, tos, log, log-input, time-range, icmp-type
Transport/application layer ports
Named access list
Modifying a named access list: any additions will be made to the end of the ACL.
Creating a named access list
Advantages that are provided by a named access list
Alphanumeric names can be used to identify ACLs.
The IOS does not limit the number of named ACLs that can be configured.
Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.
Placing ACLs
Extended ACLs: as close as possible to the source of the traffic denied.
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Firewall
It is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet.
The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
Restricting virtual terminal access
Access lists can provide additional security for our system by restricting access to the vty lines.
Associate the access list with inbound Telnet sessions:
host1(config)# line vty 12 15
host1(config-line)# access-class Boston in
Configure an access list:
host1(config)# access-list Boston permit any
End of the Annex: Access Control Lists (ACL)