Presentation transcript: "Access Control Lists (ACLs)"

1 Access Control Lists (ACLs)

2 Overview
1. Network administrators must be able to
   a. deny unwanted access to a network and
   b. allow authorized users to access necessary services.
2. Security tools such as passwords and physical security devices are helpful. However, they often lack the flexibility of basic traffic filters.
3. Routers provide the capability to filter traffic, such as blocking Internet traffic, with access control lists (ACLs).
4. An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.

3 Objectives
1. Learn standard and extended ACLs
2. Placement of ACLs
3. Create and apply named ACLs
4. Function of firewalls
5. Use ACLs to restrict virtual terminal access

4 Introduction to ACL
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny.

5 Introduction to ACL (cont.)
1. ACLs can be created for all routed network protocols, such as IP and Internetwork Packet Exchange (IPX).
2. ACLs can be configured at the router to control access to a network or subnet.
3. To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces.
4. The router examines each packet and will forward or discard it based on the conditions specified in the ACL.
5. If no ACLs are configured on the router, all packets that pass through the router will be permitted to access the entire network.

6 Introduction to ACL (cont.)
An ACL makes its filtering decision (not a routing decision) based on source address, destination address, protocol, and upper-layer port numbers.

7 Introduction to ACL (cont.)
ACLs are defined per protocol, per direction, per interface: one list per routed protocol can be applied inbound and one outbound on each interface.

8 Introduction to ACL (cont.)
ACLs can be used to perform the following tasks:
- Limit network traffic and increase network performance.
- Provide traffic flow control.
- Provide a basic level of security for network access.
- Decide which types of traffic are forwarded or blocked at the router interfaces.
- Control which areas a client can access on a network.
- Screen hosts to permit or deny access to a network segment.

9 How ACLs Work
An ACL is made up of statements that define whether packets are accepted or rejected at inbound and outbound interfaces.

10 How ACLs Work (cont.)
1. The order in which ACL statements are placed is important.
2. The Cisco IOS software tests the packet against each condition statement in order, from the top of the list to the bottom.
3. Once a match is found in the list, the permit or deny action is performed and no other ACL statements are checked.
4. If a condition statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked.
5. If additional condition statements are needed in a numbered access list, new statements are appended at the end; on IOS releases without sequence numbering the entire ACL must be deleted and recreated to insert a statement elsewhere. (IOS 12.3 and later allow numbered lists to be edited in named-ACL configuration mode using sequence numbers.)

11 How ACLs Work (cont.) [image slide, no text content]

12 Creating ACLs
1. ACLs are created in global configuration mode.
2. There are many types of ACLs: standard ACLs, extended ACLs, and named ACLs.
3. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it.
4. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

13 Protocols with ACLs Specified by Numbers [table not reproduced in the transcript; for IP, standard lists use the numbers 1-99 and 1300-1999, extended lists 100-199 and 2000-2699]

14 ACL configuration task
Step 1: create the ACL in global configuration mode with the access-list command.
Step 2: apply it to an interface, inbound or outbound, with the ip access-group command in interface configuration mode.

15 Creating ACLs (cont.)

16 Creating ACLs (cont.)
1. In TCP/IP, ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic by using the ip access-group command.
2. The ip access-group command is issued in interface configuration mode.
3. When an ACL is assigned to an interface, inbound or outbound placement should be specified. The filter direction can be set to check packets that travel into or out of an interface.
4. To determine if an ACL controls inbound or outbound traffic, the network administrator must view the interfaces as if looking at them from inside the router: an inbound ACL checks packets as they arrive on the interface, before the routing decision; an outbound ACL checks packets the router has already decided to send out of that interface.
5. A numbered ACL cannot be edited line by line on older IOS releases. It must be deleted with the no access-list list-number command and re-entered.

17 Rules to create and apply access lists
1. There should be one access list per protocol per direction.
2. Standard access lists should be applied closest to the destination.
3. Extended access lists should be applied closest to the source.
4. The inbound or outbound interface should be referenced as if looking at the port from inside the router.
5. Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found, the packet is denied and discarded.

18 Rules to create and apply access lists (cont.)
6. There is an implicit deny any at the end of all access lists.
7. Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
8. The match condition is examined first. The permit or deny is applied only if the match is true.
9. Never work with an access list that is actively applied.
10. A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.

19 Rules to create and apply access lists (cont.)
11. New lines are always added to the end of the access list. A no access-list x command will remove the whole list. On IOS releases without sequence numbering it is not possible to selectively add and remove lines in numbered ACLs.
12. When an IP access list rejects a packet, the router discards it and sends the sender an ICMP destination unreachable message (code 13, communication administratively prohibited); the message can be suppressed per interface with no ip unreachables.
13. An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.

20 The Function of a Wildcard Mask
1. A wildcard mask is a 32-bit quantity that is divided into four octets.
2. A wildcard mask is paired with an IP address.
3. The ones and zeros in the mask are used to identify how to treat the corresponding IP address bits.
4. The term wildcard mask represents the ACL mask-bit matching process.
5. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

21 The permit/deny parameter
After you've typed access-list and chosen the correct access-list-number, you type either permit or deny depending on the action you wish to take: permit forwards the packet; deny discards it and returns an ICMP message to the sender.

22 The {test-conditions} parameter
- In the {test conditions} portion of the ACL, you will specify various parameters depending on the type of access list.
- Common to most access lists is the source address (called the "ip mask" on these slides) paired with a wildcard mask.
- The source address can be a subnet, a range of addresses, or a single host. It is referred to as the ip mask because the wildcard mask is applied to it to decide which of its bits are checked.
- The wildcard mask tells the router which bits to check. We will spend some time now learning its function.
Lab-A(config)#access-list 1 deny 192.5.5.10 0.0.0.0
(192.5.5.10 is the ip mask; 0.0.0.0 is the wildcard mask)

23 The Wildcard Mask
- A wildcard mask is written to tell the router what bits in the address to match and what bits to ignore.
- A "0" bit means check this bit position. A "1" bit means ignore this bit position. This is completely different from the ANDing process we studied in Semester 1.
- Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:
  11000000.00000101.00000101.00001010 (source address)
  00000000.00000000.00000000.00000000 (wildcard mask)
- What do all the bits turned off in the wildcard mask tell the router? Every bit must match, so only the single host 192.5.5.10 is selected.

24 The Wildcard Mask
This table from the curriculum may help: [table not reproduced in the transcript]

25 Masking Practice
- On the next several slides, we will practice making wildcard masks to fit specific guidelines. Don't worry if you don't get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to master.
- Write an ip mask and wildcard mask to check for all hosts on the network 192.5.5.0 255.255.255.0.
- Answer: 192.5.5.0 0.0.0.255
  Notice that this wildcard mask is the bitwise inverse of the default subnet mask for a Class C address: every 255 becomes 0 and every 0 becomes 255. WARNING: This is a helpful rule only when looking at whole networks or subnets.

26 Masking Practice
- Write an ip mask and wildcard mask to check for all hosts in the subnet 192.5.5.32 255.255.255.224.
- If you answered 192.5.5.32 0.0.0.31, YOU'RE RIGHT!! 0.0.0.31 is the inverse of 255.255.255.224. Let's look at both in binary:
  11111111.11111111.11111111.11100000 (255.255.255.224)
  00000000.00000000.00000000.00011111 (0.0.0.31)
- To prove this wildcard mask will work, let's look at a host address within the .32 subnet, 192.5.5.55:
  11000000.00000101.00000101.00110111 (192.5.5.55) host address
  11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
  00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask

27 Masking Practice
- In the previous example (repeated below), the bits that must match are the first 27, the ones under the "0"s of the wildcard mask (the original slide highlighted them in blue):
  11000000.00000101.00000101.00110111 (192.5.5.55) host address
  11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
  00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
- Remember: a "0" bit in the wildcard mask means check the bit; a "1" bit in the wildcard mask means ignore it. Under the "0"s, the address of the packet being filtered (192.5.5.55) must match the ip mask configured in the access list (192.5.5.32).
- Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192. Answer: 192.5.5.64 0.0.0.63

28 Masking Practice
1. Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0. Answer: 172.16.128.0 0.0.127.255
2. Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a subnet mask of 255.255.252.0. Answer: 172.16.16.0 0.0.3.255
3. Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0. Answer: 10.0.8.0 0.0.7.255
4. By now, you should have the hang of ip masks and wildcard masks when dealing with a subnet. If not, go back and review.

29 Masking a Host Range
1. Masking will not be so easy during the "Hands On" final. You'll need to be able to deny a portion of a subnet while permitting another.
2. To mask a range of hosts within a subnet, it is often necessary to work at the binary level.
3. For example:
   - students use the range 192.5.5.0 to 192.5.5.127
   - teachers use the range 192.5.5.128 to 192.5.5.255
   - both groups are on network 192.5.5.0 255.255.255.0
4. How do you write an ip mask and wildcard mask to deny one group, yet permit another?

30 Masking a Host Range
Let's write the masks for the students.
1. First, write out the first and last host address in binary. Since the first 3 octets are identical, we can skip those: all of their wildcard bits must be "0".
   First host's 4th octet: 00000000
   Last host's 4th octet: 01111111
2. Second, look for the leading bits that are shared by both (the leading 0, highlighted on the original slide):
   0 0000000
   0 1111111
3. These "bits in common" are to be checked, just like the common bits in the 192.5.5 portion of the addresses.
Examples: host ranges 192.5.5.0 to .127 and .128 to .255

31 Masking a Host Range
1. Third, the bits that differ between the first and last host (the low 7 bits of the last octet) become "1"s in the wildcard mask; their decimal value is 127.
2. Finally, determine the ip mask and wildcard mask:
   - The ip mask can be any address in the range, because the bits under the "1"s of the wildcard mask are ignored, but convention says use the first one.
   - The wildcard mask is all "0"s for the common bits and "1"s for the rest: 192.5.5.0 0.0.0.127
What about the teachers? What would be their ip mask and wildcard mask?
192.5.5.128 (10000000) to 192.5.5.255 (11111111)
Answer: 192.5.5.128 0.0.0.127
Notice anything? The wildcard mask stayed the same; only the ip mask changed, because its leading bit is now 1.
Examples: host ranges 192.5.5.0 to .127 and .128 to .255
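The following Python script is an added example and not part of the original presentation. It implements the wildcard-mask operations that the Masking Practice and Masking a Host Range slides work through by hand: inverting a subnet mask for a whole network, deriving the address/wildcard pair for a host range from the leading bits the first and last host share, and the match test itself. It also goes one step beyond the slides by reporting when a range is not an aligned block, in which case the derived pair matches more hosts than intended. The addresses are the slides' own; the function names are assumptions made here.

```python
"""Added example: wildcard-mask arithmetic for Cisco-style ACL matching."""
import ipaddress


def to_int(dotted):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer (possibly negative from ~) back to dotted quad."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_subnet_mask(subnet_mask):
    """For a whole network or subnet the wildcard mask is the bitwise inverse of
    the subnet mask (the same as 255.255.255.255 minus the subnet mask):
    255.255.255.224 -> 0.0.0.31."""
    return to_dotted(~to_int(subnet_mask))


def wildcard_for_range(first, last):
    """Derive (address, wildcard, exact) for the hosts first..last: the leading
    bits the two share are checked (wildcard 0), the rest are ignored (wildcard 1).
    exact is False when the range is not an aligned power-of-two block; the
    returned pair then matches a superset of the requested range."""
    f, l = to_int(first), to_int(last)
    varying = (f ^ l).bit_length()   # number of low-order bits that differ
    wildcard = (1 << varying) - 1    # ones under every differing bit
    base = f & ~wildcard             # convention: first address of the block
    exact = (base == f) and (l == base | wildcard)
    return to_dotted(base), to_dotted(wildcard), exact


def matches(address, acl_address, wildcard):
    """Cisco matching rule: where the wildcard bit is 0 the packet bit must equal
    the ACL address bit; where it is 1 the bit is ignored."""
    return (to_int(address) ^ to_int(acl_address)) & ~to_int(wildcard) == 0


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))     # 0.0.0.31
    print(wildcard_for_range("192.5.5.0", "192.5.5.127"))    # students: ('192.5.5.0', '0.0.0.127', True)
    print(wildcard_for_range("192.5.5.128", "192.5.5.255"))  # teachers: ('192.5.5.128', '0.0.0.127', True)
    print(wildcard_for_range("192.5.5.1", "192.5.5.127"))    # not aligned: ('192.5.5.0', '0.0.0.127', False)
    print(matches("192.5.5.55", "192.5.5.32", "0.0.0.31"))   # True
    print(matches("192.5.5.64", "192.5.5.32", "0.0.0.31"))   # False
```

The exact flag is the check a practitioner wants before pasting a range-derived mask into a deny statement: a range such as .1 to .127 cannot be expressed with one address/wildcard pair, and the nearest pair (0.0.0.127) silently includes .0 as well.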

32 Time Saver
For a whole network or subnet, subtract the subnet mask from 255.255.255.255 to get the wildcard mask, e.g. 255.255.255.255 - 255.255.255.224 = 0.0.0.31.

33 Verifying ACLs
There are several show commands that will verify the content and placement of ACLs on the router:
- show ip interface (which ACL is applied to each interface, and in which direction)
- show access-lists (the statements of each list, with per-statement match counters)
- show running-config (the configured access-list statements and the ip access-group lines)

34 #show ip interface [output slide, not reproduced in the transcript]

35 #show access-lists [output slide, not reproduced in the transcript]

36 #show running-config [output slide, not reproduced in the transcript]

37 Standard ACLs

38 Standard ACLs (cont.)
The full syntax of the standard ACL command is as follows:
1. Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
   (if source-wildcard is omitted it defaults to 0.0.0.0, i.e. the single host given)
2. Router(config)#access-list 1 permit 171.69.2.88
3. Router(config)#access-list 1 remark Permit only Jones workstation through
   Router(config)#access-list 1 permit 171.69.2.88
   [The remark keyword makes the access list easier to understand. Each remark is limited to 100 characters.]
4. Router(config)#no access-list access-list-number
5. Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

39 Standard ACLs (cont.)
1. Standard ACLs check the source address of IP packets that are routed.
2. The ACL will either permit or deny access for the entire protocol suite, based on the network, subnet, and host addresses.

40 Extended ACLs
1. Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
2. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.
3. This gives greater flexibility to describe what the ACL will check.
4. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

41 Extended ACLs (cont.)
General form: Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
The keyword any stands for 0.0.0.0 255.255.255.255, and host A.B.C.D stands for A.B.C.D 0.0.0.0.

42 Extended ACLs (cont.)
1. For a single ACL, multiple statements may be configured.
2. Each statement should have the same access list number, to relate the statements to the same ACL.
3. There can be as many condition statements as needed, limited only by the available router memory.

43 Extended ACLs (cont.)
Router(config-if)#ip access-group access-list-number {in | out}
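The following Python script is an added example and not part of the original presentation. It parses a small, constructed set of IOS-style numbered access-list statements in the standard and extended forms shown on the preceding slides and evaluates constructed packets against them the way the How ACLs Work and Rules slides describe: top to bottom, first match wins, and a packet that matches nothing falls through to the implicit deny any. It also flags statements that can never match because an earlier statement already covers every packet they would match (the permit any at the top of the list from the How ACLs Work slide). The addresses, list numbers and the shadowed_lines check are assumptions made for illustration; the parser understands only any, host, address/wildcard pairs and the eq port operator, not the full IOS grammar.

```python
"""Added example: minimal evaluator for IOS-style numbered ACLs (standard 1-99,
extended 100-199 with optional 'eq port'). Illustrative subset of the IOS syntax."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 'any' = address 0.0.0.0 with wildcard 255.255.255.255


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A W' or bare 'A' (standard ACL)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    addr = _to_int(tokens[0])
    if len(tokens) > 1 and tokens[1][0].isdigit():  # a wildcard follows
        return (addr, _to_int(tokens[1])), tokens[2:]
    return (addr, 0), tokens[1:]  # no wildcard: exact host match


def _parse_port(tokens):  # optional 'eq N'; None means any port
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acls(config_text):
    """Return {number: [entries]} in statement order; remark lines add no entry.
    entry = (action, proto, (src, src_wc), sport, (dst, dst_wc), dport, text)"""
    acls = {}
    for raw in config_text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        entries = acls.setdefault(number, [])
        if action == "remark":
            continue
        if number <= 99:  # standard: source only, whole protocol suite
            src, rest = _parse_addr(rest)
            entries.append((action, "ip", src, None, ANY, None, " ".join(tokens)))
        else:  # extended: protocol, source [eq p], destination [eq p]
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            sport, rest = _parse_port(rest)
            dst, rest = _parse_addr(rest)
            dport, rest = _parse_port(rest)
            entries.append((action, proto, src, sport, dst, dport, " ".join(tokens)))
    return acls


def _addr_match(addr, spec):
    value, wildcard = spec
    return (addr ^ value) & ~wildcard == 0  # bits under wildcard 0 must agree


def evaluate(entries, packet):
    """Walk top to bottom; first match wins; no match is the implicit deny any.
    Returns (action, matching statement text or None for the implicit deny)."""
    src, dst = _to_int(packet["src"]), _to_int(packet["dst"])
    for action, proto, s_spec, sport, d_spec, dport, text in entries:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not (_addr_match(src, s_spec) and _addr_match(dst, d_spec)):
            continue
        if sport is not None and sport != packet.get("sport"):
            continue
        if dport is not None and dport != packet.get("dport"):
            continue
        return action, text
    return "deny", None


def _covers(outer, inner):  # every address matched by inner also matches outer
    (o_val, o_wc), (i_val, i_wc) = outer, inner
    return (i_wc & ~o_wc) == 0 and ((o_val ^ i_val) & ~o_wc) == 0


def shadowed_lines(entries):
    """Statements that can never match because one earlier statement already
    covers every packet they would match (a 'permit any' on top, for instance)."""
    dead = []
    for i, (_, proto, s, sp, d, dp, text) in enumerate(entries):
        for _, eproto, es, esp, ed, edp, _ in entries[:i]:
            if (eproto in ("ip", proto) and _covers(es, s) and _covers(ed, d)
                    and esp in (None, sp) and edp in (None, dp)):
                dead.append(text)
                break
    return dead


# Constructed configuration (not from the slides): students are 192.5.5.0-.127
# and teachers 192.5.5.128-.255, the ranges used in the masking exercise.
EXAMPLE_CONFIG = """
access-list 1 remark Permit only the Jones workstation
access-list 1 permit 171.69.2.88
access-list 101 deny tcp 192.5.5.0 0.0.0.127 any eq 23
access-list 101 permit tcp 192.5.5.0 0.0.0.127 any eq 80
access-list 101 permit ip 192.5.5.128 0.0.0.127 any
"""
# The ordering mistake from the 'How ACLs Work' slide: permit any on top.
SHADOWED_CONFIG = """
access-list 2 permit any
access-list 2 deny 192.5.5.10
"""
```

Calling evaluate(parse_acls(EXAMPLE_CONFIG)[101], packet) for a student packet to TCP port 80 returns "permit" from the second statement, a student Telnet packet hits the explicit deny on the first statement, and a student SSH packet returns ("deny", None), the implicit deny; shadowed_lines on list 2 reports the deny statement as dead. The shadow check is deliberately conservative: it only reports a statement that a single earlier statement covers completely, so a statement hidden by the union of several earlier ones is not reported.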

44 Named ACLs
1. Named ACLs allow standard and extended ACLs to be given names instead of numbers.
2. The following are advantages that are provided by a named access list:
   - Alphanumeric names can be used to identify ACLs.
   - The IOS does not limit the number of named ACLs that can be configured.
   - Named ACLs provide the ability to modify ACLs without deletion and reconfiguration: a single statement can be removed with no in front of it. In older IOS releases new statements could only be appended at the end of a named list; with sequence numbering (IOS 12.3 and later) a statement can be inserted at any position by giving it a sequence number.

45 Named ACLs (cont.)
A named ACL is created with the ip access-list {standard | extended} name command in global configuration mode; the permit and deny statements are then entered in the named-ACL configuration mode that follows, and the list is applied to an interface with ip access-group name {in | out}.

46 Named ACLs (cont.)

47 Placing ACLs
Standard ACLs should be placed close to the destination: they match on the source address only, so a standard ACL near the source would also cut that source off from destinations that should remain reachable.
Extended ACLs should be placed close to the source: they can identify the exact traffic to drop, so dropping it early saves bandwidth along the rest of the path.

48 Firewalls
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
[figure: exterior router, application gateway, interior router]
1. The interior router accepts packets only from the application gateway.
2. The gateway controls the delivery of network-based services both into and from the internal network.

49 Restricting Virtual Terminal Access
1. Standard and extended access lists apply to packets that travel through a router.
2. They are not designed to block packets that originate within the router.
3. Just as there are physical ports or interfaces, such as Fa0/0 and S0/0, on the router, there are also virtual ports. These virtual ports are called vty lines.
4. The routers covered here have five vty lines, numbered 0 through 4; newer platforms have more (vty 0 through 15 is common), so check the actual count with show line before applying restrictions.
5. For security purposes, users can be denied virtual terminal access to the router, or permitted access to the router but denied access to destinations beyond it.

50 Restricting Virtual Terminal Access (cont.)
1. Telnet (and SSH) sessions create a nonphysical vty connection to the router. There is only one type of vty access list.
2. Identical restrictions should be placed on all vty lines, since it is not possible to control the line on which a user will connect.
3. Applying the ACL to a terminal line requires the access-class command, entered in line configuration mode, instead of the access-group command.
4. In older IOS releases only numbered access lists could be applied to virtual lines; current releases accept named lists in access-class as well.

51 Restricting Virtual Terminal Access (cont.)

52 The End

