© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Slide 1: Access Control Lists (Accessing the WAN – Chapter 5, Version 4.0)
Slide 2: Objectives
– Explain how ACLs are used to secure a medium-size Enterprise branch office network.
– Configure standard ACLs in a medium-size Enterprise branch office network.
– Configure extended ACLs in a medium-size Enterprise branch office network.
– Describe complex ACLs in a medium-size Enterprise branch office network.
– Implement, verify and troubleshoot ACLs in an enterprise network environment.
Slide 3: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Describe the steps that occur in a complete TCP conversation

Slide 4: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Explain how a packet filter allows or blocks traffic

Slide 5: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Describe how ACLs control access to networks
Access Control Lists (ACLs) give networkers the ability to control (permit or deny) any type of traffic on their networks.

Slide 6: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Slide 7: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Use a flow chart to show how ACLs operate
When traffic is referred to as inbound or outbound, students need to imagine that they are inside the router observing the traffic. If the packets are getting closer to them, it is inbound. If the packets are getting farther from them, it is outbound.
Slide 8: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Slide 9: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Describe the types and formats of ACLs

Slide 10: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Explain how Cisco ACLs can be identified using standardized numbering or names

Slide 11: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Describe where ACLs should be placed in a network

Slide 12: Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
Explain the considerations for creating ACLs
Slide 13: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Explain why the order in which criteria statements are entered into an ACL is important

Slide 14: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Explain how to configure a standard ACL

Slide 15: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to use wildcard masks with ACLs

Slide 16: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to apply a standard ACL to an interface

Slide 17: Applying an ACL to an interface

Slide 18: Deny FTP

Slide 19: Deny Telnet

Slide 20: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Explain the process for editing numbered ACLs
Slide 21: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Explain how to create a named ACL
Named ACLs can be used as an alternative to numbered ACLs in order to allow line-by-line editing of statements within the ACL; this is not possible in numbered ACLs. Named ACLs also allow administrators to quickly know the purpose of an ACL from the name used. When using named ACLs, each statement is numbered, which allows the administrator to delete and add specific statements wherever they are needed in the ACL.
Slide 22: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to monitor and verify ACLs

Slide 23: Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
Explain the process for editing named ACLs

Slide 24: Named ACL Example
Slide 25: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
Explain how an extended ACL provides more filtering than a standard ACL
Through the use of Access Control Lists, network professionals can control the flow of traffic on their networks. Traffic can be either permitted or denied based upon criteria such as source and destination IP address, port number, and protocol.
Slide 26: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to configure extended ACLs

Slide 27: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to apply an extended ACL to an interface

Slide 28: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to create named extended ACLs

Slide 29: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
List the three types of complex ACLs
Slide 30: Dynamic ACLs
Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs.
– Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
– Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated.
– The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists.
– This permits traffic for a particular period; idle and absolute timeouts are possible.
Slide 31: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
Explain how and when to use dynamic ACLs
In the figure, the user at PC1 is an administrator who requires back-door access to the 192.168.30.0/24 network located on router R3. A dynamic ACL has been configured to allow FTP and HTTP access on router R3, but only for a limited time.
Slide 32: When to Use Dynamic ACLs
When to use dynamic ACLs:
– When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet.
– When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.
Benefits of dynamic ACLs:
– Use of a challenge mechanism to authenticate individual users
– Simplified management in large internetworks
– In many cases, reduction of the amount of router processing that is required for ACLs
– Reduction of the opportunity for network break-ins by network hackers
– Creation of dynamic user access through a firewall, without compromising other configured security restrictions
Slide 33: What are Reflexive ACLs?
Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.
– The router examines the outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to allow replies back in.
– Reflexive ACLs contain only temporary entries.
– These entries are automatically created when a new IP session begins, for example with an outbound packet, and are automatically removed when the session ends.
Reflexive ACLs can be defined only with extended named IP ACLs.
– They cannot be defined with numbered or standard named ACLs or with other protocol ACLs.
Slide 34: What are Reflexive ACLs?
Reflexive ACLs provide a truer form of session filtering than an extended ACL that uses the established parameter introduced earlier.
– Although similar in concept to the established parameter, reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits.
– The established option also does not work with applications that dynamically alter the source port for the session traffic.
– The permit established statement only checks the ACK and RST bits, not the source and destination addresses.
Benefits of reflexive ACLs:
– Help secure your network against network hackers and can be included in a firewall defense.
– Provide a level of security against spoofing and certain DoS attacks. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
– Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
Slide 35: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
Reflexive ACL Example
The figure shows an example for which the administrator needs a reflexive ACL that permits ICMP outbound and inbound traffic, while it permits only TCP traffic that has been initiated from inside the network. Assume that all other traffic will be denied. The reflexive ACL is applied to the outbound interface of R2.
Although the complete configuration for reflexive ACLs is outside the scope of this course, the figure shows an example of the steps that are required to configure a reflexive ACL.
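The following Python model is an added illustration of the reflexive ACL behaviour described on slides 33 to 35; it is not Cisco code and not part of the deck. It shows the temporary mirror entry that an outbound session creates, the idle timeout and session-end removal, and why this is stricter than the established keyword, which only inspects ACK/RST bits and cannot cover UDP or ICMP at all. The addresses (192.168.10.5, 203.0.113.x), ports and the 300-second timeout are constructed values.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed model of reflexive ACL behaviour (not IOS code). Outbound traffic
# is inspected and, for each new session, a temporary entry permitting the
# mirror image of that session is created; inbound traffic is permitted only
# while a matching temporary entry exists. Entries go away when the session
# ends or after an idle timeout.


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp, use 0 in this model
    dst: str
    dport: int

    def mirror(self) -> "Flow":
        """The reply direction: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveACL:
    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout          # seconds of inactivity before removal
        self.temp_entries: Dict[Flow, int] = {}   # permitted inbound flow -> last seen time

    def outbound(self, f: Flow, now: int) -> str:
        """Outbound session from the inside: permitted, and its mirror entry is (re)created."""
        self._expire(now)
        self.temp_entries[f.mirror()] = now
        return "permit"

    def inbound(self, f: Flow, now: int, session_end: bool = False) -> str:
        """Inbound packet: permitted only if it mirrors a live outbound session."""
        self._expire(now)
        if f not in self.temp_entries:
            return "deny"                 # falls through to the static deny in the ACL
        if session_end:                   # e.g. TCP FIN/RST seen: entry removed at once
            del self.temp_entries[f]
        else:
            self.temp_entries[f] = now    # activity refreshes the idle timer
        return "permit"

    def _expire(self, now: int) -> None:
        stale = [k for k, t in self.temp_entries.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.temp_entries[k]


def established_check(proto: str, ack: bool = False, rst: bool = False) -> str:
    """What 'permit tcp any any established' looks at in this model: only the ACK/RST
    bits, so any TCP packet with ACK set is let in and UDP/ICMP can never qualify."""
    return "permit" if proto == "tcp" and (ack or rst) else "deny"
```

A DNS query going out creates an entry for the reply only; a reply to a different port, or one arriving after the idle timeout, is denied. A spoofed TCP packet with ACK set passes the established check but has no temporary entry, so the reflexive list denies it.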
Slide 36: What are Time-based ACLs?
Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.
– To implement time-based ACLs, you create a time range that defines specific times of the day and week.
– You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.
Time-based ACLs have many benefits:
– They offer the network administrator more control over permitting or denying access to resources.
– They allow network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
Slide 37: Time-Based ACLs
Time-based ACL example:
– Although the complete configuration details for time-based ACLs are outside the scope of this course, the following example shows the steps that are required.
– In the example, a Telnet connection is permitted from the inside network to the outside network on Monday, Wednesday, and Friday during business hours.
– The time range relies on the router system clock. The feature works best with Network Time Protocol (NTP) synchronization, but the router clock can be used.
Step 1. Define the time range to implement the ACL and give it a name (EVERYOTHERDAY, in this case).
Step 2. Apply the time range to the ACL.
Step 3. Apply the ACL to the interface.
Slide 38: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
Describe how to troubleshoot common ACL problems

Slide 39: Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment
Create and place a standard or extended ACL and verify its placement. Verify ACL functionality and troubleshoot as needed.
Slide 40: Configuring ACL

Slide 41: Example 1

Slide 42: Example 2

Slide 43: Example 3
Slide 44: Summary
An Access Control List (ACL) is a series of permit and deny statements that are used to filter traffic.
Standard ACL
– Identified by numbers 1 - 99 and 1300 - 1999
– Filters traffic based on source IP address
Extended ACL
– Identified by numbers 100 - 199 and 2000 - 2699
– Filters traffic based on source IP address, destination IP address, protocol, and port number
Slide 45: Summary
Named ACL
– Used with IOS 11.2 and above
– Can be used for either a standard or an extended ACL
ACLs use wildcard masks (WCM)
– Described as the inverse of a subnet mask
– Reason: a 0 bit means check the bit, a 1 bit means ignore the bit
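The following Python model is an added example, not code from the deck or from Cisco, that ties together the rules summarized on these slides and explained earlier: wildcard-mask matching (0 = check the bit, 1 = ignore it), top-to-bottom first-match evaluation and why statement order matters (slide 13), the implicit deny at the end of every list, the extra fields an extended ACL filters on (the "Deny FTP" and "Deny Telnet" cases), the standard/extended number ranges, and the EVERYOTHERDAY time range from slide 37. All addresses, the server 192.168.30.5, the port numbers and the 08:00 to 17:00 reading of "business hours" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed model of IOS ACL evaluation (not Cisco code): wildcard-mask
# matching, first-match ordering, the implicit deny at the end of every list,
# the extra fields an extended ACL checks, and a time range gating an entry.

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit ignored


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit means check this bit, a 1 bit means ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(wildcard))
    check = 0xFFFFFFFF ^ ignore          # bits that must be equal
    return (a & check) == (b & check)


def acl_type(number: int) -> str:
    """Classify a numbered IPv4 ACL by the ranges given in the summary."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended IPv4 ACL number")


class TimeRange:
    """One 'periodic' line of a time range: days as datetime.weekday() numbers
    (0 = Monday ... 6 = Sunday) and start/end as (hour, minute)."""
    def __init__(self, name: str, days: Set[int], start: Tuple[int, int], end: Tuple[int, int]):
        self.name, self.days, self.start, self.end = name, days, start, end

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= (now.hour, now.minute) <= self.end


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]               # standard ACLs never set these: defaults mean "any"
    dst_wc: str = ANY[1]
    proto: str = "ip"
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, p: Packet, now: Optional[datetime]) -> bool:
        if self.time_range is not None and (now is None or not self.time_range.active(now)):
            return False            # outside its time range the entry is skipped
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


def evaluate(acl: List[Entry], p: Packet, now: Optional[datetime] = None) -> str:
    """Top-to-bottom, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.matches(p, now):
            return e.action
    return "deny"


def at(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Helper standing in for the router clock."""
    return datetime(year, month, day, hour, minute)


# Standard ACL: "deny 192.168.10.0 0.0.0.255" followed by "permit any".
STANDARD_10 = [Entry("deny", "192.168.10.0", "0.0.0.255"), Entry("permit", *ANY)]
# Same statements reversed: permit-any matches first, so the deny never fires.
STANDARD_10_WRONG_ORDER = list(reversed(STANDARD_10))

# Extended ACL for the "Deny FTP" / "Deny Telnet" slides: block tcp/21 and tcp/23 from
# 192.168.10.0/24 to the constructed server address 192.168.30.5, permit everything else.
EXTENDED_110 = [
    Entry("deny", "192.168.10.0", "0.0.0.255", "192.168.30.5", "0.0.0.0", "tcp", 21),
    Entry("deny", "192.168.10.0", "0.0.0.255", "192.168.30.5", "0.0.0.0", "tcp", 23),
    Entry("permit", *ANY),
]

# Time-based ACL from the EVERYOTHERDAY example; 08:00 to 17:00 is an assumed reading
# of "business hours". Outside the range its only entry is inactive, so the implicit
# deny applies.
EVERYOTHERDAY = TimeRange("EVERYOTHERDAY", {0, 2, 4}, (8, 0), (17, 0))
TIME_BASED_101 = [Entry("permit", *ANY, *ANY, "tcp", 23, EVERYOTHERDAY)]
```

Two points worth trying with the model: a list made only of deny statements denies everything, because nothing survives the implicit deny; and STANDARD_10_WRONG_ORDER shows that a permit-any placed first makes every later statement dead, which is the reason slide 13 stresses statement order.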
Slide 46: Summary
Implementing ACLs
– 1st, create the ACL
– 2nd, place the ACL on an interface: standard ACLs are placed nearest the destination; extended ACLs are placed nearest the source
Use the following commands for verifying and troubleshooting an ACL
– show access-list
– show interfaces
– show run
Slide 47: Summary
Complex ACL
– Dynamic ACL
– Reflexive ACL
– Time-based ACL