Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Lists CCNA 2 v3 – Module 11

Published byBarbra Butler Modified over 6 years ago

Similar presentations

Presentation on theme: "Access Control Lists CCNA 2 v3 – Module 11"— Presentation transcript:

1 Access Control Lists CCNA 2 v3 – Module 11
NESCOT CATC CCNA2v3 Module 11 DC

2 What are ACLs? ACLs provide basic traffic filtering capabilities.
ACLs enable management of traffic and secure access to and from a network. ACLs can be created for various network protocols; IP, IPX, or AppleTalk. The router examines each packet and either forwards or drops it. This router has one _________ interface and one ________ interface. Each interface can have one ACL __________ and one ACL __________ This router is configured for three routed protocols: Example: Ethernet E0 Serial S0 outbound inbound IP, AppleTalk, IPX. Maximum no. of ACLs that can be configured: (No. of interfaces) x 2 x (no. of routed protocols) = 12 Forwarding decision can be based on a packets: Source address Destination address Protocol Port number NESCOT CATC

3 Why use ACLS? Limit network traffic to increase network _____________.
Provide traffic flow control by restricting the delivery of ________________. __________ - allow one host access but prevent another. Control which types of traffic are __________ or ________ by the router. Ability to control which _______ a client can access. Restrict user access to only certain _____________, (eg. Web pages). If ACLs are not configured, __________ passing through the router will be allowed onto _________ of the network. performance routing updates Security forwarded blocked areas types of files all packets all parts NESCOT CATC

4 How ACLs Work ACL statements operate in sequential, logical order, from top to bottom. If a condition is matched, the packet is permitted or denied and the rest of the ACL isn’t checked. An implicit "deny any" statement is at end of list by default. This last line "deny any" is not visible but it will not allow any unmatched packets to be permitted. ACL on interface? No Route packet to outbound interface Yes Any matches? Yes Frame arrives at inbound interface L2 address match? Yes ACL on interface? No Default Deny Yes Any matches? No Permit? Yes No Default Deny No Permit? Yes Yes Forward packet No

5 Creating ACLs There are many different types of ACLs.
Each ACL is uniquely identified by assigning a number (or a name) to it. This number identifies the type of access list created and must fall within the specific range of numbers:    Rio(config)# access-list ? <1-99> IP standard access list < > IP extended access list < > Protocol type-code access list < > DECnet access list < > Appletalk access list < > bit MAC address access list < > IPX standard access list < > IPX extended access list < > IPX SAP access list < > Extended 48-bit MAC address access list < > IPX summary address access list < > IP standard access list (expanded range) < > IP extended access list (expanded range) NESCOT CATC

6 Applying ACLs Creating the access list is the first half of using them on a router. The second half of the process is assigning them to an interface. Rio(config)# interface fastethernet 0/0 Rio(config-if)# ip access-group ? <1-199> IP access list (standard or extended) < > IP expanded access list (standard or extended) WORD Access-list name Rio(config-if)# ip access-group 10 ? in inbound packets out outbound packets From inside the router A numbered ACL cannot be edited on the router. To edit an ACL: Copy it to a text file. Remove from router configuration with ‘no’ form of ACL statement. Make necessary changes to text file. Paste back to global configuration mode. NESCOT CATC

7 Wildcard Masks Wildcard masks are 32 bits long and paired with an IP address. Wildcard masks are used with ACLs to filter groups of IP addresses. Example 1: Rio(config)# access-list 10 permit By applying the WM to the IP address, the router will ignore the values of the last two octets. This statement will permit traffic with source IP: _______________________ [anything].[anything] Example 2: Rio(config)# access-list 10 permit This WM discounts the value of the last octet, and 4 bits from the 3rd octet (moving right to left). If M = Match D = Don’t Care, WM = MMMMMMMM•MMMMMMMM•MMMMDDDD•DDDDDDDD This statement will permit traffic from range ___________ to _____________ Two keywords used in ACLs: any host - means an IP address of _______ and WM ______________ - matches an address exactly, or WM __________ NESCOT CATC

8 More general statement denying other traffic from 10.0.0.0/24 network
Standard ACLs Standard IP ACLs check only the ______________ of packets to be routed. source address Rio(config)# access-list 50 deny Rio(config)# access-list 50 permit No WM specified, mask = Number between 1 and 99, or 1300 to1999 (recent IOS) Deny or Permit Wildcard Mask Extended ACLs Extended ACLs check the ________ and ___________ packet addresses as well as being able to check for __________ and _____________. source destination protocols port numbers Protocol Source Destination Port 1. access-list 101 permit ip host any access-list 101 deny ip any access-list 101 deny tcp host eq 23 access-list 101 permit tcp any eq telnet 2. 3. 4. Specifically permit all IP traffic from this host (only) to any other network or host More general statement denying other traffic from /24 network Specifically denies host (only) telnet access to /24 network More general statement permitting telnet from all other hosts on /24 network

9 Named ACLs IP named ACLs were introduced in Cisco IOS Software Release 11.2. Advantages are: Intuitively identify ACLs using names (not just numbers). Extend possibilities beyond 798 simple and 799 extended ACLs Modification of a NACL without deleting and reconfiguring it. NACLs allow individual statements to be deleted without losing whole list. It is still only possible to add statements to the end of a list. Standard or Extended Administrator assigned name Rio(config)# ip access-list extended Server-Access Rio(config-ext-nacl)# permit tcp any host eq smtp Rio(config-ext-nacl)# permit udp any host eq 53 Rio(config-ext-nacl)# [Control + Z] Rio(config)# interface f 0/0 Rio(config-if)# ip access-group Server-Access out NESCOT CATC

10 Placing ACLs Verifying ACLs Command Description
ACLs placed in proper location filter traffic and increase network efficiency. The general rule is to put extended ACLs close to the source of denied traffic. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. Administrators can only place ACLs on devices under their control. Verifying ACLs These show commands verify the content and placement of ACLs: Command Description Interface information includes number of inbound or outbound ACL. Lists contents of all ACLs on the router Interface placement and ACL contents in current configuration show ip interface show access-list show running-config NESCOT CATC

11 ACL Rules One access list per ________, per _________, per _________.
Standard access lists should be applied closest to the ___________. Extended access lists should be applied closest to the ________. Use the inbound or outbound interface reference as if looking at the port from ________________. The ______________ at the end of all access lists will not appear in the configuration listing. Access list entries should filter in the order from specific to ________. The permit or deny is examined ONLY if the _____________. New lines are always added to the _____ of the access list. ___________________________ will remove the whole list. It is not possible to selectively add and remove lines with _________ ACLs. An IP ACL will send ____________________ to sender of rejected packet. In some situations, removing an access list may result in a default ____________ being applied to the interface. Outbound filters do not affect traffic originating at _____________. protocol interface direction destination source inside the router implicit deny general match is true end no access-list [number] numbered ICMP host unreachable ‘deny any’ the local router NESCOT CATC

12 Firewalls A network firewall can be one or several machines working together to prevent unwanted access. External Internal Web Server DMZ FTP Server Firewalls control access to services both into and from the internal network. ACLs are used in firewalls between the internal and external network. A De-Militarised Zone contains network services available to Internet traffic. The firewall router provides isolation for the internal network and the DMZ. Border routers (at the edge of a network) use ACLs to provide security benefits. NESCOT CATC

13 Restricting VTY Access
A router has both physical ports (Fa0/0, S0/0) and ________ ports. These virtual ports are called __________. There are five such vty lines, numbered __ to __ (0 to 15 on later IOS). VTY access can be restricted on routers by using ____________. Access to vty is accomplished using _________. Identical restrictions should be placed on all vty lines as it is not possible to control _____________________________. The process of creating a vty access list is the same as for ____________. Applying the ACL to a terminal line (vty, aux or con) requires the command ____________ instead of _______________.     Only ___________ ACLs can be applied to vty lines. virtual vty lines 4 access lists Telnet which line a user will connect on an interface access-class access-group numbered Rio(config)# line vty 0 4 Rio(config-line)# login Rio(config-line)# password Cisco Rio(config-line)# access-class 2 in Rio(config-line)# end Rio# NESCOT CATC

Download ppt "Access Control Lists CCNA 2 v3 – Module 11"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
Ch. 11 – Access Control Lists

Ch. 11 – Access Control Lists
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 Access Control Lists - Introduction.

CISCO NETWORKING ACADEMY Chabot College ELEC Access Control Lists - Introduction.
© 2002, Cisco Systems, Inc. All rights reserved..

© 2002, Cisco Systems, Inc. All rights reserved..

Similar presentations

Ads by Google