Any Questions?
Chapter 6 IP Access Control Lists
Standard IP Access Control Lists
Extended IP Access Control Lists
Advances in Managing ACL Configuration
Miscellaneous ACL Topics
Do I Know This Already? Go through the quiz (5 minutes)
1. Barney is a host with IP address 10.1.1.1 in subnet /24. Which of the following are things that a standard IP ACL could be configured to do?
a. Match the exact source IP address
b. Match IP addresses through with one access-list command without matching other IP addresses
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses
d. Match only the packet’s destination IP address
Answer: A & C
2. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ?
a b c d e f
Answer: D
3. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ?
a b c d e f
Answer: E
4. Which of the following fields cannot be compared based on an extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers
Answer: E & F
5. Which of the following access-list commands permits traffic that matches packets going from host to all web servers whose IP addresses begin with ?
a. access-list 101 permit tcp host eq www
b. access-list 1951 permit ip host eq www
c. access-list 2523 permit ip host eq www
d. access-list 2523 permit tcp host eq www
e. access-list 2523 permit tcp host eq www
Answer: A & E
6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with ?
a. access-list 101 permit tcp host eq www
b. access-list 1951 permit ip host eq www
c. access-list 2523 permit tcp any eq www
d. access-list 2523 permit tcp eq www
e. access-list 2523 permit tcp eq www any
Answer: E
7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.
Answer: E
8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list... command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.
Answer: A & C
9. What general guideline should you follow when placing extended IP ACLs?
a. Perform all filtering on output if at all possible.
b. Put more-general statements early in the ACL.
c. Filter packets as close to the source as possible.
d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance.
Answer: C
10. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router?
a. Named ACLs
b. Reflexive ACLs
c. Dynamic ACLs
d. Time-based ACLs
Answer: C
Any Questions?
ACL History
Original support for numbered ACLs (we will learn this first)
Then support for named ACLs (IOS 11.2; also covered here)
Now support for sequence numbers for ACLs (IOS 12.3; WAY easier)
Pg 231
Access Control Lists
Allow a router to drop packets based on certain criteria
You build a list with multiple lines; each line is one of the rules to check
Other uses: filter routing updates; match packets for priority (QoS) and VPN
Pg 232
ACL questions
Which packets to filter
Where to filter them
Pg 232
Where to filter Pg 233
Key ACL ideas
Packets can be filtered as they enter an interface, before the routing decision.
Packets can be filtered before they exit an interface, after the routing decision.
Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
The filtering logic is configured in the access list.
At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
Pg 233
Any Questions?
ACL Logic: Matching and Action
Matching: examine packets to match against ACL statements
Action: permit or deny
Pg 234
ACL Logic - KEY IDEA
Step 1: The matching parameters of the access-list statement are compared to the packet.
Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed.
Step 3: If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
Step 4: If no match is made with an entry in the access list, the deny action is performed.
Pg 234
Wildcard Masks
ACLs can match based on IP addresses; standard ACLs match only on the source address
Wildcards let you specify a range of addresses in a single statement (for example, stop all hosts on a subnet)
Logic: a 0 bit in the mask says compare this bit; a 1 bit in the mask says it doesn’t matter
You can add the wildcard mask to the original address (this gives the last address the statement matches)
Pg 235
Mask Examples Pg 235
Wildcard Mask | Binary Version of the Mask | Description
The entire IP address must match.
Just the first 24 bits must match.
Just the first 16 bits must match.
Just the first 8 bits must match.
Automatically considered to match any and all addresses.
Just the first 20 bits must match.
Just the first 22 bits must match.
Pg 235
Figure out wildcard masks
Use the subnet number as the address value in the access-list command.
Use a wildcard mask found by subtracting the subnet mask from
Example: to match all hosts in subnet
Pg 237
Any Questions?
ACL Command
Step 1: Use the address in the access-list command as if it were a subnet number.
Step 2: Use the number found by subtracting the wildcard mask from as a subnet mask.
Step 3: Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.
access-list 1 permit
Pg
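The subtraction rule from the wildcard-mask slides and the three-step range reading above, worked in Python as an added example (not code from the slides or the book). The functions compute a wildcard from a subnet mask, decode an address/wildcard pair into the inclusive range it matches, and test one address bit by bit; all addresses used are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF   # 255.255.255.255 as an integer

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(subnet_mask):
    """Slide rule: wildcard mask = 255.255.255.255 - subnet mask."""
    return _to_dotted(ALL_ONES - _to_int(subnet_mask))

def is_contiguous_wildcard(wildcard):
    """True when the wildcard is a run of 0 bits followed by a run of 1 bits.
    Only such 'subnet' wildcards can be read as one subnet-number..broadcast range."""
    wc = _to_int(wildcard)
    return wc & (wc + 1) == 0

def acl_match_range(address, wildcard):
    """Steps 1-3 of the slide: address as subnet number, subnet mask =
    255.255.255.255 - wildcard, matched range = subnet number .. broadcast (inclusive)."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError("range reading needs a contiguous wildcard, got " + wildcard)
    wc = _to_int(wildcard)
    subnet_mask = ALL_ONES - wc                      # Step 2
    subnet_number = _to_int(address) & subnet_mask   # Step 1 (clears any host bits in the address)
    broadcast = subnet_number | wc                   # Step 3: all host bits set
    return _to_dotted(subnet_number), _to_dotted(broadcast)

def wildcard_matches(address, wildcard, packet_ip):
    """Bit rule from the slide: a 0 in the wildcard means the bit must be equal,
    a 1 means it doesn't matter. Works for any wildcard, contiguous or not."""
    wc = _to_int(wildcard)
    return ((_to_int(address) ^ _to_int(packet_ip)) & ~wc & ALL_ONES) == 0
```

The range reading is only valid for contiguous wildcards; a wildcard such as 0.0.255.0 is legal and matches addresses that are not one contiguous block, which is why the bit test, not the range, is the check to trust when auditing an entry.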
Standard ACL configuration
Memorize the syntax (it is not easy):
access-list access-list-number {deny | permit} source [source-wildcard]
Think about which is the source machine!
Don’t forget the implied deny all at the end (the default)
Pg 238
ACL Logic
Step 1: Plan the location (router and interface) and direction (in or out) on that interface:
a. Standard ACLs should be placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded.
b. Because standard ACLs can only match a packet’s source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
Step 2: Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
Step 3: Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
Pg 239
ACL Example Pg 240
interface Ethernet0
 ip address
 ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is Bob
access-list 1 deny
access-list 1 permit
Create the access-list by adding statements, then add the access-list to the interface (in or out)
Pg 240
Example Pg 242
Yosemite configuration
interface serial 0
 ip access-group 3 out
!
access-list 3 deny host
access-list 3 permit any
Seville configuration
interface serial 1
 ip access-group 4 out
access-list 4 deny
access-list 4 permit any
Pg 242
Any Questions?
Extended ACL concepts Pg 244
Extended IP ACLs can match on more fields. Pg 245
Type of Access List | What Can Be Matched
Both standard and extended ACLs | Source IP address; portions of the source IP address using a wildcard mask
Only extended ACLs | Destination IP address; portions of the destination IP address using a wildcard mask; protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others); source port; destination port; all TCP flows except the first; IP TOS; IP precedence
Pg 245
Examples Pg 246
ACLs and Port numbers Pg 246
The access-list command must use the protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers.
The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines whether the parameter examines the source or destination port.
Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.
It is useful to memorize the most popular TCP and UDP applications and their well-known ports, as listed in Table 6-5, shown later in this chapter.
Pg 246
ACLs in Use: Connecting to a server
Think about addressing and traffic flow
access-list 101 permit tcp eq 21
Notice the location of eq
Pg 247
ACLs in Use: Connection from a server Pg 248
access-list 101 permit tcp eq
Notice the location of eq
Pg 248
Extended ACL commands Pg 249
Command | Configuration Mode and Description
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input] | Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log] | A version of the access-list command with TCP-specific parameters.
Pg 249
Extended ACL hints
Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. Filtering close to the source of the packets therefore saves some bandwidth.
All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
The extended access-list command uses numbers between 100–199 and 2000–2699, with no number being inherently better than another.
Pg 249
Extended ACL Operators
Operator in the access-list Command | Meaning
eq | Equal to
neq | Not equal to
lt | Less than
gt | Greater than
range | Range of port numbers
Pg 250
Extended ACL example Pg 250
interface Serial0
 ip address
 ip access-group 101 in
!
interface Serial1
 ip address
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host eq ftp
access-list 101 deny tcp host host eq www
access-list 101 permit ip any any
Pg 250
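The first-match, implicit-deny evaluation from the ACL Logic slides and the positional eq handling from the port-number slide, as an added Python example (not code from the slides or the book). It parses a subset of the numbered access-list syntax (any, host, address/wildcard, eq with a few port keywords) and evaluates constructed packets against a copy of the ACL 101 above; the addresses Bob 172.16.3.10, Larry 172.16.3.8, Server1 172.16.1.100 and the FTP server subnet 172.16.1.0/24 are assumptions.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords understood by this toy parser (all are real IOS keywords)
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")   # "any" = address 0.0.0.0, wildcard all ones
Packet = namedtuple("Packet", "proto src dst sport dport")   # proto: "tcp", "udp", "icmp"

# Constructed sample list modelled on the slide's ACL 101; the hosts/subnet are assumptions
ACL_101 = [
    "access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web",
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.3.8 host 172.16.1.100 eq www",
    "access-list 101 permit ip any any",
]

def _ip_matches(addr, wildcard, ip):
    """A 0 bit in the wildcard must compare equal; a 1 bit is ignored."""
    a, wc, p = (int(ipaddress.IPv4Address(x)) for x in (addr, wildcard, ip))
    return ((a ^ p) & ~wc & 0xFFFFFFFF) == 0

def _take_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():   # a dotted token follows: the wildcard
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1                 # standard ACL: wildcard is optional

def _take_port(t, i):
    """Optional, positional 'eq <port>': before the destination it is the SOURCE port."""
    if i < len(t) and t[i] == "eq":
        return PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_line(line):
    """Parse one numbered access-list command into a dict; remark lines yield None."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if action == "remark":
        return None
    if number <= 99 or 1300 <= number <= 1999:        # standard: matches source address only
        return dict(action=action, proto="ip", src=_take_addr(t, 3)[0], sport=None, dst=ANY, dport=None)
    src, i = _take_addr(t, 4)                          # extended: t[3] is the protocol keyword
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, _ = _take_port(t, i)
    return dict(action=action, proto=t[3], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    """First-match logic: the first entry whose every field matches decides the packet."""
    for e in filter(None, map(parse_line, acl)):
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (_ip_matches(*e["src"], pkt.src) and _ip_matches(*e["dst"], pkt.dst)):
            continue
        if e["sport"] not in (None, pkt.sport) or e["dport"] not in (None, pkt.dport):
            continue
        return e["action"]
    return "deny"   # the implied deny-all statement at the end of every ACL
```

Running Bob's FTP packet as UDP shows why the protocol keyword matters: the tcp entry does not match it and the packet falls through to permit ip any any.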
Any Questions?
Advanced ACL management
Named ACLs
ACL sequence numbers
No new filtering features; management is simplified
Pg 253
Named ACLs
New in IOS 11.2
Use names instead of numbers; easier for us to remember
Allow deletion of a single line if there is a mistake (with traditional ACL config, you have to start over)
This has also been possible on regular numbered ACLs since IOS 12.3
Pg 253
Configuration Changes
The global command enters a sub-command structure:
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host eq www any
When a match statement is deleted, only that line is deleted
Pg 254
Configuration
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host eq www any
Router(config-ext-nacl)#deny udp host
Router(config-ext-nacl)#deny ip
! The next statement is purposefully wrong so that the process of changing
! the list can be seen.
Router(config-ext-nacl)#deny ip
Router(config-ext-nacl)#deny ip host host
Router(config-ext-nacl)#deny ip host host
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#interface serial1
Router(config-if)#ip access-group barney out
Router(config-if)#^Z
Router#show running-config
Building configuration...
Pg 254
Named ACL in Running config
interface serial 1
 ip access-group barney out
!
ip access-list extended barney
 permit tcp host eq www any
 deny udp host
 deny ip
 deny ip
 deny ip host host
 deny ip host host
 permit ip any any
Router#conf t
Pg 254
Removing a statement
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no deny ip
Router(config-ext-nacl)#^Z
Router#show access-list
Extended IP access list barney
    10 permit tcp host eq www any
    20 deny udp host
    30 deny ip
    50 deny ip host host
    60 deny ip host host
    70 permit ip any any
Pg 254
ACLs and Sequence Numbers
An individual ACL permit or deny statement can be deleted just by referencing the sequence number, without deleting the rest of the ACL.
Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL.
Newly added permit and deny commands can be configured without a sequence number, with IOS creating a sequence number and placing the command at the end of the ACL.
Pg 256
ACL Sequence Number example
! Step 1: The 3-line Standard Numbered IP ACL is configured.
R1#configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
R1(config)#ip access-list standard 24
R1(config-std-nacl)#permit
R1(config-std-nacl)#permit
R1(config-std-nacl)#permit
! Step 2: Displaying the ACL’s contents, without leaving configuration mode.
R1(config-std-nacl)#do show ip access-list 24
Standard IP access list 24
    10 permit , wildcard bits
    20 permit , wildcard bits
    30 permit , wildcard bits
Pg 257
Sequenced ACL management
! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted.
R1(config-std-nacl)#no 20
! Step 4: Displaying the ACL’s contents again, without leaving configuration mode.
! Note that line number 20 is no longer listed.
R1(config-std-nacl)#do show ip access-list 24
Standard IP access list 24
    10 permit , wildcard bits
    30 permit , wildcard bits
! Step 5: Inserting a new first line in the ACL.
R1(config-std-nacl)#5 deny
! Step 6: Displaying the ACL’s contents one last time, with the new statement (sequence
! number 5) listed first.
35 deny
Pg 257
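The sequence-number behaviour described on the two slides above (delete by number, insert at a chosen number, auto-number at the end), modelled in Python as an added example rather than IOS code or anything from the book. The addresses are constructed, and the rule that an unnumbered entry gets the last sequence number plus 10 is an assumption about the IOS default increment.

```python
class SequencedAcl:
    """Toy model of IOS 12.3 sequence-number editing for one ACL (not IOS code).
    Assumption: an entry added without a sequence number gets last number + 10."""

    def __init__(self, name, increment=10):
        self.name = name
        self.increment = increment
        self.entries = {}                     # sequence number -> statement text

    def add(self, statement, seq=None):
        """'permit ...' appends at the end; '<seq> permit ...' lands in sorted position."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + self.increment
        if seq in self.entries:               # a sequence number identifies exactly one line
            raise ValueError(f"sequence number {seq} already in use")
        self.entries[seq] = statement
        return seq

    def delete(self, seq):
        """'no <seq>' removes that one line and leaves the rest of the ACL intact."""
        if seq not in self.entries:
            raise KeyError(f"no entry with sequence number {seq}")
        del self.entries[seq]

    def show(self):
        """Lines in the order 'show ip access-list' prints them: by sequence number."""
        return [f"{seq} {self.entries[seq]}" for seq in sorted(self.entries)]

def slide_walkthrough():
    """Steps 1-6 from the slides with constructed addresses; returns the final listing."""
    acl = SequencedAcl("24")
    for net in ("10.1.1.0 0.0.0.255", "10.1.2.0 0.0.0.255", "10.1.3.0 0.0.0.255"):
        acl.add("permit " + net)              # Step 1: sequence numbers 10, 20, 30
    acl.delete(20)                            # Step 3: no 20
    acl.add("deny 10.1.1.1", seq=5)           # Step 5: 5 deny ... becomes the first line
    acl.add("permit 10.1.4.0 0.0.0.255")      # no number: appended after 30 as 40, not 20
    return acl.show()
```

Note that deleting line 20 does not free its number for the next unnumbered entry; a line that must sit in that gap has to be added with an explicit sequence number.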
Misc ACL Topics: Control Telnet and SSH with an ACL
Assign an ACL to the vty lines:
line vty 0 4
 login
 password cisco
 access-class 3 in
!
! Next command is a global command
access-list 3 permit
Pg 259
ACL considerations
Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.)
Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
Place more-specific statements early in the ACL.
Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.
Pg 260
Any Questions?
Reflexive ACLs allow an ACL to add statements when a communication session is started. Pg 263
Dynamic ACLs: force authentication and then dynamically change the ACL
Step 1: The user connects to the router using Telnet.
Step 2: The user supplies a username/password, which the router compares to a list, authenticating the user.
Step 3: After authentication, the router dynamically adds an entry to the beginning of the ACL, permitting traffic sourced by the authenticated host.
Step 4: Packets sent by the permitted host go through the router to the server.
Pg 264
Time-based ACLs: the ACL only works during certain times of day. Pg 264
Any Questions?