Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Lists (ACLs)

Published byCynthia Lee Modified over 5 years ago

Similar presentations

Presentation on theme: "Access Control Lists (ACLs)"— Presentation transcript:

1 Access Control Lists (ACLs)
Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand

2 Overview ACL fundamentals ACL operations
Types of ACLs (Standard / Extended) Implementing ACLs

3 Access Control Lists (ACLs)
List of conditions to test the traffic Router can permit or deny( like a filter) Provides security Bandwidth Management Come in two Types STANDARD and EXTENDED

4 ACL Overview

5 ACL Operations Packets are compared to each statement in a list sequentially from the top down. The sooner a decision is made the better. Well written ACLs take care of the most abundant type of traffic first. All Access-lists End with an Implicit Deny All statement

6 ACL Operations

7 Implementing ACLs Step 1 - Create the Access-list
Step 2 - Apply the Access-list to an Interface Must be in interface config mode (config-if)# ip access-group # in/out (routers point of view)

8 Types of Cisco ACLs

9 Standard ACLs Given a # from 1-99
Filtering based only on Source Address Should be applied closest to the destination

10 Extended ACLs Given a # from 100-199 Much more flexible and complex
Can filter based on: Source address Destination address Session Layer Protocol (ICMP, TCP, UDP..) Port Number (80 http, 23 telnet…) Should be applied closest to the source

11 Placing ACLs Standard : Closed to destination
Extended: Closed to source

12 Standard ACL format # permit/deny switch the packet or drop it
access-list # permit/deny sourceIP wildcard # 1-99 permit/deny switch the packet or drop it sourceIP source IP address to which the packet should be compared. Can also use ANY wildcard (inverse mask) see next slides

13 Wildcard Mask Allows you to indicate a host, subnet, network or range of IP addresses The two binary values in the wildcard have different meanings: 0 = Must Match Exactly 1 = Ignore

14 Wildcard Mask Example

15 Wildcard Mask Example Network Wildcard 172.16.10.0 0.0.0.255
Result: Match the first three octets exactly but ignore the last octet. thru is a match since the last octet does not matter.

16 host and any Keywords Ex. ...permit 192.168.10.10 0.0.0.0
matches all bits shortcut  host Ex. ...deny ignores all bits shortcut  any

17 Implementing ACLs Remember the Implicit Deny All at the end of each access-list. Two Approaches: 1. List the traffic you know you want to permit Deny all other traffic 2. List the traffic you want to deny Permit all other traffic (permit any)

18 Standard ACL

19 Standard ACL example (I)
R1(config)# access-list 5 deny R1(config)# access-list 5 deny R1(config)# access-list 5 permit any So what does this access list do? Deny any host Deny any host All other traffic can go

20 Standard ACL example (II)
A(config)#access-list 5 deny A(config)#access-list 5 deny A(config)#access-list 5 permit any A(config)#access-list 5 deny Why does the last line have no affect? How could you correct this situation?

21 Applying ACLs R1(config)# int fa 0/0
R1(config-if)# ip access-group 2 out fa0/0 s0/1 R1(config)# int s 0/1 R1(config-if)# ip access-group 6 in

22 Extended ACL

23 Restricted ACL access

24 Verifying ACLs show ip interface show access-lists Show running-config

25 Implementing ACLs Tips
You cannot selectively add or remove statements from an Access-list Typically modifications are made in a text editor and then pasted to the router as a new access-list Document your Access-list After each line indicate exactly what that line is supposed to do.

26 Implementing ACLs Tips
Verifying Your Access-list show access-lists show ip interfaces Revisit your access-list after a few days Routers keep track of the number of packets that match each statement in an access-list Use this information to reorder your access-list and thus improve it efficiency Never remove an access-list that is applied to a port – this can crash the router!

27 Summary Are Created and then Applied to an interface
Are Implemented Sequentially- Top Down End with an implicit Deny ALL statement #1-99 Standard and # Extended Standard - source address only Extended - source, destination, protocol, port

28 Lab Assignment #1 A and B can connect to each other.
B A C A and B can connect to each other. B and C can connect to each other. A and C cannot communicate to each other.

29 Lab Assignment #2 A can only access web service of B.
B A C A can only access web service of B. B can only ping C. C does not accept any ping from A.

30 References C.Dodge slide in Cisco Website Cisco curriculum materials

Download ppt "Access Control Lists (ACLs)"

Similar presentations

Access Control Lists. Types Standard Extended Standard ACLs Use only the packets source address for comparison 1-99.

Access Control Lists. Types Standard Extended Standard ACLs Use only the packets source address for comparison 1-99.
Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
Copyright 2000 C. Dodge Access Control List Wildcards (Inverse Mask) Computer Networking II.

Copyright 2000 C. Dodge Access Control List Wildcards (Inverse Mask) Computer Networking II.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.

Similar presentations

Ads by Google