ACCESS CONTROL LIST Slides Prepared By Adeel Ahmed,


1 ACCESS CONTROL LIST
Slides Prepared By Adeel Ahmed, Updated By Syed Ameen Quadri.

2 Rules of Access List
- All deny statements have to be given first.
- There should be at least one permit statement.
- An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of every list).
- There can be one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
- The list works in sequential order: the first matching statement decides.
- Editing of access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible.

3 Standard ACL - Network Diagram
Creation and implementation is done closest to the destination.
[Diagram: routers JIZ, JAD and RYD joined by /8 serial links (S0, S1); each router's E0 fronts a /24 LAN, with hosts 1.1, 1.2, 1.3 behind JIZ, 2.1, 2.2, 2.3 behind JAD and 3.1, 3.2, 3.3 behind RYD. The network addresses themselves did not survive the transcript.]
Requirement: 1.1 & 1.2 should not communicate with the 2.0 network.

4 How Standard ACL Works?
1.1 is accessing 2.1 (10.0.0.1/8).

5-6 How Standard ACL Works?
Packet: Source IP 1.1, Destination IP 2.1. The list is checked top-down:
access-list 1 deny 192.168.1.1 0.0.0.0    <- match: packet denied
access-list 1 deny
access-list 1 permit any

7 How Standard ACL Works?
1.3 is accessing 2.1 (10.0.0.1/8).

8-11 How Standard ACL Works?
Packet: Source IP 1.3, Destination IP 2.1:
access-list 1 deny 192.168.1.1 0.0.0.0    x  no match
access-list 1 deny                        x  no match
access-list 1 permit any                  <- match: packet permitted

12 Standard ACL - Network Diagram
Creation and implementation is done closest to the destination.
[Diagram: same topology as slide 3.]
Requirement: 1.1 & the 3.0 network should not communicate with the 2.0 network.

13 How Standard ACL Works?
1.1 is accessing 2.1 (10.0.0.1/8).

14-15 How Standard ACL Works?
Packet: Source IP 1.1, Destination IP 2.1. The list is checked top-down:
access-list 5 deny 192.168.1.1 0.0.0.0    <- match: packet denied
access-list 5 deny
access-list 5 permit any

16 How Standard ACL Works?
1.3 is accessing 2.1 (10.0.0.1/8).

17-20 How Standard ACL Works?
Packet: Source IP 1.3, Destination IP 2.1:
access-list 5 deny 192.168.1.1 0.0.0.0    x  no match
access-list 5 deny                        x  no match
access-list 5 permit any                  <- match: packet permitted

21 How Standard ACL Works?
3.1 is accessing 2.1 (10.0.0.1/8).

22-24 How Standard ACL Works?
Packet: Source IP 3.1, Destination IP 2.1:
access-list 5 deny 192.168.1.1 0.0.0.0    x  no match
access-list 5 deny                        <- match (the 3.0 network statement): packet denied
access-list 5 permit any

25 Extended ACL - Network Diagram
Creation and implementation is done closest to the source.
[Diagram: same topology as slide 3.]
Requirement: the 2.0 network should not access 3.1 (Web Service).

26 How Extended ACL Works?
2.1 is accessing 3.1 - Web Service

27-28 How Extended ACL Works?
Packet: Source IP 2.1, Destination IP 3.1, Port 80. The list is checked top-down:
access-list 101 deny tcp eq 80        <- match: packet denied
access-list 101 permit ip any any

29 How Extended ACL Works?
2.1 is accessing 3.1 – Telnet Service

30-32 How Extended ACL Works?
Packet: Source IP 2.1, Destination IP 3.1, Port 23:
access-list 101 deny tcp eq 80        x  no match (port differs)
access-list 101 permit ip any any     <- match: packet permitted

33 How Extended ACL Works?
2.1 is accessing 1.1 - Web Service

34-36 How Extended ACL Works?
Packet: Source IP 2.1, Destination IP 1.1, Port 80:
access-list 101 deny tcp eq 80        x  no match (destination differs)
access-list 101 permit ip any any     <- match: packet permitted
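The matching rules the slides walk through (wildcard masks, top-down first match, the invisible implicit deny) as an added Python evaluator; this is example code, not part of the slides. 192.168.1.1 and the 10.0.0.0/8 links are on the slides; the LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 behind hosts 1.x, 2.x and 3.x, and the second statement of list 5 (whose address the transcript does not preserve), are assumptions.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}          # names IOS prints in place of numbers
ANY = ("0.0.0.0", "255.255.255.255")            # 'any' == match every address
def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'; returns (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)
def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' statement (standard or extended)."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if number <= 99 or 1300 <= number <= 1999:      # standard list: source address only
        return {"action": action, "proto": "ip", "src": _take_addr(rest), "dst": ANY, "dport": None}
    proto = rest.pop(0)                             # extended list: protocol, src, dst, port
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """Top-down, first match wins; falling off the end is the invisible implicit deny."""
    for rule in map(parse_ace, acl_lines):
        if rule["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *rule["src"]) and wildcard_match(dst, *rule["dst"])):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["action"]
    return "deny (implicit)"
# Assumed addressing: hosts 1.x, 2.x, 3.x live in 192.168.1.0/24, 192.168.2.0/24 and
# 192.168.3.0/24; the second statement of list 5 is reconstructed from slide 12's requirement.
ACL_5 = ["access-list 5 deny 192.168.1.1 0.0.0.0",
         "access-list 5 deny 192.168.3.0 0.0.0.255",
         "access-list 5 permit any"]
ACL_101 = ["access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq 80",
           "access-list 101 permit ip any any"]
```

Calling `evaluate(ACL_5, "192.168.3.1", "192.168.2.1")` reproduces slides 22-24 (denied by the second statement), and `evaluate(ACL_101, "192.168.2.1", "192.168.3.1", "tcp", 23)` reproduces slides 30-32 (Telnet falls through to `permit ip any any`).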

37 Named Access List
- Access-lists are identified using names rather than numbers.
- Names are case-sensitive.
- There is no limitation of numbers here.
- One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
- IOS version 11.2 or later allows Named ACLs.

38 Standard Named Access List
Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Named Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <name> <out/in>

39 Extended Named Access List
Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
Implementation of Extended Named Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <name> <out/in>
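As an added example (not from the slides), the extended list 101 of slides 51-52 written in the named form this slide describes, applied the same way (inbound on Jaddah's Ethernet 0), followed by the in-place removal of one statement that slide 37 names as the main advantage. The name BLOCK-WEB-TO-3-1 and the addresses 192.168.2.0/24 and 192.168.3.1 are assumptions.

```cisco
! Assumed addressing: 2.x LAN = 192.168.2.0/24, host 3.1 = 192.168.3.1
Jaddah# configure terminal
Jaddah(config)# ip access-list extended BLOCK-WEB-TO-3-1
Jaddah(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq 80
Jaddah(config-ext-nacl)# permit ip any any
Jaddah(config-ext-nacl)# exit
! Extended lists go closest to the source: the 2.0 LAN sits on Jaddah's E0
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group BLOCK-WEB-TO-3-1 in
Jaddah(config-if)# end
Jaddah# show ip access-lists BLOCK-WEB-TO-3-1
! Named lists can be edited one statement at a time; a numbered list would
! have to be removed and re-entered in full to make the same change
Jaddah# configure terminal
Jaddah(config)# ip access-list extended BLOCK-WEB-TO-3-1
Jaddah(config-ext-nacl)# no deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq 80
Jaddah(config-ext-nacl)# end
```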

41 Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright Microsoft Corp.

C:\> telnet
Connecting .....
================================
Welcome to Jizan Router
User Access Verification
password : ****
Jizan> enable
password : ****
Jizan# show ip route
Gateway of last resort is not set
C /8 is directly connected, Serial0
R /8 [120/1] via , 00:00:25, Serial0
C /24 is directly connected, Ethernet0
R /24 [120/1] via , 00:00:25, Serial0
R /24 [120/2] via , 00:00:25, Serial0
Jizan#

42 Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright Microsoft Corp.

C:\> telnet
Connecting .....
================================
Welcome to Jaddah Router
User Access Verification
password : ****
Jaddah> enable
password : ****
Jaddah# show ip route
Gateway of last resort is not set
C /8 is directly connected, Serial1
C /8 is directly connected, Serial0
R /24 [120/1] via , 00:00:01, Serial1
C /24 is directly connected, Ethernet0
R /24 [120/1] via , 00:00:12, Serial0
Jaddah#

43 Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright Microsoft Corp.

C:\> telnet
Connecting .....
================================
Welcome to Riyadh Router
User Access Verification
password : ****
Riyadh> enable
password : ****
Riyadh# show ip route
Gateway of last resort is not set
R /8 [120/1] via , 00:00:04, Serial1
C /8 is directly connected, Serial1
R /24 [120/2] via , 00:00:04, Serial1
R /24 [120/1] via , 00:00:04, Serial1
C /24 is directly connected, Ethernet0
Riyadh#

44 Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright Microsoft Corp.

C:\> telnet
Connecting .....
================================
Welcome to Jaddah Router
User Access Verification
password : ****
Jaddah> enable
password : ****
Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# interface serial 1
Jaddah(config-if)# ip address
Jaddah(config-if)# no shut
Jaddah(config-if)# encapsulation hdlc
Jaddah(config-if)# interface serial 0
Jaddah(config-if)# ip address
Jaddah(config-if)# no shut
Jaddah(config-if)# encapsulation hdlc

45 Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 1 deny
Jaddah(config)# access-list 1 deny
Jaddah(config)# access-list 1 permit any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 1 out
Jaddah(config-if)#

46 Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 1 deny
Jaddah(config)# access-list 1 deny
Jaddah(config)# access-list 1 permit any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 1 out
Jaddah(config-if)# ^Z
Jaddah# show ip access-list
Standard IP access list 1
    deny
    deny
    permit any
Jaddah#

47 Jaddah# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is /24
  Broadcast address is
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined:
  Outgoing access list is 1
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Jaddah#

48 Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 5 deny
Jaddah(config)# access-list 5 deny
Jaddah(config)# access-list 5 permit any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 5 out
Jaddah(config-if)# ^Z
Jaddah# show ip access-list
Standard IP access list 5
    deny
    deny
    permit any
Jaddah#

49 Jaddah# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is /24
  Broadcast address is
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined:
  Outgoing access list is 5
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Jaddah#

50 Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 5 deny
Jaddah(config)# access-list 5 deny
Jaddah(config)# access-list 5 permit any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 5 out
Jaddah(config-if)#

51 Creation of Extended Access List
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
Implementation of Extended Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 101 deny tcp eq 80
Jaddah(config)# access-list 101 permit ip any any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 101 in
Jaddah(config-if)#

52 Jaddah# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Jaddah(config)# access-list 101 deny tcp eq 80
Jaddah(config)# access-list 101 permit ip any any
Jaddah(config)# interface ethernet 0
Jaddah(config-if)# ip access-group 101 in
Jaddah(config-if)# ^Z
Jaddah# show ip access-list
Extended IP access list 101
    deny tcp host eq www
    permit ip any any
Jaddah#

53 Jaddah# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is /24
  Broadcast address is
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined:
  Outgoing access list is not set
  Inbound access list is 101
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Jaddah#
