Presentation is loading. Please wait.

Presentation is loading. Please wait.

CCNA 2 v3.1 Module 11.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CCNA 2 v3.1 Module 11."— Presentation transcript:

1 CCNA 2 v3.1 Module 11

2 CCNA 2 Module 11 Access Control Lists (ACLs)

3 Denying unwanted access to the network
Overview Denying unwanted access to the network ACL provides basic filtering capabilities based on source/destination IP addresses protocol types and port numbers ACL lists permit or deny statements that apply to addresses or upper-layer protocols.

4 What are ACLs Lists of acceptance/denial conditions
applied to traffic across a router's interface Permit or deny traffic to and from the network based on Source IP address Destination IP addresses Port numbers Protocols can be created for all routed network protocols Example IP, IPX, Appletalk

5 What are ACLs Primary reasons to create ACLs
Limit network traffic and increase network performance Provide traffic flow control E.g., Restrict the delivery of routing updates – conserve bandwidth Provide a basic level of security for network access Student Hosts can access Application package Network Student Hosts cannot access Administration Network

6 Decide which types of traffic are forwarded or blocked
Permit traffic to be routed Block all telnet traffic Allow an administrator to control what areas a client can access on a network Screen certain hosts to either permit or deny access to part of a network Certain types of files – ftp, http etc

7 How ACLs work IOS tests the packets by matching each condition statement in order from top of the list to the bottom If a match is found, perform the accept or reject action defined in that statement No further ACL statements are checked for that packet The rest of the statements in the ACL is ignored The order in which ACL statements are placed is important

8 If all the ACL statements are unmatched, implicit "deny any" statement is applied by default
Deny any always EXISTS and is APPLIED Any packets not matched in the ACL will be denied

9 How ACLs work

10 How ACL’s work Router’s routing and filtering process overall
Check L2 destination address of the incoming frame If matched, accept to test inbound ACL Accept for routing if ACL permits or no ACL is found Route to the outbound interface to test outbound ACL Send to the network if ACL permits or no ACL is found Discard the packet in any other case

11 How ACLs work This is where the This is where the outgoing frame
is examined This is where the incoming frame is examined

12 Creating ACLs Assign unique number or name for a control list
Numbers are categorized Number should be in the range of the right category Used to identify each ACL rule

13 Creating ACLs Define the access list statements
Router(config)#access-list access-list-no {permit|deny} {test-condition} An access-list-no can be a name (named ACL) test-conditions are the targets to control Assign them to the proper interface Router(config-if)#{protocol} access-group access-list no {in|out} In or out is defined looking at inside the router

14 Example of applying ACL
router#config terminal Router(config)#access list 2 deny Router(config)#access list 2 permit Router(config)#access list 2 permit any Router(config)#interface e0 Router(config-if)#ip access-group 2 in Example of canceling an access list Router(config)# no access-group 2

15 Creating ACLs Basic rules One access list per protocol per direction
Standard access lists should be applied closest to the destination Extended access control lists should be applied closest to the source Use the inbound or outbound interface reference as if looking at the port from inside the router

16 Statements are processed sequentially from the top of list to the bottom until a match is found
There is an implicit deny at the end of all access lists This will not appear in the configuration listing If no match is found then the packet is denied Access list entries should filter in the order from specific to general The match condition is examined first, then permit|deny

17 Creating ACLs Basic rules (continued)
It is not possible to selectively add and remove lines with numbered ACLs Remove the whole list using no access-list x command and re-define the ACL New lines can be named ACL always added to the end of the access list The router will discard the packet and send ICMP host unreachable message to the sender

18 Creating ACLs Basic rules (continued)
Care should be used when removing an access list In some version of IOS, default deny any may not be removed after the access list is removed at an interface Then all traffic will be halted Outbound filters do not affect traffic originating from the local router Outbound filters do not affect traffic originating from the local router

19 The function of a wildcard mask
Designed to specify target individual or groups of IP addresses based on the given address Given with the specified IP address or the network number 32bits long with 0’s and 1’s ‘1’ means No match needed Target address can have any bit value (wildcard; 0 or 1) at the position where the mask bits are 1 ‘0’ means Match needed Target address can only have the same bit value as in the given address at the position where the mask bits are 0

20 If you wanted a specific IP address to be checked
Wildcard if all bits must be checked To deny host Router(config)#access-list 3 deny This can also be written as Router(config)#access-list 3 deny host A wildcard of checks an exact address

21 If you wanted a specific network to be checked
IP network address Class C Wildcard if all bits must be checked None of the host bits will be checked To permit all hosts on network Router(config)#access-list 3 permit

22 Any host on Any network IP address to represent any network 0.0.0.0
Because it does not matter what each bit is Wildcard to prevent all bits being examined To permit any host on any network Router(config)#access-list 3 permit Can also be written as Router(config)#access-list 3 permit any A wildcard mask of means any

23 Even addresses Examples of even addresses After examining the above figures The last digit is always 0 All the other digits can vary depending on the number Therefore the only digit that must be checked is the first digit IP network address Class C Wildcard if even bits must be checked To permit all even hosts on network Router(config)#access-list 3 permit [ ]

24 Odd Address Examples of odd addresses After examining the above figures The last digit is always 1 All the other digits can vary depending on the number Therefore the only digit that must be checked is the first digit IP network address Class C Wildcard if odd bits must be checked To permit all odd hosts on network Router(config)#access-list 3 permit

25 Verifying ACLs Show ip interface displays IP interface information and indicates whether any ACLs are set Show access-lists displays the contents of all ACLs on the router Show access-list 1 Displays the content of ACL 1 on the router Show running config reveal the access lists on a router and the interface assignment information

26 Standard ACLs Host IP address, subnet, or network address
Checks source IP address Host IP address, subnet, or network address Affects entire protocol suit TCP, HTTP, IP etc.. Valid numbers Standard IP ACL (1300 to 1999 in recent IOS) Always applied to port closest to destination Adding an ACL router(config)#access-list access-list-number {permit|deny} source {source-wildcard} [log] Log sends information about matched packet to console Removing an ACL Router(config)#no access-list access-list-number

27 Extended ACLs Checks the source and destination packet addresses
Provides a greater range of control and flexibility Checks the source and destination packet addresses Checks protocol types and port numbers Valid numbers Extended IP ALC ~2699 in recent IOS Always applied to port closest to source Adding an Extended ACL Router(config)#access-list access-list-number {permit|deny} protocol source [source-mask destination destination-mask operator operand] [ established] Protocols - IP, TCP, UDP, ICMP, IGRP, GRE Operator is lt (<), gt (>), eq (=), or neq (≠) Operand is a port number or application layer protocol

28 Extended ACLs Well-known ports for TCP/IP applications
Linking an existing extended ACL to an interface Router(config)#interface fa0/0 Router(config-if)#ip access-group access-list-number {in|out} Only one ACL per interface, per direction, per protocol

29 Examples of Extended ACL’s

30 Named ACLs Router(config)#ip access-list {extended|standard} name
Introduced in IOS 11.2 Give standard and extend ACLs names instead of numbers Procedure for defining a named ACL Define a named ACL Router(config)#ip access-list {extended|standard} name router(config)#ip access-list extended test Add each permit/deny statement router(config-ext-nacl)#access-list permit….. Apply the named access list to the interface Router(config)#interface serial0/0 Router(config-if)#ip access-group test out

31 Named ACLs Advantages Intuitively identify an ACL using an alphanumeric name. Eliminate the limit of 798 simple and 799 extended ACLs Can modify ACLs without deleting and then reconfiguring them allow the deletion of statements only allow for statements to be inserted at the end of a list it is a good idea to use a text editor to create them

32 Example Named ACL Router(config)# ip access-list standard George
Router(config)# deny host Router(config)# access-list permit any Router(config)# interface fa0/0 Router(config)# ip access-group George out

33 Placing ACLs General rules in placing ACLs
Place ACLs where it can maximize increasing efficiency Put the extended ACLs as close as possible to the source of the traffic denied Unnecessary traffic will be minimized Standard ACLs should be placed as close to the destination as possible ACL does not know the destination

34 Firewalls Definition An architectural structure between the user and the outside world to protect the internal network from intruders General features Consists of several equipments working together Prevents unwanted and illegal access Internal router External router Firewall

35 Firewalls Operation of the firewall
The external router directs all traffic to the application gateway The internal router accepts packets only from the application gateway The gateway controls the delivery of network-based services both into and from the internal network Processes every packet to block or pass according to the filtering rule

36 Firewalls Use of ACLs in the firewall routers
Control traffic entering or exiting a specific part of the internal network Provides basic security from the outside network into a more private area of the network Ex) If the only application that is permitted is mail, then configure ACL so that only mail packets can be allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

37 Restricting virtual terminal access
Properties of virtual line Access to vty is accomplished using the Telnet to a nonphysical interface Standard and extended ACLs are not designed to block packets originating from the router Telnet into/from a router can be blocked by Either defining inbound/outbound extended ACL for TCP 23 port on each of the physical network interfaces (complicated) Or defining the vty ACL on the virtual lines (simple)

38 Restricting virtual terminal access
Blocking packets to vty using vty ACL There is only one type of vty access list Only numbered ACL can be applied to virtual lines Identical restrictions should be placed on all vty lines A user can attempt to connect to any of them Defining an ACL Router(config)#access-list 2 permit Router(config)#access-list 2 deny any Apply ACL to vty line Router(config)#line vty 0 4 Router(config-line)#password cisco Router(config-line)#login Router(config-line)#access-class 2 in

Download ppt "CCNA 2 v3.1 Module 11."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
What is access control list (ACL)?

What is access control list (ACL)?
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
Ch. 11 – Access Control Lists

Ch. 11 – Access Control Lists
© 2002, Cisco Systems, Inc. All rights reserved..

© 2002, Cisco Systems, Inc. All rights reserved..

Similar presentations

Ads by Google