Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture #5 Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University,

Published byLionel Johnston Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lecture #5 Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University,"— Presentation transcript:

1 1 Lecture #5 Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand

2 2 Overview ACL fundamentals ACL operations Types of ACLs (Standard / Extended) Implementing ACLs

3 3 Access Control Lists (ACLs) List of conditions to test the traffic Router can permit or deny( like a filter) Provides Security Bandwidth Management Come in two Types STANDARD and EXTENDED

4 4 What is ACL? A List of Criteria to which all Packets are compared. Is this Packet from Network 10.5.2.0 Yes - Forward the Packet No - Check with Next Statement Is this a Telnet Protocol Packet from 25.25.0.0 Yes - Forward the Packet No - Check Next Statement Deny All Other Traffic

5 5 ACL Operations Packets are compared to Each Statement in an Access-list SEQUENTIALLY- From the Top Down. The sooner a decision is made the better. Well written Access-lists take care of the most abundant type of traffic first. All Access-lists End with an Implicit Deny All statement

6 6 ACL operations

7 7 ACL numbers

8 8 Standard ACL Are given a # from 1-99 Filtering based only on Source Address Should be applied closest to the Destination

9 9 Extended ACL Are given a # from 100-199 Much more flexible and complex Can filter based on: Source address Destination address Session Layer Protocol (ICMP, TCP, UDP..) Port Number (80 http, 23 telnet…) Should be applied closest to the Source

10 10 Implementing ACLs Step 1 - Create the Access-list Step 2 -Apply the Access-list to an Interface Must be in interface config mode (config-if)# IP access-group # in/out (routers point of view)

11 11 Standard ACL format # 1-99 permit/denyswitch the packet or drop it sourceIPsource IP address to which the packet should be compared. Can also use ANY wildcard (inverse mask) see next slides access-list # permit/deny sourceIP wildcard

12 12 Wildcard Mark Allows you to indicate a host, subnet, network or range of IP addresses The two binary values in the wildcard have different meanings: 0 = Must Match Exactly 1 = Ignore

13 13 Wildcard Mark

14 14 Wildcard Example Network Wildcard 172.16.10.00.0.0.255 Result: Match the first three octets exactly but ignore the last octet. 172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.

15 15 Implementing ACLs Remember the Implicit Deny All at the end of each access-list. Two Approaches: 1. List the traffic you know you want to permit Deny all other traffic 2. List the traffic you want to deny Permit all other traffic (permit any)

16 16 Standard ACL

17 17 Standard ACL example (I) A(config)#access-list 5 deny 172.22.5.2 0.0.0.0 A(config)#access-list 5 deny 172.22.5.3 0.0.0.0 A(config)#access-list 5 permit any So what does this access list do? Deny any host 172.22.5.2 Deny any host 172.22.5.3 All other traffic can go

18 18 Standard ACL example (II) A(config)#access-list 5 deny 172.22.5.2 0.0.0.0 A(config)#access-list 5 deny 172.22.5.3 0.0.0.0 A(config)#access-list 5 permit any A(config)#access-list 5 deny 172.22.5.4 0.0.0.0 Why does the last line have no affect? How could you correct this situation?

19 19 Extended ACL

20 20 Placing ACLs Standard : Closed to source Extended: Closed to destination

21 21 Firewall DMZ External Internal

22 22 Restricted ACL access

23 23 Verifying ACLs show ip interface show access-lists Show running-config

24 24 Implementing ACLs Tips You cannot selectively add or remove statements from an Access-list Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access list is then applied and the old one removed Document your Access-list After each line indicate exactly what that line is supposed to do.

25 25 Implementing ACLs Tips Verifying Your Access-list Show Access-lists Show IP Interfaces Revisit your access-list after a few days Routers keep track of the number of packets that match each statement in an access-list Use this information to reorder your access-list and thus improve it efficiency Never remove an access-list that is applied to a port - this can crash a router.

26 26 Summary Are Created and then Applied to an interface Are Implemented Sequentially- Top Down End with an implicit Deny ALL statement #1-99 Standard and # 100-199 Extended Standard - source address only Extended - source, destination, protocol, port

27 27 References C.Dodge slide in Cisco Website Cisco curriculum materials

Download ppt "1 Lecture #5 Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University,"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
Copyright 2000 C. Dodge Access Control List Wildcards (Inverse Mask) Computer Networking II.

Copyright 2000 C. Dodge Access Control List Wildcards (Inverse Mask) Computer Networking II.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Similar presentations

Ads by Google