Filtering Traffic Using Access Control Lists
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. ITE I Chapter 6.

1. Filtering Traffic Using Access Control Lists: Introducing Routing and Switching in the Enterprise, Chapter 8

2. Objectives
- Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
- Analyze the use of wildcard masks.
- Configure and implement ACLs.
- Create and apply ACLs to control specific types of traffic.
- Log ACL activity and integrate ACL best practices.

3. Describe Traffic Filtering
- Analyze the contents of a packet
- Allow or block the packet
- Decide based on source IP, destination IP, MAC address, protocol, or application type

4. Packet Filtering
Can be simple or complex, denying or permitting traffic based on:
- Source IP address
- Destination IP address
- MAC addresses
- Protocols
- Application type

5. Describe Traffic Filtering (8.1.1)
Devices providing traffic filtering:
- Firewalls built into integrated routers
- Dedicated security appliances
- Servers

6. Describe Traffic Filtering (8.1.2)
Uses for ACLs:
- Specify internal hosts for NAT
- Classify traffic for QoS
- Restrict routing updates, limit debug output, control virtual terminal access

7. Describe Traffic Filtering
Possible issues with ACLs:
- Increased load on the router
- Possible network disruption
- Unintended consequences from incorrect placement

8. Describe Traffic Filtering
- Standard ACLs filter based on source IP address only
- Extended ACLs filter on source and destination address, as well as protocol and port number
- Named ACLs can be either standard or extended

9. Describe Traffic Filtering
- ACLs consist of statements
- At least one statement must be a permit statement
- The final statement is an implicit deny
- An ACL must be applied to an interface in order to work

10-11. Activity 6.1.2.3

12. Describe Traffic Filtering
- An ACL is applied inbound or outbound
- Direction is from the router's perspective
- Each interface can have one ACL per direction for each network protocol

13. Describe Traffic Filtering (8.1.4)
An administrator applies either an inbound or outbound ACL to a router interface. The inbound or outbound direction is always from the perspective of the router: traffic coming in an interface is inbound, and traffic going out an interface is outbound.

14. Activity 8.1.4

15. Analyze the Use of Wildcard Masks

16. Analyze the Use of Wildcard Masks
- A wildcard mask can block a range of addresses or a whole network with one statement
- 0 bits indicate which part of an IP address must match the ACL
- 1 bits indicate which part does not have to match specifically

17. Analyze the Use of Wildcard Masks

18. Analyze the Use of Wildcard Masks
- Use the host parameter in place of a 0.0.0.0 wildcard
- Use the any parameter in place of a 255.255.255.255 wildcard
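As an added example (not code from the Cisco course), Python that derives a wildcard mask from a CIDR block, applies the 0-must-match / 1-ignored rule, and works out which address range one statement covers; the host and any shorthands from slide 18 are included. The 192.168.16.0/20 block is constructed sample input.

```python
import ipaddress

def wildcard_for(network):
    """Return (base, wildcard) for a CIDR block: the wildcard is the inverted subnet mask."""
    net = ipaddress.IPv4Network(network, strict=True)
    return str(net.network_address), str(net.hostmask)   # hostmask == wildcard mask

def matches(address, base, wildcard):
    """ACL wildcard rule: 0 bits must match the base address, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF          # the bits the ACL actually compares
    return (a & care) == (b & care)

def covered_range(base, wildcard):
    """First and last address one contiguous wildcard covers (raises if not contiguous)."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    if (w + 1) & w:                 # a 0 bit above a 1 bit: not a single address range
        raise ValueError("wildcard %s does not describe one contiguous range" % wildcard)
    first = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

# Shorthands from the slides: 'host A.B.C.D' is wildcard 0.0.0.0, 'any' is 255.255.255.255.
HOST_WILDCARD = "0.0.0.0"
ANY_WILDCARD = "255.255.255.255"

if __name__ == "__main__":
    # Constructed sample: one statement for sixteen /24 networks, 192.168.16.0 to 192.168.31.0
    base, wc = wildcard_for("192.168.16.0/20")
    print(base, wc, covered_range(base, wc))
    print(matches("192.168.31.7", base, wc), matches("192.168.32.1", base, wc))  # True False
```

The contiguity check matters in review: a wildcard such as 0.0.254.255 is legal and matches every other /24, so a range printed from it would be misleading.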

19-20. Activity 8.2.1.3

21. Configure and Implement Access Control Lists
- Determine the traffic filtering requirements
- Decide which type of ACL to use
- Determine the router and interface on which to apply the ACL
- Determine in which direction to filter traffic

22. Explanation: Screen 8.2.2.3

23-24. Activity 8.2.2.4

25. Configure and Implement Access Control Lists: Numbered Standard ACL
- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 1-99, 1300-1999
- Apply as close to the destination as possible

26. Configure and Implement Access Control Lists: Numbered Standard ACL

27. Configure and Implement Access Control Lists: Numbered Extended ACL
- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 100-199, 2000-2699
- Specify a protocol to permit or deny
- Place as close to the source as possible

28. Configure and Implement Access Control Lists: Numbered Extended ACL

29-30. Activity 8.3.1.4

32. show ip interface

33. show access-lists

34-35. Activity 8.3.3.3

36. Configure and Implement Access Control Lists: Named ACLs
- A descriptive name replaces the number range
- Use the ip access-list command to enter the initial statement
- Start succeeding statements with either permit or deny
- Apply in the same way as a standard or extended ACL

37. Create and Apply ACLs to Control Specific Types of Traffic
- Use a specified condition when filtering on port numbers: eq, lt, gt
- Deny all appropriate ports for multi-port applications like FTP
- Use the range operator to filter a group of ports
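As an added example (not code from the Cisco course), a small Python evaluator for numbered extended ACL lines in the IOS syntax the slides use. It applies first-match ordering and the implicit deny at the end of every ACL (slide 9), the wildcard/host/any addressing of slides 16 and 18, and the eq/lt/gt/range port operators of slide 37. The access-list 101 lines and the packets are constructed sample data.

```python
import ipaddress

def wildcard_match(ip, base, wildcard):
    """0 bits in the wildcard must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def take_port(tokens):
    """Consume an optional eq/lt/gt/range operator; return a predicate on a port number."""
    if not tokens or tokens[0] not in ("eq", "lt", "gt", "range"):
        return lambda p: True
    op, n = tokens.pop(0), int(tokens.pop(0))
    hi = int(tokens.pop(0)) if op == "range" else n
    return {"eq": lambda p: p == n, "lt": lambda p: p < n,
            "gt": lambda p: p > n, "range": lambda p: n <= p <= hi}[op]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op]' into a dict."""
    tokens = line.split()[2:]                       # drop 'access-list' and the number
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_wc = take_addr(tokens); sport = take_port(tokens)
    dst, dst_wc = take_addr(tokens); dport = take_port(tokens)
    return dict(action=action, proto=proto, src=src, src_wc=src_wc,
                sport=sport, dst=dst, dst_wc=dst_wc, dport=dport)

def evaluate(acl, pkt):
    """Walk the ACL top to bottom; the first matching ACE decides, else implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
                and wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])
                and ace["sport"](pkt.get("sport", 0)) and ace["dport"](pkt.get("dport", 0))):
            return ace["action"]
    return "deny"   # the implicit deny at the end of every ACL

# Constructed sample: the 192.168.1.0/24 LAN may browse the web and reach one FTP server.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 range 20 21",
)]
```

Anything the two lines do not name, including telnet to the FTP server and all UDP, falls through to the implicit deny, which is why slide 9 requires at least one permit statement.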

39-40. Activity 8.3.4.3

41. Create and Apply ACLs to Control Specific Types of Traffic
- Block harmful external traffic while allowing internal users free access
- Ping: allow echo replies while denying echo requests from outside the network
- Stateful Packet Inspection

42. Configure and Implement Access Control Lists: VTY access
- Create the ACL in line configuration mode
- Use the access-class command to apply the ACL to the lines
- Use a numbered ACL
- Apply identical restrictions to all VTY lines

43. Create and Apply ACLs to Control Specific Types of Traffic
- Account for NAT when creating and applying ACLs to a NAT interface
- Filter public addresses on a NAT outside interface
- Filter private addresses on a NAT inside interface

44. Create and Apply ACLs to Control Specific Types of Traffic
- Examine every ACL one line at a time to avoid unintended consequences

45. Create and Apply ACLs to Control Specific Types of Traffic
- Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

46. Log ACL Activity and ACL Best Practices
- Logging provides additional details on packets denied or permitted
- Add the log option to the end of each ACL statement to be tracked

47. Log ACL Activity and ACL Best Practices
Syslog messages:
- Status of router interfaces
- ACL messages
- Bandwidth, protocols in use, configuration events

48. Log ACL Activity and ACL Best Practices
- Always test basic connectivity before applying ACLs
- Add deny ip any to the end of an ACL when logging
- Use reload in 30 when testing ACLs on remote routers, so the router reverts to its saved configuration if the ACL locks you out

49. Summary
- ACLs enable traffic management and secure access to and from a network and its resources
- Apply an ACL to filter inbound or outbound traffic
- ACLs can be standard, extended, or named
- Using a wildcard mask provides flexibility
- There is an implicit deny statement at the end of an ACL
- Account for NAT when creating and applying ACLs
- Logging provides additional details on filtered traffic
