
Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.


2 Access Lists IP ACLs cause a router to discard some packets based on criteria defined by the network engineer. The goal of these filters is to prevent unwanted traffic in the network. Access lists should simply be part of an organization’s security policy. IP access lists can also be used to filter routing updates, to match packets for prioritization, to match packets for VPN tunneling, and to match packets for implementing quality-of-service features. You will also see ACLs used as part of configuring Network Address Translation (NAT). Cisco IP access list types: standard and extended.

3 IP Access Lists Access Lists Engineers need to make two major choices for any ACL that will filter IP packets: which packets to filter, and where in the network to place the ACL. Cisco IOS software applies the filtering logic of an ACL either as a packet enters an interface or as it exits the interface.

4 IP Access Lists Access Lists Here are some key features of Cisco access lists: Packets can be filtered as they enter an interface, before the routing decision. Packets can be filtered before they exit an interface, after the routing decision. Deny is the term used in Cisco IOS software to imply that the packet will be filtered. Permit is the term used in Cisco IOS software to imply that the packet will not be filtered. The filtering logic is configured in the access list. At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked. Access lists have two major steps in their logic: matching and action.

5 IP Access Lists Access Lists The logic that IOS uses with a multiple-entry ACL can be summarized as follows: Step 1: The matching parameters of the access-list statement are compared to the packet. Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed. Step 3: If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made. Step 4: If no match is made with an entry in the access list, the deny action is performed.

6 IP Access Lists Access Lists Standard vs. Extended ACLs Standard IP access lists can examine only the source IP address. Extended access lists can check source and destination IP addresses, as well as source and destination port numbers, along with several other fields.

7 IP Access Lists Standard IP Access List Configuration The generic syntax of the standard ACL configuration command is: access-list access-list-number {deny | permit} source [source-wildcard] For standard IP ACLs, the number range is 1 to 99 and 1300 to 1999.

8–11 IP Access Lists Standard IP Access List Configuration [slides 8 through 11 show configuration examples as images that are not captured in the transcript]

12 IP Access Lists Extended IP Access Control Lists A single extended ACL statement can examine multiple parts of the packet headers, requiring that all the parameters be matched correctly to match that one ACL statement. That matching logic is what makes extended access lists both much more useful and much more complex than standard IP ACLs.

13–14 IP Access Lists Extended IP Access Control Lists [slides 13 and 14 show syntax and examples as images that are not captured in the transcript]

15 IP Access Lists Matching TCP and UDP Port Numbers When considering any exam question that involves TCP or UDP ports, keep the following key points in mind: The access-list command must use protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers. The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines if the parameter examines the source or destination port. Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server. It is useful to memorize the most popular TCP and UDP applications and their well-known ports.
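To make the first-match logic of slide 5, the source/wildcard syntax of slide 7 and the positional port rules above concrete, here is a small Python model of how IOS evaluates a numbered ACL. It is an added illustration, not Cisco code or anything from the slides; the sample entries mirror `access-list 1` and `access-list 101` commands written as constructed examples with made-up addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional
# Constructed model of IOS ACL evaluation for illustration only; not Cisco code.
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored ('any' = 0.0.0.0 255.255.255.255)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # source address (the only field a standard ACL checks)
    src_wc: str                      # source wildcard mask
    proto: str = "ip"                # extended ACLs: ip | tcp | udp
    dst: str = "0.0.0.0"             # destination defaults to 'any'
    dst_wc: str = "255.255.255.255"
    src_port: Optional[int] = None   # positional: the port written after the source
    dst_port: Optional[int] = None   # positional: the port written after the destination

    def matches(self, pkt: dict) -> bool:  # every field must match for the entry to match
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False                 # 'ip' entries never carry ports, so none are checked
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True

def evaluate(acl: list, pkt: dict) -> str:
    """First match wins; falling off the end hits the implied 'deny all traffic'."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# access-list 1 permit 10.1.1.0 0.0.0.255   (standard ACL: source address only)
ACL_1 = [Entry("permit", "10.1.1.0", "0.0.0.255")]
# access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.2 eq 22  (SSH to the server)
# access-list 101 deny   tcp any host 10.2.2.2 eq 23                 (no Telnet to the server)
# access-list 101 permit tcp host 10.2.2.2 eq 22 10.1.1.0 0.0.0.255  (replies: SOURCE port 22)
ACL_101 = [
    Entry("permit", "10.1.1.0", "0.0.0.255", "tcp", "10.2.2.2", "0.0.0.0", dst_port=22),
    Entry("deny", "0.0.0.0", "255.255.255.255", "tcp", "10.2.2.2", "0.0.0.0", dst_port=23),
    Entry("permit", "10.2.2.2", "0.0.0.0", "tcp", "10.1.1.0", "0.0.0.255", src_port=22),
]
```

Note that a UDP packet to port 22 falls through all three entries of ACL_101 and is dropped by the implicit deny, and that the server's replies are only permitted because the third entry checks the source port.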

16–17 IP Access Lists Matching TCP and UDP Port Numbers [slides 16 and 17 show port-matching examples as images that are not captured in the transcript]

18 IP Access Lists Extended IP ACL Configuration Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. So filtering close to the source of the packets saves some bandwidth. All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement. The extended access-list command uses numbers between 100–199 and 2000–2699, with no number being inherently better than another.

19–21 IP Access Lists Extended IP ACL Configuration [slides 19 through 21 show configuration examples as images that are not captured in the transcript]

22 IP Access Lists Named IP Access Lists Named ACLs, introduced with IOS version 11.2, can be used to match the same packets, with the same parameters, that can be matched with standard and extended IP ACLs. The most obvious difference is that IOS identifies named ACLs using names you make up, as opposed to numbers—and you have a better chance of remembering names. In addition to using more memorable names, the other major advantage of named ACLs over numbered ACLs, at the time they were introduced into IOS, was that you could delete individual lines in a named IP access list.

23 IP Access Lists Named IP Access Lists Two important configuration differences exist between old-style numbered ACLs and the newer named access lists. One key difference is that named access lists use a global command that places the user in a named IP access list submode, under which the matching and permit/deny logic is configured. The other key difference is that when a named matching statement is deleted, only that one statement is deleted.

24 IP Access Lists Editing ACLs Using Sequence Numbers Before the introduction of IOS 12.3, all new rules were added to the end of the ACL. New features in IOS 12.3 include the following:

25 IP Access Lists [the list of IOS 12.3 ACL editing features on this slide is an image that is not captured in the transcript]

26 IP Access Lists Controlling Telnet and SSH Access with ACLs An engineer can control remote access to a router by using ACLs that look for the well-known ports used by both Telnet (23) and SSH (22).

27 IP Access Lists ACL Implementation Considerations Cisco makes the following general recommendations in the courses on which the CCNA exams are based: Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.) Place extended ACLs as close as possible to the source of the packet to discard the packets quickly. Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source. Place more-specific statements early in the ACL. Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.

28 IP Access Lists Reflexive Access Lists Reflexive ACLs, also called IP session filtering, provide a way to prevent a class of security attacks by permitting each allowed TCP or UDP session on an individual basis. Dynamic ACLs Dynamic ACLs solve a different problem that also cannot be easily solved using traditional ACLs. Imagine a set of servers that need to be accessed by a small set of users. With ACLs, you can match the IP addresses of the hosts used by the users. However, if the user borrows another PC, or leases a new address using DHCP, or takes her laptop home, and so on, the legitimate user now has a different IP address. So a traditional ACL would have to be edited to support each new IP address.

29 IP Access Lists Dynamic ACLs Dynamic ACLs, also called Lock-and-Key Security, solve this problem by tying the ACL to a user authentication process. Instead of starting by trying to connect to the server, the users must be told to first telnet to a router. The router asks for a username/password combination. If it is authentic, the router dynamically changes its ACL, permitting traffic from the IP address of the host that just sent the authentication packets. After a period of inactivity, the router removes the dynamic entry in the ACL, closing the potential security hole.

30 IP Access Lists Dynamic ACLs [this slide shows a Lock-and-Key example as an image that is not captured in the transcript]

31 IP Access Lists Time-Based ACLs The term time-based ACL refers to a feature of normal IP ACLs (both numbered and named) in which a time constraint can be added to the configuration commands. In some cases, it may be useful to match packets in an ACL, but only at certain times in the day, or even on particular days of the week. Time-based ACLs allow the addition of time constraints, with IOS keeping or removing the statements from the ACL during the appropriate times of day.

