Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Lists Mark Clements. 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard.

Published byStuart Pitts Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control Lists Mark Clements. 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard."— Presentation transcript:

1 Access Control Lists Mark Clements

2 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard ACLs Extended ACLs Where to place them

3 17 March 2009ITCN 3 Reasons for ACLs Limit network traffic to where we define and increase network performance Provide traffic flow control – ACLs can restrict or reduce the contents of routing updates Provide a basic level of security for network access Decide which types of traffic are forwarded or blocked at router interfaces

4 17 March 2009ITCN 4 Consider an arbitrary Network

5 17 March 2009ITCN 5 Routers and ACLs Router can read packets Packets contain much data We can choose to act upon this data Permits us to allow or deny whichever part of this data we wish ACLs implement this policy

6 17 March 2009ITCN 6 The task of ACLs An ACL is a group of statements that define how or whether packets: Enter inbound interfaces Exit outbound interfaces of the router Relay through the router or not

7 17 March 2009ITCN 7 The Order of ACLs is important IOS tests the packet against each condition statement in the order in which the statements were created Note: After a match is found, no more condition statements are checked If you create a condition statement that permits all traffic, no statements added later will ever be checked If all the ACL statements are unmatched, an implicit "deny any" statement is imposed

8 17 March 2009ITCN 8 ACL Statement Order Implicit ‘last statement’ denies all traffic Must make statements preceding this allow the permitted traffic to flow Construct statements carefully Anything not explicitly permitted will be denied

9 17 March 2009ITCN 9 Standard ACLs You use standard ACLs when you : want to block all traffic from a network allow all traffic from a specific network deny entire protocol suites e.g. www or icmp Standard ACLs check the source address of packets that could be routed across your network Standard ACLs are not used very often

10 17 March 2009ITCN 10 Extended ACLs These are used whenever we want to be more specific about the type of traffic to block e.g. a certain host or an entire protocol e.g. www or ftp or icmp (ping) These are used very frequently

11 17 March 2009ITCN 11 Creating ACLs Enter global configuration mode i.e. Router(config)# Enter the command ip access-list [standard|extended] number (to identify it) Router prompt changes accordingly

12 Using Notepad Create ACLs in Notepad (or other text editor) They can be easily manipulated and reordered – This is not possible on a router – it is necessary to delete the entire list and start again Once the ACL is correct, it can be pasted into the router’s CLI 17 March 2009ITCN 12

13 17 March 2009ITCN 13 Standard and Extended ACLs ACL 1 to 99 are for standard ACL statements Router(config-std-nacl)# ACL 100 to 199 are for extended ACL statements Router(config-ext-nacl)# Logically order the ACL Permitted IP protocols must be specified – all other protocols should be denied

14 17 March 2009ITCN 14 Which Interface to place the ACL? ACLs assigned to one or more interfaces Can filter inbound or outbound traffic Outbound ACLs are generally more efficient than inbound – Only checks packets on that interface Inbound ACLs must check all packets before switching packet to outbound interface

15 17 March 2009ITCN 15 Wildcard Mask This identifies a host or range of addresses It is the binary inversion of the subnet mask i.e. in a ‘class C’ address range we use the subnet mask 255.255.255.0 To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s)

16 17 March 2009ITCN 16 Wildcard Mask Bits Sometimes we need to specify a range of IP addressesSometimes we need to specify a range of IP addresses Wild card mask is 32-bit quantity divided into four octetsWild card mask is 32-bit quantity divided into four octets Each octet contains 8 bits Each octet contains 8 bits Wildcard mask bit 0 means "check corresponding bit value" Wildcard mask bit 0 means "check corresponding bit value" Wildcard mask bit 1 means "do not check (ignore) that corresponding bit value" Wildcard mask bit 1 means "do not check (ignore) that corresponding bit value"

17 17 March 2009ITCN 17

18 17 March 2009ITCN 18 Example What is the dotted decimal wildcard mask you would use to check for all traffic from hosts in the range 193.60.64.1 to 193.60.64.31 ? Hint – convert to binary first Write first and last addresses to compare like and unlike bits Convert back to decimal afterwards

19 Quad Zero Address 0.0.0.0 is known as the Quad Zero address and it is ‘shorthand’ for any IP address. 17 March 2009ITCN 19

20 17 March 2009ITCN 20 Useful Commands – ANY To specify that any source address will be permitted to pass Router(config-std-nacl)# access-list 1 permit 0.0.0.0 255.255.255.255 Is the same as (but shorter) Router(config-std-nacl)# access-list 1 permit any

21 17 March 2009ITCN 21 HOST Command A specific IP host address will be denied in an ACL test Router(config-std-nacl)# access- list 1 deny 172.30.16.29 0.0.0.0 Is the same as (but this is shorter) Router(config-std-nacl)# access- list 1 deny host 172.30.16.29

22 17 March 2009ITCN 22 Examples of ACLs access-list 33 permit 192.168.0.0 0.0.255.255 (permits all traffic in the range 192.168.0.0 to 192.168.255.255) access-list 44 deny 192.168.13.7 0.0.0.0 (denies traffic from only the host 192.168.13.7) access-list 55 permit 0.0.0.0 any (permits all traffic from any network )

23 17 March 2009ITCN 23 Extended ACLs Provide a greater range of control than standard ACLs E.g. we can allow Web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic Extended ACLs check for both source and destination packet addresses. Specific protocols, port numbers and other parameters can be checked for Packets can be permitted or denied output based on where the packet originated and based on its destination

24 17 March 2009ITCN 24 Extended ACL example chatham(config)#ip access-list extended 150 chatham(config-ext-nacl)#? default Set a command to its defaults deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward remark Access list entry comment chatham(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.255 192.168.2.3 0.0.0.255

25 17 March 2009ITCN 25 Well-known Port numbers Some ports are commonly used Their numbers are well-known PC can be configured by a hacker to use a different port !

26 17 March 2009ITCN 26 in

27 17 March 2009ITCN 27 Placing Standard and Extended ACLs Put the Extended ACLs as close as possible to the source machine or range (on your network) for the traffic type denied Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near to the destination machine (or range) we want to deny as possible

28 17 March 2009ITCN 28 Applying ACLs to an interface Once you have written an ACL, you need to apply it to an interface either IN or OUT If we have written access-list 101, we could apply it to the Fa0/0 interface inbound int fa0/0 ip access-group 101 in ACLs can also be placed on an interface in the outbound direction

29 17 March 2009ITCN 29 Placing ACLs Imagine you are standing INSIDE the router The direction of the ACL for an interface will be the same as our perspective standing INSIDE the router

30 17 March 2009ITCN 30 Conclusion ACLs will check packets for certain conditions Standard ACLs test simple conditions Extended ACLs test for more rigorous conditions Define ACL – Apply to interface Place ACLs sensibly Be sure to order ACLs sensibly too!

Download ppt "Access Control Lists Mark Clements. 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
Access Control Lists Written by Bill Reed 03/11/05.

Access Control Lists Written by Bill Reed 03/11/05.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 Access Control Lists - Introduction.

CISCO NETWORKING ACADEMY Chabot College ELEC Access Control Lists - Introduction.

Similar presentations

Ads by Google