1.ACLs Excellent.job

Upload: ted-siniscalchi

Post on 04-Apr-2018

Category: Documents

TRANSCRIPT

  • 7/30/2019 1.ACLs Excellent.job

    1/46

    Access Control List (ACL)

    W. Lilakiatsakun

    2/46

    ACL Fundamentals

    Introduction to ACLs

    How ACLs work

    Creating ACLs

    The function of a wildcard mask

    3/46

    Introduction to ACL (1)

    ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.

    These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions.

    ACLs enable management of traffic and secure access to and from a network.


    4/46

    ACL

    5/46

    Introduction to ACL (2)

    To filter network traffic, ACLs determine whether routed packets are forwarded or blocked at the router interfaces.

    The router examines each packet and forwards or discards it based on the conditions specified in the ACL.

    An ACL makes its permit or deny decision based on source address, destination address, protocol, and upper-layer port numbers.

    How many of these factors the ACL can use depends, in part, on whether it is a standard or an extended ACL.

    6/46

    Cisco IOS checks the packet header and the upper-layer header

    7/46

    Introduction to ACL (3)

    ACLs must be defined on a per-protocol, per-direction, per-interface (port) basis.

    To control traffic flow on an interface, an ACL must be defined for each routed protocol enabled on the interface.

    ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.

    Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each protocol (3), times two for each direction (2), times two for the number of interfaces (2).

    (2 interfaces for IP in, 2 IP out, 2 IPX in, 2 IPX out, 2 AppleTalk in, 2 AppleTalk out.)

    8/46

    Access Control List grouping in a router

    9/46

    ACL Tasks (1)

    Limit network traffic and increase network performance. For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.

    Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.

    Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

    10/46

    ACL Tasks (2)

    Decide which types of traffic are forwarded or blocked at the router interfaces. ACLs can permit e-mail traffic to be routed but block all Telnet traffic.

    Control which areas a client can access on a network.

    Screen hosts to permit or deny access to a network segment.

    ACLs can be used to permit or deny a user access to services such as FTP or HTTP.

    11/46

    ACL Fundamentals

    Introduction to ACLs

    How ACLs work

    Creating ACLs

    The function of a wildcard mask

    12/46

    How ACL works (1)

    The order in which ACL statements are placed is important.

    The packet is tested against each condition statement in order from the top of the list to the bottom.

    Once a match is found in the list, the permit or deny action is performed and no other ACL statements are checked.

    If a statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked.


    14/46

    How ACL works (2)

    ACL statements operate in sequential, logical order. If a condition matches, the packet is permitted or denied and the rest of the ACL statements are not checked.

    If none of the ACL statements match, an implicit deny any statement at the end of the list applies by default.

    This invisible deny any at the end of the ACL means unmatched packets are never accepted.

    When first learning how to create ACLs, it is a good idea to add an explicit deny any at the end of the list to make the implicit deny visible.

    15/46

    How ACL works (3)

    If additional condition statements are needed in a numbered access list, the entire ACL must be deleted and recreated with the new condition statements!

    Nothing is more aggravating than having to re-enter a 50-line ACL just to make one change!

    To make the process of revising an ACL simpler, it is a good idea to build the ACL in a text editor such as Notepad and paste it into the router configuration.

    (Newer IOS releases, from the 12.2T/12.3 trains onward, support IP access list entry sequence numbering, which lets you add or remove individual entries from ip access-list configuration mode. The advice above still applies to older releases and to non-IP access lists.)

    16/46

    Routing Process (1)

    The beginning of the router process is the same whether ACLs are used or not.

    As a frame enters an interface, the router checks whether the Layer 2 address matches or whether it is a broadcast frame.

    If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list.

    If the packet matches a statement, the packet is either accepted or rejected.

    17/46

    Routing Process (2)

    If the packet is accepted on the inbound interface, it is then checked against the routing table entries to determine the destination interface and switched to that interface.

    Next, the router checks whether the destination interface has an ACL (this is still within the same router).

    If an ACL exists, the packet is tested against the statements in the list.

    If the packet matches a statement, it is either accepted or rejected.

    If there is no ACL, or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
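The forwarding sequence described on slides 16 and 17, modelled as an added Python example (this is not code from the slides). The router, its interfaces, routes and addresses are constructed for the example, and ACL entries are simplified to (action, source prefix) pairs rather than IOS syntax. The model also shows a point the deck makes later: an outbound ACL is not applied to traffic the router itself originates.

```python
"""Where ACLs sit in the forwarding path of a single router.

Added example, not from the original slides. Constructed topology: the router
has Fa0/0 (LAN 192.168.1.0/24) and S0/0 (towards 10.0.0.0/8 and the default).
ACL entries are simplified to (action, source network); IOS syntax and
wildcard masks are covered elsewhere in the deck.
"""
from ipaddress import IPv4Address, IPv4Network


class Router:
    def __init__(self, routes, acls_in=None, acls_out=None):
        # routes: {prefix: egress interface}; longest prefix wins
        self.routes = {IPv4Network(k): v for k, v in routes.items()}
        self.acls_in = acls_in or {}    # interface -> [(action, source prefix), ...]
        self.acls_out = acls_out or {}

    @staticmethod
    def apply_acl(entries, src):
        """First match wins. No ACL on the interface means permit; an ACL with
        no matching entry means the implicit deny at the end applies."""
        if entries is None:
            return "permit"
        for action, net in entries:
            if IPv4Address(src) in IPv4Network(net):
                return action
        return "deny"

    def lookup(self, dst):
        """Longest-prefix match against the routing table; None if no route."""
        addr = IPv4Address(dst)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, pkt, ingress):
        """Process pkt arriving on `ingress`. ingress=None means the router itself
        generated the packet (for example its own routing updates or pings).
        Returns (result, trace); trace lists each step taken."""
        trace = []
        if ingress is not None:
            # 1. the inbound ACL is checked before any routing decision
            verdict = self.apply_acl(self.acls_in.get(ingress), pkt["src"])
            trace.append(f"inbound ACL on {ingress}: {verdict}")
            if verdict == "deny":
                return "dropped at ingress", trace
        # 2. the routing table lookup picks the egress interface
        egress = self.lookup(pkt["dst"])
        if egress is None:
            trace.append("no route")
            return "dropped, no route", trace
        trace.append(f"routed to {egress}")
        # 3. the outbound ACL on the egress interface; IOS skips it for
        #    packets the router originated itself
        if ingress is None:
            trace.append(f"outbound ACL on {egress} skipped: locally originated")
        else:
            verdict = self.apply_acl(self.acls_out.get(egress), pkt["src"])
            trace.append(f"outbound ACL on {egress}: {verdict}")
            if verdict == "deny":
                return "dropped at egress", trace
        return f"forwarded out {egress}", trace


# Constructed sample: block one LAN host inbound on Fa0/0, and let only the
# LAN prefix leave on S0/0 (so spoofed sources are caught at egress).
R1 = Router(
    routes={"192.168.1.0/24": "Fa0/0", "10.0.0.0/8": "S0/0", "0.0.0.0/0": "S0/0"},
    acls_in={"Fa0/0": [("deny", "192.168.1.66/32"), ("permit", "0.0.0.0/0")]},
    acls_out={"S0/0": [("permit", "192.168.1.0/24")]},
)

if __name__ == "__main__":
    cases = [
        ({"src": "192.168.1.10", "dst": "10.1.1.1"}, "Fa0/0"),  # normal LAN host
        ({"src": "192.168.1.66", "dst": "10.1.1.1"}, "Fa0/0"),  # denied inbound
        ({"src": "10.0.0.2", "dst": "10.1.1.1"}, "Fa0/0"),      # spoofed source, denied outbound
        ({"src": "10.0.0.2", "dst": "10.1.1.1"}, None),         # router's own traffic
    ]
    for pkt, ingress in cases:
        print(pkt["src"], ingress, "->", R1.forward(pkt, ingress))
```

Run the same packet with a source address of 10.0.0.2 twice, once arriving on Fa0/0 and once as locally originated: the first is stopped by the outbound ACL on S0/0, the second leaves untouched, which is why locking down a router's own management traffic needs inbound filters on the far side or vty restrictions rather than an outbound ACL.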

    18/46

    ACL Fundamentals

    Introduction to ACLs

    How ACLs work

    Creating ACLs

    The function of a wildcard mask

    19/46

    Creating rules for ACLs (1)

    There is an implicit deny any at the end of all access lists. It does not appear in the configuration listing.

    Access list entries should filter in order from specific to general.

    Statements for specific hosts should come first; groups or general filters should come last.

    The match condition is examined first. The permit or deny is applied only if the match is true.

    Never work on an access list that is actively applied. Use a text editor to write comments that outline the logic, then fill in the statements that implement the logic.

    20/46

    Creating rules for ACLs (2)

    New lines are always added to the end of the access list. A no access-list x command removes the whole list.

    It is not possible to selectively add and remove lines with numbered ACLs.

    When an IP access list rejects a packet, the router discards it and sends an ICMP destination unreachable message (administratively prohibited) to the sender.

    An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.

    Outbound filters do not affect traffic that originates from the local router.

    21/46

    Creating rules for ACLs (3)

    There should be one access list per protocol per direction.

    Standard access lists should be applied closest to the destination.

    Extended access lists should be applied closest to the source.

    The inbound or outbound direction is referenced as if looking at the interface from inside the router.

    Statements are processed sequentially from the top of the list to the bottom until a match is found.

    If no match is found, the packet is denied and discarded.


    22/46

    Applying ACLs

    23/46

    ACL Fundamentals

    Introduction to ACLs

    How ACLs work

    Creating ACLs

    The function of a wildcard mask

    24/46

    The function of a wildcard mask

    A wildcard mask is a 32-bit quantity that is divided into four octets.

    A wildcard mask is paired with an IP address.

    The ones and zeros in the mask identify how to treat the corresponding IP address bits: a 0 bit means the address bit must match, a 1 bit means the address bit is ignored.

    Wildcard masks are not subnet masks. They are used for different purposes and follow different rules, even though the wildcard that matches an entire subnet happens to be the inverted subnet mask.

    25/46

    Wildcard Mask vs Subnet Mask

    The subnet mask and the wildcard mask represent two different things when they are compared to an IP address.

    Subnet masks use binary ones and zeros to identify the network, subnet, and host portions of an IP address.

    Wildcard masks use binary ones and zeros to filter individual IP addresses or groups of IP addresses, permitting or denying access to resources based on the address.

    The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.

    26/46

    Wildcard Mask EX (1)

    27/46

    Wildcard Mask EX (2)

    28/46

    Wildcard Mask EX (3)

    29/46

    Wildcard Mask EX (4)

    30/46

    Wildcard Mask Keywords

    There are two special keywords that are used in ACLs, the any and host options.

    The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. It matches any address it is compared against.

    The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match, so it matches just one address.
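The matching rules from the "How ACL works" slides (top-to-bottom, first match wins, implicit deny) and the wildcard-mask slides (0 bits must match, 1 bits are ignored, any and host as shorthand) worked through in an added Python example. This is not code from the slides; the ACL entries and addresses are constructed. It goes one step beyond the slides by detecting entries that can never match because an earlier, broader entry shadows them, the situation slide 12 warns about.

```python
"""Wildcard-mask matching, the any/host keywords, first-match evaluation
and the implicit deny, modelled in Python.

Added example, not from the original slides. The ACL entries and addresses
below are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

MASK32 = 0xFFFFFFFF

# `any` is shorthand for address 0.0.0.0 with wildcard 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    """`host A` is shorthand for address A with wildcard 0.0.0.0: every bit must match."""
    return (addr, "0.0.0.0")


def network_to_wildcard(cidr):
    """(address, wildcard) covering a prefix: the wildcard is the inverted subnet mask.
    Wildcards are not limited to this form; see ODD_THIRD_OCTET below."""
    net = IPv4Network(cidr, strict=False)
    return str(net.network_address), str(IPv4Address(int(net.netmask) ^ MASK32))


def wildcard_match(addr, ace_addr, wildcard):
    """A 0 bit in the wildcard means the address bit must equal the ACE bit;
    a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return (a ^ b) & (~w & MASK32) == 0


def covers(outer, inner):
    """True if every address matched by `inner` (addr, wc) is also matched by `outer`:
    outer fixes no bit that inner leaves free, and the fixed bits agree."""
    a_o, w_o = (int(IPv4Address(x)) for x in outer)
    a_i, w_i = (int(IPv4Address(x)) for x in inner)
    fixed_o = ~w_o & MASK32
    return (w_i & fixed_o) == 0 and ((a_o ^ a_i) & fixed_o) == 0


def evaluate(acl, src):
    """Top-to-bottom, first match wins. Returns (action, index); index None means
    the packet fell through to the implicit `deny any` at the end of the list."""
    for i, (action, addr, wc) in enumerate(acl):
        if wildcard_match(src, addr, wc):
            return action, i
    return "deny", None


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry already
    covers every address they would match, e.g. anything placed after `permit any`."""
    return [i for i, (_, *inner) in enumerate(acl)
            if any(covers(acl[j][1:], inner) for j in range(i))]


# Constructed standard ACL, ordered the way the slides recommend:
# the specific host first, then the group, then the general rule.
ACL = [
    ("deny", *host("192.168.1.10")),
    ("permit", *network_to_wildcard("192.168.1.0/24")),
    ("permit", *ANY),
    ("deny", *host("10.0.0.5")),   # never reached: shadowed by `permit any`
]

# A non-contiguous wildcard, something a subnet mask cannot express:
# 0.0.254.255 leaves only bit 0 of the third octet fixed, so with address
# 192.168.1.0 it matches 192.168.1.x, 192.168.3.x, ... (odd third octets only).
ODD_THIRD_OCTET = ("192.168.1.0", "0.0.254.255")

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.77", "10.0.0.5"):
        print(src, "->", evaluate(ACL, src))
    print("shadowed entries:", shadowed_entries(ACL))
    print("192.168.3.1 odd third octet?", wildcard_match("192.168.3.1", *ODD_THIRD_OCTET))
```

The shadowing check is the one worth keeping around: run it over any ACL before pasting it into a router, and it flags the "permit any at the top" mistake (and subtler ones, such as a host entry placed after the subnet that contains it) without needing the device.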

    31/46

    Standard ACL

    Standard ACLs check only the source address of IP packets that are routed.

    The ACL permits or denies access for the entire protocol suite, based on the network, subnet, and host addresses.

    For example, packets that come in Fa0/0 are checked for their source addresses.

    If they are permitted, the packets are routed through the router to an output interface.

    If they are not permitted, they are dropped at the incoming interface.


    33/46

    Extended ACLs (1)

    Extended ACLs are used more often than standard ACLs because they provide a greater range of control.

    Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.

    This gives greater flexibility to describe what the ACL will check.

    Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port numbers.

    34/46

    Extended ACLs (2)

    For a single ACL, multiple statements may be configured.

    Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory.

    Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
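An added Python example (not code from the slides) that parses a small subset of the numbered access-list syntax the standard and extended ACL slides describe and evaluates packets against it. The configuration text is constructed; ACL 101 implements the scenario used later in the placement example, denying Telnet and FTP from one LAN to one server while permitting everything else. Supported syntax is limited to any, host A, A WILDCARD, an optional eq PORT after each address, and remark lines.

```python
"""Parser and evaluator for a subset of Cisco IOS numbered access-list syntax.

Added example, not from the original slides. Handles standard (1-99) and
extended (100-199) IP ACLs with `any`, `host A`, `A WILDCARD`, an optional
`eq <port>` after each address, trailing `log`, and `remark` lines.
The configuration text below is constructed for this example.
"""
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")
# A few of the port keywords IOS accepts in place of numbers
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def wildcard_match(addr, ace_addr, wildcard):
    """0 bits in the wildcard must match, 1 bits are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return (a ^ b) & (~w & MASK32) == 0


def _take_addr(tokens):
    """Consume one address spec: `any`, `host A` or `A W`. Returns ((addr, wc), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional `eq <port>`. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]   # unknown keyword -> KeyError
        return port, tokens[2:]
    return None, tokens


def parse_acl(config_text):
    """Parse `access-list N ...` lines into {N: [entry, ...]} in configuration order.
    Each entry is a dict with action, proto, src, sport, dst, dport."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue    # `!` comments, remarks and unrelated lines are ignored
        if tokens[-1] == "log":
            tokens = tokens[:-1]
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            # standard: source only; a bare address with no wildcard means one host
            if rest[0] in ("any", "host") or len(rest) > 1:
                src, rest = _take_addr(rest)
            else:
                src = (rest[0], "0.0.0.0")
            entry = dict(action=action, proto="ip", src=src, sport=None, dst=ANY, dport=None)
        elif 100 <= number <= 199:
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            sport, rest = _take_port(rest)
            dst, rest = _take_addr(rest)
            dport, rest = _take_port(rest)
            entry = dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
        else:
            raise ValueError(f"ACL number {number} not handled by this example")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, pkt):
    """First match wins; a packet matching no entry hits the implicit deny.
    pkt has src, dst, proto and optionally sport/dport."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"], i
    return "deny", None


# Constructed configuration: ACL 10 is a standard list; ACL 101 denies Telnet and
# FTP control from one LAN to one server and permits everything else.
CONFIG = """\
! constructed sample configuration, not from the slides
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny host 10.0.0.5
access-list 101 remark block Telnet and FTP from the LAN to the server
access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 172.16.20.5 eq telnet
access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 172.16.20.5 eq 21
access-list 101 permit ip any any
"""
ACLS = parse_acl(CONFIG)

if __name__ == "__main__":
    lan_to_server = {"src": "192.168.10.7", "dst": "172.16.20.5", "proto": "tcp", "sport": 51000}
    for dport in (23, 21, 80):
        print("dport", dport, "->", evaluate(ACLS[101], dict(lan_to_server, dport=dport)))
    print(evaluate(ACLS[10], {"src": "10.0.0.6", "dst": "1.1.1.1", "proto": "udp"}))
```

Note that the standard list in ACL 10 ends with an implicit deny, so the second line denying 10.0.0.5 is redundant in practice; a packet from 10.0.0.6 is denied just the same, which is exactly the behaviour the implicit deny slides describe.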


    36/46

    ACLs LAB

    11.2.1a Standard ACLs configuration 1

    11.2.1b Standard ACLs configuration 2

    11.2.2a Extended ACLs configuration 1

    11.2.2b Extended ACLs configuration 2

    37/46

    Named ACL

    Named ACLs allow standard and extended ACLs to be given names instead of numbers.

    A named access list provides the following advantages:

    Alphanumeric names can be used to identify ACLs.

    The IOS does not limit the number of named ACLs that can be configured.

    Named ACLs can be modified without deleting and re-entering the whole list, since individual statements can be removed. However, on IOS releases without access list entry sequence numbering, new statements can only be appended at the end of the list.

    It is a good idea to use a text editor to create named ACLs.


    40/46

    Placing ACLs (1)

    Proper ACL placement filters traffic and makes the network more efficient.

    The ACL should be placed where it has the greatest impact on efficiency.

    The general rule is to put extended ACLs as close as possible to the source of the traffic being denied, so the unwanted traffic is dropped before it consumes bandwidth on the path.

    Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible; placed near the source, a standard ACL would block that source's traffic to every destination, not just the intended one.


    41/46

    Placing ACLs (2)

    42/46

    Placing ACLs example (1)

    In the figure, the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D.

    At the same time, other traffic must be permitted.

    The recommended solution is an extended ACL that specifies both source and destination addresses.

    Place this extended ACL in Router A. Then the denied packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D.

    Traffic with different source and destination addresses is still permitted.

    43/46

    Placing ACLs example (2)

    To prevent traffic from the Router A segment to the Router D segment with a standard ACL, the ACL should be placed on Fa0/0 of Router D.

    44/46

    Deploy ACL

    ACLs may be used with:

    Firewalls

    Protecting virtual terminal (vty) access

    etc.

    45/46

    Restricting Virtual terminal access (1)

    46/46

    Restricting Virtual terminal access (2)