1.acls excellent.job
Post on 04-Apr-2018
7/30/2019 1.ACLs Excellent.job
Access Control List (ACL)
W. Lilakiatsakun

ACL Fundamentals
Introduction to ACLs
How ACLs work
Creating ACLs
The function of a wildcard mask

Introduction to ACL (1)
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACLs enable management of traffic and secure access to and from a network.

ACL (figure)

Introduction to ACL (2)
To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces.
The router examines each packet and will forward or discard it based on the conditions specified in the ACL.
An ACL makes this forward-or-discard decision based on source address, destination address, protocols, and upper-layer port numbers.
How many of these factors are used in the ACL depends, in part, on whether we are using a standard or an extended ACL.

Cisco IOS checks the packet and upper-layer header (figure)

Introduction to ACL (3)
ACLs must be defined on a per-protocol, per-direction, or per-port basis.
To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each protocol (3), times two for each direction (2), times two for the number of ports (2).
(2 interfaces for IP in, 2 IP out, 2 IPX in, 2 IPX out, 2 AppleTalk in, 2 AppleTalk out.)

Access Control List grouping in a router (figure)

ACL Tasks (1)
Limit network traffic and increase network performance.
For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates.
If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access.
ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

ACL Tasks (2)
Decide which types of traffic are forwarded or blocked at the router interfaces.
ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.
Control which areas a client can access on a network.
Screen hosts to permit or deny access to a network segment.
ACLs can be used to permit or deny a user access to services such as FTP or HTTP.

How ACL works (1)
The order in which ACL statements are placed is important.
The packet is tested against each condition statement in order from the top of the list to the bottom.
Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.
If a condition statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked.

How ACL works (2)
ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
If none of the ACL statements match, an implicit deny any statement at the end of the list takes effect by default.
This invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted.
When first learning how to create ACLs, it is a good idea to add an explicit deny any at the end of ACLs to make the implicit deny visible.

How ACL works (3)
If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements!
Nothing is more aggravating than having to re-enter a 50-line ACL just to make one change!
To make the process of revising an ACL simpler, it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.

Routing Process (1)
The beginning of the router process is the same, whether ACLs are used or not.
As a frame enters an interface, the router checks to see whether the Layer 2 address matches or if it is a broadcast frame.
If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list.
If the packet matches a statement, the packet is either accepted or rejected.

Routing Process (2)
If the packet is accepted at the inbound interface, it is then checked against the routing table entries to determine the destination interface and switched to that interface.
Next, the router checks whether the destination interface has an ACL (this is still within the same router).
If an ACL exists, the packet is tested against the statements in the list.
If the packet matches a statement, it is either accepted or rejected.
If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Creating rules for ACLs (1)
There is an implicit deny any at the end of all access lists. It will not appear in the configuration listing.
Access list entries should filter in order from specific to general.
Specific hosts should be denied first, and groups or general filters should come last.
The match condition is examined first. The permit or deny is applied only if the match is true.
Never work with an access list that is actively applied.
A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.

Creating rules for ACLs (2)
New lines are always added to the end of the access list. A no access-list x command will remove the whole list.
It is not possible to selectively add and remove lines with numbered ACLs.
An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
Outbound filters do not affect traffic that originates from the local router.

Creating rules for ACLs (3)
There should be one access list per protocol per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
The inbound or outbound interface should be referenced as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found.
If no match is found, the packet is denied and discarded.

Applying ACLs (figure)

The function of a wildcard mask
A wildcard mask is a 32-bit quantity that is divided into four octets.
A wildcard mask is paired with an IP address.
The ones and zeros in the mask identify how to treat the corresponding IP address bits.
Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

Wildcard Mask vs Subnet Mask
The subnet mask and the wildcard mask represent two different things when they are compared to an IP address.
Subnet masks use binary ones and zeros to identify the network, subnet, and host portions of an IP address.
Wildcard masks use binary ones and zeros to filter individual IP addresses or groups of IP addresses, to permit or deny access to resources based on an IP address.
The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.
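As an added example (not from the slides), the contrast in Python: the wildcard that covers a whole subnet happens to be the bitwise inverse of that subnet's mask, yet the two masks follow different rules, since a subnet mask must be contiguous ones followed by zeros while a wildcard mask may carry any bit pattern. The 172.16.0.0 address and the 0.0.254.255 mask are constructed sample values.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard covering a whole subnet: the bitwise inverse of its subnet
    mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ to_int(subnet_mask)))

def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be a run of ones followed by a run of zeros;
    wildcard masks carry no such rule."""
    inverted = ALL_ONES ^ to_int(mask)          # zeros followed by ones
    return (inverted & (inverted + 1)) == 0

def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard is 0;
    a 1 bit in the wildcard means 'do not care'."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(acl_addr) & care)

# Constructed example: 0.0.254.255 ignores every third-octet bit except the
# lowest, so '172.16.0.0 0.0.254.255' matches exactly the even-numbered /24
# subnets inside 172.16.0.0/16. No subnet mask can express that selection.
EVEN_SUBNETS = ("172.16.0.0", "0.0.254.255")

def matching_third_octets(acl_addr: str, wildcard: str) -> list:
    """Values n in 0..7 for which 172.16.n.1 matches the entry."""
    return [n for n in range(8)
            if wildcard_match("172.16.%d.1" % n, acl_addr, wildcard)]
```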

Wildcard Mask EX (1) to (4) (figures)

Wildcard Mask Keyword
There are two special keywords that are used in ACLs, the any and host options.
The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
This option will match any address that it is compared against.
The host option substitutes 0.0.0.0 for the mask.
This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.

Standard ACL
Standard ACLs check the source address of IP packets that are routed.
The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.
For example, packets that come in Fa0/0 are checked for their source addresses and protocols.
If they are permitted, the packets are routed through the router to an output interface.
If they are not permitted, they are dropped at the incoming interface.

Extended ACLs (1)
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.
This gives greater flexibility to describe what the ACL will check.
Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

Extended ACLs (2)
For a single ACL, multiple statements may be configured.
Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory.
Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.

ACLs LAB
11.2.1a standard ACLs configuration 1
11.2.1b standard ACLs configuration 2
11.2.2a extended ACLs configuration 1
11.2.2b extended ACLs configuration 2

Named ACL
Named ACLs allow standard and extended ACLs to be given names instead of numbers.
The following are advantages that are provided by a named access list:
Alphanumeric names can be used to identify ACLs.
The IOS does not limit the number of named ACLs that can be configured.
Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. However, a named access list will only allow for statements to be inserted at the end of a list.
It is a good idea to use a text editor to create named ACLs.

Placing ACLs (1)
Proper ACL placement will filter traffic and make the network more efficient.
The ACL should be placed where it has the greatest impact on efficiency.
The general rule is to put the extended ACLs as close as possible to the source of the traffic denied.
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

Placing ACLs (2) (figure)

Placing ACLs example (1)
In the figure, the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D.
At the same time, other traffic must be permitted.
The recommended solution is an extended ACL that specifies both source and destination addresses.
Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D.
Traffic with different source and destination addresses will still be permitted.
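An added example, not the slides' own material, that models in Python the behaviour described under How ACL works, the any and host keywords, and this placement example: entries are tested top to bottom, the first match decides, an unmatched packet falls to the implicit deny, and an extended entry also checks destination, protocol and port. The 192.168.10.0/24 subnet, 10.1.1.0/24 for Router A's LAN and 10.4.1.0/24 for Router D's Fa0/1 LAN are assumed addresses, and a packet is a plain dict rather than a parsed header.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'this bit must match', bit 1 = 'ignore this bit'."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(acl_addr) & care)

def parse_target(spec: str):
    """Expand the 'any' and 'host' keywords to an address/wildcard pair."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"   # every address matches
    if parts[0] == "host":
        return parts[1], "0.0.0.0"            # every bit must match
    return parts[0], parts[1]

def entry_matches(entry, pkt) -> bool:
    """entry = (action, protocol, src_spec, dst_spec, dst_port or None)."""
    _, proto, src, dst, port = entry
    if proto != "ip" and proto != pkt["proto"]:   # 'ip' covers any protocol
        return False
    if port is not None and port != pkt["dport"]:
        return False
    return (wildcard_match(pkt["src"], *parse_target(src))
            and wildcard_match(pkt["dst"], *parse_target(dst)))

def evaluate(acl, pkt) -> str:
    """First match top to bottom; no match falls to the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"   # the invisible 'deny any' at the end of every list

# Constructed standard list: deny one host, then permit the rest of its subnet.
STANDARD = [
    ("deny",   "ip", "host 192.168.10.5",      "any", None),
    ("permit", "ip", "192.168.10.0 0.0.0.255", "any", None),
]
# Constructed extended list for the placement example: deny Telnet (23) and FTP
# control (21) from Router A's LAN to Router D's Fa0/1 LAN, permit everything else.
EXTENDED = [
    ("deny",   "tcp", "10.1.1.0 0.0.0.255", "10.4.1.0 0.0.0.255", 23),
    ("deny",   "tcp", "10.1.1.0 0.0.0.255", "10.4.1.0 0.0.0.255", 21),
    ("permit", "ip",  "any",                "any",                None),
]
```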

Placing ACLs example (2)
To prevent traffic from Router A to the Router D segment, a standard ACL should be placed on Fa0/0 of Router D.

Deploy ACL
ACLs may be used with:
Firewall
To protect virtual terminal access
etc.

Restricting Virtual terminal access (1) (figure)

Restricting Virtual terminal access (2) (figure)