TRANSCRIPT
CCNA Course
Access Control Lists
Access Control Lists (ACL)
Traffic filtering: permit or deny packets moving through a router
Permit or deny (VTY) access to or from a router
Traffic identification for special handling: Network Address Translation (NAT)
Create dial-on-demand routing (DDR) "interesting traffic" that triggers dialing to a remote location
ACL Rules
A single ACL is both a single entity and, at the same time, a list of one or more configuration commands.
As a single entity, the configuration enables the entire ACL on an interface, in a specific direction.
As a list of commands, each command has different matching logic that the router must apply to each packet when filtering using that ACL.
Once a packet matches one line in the ACL, the router takes the action listed in that line of the ACL.
Packets are compared to each line (command) of the access control list in sequential order.
ACL Rules
Packets are compared with lines (commands) of the access control list only until a match is made
Once a match is made & acted upon no further comparisons take place
An implicit “deny” is at the end of each access control list
If no matches have been made, the packet will be discarded
ACL Guidelines
One access list per interface, per protocol, or per direction
More specific tests at the top of the ACL
New commands are placed at the bottom of the ACL
Sequence number for each line, so individual lines can be removed
End ACLs with a permit any command
Create ACLs & then apply them to an interface
ACLs do not filter traffic originated from the router
Put Standard ACLs close to the destination
Put Extended ACLs close to the source
ACL Operation
Inbound Access Control Lists
Packets are processed before being routed to the outbound interface
ACL Operation
Outbound Access Lists
Packets are routed to the outbound interface & then processed through the access list
Types of ACLs
Standard Access List (1 – 99) & expanded (1300 – 1999)
Filter by source IP address only
Extended Access List (100 – 199) & expanded (2000 – 2699)
Filter by source IP, destination IP, protocol field, port number
Named Access List
The same as standard and extended access lists.
Extended ACLs
For protocol type use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP, UDP, or ICMP header, respectively, following the IP header.
You can use the keyword ip, which means “all ip packets.”
Can match UDP and TCP port numbers
Many operands can be used for port numbers
Named ACLs
A named ACL has the following features:
Using names instead of numbers to identify the ACL
Using ACL subcommands, not global commands, to define the action and matching parameters
ACL editing features that allow the CLI user to delete individual lines from the ACL and insert new lines
Numbered ACLs can also be edited this way; each line is automatically assigned a sequence number
Secure Devices Using ACLs
Users can remotely access network devices like routers and switches through vty lines using Telnet and SSH
ACLs can be used to limit remote access to such devices
The ACL is applied to the inbound connections of the vty lines
Outbound ACL can be used for vty lines to filter Telnet and SSH going from the device to access another device
Network Address Translation
IP Address Shortage Solutions
IPv6 is the long-term solution
Classless Inter-Domain Routing (CIDR) is a short-term solution
Private IP addressing is a short-term solution
Private IP addresses
Class A: 10.0.0.0 – 10.255.255.255
Class B: 172.16.0.0 – 172.31.255.255
Class C: 192.168.0.0 – 192.168.255.255
Why NAT
You need to connect to the Internet and your hosts don't have globally unique IP addresses.
You change to a new ISP that requires you to renumber your network.
You need to merge two intranets with duplicate addresses.
NAT Terms
Inside Local
The term “inside” refers to an address used for a host inside an enterprise. It is the actual IP address assigned to a host in the private enterprise network.
Inside Global
NAT uses an inside global address to represent the inside host as the packet is sent through the outside network, typically the Internet.
A NAT router changes the source IP address of a packet sent by an inside host from an inside local address to an inside global address as the packet goes from the inside to the outside network.
Inside and Outside
Types of NAT
Static NAT
Dynamic NAT
Overloading with Port Address Translation (PAT)
Static NAT
Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.
Dynamic NAT
Mapping of an inside local address to an inside global address happens dynamically
Overload NAT with PAT
PAT translates not only the IP address, but also the port number
Many TCP or UDP flows from different hosts look like the same number of flows from one host
The server doesn't care whether it has one connection to each of three different hosts or three connections to a single host IP address
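The three NAT types above can be compared side by side with a toy translation table. This is an added example for this transcript, not Cisco IOS code: it keeps the page's static mapping (192.168.32.10 to 213.18.123.110), adds a one-address dynamic pool (213.18.123.112, constructed) and a PAT overload address (213.18.123.111, constructed), and shows why PAT has to rewrite the source port when two inside hosts happen to use the same one. The `inbound` method reverses the translation for replies; an outside packet for which no entry exists yields None, which is the point at which a real NAT router drops it. All host addresses beyond the page's own pair, and all port numbers, are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Inside-to-outside NAT table with static, dynamic-pool and PAT overload behaviour (toy model)."""
    overload_ip: str                               # inside global address shared by PAT (constructed)
    static: dict = field(default_factory=dict)     # inside local -> inside global, fixed one-to-one
    pool: list = field(default_factory=list)       # free inside global addresses for dynamic NAT
    dynamic: dict = field(default_factory=dict)    # inside local -> inside global, assigned on demand
    pat: dict = field(default_factory=dict)        # (inside local, local port) -> translated port
    pat_rev: dict = field(default_factory=dict)    # translated port -> (inside local, local port)

    def outbound(self, local_ip, local_port):
        """Translate the source of a packet leaving the inside network; returns (global ip, global port)."""
        if local_ip in self.static:                # static NAT: one-to-one, port left untouched
            return self.static[local_ip], local_port
        if local_ip in self.dynamic:               # dynamic NAT: mapping already handed out
            return self.dynamic[local_ip], local_port
        if self.pool:                              # dynamic NAT: take the next free pool address
            self.dynamic[local_ip] = self.pool.pop(0)
            return self.dynamic[local_ip], local_port
        # PAT overload: one global address; flows are told apart by the translated source port.
        key = (local_ip, local_port)
        if key not in self.pat:
            # Keep the original port if no other inside host already owns it, else pick a free one.
            port = local_port if local_port not in self.pat_rev else self._free_port()
            self.pat[key] = port
            self.pat_rev[port] = key
        return self.overload_ip, self.pat[key]

    def _free_port(self, start=1024):
        port = start
        while port in self.pat_rev:
            port += 1
        return port

    def inbound(self, global_ip, global_port):
        """Reverse the translation for a packet arriving from outside; None means no entry (drop)."""
        for table in (self.static, self.dynamic):   # one-to-one entries: address only, port unchanged
            for local, glob in table.items():
                if glob == global_ip:
                    return local, global_port
        if global_ip == self.overload_ip:            # PAT: the port selects the inside host
            return self.pat_rev.get(global_port)
        return None

def demo():
    """Run the three inside hosts' flows through the table and collect the results (constructed data)."""
    nat = NatRouter(overload_ip="213.18.123.111",
                    static={"192.168.32.10": "213.18.123.110"},
                    pool=["213.18.123.112"])
    out = {
        "static":  nat.outbound("192.168.32.10", 40000),   # page's static example
        "dynamic": nat.outbound("192.168.32.20", 50000),   # gets the single pool address
        "pat_a":   nat.outbound("192.168.32.21", 50000),   # pool exhausted: PAT, port kept
        "pat_b":   nat.outbound("192.168.32.22", 50000),   # same local port: PAT must rewrite it
        "pat_c":   nat.outbound("192.168.32.23", 50001),
    }
    out["reply_to_pat_b"] = nat.inbound("213.18.123.111", out["pat_b"][1])
    out["unsolicited"] = nat.inbound("213.18.123.111", 9999)  # no table entry: dropped
    return nat, out

if __name__ == "__main__":
    _, results = demo()
    for name, value in results.items():
        print(f"{name:15} {value}")
```

The server at the far end sees pat_a, pat_b and pat_c all arriving from 213.18.123.111, distinguished only by port, which is the "three connections from a single host IP address" view the slide describes. Note the asymmetry the static slide points out: `inbound("213.18.123.110", 22)` resolves to the inside host even with no prior outbound flow, whereas an unsolicited packet to the overload address has no entry and is discarded.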