8/6/2019 CCNAv3.3 210
CCNA Semester 2
Chapter 10
ACCESS CONTROL LIST (ACLS)
Objectives
Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access
Table of Contents
1 Access Control List Fundamentals
2 Access Control Lists (ACLs)
ACCESS CONTROL LIST FUNDAMENTALS
What are ACLs
ACLs are lists of conditions that you apply to a router's interface.
These lists tell the router what kinds of packets to accept and what kinds of packets to deny.
Acceptance and denial can be based on certain specifications, such as source address, destination address, protocol, and port.
ACLs check the packet and header
How ACLs control traffic flow
(Figure: inbound and outbound lists per protocol, shown for IP, IPX and AppleTalk.)
One list, per port, per direction, per protocol.
The primary reasons to create ACLs
Filtering packets internally
Protecting the internal network from illegal Internet access
Restricting access to virtual terminal ports
How ACLs work: order of ACL statements
ACL and routing process in a router
(Flowchart.) Inbound: are there ACLs on the interface? If not, the packet is routed to the outbound interface. If so, the packet is tested against the statement list; on a match, the statement's permit or deny decides; with no match, the default deny applies.
Outbound: are there ACLs on the outbound interface? If not, the Layer 2 address is matched and the packet is sent to the device. If so, the same statement-list test decides whether the packet is sent or dropped by the default deny.
Creating ACLs: Step 1
Router(config)# access-list access-list-number {permit | deny} {test-conditions}
Defines an ACL.

ACL command         Description
access-list         defines an access list
access-list-number  protocol-dependent ACL number
permit              defines a statement to allow traffic
deny                defines a statement to disallow traffic
test-conditions     ACL test conditions

To remove an ACL, use no access-list access-list-number.
ACL numbers
Creating ACLs: Step 2
Router(config-if)# {protocol} access-group access-list-number {in | out}
Applies the access list to an interface.

ACL command         Description
protocol            the protocol specified for the interface
access-group        any packets that pass the ACL test conditions can be permitted to use any interface in the access group of interfaces
access-list-number  the ACL identified by this ACL number is associated with this interface
in | out            apply to inbound or outbound traffic
Creating ACLs: Step 2 (cont.)
Router(config-line)# {protocol} access-class access-list-number
Applies the access list to lines vty 0 4.

ACL command         Description
protocol            the protocol specified for the interface
access-class        any packets that pass the ACL test conditions can be permitted or denied use of any vty line
access-list-number  the ACL identified by this ACL number is associated with these lines
These basic rules should be followed (1)
One access list per protocol, per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
There is an implicit deny at the end of all access lists.
These basic rules should be followed (2)
Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
The match condition is examined first. The permit or deny is examined ONLY if the match is true.
Never work with an access list that is actively applied.
Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.
These basic rules should be followed (3)
New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
Outbound filters do not affect traffic originating from the local router.
The function of a wildcard mask
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
A wildcard mask bit of 0 means "check the corresponding bit value".
A wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value".
Wildcard mask bits
The function of a wildcard mask: Example
(Figure: no match, packet rejected.)
Wildcard any
Wildcard host
Verifying ACLs: show ip interface
Verifying ACLs: show access-lists
Verifying ACLs: show running-config
STANDARD ACLs
How does an inbound standard ACL work?
(Flowchart.) Is there a standard access list on this interface? Is this an IP packet? Does the source address match the ACL list entry? If not, and this is not the last entry in the ACL, move to the next statement. On a match, the permit or deny condition decides: permit routes the packet to the proper outbound interface; deny sends a "destination not found" message.
Standard ACL commands
Access list number: 1 to 99
Commands:
Router# show access-lists
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)# ip access-group access-list-number {in | out}
Standard ACL examples
Standard IP Access List Example 1
Permit my network only.
Standard IP Access List Example 2
Deny a specific host.
EXTENDED ACLs
Extended ACLs: Overview
Reserved port numbers
Extended ACL examples
Extended Access List Example 1
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.
Permit all other traffic.
Extended Access List Example 2
Deny only Telnet from subnet 172.16.4.0 out of E0. Permit all other traffic.
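As an added example (not part of the slides), the following Python models three things the slides describe: the wildcard-mask test (0 bit = check, 1 bit = ignore, with "any" and "host" as the two shorthands), the top-to-bottom first-match processing with the implicit deny at the end, and the specific-before-general ordering rule. It then replays Extended Access List Example 1 (deny FTP from 172.16.4.0 to 172.16.3.0, permit all else) against constructed packets. The sample host addresses and the use of TCP ports 21 and 20 for FTP are assumptions; interface and direction ("out of E0") are not modelled.

```python
import ipaddress  # standard library only

ANY = ("0.0.0.0", "255.255.255.255")   # "any": the wildcard ignores every bit

def host(ip):
    return (ip, "0.0.0.0")             # "host": the wildcard checks every bit

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard test: a 0 bit in the mask means 'check this bit', a 1 bit means 'ignore it'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)       # compare only the bits the mask does not ignore

def ace(action, proto="ip", src=ANY, dst=ANY, dport=None):
    """One access-list statement; src/dst are (address, wildcard) pairs; proto 'ip' matches all."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def packet(src, dst, proto="ip", dport=None):
    """A constructed packet summary holding only the header fields an ACL tests."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def evaluate(acl, pkt):
    """Statements are tested top to bottom; the first match decides; no match means deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        return e["action"]
    return "deny"  # the implicit deny at the end of every access list

# Extended Example 1: deny FTP (assumed tcp/21 control, tcp/20 data) 172.16.4.0/24 -> 172.16.3.0/24, permit the rest.
EXAMPLE1 = [
    ace("deny", "tcp", ("172.16.4.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.255"), 21),
    ace("deny", "tcp", ("172.16.4.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.255"), 20),
    ace("permit"),  # permit ip any any
]

# Ordering rule: the specific host deny must precede the general permit, or it is never reached.
# The host 172.16.4.13 is a constructed sample address.
CORRECT_ORDER = [ace("deny", src=host("172.16.4.13")), ace("permit", src=("172.16.4.0", "0.0.0.255"))]
SHADOWED_ORDER = [ace("permit", src=("172.16.4.0", "0.0.0.255")), ace("deny", src=host("172.16.4.13"))]
```

Running evaluate(SHADOWED_ORDER, ...) for the denied host returns "permit", which is exactly the misordering the "specific to general" rule warns about.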
NAMED ACLs
Named ACL commands
Router(config)# ip access-list {standard | extended} name
Router(config-{std- | ext-}nacl)# deny {source [source-wildcard] | any}
Router(config-{std- | ext-}nacl)# permit {source [source-wildcard] | any}
Router(config-if)# ip access-group name {in | out}
Router# show access-lists
Placing ACLs
Place extended access lists close to the source.
Place standard access lists close to the destination.
Restricting virtual terminal access
(Figure: virtual ports (vty 0-4) versus a physical port, FastEthernet0/0.)
Restricting virtual terminal access
The following should be considered when configuring access lists on vty lines:
When controlling access to an interface, a name or number can be used.
Only numbered access lists can be applied to virtual lines.
Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
Summary
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
The order in which ACL statements are placed is important.
Standard ACLs check the source address of IP packets that are routed.
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Q&A