in 60 days – icnd2 access lists traffic cops decides what can pass through router set of yes/no...
DESCRIPTION
Traffic Cops Decides what can pass through router Set of YES/NO filters Have several uses…TRANSCRIPT
In 60 Days – ICND2Access Lists
Traffic Cops• Decides what can pass through
router• Set of YES/NO filters• Have several uses…
Use ACLs• To filter traffic• Reference NAT pools• Debugging• With route maps for routing
Types of ACL• Standard• Extended• Named
Standard IP ACL• Numbered from 1 to 99• Can filter on source
host/network• Can’t filter ports or protocols
Extended IP ACLs• Numbered from 100-199• Filters port/destination/source
etc.• More complicated to
configure
Named ACLs• Names instead of numbers• Can be standard or extended• Slightly different commands
Need to Know...• Port numbers• Command syntax• ACL rules
Common PortsPort Service Port Service20 FTP Data 80 HTTP21 FTP Control 110 POP322 SSH 119 NNTP23 Telnet 123 NTP25 SMTP 161/162 SNMP53 DNS 443 HTTPS69 TFTP
Command Syntax• We will come to this!
ACL Rule #1• One ACL per interface per
directionOne incoming
One outgoing
One incoming
One outgoing
ACL Rule #2• Processed top down• Incoming 172.16.1.1Permit 10.0.0.0
No match
Permit 192.168.1.1
No match
Permit 172.16.0.0
Match – Permit
Permit 172.16.1.0
Not processed
Deny 172.16.1.1
Not processed
ACL Rule #3• Implicit ‘deny all’ at bottom• Incoming 172.20.1.1Permit 10.0.0.0
No match
Permit 192.168.1.1
No match
Permit 172.16.0.0
No match
Permit 172.16.1.0
No match
Deny all Match – DROP PACKET
ACL Rule #4• Router can’t filter self
generated trafficPing 172.16.1.1 172.16.1.1
ACL – Deny 172.16.1.1BLOCKED
172.16.1.1
ACL – Deny 172.16.1.1UNCHECKED
Ping 172.16.1.1
ACL Rule #5 – Can’t Edit Live
• Can’t edit live standard or extended lists• Can edit named1. Stop access list working
(from interface)2. Copy into notepad – edit -
reapply
ACL Rule #6• Disable ACL on the interfaceR1(config)#no ip access-group 101 in
ACL Rule #7• Can reuse the same ACL
S0/1ACL 101 IN
ACL 101 – Deny Web Traffic
S0/0ACL 101 IN
ACL Rule #8• Keep ‘em short• Most specific rules at top
Permit 10.0.0.0Permit 192.168.1.1Permit 172.16.0.0Deny 172.16.1.1
Should be at top
ACL Rule #9• Place as close to traffic
source as possibleS0/1
ACL 101 IN
ACL 101 – Deny Web Traffic
Do not put it here
End