in 60 days – icnd2
DESCRIPTION
In 60 Days – ICND2. Access Lists. Traffic Cops. Decides what can pass through router Set of YES/NO filters Have several uses…. Use ACLs. To filter traffic Reference NAT pools Debugging With route maps for routing. Types of ACL. Standard Extended Named. Standard IP ACL. - PowerPoint PPT PresentationTRANSCRIPT
In 60 Days – ICND2
Access Lists
Traffic Cops
• Decides what can pass through router• Set of YES/NO filters• Have several uses…
Use ACLs
• To filter traffic• Reference NAT pools• Debugging• With route maps for routing
Types of ACL
• Standard• Extended• Named
Standard IP ACL
• Numbered from 1 to 99• Can filter on source
host/network• Can’t filter ports or protocols
Extended IP ACLs
• Numbered from 100-199• Filters port/destination/source
etc.• More complicated to
configure
Named ACLs
• Names instead of numbers• Can be standard or extended• Slightly different commands
Need to Know...
• Port numbers• Command syntax• ACL rules
Common PortsPort Service Port Service
20 FTP Data 80 HTTP
21 FTP Control 110 POP3
22 SSH 119 NNTP
23 Telnet 123 NTP
25 SMTP 161/162 SNMP
53 DNS 443 HTTPS
69 TFTP
Command Syntax
• We will come to this!
ACL Rule #1
• One ACL per interface per direction
One incoming
One outgoing
One incoming
One outgoing
ACL Rule #2
• Processed top down• Incoming 172.16.1.1Permit 10.0.0.0
No match
Permit 192.168.1.1
No match
Permit 172.16.0.0
Match – Permit
Permit 172.16.1.0
Not processed
Deny 172.16.1.1
Not processed
ACL Rule #3
• Implicit ‘deny all’ at bottom• Incoming 172.20.1.1Permit 10.0.0.0
No match
Permit 192.168.1.1
No match
Permit 172.16.0.0
No match
Permit 172.16.1.0
No match
Deny all Match – DROP PACKET
ACL Rule #4
• Router can’t filter self generated traffic
Ping 172.16.1.1 172.16.1.1
ACL – Deny 172.16.1.1BLOCKED
172.16.1.1
ACL – Deny 172.16.1.1UNCHECKED
Ping 172.16.1.1
ACL Rule #5 – Can’t Edit Live
• Can’t edit live standard or extended lists• Can edit named1. Stop access list working
(from interface)2. Copy into notepad – edit -
reapply
ACL Rule #6
• Disable ACL on the interfaceR1(config)#no ip access-group 101 in
ACL Rule #7
• Can reuse the same ACL
S0/1ACL 101 IN
ACL 101 – Deny Web Traffic
S0/0ACL 101 IN
ACL Rule #8
• Keep ‘em short• Most specific rules at top
Permit 10.0.0.0
Permit 192.168.1.1
Permit 172.16.0.0
Deny 172.16.1.1
Should be at top
ACL Rule #9
• Place as close to traffic source as possible
S0/1ACL 101 IN
ACL 101 – Deny Web Traffic
Do not put it here
End