
2-ch11_ACLintro

Date post: 04-Apr-2018
Upload: florea-dan-mihai

Transcript
7/29/2019 2-ch11_ACLintro

CISCO NETWORKING ACADEMY

Slide 1/34: Access Control Lists - Introduction

Chabot College

ELEC 99.08

Slide 2/34: ACL Topics

    Function of ACLs

    ACL Types & Syntax

    Wildcard Bitmasks

    Placement of ACLs

    Commands

Slide 3/34: Typical Functions

    Security

    Firewalling

Slide 4/34: Types

    Standard

    Extended

Slide 5/34: Standard ACLs

Use rules based only on the packet's source address.

Numbered 1-99

Slide 6/34: Extended ACLs

Provide more precise (finer-tuned) packet selection based on:

Source and destination addresses

Protocols

Port numbers

Numbered 100-199

Slide 7/34: Steps to Configure ACLs

1) Create the ACL (global config mode). The list may contain many rules, each on one line. The list is identified by a number or a name.

2) Apply it to an interface (interface config mode).

Slide 8/34: How do ACLs work?

Processing occurs line by line, from the top to the bottom of the list.

Each line tests a packet for a match. If there is a match, that line's permit or deny rule is applied.

When a match occurs, no further rules are checked.

The invisible last line of every ACL is an implicit deny any.

Slide 9/34: How do ACLs work?

ACL example, as seen in the running configuration:

oak#sh ru
...
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 10 deny any   (implicit; not shown in the configuration)
...

Slide 10/34: How does a Standard ACL work?

Permits or denies the packet if its source IP address is matched:

Permit: the packet is allowed.

Deny: the packet is dropped.

Implicit deny: if a packet's address does not match an earlier statement, the implicit deny any at the end of every ACL matches it and the packet is dropped.

Slide 11/34: Wildcard Masks

Are used to specify (bit by bit) the part of the IP address to be matched.

Looks like a subnet mask, but it is not!

Example:

172.16.0.0 0.0.255.255

172.16.0.0 is the network address to be matched; 0.0.255.255 is the wildcard bitmask.

Slide 12/34: Wildcard Masks

Specify the part of the IP address to be matched.

Use 0s to match, 1s to ignore. (Reverse of subnet masks!)

In the example below, only the first 2 octets will be examined for a match:

172.16.0.0 0.0.255.255

Match this part of the address: 172.16. This is the wildcard bitmask: 0.0.255.255.

Slide 13/34: Wildcard Masks

Address to match    172       16        0         0
                    10101100  00010000  00000000  00000000

Wildcard mask       0         0         255       255
                    00000000  00000000  11111111  11111111
                    check for a match   ignore

172.16.0.0 0.0.255.255  (address to match, then the wildcard bitmask)

Slide 14/34: Wildcard Masks

In this example, which octets will be examined for a match?

172.16.5.0 0.0.0.255

Slide 15/34: Wildcard Masks

In this example, which octets will be examined for a match?

172.16.5.0 0.0.0.255

The first 3:

172.16.5.0 0.0.0.255

Match this part of the address: 172.16.5

Slide 16/34: Wildcard Masks

In this example, which octets will be examined for a match?

172.16.5.2 0.0.0.0

Slide 17/34: Wildcard Masks

In this example, which octets will be examined for a match?

172.16.5.2 0.0.0.0

All 4 octets:

172.16.5.2 0.0.0.0

Match the entire address (permit or deny this specific host).

Slide 18/34: Wildcard Masks

In Cisco 2, we will work only with wildcard bitmasks that are 0 or 255 for an entire octet.

In Cisco 3, you'll work with masks where the change from 0 to 1 does not fall on an octet boundary, e.g. 0.0.15.255.

Slide 19/34: Keyword: any

Identical statements:

access-list 22 permit 0.0.0.0 255.255.255.255

access-list 22 permit any

Slide 20/34: Keyword: host

Identical statements:

access-list 23 permit 172.16.1.1 0.0.0.0

access-list 23 permit host 172.16.1.1
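An added example, not part of the original slides, that implements the wildcard-mask rule from slides 11 to 20 in Python. parse_source accepts the three spellings of a standard-ACL source (any, host A.B.C.D, and A.B.C.D W.X.Y.Z), wildcard_match checks a source address against it bit by bit (so it also handles a mask such as 0.0.15.255 that does not end on an octet boundary), and checked_octets answers the "which octets are examined" question from slides 14 to 17. The function names are my own.

```python
import ipaddress


def parse_source(spec: str):
    """Return (address, wildcard) as 32-bit ints for a standard-ACL source:
    'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    parts = spec.split()
    if parts == ["any"]:                        # same as 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if len(parts) == 2 and parts[0] == "host":  # same as A.B.C.D 0.0.0.0
        return int(ipaddress.IPv4Address(parts[1])), 0
    if len(parts) == 2:
        return (int(ipaddress.IPv4Address(parts[0])),
                int(ipaddress.IPv4Address(parts[1])))
    raise ValueError(f"bad source spec: {spec!r}")


def wildcard_match(ip: str, spec: str) -> bool:
    """Wildcard bit 0 = this bit must match, bit 1 = ignore it (the reverse
    of a subnet mask). The address matches when every checked bit agrees."""
    addr, wild = parse_source(spec)
    checked = ~wild & 0xFFFFFFFF               # bits that must agree
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & checked) == 0


def checked_octets(spec: str):
    """Which octets (1-4) are examined in full, i.e. have a wildcard byte of 0."""
    _, wild = parse_source(spec)
    return [i + 1 for i in range(4) if ((wild >> (24 - 8 * i)) & 0xFF) == 0]


if __name__ == "__main__":
    # Constructed sample specs taken from the slides plus one non-octet mask
    for spec in ("172.16.0.0 0.0.255.255", "172.16.5.0 0.0.0.255",
                 "172.16.5.2 0.0.0.0", "172.16.0.0 0.0.15.255", "any"):
        print(f"{spec:26} octets checked: {checked_octets(spec)}")
    print(wildcard_match("172.16.15.9", "172.16.0.0 0.0.15.255"))   # True
    print(wildcard_match("172.16.16.9", "172.16.0.0 0.0.15.255"))   # False
```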

Slide 21/34: Standard IP ACL command

access-list ACL-number {permit | deny} source-ip-address wildcard-mask

ACL number: 1-99. Global Config mode.

Slide 22/34: Standard ACL Example

To permit all packets from the network number 172.16.0.0:

access-list 20 permit 172.16.0.0 0.0.255.255

Slide 23/34: Standard ACL Example

To permit traffic from the host 172.16.1.1 only:

access-list 20 permit 172.16.1.1 0.0.0.0

OR

access-list 20 permit host 172.16.1.1

Slide 24/34: Standard ACL Example

To permit traffic from any source address:

access-list 20 permit 0.0.0.0 255.255.255.255

OR

access-list 20 permit any

Slide 25/34: How does an Extended ACL work?

Permits or denies the packet only if all of the conditions match:

Source address

Destination address

Protocol

Port number or protocol options

Slide 26/34: Extended IP ACL command

access-list ACL-number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number

ACL number: 100-199. Global Config mode.

Slide 27/34: Extended ACL Example

To permit traffic from the network 192.168.1.0 to the host 192.168.3.10, and only for telnet:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.10 0.0.0.0 eq telnet

More about extended ACLs later...

Slide 28/34: Major differences

Standard ACL

Uses only the source address.

Requires fewer CPU cycles.

Place as close to the destination as possible (because it can only check the source address).

Extended ACL

Uses source, destination, protocol and port.

Requires more CPU cycles.

Place as close to the source as possible (this stops undesired traffic early).

Slide 29/34: Command to apply an IP ACL

ip access-group ACL-number {in | out}

Interface Config mode

The group of rules in the list is applied to the interface being configured.

Use in and out as if looking at the interface from inside the router.

Slide 30/34: Do I place an ACL in?

In

Coming into the router.

Requires less CPU processing because the packet is filtered before it is routed: a denied packet is dropped without a routing lookup.

The filtering decision is made before the routing table lookup.

Slide 31/34: Do I place an ACL out?

Out

Going out of the router.

The routing decision has already been made and the packet is switched to the proper outbound interface before it is tested against the access list.

ACLs are applied outbound unless otherwise specified.

Slide 32/34: ACL Configuration Example

oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255
oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^Z

Figure (topology): routers fre, hay and oak are linked over their S0/S1 serial interfaces; each router has an E0 LAN interface. The LANs are 192.168.1.0 (host 192.168.1.10), 192.168.2.0 (host 192.168.2.10) and 192.168.3.0 (host 192.168.3.10, on oak's E0).

What will this list do?

Slide 33/34: ACL Configuration Example

oak(config)#access-list 10 permit any
oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^Z

Figure (topology): the same network as on slide 32: routers fre, hay and oak linked over S0/S1 serial interfaces, LANs 192.168.1.0 (host 192.168.1.10), 192.168.2.0 (host 192.168.2.10) and 192.168.3.0 (host 192.168.3.10, on oak's E0).

What's the problem here?
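An added example, not from the slides, that simulates the top-down, first-match processing with the implicit deny any described on slides 8 to 10 and runs it over the two access-list 10 configurations from slides 32 and 33, applied outbound on oak's E0. evaluate reports which entry decided a packet (index -1 is the implicit deny), and shadowed_rules flags an entry that an earlier entry already covers for every address, which is what goes wrong on slide 33. The function names and the per-packet check are my own; the two ACLs are copied from the slides.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(config_lines):
    """Parse 'access-list N {permit|deny} <source>' lines into (action, addr, wildcard)."""
    rules = []
    for line in config_lines:
        _kw, _num, action, *src = line.split()
        if src == ["any"]:
            addr, wild = 0, 0xFFFFFFFF          # 0.0.0.0 255.255.255.255
        elif src[0] == "host":
            addr, wild = _to_int(src[1]), 0     # host X is X 0.0.0.0
        else:
            addr, wild = _to_int(src[0]), _to_int(src[1])
        rules.append((action, addr, wild))
    return rules


def evaluate(rules, src_ip: str):
    """Top to bottom, first match wins; no match means the implicit 'deny any'.
    Returns (action, rule_index); index -1 marks the implicit deny."""
    ip = _to_int(src_ip)
    for i, (action, addr, wild) in enumerate(rules):
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, i
    return "deny", -1


def shadowed_rules(rules):
    """Indices of entries that can never match because an earlier entry
    already covers every source address they cover (their action is dead)."""
    dead = []
    for i, (_, addr, wild) in enumerate(rules):
        for _, a2, w2 in rules[:i]:
            # the earlier entry ignores at least the bits this one ignores,
            # and agrees with it on every bit the earlier entry checks
            if (wild & ~w2 & 0xFFFFFFFF) == 0 and ((addr ^ a2) & ~w2 & 0xFFFFFFFF) == 0:
                dead.append(i)
                break
    return dead


# Copied from the slide 32 and slide 33 configurations ('ip access-group 10 out' on oak's E0).
ACL_SLIDE_32 = ["access-list 10 permit 192.168.1.0 0.0.0.255",
                "access-list 10 permit 192.168.2.10 0.0.0.0"]
ACL_SLIDE_33 = ["access-list 10 permit any",
                "access-list 10 deny 192.168.2.10 0.0.0.0"]

if __name__ == "__main__":
    for name, cfg in (("slide 32", ACL_SLIDE_32), ("slide 33", ACL_SLIDE_33)):
        rules = parse_acl(cfg)
        for host in ("192.168.1.10", "192.168.2.10", "192.168.2.11"):  # constructed sample sources
            print(name, host, evaluate(rules, host))
        print(name, "shadowed entries:", shadowed_rules(rules))
```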

Slide 34/34: Commands to show ACLs

show access-lists

Privileged exec mode. Displays the ACLs configured on the router.

show ip interface

Privileged exec mode. Shows which ACLs are applied on each interface.

