1 / 30

Access Control Lists (ACLs)

Access Control Lists (ACLs). Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand. Overview. ACL fundamentals ACL operations Types of ACLs (Standard / Extended) Implementing ACLs. Access Control Lists (ACLs).

mnickerson
Download Presentation

Access Control Lists (ACLs)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand

  2. Overview • ACL fundamentals • ACL operations • Types of ACLs (Standard / Extended) • Implementing ACLs

  3. Access Control Lists (ACLs) • List of conditions to test the traffic • Router can permit or deny( like a filter) • Provides security • Bandwidth Management • Come in two Types • STANDARD and EXTENDED

  4. ACL Overview

  5. ACL Operations • Packets are compared to each statement in a list sequentially from the top down. • The sooner a decision is made the better. • Well written ACLs take care of the most abundant type of traffic first. • All Access-lists End with an Implicit Deny Allstatement

  6. ACL Operations

  7. Implementing ACLs • Step 1 - Create the Access-list • Step 2 - Apply the Access-list to an Interface • Must be in interface config mode (config-if)# • ip access-group#in/out(routers point of view)

  8. Types of Cisco ACLs

  9. Standard ACLs • Given a # from 1-99 • Filtering based only on Source Address • Should be applied closest to the destination

  10. Extended ACLs • Given a # from 100-199 • Much more flexible and complex • Can filter based on: • Source address • Destination address • Session Layer Protocol (ICMP, TCP, UDP..) • Port Number (80 http, 23 telnet…) • Should be applied closest to the source

  11. Placing ACLs Standard : Closed to destination Extended: Closed to source

  12. Standard ACL format access-list #permit/denysourceIPwildcard

  13. Wildcard Mask • Allows you to indicate a host, subnet, network or range of IP addresses • The two binary values in the wildcard have different meanings: • 0 = Must Match Exactly • 1 = Ignore

  14. Wildcard Mask Example

  15. Wildcard Mask Example NetworkWildcard 172.16.10.0 0.0.0.255 • Result: Match the first three octets exactly but ignore the last octet. • 172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.

  16. host and any Keywords • Ex....permit 192.168.10.10 0.0.0.0 • matches all bits • shortcut  host 192.168.10.10 • Ex....deny 0.0.0.0 255.255.255.255 • ignores all bits • shortcut  any

  17. Implementing ACLs • Remember the Implicit Deny All at the end of each access-list. • Two Approaches: • 1. List the traffic you know you want to permit Deny all other traffic • 2. List the traffic you want to deny Permit all other traffic (permit any)

  18. Standard ACL

  19. Standard ACL example (I) R1(config)# access-list 5 deny172.22.5.20.0.0.0 R1(config)# access-list 5 deny172.22.5.30.0.0.0 R1(config)# access-list 5 permit any So what does this access list do? • Deny any host 172.22.5.2 • Deny any host 172.22.5.3 • All other traffic can go

  20. Standard ACL example (II) A(config)#access-list 5 deny172.22.5.20.0.0.0 A(config)#access-list 5 deny172.22.5.30.0.0.0 A(config)#access-list 5 permit any A(config)#access-list 5 deny172.22.5.40.0.0.0 Why does the last line have no affect? How could you correct this situation?

  21. s0/1 fa0/0 Applying ACLs R1(config)# int fa 0/0 R1(config-if)# ip access-group 2 out R1(config)# int s 0/1 R1(config-if)# ip access-group 6 in

  22. Extended ACL

  23. Restricted ACL access

  24. Verifying ACLs • show ip interface • show access-lists • Show running-config

  25. Implementing ACLs Tips • You cannot selectively add or remove statements from an Access-list • Typically modifications are made in a text editor and then pasted to the router as a new access-list • Document your Access-list • After each line indicate exactly what that line is supposed to do.

  26. Implementing ACLs Tips • Verifying Your Access-list • show access-lists • show ip interfaces • Revisit your access-list after a few days • Routers keep track of the number of packets that match each statement in an access-list • Use this information to reorder your access-list and thus improve it efficiency • Never remove an access-list that is applied to a port – this can crash the router!

  27. Summary • Are Created and then Applied to an interface • Are Implemented Sequentially- Top Down • End with an implicit Deny ALL statement • #1-99 Standard and # 100-199 Extended • Standard - source address only • Extended - source, destination, protocol, port

  28. Lab Assignment #1 192.168.11.20 B A C 192.168.10.10 192.168.12.30 A and B can connect to each other. B and C can connect to each other. A and C cannot communicate to each other.

  29. Lab Assignment #2 192.168.11.20 B A C 192.168.10.10 192.168.12.30 A can only access web service of B. B can only ping C. C does not accept any ping from A.

  30. References • C.Dodge slide in Cisco Website • Cisco curriculum materials

More Related