210 likes | 314 Views
CN2668 Routers and Switches. Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+. Agenda. Chapter 10: Access Lists Exercise Quiz. Access Lists: Usage and Rules.
E N D
CN2668Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Agenda • Chapter 10: Access Lists • Exercise • Quiz
Access Lists: Usage and Rules • Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
Access List Usage • Examines a packet for the source header information • deny any statement • Implicitly blocks all packets that do not meet the requirements of the access list • It blocks even though it is not shown in the access list • Permit any statement • Allow everything beside what you state to deny in access list
Problems with Access Lists • Lack of planning • The need to enter the list sequentially into the router • You cannot move individual statements once they are entered • When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands • Access lists begin working the second they are applied to an interface • Use reload in [hh:mm] or reload at hh:mm [month day | day month] to reset the router if you messed up • If you did not save it to the startup configuration • Use reload cancel to reset the reload
Access List Rules • Example of the structure of a standard IP access list: RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0 RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0 RouterA(config)# access-list 1 permit any • Router applies each line in the order in which you type it into the access list • The no access-list [list #] command is used to remove an access list otherwise newline will be appended to the end of the list
Access List Rules (Continued) • Most specific rule should be first in the list • So that packets will not undergo unnecessary processing • You should avoid unnecessarily long access lists
Access List Rules (Continued) • Access lists must be applied to an interface as either inbound or outbound traffic filters • Ip access-group 1 [in | out] • Only one list, per protocol, per direction can be applied to an interface
Standard IP Access Lists • Filter network traffic based on the source IP address only • Filter traffic by a host IP, subnet, or a network address • It should be placed as close to the destination as possible • Configure standard IP access lists: • access-list [list #] [permit|deny] [source address] [source wildcard mask] • See Table 10-1 on Page 265
Standard IP Access List Examples • Based on Figure 10-9 and 10-9 on Page 268 • You will not be able to block anything since access list is applied outbound • You should apply access list as inbound on Serial0/1 interface instead if you want to block all traffic from the other subnet
Standard IP Access List Examples (Continued) • To view the access lists defined on your router, use the show access-lists command • For IP access lists, you could use the show ip access-lists command • See Figure 10-11 and 10-12 on Page 270 • If an access list needs to be removed • no ip access-group [list #] • See Figure 10-13 and 10-14 on Page 271
Extended IP Access Lists • Can filter by source IP address, destination IP address, protocol type, and application port number • This granularity allows you to design extended IP access lists that: • Permit or deny a single type of IP protocol • Filter by a particular port of a particular protocol
Extended IP Access Lists (Continued) • Create the list • Apply it to an interface • access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
Extended IP Access List Examples • Based on Figure 10-18 on Page 274 • Access-list 100-199 are for IP Extended access list • You can use host instead of wildcard mask as shown in Figure 10-20 on Page 276 • It should be placed as close to the source as possible
The “Established” Parameter • Permits traffic from any host on any network to any destination, as long as the traffic was in response to a request initiated inside the network • Example: access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established • The traffic will be allowed as long as it was sent from 15.0.0.0
Using Named Lists • Named access lists • In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists • To name a standard IP access list, use the following syntax: RouterC(config)#ip access-list standard [name] • To name an extended IP access list, use the following syntax: RouterC(config)#ip access-list extended [name]
Using Named Lists (Continued) • Advantages: • Allows you to maintain security by using an easily identifiable access list • With named access lists lines can be selectively deleted in the ACL • Removes the limit of 100 lists per filter type • Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed
Controlling VTY Line Access • Access lists are used for both traffic flow and security • You must first create a standard IP access list that permits the management workstation RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0 • Then, it must be applied to the VTY lines access-class [acl #] in | out
Controlling VTY Line Access (Continued) • To apply access list 12 to the VTY lines, use the following command: RouterA(config)#line vty 0 4 RouterA(config-line)#access-class 12 in • The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are: RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255 RouterA(config)#line vty 0 4 RouterA(config-line)#access-class 13 in
Assignment • Lab