1 / 38

CCNA 2 v3. 1 Module 11

CCNA 2 v3. 1 Module 11. CCNA 2 Module 11 Access Control Lists (ACLs). Overview. Denying unwanted access to the network ACL provides basic filtering capabilities based on source/destination IP addresses protocol types and port numbers

Download Presentation

CCNA 2 v3. 1 Module 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CCNA 2 v3.1 Module 11

  2. CCNA 2Module 11 Access Control Lists (ACLs)

  3. Overview • Denying unwanted access to the network • ACL provides basic filtering capabilities based on • source/destination IP addresses • protocol types and port numbers • ACL lists permit or deny statements that apply to addresses or upper-layer protocols.

  4. What are ACLs • Lists of acceptance/denial conditions • applied to traffic across a router's interface • Permit or deny traffic to and from the network • based on • Source IP address • Destination IP addresses • Port numbers • Protocols • can be created for all routed network protocols • Example IP, IPX, Appletalk

  5. What are ACLs • Primary reasons to create ACLs • Limit network traffic and increase network performance • Provide traffic flow control • E.g., Restrict the delivery of routing updates – conserve bandwidth • Provide a basic level of security for network access • Student Hosts can access Application package Network • Student Hosts cannot access Administration Network

  6. Decide which types of traffic are forwarded or blocked • Permit e-mail traffic to be routed • Block all telnet traffic • Allow an administrator to control whatareas a client can access on a network • Screen certain hosts to either permit or deny access • to part of a network • Certain types of files – ftp, http etc

  7. How ACLs work • IOS tests the packets by matching each condition statement in order from top of the list to the bottom • If a match is found, perform the accept or reject action defined in that statement • No further ACL statements are checked for that packet • The rest of the statements in the ACL is ignored • The order in which ACL statements are placed is important

  8. If all the ACL statements are unmatched, implicit "deny any" statement is applied by default • Deny any always EXISTS and is APPLIED • Any packets not matched in the ACL will be denied

  9. How ACLs work

  10. How ACL’s work • Router’s routing and filtering process overall • Check L2 destination address of the incoming frame • If matched, accept to test inbound ACL • Accept for routing if ACL permits or no ACL is found • Route to the outbound interface to test outbound ACL • Send to the network if ACL permits or no ACL is found • Discard the packet in any other case

  11. How ACLs work This is where the outgoing frame is examined This is where the incoming frame is examined

  12. Creating ACLs • Assign unique number or name for a control list • Numbers are categorized • Number should be in the range of the right category • Used to identify each ACL rule

  13. Creating ACLs • Define the access list statements • Router(config)#access-list access-list-no {permit|deny} {test-condition} • An access-list-nocan be a name (named ACL) • test-conditions are the targets to control • Assign them to the proper interface • Router(config-if)#{protocol} access-group access-list no {in|out} • In or out is defined looking at inside the router

  14. Example of applying ACL • router#configterminal • Router(config)#access list 2 deny 172.16.1.1 • Router(config)#access list 2 permit 172.16.1.0 0.0.0.255 • Router(config)#access list 2 permit any • Router(config)#interface e0 • Router(config-if)#ip access-group 2 in • Example of canceling an access list • Router(config)# no access-group 2

  15. Creating ACLs • Basic rules • One access list per protocol per direction • Standard access lists should be applied closest to the destination • Extended access control lists should be applied closest to the source • Use the inbound or outbound interface reference as if looking at the port from inside the router

  16. Statements are processed sequentially from the top of list to the bottom until a match is found • There is an implicit deny at the end of all access lists • This will not appear in the configuration listing • If no match is found then the packet is denied • Access list entries should filter in the order from specific to general • The match condition is examined first, then permit|deny

  17. Creating ACLs • Basic rules (continued) • It is not possible to selectively add and remove lines with numbered ACLs • Remove the whole list usingno access-list x command and re-define the ACL • New lines can be added @ named ACL • always added to the end of the access list • The router will discard the packet andsend ICMP host unreachable message to the sender

  18. Creating ACLs • Basic rules (continued) • Care should be used when removing an access list • In some version of IOS, default deny any may not be removed after the access list is removed at an interface • Then all traffic will be halted Outbound filters do not affect traffic originating from the local router • Outbound filters do not affect traffic originating from the local router

  19. The function of a wildcard mask • Designed to specify target individual or groups of IP addresses based on the given address • Given with the specified IP address or the network number • 32bits long with 0’s and 1’s • ‘1’ means • No match needed • Target address can have any bit value (wildcard; 0 or 1) at the position where the mask bits are 1 • ‘0’ means • Match needed • Target address can only have the same bit value as in the given address at the position where the mask bits are 0

  20. If you wanted a specific IP address to be checked • IP address • 227.254.3.5 • 11100011.11111110.00000011.00000101 • Wildcard if all bits must be checked • 0.0.0.0 • 00000000.00000000.00000000.00000000 • To deny host 227.254.3.5 • Router(config)#access-list 3 deny 227.254.3.5 0.0.0.0 • This can also be written as • Router(config)#access-list 3 deny host 227.254.3.5 • A wildcard of 0.0.0.0 checks an exact address

  21. If you wanted a specific network to be checked • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if all bits must be checked • 0.0.0.255 • 00000000.00000000.00000000.11111111 • None of the host bits will be checked • To permit all hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.0 0.0.0.255

  22. Any host on Any network • IP address to represent any network • 0.0.0.0 • Because it does not matter what each bit is • Wildcard to prevent all bits being examined • 255.255.255.255 • 11111111.11111111.11111111.11111111 • To permit any host on any network • Router(config)#access-list 3 permit 0.0.0.0 255.255.255.255 • Can also be written as • Router(config)#access-list 3 permit any • A wildcard mask of 255.255.255.255 means any

  23. Even addresses • Examples of even addresses • 00000000 0 00000010 2 • 00000100 4 00000110 6 • 11111100 252 11111110 254 • After examining the above figures • The last digit is always 0 • All the other digits can vary depending on the number • Therefore the only digit that must be checked is the first digit • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if even bits must be checked • 0.0.0.254 • 00000000.00000000.00000000.11111110 • To permit all even hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.0 0.0.0.254 [ ]

  24. Odd Address • Examples of odd addresses • 00000001 1 00000011 3 • 00000101 5 00000111 7 • 11111101 253 11111111 255 • After examining the above figures • The last digit is always 1 • All the other digits can vary depending on the number • Therefore the only digit that must be checked is the first digit • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if odd bits must be checked • 0.0.0.254 • 00000000.00000000.00000000.11111110 • To permit all odd hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.1 0.0.0.254

  25. Verifying ACLs • Show ip interface • displays IP interface information and indicates whether any ACLs are set • Show access-lists • displays the contents of all ACLs on the router • Show access-list 1 • Displays the content of ACL 1 on the router • Show running config • reveal the access lists on a router and the interface assignment information

  26. Standard ACLs • Checks source IP address • Host IP address, subnet, or network address • Affects entire protocol suit • TCP, HTTP, IP etc.. • Valid numbers • Standard IP ACL 1-99 (1300 to 1999 in recent IOS) • Always applied to port closest to destination • Adding an ACL • router(config)#access-list access-list-number {permit|deny} source {source-wildcard} [log] • Log sends information about matched packet to console • Removing an ACL • Router(config)#no access-list access-list-number

  27. Extended ACLs • Provides a greater range of control and flexibility • Checks the source and destination packet addresses • Checks protocol types and port numbers • Valid numbers • Extended IP ALC 100-199 2000~2699 in recent IOS • Always applied to port closest to source • Adding an Extended ACL • Router(config)#access-list access-list-number {permit|deny} protocol source [source-mask destination destination-mask operator operand] [ established] • Protocols - IP, TCP, UDP, ICMP, IGRP, GRE • Operator is lt (<), gt (>), eq (=), or neq (≠) • Operand is a port number or application layer protocol

  28. Extended ACLs • Well-known ports for TCP/IP applications • Linking an existing extended ACL to an interface • Router(config)#interface fa0/0 • Router(config-if)#ip access-group access-list-number {in|out} • Only one ACL per interface, per direction, per protocol

  29. Examples of Extended ACL’s

  30. Named ACLs • Introduced in IOS 11.2 • Give standard and extend ACLs names instead of numbers • Procedure for defining a named ACL • Define a named ACL • Router(config)#ip access-list {extended|standard} name • router(config)#ip access-list extended test • Add each permit/deny statement • router(config-ext-nacl)#access-list permit….. • Apply the named access list to the interface • Router(config)#interface serial0/0 • Router(config-if)#ip access-group test out

  31. Named ACLs • Advantages • Intuitively identify an ACL using an alphanumeric name. • Eliminate the limit of 798 simple and 799 extended ACLs • Can modify ACLs without deleting and then reconfiguring them • allow the deletion of statements • only allow for statements to be inserted at the end of a list • it is a good idea to use a text editor to create them

  32. Example Named ACL • Router(config)# ip access-list standard George • Router(config)# deny host 172.16.70.35 • Router(config)# access-list permit any • Router(config)# interface fa0/0 • Router(config)# ip access-group George out

  33. Placing ACLs • General rules in placing ACLs • Place ACLs where it can maximize increasing efficiency • Put the extended ACLs as close as possible to the source of the traffic denied • Unnecessary traffic will be minimized • Standard ACLs should be placed as close to the destination as possible • ACL does not know the destination

  34. Firewall External router Internal router Firewalls • Definition • An architectural structure between the user and the outside world to protect the internal network from intruders • General features • Consists of several equipments working together • Prevents unwanted and illegal access

  35. Firewalls • Operation of the firewall • The external router directs all traffic to the application gateway • The internal router accepts packets only from the application gateway • The gateway controls the delivery of network-based services both into and from the internal network • Processes every packet to block or pass according to the filtering rule

  36. Firewalls • Use of ACLs in the firewall routers • Control traffic entering or exiting a specific part of the internal network • Provides basic security from the outside network into a more private area of the network • Ex) If the only application that is permitted is mail, then configure ACL so that only mail packets can be allowed through the router. • This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

  37. Restricting virtual terminal access • Properties of virtual line • Access to vty is accomplished using the Telnet to a nonphysical interface • Standard and extended ACLs are not designed to block packets originating from the router • Telnet into/from a router can be blocked by • Either defining inbound/outbound extended ACL for TCP 23 port on each of the physical network interfaces (complicated) • Or defining the vty ACL on the virtual lines (simple)

  38. Restricting virtual terminal access • Blocking packets to vty using vty ACL • There is only one type of vty access list • Only numbered ACL can be applied to virtual lines • Identical restrictions should be placed on all vty lines • A user can attempt to connect to any of them • Defining an ACL • Router(config)#access-list 2 permit 172.16.1.0 0.0.0.0 • Router(config)#access-list 2 deny any • Apply ACL to vty line • Router(config)#line vty 0 4 • Router(config-line)#password cisco • Router(config-line)#login • Router(config-line)#access-class 2 in

More Related