1 / 50

Filtering Traffic Using Access Control Lists

Filtering Traffic Using Access Control Lists. Introducing Routing and Switching in the Enterprise – Chapter 8. Objectives. Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. Analyze the use of wildcard masks.

urian
Download Presentation

Filtering Traffic Using Access Control Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Filtering Traffic Using Access Control Lists Introducing Routing and Switching in the Enterprise– Chapter 8

  2. Objectives • Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. • Analyze the use of wildcard masks. • Configure and implement ACLs. • Create and apply ACLs to control specific types of traffic. • Log ACL activity and integrate ACL best practices.

  3. Describe Traffic Filtering • Analyze the contents of a packet • Allow or block the packet • Based on source IP, destination IP, MAC address, protocol, application type

  4. Packet Filtering Can be simple or complex, denying or permitting traffic based on: • Source IP address • Destination IP address • MAC addresses • Protocols • Application type

  5. Describe Traffic Filtering (8.1.1) Devices providing traffic filtering: • Firewalls built into integrated routers • Dedicated security appliances • Servers

  6. Describe Traffic Filtering (8.1.2) Uses for ACLs: • Specify internal hosts for NAT • Classify traffic for QoS • Restrict routing updates, limit debug outputs, control virtual terminal access

  7. Describe Traffic Filtering Possible issues with ACLs: • Increased load on router • Possible network disruption • Unintended consequences from incorrect placement

  8. Describe Traffic Filtering • Standard ACLs filter based on source IP address • Extended ACLs filter on source and destination, as well as protocol and port number • Named ACLs can be either standard or extended

  9. Describe Traffic Filtering • ACLs consist of statements • At least one statement must be a permit statement • Final statement is an implicit deny • ACL must be applied to an interface in order to work

  10. Activity 6.1.2.3

  11. Activity 6.1.2.3

  12. Describe Traffic Filtering • ACL is applied inbound or outbound • Direction is from the router’s perspective • Each interface can have one ACL per direction for each network protocol

  13. An administrator applies either an inbound or outbound ACL to a router interface. The inbound or outbound direction is always from the perspective of the router. Traffic coming in an interface is inbound and traffic going out an interface is outbound. Describe Traffic Filtering (8.1.4)

  14. Activity 8.1.4

  15. Analyze the Use of Wildcard Masks

  16. Analyze the Use of Wildcard Masks • Wildcard mask can block a range of addresses or a whole network with one statement • 0s indicate which part of an IP address must match the ACL • 1s indicate which part does not have to match specifically

  17. Analyze the Use of Wildcard Masks

  18. Analyze the Use of Wildcard Masks • Use the host parameter in place of a 0.0.0.0 wildcard • Use the any parameter in place of a 255.255.255.255 wildcard

  19. Activity 8.2.1.3

  20. Activity 8.2.1.3

  21. Configure and Implement Access Control Lists • Determine traffic filtering requirements • Decide which type of ACL to use • Determine the router and interface on which to apply the ACL • Determine in which direction to filter traffic

  22. Explanation – Screen 8.2.2.3

  23. Activity - 8.2.2.4

  24. Activity - 8.2.2.4

  25. Configure and Implement Access Control Lists: Numbered Standard ACL • Use access-list command to enter statements • Use the same number for all statements • Number ranges: 1-99, 1300-1999 • Apply as close to the destination as possible

  26. Configure and Implement Access Control Lists: Numbered Standard ACL

  27. Configure and Implement Access Control Lists: Numbered Extended ACL • Use access-list command to enter statements • Use the same number for all statements • Number ranges: 100-199, 2000-2699 • Specify a protocol to permit or deny • Place as close to the source as possible

  28. Configure and Implement Access Control Lists: Numbered Extended ACL

  29. Activity 8.3.1.4

  30. Activity 8.3.1.4

  31. Show ip interface

  32. Show access-lists

  33. Activity 8.3.3.3

  34. Activity 8.3.3.3

  35. Configure and Implement Access Control Lists: Named ACLs • Descriptive name replaces number range • Use ip access-list command to enter initial statement • Start succeeding statements with either permit or deny • Apply in the same way as standard or extended ACL

  36. Create and Apply ACLs to Control Specific Types of Traffic • Use a specified condition when filtering on port numbers: eq, lt, gt • Deny all appropriate ports for multi-port applications like FTP • Use the range operator to filter a group of ports

  37. Activity 8.3.4.3

  38. Activity 8.3.4.3

  39. Create and Apply ACLs to Control Specific Types of Traffic • Block harmful external traffic while allowing internal users free access • Ping: allow echo replies while denying echo requests from outside the network • Stateful Packet Inspection

  40. Configure and Implement Access Control Lists: VTY access • Create the ACL in line configuration mode • Use the access-class command to initiate the ACL • Use a numbered ACL • Apply identical restrictions to all VTY lines

  41. Create and Apply ACLs to Control Specific Types of Traffic • Account for NAT when creating and applying ACLs to a NAT interface • Filter public addresses on a NAT outside interface • Filter private addresses on a NAT inside interface

  42. Create and Apply ACLs to Control Specific Types of Traffic • Examine every ACL one line at a time to avoid unintended consequences

  43. Create and Apply ACLs to Control Specific Types of Traffic • Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

  44. Log ACL Activity and ACL Best Practices • Logging provides additional details on packets denied or permitted • Add the log option to the end of each ACL statement to be tracked

  45. Log ACL Activity and ACL Best Practices Syslog messages: • Status of router interfaces • ACL messages • Bandwidth, protocols in use, configuration events

  46. Log ACL Activity and ACL Best Practices • Always test basic connectivity before applying ACLs • Add deny ip any to the end of an ACL when logging • Use reload in 30 when testing ACLs on remote routers

  47. Summary • ACLs enable traffic management and secure access to and from a network and its resources • Apply an ACL to filter inbound or outbound traffic • ACLs can be standard, extended, or named • Using a wildcard mask provides flexibility • There is an implicit deny statement at the end of an ACL • Account for NAT when creating and applying ACLs • Logging provides additional details on filtered traffic

More Related