Access Control List (ACL)

W.lilakiatsakun
Transport Layer Review (1)

• TCP (Transmission Control Protocol)
  – HTTP (Web)
  – SMTP (Mail)

• UDP (User Datagram Protocol)
  – DNS (Domain Name Service)
  – SNMP (Simple Network Management Protocol)

Transport Layer Review (2)

Transport Layer Review (3)

TCP Port

Transport Layer Review (4)

UDP Port

Transport Layer Review (5)

TCP/UDP Common Port
Packet Filtering (1)

• Packet filtering controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

• A router acts as a packet filter when it forwards or denies packets according to filtering rules.

Packet Filtering (2)

Packet Filtering (3)

Packet Filtering (4)

• A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.

• These rules are defined using access control lists, or ACLs.

Packet Filtering (5)

• Only permit web access to users from network A.
• Deny web access to users from network B.
• Permit network B to have all other access.
ACL (Access Control List) (1)

• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.

• ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

ACL (Access Control List) (2)

ACL (Access Control List) (3)

ACL guideline (1)

• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

ACL guideline (2)

• Configure ACLs on border routers, the routers situated at the edges of your networks.
  – This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.

• Configure ACLs for each network protocol configured on the border router interfaces.
  – You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACL Operation (1)

• Inbound ACLs
  – Incoming packets are processed before they are routed to the outbound interface.
  – An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.

• Outbound ACLs
  – Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL Operation (2)

Inbound ACLs

ACL Operation (3)

Outbound ACLs

ACL Operation (4)

Type of Cisco ACL
Standard ACL (1)

The two main tasks involved in using ACLs are as follows:

Step 1. Create an access list by specifying an access list number or name and access conditions.

Step 2. Apply the ACL to interfaces or terminal lines.

Numbering and Naming ACL

Where to Place ACL (1)

• Locate extended ACLs as close as possible to the source of the traffic to be denied.
  – This way, undesirable traffic is filtered without crossing the network infrastructure.

• Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Where to Place ACL (2)

Standard ACL

Where to Place ACL (3)

Extended ACL
ACL Best Practice (1)

ACL Criteria (1)

Configuring Standard ACL (1)

Access control condition:
• Permit IP from network 192.168.10.0/24 except 192.168.10.1
• Permit IP from network 192.0.0.0/8 except 192.168.0.0/16

Resulting ACL 2 (each exception is listed before the broader permit, because statements are evaluated top down):
  – access-list 2 deny 192.168.10.1
  – access-list 2 permit 192.168.10.0 0.0.0.255
  – access-list 2 deny 192.168.0.0 0.0.255.255
  – access-list 2 permit 192.0.0.0 0.255.255.255

Configuring Standard ACL (2)

Configuring Standard ACL (3)

Configuring Standard ACL (4)

Removing ACL

Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

Configuring Standard ACL (5)

Documenting ACL
ACL Wildcard Masking (1)

• Wildcard masks use the following rules to match binary 1s and 0s:
  – Wildcard mask bit 0: match the corresponding bit value in the address
  – Wildcard mask bit 1: ignore the corresponding bit value in the address

ACL Wildcard Masking (2)

ACL Wildcard Masking (3)

ACL Wildcard Masking (4)

ACL Wildcard Masking (5)

ACL Wildcard Masking (6)

Apply Standard ACL (1)

Apply Standard ACL (2)

Apply Standard ACL (3)

Apply Standard ACL (4)

Apply Standard ACL (5)

Commenting ACL

Named ACL (1)

Named ACL (2)

Verifying ACL
Extended ACL (1)

Extended ACLs check not only the source address of a packet but also the destination address, the protocol, and the port numbers (or services). This gives a greater range of criteria on which to base the ACL.

Extended ACL (2)

Extended ACL (2)

Configuring Extended ACL (1)

• The network administrator needs to restrict Internet access to allow only website browsing.
  – ACL 103 applies to traffic leaving the 192.168.10.0 network.
  – ACL 104 applies to traffic coming into the network.
Configuring Extended ACL (2)

Configuring Extended ACL (3)

• ACL 103 accomplishes the first part of the requirement.
  – It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that the traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.

Configuring Extended ACL (4)

• ACL 104 accomplishes the second part by blocking all incoming traffic, except for established connections.
  – HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages.

Configuring Extended ACL (5)

• The established parameter allows responses to traffic that originates from the 192.168.10.0/24 network to return inbound on s0/0/0.
• A match occurs if the TCP datagram has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection.
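As an added example that is not part of the slides, the following Python model shows how a router evaluates the ACL 2 statements from Configuring Standard ACL (1) and the ACL 103/104 logic described above: wildcard-mask matching (mask bit 0 must match, bit 1 is ignored), top-down first-match evaluation, the implicit deny at the end of every list, and the established check on the ACK/RST bits. The Packet and Entry types and the exact ACL 103/104 statements are assumptions, since the slides give only the requirement.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # TCP ACK flag set
    rst: bool = False     # TCP RST flag set

class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    src: str                     # base address, or "any"
    src_wc: str = "0.0.0.0"      # wildcard: bit 0 = must match, bit 1 = ignore
    proto: str = "ip"            # a standard ACL entry matches any protocol
    dst: str = "any"
    dst_wc: str = "0.0.0.0"
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # match only if ACK or RST is set

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0   # every bit under a mask 0 must agree

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc) and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return not e.established or p.ack or p.rst

def evaluate(acl: List[Entry], p: Packet) -> str:
    for e in acl:                # top down, first matching statement wins
        if entry_matches(e, p):
            return e.action
    return "deny"                # implicit deny at the end of every ACL
# ACL 2 from the slides: the host exception must come before the network permit.
ACL_2 = [Entry("deny", "192.168.10.1"),
         Entry("permit", "192.168.10.0", "0.0.0.255"),
         Entry("deny", "192.168.0.0", "0.0.255.255"),
         Entry("permit", "192.0.0.0", "0.255.255.255")]
# ACL 103 / 104 as assumed from the slide text (not copied from a slide).
ACL_103 = [Entry("permit", "192.168.10.0", "0.0.0.255", proto="tcp", dport=80),
           Entry("permit", "192.168.10.0", "0.0.0.255", proto="tcp", dport=443)]
ACL_104 = [Entry("permit", "any", proto="tcp", dst="192.168.10.0",
                 dst_wc="0.0.0.255", established=True)]
```

Swapping the first two statements of ACL_2 lets 192.168.10.1 through, which is the "order of statement" problem from the troubleshooting slides; an inbound SYN without ACK or RST never matches ACL_104 and falls to the implicit deny.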

Apply Extended ACL (1)

Apply Extended ACL (2)

Apply Extended ACL (3)

Named Extended ACL

Complex ACL

Dynamic ACL (1)

• Also known as lock-and-key ACL.
  – Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated.
  – The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the existing extended ACL.
Dynamic ACL (2)

Dynamic ACL (3)

Reflexive ACL (1)

• Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet.

• This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.

Reflexive ACL (2)

Reflexive ACL (3)

Time Based ACL (1)

• Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.

• To implement time-based ACLs, you create a time range that defines specific times of the day and week.

Time Based ACL (2)

Time Based ACL (3)

Troubleshooting ACL (1)

Order of rule

Troubleshooting ACL (2)

TFTP uses UDP

Troubleshooting ACL (3)

Order of statement

Troubleshooting ACL (4)

No rule to block 192.168.10.1.0

Troubleshooting ACL (5)