CETTM MTNL
Managing Traffic with Access Lists
MANAGING TRAFFIC WITH ACCESS LISTS
MODULE ID: ICCNACL002
What is an ACL?
An ACL is a sequential list of permit or deny statements that apply to addresses, upper-layer protocols or port numbers.
The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.
What is an ACL?
Some ACL decision points are:
- IP source address
- IP destination address
- UDP or TCP protocol
- upper-layer (TCP/UDP) port numbers
Application of ACL
- Packet filtering
- Controlling vty access to the router
- Defining interesting traffic for DDR (Dial-on-Demand Routing)
- Classifying and differentiating traffic for implementing QoS
- Controlling routing updates
Rules
Important rules that a packet follows when it is being compared with an access list:
- It is always compared with each line of the access list in sequential order (top-to-bottom).
- It is compared with lines of the access list only until a match is made, i.e. processing stops at the first match.
- There is an implicit deny at the end of each access list. This means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded, i.e. the default policy is to deny.
Types
There are two main types of access lists:
- Standard access lists
- Extended access lists
Either type can also be written as a named access list.
Types
Standard access lists:
- These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address.
- This means that standard access lists permit or deny an entire suite of protocols. They don't distinguish between the many types of IP traffic such as WWW, Telnet, UDP, etc.
- Naming is numeric: 1-99 and 1300-1999
Types
Extended access lists:
- Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet.
- They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header.
- This gives extended access lists the ability to make much more granular decisions when controlling traffic.
- Naming is numeric: 100-199 and 2000-2699
Types
Named access lists:
- They are either standard or extended and not actually a new type.
- They are created and referred to differently than numbered standard and extended access lists, but they are functionally the same.
- Naming is alphanumeric
Note
- To use an access list as a packet filter, apply it to an interface on the router where the traffic is to be filtered.
- Specify which direction of traffic (inbound or outbound) the access list should be applied to.
- Different access lists can be used for inbound and outbound traffic on a single interface.
Classification based on direction
Inbound access lists: When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed because they're discarded before the routing process is invoked.
Outbound access lists: When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.
Steps in ACL processing
1. Queuing of incoming packets at the incoming interface's input buffer.
2. Checking the packet against the inbound access list applied to the incoming interface.
3. Routing table lookup to find the next hop. If one is found, send the packet to the exit interface; otherwise drop the packet.
4. Checking the post-routed packet against the outbound access list applied to the exit interface.
5. Queuing of outgoing packets at the exit interface's output buffer.
Guideline 01
ACLs can be created for various network protocols: IP, IPX, or AppleTalk.
Note that there can only be one access list per interface, per direction, per protocol. This means that when creating IP access lists, you can only have one inbound access list and one outbound access list per interface.
Guideline 02
More specific tests (i.e. more restrictive ones) should be placed at the top of the ACL.
Guideline 03
Any time a new entry is added to the access list, it will be placed at the bottom of the list.
Using a text editor for access lists is highly suggested, i.e. copy the running-config to a TFTP server, make the changes there and copy it back.
Guideline 04
A numbered ACL cannot be edited on the router. You cannot remove one line from an access list; if you try to do this, you will remove the entire list.
To edit an ACL in the CLI:
1. Copy it to a text file.
2. Remove it from the router configuration with the no form of the ACL statement.
3. Make the necessary changes to the text file.
4. Paste it back in global configuration mode.
Guideline 05
Unless your access list ends with a permit any statement, all packets will be discarded if they do not meet any of the list's tests.
Every list should have at least one permit statement, or it will deny all traffic.
Guideline 06
Create access lists and then apply them to an interface. An access list that is applied to an interface but not yet present in the configuration will not filter traffic.
Guideline 07
Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router, e.g. routing updates, ping or telnet traffic originating from the router.
Guideline 08
- Standard ACLs should be placed close to the destination, as they filter only on the source IP address.
- Extended ACLs should be placed close to the source. Their detailed filtering lets unwanted packets be binned as early as possible.
Wildcard Masks
Wildcard masks are 32 bits long and paired with an IP address. Wildcard masks are used with ACLs to filter groups of IP addresses.
Wildcard bit 0 = Match, 1 = Don't care
access-list 10 permit 172.16.0.0 0.0.255.255
This statement will permit traffic with source IP 172.16.[anything].[anything]
Wildcard Masks
access-list 10 permit 172.16.16.0 0.0.15.255
If M = Match and D = Don't Care, WM = MMMMMMMMMMMMMMMMMMMMDDDDDDDDDDDD
This statement will permit traffic from the range 172.16.16.0 to 172.16.31.255.
Two keywords used in ACLs:
- any - means an IP address of 0.0.0.0 and WM 255.255.255.255
- host - matches an address exactly, or WM 0.0.0.0
Standard ACLs
Creating :
Applying :
Extended ACLs
Creating :
Applying :
Example 01
Block access from sales to finance
Example 02
Block Accounting access to HR Server
Example 03
Block ftp and telnet access from sales to finance
IP standard access list example 3
A router with four LAN connections and one WAN connection to the Internet. Write an access list that will stop access from each of the four LANs to the Internet. Each of the LANs shows a single host's IP address, and from that you need to determine the subnet and use wildcards to configure the access list.
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out
This exercise is to practice how to use block sizes with access lists.
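The Python script below is an added illustration, not part of the original slides: it implements the processing rules from the Rules slide (top-down, stop at first match, implicit deny) together with the wildcard-mask matching from the Wildcard Masks slides, and uses the example 3 access list above as constructed input. The function names parse_entry, matches, matched_range and evaluate are chosen for this example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed input: the standard ACL from example 3, in Cisco IOS syntax.
SAMPLE_ACL = """
access-list 1 deny 172.16.128.0 0.0.31.255
access-list 1 deny 172.16.48.0 0.0.15.255
access-list 1 deny 172.16.192.0 0.0.63.255
access-list 1 deny 172.16.88.0 0.0.7.255
access-list 1 permit any
"""

def parse_entry(line: str) -> Tuple[str, int, int]:
    """Parse 'access-list N permit|deny <source> [wildcard]' into
    (action, address as int, wildcard mask as int)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, src = parts[2], parts[3]
    if src == "any":                      # any = 0.0.0.0 with wildcard 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if src == "host":                     # host X = X with wildcard 0.0.0.0
        return action, int(ipaddress.IPv4Address(parts[4])), 0
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # bare address = exact match
    return action, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wildcard))

def matches(addr: str, network: int, wildcard: int) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care: compare only the 0 bits."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)

def matched_range(network: int, wildcard: int) -> Tuple[str, str]:
    """Lowest and highest address an entry can match (assumes a contiguous mask)."""
    low = network & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wildcard))

def evaluate(acl_text: str, src_addr: str) -> Tuple[str, Optional[int]]:
    """Apply the ACL to a source address: top-down, stop at the first match,
    implicit deny at the end. Returns (action, index of the matching line,
    or None when the implicit deny was reached)."""
    entries = [parse_entry(l) for l in acl_text.strip().splitlines() if l.strip()]
    for idx, (action, network, wildcard) in enumerate(entries):
        if matches(src_addr, network, wildcard):
            return action, idx
    return "deny", None

if __name__ == "__main__":
    for ip in ("172.16.130.5", "172.16.50.1", "172.16.90.1", "10.0.0.1"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```

Dropping the final permit any line and re-running shows every address falling through to the implicit deny (returned as index None).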
Named ACLs
Advantages:
- Intuitively identify ACLs using names (not just numbers)
- No limit on the number of named ACLs
- Modification of a named ACL without deleting and reconfiguring it
- Named ACLs allow individual statements to be deleted without losing the whole list
- However, it is still only possible to add statements to the end of a list
Restricting Virtual Terminal Access
Only numbered ACLs can be applied to virtual lines.
Verifying ACLs
To find the placement and direction of an ACL
Note: More than one interface can use the same access-list.