Student Guide www.visioninfosystems.org Access List


Page 1: Student Guide  Access List

Student Guide

www.visioninfosystems.org

Access List

Page 2: INTRODUCTION TO SECURITY

Security is a required solution for a company to protect its network from various types of attacks and intruders.

There are various solutions for security, such as firewalls, security software, etc.

Cisco has implemented a simple and easy-to-use security feature called an access-list.

Page 3: INTRODUCTION TO ACCESS-LIST

An access-list is a list of conditions that controls the flow of traffic. Access-lists help with packet filtering, traffic control, security, etc. They are used to permit or deny packets moving through the router, and to permit or deny Telnet (VTY) access to or from a router.

Page 4: TYPES OF ACCESS-LIST

Standard Access List: only the source IP address is specified in the condition.

Extended Access List: conditions can contain source IP, destination IP, protocol field and port number.

Named Access List: functionally the same as standard and extended access lists, but identified by a name tag.

Page 5: ACCESS-LIST RULES

Packets are compared to each line of the access list in sequential order.

Packets are compared with lines of the access list only until a match is made.

Once a match is made and acted upon, no further comparisons take place.

An implicit "deny" is at the end of each access list: if no match has been made, the packet is discarded.

Page 6: HOW ACCESS-LIST IS APPLIED

Inbound Access Lists: packets are processed through the access list before being routed to the outbound interface.

Outbound Access Lists: packets are routed to the outbound interface and then processed through the access list.

Page 7: ACCESS-LIST GUIDELINE

One access list per interface, per protocol, per direction.

More specific tests at the top of the ACL.

New lines are placed at the bottom of the ACL.

Individual lines cannot be removed.

End ACLs with a permit any command.

Create ACLs and then apply them to an interface.

ACLs do not filter traffic originated from the router.

Put standard ACLs close to the destination.

Put extended ACLs close to the source.

Page 8: WILDCARDS

What are they? Wildcards are used with access lists to specify a host, a network, or part of a network.

Page 9: BLOCK SIZE

Block sizes: 64, 32, 16, 8, 4

Rules:

When specifying a range of addresses, choose the closest block size.

Each block size must start at 0 (a multiple of the block size).

A '0' in a wildcard means that octet must match exactly.

A '255' in a wildcard means that octet can be any value.

The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

Page 10: SPECIFYING RANGE OF SUBNET

(Remember: specify a range of values in a block size)

Requirement: block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8

Network number = 172.16.8.0
Wildcard = 0.0.7.255

**The wildcard is always one number less than the block size
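As an added example (not part of the student guide), the following Python helpers implement the wildcard arithmetic from the BLOCK SIZE and SPECIFYING RANGE OF SUBNET slides: converting a block size or a prefix length to a wildcard, checking whether an address falls inside a network/wildcard pair, and computing the address range an entry actually covers. It goes beyond the slide's single example by showing what happens when the network address is not aligned to the block, as with 172.16.144.0 0.0.31.255 on the Example 3 slides: the router ignores every bit covered by the wildcard, so that entry covers 172.16.128.0 through 172.16.159.255, not a range starting at 144. All addresses used are constructed sample values.

```python
import ipaddress

# Added example, not the guide's material: wildcard-mask helpers.
# Every address below is a constructed sample value.

LEGAL_BLOCK_SIZES = (1, 2, 4, 8, 16, 32, 64, 128, 256)  # powers of two within one octet
WILDCARD_ANY = "255.255.255.255"                        # "any" == 0.0.0.0 255.255.255.255


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_block(block_size: int) -> int:
    """Wildcard octet for a block: always one less than the block size."""
    if block_size not in LEGAL_BLOCK_SIZES:
        raise ValueError("block size must be a power of two up to 256")
    return block_size - 1


def closest_block_size(address_count: int) -> int:
    """Smallest legal block size that still covers the requested number of values."""
    for size in LEGAL_BLOCK_SIZES:
        if size >= address_count:
            return size
    raise ValueError("one octet cannot cover more than 256 values")


def block_is_aligned(start_octet: int, block_size: int) -> bool:
    """'Each block size must start at 0': the start must be a multiple of the block."""
    return start_octet % block_size == 0


def wildcard_from_prefix(prefix_len: int) -> str:
    """Convert a CIDR prefix length (/8, /24, ...) to the equivalent wildcard mask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return _to_dotted(~netmask)


def matches(address: str, network: str, wildcard: str) -> bool:
    """True when every bit NOT set in the wildcard is identical in address and network."""
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(network)) & care_bits == 0


def covered_range(network: str, wildcard: str):
    """First and last address an entry really matches.

    Bits under the wildcard are ignored, so a network address that is not
    aligned to the block is silently widened to the aligned block containing it.
    """
    wc = _to_int(wildcard)
    first = _to_int(network) & (~wc & 0xFFFFFFFF)
    last = first | wc
    return _to_dotted(first), _to_dotted(last)


if __name__ == "__main__":
    print("/8 as wildcard:", wildcard_from_prefix(8))
    print("172.16.8.0 0.0.7.255 covers", covered_range("172.16.8.0", "0.0.7.255"))
    print("172.16.144.0 0.0.31.255 covers", covered_range("172.16.144.0", "0.0.31.255"))
    print("block 8 aligned at 8:", block_is_aligned(8, 8),
          "| block 32 aligned at 144:", block_is_aligned(144, 32))
```

The `covered_range` check is the one to run before applying a list: if the first address it returns differs from the network you typed, the block is misaligned and the entry will match more addresses than intended.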

Page 11: STANDARD IP ACCESS-LIST

In a standard access-list only the source address is specified. Its number ranges from 1 to 99. It is generally applied to the interface nearest the destination.

Page 12: CREATING STANDARD ACCESS-LIST

Creating a standard IP access list:

Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

Permit or deny?

Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

Using the host keyword:

Router(config)#access-list 10 deny host 172.16.30.2

Page 13: EXAMPLE - 1

Condition: Sales network cannot access marketing network. Others can access marketing network.

Diagram: Sales network 10.0.0.0/8, Marketing network 20.0.0.0/8 (reached through interface ethernet2)

Router(config)#access-list 15 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 15 permit any

Router(config)#int ethernet2
Router(config-if)#ip access-group 15 out

Page 14: EXAMPLE - 2

Condition: Human resources department can only access the human resources server located on the Lab_B router. Others are not allowed.

Lab_b(config)#access-list 11 permit 192.168.10.160 0.0.0.31
Lab_b(config)#access-list 11 deny any

Lab_b(config)#int ethernet0
Lab_b(config-if)#ip access-group 11 out

Page 15: EXAMPLE - 3

Diagram: serial 0 faces the Internet; network 172.16.92.0 is reached through Ethernet 3.

Conditions:

Network 172.16.144.0 cannot access the internet; others can access the internet.

Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0.

Router(config)#access-list 10 deny 172.16.144.0 0.0.31.255
Router(config)#access-list 10 permit any

Router(config)#int serial 0
Router(config-if)#ip access-group 10 out

Router(config)#access-list 11 deny host 172.16.144.17
Router(config)#access-list 11 deny host 172.16.50.173
Router(config)#access-list 11 permit any

Router(config)#int Ethernet 3
Router(config-if)#ip access-group 11 out

Page 16: VTY (TELNET) CONTROL

Why? Without an ACL any user can Telnet into the router via VTY and gain access.

Controlling access:

Create a standard IP access list permitting only the host/hosts authorized to Telnet into the router.

Apply the ACL to the VTY lines with the access-class command.

Page 17: EXAMPLE

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

Page 18: EXTENDED IP ACCESS-LIST

Allows you to choose...

IP source address
IP destination address
Protocol
Port number

Starts with a number in the range 100-199.

Page 19: EXTENDED IP ACCESS-LIST STEPS

#1: Select the access list:
RouterA(config)#access-list 110

#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny

#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp

#4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any

#5: Choose the destination IP address:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

#6: Choose the type of service, port and logging:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

Page 20: CONTINUE…

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

Then apply the list under the interface, in one direction:

RouterA(config-if)#ip access-group 110 in

or

RouterA(config-if)#ip access-group 110 out

Page 21: EXAMPLE - 1

Condition: Sales network cannot access marketing network. Others can access marketing network.

Diagram: Sales network 10.0.0.0/8, Marketing network 20.0.0.0/8 (reached through interface ethernet2)

Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip any any

Router(config)#int ethernet2
Router(config-if)#ip access-group 101 out

Page 22: EXAMPLE - 2

Condition: Human resources department can only access the human resources server located on the Lab_B router. Others are not allowed.

Lab_b(config)#access-list 110 permit ip 192.168.10.160 0.0.0.31 192.168.10.192 0.0.0.31
Lab_b(config)#access-list 110 deny ip any any

Lab_b(config)#int ethernet0
Lab_b(config-if)#ip access-group 110 out

Page 23: EXAMPLE - 3

Diagram: serial 0 faces the Internet; network 172.16.92.0 is reached through Ethernet 3.

Conditions:

Network 172.16.144.0 cannot access the FTP service on the internet; others can access it.

Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0.

Router(config)#access-list 110 deny tcp 172.16.144.0 0.0.31.255 any eq 21
Router(config)#access-list 110 permit tcp any any

Router(config)#int serial 0
Router(config-if)#ip access-group 110 out

Router(config)#access-list 111 deny ip host 172.16.144.17 172.16.92.0 0.0.7.255
Router(config)#access-list 111 deny ip host 172.16.50.173 172.16.92.0 0.0.7.255
Router(config)#access-list 111 permit ip any any

Router(config)#int Ethernet 3
Router(config-if)#ip access-group 111 out
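The matching rules on the ACCESS-LIST RULES slide (sequential comparison, first match wins, implicit deny) and the standard and extended examples above can be checked with a small simulator. The following Python code is an added example, not the guide's material or Cisco's: it parses numbered access-list lines in the syntax the slides use (any, host, network plus wildcard, protocol, eq port, log), evaluates constructed sample packets against them, and keeps a per-entry hit counter in the spirit of the match counters that show access-list displays. It also makes visible a caveat in the extended Example 3: because access-list 110 ends with permit tcp any any rather than permit ip any any, every non-TCP packet, such as a UDP DNS query, falls through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the student guide's material: a simulator of numbered
# IOS ACL matching (sequential comparison, first match wins, implicit deny).
# Addresses and packets used here are constructed sample values.

ANY = ("0.0.0.0", "255.255.255.255")  # "any" == network 0.0.0.0 wildcard 255.255.255.255


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; every other bit must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(network)) & care == 0


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every protocol; standard lists use it
    src: Tuple[str, str]           # (network, wildcard)
    dst: Tuple[str, str]           # standard lists test no destination, so ANY
    dport: Optional[int] = None    # destination port from "eq N", if present
    log: bool = False
    hits: int = 0                  # counter, like "(N matches)" in show access-list


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (spec, remaining)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line, standard (1-99) or extended (100-199)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an access-list permit/deny line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:
        # Standard list: source only. A bare address with no wildcard means one host.
        if len(rest) == 1 and rest[0] != "any":
            return Entry(action, "ip", (rest[0], "0.0.0.0"), ANY)
        return Entry(action, "ip", _parse_addr(rest)[0], ANY)
    if 100 <= number <= 199:
        protocol, rest = rest[0], rest[1:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport, rest = int(rest[1]), rest[2:]
        return Entry(action, protocol, src, dst, dport, log="log" in rest)
    raise ValueError("unsupported access-list number: %d" % number)


class AccessList:
    def __init__(self, lines):
        self.entries = [parse_entry(line) for line in lines]

    def evaluate(self, packet: Packet):
        """Return (action, entry_index); index is None when the implicit deny fired."""
        for index, e in enumerate(self.entries):
            if e.protocol != "ip" and e.protocol != packet.protocol:
                continue
            if not (wildcard_match(packet.src, *e.src) and wildcard_match(packet.dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != packet.dport:
                continue
            e.hits += 1
            return e.action, index
        return "deny", None  # no line matched: the implicit deny at the end of every list


# Extended Example 3 (access-list 110) from the guide, evaluated against sample packets.
ACL_110 = AccessList([
    "access-list 110 deny tcp 172.16.144.0 0.0.31.255 any eq 21",
    "access-list 110 permit tcp any any",
])

if __name__ == "__main__":
    for pkt in (Packet("tcp", "172.16.144.17", "203.0.113.10", 21),   # FTP from the blocked network
                Packet("tcp", "172.16.144.17", "203.0.113.10", 80),   # HTTP from the same host
                Packet("udp", "172.16.50.173", "203.0.113.53", 53)):  # DNS: no line matches
        print(pkt, "->", ACL_110.evaluate(pkt))
```

Feeding the standard lists from Examples 1 to 3 and the VTY list 50 through the same `AccessList` shows the same first-match behaviour, including the widening of 172.16.144.0 0.0.31.255 to the whole 172.16.128.0 to 172.16.159.255 block.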

Page 24: NAMED ACCESS-LIST

Another way to create standard and extended access lists. Allows the use of descriptive names to ease network management.

Syntax changes:

Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any

Page 25: MONITORING IP ACCESS-LIST

show access-list: displays all access lists and their parameters

show access-list 110: shows only the parameters for access list 110

show ip access-list: shows only the IP access lists configured

show ip interface: shows which interfaces have access lists set

show running-config: shows the access lists and which interfaces have access lists set