Upload
vicky-kamboj
View
497
Download
3
Tags:
Embed Size (px)
Citation preview
Copyrights to 2021hackerCopyrights to 2021hacker1
2021hacker.blogspot.com
Copyrights to 2021hackerCopyrights to 2021hacker
Manage IP traffic as network access growsManage IP traffic as network access grows Filter packets as they pass through the routerFilter packets as they pass through the router
Why Use Access Lists?Why Use Access Lists?
Copyrights to 2021hackerCopyrights to 2021hacker3
What are ACLs?What are ACLs?
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACLs can be configured at the router to control access to a network or subnet.
Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.
Copyrights to 2021hackerCopyrights to 2021hacker4
Reasons to Create ACLsReasons to Create ACLs
The following are some of the primary reasons to create ACLs:
Limit network traffic and increase network performance. Provide traffic flow control. Provide a basic level of security for network access. Decide which types of traffic are forwarded or blocked at the router interfacesFor example: Permit e-mail traffic to be routed, but block all telnet traffic. If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.
Copyrights to 2021hackerCopyrights to 2021hacker5
ACL’sACL’s
Different access list for TelnetDifferent access list for Telnet Implicit deny at bottomImplicit deny at bottom All restricted statements should be on firstAll restricted statements should be on first There are two typesThere are two types
StandardStandard ExtendedExtended
Copyrights to 2021hackerCopyrights to 2021hacker6
IP PacketIP Packet
SRC IP AddressDEST IP AddressProtocol typeSRC PortDEST Port
Copyrights to 2021hackerCopyrights to 2021hacker7
StandardChecks source addressPermits or denies entire protocol suite
ExtendedChecks source and destination addressGenerally permits or denies specific protocols
Types of Access Lists
Copyrights to 2021hackerCopyrights to 2021hacker
How to Identify Access ListsHow to Identify Access Lists
Standard IP lists (1-99) test conditions of all IP packets from Standard IP lists (1-99) test conditions of all IP packets from source addresses.source addresses.
Extended IP lists (100-199) test conditions of source and Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination addresses, specific TCP/IP protocols, and destination ports.destination ports.
Standard IP lists (1300-1999) (expanded range).Standard IP lists (1300-1999) (expanded range). Extended IP lists (2000-2699) (expanded range).Extended IP lists (2000-2699) (expanded range).
Copyrights to 2021hackerCopyrights to 2021hacker9
Standard ACLsStandard ACLs
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ]
The no form of this command is used to remove a standard ACL. This is the syntax:Router(config)#no access-list access-list-number
Config# Access-list 1 deny 192.168.1.0 0.0.0.255Config# access-list 1 permit any
Copyrights to 2021hackerCopyrights to 2021hacker10
The ANY and HOST keywordThe ANY and HOST keyword
Access-list 1 permit 200.0.0.9 0.0.0.0Access-list 1 permit 200.0.0.9 0.0.0.0
OrOr
permit host 200.0.0.9permit host 200.0.0.9
Access-list 1 permit 0.0.0.0 255.255.255.255
Orpermit any
Copyrights to 2021hackerCopyrights to 2021hacker11
The ip access-group commandThe ip access-group command
{ in | out }
Copyrights to 2021hackerCopyrights to 2021hacker12
Extended ACLsExtended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.
Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols.
Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).
Copyrights to 2021hackerCopyrights to 2021hacker13
Extended ACL SyntaxExtended ACL Syntax
Copyrights to 2021hackerCopyrights to 2021hacker14
Deny FTPDeny FTP
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any
Copyrights to 2021hackerCopyrights to 2021hacker15
RulesRulesFor extended access list apply near For extended access list apply near
to the sourceto the sourceFor standard access list apply near to For standard access list apply near to
the destinationthe destination
Copyrights to 2021hackerCopyrights to 2021hacker16
Verify Access ListVerify Access List
Copyrights to 2021hackerCopyrights to 2021hacker17
Basic Rules for ACLsBasic Rules for ACLs
Standard IP access lists should be applied closest to the destination. Extended IP access lists should be applied closest to the source. Use the inbound or outbound interface reference as if looking at the port from inside the router. Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied. There is an implicit deny at the end of all access lists. This will not appear in the configuration listing. Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last. Never work with an access list that is actively applied. New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs. Outbound filters do not affect traffic originating from the local router.