Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Chabot College ELEC 99.08 Access Control Lists - Introduction CISCO NETWORKING ACADEMY

advertisement 
Chabot College
ELEC 99.08
Access Control Lists - Introduction
CISCO NETWORKING ACADEMY
ACL Topics
•
•
•
•
•
Function of ACLs
ACL Types & Syntax
Wildcard Bitmasks
Placement of ACLs
Commands
CISCO NETWORKING ACADEMY
Typical Functions
• Security
• Firewalling
CISCO NETWORKING ACADEMY
Types
• Standard
• Extended
CISCO NETWORKING ACADEMY
Standard ACLs
• Use rules based only the packet’s
source address
• 1-99
CISCO NETWORKING ACADEMY
Extended ACLs
• Provide more precise (finer tuned)
packet selection based on:
– Source and destination addresses
– Protocols
– Port numbers
• 100-199
CISCO NETWORKING ACADEMY
Steps to Configure ACLs
1) Create ACL (global config mode)
– The list may contain many rules, each on one line.
– The list is identified by a number or name.
2) Apply to an interface (interface config mode)
CISCO NETWORKING ACADEMY
How do ACLs work?
• Processing occurs line by line from top to
bottom of the list.
• Each line tests a packet for a “match”.
• If there is a match, a “permit” or “deny”
rule is applied.
• When a “match” occurs, no further rules
are checked.
• Invisible last line of an ACL is an implicit
“deny any.”
CISCO NETWORKING ACADEMY
How do ACLs work?
• ACL example:
oak#sh ru
oak#...
oak#access-list 10 deny 192.168.1.0 0.0.0.255
oak#access-list 10 permit any
oak#access-list 10 deny any (implicit)
oak#...
CISCO NETWORKING ACADEMY
How does a Standard ACL
work?
• Permits or denies if source IP address
is matched:
– Permit – packet is allowed
– Deny – packet is dropped
– Implicit Deny – If a packet’s address does
not match an earlier statement, an implicit
deny any occurs at the end of every ACL
and the packet is dropped.
CISCO NETWORKING ACADEMY
Wildcard Masks
• Are used to specify (by bits) the part of
the ip address to be matched.
• Looks like a subnet mask but it its not!
• Example:
172.16.0.0 0.0.255.255
The network address to be matched
CISCO NETWORKING ACADEMY
The wildcard bitmask
Wildcard Masks
• Specify the part of the ip address to be
matched.
• Use 0s to match,1s to ignore.
(Reverse of subnet masks!)
• In the example below, only the 1st
2 octets will be examined for a match:
172.16.0.0 0.0.255.255
Match this part of the address
CISCO NETWORKING ACADEMY
This is the wildcard bitmask
Wildcard Masks
172.16.0.0 0.0.255.255
address to match
wildcard bitmask
172
16
0
0
10101100
00010000
00000000
00000000
Wildcard 00000000
Mask
0
00000000
0
11111111
11111111
255
Address
Check for
a match
CISCO NETWORKING ACADEMY
255
Ignore
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.0 0.0.0.255
CISCO NETWORKING ACADEMY
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.0 0.0.0.255
• The first 3:
172.16.5.0 0.0.0.255
Match this part of the address
CISCO NETWORKING ACADEMY
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.2 0.0.0.0
CISCO NETWORKING ACADEMY
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.2 0.0.0.0
• All 4 octets:
172.16.5.2 0.0.0.0
Match the entire address
(permit or deny this specific host)
CISCO NETWORKING ACADEMY
Wildcard Masks
• In Cisco 2, we will work only with
wildcard bitmasks that are 0 or 255 for
an entire octet.
• In Cisco 3, you’ll work with masks
where the change from 0 to 1 does not
fall on an octet boundary:
– e.g. 0.0.15.255
CISCO NETWORKING ACADEMY
Keyword: “any”
• Identical statements
– access-list 22 permit 0.0.0.0 255.255.255.255
– access-list 22 permit any
CISCO NETWORKING ACADEMY
Keyword: “host”
• Identical statements
– Access-list 23 permit 172.16.1.1 0.0.0.0
– Access-list 23 permit host 172.16.1.1
CISCO NETWORKING ACADEMY
Standard IP ACL command
access-list ACL-number {permit |deny}
source-ip-address wildcard-mask
• ACL number: 1-99
• Global Config mode
CISCO NETWORKING ACADEMY
Standard ACL Example
• To permit all packets from the network
number 172.16.0.0
access-list 20 permit 172.16.0.0 0.0.255.255
CISCO NETWORKING ACADEMY
Standard ACL Example
• To permit traffic from the host
172.16.1.1 only
access-list 20 permit 172.16.1.1 0.0.0.0
OR
access-list 20 permit host 172.16.1.1
CISCO NETWORKING ACADEMY
Standard ACL Example
• To permit traffic from any source address.
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any
CISCO NETWORKING ACADEMY
How does an Extended ACL
work?
• Permits or denies if all conditions match:
– Source Address
– Destination Address
– Protocol
– Port No. or Protocol Options
CISCO NETWORKING ACADEMY
Extended IP ACL command
access-list ACL-number {permit|deny}
protocol source-ip-address source-wildcardmask destination-ip-address destinationwildcard-mask eq port-number
• ACL number: 100-199
• Global Config mode
CISCO NETWORKING ACADEMY
Extended ACL Example
• To permit traffic from the network 192.168.1.0 to
the host 192.168.3.10 only on telnet:
access-list 101 permit tcp 192.168.1.0 0.0.0.255
192.168.3.10 0.0.0.0 eq telnet
• More about extended ACLs later...
CISCO NETWORKING ACADEMY
Major differences
• Standard ACL
– Use only source address
– Requires fewer CPU cycles.
– Place as close to destination as possible.
(because they can only check source address)
• Extended ACL
– Uses source, destination, protocol, port
– Requires more CPU cycles.
– Place as close to source as possible.
(This stops undesired traffic early.)
CISCO NETWORKING ACADEMY
Command to apply IP ACL
ip access-group ACL-number {in |out}
• Interface Config mode
• The group of rules in the list is applied to the
interface being configured.
• Use “in” and “out” as if looking at the interface
from inside the router.
CISCO NETWORKING ACADEMY
Do I place an ACL in?
• In
– Coming into the router.
– Requires less CPU processing because
every packet bypasses processing before
it is routed.
– Filtering decision is made prior to the
routing table.
CISCO NETWORKING ACADEMY
Do I place an ACL out?
• Out
– Going out of the router.
– Routing decision has been made and the
packet is switched to the proper outbound
interface before it is tested against the
access list.
– ACLs are outbound unless otherwise
specified.
CISCO NETWORKING ACADEMY
ACL Configuration Example
What will this list do?
oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255
oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip-access group 10 out
oak(config-if)#^z
S1
S0
fre
E0
S0
192.168.3.0
192.168.2.10
oak
E0
192.168.2.0
CISCO NETWORKING ACADEMY
S1
E0
192.168.1.0
192.168.1.10
hay
192.168.3.10
ACL Configuration Example
What’s the problem here?
oak(config)#access-list 10 permit any
oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip-access group 10 out
oak(config-if)#^z
S1
S0
fre
E0
S0
192.168.3.0
192.168.2.10
oak
E0
192.168.2.0
CISCO NETWORKING ACADEMY
S1
E0
192.168.1.0
192.168.1.10
hay
192.168.3.10
Commands to show ACLs
show access-lists
• Privileged exec mode
• Displays the ACLs on the router.
show ip interface
• Privileged exec mode
• Shows which ACLs are set on that interface.
CISCO NETWORKING ACADEMY
Related documents
Cuyamaca College Network, Security and System Administration
Cuyamaca College Network, Security and System Administration
Chabot College ELEC 99.05 Why Subnet? CISCO NETWORKING ACADEMY
Chabot College ELEC 99.05 Why Subnet? CISCO NETWORKING ACADEMY
Cisco Presentation Guide
Cisco Presentation Guide
COMPUTER NETWORKING (CISCO/LAN) ACADEMY
COMPUTER NETWORKING (CISCO/LAN) ACADEMY
WWW+Internet+networking - Edulink
WWW+Internet+networking - Edulink
CCENT 640-822 ICND1 Exam Topics Review
CCENT 640-822 ICND1 Exam Topics Review
Chabot College ELEC 99.08 Network Address Translation CISCO NETWORKING ACADEMY
Chabot College ELEC 99.08 Network Address Translation CISCO NETWORKING ACADEMY
Download
advertisement