Add to collection(s) Add to saved
  1. No category

Pertemuan 25 Access Control Lists (ACLs) 1

advertisement 
Pertemuan 25
Access Control Lists (ACLs)
1
Discussion Topics
•
•
•
•
•
•
Standard ACLs
Extended ACLs
Named ACLs
Placing ACLs
Firewalls
Restricting virtual terminal access
2
Standard ACLs
Extended ACLs
Named ACLs
Placing ACLs
• Standard ACLs should be placed close to the
destination.
• Extended ACLs should be placed close to the source.
Firewalls
A firewall is an architectural structure that exists
between the user and the outside world to protect
the internal network from intruders.
Restricting Virtual Terminal
Access
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
• Task:
– Permit only the host 172.16.30.2 from exiting
the Sales network.
– Deny all other hosts on the Sales network from
leaving the 172.16.30.0/24 network.
9
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
Step 1 – ACL statements Implicit deny any, which is automatically added.
Test Condition
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit “deny any” -do not need to add this, discussed later
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
(Standard IP)
10
From Cisco Web Site
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
s0
.2 RouterC
.1 e0
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
Applying ACLs
• You can define ACLs without applying them.
• However, the ACLs will have no effect until they are applied to the router's
interface.
• It is a good practice to apply the Standard ACLs on the interface closest to the
destination of the traffic and Extended ACLs on the interface closest to the
source. (coming later)
Defining In, Out, Source, and Destination
• Out - Traffic that has already been routed by the router and is leaving the
interface
11
• In - Traffic that is arriving onRick
theGraziani
interface and which will be routed router.
graziani@cabrillo.edu
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
RouterB
s1
.1
.1 e0
e0
Sales
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
s0
.2 RouterC
.1 e0
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
Step 2 – Apply to an interface(s)
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit “deny any” -do not need to add this, discussed later
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Rick Graziani
graziani@cabrillo.edu
12
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
s0
.2 RouterC
.1 e0
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
Step 2 – Or the outgoing interfaces… Which is preferable and why?
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit “deny any” -do not need to add this, discussed later
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
Rick Graziani
graziani@cabrillo.edu
13
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
Because of the implicit deny any, this has an adverse affect of also denying
packets from Administration from reaching Engineering, and denying packets from
Engineering from reaching Administration.
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit “deny any” -do not need to add this, discussed later
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
14
Learn by example!
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
Preferred, this access list will work to all existing and new interfaces on RouterB.
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit “deny any” -do not need to add this, discussed later
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
15
Summary
Related documents
ACLS Cover Page - Florida Heart CPR
ACLS Cover Page - Florida Heart CPR
Router(config-router)#passive
Router(config-router)#passive
Chapter 11 - WordPress.com
Chapter 11 - WordPress.com
Chapter 12
Chapter 12
Chapter12 - Cal State L.a.
Chapter12 - Cal State L.a.
ACLS PREP COURSE - emc
ACLS PREP COURSE - emc
2016 ACLS Class Schedule - Clark Memorial Hospital
2016 ACLS Class Schedule - Clark Memorial Hospital
CCNA 1 Chapter 11 V4.0 Answers 2011
CCNA 1 Chapter 11 V4.0 Answers 2011
Click HERE for the brouchure
Click HERE for the brouchure
Download
advertisement