Access Control Lists Lecture 1

advertisement
Access Control Lists Lecture 1
PJC CCNA Semester 2 Ver. 3.0
by
William Kelly
ACL Definition
An ACL is a sequential group of permit
and/or deny statements that control the
flow of particular protocols or protocol
suits in or out of an interface to a
specific host or group of hosts
ACL Concepts
 Applied to a router’s interface
 Traffic is forwarded or blocked
 Each protocol must have it’s own ACL
defined (You are only allowed 1 ACL
per protocol, per port, per direction)
Why Use ACL’s ?
 Controlling traffic can increase network
performance
 Distribution of routing updates can be
controlled
 Security can be added at the network
boundary
 Specific types of traffic can be permitted
or blocked
 An administrator controls what areas a
client can access
 Screen certain hosts to either allow or
deny access to part of a network
Calculate number of ACL’s
 2 ports, each port running IP, IPX
 2 ports, each port running IP, IPX,
Appletalk
(Remember you need an ACL for each
protocol in each direction on each port)
How ACL’s Work
 Packets enter the interface
 If the packets are routable then they are
routed toward the outbound interface
 If there is no access list then the
packets proceed out the outbound
interface
 If there is an ACL then the packets are
filtered using the sequential ACL
statements
ACL Basic Flowchart
Packets Enter
Match 1st Test
Yes
No
Match
2nd
Test
Yes
Permit
No
Match Last
Test
No (Implicit
Deny
Packets Discarded
Yes
Permit or Deny
Deny
How does a Router Process an ACL?
Does the Layer 2 address
match?
Is there an inbound ACL?
Is there an outbound ACL?
Creating Standard ACL’s
 ACL statements must be in the
correct order! (Use a flowchart to
plan your logic)
 ACL’s can’t be modified (only created
and deleted). Use a text editor to
write your ACL’s
Configuring ACL’s
 ACL’s are created in Global
Configuration Mode
 Standard ACL’s are 1-99 and
Extended ACL’s are 100 – 199
 Plan your ACL’s in a flowchart
considering the protocol or protocol
suite, host or group of hosts, and
interface and direction of filtering
Configuring ACL’s (cont.)
 Define ACL
 Router(config)# access-list
access-list-num
{permit | deny} {test conditions}
 Apply ACL to interface
 Router(config-if)# {protocol}
access-group access-list number
Points to remember creating ACL’s
 Outbound ACL’s are more efficient
 If you need to alter an ACL use
no access-list list-number
(Remember you can’t modify an
standard ACL so you must erase it
and create it again with your
changes. This is why you should
create ACL’s in a text file)
(See Basic Rules in Online Curriculum)
Wildcard Mask Bits
 Wildcard mask bits appear “similar”
to a reverse subnet mask but have
NO RELATIONSHIP TO SUBNET
MASKS!!
 0 means check a position
 1 means don’t check a position
Common Wildcard command and
Abbreviations
 Permit 0.0.0.0 255.255.255.255 is
the same as permit any
 Permit 181.16.1.1 0.0.0.0 is the
same as
permit host 181.16.1.1 (ONLY A
PARTICULAR HOST IS MATCHED!!)
Commands to verify ACL’s
 show ip interface – indicates
whether any ACL’s are set
 show access-lists – Displays the
contents of all the ACL’s
 show running-config – Also shows
access lists and the interface to which
they are assigned
Standard ACL’s
 Allow denying/permitting traffic from
a specific host/group of hosts and/or
protocol suite
 Use number 1 – 99
 Only 1 protocol per port per interface
is allowed
 Can only check source address so
they should be put as close to the
destination as possible
Extended ACL’s
 Allow denying/permitting traffic from
a specific host/group of hosts and/or
protocol suite/protocol and/or
port/group of ports
 Use number 100 – 199
 Only 1 protocol per port per interface
is allowed
 Can check source and destination
address so they should be put as close
to the source as possible
Named ACL’s
 Names for standard and extended
ACL’s can be alphanumeric strings
 Use deny/no deny or permit/no
permit to change conditions of a
named standard or extended ACL
 You can’t use the same alphanumeric
name twice!
Download