Power Point Chapter 11 CCNA2

advertisement
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
SEMESTER 2/ MODULE 11
Access Control List
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Overview
- Access Control Lists (ACLs)
- ACL Configuration Tasks
- Standard ACLs
- Extended ACLs
- Named ACLs
- Placing ACLs
- Verifying ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
What are ACLs?
-
ACLs are lists of instructions you apply to a router interface.
These lists tell the router what kinds of packets to accept and what kinds of packets to
deny.
Acceptance and denial can be based on certain specifications, such as source address,
destination address, and port number.
ACLs are used to manage traffic and scan specific packets by applying the ACL to a
router interface.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Reasons to create ACLs
-
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Testing Packets with ACLs
-
The order in which you place ACL
statements is important.
When the router is deciding whether
to forward or block a packet, the
Cisco Internetwork Operating
System (IOS) software tests the
packet against each condition
statement, in the order in which the
statements were created.
NOTE: After a match is found, no more
condition statements are checked.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
How ACLs Work?
- An ACL is a group of statements that
define how packets:
-
-
-
-
Enter inbound interfaces
Relay through the router
Exit outbound interfaces
ACL statements operate in
sequential, logical order.
If a condition match is true, the
packet is permitted or denied and the
rest of the ACL statements are not
checked.
If the packet does not match any of
the written ACL statements, then the
packet will match the final implicit
"deny any" statement.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Flowchart of ACLs Test Matching
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Creating ACLs
There are two basic steps for creating ACL:
First: Create an ACL definition
- Create ACLs by using the global configuration mode
- Specify an ACL number
- Must carefully select and logically order the ACL statements
- Select which IP protocols to check; any other protocols are not checked
Second: Apply the ACL to an interface
- Apply ACLs specified above to one or more interfaces
- They can filter inbound traffic or outbound traffic, depending on the
configuration.
- A router with an inbound ACL must check every packet to see whether it matches
the ACL condition before switching the packet to an outbound interface.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
ACL Numbers
-
When configuring ACLs on a router, you must identify each ACL uniquely by
assigning a number to the ACL for a protocol.
When you use a number to identify an ACL, the number must be within the
specific range of numbers that is valid for the protocol.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Wildcard Mask Bits
-
A wildcard mask is a 32-bit number that is divided into four octets, with each
octet containing 8 bits.
The 0s and 1s in a wildcard determine whether the corresponding bits in the IP
address should be checked or ignored for ACL purposes.
A wildcard mask bit 0 means 'check the corresponding bit value.
A wildcard mask bit 1 means 'do not check (ignore) that corresponding bit value.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Wildcard Mask Bits
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
The Any Command
-
-
EX, If you want to specify that any destination address will be permitted in an ACL test.
To indicate any IP address, you would enter 0.0.0.0. Then, to indicate that the ACL should
ignore (that is, allow without checking) any value, the corresponding wildcard mask bits
for this address would be all ones (that is, 255.255.255.255).
Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the
keyword.
INSTEAD OF THIS:
-
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
YOU CAN USE THIS:
-
Router(config)# access-list 1 permit any
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
The host Command
-
You can use the abbreviation host to test the specific IP host address in an ACL
condition.
EX, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front of
the address.
INSTEAD OF THIS:
-
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
YOU CAN USE THIS:
Router(config)# access-list 1 permit host 172.30.16.29
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
-
Standard ACLs will be used when want to block all traffic from a network, allow
all traffic from a specific network, or deny protocol suites.
Standard ACLs check the source address of packets that could be routed.
The result permits or denies output for an entire protocol suite, based on the
network, subnet, and host addresses.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
- The full syntax of the command is:
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ]
- Type no in front of the command when want to remove a standard ACL:
Router(config)# no access-list access-list-number
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
-
In order to apply ACL conditions to an interface, ip access-group command must
be used.
Remember that only one ACL per port per protocol per direction is allowed.
The format of the command is:
Router(config-if)# ip access-group access-list-number {in | out}
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Standard ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
-
Extended ACLs are used most often to test conditions because they provide a
greater range of control than standard ACLs.
Extended ACLs check for both source and destination packet addresses.
They can also check for specific protocols, port numbers, and other parameters.
This gives more flexibility to describe what checking the ACL will do.
Packets can be permitted or denied output based on where the packet originated
and based on its destination.
EX, the extended ACL can allow e-mail traffic from E0 to specific S0
destinations, while denying remote logins or file transfers.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
-
-
Extended ACL statements check for source address and destination address.
At the end of the extended ACL statement, you gain additional precision from a
field that specifies the optional TCP or User Datagram Protocol (UDP) protocol
port number.
These can be the well-known port numbers for TCP/IP.
Extended ACLs use a number in the range 100 to 199.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
- The complete form of the access-list command:
Router(config)# access-list access-list-number {permit| deny} protocol sourceaddress source-mask destination-address destination-mask [operator port]
- The ip access-group command applies an extended ACL to an interface. The
format of the command is:
Router(config-if)# ip access-group access-list-number { in| out}
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Extended ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
Consider the following before implementing named ACLs:
- Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
- You cannot use the same name for multiple ACLs. In addition, ACLs of different
types cannot have the same name. For example, it is illegal to specify a standard
ACL named George and an extended ACL with the same name.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
-
To name the ACL, use the following command:
Router(config)# ip access-list {standard | extended} name
-
In ACL configuration mode, specify one or more conditions permitted or denied.
This determines whether the packet is passed or dropped:
Router(config)# deny {source [source-wildcard] | any}
or
Router(config)# permit {source [source-wildcard] | any}
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
-
The full syntax for deny command is:
Router(config)# deny {source [source-wildcard] | any}
-
To remove a deny condition, using the following syntax:
Router(config)# no deny {source [source-wildcard] | any}
-
The full syntax of permit command is:
Router(config)# permit {source [source-wildcard] | any}
-
To remove a condition from an ACL, using the following syntax:
Router(config)# no permit {source [source-wildcard]| any}
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Configuring Named ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Restrict Virtual Terminal ACLs
The following should be considered when configuring access lists on vty
lines:
- When controlling access to an interface, a name or number can be used.
- Only numbered access lists can be applied to virtual lines.
- Set identical restrictions on all the virtual terminal lines, because a user can
attempt to connect to any of them.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Restrict Virtual Terminal ACLs
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Placing ACLs
-
The rule is to put the extended ACLs as close as possible to the source of the traffic
denied.
Standard ACLs do not specify destination addresses, so you have to put the standard
ACL as near the destination as possible.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Verify ACLs
-
The show ip interface command displays IP interface information and indicates
whether any ACLs are set.
-
The show access-lists command displays the contents of all ACLs.
NOTE: By entering the ACL name or number as an option for this command, you
can see a specific list.
CISCO NETWORKING ACADEMY PROGRAM
SEMESTER 2/ MODULE 11
ACLs
Verify ACLs
Download