
CCNAv3.3 210

This document discusses access control lists (ACLs) and how to configure them on Cisco routers. It explains that ACLs allow administrators to filter network traffic by permitting or denying packets based on criteria like source/destination addresses, protocols, and port numbers. Standard ACLs filter based on source IP addresses, while extended ACLs provide more granular control by also considering destination addresses, protocols, and port numbers. The document provides examples of how to create, apply, and verify both standard and extended ACLs on router interfaces and virtual terminal lines to restrict network access.

Uploaded by

Tung Hoang
Copyright
© Attribution Non-Commercial (BY-NC)

CCNA Semester 2 Chapter 10 ACCESS CONTROL LIST (ACLS)

Objectives

Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access

Table of Content
1 Access Control List Fundamentals
2 Access Control Lists (ACLs)

ACCESS CONTROL LIST FUNDAMENTALS

What are ACLs


ACLs are lists of conditions that you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address, protocol, and port.

ACLs check the packet and header

How ACLs control traffic flow

(Figure: separate ACLs for IP, IPX and AppleTalk traffic on each interface and direction.)

One list, per port, per direction, per protocol

The primary reasons to create ACLs

Filtering packets internally
Protecting the internal network from illegal Internet access
Restricting access to virtual terminal ports

How ACLs work: order of ACL statements

ACL and Routing process in a router


(Flowchart: ACL and routing process. Inbound: Layer 2 address match? If there is no ACL on the interface, the packet is routed; otherwise the statement list is checked top to bottom. A permit routes the packet to the outbound interface; a deny, or no match at all (default deny), discards it. Outbound: the same ACL check is applied before the packet is sent to the device.)

Creating ACLs: Step 1


Router(config)# access-list access-list-number {permit | deny} {test-conditions}

Defines an ACL. To delete an ACL, use: no access-list access-list-number

ACL command and description:
access-list: defines an access list
access-list-number: protocol-dependent ACL number
permit: defines a statement to allow traffic
deny: defines a statement to disallow traffic
test-conditions: ACL test conditions

ACL numbers

Creating ACLs: Step 2


Router(config-if)# {protocol} access-group access-list-number {in | out}

Applies access list to interface

ACL command and description:
protocol: a protocol specified for the interface
access-group: any packets that pass the ACL test conditions can be permitted to use any interface in the access group of interfaces
access-list-number: the ACL identified by this ACL number to be associated to this interface
in/out: apply to inbound or outbound traffic

Creating ACLs: Step 2 (cont.)


Router(config-line)# {protocol} access-class access-list-number

Applies access list to the vty 0 4 lines

ACL command and description:
protocol: a protocol specified for the interface
access-class: any packets that pass the ACL test conditions can be permitted or denied on any vty line
access-list-number: the ACL identified by this ACL number to be associated to these lines

These basic rules should be followed (1)


One access list per protocol, per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
There is an implicit deny at the end of all access lists.

These basic rules should be followed (2)


Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
The match condition is examined first. The permit or deny is examined ONLY if the match is true.
Never work with an access list that is actively applied.
Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.

These basic rules should be followed (3)


New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
Outbound filters do not affect traffic originating from the local router.

The function of a wildcard mask

A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means "check the corresponding bit value". A wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value".

Wildcard mask bits

The function of a wildcard mask: Example

(Example figure: the source address is compared against the address and wildcard mask; no match, so the packet is rejected.)

The function of a wildcard mask: Example

Wildcard any

Wildcard host

Verifying ACLs: show ip interface

Verifying ACLs: show access-lists

Verifying ACLs: show running-config

STANDARD ACLs

Standard ACLs: Overview

How does the inbound standard ACL work?


(Flowchart: inbound standard ACL processing. Is this an IP packet? Is there a standard access list on this interface? If not, route the packet. Does the source address match the ACL list entry? If yes, apply the permit or deny condition: permit routes the packet to the proper outbound interface, deny discards it. If no, move to the next statement; if this was the last entry in the ACL, send a Destination Not Found message.)

Standard ACL commands


Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

Router(config-if)# ip access-group access-list-number {in | out}

Access list number: 1 to 99
Commands: Router# show access-lists

Standard ACL examples

Standard IP Access List Example 1

Permit my network only.



Standard IP Access List Example 2

Deny a specific host.



Standard IP Access List Example 3

Deny a specific subnet.



EXTENDED ACLs

Extended ACLs: Overview

How does the extended ACL work?


(Flowchart: extended ACL processing. Is there an ACL on this interface? If not, route the packet. Does the source address match the ACL list entry? Does the destination address match? Do the protocol and port match? If all match, apply the permit or deny condition: permit routes the packet to the proper outbound interface, deny discards it. If any test fails, move to the next statement; if this was the last entry in the ACL, send a Destination Not Found message.)

Extended ACL commands


Router(config)# access-list access-list-number {permit | deny} protocol source source-mask [operator s.port] destination destination-mask [operator d.port] [established]

Router(config-if)# ip access-group access-list-number {in | out}

Access list number: 100 to 199
Commands: Router# show access-lists

Reserved port numbers

Extended ACL examples

Extended Access List Example 1

Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0. Permit all other traffic.

Extended Access List Example 2

Deny only Telnet from subnet 172.16.4.0 out of E0. Permit all other traffic.
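As an added example (not part of the slides), the following Python models the three rules this chapter states: the wildcard-mask bit rule, top-to-bottom first-match processing, and the implicit deny at the end of every list. The addresses, the Entry field names and the ACL_101/ACL_1 names are constructed for the example; ACL_101 mirrors Extended Example 1 above (FTP taken as TCP ports 20 and 21).

```python
# Added example, not from the slides: models how a router evaluates an IP ACL.
# Wildcard mask rule: mask bit 0 = compare that address bit, mask bit 1 = ignore it.
# Entries are tested top to bottom; the first match decides; no match = implicit deny.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)   # ~w keeps only the bits that must be checked


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: str                      # source address
    src_wc: str                   # source wildcard mask
    dst: str = "0.0.0.0"          # extended fields; the defaults mean "any"
    dst_wc: str = "255.255.255.255"
    protocol: str = "ip"          # "ip" matches every IP packet
    dport: Optional[int] = None   # None = any destination port (no "eq" operator)


def evaluate(acl: list, src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for e in acl:
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action           # first match wins; later entries are never read
    return "deny"                 # implicit deny at the end of every ACL


# Constructed extended ACL mirroring Extended Example 1:
# deny FTP (TCP/21 and TCP/20) from 172.16.4.0/24 to 172.16.3.0/24, permit all else.
ACL_101 = [
    Entry("deny", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", "tcp", 21),
    Entry("deny", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", "tcp", 20),
    Entry("permit", "0.0.0.0", "255.255.255.255"),   # same as "permit ip any any"
]
# Constructed standard ACL with no final permit: only 172.16.0.0/16 gets through.
ACL_1 = [Entry("permit", "172.16.0.0", "0.0.255.255")]
```

Removing the final permit entry from ACL_101 shows why the implicit deny matters: every packet that is not FTP between those two subnets would then be dropped as well.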

NAMED ACLs

Named ACLs: Overview


Intuitively identify an ACL using an alphanumeric name.
Eliminate the limit of 798 simple and 799 extended ACLs.
Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
Considerations:
IP named ACLs were introduced in Cisco IOS Software Release 11.2.
Only allow for statements to be inserted at the end of a list.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.

Name ACL commands


Router(config)# ip access-list {standard | extended} name

Router(config{std- | ext-}nacl)# deny {source [source-wildcard] | any}
Router(config{std- | ext-}nacl)# permit {source [source-wildcard] | any}

Router(config-if)# ip access-group name {in | out}

Router# show access-lists

Named ACL examples

Placing ACLs

Place extended access lists close to the source. Place standard access lists close to the destination.

Restricting virtual terminal access


(Figure: the router's physical port FastEthernet0/0 alongside its virtual ports, VTY 0 through 4.)

The following should be considered when configuring access lists on vty lines:
When controlling access to an interface, a name or number can be used.
Only numbered access lists can be applied to virtual lines.
Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

Summary
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
The order in which ACL statements are placed is important.
Standard ACLs check the source address of IP packets that are routed.
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.

Q&A
