  1. Name access list
     Submitted To: Mr. Parvesh Mor
     Submitted by: Anil Sharma, Reg: 11107936
     • Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
     • Available for IP, IPX, AppleTalk, and many other protocols
     Introduction: An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations. One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they will allow only certain hosts to access web resources on the internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce any security policy they can invent.
     Some important points under access list:
     • Powerful tools that control access both to and from network segments
     • Can filter unwanted packets
     • Can be used to implement security
     Access List Usage:
     • You can create a standard access list that examines a packet for the packet’s source header information
     • deny any statement
       – Implicitly blocks all packets that do not meet the requirements of the access list
       – Exists even though it is not shown as part of the access list
     • With careful planning, you can create access lists that control which traffic crosses particular links and which segments of your network will have access to others
  2. Problems with Access Lists:
     • Lack of planning is one of the most common problems associated with access lists
     • The need to enter the list sequentially into the router also presents problems
       – You cannot move individual statements once they are entered
       – When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands
     • Access lists begin working the second they are applied to an interface
     Access List Rules:
     • Example of the structure of a standard IP access list:
       RouterA(config)#access-list 1 deny
       RouterA(config)#access-list 1 deny
       RouterA(config)#access-list 1 permit any
     • Router applies each line in the order in which you type it into the access list
     • The no access-list [list #] command is used to remove an access list
     • As a general rule, the lines with the most potential matches should be first in the list
       – So that packets will not undergo unnecessary processing
  3. • You should avoid unnecessarily long access lists
     • After you create access lists, you must apply them to interfaces so they can begin filtering traffic
     • You apply a list as either an outgoing or an incoming filter
       – Only one list, per protocol, per direction can be applied to an interface
       – Access lists are effective as soon as they are applied
     • In summary, all access lists follow these rules:
       – Routers apply lists sequentially in the order in which you type them into the router
       – Routers apply lists to packets sequentially, from the top down, one line at a time
       – Packets are processed only until a match is made
       – Lists always end with an implicit deny
       – Access lists must be applied to an interface as either inbound or outbound traffic filters
     Standard IP Access Lists:
     • Standard IP access lists
       – Filter network traffic based on the source IP address only
       – Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
     Configure standard IP access lists:
     • access-list [list #] [permit|deny] [source address] [source wildcard mask]
     • Routers use wildcards to determine which bits in an address will be significant
     Wildcard mask example:
  4. Wildcard masking matching a single host: example
     Standard IP Access List Examples:
     • Standard IP access lists permit or deny packets based only on the source address
       – Addresses can be a single host address, a subnet address, or a full network address
     • Correct placement of a list is imperative
     • Application of the list as an outbound filter on FastEthernet0/0
       – See Figure 10-15
     • If you decide that an access list needs to be removed from an interface
       – You can remove it with the no ip access-group [list #] command
     • To view the access lists defined on your router, use the show access-lists command
       – For IP access lists you could also use the show ip access-lists command
     • Use the show access-lists or show ip access-lists command followed by the show ip interface command
       – To verify that the list has been entered and applied correctly
  5. Monitoring Standard IP Access Lists:
     • Three main commands are available for monitoring access lists on your router
       – show access-lists
       – show ip access-lists
       – show interfaces or show ip interface
     • Use the no ip access-group [list #] [direction] command to remove the application of the list
     • Use the no access-list [list #] command to remove the list
     Extended IP Access Lists:
     • Extended IP access lists
       – Can filter by source IP address, destination IP address, protocol type, and application port number
       – This granularity allows you to design extended IP access lists that:
         • Permit or deny a single type of IP protocol
         • Filter by a particular port of a particular protocol
     • To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax
     • access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
     Using Named Lists:
     • Named access lists
       – In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
     • To name a standard IP access list, use the following syntax: RouterC(config)#ip access-list standard [name]
     • To name an extended IP access list, use the following syntax: RouterC(config)#ip access-list extended [name]
     • Once the list is named, the permit or deny statement is entered
     • The commands follow the same syntax as unnamed lists
       – The beginning part of the command is not included
     • To apply a standard IP named list to an interface, the syntax is: RouterC(config-if)#ip access-group [name] [in | out]
  6. Advantages (of named lists):
     – Allows you to maintain security by using an easily identifiable access list
     – Removes the limit of 100 lists per filter type
     – With named access lists, lines can be selectively deleted in the ACL
     – Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed
     Using Security Device Manager to Create Access Control Lists:
     • Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI interface
     • SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)
     Controlling VTY Line Access:
     • Access lists are used for both traffic flow and security
     • One useful security feature of access lists is restricting access to telnet on your router
       – By controlling VTY line access
     • You must first create a standard IP access list that permits the management workstation
       RouterA(config)#access-list 12 permit
     • Then, it must be applied to the VTY lines
       access-class [acl #] in | out
     • To apply access list 12 to the VTY lines, use the following command:
       RouterA(config)#line vty 0 4
       RouterA(config-line)#access-class 12 in
     • The commands to restrict access to the VTY lines to network only are:
       RouterA(config)#access-list 13 permit
       RouterA(config)#line vty 0 4
       RouterA(config-line)#access-class 13 in
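The matching rules from slides 2 and 3 (top-down, first match wins, implicit deny), the standard and extended list syntax from slides 3 and 5, and the access-class check on the VTY lines from slide 6 can all be modelled in a few lines. The following is an added example, not code from the slides; the addresses, list numbers and packet dictionaries in it are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed example, not from the slide deck: a model of how a router walks a
# numbered access list. Entries are tried top-down and the first match decides.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str                      # source wildcard mask
    proto: str = "ip"                # extended-list fields; "ip" matches any protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # default destination is "any"
    dport: Optional[int] = None      # "eq <port>" on the destination

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: List[Entry], pkt: dict) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"  # the 'deny any' that never appears in the running config

# Standard list: deny one host, then permit the rest of its /24 (order matters).
ACL1 = [Entry("deny", "10.1.1.1", "0.0.0.0"),
        Entry("permit", "10.1.1.0", "0.0.0.255")]
# Extended list: permit tcp 10.1.1.0 0.0.0.255 host 192.168.5.10 eq 80
ACL101 = [Entry("permit", "10.1.1.0", "0.0.0.255", "tcp", "192.168.5.10", "0.0.0.0", 80)]
# Standard list used with access-class on the VTY lines: only the management workstation.
ACL12 = [Entry("permit", "192.168.1.50", "0.0.0.0")]
def vty_allowed(session_src: str) -> bool:
    """What 'access-class 12 in' checks: the Telnet session's source against list 12."""
    return evaluate(ACL12, {"src": session_src, "dst": "0.0.0.0"}) == "permit"
```

Reversing the two entries of ACL1 makes the host-specific deny unreachable, which is the ordering problem the slides warn about.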
  7. Topology (interface listing; the addresses on the slide diagram are not preserved in the transcript):
     Router1: E0, E1; Router2: E0, E1; Router3: E0, E1; Router 4: E0, E1; Router 5; Router 6: E0/0, E0/1, E0/2; Router 7: E0, E1; Router 8: E0, E1; Pc1: E0; Pc2: E0; Pc3: E0; Pc4: E0; Pc5: E0; Switch1: F/E 0/1; Switch2: F/E0/1; Switch3: FE/E0/1
  8. Reference:
     Book – CCNA (Todd Lammle)
     …ontrol_list (URL truncated in transcript)
     …s/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml (URL truncated in transcript)
     …uters/asr9000/software/asr9k_r4.2/addr_serv/command/reference/b_ipaddr_cr42asr9k_chapter_01.html (URL truncated in transcript)