Chapter 10

CHAPTER ONE Access Lists

Objectives
- Describe the usage and rules of access lists
- Establish standard IP access lists
- Produce extended IP access lists
- Develop standard IPX access lists
- Create extended IPX access lists
- Define IPX SAP filters
- Apply access lists to interfaces
- Monitor and verify access lists

Access Lists: Usage and Rules
- Network traffic flow and security influence the design and management of computer networks
- Access lists solve many of the problems associated with these two tasks
- Access lists are permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet

Access List Usage
- Implicit deny any
  - Blocks all packets that do not meet the requirements of the access list
Figure 10-1: Sample network

Problems with Access Lists
- One of the most common problems associated with access lists is a lack of planning
- Another troublesome area is the sequential nature in which you must enter the list into the router
- Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list

Access List Rules
Figure 10-2: No access-list command

Access List Rules
- Inbound
  - Direction parameter used when applying an access list
  - Direction is into the router
- Outbound
  - Direction parameter used when applying an access list
  - Direction is out of the router

Access List Rules
Figure 10-3: The man in the router

Access List Rules
- Routers apply lists sequentially, in the order in which you type the statements into the router
- Routers apply lists to packets sequentially
- A packet is compared against the statements only until a match is made; it is then permitted or denied according to the matching statement

Access List Rules
- Lists always end with an implicit deny
- Access lists must be applied to an interface as either inbound or outbound traffic filters
- Only one list, per protocol, per direction can be applied to an interface
- Access lists are effective as soon as they are applied

Standard IP Access Lists
- Standard IP access lists
  - Filter network traffic based on the source IP address only
  - Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address
- Wildcard mask
  - Also called inverse mask
  - Applied to IP addresses to determine if an access list line will act upon a packet

Standard IP Access Lists
Table 10-1: Wildcard mask examples
Figure 10-4: Wildcard masking example matching a single host
Figure 10-5: Wildcard masking example matching a complete subnet

Standard IP Access Lists
- Partial masking
  - When an octet in a wildcard mask contains a mix of binary 1s and 0s
Figure 10-6: Wildcard masking example using partial masking
Figure 10-7: Wildcard masking example without match

Standard IP Access List Examples
Figure 10-8: Sample IP network
Figure 10-9: Creating a standard IP access list
Figure 10-10: Sample IP network with two Ethernet interfaces on RouterB
Figure 10-11: show access-lists and show ip access-lists commands
Figure 10-12: show ip interface command
Figure 10-13: Removing an IP access list from an interface
Figure 10-14: show ip interface after removal of access list 1 from e0
Figure 10-15: Creation and application of a standard IP access list
Figure 10-16: show access-lists and show ip interface commands
Figure 10-17: Access list that blocks multiple subnets

Monitoring Standard IP Access Lists
- Three main commands are available for monitoring access lists on your router:
  - show access-lists
  - show ip access-lists
  - show interfaces or show ip interface
- It is a good idea to run each of these commands after creating and applying access lists

Extended IP Access Lists
- IP access lists that filter traffic by:
  - Source IP address
  - Destination IP address
  - Protocol type
  - Port number

Extended IP Access List Examples
Figure 10-18: Sample IP network with a Web server

Extended IP Access List Examples
- Unlike standard IP access lists, extended access lists do not have a default wildcard mask of 0.0.0.0
  - You must specify the wildcard mask for the source IP address
- The host keyword is short for a wildcard mask of 0.0.0.0
  - The line will only be applied to packets that match the one source address specified with the host keyword

Extended IP Access List Examples
Figure 10-19: Extended IP access list example
Figure 10-20: Extended IP access list example continued
Figure 10-21: Applying an extended IP access list to an interface
Figure 10-22: Removing an extended IP access list from an interface

The "Established" Parameter
- Network administrators often want to block all TCP/IP traffic outside their network from coming into their network
- If you use deny statements to deny all traffic coming in, no one will be able to browse the Web, ping, or perform other network activities that involve a response to a request
- The easiest way around this problem is to use an extended IP access list with the established parameter
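An added example, not from the chapter, that simulates the rules on the preceding slides in Python: wildcard (inverse) masking including partial masks, top-down first-match processing ending in the implicit deny, and the established parameter, which matches only TCP segments carrying ACK or RST. The list contents and addresses are constructed assumptions, not the chapter's figures.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: 0 bits must equal the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str                       # wildcard mask for the source
    dst: str = "0.0.0.0"              # standard lists: destination is effectively "any"
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # "eq <port>" on the destination
    established: bool = False         # TCP only: ACK or RST flag must be set

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    ack: bool = False
    rst: bool = False

def evaluate(acl, pkt):
    """Walk the list top-down; the first matching line decides (its 1-based
    number is returned), and a packet that matches nothing hits the implicit deny."""
    for line, e in enumerate(acl, 1):
        if (wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)
                and e.proto in ("ip", pkt.proto)
                and (e.dport is None or e.dport == pkt.dport)
                and (not e.established or (pkt.proto == "tcp" and (pkt.ack or pkt.rst)))):
            return e.action, line
    return "deny", None               # implicit "deny any" at the end of every list
# Constructed sample lists; the addresses are hypothetical, not the chapter's figures.
STANDARD_1 = [                        # access-list 1: deny one subnet, permit everything else
    Entry("deny", "172.16.1.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]
EXTENDED_101 = [                      # access-list 101, inbound from the outside network
    Entry("permit", "0.0.0.0", "255.255.255.255", proto="tcp", established=True),
    Entry("permit", "0.0.0.0", "255.255.255.255", "10.1.1.5", "0.0.0.0", "tcp", 80),
]
```

Note that a new inbound connection to anything other than the Web server on port 80 falls through both lines of EXTENDED_101 and is dropped by the implicit deny, while replies to connections opened from inside match line 1 because their ACK bit is set.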
Monitoring Extended IP Access Lists
Figure 10-23: show ip access-lists command
Figure 10-24: clear access-list counters command

Standard IPX Access Lists
- Very similar to their IP cousins
  - One distinct difference
- Can filter based on source and destination addresses
  - Standard IP access lists can only filter based on source addresses
- In all other aspects, they act just like standard IP access lists

Standard IPX Access List Examples
Figure 10-25: Sample IPX network
Figure 10-26: Standard IPX access-list configuration

Monitoring Standard IPX Lists
Figure 10-27: show access-lists command

Extended IPX Access Lists
- Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
Figure 10-28: Configuring extended IPX access-lists

Monitoring Extended IPX Access Lists
Figure 10-29: show access-lists command

IPX SAP Filters
- Limit SAP traffic in order to control which resources on the IPX network will be visible to IPX clients
  - Allow you to limit the "advertising" of particular servers and services to a particular IPX network segment
  - Since SAP advertisements are broadcast, limiting them reduces network traffic
- IPX input SAP filters reduce the number of SAP entries that are placed into a router's SAP table

IPX SAP Filter Example
Figure 10-30: IPX SAP filter example
Figure 10-31: Applying an IPX SAP filter to an interface

Monitoring IPX SAP Filters
- Like all other access lists, the show access-lists command displays all lists, including all SAP filters defined on the router
- To make sure the list was applied successfully to the interface, use the show ipx interface command
- To remove the SAP filter, use the no access-list [ list # ] command
- To remove the application of a SAP filter from an interface, use the no ipx input-sap-filter [ list # ] or no ipx output-sap-filter [ list # ] command

Using Named Lists
- In IOS versions 11.2 and above, you can use names instead of numbers to identify your lists
  - These are known as named access lists
- You cannot use the same name for multiple lists
  - Even different types of lists cannot have the same name
- The naming feature helps you maintain security by making each access list easily identifiable

Chapter Summary
- Access lists are one of the most important IOS tools for controlling network traffic and security
- Access lists are created in a two-step process
- All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
- Access lists, by default, always end in an implicit deny any
- Only one access list per direction per protocol can be applied to an interface

Chapter Summary
- Standard IP access lists filter traffic based on the source IP address of a packet
- Extended IP access lists filter traffic based on the source, destination, protocol type, and application type
- Standard IPX access lists are more complex than standard IP lists
- Extended IPX lists allow you to filter based on IPX protocol type and IPX parameters
- IPX SAP filters allow you to limit the amount of SAP traffic passed by your routers

Chapter Summary
- Each type of access list is identified by a range of numbers
Table 10-2: Access list number ranges