CCNA Discovery 3 - Chapter 8


  1. Filtering Traffic Using Access Control Lists
     Introducing Routing and Switching in the Enterprise – Chapter 8, Version 4.0
     © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
  2. Objectives
     - Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
     - Analyze the use of wildcard masks.
     - Configure and implement ACLs.
     - Create and apply ACLs to control specific types of traffic.
     - Log ACL activity and integrate ACL best practices.
  3. Describe Traffic Filtering
     - Analyze the contents of a packet
     - Allow or block the packet
     - Based on source IP, destination IP, MAC address, protocol, or application type
  4. Describe Traffic Filtering
     Devices providing traffic filtering:
     - Firewalls built into integrated routers
     - Dedicated security appliances
     - Servers
  5. Describe Traffic Filtering
     Uses for ACLs:
     - Specify internal hosts for NAT
     - Classify traffic for QoS
     - Restrict routing updates, limit debug output, control virtual terminal access
  6. Describe Traffic Filtering
     Possible issues with ACLs:
     - Increased load on the router
     - Possible network disruption
     - Unintended consequences from incorrect placement
  7. Describe Traffic Filtering
     - Standard ACLs filter based on source IP address
     - Extended ACLs filter on source and destination address, as well as protocol and port number
     - Named ACLs can be either standard or extended
  8. Describe Traffic Filtering
     - ACLs consist of statements
     - At least one statement must be a permit statement
     - The final statement is an implicit deny
     - An ACL must be applied to an interface in order to work
  9. Describe Traffic Filtering
     - An ACL is applied inbound or outbound
     - Direction is from the router’s perspective
     - Each interface can have one ACL per direction for each network protocol
  10. Analyze the Use of Wildcard Masks
     - A wildcard mask can block a range of addresses or a whole network with one statement
     - 0 bits indicate which part of an IP address must match the ACL statement
     - 1 bits indicate which part does not have to match
  11. Analyze the Use of Wildcard Masks
     - Use the host parameter in place of a 0.0.0.0 wildcard
     - Use the any parameter in place of a 255.255.255.255 wildcard
  12. Configure and Implement Access Control Lists
     - Determine traffic filtering requirements
     - Decide which type of ACL to use
     - Determine the router and interface on which to apply the ACL
     - Determine in which direction to filter traffic
  13. Configure and Implement Access Control Lists: Numbered Standard ACL
     - Use the access-list command to enter statements
     - Use the same number for all statements
     - Number ranges: 1-99, 1300-1999
     - Apply as close to the destination as possible
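The following is an added example, not part of the original Cisco slide deck. It puts slides 10, 11 and 13 together in one numbered standard ACL: a wildcard mask for a whole /24, a wildcard that spans two adjacent /24s, the host and any shorthands, and placement close to the destination. The addresses, the ACL number and the interface name are assumed for illustration.

```cisco
! Added example (not from the original slides): a numbered standard ACL that
! lets only selected inside networks reach a server LAN. The addresses, the
! ACL number and the interface name are assumed for illustration.
!
! Standard ACLs (numbers 1-99 and 1300-1999) match on the source address
! only, so they are applied close to the destination: on the interface
! facing the server LAN, outbound.
!
! Wildcard 0.0.0.255: the 0 bits in the first three octets must match, the
! 1 bits in the last octet are "don't care", so one statement covers the
! whole 192.168.10.0/24.
access-list 10 remark Source networks allowed to reach the server LAN
access-list 10 permit 192.168.10.0 0.0.0.255
! 'host' replaces the 0.0.0.0 wildcard (every bit must match).
access-list 10 permit host 192.168.20.5
! Wildcard 0.0.1.255 spans 192.168.30.0/24 and 192.168.31.0/24 in one line.
access-list 10 permit 192.168.30.0 0.0.1.255
! 'any' replaces 0.0.0.0 255.255.255.255. The implicit deny would drop the
! rest anyway; writing it out (with log) makes the drops visible.
access-list 10 deny any log
!
interface GigabitEthernet0/1
 description Link to the server LAN (close to the destination)
 ip access-group 10 out
!
! Verification: one match counter per statement, and the interface binding.
show access-lists 10
show ip interface GigabitEthernet0/1 | include access list
```

The explicit final deny is a deliberate choice: the implicit deny matches the same packets but never shows up in show access-lists, so a surprising drop is much harder to attribute without it.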
  14. Configure and Implement Access Control Lists: Numbered Extended ACL
     - Use the access-list command to enter statements
     - Use the same number for all statements
     - Number ranges: 100-199, 2000-2699
     - Specify a protocol to permit or deny
     - Place as close to the source as possible
  15. Configure and Implement Access Control Lists: Named ACLs
     - A descriptive name replaces the number range
     - Use the ip access-list command to enter the initial statement
     - Start succeeding statements with either permit or deny
     - Apply in the same way as a standard or extended ACL
  16. Configure and Implement Access Control Lists: VTY Access
     - Create the ACL in line configuration mode
     - Use the access-class command to apply the ACL to the VTY lines
     - Use a numbered ACL
     - Apply identical restrictions to all VTY lines
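An added example, not from the original slide deck, covering slides 15 and 16 (and the point from slide 21 that a subinterface takes an ACL exactly like a physical interface): a named extended ACL applied to a VLAN subinterface, and a numbered standard ACL applied to the VTY lines with access-class. The ACL names, addresses, VLAN number and interface names are assumed.

```cisco
! Added example (not from the original slides): a named extended ACL applied
! to a VLAN subinterface, and a numbered standard ACL that restricts who may
! open a VTY session. Names, addresses and interfaces are assumed.
!
! Named ACL: 'ip access-list extended <name>' enters ACL configuration mode;
! every following statement starts with permit or deny (the sequence number
! in front is optional and makes later edits easier).
ip access-list extended VLAN10-IN
 remark Hosts in VLAN 10 may reach the web server on 80/443 only
 10 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.80 eq 80
 20 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.80 eq 443
 30 deny ip any host 10.1.1.80 log
 40 permit ip any any
!
! A named ACL is applied like a numbered one; a subinterface takes it in
! exactly the same way as a physical interface.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! VTY access: the ACL statements themselves are entered in global
! configuration mode; the access-class command in line configuration mode
! applies the ACL to the lines. Applying it to 'line vty 0 4' covers all
! five lines with one restriction, so no line is left unprotected.
access-list 5 remark Management stations allowed to open VTY sessions
access-list 5 permit 192.168.99.0 0.0.0.255
access-list 5 deny any log
!
line vty 0 4
 access-class 5 in
!
! Verification: session attempts from other sources are refused and
! increment the counter on the deny line.
show access-lists 5
```

Note that access-class filters the session to the router itself, whereas ip access-group filters transit traffic on an interface; a VTY restriction applied with ip access-group would have to be repeated on every interface, which is why the line-level command exists.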
  17. Create and Apply ACLs to Control Specific Types of Traffic
     - Use a specified condition when filtering on port numbers: eq, lt, gt
     - Deny all appropriate ports for multi-port applications like FTP
     - Use the range operator to filter a group of ports
  18. Create and Apply ACLs to Control Specific Types of Traffic
     - Block harmful external traffic while allowing internal users free access
     - Ping: allow echo replies while denying echo requests from outside the network
     - Stateful Packet Inspection
  19. Create and Apply ACLs to Control Specific Types of Traffic
     - Account for NAT when creating and applying ACLs to a NAT interface
     - Filter public addresses on a NAT outside interface
     - Filter private addresses on a NAT inside interface
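An added example, not from the original slide deck, that works through slides 14 and 17 to 19 in one configuration: a numbered extended ACL inbound on the NAT outside interface (echo replies in, echo requests out, the multi-port FTP case, the range operator, public addresses only) and a companion ACL on the NAT inside interface that filters private addresses. It also shows the non-filtering ACL use from slide 5, selecting the inside hosts for NAT. All addresses, ACL numbers and interface names are assumed.

```cisco
! Added example (not from the original slides): a numbered extended ACL on the
! NAT outside interface and a companion ACL on the NAT inside interface.
! All addresses, the ACL numbers and the interface names are assumed.
!
! NAT assumed for the example: LAN 192.168.10.0/24 is translated to the
! outside interface address 203.0.113.1 (ACL 1 selects the inside hosts,
! slide 5), and the internal web server 192.168.10.80 is reachable from the
! Internet as 203.0.113.10.
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static 192.168.10.80 203.0.113.10
!
! --- Outside interface, inbound (ACL 110, range 100-199) ---
! Inbound packets are checked BEFORE NAT translates them, so this ACL must
! refer to the PUBLIC addresses. Extended ACLs sit close to the source.
!
! Ping: let replies to our own echo requests in, drop echo requests from outside.
access-list 110 permit icmp any host 203.0.113.1 echo-reply
access-list 110 deny icmp any any echo log
!
! Return traffic of TCP sessions opened from inside. 'established' only
! checks the ACK/RST flags; it is not stateful packet inspection.
access-list 110 permit tcp any host 203.0.113.1 established
!
! FTP uses more than one port: block control (21) and data (20) together.
access-list 110 deny tcp any any eq 21
access-list 110 deny tcp any any eq 20
!
! Port operators: eq, lt, gt and range. Block NetBIOS ports 137-139 for TCP
! and UDP in two statements instead of six.
access-list 110 deny tcp any any range 137 139
access-list 110 deny udp any any range 137 139
!
! The public web server is reachable only on 80 and 443 (public address).
access-list 110 permit tcp any host 203.0.113.10 eq 80
access-list 110 permit tcp any host 203.0.113.10 eq 443
!
! Explicit form of the implicit deny, so dropped packets are logged and counted.
access-list 110 deny ip any any log
!
! --- Inside interface, inbound (ACL 120) ---
! Packets from the LAN are also checked before NAT, so here the PRIVATE
! addresses are filtered: only our own LAN may send, which also stops
! packets with spoofed sources from leaving through this router.
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 deny ip any any log
!
interface Serial0/0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 ip access-group 110 in
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 120 in
!
! Verify line by line (slide 20): 'show access-lists' prints every statement
! with its match counter, the quickest way to spot a line that never matches
! or one that matches far more than intended.
show access-lists
```

Order matters: the ACL is evaluated top down and the first match wins, so the FTP and NetBIOS denies are placed before the web-server permits, and the established line only lets back in sessions the inside already opened.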
  20. Create and Apply ACLs to Control Specific Types of Traffic
     - Examine every ACL one line at a time to avoid unintended consequences
  21. Create and Apply ACLs to Control Specific Types of Traffic
     - Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces
  22. Log ACL Activity and ACL Best Practices
     - Logging provides additional details on packets denied or permitted
     - Add the log option to the end of each ACL statement to be tracked
  23. Log ACL Activity and ACL Best Practices
     Syslog messages:
     - Status of router interfaces
     - ACL messages
     - Bandwidth, protocols in use, configuration events
  24. Log ACL Activity and ACL Best Practices
     - Always test basic connectivity before applying ACLs
     - Add an explicit deny ip any any statement with the log option to the end of an ACL when logging
     - Use reload in 30 when testing ACLs on remote routers
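An added example, not from the original slide deck, for slides 22 to 24: syslog set up so that ACL log entries are kept and forwarded, a connectivity check before the ACL goes on, a scheduled reload as a safety net while a new ACL is tested on a remote router, and the commands that confirm the ACL and cancel the reload. The addresses, ACL name and interface are assumed; the sample log line is constructed, not captured from a real router.

```cisco
! Added example (not from the original slides): logging ACL hits and a safe
! way to test a new ACL on a remote router. Addresses and names are assumed.
!
! Keep a local log buffer and forward to a syslog collector, so the entries
! produced by 'log' statements (alongside interface status and configuration
! events) can be reviewed later.
logging buffered 16384 informational
logging host 192.168.99.50
logging trap informational
service timestamps log datetime msec localtime
!
! Verify basic connectivity BEFORE applying the ACL, so that a later failure
! is attributable to the ACL and not to an unrelated routing or link fault.
ping 192.168.99.50
!
! Safety net for a remote router: schedule a reload in 30 minutes. If the new
! ACL locks out management access, the router reboots into the saved startup
! configuration, which does not yet contain the ACL. Do NOT save the running
! configuration until the ACL is confirmed good.
reload in 30
!
configure terminal
 ip access-list extended EDGE-IN
  remark Only statements carrying 'log' produce syslog messages
  permit tcp any host 203.0.113.10 eq 80 log
  permit tcp any host 203.0.113.10 eq 443
  ! Explicit, logged deny at the end: the implicit deny never logs anything.
  deny ip any any log
 interface Serial0/0/0
  ip access-group EDGE-IN in
 end
!
! A matching entry in the buffer looks like this (sample line constructed
! for the example, not captured from a router):
! %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40211) -> 203.0.113.10(23), 1 packet
show logging | include IPACCESSLOGP
show access-lists EDGE-IN
!
! Still have access and the counters look right? Cancel the pending reload
! and only then save.
reload cancel
write memory
```

Logged ACL statements are rate-limited by the router and cost CPU, which is the load issue from slide 6; log the lines that matter (typically the final deny and any permit under investigation) rather than every statement.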
  25. Summary
     - ACLs enable traffic management and secure access to and from a network and its resources
     - Apply an ACL to filter inbound or outbound traffic
     - ACLs can be standard, extended, or named
     - Using a wildcard mask provides flexibility
     - There is an implicit deny statement at the end of an ACL
     - Account for NAT when creating and applying ACLs
     - Logging provides additional details on filtered traffic