  • Layer 2 of 2 Emphasize: An access list is a mechanism for identifying particular traffic. One application of an access list is for filtering traffic into or out of a router interface.
  • An access list lets the router manage IP traffic by filtering the packets that pass through it; each entry either permits or denies.
  • If you want to permit only one host from a network, the permit statement for that host should come first.
  • Layer 3 of 3 Purpose: Describe an inbound versus outbound access list on an interface.
  • Layer 3 of 3 Emphasize: Layer 3 adds the Novell IPX access lists covered in Chapter 11, “Configuring Novell IPX,” and the number ranges for these types of access lists. As of Release 11.2.4(F), IPX also supports named access lists. Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol. Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types. For the most part, number ranges do not overlap between different protocols. Note: With Cisco IOS 12.0, the IP access-list range has been expanded to also include:
    • <1300-1999> IP standard access list (expanded range)
    • <2000-2699> IP extended access list (expanded range)
  • Acl

    1. Access Control Lists
    2. Why Use Access Lists?
       • Manage IP traffic as network access grows
       • Filter packets as they pass through the router
    3. What are ACLs?
       • ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
       • These lists tell the router what types of packets to accept or deny.
       • Acceptance and denial can be based on specified conditions.
       • ACLs can be configured at the router to control access to a network or subnet.
       • Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.
    4. Reasons to Create ACLs
       • The following are some of the primary reasons to create ACLs:
         • Limit network traffic and increase network performance.
         • Provide traffic flow control.
         • Provide a basic level of security for network access.
         • Decide which types of traffic are forwarded or blocked at the router interfaces. For example: permit e-mail traffic to be routed, but block all Telnet traffic.
       • If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.
    5. ACLs
       • A separate access list is used for Telnet access.
       • There is an implicit deny at the bottom of every list.
       • All restrictive (deny) statements should come first.
       • There are two types:
         • Standard
         • Extended
    6. IP Packet
       • SRC IP Address
       • DEST IP Address
       • Protocol type
       • SRC Port
       • DEST Port
    7. Types of Access Lists
       • Standard
         • Checks source address
         • Permits or denies entire protocol suite
       • Extended
         • Checks source and destination address
         • Generally permits or denies specific protocols
    8. How to Identify Access Lists
       • Standard IP lists (1-99) test conditions of all IP packets from source addresses.
       • Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
       • Standard IP lists (1300-1999) (expanded range).
       • Extended IP lists (2000-2699) (expanded range).
    9. Standard ACLs
       • The full syntax of the standard ACL command is:
         Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
       • The no form of this command is used to remove a standard ACL. This is the syntax:
         Router(config)# no access-list access-list-number
       • Example:
         Config# access-list 1 deny
         Config# access-list 1 permit any
    10. The ANY and HOST keywords
       • access-list 1 permit <address> 0.0.0.0
         or
         access-list 1 permit host <address>
       • access-list 1 permit 0.0.0.0 255.255.255.255
         or
         access-list 1 permit any
       (<address> stands for the host address shown on the original slide.)
    11. The ip access-group command
       • Router(config-if)# ip access-group access-list-number { in | out }
    12. Extended ACLs
       • Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
       • Extended ACLs check the source and destination packet addresses and can also check protocols and port numbers.
       • Logical operations such as equal (eq), not equal (neq), greater than (gt), and less than (lt) may be specified for the port test that the extended ACL performs on specific protocols.
       • Extended ACLs use an access-list-number in the range 100 to 199 (also 2000 to 2699 in recent IOS).
    13. 13. Extended ACL Syntax
    14. Deny FTP
         access-list 101 deny tcp any any eq 21
         access-list 101 permit ip any any
       or
         access-list 101 deny tcp any any eq ftp
         access-list 101 permit ip any any
    15. Rules
       • Apply extended access lists close to the source.
       • Apply standard access lists close to the destination.
    16. 16. Verify Access List
    17. Basic Rules for ACLs
       • Standard IP access lists should be applied closest to the destination.
       • Extended IP access lists should be applied closest to the source.
       • Use the inbound or outbound interface reference as if looking at the port from inside the router.
       • Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
       • There is an implicit deny at the end of all access lists. It will not appear in the configuration listing.
       • Access list entries should filter in order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
       • Never work with an access list that is actively applied.
       • New lines are always added to the end of the access list.
       • A no access-list x command removes the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
       • Outbound filters do not affect traffic originating from the local router.
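The matching behaviour these slides describe (wildcard masks, the any and host keywords, sequential first-match processing with the implicit deny, and why a specific host deny must precede a general permit) can be checked with the evaluator below. It is an added example, not code from the slides or from Cisco; it parses the numbered access-list syntax used above and assumes packets are supplied as dicts with src, dst, proto and dport keys.

```python
import ipaddress
# Added example, not from the slides: a first-match evaluator for numbered
# Cisco-style ACL lines. Standard lists (1-99, 1300-1999) test only the source;
# extended lists (100-199, 2000-2699) also test destination, protocol and port.
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}   # the few names this toy resolves
PORT_OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
            "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, standard):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' -> (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host" or (standard and not tokens):   # bare address in a standard ACL = one host
        return _ip(tokens.pop(0) if tok == "host" else tok), 0
    return _ip(tok), _ip(tokens.pop(0))

def _match_addr(entry_addr, wildcard, pkt_addr):
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (_ip(pkt_addr) & care) == (entry_addr & care)

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ...' lines, keeping the order given."""
    entries = []
    for line in lines:
        t = line.split()
        number, action, rest = int(t[1]), t[2], t[3:]
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        e = {"action": action, "dst": (0, 0xFFFFFFFF), "port": None}
        e["proto"] = "ip" if standard else rest.pop(0)   # standard lists carry no protocol
        e["src"] = _parse_addr(rest, standard)
        if not standard:
            e["dst"] = _parse_addr(rest, False)
            if rest and rest[0] in PORT_OPS:             # e.g. 'eq 21' or 'eq ftp'
                e["port"] = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1]))
        entries.append(e)
    return entries

def evaluate(entries, pkt):
    """Statements are tested top to bottom; the first match decides the packet."""
    for e in entries:
        if (_match_addr(*e["src"], pkt["src"]) and _match_addr(*e["dst"], pkt["dst"])
                and e["proto"] in ("ip", pkt["proto"])
                and (e["port"] is None or PORT_OPS[e["port"][0]](pkt["dport"], e["port"][1]))):
            return e["action"]
    return "deny"   # the implicit deny at the end of every access list, never shown in the config
```

Feeding it the two-line Deny FTP list from slide 14 shows TCP/21 denied and everything else permitted; reversing the order of a host deny and a network permit shows why specific entries must come first.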