Access Control Lists (ACLs) can be used for two purposes:
1. To filter traffic
2. To identify traffic
Access lists are sets of rules, organized in a rule table. Each rule, or line, in an access list provides a condition together with an action, either permit or deny.
This study guide is intended to provide those pursuing the CCNA certification with a framework of what concepts need to be studied. This is not a comprehensive document containing all the secrets of the CCNP nor is it a “braindump” of questions and answers.
I sincerely hope that this document provides some assistance and clarity in your studies.
- Access control lists (ACLs) allow or deny network traffic passing through a router based on source and destination IP addresses, protocols, and port numbers.
- There are two main types of ACLs: standard ACLs which filter based on source IP addresses, and extended ACLs which filter on source/destination IP addresses, protocols, and port numbers.
- ACLs can be numbered or named, with named ACLs allowing selective editing of statements not possible with numbered ACLs.
Access control lists (ACLs) can be used for filtering and identifying network traffic. ACLs are composed of rules that either permit or deny traffic based on conditions like source/destination addresses, protocols, and port numbers. Numbered ACLs range from 1-99 for standard IP and 100-199 for extended IP. Named ACLs have no number limit. Standard ACLs filter based only on source IP while extended ACLs examine both source and destination addresses, protocol, and port numbers.
The document discusses access control lists (ACLs), including:
1) ACLs are used for packet filtering and can allow or deny traffic based on source/destination IP addresses and TCP/UDP ports.
2) Standard ACLs filter based on source IP address, extended ACLs add destination IP address and ports.
3) ACLs are configured with numbers or names and applied to interfaces to filter incoming or outgoing traffic.
The document discusses Access Control Lists (ACLs), which are lists of permit or deny rules that control what traffic can enter or leave a router's interface. There are standard ACLs, which filter traffic based only on the source IP address, and extended ACLs, which can filter traffic based on additional attributes like destination address, protocol, and port numbers. ACL rules are evaluated sequentially, with an implicit "deny all" rule at the end, so ACLs should be placed strategically to filter traffic close to either its source or destination.
Access control lists (ACLs) are used to control network traffic flows between routers by filtering packets. Standard ACLs filter based on source IP address and block bidirectional traffic. Extended ACLs filter on source IP address, destination IP address, protocol and port, and can block traffic in one direction only. Wildcard masks are used in ACLs to specify which IP address bits must match for the ACL entry to apply.
A PROJECT REPORT
On
CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
In this PPT you can learn about firewalls and their types, which will help you a lot and which you will be able to understand. So you must read it at once; I am sure that you will understand it.
Thank you!!!
There are three types of First Hop Redundancy Protocols (FHRP): HSRP, VRRP, and GLBP. HSRP and VRRP elect an active router to forward traffic for a virtual IP address, while GLBP allows multiple routers to act as active forwarders. Only GLBP supports load balancing traffic across multiple routers. All FHRP protocols run per VRF and VDC.
This document provides instructions for basic router operations and commands on a Cisco router including:
- How to access user and privileged modes, exit the router, and use keyboard shortcuts.
- Commands for viewing router information like the IOS version, configurations, interfaces, neighbors, and protocols.
- How to manage configuration files by backing up, restoring, and editing configurations.
- Instructions for configuring passwords, router identification, and auto-install.
- An overview of commands for configuring TCP/IP, IPX/SPX, serial interfaces, and basic routing protocols.
- Details on access lists, frame relay, and PPP configuration.
This document summarizes a presentation about Cisco's CCNP Enterprise ENCOR and ENARSI certification program. It provides information about the trainer, an overview of the CCNP certification requirements and exams, discussion of exam topics, and a question and answer section. The presentation aims to help attendees learn about the CCNP Enterprise certification track and prepare for the ENCOR and ENARSI exams.
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks;
The document discusses OSPF link-state routing protocol. It describes OSPF's use of link-state databases containing topology information and Dijkstra's algorithm to calculate the shortest path to all destinations. It also explains OSPF's hierarchical area-based network structure and use of link-state advertisements to exchange routing information between neighbors.
This document discusses VLANs (virtual local area networks). VLANs logically separate network users and resources connected to switch ports, creating smaller broadcast domains. VLANs simplify network management, provide security over flat networks, and allow flexibility and scalability. VLANs reduce broadcast traffic by containing it within virtual broadcast domains. They allow users to be added to VLANs regardless of physical location and enable adding new VLANs as network growth requires more bandwidth. The document also covers VLAN trunking, identification, membership configuration, and VTP (VLAN Trunking Protocol) which centrally manages VLAN configurations across switches to maintain consistency.
MSTP divides a bridged network into multiple regions called MST regions. Within each region, multiple RSTP instances called MSTIs are enabled to map VLANs and build separate spanning trees. A representative bridge in each region communicates with representatives of other regions to form a common spanning tree (CST) that connects all the MST regions as a single spanning tree across the entire network.
This document discusses common layer 2 security threats and attacks, including MAC layer attacks, VLAN attacks, spoofing attacks, and attacks against switch devices. It describes several specific attacks such as MAC flooding, VLAN hopping, DHCP starvation, and CDP manipulation. The document also provides mitigation strategies for each threat, such as using port security, private VLANs, DHCP snooping, and disabling unused protocols.
The document provides instructions and examples for configuring various routing protocols like RIP, IGRP, EIGRP, OSPF on Cisco routers and switches. It also includes commands for configuring basic device settings like IP addresses, passwords, VLANs, trunk ports and CDP. Examples are given for initial configurations of Cisco 1900 and 2950 switches.
This document provides an overview of routing concepts and protocols. It discusses the basic components of routing including algorithms, databases, and protocols. It describes different routing algorithm types such as static, distance vector, and link state. Specific routing protocols covered include RIP, OSPF, and BGP. It also discusses routing within autonomous systems and between autonomous systems on the internet.
This document summarizes network devices and concepts from a CCNA guide. It describes how repeaters, hubs, wireless access points, bridges, switches and routers segment networks and control traffic. It also defines Ethernet, Fast Ethernet and Gigabit Ethernet standards, and explains half and full-duplex communication modes. The summary provides an overview of common network devices and technologies for local area networks.
The document provides an overview of the Border Gateway Protocol (BGP). It discusses BGP concepts such as autonomous systems, path attributes, and the BGP protocol operation. Key points include that BGP establishes peering sessions to exchange routing information, uses route attributes like AS path, next hop, and communities to determine the best path, and supports techniques like route reflection and confederation to improve scalability in large networks.
This document discusses considerations for selecting switching and routing protocols for network design. It covers switching options like transparent bridging, multilayer switching, and Spanning Tree Protocol enhancements. For routing, it examines static, dynamic, distance-vector, and link-state protocols. Selection criteria include network characteristics, scalability, and ability to adapt to changes. The document provides examples of protocols like RIP, OSPF, IS-IS, and BGP and contrasts their features and use cases.
This document provides a CCNA command cheat sheet covering Cisco IOS commands for both ICND parts 1 & 2 and the current CCNA exam. It includes summaries of Cisco modes and keyboard shortcuts, commands for device configuration, interface configuration, and protocols. Privileged commands are also covered such as show commands for viewing configurations, interfaces, routing tables, and more.
Cisco ASA firewall command line technical guide (MDEMARCOCCIE)
This document provides a summary of common commands used to manage Cisco ASA firewalls. It covers basic connectivity and routing protocols, security configurations, management access, NAT/PAT procedures, and troubleshooting. The commands are intended to streamline the most used operations for network security engineers when administering Cisco ASA firewalls.
The document discusses Cisco routers and routing concepts. It provides details about Cisco router components, configuration, interfaces, routing protocols like RIP and IGRP, and autonomous systems. Cisco routers range from small access layer routers like the 700 series to large core routers like the 12000 series. Configuration is done through the console port initially and involves tasks like setting the hostname, passwords, interfaces and routing.
CCNA Basic Switching and Switch Configuration (Dsunte Wilson)
This document provides an overview of basic switching concepts and Cisco switch configuration. It explains Ethernet and how switches work to segment networks and reduce collisions. Switches operate at the data link layer and learn MAC addresses to forward frames efficiently. The document discusses switch configuration using commands like hostname, interface, duplex, and port security. It compares switching methods like store-and-forward and cut-through forwarding. The summary reiterates how switches divide collision domains to improve performance over shared-medium Ethernet.
ACLs are lists applied to routers to control network access by filtering packets based on conditions like source/destination addresses, protocols, and port numbers. They can limit traffic to increase performance, provide traffic flow control, and provide basic network security. There are standard and extended ACLs, with extended ACLs providing more granular control by checking source/destination addresses and specific protocols and ports. Basic rules for ACLs include applying standard ACLs near the destination and extended ACLs near the source, processing entries sequentially from top to bottom, and filtering from specific to general.
The document is a lab report that describes configuring standard and extended access control lists (ACLs) in a computer network. It defines standard ACLs as using only source IP addresses to permit or deny all protocol traffic between an entire network or sub-network. Extended ACLs can distinguish different protocol traffic like TCP, UDP, and HTTPS using source/destination IP addresses and port numbers to permit or deny specific services. The report provides examples of configuring a standard ACL to deny all traffic from one subnet and an extended ACL to deny traffic between a specific host and server.
ACLs control and manage network traffic by allowing or denying packet access based on conditions. Standard ACLs are used to filter traffic by source IP address only, while extended ACLs filter by source/destination IP address, protocols, and ports. ACLs are created with permit or deny statements and applied to interfaces using access lists or to virtual terminal lines using access classes to restrict access. Wildcard masks are used to filter groups of IP addresses in an access list.
Access lists allow routers to filter packets and are supported for several protocols like IP, Ethernet, and IPX. Access lists contain rules that either permit or deny traffic from and to particular sources and destinations. These lists are applied to router interfaces to filter traffic as it passes through. Extended access lists offer more granular control than standard lists by allowing filtering based on transport protocol, port, and source/destination addresses.
The document discusses access lists in Cisco networking. It describes how standard IP access lists filter based on source IP addresses while extended IP access lists can filter on source, destination, protocol and port. It provides examples of creating standard and extended IP access lists and applying them to interfaces to filter traffic. It also covers using access lists to restrict VTY line access and creating access lists using the Security Device Manager user interface.
This chapter discusses network security concepts like types of attacks, mitigation techniques, and access control lists. Standard access lists filter based on source IP addresses while extended lists can filter on additional attributes like destination address, protocol, and port numbers. Access lists are applied to router interfaces to permit or deny traffic and help implement security policies. The document provides examples of how to configure standard and extended access lists on Cisco routers to control network access.
This chapter discusses network security concepts like types of attacks, mitigation techniques, and access control lists. Standard access lists filter based on source IP addresses while extended lists can filter on additional attributes like destination IP, protocol, and port numbers. Access lists are applied to router interfaces to permit or deny traffic and are evaluated sequentially from top to bottom. They help control access to router VTY lines and filter inbound or outbound traffic.
This document provides instructions for creating and applying extended access lists on Cisco routers to filter network traffic. It defines what an extended access list is, how to write access list entries with source/destination IP addresses and port numbers, and how to apply the access list to router interfaces. The document also provides examples of access lists that can block malicious traffic and spoofing while allowing necessary services, with limitations and guidelines discussed.
Access lists are used to filter network traffic by controlling which packets are allowed through an interface. They can filter based on source/destination addresses and protocol/port numbers. Standard access lists filter based only on source IP addresses while extended lists can filter on additional attributes. Access lists are applied sequentially from top to bottom and packets are processed until a match is found. They must be applied to interfaces to take effect and can implement security policies by filtering unwanted traffic.
The document discusses the usage and configuration of access lists on routers to control network traffic and security by filtering packets based on source and destination addresses, protocols, and port numbers. It covers standard and extended IP and IPX access lists, how to establish, apply, and monitor them. Named access lists are also introduced which allow using names instead of numbers to identify lists for improved security and management.
The document discusses using access lists to manage IP traffic through a router. It describes how access lists can be used to permit or deny packets moving through the router based on source addresses, destinations, protocols, and ports. It provides examples of standard IP access list configurations to deny specific hosts, subnets, and permit or deny traffic to interfaces.
1 SEC450 ACL Tutorial This document highlights.docx (dorishigh)
SEC450 ACL Tutorial
This document highlights the most important concepts of Access Control Lists (ACLs) that you need to learn in order to configure an ACL in the CLI. This tutorial does not intend by any means to cover all ACL applications, only those scenarios used in the SEC450 iLabs.
Introduction to Access Control List
A host-based firewall essentially works by closing and/or opening ports on a
computer. The engine behind firewalls is built with Access Control Lists (ACLs).
Network-based firewalls are implemented in device-specific appliances and
routers. Basically, firewalls in routers filter packets through interfaces to permit
or deny them.
Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify
networking processes running on clients and servers.
ACLs are configured using shell-specific commands. In Cisco IOS, the CLI
commands access-list and access-group are used to create an ACL and apply it on
an interface.
An ACL can be identified by a number ID or by a name. Naming an ACL is useful to identify
the ACL's purpose.
ACLs are classified into Standard ACLs and Extended ACLs.
Standard ACL number IDs are assigned from 1 to 99. Extended ACL number
IDs are from 100 to 199.
A standard ACL uses only the source IP address of an IP packet to filter through an
interface. Hence, a standard ACL denies or permits all IP packets with the same
source IP regardless of upper-layer protocol, destination IP address, etc. Example 1:
Router(config)#access-list 8 deny host 172.12.3.5
An extended ACL filters packets based on protocol, source IP address,
source port number, destination IP address and destination port number.
Example 2: Router(config)#access-list 102 deny tcp host 10.0.3.2 host 172.129.4.1
Denies tcp packets with source IP address 10.0.3.2 and destination IP
address 172.129.4.1.
Since standard ACLs only look at the source IP address, the rule is to apply them on
an interface as close as possible to the destination network of concern.
Conversely, the rule for extended ACLs is to apply them on an interface as
close as possible to the source IP address.
Use extended ACLs in all iLabs, as they are more granular about which packets to filter.
Create Extended ACL in global configuration
You can use the access-list command options lt, gt, eq, neq and range (less than,
greater than, equal, not equal, range of ports) to perform comparisons on port numbers.
Example 3: access-list 102 deny tcp any host 11.23.45.7 gt 20 denies all
packets with any source IP address to destination IP address 11.23.45.7 and a
destination tcp port greater than 20.
Example 4: access-list 107 permit udp any any permits all packets of the udp
protocol with any source IP address to any destination IP address.
An extended ACL can filter packets based on the source port number and on the
destination port number.
Extended ACL Syntax can be as follows:
access-list <#,name> <protocol> ...
SEC450 iLab3 Report
Student Name _________________________________ Date _____________
Initial Configuration ISP Router
version 12.3(4)T7
!
hostname ISP_Router
!
interface FastEthernet0/0
ip address 200.100.0.1 255.255.255.0
!
interface FastEthernet1/0
ip address 200.100.40.1 255.255.255.0
!
interface Serial0/0
ip address 200.100.10.1 255.255.255.0
!
interface Serial0/1
ip address 200.100.20.1 255.255.255.0
!
router rip
network 200.100.0.0
network 200.100.10.0
network 200.100.20.0
network 200.100.40.0
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
Note: RED text indicates the required questions to answer
Task to Set up Security Policy for Offsite Database Server
#1. Explain the meaning of the "three P's" best practice rule to create ACL in routers
#2. Explain the difference between the following two access-list commands
a) access-list 101 permit tcp any any eq 80
b) access-list 101 permit tcp any eq 80 any
#3. What are well-known, registered, and ephemeral UDP/TCP ports?
#4. What is wrong with ACL 105?
access-list 105 permit tcp any any
access-list 105 deny tcp host 201.141.0.3 any
#5. What well-known TCP port does Oracle Database (sql net) server use?
#6. A company is managing an Oracle Database located on a Public Server to support day-to-day operations in the Dallas and Chicago networks. The company has requested its Internet Access Provider (ISP) to create the necessary ACL at the ISP router, ensuring that only responses from the Oracle server to certain hosts are allowed to enter the Dallas and Chicago LANs.
ISP network engineers decided to use an extended ACL and applied it to the F0/0 interface of the ISP router. Why did they decide to create an extended ACL and apply it on interface F0/0 for inbound traffic?
#7. Copy below the ISP router’s initial running-config file from page 2, and add the commands needed to create and apply the ACL in the ISP router.
Answer all questions in this document and upload it in Week 3 iLab Dropbox.
Revision Date: 1103
Access Control List & its Types
Access Control Lists (ACLs) can be used for two purposes:
1. To filter traffic
2. To identify traffic
Access lists are sets of rules, organized in a rule table. Each rule, or line, in an access list provides a
condition and an action, either permit or deny.
Access lists are used to filter unwanted packets when implementing security policies.
Access lists can be used to permit or deny packets moving through the router, and to permit or deny Telnet
access to or from a router.
Applying an access list on an interface doesn’t stop routing advertisements; it just controls their
content. Once lists are built, they can be applied to either inbound or outbound traffic on any interface.
There are a few important rules that a packet follows when it is being compared with an access list:
1. It is always compared with each line of the access list in sequential order, i.e. the comparison always starts
with the first line of the access list, then goes to line 2, then line 3, and so on.
2. It is compared with lines of the access list only until a match is made. Once the packet matches
the condition on a line of the access list, the packet is acted upon, and no further comparisons
take place.
3. There is an implicit “deny” at the end of each access list. This means that if a packet doesn’t
match the condition on any of the lines in the access list, the packet will be discarded.
When activating an ACL on an interface, you must specify in which direction the traffic should be
filtered:
Inbound Access Lists
When an access list is applied to inbound packets on an interface, those packets are processed through
the access list before being routed to the outbound interface. Any packets that are denied won’t be
routed, because they are discarded before the routing process is invoked.
Outbound Access Lists
When an access list is applied to outbound packets on an interface, those packets are routed to the
outbound interface and then processed through the access list before being queued.
Data Flow Diagram of ACL
Universal facts about access control lists:
1. ACLs come in two varieties: numbered and named.
2. Each of these ACL types supports two kinds of filtering: standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a packet.
4. Extended IP ACLs can filter on both the source and destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed; therefore, order is important.
8. If no match is found, the implicit deny statement at the end of the ACL drops the
packet.
9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because
of the hidden implicit deny statement at the end of every ACL.
Access List Ranges
Type                          Range
IP Standard                   1–99
IP Extended                   100–199
IP Standard Expanded Range    1300–1999
IP Extended Expanded Range    2000–2699
Placement of ACLs
1. Standard ACLs should be placed as close to the destination devices as possible.
2. Extended ACLs should be placed as close to the source devices as possible.
There are some general access-list guidelines:
1. You can assign only one access list per interface, per protocol, per direction. This means that
when creating IP access lists, you can have only one inbound access list and one outbound access
list per interface.
2. Organize your access lists so that the more specific tests are at the top of the access list.
3. Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a
text editor for access lists is highly suggested.
4. You cannot remove one line from a numbered access list. If you try to do this, you will remove the entire
list. It is best to copy the access list to a text editor before trying to edit the list. The only
exception is when using a named access list.
5. Unless your access list ends with a permit any command, all packets will be discarded if they do
not match any of the lines. Every list should have at least one permit statement, or it will deny all
traffic.
6. Create access lists and then apply them to an interface. An access list that is not applied to any
interface does nothing.
7. Access lists are designed to filter traffic going through the router. They will not filter traffic that
has originated from the router.
8. Place IP standard access lists as close to the destination as possible. This is the reason we don’t
really want to use standard access lists in our networks: because a standard access list can only filter
on the source address, placing it close to the source host or network would block that source’s traffic
to every destination, and nothing would be forwarded.
9. Place IP extended access lists as close to the source as possible. Since extended access lists can
filter on very specific addresses and protocols, you don’t want your traffic to traverse the entire
network and then be denied. By placing this list as close to the source address as possible, you
can filter traffic before it uses up your precious bandwidth.
There are two types of access lists:
Standard Access List
These use only the source IP address in an IP packet as the condition test. All decisions are made based
on the source IP address. This means that standard access lists basically permit or deny an entire suite of
protocols. They don’t distinguish between the many kinds of IP traffic such as WWW, Telnet, UDP,
etc.
You are telling the router that you want to create a standard IP access list, so the router will expect
syntax specifying only the source IP address in the test lines.
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
The next step requires a more detailed explanation. There are three options available. You can use the
any parameter to permit or deny any host or network. You can use an IP address to specify either a
single host or a range of them. Or you can use the host command to specify a specific host only. The any
command is pretty obvious: any source address matches the statement, so every packet compared
against this line will match. The host command is relatively simple.
Router (config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other
words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.
But there’s another way to specify either a particular host or a range of hosts – you can use wildcard
masking.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a
network or networks. Some of the different block sizes available are 64, 32, 16, 8 and 4.
Wildcards are used with the host or network address to tell the router the range of addresses to
filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in
the address must match exactly. To specify that an octet can be any value, the value 255 is used. As
an example, here’s how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match the first three octets exactly, but the fourth octet can be any value.
Let’s say that you want to block access to the part of the network that ranges from 172.16.8.0 through
172.16.15.0.
That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be
0.0.7.255. Whoa!
What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard
tell the router to start at 172.16.8.0 and go up a block size of eight networks to network 172.16.15.0.
Router (config)#access-list 10 deny 172.16.10.0 0.0.0.255
This example tells the router to match the first three octets exactly, but the fourth octet can be
anything.
Router (config)#access-list 10 deny 172.16.0.0 0.0.255.255
This example tells the router to match the first two octets and that the last two octets can be any value.
Router (config)#access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The
range would then be 172.16.16.0 through 172.16.19.0.
Router (config)#access-list 10 deny 172.16.16.0 0.0.7.255
This example shows an access list starting at 172.16.16.0 and going up a block size of 8 to
172.16.23.0.
Router (config)#access-list 10 deny 172.16.32.0 0.0.15.255
This example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0.
Router (config)#access-list 10 deny 172.16.64.0 0.0.63.255
This example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.
Router (config)#access-list 10 deny 192.168.160.0 0.0.31.255
This example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255.
Block size ranges (the third octet always starts on a multiple of the block size):
Block size 8: 0 to 7, 8 to 15, 16 to 23
Block size 32: 0 to 31, 32 to 63, 64 to 95
The command any is the same thing as writing out the wildcard
0.0.0.0 255.255.255.255
Extended Access List
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP
packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer
header, and the port number in the Transport layer header. This gives extended access lists the ability to
make much more granular decisions when controlling traffic.
By using extended access lists, you can effectively allow users access to a physical LAN and stop them
from accessing specific hosts or even specific services on those hosts.
Router (config) #access-list 110 deny tcp ?
Router (config) #access-list 110 deny tcp any host 172.16.30.2 ?
Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq ?
You can choose a port number or use the application or protocol name. At this point, let’s block Telnet
(port 23) to host 172.16.30.2 only. If the users want to FTP, fine, that’s allowed. The log keyword is
used to log a message every time the access list entry is hit. This can be an extremely cool way to monitor
inappropriate access attempts.
Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq 23 log
You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list
to an interface as it stands, you might as well just shut the interface down, since there is an implicit deny
all at the end of every access list. You’ve got to follow up the access list with the following command.
Router (config) #access-list 110 permit ip any any
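To make the wildcard blocks above and the first-match/implicit-deny rule concrete, here is an added example (not from the study guide) that parses the access-list lines shown on this page and evaluates a packet against them the way the router does. The port-name table is a constructed subset of the names IOS accepts after eq.

```python
import ipaddress

# Constructed subset of the port names IOS accepts after "eq"
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "snmp": 161}
ANY = ("0.0.0.0", "255.255.255.255")          # "any" = network 0.0.0.0 wildcard 255.255.255.255

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF        # inverse of the wildcard = bits that must match
    return (_ip(addr) & care) == (_ip(network) & care)

def wildcard_range(network, wildcard):
    """First and last address of the block described by network/wildcard."""
    n, w = _ip(network), _ip(wildcard)
    return str(ipaddress.IPv4Address(n & ~w)), str(ipaddress.IPv4Address(n | w))

def _addr_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; a bare address means host."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():     # next token is a wildcard mask
        return t, tokens.pop(0)
    return t, "0.0.0.0"

def parse_ace(line):
    """Parse one 'access-list <n> permit|deny ...' line into a dict."""
    tok = line.split()
    if tok[-1] == "log":                      # logging does not affect the match
        tok.pop()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if num < 100:                             # standard list: source address only
        return {"action": action, "proto": "ip", "src": _addr_spec(rest), "dst": ANY, "port": None}
    proto = rest.pop(0)
    src, dst = _addr_spec(rest), _addr_spec(rest)
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """Walk the list top down; the first matching entry wins; no match = implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"                             # the implicit deny any at the end of every ACL
```

Feeding it the two-line list 110 from the text shows Telnet to 172.16.30.2 denied, FTP to the same host permitted, and everything denied again if the permit ip any any line is left off.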
Once the access list is created, you need to apply it to an interface, inbound or outbound:
Router (config-if) #ip access-group 110 in
Router (config-if) #ip access-group 110 out
Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by
number, which is not too descriptive of their use. With a named ACL, this is not the case because you can
give your ACL a descriptive name. An ACL named DenyMike is a lot more meaningful than an ACL
simply numbered 1. There are both IP standard and IP extended named ACLs.
Another advantage of named ACLs is that they allow you to remove individual lines from an ACL. With
numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing
access list and re-create the entire list.
Named access lists are just another way to create standard and extended lists.
Router (config) #ip access-list ?
Notice that I started with ip access-list, not access-list. This allows me to enter a named access list.
Router (config) #ip access-list standard BlockSales
I’ve specified a standard access list, and then added a name: BlockSales. Notice that I could’ve used a
number for a standard access list, but instead, I chose to use a descriptive name.
Router (config-std-nacl) #deny 172.16.40.0 0.0.0.255
Router (config-std-nacl) #permit any
Router (config-std-nacl) #exit
Router (config) #int e1
Router (config-if) #ip access-group BlockSales out
Router (config-if) #exit
Commands used to verify access list configuration:
1. show access-lists - Displays all access lists and their parameters configured on the router. This
command does not show you which interface the list is set on.
2. show access-lists 110 - Shows only the parameters for access list 110. This command does not
show you the interface the list is set on.
3. show ip access-lists - Shows only the IP access lists configured on the router.
4. show ip interface - Shows which interfaces have access lists set.
5. show running-config - Shows the access lists and which interfaces have access lists set.
6. Remarks
The remark keyword is really important because it arms you with the ability to include
comments, or rather remarks, regarding the entries you’ve made in both your IP standard and
extended ACLs. Even though you have the option of placing your remarks either before or after a
permit or deny statement, I totally recommend that you choose to position them consistently so
you don’t get confused about which remark is relevant to which one of your permit or deny
statements.
Router (config) #access-list 110 remark permit Bob from sales only to finance
Router (config) #access-list 110 permit ip host 172.16.40.1 172.16.30.0 0.0.0.255
7. Blocking SNMP Packets
Router (config) #access-list 110 deny udp any any eq snmp
Router (config) #int s0/0
Router (config-if) #ip access-group 110 in
8. Disabling Echo
Router (config) #no service tcp-small-servers
Router (config) #no service udp-small-servers
9. Turning off BOOTP and Auto-Config
Router (config) #no ip bootp server
Router (config) #no service config
10. Disabling HTTP Interface
Router (config) #no ip http server
11. Disabling IP Source Routing
Router (config) #no ip source-route
12. Disabling Proxy ARP
Router (config) #int fa0/0
Router (config-if) #no ip proxy-arp
13. Disabling ICMP Redirect Messages
Router (config) #int s0/0
Router (config-if) #no ip redirects
14. Disabling the Generation of ICMP Unreachable Messages
Router (config) #int s0/0
Router (config-if) #no ip unreachables
15. Disabling Multicast Route Caching
Router (config) #int s0/0
Router (config-if) #no ip mroute-cache
16. Disabling the Maintenance Operation Protocol (MOP)
Router (config) #int s0/0
Router (config-if) #no mop enabled
17. Turning off the X.25 PAD Service
Router (config) #no service pad
18. Enabling the Nagle TCP congestion Algorithm
Router (config) #service nagle
19. Logging Every Event
Router (config) #logging trap debugging
Router (config) #logging 192.168.254.251
Router #sh logging
20. Disabling Cisco Discovery Protocol
Router (config) #no cdp run
For interface
Router (config-if) #no cdp enable
21. Disabling the Default Forwarded UDP Protocols
When you use the ip helper-address command as follows on an interface, your router will forward
UDP broadcasts to the listed server or servers:
Router (config) #int fa0/0
Router (config-if) #ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client
requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server
request), it forwards seven other ports by default as well. To disable the unused ports, use the
following commands.
Router (config) #no ip forward-protocol udp 69
Router (config) #no ip forward-protocol udp 53
Router (config) #no ip forward-protocol udp 37
Router (config) #no ip forward-protocol udp 137
Router (config) #no ip forward-protocol udp 138
Router (config) #no ip forward-protocol udp 68
Router (config) #no ip forward-protocol udp 49
Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to
forward a certain port—say, TACACS+, for example—use the following command:
Router (config) #ip forward-protocol udp 49
22. Cisco’s Auto Secure
Router #auto secure