Published in: Education
1. Basic IP Traffic Management with Access Control Lists
2. Chapter Objectives
   - Introduce ACL concepts
   - Explain the types of ACL
   - Configure ACL
   - Introduce wildcard masks
   - Verify ACL
3. Recall - I
   - IGRP is a distance-vector routing protocol, which implies that each router sends all or part of its routing table in a routing update message.
   - EIGRP was created using IGRP as the base and adding functionality to enhance IGRP.
   - The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which determines the shortest route to each destination.
   - When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network.
4. Recall - II
   OSPF provides the following advantages:
   - Open protocol
   - Loop-free topology
   - Scalable
   - Hierarchical design
   - Provides multicasting
   There are different OSPF area types that help to handle external routes:
   - Normal area
   - Stub area
   - Totally stubby area
   - Not-so-stubby area
5. Access Control List - I
   An Access Control List (ACL) is a set of commands, grouped together, that filters the traffic entering or leaving an interface. The functions of ACLs include the following:
   - Reduce network traffic and increase network performance
   - Control the flow of traffic in the network
   - Provide security for network access
   - Decide which type of traffic is forwarded or restricted on an interface
6. Access Control List - II
   You must also specify one of the following directions in which the traffic is filtered:
   - Inbound
   - Outbound
   Access lists are available in two types:
   - Numbered ACL
   - Named ACL
   Each of these supports two types:
   - Standard ACL
   - Extended ACL
7. ACL Processing
   An ACL is a group of statements identified by a name or number. When the router processes a packet against an ACL, it works through the statements to find one that matches the packet. The router processes the statements top-down: if the packet does not match the first statement, the router continues with the next statement, following the same process. The first statement that matches decides what happens to the packet; if no statement matches, the packet is dropped by the implicit deny at the end of every ACL.
8. Configuring ACL
   You must know the guidelines to configure an ACL. Use the access-list command to create an ACL. The syntax is:
      access-list ACL_# permit|deny conditions
   To activate the ACL on an interface, enter the following at the command prompt:
      interface type slot_#/port_#
      ip access-group ACL_# in|out
9. ACL Numbers and Protocol Types - I
   Type                            Numbers
   IP Standard                     1-99, 1300-1999
   Standard Vines                  1-99
   IP Extended                     100-199, 2000-2699
   Extended Vines                  100-199
   Bridging type code (layer-2)    200-299
   DECnet                          300-399
   Standard XNS                    400-499
   Extended XNS                    500-599
   AppleTalk                       600-699
10. ACL Numbers and Protocol Types - II
   Type                                   Numbers
   Bridging MAC address and vendor code   700-799
   IPX Standard                           800-899
   IPX Extended                           900-999
   IPX SAP filters                        1000-1099
   Extended transparent bridging          1100-1199
   IPX NLSP                               1200-1299
11. Editing Entries
   You may need to add, delete or modify an entry in an ACL. In a numbered ACL you cannot delete a specific entry; the no access-list command deletes the entire list. Its syntax is:
      no access-list ACL_#
12. Wildcard Masking
   Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address manually. A 0 or 1 in a bit position of the wildcard mask means the following:
   - 0 - the bit in the ACL statement address must match the corresponding bit in the IP address of the packet being examined
   - 1 - the bit in the ACL statement address does not have to match the corresponding bit in the IP address of the packet being examined
13. Subnet Mask and Wildcard Mask Values
   Bit Value   Subnet Mask          Wildcard Mask
   0           Host component       Must match
   1           Network component    Ignore
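To make the bit rules and the table above concrete, here is an added Python example (not part of the slides) that inverts subnet masks into wildcard masks and tests addresses against a statement address and wildcard; the addresses are constructed samples, and the last case shows that a wildcard mask need not be a contiguous inverted subnet mask.

```python
# Added example, not from the slides: wildcard-mask arithmetic for IOS ACLs.
# Wildcard bit 0 = "must match", 1 = "ignore"; sample addresses are constructed.
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert every bit of a subnet mask: 255.255.252.0 -> 0.0.3.255."""
    return _to_ip(_to_int(subnet_mask) ^ 0xFFFFFFFF)

def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard for a /prefix network: /24 -> 0.0.0.255, /32 (a host) -> 0.0.0.0."""
    return _to_ip((1 << (32 - prefix_len)) - 1)

def wildcard_match(statement_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True when every bit the wildcard marks 0 is identical in both addresses."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF        # bits that must match
    return (_to_int(statement_addr) & care) == (_to_int(packet_addr) & care)

if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.252.0"))                       # 0.0.3.255
    print(wildcard_match("172.16.0.0", "0.0.3.255", "172.16.2.9"))   # True
    print(wildcard_match("172.16.0.0", "0.0.3.255", "172.16.4.1"))   # False
    # wildcard 0.0.0.0 is a host entry: every bit must match
    print(wildcard_match("10.1.1.5", "0.0.0.0", "10.1.1.6"))         # False
    # the 1 bits need not be contiguous: 10.1.2.0 with 0.0.1.255 covers 10.1.2.x and 10.1.3.x
    print(wildcard_match("10.1.2.0", "0.0.1.255", "10.1.3.200"))     # True
```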
14. Standard Numbered ACL
   You create an entry in a standard numbered IP ACL with the access-list command. The syntax is:
      access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
   After creating the standard ACL, you must activate it on the router's interface with the ip access-group command:
      ip access-group ACL_number in|out
15. Extended Numbered ACLs
   Extended numbered ACLs are more flexible than standard ACLs. The syntax of the command to configure an extended numbered ACL is:
      access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
16. TCP and UDP
   An extended ACL can filter traffic on IP protocols such as TCP and UDP. The syntax for an extended ACL entry for TCP or UDP is:
      access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]
17. Operators for TCP and UDP Connections
   Operator   Description
   lt         Less than
   gt         Greater than
   neq        Not equal to
   eq         Equal to
   range      Range of port numbers
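The extended ACL syntax and the port operators above can be exercised with this added Python evaluator (example code, not from the slides or from Cisco): it parses extended ACL statements with the any/host address forms and the lt/gt/eq/neq/range operators, then applies them top-down with first match and the implicit deny that ends every IOS ACL. Port names are taken from the deck's TCP and UDP port tables; the ACL lines and packets are constructed samples.

```python
# Added example (not from the slides): evaluator for the extended ACL syntax above; inputs are constructed.
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}  # names from the deck's port tables
OPS = {"lt": lambda p, a: p < a, "gt": lambda p, a: p > a,
       "eq": lambda p, a: p == a, "neq": lambda p, a: p != a}

def _to_int(a): return int(ipaddress.IPv4Address(a))
def _port(tok): return PORT_NAMES.get(tok) or int(tok)

def _wc_match(addr, wildcard, packet_addr):
    care = _to_int(wildcard) ^ 0xFFFFFFFF           # wildcard bit 0 = must match, 1 = ignore
    return _to_int(addr) & care == _to_int(packet_addr) & care

def _parse_addr(t):                                # any | host A | A WILDCARD
    if t[0] == "any":  return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host": return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def _parse_port(t):                                # optional lt|gt|eq|neq PORT or range LO HI
    if t and t[0] == "range":
        lo, hi = _port(t[1]), _port(t[2])
        return (lambda p: lo <= p <= hi), t[3:]
    if t and t[0] in OPS:
        op, arg = OPS[t[0]], _port(t[1])
        return (lambda p: op(p, arg)), t[2:]
    return (lambda p: True), t                      # no operator: any port matches

def parse_ace(line):
    t = line.split()   # access-list N permit|deny proto src [op port] dst [op port] [established] [log]
    action, proto, t = t[2], t[3], t[4:]
    src, t = _parse_addr(t); sport, t = _parse_port(t)
    dst, t = _parse_addr(t); dport, t = _parse_port(t)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt):  # top-down, first match wins; no match falls through to the implicit deny
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", pkt["proto"])
                and _wc_match(*ace["src"], pkt["src"]) and _wc_match(*ace["dst"], pkt["dst"])
                and ace["sport"](pkt.get("sport", 0)) and ace["dport"](pkt.get("dport", 0))):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

ACL_101 = [  # constructed sample: no telnet from the LAN to the server, allow everything else
    "access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq telnet",
    "access-list 101 permit ip any any",
]
```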
18. TCP Port Names and Numbers
   Name          Command Parameter   Number
   FTP Data      ftp-data            20
   FTP Control   ftp                 21
   Telnet        telnet              23
   SMTP          smtp                25
   WWW           www                 80
19. UDP Port Names and Numbers
   Name        Command Parameter   Number
   DNS Query   dns                 53
   TFTP        tftp                69
   SNMP        snmp                161
   IP RIP      rip                 520
20. ICMP
   ICMP is one of the protocols used with extended ACLs. ICMP does not use ports like TCP and UDP; instead, the entry can name an ICMP message type. The syntax for filtering ICMP traffic is:
      access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
21. ICMP Messages
   Message Type                  Description
   administratively-prohibited   Specifies that the packet is filtered
   echo                          Enables you to check the destination
   echo-reply                    Displays a message in response to the echo message created by ping
   host-unreachable              Specifies that the subnet is reachable, but the host is not responding
   net-unreachable               Specifies that the network or subnet is not reachable
   traceroute                    Enables you to filter based on the traceroute information
22. Controlling Telnet Access to a Router
   A standard IP ACL applied with the access-class command controls telnet access to the router. The syntax of this command is:
      access-class standard_ACL_# in|out
   Cisco routers let you restrict telnet access for normal users; you can configure the router to allow telnet access only from the network administrators' systems.
23. Named ACLs
   Named ACLs support both IP and IPX protocols. The ip access-list command creates a named ACL. The syntax for this command is:
      ip access-list standard|extended ACL_name
   After creating a named ACL, you have to activate it on the router interface with the ip access-group command:
      ip access-group ACL_name in|out
24. Verifying and Monitoring Access Control Lists
   To view the ACLs that are activated on the router's interfaces, use the following command:
      show ip interfaces
   Cisco IOS lets you monitor each statement in an ACL. To view the statements in an ACL, use the following commands:
      show access-lists [ACL_#_or_name]
      show ip access-list [ACL_#_or_name]
25. Placing ACLs
   You have to decide the placement of the ACL depending on the source and destination addresses to be filtered. You must consider the following while placing the ACLs:
   - Standard ACL
   - Extended ACL
26. Case Study
   The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from their client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.
27. Network of the Organization
28. Problem
   Placement of the standard ACL on the router
29. Suggested Solution
   You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important: the engineers should be allowed to access all the other computers in the network, but not the server.
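As an added illustration of the case study and of the placement rule for standard ACLs (example code, not the deck's own; the topology, addresses, ACL number and interface names are constructed), the following Python router model applies the same standard ACL outbound on the server interface and, for contrast, inbound on the engineers' interface, where it would also cut the engineers off from the rest of the network.

```python
# Added example (not from the slides): a router model showing why a standard ACL,
# which matches on source address only, belongs close to the destination.
# Topology, addresses and interface names below are constructed.
import ipaddress

def _to_int(a): return int(ipaddress.IPv4Address(a))

def wc_match(addr, wildcard, packet_addr):
    care = _to_int(wildcard) ^ 0xFFFFFFFF      # wildcard bit 0 = must match
    return _to_int(addr) & care == _to_int(packet_addr) & care

def standard_acl(entries, src):
    """entries: [(action, addr, wildcard)], evaluated top-down on the source address."""
    for action, addr, wildcard in entries:
        if wc_match(addr, wildcard, src):
            return action
    return "deny"                               # implicit deny

class Router:
    def __init__(self, routes):                 # routes: {"net/prefix": egress interface}
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.acls = {}                          # (interface, "in"|"out") -> entries
    def ip_access_group(self, interface, direction, entries):
        self.acls[(interface, direction)] = entries
    def _drops(self, interface, direction, src):
        entries = self.acls.get((interface, direction))   # no ACL applied -> nothing filtered
        return entries is not None and standard_acl(entries, src) == "deny"
    def forward(self, ingress, src, dst):
        """Apply the inbound ACL, route, then apply the outbound ACL; return the decision."""
        if self._drops(ingress, "in", src):
            return f"dropped on {ingress} in"
        egress = next(i for n, i in self.routes.items() if ipaddress.ip_address(dst) in n)
        if self._drops(egress, "out", src):
            return f"dropped on {egress} out"
        return f"forwarded via {egress}"

ROUTES = {"192.168.20.0/24": "Fa0/0",   # engineers
          "192.168.30.0/24": "Fa0/1",   # other staff
          "10.0.0.0/24": "Fa0/2"}       # the server, 10.0.0.5
ANY = ("0.0.0.0", "255.255.255.255")
ACL_10 = [("deny", "192.168.20.0", "0.0.0.255"), ("permit", *ANY)]

def router_close_to_destination():           # ACL outbound on the server interface
    r = Router(ROUTES); r.ip_access_group("Fa0/2", "out", ACL_10); return r

def router_close_to_source():                # same ACL inbound on the engineers' interface
    r = Router(ROUTES); r.ip_access_group("Fa0/0", "in", ACL_10); return r
```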
30. Summary - I
   An access control list is a set of commands, grouped together, that filters the traffic entering or leaving an interface. An ACL is a group of statements identified by a name or number; when the router processes a packet against an ACL, it works through the statements to find one that matches. After building an IP ACL, you have to apply it to a process in the IOS. Extended numbered ACLs are more flexible than standard ACLs.
31. Summary - II
   If the router finds a match between the packet and a statement, it executes one of the two actions included with the statement:
   - Permit
   - Deny
   A need may arise to add, delete or modify an entry in an ACL; in a numbered ACL you cannot delete a specific entry. To handle IP addresses in ACL statements, wildcard masks can be used to match a range of addresses instead of entering each one manually.
32. Summary - III
   A wildcard mask is similar to an inverted subnet mask: to match any address in a subnet or network, take the subnet mask and invert its bit values. You must consider the following while placing ACLs:
   - Standard ACL - place it close to the destination device that you want to prevent the source from reaching.
   - Extended ACL - place it close to the source device; an extended ACL can filter on both the source and the destination address.
