Access Control Lists Lecture 1

dingdongboom, Networks and Communications

27 Oct 2013 (3 years and 9 months ago)


PJC CCNA Semester 2, Ver. 3.0

by William Kelly


ACL Definition

An ACL is a sequential group of permit and/or deny statements that control the flow of particular protocols or protocol suites in or out of an interface to a specific host or group of hosts.




ACL Concepts

Applied to a router’s interface

Traffic is forwarded or blocked

Each protocol must have its own ACL defined (you are only allowed one ACL per protocol, per port, per direction)


Why Use ACLs?

Controlling traffic can increase network performance

Distribution of routing updates can be controlled

Security can be added at the network boundary

Specific types of traffic can be permitted or blocked

An administrator controls what areas a client can access

Screen certain hosts to either allow or deny access to part of a network




Calculate number of ACLs

2 ports, each port running IP, IPX

2 ports, each port running IP, IPX, AppleTalk

(Remember you need an ACL for each protocol in each direction on each port)



How ACLs Work

Packets enter the interface

If the packets are routable then they are routed toward the outbound interface

If there is no access list then the packets proceed out the outbound interface

If there is an ACL then the packets are filtered using the sequential ACL statements


ACL Basic Flowchart

How does a router process an ACL?

Does the Layer 2 address match?

Is there an inbound ACL?

Is there an outbound ACL?

Creating Standard ACLs

ACL statements must be in the correct order! (Use a flowchart to plan your logic)

ACLs can’t be modified (only created and deleted). Use a text editor to write your ACLs

Configuring ACLs

ACLs are created in Global Configuration Mode

Standard ACLs are 1-99 and Extended ACLs are 100-199

Plan your ACLs in a flowchart considering the protocol or protocol suite, host or group of hosts, and interface and direction of filtering

Configuring ACLs (cont.)

Define ACL

Router(config)# access-list access-list-num {permit | deny} {test conditions}

Apply ACL to interface

Router(config-if)# {protocol} access-group access-list-number


Points to remember when creating ACLs

Outbound ACLs are more efficient

If you need to alter an ACL use no access-list list-number

(Remember you can’t modify a standard ACL so you must erase it and create it again with your changes. This is why you should create ACLs in a text file)

(See Basic Rules in Online Curriculum)

Wildcard Mask Bits

Wildcard mask bits appear “similar” to a reverse subnet mask but have NO RELATIONSHIP TO SUBNET MASKS!!

0 means check a position

1 means don’t check a position



Common Wildcard Commands and Abbreviations

permit 0.0.0.0 255.255.255.255 is the same as permit any

permit 181.16.1.1 0.0.0.0 is the same as permit host 181.16.1.1 (ONLY A PARTICULAR HOST IS MATCHED!!)

Commands to verify ACLs

show ip interface: indicates whether any ACLs are set

show access-lists: displays the contents of all the ACLs

show running-config: also shows access lists and the interface to which they are assigned

Standard ACLs

Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite

Use numbers 1-99

Only 1 protocol per port per interface is allowed

Can only check source address, so they should be put as close to the destination as possible

Extended ACLs

Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite/protocol and/or port/group of ports

Use numbers 100-199

Only 1 protocol per port per interface is allowed

Can check source and destination address, so they should be put as close to the source as possible
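The following simulator is an added example, not code from the lecture or from Cisco IOS. It ties together the slides on how ACLs work, wildcard mask bits, the "any"/"host" abbreviations, and the standard (1-99, source only) versus extended (100-199, protocol, source, destination, optional "eq port") lists: it parses access-list lines in the order given, walks them top to bottom, stops at the first match, and falls through to the implicit deny. The sample lists reuse the slide's 181.16.1.1 host; every other address, port and list number is constructed for the example, and only IPv4 and the keywords shown are modelled.

```python
# Added example, not part of the original slides: a small simulator of how an
# IOS router walks a numbered ACL. Models wildcard-mask matching (0 = check the
# bit, 1 = ignore it), the "any"/"host" abbreviations, sequential first-match
# evaluation, standard lists (1-99) versus extended lists (100-199), and the
# implicit "deny any" at the end of every list. Assumption: IPv4 only, and only
# the keywords used in the lecture (any, host, eq) are parsed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" == 0.0.0.0 255.255.255.255


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks with 0 is equal in addr and base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    check = ~w & 0xFFFFFFFF            # 0 in the wildcard -> 1 in the check mask
    return (a & check) == (b & check)


def _is_ipv4(tok: str) -> bool:
    try:
        IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1   # bare address: wildcard defaults to 0.0.0.0


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" matches every IP protocol
    src: Tuple[str, str]               # (base, wildcard)
    dst: Tuple[str, str]               # standard lists: always ANY
    dst_port: Optional[int] = None     # from "eq <port>", extended lists only


def parse_acl(config_lines: List[str]) -> List[Entry]:
    """Parse 'access-list <num> ...' lines, keeping the order given (order is significant)."""
    entries: List[Entry] = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue                                   # skip blank or foreign lines
        number, action = int(tokens[1]), tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if 1 <= number <= 99:                          # standard: source address only
            src, _ = _parse_addr(tokens, 3)
            entries.append(Entry(action, "ip", src, ANY))
        elif 100 <= number <= 199:                     # extended: protocol, src, dst, port
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
            entries.append(Entry(action, proto, src, dst, port))
        else:
            raise ValueError(f"unsupported list number {number}")
    return entries


def evaluate(entries: List[Entry], src: str, dst: str,
             protocol: str = "ip", dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching entry). First match wins;
    reaching the end of the list is the implicit 'deny any' (index None)."""
    for n, e in enumerate(entries, start=1):
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, n
    return "deny", None


# Constructed sample lists (addresses other than 181.16.1.1 are made up).
STANDARD_ACL = [
    "access-list 10 deny 181.16.1.1 0.0.0.0",        # same as: deny host 181.16.1.1
    "access-list 10 permit 181.16.1.0 0.0.0.255",    # the rest of 181.16.1.0/24
]
REORDERED_ACL = list(reversed(STANDARD_ACL))         # same statements, wrong order
EXTENDED_ACL = [
    "access-list 101 deny tcp any host 10.1.1.5 eq 23",     # block telnet to one server
    "access-list 101 permit ip 181.16.0.0 0.0.255.255 any", # then allow the 181.16/16 block
]

if __name__ == "__main__":
    print(evaluate(parse_acl(STANDARD_ACL), "181.16.1.1", "10.1.1.5"))         # ('deny', 1)
    print(evaluate(parse_acl(REORDERED_ACL), "181.16.1.1", "10.1.1.5"))        # ('permit', 1)
    print(evaluate(parse_acl(EXTENDED_ACL), "181.16.3.4", "10.1.1.5", "tcp", 23))  # ('deny', 1)
```

The REORDERED_ACL case is the slide's "statements must be in the correct order" point in miniature: with the network permit listed first, the host deny never fires because evaluation stops at the first match. Running a planned list through a check like this before pasting it from your text file into global configuration mode catches that class of mistake, and the "deny, None" result for unmatched traffic is a reminder that a list with only deny statements blocks everything.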



Named ACLs

Names for standard and extended ACLs can be alphanumeric strings

Use deny/no deny or permit/no permit to change conditions of a named standard or extended ACL

You can’t use the same alphanumeric name twice!