Access Control Lists Lecture 1
PJC CCNA Semester 2 Ver. 3.0
by
William Kelly
ACL Definition
An ACL is a sequential group of permit and/or deny statements that control the flow of particular protocols or protocol suites in or out of an interface, to a specific host or group of hosts.
ACL Concepts
Applied to a router's interface
Traffic is forwarded or blocked
Each protocol must have its own ACL defined (you are only allowed one ACL per protocol, per port, per direction)
Why Use ACLs?
Controlling traffic can increase network performance
Distribution of routing updates can be controlled
Security can be added at the network boundary
Specific types of traffic can be permitted or blocked
An administrator controls what areas a client can access
Screen certain hosts to either allow or deny access to part of a network
Calculate the Number of ACLs
2 ports, each port running IP, IPX
2 ports, each port running IP, IPX, AppleTalk
(Remember you need an ACL for each protocol in each direction on each port)
How ACLs Work
Packets enter the interface
If the packets are routable then they are routed toward the outbound interface
If there is no access list then the packets proceed out the outbound interface
If there is an ACL then the packets are filtered using the sequential ACL statements
ACL Basic Flowchart
[Flowchart recovered from the slide text]
Packets enter
Match 1st test? Yes: permit or deny as the statement says. No: go to the next test
Match 2nd test? Yes: permit or deny as the statement says. No: go to the next test
Match last test? Yes: permit or deny as the statement says. No: implicit deny, packets discarded
How does a Router Process an ACL?
Does the Layer 2 address
match?
Is there an inbound ACL?
Is there an outbound ACL?
Creating Standard ACLs
ACL statements must be in the correct order! (Use a flowchart to plan your logic)
ACLs can't be modified (only created and deleted). Use a text editor to write your ACLs
Configuring ACLs
ACLs are created in Global Configuration Mode
Standard ACLs are 1-99 and Extended ACLs are 100-199
Plan your ACLs in a flowchart considering the protocol or protocol suite, host or group of hosts, and interface and direction of filtering
Configuring ACLs (cont.)
Define the ACL (global configuration mode):
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Apply the ACL to an interface (interface configuration mode), giving the direction it filters:
Router(config-if)# {protocol} access-group access-list-number {in | out}
Points to remember when creating ACLs
Outbound ACLs are more efficient
If you need to alter an ACL use no access-list list-number
(Remember you can't modify a standard ACL, so you must erase it and create it again with your changes. This is why you should create ACLs in a text file)
(See Basic Rules in Online Curriculum)
Wildcard Mask Bits
Wildcard mask bits appear "similar" to a reverse subnet mask but have NO RELATIONSHIP TO SUBNET MASKS!!
0 means check a position
1 means don't check a position
Common Wildcard Commands and Abbreviations
permit 0.0.0.0 255.255.255.255 is the same as permit any
permit 181.16.1.1 0.0.0.0 is the same as permit host 181.16.1.1 (ONLY A PARTICULAR HOST IS MATCHED!!)
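The following is an added worked example, not part of the lecture slides and not Cisco IOS code: a small Python model of how a standard IP ACL is evaluated. It ties together three slides above: the top-to-bottom test sequence with the implicit deny at the end, the wildcard mask rule (0 bit = check, 1 bit = don't check) and the "host" / "any" abbreviations. The function names (parse_standard_acl, evaluate, wildcard_match, reordered_decision) and the sample ACL are constructed for this example; the address 181.16.1.1 is the one used on the slide.

```python
"""Model of standard IP ACL evaluation (added example; hypothetical helper names)."""
import ipaddress
from dataclasses import dataclass

IPV4_MASK = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard rule: every bit where the wildcard is 0 must match exactly;
    bits where the wildcard is 1 are not checked at all."""
    w = ip_to_int(wildcard)
    differing_bits = ip_to_int(packet_addr) ^ ip_to_int(ace_addr)
    return (differing_bits & (~w & IPV4_MASK)) == 0


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    address: str
    wildcard: str


def parse_standard_acl(lines):
    """Parse statements of the form
         access-list <1-99> {permit|deny} <addr> [<wildcard>]
         access-list <1-99> {permit|deny} host <addr>
         access-list <1-99> {permit|deny} any
    and return (acl_number, [Ace, ...]) in statement order."""
    number, aces = None, []
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue
        num = int(tokens[1])
        if not 1 <= num <= 99:
            raise ValueError(f"{num} is outside the standard ACL range 1-99")
        if number is None:
            number = num
        elif num != number:
            raise ValueError("all statements must belong to the same list")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rest = tokens[3:]
        if rest == ["any"]:                       # 'any' == 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest and rest[0] == "host":          # 'host A' == A 0.0.0.0
            address, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:                      # omitted wildcard defaults to 0.0.0.0
            address, wildcard = rest[0], "0.0.0.0"
        else:
            address, wildcard = rest[0], rest[1]
        aces.append(Ace(action, address, wildcard))
    return number, aces


def evaluate(aces, packet_src: str):
    """Walk the list top to bottom; the first matching statement decides.
    If no statement matches, the implicit deny discards the packet.
    Returns (decision, index of the matching statement or None)."""
    for i, ace in enumerate(aces):
        if wildcard_match(packet_src, ace.address, ace.wildcard):
            return ace.action, i
    return "deny", None


def reordered_decision(lines, packet_src: str) -> str:
    """Same statements with the first two swapped: shows that order matters."""
    _, aces = parse_standard_acl(lines)
    swapped = [aces[1], aces[0]] + aces[2:]
    return evaluate(swapped, packet_src)[0]


# Constructed sample ACL: block one host, allow the rest of its network and 10/8.
SAMPLE_ACL = [
    "access-list 10 deny host 181.16.1.1",
    "access-list 10 permit 181.16.1.0 0.0.0.255",
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    _, aces = parse_standard_acl(SAMPLE_ACL)
    for src in ("181.16.1.1", "181.16.1.77", "10.200.3.4", "192.168.1.1"):
        print(src, evaluate(aces, src))
    print("with the first two statements swapped, 181.16.1.1 is",
          reordered_decision(SAMPLE_ACL, "181.16.1.1"))
```

Running the block shows why the slides insist on correct ordering: with the deny-host statement first, 181.16.1.1 is denied and the rest of 181.16.1.0/24 permitted; swap the first two statements and the broader permit matches 181.16.1.1 before the deny is ever reached. A source that matches nothing, such as 192.168.1.1, falls off the end of the list and is discarded by the implicit deny.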
Commands to verify ACLs
show ip interface: indicates whether any ACLs are set
show access-lists: displays the contents of all the ACLs
show running-config: also shows the access lists and the interface to which they are assigned
Standard ACLs
Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite
Use numbers 1-99
Only one ACL per protocol, per direction, per interface is allowed
Can only check the source address, so they should be put as close to the destination as possible
Extended ACLs
Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite/protocol and/or port/group of ports
Use numbers 100-199
Only one ACL per protocol, per direction, per interface is allowed
Can check source and destination address, so they should be put as close to the source as possible
Named ACLs
Names for standard and extended ACLs can be alphanumeric strings
Use deny/no deny or permit/no permit to change the conditions of a named standard or extended ACL
You can't use the same alphanumeric name twice!