Transcript: The Internet and Education
CCNA ACLs Deepdive
February, 2012
Jaskaran Kalsi
Assoc. Technical Manager
Europe/CEE/RCIS
Cisco Networking Academy
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
CCNA & ACLs
Packet Filtering & ACL Overview
Standard ACL Configuration
Extended ACL Configuration
Demo & Summary
Provide a brief review of ACLs.
Demonstrate a brief example of how ACLs can be administered.
Provide a brief description of the troubleshooting scenarios that are
available.
Focus on the use of Packet Tracer as a simulation tool and create an
interactive session where the audience troubleshoots a preconfigured network.
ACLs are an area that not only students but also instructors struggle with.
ACLs are covered in both CCNA Discovery & Exploration.
CCNA Exploration:
CCNA Exploration 4 - Chapter 5
ACL theory
ACL examples
Packet Tracer Activities
Controls access to a network.
Analyzes incoming and outgoing packets.
Either permits or denies them based on a predefined set of criteria.
Routers act as packet filters.
Make decisions based on source and destination IP addresses.
Source port, destination port, and protocol can also be determining factors.
ACLs are sequential lists that include the following:
Permit statements.
Deny statements.
They extract information from the packet header and test it against the permit/deny rules in order; the first matching rule decides.
Inbound ACLs
Outbound ACLs
Standard Access Control Lists
ACLs numbered 1-99 or 1300-1999
IPv4 & IPv6
Filter solely on Layer 3 source information
Extended Access Control Lists
Standard ACLs - placed as close to the destination as possible.
Extended ACLs - placed on routers as close as possible to the source that is being filtered.
Task: Block host 10.0.0.3 from gaining access to network 40.0.0.0, while 10.0.0.3
must still be able to communicate with other networks.
All other computers on the 10.0.0.0 network must be able to connect to
the 40.0.0.0 network.
R2>enable
R2#configure terminal
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface FastEthernet 0/1
R2(config-if)#ip access-group 1 out
Extended ACLs usually range from 100-199 and 2000-2699.
Extended ACLs check source and destination addresses, ports, and protocols.
Hence they provide a greater range of control and enhance security.
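The following is an added example, not part of the Cisco deck: a small first-match evaluator for IOS-style numbered ACLs in Python. It parses the standard ACL from the slide above (access-list 1) and a constructed extended ACL (access-list 101, with addresses and ports chosen for the example), applies IOS wildcard-mask semantics, and returns the action of the first matching entry or the implicit deny at the end of every list. The packet and entry classes, the `eq`-only port handling and the 40.0.0.x destination addresses are simplifications of this example, not IOS behaviour beyond what the slides state.

```python
"""
Added example (not from the Cisco deck): a minimal first-match evaluator
for IOS-style numbered ACLs (standard and extended).  Wildcard masks
follow IOS semantics: a 0 bit means the address bit must match, a 1 bit
is ignored.  Only 'eq <port>' on the destination is supported.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: bits set to 1 are 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (base, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tok, tokens[i + 1], i + 2


@dataclass
class Entry:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip' matches everything; else 'tcp', 'udp', 'icmp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # from 'eq <port>', destination side only


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> <permit|deny> ...' lines in the order given."""
    entries = []
    for line in lines:
        t = line.split()
        assert t[0] == "access-list"
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            # Standard ACL: source only.  A bare address (no wildcard) means
            # wildcard 0.0.0.0, i.e. a single host.
            if t[3] in ("any", "host") or len(t) >= 5:
                src, src_wc, _ = parse_addr(t, 3)
            else:
                src, src_wc = t[3], "0.0.0.0"
            entries.append(Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255"))
        else:
            # Extended ACL: protocol, source, destination, optional 'eq <port>'.
            proto = t[3]
            src, src_wc, i = parse_addr(t, 4)
            dst, dst_wc, i = parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, port))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(entries: List[Entry], p: Packet) -> str:
    """Sequential first match; anything unmatched hits the implicit 'deny any'."""
    for e in entries:
        if matches(e, p):
            return e.action
    return "deny"


# The standard ACL from the slide (applied outbound on R2 Fa0/1 toward 40.0.0.0).
STANDARD_ACL = ["access-list 1 deny host 10.0.0.3", "access-list 1 permit any"]
# A constructed extended ACL: block only Telnet from 10.0.0.3 to 40.0.0.0/24.
EXTENDED_ACL = [
    "access-list 101 deny tcp host 10.0.0.3 40.0.0.0 0.0.0.255 eq 23",
    "access-list 101 permit ip 10.0.0.0 0.0.0.255 40.0.0.0 0.0.0.255",
]

if __name__ == "__main__":
    for acl in (STANDARD_ACL, list(reversed(STANDARD_ACL))):
        # Reversing the two lines shows why specific entries go first:
        # 'permit any' at the top shadows the host-specific deny.
        print(acl, "->", evaluate(parse_acl(acl), Packet("10.0.0.3", "40.0.0.5")))
    print(evaluate(parse_acl(EXTENDED_ACL), Packet("192.168.1.1", "40.0.0.5", "tcp", 80)))
```

The evaluator only decides permit or deny for a packet that reaches the list; where the list is applied (which interface, which direction) is what keeps 10.0.0.3 able to reach other networks in the slide's task, since the standard ACL is bound only to the outbound side of the interface facing 40.0.0.0.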
Reflexive ACLs
Dynamically allow reply packets
Work with TCP & UDP sessions initiated internally
Reduced exposure to spoofing and DoS attacks
Dynamic ACLs
Also known as ‘Lock-and-Key’ ACLs
Were available only for IP traffic
Dependent on Telnet connectivity, authentication, & E-ACLs
Time Based ACLs
Allow for access control based upon time of day, day of the week, or day of the month.
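The reflexive-ACL behaviour listed above, shown as an added Python simulation that is not part of the deck and not IOS code: outbound TCP/UDP traffic from the inside creates a temporary entry for the mirrored flow, and inbound traffic is permitted only when it matches such an entry that has not timed out. The flow class, the integer "clock", the 300-second timeout and the 10.0.0.x / 40.0.0.x addresses and ports are constructed for the example.

```python
"""
Added example (not from the Cisco deck): a simulation of the reflexive
ACL idea.  Reply packets are allowed only for TCP/UDP sessions initiated
from the inside, and the reflected entry expires after a timeout, which
is what limits exposure to unsolicited or spoofed inbound packets.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int

    def mirrored(self) -> "Flow":
        """The 5-tuple a reply to this flow would carry."""
        return Flow(self.protocol, self.dst, self.dst_port, self.src, self.src_port)


class ReflexiveFilter:
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        # mirrored flow -> expiry time, using a constructed clock in seconds
        self.reflected: Dict[Flow, int] = {}

    def outbound(self, flow: Flow, now: int) -> str:
        """Inside-initiated traffic is permitted; TCP/UDP flows create a reflected entry."""
        if flow.protocol in ("tcp", "udp"):
            self.reflected[flow.mirrored()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: int) -> str:
        """Outside traffic is permitted only as a timely reply to an inside session."""
        expiry = self.reflected.get(flow)
        if expiry is None:
            return "deny"                      # no session initiated from inside
        if now > expiry:
            del self.reflected[flow]           # idle session aged out
            return "deny"
        self.reflected[flow] = now + self.timeout   # activity refreshes the entry
        return "permit"


def demo() -> List[str]:
    """Walk a constructed inside-initiated HTTP session through the filter."""
    f = ReflexiveFilter(timeout=300)
    session = Flow("tcp", "10.0.0.5", 51000, "40.0.0.10", 80)
    results = [
        f.outbound(session, now=0),                  # permit, entry created
        f.inbound(session.mirrored(), now=1),        # permit, genuine reply
        f.inbound(Flow("tcp", "40.0.0.10", 80, "10.0.0.5", 52000), now=2),  # deny, unsolicited
        f.inbound(session.mirrored(), now=400),      # deny, entry expired at 301
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The same mirrored-flow check is what makes the entries dynamic: nothing about 40.0.0.10 is configured statically, so an outside host cannot reach the inside unless an inside host opened the session first and the session is still live.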
Which three statements should be considered when applying ACLs to a Cisco router? (Choose three)
a) Place generic ACL entries at the top of the ACL.
b) Place more specific ACL entries at the top of the ACL.
c) Router-generated packets pass through ACLs without filtering.
d) ACLs always search for the most specific entry before taking any filtering action.
e) An access list applied to any interface without a configured ACL allows all traffic to pass.
Thank you.