A bit of ACL…

Special thanks to Mr. Edd Spidell of Cranston Vocational Technical School for this PPT.

Keeping the world safe by preventing your students from accessing it…
What are Access Control Lists?

- They are statements used to control the flow of network traffic and provide varying levels of network security.
- The lists contain Permit or Deny statements that filter network traffic based on the source address, destination address, and protocol type of a packet.
How can we let Jabba get access to Yoda but not to the Internet?

To prevent Jabba's access to the Internet, we could:

- Put him in CCRI's new computer wing and watch him try to reach the keyboard… or to get back out…
- Have Princess Leia join him for lunch…
- Use ACLs on an interface to limit traffic…
Your final answer is?

We would use ACLs, but the others would be fun too…

- We would configure the router port that is the gateway for Jabba to prevent access.

    SkyWalker#config t
    SkyWalker(config)#access-list 1 deny 200.100.20.3 0.0.0.0
    SkyWalker(config)#access-list 1 permit any
    SkyWalker(config)#int e1
    SkyWalker(config-if)#ip access-group 1 in
    SkyWalker(config-if)#^Z

This is a Standard Access List which is denying packets based on the source address. Standard lists look only at the source address, so the second line ("permit any") is needed: every access list ends with an implicit deny, and without it all other hosts on that interface would be blocked as well.
To remove an ACL, we must go back into the router configuration.

    SkyWalker#config t
    SkyWalker(config)#no access-list 1
    SkyWalker(config)#int e1
    SkyWalker(config-if)#no ip access-group 1 in
    SkyWalker(config-if)#^Z
If we cut a deal with Jabba so he could use the Internet, but prevent him from downloading from FTP sites, we can use Extended Access Control Lists.

- Unlike standard lists, EACLs can filter by source IP, destination IP, protocol type, and application port number. For this instance, we will be using port 21 (FTP).
To block Jabba's FTP access…

    SkyWalker#config t
    SkyWalker(config)#access-list 100 deny tcp 200.100.20.3 0.0.0.0 200.100.20.1 0.0.0.0 eq 21
    SkyWalker(config)#access-list 100 permit ip any any
    SkyWalker(config)#int e1
    SkyWalker(config-if)#ip access-group 100 in
    SkyWalker(config-if)#^Z
To remove the EACL…

    SkyWalker#config t
    SkyWalker(config)#no access-list 100
    SkyWalker(config)#int e1
    SkyWalker(config-if)#no ip access-group 100 in
    SkyWalker(config-if)#^Z
Wildcard Masks

- Routers use them to determine which bits in an address are significant.
- 0s (zeros) are significant, 1s (ones) are not.
- For example: 200.100.20.3 0.0.0.0
- The 0.0.0.0 makes the access list match the host (Jabba's) exactly.
- Another example: 200.100.20.0 0.0.0.255
- The 0.0.0.255 makes the access list apply to both Yoda and Jabba on the .20 subnet.
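The following is an added example, not part of the original slide deck: a small Python model of how a router evaluates the standard list (access-list 1) and the extended list (access-list 100) shown above, using the wildcard-mask rule from this slide (a 0 bit in the mask must match, a 1 bit is ignored), first-match ordering, and the implicit deny at the end of every list. Jabba's address 200.100.20.3 and the destination 200.100.20.1 come from the slides; the addresses used for Yoda (200.100.20.5) and for an Internet host (198.51.100.10) are constructed for the example. It also shows a point worth checking in the extended list: as written, the deny line matches FTP only when the destination is 200.100.20.1, so FTP to any other destination falls through to "permit ip any any"; a variant with destination "any" is included for comparison.

```python
"""Added example (not from the slide deck): Cisco-style ACL evaluation with
wildcard masks, first-match semantics and the implicit trailing deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: where the mask bit is 0 the address bit must
    equal the base; where the mask bit is 1 the address bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits we must compare
    return (a & care) == (b & care)


@dataclass
class Entry:
    """One access-list line. Standard lists only carry src/src_wc; the
    remaining fields default to 'match anything' so both kinds share code."""
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # 'any'
    dst_port: Optional[int] = None   # 'eq N' on the destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the
    implicit deny that ends every Cisco access list."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# access-list 1 from the slides (standard: source address only)
ACL_1 = [
    Entry("deny", "200.100.20.3", "0.0.0.0"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),        # permit any
]

# access-list 100 from the slides (extended: src, dst, protocol, port)
ACL_100 = [
    Entry("deny", "200.100.20.3", "0.0.0.0", "tcp", "200.100.20.1", "0.0.0.0", 21),
    Entry("permit", "0.0.0.0", "255.255.255.255", "ip"),  # permit ip any any
]

# Variant (not on the slides) with destination 'any' for the deny line
ACL_100_ANY_DST = [
    Entry("deny", "200.100.20.3", "0.0.0.0", "tcp", "0.0.0.0", "255.255.255.255", 21),
    Entry("permit", "0.0.0.0", "255.255.255.255", "ip"),
]


def demo() -> dict:
    jabba = "200.100.20.3"       # from the slides
    yoda = "200.100.20.5"        # constructed: Yoda's address is not given
    internet = "198.51.100.10"   # constructed external host (TEST-NET-2)
    return {
        "acl1_jabba_to_internet": evaluate(ACL_1, Packet(jabba, internet)),
        "acl1_yoda_to_internet": evaluate(ACL_1, Packet(yoda, internet)),
        "acl100_jabba_ftp_to_dot1": evaluate(ACL_100, Packet(jabba, "200.100.20.1", "tcp", 21)),
        "acl100_jabba_ftp_to_internet": evaluate(ACL_100, Packet(jabba, internet, "tcp", 21)),
        "acl100_jabba_http_to_dot1": evaluate(ACL_100, Packet(jabba, "200.100.20.1", "tcp", 80)),
        "acl100_any_dst_jabba_ftp_to_internet": evaluate(ACL_100_ANY_DST, Packet(jabba, internet, "tcp", 21)),
        "wildcard_subnet_yoda": wildcard_match(yoda, "200.100.20.0", "0.0.0.255"),
        "wildcard_subnet_outside": wildcard_match(internet, "200.100.20.0", "0.0.0.255"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per case: access-list 1 denies Jabba and permits Yoda, access-list 100 as written denies only Jabba's FTP to 200.100.20.1 while permitting his FTP to the outside host and his port-80 traffic, the "any" destination variant denies his FTP everywhere, and the 0.0.0.255 wildcard matches Yoda's address on the .20 subnet but not the outside host.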
You know there is much more to be learned…

- Due to time constraints and my limited knowledge on this subject, I defer to those of you that have a better understanding of what I have tried to present.
- In summary, my opinion is that this subject is probably the most important part of the entire curriculum so far, and at the same time, the most involved from a learning standpoint.