ACL Extended - Chabot College

Chabot College
ELEC 99.08
Extended Access Control Lists
CISCO NETWORKING ACADEMY
ACL Topics
• Extended ACLs
• Editing ACLs
• Anatomy of an ACL
Extended ACLs
• Provide more precise (finer-tuned) packet selection based on:
– Source and destination addresses
– Protocols
– Port numbers
• Numbered 100-199
Steps to Configure ACLs
1) Create ACL (global config mode)
2) Apply to an interface (interface config mode)
Extended ACL operation
• Permits or denies if all conditions match:
– Source Address
– Destination Address
– Protocol
– Port No. or Protocol Options
Extended ACL Syntax Explained
• Network Computing has published
a great summary chart of the
“anatomy of an ACL”
• A PDF copy of this chart is on the
Semester 2 class page under
“Chabot College Study Sheets”
Extended IP ACL command
access-list ACL-number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number
• ACL number: 100-199
• Global Config mode
Extended ACL Example
• To permit traffic from the network 192.168.1.0 to the host 192.168.3.10 only on telnet:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.10 0.0.0.0 eq 23
Some Protocols with Port Numbers
• FTP – 21
• Telnet – 23
• SMTP – 25
• DNS – 53
• TFTP – 69
• WWW, HTML – 80
• POP3 – 110
• SNMP – 161
ACL Configuration Example
What will this list do?
fre(config)#access-list 101 deny tcp any 192.168.3.10 0.0.0.0 eq 80
fre(config)#access-list 101 permit ip any any
fre(config)#int e0
fre(config-if)#ip access-group 101 in
fre(config-if)#^z
[Network diagram: routers fre, hay and oak linked by serial interfaces S0/S1. fre E0 is on 192.168.1.0 with hosts 192.168.1.10 and 192.168.1.11; hay E0 is on 192.168.2.0 with host 192.168.2.10; oak E0 is on 192.168.3.0 with host 192.168.3.10.]
ACL Configuration Example
What will this list do?
fre(config)#access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80
fre(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 21
fre(config)#access-list 101 permit ip any any
fre(config)#int e0
fre(config-if)#ip access-group 101 in
fre(config-if)#^z
[Network diagram: same fre / hay / oak topology as above.]
ACL Configuration Example
What will this list do? (What’s wrong here?)
fre(config)#access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80
fre(config)#int e0
fre(config-if)#ip access-group 101 in
fre(config-if)#^z
[Network diagram: same fre / hay / oak topology as above.]
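The three "What will this list do?" exercises above can be worked through mechanically. The Python evaluator below is an added example, not part of the original slides and not Cisco IOS code: it parses access-list lines exactly as they appear on the slides, matches addresses with wildcard masks (a 1 bit in the mask means "don't care"), applies rules in order with first match winning, and falls back to the implicit deny that every IOS ACL ends with, which is what the third list runs into. It also handles the standard-ACL form (numbers 1-99, source address only) used on the placement slides further on. The sample lists are copied from the slides; the packets fed to the evaluator are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    protocol: str           # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: int                # source address as a 32-bit int
    src_wild: int           # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    port: Optional[int]     # destination port given with "eq", else None


ANY = (0, 0xFFFFFFFF)       # "any" is address 0.0.0.0 with wildcard 255.255.255.255


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(t: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse access-list lines (standard 1-99 or extended 100-199) into an ordered rule list."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                          # skip anything that is not an ACL line
        number = int(t[1])
        if 1 <= number <= 99:                 # standard: action, source address only
            src, sw, _ = _parse_addr(t, 3)
            rules.append(Rule(t[2], "ip", src, sw, ANY[0], ANY[1], None))
        elif 100 <= number <= 199:            # extended: action, protocol, src, dst, optional "eq port"
            src, sw, i = _parse_addr(t, 4)
            dst, dw, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            rules.append(Rule(t[2], t[3], src, sw, dst, dw, port))
        else:
            raise ValueError(f"unsupported ACL number {number}")
    return rules


def _wild_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must agree with the rule address.
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet: first matching rule wins, implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.protocol != "ip" and r.protocol != proto:
            continue
        if not (_wild_match(s, r.src, r.src_wild) and _wild_match(d, r.dst, r.dst_wild)):
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action
    return "deny"   # the unwritten "deny ip any any" that every IOS ACL ends with


# Constructed sample input: the three lists from the slides, without the fre(config)# prompt,
# plus the standard list from the placement slide.
LIST_A = """access-list 101 deny tcp any 192.168.3.10 0.0.0.0 eq 80
access-list 101 permit ip any any"""
LIST_B = """access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 21
access-list 101 permit ip any any"""
LIST_C = """access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80"""
LIST_STD = """access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any"""

if __name__ == "__main__":
    for name, text in [("A", LIST_A), ("B", LIST_B), ("C", LIST_C)]:
        rules = parse_acl(text)
        print(name, "192.168.1.11 -> 192.168.3.10 telnet:",
              evaluate(rules, "tcp", "192.168.1.11", "192.168.3.10", 23))
```

Running the third list through `evaluate` shows the effect of a list with no permit line: a packet that matches nothing falls through to the implicit deny, so the single deny rule blocks all inbound traffic on e0, not just that one host's web traffic.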
Extended ACL Placement
Blocking traffic from Fremont LAN to Oakland PC
Place extended ACL close to source.
fre(config)#access-list 101 deny ip any host 192.168.3.10
fre(config)#access-list 101 permit ip any any
fre(config)#int e0
fre(config-if)#ip access-group 101 in
[Network diagram: same fre / hay / oak topology as above.]
Standard ACL Placement
Blocking traffic from Fremont LAN to Oakland LAN
Place standard ACL close to destination.
oak(config)#access-list 10 deny 192.168.1.0 0.0.0.255
oak(config)#access-list 10 permit any
oak(config)#int e0
oak(config-if)#ip access-group 10 out
[Network diagram: same fre / hay / oak topology as above.]
ACL Placement
Blocking traffic from Fremont LAN to Oakland PC
Standard or Extended ACL
Which seems more efficient?
Why?
[Network diagram: same fre / hay / oak topology as above, with the labels "Extended" and "Standard" marking the two candidate ACL placements.]
Editing ACLs
• The exec adds new lines (rules) to an ACL at the end; probably not where you want them.
• To change lines in the middle, you must delete the entire list and re-enter it.
• Or dump your config out to a text file and edit it as follows:
Editing ACLs
• Use Hyperterm’s “capture text” to save the config as a text file.
• In your editor, renumber the existing ACL using search & replace.
• Edit the renumbered ACL.
• Paste the new ACL into your running config.
• On the interface where the old ACL is applied, apply the new list with the command:
ip access-group XXX in/out
(Make XXX the new ACL number; the old list will automatically be turned off
when you turn on the new list. If you encounter problems with the new list,
you can re-apply the old one with the ip access-group command.)
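The offline editing workflow on this slide can be scripted. The Python helper below is an added example, not from the slides and not a Cisco tool: it extracts one numbered ACL from a captured config, renumbers it with search-and-replace while checking that the new number stays in the same range (a number from 1-99 would turn an extended list into a standard one) and is not already in use, inserts the new rule at the chosen position, and emits the ip access-group command for every interface the old list was bound to. The captured config is constructed; the interface name Ethernet0 and the address 192.168.1.1 are assumptions, not values from the slides.

```python
import re
from typing import List, Tuple

# Constructed sample: a config captured from the fre router the way the slide describes.
# The interface name Ethernet0 and the address 192.168.1.1 are assumptions, not from the slides.
CAPTURED_CONFIG = """hostname fre
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 21
access-list 101 permit ip any any
"""


def _acl_range(number: int) -> Tuple[int, int]:
    """Numbered range an ACL belongs to: 1-99 standard, 100-199 extended."""
    if 1 <= number <= 99:
        return (1, 99)
    if 100 <= number <= 199:
        return (100, 199)
    raise ValueError(f"ACL number {number} is outside the ranges covered here")


def extract_acl(config: str, number: int) -> List[str]:
    """Pull the access-list lines of one ACL out of the captured config, in their original order."""
    pat = re.compile(rf"^access-list {number}\s")
    return [line.rstrip() for line in config.splitlines() if pat.match(line)]


def find_bindings(config: str, number: int) -> List[Tuple[str, str]]:
    """Return (interface, direction) for every 'ip access-group <number> in|out' in the config."""
    bindings, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = re.match(rf"^\s+ip access-group {number} (in|out)\s*$", line)
        if m and current:
            bindings.append((current, m.group(1)))
    return bindings


def renumber(acl_lines: List[str], old: int, new: int, config: str) -> List[str]:
    """Search-and-replace the ACL number, refusing a number that changes the ACL type or is in use."""
    if _acl_range(old) != _acl_range(new):
        raise ValueError(f"{new} is not in the same range as {old}; the ACL type would change")
    if extract_acl(config, new):
        raise ValueError(f"access-list {new} already exists in this config")
    pat = re.compile(rf"^access-list {old}\s")
    return [pat.sub(f"access-list {new} ", line) for line in acl_lines]


def build_edit(config: str, old: int, new: int, insert_at: int, rule_body: str) -> List[str]:
    """Commands to paste: the renumbered list with rule_body inserted at index insert_at
    (0 = first line), then the ip access-group command that swaps each interface over to
    the new list. Applying the new number on an interface replaces the old binding there."""
    old_lines = extract_acl(config, old)
    if not old_lines:
        raise ValueError(f"access-list {old} not found in this config")
    lines = renumber(old_lines, old, new, config)
    if not 0 <= insert_at <= len(lines):
        raise ValueError("insert position is outside the list")
    lines.insert(insert_at, f"access-list {new} {rule_body}")
    commands = list(lines)
    for iface, direction in find_bindings(config, old):
        commands += [f"interface {iface}", f" ip access-group {new} {direction}"]
    return commands


if __name__ == "__main__":
    # Insert a rule as the second line of list 101, re-issued as list 102.
    print("\n".join(build_edit(CAPTURED_CONFIG, 101, 102, 1,
                               "deny tcp 192.168.1.11 0.0.0.0 any eq 23")))
```

The output is the block of lines to paste into global config mode: the new list first, so that it exists before the interface command references it, then the `interface` and `ip access-group` lines. Keeping the old list in the config until the new one is verified is what makes the rollback on the slide possible.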
ACL Syntax Summary
• Network Computing has published
a great summary chart of the
“anatomy of an ACL”
• There is a link to this chart on the
Semester 2 class page under
“Chabot College Study Sheets”.