Access Control List (ACL)
W.lilakiatsakun
Transport Layer Review (1)
• TCP (Transmission Control Protocol)
– HTTP (Web)
– SMTP (Mail)
• UDP (User Datagram Protocol)
– DNS (Domain Name System)
– SNMP (Simple Network Management Protocol)
Transport Layer Review (2)
Transport Layer Review (3)
TCP Port
Transport Layer Review (4)
UDP Port
Transport Layer Review (5)
TCP/UDP Common Port
Packet Filtering (1)
• Controls access to a network by analyzing
incoming and outgoing packets and passing
or dropping them based on stated criteria.
• A router acts as a packet filter when it
forwards or denies packets according to
filtering rules.
Packet Filtering (2)
Packet Filtering (3)
Packet Filtering (4)
• A packet-filtering router uses rules to
determine whether to permit or deny
traffic based on source and destination IP
addresses, source port and destination
port, and the protocol of the packet.
• These rules are defined using access
control lists or ACLs.
Packet Filtering (5)
- Only permit web access to users from network A.
- Deny web access to users from network B.
- Permit network B all other access.
ACL (Access Control List) (1)
• An ACL is a router configuration script that
controls whether a router permits or
denies packets to pass based on criteria
found in the packet header.
• ACLs are also used for selecting types of
traffic to be analyzed, forwarded, or
processed in other ways.
ACL (Access Control List) (2)
ACL (Access Control List) (3)
ACL guideline (1)
• Use ACLs in firewall routers positioned
between your internal network and an
external network such as the Internet.
• Use ACLs on a router positioned between
two parts of your network to control traffic
entering or exiting a specific part of your
internal network.
ACL guideline (2)
• Configure ACLs on border routers, the routers
situated at the edges of your networks.
– This provides a very basic buffer from the
outside network, or between a less controlled
area of your own network and a more
sensitive area of your network.
• Configure ACLs for each network protocol
configured on the border router interfaces.
– You can configure ACLs on an interface to
filter inbound traffic, outbound traffic, or both.
ACL Operation (1)
• Inbound ACLs
– Incoming packets are processed before they
are routed to the outbound interface.
– An inbound ACL is efficient because it saves the
overhead of routing lookups if the packet is
discarded.
• Outbound ACLs
– Incoming packets are routed to the outbound
interface, and then they are processed through
the outbound ACL.
ACL Operation (2)
Inbound ACLs
ACL Operation (3)
Outbound ACLs
ACL Operation (4)
Type of CISCO ACL
Standard ACL (1)
The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number
or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
Numbering and Naming ACL
Where to Place ACL (1)
• Locate extended ACLs as close as possible
to the source of the traffic denied.
– This way, undesirable traffic is filtered
without crossing the network infrastructure.
• Because standard ACLs do not specify
destination addresses, place them as close
to the destination as possible.
Where to Place ACL (2)
Standard ACL
Where to Place ACL (3)
Extended ACL
ACL Best Practice (1)
ACL Criteria (1)
Configuring Standard ACL (1)
Access control conditions
– Permit IP from network 192.168.10.0/24
except host 192.168.10.1
– Permit IP from network 192.0.0.0/8 except
192.168.0.0/16
One ACL that implements both conditions (entry order
matters: the first match decides, so each host deny
must come before the wider permit that would cover it):
– access-list 2 deny 192.168.10.1
– access-list 2 permit 192.168.10.0 0.0.0.255
– access-list 2 deny 192.168.0.0 0.0.255.255
– access-list 2 permit 192.0.0.0 0.255.255.255
Configuring Standard ACL (2)
Configuring Standard ACL (3)
Configuring Standard ACL (4)
Router(config)#access-list access-list-number [deny | permit | remark] source
[source-wildcard] [log]
Removing ACL
Configuring Standard ACL (5)
Documenting ACL
ACL Wildcard Masking (1)
• Wildcard masks use the following rules to
match binary 1s and 0s:
– Wildcard mask bit 0 - Match the
corresponding bit value in the address
– Wildcard mask bit 1 - Ignore the
corresponding bit value in the address
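Added example, not part of the original slides: a Python model of the wildcard rules above and of how ACL 2 from the "Configuring Standard ACL" slide is processed (top-down, first match wins, implicit deny at the end). Function names such as wildcard_match and evaluate_standard_acl are my own and not IOS commands; the misordered list is constructed to show why entry order matters.

```python
"""Standard ACL evaluation with wildcard masks.

Added example, not from the original slides: a Python model of how a
Cisco IOS standard ACL is processed. Entries are tested top to bottom,
the first match decides, and anything unmatched hits the implicit
'deny any'. Function names are my own, not IOS commands.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str]   # (action, network, wildcard)


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str = "0.0.0.0") -> bool:
    """Wildcard bit 0: the address bit must equal the network bit.
    Wildcard bit 1: the address bit is ignored."""
    differing = to_int(addr) ^ to_int(network)
    return differing & ~to_int(wildcard) == 0


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def evaluate_standard_acl(acl: List[Entry], src: str) -> str:
    """Standard ACLs look only at the source address."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"   # implicit 'deny any' at the end of every ACL


# ACL 2 from the slide. A bare address without a wildcard is an exact
# host match (wildcard 0.0.0.0), which is how IOS interprets it.
ACL_2: List[Entry] = [
    ("deny",   "192.168.10.1", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("deny",   "192.168.0.0",  "0.0.255.255"),
    ("permit", "192.0.0.0",    "0.255.255.255"),
]

# Constructed counter-example: the same entries with the first two swapped.
# The host deny now sits below the /24 permit and can never match.
ACL_2_MISORDERED: List[Entry] = [ACL_2[1], ACL_2[0], ACL_2[2], ACL_2[3]]


def demo() -> dict:
    return {
        "host_denied":         evaluate_standard_acl(ACL_2, "192.168.10.1"),    # deny
        "subnet_permitted":    evaluate_standard_acl(ACL_2, "192.168.10.77"),   # permit
        "rest_of_16_denied":   evaluate_standard_acl(ACL_2, "192.168.20.5"),    # deny
        "rest_of_8_permitted": evaluate_standard_acl(ACL_2, "192.1.2.3"),       # permit
        "implicit_deny":       evaluate_standard_acl(ACL_2, "10.0.0.1"),        # deny
        "misordered_host":     evaluate_standard_acl(ACL_2_MISORDERED, "192.168.10.1"),  # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Wildcards need not be contiguous: a wildcard of 0.0.0.254 against 192.168.10.1 matches every odd host in the /24 and no even one, which is why wildcard_match works bitwise rather than comparing prefixes.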
ACL Wildcard Masking (2)
ACL Wildcard Masking (3)
ACL Wildcard Masking (4)
ACL Wildcard Masking (5)
ACL Wildcard Masking (6)
Apply Standard ACL (1)
Apply Standard ACL (2)
Apply Standard ACL (3)
Apply Standard ACL (4)
Apply Standard ACL (5)
Commenting ACL
Named ACL (1)
Named ACL (2)
Verifying ACL
Extended ACL (1)
Extended ACLs check the source address of a packet
as standard ACLs do, but they also check the
destination address, the protocol, and port numbers
(services).
This gives a greater range of criteria on which to base
the ACL.
Extended ACL (2)
Configuring Extended ACL (1)
• The network administrator needs to
restrict Internet access to allow only
website browsing.
– ACL 103 applies to traffic leaving the
192.168.10.0 network
– ACL 104 to traffic coming into the network.
Configuring Extended ACL (2)
Configuring Extended ACL (3)
• ACL 103 accomplishes the first part of the
requirement.
– It allows traffic coming from any address on
the 192.168.10.0 network to go to any
destination, subject to the limitation that
traffic goes to ports 80 (HTTP) and 443
(HTTPS) only.
Configuring Extended ACL (4)
• ACL 104 does that by blocking all
incoming traffic, except for established
connections.
– HTTP runs over TCP: the client opens the
connection with a SYN, the server answers with
SYN-ACK, the client completes the handshake
with an ACK, and FIN closes it. Every segment
after the first SYN carries the ACK bit.
Configuring Extended ACL (5)
• The established parameter allows responses
to traffic that originates from the
192.168.10.0/24 network to return inbound
on interface S0/0/0.
• A match occurs if the TCP segment has the ACK
or reset (RST) bit set, which indicates that the
packet belongs to an existing connection.
– The check is stateless: the router does not
remember the outbound SYN, so any inbound
segment with ACK or RST set matches, even a
probe that was never part of a connection.
Reflexive ACLs close this gap.
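Added example, not code from the original slides: a Python model of ACL 103 and ACL 104 as the slides describe them, with the established keyword implemented as the slide states it (ACK or RST bit set). The Rule and Packet classes and the evaluate function are my own illustrative models, not IOS code, and the sample packets use constructed documentation addresses. The last case shows the caveat: a bare ACK probe from an outside host is permitted by ACL 104 because the match looks only at flag bits of that one segment.

```python
"""Extended ACL 103/104 from the slides, with 'established' semantics.

Added example, not from the original deck. Rule and Packet are
illustrative models, not Cisco IOS code. The demo shows why
'established' is not stateful: any inbound TCP segment with ACK or
RST set matches, whether or not a connection exists.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS 'any' keyword


def wc_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w == 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"}, {"SYN", "ACK"}
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None       # 'eq <port>' on the destination
    established: bool = False         # the 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wc_match(p.src, self.src, self.src_wc)
                and wc_match(p.dst, self.dst, self.dst_wc)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' inspects only the flag bits of this segment;
        # the router keeps no memory of who sent the first SYN.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"


# ACL 103: outbound from 192.168.10.0/24, web ports only.
ACL_103 = [
    Rule("permit", "tcp", "192.168.10.0", "0.0.0.255", *ANY, dport=80),
    Rule("permit", "tcp", "192.168.10.0", "0.0.0.255", *ANY, dport=443),
]
# ACL 104: inbound to 192.168.10.0/24, replies to existing connections only.
ACL_104 = [
    Rule("permit", "tcp", *ANY, "192.168.10.0", "0.0.0.255", established=True),
]

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
CLIENT, WEB, ATTACKER = "192.168.10.5", "203.0.113.7", "198.51.100.9"
web_request = Packet(CLIENT, WEB, 51000, 443, frozenset({"SYN"}))
ssh_attempt = Packet(CLIENT, WEB, 51001, 22, frozenset({"SYN"}))
web_reply   = Packet(WEB, CLIENT, 443, 51000, frozenset({"SYN", "ACK"}))
inbound_syn = Packet(ATTACKER, CLIENT, 40000, 22, frozenset({"SYN"}))
ack_scan    = Packet(ATTACKER, CLIENT, 40000, 22, frozenset({"ACK"}))


def demo() -> dict:
    return {
        "web_request": evaluate(ACL_103, web_request),   # permit
        "ssh_attempt": evaluate(ACL_103, ssh_attempt),   # deny
        "web_reply":   evaluate(ACL_104, web_reply),     # permit
        "inbound_syn": evaluate(ACL_104, inbound_syn),   # deny
        "ack_scan":    evaluate(ACL_104, ack_scan),      # permit: the weakness
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The ack_scan result is what an ACK scan relies on: the segment reaches the inside host, whose RST (or silence) tells the scanner whether the port is filtered. Blocking it needs state that tracks the outbound SYN, which is what the reflexive ACL section below provides.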
Apply Extended ACL (1)
Apply Extended ACL (2)
Apply Extended ACL (3)
Named Extended ACL
Complex ACL
Dynamic ACL (1)
• AKA lock-and-key ACL
– Users who want to traverse the router are
blocked by the extended ACL until they use
Telnet to connect to the router and are
authenticated.
– The Telnet connection is then dropped, and a
single-entry dynamic ACL is added to the
extended ACL that exists.
Dynamic ACL (2)
Dynamic ACL (3)
Reflexive ACL (1)
• Reflexive ACLs permit inbound reply traffic
only when it comes from the destination of
a known recent outbound packet and is
addressed to the source of that packet.
• This adds greater control over what traffic
you allow into your network and extends
the capabilities of extended access lists.
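Added example, not part of the original slides: a Python model of the reflexive mechanism as a table of temporary entries, each created by an outbound packet and removed when idle. The ReflexiveFilter class, its timeout value and the sample 5-tuples are my own constructed illustration, not IOS code. The established_check function reproduces the stateless test from the previous section so the two can be compared on the same ACK-only probe.

```python
"""Reflexive ACL behaviour modelled as a session table.

Added example, not from the original slides. ReflexiveFilter is an
illustrative model of the mechanism, not Cisco IOS code. The same
ACK-only probe that a stateless 'established' check permits is denied
here because no outbound packet ever created a matching entry.
"""
from typing import Dict, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class ReflexiveFilter:
    def __init__(self, timeout: float = 300.0):
        # temporary inbound entries, keyed by the expected reply 5-tuple,
        # valued by the time of the last packet that used them
        self.timeout = timeout
        self.sessions: Dict[FiveTuple, float] = {}

    def outbound(self, proto: str, src: str, sport: int,
                 dst: str, dport: int, now: float) -> None:
        """An outbound packet hits the 'reflect' entry: create the
        mirror-image inbound entry with addresses and ports swapped."""
        self.sessions[(proto, dst, dport, src, sport)] = now

    def inbound(self, proto: str, src: str, sport: int,
                dst: str, dport: int, now: float) -> str:
        """Permit an inbound packet only if it mirrors a recent outbound one."""
        key = (proto, src, sport, dst, dport)
        last_seen = self.sessions.get(key)
        if last_seen is None:
            return "deny"                  # no session: implicit deny
        if now - last_seen > self.timeout:
            del self.sessions[key]         # idle entry has expired
            return "deny"
        self.sessions[key] = now           # traffic refreshes the timer
        return "permit"


def established_check(flags: set) -> str:
    """The stateless 'established' test, for contrast."""
    return "permit" if flags & {"ACK", "RST"} else "deny"


def demo() -> dict:
    f = ReflexiveFilter(timeout=300)
    # constructed traffic: an inside client opens HTTPS and a DNS query
    f.outbound("tcp", "192.168.10.5", 51000, "203.0.113.7", 443, now=0)
    f.outbound("udp", "192.168.10.5", 5353, "203.0.113.53", 53, now=0)
    return {
        "https_reply": f.inbound("tcp", "203.0.113.7", 443, "192.168.10.5", 51000, now=1),
        "dns_reply":   f.inbound("udp", "203.0.113.53", 53, "192.168.10.5", 5353, now=1),
        "ack_scan":    f.inbound("tcp", "198.51.100.9", 40000, "192.168.10.5", 22, now=2),
        "ack_scan_if_established": established_check({"ACK"}),
        "wrong_port":  f.inbound("tcp", "203.0.113.7", 80, "192.168.10.5", 51000, now=3),
        "expired":     f.inbound("tcp", "203.0.113.7", 443, "192.168.10.5", 51000, now=1000),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Because the entry is keyed on the full 5-tuple, reflexive filtering also covers UDP, which has no ACK bit for an established check to look at; the price is per-session state and a timeout that must be tuned so long-idle legitimate sessions are not cut off.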
Reflexive ACL (2)
Reflexive ACL (3)
Time Based ACL (1)
• Time-based ACLs are similar to extended
ACLs in function, but they allow for access
control based on time.
• To implement time-based ACLs, you
create a time range that defines specific
times of the day and week.
Time Based ACL (2)
Time Based ACL (3)
Troubleshooting ACL (1)
Troubleshooting ACL (2)
UDP
Troubleshooting ACL (3)
Troubleshooting ACL (4)
Troubleshooting ACL (5)