Transcript ACLs
CCNA
Access Control Lists (ACLs)
© 2004 Cisco Systems, Inc. All rights reserved.
1
Objectives
© 2004, Cisco Systems, Inc. All rights reserved.
2
What are ACLs?
• ACLs are lists of conditions used to test
network traffic that tries to travel across a
router interface. These lists tell the router
what types of packets to accept or deny.
© 2004, Cisco Systems, Inc. All rights reserved.
3
How ACLs Work
© 2004, Cisco Systems, Inc. All rights reserved.
4
Protocols with ACLs Specified by
Numbers
© 2004, Cisco Systems, Inc. All rights reserved.
5
Creating ACLs
© 2004, Cisco Systems, Inc. All rights reserved.
6
The Function of a Wildcard Mask
© 2004, Cisco Systems, Inc. All rights reserved.
7
Verifying ACLs
• There are many show commands that will
verify the content and placement of ACLs
on the router.
show ip interface
show access-lists
Show running-config
© 2004, Cisco Systems, Inc. All rights reserved.
8
Standard ACLs
© 2004, Cisco Systems, Inc. All rights reserved.
9
Extended ACLs
© 2004, Cisco Systems, Inc. All rights reserved.
10
Placing ACLs
• Standard ACLs should be placed close to the
destination.
• Extended ACLs should be placed close to the source.
© 2004, Cisco Systems, Inc. All rights reserved.
11
Firewalls
A firewall is an architectural structure that
exists between the user and the outside world
to protect the internal network from intruders.
© 2004, Cisco Systems, Inc. All rights reserved.
12
Restricting Virtual Terminal Access
© 2004, Cisco Systems, Inc. All rights reserved.
13
Summary
© 2004, Cisco Systems, Inc. All rights reserved.
14
Standard ACL - Example 1
Requirement:
- Bob is not allowed to access Server 1
© 2004, Cisco Systems, Inc. All rights reserved.
15
Standard ACL - Example 1
On R1:
Problem: The list also stops Bob from getting packets to Server 2
© 2004, Cisco Systems, Inc. All rights reserved.
16
Standard ACL - Example 2
Requirement:
1. Sam is not allowed access to
Bugs or Daffy.
2. Hosts on the Seville Ethernet
are not allowed access to hosts
on Yosemite Ethernet.
3. All other combinations are
allowed.
© 2004, Cisco Systems, Inc. All rights reserved.
17
Standard ACL - Example 2
Yosemite:
Seville:
Problem: If some link fails, packets will be routed without filtering.
© 2004, Cisco Systems, Inc. All rights reserved.
18
Standard ACL - Example 2
Alternative solution
At Yosemite:
© 2004, Cisco Systems, Inc. All rights reserved.
19
Extended ACL - Example 1
Requirement:
•
Bob is denied access to all FTP servers on R1’s Ethernet.
•
Larry is denied access to Server’s Web server.
© 2004, Cisco Systems, Inc. All rights reserved.
20
Extended ACL - Example 1
At R1:
© 2004, Cisco Systems, Inc. All rights reserved.
21
Extended ACL - Example 1
Alternative solution
At R3:
At R2:
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
© 2004, Cisco Systems, Inc. All rights reserved.
22
Extended ACL - Example 2
Requirement:
1. Sam is not allowed access to
Bugs or Daffy.
2. Hosts on the Seville Ethernet
are not allowed access to hosts
on Yosemite Ethernet.
3. All other combinations are
allowed.
© 2004, Cisco Systems, Inc. All rights reserved.
23
Extended ACL - Example 2
At Yosemite:
© 2004, Cisco Systems, Inc. All rights reserved.
24