Transcript ACLs

CCNA
Access Control Lists (ACLs)
© 2004 Cisco Systems, Inc. All rights reserved.
1
Objectives
What are ACLs?
• ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny.
How ACLs Work
Protocols with ACLs Specified by Numbers
Creating ACLs
The Function of a Wildcard Mask
Verifying ACLs
• There are many show commands that will verify the content and placement of ACLs on the router:
show ip interface
show access-lists
show running-config
Standard ACLs
Extended ACLs
Placing ACLs
• Standard ACLs should be placed close to the destination.
• Extended ACLs should be placed close to the source.
Firewalls
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
Restricting Virtual Terminal Access
Summary
Standard ACL - Example 1
Requirement:
- Bob is not allowed to access Server 1
Standard ACL - Example 1
On R1:
Problem: The list also stops Bob from getting packets to Server 2
Standard ACL - Example 2
Requirement:
1. Sam is not allowed access to Bugs or Daffy.
2. Hosts on the Seville Ethernet are not allowed access to hosts on Yosemite Ethernet.
3. All other combinations are allowed.
Standard ACL - Example 2
Yosemite:
Seville:
Problem: If some link fails, packets will be routed without filtering.
Standard ACL - Example 2
Alternative solution
At Yosemite:
Extended ACL - Example 1
Requirement:
• Bob is denied access to all FTP servers on R1’s Ethernet.
• Larry is denied access to Server’s Web server.
Extended ACL - Example 1
At R1:
Extended ACL - Example 1
Alternative solution
At R3:
At R2:
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
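The matching rules the deck relies on (wildcard masks, top-down first-match evaluation, the implicit deny at the end of every list, and the difference between a standard ACL that tests only the source address and an extended ACL that also tests destination, protocol and port) can be checked in a small simulator. The following Python is an added example written for this transcript, not code from the Cisco deck. It reuses the 172.16.2.0/24 network from the R2 Ethernet0 configuration above as the "server Ethernet"; the host addresses for Bob, Larry, Server 1 and Server 2, and the ACL entries themselves, are constructed for illustration and are not taken from the slides. It reproduces the problem noted under Standard ACL Example 1 (a source-only list that blocks Bob from Server 1 also blocks him from Server 2) and the two FTP/Web denials of Extended ACL Example 1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses (not from the slides). The 172.16.2.0/24
# server network is the subnet of R2's Ethernet0 in the transcript.
BOB = "172.16.1.10"
LARRY = "172.16.1.11"
SERVER1 = "172.16.2.10"
SERVER2 = "172.16.2.20"
SERVER_NET, SERVER_WC = "172.16.2.0", "0.0.0.255"
ANY, ANY_WC = "0.0.0.0", "255.255.255.255"


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test.

    A 0 bit in the wildcard means that bit must match the ACL address;
    a 1 bit means 'don't care'. So the address matches when every bit
    that differs from acl_addr is covered by a 1 bit in the wildcard.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = ~w & 0xFFFFFFFF
    return (a ^ b) & care_bits == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp"; "ip" = unspecified
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Entry:
    """One access-list line. A standard ACL entry leaves dst as None."""
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"      # 0.0.0.0 wildcard == 'host'
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # 'eq <port>'; None matches any port

    def matches(self, p: Packet) -> bool:
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if self.dst is not None and not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


def standard_example() -> dict:
    """Standard ACL Example 1: 'deny host Bob' then 'permit any', applied on R1.

    A standard list tests only the source address, so it cannot tell
    Bob-to-Server-1 from Bob-to-Server-2: both are denied.
    """
    acl = [Entry("deny", BOB), Entry("permit", ANY, ANY_WC)]
    return {
        "bob_to_server1": evaluate(acl, Packet(BOB, SERVER1)),
        "bob_to_server2": evaluate(acl, Packet(BOB, SERVER2)),
    }


def extended_example() -> dict:
    """Extended ACL Example 1: deny Bob FTP to the server Ethernet,
    deny Larry Web to Server 1, permit everything else."""
    acl = [
        Entry("deny", BOB, dst=SERVER_NET, dst_wc=SERVER_WC, proto="tcp", dport=21),
        Entry("deny", LARRY, dst=SERVER1, proto="tcp", dport=80),
        Entry("permit", ANY, ANY_WC, dst=ANY, dst_wc=ANY_WC),
    ]
    return {
        "bob_ftp_server1": evaluate(acl, Packet(BOB, SERVER1, "tcp", 21)),
        "bob_http_server1": evaluate(acl, Packet(BOB, SERVER1, "tcp", 80)),
        "larry_http_server1": evaluate(acl, Packet(LARRY, SERVER1, "tcp", 80)),
        "larry_ftp_server1": evaluate(acl, Packet(LARRY, SERVER1, "tcp", 21)),
        "larry_http_server2": evaluate(acl, Packet(LARRY, SERVER2, "tcp", 80)),
    }


if __name__ == "__main__":
    print("standard:", standard_example())
    print("extended:", extended_example())
```

The standard result shows why the deck says standard ACLs belong near the destination: with only the source to test, the list must sit where it can no longer affect traffic to other destinations. The extended list can be placed near the source because each entry already names the destination, protocol and port it applies to. Note also that an empty list denies everything; this is the implicit deny that a misordered or incomplete ACL silently relies on.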
Extended ACL - Example 2
Requirement:
1. Sam is not allowed access to Bugs or Daffy.
2. Hosts on the Seville Ethernet are not allowed access to hosts on Yosemite Ethernet.
3. All other combinations are allowed.
Extended ACL - Example 2
At Yosemite: