
1 Access Control Lists

2 Types
- Standard
- Extended

3 Standard ACLs
- Use only the packet's source address for comparison.
- Numbered 1-99 (and 1300-1999 in the expanded range).

4 Extended ACLs
Provide more precise (finer-tuned) packet selection based on:
- Source and destination addresses
- Protocol
- Port numbers
Numbered 100-199 (and 2000-2699 in the expanded range).

5 Steps to Create an ACL
1. Create the ACL in global configuration mode (access-list ...).
2. Assign it to an interface (ip access-group ... in interface configuration mode).
3. Decide the direction: in or out.
An ACL that has been created but not assigned to an interface filters nothing.

6 How do ACLs work?
- Processing occurs line by line from top to bottom; the first line that matches decides, and later lines are not consulted.
- New lines are added at the end of the current numbered list; to put a more specific line ahead of a general one, the list has to be rebuilt in the right order.
- The last line of every ACL is an implicit deny any.

7 How does a Standard ACL work?
If the source IP address matches a line, that line's permit or deny statement is processed:
- Permit: the packet is forwarded.
- Deny: the packet is dropped.
Implicit deny: if a packet's address matches no earlier statement, the implicit deny any at the end of every ACL applies and the packet is dropped. A list made up only of deny statements therefore blocks all traffic, so a list that is meant to let anything through must end with an explicit permit for that traffic.

8 Wildcard Masks
Used to specify, bit by bit, which parts of an address are compared when filtering. A 1 bit means ignore this bit, a 0 bit means it must match (the inverse of a subnet mask). For example, a wildcard mask of 0.0.255.255 examines only the first two octets of the address.

9 Global Standard ACL command
access-list access-list-number {permit | deny} source-ip-address wildcard-mask [log]
log: causes each packet that matches this statement to generate a log entry recorded by the router. Logging is CPU-intensive on the router, so apply it to selected deny lines rather than to every statement.

10 Examples of Standard ACLs
To permit all packets from a network number:
access-list 20 permit network-number wildcard-mask

11 Examples Contd
To permit traffic from a single host only (wildcard 0.0.0.0 means every bit must match):
access-list 20 permit host-ip-address 0.0.0.0

12 Examples Contd
To permit traffic from any source address (wildcard 255.255.255.255 ignores every bit):
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any

13 Examples Contd
To permit traffic from a range of consecutive subnets:
access-list 20 permit network-number wildcard-mask
The wildcard mask carries 1 bits in every position that varies across the range, so a single line can only cover a contiguous block whose size is a power of two and that starts on a boundary of that size.

14 Identical Statements
access-list 22 permit 0.0.0.0 255.255.255.255
access-list 22 permit any

15 Identical Statements
access-list 23 permit host-ip-address 0.0.0.0
access-list 23 permit host host-ip-address

16 How does an Extended ACL work?
All conditions on a line must match. The tests are applied in this order:
1. Source address
2. Destination address
3. Protocol
4. Port number or protocol options
Then the permit or deny decision for that line is made.

17 Extended ACL command
access-list number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask [eq port-number] [log]
The port condition (eq; IOS also accepts lt, gt, neq and range) is only meaningful when the protocol is tcp or udp; for ip or icmp it is left out.
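The following is an added example, not code from the slides: a small Python model of the matching rules from slides 6-8 and 16-17, which also reproduces the identical-statement pairs from slides 12, 14 and 15 by rendering entries as IOS commands. It implements wildcard-mask matching (1 bits ignored, 0 bits compared), top-down first-match processing with the implicit deny, and the extended-ACL test sequence. The ACL numbers, addresses and packets are constructed for the demo, and the entry representation (Entry, evaluate, to_ios) is this example's own, not an IOS API.

```python
"""Toy evaluator for Cisco-style numbered ACLs (added example, not from the slides).
Models wildcard-mask matching, top-down first-match processing, the implicit deny
at the end of every list, and the extended-ACL order of tests. All addresses,
ACL numbers and packets below are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is ignored
HOST_WC = "0.0.0.0"                    # "host": every bit must match


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not ignore."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF          # 1 = compare this bit
    return (ip_int(addr) & care) == (ip_int(base) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF if prefix_len else 0
    return str(IPv4Address(~subnet_mask & 0xFFFFFFFF))


def is_standard(number: int) -> bool:
    """Standard ACL numbers are 1-99 and 1300-1999; others are treated as extended."""
    return 1 <= number <= 99 or 1300 <= number <= 1999


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"            # extended only; "ip" matches every protocol
    dst: str = ANY[0]               # extended only
    dst_wc: str = ANY[1]
    eq_port: Optional[int] = None   # extended only: destination port for "eq"
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        """All conditions must hold: source, destination, protocol, then port."""
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.protocol == "ip" or pkt["proto"] == self.protocol)
                and (self.eq_port is None or pkt.get("dport") == self.eq_port))

    def to_ios(self, number: int) -> str:
        """Render as the IOS global-config command, using the any/host shorthands."""
        def addr(a: str, wc: str) -> str:
            if wc == ANY[1]:
                return "any"
            return f"host {a}" if wc == HOST_WC else f"{a} {wc}"
        if is_standard(number):
            body = f"{self.action} {addr(self.src, self.src_wc)}"
        else:
            body = (f"{self.action} {self.protocol} "
                    f"{addr(self.src, self.src_wc)} {addr(self.dst, self.dst_wc)}")
            if self.eq_port is not None:
                body += f" eq {self.eq_port}"
        return f"access-list {number} {body}" + (" log" if self.log else "")


def evaluate(acl: List[Entry], pkt: dict) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; (action, line), line None = implicit deny fired."""
    for lineno, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, lineno
    return "deny", None


# Constructed configuration (assumed addresses, not the slides' own).
ACL_20 = [   # standard: block one host, permit the rest of 172.16.0.0/16
    Entry("deny", "172.16.3.7", HOST_WC),
    Entry("permit", "172.16.0.0", prefix_to_wildcard(16)),
]
ACL_101 = [  # extended: only web traffic from that /16 to one server
    Entry("permit", "172.16.0.0", "0.0.255.255", "tcp", "192.168.1.10", HOST_WC, 80),
    Entry("deny", *ANY, "ip", *ANY, log=True),   # explicit deny so drops are logged
]


def demo() -> dict:
    """Run constructed packets through both lists."""
    host = {"src": "172.16.3.7", "dst": "192.168.1.10", "proto": "tcp", "dport": 80}
    peer = {"src": "172.16.9.1", "dst": "192.168.1.10", "proto": "tcp", "dport": 80}
    telnet = dict(peer, dport=23)
    outsider = {"src": "10.0.0.5", "dst": "192.168.1.10", "proto": "udp", "dport": 53}
    return {
        "std_host": evaluate(ACL_20, host),             # denied by line 1
        "std_peer": evaluate(ACL_20, peer),             # permitted by line 2
        "std_outsider": evaluate(ACL_20, outsider),     # implicit deny, no line
        "std_reordered": evaluate(ACL_20[::-1], host),  # permit first: host never blocked
        "ext_web": evaluate(ACL_101, peer),             # permitted by line 1
        "ext_telnet": evaluate(ACL_101, telnet),        # denied (and logged) by line 2
    }


if __name__ == "__main__":
    print("\n".join([e.to_ios(20) for e in ACL_20] + [e.to_ios(101) for e in ACL_101]))
    print(demo())
```

The "std_reordered" case is the one worth studying: with the permit for the whole /16 placed first, the deny for the single host is never reached, which is why the more specific line has to come first in a top-down list. Rendering Entry("permit", "0.0.0.0", "255.255.255.255") and Entry("permit", "172.16.3.7", "0.0.0.0") with to_ios gives "permit any" and "permit host 172.16.3.7", the identical-statement pairs the slides show.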

18 Some Protocols with Port Numbers
An extended ACL line names the transport protocol as well as the port, so both are listed:
- FTP (control channel): TCP 21
- Telnet: TCP 23
- SMTP: TCP 25
- DNS: TCP and UDP 53
- TFTP: UDP 69
- HTTP (WWW): TCP 80
- POP3: TCP 110
- SNMP: UDP 161

19 Major differences
Standard ACL: uses only the source address and requires fewer CPU cycles. Place it as close to the destination as possible; because it cannot see the destination, placing it near the source would also block that source's traffic to every other destination.
Extended ACL: more flexible and requires more CPU cycles. Place it as close to the source as possible, which keeps undesired traffic and the ICMP messages it generates off the network backbone.

20 Do I place an ACL in?
In: requires less CPU processing, because the filtering decision is made before the routing table is consulted, so a denied packet is dropped without a routing lookup.

21 Do I place an ACL out?
Out: the routing decision has already been made and the packet has been switched to the proper outbound interface before it is tested against the access list. If no direction is given when the list is applied with ip access-group, it is applied outbound.
