Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control List (ACL)

Published byChester Bridges Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control List (ACL)"— Presentation transcript:

1 Access Control List (ACL)
W.lilakiatsakun

2 Transport Layer Review (1)
TCP (Transmission Control Protocol) HTTP (Web) SMTP (Mail) UDP (User Datagram Protocol) DNS (Domain Name Service) SNMP (Simple Management Protocol)

3 Transport Layer Review (2)

4 Transport Layer Review (3)
TCP Port

5 Transport Layer Review (4)
UDP Port

6 Transport Layer Review (5)
TCP/UDP Common Port

7 Packet Filtering (1) To controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. A router acts as a packet filter when it forwards or denies packets according to filtering rules.

8 Packet Filtering (2)

9 Packet Filtering (3)

10 Packet Filtering (4) A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.

11 Packet Filtering (5) - Only permit web access to users from network A.
Deny web access to users from network B, Permit them Network B to have all other access."

12 ACL (Access Control List) (1)
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

13 ACL (Access Control List) (2)

14 ACL (Access Control List) (3)

15 ACL guideline (1) Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

16 ACL guideline (2) Configure ACLs on border routers-routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

17 ACL Operation (1) Inbound ACLs Outbound ACLs
Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. Outbound ACLs Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

18 ACL Operation (2) Inbound ACLs

19 ACL Operation (3) Outbound ACLs

20 ACL Operation (4)

21 Type of CISCO ACL

22 Standard ACL (1) The two main tasks involved in using ACLs are as follows: Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines.

23 Numbering and Naming ACL

24 Where to Place ACL (1) Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

25 Where to Place ACL (2) Standard ACL

26 Where to Place ACL (3) Extended ACL

27 ACL Best Practice (1)

28 ACL Criteria (1)

29 Configuring Standard ACL (1)
Access Control Condition Permit IP from network /24 except Permit IP from network /8 except /16 access-list 2 deny access-list 2 permit access-list 2 deny access-list 2 permit

30 Configuring Standard ACL (2)

31 Configuring Standard ACL (3)

32 Configuring Standard ACL (4)
Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] Removing ACL

33 Configuring Standard ACL (5)
Documenting ACL

34 ACL Wildcard Masking (1)
Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit 0 - Match the corresponding bit value in the address Wildcard mask bit 1 - Ignore the corresponding bit value in the address

35 ACL Wildcard Masking (2)

36 ACL Wildcard Masking (3)

37 ACL Wildcard Masking (4)

38 ACL Wildcard Masking (5)

39 ACL Wildcard Masking (6)

40 Apply Standard ACL (1)

41 Apply Standard ACL (2)

42 Apply Standard ACL (3)

43 Apply Standard ACL (4)

44 Apply Standard ACL (5)

45 Commenting ACL

46 Named ACL (1)

47 Named ACL (2)

48 Verifying ACL

49 Extended ACL (1) Extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL.

50 Extended ACL (2)

51 Extended ACL (2)

52

53 Configuring Extended ACL (1)
The network administrator needs to restrict Internet access to allow only website browsing. ACL 103 applies to traffic leaving the network ACL 104 to traffic coming into the network.

54 Configuring Extended ACL (2)

55 Configuring Extended ACL (3)
ACL 103 accomplishes the first part of the requirement. It allows traffic coming from any address on the network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.

56 Configuring Extended ACL (4)
ACL 104 does that by blocking all incoming traffic, except for the established connections. HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages.

57 Configuring Extended ACL (5)
The established parameter allows responses to traffic that originates from the /24 network to return inbound on the s0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection.

58 Apply Extended ACL (1)

59 Apply Extended ACL (2)

60 Apply Extended ACL (3)

61 Named Extended ACL

62 Complex ACL

63 Dynamic ACL (1) AKA lock-and-key ACL
Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists.

64 Dynamic ACL (2)

65 Dynamic ACL (3)

66 Reflexive ACL (1) Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.

67 Reflexive ACL (2)

68 Reflexive ACL (3)

69 Time Based ACL (1) Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week.

70 Time Based ACL (2)

71 Time Based ACL (3)

72 Troubleshooting ACL (1)

73 Troubleshooting ACL (2)
UDP

74 Troubleshooting ACL (3)

75 Troubleshooting ACL (4)

76 Troubleshooting ACL (5)

Download ppt "Access Control List (ACL)"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. CCNA ACLs Deepdive February, 2012 Jaskaran Kalsi Assoc. Technical Manager.

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. CCNA ACLs Deepdive February, 2012 Jaskaran Kalsi Assoc. Technical Manager.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Similar presentations

Ads by Google