Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.

Published byMagnus Mitchell Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching."— Presentation transcript:

1 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching in the Enterprise – Chapter 8

2 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 2 Objectives  Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.  Analyze the use of wildcard masks.  Configure and implement ACLs.  Create and apply ACLs to control specific types of traffic.  Log ACL activity and integrate ACL best practices.

3 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 3 A typical TCP Conversation

4 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 4 TCP Port Numbers

5 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 5 UDP Port Numbers

6 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 6 What is an ACL

7 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 7 Traffic Filtering  Analyze the contents of a packet  Allow or block the packet  Based on source IP, destination IP, MAC address, protocol, application type

8 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 8 Traffic Filtering Devices providing traffic filtering:  Firewalls built into integrated routers  Dedicated security appliances  Servers

9 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 9 Uses for ACLs:  Specify internal hosts for NAT  Classify traffic for QoS  Restrict routing updates, limit debug outputs, control virtual terminal access Traffic Filtering

10 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 10 Traffic Filtering Possible issues with ACLs:  Increased load on router  Possible network disruption

11 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 11 Describe Traffic Filtering  Standard ACLs filter based on source IP address  Extended ACLs filter on source and destination, as well as protocol and port number  Named ACLs can be either standard or extended

12 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 12 Describe Traffic Filtering  ACLs consist of statements  At least one statement must be a permit statement  Final statement is an implicit deny  ACL must be applied to an interface in order to work

13 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 13 Describe Traffic Filtering  ACL is applied inbound or outbound  Direction is from the router’s perspective  Each interface can have one ACL per direction for each network protocol

14 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 14 Inbound ACLs Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

15 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 15 Outbound ACLs Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

16 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 16 Analyze the Use of Wildcard Masks  Wildcard mask can block a range of addresses or a whole network with one statement  0s indicate which part of an IP address must match the ACL  1s indicate which part does not have to match specifically

17 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 17 Analyze the Use of Wildcard Masks  Use the host parameter in place of a 0.0.0.0 wildcard  Use the any parameter in place of a 255.255.255.255 wildcard

18 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 18 Wild card mask abbreviations host any

19 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 19 Wild card mask abbreviations host any

20 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 20 Standard ACL Example 1

21 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 21 Standard ACL Example 2

22 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 22 Standard ACL Example 3

23 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 23 Configure and Implement Access Control Lists  Determine traffic filtering requirements  Decide which type of ACL to use  Determine the router and interface on which to apply the ACL  Determine in which direction to filter traffic

24 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 24 Configure and Implement Access Control Lists: Numbered Standard ACL  Use access-list command to enter statements  Use the same number for all statements  Number ranges: 1-99, 1300-1999  Apply as close to the destination as possible

25 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 25 Configure and Implement Access Control Lists: Numbered Extended ACL  Use access-list command to enter statements  Use the same number for all statements  Number ranges: 100-199, 2000-2699  Specify a protocol to permit or deny  Place as close to the source as possible

26 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 26 Configure and Implement Access Control Lists: Named ACLs  Descriptive name replaces number range  Use ip access-list command to enter initial statement  Start succeeding statements with either permit or deny  Apply in the same way as standard or extended ACL

27 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 27 Numbering and Naming ACLs  Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.  Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

28 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 28

29 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 29 Configure and Implement Access Control Lists: VTY access  Create the ACL in line configuration mode  Use the access-class command to initiate the ACL  Use a numbered ACL  Apply identical restrictions to all VTY lines

30 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 30 Standard ACL to control VTY Access

31 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 31 Editing ACLs in a text editor Paste Copy

32 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 32 Remarks in ACLs

33 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 33 Named ACL syntax

34 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 34 Named ACL Example

35 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 35 Show access-lists command

36 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 36 Adding lines to a Named access-lists

37 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 37 Create and Apply ACLs to Control Specific Types of Traffic  Use a specified condition when filtering on port numbers: eq, lt, gt  Deny all appropriate ports for multi-port applications like FTP  Use the range operator to filter a group of ports

38 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 38 Create and Apply ACLs to Control Specific Types of Traffic  Block harmful external traffic while allowing internal users free access  Ping: allow echo replies while denying echo requests from outside the network  Stateful Packet Inspection

39 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 39 Create and Apply ACLs to Control Specific Types of Traffic  Account for NAT when creating and applying ACLs to a NAT interface  Filter public addresses on a NAT outside interface  Filter private addresses on a NAT inside interface

40 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 40 Create and Apply ACLs to Control Specific Types of Traffic  Examine every ACL one line at a time to avoid unintended consequences

41 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 41 Create and Apply ACLs to Control Specific Types of Traffic  Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

42 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 42 Log ACL Activity and ACL Best Practices  Logging provides additional details on packets denied or permitted  Add the log option to the end of each ACL statement to be tracked

43 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 43 Log ACL Activity and ACL Best Practices Syslog messages:  Status of router interfaces  ACL messages  Bandwidth, protocols in use, configuration events

44 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 44 Log ACL Activity and ACL Best Practices  Always test basic connectivity before applying ACLs  Add deny ip any to the end of an ACL when logging  Use reload in 30 when testing ACLs on remote routers

45 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 45 Packet Tracer Labs

46 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 46 Additional Labs

47 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 47 Summary  ACLs enable traffic management and secure access to and from a network and its resources  Apply an ACL to filter inbound or outbound traffic  ACLs can be standard, extended, or named  Using a wildcard mask provides flexibility  There is an implicit deny statement at the end of an ACL  Account for NAT when creating and applying ACLs  Logging provides additional details on filtered traffic

48 © 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 48

Download ppt "© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)

1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
© 2002, Cisco Systems, Inc. All rights reserved..

© 2002, Cisco Systems, Inc. All rights reserved..

Similar presentations

Ads by Google