
1 Student Guide www.visioninfosystems.org Access List

2 INTRODUCTION TO SECURITY
Security is a required solution for a company to protect its network from various types of attacks and intruders. There are various solutions for security, such as firewalls, software, etc. Cisco has implemented a simple and easy-to-use security feature called an access-list.

3 INTRODUCTION TO ACCESS-LIST
An access-list is a list of conditions that controls the flow of traffic.
Access-lists help with packet filtering, traffic control, security, etc.
Used to permit or deny packets moving through the router.
Permit or deny Telnet (VTY) access to or from a router.

4 TYPES OF ACCESS-LIST
Standard Access List: only the source IP address is specified in the condition.
Extended Access List: conditions can contain source IP, destination IP, protocol field and port number.
Named Access List: functionally the same as standard and extended access lists, but identified by a name tag.

5 ACCESS-LIST RULES
Packets are compared to each line of the access list in sequential order.
Packets are compared with lines of the access list only until a match is made.
Once a match is made and acted upon, no further comparisons take place.
An implicit deny is at the end of each access list.
If no matches have been made, the packet will be discarded.

6 HOW ACCESS-LIST IS APPLIED
Inbound Access Lists: packets are processed before being routed to the outbound interface.
Outbound Access Lists: packets are routed to the outbound interface and then processed through the access list.

7 ACCESS-LIST GUIDELINES
One access list per interface, per protocol, per direction.
More specific tests at the top of the ACL.
New lines are added at the bottom of the ACL.
Individual lines cannot be removed.
End ACLs with a permit any command.
Create ACLs and then apply them to an interface.
ACLs do not filter traffic originated from the router.
Put Standard ACLs close to the destination.
Put Extended ACLs close to the source.

8 WILDCARDS
What are they? Used with access lists to specify a host, a network, or part of a network.

9 BLOCK SIZE
Block sizes: 64, 32, 16, 8, 4
Rules:
When specifying a range of addresses, choose the closest block size.
Each block size must start at 0.
A 0 in a wildcard means that octet must match exactly.
A 255 in a wildcard means that octet can be any value.
The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

10 SPECIFYING A RANGE OF SUBNETS
(Remember: specify a range of values in a block size)
Requirement: block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
Network number = 172.16.8.0
Wildcard = 0.0.7.255
**The wildcard is always one number less than the block size.
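The block-size and wildcard rules from the last three slides, as an added Python example (not part of the original slides): it derives a wildcard from a block size in a given octet, derives one from a CIDR prefix, checks the "each block size must start at 0" alignment rule, and performs the bitwise match a router does. Function names are my own; the addresses are the slides' own examples plus 192.168.10.170, a constructed misaligned value.

```python
import ipaddress

# Added example (not from the original slides): wildcard-mask arithmetic for
# Cisco-style access-list entries. All function names here are my own.


def _to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def block_size_to_wildcard(octet: int, block_size: int) -> str:
    """Wildcard for a block of `block_size` values in octet 1..4.

    Slide rule: the wildcard value is one less than the block size. Octets to
    the right of the block are fully masked (255); octets to the left must
    match exactly (0). 172.16.8.0-172.16.15.0 is octet 3, block 8 -> 0.0.7.255.
    """
    if octet not in (1, 2, 3, 4):
        raise ValueError("octet must be 1..4")
    if block_size not in (1, 2, 4, 8, 16, 32, 64, 128, 256):
        raise ValueError("block size must be a power of two, at most 256")
    parts = [0, 0, 0, 0]
    parts[octet - 1] = block_size - 1
    for i in range(octet, 4):          # everything right of the block: any value
        parts[i] = 255
    return ".".join(str(p) for p in parts)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard equivalent to a CIDR prefix, e.g. /21 -> 0.0.7.255 (the host mask)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def is_aligned(network: str, wildcard: str) -> bool:
    """'Each block size must start at 0': the network may not set any bit the
    wildcard marks as don't-care. 192.168.10.170 0.0.0.31 is misaligned."""
    return _to_int(network) & _to_int(wildcard) == 0


def matches(address: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: every bit where the wildcard is 0 must equal the
    network bit; 1 bits are ignored. 0.0.0.0 255.255.255.255 therefore equals `any`."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(network)) & care == 0


if __name__ == "__main__":
    print(block_size_to_wildcard(3, 8))                     # 0.0.7.255
    print(wildcard_from_prefix(21))                         # 0.0.7.255
    for host in ("172.16.8.1", "172.16.15.254", "172.16.16.1"):
        print(host, matches(host, "172.16.8.0", "0.0.7.255"))
    print(is_aligned("192.168.10.160", "0.0.0.31"))         # True
    print(is_aligned("192.168.10.170", "0.0.0.31"))         # False
```

The alignment check is the one worth keeping around: an entry such as 192.168.10.170 0.0.0.31 is accepted by the router but matches 192.168.10.160-191, not the range the author probably meant, so it is a common source of lists that are wider than intended.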

11 STANDARD IP ACCESS-LIST
In a standard access-list only the source address is specified.
Its number ranges from 1 – 99.
It is generally applied to the interface nearest the destination.

12 CREATING STANDARD ACCESS-LIST
Creating a standard IP access list:
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Permit or deny?
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Using the host command:
Router(config)#access-list 10 deny host 172.16.30.2

13 EXAMPLE - 1
Condition: Sales network cannot access marketing network. Others can access marketing network.
(Diagram: sales network 10.0.0.0/8, marketing network 20.0.0.0/8)
Router(config)#access-list 15 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 15 permit any
Router(config)#int ethernet2
Router(config-if)#ip access-group 15 out

14 EXAMPLE - 2
Condition: Human resource department can only access the human resources server located on the Lab_B router. Others are not allowed.
Lab_b(config)#access-list 11 permit 192.168.10.160 0.0.0.31
Lab_b(config)#access-list 11 deny any
Lab_b(config)#int ethernet0
Lab_b(config-if)#ip access-group 11 out

15 EXAMPLE - 3
Conditions (diagram: Internet):
Network 172.16.144.0 cannot access the internet; others can access the internet.
Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0.
Router(config)#access-list 10 deny 172.16.144.0 0.0.31.255
Router(config)#access-list 10 permit any
Router(config)#int serial 0
Router(config-if)#ip access-group 10 out
Router(config)#access-list 11 deny host 172.16.144.17
Router(config)#access-list 11 deny host 172.16.50.173
Router(config)#access-list 11 permit any
Router(config)#int Ethernet 3
Router(config-if)#ip access-group 11 out

16 VTY (TELNET) CONTROL
Why? Without an ACL any user can Telnet into the router via VTY and gain access.
Controlling access:
Create a standard IP access list permitting only the host/hosts authorized to Telnet into the router.
Apply the ACL to the VTY lines with the access-class command.

17 EXAMPLE
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

18 EXTENDED IP ACCESS-LIST
Allows you to choose:
IP source address
IP destination address
Protocol
Port number
Numbered 100-199

19 EXTENDED IP ACCESS-LIST STEPS
#1: Select the access list:
RouterA(config)#access-list 110
#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny
#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp
#4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any
#5: Choose the destination IP address:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
#6: Choose the type of service, port and logging:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

20 CONTINUE…
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
RouterA(config-if)#ip access-group 110 in
or
RouterA(config-if)#ip access-group 110 out

21 EXAMPLE - 1
Condition: Sales network cannot access marketing network. Others can access marketing network.
(Diagram: sales network 10.0.0.0/8, marketing network 20.0.0.0/8)
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip any any
Router(config)#int ethernet2
Router(config-if)#ip access-group 101 out

22 EXAMPLE - 2
Condition: Human resource department can only access the human resources server located on the Lab_B router. Others are not allowed.
Lab_b(config)#access-list 110 permit ip 192.168.10.160 0.0.0.31 192.168.10.192 0.0.0.31
Lab_b(config)#access-list 110 deny ip any any
Lab_b(config)#int ethernet0
Lab_b(config-if)#ip access-group 110 out

23 EXAMPLE - 3
Conditions (diagram: Internet):
Network 172.16.144.0 cannot access the FTP service on the internet; others can.
Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0.
Router(config)#access-list 110 deny tcp 172.16.144.0 0.0.31.255 any eq 21
Router(config)#access-list 110 permit tcp any any
Router(config)#int serial 0
Router(config-if)#ip access-group 110 out
Router(config)#access-list 111 deny ip host 172.16.144.17 172.16.92.0 0.0.7.255
Router(config)#access-list 111 deny ip host 172.16.50.173 172.16.92.0 0.0.7.255
Router(config)#access-list 111 permit ip any any
Router(config)#int Ethernet 3
Router(config-if)#ip access-group 111 out
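The access-list rules from slide 5 (top-down, first match wins, implicit deny at the end) applied to the two extended lists on this slide, as an added Python simulator that is not part of the original slides. It models an IOS numbered list as a sequence of entries and traces constructed packets through them; the Entry/Packet classes and the `evaluate` function are my own, and 198.51.100.0/24 (documentation address space) stands in for "the internet".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original slides): a small simulator of how IOS
# evaluates a numbered access list, used to trace the slide-23 lists against
# constructed packets. Class and function names are my own.


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must match the network; 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(network)) & care == 0


ANY = ("0.0.0.0", "255.255.255.255")     # the `any` keyword spelled out


def host(ip: str) -> Tuple[str, str]:
    """The `host` keyword: an exact match, i.e. wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches everything; else "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # an `eq N` on the destination, if present


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, line number); a line number
    of None means no entry matched and the implicit deny at the end applied."""
    for line_no, e in enumerate(acl, start=1):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, line_no
    return "deny", None


# Slide 23's lists, transcribed into Entry objects.
ACL_110 = [
    Entry("deny", "tcp", "172.16.144.0", "0.0.31.255", *ANY, dst_port=21),
    Entry("permit", "tcp", *ANY, *ANY),
]
ACL_111 = [
    Entry("deny", "ip", *host("172.16.144.17"), "172.16.92.0", "0.0.7.255"),
    Entry("deny", "ip", *host("172.16.50.173"), "172.16.92.0", "0.0.7.255"),
    Entry("permit", "ip", *ANY, *ANY),
]


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.7 is a placeholder internet host.
    samples = [
        ("ACL 110", ACL_110, Packet("tcp", "172.16.144.17", "198.51.100.7", 21)),
        ("ACL 110", ACL_110, Packet("tcp", "172.16.144.17", "198.51.100.7", 80)),
        ("ACL 110", ACL_110, Packet("udp", "172.16.50.1", "198.51.100.7", 53)),
        ("ACL 111", ACL_111, Packet("icmp", "172.16.50.173", "172.16.95.9")),
        ("ACL 111", ACL_111, Packet("icmp", "172.16.50.174", "172.16.95.9")),
    ]
    for name, acl, pkt in samples:
        action, line = evaluate(acl, pkt)
        where = f"line {line}" if line else "implicit deny"
        print(f"{name}: {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dst_port} => {action} ({where})")
```

The third sample packet shows why the slide-5 rules matter when reading a list: the slide's final entry is `permit tcp any any`, so a DNS query over UDP matches nothing and is dropped by the implicit deny, even though the stated condition only concerned FTP. Whether that is the intended outcome is a question to settle before the list goes on an interface; `show access-list 110` after deployment (slide 25) shows per-line match counters that make such silent drops visible.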

24 NAMED ACCESS-LIST
Another way to create standard and extended access lists.
Allows the use of descriptive names to ease network management.
Syntax changes:
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any

25 MONITORING IP ACCESS-LIST
show access-list: displays all access lists and their parameters
show access-list 110: shows only the parameters for access list 110
show ip access-list: shows only the IP access lists configured
show ip interface: shows which interfaces have access lists set
show running-config: shows the access lists and which interfaces have access lists set

