Presentation is loading. Please wait.

Presentation is loading. Please wait.

WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11."— Presentation transcript:

1 WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11

2 Contents Introduction ACLs Operation Wildcard Mask Standard ACLs Extended ACLs Named ACLs

3 Introduction Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs can be as simple as a single line intended to permit packets from a specific host, or they can be extremely complex sets of rules and conditions that can precisely define traffic and shape the performance of router processes.

4 Introduction ACLs enable management of traffic and secure access to and from a network. ACLs can be created for all routed network protocols ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces ACLs must be defined on a per-protocol, per direction, or per port basis A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic

5 Introduction ACLs Checking

6 Introduction Primary reasons to create ACLs: Limit network traffic and increase network performance. Provide traffic flow control. Provide a basic level of security for network access. Decide which types of traffic are forwarded or blocked

7 ACLs Operation An ACL is a group of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. The order in which ACL statements are placed is important. Once a match is found in the list, no other ACL statements are checked. If an ACL exists, the packet is now tested against the statements in the list. If the packet matches a statement, the action of accepting or rejecting the packet is performed. If all the ACL statements are unmatched, an implicit "deny any" statement is placed at the end of the list by default.

8 ACLs Operation

9 ACLs are created in the global configuration mode. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. The number must fall within the specific range of numbers that is valid for that type of list.

10 ACLs Operation Create Access List Router(config)#access-list access-list-number {permit | deny} {test-conditions} Assign to Interface Router(config-if)#{protocol} access-group access- list-number { in | out } Delete Access-List Router(config)# no access-list access-list-number

11 ACLs Operation Basic rules on creating and applying access lists: One access list per protocol per direction. Standard access lists should be applied closest to the destination. Extended access lists should be applied closest to the source. There is an implicit deny at the end of all access lists. Access list entries should filter in the order from specific to general. An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.

12 ACLs Operation Router#show ip interface displays IP interface information and indicates whether any ACLs are set. Router#show access-lists displays the contents of all ACLs on the router. Router#show running-config reveal the access lists on a router and the interface assignment information.

13 Wildcard Mask A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. Wildcard masks are designed to filter individual or groups of IP addresses permitting or denying access to resources based on the address. Zero (0)means let the value through to be checked One (1) or X means block the value from being compared. Any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. If no wildcard mask, the default mask is used, which is 0.0.0.0.

14 Wildcard Mask

15 any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. host option substitutes for the 0.0.0.0 mask. This mask requires that all bits of the ACL address and the packet address match

16 Standard ACLs Standard ACLs check the source address of IP packets that are routed. It permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. Standard ACL with a number in the range of 1 to 99 (1300 to 1999 in recent IOS). Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ] [log] Standard access lists should be applied closest to the destination.

17 Extended ACLs Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0 destinations, while denying file transfers and web browsing. Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt), Extended ACLs use an access-list-number in the range 100 to 199 (2000 to 2699 in recent IOS). Extended access lists should be applied closest to the source.

18 Extended ACLs

19 Named ACLs IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. Advantages Intuitively identify an ACL using an alphanumeric name. Eliminate the limit of 798 simple and 799 extended ACLs Provide the ability to modify ACLs without deleting and then reconfiguring them.

20 Named ACLs Create Named ACLs

21 Named ACLs Restricting virtual terminal access Applying the ACL to a terminal line requires the access-class command instead of the access-group command. When controlling access to an interface, a name or number can be used. Only numbered access lists can be applied to virtual lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them

22 Named ACLs Creating Virtual Terminal Access List

23

Download ppt "WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
What is access control list (ACL)?

What is access control list (ACL)?
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 Access Control Lists - Introduction.

CISCO NETWORKING ACADEMY Chabot College ELEC Access Control Lists - Introduction.

Similar presentations

Ads by Google