Access Control Lists Written by Bill Reed 03/11/05.


Slide 1: Access Control Lists (title slide)

Slide 2: Overview
During this presentation we will:
- Discuss the usage of ACLs in our networks
- Look at the syntax of the ACL commands
- Examine the application of our ACLs
- Explore the mechanisms behind the wildcard mask
- Test our understanding with some exercises

Slide 3: ACL usage
- ACLs are used to regulate the traffic that can traverse our networks
- This can be for security reasons, such as limiting access to restricted network segments and the systems within them
- ACLs can also be used to filter routing protocol updates on segments where they are unnecessary or undesirable

Slide 4: ACL command syntax
access-list 101 <condition> <protocol> <source IP> <WCM> <destination IP> <WCM> <port / service>
- Condition = permit or deny
- Protocol = IP, ICMP, TCP, UDP
- Source IP & WCM = 192.168.0.55 0.0.0.255
- Dest IP & WCM = 100.50.50.50 0.255.255.255
- Port / Service = 80 or HTTP, 21 or FTP

Slide 5: ACL application rules
- Access control lists are all about matching
- Access control list entries are applied in the order that they are written
- Once an ACL entry's parameters are matched, that entry's condition is applied and no further entries are checked
- There is an unseen entry created whenever an ACL is compiled, called the explicit deny rule
- The explicit deny acts as a catch-all at the end of the ACL
- ACLs have restrictions regarding editing

Slide 6: Wildcard Masks
The basic rules for WCMs are very simple:
- 0 = must match
- 1 = I don't care
By comparing the individual bits of our WCM with the addresses of the traffic passing through the interface, the WCM tries to match the mask with the address.

192.168.0.55 = 11000000 10101000 00000000 00110111
0.0.0.255    = 00000000 00000000 00000000 11111111

Slide 7: Wildcard Masks
Address in packet = 192.168.0.10 = 11000000 10101000 00000000 00001010
Address in ACL    = 192.168.0.55 = 11000000 10101000 00000000 00110111
Wildcard mask     = 0.0.0.255    = 00000000 00000000 00000000 11111111
0 = must match, 1 = I don't care: the first three octets must match, and they do, so the packet matches the ACL entry.

Slide 8: Wildcard Masks
- WCMs can also specify ranges of addresses as well as individual addresses
- Range-based WCMs are built on contiguous ones in our binary masks
- 1, 3, 7, 15, 31, 63 are all acceptable values for our range statements in the WCM
- The basic rules still apply: 0 = must match, 1 = I don't care

Slide 9: Wildcard Masks
Given a mask of 0.0.0.3: 3 = 00000011
Remember, 1 means "I don't care", so any combination of values in the least significant 2 bits will match the ACL, i.e. 00 / 01 / 10 / 11.
This leads to an octet value of anything between 0 and 3 (relative to the address in the ACL) matching the ACL and the condition being applied.

Slide 10: Wildcard Masks
7  = 00000111   values between 0 & 7 will match
15 = 00001111   values between 0 & 15 will match
31 = 00011111   values between 0 & 31 will match
What will a WCM of 0.0.0.254 match when applied to an address of 192.168.0.1?

Slide 11: Applying the ACL
- Once our ACL is written we only need to apply it to the interface and specify the direction in which traffic will be interrogated
- We use the interface command ip access-group followed by the number of the ACL to apply it to the interface
- On the end of that ip access-group statement we specify the direction with the keyword in or out
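Added example, not part of the presentation: a small Python model of the matching rules from slides 4 to 11 (wildcard-mask bits, entries tested in written order, the unseen deny at the end). The ACL entry is constructed from slide 4's sample values; function names and the tuple layout are my own.

```python
from typing import List, Optional, Tuple

def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    o = [int(x) for x in dotted.split(".")]
    assert len(o) == 4 and all(0 <= x <= 255 for x in o)
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def wcm_match(packet_addr: str, acl_addr: str, wcm: str) -> bool:
    """Slide rule: mask bit 0 = must match, 1 = don't care,
    so only the bits where the mask is 0 are compared."""
    care = ~to_int(wcm) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)

def is_contiguous(wcm: str) -> bool:
    """True for range masks built from contiguous low-order ones
    (0.0.0.3, 0.0.0.31, ...): mask + 1 is then a power of two."""
    m = to_int(wcm)
    return (m & (m + 1)) == 0

def match_range(acl_addr: str, wcm: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous mask will match."""
    assert is_contiguous(wcm)
    low = to_int(acl_addr) & ~to_int(wcm) & 0xFFFFFFFF
    return to_dotted(low), to_dotted(low | to_int(wcm))

def evaluate(acl: list, proto: str, src: str, dst: str,
             dport: Optional[int]) -> str:
    """Entries are tested in the order written; the first full match
    decides; anything unmatched hits the unseen deny at the end."""
    for action, protocol, s, s_wcm, d, d_wcm, port in acl:
        if protocol != "ip" and protocol != proto:   # 'ip' covers any
            continue
        if not (wcm_match(src, s, s_wcm) and wcm_match(dst, d, d_wcm)):
            continue
        if port is not None and port != dport:       # None = any port
            continue
        return action
    return "deny"

# Constructed from slide 4's sample values (fields in slide order):
# access-list 101 permit tcp 192.168.0.55 0.0.0.255 100.50.50.50 0.255.255.255 eq 80
ACL_101 = [("permit", "tcp", "192.168.0.55", "0.0.0.255",
            "100.50.50.50", "0.255.255.255", 80)]
```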

Slide 12: Exercise
