Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access-Lists Securing Your Router and Protecting Your Network.

Published byRuby Jessica McCormick Modified over 8 years ago

Similar presentations

Presentation on theme: "Access-Lists Securing Your Router and Protecting Your Network."— Presentation transcript:

1 Access-Lists Securing Your Router and Protecting Your Network

2 Reasons to use Access-Lists (ACLs) To filter traffic coming into and leaving your network. Securing access to your router. Restrict contents of routing updates Traffic flow control. Plus many other reasons…we will focus on the first two for this class.

3 What is an ACL Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces.  Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.  Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

4 Why You Should Configure Access Lists? You should use access lists to secure access for remote users, SNMP access, NTP or any other services that allow read and write access to all or part of your router.  Password/user authentication is enhanced when the traffic can only come from certain ip addresses or specified ranges. You should use access lists to provide a basic level of security for accessing your network.  If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

5 Standard Vs. Extended Access Lists Standard IP access lists use source addresses for matching operations. Extended IP access lists use source and destination addresses for matching operations, and optional protocol type information for finer granularity of control.  Extended ACLs require a greater knowledge of your network’s operation and networking in general. A poorly designed ACL can cause many problems for the users and the technical staff.

6 Planning your ACLs Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general most protocols require at least two basic steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.  Creating Access Lists  Applying Access lists to interfaces

7 Creating Access Lists Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic. To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet-filtering criteria. A single access list can have multiple filtering criteria statements.

8 Assigning a Unique Name or Number to Each Access List When configuring access lists on a router, you must identify each access list uniquely within a protocol, by assigning either a name or a number to the protocol's access list. Either a name or a number can identify some protocols. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

9 ACL Numbers IP 1 to 99 Extended IP 100 to 199 Ethernet type code 200 to 299 Ethernet address 700 to 799 Transparent bridging (protocol type) 200 to 299 Transparent bridging (vendor code) 700 to 799 Extended transparent bridging 1100 to 1199 DECnet and extended DECnet 300 to 399 XNS 400 to 499 Extended XNS 500 to 599 AppleTalk 600 to 699 Source-route bridging (protocol type) 200 to 299 Source-route bridging (vendor code) 700 to 799 IPX 800 to 899 Extended IPX 900 to 999 IPX SAP 1000 to 1099

10 Assigning a Unique Name or Number to Each Access List Apollo Domain IP IPX ISO CLNS NetBIOS IPX Source-route bridging NetBIOS

11 Defining Criteria for Forwarding or Blocking Packets When creating an access list, you define criteria, which are applied to each packet that is processed by the router; the router decides whether to forward or block each packet based on whether or not the packet matches the criteria. Typical criteria you define in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. For a single access list, you can define multiple criteria in multiple, separate access list statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same access list.  You can have as many criteria statements as you want, limited only by the available memory.  Of course, the more statements you have, the more difficult it will be to comprehend and manage your access lists.

12 The Order of Things… Each additional criteria statement that you enter is appended to the end of the access list statements. You cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

13 The Implicit Deny At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked. This also requires that you specifically put in your permit statements. Do not assume that the router will understand that you only want to deny one thing and let everything else through.  The router wants ACLs to be as strict as possible!

14 Wildcard Masks (aka Inverse Masks) Wildcard Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks to configure IP addresses on interfaces start with 255 and have the large values on the left side (for example, IP address 209.165.202.129 with a 255.255.255.224 mask). Masks for IP ACLs are the reverse (for example, mask 0.0.0.255). This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care".

15 Creating Standard and Extended Access Lists Step 1  access-list access-list-number remark  Indicates the purpose of the deny or permit statement.  Example; access-list 2 permit 10.0.0.0

16 Creating Standard and Extended Access Lists Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard  Defines an extended IP access list number and the access conditions.  Example access-list 102 permit tcp 10.0.0.0 0.255.255.255 11.0.0.0 0.255.255.255

17 Creating Standard and Extended Access Lists In addition to defining ACL source and destination, it is possible to define ports, ICMP message types, and other parameters.  access-list 102 permit tcp host 10.1.1.1 host 172.16.1.1 eq ? bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514)

18 Applying Access Lists After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces  Out - Traffic that has already been through the router and is leaving the interface; the source would be where it's been (on the other side of the router) and the destination is where it's going.  In - Traffic that is arriving on the interface and which will go through the router; the source would be where it's been and the destination is where it's going (on the other side of the router).

19 Applying Access Lists To control access to a virtual terminal line and the addresses in an access list, use the following command in line configuration mode. Only numbered access lists can be applied to lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.  access-class access-list-number {in | out}  Example access-class 9 in

20 Applying Access Lists To control access to an interface, use the following command in interface configuration mode. ip access-group {access-list-number | name} {in | out}  Example ip access-group 102 in

21 Access-lists For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.  Note that ICMP messages sent from your network can be used against you. They are useful to hackers for mapping your network, determining the devices that you are using, etc. For more information see: http://www.spirit.com/Network/net0700.html http://www.spirit.com/Network/net0700.html

22 Access-lists For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.  Note that ICMP messages sent from your network can be used against you. They are useful to hackers for mapping your network, determining the devices that you are using, etc. For more information see: http://www.spirit.com/Network/net0700.html http://www.spirit.com/Network/net0700.html

23 Applying Access Lists When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.

24 Access-list examples Applying the list to a line  interface line vty 0 4  ip access-class 2 in (access lists are designated out by default) Standard Access-list  access-list 2 permit (allowed IP address)  access-list 2 deny any any. (This line is not needed because all access lists have an implicit deny all by default)

25 Access-list examples Extended Access-lists  access-list 102 permit tcp (ip address wildcard mask)(ip address wildcard mask) gt 1023  access-list 102 permit tcp (ip address wildcard mask)(ip address wildcard mask) eq 25  access-list 102 permit icmp (ip address wildcard mask)(ip address wildcard mask)

26 Access-list examples Applying the list to an interface  interface ethernet 0  ip access-group 102 in

27 How do I remove an ACL from an interface? To remove an ACL from an interface, go into configuration mode and enter no in front of the access-group command, as shown in the following example.  Example interface Ethernet 0 no ip access-group 102 in

Download ppt "Access-Lists Securing Your Router and Protecting Your Network."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.

Similar presentations

Ads by Google