CCNA Guide to Cisco Networking - PowerPoint PPT Presentation

1 / 48

About This Presentation

Title:

CCNA Guide to Cisco Networking

Description:

[operator]: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to) ... The list is applied using the access-class command ... – PowerPoint PPT presentation

Number of Views:54

Avg rating:3.0/5.0

Slides: 49

Provided by: bbr78

Category:

more less

Transcript and Presenter's Notes

Title: CCNA Guide to Cisco Networking

1
CCNA Guide to Cisco Networking

Chapter 10 Access Lists

2
Objectives

Describe the usage and rules of access lists
Establish standard IP access lists
Produce extended IP access lists
Apply access lists to interfaces
Monitor and verify access lists

3
Access Lists Usage and Rules

Permit or deny traffic
Identify traffic based on
Protocol
Source address
Destination address
Port number

4
Access Lists Usage

Conceptual syntax to block access from network 4
to network 1
Access-list 1 deny network 4
Access-list 1 permit any
Implicit deny any

5
Access Lists Usage (continued)
6
Problems With Access Lists

Lack of planning
What needs to be filtered?
Where does it need to be filtered?
Access lists are filters that
Can have multiple lines of instruction
Each line of instruction is applied sequentially
until a match is found
Access list changes
Make changes to a text editor
Notepad.exe
Remove entire access list
Cut and paste entire new access list

7
Problems With Access Lists (continued)

Accidental telnet block
reload command
reload in hh mm month day month day
Routerb reload in 0030

8
Access List Rules

Create and apply ACLs sequentially
All new lines are added to the end of the list
Apply the ACLs through the eyes of the
man-in-the-the-router
ip access-group 1 in
ip access-group 1 out
One ACL per direction, per protocol, per interface

9
Access List Rules (continued)

Access lists have the following rules
Routers apply lists sequentially as they are
configured
Routers apply lists to packets sequentially, from
the top down, one line at a time
Packets are processed only until a match is made
Lists always end with an implicit deny
Access lists must be applied to an interface as
either inbound or outbound traffic filters

10
Access List Rules (continued)

Access lists have the following rules (continued)
ACL numbers 1 thru 99
Only one list, per protocol, per direction can be
applied to an interface
Access lists are effective as soon as they are
applied to the interface
Place standard ACLs close to destination
Place extended ACLs close to source

11
Access List Rules (continued)
12
Access List Rules (continued)
13
Standard IP Access Lists

Filter network traffic based only on source
address
access-list list permitdeny source
address source wildcard mask
list Standard IP access lists are
represented by a number in the range of 199
permitdeny Used to specify the action of the
access list line
source address The IP address of the source
source wildcard mask Determine which bits of
the source address are significant

14
Standard IP Access Lists (continued)
15
Standard IP Access Lists (continued)
16
Standard IP Access Lists (continued)
17
Standard IP Access Lists (continued)
18
Standard IP Access Lists (continued)
19
Standard IP Access List Examples

Access list command examples
Single IP
Access-list 1 permit 192.168.10.1 0.0.0.0
Access-list 1 permit 192.168.10.1
Access-list 1 permit host 192.168.10.1
Network
Access-list 1 permit 192.168.10.0 0.0.0.255
All packets
Access-list 1 permit 0.0.0.0 255.255.255.255
Access-list 1 permit any

20
Standard IP Access List Examples (continued)
21
Standard IP Access List Examples (continued)
22
Standard IP Access List Examples (continued)
23
Standard IP Access List Examples (continued)
24
Standard IP Access List Examples (continued)
25
Standard IP Access List Examples (continued)
26
Standard IP Access List Examples (continued)
27
Standard IP Access List Examples (continued)
28
Standard IP Access List Examples (continued)
29
Standard IP Access List Examples (continued)
30
Monitoring Standard IP Access Lists

show access-list command
show ip access-list command
show interfaces command
show ip interfaces command

31
Extended IP Access Lists

Filter based on
Protocol type
Source IP address
Destination IP address
Port number
ACL numbers 100 thru 199

32
Extended IP Access Lists (continued)

access-list list permitdeny protocol
source IP address source wildcard mask
operator port destination IP address
destination wildcard mask operator port
log
list Number in the range of 100199
permitdeny Used to specify the nature of the
access list line
protocol The IP protocol to be filtered can be
IP (which includes all protocols in the TCP/IP
suite), TCP, UDP, ICMP, or others
source IP address The IP address of the source
source wildcard mask Determine which bits of
the source address are significant

33
Extended IP Access Lists (continued)

access-list list permitdeny protocol
source IP address source wildcard mask
operator port destination IP address
destination wildcard mask operator port
log (continued)
destination IP address The IP address of the
destination
destination wildcard mask Determine which bits
of the destination address are significant
operator Can contain lt (less than), gt
(greater than), eq (equal to), or neq (not equal
to)
port Port number of the protocol to be
filtered
log Turns on logging of access list activity

34
Extended IP Access List Examples
35
Extended IP Access List Examples (continued)
36
Extended IP Access List Examples (continued)
37
Extended IP Access List Examples (continued)
38
Extended IP Access List Examples (continued)
39
The Established Parameter

Permit traffic on the 15.0.0.0 network as long as
long as the traffic originated from the 15.0.0.0
network
access-list 100 permit tcp any 15.0.0.0
0.255.255.255 established

40
Monitoring Extended IP Access Lists

show access-list command
show ip access-list command
show interfaces command
show ip interfaces command

41
Monitoring Extended IP Access Lists (continued)
42
Monitoring Extended IP Access Lists (continued)
43
Using Named Lists

Cisco IOS version 11.2 and above
Named ACL examples
RouterC(config) ip access-list standard name
RouterC(config) ip access-list extended name
RouterC(config-std-nacl) denysource
source-wildcard any
RouterC(config-std-nacl) permitsource
source-wildcard any
RouterC(config-if) ip access-group name in
out

44
Controlling VTY Line Access

Restricting access to telnet
Access control examples
Individual hosts
RouterA(config) access-list 12 permit
192.168.12.12 0.0.0.0
RouterA(config) access-list 12 permit host
192.168.12.12
Network access
RouterA(config) access-list 12 permit
192.168.12.0 0.0.0.255
Apply access list to interface
RouterA(config) line vty 0 4
RouterA(config-line) access-class 12 in

45
Summary

Access lists are one of the most important IOS
tools for controlling network traffic and
security
Access lists are created in a two-step process
First, you create the list in global
configuration mode, using the specific syntax of
the type of list you want to create
Then, you apply the list to an interface in
interface configuration mode to make it active

46
Summary (continued)

All access lists are created sequentially and
applied sequentially to all packets that enter an
interface where the list is applied
By default, access lists always end in an
implicit deny any, which will drop any packet
that does not meet an access list criterion
Only one access list per direction (inbound or
outbound) per protocol can be applied to an
interface
Standard IP access lists allow you to filter
traffic based on the source IP address of a
packet
They should be applied to an interface as close
to the destination as possible to avoid
accidentally blocking valid traffic

47
Summary (continued)

Extended IP access lists filter traffic based on
source, destination, protocol type, and
application type
They allow for more specific control over network
traffic
They should be placed as close to the source as
possible to keep unnecessary traffic from getting
onto the internetwork

48
Summary (continued)