
Access Control Lists Lecture 1



  1. Access Control Lists Lecture 1 PJC CCNA Semester 2 Ver. 3.0 by William Kelly

  2. ACL Definition An ACL is a sequential list of permit and/or deny statements that controls the flow of particular protocols or protocol suites into or out of an interface, to or from a specific host or group of hosts. Statements are tested top to bottom; the first match decides, and a packet that matches no statement is denied.

  3. ACL Concepts • Applied to a router's interface, in one direction (in or out) • Matching traffic is forwarded or blocked • Each protocol must have its own ACL defined (only one ACL per protocol, per interface, per direction)

  4. Why Use ACLs? • Controlling traffic can increase network performance • Distribution of routing updates can be controlled • Security can be added at the network boundary • Specific types of traffic can be permitted or blocked • An administrator controls what areas a client can access • Screen certain hosts to either allow or deny access to part of a network

  5. Calculate the number of ACLs • 2 interfaces, each running IP and IPX: 2 interfaces × 2 protocols × 2 directions = up to 8 ACLs • 2 interfaces, each running IP, IPX and AppleTalk: 2 × 3 × 2 = up to 12 ACLs (Remember: at most one ACL per protocol, per direction, per interface, so these are the maximum counts; you define only the ones you need)

  6. How ACLs Work • Packets enter the interface; if an inbound ACL is applied there, they are tested against it before the routing decision • If the packets are routable, they are routed toward the outbound interface • If there is no outbound access list, the packets proceed out of the outbound interface • If there is an ACL, the packets are tested against its statements in order; the first matching statement permits or denies the packet

  7. ACL Basic Flowchart

  8. How does a Router Process an ACL? • Does the Layer 2 address match? (a frame not addressed to the router is discarded) • Is there an inbound ACL? (tested before the routing lookup) • Is there an outbound ACL? (tested after the routing lookup, on the exit interface)

  9. Creating Standard ACLs • ACL statements must be in the correct order! Because the first match wins, a broad permit placed before a specific deny makes that deny unreachable (use a flowchart to plan your logic) • Numbered ACLs can't be edited line by line in the IOS releases this course covers (only created and deleted), so write your ACLs in a text editor: the whole list can then be removed and pasted back in with the change. (Later IOS releases add entry sequence numbers, which let you insert or remove individual lines.)

  10. Configuring ACLs • ACLs are created in global configuration mode • Standard IP ACLs use numbers 1–99 (expanded range 1300–1999); extended IP ACLs use 100–199 (expanded range 2000–2699) • Plan your ACLs in a flowchart, considering the protocol or protocol suite, the host or group of hosts, and the interface and direction of filtering

  11. Configuring ACLs (cont.) • Define the ACL: Router(config)# access-list access-list-number {permit | deny} {test conditions} • Apply the ACL to an interface: Router(config-if)# {protocol} access-group access-list-number {in | out} (for IP this is ip access-group access-list-number {in | out}; an ACL that is defined but not applied to an interface filters nothing)

  12. Points to remember when creating ACLs • Inbound ACLs save the router work, because denied packets are dropped before the routing lookup; an outbound ACL on one interface can filter traffic that arrived on several interfaces • To alter a numbered ACL use no access-list list-number and then re-enter the whole list (you can't edit a numbered ACL line by line, so you must erase it and create it again with your changes; this is why you should keep ACLs in a text file) • no access-list list-number removes the entire list; while the list does not exist, an interface that still references it passes all traffic, so make the change in a maintenance window or remove the access-group first (See Basic Rules in Online Curriculum)

  13. Wildcard Mask Bits • Wildcard mask bits look like an inverted subnet mask (for a contiguous block, wildcard = 255.255.255.255 minus the subnet mask, e.g. a /24 gives 0.0.0.255), but they are NOT subnet masks: the 1 bits need not be contiguous, so a wildcard can match, for example, every other subnet • 0 means check this bit position (it must equal the address given) • 1 means don't check this bit position

  14. Common Wildcard Commands and Abbreviations • permit 0.0.0.0 255.255.255.255 is the same as permit any • permit 181.16.1.1 0.0.0.0 is the same as permit host 181.16.1.1 (ONLY THAT PARTICULAR HOST IS MATCHED!!)

  15. Commands to verify ACLs • show ip interface – indicates whether an inbound or outbound ACL is set on each interface, and which one • show access-lists – displays the contents of all ACLs, with the match count for each line • show running-config – also shows the access lists and the interfaces to which they are applied

  16. Standard ACLs • Permit or deny traffic from a specific host or group of hosts for a whole protocol suite • Use numbers 1–99 (and 1300–1999) • Only one ACL per protocol, per interface, per direction • Check only the source address, so they should be placed as close to the destination as possible (placed near the source, they would block that source's traffic to every destination)

  17. Extended ACLs • Permit or deny traffic from a specific host or group of hosts to a specific host or group of hosts, by protocol suite, protocol, and port or group of ports • Use numbers 100–199 (and 2000–2699) • Only one ACL per protocol, per interface, per direction • Check source and destination address (and protocol and port), so they should be placed as close to the source as possible, dropping unwanted traffic before it crosses the network
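The matching rules from slides 6, 9, 13, 14, 16 and 17 (first match wins, implicit deny at the end, wildcard bits that are not subnet masks, standard lists testing only the source, extended lists testing source, destination, protocol and port) can be tried out in software. The following Python simulator is an added example written for this transcript, not code from the slides or from Cisco; the `access-list` lines it parses are constructed samples in IOS syntax, and it assumes all lines handed to `parse_acl()` belong to one list, that `eq <port>` appears only after the destination address with a numeric port, and that no other keywords (`log`, `established`, port names) are used.

```python
"""Simulate IOS numbered-ACL evaluation: wildcard matching, top-to-bottom
first match, and the implicit deny that ends every list. Added example,
not code from the slides. Assumes one list per parse_acl() call, numeric
'eq <port>' only after the destination, and no 'log'/'established' words.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every bit is a don't-care

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard 0 bit = this bit must equal base, 1 bit = don't check it."""
    check_bits = int(IPv4Address(wildcard)) ^ ALL_ONES
    differing = int(IPv4Address(addr)) ^ int(IPv4Address(base))
    return differing & check_bits == 0

@dataclass
class Entry:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' (any IP protocol), 'tcp', 'udp', 'icmp'
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]         # (address, wildcard); ANY for standard ACLs
    dport: Optional[int] = None  # destination port when the line has 'eq'

def acl_type(number: int) -> str:
    """Numbered ranges: standard 1-99 / 1300-1999, extended 100-199 / 2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IP ACL")

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A', 'A W', or a bare 'A' (IOS treats it as a host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0].count(".") == 3 and tokens[0][0].isdigit():
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"

def parse_acl(config_lines: List[str]) -> Tuple[int, List[Entry]]:
    """Parse 'access-list N permit|deny ...' lines into ordered entries."""
    number, entries = None, []
    for line in config_lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL statement
        num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        number = num if number is None else number
        if num != number:
            raise ValueError("all lines must belong to the same ACL")
        if acl_type(number) == "standard":  # standard lists test the source only
            entries.append(Entry(action, "ip", _take_addr(rest), ANY))
            continue
        proto = rest.pop(0)
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport))
    return number, entries

def evaluate(entries: List[Entry], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); line None = implicit deny."""
    for lineno, e in enumerate(entries, start=1):
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, lineno  # first match wins; later lines are never read
    return "deny", None

# Constructed sample ACLs in IOS syntax (not taken from the slides).
BAD_ORDER = ["access-list 1 permit 172.16.0.0 0.0.255.255",  # matches first...
             "access-list 1 deny host 172.16.4.13"]          # ...so this is dead
GOOD_ORDER = ["access-list 1 deny host 172.16.4.13",
              "access-list 1 permit 172.16.0.0 0.0.255.255"]
EVEN_THIRD_OCTET = ["access-list 2 permit 172.16.0.0 0.0.254.255"]  # not a subnet mask
EXTENDED = ["access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.5.10 eq 80",
            "access-list 101 deny ip any any"]

def demo() -> dict:
    """Evaluate sample packets against each list; comments show the result."""
    bad, good = parse_acl(BAD_ORDER)[1], parse_acl(GOOD_ORDER)[1]
    even, ext = parse_acl(EVEN_THIRD_OCTET)[1], parse_acl(EXTENDED)[1]
    return {
        "bad_order": evaluate(bad, "172.16.4.13", "10.0.0.1"),     # ('permit', 1)
        "good_order": evaluate(good, "172.16.4.13", "10.0.0.1"),   # ('deny', 1)
        "unlisted": evaluate(good, "10.9.9.9", "10.0.0.1"),        # ('deny', None)
        "even_subnet": evaluate(even, "172.16.2.5", "10.0.0.1"),   # ('permit', 1)
        "odd_subnet": evaluate(even, "172.16.3.5", "10.0.0.1"),    # ('deny', None)
        "web": evaluate(ext, "10.1.1.7", "192.168.5.10", "tcp", 80),     # ('permit', 1)
        "https": evaluate(ext, "10.1.1.7", "192.168.5.10", "tcp", 443),  # ('deny', 2)
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

Running the script shows three of the points the slides make: `BAD_ORDER` permits host 172.16.4.13 because the network permit is read first and the specific deny is never reached; the wildcard 0.0.254.255 in list 2 checks only the lowest bit of the third octet, so 172.16.2.5 is permitted and 172.16.3.5 falls through to the implicit deny, something no subnet mask could express; and list 101 denies TCP/443 to the web server on its second line while the `deny ip any any` would not even be needed, since an ACL with no matching line denies the packet anyway.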

  18. Named ACLs • Names for standard and extended ACLs are alphanumeric strings • Inside the named ACL's configuration mode, use no deny … or no permit … to remove an individual statement and deny/permit to add one at the end of the list • You can't use the same name twice!
