
Managing Traffic with Access Lists


Presentation Transcript


    1. Managing Traffic with Access Lists

    2. Overview
       - Introduction to Access Lists
       - Standard Access Lists
       - Extended Access Lists
       - Named Access Lists
       - Monitoring Access Lists

    3. Introduction to Access Lists
       ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny. ACLs enable management of traffic and secure access to and from a network. ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces.
       There are three types of access lists:
       - Standard access lists
       - Extended access lists
       - Named access lists
       By specifying the direction of traffic, you can use different access lists for inbound and outbound traffic on a single interface:
       - Inbound access lists: when an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface.
       - Outbound access lists: when an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.

    4. Introduction to Access Lists

    5. Standard Access Lists
       Standard IP access lists filter network traffic by examining only the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999.
       To configure a standard ACL on a router:
       First: Create the conditions
       Match a specific host (the two forms are equivalent; the wildcard 0.0.0.0 means every bit of the address must match):
         Router(config)#access-list 10 deny host 172.16.30.2
         Router(config)#access-list 10 deny 172.16.30.2 0.0.0.0
       Match any packet (the two forms are equivalent; the wildcard 255.255.255.255 means no bit has to match):
         Lab_A(config)#access-list 10 deny any
         Lab_A(config)#access-list 10 deny 0.0.0.0 255.255.255.255
       Second: Assign the ACL to an interface
         Router(config)#int f0/0
         Router(config-if)#ip access-group 10 in

    6. Standard Access List Example
       You are a network administrator and want to create an ACL with the following requirements: users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the Marketing department. The Marketing LAN needs to access the Finance LAN for application services.

    7. Standard Access List Example
       First: Create the conditions
         Lab_A#config t
         Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
         Lab_A(config)#access-list 10 permit any
       Second: Assign the ACL to an interface
         Lab_A(config)#int e1
         Lab_A(config-if)#ip access-group 10 in

    8. Standard Access List Example
       You want to stop the Accounting users from accessing the Human Resources server attached to the Lab_B router, but allow all other users access to that LAN. What standard access list would you create, and where would you place it?

    9. Standard Access List Example
       First: Create the conditions
         Lab_B#config t
         Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
         Lab_B(config)#access-list 10 permit any
       Second: Assign the ACL to an interface
         Lab_B(config)#interface E0
         Lab_B(config-if)#ip access-group 10 in

    10. Standard Access List Example
       You need to write an access list that will stop access from each of the four LANs shown in the diagram to the Internet. Each of the LANs shows a single host's IP address, and from that you need to determine the subnet and use wildcard masks to configure the access list.

    11. Standard Access List Example: Controlling VTY (Telnet) Access
       1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
       2. Apply the access list to the VTY lines with the access-class command.
         Lab_A(config)#access-list 50 permit host 172.16.10.3
         Lab_A(config)#line vty 0 4
         Lab_A(config-line)#access-class 50 in

    12. Extended Access Lists
       Extended IP access lists filter network traffic by specifying the source and destination address as well as the protocol and port number. You create an extended IP access list by using the access-list numbers 100–199 or 2000–2699.
       First: Create the conditions
         Lab_A(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23
         Lab_A(config)#access-list 110 permit ip any any
       (eq matches only packets with the given port number)
       Second: Assign the ACL to an interface
         Router(config)#int f0/0
         Router(config-if)#ip access-group 110 in

    13. Extended Access List Example
       Create an extended ACL to deny access to a host at 172.16.30.5 on the Finance department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the Sales and Marketing departments to access.

    14. Extended Access List Example
       First: Create the conditions
         Lab_A#config t
         Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21    (port 21 = FTP)
         Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23    (port 23 = Telnet)
         Lab_A(config)#access-list 110 permit ip any any
       Second: Assign the ACL to an interface
         Lab_B(config)#interface E0
         Lab_B(config-if)#ip access-group 110 in

    15. Named Access Lists
       Named access lists allow you to use names, rather than numbers, to both create and apply either standard or extended access lists.
       To create a named access list:
       First: Create the ACL
         Lab_A(config)#ip access-list standard BlockSales
       Second: Create the conditions
         Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
         Lab_A(config-std-nacl)#permit any
       Third: Assign the ACL to an interface
         Lab_A(config)#int e1
         Lab_A(config-if)#ip access-group BlockSales in
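The standard, extended and named examples above all rely on the same two rules: a wildcard mask bit of 0 must match and a bit of 1 is ignored, and entries are tested top to bottom with the first match deciding (an unmatched packet hits the implicit deny at the end of every Cisco ACL). The following added example is not from the slides or from Cisco; it is a small evaluator, written here for illustration, that parses the numbered access-list lines in the slides' syntax and tells you whether a given packet would be permitted or denied, so you can check an ACL's wildcard arithmetic before applying it to an interface.

```python
import ipaddress

# Constructed example (not code from the slides): a minimal evaluator for
# Cisco-style numbered standard/extended ACL entries. Entries are tested top
# to bottom, the first match decides, and a packet that matches nothing
# falls through to the implicit "deny any" at the end of every Cisco ACL.

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) from tok."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def parse_entry(line):
    """Parse 'access-list N action ...' in the syntax the slides use."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
        return {"action": action, "proto": "ip", "src": _addr(rest), "dst": ANY, "port": None}
    proto = rest.pop(0)                               # extended: proto src dst [eq port]
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, pkt):
    """pkt: dict with src, dst, proto and optional dport. Returns 'permit' or 'deny'."""
    for e in map(parse_entry, acl_lines):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["port"] is not None and e["port"] != pkt.get("dport"):
            continue
        return e["action"]
    return "deny"  # implicit deny any
```

Feeding it slide 9's list shows why the mask 0.0.0.31 covers 192.168.10.128 through .159 and nothing else, and feeding it a list with no permit at all shows the implicit deny in action.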

    16. Monitoring Access Lists
