ACL
CK NG, Technical Marketing
Speaker 2006/XX/XX
Speaker 2007/XX/XX
www.Edge-Core.com
Access Control List
• The benefits of ACLs
  • Firewalling from the edge
  • Preventing unauthorized devices from accessing the network
  • Restricting access to network resources
  • Blocking virus and hacker traffic
  • Isolating traffic between subnetworks
  • Offloading the central firewall
  • Filtering, at the edge, unwanted packets that never reach the firewall (for example traffic between two ports of the same access switch) and so cannot be controlled by it
• 3 types of ACL
  • MAC Access Control List
  • IP Standard Access Control List
  • IP Extended Access Control List
ACL Definition
• An ACL is a list of ACEs (access control entries)
• Each ACE specifies permit or deny and the set of conditions a packet must satisfy in order to match that ACE
• The ACE syntax can be extended with further conditions
• Examples of ACEs
  • L3 ACE: "permit tcp any host 10.1.1.1"
  • L2 ACE: "deny 00-10-11-00-00-01 any vid 3"
• An ACL is a sequential list of permit or deny entries (ACEs) that match on IP addresses, MAC addresses, or other more specific criteria.
• The entries are evaluated in order and the first matching ACE decides: a packet is accepted as soon as it matches a permit entry and rejected as soon as it matches a deny entry. Later entries are not consulted, so the order of the ACEs matters.
ACL Flow (flow chart): an incoming packet is compared against the first ACE, then the second ACE, and so on up to the last ACE. At each ACE the packet either matches (Y) and is handled by that entry (the chart shows the permit case: the packet is forwarded as an outgoing packet) or does not match (N) and is compared against the next entry. A packet that does not match the last ACE either is denied and discarded.
MAC ACL
• MAC Access Control List matches on
  • Source / destination MAC address and bitmask
  • CoS / VID / Ethertype and bitmask
Untagged frame: Preamble | DEST MAC | SRC MAC | Type | DATA | CRC
802.1Q tagged frame: Preamble | DEST MAC | SRC MAC | 8100 (tag protocol ID) | PID/VID (priority bits and VLAN ID) | Type | DATA | CRC
MAC ACL example (topology diagram): Internet and RADIUS server behind the core; ES4626-SFP at the core/distribution layer, ES4524D at the access layer. The access switch applies "Deny 00-10-b5-01-01-02", so the device with MAC address 0010B5010102 is blocked at its access port.
IP Standard ACL
• IP Standard Access Control List matches on
  • Source IP address and subnet mask
Frame: Preamble | DEST | SRC | Type 0800 | IP Header (SIP, DIP) | DATA | CRC
IP Standard ACL example (topology diagram): Internet and RADIUS server behind the core; ES4626-SFP at the core/distribution layer, ES4524D at the access layer. The access switch applies "Deny host 192.168.1.100", so the host with IP address 192.168.1.100 is blocked at its access port.
IP Extended ACL
• IP Extended Access Control List matches on
  • Source / destination IP address and subnet mask
  • Service type: ToS, IP precedence bits, DSCP and bitmask
  • Protocol number: TCP / UDP / others
  • Source / destination port number and bitmask
  • Control code (TCP control bits) and bitmask
Frame: Preamble | DEST | SRC | Type 0800 | IP Header (ToS / IP precedence / DSCP) | TCP/UDP Header (Src Port, Dest Port) | DATA | CRC
IP Extended ACL example (topology diagram): Internet and server behind the core; ES4626-SFP at the core/distribution layer, ES4524D at the access layer. The access switch applies a NetBIOS/SMB filter:

  access-list ip extended netbios_filter
    deny any any destination-port 135
    deny any any destination-port 137
    deny any any destination-port 138
    deny any any destination-port 139
    deny any any destination-port 445

Ports 135 (RPC endpoint mapper), 137, 138 and 139 (NetBIOS name, datagram and session services) and 445 (SMB over TCP) are the Windows file-sharing ports that network worms spread over. Blocking them at the access port also stops such traffic between clients in the same subnet, which never crosses the firewall. Note that, as drawn in the ACL flow, a packet matching no ACE is discarded, so a list built only from deny entries needs a trailing permit entry for the traffic that should still pass.
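The following is an added example, not code from the deck or from Edge-Core: a small Python evaluator that models the ACL semantics the deck describes (ACL Definition, ACL Flow) and runs the deck's MAC, standard and extended ACEs, including the netbios_filter above, against constructed sample packets. It shows first-match evaluation, the implicit discard of a packet that matches no ACE, and bitmask matching on MAC addresses. The ACE grammar it parses is a guessed subset of the deck's examples and not the real switch CLI; two further assumptions are that a second MAC after the source MAC is its bitmask and that a set mask bit means "compare this bit".

```python
"""Toy first-match ACL evaluator (added example; not Edge-Core switch code).

Models the deck's ACL semantics: an ordered list of permit/deny ACEs, first
match decides, no match -> discard (the final "N" branch of the ACL flow).
The ACE grammar is a guessed subset of the deck's examples, not the real CLI."""
import ipaddress
import string

def _mac_int(mac):
    """'00-10-B5-01-01-02', '00:10:b5:01:01:02' or '0010B5010102' -> int."""
    return int(mac.replace("-", "").replace(":", ""), 16)

def _is_mac(tok):
    return len(d := tok.replace("-", "").replace(":", "")) == 12 and all(c in string.hexdigits for c in d)

def _parse_mac(tokens, i):
    """Consume 'any' | MAC [BITMASK] at tokens[i]; return ((value, mask), next i)."""
    if tokens[i] == "any":
        return (0, 0), i + 1                         # mask 0: compare no bits (assumed semantics)
    value, mask, i = _mac_int(tokens[i]), 0xFFFFFFFFFFFF, i + 1
    if i < len(tokens) and _is_mac(tokens[i]):       # assumption: a second MAC is the bitmask
        mask, i = _mac_int(tokens[i]), i + 1
    return (value, mask), i

def _parse_ip(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

class Ace:  # one access control entry: an action plus predicates a packet must all satisfy
    def __init__(self, acl_type, text):
        self.text, t = text, text.split()
        self.action = t[0]
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action in {text!r}")
        self.checks, i = [], 1
        if acl_type == "mac":                            # src MAC [mask], dst MAC [mask]
            for fld in ("src_mac", "dst_mac"):
                (v, m), i = _parse_mac(t, i)
                self.checks.append(lambda p, f=fld, v=v, m=m: (p[f] & m) == (v & m))
        elif acl_type == "standard":                     # source IP only
            net, i = _parse_ip(t, i)
            self.checks.append(lambda p, n=net: p["src_ip"] is not None and p["src_ip"] in n)
        elif acl_type == "extended":                     # [proto] src dst [keyword value ...]
            if t[i] in ("ip", "tcp", "udp", "icmp"):
                if t[i] != "ip":                         # "ip" means any IP protocol
                    self.checks.append(lambda p, x=t[i]: p["proto"] == x)
                i += 1
            for fld in ("src_ip", "dst_ip"):             # non-IP frames (None) never match
                net, i = _parse_ip(t, i)
                self.checks.append(lambda p, f=fld, n=net: p[f] is not None and p[f] in n)
        else:
            raise ValueError(f"unknown ACL type {acl_type!r}")
        while i < len(t):                                # trailing "keyword value" pairs
            key, val, i = t[i], int(t[i + 1]), i + 2
            fld = {"vid": "vid", "source-port": "src_port", "destination-port": "dst_port"}[key]
            self.checks.append(lambda p, f=fld, v=val: p[f] == v)

    def matches(self, p):
        return all(check(p) for check in self.checks)

def build_acl(acl_type, lines):
    return [Ace(acl_type, line) for line in lines]

def evaluate(acl, pkt):
    """Walk the ACEs in order; the first match decides.  Returns (action, ACE text)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny: no ACE matched>"   # the flow chart's final "N" branch

def packet(src_mac="00-00-00-00-00-00", dst_mac="ff-ff-ff-ff-ff-ff", vid=None,
           proto=None, src_ip=None, dst_ip=None, src_port=None, dst_port=None):
    """Constructed header fields for a sample packet (not captured traffic)."""
    return {"src_mac": _mac_int(src_mac), "dst_mac": _mac_int(dst_mac), "vid": vid,
            "proto": proto, "src_port": src_port, "dst_port": dst_port,
            "src_ip": ipaddress.ip_address(src_ip) if src_ip else None,
            "dst_ip": ipaddress.ip_address(dst_ip) if dst_ip else None}

# The deck's netbios_filter as written (deny entries only) ...
NETBIOS_FILTER = build_acl("extended", [
    "deny any any destination-port 135", "deny any any destination-port 137",
    "deny any any destination-port 138", "deny any any destination-port 139",
    "deny any any destination-port 445"])
# ... and with a trailing permit, so non-NetBIOS traffic is not hit by the implicit deny.
NETBIOS_FILTER_WITH_PERMIT = NETBIOS_FILTER + build_acl("extended", ["permit ip any any"])

# Standard ACL: the deck's "deny host 192.168.1.100", then permit the rest of that subnet.
STANDARD_ACL = build_acl("standard", ["deny host 192.168.1.100", "permit 192.168.1.0 255.255.255.0"])

# MAC ACL: the deck's two L2 examples, an OUI-wide permit using a bitmask, then permit-all.
MAC_ACL = build_acl("mac", [
    "deny 00-10-b5-01-01-02 any", "deny 00-10-11-00-00-01 any vid 3",
    "permit 00-10-11-00-00-00 ff-ff-ff-00-00-00 any", "permit any any"])
```

Running `evaluate(NETBIOS_FILTER, pkt)` for a TCP packet to port 80 returns the implicit deny, while `NETBIOS_FILTER_WITH_PERMIT` permits it and still denies port 445; the MAC list shows why order matters, since the OUI-wide permit entry would shadow the two host-specific deny entries if it were placed first.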