acl new
TRANSCRIPT
-
8/11/2019 ACL NEW
1/24
aveen Patel
Access Control List ( ACL )
-
ACLs are basically a set of commands, grouped together by a number or name,
that are used to filter traffic entering or leaving an interface.
ACL commands define specifically which traffic is permitted and denied.
Thus ACLs are statements that specify conditions of how the router handles the traffic flow through specified interfaces.
-
There are many reasons to create ACLs. ACLs can be used to:
Limit network traffic and increase network performance
Provide traffic flow control
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at the router interfaces
Packet filtering
-
ACLs operate in two ways:
Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests.
Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.
-
The types of ACLs can be classified as follows:
Standard ACL
Extended ACL
-
Two methods used to identify Standard and Extended ACLs :
Numbered ACLs
Named ACLs
-
Standard ACLs: Standard IP ACLs check only the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.
Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters.
Numbered ACLs: Identified by a number; the number range also fixes whether the list is standard or extended.
Named ACLs: Identified by a descriptive name instead of a number; the type (standard or extended) is stated explicitly when the list is created.
-
Standard Access List
The access-list number range is 1-99 and 1300-1999
Can block a Network, Host and Subnet
Two-way communication is stopped (every packet from the matched source is dropped, whatever the service)
All services are blocked.
Implemented closest to the destination. (Guideline)
Checks the source IP address.
-
Extended Access List
The access-list number range is 100-199 and 2000-2699
Can block a Network, Host, Subnet and Service
One-way communication is stopped (only the matched protocol, destination or port is affected)
Selected services can be blocked.
Checks source IP address, destination IP address, protocol and port number.
Implemented closest to the source. (Guideline).
-
ACL Evaluation
-
ACL Configuration Guidelines
Standard or Extended indicates what can be filtered.
Only one ACL per interface, per protocol, per direction is allowed.
The order of ACL statements controls testing: the first matching statement decides and no later statement is checked, so place the most specific (most restrictive) statements at the top of the list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement, otherwise it blocks all traffic.
Create ACLs before applying them to an interface: an access-group that refers to a list that does not exist yet permits all traffic.
ACLs filter traffic going through the router; they do not apply to traffic originating from the router.
-
ACL Wildcard Masking
Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore corresponding IP address bits.
A 0 in a bit position of the ACL mask indicates that the corresponding bit in the address must be matched.
A 1 in a bit position of the ACL mask indicates that the corresponding bit in the address is not interesting and can be ignored.
A wildcard mask is therefore the bitwise inverse of a subnet mask: a /24 (255.255.255.0) becomes 0.0.0.255, 0.0.0.0 matches exactly one host (the host keyword), and 255.255.255.255 matches every address (the any keyword).
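The evaluation rules from the guidelines above (statements tested in order, first match wins, implicit deny any at the end) and the wildcard-mask bit rules, as an added Python simulation. This is not code from the slides or from Cisco IOS; the Ace class and evaluate function are this example's own names, and every address, port and packet below is constructed for the example.

```python
"""Cisco IOS-style ACL evaluation, simulated: wildcard-mask matching,
sequential first-match testing and the implicit deny any at the end.
Added example; entries and packets are constructed, not taken from a device."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask means the address bit must equal
    the base bit, a 1 bit means 'do not care'. So addr and base may only differ
    in positions where the wildcard has a 1."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) & 0xFFFFFFFF == 0


@dataclass
class Ace:
    """One access control entry. A standard entry sets only action/src/src_wild;
    the extended fields default to 'any' so one class serves both ACL types."""
    action: str                      # "permit" or "deny"
    src: str                         # source base address
    src_wild: str                    # source wildcard mask
    proto: str = "ip"                # ip matches every IP protocol
    dst: str = "0.0.0.0"             # destination base address ("any" by default)
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[int] = None   # "eq <port>", only meaningful for tcp/udp

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wild):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wild):
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def evaluate(acl: list, pkt: dict) -> tuple:
    """Test entries in order; the first match decides and later entries are never
    consulted. Returns (action, index); index -1 means the implicit deny any."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", -1


# Standard ACL: a host deny placed above its subnet permit (specific first).
STANDARD_ACL = [
    Ace("deny", "192.168.1.7", "0.0.0.0"),        # exactly this host
    Ace("permit", "192.168.1.0", "0.0.0.255"),    # the rest of the /24
]
# Same two entries in the wrong order: the /24 permit now shadows the host deny.
SHADOWED_ACL = list(reversed(STANDARD_ACL))

# Extended ACL: deny only telnet from the subnet to one server, permit the rest.
EXTENDED_ACL = [
    Ace("deny", "192.168.1.0", "0.0.0.255", proto="tcp",
        dst="10.0.0.5", dst_wild="0.0.0.0", dst_port=23),
    Ace("permit", "192.168.1.0", "0.0.0.255"),
]

# Constructed packets: telnet and http from the denied host, telnet and http
# from a neighbour, and a packet from a source no entry mentions at all.
TELNET_FROM_7 = {"src": "192.168.1.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
HTTP_FROM_7 = {"src": "192.168.1.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 80}
TELNET_FROM_8 = {"src": "192.168.1.8", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
HTTP_FROM_8 = {"src": "192.168.1.8", "dst": "10.0.0.5", "proto": "tcp", "dport": 80}
FROM_OUTSIDE = {"src": "10.1.1.1", "dst": "10.0.0.5", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for name, acl in (("standard", STANDARD_ACL), ("shadowed", SHADOWED_ACL),
                      ("extended", EXTENDED_ACL)):
        for label, pkt in (("telnet from .7", TELNET_FROM_7), ("http from .7", HTTP_FROM_7),
                           ("telnet from .8", TELNET_FROM_8), ("http from .8", HTTP_FROM_8),
                           ("outside", FROM_OUTSIDE)):
            print(f"{name:9} {label:15} -> {evaluate(acl, pkt)}")
```

Running it shows the three behaviours the slides describe: the standard list drops every service from 192.168.1.7 (two-way communication stopped), the same list with the entries swapped permits that host because the subnet permit is tested first, and the extended list drops only telnet to 10.0.0.5 while http from the same source is permitted. A source no entry covers falls through to the implicit deny, index -1.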
-
Creating a Standard Numbered ACL
Router(config)# access-list no. permit|deny source_IP_address [wildcard_mask]
Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL_no. in|out
-
Creating an Extended Numbered ACL
Router(config)# access-list no. permit|deny protocol source_address source_wildcard destination_address destination_wildcard [operator port]
(protocol is ip, tcp, udp, icmp and so on; the operator and port, for example eq 23, apply only to tcp and udp)
Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL_no. in|out
-
Creating a Standard Named ACL
Router(config)# ip access-list standard name
Router(config-std-nacl)# [sequence-number] {deny | permit} source [wildcard]
Router(config-std-nacl)# exit
Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out
-
Creating an Extended Named ACL
Router(config)# ip access-list extended name
Router(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]
Router(config-ext-nacl)# exit
Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out
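The four command templates above, as an added worked example in Python that emits the concrete IOS lines: it derives the wildcard mask from a CIDR prefix, refuses a numbered list whose number is outside the range for its type, and applies each list to exactly one interface and direction in create-then-apply order. This is not code from the slides or from Cisco; the interface names GigabitEthernet0/0 and GigabitEthernet0/1, the addresses, the ACL name BLOCK_TELNET and all function names are constructed for the example.

```python
"""Generate Cisco IOS ACL configuration from rules written as CIDR prefixes.
Added example, not from the slides; interfaces, addresses and names are constructed."""
from ipaddress import IPv4Network
from typing import Optional

STANDARD_NUMBERS = ((1, 99), (1300, 1999))
EXTENDED_NUMBERS = ((100, 199), (2000, 2699))


def network(cidr: str) -> str:
    return str(IPv4Network(cidr, strict=False).network_address)


def wildcard(cidr: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask, i.e. the host
    mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0 (host), /0 -> 255.255.255.255 (any)."""
    return str(IPv4Network(cidr, strict=False).hostmask)


def acl_type(number: int) -> str:
    """A numbered ACL's type is fixed by its number."""
    if any(lo <= number <= hi for lo, hi in STANDARD_NUMBERS):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_NUMBERS):
        return "extended"
    raise ValueError(f"{number} is not a standard or extended IP access-list number")


def standard_ace(action: str, src: str) -> str:
    """Standard entries test the source address only."""
    return f"{action} {network(src)} {wildcard(src)}"


def extended_ace(action: str, proto: str, src: str, dst: str,
                 port: Optional[int] = None) -> str:
    """Extended entries test protocol, source, destination and optionally a port."""
    ace = f"{action} {proto} {network(src)} {wildcard(src)} {network(dst)} {wildcard(dst)}"
    if port is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("port operators apply only to tcp and udp")
        ace += f" eq {port}"
    return ace


def numbered_acl(number: int, kind: str, aces: list) -> list:
    """access-list <no.> <entry> lines; refuses a number outside the range for kind."""
    if acl_type(number) != kind:
        raise ValueError(f"access-list {number} is {acl_type(number)}, not {kind}")
    return [f"access-list {number} {ace}" for ace in aces]


def named_acl(name: str, kind: str, aces: list, start: int = 10, step: int = 10) -> list:
    """ip access-list <kind> <name> block with explicit sequence numbers."""
    lines = [f"ip access-list {kind} {name}"]
    for i, ace in enumerate(aces):
        lines.append(f" {start + i * step} {ace}")
    return lines


class Router:
    """Tracks applied lists so only one ACL per interface and direction is allowed."""

    def __init__(self):
        self.groups = {}

    def apply(self, acl_id, interface: str, direction: str) -> list:
        if direction not in ("in", "out"):
            raise ValueError("direction must be in or out")
        key = (interface, direction)
        if key in self.groups:
            raise ValueError(f"{interface} already has ACL {self.groups[key]} applied {direction}")
        self.groups[key] = acl_id
        return [f"interface {interface}", f" ip access-group {acl_id} {direction}"]


def build_config() -> list:
    """Standard numbered list near the destination (outbound on the server side)
    and extended named list near the source (inbound on the LAN side)."""
    r = Router()
    cfg = numbered_acl(10, "standard", [
        standard_ace("deny", "192.168.1.7/32"),
        standard_ace("permit", "192.168.1.0/24"),
    ])
    cfg += r.apply(10, "GigabitEthernet0/1", "out")      # create first, then apply
    cfg += named_acl("BLOCK_TELNET", "extended", [
        extended_ace("deny", "tcp", "192.168.1.0/24", "10.0.0.5/32", 23),
        extended_ace("permit", "ip", "192.168.1.0/24", "0.0.0.0/0"),
    ])
    cfg += r.apply("BLOCK_TELNET", "GigabitEthernet0/0", "in")
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config()))
```

The output is pasted into configuration mode in the printed order, which keeps the "create before applying" rule from the guidelines. The trailing permit in each list is deliberate: without it the implicit deny any would drop everything else.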
-
Summary
Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices.
An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated from the router.
Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.
-
Summary
Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets after they are routed to an outbound interface.
The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on.
Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.
-
The End