
Any Questions?


Presentation Transcript


  1. Any Questions?

  2. Chapter 6 IP Access Control Lists
  • Standard IP Access Control Lists
  • Extended IP Access Control Lists
  • Advances in Managing ACL Configuration
  • Miscellaneous ACL Topics

  3. Do I know this? Go through the Quiz- 5 minutes

  4-5. 1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?
  a. Match the exact source IP address
  b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses
  c. Match all IP addresses in Barney's subnet with one access-list command without matching other IP addresses
  d. Match only the packet's destination IP address
  Answer: A & C. A standard ACL matches only the source address; host 10.1.1.1 covers a, and 10.1.1.0 0.0.0.255 covers c, but no single wildcard mask covers exactly .1 through .4 and nothing else.

  6-7. 2. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
  a. 0.0.0.0
  b. 0.0.0.31
  c. 0.0.0.240
  d. 0.0.0.255
  e. 0.0.15.0
  f. 0.0.248.255
  Answer: D (255.255.255.255 minus 255.255.255.0).

  8-9. 3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
  a. 0.0.0.0
  b. 0.0.0.31
  c. 0.0.0.240
  d. 0.0.0.255
  e. 0.0.15.255
  f. 0.0.248.255
  Answer: E (255.255.255.255 minus 255.255.240.0).

  10-11. 4. Which of the following fields cannot be compared based on an extended IP ACL?
  a. Protocol
  b. Source IP address
  c. Destination IP address
  d. TOS byte
  e. URL
  f. Filename for FTP transfers
  Answer: E & F. Extended ACLs examine IP, TCP and UDP header fields, not application data such as a URL or a file name.

  12-13. 5. Which of the following access-list commands permits traffic that matches packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5?
  a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
  b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
  c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
  d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
  e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
  Answer: A & E. Extended ACLs use numbers 100-199 or 2000-2699 (1951 is a standard-ACL number), matching a port requires the tcp or udp keyword rather than ip, and eq www must follow the destination address to check the destination port.

  14-15. 6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
  a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
  b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
  c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
  d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
  e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any
  Answer: E. In packets sent by the server, port 80 is the source port, so eq www follows the source address and the destination is any.

  16-17. 7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
  a. Protocol
  b. Source IP address
  c. Destination IP address
  d. TOS byte
  e. None of the other answers are correct.
  Answer: E. Named and numbered extended ACLs match the same fields; the difference is only in how they are configured.

  18-19. 8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?
  a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
  b. Delete one line from the ACL using the no access-list... command.
  c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
  d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.
  Answer: A & C. The no access-list 101 ... command removes the whole list, not one line; IOS 12.3 sequence numbers make it possible to remove just the one entry from ACL configuration mode.

  20-21. 9. What general guideline should you follow when placing extended IP ACLs?
  a. Perform all filtering on output if at all possible.
  b. Put more-general statements early in the ACL.
  c. Filter packets as close to the source as possible.
  d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance.
  Answer: C. Discarding packets near the source saves the bandwidth they would otherwise consume on the way to the destination.

  22. 10. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router?
  a. Named ACLs
  b. Reflexive ACLs
  c. Dynamic ACLs
  d. Time-based ACLs
  Answer: C

  23. Any Questions?

  24. ACL History
  • Original support for numbered ACLs; we will learn this first
  • Then support for named ACLs (IOS 11.2); also covered
  • Now support for sequence numbers in ACLs (IOS 12.3); WAY easier
  Pg 231

  25. Access Control Lists
  • Allow a router to drop packets based on certain criteria
  • You build a list with multiple lines; each line is one of the rules to check
  • The same matching logic is also used to filter routing updates and to match packets for priority/QoS or VPN treatment
  Pg 232

  26. ACLs Questions
  • Which packets to filter
  • Where to filter them
  Pg 232

  27. Where to filter Pg 233

  28. Key ACL ideas
  • Packets can be filtered as they enter an interface, before the routing decision.
  • Packets can be filtered before they exit an interface, after the routing decision.
  • Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
  • Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
  • The filtering logic is configured in the access list.
  • At the end of every access list is an implied "deny all traffic" statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
  Pg 233

  29. Any Questions?

  30. ACL Logic
  • Matching: examine each packet and compare it against the ACL statements
  • Action: permit or deny
  Pg 234

  31. ACL Logic-KEY IDEA
  1. The matching parameters of the access-list statement are compared to the packet.
  2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.
  3. If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
  4. If no match is made with an entry in the access list, the deny action is performed.
  Pg 234

  32. Wildcard Masks
  • ACLs can match based on IP addresses; standard ACLs match only on the source address
  • Wildcards let you specify a range of addresses in a single statement (for example, stop all hosts on a subnet)
  • Logic: a 0 bit in the mask says compare that bit; a 1 bit says it doesn't matter
  • Adding the wildcard mask to the address gives the last address in the range the statement matches
  Pg 235

  33. Mask Examples Pg 235

  34. Figure out Wildcard masks
  • Use the subnet number as the address value in the access-list command.
  • Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
  • Example: to match all hosts in subnet 172.16.8.0 255.255.252.0, use address 172.16.8.0 with wildcard 255.255.255.255 - 255.255.252.0 = 0.0.3.255
  Pg 237

  35. Any Questions?

  36. ACL Command (reading the address and wildcard in an existing command)
  • Step 1 Use the address in the access-list command as if it were a subnet number.
  • Step 2 Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
  • Step 3 Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.
  • Example: access-list 1 permit 172.16.200.0 0.0.7.255 gives subnet mask 255.255.255.255 - 0.0.7.255 = 255.255.248.0, so the statement matches 172.16.200.0 through 172.16.207.255.
  Pg 237-238
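The wildcard arithmetic of slides 32 through 36, worked through as an added example (this is not code from the book or the slides): the subtraction that turns a subnet mask into a wildcard, the reverse step used to read an access-list command, the first and last address of the matched range, and the bit comparison the router performs. The function names and the contiguity check are my own additions; the addresses used in the docstrings are the ones on the slides and in the quiz.

```python
"""Added example, not from the book or the slides: wildcard-mask arithmetic for
IOS ACLs, following the slides' two rules (wildcard = 255.255.255.255 minus the
subnet mask; the matched range ends at address + wildcard) plus the check a
practitioner wants before trusting a wildcard that is not a clean subnet."""
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 - subnet mask, e.g. 255.255.240.0 -> 0.0.15.255 (quiz question 3)."""
    return _to_dotted(ALL_ONES - _to_int(subnet_mask))


def mask_from_wildcard(wildcard: str) -> str:
    """The reverse step: read an access-list address/wildcard pair as subnet/mask."""
    return _to_dotted(ALL_ONES - _to_int(wildcard))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is all 0s followed by all 1s, i.e. the inverse of a real
    subnet mask. IOS accepts other patterns (0.0.248.255 from the quiz is one), but
    they match a scattered set of addresses rather than one subnet."""
    wc = _to_int(wildcard)
    return (wc + 1) & wc == 0


def matched_range(address: str, wildcard: str) -> Tuple[str, str]:
    """(first, last) address matched by 'address wildcard'. The 'ignore' bits of the
    address are zeroed first, so 10.1.1.1 0.0.0.255 describes the same entry as
    10.1.1.0 0.0.0.255. Every address in between is matched only when the wildcard
    is contiguous."""
    addr, wc = _to_int(address), _to_int(wildcard)
    first = addr & ~wc & ALL_ONES
    return _to_dotted(first), _to_dotted(first | wc)


def matches(address: str, wildcard: str, candidate: str) -> bool:
    """The ACL comparison itself: every bit that is 0 in the wildcard must be equal."""
    addr, wc, cand = (_to_int(x) for x in (address, wildcard, candidate))
    return (addr ^ cand) & ~wc & ALL_ONES == 0


if __name__ == "__main__":
    # The slide's example: access-list 1 permit 172.16.200.0 0.0.7.255
    print(mask_from_wildcard("0.0.7.255"), matched_range("172.16.200.0", "0.0.7.255"))
```

Running the module prints the subnet mask and range for the slide's example. The `is_contiguous` check is the one worth keeping around: a wildcard such as 0.0.248.255 is accepted by the router, but the set of addresses it matches is not a subnet, and `matched_range` then reports only the lowest and highest member of that set.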

  37. Standard ACL configuration
  • Memorize the syntax (it is not easy):
    access-list access-list-number {deny | permit} source [source-wildcard]
  • Think about which is the source machine!
  • Don't forget the implied deny all at the end (the default action)
  Pg 238

  38. ACL Logic
  Step 1 Plan the location (router and interface) and direction (in or out) on that interface:
  a. Standard ACLs should be placed near to the destination of the packets so that it does not unintentionally discard packets that should not be discarded.
  b. Because standard ACLs can only match a packet's source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
  Step 2 Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
  a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
  b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
  Step 3 Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
  Pg 239

  39. ACL Example
    interface Ethernet0
     ip address 172.16.1.1 255.255.255.0
     ip access-group 1 out
    !
    access-list 1 remark stop all traffic whose source IP is Bob
    access-list 1 deny 172.16.3.10 0.0.0.0
    access-list 1 permit 0.0.0.0 255.255.255.255
  • Create the access list by adding statements (172.16.3.10 0.0.0.0 means the same as host 172.16.3.10, and 0.0.0.0 255.255.255.255 the same as any)
  • Apply the access list to an interface, in or out
  Pg 240

  40. Example
  Yosemite config:
    interface serial 0
     ip access-group 3 out
    !
    access-list 3 deny host 10.1.2.1
    access-list 3 permit any
  Seville config:
    interface serial 1
     ip access-group 4 out
    !
    access-list 4 deny 10.1.3.0 0.0.0.255
    access-list 4 permit any
  Pg 242

  41. Any Questions?

  42. Extended ACL concepts Pg 244

  43. Extended IP ACLS • Can match on more fields Pg 245

  44. Examples Pg 246

  45. ACLs and Port numbers
  • The access-list command must use protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers.
  • The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines if the parameter examines the source or destination port.
  • Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.
  • It is useful to memorize the most popular TCP and UDP applications, and their well-known ports, as listed in Table 6-5, as shown later in this chapter.
  Pg 246

  46. ACLs in Use
  • Connecting to a server: think about addressing and traffic flow
    access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
  • Notice the location of eq: after the destination address, so it checks the destination port (FTP control, port 21, on the server)
  Pg 247

  47. ACL in use
  • Connection from the server (the reply direction)
    access-list 101 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255
  • Notice the location of eq: after the source address, so it checks the source port of packets the server sends back
  Pg 248

  48. Extended ACL commands Pg 249

  49. Extended ACL hints
  • Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. So filtering close to the source of the packets saves some bandwidth.
  • All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
  • The extended access-list command uses numbers between 100-199 and 2000-2699, with no number being inherently better than another.
  Pg 249
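The first-match procedure of slides 28 through 39 and the positional eq rules of slides 45 through 47, as one runnable example added here. It is not code from the book or the slides: the parser, the Packet and Entry names, and the ACL text and packets it is fed are assumptions made for the demo. It handles only the numbered standard and extended syntax shown on these slides (tcp/udp/ip protocol keywords, any/host/wildcard addresses, eq ports); named ACLs, log, established and port ranges are out of scope.

```python
"""Added example, not code from the book or the slides: a first-match evaluator
for Cisco IOS numbered IP ACLs. Standard lists (1-99, 1300-1999) match only the
source address; extended lists (100-199, 2000-2699) add protocol, destination
address and positional 'eq' ports. ACL text and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"  # "tcp", "udp", "icmp", ... from the IP header
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches every IP protocol
    src: Tuple[int, int]  # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    sport: Optional[int]  # None means any port
    dport: Optional[int]

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (wildcard defaults to 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    # The next token is a wildcard only if it is dotted decimal (not eq/any/host/log).
    wildcard = _ip(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return _ip(tok), wildcard

def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT'; where it sits decides source vs destination."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'access-list N ...' command; a remark yields None."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens.pop(0)
    number = int(tokens.pop(0))
    if tokens[0] == "remark":
        return None
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return Entry(action, "ip", _addr(tokens), ANY, None, None)
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not a numbered IP ACL")
    proto = tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)
    if (sport is not None or dport is not None) and proto not in ("tcp", "udp"):
        raise ValueError(f"port match needs tcp or udp, not '{proto}': {line}")
    return Entry(action, proto, src, dst, sport, dport)

def _wc_match(spec: Tuple[int, int], value: int) -> bool:
    """Wildcard bit 0 = compare that bit, bit 1 = ignore it."""
    addr, wildcard = spec
    return (addr ^ value) & ~wildcard & 0xFFFFFFFF == 0

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _wc_match(e.src, _ip(p.src)) and _wc_match(e.dst, _ip(p.dst))
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl: List[str], p: Packet) -> Tuple[str, Optional[str]]:
    """First match wins; with no match the implicit 'deny all' at the end applies."""
    for line in acl:
        entry = parse_entry(line)
        if entry is not None and entry_matches(entry, p):
            return entry.action, line
    return "deny", None

# Constructed demo data: the two lists shown on the slides.
ACL_1 = ["access-list 1 remark stop all traffic whose source IP is Bob",
         "access-list 1 deny 172.16.3.10 0.0.0.0",
         "access-list 1 permit 0.0.0.0 255.255.255.255"]
ACL_101 = ["access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "access-list 101 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255"]
```

`evaluate(ACL_101, Packet("172.16.1.9", "172.16.3.2", "tcp", 49152, 21))` returns the permit from the first line, the reply packet with source port 21 is permitted by the second line, and the same connection attempt over UDP, or to port 22, falls through to the implicit deny and returns `("deny", None)`. Feeding it a list whose `permit any` comes before a `deny host` shows the first-match rule: the deny is never reached. The parser also refuses `eq` on an `ip` entry, which is the point of the first bullet on slide 45.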

  50. Extended ACL Operators Pg 250
