Access Control Lists (ACL)


Presentation Transcript


  1. Access Control Lists (ACL)

  2. Access-List Overview
  • A filter through which all traffic must pass
  • Used to permit or deny access to a network
  • Provides security
  • Bandwidth management
  • Come in two flavors: STANDARD and EXTENDED

  3. What is an Access-List
  • A list of criteria to which all packets are compared.
  • Is this packet from network 10.5.2.0?
    • Yes - forward the packet
    • No - check with the next statement
  • Is this a Telnet protocol packet from 25.25.0.0?
    • Yes - forward the packet
    • No - check the next statement
  • Deny all other traffic

  4. How an Access-List Works
  • Packets are compared to each statement in an access-list SEQUENTIALLY - from the top down.
  • The sooner a decision is made the better.
  • Well written access-lists take care of the most abundant type of traffic first.
  • All access-lists end with an implicit Deny All statement.

  5. Standard Access Lists
  • Are given a # from 1-99
  • Filtering based only on source address
  • Should be applied closest to the destination

  6. Extended Access-lists
  • Are given a # from 100-199
  • Much more flexible and complex
  • Can filter based on:
    • Source address
    • Destination address
    • Session Layer Protocol (ICMP, TCP, UDP..)
    • Port number (80 http, 23 telnet…)
  • Should be applied closest to the source

  7. Two Steps - Create and Apply
  • Step 1 - Create the access-list
    • access-list # permit/deny source-IP wildcard
    • # - 1-99
    • permit/deny - switch the packet or drop it
    • source-IP - source IP address to which the packet should be compared. Can also use ANY
    • wildcard - see next page
  • Step 2 - Apply the access-list to an interface
    • Must be in interface config mode: (config-if)#
    • ip access-group # in/out (from the router's point of view)

  8. Wildcards
  • Allows you to indicate a range of IP addresses
  • Two values are used (per bit):
    • 0 = must match exactly
    • 1 = does not matter

  9. Wildcard Examples
  • Network 195.34.5.12, wildcard 0.0.0.0
  • Result: match all four octets
  • Only 195.34.5.12 is a match
  • Could also use host 195.34.5.12 in place of the wildcard. Host indicates an exact match is needed.

  10. Wildcard Examples
  • Network 172.16.10.0, wildcard 0.0.0.255
  • Result: match the first three octets exactly but ignore the last octet.
  • 172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.
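The following is an added example, not part of the original slides: a small Python simulator of the matching rules from slides 4, 7, 9 and 10. It applies a Cisco wildcard mask bit by bit, walks a standard access-list top down, stops at the first match, and falls through to the implicit deny all. The access-list 10 it builds is a constructed sample; the "omitted wildcard means 0.0.0.0" shorthand is IOS behaviour, not something the slides state.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a Cisco wildcard mask:
    wildcard bit 0 = must match exactly, bit 1 = does not matter."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    # Clear the "does not matter" bits on both sides, then compare the rest.
    return (a & ~w) == (n & ~w)

def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny any|host A.B.C.D|A.B.C.D W.W.W.W'."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list statement: {line!r}")
        if not 1 <= int(tok[1]) <= 99:
            raise ValueError(f"standard access-lists are numbered 1-99: {line!r}")
        if tok[3] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"   # every bit "does not matter"
        elif tok[3] == "host":
            net, wc = tok[4], "0.0.0.0"               # every bit must match exactly
        else:
            net, wc = tok[3], tok[4] if len(tok) > 4 else "0.0.0.0"  # IOS default
        entries.append((tok[2], net, wc, line))
    return entries

def evaluate(entries, src):
    """Compare src to each statement top down; the first match decides.
    If nothing matches, the implicit deny all at the end of the list applies."""
    for action, net, wc, line in entries:
        if wildcard_match(src, net, wc):
            return action, line
    return "deny", "implicit deny all"

# Constructed sample list following approach 1 from slide 11: permit what
# you know you want and let the implicit deny drop everything else.
ACL_10 = parse_standard_acl([
    "access-list 10 permit 10.5.2.0 0.0.0.255",
    "access-list 10 permit host 195.34.5.12",
    "access-list 10 deny 172.16.10.0 0.0.0.255",
    "access-list 10 permit 172.16.0.0 0.0.255.255",
])

if __name__ == "__main__":
    for ip in ("10.5.2.77", "195.34.5.12", "172.16.10.9", "172.16.20.1", "8.8.8.8"):
        print(ip, "->", *evaluate(ACL_10, ip))
```

Swapping the third and fourth statements changes the verdict for 172.16.10.9 from deny to permit, which is the top-down ordering rule of slide 4 in action.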

  11. Implementing Access-lists
  • Remember the implicit Deny All at the end of each access-list.
  • Two approaches:
    • 1. List the traffic you know you want to permit; deny all other traffic
    • 2. List the traffic you want to deny; permit all other traffic (permit any)

  12. Implementing Access-lists
  • You cannot selectively add or remove statements from an access-list.
  • Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
  • Document your access-list.
  • After each line indicate exactly what that line is supposed to do.

  13. Implementing Access-lists
  • Verifying your access-list:
    • show access-lists
    • show ip interface
  • Revisit your access-list after a few days.
  • Routers keep track of the number of packets that match each statement in an access-list.
  • Use this information to reorder your access-list and thus improve its efficiency.
  • Never remove an access-list that is applied to a port - this can crash a router.

  14. Summary: Access-Lists
  • Are created and then applied to an interface
  • Are implemented sequentially - top down
  • End with an implicit Deny ALL statement
  • # 1-99 Standard and # 100-199 Extended
  • Standard - source address only
  • Extended - source, destination, protocol, port
