1 / 21

Access Control Lists

Access Control Lists. Types. Standard Extended. Standard ACLs. Use only the packet’s source address for comparison 1-99. Extended ACLs. Provide more precise (finer tuned) packet selection based on: Source and destination addresses Protocols Port numbers 100-199.

mechelle-george
Download Presentation

Access Control Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Lists

  2. Types • Standard • Extended

  3. Standard ACLs • Use only the packet’s source address for comparison • 1-99

  4. Extended ACLs • Provide more precise (finer tuned) packet selection based on: • Source and destination addresses • Protocols • Port numbers • 100-199

  5. Steps to Create an ACL • Create ACL in global config • Assign to interface • Decide the direction • In • Out

  6. How do ACLs work? • Processing occurs line by line from top to bottom. • New lines are added at the end of the current list. • Last line of an ACL is an implicit “deny any.”

  7. How does a Standard ACL work? • If source IP address is matched: • Permit or deny statement is processed • Permit – action in ACL is performed • Deny – packet is dropped • Implicit Deny – If a packet’s address does not match an earlier statement an implicit deny any occurs at the end of every ACL and the packet is dropped.

  8. Wildcard Masks • Are used to specify (by bits) the traffic you are trying to filter by address. • Use 1s to ignore, 0s to match. • In the example below, only the 1st 2 octets will be examined: • 172.16.0.0 0.0.255.255

  9. Global Standard ACL command • access-listaccess-list-number {permit |deny} source-ip-addresswildcard-mask [log] • Log – causes each packet that matches this statement to generate a log entry that is recorded by the router.

  10. Examples of Standard ACLs • To permit all packets for the network number 172.16.0.0 • Access-list 20 permit 172.16.0.0 0.0.255.255

  11. Examples Cont’d • To permit traffic from the host 172.16.1.1 only • Access-list 20 permit 172.16.1.1 0.0.0.0

  12. Examples Cont’d • To permit traffic from any source address. • Access-list 20 permit 0.0.0.0 255.255.255.255 OR • Access-list 20 permit any

  13. Examples Cont’d • To permit traffic from the subnet 12.16.0.0 through 12.31.0.0 • Access-list 20 permit 12.16.0.0 0.15.255.255

  14. Identical Statements • Access-list 22 permit 0.0.0.0 255.255.255.255 • Access-list 22 permit any

  15. Identical Statements • Access-list 23 permit 172.16.1.1 0.0.0.0 • Access-list 23 permit host 172.16.1.1

  16. How does an Extended ACL work? • All conditions must match • Test sequence in this order • Source Address • Destination Address • Protocol • Port No. or Protocol Options • Permit or Deny decision

  17. Extended ACL command • access-listnumber {permit|deny} protocolsource-ip-addresssource-wildcard-maskdestination-ip-addressdestination-wildcard-maskeqport-number [log]

  18. Some Protocols with Port Numbers • FTP – 21 • Telnet – 23 • SMTP – 25 • DNS – 53 • TFTP – 69 • WWW, HTML – 80 • POP3 - 110 • SNMP - 161

  19. Major differences • Standard ACL • Use only source address and requires fewer CPU cycles. • Place as close to destination as possible. • Extended ACL • More flexible and requires more CPU cycles. • Place as close to source as possible. (This keeps undesired traffic and ICMP messages away from the network backbone.)

  20. Do I place an ACL in? • In • Requires less CPU processing because every packet bypasses processing before it is routed. • Filtering decision is made prior to the routing table.

  21. Do I place an ACL out? • Out • Routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list. • ACLs are outbound unless otherwise specified.

More Related