1 / 48

Filtering Traffic Using Access Control Lists

Filtering Traffic Using Access Control Lists. Introducing Routing and Switching in the Enterprise – Chapter 8. Objectives. Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. Analyze the use of wildcard masks.

Download Presentation

Filtering Traffic Using Access Control Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Filtering Traffic Using Access Control Lists Introducing Routing and Switching in the Enterprise– Chapter 8

  2. Objectives • Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. • Analyze the use of wildcard masks. • Configure and implement ACLs. • Create and apply ACLs to control specific types of traffic. • Log ACL activity and integrate ACL best practices.

  3. A typical TCP Conversation

  4. TCP Port Numbers

  5. UDP Port Numbers

  6. What is an ACL

  7. Traffic Filtering • Analyze the contents of a packet • Allow or block the packet • Based on source IP, destination IP, MAC address, protocol, application type

  8. Traffic Filtering Devices providing traffic filtering: • Firewalls built into integrated routers • Dedicated security appliances • Servers

  9. Traffic Filtering Uses for ACLs: • Specify internal hosts for NAT • Classify traffic for QoS • Restrict routing updates, limit debug outputs, control virtual terminal access

  10. Traffic Filtering Possible issues with ACLs: • Increased load on router • Possible network disruption

  11. Describe Traffic Filtering • Standard ACLs filter based on source IP address • Extended ACLs filter on source and destination, as well as protocol and port number • Named ACLs can be either standard or extended

  12. Describe Traffic Filtering • ACLs consist of statements • At least one statement must be a permit statement • Final statement is an implicit deny • ACL must be applied to an interface in order to work

  13. Describe Traffic Filtering • ACL is applied inbound or outbound • Direction is from the router’s perspective • Each interface can have one ACL per direction for each network protocol

  14. Inbound ACLs • Incoming packets are processed before they are routed to the outbound interface. • An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. • If the packet is permitted by the tests, it is then processed for routing.

  15. Outbound ACLs • Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

  16. Analyze the Use of Wildcard Masks • Wildcard mask can block a range of addresses or a whole network with one statement • 0s indicate which part of an IP address must match the ACL • 1s indicate which part does not have to match specifically

  17. Analyze the Use of Wildcard Masks • Use the host parameter in place of a 0.0.0.0 wildcard • Use the any parameter in place of a 255.255.255.255 wildcard

  18. Wild card mask abbreviations host any

  19. Wild card mask abbreviations any host

  20. Standard ACL Example 1

  21. Standard ACL Example 2

  22. Standard ACL Example 3

  23. Configure and Implement Access Control Lists • Determine traffic filtering requirements • Decide which type of ACL to use • Determine the router and interface on which to apply the ACL • Determine in which direction to filter traffic

  24. Configure and Implement Access Control Lists: Numbered Standard ACL • Use access-list command to enter statements • Use the same number for all statements • Number ranges: 1-99, 1300-1999 • Apply as close to the destination as possible

  25. Configure and Implement Access Control Lists: Numbered Extended ACL • Use access-list command to enter statements • Use the same number for all statements • Number ranges: 100-199, 2000-2699 • Specify a protocol to permit or deny • Place as close to the source as possible

  26. Configure and Implement Access Control Lists: Named ACLs • Descriptive name replaces number range • Use ip access-list command to enter initial statement • Start succeeding statements with either permit or deny • Apply in the same way as standard or extended ACL

  27. Numbering and Naming ACLs • Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

  28. Configure and Implement Access Control Lists: VTY access • Create the ACL in line configuration mode • Use the access-class command to initiate the ACL • Use a numbered ACL • Apply identical restrictions to all VTY lines

  29. Standard ACL to control VTY Access

  30. Editing ACLs in a text editor Copy Paste

  31. Remarks in ACLs

  32. Named ACL syntax

  33. Named ACL Example

  34. Show access-lists command

  35. Adding lines to a Named access-lists

  36. Create and Apply ACLs to Control Specific Types of Traffic • Use a specified condition when filtering on port numbers: eq, lt, gt • Deny all appropriate ports for multi-port applications like FTP • Use the range operator to filter a group of ports

  37. Create and Apply ACLs to Control Specific Types of Traffic • Block harmful external traffic while allowing internal users free access • Ping: allow echo replies while denying echo requests from outside the network • Stateful Packet Inspection

  38. Create and Apply ACLs to Control Specific Types of Traffic • Account for NAT when creating and applying ACLs to a NAT interface • Filter public addresses on a NAT outside interface • Filter private addresses on a NAT inside interface

  39. Create and Apply ACLs to Control Specific Types of Traffic • Examine every ACL one line at a time to avoid unintended consequences

  40. Create and Apply ACLs to Control Specific Types of Traffic • Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

  41. Log ACL Activity and ACL Best Practices • Logging provides additional details on packets denied or permitted • Add the log option to the end of each ACL statement to be tracked

  42. Log ACL Activity and ACL Best Practices Syslog messages: • Status of router interfaces • ACL messages • Bandwidth, protocols in use, configuration events

  43. Log ACL Activity and ACL Best Practices • Always test basic connectivity before applying ACLs • Add deny ip any to the end of an ACL when logging • Use reload in 30 when testing ACLs on remote routers

  44. Packet Tracer Labs

  45. Additional Labs

  46. Summary • ACLs enable traffic management and secure access to and from a network and its resources • Apply an ACL to filter inbound or outbound traffic • ACLs can be standard, extended, or named • Using a wildcard mask provides flexibility • There is an implicit deny statement at the end of an ACL • Account for NAT when creating and applying ACLs • Logging provides additional details on filtered traffic

More Related