Access Lists Lecture 7 Hassan Shuja 04/25/2006
Access Lists
• Access Lists (ACL)
  • Access lists are used to filter traffic that passes through a router
  • Some key features of Cisco ACLs
    • Packets can be filtered as they enter an interface (inbound)
    • Packets can be filtered before they exit an interface (outbound)
    • Deny is the term used in Cisco IOS to block a packet at the interface that is doing the filtering
    • Permit is the term used in Cisco IOS to allow a packet through the interface that is doing the filtering
    • Entries are evaluated top to bottom and the first matching entry decides; later entries are never consulted for that packet
    • At the end of every ACL is an implied "deny all traffic" statement that does not appear in the configuration. Therefore, if a packet does not match any of your access list statements, it is blocked; an ACL that contains only deny statements blocks everything
  • ACLs filter packets by looking at the IP header and, for extended lists, the TCP and UDP headers (protocol, addresses, ports) in the packet
  • There are two basic types of numbered ACLs
    • The standard ACL only examines the source IP address
    • The extended ACL can examine the protocol, the source and destination IP addresses, and the source and destination port numbers
  • ACLs use a wildcard mask instead of a subnet mask
    • A 0 bit in the wildcard mask means "this bit of the address must match"; a 1 bit means "don't care"
    • For a contiguous subnet mask the wildcard mask is simply its inverse, the 1s become 0s and the 0s become 1s: 255.255.0.0 becomes 0.0.255.255, 255.255.255.0 becomes 0.0.0.255, and a single host is 0.0.0.0
Access Lists
• Standard Access Lists
  • Standard ACLs are numbered in the range of 1 to 99 or 1300 to 1999
  • The following is the syntax for a standard ACL
    • "access-list number permit/deny source-ipaddress source-wildcard-mask"
    • "access-list 1 permit 172.16.0.0 0.0.255.255"
    • "access-list 1 deny 165.31.0.0 0.0.255.255"
    • The second line is redundant: 165.31.0.0/16 would already be dropped by the implied deny at the end of the list. It is harmless, but writing explicit denies makes their hit counters visible in "show access-lists"
  • Configuration is done in global configuration mode
  • A standard ACL needs to be applied to an interface before it will filter anything; until then it is just a list in the configuration
  • The command used to apply an ACL to an interface is "ip access-group"
    • This command is run under the interface configuration mode of the interface that should do the filtering
    • You choose the direction relative to the router: "in" filters packets arriving on that interface, "out" filters packets leaving it. (Designating interfaces as "inside" and "outside" is NAT configuration, not something an ACL needs)
    • "ip access-group 1 out" or "ip access-group 1 in"
  • Because a standard ACL can only see the source address, it is normally applied as close to the destination as possible; applying it near the source would block that source's traffic to every destination
Access Lists
• Extended Access Lists
  • Extended ACLs are numbered in the range of 100 to 199 or 2000 to 2699
  • The following is the syntax for an extended ACL
    • "access-list number permit/deny protocol source-ipaddress source-wildcard-mask destination-ipaddress destination-wildcard-mask [eq port-number]"
    • "access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23"
    • "access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.0.255 eq 80"
    • Check that the wildcard mask fits the network you wrote: with 209.80.1.0 0.0.255.255 the third octet is a don't-care bit, so the entry would match all of 209.80.0.0/16, not just 209.80.1.0/24
    • "host" can be used to specify one IP address (the same as writing the address with wildcard 0.0.0.0); "any" matches every address (0.0.0.0 255.255.255.255)
    • "eq" stands for equal and tells the router the exact port to filter traffic on
    • Ports can also be compared by using less than (lt) or greater than (gt)
    • A port comparison placed after the source address applies to the source port; placed after the destination address it applies to the destination port
  • Configuration is done in global configuration mode
  • An extended ACL needs to be applied to an interface before it will filter anything
  • The command used to apply an ACL to an interface is "ip access-group"
    • This command is run under the interface configuration mode of the interface that should do the filtering
    • You choose the direction relative to the router, "in" or "out"; no "inside"/"outside" designation is involved
    • "ip access-group 101 out" or "ip access-group 101 in"
  • Because an extended ACL can see the destination as well, it is normally applied as close to the source as possible so unwanted traffic is dropped before it crosses the network
  • Remarks can be written to identify the ACL
    • "access-list 101 remark this access list is used to deny web traffic"
    • Make sure the remark matches what the entries do: the deny above only matches UDP port 80, while web traffic (HTTP) is TCP port 80, so that list does not deny web traffic as written
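The matching rules from the three slides above (wildcard masks as don't-care bits, first match wins, the implied deny at the end, standard lists checking only the source, extended lists checking protocol, addresses and ports) can be checked offline with a small evaluator. The following is an added example written for this page; it is not Cisco code and does not talk to a router. It parses the lecture's own "access-list" lines, so the slide examples (including the "deny udp ... 209.80.1.0 0.0.255.255" line, which matches far more than one /24) are the constructed input, and the Packet fields are this example's own assumption of which header fields a router compares.

```python
"""Evaluator for numbered Cisco IOS ACL syntax (added example, not Cisco code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip", "tcp", "udp", "icmp"; "ip" = no layer-4 header inspected
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport_op: Optional[Tuple[str, int]]  # ("eq"|"lt"|"gt", port) on the source port
    dport_op: Optional[Tuple[str, int]]  # same, on the destination port


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Inverse of a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_int(subnet_mask)))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (non-contiguous masks work too)."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(network) & care)


def port_match(op: Optional[Tuple[str, int]], port: int) -> bool:
    if op is None:
        return True
    name, value = op
    return {"eq": port == value, "lt": port < value, "gt": port > value}[name]


def _parse_addr(tokens, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' (wildcard optional in standard lists)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and IPV4.fullmatch(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1


def _parse_port_op(tokens, i):
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_line(line: str) -> Tuple[int, Optional[Entry]]:
    """Parse one 'access-list ...' line; a remark yields (number, None)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny", "remark"):
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(t[1])
    if t[2] == "remark":
        return number, None
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(t[2], "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None, None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
        src, src_wc, i = _parse_addr(t, 4)
        sport_op, i = _parse_port_op(t, i)
        dst, dst_wc, i = _parse_addr(t, i)
        dport_op, i = _parse_port_op(t, i)
        return number, Entry(t[2], t[3], src, src_wc, dst, dst_wc, sport_op, dport_op)
    raise ValueError(f"{number} is not a standard or extended ACL number")


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry decides; no match -> the implied deny (line None)."""
    for line in acl_lines:
        _, e = parse_line(line)
        if e is None:
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if not (port_match(e.sport_op, pkt.sport) and port_match(e.dport_op, pkt.dport)):
            continue
        return e.action, line
    return "deny", None


# The lecture's lists, as constructed input
ACL_1 = ["access-list 1 permit 172.16.0.0 0.0.255.255",
         "access-list 1 deny 165.31.0.0 0.0.255.255"]
ACL_101 = ["access-list 101 remark this access list is used to deny web traffic",
           "access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23",
           "access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.255.255 eq 80"]

if __name__ == "__main__":
    print(evaluate(ACL_1, Packet("10.9.9.9", "172.16.0.1")))                             # implied deny
    print(evaluate(ACL_101, Packet("172.16.1.1", "165.33.15.7", "tcp", 40000, 22)))     # implied deny
    print(evaluate(ACL_101, Packet("130.85.5.5", "209.80.200.1", "udp", 5000, 80)))     # 0.0.255.255 matches
```

Two things the printed results make visible: telnet to 165.33.15.7 is permitted but SSH (port 22) from the same host is dropped with no matching line, because only the implied deny remains; and 209.80.200.1 is caught by the "209.80.1.0 0.0.255.255" entry even though its third octet is not 1, which is exactly the wildcard-mask mistake to look for when an ACL blocks more than intended.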