Access Lists



1. Access Lists
• Network traffic flow and security influence the design and management of computer networks
• Access lists are permit or deny statements that filter traffic both to and from a network segment based on the source address, destination address, protocol type, and port number of a packet.

2. Problems with Access Lists
• One of the most common problems associated with access lists is a lack of planning
• Another troublesome area is the sequential nature in which you must enter the list into the router: lines are evaluated in the order they are typed, so a line added later can never be moved above an earlier one
• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list: the list takes effect immediately, and a list that does not permit the administrator's own traffic cuts off the very session being used to type it

3. Access List Rules
• Access lists are first created, and then applied to interfaces
• Inbound: filters packets arriving on the interface (direction is into the router)
• Outbound: filters packets leaving the interface (direction is out of the router)

4. Access List Rules
• Routers apply lists sequentially in the order in which you type them into the router
• Routers apply lists to packets sequentially, top-down
• A packet is compared against each line only until a match is made; it is then permitted or denied according to that line, and no later line is consulted
• Implicit deny any: an unwritten final line that blocks every packet not matched by an earlier line; put permit any (permit ip any any in an extended list) at the end of the list if the remaining traffic should pass

5. Access List Rules
• Access lists must be applied to an interface as either inbound or outbound traffic filters
• Only one list, per protocol, per direction can be applied to an interface
• You cannot remove one line from a numbered access list; no access-list <number> deletes the whole list, which then has to be re-entered in full
• Access lists are effective as soon as they are applied

6. Standard IP Access Lists
• Filter network traffic based on the source IP address only
• Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address
• Wildcard mask (also called an inverse mask): applied to IP addresses to determine whether an access list line will act upon a packet; a 0 bit in the mask must match the address exactly, a 1 bit is ignored

7. Wildcard mask
• Used to specify part of a network
• Block sizes: 64, 32, 16, 8, 4 (the wildcard octet is the block size minus one)
• Examples
deny 172.16.10.0 0.0.0.255 (172.16.10.0 to 172.16.10.255, one /24)
deny 172.16.0.0 0.0.255.255 (172.16.0.0 to 172.16.255.255, one /16)
deny 172.16.16.0 0.0.3.255 (block of 4: 172.16.16.0 to 172.16.19.255)
deny 172.16.16.0 0.0.7.255 (block of 8: 172.16.16.0 to 172.16.23.255)
deny 172.16.32.0 0.0.31.255 (block of 32: 172.16.32.0 to 172.16.63.255)

8. Standard IP Access List Examples

9. Monitoring Standard IP Access Lists
• Three main commands are available for monitoring access lists on your router:
• show access-lists (every list with its lines and per-line match counters)
• show ip access-lists (the same, for IP lists only)
• show interfaces or show ip interface (show ip interface is the one that reports which list is applied to each interface, inbound and outbound)
• It is a good idea to run each of these commands after creating and applying access lists

10. Lab

11. Extended IP Access Lists
• IP access lists that filter traffic by:
• Source IP address
• Destination IP address
• Protocol type
• Port number
• Use the ? help at each step to see which keyword the command accepts next:
R(config)#access-list ?
R(config)#access-list 110 ?
R(config)#access-list 110 deny ?
R(config)#access-list 110 deny tcp ?
R(config)#access-list 110 deny tcp any ?
R(config)#access-list 110 deny tcp any host 172.16.30.2 ?
R(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?

12. Extended IP Access Lists
Interpret these commands
R(config)#access-list 110 deny tcp host 172.16.20.10 host 172.16.30.2 eq 80
R(config)#access-list 110 deny tcp host 172.16.20.10 any eq 80
R(config)#access-list 110 deny tcp any any eq 80
• The first line denies TCP from the single host 172.16.20.10 to destination port 80 (HTTP) on the single host 172.16.30.2
• The second denies TCP from 172.16.20.10 to port 80 on any destination
• The third denies all TCP traffic to port 80, whatever the source or destination
• On its own, each of these lists ends in the implicit deny and blocks every other packet as well; a permit ip any any line is needed after the deny lines for the remaining traffic to pass

13. Extended IP Access List Examples
Acme# config terminal
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)# access-list 110 permit ip any any
Acme(config)# int e0
Acme(config-if)# ip access-group 110 out
• Lines 1 and 2 deny FTP control (TCP 21) and Telnet (TCP 23) to host 172.16.10.5; line 3 permits everything else; ip access-group 110 out attaches the list to interface e0 for packets leaving that interface, so it protects 172.16.10.5 only if the host is reached through e0

14. Extended IP Access List Examples
Type commands to block host 172.22.5.2 from accessing Web Services on server 172.22.2.2
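As an added example, the Python below (my code, not from the slides or from Cisco) simulates how an IOS router evaluates a numbered access list: the wildcard-mask comparison of slide 7, the top-down first-match and implicit-deny rules of slide 4, the three deny lines of slide 12, and one answer to the lab on slide 14. The sample lists and the port-name table are constructed for the example; the lab answer assumes "web services" means plain HTTP on TCP 80, as on slide 12.

```python
"""Added example (not Cisco code): simulate numbered ACL evaluation as an IOS
router performs it.  Standard lists (1-99) match the source only; extended lists
(100-199) match protocol, source, destination and an 'eq' destination port.
Lines are checked top-down as typed; first match decides; otherwise implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = 0xFFFFFFFF                      # wildcard for 'any': every bit is don't-care
# Port keywords IOS accepts after 'eq' (subset, assumed for this example).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "http": 80, "smtp": 25, "domain": 53}


@dataclass
class AclEntry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: int                # source pattern (IPv4 as integer)
    src_wild: int           # source wildcard mask (1 bit = ignore that bit)
    dst: int                # destination pattern (0 with wildcard ANY in standard lists)
    dst_wild: int
    dport: Optional[int]    # destination port after 'eq', or None


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' at tok[i] -> (addr, wildcard, next_i)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return ip_int(tok[i + 1]), 0, i + 2
    addr = ip_int(tok[i])
    try:                                           # explicit wildcard mask follows?
        return addr, ip_int(tok[i + 1]), i + 2
    except (IndexError, ValueError):
        return addr, 0, i + 1                      # bare address is treated as a host


def parse_acl(text: str):
    """Parse 'access-list N {permit|deny} ...' lines -> (N, [AclEntry]) in the order typed."""
    number, entries = None, []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                               # ignore blank lines and other commands
        n, action = int(tok[1]), tok[2]
        if number not in (None, n):
            raise ValueError(f"line belongs to list {n}, not {number}")
        number = n
        if 1 <= n <= 99:                           # standard list: source address only
            src, sw, _ = parse_addr(tok, 3)
            entries.append(AclEntry(action, "ip", src, sw, 0, ANY, None))
        else:                                      # extended list: proto src dst [eq port]
            src, sw, i = parse_addr(tok, 4)
            dst, dw, i = parse_addr(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            entries.append(AclEntry(action, tok[3], src, sw, dst, dw, dport))
    return number, entries


def wildcard_match(addr: int, pattern: int, wildcard: int) -> bool:
    """A 0 wildcard bit must match exactly; a 1 bit is ignored (block size = wildcard octet + 1)."""
    return (addr ^ pattern) & (ANY ^ wildcard) == 0


def evaluate(entries, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None):
    """Return (action, line_number); line_number is None when the implicit deny fires."""
    s, d = ip_int(src), ip_int(dst)
    for num, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, num                       # first match wins; later lines are never seen
    return "deny", None                            # implicit deny any at the end of every list


# Constructed sample lists: slide 13's list, one answer to the slide 14 lab, and a
# standard list using the block-of-4 wildcard from slide 7.
SLIDE13_ACL = """
access-list 110 deny tcp any host 172.16.10.5 eq 21
access-list 110 deny tcp any host 172.16.10.5 eq 23
access-list 110 permit ip any any
"""
LAB_ACL = """
access-list 120 deny tcp host 172.22.5.2 host 172.22.2.2 eq www
access-list 120 permit ip any any
"""
BLOCK_ACL = """
access-list 10 deny 172.16.16.0 0.0.3.255
access-list 10 permit any
"""
```

Running evaluate over LAB_ACL shows the two behaviours the lab is about: 172.22.5.2 to 172.22.2.2 on TCP 80 stops at line 1 with deny, while the same host on any other port, or any other host on port 80, falls through to line 2 and is permitted. Drop the permit line and every packet returns ("deny", None), which is the implicit deny biting. On a real router the list would be attached with ip access-group 120 in on the interface facing 172.22.5.2 (interface name not given by the slide); if the server also speaks HTTPS, a second deny line for eq 443 is needed.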

15. Monitoring Extended IP Access Lists

16. Standard IPX Access Lists
• Very similar to their IP cousins
• One distinct difference: standard IPX lists can filter based on both source and destination addresses, whereas standard IP access lists can only filter based on source addresses
• In all other aspects, they act just like standard IP access lists

17. Standard IPX Access List Examples

18. Extended IPX Access Lists
• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number

19. Extended IPX Access Lists

20. IPX SAP Filters
• Limit SAP traffic in order to control which resources on the IPX network will be visible to IPX clients
• Allow you to limit the "advertising" of particular servers and services to a particular IPX network segment
• Since SAP advertisements are broadcast, limiting them reduces network traffic
• IPX input SAP filters reduce the number of SAP entries that are placed into a router's SAP table

21. IPX SAP Filter Example
