Access Lists

• Network traffic flow and security influence the design and management of computer networks
• Access lists are permit or deny statements that filter traffic both to and from a network segment based on the source address, destination address, protocol type, and port number of a packet
Problems with Access Lists

• One of the most common problems associated with access lists is a lack of planning
• Another troublesome area is the sequential nature in which you must enter the list into the router
• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list
Access List Rules

• Access lists are first created, and then they are applied to interfaces
• Inbound: direction is into the router
• Outbound: direction is out of the router
Access List Rules

• Routers apply lists sequentially, in the order in which you type them into the router
• Routers apply lists to packets sequentially
• Packets are processed only until a match is made, and then they are acted upon based on the criteria contained in the matching access list statement
• Implicit deny any: blocks all packets that do not meet the requirements of the access list, unless a permit any command is used at the end of the list
Access List Rules

• Access lists must be applied to an interface as either inbound or outbound traffic filters
• Only one list, per protocol, per direction can be applied to an interface
• You cannot remove one line from an access list
• Access lists are effective as soon as they are applied
Standard IP Access Lists

• Filter network traffic based on the source IP address only
• Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address
• Wildcard mask (also called inverse mask): applied to IP addresses to determine if an access list line will act upon a packet
Wildcard Mask

• Used to specify part of a network
• Block size: 64, 32, 18, 8, 4
• Examples:
  deny 172.16.10.0 0.0.0.255
  deny 172.16.0.0 0.0.255.255
  deny 172.16.16.0 0.0.3.255
  deny 172.16.16.0 0.0.7.255
  deny 172.16.32.0 0.0.31.255
Standard IP Access List Examples
Monitoring Standard IP Access Lists

• Three main commands are available for monitoring access lists on your router:
  show access-lists
  show ip access-lists
  show interfaces or show ip interface
• It is a good idea to run each of these commands after creating and applying access lists
Lab
Extended IP Access Lists

• IP access lists that filter traffic by source IP address, destination IP address, protocol type, and port number
• Type each of the following in turn (the ? shows the options available at that point):
  R(config)#access-list ?
  R(config)#access-list 110 ?
  R(config)#access-list 110 deny ?
  R(config)#access-list 110 deny tcp ?
  R(config)#access-list 110 deny tcp any ?
  R(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  R(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
Extended IP Access Lists

Interpret these commands:
  R(config)#access-list 110 deny tcp host 172.16.20.10 host 172.16.30.2 eq 80
  R(config)#access-list 110 deny tcp host 172.16.20.10 any eq 80
  R(config)#access-list 110 deny tcp any any eq 80
Extended IP Access List Examples

  Acme# config terminal
  Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 21
  Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 23
  Acme(config)# access-list 110 permit ip any any
  Acme(config)# int e0
  Acme(config-if)# ip access-group 110 out
Extended IP Access List Examples

Type commands to block host 172.22.5.2 from accessing Web Services on server 172.22.2.2
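The following simulator is an added example, not part of the original slides or any vendor code. It ties together the wildcard-mask slide, the "first match wins / implicit deny any" rules, and the extended access list examples above: it parses access-list lines in the IOS syntax shown on the slides (standard lists 1-99 with a source address only, extended lists with protocol, source, destination and an optional eq port), computes the address range a wildcard mask covers, and evaluates constructed packets top-down. The Packet and Entry classes, the block_size helper, and access list 120 (one possible answer to the exercise above) are assumptions made for this example; the list-number ranges and wildcard semantics are standard IOS behaviour.

```python
"""Constructed simulator of Cisco-style standard and extended IP access lists.

Two rules from the slides are implemented literally: entries are tested in the
order they were entered and the first match decides, and a packet that matches
no entry falls through to the implicit "deny any" at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" = address 0.0.0.0, wildcard all ones


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


def matched_range(network: str, wildcard: str) -> Tuple[str, str]:
    """First and last address an (address, wildcard) pair covers."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    first = _ip(network) & care
    last = first | _ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def block_size(wildcard: str) -> int:
    """Block size in the first octet the wildcard leaves open (0.0.3.255 -> 4)."""
    for octet in wildcard.split("."):
        if octet != "0":
            return int(octet) + 1
    return 1


@dataclass
class Packet:                 # hypothetical packet summary for the simulation
    src: str
    dst: str
    proto: str = "ip"         # "ip" is matched by any protocol entry
    dport: Optional[int] = None


@dataclass
class Entry:                  # one parsed access-list statement
    number: int
    action: str               # "permit" or "deny"
    proto: str
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Read 'any', 'host A', or 'A WILDCARD' (a bare 'A' means a single host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t and "#" in t[0]:                 # drop a copied "R(config)#" prompt
        head = t[0].split("#", 1)[1]
        t = ([head] if head else []) + t[1:]
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if 1 <= number <= 99:                 # standard list: source address only
        src, _ = _parse_addr(t, 3)
        return Entry(number, action, "ip", src, ANY, None)
    proto = t[3]                          # extended list: proto, src, dst, [eq port]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(number, action, proto, src, dst, dport)


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Access list 110 from the slide: block FTP and Telnet to 172.16.10.5, permit the rest.
ACL_110 = [parse_entry(l) for l in [
    "Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 23",
    "Acme(config)# access-list 110 permit ip any any",
]]
# One answer to the exercise (constructed): only 172.22.5.2 -> 172.22.2.2 on port 80 is blocked.
ACL_120 = [parse_entry(l) for l in [
    "access-list 120 deny tcp host 172.22.5.2 host 172.22.2.2 eq 80",
    "access-list 120 permit ip any any",
]]
# A list with no permit statement at all: the implicit deny blocks every packet.
ACL_10 = [parse_entry("access-list 10 deny 172.16.10.0 0.0.0.255")]

if __name__ == "__main__":
    for net, wc in [("172.16.10.0", "0.0.0.255"), ("172.16.16.0", "0.0.3.255"), ("172.16.32.0", "0.0.31.255")]:
        print(net, wc, "covers", matched_range(net, wc), "block size", block_size(wc))
    print(evaluate(ACL_110, Packet("10.1.1.1", "172.16.10.5", "tcp", 23)))   # deny
    print(evaluate(ACL_120, Packet("172.22.5.2", "172.22.2.2", "tcp", 443)))  # permit
    print(evaluate(ACL_10, Packet("10.0.0.1", "10.0.0.2")))                   # deny (implicit)
```

Running the module prints the range each wildcard example covers and the verdict for a few packets. The implicit-deny case is the one worth trying first when troubleshooting: ACL_10 contains only a deny line, so even traffic from outside 172.16.10.0/24 is dropped, which is exactly what the slides warn about when an administrator applies a half-written list over a Telnet session.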
Monitoring Extended IP Access Lists
Standard IPX Access Lists

• Very similar to their IP cousins
• One distinct difference: standard IPX access lists can filter based on source and destination addresses, whereas standard IP access lists can only filter based on source addresses
• In all other aspects, they act just like standard IP access lists
Standard IPX Access List Examples
Extended IPX Access Lists

• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
IPX SAP Filters

• Limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients
• Allow you to limit the "advertising" of particular servers and services to a particular IPX network segment
• Since SAP advertisements are broadcast, limiting them reduces network traffic
• IPX input SAP filters reduce the number of SAP entries that are placed into a router's SAP table
IPX SAP Filter Example