200 likes | 390 Views
CCNA ACLs Deepdive February, 2012. Jaskaran Kalsi Assoc. Technical Manager Europe/ CEE / RCIS Cisco Networking Academy . Agenda. CCNA & ACLs. Packet Filtering & ACL Overview. Standard ACL Configuration. Extended ACL Configuration. Demo & Summary. Objective.
E N D
CCNA ACLs DeepdiveFebruary, 2012 Jaskaran Kalsi Assoc. Technical Manager Europe/CEE/RCIS Cisco Networking Academy
Agenda CCNA & ACLs Packet Filtering & ACL Overview Standard ACL Configuration Extended ACL Configuration Demo & Summary
Objective • Provide a brief review of ACLs. • Demonstrate a brief example of how ACLs can be administered. • Provide a brief description of the troubleshooting scenarios that are available. • Focus on the use of Packet Tracer as a simulation tool and create an interactive session where the audience troubleshoots and pre-configured network.
ACLs & NetAcad CCNA • ACLs are an area that not only students struggle with but also instructors. • ACLs are covered in both CCNA Discovery & Exploration. • CCNA Exploration: • CCNA Exploration 4 - Chapter 5 • ACL theory • ACL examples • Packet Tracer Activities
Packet Filtering • Controls access to a network • Analyzes incoming and outgoing packets. • Either permits or denies them based on a predefined set of criteria. • Routers act as packet filters • Make decisions based on source & destination IP addresses. • Source port; Destination port; & protocols can also be a determining factors. • ACLs are sequential lists that include the following: • Permit statement. • Deny statements. • They extract info from the packet header and test it against the permit/deny rules.
How do ACLs work? Inbound ACLs Outbound ACLs
ACLs: Review • Standard Access Control Lists • ACLs numbered 1-99 or 1300-1999 • IPv4 & IPv6 • Filter solely on Layer 3 source information • Extended Access Control Lists
ACLs: Caveats • Standard ACLs - placed as close to the destination as possible • Extended ACLs - placed on routers as close as possible to the source that is being filtered.
ACLs: Standard ACL Config Task: Block host 10.0.0.3 from gaining access on 40.0.0.0. While 10.0.0.3 must be able to communicate with other networks. All other computers from the network of 10.0.0.0 must be able to connect with the network of 40.0.0.0. R2>enable R2#configureterminal R2(config)#access-list 1 deny host 10.0.0.3 R2(config)#access-list 1 permit any R2(config)#interface FastEthernet0/1 R2(config-if)#ip access-group 1 out
ACLs: Extended • Usually range from 100-199 and 2000-2699. • Extended ACLs check sources & destination address; ports; & protocols. • Hence provide a greater range of control and enhance security.
ACLs: Reflexive; Dynamic; Timed • Reflexive ACLs • Dynamically allow reply packets • Work with TCP & UDP sessions initiated internally • Reduced exposure to spoofing and DoS attacks • Dynamic ACLs • Also known as ‘Lock-and-Key’ ACLs • Were available only for IP traffic • Dependent on Telnet connectivity, authentication, & E-ACLs • Time Based ACLs • Allow for access control based upon time of day, day of the week, or day of the month.
Quiz Question • Which three statements should be considered when applying ACLs to a Cisco router? (Choose three) • Place generic ACL entries at the top of the ACL. • Place more specific ACL entries at the top of the ACL. • Router-generated packets pass through ACLs without filtering. • ACLs always search for the most specific entry before taking any filtering action. • An access list applied to any interface without a configured ACL allows all traffic to pass.