UCCN 1003 (May 2009)
Data Communications & Networks (Lecture 09)
Access Control List
1st Question

• What is one of the major reasons to do IP subnetting?
• Answer:
  – To limit the broadcast domain.
  – To provide some security in the network.
• How (in security)?
  – Access control lists
  – Packet filtering at the router level
  – Can block packets based on IP addresses and port numbers.
What is ACL?
• ACL = Access List.
   – essentially a list of conditions that categorize packets.
• It is a form of packet filtering in Cisco routers.
• In practice, there are two steps in using an ACL:
   – Creating the access list
   – Placing the access list
• Easy to learn, hard to master.
• ACLs are used for:
   – exercising control over network traffic.
   – filtering unwanted packets when implementing security policies.
“Applying” ACLs
• There are two steps for applying an ACL:
• 1st step:
   – Create the Access Control List
• 2nd step:
   – Place the Access Control List at the interface
• There are 3 types of ACL:
   – Standard Access List
   – Extended Access List
   – Named Access List
“Skills” in ACL
• In this lecture, you have to learn:
   – How to create a standard ACL
       • Cisco command for creating standard ACLs
   – Where to place a standard ACL
       • Cisco command for placing standard ACLs
   – How to create an extended ACL
       • Cisco command for creating extended ACLs
   – Where to place an extended ACL
       • Cisco command for placing extended ACLs
   – The differences between standard and extended ACLs
   – Further rules and “tricks” for proper placement of ACLs
   – Creation and application of named ACLs
       • Named ACLs are derived from standard and extended ACLs
   – How to use ACLs to implement security policy and network traffic control.
Creating Standard ACLs
• Command Syntax:
  R1(config)#access-list access-list-number {deny | permit} {conditions}

• Example:
  R1(config)#access-list 10 deny host 192.168.1.1
  R1(config)#access-list 5 permit any
  R1(config)#access-list 17 deny 172.16.3.0 0.0.0.255

• There are 4 parts in the syntax of a standard ACL, read left to right:
  access-list (Part 1)  10 (Part 2)  deny (Part 3)  host 192.168.1.1 (Part 4)
General Rule of Standard ACL Syntax
• Part 1:
  – You MUST HAVE the command name “access-list”
• Part 2:
  – Access list number
  – Use any one number from 1 to 99 for standard ACL
• Part 3:
  – Can only be either permit or deny
• Part 4:
  – The “conditions”, view this part as:
     • A host
     • A LAN / IP subnets
     • Any Host
  – It is a source IP address or a source IP subnet; a standard ACL never looks at the destination.
Syntax of Standard ACLs Explained
• Example (created in global configuration mode):
  R1(config)#access-list 10 deny host 192.168.1.1
  – Part 1: access-list – you must have this to create a standard ACL.
  – Part 2: 10 – the access list number; use 1-99 for a standard ACL.
  – Part 3: deny – can either be permit or deny (remark is allowed too).
  – Part 4: host 192.168.1.1 – a host, a LAN / IP subnet, or any host.
More on Syntax of Part 4
Router(config)#access-list 10 permit ?

? = “Part 4” => 3 types of source
   host                    - A single host address
   any                     - Any source host
   hostname or a.b.c.d     - Address to match


               1st type: 1 IP address or 1 source host IP
     Router(config)#access-list 10 permit host 192.168.1.1


               2nd type: any source IP address
     Router(config)#access-list 10 permit any


                3rd type: source IP subnet
     Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255

     Note: Wildcard mask = 0.0.0.255
Introduction to Wildcard Mask
• As you’ve observed, the portion of “part 4” that defines the IP subnet in an ACL contains:
   – A wildcard mask: 0.0.0.255
   – Instead of a subnet mask: 255.255.255.0
• For example: an IP subnet of 172.16.1.0 to 172.16.1.255
   – With subnet mask (in setting a static IP route):
       • R1(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.2
   – With wildcard mask (in setting an access list):
       • R1(config)#access-list 9 permit 172.16.1.0 0.0.0.255
• The first step to understanding the wildcard mask is:
   – Wildcard mask IS NOT subnet mask.
   – Wildcard mask DOES NOT HAVE any relation with subnet mask.
   – Wildcard mask uses a different set of rules compared to subnet mask.
Applying Wildcard Mask
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255

• Step #1: Convert the wildcard mask to binary form:
    – 00000000.00000000.00000000.11111111
• Step #2: Change the ‘1’ to ‘x’
    – 00000000.00000000.00000000.xxxxxxxx
• Step #3: Change the IP address to binary:
    – 192.168.1.0 =>
    – 11000000.10101000.00000001.00000000
• Step #4: Match the IP and wildcard mask
    – 11000000.10101000.00000001.00000000
    – 00000000.00000000.00000000.xxxxxxxx
• Algorithm: if the wildcard bit is ‘0’, keep the IP bit; if the wildcard bit is ‘x’, the IP bit is replaced by ‘x’.
• Results:
    – 11000000.10101000.00000001.xxxxxxxx
• In the place of ‘x’, it can be either ‘0’ or ‘1’.
Difference Between Subnet mask and Wildcard mask
• Unlike a subnet mask, a wildcard mask:
  – Is not restricted to all ‘0’ on the left and all ‘1’ on the right
  – That means there can be 2^32 wildcard masks
     • versus only 32 valid subnet masks
  – Hence, this is allowed:
     • 01001000.10001111.11111111.00000001
  – Does not perform a “bitwise and” with the IP address
  – Is “kind of” a reverse arrangement of the subnet mask in terms of the ‘1’ bits.
How Wildcard Mask Works?
R1(config)#access-list 2 deny 172.16.0.1 0.0.255.254

   • Question:
      – In the above statement, what IPs does the ACL deny?


  • Answer
# Quick Quiz#

R1(config)#access-list 2 permit 172.16.1.3 0.0.0.252

  • Question:
     – Given the above statement, which of the following IPs are “permitted” by the access list?
     – A) 172.16.1.5
     – B) 172.16.1.51
     – C) 172.16.1.13
# Quick Quiz#

R1(config)#access-list 2 permit 172.16.1.3 255.255.255.252

  • Question:
     – Given the above statement (a subnet mask accidentally used as the wildcard mask), which of the following IPs are “permitted” by the access list?
     – A) 172.16.1.5
     – B) 172.16.1.51
     – C) 172.16.1.13
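The wildcard algorithm from the Applying Wildcard Mask slide as code, added here as an example that is not part of the lecture: it checks the two quizzes above (including the subnet-mask-by-mistake case) and can also enumerate every address an entry admits, as needed for the later quiz on access-list 10 permit 192.168.12.0 0.0.0.69. Function names are my own; subnet_to_wildcard goes beyond the slides by deriving a subnet's wildcard from a host's prefix length.

```python
"""Wildcard-mask matching as the slides describe it (added example, not from the
lecture): a '0' bit in the wildcard means the address bit must match, a '1' bit
is a don't-care 'x'. All function names are my own."""
import ipaddress
from itertools import product


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_match(entry_addr, wildcard, candidate):
    """True if `candidate` is covered by the ACL entry `entry_addr wildcard`.
    Same as the slide's bit algorithm: compare only the bits where the wildcard
    is 0 (the 'care' bits); the 'x' bits may be anything."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(entry_addr) & care)


def matching_addresses(entry_addr, wildcard, max_free_bits=8):
    """Every address an entry matches: care bits fixed from the entry, each 'x'
    bit toggled through 0 and 1 (bounded, because 2**n addresses result)."""
    wc = to_int(wildcard)
    free_bits = [1 << i for i in range(32) if (wc >> i) & 1]
    if len(free_bits) > max_free_bits:
        raise ValueError(f"{len(free_bits)} free bits is too many to enumerate")
    base = to_int(entry_addr) & ~wc & 0xFFFFFFFF
    found = set()
    for choice in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, choice):
            if on:
                value |= bit
        found.add(value)
    return [to_dotted(v) for v in sorted(found)]


def subnet_to_wildcard(cidr):
    """Wildcard for a whole subnet: the bitwise inverse of its subnet mask,
    e.g. the case-study host 172.16.50.173/20 -> ('172.16.48.0', '0.0.15.255')."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


if __name__ == "__main__":
    # Quiz entry: access-list 2 permit 172.16.1.3 0.0.0.252
    for ip in ("172.16.1.5", "172.16.1.51", "172.16.1.13"):
        print(ip, wildcard_match("172.16.1.3", "0.0.0.252", ip))
    # Subnet mask mistaken for the wildcard: the first three octets become don't-care,
    # so a host on a completely different network is permitted too.
    print(wildcard_match("172.16.1.3", "255.255.255.252", "10.0.0.51"))
    print(matching_addresses("192.168.12.0", "0.0.0.69"))
```

The enumeration for 0.0.0.69 also returns 192.168.12.0, which is the network address of that /24 rather than an assignable host address, so the seven remaining values agree with the slide's answer.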
The ANY and HOST Option
  R1(config)#access-list 4 permit 0.0.0.0 255.255.255.255
Can be written as:
  R1(config)#access-list 4 permit any

  R1(config)#access-list 3 permit 172.16.3.2 0.0.0.0
Can be written as:
  R1(config)#access-list 3 permit host 172.16.3.2

• There are two special keywords that are used in ACLs: the any and host options.
• Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
• This option will match any address that it is compared against.
• The host option substitutes 0.0.0.0 for the wildcard mask.
• This mask requires that all bits of the ACL address and the packet address match, so the option matches just one address.
More Rules for Standard ACLs
• The “part 4” of a Standard ACL works on the source IP address.
• One ACL is identified by one ACL number.
• You can put as many “conditions” into a list as you need (e.g. next slide).
• Every Standard ACL has a hidden “deny all” statement at the end of the list.
• Use these commands to see the access lists
  – Router#show access-list
  – Router#show access-list 5
• Use this command to erase an access list
  – Router(config)#no access-list 15
Multi-condition Standard ACL
Router#config t
Router(config)#no access-list 5
Router(config)#access-list 5 deny host 172.16.10.1
Router(config)#access-list 5 deny host 172.16.10.2
Router(config)#access-list 5 deny host 172.16.10.3
Router(config)#access-list 5 permit any
Router(config)#access-list 7 deny host 172.16.10.3
Router(config)#access-list 7 deny host 192.168.1.4
Router(config)#access-list 7 permit any
Router(config)#exit
Router#show access-list
Standard IP access list 5
    deny host 172.16.10.1
    deny host 172.16.10.2
    deny host 172.16.10.3
    permit any
Standard IP access list 7
    deny host 172.16.10.3
    deny host 192.168.1.4
    permit any
Placing Standard ACLs - 1
• Syntax:
  R1(config)#interface {interface-name}
  R1(config-if)#{protocol} access-group access-list-number {in | out}

  [Figure: each interface has an in and an out direction – Fa0/0 in, Fa0/0 out, Fa0/1 in, Fa0/1 out]

• Example:
     R1(config)#int fa0/0
     R1(config-if)#ip access-group 10 in
     R1(config-if)#ip access-group 12 out

• The ip access-group command links an existing ACL to an interface.
Placing Standard ACLs - 2
• You can place
   – the same access list at different interfaces
       Router(config)#int fa0/0
       Router(config-if)#ip access-group 10 in
       Router(config)#int fa0/1
       Router(config-if)#ip access-group 10 in

   – only 2 access lists of one protocol at the same interface, one in and one out
       Router(config)#int fa0/0
       Router(config-if)#ip access-group 10 in
       Router(config-if)#ip access-group 97 out

   – ACLs of different layer 3 protocols at the same interface (in and out)
        Router(config)#int fa0/0
        Router(config-if)#ip access-group 10 in
        Router(config-if)#ip access-group 97 out
        Router(config-if)#ipx…..
The “Logic” of Standard ACL
[Figure: ACL and Routing Processes in a Router – ip access-group list_number in / ip access-group list_number out]
Checking and Unbinding the “Placement” of ACLs

• Use the following commands to verify the placement of ACLs on the interfaces of the router.
   – Router#show ip interface
   – Router#show running-config

• Remember to “unbind” an ACL at the interface level by typing the following commands

  R1(config)#int fa0/0
  R1(config-if)#no ip access-group list_number in
Show running-config
       R1#show run
       version 12.2
       hostname R1
       interface FastEthernet0/0
       ip address 192.168.14.1 255.255.255.0
       ip access-group 23 in
       duplex auto
       speed auto
       !
• The show running-config command displays the binding or placement of an access list on a particular interface.
• It is also good practice to test the access lists with sample traffic to ensure that the access list logic is correct.
Show IP Interface
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.14.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
…
• The show ip interface command displays IP interface
  information and indicates whether any ACLs are set.
When you delete an Access List
• When you delete a particular ACL,
  –   only the contents of the ACL are removed
  –   the ACL binding is still on the interface
  –   meaning the interface still has the ACL
  –   a problem occurs if you “unintentionally” re-use the deleted ACL number…

       Example:
              R1(config)#no access-list 2
              R1(config)#exit
              R1#show run
              version 12.2
              hostname R1
              interface FastEthernet0/0
                ip address 192.168.14.1 255.255.255.0
                ip access-group 2 in
              !
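One way to catch the situation on this slide before it bites, as an added example that is not part of the lecture: audit a saved running-config for interfaces that still bind an access list that has no statements left. The sample config is constructed from the slide's output; function names are my own.

```python
"""Audit a saved running-config for interfaces that still bind an access list
that no longer has any statements, the state the slide shows after
'no access-list 2'. Added example, not from the lecture; names are mine."""
import re

# Constructed sample, modelled on the slide's show run output after the deletion.
SAMPLE_RUNNING_CONFIG = """\
version 12.2
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.14.1 255.255.255.0
 ip access-group 2 in
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 10 out
!
access-list 10 permit 192.168.12.0 0.0.0.69
!
"""


def parse_bindings(config):
    """{interface: [(acl, direction), ...]} from every 'ip access-group' line."""
    bindings, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        if head:
            current = head.group(1)
        elif line.strip() == "!":
            current = None          # end of the interface block
        elif current:
            bind = re.match(r"\s+ip access-group (\S+) (in|out)", line)
            if bind:
                bindings.setdefault(current, []).append(bind.groups())
    return bindings


def defined_acls(config):
    """Identifiers of every ACL that still has at least one statement."""
    numbered = re.findall(r"^access-list (\S+) ", config, flags=re.M)
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, flags=re.M)
    return set(numbered) | set(named)


def dangling_bindings(config):
    """Bindings to an empty or missing list. IOS forwards all traffic through such
    a binding, and whatever list is later created under that number is enforced
    on the interface at once, which is the surprise the slide warns about."""
    defined = defined_acls(config)
    return sorted((iface, acl, direction)
                  for iface, binds in parse_bindings(config).items()
                  for acl, direction in binds if acl not in defined)


if __name__ == "__main__":
    for iface, acl, direction in dangling_bindings(SAMPLE_RUNNING_CONFIG):
        print(f"{iface}: access-group {acl} {direction} refers to an empty/missing list")
```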
# Quick Quiz#

Question: List all the IP addresses that can be assigned to PC1, so that PC1 can ping PC0.

running-config
hostname Router
!
interface FastEthernet0/0
 ip address 192.168.12.254 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 10 out
!
access-list 10 permit 192.168.12.0 0.0.0.69
!
Answer to the last slide

• Accepted IP addresses are 192.168.12.“0x000x0x” (last octet in binary, x is a wildcard bit), which gives:
  – 192.168.12.1
  – 192.168.12.4
  – 192.168.12.5
  – 192.168.12.64
  – 192.168.12.65
  – 192.168.12.68
  – 192.168.12.69
Placing ACL at VTY
• Here is an example of allowing only host 172.16.10.3 to telnet into a router:

  Lab_A(config)#access-list 50 permit 172.16.10.3
  Lab_A(config)#line vty 0 4
  Lab_A(config-line)#access-class 50 in

• Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target.
• For VTY lines, use access-class to bind the ACL
   – instead of ip access-group, which is used for other types of interface.
# Quick Quiz#
Question: What is the following ACL actually doing?
Case Study: Apply Standard ACL in Security Policy
• In the figure you have a router with four LAN connections and one WAN connection to the Internet.
• You need to write an ACL that will stop 3 LANs from accessing the Internet, except 172.16.50.173/20.
• Each of the LANs shows a single host’s IP address, and from that you need to determine the subnet and use wildcards to configure the ACL.
• How will you do this?
Answer to the last slide
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface s0
Router(config-if)#ip access-group 1 out


    Important note:
    For an ACL that only has “deny” statements,
    REMEMBER to put this statement last
            Router(config)#access-list 1 permit any
    to negate the implicit “deny all” statement at the end of the ACL.
Now: Syntax for Extended ACL
Creating IP Extended List
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data

  The 8 parts, read left to right on the first line:
  access-list (Part 1)  114 (Part 2)  permit (Part 3)  tcp (Part 4)
  172.16.6.0 0.0.0.255 (Part 5)  any (Part 6)  eq (Part 7)  telnet (Part 8)

• In an Extended Access List
   –   We have both a source IP and a destination IP
   –   We have layer-4 protocols and layer-5 protocols
   –   We have a different access-list number range
   –   Instead of “4 parts” in a standard ACL, we have 8 parts in an extended ACL
Extended ACL – Part 1 & 2
• Part 1: The command “access-list” is still the same.
• Part 2: The access-list number range for extended ACL is 100 to 199, and
  2000 to 2699
   – You must match the ACL number according to the following guideline!!
Extended ACL – Part 3 & 4
• Part 3:
  – deny or permit
• Part 4:
  – Layer 3 protocol
  – Layer 4 protocol
Extended ACL – Part 5 and 6
• Part 5:
   – Source address
      • Host, any, IP subnet
      • Same as standard ACL
• Part 6:
   – “Normally” Destination
     address
Extended ACL – Part 7

• Part 7
  – Normally
    conditional phrase
     •   gt = greater than
     •   eq = equal
     •   lt = less than
     •   neq = not equal
Checking Your Extended ACL
• The show access-list command displays the contents of all ACLs on the router.
Extended ACL – Part 8

• Part 8:
  – Port numbers
  – A port number can be given as the equivalent network service name
     • telnet (port 23)
Extended List Placement

R1(config-if)#ip access-group 110 in
R1(config-if)#ip access-group 110 out

R1#show ip interface
R1#show run

• The same rules apply as for standard ACLs:
   – For placement or assigning
   – For unbinding
   – For checking placement
Case Study: Apply Extended ACL in
                Security Policy

• We need to stop Telnet
  access to the networks
  attached to the Ethernet 1
  and Ethernet 2
• How do you solve this?
Answer to the last slide
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

    Comment: Can we have another placement of ACL?
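Both case-study answers, the standard ACL 1 and this extended ACL 110, run through a small simulator of the ACL logic the lecture describes (top-to-bottom first match, implicit deny at the end, number ranges deciding standard versus extended). This is an added example, not the lecture's or Cisco's code; all names in it are my own, and it also shows what happens to ACL 1 when the closing permit any is forgotten.

```python
"""Simulator of Cisco-style numbered IP ACL evaluation (added example, not Cisco's
code): statements are tested top to bottom, the first match wins, and a packet
matching nothing hits the implicit "deny all". All names here are mine."""
import ipaddress
from dataclasses import dataclass

STANDARD_RANGES = ((1, 99), (1300, 1999))      # number ranges from the slides
EXTENDED_RANGES = ((100, 199), (2000, 2699))
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25}
ANY = (0, 0xFFFFFFFF)                           # 0.0.0.0 255.255.255.255


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_kind(number):
    """'standard', 'extended', or None when the number is outside both ranges."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return None


def _parse_target(tokens):
    """Consume one source/destination spec: any | host A.B.C.D | A.B.C.D [W.W.W.W]."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_addr(tokens.pop(0)), 0)
    # A bare address with no wildcard matches that single host, as IOS treats it.
    wildcard = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return (_addr(tok), _addr(wildcard))


def _matches(target, address):
    entry, wildcard = target
    care = ~wildcard & 0xFFFFFFFF            # bits the wildcard leaves as 0 must agree
    return (address & care) == (entry & care)


@dataclass
class Entry:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp ("ip" for standard lists)
    src: tuple                   # (address, wildcard) as integers
    dst: tuple                   # same; ANY for standard lists
    dport: "int | None" = None   # only when the statement ends in "eq <port>"


def parse_acl(lines):
    """Entry list from 'access-list N permit|deny ...' statements, kept in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or len(tokens) < 4:
            raise ValueError(f"not an access-list statement: {line!r}")
        kind, action, rest = acl_kind(int(tokens[1])), tokens[2], tokens[3:]
        if kind is None or action not in ("permit", "deny"):
            raise ValueError(f"bad list number or action: {line!r}")
        if kind == "extended":
            proto = rest.pop(0)
            src, dst, dport = _parse_target(rest), _parse_target(rest), None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        else:                                   # standard: source address only
            proto, src, dst, dport = "ip", _parse_target(rest), ANY, None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, src, dst="0.0.0.0", proto="ip", dport=None):
    """Decide one packet. Returns (action, statement number); the number is None
    when the decision came from the implicit deny at the end of the list."""
    s, d = _addr(src), _addr(dst)
    for i, e in enumerate(entries, start=1):
        if e.proto not in ("ip", proto):
            continue
        if not (_matches(e.src, s) and _matches(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# Standard case study from the slides: three LANs denied, everything else permitted.
ACL_1_LINES = [
    "access-list 1 deny 172.16.128.0 0.0.31.255",
    "access-list 1 deny 172.16.192.0 0.0.63.255",
    "access-list 1 deny 172.16.88.0 0.0.7.255",
    "access-list 1 permit any",
]
ACL_1 = parse_acl(ACL_1_LINES)
ACL_1_NO_PERMIT = parse_acl(ACL_1_LINES[:3])    # the "forgot permit any" mistake
# Extended case study from the slides: no Telnet (tcp/23) into the two Ethernet LANs.
ACL_110 = parse_acl([
    "access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23",
    "access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23",
    "access-list 110 permit ip any any",
])
```

Running evaluate(ACL_1_NO_PERMIT, "172.16.50.173") gives ("deny", None): with no permit any, even the host that was supposed to be excepted falls through to the implicit deny.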
Conditional Flow of Extended ACLs




•   Extended ACLs check the source and destination packet addresses as well as
    being able to check for protocols and port numbers.
•   This gives greater flexibility to describe what the ACL will check. Packets can
    be permitted or denied access based on where the packet originated and its
    destination as well as protocol type and port addresses.
•   An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0
    destinations, while denying file transfers and web browsing. When packets are
    discarded, some protocols send an echo packet to the sender, stating that the
    destination was unreachable.
Creating Named ACLs - 1
• A named ACL is created with the ip access-list command.
• The advantages that a named access list provides are:
   – Intuitively identify an ACL using an alphanumeric name.
   – Eliminate the limit of 798 simple and 799 extended ACLs
• Named ACLs provide the ability to modify ACLs without
  deleting and then reconfiguring them.
• It is important to note that a named access list will allow the
  deletion of statements but will only allow for statements to
  be inserted at the end of a list. Even with named ACLs it is
  a good idea to use a text editor to create them.
• Consider the following before implementing named ACLs.
   – Named ACLs are not compatible with Cisco IOS releases prior to
     Release 11.2.
   – The same name may not be used for multiple ACLs. For example, it
     is not permissible to specify both a standard and extended ACL
     named George.
Creating Named ACLs (Standard)
• IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers.
Placing Named ACLs
• Same as standard ACL and extended ACL
• Using the ip access-group command
Creating Named ACLs – Extended -1
Creating Named ACLs – Extended -2
Inserting a line in Named ACL - 1
Inserting a line in Named ACL - 2
Note on Standard and Extended ACL
• What we have learnt so far is all IP-based.
• Cisco ACLs do accept other “layer-3” protocols such as
  – AppleTalk
  – IPX
  – DECnet
• For this subject and CCNA, we only need to worry about standard and extended IP ACLs.
Summary: IP Standard and Extended List
• IP Standard access lists
   – These use only the source IP address in an IP packet as the
     condition test.
   – All decisions are made based on source IP address. This means
     that standard access lists basically permit or deny an entire suite of
     protocols.
   – They don’t distinguish between any of the many types of IP traffic
     such as WWW, Telnet, UDP, etc.
• IP Extended access lists
   – Extended access lists can evaluate many of the other fields in the
     layer 3 and layer 4 headers of an IP packet.
   – They can evaluate source and destination IP addresses, the
     protocol field in the Network layer header, and port number at the
     Transport layer header.
   – This gives extended access lists the ability to make much more
     granular decisions when controlling traffic.
Access-List Grouping in a Router
• ACLs must be defined on a per-protocol, per-direction, and per-port basis.
• To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
• ACLs control traffic in one direction at a time on an interface.
• A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic.
• Finally, every interface can have multiple protocols and directions defined.
• If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed.
    – One ACL for each protocol, times two for direction (in and out), times two for the number of ports.
Rules of Access-List Number and Binding
• You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (expanded range).
• Access-list types are generally differentiated using a number.
• You CAN’T create an AppleTalk access list with numbers 300-399, since 300-399 belongs to DECnet access lists.
• The protocols for which you can specify access lists depend on your IOS version.
   – The protocols supported in the previous slides are: IP, IPX, AppleTalk, DECnet
• Example of wrong matching of list number and protocol when placing ACLs at the interface (AppleTalk should match a range of 600-699)

       R1(config)#access-list 10 deny host 192.168.1.1
       R1(config)#int fa0/0
       R1(config-if)#appletalk access-group 10 in

   Wrong matching between protocol & access-list number !!!
ACL and Firewall
• A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
Other Uses of ACLs
•   Blocking routing protocol advertisements.
•   Limit network traffic and increase network performance. By restricting video
    traffic, for example, ACLs could greatly reduce the network load and
    consequently increase network performance.
•   Provide traffic flow control. ACLs can restrict the delivery of routing updates. If
    updates are not required because of network conditions, bandwidth is
    preserved.
•   Provide a basic level of security for network access. ACLs can allow one host
    to access a part of the network and prevent another host from accessing the
    same area. For example, Host A is allowed to access the Human Resources
    network and Host B is prevented from accessing it.
•   Decide which types of traffic are forwarded or blocked at the router interfaces.
    Permit e-mail traffic to be routed, but block all telnet traffic.
•   Allow an administrator to control what areas a client can access on a network.
•   Screen certain hosts to either allow or deny access to part of a network. Grant
    or deny user permission to access only certain types of files, such as FTP or
    HTTP.
•   If ACLs are not configured on the router, all packets passing through the router
    will be allowed onto all parts of the network.
Summary: Monitoring ACL
Summary: Application of ACL
• ACLs can
   –   deny unwanted access to the network or LAN
   –   permit certain users to access the network
   –   deny internal users of a LAN access to certain services.
   –   permit internal users to access only certain services
• Security tools such as passwords, callback equipment, host software firewalls, and physical security devices are helpful; however,
   – they lack the flexibility of basic traffic filtering and the specific controls at the LAN level.
   – For example, a network administrator
        • may want to allow LAN users access to the Internet,
        • but not permit external users telnet access into the LAN.
• Some form of firewall mechanism or packet filtering has to be carried out at the router/LAN level.
Summary: ACL at Router Interface
• ACLs are lists of conditions that are applied to traffic traveling across a
  router's interface.
• These lists tell the router what types of packets to accept or deny at the
  Interface.
• ACLs can be created for all routed network protocols, such as Internet
  Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be
  configured at the router to control access to a network or subnet.
Summary: Placing ACLs
• The general rule is to put extended ACLs as close as possible to the source of the traffic being denied.
• Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Summary: How ACL “Logic” Works
• An ACL is a group of statements that define whether
  packets are accepted or rejected at inbound and outbound
  interfaces.
• These decisions are made by matching a condition
  statement in an access list and then performing the accept
  or reject action defined in the statement.
• The order in which ACL statements are placed is important.
• The Cisco IOS software tests the packet against each
  condition statement in order from the top of the list to the
  bottom.
• Once a match is found in the list, the accept or reject action
  is performed and no other ACL statements are checked.
• If a condition statement that permits all traffic is located at
  the top of the list, no statements added below that will ever
  be checked.

интернет Yordan
 
56. dram и sram
56. dram  и  sram56. dram  и  sram
56. dram и sram
 
хакери
хакерихакери
хакери
 
интернет развитие
интернет развитиеинтернет развитие
интернет развитие
 
Адаптация на Linux за ARM устройства
Адаптация на Linux за ARM устройстваАдаптация на Linux за ARM устройства
Адаптация на Linux за ARM устройства
 
Как SEO ни помага да повишим продажбите си онлайн?
Как SEO ни помага да повишим продажбите си онлайн?Как SEO ни помага да повишим продажбите си онлайн?
Как SEO ни помага да повишим продажбите си онлайн?
 
63.кеш памет
63.кеш памет63.кеш памет
63.кеш памет
 

Ähnlich wie Uccn1003 -may09_-_lect09_-_access_control_list_acl_

Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Lab8 Controlling traffic using Extended ACL Objectives Per.pdf
Lab8  Controlling traffic using Extended ACL Objectives Per.pdfLab8  Controlling traffic using Extended ACL Objectives Per.pdf
Lab8 Controlling traffic using Extended ACL Objectives Per.pdfadityacommunication1
 
Chapter 4 overview
Chapter 4 overviewChapter 4 overview
Chapter 4 overviewali raza
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructorSalem Trabelsi
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docxdorishigh
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
Modul 5 access control list
Modul 5 access control listModul 5 access control list
Modul 5 access control listdiah risqiwati
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxemelyvalg9
 
CNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxCNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxOritseKings
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsAhmed Habib
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL ConfigurationMdAlAmin187
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgEric Vanderburg
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summarymoonmanik
 

Ähnlich wie Uccn1003 -may09_-_lect09_-_access_control_list_acl_ (20)

Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)
 
Lab8 Controlling traffic using Extended ACL Objectives Per.pdf
Lab8  Controlling traffic using Extended ACL Objectives Per.pdfLab8  Controlling traffic using Extended ACL Objectives Per.pdf
Lab8 Controlling traffic using Extended ACL Objectives Per.pdf
 
Chapter 4 overview
Chapter 4 overviewChapter 4 overview
Chapter 4 overview
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4
 
Modul 5 access control list
Modul 5 access control listModul 5 access control list
Modul 5 access control list
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docx
 
Icnd210 s06l02
Icnd210 s06l02Icnd210 s06l02
Icnd210 s06l02
 
CNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxCNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptx
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
 
Acl
AclAcl
Acl
 
Ip Access Lists
Ip Access ListsIp Access Lists
Ip Access Lists
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL Configuration
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric Vanderburg
 
ENSA_Module_4.pptx
ENSA_Module_4.pptxENSA_Module_4.pptx
ENSA_Module_4.pptx
 
CCNA Access Lists
CCNA Access ListsCCNA Access Lists
CCNA Access Lists
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
 

Mehr von Shu Shin

Mehr von Shu Shin (20)

Information System Security introduction
Information System Security introductionInformation System Security introduction
Information System Security introduction
 
Chap12 part 1_
Chap12 part 1_Chap12 part 1_
Chap12 part 1_
 
Chap11
Chap11Chap11
Chap11
 
Chap10
Chap10Chap10
Chap10
 
Chap9
Chap9Chap9
Chap9
 
Chap8
Chap8Chap8
Chap8
 
Chap7
Chap7Chap7
Chap7
 
Chap6
Chap6Chap6
Chap6
 
Chap5
Chap5Chap5
Chap5
 
Chap4
Chap4Chap4
Chap4
 
Chap3
Chap3Chap3
Chap3
 
Chap2
Chap2Chap2
Chap2
 
Chap1
Chap1Chap1
Chap1
 
Chap13
Chap13Chap13
Chap13
 
Chap13
Chap13Chap13
Chap13
 
Chap11
Chap11Chap11
Chap11
 
Chap10
Chap10Chap10
Chap10
 
Chap9
Chap9Chap9
Chap9
 
Chap7
Chap7Chap7
Chap7
 
Chap5
Chap5Chap5
Chap5
 

Kürzlich hochgeladen

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Kürzlich hochgeladen (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Uccn1003 -may09_-_lect09_-_access_control_list_acl_

  • 1. UCCN 1003 (May 2009) Data Communications & Networks (Lecture 09): Access Control List
  • 2. 1st Question
    • What is one of the major reasons to do IP subnetting?
    • Answer:
      – To limit the broadcast domain.
      – To provide some security in the network.
    • How (in security)?
      – Access control list
      – Packet filtering at the router level
      – Can block packets based on IP addresses and port numbers.
  • 3. What is ACL?
    • ACL = Access List.
      – Essentially a list of conditions that categorize packets.
    • It is a form of packet filtering in a Cisco router.
    • In practice, there are two steps in using an ACL:
      – Creating the access list
      – Placing the access list
    • Easy to learn, hard to master.
    • ACLs are used for:
      – exercising control over network traffic.
      – filtering unwanted packets when implementing security policies.
  • 4. “Applying” ACLs
    • There are two steps for applying an ACL:
    • 1st step:
      – Create the Access Control List
    • 2nd step:
      – Place the Access Control List at the Interface
    • There are 3 types of ACL:
      – Standard Access List
      – Extended Access List
      – Named Access List
  • 5. “Skills” in ACL
    • In this lecture, you have to learn:
      – How to create a standard ACL
        • Cisco command for creating standard ACLs
      – Where to place a standard ACL
        • Cisco command for placing standard ACLs
      – How to create an extended ACL
        • Cisco command for creating extended ACLs
      – Where to place an extended ACL
        • Cisco command for placing extended ACLs
      – The differences between standard and extended ACLs
      – Further rules and “tricks” for proper placement of ACLs
      – Creation and application of named ACLs
        • Named ACLs are derived from standard and extended ACLs
      – How to use ACLs to implement security policy and network traffic control.
  • 6. Creating Standard ACLs
    • Command Syntax:
      R1(config)#access-list access-list-number {deny | permit} {conditions}
    • Example:
      R1(config)#access-list 10 deny host 192.168.1.1
      R1(config)#access-list 5 permit any
      R1(config)#access-list 17 deny 172.16.3.0 0.0.0.255
    • There are 4 parts in the syntax of a standard ACL (labelled Part 1 to Part 4 from left to right in the example above).
  • 7. General Rule of Standard ACL Syntax
    • Part 1:
      – You MUST HAVE the command name “access-list”
    • Part 2:
      – Access list number
      – Use any one number from 1 to 99 for a standard ACL
    • Part 3:
      – Can only be either permit or deny
    • Part 4:
      – The “conditions”; view this part as:
        • A host
        • A LAN / IP subnet
        • Any host
      – It is a source IP or source IP subnet
  • 8. Syntax of Standard ACLs Explained
    • Example (create the ACL in global configuration mode):
      R1(config)#access-list 10 deny host 192.168.1.1
    • Part 1: You must have this to create a standard ACL.
    • Part 2: Access list number. Use 1-99 for a standard ACL.
    • Part 3: Can either be permit or deny (remark is allowed too).
    • Part 4: A host, a LAN / IP subnet, or any host.
  • 9. More on Syntax of Part 4
      Router(config)#access-list 10 permit ?
        host                 A single host address
        any                  Any source host
        hostname or a.b.c.d  Address to match
    • The “?” help shows that Part 4 has 3 types of source:
    • 1st type: 1 IP address, i.e. 1 source host IP
      Router(config)#access-list 10 permit host 192.168.1.1
    • 2nd type: any source IP address
      Router(config)#access-list 10 permit any
    • 3rd type: a source IP subnet
      Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255
      Note: Wildcard mask = 0.0.0.255
  • 10. Introduction to Wildcard Mask
    • As you’ve observed, the portion of “part 4” that defines the IP subnet in an ACL contains:
      – A wildcard mask: 0.0.0.255
      – Instead of a subnet mask: 255.255.255.0
    • For example: an IP subnet of 172.16.1.0 to 172.16.1.255
      – With subnet mask (in setting a static IP route):
        • R1(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.2
      – With wildcard mask (in setting an access list):
        • R1(config)#access-list 9 permit 172.16.1.0 0.0.0.255
    • The first step to knowing the wildcard mask is:
      – Wildcard mask IS NOT subnet mask.
      – Wildcard mask DOES NOT HAVE any relation with subnet mask.
      – Wildcard mask uses a different set of rules compared to subnet mask.
  • 11. Applying Wildcard Mask
      Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255
    • Step #1: Convert the wildcard mask to binary form:
      – 00000000.00000000.00000000.11111111
    • Step #2: Change the ‘1’ to ‘x’
      – 00000000.00000000.00000000.xxxxxxxx
    • Step #3: Change the IP address to binary:
      – 192.168.1.0 =>
      – 11000000.10101000.00000001.00000000
    • Step #4: Match the IP and wildcard mask
      – 11000000.10101000.00000001.00000000
      – 00000000.00000000.00000000.xxxxxxxx
    • Algorithm: if wildcard bit = ‘0’, retain the IP bit; if wildcard bit = ‘x’, replace it.
    • Result:
      – 11000000.10101000.00000001.xxxxxxxx
    • In the place of ‘x’, the bit can be either ‘0’ or ‘1’.
  • 12. Difference Between Subnet Mask and Wildcard Mask
    • Unlike a subnet mask, a wildcard mask:
      – Is not restricted to all ‘0’ on the left and all ‘1’ on the right
      – That means there can be 2^32 wildcard masks
        • versus only 32 valid subnet masks
      – Hence, this is allowed:
        • 01001000.10001111.11111111.00000001
      – Does not perform a “bitwise and” process with the IP address
      – Is “kind of” a reverse arrangement of a subnet mask in terms of the ‘1’ bits.
  • 13. How Wildcard Mask Works?
      R1(config)#access-list 2 deny 172.16.0.1 0.0.255.254
    • Question:
      – In the above statement, what IPs does the ACL deny?
    • Answer
  • 14. # Quick Quiz #
      R1(config)#access-list 2 permit 172.16.1.3 0.0.0.252
    • Question:
      – Given the above statement, would the following IPs be “permitted” by the access list?
      – A) 172.16.1.5
      – B) 172.16.1.51
      – C) 172.16.1.13
  • 15. # Quick Quiz #
      R1(config)#access-list 2 permit 172.16.1.3 255.255.255.252
    • Question:
      – Given the above statement (a subnet mask accidentally mistaken for a wildcard mask), would the following IPs be “permitted” by the access list?
      – A) 172.16.1.5
      – B) 172.16.1.51
      – C) 172.16.1.13
  • 16. The ANY and HOST Option
      R1(config)#access-list 4 permit 0.0.0.0 255.255.255.255
      Can be written as:
      R1(config)#access-list 4 permit any
      R1(config)#access-list 3 permit 172.16.3.2 0.0.0.0
      Can be written as:
      R1(config)#access-list 2 permit host 172.16.3.2
    • There are two special keywords that are used in ACLs, the any and host options.
    • Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
    • This option will match any address that it is compared against.
    • The host option substitutes for the 0.0.0.0 mask.
    • This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.
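The wildcard rule of slides 11 to 16, worked in Python as an added example (this is not code from the lecture or from Cisco IOS): `wildcard_match` applies the bit rule from slide 11 to a single address, and `matching_addresses` enumerates every address a condition covers by walking the ‘x’ bits, which is the same expansion the quiz answers rely on (slides 13 to 15, and the 0.0.0.69 quiz on slides 27 and 28). The candidate addresses in the demo are constructed, not taken from the slides.

```python
"""Wildcard-mask matching for the Part 4 source condition of a standard ACL.

Added example for this lecture page; it is not code from the slides or from
Cisco IOS.  It applies the slide 11 rule (a '0' wildcard bit must match, a '1'
bit is a don't-care 'x') and evaluates the quiz statements on slides 13-15
and the any/host equivalences on slide 16.  Sample addresses are constructed.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")          # slide 16: the 'any' keyword


def host(ip):
    """Slide 16: 'host A.B.C.D' is A.B.C.D with wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def to_int(dotted):
    return int(IPv4Address(dotted))


def wildcard_match(condition, packet_ip):
    """True if packet_ip satisfies the (address, wildcard) condition.

    XOR marks the bits that differ; a differing bit under a '0' wildcard bit
    (one the wildcard does not cover) means no match.
    """
    ace_ip, wildcard = condition
    differing = to_int(ace_ip) ^ to_int(packet_ip)
    return differing & ~to_int(wildcard) == 0


def matching_addresses(condition, limit=4096):
    """List every address the condition matches, by enumerating the 'x' bits.

    Refuses conditions with too many wildcard bits so that 'permit any'
    does not try to enumerate 2**32 addresses.
    """
    ace_ip, wildcard = condition
    base, wc = to_int(ace_ip), to_int(wildcard)
    free_bits = [b for b in range(32) if (wc >> b) & 1]   # the 'x' positions
    if 2 ** len(free_bits) > limit:
        raise ValueError(f"{len(free_bits)} wildcard bits exceed the limit")
    fixed = base & ~wc                    # bits that must match, 'x' bits cleared
    result = []
    for combo in range(2 ** len(free_bits)):
        addr = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:          # this combination sets this 'x' bit to 1
                addr |= 1 << bit
        result.append(str(IPv4Address(addr)))
    return sorted(result, key=to_int)


def quiz(condition, candidates):
    """Return {candidate: matched?} for a quiz-style check of several addresses."""
    return {ip: wildcard_match(condition, ip) for ip in candidates}


if __name__ == "__main__":
    # Constructed candidates: the three quiz addresses plus one outside 172.16.0.0/16
    CANDIDATES = ("172.16.1.5", "172.16.1.51", "172.16.1.13", "10.0.0.7")
    print("slide 14 (wildcard 0.0.0.252):      ", quiz(("172.16.1.3", "0.0.0.252"), CANDIDATES))
    print("slide 15 (mask 255.255.255.252):    ", quiz(("172.16.1.3", "255.255.255.252"), CANDIDATES))
    print("slide 13 denies 172.16.200.7:       ", wildcard_match(("172.16.0.1", "0.0.255.254"), "172.16.200.7"))
    print("slide 16 'host 172.16.3.2' matches: ", matching_addresses(host("172.16.3.2")))
    print("slide 27 'permit 192.168.12.0 0.0.0.69':", matching_addresses(("192.168.12.0", "0.0.0.69")))
```

The slide 15 comparison is the useful one for a reviewer: with 255.255.255.252 typed in place of a wildcard, the first three octets become don't-care bits, so a source such as 10.0.0.7 is matched by a statement that was meant to cover only 172.16.1.x.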
  • 17. More Rules for Standard ACLs
    • The “part 4” of a Standard ACL works on the source IP address.
    • One ACL list is represented by one ACL number.
    • You can assign as many “conditions” into a list as you need (e.g. next slide).
    • Every Standard ACL list has a hidden “deny all” statement at the end of the list.
    • Use this command to see the access list:
      – Router#show access-list
      – Router#show access-list 5
    • Use this command to erase an access list:
      – Router(config)#no access-list 15
  • 18. Multi-condition Standard ACL
      Router#config t
      Router(config)#no access-list 5
      Router(config)#access-list 5 deny host 172.16.10.1
      Router(config)#access-list 5 deny host 172.16.10.2
      Router(config)#access-list 5 deny host 172.16.10.3
      Router(config)#access-list 5 permit any
      Router(config)#access-list 7 deny host 172.16.10.3
      Router(config)#access-list 7 deny host 192.168.1.4
      Router(config)#access-list 7 permit any
      Router(config)#exit
      Router#show access-list
      Standard IP access list 5
          deny host 172.16.10.1
          deny host 172.16.10.2
          deny host 172.16.10.3
          permit any
      Standard IP access list 7
          deny host 172.16.10.3
          deny host 192.168.1.4
          permit any
  • 19. Placing Standard ACLs - 1
    • Syntax:
      R1(config)#interface {interface-name}
      R1(config-if)#{protocol} access-group access-list-number {in | out}
      (figure: the four possible placements Fa0/0 in, Fa0/1 out, Fa0/0 out, Fa0/1 in)
    • Example:
      R1(config)#int fa0/0
      R1(config-if)#ip access-group 10 in
      R1(config-if)#ip access-group 12 out
    • The ip access-group command links an existing ACL to an interface.
  • 20. Placing Standard ACLs - 2
    • You can place:
      – the same Access List at different interfaces
        Router(config)#int fa0/0
        Router(config-if)#ip access-group 10 in
        Router(config)#int fa0/1
        Router(config-if)#ip access-group 10 in
      – only 2 Access Lists at the same interface, one for in and one for out
        Router(config)#int fa0/0
        Router(config-if)#ip access-group 10 in
        Router(config-if)#ip access-group 97 out
      – ACLs of different layer 3 protocols at the same interface (in and out)
        Router(config)#int fa0/0
        Router(config-if)#ip access-group 10 in
        Router(config-if)#ip access-group 97 out
        Router(config-if)#ipx…..
  • 21. The “Logic” of Standard ACL
  • 22. ACL and Routing Processes in a Router
      (figure: ip access-group list_number in / ip access-group list_number out)
  • 23. Checking and Unbinding the “Placement” of ACLs
    • Use the following commands to verify the placement of ACLs on the interfaces of the router.
      – Router#show ip interface
      – Router#show running-config
    • Remember to “unbind” an ACL at the interface level by typing the following commands:
      R1(config)#int fa0/0
      R1(config-if)#no ip access-group list_number in
  • 24. Show running-config
      R1#show run
      version 12.2
      hostname R1
      interface FastEthernet0/0
       ip address 192.168.14.1 255.255.255.0
       ip access-group 23 in
       duplex auto
       speed auto
      !
    • The show running-config command displays the binding or placement of an access list on a particular interface.
    • It is also good practice to test the access lists with sample traffic to ensure that the access list logic is correct.
  • 25. Show IP Interface
      R1#show ip interface
      FastEthernet0/0 is up, line protocol is up (connected)
        Internet address is 192.168.14.1/24
        Broadcast address is 255.255.255.255
        Address determined by setup command
        MTU is 1500 bytes
        Helper address is not set
        Directed broadcast forwarding is disabled
        Multicast reserved groups joined: 224.0.0.9
        Outgoing access list is not set
        Inbound access list is 1
        Proxy ARP is enabled
        Security level is default
        Split horizon is enabled
        …
    • The show ip interface command displays IP interface information and indicates whether any ACLs are set.
  • 26. When You Delete an Access List
    • When you delete a particular ACL:
      – Only the content of the ACL is emptied
      – The binding of the ACL is still at the interface
      – Meaning the interface still has the ACL
      – A problem occurs if you “unintentionally” re-use the deleted ACL number…
    • Example:
      R1(config)#no access-list 2
      R1(config)#exit
      R1#show run
      version 12.2
      hostname R1
      interface FastEthernet0/0
       ip address 192.168.14.1 255.255.255.0
       ip access-group 2 in
      !
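A configuration check for the situation on slide 26, added here as an example (not code from the lecture or from Cisco IOS): it parses a running-config in the shape of the show run output on slides 24 and 26 and reports every ip access-group binding (interfaces) or access-class binding (VTY lines, slide 29) whose list has no access-list definition left, so the leftover binding is noticed before the number is re-used. The configuration text is a constructed sample; the section and binding names are the ones on the slides.

```python
"""Audit a Cisco running-config for ACL bindings whose list is not defined.

Added example for this lecture page, not code from the slides or from
Cisco IOS.  Slide 26 shows that 'no access-list 2' empties the list but
leaves 'ip access-group 2 in' bound to the interface; this parser lists
such dangling references.  SAMPLE_CONFIG is a constructed configuration in
the shape of the show run output on slides 24 and 26.
"""
import re

SAMPLE_CONFIG = """\
version 12.2
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.14.1 255.255.255.0
 ip access-group 2 in
 ip access-group 23 out
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip access-group BLOCK_TELNET in
!
access-list 23 permit 192.168.14.0 0.0.0.255
ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
!
line vty 0 4
 access-class 50 in
!
"""

# A section is an interface or line block; '!' ends it.
SECTION = re.compile(r"^(interface \S+|line .+)$")
# Numbered lists ('access-list 23 ...') and named lists ('ip access-list extended NAME').
ACL_DEFINITION = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)")
# Interface bindings (ip access-group) and VTY bindings (access-class) are indented.
ACL_BINDING = re.compile(r"^\s+(?:ip access-group|access-class) (\S+) (in|out)\s*$")


def parse_config(config):
    """Return (defined_lists, bindings); a binding is (section, list, direction)."""
    defined, bindings, section = set(), [], None
    for line in config.splitlines():
        if line.startswith("!"):
            section = None                      # '!' closes the current section
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ACL_DEFINITION.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACL_BINDING.match(line)
        if m and section is not None:
            bindings.append((section, m.group(1), m.group(2)))
    return defined, bindings


def dangling_bindings(config):
    """Bindings that reference a list with no definition anywhere in the config."""
    defined, bindings = parse_config(config)
    return [b for b in bindings if b[1] not in defined]


if __name__ == "__main__":
    for section, acl, direction in dangling_bindings(SAMPLE_CONFIG):
        print(f"{section}: access list {acl} is bound {direction} but is not defined")
```

Running it on the sample reports the two leftovers (list 2 on FastEthernet0/0 and list 50 on the VTY lines) and stays quiet about list 23 and the named list BLOCK_TELNET, which are both defined.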
  • 27. # Quick Quiz #
      running-config:
      hostname Router
      !
      interface FastEthernet0/0
       ip address 192.168.12.254 255.255.255.0
      !
      interface FastEthernet0/1
       ip address 192.168.1.254 255.255.255.0
       ip access-group 10 out
      !
      access-list 10 permit 192.168.12.0 0.0.0.69
      !
    • Question: List all the IP addresses that can be assigned to PC1, so that PC1 can ping PC0.
  • 28. Answer to the last slide
    • Accept IP addresses of 192.168.12.“0x000x0x” (x is a wildcard bit), thus giving the result:
      – 192.168.12.1
      – 192.168.12.4
      – 192.168.12.5
      – 192.168.12.64
      – 192.168.12.65
      – 192.168.12.68
      – 192.168.12.69
  • 29. Placing ACL at VTY
    • Here is an example of allowing only host 172.16.10.3 to telnet into a router:
      Lab_A(config)#access-list 50 permit 172.16.10.3
      Lab_A(config)#line vty 0 4
      Lab_A(config-line)#access-class 50 in
    • Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target.
    • For a VTY line, use access-class to bind the ACL
      – instead of ip access-group as for other types of interface.
  • 30. # Quick Quiz #
    • Question: What is the following ACL actually doing?
  • 31. Case Study: Apply Standard ACL in Security Policy
    • In the right figure you have a router with four LAN connections and one WAN connection to the Internet.
    • You need to write an ACL that will stop 3 LANs from accessing the Internet, except 172.16.50.173/20.
    • Each of the LANs shows a single host’s IP address, and from that you need to determine the subnet and use wildcards to configure the ACL.
    • How will you do this?
  • 32. Answer to the last slide
      Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
      Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
      Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
      Router(config)#access-list 1 permit any
      Router(config)#interface s0
      Router(config-if)#ip access-group 1 out
    • Important note: for an ACL that only has “deny” statements, REMEMBER to put in this statement last:
      Router(config)#access-list 1 permit any
      to negate the implicit “deny all” statement at the end of the ACL.
  • 33. Now: Syntax for Extended ACL
  • 34. Creating IP Extended List
      R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
      R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp
      R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data
      (the parts are labelled Part 1 to Part 8 from left to right in the statements above)
    • In an Extended Access List:
      – We have both source IP and destination IP
      – We have layer-4 protocols and layer-5 protocols
      – We have a different access-list number range
      – Instead of “4 parts” in a standard ACL, we have 8 parts in an extended ACL
  • 35. Extended ACL – Part 1 & 2
    • Part 1: The command “access-list” is still the same.
    • Part 2: The access-list number range for an extended ACL is 100 to 199, and 2000 to 2699
      – You must match the ACL number according to the following guideline!!
  • 36. Extended ACL – Part 3 & 4
    • Part 3:
      – deny or permit
    • Part 4:
      – Layer 3 protocol
      – Layer 4 protocol
  • 37. Extended ACL – Part 5 and 6
    • Part 5:
      – Source address
        • Host, any, IP subnet
        • Same as standard ACL
    • Part 6:
      – “Normally” the destination address
  • 38. Extended ACL – Part 7
    • Part 7
      – Normally a conditional phrase
        • gt = greater than
        • eq = equal
        • lt = less than
        • neq = not equal
• 39. Checking Your Extended ACL
• The show access-list command displays the contents of all ACLs on the router.
• 40. Extended ACL – Part 8
• Part 8:
– Port number
– Or the name of the network service equivalent to that port number
• telnet (port 23)
• 41. Extended List Placement
R1(config-if)#ip access-group 110 in
R1(config-if)#ip access-group 110 out
R1#show ip interface
R1#show run
• The same rules apply as for a standard ACL:
– For placement or assigning
– For unbinding
– For checking placement
• 42. Case Study: Apply Extended ACL in Security Policy
• We need to stop Telnet access to the networks attached to Ethernet 1 and Ethernet 2.
• How do you solve this?
• 43. Answer to the last slide
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out
• Comment: Can we have another placement of the ACL?
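How ACL 110 above is evaluated, as an added example (not code from the lecture): each statement is matched on protocol, source, destination and port in order, the first match decides, and a packet matching nothing hits the implicit deny. The Packet and Entry classes and the 10.0.0.5 test source are constructed for this example; the sample in the main block also shows what happens when the “permit ip any any” line is placed first.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every IP protocol
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str
    dport: int = -1    # -1 when the statement has no "eq" clause

ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to
def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    # Cisco wildcard test: a 1 bit in the wildcard is "do not care"
    a, n, w = (int(ipaddress.ip_address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)

def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, e.src_net, e.src_wc)
            and wildcard_match(p.dst, e.dst_net, e.dst_wc)
            and (e.dport < 0 or e.dport == p.dport))

def evaluate(acl: list[Entry], p: Packet) -> str:
    """Top to bottom, first match wins; no match means the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

ACL_110 = [   # ACL 110 from the answer slide, as data
    Entry("deny", "tcp", *ANY, "172.16.48.0", "0.0.15.255", 23),
    Entry("deny", "tcp", *ANY, "172.16.192.0", "0.0.63.255", 23),
    Entry("permit", "ip", *ANY, *ANY),
]

if __name__ == "__main__":
    telnet = Packet("tcp", "10.0.0.5", "172.16.50.173", 23)   # constructed packet
    print("ACL 110:", evaluate(ACL_110, telnet))                # deny
    print("permit first:", evaluate([ACL_110[2]] + ACL_110[:2], telnet))   # permit
```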
• 44. Conditional Flow of Extended ACLs
• Extended ACLs check the source and destination packet addresses and can also check protocols and port numbers.
• This gives greater flexibility in describing what the ACL will check. Packets can be permitted or denied based on where the packet originated and its destination, as well as on protocol type and port numbers.
• An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0 destinations while denying file transfers and web browsing.
• When packets are discarded, some protocols send an echo packet back to the sender, stating that the destination was unreachable.
• 45. Creating Named ACLs - 1
• A named ACL is created with the ip access-list command.
• The advantages that a named access list provides are:
– Intuitively identify an ACL using an alphanumeric name.
– Eliminate the limit of 798 simple and 799 extended ACLs.
• Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
• It is important to note that a named access list will allow the deletion of statements but will only allow statements to be inserted at the end of a list. Even with named ACLs it is a good idea to use a text editor to create them.
• Consider the following before implementing named ACLs:
– Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
– The same name may not be used for multiple ACLs. For example, it is not permissible to specify both a standard and an extended ACL named George.
• 46. Creating Named ACLs (Standard)
• IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers.
• 47. Placing Named ACLs
• Same as for standard ACLs and extended ACLs
• Using the ip access-group command
  • 48. Creating Named ACLs – Extended -1
  • 49. Creating Named ACLs – Extended -2
  • 50. Inserting a line in Named ACL - 1
  • 51. Inserting a line in Named ACL - 2
• 52. Note on Standard and Extended ACL
• What we have learnt so far is all IP-based.
• Cisco ACLs also accept other “layer-3” protocols such as:
– AppleTalk
– IPX
– DECnet
• For this subject and the CCNA, we only need to worry about standard and extended IP ACLs.
• 53. Summary: IP Standard and Extended List
• IP Standard access lists
– These use only the source IP address in an IP packet as the condition test.
– All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols.
– They don’t distinguish between any of the many types of IP traffic such as WWW, Telnet, UDP, etc.
• IP Extended access lists
– Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet.
– They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header.
– This gives extended access lists the ability to make much more granular decisions when controlling traffic.
• 54. Access-List Grouping in a Router
• ACLs must be defined on a per-protocol, per-direction, per-interface (port) basis.
• To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
• ACLs control traffic in one direction at a time on an interface.
• A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic.
• Finally, every interface can have multiple protocols and directions defined.
• If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed.
– One ACL for each protocol, times two for direction (in and out), times two for the number of ports.
• 55. Rules of Access-List Number and Binding
• You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (expanded range).
• Access-list types are generally differentiated using a number.
• You CAN’T create an AppleTalk access list with numbers 300–399, since 300–399 belongs to DECnet access lists.
• The protocols for which you can specify access lists depend on your IOS version.
– The protocols supported in the previous slides are: IP, IPX, AppleTalk, DECnet
• Example of a wrong match between list number and protocol when placing an ACL at the interface (AppleTalk should use the range 600–699):
R1(config)#access-list 10 deny host 192.168.1.1
R1(config)#int fa0/0
R1(config-if)#appletalk access-group 10 in
Wrong matching between protocol & access-list number!!!
• 56. ACL and Firewall
• A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
• 57. Other Uses of ACLs
• Blocking routing protocol advertisements.
• Limit network traffic and increase network performance. By restricting video traffic, for example, ACLs could greatly reduce the network load and consequently increase network performance.
• Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
• Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
• Decide which types of traffic are forwarded or blocked at the router interfaces. Permit e-mail traffic to be routed, but block all Telnet traffic.
• Allow an administrator to control what areas a client can access on a network.
• Screen certain hosts to either allow or deny access to part of a network. Grant or deny user permission to access only certain types of files, such as FTP or HTTP.
• If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.
• 59. Summary: Application of ACL
• An ACL can:
– deny unwanted access to the network or LAN
– permit certain users to access the network
– deny internal users of a LAN access to certain services
– permit internal users to access only certain services
• Security tools such as passwords, callback equipment, host software firewalls, and physical security devices are helpful, however:
– they lack the flexibility of basic traffic filtering and the specific controls at the LAN level.
– For example, a network administrator
• may want to allow LAN users access to the Internet,
• but not permit external users Telnet access into the LAN.
• Some form of firewall mechanism or packet filtering has to be carried out at the router/LAN level.
• 60. Summary: ACL at Router Interface
• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
• These lists tell the router what types of packets to accept or deny at the interface.
• ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet.
• 61. Summary: Placing ACLs
• The general rule is to put extended ACLs as close as possible to the source of the traffic being denied.
• Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
• 62. Summary: How ACL “Logic” Works
• An ACL is a group of statements that define whether packets are accepted or rejected at inbound and outbound interfaces.
• These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.
• The order in which ACL statements are placed is important.
• The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom.
• Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.
• If a condition statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked.