Basic IP Traffic Management with Access Control Lists
Chapter Objectives
- Introduce ACL concepts
- Explain the types of ACL
- Configure ACLs
- Introduce wildcard masks
- Verify ACLs
Recall - I
- IGRP is a distance-vector routing protocol, which means that each router sends all or part of its routing table in a routing update message
- EIGRP was created using IGRP as the base and adding functionality to enhance it
- The OSPF protocol is built on the Shortest Path First (SPF) algorithm, which determines the shortest route to each destination
- When a network link changes state, the designated router sends a notification called a Link State Advertisement (LSA) across the network
Recall - II
- OSPF provides the following advantages:
  - Open protocol
  - Loop-free topology
  - Scalable
  - Hierarchical design
  - Uses multicasting
- There are different OSPF area types that help to handle external routes:
  - Normal area
  - Stub area
  - Totally stubby area
  - Not-so-stubby area
Access Control List - I
- An Access Control List (ACL) is a set of commands grouped together to filter the traffic that enters or leaves an interface
- The functions of ACLs include the following:
  - Reduce network traffic and increase network performance
  - Control the flow of traffic in the network
  - Provide security for network access
  - Decide which kinds of traffic are forwarded or restricted on an interface
Access Control List - II
- You must also specify one of the following directions in which the traffic should be filtered:
  - Inbound
  - Outbound
- Access lists are available in the following two types:
  - Numbered ACL
  - Named ACL
- Each of these comes in two forms:
  - Standard ACL
  - Extended ACL
ACL Processing
- An ACL is a group of statements bound together by a name or number
- When the router processes a packet against an ACL, it performs a series of steps to find a statement that matches the packet
- The router processes each ACL top-down
- If the packet does not match the first ACL statement, the router continues with the next statement, following the same process
Configuring ACL
- You must know the guidelines for configuring an ACL
- You can use the access-list command to create an ACL
- The syntax to create an ACL is:
    access-list ACL_# permit|deny conditions
- To activate the ACL on an interface, enter the following at the command prompt:
    interface type slot_#/port_#
    ip access-group ACL_# in|out
ACL Numbers and Protocol Types - I
  Type                           Numbers
  IP Standard                    1-99, 1300-1999
  Standard Vines                 1-99
  IP Extended                    100-199, 2000-2699
  Extended Vines                 100-199
  Bridging type code (layer 2)   200-299
  DECnet                         300-399
  Standard XNS                   400-499
  Extended XNS                   500-599
  AppleTalk                      600-699
ACL Numbers and Protocol Types - II
  Type                                   Numbers
  Bridging MAC address and vendor code   700-799
  IPX Standard                           800-899
  IPX Extended                           900-999
  IPX SAP filters                        1000-1099
  Extended transparent bridging          1100-1199
  IPX NLSP                               1200-1299
Editing Entries
- You may need to add, delete or modify an entry in the ACL
- In a numbered ACL, you cannot delete a specific entry
- The no access-list command allows you to delete an ACL. The syntax of the command is:
    no access-list number
- The no access-list ACL_# command deletes the entire list
Wildcard Masking
- Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address manually
- A 0 or 1 in a bit position of the wildcard mask means the following:
  - 0 - the bit in that position of the ACL statement address must match the bit in the same position of the IP address of the packet being examined
  - 1 - the bit in that position of the ACL statement address does not have to match the bit in the same position of the IP address of the packet being examined
Subnet Mask and Wildcard Mask Values
  Bit Value   Subnet Mask          Wildcard Mask
  0           Host component       Must match
  1           Network component    Ignore
Standard Numbered ACL
- You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
    access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
- After creating the standard ACL, you must activate it on the router's interface
- The ip access-group command below enables you to activate the ACL on the interface:
    ip access-group ACL_number in|out
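As an added example (not part of the slides), the following Python models the rules from the ACL Processing, Wildcard Masking and Standard Numbered ACL slides: it inverts a subnet mask into a wildcard mask, parses `access-list` lines in the slides' standard syntax, and evaluates a source address top-down with the implicit deny at the end. The sample ACL and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: a standard numbered ACL written the way the slides show it.
# Order matters: the router walks the entries top-down, the first match decides,
# and anything that matches no entry hits the implicit deny at the end of the list.
SAMPLE_ACL = """
access-list 10 deny   192.168.1.77
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255 log
"""


def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(subnet_mask):
    """Invert a subnet mask into the wildcard mask that matches the same subnet
    (255.255.255.0 -> 0.0.0.255): wildcard bit 0 = must match, 1 = ignore."""
    return str(ipaddress.IPv4Address(to_int(subnet_mask) ^ 0xFFFFFFFF))


def wildcard_match(packet_addr, acl_addr, wildcard):
    """True when every bit the wildcard marks as 0 is equal in both addresses."""
    care = to_int(wildcard) ^ 0xFFFFFFFF        # 1 where the bit must match
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def parse_standard_acl(text):
    """Parse 'access-list 1-99|1300-1999 permit|deny source [wildcard] [log]'.
    A missing wildcard means 0.0.0.0, i.e. the single host, as on IOS."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError("not a standard ACL line: %r" % line)
        number, action, source = int(tokens[1]), tokens[2], tokens[3]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError("%d is outside the standard IP ACL ranges" % number)
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny: %r" % line)
        options = tokens[4:]
        wildcard = options[0] if options and options[0] != "log" else "0.0.0.0"
        entries.append((action, source, wildcard, "log" in options))
    return entries


def evaluate(entries, source_addr):
    """Top-down, first match wins.  Returns (action, line_no) where line_no is
    the 1-based entry that matched, or ('deny', None) for the implicit deny."""
    for line_no, (action, source, wildcard, _log) in enumerate(entries, start=1):
        if wildcard_match(source_addr, source, wildcard):
            return action, line_no
    return "deny", None


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    print("255.255.240.0 ->", subnet_to_wildcard("255.255.240.0"))
    for src in ("192.168.1.77", "192.168.1.5", "10.200.3.4", "172.16.0.1"):
        print(src, evaluate(acl, src))
```

Swapping the first two entries shows why order matters: the host 192.168.1.77 is then permitted by the broader entry before its deny is ever reached.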
Extended Numbered ACLs
- Extended numbered ACLs are more flexible than standard ACLs
- The syntax of the command to configure an extended numbered ACL is:
    access-list 100-199|2000-2699 permit|deny IP_protocol
        source_address source_wildcard_mask [protocol_information]
        destination_address destination_wildcard_mask [protocol_information] [log]
TCP and UDP
- An extended ACL can filter traffic on IP protocols such as TCP and UDP
- The syntax of the command that configures an extended ACL for TCP or UDP is:
    access-list 100-199|2000-2699 permit|deny tcp|udp
        source_address source_wildcard_mask [operator source_port_#]
        destination_address destination_wildcard_mask [operator destination_port_#]
        [established] [log]
Operators for TCP and UDP Connections
  Operator   Description
  lt         Less than
  gt         Greater than
  neq        Not equal to
  eq         Equal to
  range      Range of port numbers
TCP Port Names and Numbers
  Name          Command Parameter   Number
  FTP Data      ftp-data            20
  FTP Control   ftp                 21
  Telnet        telnet              23
  SMTP          smtp                25
  WWW           www                 80
UDP Port Names and Numbers
  Name        Command Parameter   Number
  DNS Query   dns                 53
  TFTP        tftp                69
  SNMP        snmp                161
  IP RIP      rip                 520
ICMP
- ICMP is another protocol that can be filtered with an extended ACL
- ICMP does not use ports the way TCP and UDP do
- The syntax for filtering ICMP traffic is:
    access-list 100-199|2000-2699 permit|deny icmp
        source_address source_wildcard_mask
        destination_address destination_wildcard_mask [icmp_message] [log]
- In place of port numbers, you can specify the ICMP message type to match
ICMP Messages
  Message Type                  Description
  administratively-prohibited   Specifies that the packet is filtered
  echo                          Enables you to check the destination
  echo-reply                    Displays a message in response to the echo message created by ping
  host-unreachable              Specifies that the subnet is reachable, but the host is not responding
  net-unreachable               Specifies that the network or subnet is not reachable
  traceroute                    Enables filtering based on the traceroute information
Controlling Telnet Access to a Router
- Standard IP ACLs can control telnet access to the router. The access-class command enables you to do this. The syntax of this command is:
    access-class standard_ACL_# in|out
- Cisco routers enable you to restrict telnet access for normal users
- You can configure your router to allow telnet access only from the network administrators' networks
Named ACLs
- Named ACLs support both IP and IPX protocols
- The ip access-list command allows you to create a named ACL
- The syntax for this command is:
    ip access-list standard|extended ACL_name
- After creating a named ACL, you have to activate it on the router interface
- The ip access-group command given below enables you to activate the named ACL:
    ip access-group ACL_name in|out
Verifying and Monitoring Access Control Lists
- To view the ACLs that are activated on the router's interfaces, use the following command:
    show ip interface
- Cisco allows you to monitor each statement in the ACL. To view the statements in the ACL, use the following commands:
    show access-lists [ACL_#_or_name]
    show ip access-list [ACL_#_or_name]
Placing ACLs
- You have to decide the placement of the ACL depending on the source and destination addresses to be filtered
- You must consider the following when placing the ACLs:
  - Standard ACL
  - Extended ACL
Case Study
The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from its client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.
Network of the Organization (figure not included in this text)
Problem
Placement of the standard ACL on the router
Suggested Solution
You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server.
Summary - I
- An access control list is a set of commands grouped together to filter the traffic that enters or leaves an interface
- An ACL is a group of statements bound together by a name or number. When the router processes a packet against an ACL, it performs a series of steps to find a statement that matches the packet
- After building an IP ACL, you have to apply it to a process in IOS, such as an interface
- Extended numbered ACLs are more flexible than standard ACLs
Summary - II
- If the router finds a match between the packet and a statement, it executes one of the two actions included with the statement. The actions are:
  - Permit
  - Deny
- A need may arise to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
- To handle IP addresses in ACL statements, wildcard masks can be used to match a range of addresses instead of entering each one manually
Summary - III
- A wildcard mask is similar to an inverted subnet mask. If you want to match any address in a subnet or network, take the subnet mask and invert its bit values
- You must consider the following when placing the ACLs:
  - Standard ACL - needs to be placed close to the destination device that you want to prevent the source from reaching
  - Extended ACL - needs to be placed close to the source device. The extended ACL can filter on both the source and destination address
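Added example for the case study and for the placement rule in Summary III (not from the slides; the case-study figure is not reproduced, so the two-router topology, addresses and interface names below are constructed). A small forwarding model applies standard ACL 10 either outbound on R2's server-facing interface or inbound on R1's engineer-facing interface, and reports what each placement actually blocks.

```python
import ipaddress

# Constructed two-router topology standing in for the case-study figure:
#
#   engineers 10.1.1.0/24 --Fa0/0 [R1] S0/0 ---- S0/0 [R2] Fa0/0-- office PCs 10.2.2.0/24
#                                                       Fa0/1-- server LAN 10.2.3.0/24
#                                                               (server = 10.2.3.10)
ROUTERS = {  # router -> {interface: directly connected prefix}
    "R1": {"Fa0/0": "10.1.1.0/24", "S0/0": "10.9.9.0/30"},
    "R2": {"S0/0": "10.9.9.0/30", "Fa0/0": "10.2.2.0/24", "Fa0/1": "10.2.3.0/24"},
}
ROUTES = {  # static routes: router -> {prefix: egress interface}
    "R1": {"10.2.0.0/16": "S0/0"},
    "R2": {"10.1.1.0/24": "S0/0"},
}
LINKS = {("R1", "S0/0"): ("R2", "S0/0"), ("R2", "S0/0"): ("R1", "S0/0")}

# Standard ACL 10 as (action, source, wildcard) entries: block the engineers'
# subnet, let everyone else through (the implicit deny lives in acl_permits).
ACL_10 = [("deny", "10.1.1.0", "0.0.0.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]

# The two placements compared below, keyed by (router, interface, direction),
# i.e. where 'ip access-group 10 in|out' would be entered.
NEAR_DESTINATION = {("R2", "Fa0/1", "out"): ACL_10}   # what the slides recommend
NEAR_SOURCE = {("R1", "Fa0/0", "in"): ACL_10}


def wildcard_match(packet_addr, acl_addr, wildcard):
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_addr)) & care) == \
           (int(ipaddress.IPv4Address(acl_addr)) & care)


def acl_permits(entries, src):
    """Standard ACL: top-down on the source address, first match wins."""
    for action, addr, wildcard in entries:
        if wildcard_match(src, addr, wildcard):
            return action == "permit"
    return False                                   # implicit deny


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def first_hop(src):
    """Router and interface the source host is directly attached to."""
    for router, ifaces in ROUTERS.items():
        for iface, prefix in ifaces.items():
            if in_prefix(src, prefix):
                return router, iface
    raise ValueError("no router owns %s" % src)


def egress(router, dst):
    """Outgoing interface for dst and whether dst is directly connected on it."""
    for iface, prefix in ROUTERS[router].items():
        if in_prefix(dst, prefix):
            return iface, True
    for prefix, iface in ROUTES[router].items():
        if in_prefix(dst, prefix):
            return iface, False
    raise ValueError("%s has no route to %s" % (router, dst))


def allowed(placements, point, src):
    """An interface with no ACL applied passes everything."""
    return point not in placements or acl_permits(placements[point], src)


def forward(src, dst, placements):
    """Walk the packet hop by hop, checking any ACL applied inbound on the
    interface it arrives on and outbound on the interface it leaves by.
    Returns (delivered, drop_point)."""
    router, iface = first_hop(src)
    while True:
        if not allowed(placements, (router, iface, "in"), src):
            return False, (router, iface, "in")
        out_iface, connected = egress(router, dst)
        if not allowed(placements, (router, out_iface, "out"), src):
            return False, (router, out_iface, "out")
        if connected:
            return True, None
        router, iface = LINKS[(router, out_iface)]  # next hop's ingress interface


if __name__ == "__main__":
    flows = [("engineer -> server", "10.1.1.20", "10.2.3.10"),
             ("engineer -> office PC", "10.1.1.20", "10.2.2.15"),
             ("office PC -> server", "10.2.2.15", "10.2.3.10")]
    for name, placement in (("near destination", NEAR_DESTINATION),
                            ("near source", NEAR_SOURCE)):
        for label, src, dst in flows:
            print(name, label, forward(src, dst, placement))
```

Near the destination only the engineer-to-server flow is dropped; near the source the same two-line ACL also cuts the engineers off from the office PCs, because a standard ACL can only see the source address.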

Weitere ähnliche Inhalte

Was ist angesagt?

Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5   finalVxlan deep dive session rev0.5   final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)Respa Peter
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
Brkmpl 2333
Brkmpl 2333Brkmpl 2333
Brkmpl 2333ronsito
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)NetProtocol Xpert
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTNishant Goel
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksAPNIC
 
GRE (generic routing encapsulation)
GRE (generic routing encapsulation)GRE (generic routing encapsulation)
GRE (generic routing encapsulation)Netwax Lab
 

Was ist angesagt? (20)

Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5   finalVxlan deep dive session rev0.5   final
Vxlan deep dive session rev0.5 final
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
 
OSPF Basics
OSPF BasicsOSPF Basics
OSPF Basics
 
Brkmpl 2333
Brkmpl 2333Brkmpl 2333
Brkmpl 2333
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
 
CCNA ppt
CCNA pptCCNA ppt
CCNA ppt
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
 
vlan
vlanvlan
vlan
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPT
 
Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)
 
Vlan
Vlan Vlan
Vlan
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training Presentation
 
Network virtualization
Network virtualizationNetwork virtualization
Network virtualization
 
Ospf area types
Ospf area typesOspf area types
Ospf area types
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
VLAN
VLANVLAN
VLAN
 
GRE (generic routing encapsulation)
GRE (generic routing encapsulation)GRE (generic routing encapsulation)
GRE (generic routing encapsulation)
 

Andere mochten auch

CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsVuz Dở Hơi
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Disha Bedi
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACLfaust0
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
Network Design on cisco packet tracer 6.0
Network Design on cisco packet tracer 6.0Network Design on cisco packet tracer 6.0
Network Design on cisco packet tracer 6.0Saurav Pandey
 

Andere mochten auch (7)

CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control Lists
 
Types of ACLs
Types of ACLsTypes of ACLs
Types of ACLs
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its Types
 
Network Design on cisco packet tracer 6.0
Network Design on cisco packet tracer 6.0Network Design on cisco packet tracer 6.0
Network Design on cisco packet tracer 6.0
 

Ähnlich wie Basic ip traffic management with access control lists

Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003  -may09_-_lect09_-_access_control_list_acl_Uccn1003  -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Shu Shin
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003  -may09_-_lect09_-_access_control_list_acl_Uccn1003  -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Shu Shin
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccnarobertoxe
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docxdorishigh
 
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...rediani
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxemelyvalg9
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL ConfigurationMdAlAmin187
 
CNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxCNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxOritseKings
 
Chapter 08 - Acl
Chapter 08 - AclChapter 08 - Acl
Chapter 08 - Aclphanleson
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructorSalem Trabelsi
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...Tarun Khaneja
 
Chapter 09 - Access Control Lists
Chapter 09 - Access Control ListsChapter 09 - Access Control Lists
Chapter 09 - Access Control ListsYaser Rahmati
 
Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01amit singh
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4Waqas Ahmed Nawaz
 

Ähnlich wie Basic ip traffic management with access control lists (20)

CCNA CHAPTER8 BY jetarvind kumar madhukar
CCNA CHAPTER8 BY jetarvind kumar madhukarCCNA CHAPTER8 BY jetarvind kumar madhukar
CCNA CHAPTER8 BY jetarvind kumar madhukar
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003  -may09_-_lect09_-_access_control_list_acl_Uccn1003  -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003  -may09_-_lect09_-_access_control_list_acl_Uccn1003  -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx
 
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...
26.2.1 Packet Tracer - Configure Extended IPv4 ACLs - Scenario 1 - ITExamAnsw...
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docx
 
Configuring Standard ACLs
Configuring Standard ACLsConfiguring Standard ACLs
Configuring Standard ACLs
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL Configuration
 
CNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptxCNv6_instructorPPT_Chapter4.pptx
CNv6_instructorPPT_Chapter4.pptx
 
Chapter 08 - Acl
Chapter 08 - AclChapter 08 - Acl
Chapter 08 - Acl
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer   configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
 
CCNA
CCNACCNA
CCNA
 
Chapter 09 - Access Control Lists
Chapter 09 - Access Control ListsChapter 09 - Access Control Lists
Chapter 09 - Access Control Lists
 
Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
 

Mehr von Sourabh Badve

Mehr von Sourabh Badve (8)

Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2
 
Ip routing
Ip routingIp routing
Ip routing
 
Cyber crime
Cyber crime Cyber crime
Cyber crime
 
Cryptography
CryptographyCryptography
Cryptography
 
Basic router configuration
Basic router configurationBasic router configuration
Basic router configuration
 
Corporate security
Corporate securityCorporate security
Corporate security
 
Cyber laws
Cyber lawsCyber laws
Cyber laws
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 

Kürzlich hochgeladen

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 

Kürzlich hochgeladen (20)

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Measures of Central Tendency: Mean, Median and Mode

Basic IP Traffic Management with Access Control Lists (slide transcript)

ACL Processing
   An ACL is a group of statements that are held together under a name or number
   When a packet arrives at the router, the router works through that group of statements in a series of steps to find a statement that matches the packet
   The router processes each ACL in a top-down manner
   If the packet does not match the first ACL statement, the router moves on to the next statement and repeats the same process

Configuring ACL
   You must know the configuration guidelines before you configure an ACL
   Use the access-list command to create an ACL
   The syntax to create an ACL is:
      access-list ACL_# permit|deny conditions
   To activate the ACL on an interface, enter the following at the command prompt:
      interface type slot_#/port_#
      ip access-group ACL_# in|out

ACL Numbers and Protocol Types - I
   Type                                   Numbers
   IP Standard                            1-99, 1300-1999
   Standard Vines                         1-99
   IP Extended                            100-199, 2000-2699
   Extended Vines                         100-199
   Bridging type code (layer-2)           200-299
   DECnet                                 300-399
   Standard XNS                           400-499
   Extended XNS                           500-599
   AppleTalk                              600-699

ACL Numbers and Protocol Types - II
   Type                                   Numbers
   Bridging MAC address and vendor code   700-799
   IPX Standard                           800-899
   IPX Extended                           900-999
   IPX SAP filters                        1000-1099
   Extended transparent bridging          1100-1199
   IPX NLSP                               1200-1299

Editing Entries
   You may need to add, delete or modify an entry in an ACL
   In a numbered ACL, you cannot delete a specific entry
   The no access-list command deletes an ACL. The syntax of the command is:
      no access-list ACL_#
   The no access-list ACL_# command deletes the entire list

Wildcard Masking
   Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address by hand
   A wildcard mask bit of 0 or 1 in a given bit position means the following:
     0 - The bit in that position of the ACL statement address must match the bit in the same position of the IP address of the packet being examined
     1 - The bit in that position of the ACL statement address does not have to match the bit in the same position of the IP address of the packet being examined

Subnet Mask and Wildcard Mask Values
   Bit Value   Subnet Mask          Wildcard Mask
   0           Host component       Must match
   1           Network component    Ignore

Standard Numbered ACL
   You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
      access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
   After creating the standard ACL, you must activate it on the router's interface
   The ip access-group command below activates the ACL on the interface:
      ip access-group ACL_number in|out

Extended Numbered ACLs
   Extended numbered ACLs are more flexible than standard ACLs
   The syntax of the command to configure an extended numbered ACL is:
      access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

TCP and UDP
   An extended ACL can filter traffic on IP protocols such as TCP and UDP
   The syntax of the command that configures an extended ACL for TCP or UDP is:
      access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]

Operators for TCP and UDP Connections
   Operator   Description
   lt         Less than
   gt         Greater than
   neq        Not equal to
   eq         Equal to
   range      Range of port numbers

TCP Port Names and Numbers
   Name          Command Parameter   Number
   FTP Data      ftp-data            20
   FTP Control   ftp                 21
   Telnet        telnet              23
   SMTP          smtp                25
   WWW           www                 80

UDP Port Names and Numbers
   Name        Command Parameter   Number
   DNS Query   dns                 53
   TFTP        tftp                69
   SNMP        snmp                161
   IP RIP      rip                 520

ICMP
   ICMP is one of the protocols that can be filtered with an extended ACL
   Unlike TCP and UDP, ICMP does not use ports
   The syntax for filtering ICMP traffic is:
      access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
   The icmp_message parameter lets you filter on a specific ICMP message type
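The slides on ACL processing, wildcard masking, and the standard and extended numbered ACL syntax describe rules that are easy to get wrong in a live configuration. The following is an added example, written for this page and not taken from the slides or from Cisco IOS, that models those rules in Python: a wildcard mask is the inverted subnet mask (0 bits must match, 1 bits are ignored), statements are checked top-down and the first match wins, and extended entries can additionally test the protocol and a destination port with the lt/gt/eq/neq/range operators. One Cisco behaviour the slides do not state but that every IOS ACL has is the implicit "deny any" at the end of the list; the evaluator reproduces it. The ACL, addresses and packets are constructed for the demonstration.

```python
"""
Toy evaluator for Cisco-style numbered ACLs.
Added example for this page; it is not Cisco code and not taken from the slides.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def wildcard_from_prefix(prefix_len: int) -> str:
    """Invert the subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0 (one host), /0 -> 255.255.255.255 (any)."""
    mask = int(IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(statement_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Bits under a wildcard 0 must be equal; bits under a wildcard 1 are ignored."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(statement_addr)) & care) == (int(IPv4Address(packet_addr)) & care)


def port_match(operator: Optional[str], operand: Tuple[int, ...], port: int) -> bool:
    """Port operators from the slides: lt, gt, eq, neq, range. No operator means any port."""
    if operator is None:
        return True
    ops = {
        "lt": lambda p: p < operand[0],
        "gt": lambda p: p > operand[0],
        "eq": lambda p: p == operand[0],
        "neq": lambda p: p != operand[0],
        "range": lambda p: operand[0] <= p <= operand[1],
    }
    return ops[operator](port)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"       # "ip", "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                 # "ip" matches every protocol; a standard ACL tests only src
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default: any destination
    dport_op: Optional[str] = None
    dport: Tuple[int, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(self.src, self.src_wc, pkt.src):
            return False
        if not wildcard_match(self.dst, self.dst_wc, pkt.dst):
            return False
        return port_match(self.dport_op, self.dport, pkt.dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; a packet matching no statement hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed extended ACL: LAN 192.168.10.0/24 may reach server 10.0.0.5 on TCP/80 and
# UDP/53 only, everything else from that LAN to the server is dropped, all other traffic passes.
ACL_101 = [
    Entry("permit", "192.168.10.0", wildcard_from_prefix(24), "tcp", "10.0.0.5", "0.0.0.0", "eq", (80,)),
    Entry("permit", "192.168.10.0", "0.0.0.255", "udp", "10.0.0.5", "0.0.0.0", "eq", (53,)),
    Entry("deny",   "192.168.10.0", "0.0.0.255", "ip",  "10.0.0.5", "0.0.0.0"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),       # the usual "permit any" at the end
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.7", "10.0.0.5", "tcp", 40000, 80),
                Packet("192.168.10.7", "10.0.0.5", "tcp", 40001, 23),
                Packet("192.168.11.7", "10.0.0.5", "tcp", 40002, 23)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Reordering the entries changes the result: if the "deny ... ip" line were moved above the two permits, the web and DNS traffic would be dropped before their statements are ever reached, which is the practical consequence of the top-down rule on the ACL Processing slide.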
ICMP Messages
   Message Type                  Description
   administratively-prohibited   Specifies that the packet was filtered
   echo                          Enables you to check that the destination is reachable
   echo-reply                    The message sent in response to the echo created by ping
   host-unreachable              Specifies that the subnet is reachable, but the host is not responding
   net-unreachable               Specifies that the network or subnet is not reachable
   traceroute                    Enables you to filter based on traceroute information

Controlling Telnet Access to a Router
   Standard IP ACLs control telnet access to the router. The access-class command enables you to accomplish this. The syntax of this command is:
      access-class standard_ACL_# in|out
   Cisco routers enable you to restrict telnet access for normal users
   You can configure your router to allow telnet access only for the network administrators

Named ACLs
   Named ACLs support both IP and IPX protocols
   The ip access-list command allows you to create a named ACL
   The syntax for this command is:
      ip access-list standard|extended ACL_name
   After creating a named ACL, you have to activate it on the router interface
   The ip access-group command given below activates the named ACL:
      ip access-group ACL_name in|out

Verifying and Monitoring Access Control Lists
   To view the ACLs that are activated on the router's interfaces, use the following command:
      show ip interface
   Cisco allows you to monitor each statement in the ACL. To view the statements in an ACL, use the following commands:
      show access-lists [ACL_#_or_name]
      show ip access-list [ACL_#_or_name]

Placing ACLs
   You have to decide the placement of the ACL depending on the source and destination addresses to be filtered
   You must consider the following while placing ACLs:
     Standard ACL
     Extended ACL

Case Study
   The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from its client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.

   [Figure: Network of the Organization]

Problem
   Placement of the standard ACL on the router

Suggested Solution
   You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server
Summary - I
   An access control list is a set of commands, grouped together, that filters the traffic entering or leaving an interface
   An ACL is a group of statements held together under a name or number. When the router processes a packet against that group of statements, it performs a number of steps to find a statement that matches the packet
   After building an IP ACL, you have to apply it to a process in the IOS
   Extended numbered ACLs are more flexible than standard ACLs

Summary - II
   If the router finds a match between the packet and a statement, it executes one of the two actions included with the statement. The actions are:
     Permit
     Deny
   A need may arise to add, delete or modify an entry in an ACL. You cannot delete a specific entry in a numbered ACL
   To handle the IP addresses in ACL statements, wildcard masks can be used to match a range of addresses instead of entering each one by hand

Summary - III
   A wildcard mask is similar to an inverted subnet mask. If you want to match any address in a subnet or network, take the subnet mask and invert its bit values
   You must consider the following while placing ACLs:
     Standard ACL - Needs to be placed close to the destination device that you want to prevent the source from reaching
     Extended ACL - Needs to be placed close to the source device. An extended ACL can filter on both the source and the destination address
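The placement rule in Summary - III, and the case study it resolves, can be made concrete by simulating the two candidate positions for the standard ACL. The following is an added example written for this page, not code from the slides or from Cisco; the topology, interface names and addresses are constructed because the Figure is not available in the transcript. A standard ACL can only test the source address, so if it is applied on the engineers' own interface it cuts them off from every network behind the router, not just the server. Applied outbound on the server-facing interface it removes only the path to the server, which is the case study's requirement.

```python
"""
Why a standard ACL belongs close to the destination.
Added example for this page; not Cisco code and not taken from the slides.

Constructed topology (placeholder names and addresses):

    engineers 10.1.1.0/24 -- Fa0/0 [Router] Fa0/1 -- server LAN 10.1.2.0/24 (server 10.1.2.10)
                                   [Router] Fa0/2 -- other LAN  10.1.3.0/24
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_network
from typing import Dict, List, Tuple


def wildcard_match(stmt: str, wildcard: str, addr: str) -> bool:
    """Wildcard 0 bits must match, 1 bits are ignored (inverted subnet mask)."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(stmt)) & care) == (int(IPv4Address(addr)) & care)


@dataclass
class StdEntry:
    action: str            # "permit" or "deny"
    src: str
    wildcard: str = "0.0.0.0"


def std_acl_decision(acl: List[StdEntry], src: str) -> str:
    """Standard ACL: source address only, top-down, implicit deny at the end."""
    for e in acl:
        if wildcard_match(e.src, e.wildcard, src):
            return e.action
    return "deny"


@dataclass
class Router:
    networks: Dict[str, str]                                   # interface -> connected network
    applied: Dict[Tuple[str, str], List[StdEntry]] = field(default_factory=dict)  # (interface, "in"|"out") -> ACL

    def interface_for(self, addr: str) -> str:
        for name, net in self.networks.items():
            if IPv4Address(addr) in ip_network(net):
                return name
        raise ValueError(f"no interface for {addr}")

    def forward(self, src: str, dst: str) -> str:
        """Check the inbound ACL on the ingress interface, then the outbound ACL on egress."""
        ingress, egress = self.interface_for(src), self.interface_for(dst)
        for key in ((ingress, "in"), (egress, "out")):
            acl = self.applied.get(key)
            if acl is not None and std_acl_decision(acl, src) == "deny":
                return f"dropped by {key[0]} {key[1]}"
        return "forwarded"


TOPOLOGY = {"Fa0/0": "10.1.1.0/24", "Fa0/1": "10.1.2.0/24", "Fa0/2": "10.1.3.0/24"}
# Equivalent of:  access-list 10 deny 10.1.1.0 0.0.0.255 / access-list 10 permit any
ACL_10 = [StdEntry("deny", "10.1.1.0", "0.0.0.255"),
          StdEntry("permit", "0.0.0.0", "255.255.255.255")]
ENGINEER, SERVER, OTHER = "10.1.1.25", "10.1.2.10", "10.1.3.40"


def near_destination() -> Tuple[str, str]:
    """ACL 10 outbound on the server-facing interface: only the server is unreachable."""
    r = Router(TOPOLOGY, {("Fa0/1", "out"): ACL_10})
    return r.forward(ENGINEER, SERVER), r.forward(ENGINEER, OTHER)


def near_source() -> Tuple[str, str]:
    """The same ACL inbound on the engineers' interface: every destination is unreachable."""
    r = Router(TOPOLOGY, {("Fa0/0", "in"): ACL_10})
    return r.forward(ENGINEER, SERVER), r.forward(ENGINEER, OTHER)


if __name__ == "__main__":
    print("close to destination (server, other LAN):", near_destination())
    print("close to source      (server, other LAN):", near_source())
```

The two result pairs show the trade-off directly: near the destination, traffic from the engineers to the other LAN is still forwarded; near the source, the router drops it before it can be routed anywhere, which is why the slides place a standard ACL close to the destination and reserve the close-to-source position for extended ACLs that can also test the destination.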