515_lecture8


Transcript of 515_lecture8

  • 7/28/2019 515_lecture8

    1/47

  • Slide 2/47

    Permit or deny traffic

    Identify traffic based on:

    Protocol
    Source address
    Destination address
    Port number

  • Slide 3/47

    Conceptual syntax to block access from network 4 to network 1:

    Access-list 1 deny network 4
    Access-list 1 permit any

    Implicit deny any


  • Slide 6/47

    Accidental telnet block

    Scheduling a reload before applying an ACL over a remote session gives you a way back in if the list locks out your own connection; cancel the reload once the ACL is confirmed working.

    Reload command: reload in [hh:] [mm] [month day | month day]

    RouterB# reload in 00:30

  • Slide 7/47

    Routers apply lists sequentially as they are configured. All new lines are added to the end of the list.

    Packets are processed only until a match is made.

    Lists always end with an implicit deny.

  • Slide 8/47

    As a general rule, the lines with the most potential matches should be first in the list, so packets do not undergo unnecessary processing.

    You should avoid unnecessarily long ACLs.

    After you create ACLs, you must apply them to interfaces so they can begin filtering traffic.

    You apply a list as either an outgoing or an incoming filter.

  • Slide 9/47

    Only one list, per protocol, per direction can be applied to an interface.

    Access Control Lists are effective as soon as they are applied to the interface.


  • Slide 14/47

    Standard IP Access Control Lists filter network traffic based only on source address.

    access-list [list #] [permit|deny] [source address] [source wildcard mask]

    [list #]: Standard IP Access Control Lists are represented by a number in the range of 1-99
    [permit|deny]: Used to specify the action of the Access Control List line
    [source address]: The IP address of the source
    [source wildcard mask]: Determines which bits of the source address are significant


  • Slide 16/47

    Wildcard Mask           Binary Version                        Description
    0.0.0.0 (host)          00000000.00000000.00000000.00000000   The entire IP address must match
    0.0.0.255               00000000.00000000.00000000.11111111   Just the first 24 bits must match
    0.0.255.255             00000000.00000000.11111111.11111111   Just the first 16 bits must match
    0.255.255.255           00000000.11111111.11111111.11111111   Just the first 8 bits must match
    255.255.255.255 (any)   11111111.11111111.11111111.11111111   Don't even bother to compare; it's automatically considered to match (0 bits need to match)
    0.0.15.255              00000000.00000000.00001111.11111111   Just the first 20 bits must match
    0.0.3.255               00000000.00000000.00000011.11111111   Just the first 22 bits must match


  • Slide 21/47

    Access Control List command examples

    Single IP:
    access-list 1 permit 192.168.10.1 0.0.0.0
    access-list 1 permit 192.168.10.1
    access-list 1 permit host 192.168.10.1

    Network:
    access-list 1 permit 192.168.10.0 0.0.0.255

    All packets:
    access-list 1 permit 0.0.0.0 255.255.255.255
    access-list 1 permit any


  • Slide 24/47

    Outbound ACLs are generally more efficient than inbound. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.

    With inbound ACLs, the router can filter packets and protect itself before damage is inflicted.


  • Slide 33/47

    show access-list
    show ip access-list
    show interfaces
    show ip interfaces

  • Slide 35/47

    access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

    [list #]: Number in the range of 100-199
    [permit|deny]: Used to specify the nature of the Access Control List line
    [protocol]: The IP protocol to be filtered; can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others
    [source IP address]: The IP address of the source
    [source wildcard mask]: Determines which bits of the source address are significant

  • Slide 36/47

    access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log] (continued)

    [destination IP address]: The IP address of the destination
    [destination wildcard mask]: Determines which bits of the destination address are significant
    [operator]: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to)
    [port]: Port number of the protocol to be filtered
    [log]: Turns on logging of Access Control List activity
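    The following is an added example, not part of the lecture: a small evaluator for the numbered ACL syntax on slides 14, 21, 35 and 36, showing wildcard-mask matching (slide 16), top-down first-match processing and the implicit deny at the end of every list (slide 7). The Entry/evaluate names, the list numbers and the 10.0.0.1 destination are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this bit must match, 1 = don't care (slide 16/47)."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

class Entry(NamedTuple):
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every protocol in the suite
    src: tuple = ("0.0.0.0", "255.255.255.255")  # (address, wildcard) = any
    dst: tuple = ("0.0.0.0", "255.255.255.255")
    port_op: Optional[tuple] = None  # (operator, port) on the destination port

OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

def entry_matches(e: Entry, proto: str, src_ip: str, dst_ip: str, dst_port) -> bool:
    if e.protocol != "ip" and e.protocol != proto:
        return False
    if not (wildcard_match(src_ip, *e.src) and wildcard_match(dst_ip, *e.dst)):
        return False
    if e.port_op is not None:
        op, port = e.port_op
        if dst_port is None or not OPS[op](dst_port, port):
            return False
    return True

def evaluate(acl: list, proto: str, src_ip: str, dst_ip: str, dst_port=None) -> str:
    """Walk the list top to bottom; the first matching line decides.
    Falling off the end is the implicit 'deny any' every list carries."""
    for e in acl:
        if entry_matches(e, proto, src_ip, dst_ip, dst_port):
            return e.action
    return "deny"
# Constructed lists (hypothetical numbers/addresses, not from the lecture).
# Standard list: access-list 1 permit 192.168.10.0 0.0.0.255
ACL_1 = [Entry("permit", src=("192.168.10.0", "0.0.0.255"))]
# Extended list: permit telnet from one host to 10.0.0.1, deny telnet from the
# rest of that subnet, then permit everything else. Line order matters.
ACL_101 = [
    Entry("permit", "tcp", ("192.168.12.12", "0.0.0.0"), ("10.0.0.1", "0.0.0.0"), ("eq", 23)),
    Entry("deny", "tcp", ("192.168.12.0", "0.0.0.255"), ("10.0.0.1", "0.0.0.0"), ("eq", 23)),
    Entry("permit"),
]
```

Swapping the first two lines of ACL_101 makes the host permit unreachable, which is the ordering pitfall slide 7 warns about.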


  • Slide 43/47

    show access-list
    show ip access-list
    show interfaces
    show ip interfaces

  • Slide 46/47

    Cisco IOS version 11.2 and above

    Named ACL examples

    RouterC(config)# ip access-list standard [name]
    RouterC(config)# ip access-list extended [name]
    RouterC(config-std-nacl)# deny {source [source-wildcard] | any}
    RouterC(config-std-nacl)# permit {source [source-wildcard] | any}
    RouterC(config-if)# ip access-group [name] [in | out]

  • Slide 47/47

    Restricting access to telnet

    Access control examples

    Individual hosts:
    RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
    RouterA(config)# access-list 12 permit host 192.168.12.12

    Network access:
    RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255

    Apply Access Control List to interface:
    RouterA(config)# line vty 0 4
    RouterA(config-line)# access-class 12 in