515_lecture8
Transcript of 515_lecture8
-
7/28/2019 515_lecture8
1/47
Permit or deny traffic
Identify traffic based on:
  Protocol
  Source address
  Destination address
  Port number
Conceptual syntax to block access from network 4 to network 1:

Access-list 1 deny network 4
Access-list 1 permit any
(Implicit deny any)
Accidental telnet block

When you configure a remote router over telnet, a mistaken ACL (one with no permit for your own management host) locks you out. Schedule a reload before applying it; if the session is lost, the router reboots to its saved configuration:

Reload command: reload in [hh:]mm   or   reload at hh:mm [month day | day month]
RouterB# reload in 00:30

This safety net works only if the new ACL has not yet been written to startup-config. Once you have confirmed the ACL behaves as intended, cancel the pending reload with reload cancel and then save.
Routers apply lists sequentially as they are configured. All new lines are added to the end of the list.
Packets are processed only until a match is made.
Lists always end with an implicit deny. A list that contains only deny statements therefore blocks all traffic; a permit line is needed for anything that should pass.
As a general rule, the lines with the most potential matches should be first in the list, so packets do not undergo unnecessary processing. Reorder only where it does not change the policy: a broad permit placed ahead of a narrower deny shadows the deny, and the deny never matches.
You should avoid unnecessarily long ACLs.
After you create ACLs, you must apply them to interfaces so they can begin filtering traffic.
You apply a list as either an outgoing or an incoming filter.
Only one list, per protocol, per direction can be applied to an interface; applying a second list in the same direction with ip access-group replaces the first.
Access Control Lists are effective as soon as they are applied to the interface, so build and check the list before applying it, not after.
Filter network traffic based only on source address.

access-list [list #] [permit|deny] [source address] [source wildcard mask]

[list #]: Standard IP Access Control Lists are represented by a number in the range 1 to 99 (IOS also accepts the expanded range 1300 to 1999)
[permit|deny]: Used to specify the action of the Access Control List line
[source address]: The IP address of the source
[source wildcard mask]: Determines which bits of the source address are significant
Wildcard Mask          Binary Version                        Description
0.0.0.0 (host)         00000000.00000000.00000000.00000000   The entire IP address must match
0.0.0.255              00000000.00000000.00000000.11111111   Just the first 24 bits must match
0.0.255.255            00000000.00000000.11111111.11111111   Just the first 16 bits must match
0.255.255.255          00000000.11111111.11111111.11111111   Just the first 8 bits must match
255.255.255.255 (any)  11111111.11111111.11111111.11111111   Don't even bother to compare; it is automatically considered to match (0 bits need to match)
0.0.15.255             00000000.00000000.00001111.11111111   Just the first 20 bits must match
0.0.3.255              00000000.00000000.00000011.11111111   Just the first 22 bits must match

A 0 bit in the wildcard means that bit of the address must match; a 1 bit means it is ignored. For a contiguous block the wildcard is the bitwise inverse of the subnet mask, but the 1 bits need not be contiguous.
Access Control List command examples

Single IP (all three forms are equivalent; in a standard ACL an omitted wildcard defaults to 0.0.0.0):
  access-list 1 permit 192.168.10.1 0.0.0.0
  access-list 1 permit 192.168.10.1
  access-list 1 permit host 192.168.10.1
Network:
  access-list 1 permit 192.168.10.0 0.0.0.255
All packets:
  access-list 1 permit 0.0.0.0 255.255.255.255
  access-list 1 permit any
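The slides above describe the matching rules in prose: sequential first-match evaluation, the implicit deny at the end, the effect of line order, and wildcard masks as "0 bits must match". As an added example that is not part of the lecture, here is a small Python model of standard-ACL evaluation that makes those rules executable. The addresses and the three sample lists are constructed for illustration, and the model goes beyond the slides' table by showing a non-contiguous wildcard; everything a real IOS does beyond source matching is ignored.

```python
"""Added example (not from the lecture slides): a minimal model of Cisco
standard-ACL matching, showing how wildcard masks, sequential first-match
evaluation and the implicit 'deny any' interact.

Assumptions: entries are kept in the order they were configured, as IOS
does; the addresses and lists below are constructed sample values."""
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: 0 bits must match,
    1 bits are ignored. 0.0.0.0 means 'host', 255.255.255.255 means 'any'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(ref) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Contiguous case only: /24 -> 0.0.0.255, /20 -> 0.0.15.255,
    /32 -> 0.0.0.0 (host), /0 -> 255.255.255.255 (any)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def evaluate(acl: list, src: str) -> tuple:
    """First matching entry wins and later entries are never consulted.
    If nothing matches, the implicit deny at the end of the list applies."""
    for lineno, (action, ref, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, ref, wildcard):
            return action, lineno
    return "deny", None  # implicit deny any


# Constructed sample list in the slides' style, as (action, source, wildcard):
#   access-list 1 deny   192.168.4.0 0.0.0.255
#   access-list 1 permit any
ACL_BLOCK_NET4 = [
    ("deny", "192.168.4.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The same two lines in the wrong order: 'permit any' shadows the deny,
# so the deny line can never match. Order, not just content, is the policy.
ACL_WRONG_ORDER = [
    ("permit", "0.0.0.0", "255.255.255.255"),
    ("deny", "192.168.4.0", "0.0.0.255"),
]

# A list with only a deny line blocks everything, including the telnet
# session of whoever applied it: the implicit deny catches all the rest.
ACL_DENY_ONLY = [("deny", "192.168.4.0", "0.0.0.255")]


if __name__ == "__main__":
    for name, acl in (("correct order", ACL_BLOCK_NET4),
                      ("wrong order", ACL_WRONG_ORDER),
                      ("deny only", ACL_DENY_ONLY)):
        for src in ("192.168.4.7", "192.168.1.9"):
            print(f"{name:14} {src:13} -> {evaluate(acl, src)}")
    # Non-contiguous wildcard: 0.0.2.255 matches 192.168.4.x and 192.168.6.x
    # but not 192.168.5.x, because only bit 1 of the third octet is ignored.
    print(wildcard_match("192.168.6.1", "192.168.4.0", "0.0.2.255"),
          wildcard_match("192.168.5.1", "192.168.4.0", "0.0.2.255"))
```

Running the block prints the decision and the matching line number for each list; the "wrong order" list permits 192.168.4.7 on line 1 even though line 2 was written to deny it, which is exactly the shadowing the ordering rule warns about.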
Inbound versus outbound placement. The older Cisco argument for outbound ACLs is efficiency: a router with an inbound ACL must check every arriving packet against the list before switching it to an outbound interface, whereas an outbound list is consulted only for packets already routed to that interface. The opposite argument is at least as strong and is what current guidance follows: an inbound ACL drops denied packets before the router spends a routing lookup on them and, more important for security, filters them before they reach the router itself, so the router can protect itself before damage is inflicted.
show access-lists      (every ACL with its lines and per-line match counters)
show ip access-lists   (IP ACLs only)
show interfaces
show ip interface      (shows which ACL is applied inbound and outbound on each interface)

Match counters are the quickest check that a newly applied list is hitting the lines you expect; a deny line that never increments while traffic is still passing usually means it is shadowed by an earlier line.
access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

[list #]: Number in the range 100 to 199 (IOS also accepts the expanded range 2000 to 2699)
[permit|deny]: Used to specify the nature of the Access Control List line
[protocol]: The IP protocol to be filtered; can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others
[source IP address]: The IP address of the source
[source wildcard mask]: Determines which bits of the source address are significant
[destination IP address]: The IP address of the destination
[destination wildcard mask]: Determines which bits of the destination address are significant
[operator]: Can contain lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (an inclusive range of ports); only meaningful when the protocol is TCP or UDP
[port]: Port number of the protocol to be filtered
[log]: Turns on logging of Access Control List activity

Because the port test is part of the match, a line such as permit tcp ... eq 80 never matches non-TCP traffic; ICMP and other protocols need their own lines. IOS throttles ACL log messages, and logging every line on a busy interface still loads the CPU, so put log on the specific deny lines you want to see, not on every entry.
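The extended-ACL syntax above adds protocol, destination and a port operator to the match. As an added example that is not code from the lecture, the Python model below evaluates a constructed extended list against sample packets, showing that every field must match before a line fires, that a port-qualified line cannot match a protocol without ports, that the log flag produces a record only when its line is the one that fires, and that line order still decides the outcome. Only a destination-port operator is modelled (an assumption made to keep the example short; IOS also accepts one on the source).

```python
"""Added example (not from the lecture slides): a minimal model of extended
ACL matching. A line applies only when protocol, source, destination and
the optional port test all match; evaluation is still first-match with an
implicit deny at the end. The packets and ACL below are constructed
samples, and only a destination-port operator is modelled (assumption)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports (ICMP)


class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    op: Optional[str] = None     # eq, neq, lt, gt or range
    port: Tuple[int, ...] = ()   # (p,) or (low, high) for range
    log: bool = False


def wildcard_match(addr: str, ref: str, wc: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(ref)) & care)


def port_match(op: Optional[str], port: Tuple[int, ...],
               actual: Optional[int]) -> bool:
    """No operator means 'any port'. A port-qualified line can never match a
    packet that has no port (ICMP), so 'deny tcp ... eq 23' does not touch pings."""
    if op is None:
        return True
    if actual is None:
        return False
    if op == "eq":
        return actual == port[0]
    if op == "neq":
        return actual != port[0]
    if op == "lt":
        return actual < port[0]
    if op == "gt":
        return actual > port[0]
    if op == "range":
        return port[0] <= actual <= port[1]
    raise ValueError(f"unknown operator {op}")


def evaluate(acl: List[Entry], pkt: Packet,
             log_lines: Optional[list] = None) -> tuple:
    """Return (action, line number) of the first matching entry, or
    ('deny', None) for the implicit deny. An entry flagged log appends a
    message to log_lines only when it is the entry that fires."""
    for lineno, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if not port_match(e.op, e.port, pkt.dport):
            continue
        if e.log and log_lines is not None:
            log_lines.append(f"line {lineno} {e.action} {pkt.proto} "
                             f"{pkt.src} -> {pkt.dst}({pkt.dport})")
        return e.action, lineno
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed sample list, in the slides' syntax:
#   access-list 101 permit tcp  192.168.4.0 0.0.0.255 host 192.168.1.10 eq 80
#   access-list 101 deny   tcp  192.168.4.0 0.0.0.255 any eq 23 log
#   access-list 101 permit icmp any any
#   access-list 101 permit ip   192.168.0.0 0.0.255.255 any
# Line 2 must precede line 4: line 4 would otherwise permit telnet from
# network 4 and the logged deny would never be reached.
ACL_101 = [
    Entry("permit", "tcp", "192.168.4.0", "0.0.0.255",
          "192.168.1.10", "0.0.0.0", "eq", (80,)),
    Entry("deny", "tcp", "192.168.4.0", "0.0.0.255", *ANY, "eq", (23,), True),
    Entry("permit", "icmp", *ANY, *ANY),
    Entry("permit", "ip", "192.168.0.0", "0.0.255.255", *ANY),
]

if __name__ == "__main__":
    logged: list = []
    for pkt in (Packet("tcp", "192.168.4.5", "192.168.1.10", 80),
                Packet("tcp", "192.168.4.5", "192.168.1.10", 23),
                Packet("tcp", "192.168.2.5", "192.168.1.10", 23),
                Packet("icmp", "10.0.0.1", "192.168.1.10", None),
                Packet("udp", "10.0.0.1", "192.168.1.10", 53)):
        print(pkt, "->", evaluate(ACL_101, pkt, logged))
    print(logged)
```

Telnet from 192.168.2.5 is permitted by line 4 while the same connection from 192.168.4.5 is denied by line 2: the list filters on the source network, not on the service alone, and the only log entry produced is for the deny that actually fired. UDP from 10.0.0.1 matches nothing and falls to the implicit deny.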
Named ACLs (Cisco IOS version 11.2 and above)
Named ACL examples

RouterC(config)# ip access-list standard [name]
RouterC(config)# ip access-list extended [name]
RouterC(config-std-nacl)# deny {source [source-wildcard] | any}
RouterC(config-std-nacl)# permit {source [source-wildcard] | any}
RouterC(config-if)# ip access-group [name] [in | out]

A named list is applied with the same ip access-group command, using the name in place of the number. The practical advantage is maintenance: a single entry in a named list can be removed with no permit ... or no deny ..., whereas no access-list [list #] on a numbered list deletes the entire list, leaving the interface unfiltered until it is re-entered.
Restricting access to telnet

Access control examples
Individual hosts:
  RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
  RouterA(config)# access-list 12 permit host 192.168.12.12
Network access:
  RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255
Apply the Access Control List to the vty lines (access-class, not ip access-group):
  RouterA(config)# line vty 0 4
  RouterA(config-line)# access-class 12 in

This list governs only connections to the router's own vty lines, not traffic passing through it. Because of the implicit deny, every source not permitted in list 12, including the host you are configuring from if you forget it, is locked out of telnet the moment access-class is entered.