Access Control Lists · Access Control Lists (ACL) Traffic Filtering Permit or deny packets moving...


Page 1: Access Control Lists · Access Control Lists (ACL) Traffic Filtering Permit or deny packets moving through router Permit or deny (VTY) access to or from a router Traffic Identifying

CCNA Course

Access Control Lists

Page 2:

Access Control Lists (ACL)

Traffic Filtering Permit or deny packets moving through router

Permit or deny (VTY) access to or from a router

Traffic Identifying for special handling Network Address Translation (NAT)

Create dial-on demand (DDR) interesting traffic that triggers dialing to a remote location

Page 3:

ACL Rules

A single ACL is both a single entity and, at the same time, a list of one or more configuration commands.

As a single entity, the configuration enables the entire ACL on an interface, in a specific direction.

As a list of commands, each command has different matching logic that the router must apply to each packet when filtering using that ACL.

Once a packet matches one line in the ACL, the router takes the action listed in that line of the ACL

Packets are compared to each line (command) of the access control list in sequential order

Page 4:

ACL Rules

Packets are compared with lines (commands) of the access control list only until a match is made

Once a match is made & acted upon no further comparisons take place

An implicit “deny” is at the end of each access control list

If no matches have been made, the packet will be discarded

Page 5:

ACL Guidelines

One access list per interface, per protocol, or per direction

More specific tests at the top of the ACL

New commands are placed at the bottom of the ACL

Sequence number for each line, so individual lines can be removed

End ACLs with a permit any command when the remaining traffic should be allowed (otherwise the implicit deny discards it)

Create ACLs & then apply them to an interface

ACLs do not filter traffic originated from the router

Put Standard ACLs close to the destination

Put Extended ACLs close to the source

Page 6:

ACL Operation

Inbound Access Control Lists

Packets are processed before being routed to the outbound interface

Page 7:

ACL Operation

Outbound Access Lists

Packets are routed to the outbound interface & then processed through the access list

Page 8:

Types of ACLs

Standard Access List (1 – 99) & Expanded (1300 – 1999)

Filter by source IP addresses only

Extended Access List (100 – 199) & expanded (2000 – 2699)

Filter by Source IP, Destination IP, Protocol Field, Port Number

Named Access List

The same as standard and extended access lists, but identified by name.

Page 9:

Extended ACLs

For protocol type use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP, UDP, or ICMP header, respectively, following the IP header.

You can use the keyword ip, which means “all ip packets.”

Can match UDP and TCP port numbers

Many operands can be used for port numbers

Page 10:

Named ACLs

A named ACL has the following features:

Using names instead of numbers to identify the ACL

Using ACL subcommands, not global commands, to define the action and matching parameters

ACL editing features that allow the CLI user to delete individual lines from the ACL and insert new lines

Numbered ACLs can be edited in the same way, because each line is automatically assigned a sequence number

Page 11:

Secure Devices Using ACLs

Users can remotely access network devices like routers and switches through vty lines using Telnet and SSH

An ACL can be used to limit remote access to such devices

The ACL is applied to inbound connections on the vty lines

An outbound ACL can also be applied to the vty lines to filter Telnet and SSH sessions initiated from the device to another device

Page 12:

Network Address Translation

CCNA Course

Page 13:

IP Addresses Shortage Solutions

IPv6 is a long-term solution

Classless Inter-Domain Routing (CIDR) is a short-term solution

Private IP addressing is a short-term solution

Private IP addresses

Class A: 10.0.0.0 – 10.255.255.255

Class B: 172.16.0.0 – 172.31.255.255

Class C: 192.168.0.0 – 192.168.255.255

Page 14:

Why NAT

You need to connect to the Internet and your hosts don’t have globally unique IP addresses.

You change to a new ISP that requires you to renumber your network.

You need to merge two intranets with duplicate addresses.

Page 15:

NAT Terms

Inside Local

The term “inside” refers to an address used for a host inside an enterprise. It is the actual IP address assigned to a host in the private enterprise network.

Inside Global

NAT uses an inside global address to represent the inside host as the packet is sent through the outside network, typically the Internet.

A NAT router changes the source IP address of a packet sent by an inside host from an inside local address to an inside global address as the packet goes from the inside to the outside network.

Page 16:

Inside and Outside

Page 17:

Types of NAT

Static NAT

Dynamic NAT

Overloading with Port Address Translation (PAT)

Page 18:

Static NAT

Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.

Page 19:

Dynamic NAT

Mapping of an inside local address to an inside global address happens dynamically

Page 20:

Overload NAT with PAT

PAT translates not only the IP address, but also the port number

Many TCP or UDP flows from different hosts look like the same number of flows from one host

The server doesn’t care whether it has one connection to each of three different hosts or three connections from a single host IP address
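The Python model below is an added example, not code from the course, and puts the three NAT types from the preceding slides side by side: a static one-to-one mapping (using the slide's own addresses, 192.168.32.10 translating to 213.18.123.110), a dynamic mapping handed out from a pool on first use and dropped when the pool is exhausted, and PAT overload, where several inside hosts share one inside global address and are told apart by port. The overload address 203.0.113.1, the pool address 203.0.113.5 and the inside hosts 192.168.32.20 to .22 are constructed for the demonstration. Two simplifications are assumed: PAT keeps the original source port when it is free and otherwise takes the next free port, and no translation entry ever times out.

```python
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)


class NatRouter:
    """Toy NAT router. translate() is the inside-to-outside path that rewrites the source
    of a packet; untranslate() is the lookup the router does for the reply coming back."""

    def __init__(self, static: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None, overload_ip: Optional[str] = None):
        self.static = dict(static or {})    # inside local -> inside global, one-to-one, permanent
        self.pool = list(pool or [])        # inside global addresses not yet handed out (dynamic NAT)
        self.dynamic: Dict[str, str] = {}   # inside local -> inside global, created on first packet
        self.overload_ip = overload_ip      # the single inside global address shared by PAT
        self.pat: Dict[Flow, Flow] = {}     # (inside local, port) -> (inside global, port)

    def translate(self, inside_local: str, src_port: int) -> Optional[Flow]:
        """Return the (source IP, source port) the outside network sees for this packet,
        or None when the router has no translation for it and drops the packet."""
        if inside_local in self.static:                    # static NAT: always the same address
            return (self.static[inside_local], src_port)
        if inside_local in self.dynamic:                   # dynamic NAT: mapping already exists
            return (self.dynamic[inside_local], src_port)
        if self.pool:                                      # dynamic NAT: take a free pool address
            self.dynamic[inside_local] = self.pool.pop(0)
            return (self.dynamic[inside_local], src_port)
        if self.overload_ip is not None:                   # PAT: rewrite both address and port
            key = (inside_local, src_port)
            if key not in self.pat:
                used = {port for (_, port) in self.pat.values()}
                port = src_port                            # keep the original port if free ...
                while port in used:                        # ... otherwise pick the next free one
                    port += 1
                if port > 65535:
                    return None                            # simplification: ports exhausted
                self.pat[key] = (self.overload_ip, port)
            return self.pat[key]
        return None                                        # pool exhausted and no overload

    def untranslate(self, inside_global: str, dst_port: int) -> Optional[Flow]:
        """Map the destination of a reply packet back to the inside host that owns it."""
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == inside_global:
                return (local, dst_port)
        for local_flow, global_flow in self.pat.items():
            if global_flow == (inside_global, dst_port):
                return local_flow
        return None


def server_view(router: NatRouter, flows: List[Flow]) -> List[Flow]:
    """The source (IP, port) pairs a server on the outside sees for a list of inside flows."""
    seen = []
    for ip, port in flows:
        translated = router.translate(ip, port)
        if translated is not None:
            seen.append(translated)
    return seen


if __name__ == "__main__":
    # Static entry from the slide; the PAT address and the three inside hosts are constructed.
    r = NatRouter(static={"192.168.32.10": "213.18.123.110"}, overload_ip="203.0.113.1")
    print(r.translate("192.168.32.10", 8080))       # ('213.18.123.110', 8080)
    flows = [("192.168.32.20", 40000), ("192.168.32.21", 40000), ("192.168.32.22", 40001)]
    print(server_view(r, flows))
    # [('203.0.113.1', 40000), ('203.0.113.1', 40001), ('203.0.113.1', 40002)]
    print(r.untranslate("203.0.113.1", 40001))      # ('192.168.32.21', 40000)
    # Dynamic NAT with a one-address pool: the second host gets nothing and is dropped.
    d = NatRouter(pool=["203.0.113.5"])
    print(d.translate("192.168.32.20", 1), d.translate("192.168.32.21", 1))
    # ('203.0.113.5', 1) None
```

In the PAT run, three connections from three different inside hosts all reach the server from 203.0.113.1, which is exactly the point of the last slide: the server cannot tell, and does not need to tell, whether it is talking to one host or three. The port stored in the translation table is what lets the router deliver each reply to the right inside host; the second host asked for port 40000 as well, so it was given 40001.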