SlideShare une entreprise Scribd logo

Access Control List & its Types

Netwax Lab
Netwax Lab

Access Control List (ACLs) can be used for two purposes: 1. To filter traffic 2. To identity traffic Access lists are set of rules, organized in a rule table. Each rules or line in an access-list provides a condition, either permit or deny.

Technologie
1  sur  10
Télécharger pour lire hors ligne
Access Control List & its Types Access Control List (ACLs) can be used for two purposes: 1. To filter traffic 2. To identity traffic Access lists are set of rules, organized in a rule table. Each rules or line in an access-list provides a condition, either permit or deny. Uses of access lists are filtering unwanted packets when implementing security policies. Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet access to or from a router. When we apply an access list on an interface it doesn’t stop routing advertisements, it just controls their content. Once lists are built, they can be applied to either inbound or outbound traffic on any interface. There are a few important rules that a packet follows when it’s being compared with an access list- 1. It’s always compared with each line of the access list in sequential order-i.e.; it’s always start with the first line of the access-list, then go to line 2, then line 3, and so on.
Access Control List & its Types 2. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon, and no further comparisons take place. 3. There is an implicit “deny” at the end of each access-list – this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded. When activating an ACL on an interface, you must specify in which direction the traffic should be filtered: Inbound Access Lists When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packet that are denied won’t be routed because they’re discarded before the routing process is invoked. Outbound Access Lists When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued. Data Flow Diagram of ACL
Access Control List & its Types Universal fact about Access control list: 1. ACLs come in two varieties: Numbered and Named. 2. Each of these references to ACLs supports two types of filtering: standard and extended. 3. Standard IP ACLs can filter only on the source IP address inside a packet. 4. Whereas an extended IP ACLs can filter on the source and destination IP addresses in the packet. 5. There are two actions an ACL can take: permit or deny. 6. Statements are processed top-down. 7. Once a match is found, no further statements are processed—therefore, order is important. 8. If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet. 9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL. Access List Ranges Type Range IP Standard 1–99 IP Extended 100–199 IP Standard Expanded Range 1300–1999 IP Extended Expanded Range 2000–2699 Placement of ACLs 1. Standard ACLs should be placed as close to the destination devices as possible. 2. Extended ACLs should be placed as close to the source devices as possible. There are some general access-lists guidelines: 1. We can assign only one access list per interface, per protocol, per direction. This means that when creating IP access lists, we can only have one inbound access list and one outbound access list per interface. 2. Organize your access lists so that the more specific tests are at the top of the access list. 3. Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested. 4. You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access list.
Access Control List & its Types 5. Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the lists. Every list should have at least one permit statement, or it will deny all traffic. 6. Create access lists and then apply them to an interface. Without applying on any interface access list won’t work. 7. Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router. 8. Place IP standard access lists as close to the destination as possible. This is the reason we don’t really want to use standard access list in our networks. We cannot put a standard access list close to the source host or network because we can only filter based on source address and nothing would be forwarded. 9. Place Ip extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don’t want your traffic to traverse the entire network and then be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up your precious bandwidth. There are two types of access lists – Standard Access List These use only the source IP address in an IP packet as the condition test. All decisions are made based on source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many of IP traffic such as WWW, Telnet and UDP etc. You are telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines. Router (config)#access-list 10 ? Deny – Specify packets to reject Permit – Specify packets to forward Router (config)#access-list 10 deny ? Hostname or A.B.C.D Address to match Any any source host Host A single host addresses The next step requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny any host or network. You can use an IP address to specify either a single host or range of them. Or you can use the host command to specify a specific host only. The any
Access Control List & its Types command is pretty obvious – any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple. Router (config)#access-list 10 deny host 172.168.30.2 This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words if you type access-list 10 deny 172.16.30.2 the router assumes you mean host 172.16.30.2 But there’s another way to specify either a particular host or a range of hosts – you can use wild card masking. Wild cards are used with access lists to specify an individual host, a network or a certain range of a network or networks. Some of the different block sizes available are 64,32,16,8 and 4. Wild cards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this. 172.16.30.5 0.0.0.0 The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example here’s how a /24 subnet is specified with a wildcard: 172.16.30.0 0.0.0.255 This tells the router to match up the first three octets exactly, but the fourth octet can be any value. Let’s say that you want to block access to part of network that is range from 172.16.8.0 through 172.16.15.0. That is a bloc size of 8. Your network number would be 172.16.8.0, and the wild card would be 0.0.7.255. Woh! What is that ? The 7.255 is what the router uses to determine the block size. The network and wild card tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0 Router (config)#access-list 10 deny 172.16.10.0 0.0.0.255 The following example tells the router to match first three octets exactly but that the fourth octet can be anything. Router (config)#access-list 10 deny 172.16.0.0 0.0.255.255 This example tells the router to match the first two octets and that the last two octets can be any value. Router (config)#access-list 10 deny 172.16.16.0 0.0.3.255
Access Control List & its Types The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would them be 172.16.16.0 through 172.16.19.0. Router (config)#access-list 10 deny 172.16.16.0 0.0.7.255 The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0 Access-list 10 deny 172.16.32.0 0.0.15.255 This example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0 Router (config)#access-list 10 deny 172.16.64.0 0.0 63.255 This example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0 Router (config)#access-list 10 deny 192.168.160.0 0.0.31.255 This example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255. Block size range 0 to 7, 8 to 15, 16 to 23, 0 to 31, 32 to 63, 64 to 95 The command any is the same thing as writing our the wild card 0.0.0.0 255.255.255.255 Extended Access List Extended Access Lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic. By using extended access lists, you can effectively allow user’s access to a physical LAN and stops them from accessing specific hosts or even specific services on those hosts. Router (config) #access-list 110 deny tcp ? Router (config) #access-list 110 deny tcp any host 172.16.30.2 ? Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq ? You can choose a port number or use the application or protocol name. At this point, let’s block Telnet (Port -23) to host 172.16.30.2 only. If the users want to FTP, fine, that’s allowed. The log command is
Access Control List & its Types used to log message every time the access list is hit. This can be an extremely cool way to monitor inappropriate access attempts. Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq 23 log You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface, you might as well just shut the interface down, since by default there is an implicit deny all at the end of every access list you’ve got to follow up the access list with the following command. Router (config) #access-list 110 permit ip any any Once the access list is created, you need to apply it to an interface Router (config-if) #ip access-group in Router (config-if) #ip access-group out Named ACLs One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. Another advantage to Named ACLs is that they allow you to remove individual lines out of an ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create the entire list. Named access list are just another way to create standard and extended list. Router (config) #ip access-list? Notice that I started IP access-list, not access-list. This allows me to enter a named access list. Router (config) #ip access-list standard block sales I’ve specified a standard access list, and then added a name: Block sales. Notice that I could’ve used a number for a standard access list, but intend, I chose to use a descriptive name. #deny 172.16.40.0 0.0.0.255 #permit any #exit #int e1
Access Control List & its Types #ip access-group block sales out #exit Commands used to verify access list configuration: 1. Show Access-list- Display all access lists and their parameters configured on the router. This command does not show you which interface the list is set on. 2. Show access-list 110- Shows only the parameters for the access list 110. This command does not show you the interface the list is set on. 3. Show Ip access list- shows only the ip access list configured on the router. 4. Show Ip interface- Shows which interface have access lists set. 5. Show-run-config- shows the access lists and which interface have access lists set. 6. Remarks The remark keyword is really important because it arms you with the ability to include comments, or rather remarks, regarding the entries you’ve made in both your IP standard and extended ACLs. Even though you have the option of placing your remarks either before or after a permit or deny statement, I totally recommend that you chose to position them consistently so you don’t get confused about which remark is relevant to which one of your permit or deny statements. Router (config) #access-list 110 remark permit Bob from sales only to finance Router (config) #access-list 110 permit ip host 172.16.40.1 172.16.30.0 0.0.0.255 7. Blocking SNMP Packets Router (config) #access-list 110 deny udp any any eq snmp Router (config) #int s0/0 Router (config-if) #access-group 110 in 8. Disabling Echo Router (config) #no service tcp-small-servers Router (config) #no service udp-small-servers 9. Turning off BootP and Auto-Config Router (config) #no ip boot server Router (config) #no service config
Access Control List & its Types 10. Disabling HTTP Interface Router (config) #no ip http server 11. Disabling Ip Source Routing Router (config) #no ip source-route 12. Disabling Proxy ARP Router (config) #int fa0/0 Router (config-if) #no ip proxy-arp 13. Disabling redirect Message Router (config) #int s0/0 Router (config-if) #no Ip redirects 14. Disabling the Generation of ICMP Unreachable Messages Router (config) #int s0/0 Router (config-if) #no ip unreachables 15. Disabling Multicast Route Caching Router (config) #int s0/0 Router (config-if) #no ip mroute-cache 16. Disabling the Maintenance Operation Protocol (MOP) Router (config) #int s0/0 Router (config-if) #no mop enabled 17. Turning off the x.25 PAD Service Router (config) #no service pad 18. Enabling the Nagle TCP congestion Algorithm Router (config) #service nagle 19. Logging Every Event Router (config) #logging trap debugging
Access Control List & its Types Router (config) #logging 192.168.254.251 Router #sh logging 20. Disabling Cisco Discovery Protocol Router (config) #no cdp run For interface Router (config-if) #no cdp enable 21. Disabling the Default Forwarded UDP Protocols When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers: Router (config) #int fa0/0 Router (config-if) #ip helper-address 192.168.254.251 You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server request), it forwards seven other ports by default as well. To disable the unused ports, use the following commands. Router (config) #no ip forward-protocol udp 69 Router (config) #no ip forward-protocol udp 53 Router (config) #no ip forward-protocol udp 37 Router (config) #no ip forward-protocol udp 137 Router (config) #no ip forward-protocol udp 138 Router (config) #no ip forward-protocol udp 68 Router (config) #no ip forward-protocol udp 49 Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port—say, TACACS+, for example—use the following command: Router (config) #ip forward-protocol udp 49 22. Cisco’s Auto Secure Router #auto secure

Recommandé

Acl
AclAcl
AclRaghu Kiran
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF FundamentalReza Farahani
 
Routing
RoutingRouting
RoutingSaima Azam
 
MAC Address – All you Need to Know About it
MAC Address – All you Need to Know About itMAC Address – All you Need to Know About it
MAC Address – All you Need to Know About itAsya Karapetyan
 
Ppt of routing protocols
Ppt of routing protocolsPpt of routing protocols
Ppt of routing protocolsBhagyashri Dhoke
 
Routing protocols
Routing protocolsRouting protocols
Routing protocolsrajshreemuthiah
 
Routing Information Protocol
Routing Information ProtocolRouting Information Protocol
Routing Information ProtocolKashif Latif
 

Recommandé

Acl
AclAcl
AclRaghu Kiran
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF FundamentalReza Farahani
 
Routing
RoutingRouting
RoutingSaima Azam
 
MAC Address – All you Need to Know About it
MAC Address – All you Need to Know About itMAC Address – All you Need to Know About it
MAC Address – All you Need to Know About itAsya Karapetyan
 
Ppt of routing protocols
Ppt of routing protocolsPpt of routing protocols
Ppt of routing protocolsBhagyashri Dhoke
 
Routing protocols
Routing protocolsRouting protocols
Routing protocolsrajshreemuthiah
 
Routing Information Protocol
Routing Information ProtocolRouting Information Protocol
Routing Information ProtocolKashif Latif
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)Amit Kumar , Jaipur Engineers
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)RaghulR21
 
IPv4
IPv4IPv4
IPv4Dhiraj Mishra
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Alan Mark
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
Ip address and subnetting
Ip address and subnettingIp address and subnetting
Ip address and subnettingIGZ Software house
 
IP Addressing & subnetting strategy
IP Addressing & subnetting strategyIP Addressing & subnetting strategy
IP Addressing & subnetting strategyMustafa Salam
 
Nat
NatNat
NatHumaira Saleem
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTNishant Goel
 
Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)Varinder Singh Walia
 
CCNA Access Lists
CCNA Access ListsCCNA Access Lists
CCNA Access ListsDsunte Wilson
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACLfaust0
 
ccna networking ppt
ccna networking pptccna networking ppt
ccna networking pptEr. Anmol Bhagat
 
CCNA presentation.
CCNA presentation.CCNA presentation.
CCNA presentation.Ajaigururaj R
 
Presentation on ccna
Presentation on ccnaPresentation on ccna
Presentation on ccnaHoneyKumar34
 
Network address translation
Network address translationNetwork address translation
Network address translationKarppinen Ngoc Anh
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 
Acl
AclAcl
AclVicky Kamboj
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL ConfigurationMdAlAmin187
 

Contenu connexe

Tendances

Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)RaghulR21
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Alan Mark
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
IP Addressing & subnetting strategy
IP Addressing & subnetting strategyIP Addressing & subnetting strategy
IP Addressing & subnetting strategyMustafa Salam
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTNishant Goel
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACLfaust0
 
Presentation on ccna
Presentation on ccnaPresentation on ccna
Presentation on ccnaHoneyKumar34
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 

Tendances (20)

Firewall
FirewallFirewall
Firewall
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)
 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)
 
IPv4
IPv4IPv4
IPv4
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
 
Ip address and subnetting
Ip address and subnettingIp address and subnetting
Ip address and subnetting
 
IP Addressing & subnetting strategy
IP Addressing & subnetting strategyIP Addressing & subnetting strategy
IP Addressing & subnetting strategy
 
Nat
NatNat
Nat
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPT
 
Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)Dynamic routing protocols (CCNA)
Dynamic routing protocols (CCNA)
 
CCNA Access Lists
CCNA Access ListsCCNA Access Lists
CCNA Access Lists
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
 
ccna networking ppt
ccna networking pptccna networking ppt
ccna networking ppt
 
CCNA presentation.
CCNA presentation.CCNA presentation.
CCNA presentation.
 
Presentation on ccna
Presentation on ccnaPresentation on ccna
Presentation on ccna
 
Network address translation
Network address translationNetwork address translation
Network address translation
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocol
 

Similaire à Access Control List & its Types

Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL ConfigurationMdAlAmin187
 
Chapter 08 - Acl
Chapter 08 - AclChapter 08 - Acl
Chapter 08 - Aclphanleson
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccnarobertoxe
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docxdorishigh
 
Modul 5 access control list
Modul 5 access control listModul 5 access control list
Modul 5 access control listdiah risqiwati
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxStudent Name _________________________________ Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxemelyvalg9
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.igede tirtanata
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Shu Shin
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Shu Shin
 
Ccna 3-discovery-4-0-module-8-100-
Ccna 3-discovery-4-0-module-8-100-Ccna 3-discovery-4-0-module-8-100-
Ccna 3-discovery-4-0-module-8-100-junkut3
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxNarcisIlie1
 

Similaire à Access Control List & its Types (20)

Acl
AclAcl
Acl
 
Standard & Extended ACL Configuration
Standard & Extended ACL ConfigurationStandard & Extended ACL Configuration
Standard & Extended ACL Configuration
 
Chapter 08 - Acl
Chapter 08 - AclChapter 08 - Acl
Chapter 08 - Acl
 
Ip Access Lists
Ip Access ListsIp Access Lists
Ip Access Lists
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Easy steps-cisco-extended-access-list-231
Easy steps-cisco-extended-access-list-231Easy steps-cisco-extended-access-list-231
Easy steps-cisco-extended-access-list-231
 
Anilnet
AnilnetAnilnet
Anilnet
 
Chapter 10
Chapter 10Chapter 10
Chapter 10
 
Chapter 10
Chapter 10Chapter 10
Chapter 10
 
20 access lists[1]
20 access lists[1]20 access lists[1]
20 access lists[1]
 
1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx1 SEC450 ACL Tutorial This document highlights.docx
1 SEC450 ACL Tutorial This document highlights.docx
 
Modul 5 access control list
Modul 5 access control listModul 5 access control list
Modul 5 access control list
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxStudent Name _________________________________ Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docx
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
 
Ccna 3-discovery-4-0-module-8-100-
Ccna 3-discovery-4-0-module-8-100-Ccna 3-discovery-4-0-module-8-100-
Ccna 3-discovery-4-0-module-8-100-
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptx
 

Plus de Netwax Lab

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeNetwax Lab
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Netwax Lab
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionNetwax Lab
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionNetwax Lab
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewallNetwax Lab
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access listNetwax Lab
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNetwax Lab
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunkingNetwax Lab
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Netwax Lab
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting Netwax Lab
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNetwax Lab
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNetwax Lab
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Netwax Lab
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cliNetwax Lab
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failoverNetwax Lab
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iiiNetwax Lab
 

Plus de Netwax Lab (20)

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static route
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: Redistribution
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route Redistribution
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewall
 
Nxll11 bgp
Nxll11 bgpNxll11 bgp
Nxll11 bgp
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access list
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarization
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunking
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asa
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asa
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cli
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failover
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iii
 
Nxll23 i pv6
Nxll23 i pv6Nxll23 i pv6
Nxll23 i pv6
 

Dernier

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Access Control List & its Types

  • 1. Access Control List & its Types Access Control List (ACLs) can be used for two purposes: 1. To filter traffic 2. To identity traffic Access lists are set of rules, organized in a rule table. Each rules or line in an access-list provides a condition, either permit or deny. Uses of access lists are filtering unwanted packets when implementing security policies. Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet access to or from a router. When we apply an access list on an interface it doesn’t stop routing advertisements, it just controls their content. Once lists are built, they can be applied to either inbound or outbound traffic on any interface. There are a few important rules that a packet follows when it’s being compared with an access list- 1. It’s always compared with each line of the access list in sequential order-i.e.; it’s always start with the first line of the access-list, then go to line 2, then line 3, and so on.
  • 2. Access Control List & its Types 2. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon, and no further comparisons take place. 3. There is an implicit “deny” at the end of each access-list – this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded. When activating an ACL on an interface, you must specify in which direction the traffic should be filtered: Inbound Access Lists When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packet that are denied won’t be routed because they’re discarded before the routing process is invoked. Outbound Access Lists When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued. Data Flow Diagram of ACL
  • 3. Access Control List & its Types Universal fact about Access control list: 1. ACLs come in two varieties: Numbered and Named. 2. Each of these references to ACLs supports two types of filtering: standard and extended. 3. Standard IP ACLs can filter only on the source IP address inside a packet. 4. Whereas an extended IP ACLs can filter on the source and destination IP addresses in the packet. 5. There are two actions an ACL can take: permit or deny. 6. Statements are processed top-down. 7. Once a match is found, no further statements are processed—therefore, order is important. 8. If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet. 9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL. Access List Ranges Type Range IP Standard 1–99 IP Extended 100–199 IP Standard Expanded Range 1300–1999 IP Extended Expanded Range 2000–2699 Placement of ACLs 1. Standard ACLs should be placed as close to the destination devices as possible. 2. Extended ACLs should be placed as close to the source devices as possible. There are some general access-lists guidelines: 1. We can assign only one access list per interface, per protocol, per direction. This means that when creating IP access lists, we can only have one inbound access list and one outbound access list per interface. 2. Organize your access lists so that the more specific tests are at the top of the access list. 3. Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested. 4. You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access list.
  • 4. Access Control List & its Types 5. Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the lists. Every list should have at least one permit statement, or it will deny all traffic. 6. Create access lists and then apply them to an interface. Without applying on any interface access list won’t work. 7. Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router. 8. Place IP standard access lists as close to the destination as possible. This is the reason we don’t really want to use standard access list in our networks. We cannot put a standard access list close to the source host or network because we can only filter based on source address and nothing would be forwarded. 9. Place Ip extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don’t want your traffic to traverse the entire network and then be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up your precious bandwidth. There are two types of access lists – Standard Access List These use only the source IP address in an IP packet as the condition test. All decisions are made based on source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many of IP traffic such as WWW, Telnet and UDP etc. You are telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines. Router (config)#access-list 10 ? Deny – Specify packets to reject Permit – Specify packets to forward Router (config)#access-list 10 deny ? Hostname or A.B.C.D Address to match Any any source host Host A single host addresses The next step requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny any host or network. You can use an IP address to specify either a single host or range of them. Or you can use the host command to specify a specific host only. The any
  • 5. Access Control List & its Types command is pretty obvious – any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple. Router (config)#access-list 10 deny host 172.168.30.2 This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words if you type access-list 10 deny 172.16.30.2 the router assumes you mean host 172.16.30.2 But there’s another way to specify either a particular host or a range of hosts – you can use wild card masking. Wild cards are used with access lists to specify an individual host, a network or a certain range of a network or networks. Some of the different block sizes available are 64,32,16,8 and 4. Wild cards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this. 172.16.30.5 0.0.0.0 The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example here’s how a /24 subnet is specified with a wildcard: 172.16.30.0 0.0.0.255 This tells the router to match up the first three octets exactly, but the fourth octet can be any value. Let’s say that you want to block access to part of network that is range from 172.16.8.0 through 172.16.15.0. That is a bloc size of 8. Your network number would be 172.16.8.0, and the wild card would be 0.0.7.255. Woh! What is that ? The 7.255 is what the router uses to determine the block size. The network and wild card tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0 Router (config)#access-list 10 deny 172.16.10.0 0.0.0.255 The following example tells the router to match first three octets exactly but that the fourth octet can be anything. Router (config)#access-list 10 deny 172.16.0.0 0.0.255.255 This example tells the router to match the first two octets and that the last two octets can be any value. Router (config)#access-list 10 deny 172.16.16.0 0.0.3.255
  • 6. Access Control List & its Types The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would them be 172.16.16.0 through 172.16.19.0. Router (config)#access-list 10 deny 172.16.16.0 0.0.7.255 The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0 Access-list 10 deny 172.16.32.0 0.0.15.255 This example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0 Router (config)#access-list 10 deny 172.16.64.0 0.0 63.255 This example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0 Router (config)#access-list 10 deny 192.168.160.0 0.0.31.255 This example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255. Block size range 0 to 7, 8 to 15, 16 to 23, 0 to 31, 32 to 63, 64 to 95 The command any is the same thing as writing our the wild card 0.0.0.0 255.255.255.255 Extended Access List Extended Access Lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic. By using extended access lists, you can effectively allow user’s access to a physical LAN and stops them from accessing specific hosts or even specific services on those hosts. Router (config) #access-list 110 deny tcp ? Router (config) #access-list 110 deny tcp any host 172.16.30.2 ? Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq ? You can choose a port number or use the application or protocol name. At this point, let’s block Telnet (Port -23) to host 172.16.30.2 only. If the users want to FTP, fine, that’s allowed. The log command is
  • 7. Access Control List & its Types used to log message every time the access list is hit. This can be an extremely cool way to monitor inappropriate access attempts. Router (config) #access-list 110 deny tcp any host 172.16.30.2 eq 23 log You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface, you might as well just shut the interface down, since by default there is an implicit deny all at the end of every access list you’ve got to follow up the access list with the following command. Router (config) #access-list 110 permit ip any any Once the access list is created, you need to apply it to an interface Router (config-if) #ip access-group in Router (config-if) #ip access-group out Named ACLs One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. Another advantage to Named ACLs is that they allow you to remove individual lines out of an ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create the entire list. Named access list are just another way to create standard and extended list. Router (config) #ip access-list? Notice that I started IP access-list, not access-list. This allows me to enter a named access list. Router (config) #ip access-list standard block sales I’ve specified a standard access list, and then added a name: Block sales. Notice that I could’ve used a number for a standard access list, but intend, I chose to use a descriptive name. #deny 172.16.40.0 0.0.0.255 #permit any #exit #int e1
  • 8. Access Control List & its Types #ip access-group block sales out #exit Commands used to verify access list configuration: 1. Show Access-list- Display all access lists and their parameters configured on the router. This command does not show you which interface the list is set on. 2. Show access-list 110- Shows only the parameters for the access list 110. This command does not show you the interface the list is set on. 3. Show Ip access list- shows only the ip access list configured on the router. 4. Show Ip interface- Shows which interface have access lists set. 5. Show-run-config- shows the access lists and which interface have access lists set. 6. Remarks The remark keyword is really important because it arms you with the ability to include comments, or rather remarks, regarding the entries you’ve made in both your IP standard and extended ACLs. Even though you have the option of placing your remarks either before or after a permit or deny statement, I totally recommend that you chose to position them consistently so you don’t get confused about which remark is relevant to which one of your permit or deny statements. Router (config) #access-list 110 remark permit Bob from sales only to finance Router (config) #access-list 110 permit ip host 172.16.40.1 172.16.30.0 0.0.0.255 7. Blocking SNMP Packets Router (config) #access-list 110 deny udp any any eq snmp Router (config) #int s0/0 Router (config-if) #access-group 110 in 8. Disabling Echo Router (config) #no service tcp-small-servers Router (config) #no service udp-small-servers 9. Turning off BootP and Auto-Config Router (config) #no ip boot server Router (config) #no service config
  • 9. Access Control List & its Types 10. Disabling HTTP Interface Router (config) #no ip http server 11. Disabling Ip Source Routing Router (config) #no ip source-route 12. Disabling Proxy ARP Router (config) #int fa0/0 Router (config-if) #no ip proxy-arp 13. Disabling redirect Message Router (config) #int s0/0 Router (config-if) #no Ip redirects 14. Disabling the Generation of ICMP Unreachable Messages Router (config) #int s0/0 Router (config-if) #no ip unreachables 15. Disabling Multicast Route Caching Router (config) #int s0/0 Router (config-if) #no ip mroute-cache 16. Disabling the Maintenance Operation Protocol (MOP) Router (config) #int s0/0 Router (config-if) #no mop enabled 17. Turning off the x.25 PAD Service Router (config) #no service pad 18. Enabling the Nagle TCP congestion Algorithm Router (config) #service nagle 19. Logging Every Event Router (config) #logging trap debugging
  • 10. Access Control List & its Types Router (config) #logging 192.168.254.251 Router #sh logging 20. Disabling Cisco Discovery Protocol Router (config) #no cdp run For interface Router (config-if) #no cdp enable 21. Disabling the Default Forwarded UDP Protocols When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers: Router (config) #int fa0/0 Router (config-if) #ip helper-address 192.168.254.251 You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server request), it forwards seven other ports by default as well. To disable the unused ports, use the following commands. Router (config) #no ip forward-protocol udp 69 Router (config) #no ip forward-protocol udp 53 Router (config) #no ip forward-protocol udp 37 Router (config) #no ip forward-protocol udp 137 Router (config) #no ip forward-protocol udp 138 Router (config) #no ip forward-protocol udp 68 Router (config) #no ip forward-protocol udp 49 Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port—say, TACACS+, for example—use the following command: Router (config) #ip forward-protocol udp 49 22. Cisco’s Auto Secure Router #auto secure