Access Control List (ACL)
Prepared by: Roshan Kandel
Masters in Information & Communication Engineering
1
Introduction
• An ACL is a list of permit or deny rules detailing what can or can't
enter or leave the interface of a router.
• Every packet that attempts to enter or leave a router must be tested
against each rule in the ACL until a match is found.
• If no match is found, then it will be denied.
• To get a bit more technical, when a packet is sent out, it must know
where it's going (destination) and where it came from (source).
• So it contains a source and destination IP address.
• The router looks at this information to determine if it matches any of
the rules in its ACL.
2
• Access Control Lists (ACL) statements operate in sequential, logical
order.
• If a condition match is true, the packet is permitted or denied and the
rest of the Access Control Lists (ACL) statements are not checked.
• If all the Access Control Lists (ACL) statements are unmatched, an
implicit "deny any" statement is placed at the end of the list by default.
• Access list statements operate in sequential, logical order and they
evaluate packets from the top down.
• Once there is an access list statement match, the packet skips the rest
of the statements.
3
• If a condition match is true, the packet is permitted or denied.
• You should remember that there is an implicit "deny any" at the end of
every Access Control Lists (ACL).
• How Does Implicit Deny Work?
• The last rule in every ACL is an implicit deny statement. Because it's
implicit, you won't see it.
• Be aware that just because you don't see it doesn't mean it doesn't do
anything. This rule is very powerful.
• Every bit of traffic that doesn't match a rule in an ACL will be denied.
4
Why Use An ACL?
• The main idea of using an ACL is to provide security to your network.
• Without it, all traffic is allowed to enter or exit, making the network more
vulnerable to unwanted and dangerous traffic.
• To improve security with an ACL you can, for example, deny specific
routing updates or provide traffic flow control.
• As shown in the picture below, the routing device has an ACL that is
denying access to host C into the Financial network, and at the same
time, it is allowing access to host D.
5
• With an ACL you can filter packets for a single IP address or a group of IP
addresses, or for different protocols, such as TCP or UDP.
• So for example, instead of blocking only one host in the engineering
team, you can deny access to the entire network and allow only one host.
Or you can also restrict the access of host C.
• If the engineer on host C needs to access a web server located in
the Financial network, you can allow only port 80 and block
everything else.
6
Where Can You Place an ACL?
• Many admins choose to place ACLs on the edge routers of a network.
• This enables them to filter traffic before it hits the rest of their system.
• To do this, you can place a routing device that has an ACL on it, positioning
it between the demilitarized zone (DMZ) and the internet.
• Within the DMZ, you may have devices such as application servers, web
servers, VPNs, or Domain Name System (DNS) servers.
• You can also place an ACL between the DMZ and the rest of your network.
• If you use an ACL between the internet and the DMZ, as well as between
the DMZ and the rest of your network, they will have different
configurations—each setting designed to protect the devices and users that
come after the ACL.
7
Types
• Standard and Extended Access Control Lists (ACL):
• Standard IP Access Control Lists (ACL) can be used to filter traffic only
based on the source IP address of the IP datagram packet.
• An extended Access Control List (ACL) can be used to filter traffic
based on source IP address, destination IP address, protocol
(TCP, UDP etc.), port numbers etc.
8
• The following table shows the Access Control Lists (ACL) types and the
related numbers which can be used to number an Access Control List
(ACL).
Access Control Lists (ACL) Type    Access Control Lists (ACL) Numbers
IP Standard                        1–99, 1300–1999
IP Extended                        100–199, 2000–2699
9
Standard ACL
• Standard Access Control Lists (ACLs) are the oldest type of Access
Control Lists (ACL).
• Standard IP access lists are used to permit/deny traffic only based on
source IP address of the IP datagram packets.
• Standard Access Control Lists (ACLs) can be created by using the
"access-list" IOS command.
• The syntax of the "access-list" IOS command to create a Standard Access
Control List is shown below.
• access-list [Access_list_number] [permit | deny] [IP_address]
[wildcard mask (optional)]
10
• The arguments are explained in detail below.
• Access_list_number: For Standard Access Control List, Access list
number must be between 1–99 or 1300–1999.
• permit | deny: Whether to permit or deny traffic.
• IP_address: An IP address to filter the traffic.
• wildcard mask: Instead of specifying a single IP address, you can
also permit or deny networks/subnets entirely or partly by
using wildcard masks, also known as inverse masks. The wildcard mask is
optional in the above IOS command.
11
Where should a Standard Access Control
List (ACL) be placed?
• A Standard Access Control List (ACL) filters the traffic based on the
source IP address only.
• Therefore a Standard Access Control List (ACL) must be placed on
the router nearest to the destination network/host to which the traffic is
denied.
• If we place the Standard Access Control List (ACL) near the source of
the traffic, there is a chance of denying other legitimate traffic from
the source network to some other network.
12
Access Control List (ACL) - Wildcard
Masks
• Wildcard masks are used in Access Control Lists (ACL) to identify
(or filter) an individual host or a network to permit or deny access.
• When using a wildcard mask, a 0 in a bit position means that the
corresponding bit position in the address of the Access Control Lists
(ACL) statement must match the bit position in the IP address in the
examined packet.
• A "0" bit in the wildcard mask means that corresponding part in the IP
address should exactly match and "1" bit means that the corresponding
part in IP address can be ignored.
13
• How to specify a single host using Access Control List (ACL)
Wildcard mask
• To specify a single host using Access Control List (ACL) Wildcard
mask, the IP address and wildcard mask should be as below.
• 172.16.0.12 0.0.0.0
• The keyword "host" can also be used to accomplish the same result as
shown below.
• host 172.16.0.12
14
• How to specify an entire network using Access Control List (ACL)
Wildcard mask
• To specify an entire network using an Access Control List (ACL) wildcard
mask, use a wildcard mask of 255 for each octet to ignore (all bits "1" in that
octet). The following example specifies all IP addresses in the 172.16.0.0/16 network.
• 172.16.0.0 0.0.255.255
• The above example states that only the first two octets must match
exactly and the last two octets can hold any value. This statement matches
all the IP addresses of the 172.16.0.0/16 network.
15
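As an added example (not part of the slides), the following Python models the wildcard-mask rules and the standard-ACL behaviour described above: 0 bits must match and 1 bits are ignored, statements are evaluated top-down with first match winning, and unmatched traffic falls through to the implicit "deny any". It also flags statements that can never match because an earlier statement already covers them, which is how a mis-ordered ACL shows up in practice. The `access-list` statements and addresses are constructed for the example.

```python
"""Wildcard-mask matching and standard-ACL evaluation. Added example, not from the slides;
it models the bit rules above (0 = must match, 1 = ignore) and top-down first-match evaluation
with the implicit 'deny any'. The ACL statements below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# (action, address, wildcard mask), one per 'access-list N permit|deny A.B.C.D W.W.W.W' line
StdEntry = Tuple[str, str, str]

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """True if addr equals pattern on every bit that is 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)  # 1 where the bit must match
    return (ip_to_int(addr) & care) == (ip_to_int(pattern) & care)

def prefix_to_wildcard(prefix_len: int) -> str:
    """Inverse (wildcard) mask for a /prefix_len network, e.g. 16 -> 0.0.255.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def parse_standard_entry(line: str) -> StdEntry:
    """Parse 'access-list N permit|deny (any | host A | A [W])' into a StdEntry."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError("not an access-list statement: %r" % line)
    number = int(tok[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("standard ACL number out of range: %d" % number)
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % action)
    if tok[3] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if tok[3] == "host":
        return action, tok[4], "0.0.0.0"
    # An omitted wildcard mask means a single host (0.0.0.0).
    return action, tok[3], (tok[4] if len(tok) > 4 else "0.0.0.0")

def evaluate_standard(acl: List[StdEntry], src: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny (index None)."""
    for index, (action, pattern, wildcard) in enumerate(acl):
        if wildcard_match(src, pattern, wildcard):
            return action, index
    return "deny", None

def shadowed_entries(acl: List[StdEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already covers every
    address they cover; a typical symptom of a mis-ordered ACL (e.g. a permit before a deny)."""
    shadowed = []
    for j, (_, pat_j, wc_j) in enumerate(acl):
        care_j = 0xFFFFFFFF ^ ip_to_int(wc_j)
        for _, pat_i, wc_i in acl[:j]:
            care_i = 0xFFFFFFFF ^ ip_to_int(wc_i)
            # i covers j when i cares only about bits j also cares about and agrees on them
            if (care_i & ~care_j) == 0 and (ip_to_int(pat_i) & care_i) == (ip_to_int(pat_j) & care_i):
                shadowed.append(j)
                break
    return shadowed

# Constructed sample: block one engineering host, permit the rest of 172.16.0.0/16.
SAMPLE_STANDARD_ACL = [parse_standard_entry(line) for line in (
    "access-list 10 deny host 172.16.0.12",
    "access-list 10 permit 172.16.0.0 0.0.255.255",
)]
# The same two statements in the wrong order: the deny can never be reached.
MISORDERED_ACL = [SAMPLE_STANDARD_ACL[1], SAMPLE_STANDARD_ACL[0]]

if __name__ == "__main__":
    for src in ("172.16.0.12", "172.16.200.1", "10.0.0.5"):
        print(src, evaluate_standard(SAMPLE_STANDARD_ACL, src))
    print("shadowed entries in MISORDERED_ACL:", shadowed_entries(MISORDERED_ACL))
```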
Extended Access Control Lists
• Standard Access Control Lists can filter the IP traffic ONLY based
on the source IP address in an IP datagram packet.
• Extended Access Control Lists can filter the traffic based on many
other factors:
  • Source and destination IP addresses.
  • Protocols like IP, TCP, UDP, ICMP etc.
  • Protocol information: port numbers for TCP and UDP, or message
types for ICMP.
16
• Extended Access Control Lists can be created by using the "access-list"
IOS command. The syntax of the "access-list" IOS command to
create an Extended Access Control List is shown below.
• Router(config)# access-list [Access_list_number] permit|deny
IP_protocol source_address source_wildcard_mask
[source_protocol_information] destination_address
destination_wildcard_mask
[destination_protocol_information]
17
• Access_list_number: For Extended Access Control List, Access list
number must be between 100–199 or 2000–2699.
• IP_protocol: IP protocol to match. The IP protocols can
be IP, ICMP, TCP, GRE, UDP, etc.
18
19
Commonly Used
Port Numbers
20
Extended Access Control List (ACL) - Port
Operators
• When working with Extended Access Control Lists (ACL), we can specify
TCP and UDP port numbers to permit or deny.
• To filter the traffic based on TCP or UDP port numbers, we can use an
operator. The operator is used to match the port number or numbers in
Access Control Lists.
The following table lists important Extended Access Control Lists (ACL)
operators.
Operator    Description
lt          Less than
gt          Greater than
neq         Not equal to
eq          Equal to
range       Range of port numbers
21
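As an added example (not part of the slides), the following Python parses extended `access-list` statements in the syntax given above, including the `lt`, `gt`, `eq`, `neq` and `range` port operators, and evaluates packets against them top-down with the implicit deny at the end. The constructed ACL follows the host C scenario from earlier: only one engineering host may reach the Financial web server on port 80. All statements, addresses and the server address 10.1.1.80 are constructed for the example.

```python
"""Parse IOS-style extended ACL statements (with port operators) and evaluate packets against
them. Added example, not from the slides; ACL lines and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port operators from the table above; each receives (packet_port, low, high).
OPERATORS = {
    "lt": lambda p, lo, hi: p < lo,
    "gt": lambda p, lo, hi: p > lo,
    "eq": lambda p, lo, hi: p == lo,
    "neq": lambda p, lo, hi: p != lo,
    "range": lambda p, lo, hi: lo <= p <= hi,
}

@dataclass
class PortCond:
    op: str
    lo: int
    hi: int  # equal to lo except for 'range'
    def matches(self, port: int) -> bool:
        return OPERATORS[self.op](port, self.lo, self.hi)

@dataclass
class ExtEntry:
    action: str
    proto: str  # 'ip' matches every IP protocol
    src: str
    src_wc: str
    src_port: Optional[PortCond]
    dst: str
    dst_wc: str
    dst_port: Optional[PortCond]

def _wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """0 bits in the wildcard mask must match, 1 bits are ignored."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return (a & ~w) == (p & ~w)

def _take_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A W' at tok[i]; return (address, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def _take_port(tok: List[str], i: int) -> Tuple[Optional[PortCond], int]:
    """Consume an optional 'op port' or 'range lo hi' at tok[i]."""
    if i < len(tok) and tok[i] in OPERATORS:
        lo = int(tok[i + 1])
        if tok[i] == "range":
            return PortCond("range", lo, int(tok[i + 2])), i + 3
        return PortCond(tok[i], lo, lo), i + 2
    return None, i

def parse_extended_entry(line: str) -> ExtEntry:
    """Parse: access-list N permit|deny proto src [op port] dst [op port]."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an extended access-list statement: %r" % line)
    number, action, proto = int(tok[1]), tok[2], tok[3].lower()
    if action not in ("permit", "deny") or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("bad action or extended ACL number: %r" % line)
    src, src_wc, i = _take_addr(tok, 4)
    src_port, i = _take_port(tok, i)
    dst, dst_wc, i = _take_addr(tok, i)
    dst_port, i = _take_port(tok, i)
    if (src_port or dst_port) and proto not in ("tcp", "udp"):
        raise ValueError("port operators apply only to tcp/udp: %r" % line)
    if i != len(tok):
        raise ValueError("unexpected trailing tokens: %r" % tok[i:])
    return ExtEntry(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port)

def evaluate_extended(acl, proto, src, dst, sport=None, dport=None):
    """Top-down first match; returns (action, index), or ('deny', None) for the implicit deny."""
    for index, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_wildcard_match(src, e.src, e.src_wc) and _wildcard_match(dst, e.dst, e.dst_wc)):
            continue
        if e.src_port is not None and (sport is None or not e.src_port.matches(sport)):
            continue
        if e.dst_port is not None and (dport is None or not e.dst_port.matches(dport)):
            continue
        return e.action, index
    return "deny", None

# Constructed sample (host C scenario): only 172.16.0.12 may reach the Financial web server
# 10.1.1.80 on TCP/80; its other well-known TCP ports are denied; the rest of 172.16.0.0/16 passes.
SAMPLE_EXTENDED_ACL = [parse_extended_entry(line) for line in (
    "access-list 101 permit tcp host 172.16.0.12 host 10.1.1.80 eq 80",
    "access-list 101 deny tcp any host 10.1.1.80 range 1 1023",
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 any",
)]
```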
Where should an Extended Access Control
List (ACL) be placed?
• An Extended Access Control List (ACL) can filter the traffic based on
many factors like source IP address, destination IP address,
protocol, TCP or UDP port numbers etc.
• Since an Extended Access Control List (ACL) can filter the IP
datagram packet based on the destination IP address, it must be placed
on the router which is near to the source network/host.
• If we place the Extended Access Control List (ACL) near the
destination, the unwanted traffic consumes bandwidth all the way to the
destination before it is finally filtered there.
22
