access control lists


1. Access Control Lists Mark Clements

2. 17 March 2009 ITCN 2

3. Reasons for ACLs
  • Limit network traffic to where we define and increase network performance
  • Provide traffic flow control
  • ACLs can restrict or reduce the contents of routing updates
  • Provide a basic level of security for network access
  • Decide which types of traffic are forwarded or blocked at router interfaces

4. Consider an arbitrary Network

5. Routers and ACLs
  • Routers can read packets
  • Packets contain much data
  • We can choose to act upon this data
  • Permits us to allow or deny whichever part of this data we wish
  • ACLs implement this policy

6. The task of ACLs
An ACL is a group of statements that define how or whether packets:
  • Enter inbound interfaces
  • Exit outbound interfaces of the router
  • Relay through the router or not

7. The Order of ACLs is important
  • IOS tests the packet against each condition statement in the order in which the statements were created
  • Note: after a match is found, no more condition statements are checked
  • If you create a condition statement that permits all traffic, no statements added later will ever be checked
  • If all the ACL statements are unmatched, an implicit "deny any" statement is imposed

8. ACL Statement Order
  • Implicit ‘last statement’ denies all traffic
  • Must make statements preceding this allow the permitted traffic to flow
  • Construct statements carefully
  • Anything not explicitly permitted will be denied

9. Standard ACLs
You use standard ACLs when you:
  • want to block all traffic from a network
  • allow all traffic from a specific network
  • deny entire protocol suites, e.g. www or icmp
Standard ACLs check the source address of packets that could be routed across your network
Standard ACLs are not used very often

10. Extended ACLs
  • These are used whenever we want to be more specific about the type of traffic to block, e.g. a certain host or an entire protocol, e.g. www or ftp or icmp (ping)
  • These are used very frequently

11. Creating ACLs
  • Enter global configuration mode, i.e. Router(config)#
  • Enter the command ip access-list [standard|extended] number (to identify it)
  • Router prompt changes accordingly

12. Using Notepad
  • Create ACLs in Notepad (or other text editor)
  • They can be easily manipulated and reordered
  • This is not possible on a router – it is necessary to delete the entire list and start again
  • Once the ACL is correct, it can be pasted into the router’s CLI

13. Standard and Extended ACLs
  • ACL 1 to 99 are for standard ACL statements: Router(config-std-nacl)#
  • ACL 100 to 199 are for extended ACL statements: Router(config-ext-nacl)#
  • Logically order the ACL
  • Permitted IP protocols must be specified; all other protocols should be denied

14. Which Interface to place the ACL?
  • ACLs are assigned to one or more interfaces
  • Can filter inbound or outbound traffic
  • Outbound ACLs are generally more efficient than inbound: only checks packets on that interface
  • Inbound ACLs must check all packets before switching the packet to the outbound interface

15. Wildcard Mask
  • This identifies a host or range of addresses
  • It is the binary inversion of the subnet mask, i.e. in a ‘class C’ address range we use the subnet mask
  • To specify the same range with a wildcard mask we use (all 1s are now 0s and all 0s are now 1s)

16. Wildcard Mask Bits

17.

18. Example
  • What is the dotted decimal wildcard mask you would use to check for all traffic from hosts in the range to ?
  • Hint – convert to binary first
  • Write first and last addresses to compare like and unlike bits
  • Convert back to decimal afterwards
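The two wildcard-mask procedures from slides 15 and 18 (invert the subnet mask; compare the first and last address bit by bit) carried out in code. This is an added example written for this page, not code from the slides; the sample addresses (172.16.16.0, 192.168.1.32, 10.0.0.1 and so on) are constructed for illustration and are not the ones the slides used.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def dotted_binary(addr: str) -> str:
    """The 'convert to binary first' step: each octet as eight bits."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def wildcard_from_subnet_mask(mask: str) -> str:
    """Slide 15: the wildcard mask is the bitwise inverse of the subnet mask
    (every 1 becomes 0 and every 0 becomes 1)."""
    return _to_dotted(_to_int(mask) ^ 0xFFFFFFFF)


def wildcard_for_range(first: str, last: str) -> tuple:
    """Slide 18: compare the first and last address bit by bit.

    Bit positions that are alike in both addresses are 'care' bits (wildcard 0).
    From the highest unlike bit downward every bit must be 'don't care'
    (wildcard 1), otherwise one ACL statement cannot span the range.

    Returns (base_address, wildcard_mask, exact). exact is False when the
    single statement necessarily matches more addresses than the range asked
    for, which happens when the range is not aligned to a power-of-two block.
    """
    a, b = _to_int(first), _to_int(last)
    if a > b:
        a, b = b, a
    unlike = a ^ b                             # 1 wherever the two addresses differ
    wild = (1 << unlike.bit_length()) - 1      # all ones up to and including the top unlike bit
    base = a & ~wild                           # care bits taken from the first address
    exact = (base == a) and ((base | wild) == b)
    return _to_dotted(base), _to_dotted(wild), exact


if __name__ == "__main__":
    print(dotted_binary("255.255.240.0"), "->", wildcard_from_subnet_mask("255.255.240.0"))
    # An aligned block: the statement covers exactly the requested range.
    print(wildcard_for_range("172.16.16.0", "172.16.31.255"))
    # An unaligned range: the statement also matches .0 and .15, so exact is False.
    print(wildcard_for_range("10.0.0.1", "10.0.0.14"))
```

Running the block shows the unaligned case as `('10.0.0.0', '0.0.0.15', False)`: a range that does not sit on a power-of-two boundary needs more than one statement if the ACL must not permit or deny addresses outside it.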

19. Quad Zero Address
  • is known as the Quad Zero address and it is ‘shorthand’ for any IP address.

20. Useful Commands – ANY
  • To specify that any source address will be permitted to pass: Router(config-std-nacl)# access-list 1 permit
  • Is the same as (but shorter): Router(config-std-nacl)# access-list 1 permit any

21.

22. Examples of ACLs
  • access-list 33 permit (permits all traffic in the range to )
  • access-list 44 deny (denies traffic from only the host )
  • access-list 55 permit any (permits all traffic from any network)

23. Extended ACLs
  • Provide a greater range of control than standard ACLs, e.g. we can allow Web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic
  • Extended ACLs check for both source and destination packet addresses
  • Specific protocols, port numbers and other parameters can be checked for
  • Packets can be permitted or denied output based on where the packet originated and based on its destination
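The first-match rule with the implicit deny from slides 7 and 8, and the protocol and port checks of extended ACLs from slide 23, can be watched working in a small evaluator. This is an added example written for this page, not code from the slides or from Cisco IOS: the Entry and Packet fields, the sample network 192.168.1.0/24, the host 192.168.1.77, the destination 203.0.113.5 and the ACL contents are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "any" is the quad-zero address paired with an all-ones wildcard: every bit is "don't care".
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = the bit must equal the base address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


@dataclass
class Entry:
    """One ACL statement. A standard entry uses only action and src;
    the extended fields default to 'match anything'."""
    action: str                       # "permit" or "deny"
    src: Tuple[str, str]              # (address, wildcard)
    proto: str = "ip"                 # "ip" matches every protocol
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None       # None = any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Slides 7-8: statements are tested in order, the first match decides and
    nothing after it is looked at; with no match the implicit 'deny any' applies.
    Returns (action, index of the matching statement, or None for the implicit deny)."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


def is_catch_all(e: Entry) -> bool:
    return e.src == ANY and e.dst == ANY and e.proto == "ip" and e.dport is None


def unreachable_after_catch_all(acl: List[Entry]) -> List[int]:
    """Indices of statements that can never be tested because an earlier
    statement matches all traffic (the shadowing case slide 7 warns about)."""
    for i, e in enumerate(acl):
        if is_catch_all(e):
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACLs (not taken from the slides).
LAN = ("192.168.1.0", "0.0.0.255")

# Standard ACL: source address only. The single-host deny must come before the
# network-wide permit; in the reversed order it is shadowed and never reached.
STANDARD = [
    Entry("deny", ("192.168.1.77", "0.0.0.0")),
    Entry("permit", LAN),
]
SHADOWED = [STANDARD[1], STANDARD[0]]   # same two lines, wrong order

# Extended ACL (slide 23): allow web, deny FTP and Telnet, then permit the rest.
# Without the final permit the implicit deny would drop everything that is not web.
EXTENDED = [
    Entry("permit", LAN, "tcp", ANY, 80),
    Entry("deny", LAN, "tcp", ANY, 21),
    Entry("deny", LAN, "tcp", ANY, 23),
    Entry("permit", LAN, "ip"),
]

if __name__ == "__main__":
    blocked_host = Packet("192.168.1.77", "203.0.113.5", "tcp", 80)
    print("STANDARD", evaluate(STANDARD, blocked_host))   # ('deny', 0)
    print("SHADOWED", evaluate(SHADOWED, blocked_host))   # ('permit', 0): deny never tested
    for port in (80, 21, 23, 443):
        print("EXTENDED tcp/%d" % port, evaluate(EXTENDED, Packet("192.168.1.10", "203.0.113.5", "tcp", port)))
    print("outside LAN", evaluate(EXTENDED, Packet("10.9.9.9", "203.0.113.5", "tcp", 80)))  # implicit deny
    print("shadowed by permit any:", unreachable_after_catch_all([Entry("permit", ANY)] + STANDARD))
```

The `unreachable_after_catch_all` check is a simple way to catch the exact mistake slide 7 describes before pasting a list into the router: any statement listed after a `permit any` or `deny any` is dead.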

24. Extended ACL example

    chatham(config)#ip access-list extended 150
    chatham(config-ext-nacl)#?
      default  Set a command to its defaults
      deny     Specify packets to reject
      exit     Exit from access-list configuration mode
      no       Negate a command or set its defaults
      permit   Specify packets to forward
      remark   Access list entry comment
    chatham(config-ext-nacl)#permit tcp

25. Well-known Port numbers

26.

27. Placing Standard and Extended ACLs
  • Put the Extended ACLs as close as possible to the source machine or range (on your network) for the traffic type denied
  • Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near as possible to the destination machine (or range) we want to deny

28. Applying ACLs to an interface
  • Once you have written an ACL, you need to apply it to an interface, either IN or OUT
  • If we have written access-list 101, we could apply it to the Fa0/0 interface inbound:

        int fa0/0
        ip access-group 101 in

  • ACLs can also be placed on an interface in the outbound direction

29. Placing ACLs
  • Imagine you are standing INSIDE the router
  • The direction of the ACL for an interface will be the same as our perspective standing INSIDE the router

30. Conclusion
  • ACLs will check packets for certain conditions
  • Standard ACLs test simple conditions
  • Extended ACLs test for more rigorous conditions
  • Define ACL – Apply to interface
  • Place ACLs sensibly
  • Be sure to order ACLs sensibly too!
