Chabot College - PowerPoint PPT Presentation


Chabot College

ELEC 99.08

Extended Access Control Lists


ACL Topics

  • Extended ACLs

  • Editing ACLs

  • Anatomy of an ACL


Extended ACLs

  • Provide more precise (finer-grained) packet selection based on:

    • Source and destination addresses

    • Protocol (ip, tcp, udp, icmp, ...)

    • Port numbers (tcp and udp only)

  • Numbered 100-199 (or 2000-2699 in the expanded range)


Steps to Configure ACLs

1) Create ACL (global config mode)

2) Apply to an interface (interface config mode)


Extended ACL operation

  • A line permits or denies a packet only if all of its conditions match:

    • Source Address

    • Destination Address

    • Protocol

    • Port No. or Protocol Options

  • Lines are checked top to bottom; the first matching line decides, and a packet that matches no line is dropped by the implicit deny at the end of every list.


Extended ACL Syntax Explained

  • Network Computing has published a great summary chart of the “anatomy of an ACL”

  • A PDF copy of this chart is on the Semester 2 class page under “Chabot College Study Sheets”


Extended IP ACL command

access-list ACL-number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask [eq port-number]

  • The port clause is optional and is only valid with protocol tcp or udp; eq can be replaced by neq, gt, lt or range.

  • ACL number: 100-199

  • Global Config mode


Extended ACL Example

  • To permit Telnet (TCP port 23) from the network 192.168.1.0 to the host 192.168.3.10, and nothing else (the implicit deny at the end of the list drops all other traffic):

    access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.10 0.0.0.0 eq 23

    (192.168.3.10 0.0.0.0 can also be written as host 192.168.3.10.)


Some Protocols with Port Numbers

  • FTP – 21 (TCP; control connection, the data connection uses port 20)

  • Telnet – 23 (TCP)

  • SMTP – 25 (TCP)

  • DNS – 53 (TCP and UDP)

  • TFTP – 69 (UDP)

  • WWW (HTTP) – 80 (TCP)

  • POP3 – 110 (TCP)

  • SNMP – 161 (UDP)

  • The port match only applies to the protocol named on the line, so a deny tcp ... eq 53 does not block UDP DNS.


ACL Configuration Example

What will this list do?

fre(config)#access-list 101 deny tcp any 192.168.3.10 0.0.0.0 eq 80

fre(config)#access-list 101 permit ip any any

fre(config)#int e0

fre(config-if)#ip access-group 101 in

fre(config-if)#^z

[Slide diagram: three routers, hay, oak and fre, each with serial interfaces S0 and S1 and an Ethernet interface E0; LANs 192.168.1.0 (Fremont, hosts 192.168.1.10 and 192.168.1.11), 192.168.2.0 (host 192.168.2.10) and 192.168.3.0 (Oakland, host 192.168.3.10).]


ACL Configuration Example

What will this list do?

fre(config)#access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80

fre(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 21

fre(config)#access-list 101 permit ip any any

fre(config)#int e0

fre(config-if)#ip access-group 101 in

fre(config-if)#^z

[Same network diagram as above.]


ACL Configuration Example

What will this list do? (What’s wrong here?)

fre(config)#access-list 101 deny tcp 192.168.1.10 0.0.0.0 any eq 80

fre(config)#int e0

fre(config-if)#ip access-group 101 in

fre(config-if)#^z

[Same network diagram as above.]


Extended ACL Placement

Blocking traffic from Fremont LAN to Oakland PC

Place extended ACL close to source.

fre(config)#access-list 101 deny ip any host 192.168.3.10

fre(config)#access-list 101 permit ip any any

fre(config)#int e0

fre(config-if)#ip access-group 101 in

[Same network diagram as above.]


Standard ACL Placement

Blocking traffic from Fremont LAN to Oakland LAN

Place standard ACL close to destination.

oak(config)#access-list 10 deny 192.168.1.0 0.0.0.255

oak(config)#access-list 10 permit any

oak(config)#int e0

oak(config-if)#ip access-group 10 out

[Same network diagram as above.]


ACL Placement

Blocking traffic from Fremont LAN to Oakland PC

Standard or Extended ACL?

Which seems more efficient? Why?

The extended list at fre (inbound on E0) drops the traffic at the first router it reaches, before it crosses any serial link. A standard list can only match on the source address, so it has to sit at oak, next to the destination: placed at fre it would also cut the Fremont LAN off from Hayward. The extended ACL placed close to the source is therefore the more efficient choice.

[Same network diagram as above, labelled with the two placement points, "Extended" and "Standard".]


Editing ACLs

  • The IOS CLI appends each new access-list line to the end of the existing list; that is rarely where you want it.

  • To change or insert a line in the middle of a numbered ACL, you must delete the whole list (no access-list NNN) and re-enter it. Be aware that while the list does not exist, an interface that still references it with ip access-group passes all traffic, so do not do this on a live interface. (Newer IOS releases add sequence numbers to named ACLs, which let you insert or delete single lines; the workflow below is the one that works on any release.)

  • Or dump your config out to a text file and edit it as follows:


Editing ACLs

  • Use Hyperterm's "capture text" to save the config (show running-config) as a text file.

  • In your editor, renumber the existing ACL to an unused number using search & replace.

  • Edit the renumbered ACL.

  • Paste the new ACL into your running config.

  • On the interface where the old ACL is applied, apply the new list with the command:

    ip access-group XXX in/out

    (Make XXX the new ACL number; applying a new list in the same direction replaces the old one automatically, so the interface is never left without a list. If the new list causes problems, re-apply the old one with the same ip access-group command. Confirm the result with show ip interface and show access-lists, and only then remove the old list with no access-list.)
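The steps above are a text transformation of the captured config plus a cutover on the interface. The script below is an added example (not from the deck) that does the renumber-and-insert step and generates the cutover commands from a captured running-config, with the two checks a practitioner wants before pasting: the new number must be in the same ACL range as the old one (standard and extended syntax differ) and must not already exist, because pasting access-list lines for a number that exists appends to that list instead of replacing it. SAMPLE_CONFIG is constructed here, not captured from a router; the interface address 192.168.1.1 is an assumption.

```python
"""Rebuild a numbered ACL under a new number from a captured running-config so that a
line can be inserted in the middle, then cut the interface over with ip access-group.
Added example following the slides' text-editor workflow; SAMPLE_CONFIG is constructed
here (the interface address 192.168.1.1 is an assumption), not captured from a router."""
import re

SAMPLE_CONFIG = """\
hostname fre
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 deny tcp host 192.168.1.10 any eq 80
access-list 101 permit ip any any
!
"""

def acl_kind(number):
    """Standard and extended lists use different syntax, so a rebuild must stay in one kind."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IP ACL")

def acl_lines(config, number):
    """Lines of one numbered ACL in evaluation order (the trailing space stops 10 matching 101)."""
    return [l.strip() for l in config.splitlines() if re.match(rf"access-list {number} ", l.strip())]

def rebuild_acl(config, old, new, new_rules, insert_before=None):
    """Renumber ACL `old` to `new` and insert `new_rules` (the text after the ACL number, e.g.
    'deny tcp ... eq 21') before 0-based line `insert_before`; by default just before the
    last line, so the catch-all 'permit ip any any' stays last."""
    if acl_kind(old) != acl_kind(new):
        raise ValueError(f"ACL {old} is {acl_kind(old)} but {new} is {acl_kind(new)}")
    if acl_lines(config, new):
        raise ValueError(f"ACL {new} already exists; pasting would append to it, not replace it")
    lines = acl_lines(config, old)
    if not lines:
        raise ValueError(f"ACL {old} not found in config")
    # the editor's search & replace step
    lines = [re.sub(rf"^access-list {old} ", f"access-list {new} ", l) for l in lines]
    pos = len(lines) - 1 if insert_before is None else insert_before
    lines[pos:pos] = [f"access-list {new} {rule}" for rule in new_rules]
    return lines

def cutover_commands(config, old, new):
    """Commands that bind the new list wherever the old one is applied. IOS replaces the
    binding in place, so the interface is never left without an ACL during the swap."""
    cmds, iface = [], None
    for l in config.splitlines():
        if l.startswith("interface "):
            iface = l.split()[1]
        m = re.match(rf"^ ip access-group {old} (in|out)$", l)
        if m and iface:
            cmds += [f"interface {iface}", f" ip access-group {new} {m.group(1)}"]
    if not cmds:
        raise ValueError(f"ACL {old} is not applied on any interface")
    return cmds

def paste_block(config, old, new, new_rules, insert_before=None):
    """Everything to paste into global config mode. The old list is deliberately left in
    place so 'ip access-group <old> in' can roll back; remove it with 'no access-list <old>'
    once the new list is confirmed working."""
    return rebuild_acl(config, old, new, new_rules, insert_before) + cutover_commands(config, old, new)

if __name__ == "__main__":
    print("\n".join(paste_block(SAMPLE_CONFIG, 101, 102, ["deny tcp 192.168.1.0 0.0.0.255 any eq 21"])))
```

Run as-is it prints ACL 102 (the old two lines with the FTP deny inserted between them) followed by interface Ethernet0 / ip access-group 102 in, ready to paste; the old ACL 101 stays in the config for rollback until you remove it yourself.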


ACL Syntax Summary

  • Network Computing has published a great summary chart of the “anatomy of an ACL”

  • There is a link to this chart on the Semester 2 class page under “Chabot College Study Sheets”.

