CCNA Prep Center - Access Control Lists Overview – Part II – Extended IP ACLs. Mike Wilson, CCNP, March 2006. Topics: quick review of standard IP ACL info, calculating the wildcard mask, two steps to ACL configs, configuring two extended IP ACLs.
Presentation Transcript


  1. CCNA Prep Center - Access Control Lists Overview – Part II – Extended IP ACLs. Mike Wilson, CCNP, March 2006

  2. Agenda
  • Quick Review of Standard IP ACL Info
  • Calculating the Wildcard Mask
  • Two Steps to ACL Configs
  • Configuring Two Extended IP ACLs

  3–5. Standard IP ACL Syntax: access-list access-list-number {permit|deny} {host source | source source-wildcard | any}
  • Numbered 1 – 99
  • Only looks at the IP source address
  • Easiest to configure
  • Good for blocking traffic close to the destination device

  6–10. The ‘Infamous’ Wildcard Mask: the inverse of the subnet mask, e.g. 255.255.255.192 (SM) = 0.0.0.63 (WM). It defines either the specific host or the size of the subnet to be permitted or denied by the ACL. How to calculate the wildcard mask? Subtract the subnet mask from 255.255.255.255:
  • Single host – (SM) 255.255.255.255, (WM) 0.0.0.0
  • Subnet with 16 addresses – (SM) 255.255.255.240, (WM) 0.0.0.15
  • Subnet with 64 addresses – (SM) 255.255.255.192, (WM) 0.0.0.63
  Syntax: access-list access-list-number {permit|deny} {host source | source source-wildcard | any}

  11–13. The ‘Infamous’ Wildcard Mask, worked example for a subnet with 16 addresses, (SM) 255.255.255.240:
      255.255.255.255
    - 255.255.255.240 (SM)
    = 0  .0  .0  .15  (WM)
  Syntax: access-list access-list-number {permit|deny} {host source | source source-wildcard | any}

  14–16. ACLs - Two Basic Steps
  • Create the Access Control List, then…
    Router(config)# access-list 8 deny 131.108.7.0 0.0.0.3
    Router(config)# access-list 8 permit 131.108.2.0 0.0.0.255
    Router(config)# access-list 8 permit any
    (implicit at the end of the list: access-list 8 deny any)
  • Apply it to the correct interface
    Router(config)# interface serial0
    Router(config-if)# ip access-group 8 in

  17. Configuring an Extended IP ACL

  18–22. Extended IP ACL Syntax: access-list access-list-number {permit|deny} protocol {host source | source source-wildcard | any} {host destination | destination destination-wildcard | any} [precedence precedence name or #]
  • Numbered 100 – 199
  • Looks at both the IP source address and the destination address
  • Checks many IP layer (L3) and upper layer (L4) header fields
  • Good for blocking traffic anywhere (near the source)

  23–25. What fields do Standard ACLs check? Only the SOURCE IP ADDRESS in the L3 header. L3 (IPv4) header fields: Version (4-bit), Header length (4-bit), Type of Service (8-bit), Total Length of IP datagram (16-bit), Identification (16-bit), Flags (3-bit), Fragment Offset (13-bit), Time to Live (8-bit), Protocol (8-bit), Header Checksum (16-bit), Source IP address (32-bit), Destination IP address (32-bit), IP Options (if any), Pad, Upper Layer Data

  26–28. What fields do Extended ACLs check?
  • L3 header: Source, Destination, Protocol, Precedence, Type of Service (the same IPv4 header layout as above: Version, Header length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP address, Destination IP address, IP Options, Pad, Upper Layer Data)
  • L4 header: additional headers can be checked for these protocols:
    • TCP: ports, protocols
    • ICMP: message type
    • UDP: ports

  29–35. ACL Conditions (network diagram: routers A, B, C and D with interfaces e0–e4, s0 and s1; subnets 192.168.66.64/27, 19.168.66.16/28, 192.168.66.32/27, 12.168.66.32/28, 201.168.66.0/24 and 152.168.66.32/28; hosts .22 and .35, host .144 on 201.168.66.0/24, and the SERVER at .42 on 152.168.66.32/28)
  • DENY Telnet only from .35 HOST to server (First ACL)
  • PERMIT all on subnet to go to Web from server except .144 (Second ACL)
  • PERMIT everyone full access to server
  1) CREATE THE ACL

  36–44. First ACL – DENY Telnet only from .35 HOST to server. Syntax: access-list access-list-number {permit|deny} protocol {host source | source source-wildcard | any} {host destination | destination destination-wildcard | any} [precedence precedence name or #]
  1) CREATE THE ACL (on Router B)
    RouterB> enable
    RouterB# configure terminal
    RouterB(config)# access-list 101 deny tcp host 192.168.66.35 152.168.66.42 0.0.0.0 eq 23
    RouterB(config)# access-list 101 permit ip any any
    RouterB(config)# access-list 101 deny ip any any    (Implicit Deny All)
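The following Python program is an added example, not the presentation's own material: it implements the wildcard-mask subtraction from slides 6–13 and a first-match evaluator for the extended ACL 101 typed on Router B in slides 36–44, including the implicit deny at the end. The entry parser and evaluator are a deliberate simplification of IOS behaviour (only the `any`/`host`/wildcard address forms and `eq` port matches the slides use), and the test packets are constructed from the diagram's addresses.

```python
# Added example (not from the presentation): wildcard-mask arithmetic and
# first-match evaluation of numbered extended ACL entries such as ACL 101.
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match'; a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _addr_spec(tokens):
    """Consume one {host A | A W | any} form; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} proto src dst [eq port]' (simplified)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    src, src_wc, rest = _addr_spec(t[4:])
    dst, dst_wc, rest = _addr_spec(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # destination port
    return {"number": int(t[1]), "action": t[2], "proto": t[3],
            "src": (src, src_wc), "dst": (dst, dst_wc), "port": port}


def evaluate(acl, proto: str, src: str, dst: str, dport=None) -> str:
    """Top-down, first matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]):
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL


# ACL 101 exactly as typed on Router B in the slides.
ACL_101 = [parse_ace(entry) for entry in (
    "access-list 101 deny tcp host 192.168.66.35 152.168.66.42 0.0.0.0 eq 23",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.240"))                      # 0.0.0.15
    print(evaluate(ACL_101, "tcp", "192.168.66.35", "152.168.66.42", 23))   # deny
    print(evaluate(ACL_101, "tcp", "192.168.66.35", "152.168.66.42", 80))   # permit
```

Reversing the two entries makes the deny unreachable, which is the ordering mistake the top-down rule in the slides warns against.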

  45–50. Second ACL – PERMIT all on subnet to go to Web from server except .144. Syntax: access-list access-list-number {permit|deny} protocol {host source | source source-wildcard | any} {host destination | destination destination-wildcard | any} [precedence precedence name or #]
  1) CREATE THE ACL (on Router A)
    RouterA> enable
    RouterA# configure terminal
    RouterA(config)# access-list 111 deny tcp host 201.168.66.144 host 152.168.66.42 eq 80
