
Student Guide


Presentation Transcript


  1. Access List • Student Guide www.visioninfosystems.org

  2. Introduction to Security
  Security is a required solution for a company to protect its network from various types of attacks and intruders. There are various solutions for security, such as firewall software. Cisco has implemented a simple and easy-to-use security feature called the access-list.

  3. Introduction to Access-List
  • An access-list is a list of conditions that controls the flow of traffic.
  • Access-lists are used for packet filtering, traffic control, security, etc.
  • Used to permit or deny packets moving through the router.
  • Permit or deny Telnet (VTY) access to or from a router.

  4. Types of Access-List
  • Standard Access List
    • Only the source IP address is specified in the condition
  • Extended Access List
    • Conditions can contain the source IP, destination IP, protocol field and port number
  • Named Access List
    • Functionally the same as standard and extended access lists, but identified by a name instead of a number

  5. Access-list rules
  • Packets are compared to each line of the access list in sequential order
  • Packets are compared with lines of the access list only until a match is made
  • Once a match is made and acted upon, no further comparisons take place
  • An implicit “deny” is at the end of each access list
  • If no matches have been made, the packet will be discarded

  6. How Access-List is applied
  • Inbound Access Lists
    • Packets are processed before being routed to the outbound interface
  • Outbound Access Lists
    • Packets are routed to the outbound interface and then processed through the access list

  7. Access-List Guidelines
  • End ACLs with a permit any command (otherwise the implicit deny drops all remaining traffic)
  • Create ACLs and then apply them to an interface
  • ACLs do not filter traffic originated from the router
  • Put standard ACLs close to the destination
  • Put extended ACLs close to the source
  • One access list per interface, per protocol, per direction
  • More specific tests at the top of the ACL
  • New lines are added at the bottom of the ACL
  • Individual lines cannot be removed

  8. Wildcards
  • What are they?
  • Used with access lists to specify a:
    • Host
    • Network
    • Part of a network

  9. Block Size
  Block sizes: 64, 32, 16, 8, 4
  • Rules:
    • When specifying a range of addresses, choose the closest block size
    • Each block size must start at 0
    • A ‘0’ in a wildcard means that octet must match exactly
    • A ‘255’ in a wildcard means that octet can be any value
    • The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

  10. Specifying a range of subnets
  (Remember: specify a range of values in a block size)
  Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
  Network number = 172.16.8.0
  Wildcard = 0.0.7.255
  **The wildcard is always one number less than the block size
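A small calculator for the block-size rules on slides 9 and 10, added here as an example (it is not code from the student guide): it derives a network/wildcard pair for an address range, checks the "each block must start at 0" rule, and tests an address against an entry using Cisco's wildcard semantics. The function names are my own.

```python
import ipaddress

def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_for_range(first: str, last: str) -> tuple:
    """Slides 9/10: pick the closest (smallest) power-of-two block that
    holds first..last and starts on a block boundary; the wildcard is
    block size - 1. Returns (network, wildcard)."""
    lo, hi = _int(first), _int(last)
    size = 1
    while lo // size != hi // size:   # grow until both ends sit in one aligned block
        size *= 2
    return _str(lo - lo % size), _str(size - 1)

def is_aligned(network: str, wildcard: str) -> bool:
    """'Each block size must start at 0': the network may not set any bit
    in a position where the wildcard says don't-care."""
    return _int(network) & _int(wildcard) == 0

def matches(network: str, wildcard: str, address: str) -> bool:
    """Cisco wildcard semantics: 0 bit = must match exactly, 1 bit = any value."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(network) ^ _int(address)) & care == 0

if __name__ == "__main__":
    # Slide 10: block 172.16.8.0 through 172.16.15.0 (eight /24s, block size 8)
    print(wildcard_for_range("172.16.8.0", "172.16.15.255"))   # ('172.16.8.0', '0.0.7.255')
    print(matches("172.16.8.0", "0.0.7.255", "172.16.15.200"))  # True
    print(is_aligned("172.16.92.0", "0.0.7.255"))               # False: 92 is not a multiple of 8
```

The last check is worth running against any entry you write: 172.16.92.0 0.0.7.255 (used in slide 23) breaks the "start at 0" rule, and IOS quietly stores it as 172.16.88.0 0.0.7.255, so it also covers 172.16.88.0 through 172.16.91.255.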

  11. Standard IP access-list
  • In a standard access-list only the source address is specified
  • Its number ranges from 1 – 99
  • It is generally applied to the interface nearest the destination

  12. Creating a standard access-list
  • Creating a standard IP access list:
    Router(config)#access-list 10 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
  • Permit or deny?
    Router(config)#access-list 10 deny ?
      Hostname or A.B.C.D  Address to match
      any                  Any source host
      host                 A single host address
  • Using the host command
    Router(config)#access-list 10 deny host 172.16.30.2

  13. Example - 1
  Condition: The sales network cannot access the marketing network; others can access the marketing network. (Diagram: sales 10.0.0.0/8, marketing 20.0.0.0/8)
  Router(config)#access-list 15 deny 10.0.0.0 0.255.255.255
  Router(config)#access-list 15 permit any
  Router(config)#int ethernet2
  Router(config-if)#ip access-group 15 out

  14. Example - 2
  Condition: The human resources department can only access the human resources server located on the Lab_B router. Others are not allowed.
  Lab_b(config)#access-list 11 permit 192.168.10.160 0.0.0.31
  Lab_b(config)#access-list 11 deny any
  Lab_b(config)#int ethernet0
  Lab_b(config-if)#ip access-group 11 out

  15. Example - 3
  • Conditions
    • Network 172.16.144.0 cannot access the internet; others can access the internet
    • Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0
  Router(config)#access-list 10 deny 172.16.144.0 0.0.31.255
  Router(config)#access-list 10 permit any
  Router(config)#int serial 0
  Router(config-if)#ip access-group 10 out
  Router(config)#access-list 11 deny host 172.16.144.17
  Router(config)#access-list 11 deny host 172.16.50.173
  Router(config)#access-list 11 permit any
  Router(config)#int Ethernet 3
  Router(config-if)#ip access-group 11 out

  16. VTY (Telnet) Control
  • Why?
    • Without an ACL any user can Telnet into the router via VTY and gain access
  • Controlling access
    • Create a standard IP access list permitting only the host/hosts authorized to Telnet into the router
    • Apply the ACL to the VTY lines with the access-class command

  17. Example
  Lab_A(config)#access-list 50 permit 172.16.10.3
  Lab_A(config)#line vty 0 4
  Lab_A(config-line)#access-class 50 in

  18. Extended IP Access-list
  • Allows you to choose...
    • IP source address
    • IP destination address
    • Protocol
    • Port number
  • Uses the numbers 100-199

  19. Extended IP access-list steps
  #1: Select the access list:
  RouterA(config)#access-list 110
  #2: Decide on deny or permit:
  RouterA(config)#access-list 110 deny
  #3: Choose the protocol type:
  RouterA(config)#access-list 110 deny tcp
  #4: Choose the source IP address of the host or network:
  RouterA(config)#access-list 110 deny tcp any
  #5: Choose the destination IP address:
  RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
  #6: Choose the type of service, port and logging:
  RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

  20. Continued
  RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
  RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
  RouterA(config-if)#ip access-group 110 in
  or
  RouterA(config-if)#ip access-group 110 out

  21. Example - 1
  Condition: The sales network cannot access the marketing network; others can access the marketing network. (Diagram: sales 10.0.0.0/8, marketing 20.0.0.0/8)
  Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
  Router(config)#access-list 101 permit ip any any
  Router(config)#int ethernet2
  Router(config-if)#ip access-group 101 out

  22. Example - 2
  Condition: The human resources department can only access the human resources server located on the Lab_B router. Others are not allowed.
  Lab_b(config)#access-list 110 permit ip 192.168.10.160 0.0.0.31 192.168.10.192 0.0.0.31
  Lab_b(config)#access-list 110 deny ip any any
  Lab_b(config)#int ethernet0
  Lab_b(config-if)#ip access-group 110 out

  23. Example - 3
  • Conditions
    • Network 172.16.144.0 cannot access the FTP service on the internet; others can access it
    • Hosts 172.16.144.17 and 172.16.50.173 cannot access network 172.16.92.0
  Router(config)#access-list 110 deny tcp 172.16.144.0 0.0.31.255 any eq 21
  Router(config)#access-list 110 permit tcp any any
  Router(config)#int serial 0
  Router(config-if)#ip access-group 110 out
  Router(config)#access-list 111 deny ip host 172.16.144.17 172.16.92.0 0.0.7.255
  Router(config)#access-list 111 deny ip host 172.16.50.173 172.16.92.0 0.0.7.255
  Router(config)#access-list 111 permit ip any any
  Router(config)#int Ethernet 3
  Router(config-if)#ip access-group 111 out
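An added Python model (not the student guide's own code) of the matching rules from slide 5 applied to the extended entries of slide 23 and, via the default destination of any, to the standard entries of slides 13 to 15: lines are checked in order, the first match decides, and an unmatched packet falls through to the implicit deny. The Ace class, the evaluate function and the sample packet are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = 0.0.0.0 255.255.255.255 (slide 9)

def host(addr: str) -> tuple:
    return (addr, "0.0.0.0")           # 'host' keyword = wildcard 0.0.0.0

def _matches(pair: tuple, address: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in pair)
    return (net ^ int(ipaddress.IPv4Address(address))) & ~wild & 0xFFFFFFFF == 0

@dataclass(frozen=True)
class Ace:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip' matches everything, else 'tcp'/'udp'/'icmp'
    src: tuple                     # (network, wildcard) of the source
    dst: tuple = ANY               # standard ACLs only look at the source
    dport: Optional[int] = None    # 'eq <port>' on the destination; None = any port

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Slide 5: compare line by line, stop at the first match, implicit deny at the end.
    Returns (action, line number) or ('deny', None) for the implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action, line
    return "deny", None

# Slide 23, access-list 110: no FTP (tcp/21) from 172.16.144.0 0.0.31.255, other TCP allowed.
ACL_110 = [
    Ace("deny", "tcp", ("172.16.144.0", "0.0.31.255"), ANY, 21),
    Ace("permit", "tcp", ANY, ANY),
]
# Slide 23, access-list 111: two hosts may not reach 172.16.92.0 0.0.7.255.
ACL_111 = [
    Ace("deny", "ip", host("172.16.144.17"), ("172.16.92.0", "0.0.7.255")),
    Ace("deny", "ip", host("172.16.50.173"), ("172.16.92.0", "0.0.7.255")),
    Ace("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    # Constructed sample packet: FTP from a host inside the blocked network.
    print(evaluate(ACL_110, "tcp", "172.16.150.9", "203.0.113.5", 21))   # ('deny', 1)
```

Feeding access-list 110 a UDP packet (for example DNS, port 53) returns the implicit deny, because permit tcp any any followed by the implicit deny drops every non-TCP packet from the "others" too; permit ip any any is what the stated condition actually needs.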

  24. Named Access-list
  • Another way to create standard and extended access lists.
  • Allows the use of descriptive names to ease network management.
  • Syntax changes:
    Lab_A(config)#ip access-list standard BlockSales
    Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
    Lab_A(config-std-nacl)#permit any

  25. Monitoring IP access-lists
  • Display all access lists and their parameters: show access-list
  • Show only the parameters for access list 110: show access-list 110
  • Show only the IP access lists configured: show ip access-list
  • Show which interfaces have access lists set: show ip interface
  • Show the access lists and which interfaces have access lists set: show running-config
