8/7/2019 Chapter 8 vN.1
Basic IP Traffic Management with Access Control Lists
Chapter 8
Chapter Objectives
- Introduce ACL concepts
- Explain the types of ACL
- Configure ACL
- Introduce wildcard masks
- Verify ACL
Recall - I
- IGRP is a distance-vector routing protocol, which implies that each router sends all or a part of its routing table in a routing message update
- EIGRP was created using IGRP as the base and adding additional functionality to enhance IGRP
- The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which enables it to determine the shortest route to each destination
- When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network
Recall - II
OSPF provides the following advantages:
- Open protocol
- Loop free topology
- Scalable
- Hierarchical design
- Provides multicasting
There are different OSPF area types that help to handle external routes:
- Normal area
- Stub area
- Totally stubby area
- Not-so-stubby area
Access Control List - I
An Access Control List (ACL) is a set of commands, which are grouped together to filter the traffic that enters or leaves an interface. The functions of ACLs include the following:
- Reduce the network traffic and increase the network performance
- Control the flow of traffic in the network
- Provide security for network access
- Make decisions about the type of network traffic to be forwarded or restricted on an interface
Access Control List - II
You must also specify one of the following directions in which the traffic should be filtered:
- Inbound
- Outbound
The access lists are available in the following two types:
- Numbered ACL
- Named ACL
Each of these ACL types supports two kinds:
- Standard ACL
- Extended ACL
ACL Processing
- ACLs are statements, which are grouped together by using a name or number
- When an ACL processes a packet on the router, the router performs a number of steps to find a match among the group of statements
- The router processes each ACL in a top-down approach
- If the router is not able to match the packet to the first ACL statement, then the router continues with the next statement, following the same process
Configuring ACL
- You must know the guidelines to configure the ACL
- You can use the access-list command to create an ACL
- The syntax to create an ACL is:
  access-list ACL_# permit|deny conditions
- To activate the ACL on the interface, enter the following at the command prompt:
  interface type slot_#/port_#
  ip access-group ACL_# in|out
ACL Numbers and Protocol Types - I
Type                                     Numbers
IP Standard                              1-99, 1300-1999
Standard Vines                           1-99
IP Extended                              100-199, 2000-2699
Extended Vines                           100-199
Bridging type code (layer-2)             200-299
DECnet                                   300-399
Standard XNS                             400-499
Extended XNS                             500-599
AppleTalk                                600-699
ACL Numbers and Protocol Types - II
Type                                     Numbers
Bridging MAC address and vendor code     700-799
IPX Standard                             800-899
IPX Extended                             900-999
IPX SAP filters                          1000-1099
Extended transparent bridging            1100-1199
IPX NLSP                                 1200-1299
Editing Entries
- You may need to add, delete or modify an entry in the ACL
- In a numbered ACL, you cannot delete a specific entry
- The no access-list command allows you to delete an ACL. The syntax of the command is:
  no access-list number
- The no access-list ACL_# command deletes the entire list
Wildcard Masking
- Wildcard masks can be used for matching a range of IP addresses in an ACL, instead of manually entering each address
- A wildcard mask bit of 0 or 1 in a given bit position implies the following:
  0 - Specifies that the bit position of the ACL statement address must match the bit position in the IP address of the packet that is to be examined
  1 - Specifies that the bit position of the ACL statement address does not have to match the bit position in the IP address of the packet that is to be examined
Subnet Masks and Wildcard Masks
Values
Bit Value   Subnet Mask          Wildcard Mask
0           Host component       Must match
1           Network component    Ignore
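The bit rule and the mask inversion in the two slides above, worked in Python as an added example (not code from the chapter): it derives a wildcard mask from a subnet mask, builds the source_address wildcard_mask pair for a network, and applies the 0 = must match / 1 = ignore rule bit by bit. The sample addresses are constructed; the last function also shows a non-contiguous wildcard, which goes beyond the slide's inverted-subnet-mask case.

```python
import ipaddress

def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert every bit of a dotted-decimal subnet mask to get the wildcard mask."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))

def acl_source_for(cidr: str) -> str:
    """Build the 'source_address wildcard_mask' pair for a network in CIDR form."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {wildcard_from_subnet_mask(str(net.netmask))}"

def wildcard_match(acl_address: str, wildcard: str, packet_address: str) -> bool:
    """Apply the rule from the slide: wildcard bit 0 means the packet bit must
    equal the statement bit, wildcard bit 1 means that bit is ignored."""
    a = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    p = int(ipaddress.IPv4Address(packet_address))
    care = w ^ 0xFFFFFFFF              # positions whose wildcard bit is 0
    return (a & care) == (p & care)

def matching_hosts(acl_address: str, wildcard: str, candidates):
    """Filter a list of addresses the way one ACL statement would."""
    return [c for c in candidates if wildcard_match(acl_address, wildcard, c)]

if __name__ == "__main__":
    print(acl_source_for("172.16.32.0/20"))            # 172.16.32.0 0.0.15.255
    # Constructed non-contiguous wildcard: low bit of the third octet must be 0,
    # so only even-numbered /24 subnets of 10.0.0.0 match
    print(matching_hosts("10.0.0.0", "0.0.254.255", ["10.0.6.1", "10.0.7.1", "10.0.8.9"]))
```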
Standard Numbered ACL
- You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
  access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
- After creating the standard ACL, you must activate it on the router's interface
- The ip access-group command below enables you to activate the ACL on the interface:
  ip access-group ACL_number in|out
Extended Numbered ACLs
- The extended numbered ACLs are more flexible as compared to the standard ACLs
- The syntax of the command to configure an extended numbered ACL is:
  access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
TCP and UDP
- The extended ACL can filter the traffic on IP protocols such as TCP and UDP
- The syntax of the command that allows you to configure an extended ACL for TCP or UDP is:
  access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]
Operators for TCP and UDP
Operator    Description
lt          Less than
gt          Greater than
neq         Not equal to
eq          Equal to
range       Range of port numbers
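An added example (not code from the chapter) that parses extended TCP/UDP statements written in the syntax of the previous slide, applies the five operators above, and evaluates packets top-down so that the first matching statement decides; the implicit deny at the end of every Cisco ACL is shown as the fall-through result. The sample ACL and packets are constructed, and the port names come from the chapter's own TCP and UDP tables.

```python
import ipaddress
# Port names taken from the chapter's TCP and UDP tables
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}

def wildcard_match(acl_addr, wildcard, pkt_addr):
    """Wildcard bit 0: packet bit must equal the statement bit; bit 1: ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(acl_addr)) & care) == \
           (int(ipaddress.IPv4Address(pkt_addr)) & care)
def port_match(op, ports, port):
    """Apply one operator from the table above; no operator matches any port."""
    if op is None: return True
    if op == "lt": return port < ports[0]
    if op == "gt": return port > ports[0]
    if op == "eq": return port == ports[0]
    if op == "neq": return port != ports[0]
    return ports[0] <= port <= ports[1]          # range low high
def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)      # name from the tables, or a number
def _take_operator(toks, i):
    """Read an optional 'operator port [port]' group starting at toks[i]."""
    if i < len(toks) and toks[i] in ("lt", "gt", "eq", "neq"):
        return toks[i], [_port(toks[i + 1])], i + 2
    if i < len(toks) and toks[i] == "range":
        return "range", [_port(toks[i + 1]), _port(toks[i + 2])], i + 3
    return None, [], i
def parse_entry(line):
    """access-list N permit|deny tcp|udp src src_wc [op port] dst dst_wc [op port] [log]"""
    t = line.split()
    sop, sports, i = _take_operator(t, 6)        # optional source operator
    dop, dports, _ = _take_operator(t, i + 2)    # optional destination operator
    return {"action": t[2], "proto": t[3], "src": (t[4], t[5], sop, sports),
            "dst": (t[i], t[i + 1], dop, dports)}
def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Top-down: the first matching statement decides; no match is the implicit deny."""
    for n, e in enumerate(map(parse_entry, acl_lines)):
        s_addr, s_wc, sop, sports = e["src"]
        d_addr, d_wc, dop, dports = e["dst"]
        if (e["proto"] == proto and wildcard_match(s_addr, s_wc, src)
                and port_match(sop, sports, sport)
                and wildcard_match(d_addr, d_wc, dst) and port_match(dop, dports, dport)):
            return e["action"], n                  # index of the matching statement
    return "deny", None                            # implicit deny at the end of every ACL

# Constructed sample ACL (not from the chapter): one LAN talking to a web server
ACL_101 = ["access-list 101 permit tcp 10.1.1.0 0.0.0.255 gt 1023 192.0.2.10 0.0.0.0 eq www",
           "access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.0.2.10 0.0.0.0 range ftp-data telnet",
           "access-list 101 permit udp 10.1.1.0 0.0.0.255 192.0.2.0 0.0.0.255 eq dns log"]
```

A packet that reaches the end of ACL_101 without matching, such as SMTP to the server, is dropped even though no statement names it.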
TCP Port Names and Numbers
Name          Command Parameter   Number
FTP Data      ftp-data            20
FTP Control   ftp                 21
Telnet        telnet              23
SMTP          smtp                25
WWW           www                 80
UDP Port Names and Numbers
Name          Command Parameter   Number
DNS Query     dns                 53
TFTP          tftp                69
SNMP          snmp                161
IP RIP        rip                 520
ICMP
- ICMP is one of the protocols used with extended ACLs
- ICMP does not use ports like TCP and UDP
- The syntax for filtering ICMP traffic is:
  access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
- The icmp_message parameter enables you to filter on specific ICMP messages
ICMP Messages
Message Type                  Description
administratively-prohibited   Specifies that the packet is filtered
echo                          Enables you to check the destination
echo-reply                    Displays a message in response to the echo message created by ping
host-unreachable              Specifies that the subnet is reachable, but the host is not responding
net-unreachable               Specifies that the network or subnet is not reachable
traceroute                    Enables you to filter based on the traceroute information
Controlling Telnet Access to a Router
- The standard IP ACLs control the telnet access to the router. The access-class command enables you to accomplish this. The syntax of this command is:
  access-class standard_ACL_# in|out
- Cisco routers enable you to restrict telnet access for normal users
- You can configure your router to allow telnet access only for the network administrators
Named ACLs
- Named ACLs support both IP and IPX protocols
- The ip access-list command allows you to create a named ACL. The syntax for this command is:
  ip access-list standard|extended ACL_name
- After creating a named ACL, you have to activate it on the router interface
- The ip access-group command given below enables you to activate the named ACL:
  ip access-group ACL_name in|out
Verifying and Monitoring Access Control Lists
- To view the ACLs that are activated on the router's interfaces, use the following command:
  show ip interfaces
- Cisco allows you to monitor each statement in the ACL. To view the statements in the ACL, use the following commands:
  show access-lists [ACL_#_or_name]
  show ip access-list [ACL_#_or_name]
Placing ACLs
- You have to decide the placement of the ACL depending on the source and destination address to be filtered
- You must consider the following while placing the ACLs:
  - Standard ACL
  - Extended ACL
Case Study
The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from their client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses the standard ACL. The network of the organization appears as shown in the Figure.
Network of the Organization
Problem
Placement of the standard ACL on the router
Suggested Solution
You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server.
Summary - I
- The access control list is a set of commands, which are grouped together, to filter the traffic that enters or leaves an interface
- ACLs are statements, which are grouped together by using a name or number. When an ACL processes a packet on the router, the router performs a number of steps to find a match among the group of statements
- After building an IP ACL, you have to apply it to a process in the IOS
- The extended numbered ACLs are more flexible as compared to the standard ACLs
Summary - II
- If the router locates a match between the packet and a statement, then the router executes one of the two actions that are included with the statement. The actions are:
  - Permit
  - Deny
- A need may arise to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
- To handle the IP addresses in ACL statements, wildcard masks can be used for matching a range of addresses instead of manually entering each one
Summary - III
- A wildcard is similar to an inverted subnet mask. If you want to match on any address in a subnet or network, then you have to take the subnet mask and invert the bit values
- You must consider the following while placing the ACLs:
  - Standard ACL - Needs to be placed close to the destination device that you want to prevent the source from reaching.
  - Extended ACL - Needs to be placed close to the source device. The extended ACL can filter on both the source as well as the destination address
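The standard-ACL placement rule above, applied to the case study's suggested solution, as an added example (not code from the chapter). It models a router with three directly connected networks and checks where "ip access-group 10 in|out" must sit so that the engineers lose the server but keep every other computer. The interface names, addresses and ACL number are constructed placeholders; the figure on the case-study slide is not reproduced.

```python
import ipaddress
# Constructed topology (not from the chapter): three router interfaces
NETWORKS = {"Gi0/0": "10.10.1.0/24",   # new engineers' LAN
            "Gi0/1": "10.10.2.0/24",   # other company computers
            "Gi0/2": "10.10.3.0/24"}   # server segment; the server is 10.10.3.10

def wildcard_match(acl_addr, wildcard, pkt_addr):
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(acl_addr)) & care) == \
           (int(ipaddress.IPv4Address(pkt_addr)) & care)

def parse_standard(line):
    """access-list 1-99 permit|deny source [wildcard] [log]; wildcard defaults to 0.0.0.0."""
    t = line.split()
    wildcard = t[4] if len(t) > 4 and t[4] != "log" else "0.0.0.0"
    return t[2], t[3], wildcard

def standard_acl_decides(acl_lines, src):
    """Standard ACLs look only at the source address; the first match wins."""
    for action, addr, wc in map(parse_standard, acl_lines):
        if wildcard_match(addr, wc, src):
            return action
    return "deny"                     # implicit deny at the end of the list

def interface_for(address):
    """Interface whose directly connected network contains the address."""
    for name, net in NETWORKS.items():
        if ipaddress.ip_address(address) in ipaddress.ip_network(net):
            return name
    raise ValueError(f"no route for {address}")

def forwarded(acl_lines, placement, src, dst):
    """placement is (interface, 'in'|'out'), i.e. where 'ip access-group N in|out' sits.
    Inbound ACLs see packets arriving on the interface (source on that interface's
    network); outbound ACLs see packets leaving towards the destination's network."""
    iface, direction = placement
    checked = interface_for(src) if direction == "in" else interface_for(dst)
    if checked == iface and standard_acl_decides(acl_lines, src) == "deny":
        return False
    return True

# The case-study ACL: block the engineers' LAN, permit everyone else
ACL_10 = ["access-list 10 deny 10.10.1.0 0.0.0.255",
          "access-list 10 permit 0.0.0.0 255.255.255.255"]

def engineers_can_reach(placement):
    """(reaches the server, reaches other computers) for an engineer's host."""
    return (forwarded(ACL_10, placement, "10.10.1.5", "10.10.3.10"),
            forwarded(ACL_10, placement, "10.10.1.5", "10.10.2.20"))
```

Placed inbound on the engineers' interface the ACL also cuts them off from the other computers, which is why the slide puts a standard ACL close to the destination, here outbound on the server interface.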