Chapter 8 vN.1


  • 8/7/2019 Chapter 8 vN.1

    1/32

    Basic IP Traffic Management with Access Control Lists

    Chapter 8


    Chapter 8 2

    Chapter Objectives

    Introduce ACL concepts
    Explain the types of ACL
    Configure ACL
    Introduce wildcard masks
    Verify ACL


    Recall - I

    IGRP is a distance-vector routing protocol, which implies that each router sends all or part of its routing table in a routing update message
    EIGRP was created using IGRP as the base and adding functionality to enhance IGRP
    The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which determines the shortest route to each destination
    When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network


    Recall - II

    OSPF provides the following advantages:
    Open protocol
    Loop-free topology
    Scalable
    Hierarchical design
    Provides multicasting

    There are different OSPF area types that help to handle external routes:

    Normal area
    Stub area
    Totally stubby area
    Not-so-stubby area


    Access Control List - I

    An Access Control List (ACL) is a set of commands, which are grouped together to filter the traffic that enters or leaves an interface
    The functions of ACLs include the following:

    Reduce the network traffic and increase the network performance
    Control the flow of traffic in the network
    Provide security for network access
    Decide which types of traffic are forwarded or restricted on an interface


    Access Control List - II

    You must also specify one of the following directions in which the traffic should be filtered:

    Inbound
    Outbound

    Access lists are available in the following two types:

    Numbered ACL
    Named ACL

    Each of these supports two types:
    Standard ACL
    Extended ACL


    ACL Processing

    ACLs are statements, which are grouped together by using a name or number
    When an ACL processes a packet on the router, the router works through the group of statements, performing a number of steps to find a match for the packet
    The router processes each ACL in a top-down approach

    If the router does not find a match between the packet and the first ACL statement, it continues with the next statement, following the same process


    Configuring ACL

    You must know the guidelines to configure an ACL
    You can use the access-list command to create an ACL

    The syntax to create an ACL is:
    access-list ACL_# permit|deny conditions
    To activate the ACL on an interface, enter the following at the command prompt:

    interface type slot_#/port_#
    ip access-group ACL_# in|out


    ACL Numbers and Protocol Types - I

    Type                             Numbers
    IP Standard                      1-99, 1300-1999
    Standard Vines                   1-99
    IP Extended                      100-199, 2000-2699
    Extended Vines                   100-199
    Bridging type code (layer-2)     200-299
    DECnet                           300-399
    Standard XNS                     400-499
    Extended XNS                     500-599
    AppleTalk                        600-699


    ACL Numbers and Protocol Types - II

    Bridging MAC address and vendor code   700-799
    IPX Standard                           800-899
    IPX Extended                           900-999
    IPX SAP filters                        1000-1099
    Extended transparent bridging          1100-1199
    IPX NLSP                               1200-1299


    Editing Entries

    You may need to add, delete or modify an entry in the ACL
    In a numbered ACL, you cannot delete a specific entry
    The no access-list command allows you to delete an ACL. The syntax of the command is:
    no access-list ACL_#

    The no access-list ACL_# command deletes the entire list, not a single entry


    Wildcard Masking

    Wildcard masks can be used for matching a range of IP addresses in an ACL, instead of entering each address manually
    A wildcard mask bit of 0 or 1 in a bit position implies the following:

    0 - The bit in that position of the ACL statement address must match the bit in the same position of the IP address of the packet being examined
    1 - The bit in that position of the ACL statement address does not have to match the bit in the same position of the IP address of the packet being examined
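    The wildcard-mask rule above, together with the top-down processing described under ACL Processing, can be checked in a small simulator. The Python below is an added example written for this page, not code from the slides or from Cisco IOS: it inverts a subnet mask into a wildcard mask, tests one address against an ACL statement bit by bit, parses a constructed standard numbered ACL (the `host` and `any` keywords are IOS shorthand for a 0.0.0.0 and a 255.255.255.255 wildcard), and evaluates source addresses in top-down, first-match order. A packet that matches no statement falls through to the implicit deny that IOS appends to every ACL; the slides do not state this, but it is why a list containing only deny statements blocks all traffic.

```python
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the equivalent wildcard mask.
    255.255.255.0 (match the first 24 bits) becomes 0.0.0.255 (ignore the last 8)."""
    inverted = int(ipaddress.IPv4Address(subnet_mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True when every bit position holding a 0 in the wildcard agrees between the
    packet address and the ACL statement address; positions holding a 1 are ignored."""
    diff = int(ipaddress.IPv4Address(packet_addr)) ^ int(ipaddress.IPv4Address(acl_addr))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return diff & care == 0


def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny source [wildcard] [log]' statements in the
    order written, because the router evaluates them top-down."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard IP ACL number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest[0] == "any":                    # IOS shorthand for 0.0.0.0 255.255.255.255
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":                 # IOS shorthand for <addr> 0.0.0.0
            addr, wc = rest[1], "0.0.0.0"
        else:                                   # explicit address; wildcard defaults to 0.0.0.0
            addr = rest[0]
            wc = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        entries.append((action, addr, wc))
    return entries


def evaluate_standard_acl(entries, source_addr):
    """Return (action, 1-based line that matched). Processing stops at the first match;
    a packet matching no line hits the implicit deny, reported with line None."""
    for index, (action, addr, wc) in enumerate(entries, start=1):
        if wildcard_match(source_addr, addr, wc):
            return action, index
    return "deny", None


# Constructed sample ACL 10 (not from the slides): block one subnet, permit the
# rest of 192.168.0.0/16, and permit a single management host.
SAMPLE_ACL_10 = [
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit 192.168.0.0 0.0.255.255",
    "access-list 10 permit host 10.1.1.5",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL_10)
    for src in ("192.168.1.77", "192.168.5.9", "10.1.1.5", "10.1.1.6"):
        print(src, evaluate_standard_acl(acl, src))
```

    Note that the order of the three statements is what makes the sample work: if the permit for 192.168.0.0/16 were written first, the deny for 192.168.1.0/24 would never be reached, since the router stops at the first match.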


    Subnet Masks and Wildcard Masks

    Bit Value   Subnet Mask          Wildcard Mask
    0           Host component       Must match
    1           Network component    Ignore


    Standard Numbered ACL

    You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
    access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
    After creating the standard ACL, you must activate it on the router's interface
    The ip access-group command below enables you to activate the ACL on the interface:
    ip access-group ACL_number in|out


    Extended Numbered ACLs

    The extended numbered ACLs are more flexible as compared to the standard ACLs
    The syntax of the command to configure an extended numbered ACL is:
    access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]


    TCP and UDP

    The extended ACL can filter the traffic on IP protocols such as TCP and UDP
    The syntax of the command that allows you to configure an extended ACL for TCP or UDP is:
    access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]


    Operators for TCP and UDP

    Operator   Description
    lt         Less than
    gt         Greater than
    neq        Not equal to
    eq         Equal to
    range      Range of port numbers


    TCP Port Names and Numbers

    Name          Command Parameter   Number
    FTP Data      ftp-data            20
    FTP Control   ftp                 21
    Telnet        telnet              23
    SMTP          smtp                25
    WWW           www                 80


    UDP Port Names and Numbers

    Name        Command Parameter   Number
    DNS Query   dns                 53
    TFTP        tftp                69
    SNMP        snmp                161
    IP RIP      rip                 520


    ICMP

    ICMP is one of the protocols used with extended ACLs
    ICMP does not use ports like TCP and UDP do

    The syntax for filtering ICMP traffic is:
    access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
    The icmp_message parameter lets you match specific ICMP messages


    ICMP Messages

    Message Type                 Description
    administratively-prohibited  Specifies that the packet is filtered
    echo                         Enables checking of the destination
    echo-reply                   Displays a message in response to the echo message created by ping
    host-unreachable             Specifies that the subnet is reachable, but the host is not responding
    net-unreachable              Specifies that the network or subnet is not reachable
    traceroute                   Enables filtering based on the traceroute information
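    Extended ACLs add the protocol, the destination address, the port operators, the established keyword and the ICMP message names to the match, and the slides from Extended Numbered ACLs through ICMP Messages describe each piece of that syntax. The evaluator below is an added example for this page, not code from the slides or from Cisco: it parses a constructed extended ACL 101 written in the syntax shown above, resolves port names from the TCP and UDP tables (with the names exactly as the slides list them), applies the lt/gt/neq/eq/range operators, treats established as matching TCP segments that carry the ACK or RST flag, matches an optional ICMP message name, and evaluates packets top-down with the implicit deny at the end. Packets are plain dictionaries constructed inline; `any` and `host` are IOS shorthand for the 255.255.255.255 and 0.0.0.0 wildcards.

```python
import ipaddress

# Port names as listed in the slides' TCP and UDP port tables.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}
OPERATORS = ("lt", "gt", "neq", "eq", "range")


def _addr_match(packet_addr, acl_addr, wildcard):
    """Wildcard comparison: bits with a 0 in the wildcard must match, 1 bits are ignored."""
    diff = int(ipaddress.IPv4Address(packet_addr)) ^ int(ipaddress.IPv4Address(acl_addr))
    return diff & (int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF) == 0


def _port(token):
    """A port may be written as a name from the table or as a plain number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def port_matches(operator, operands, port):
    """Apply an lt/gt/neq/eq/range operator to a packet port; no operator matches any port."""
    if operator is None:
        return True
    if operator == "range":
        return operands[0] <= port <= operands[1]
    return {"lt": port < operands[0], "gt": port > operands[0],
            "eq": port == operands[0], "neq": port != operands[0]}[operator]


def _take_address(tokens, i):
    """Consume 'any', 'host A' or 'A W' at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":                       # IOS shorthand for 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                      # IOS shorthand for A 0.0.0.0
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _take_operator(tokens, i):
    """Consume an optional port operator; return (operator, operands, next index)."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        count = 2 if tokens[i] == "range" else 1
        operands = tuple(_port(t) for t in tokens[i + 1:i + 1 + count])
        return tokens[i], operands, i + 1 + count
    return None, (), i


def parse_extended_acl(config_lines):
    """Parse extended ACL statements in the order written (the router evaluates top-down)."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        e = {"action": t[2], "proto": t[3]}
        i = 4
        e["src"], e["src_wc"], i = _take_address(t, i)
        e["src_op"], e["src_ports"], i = _take_operator(t, i)
        e["dst"], e["dst_wc"], i = _take_address(t, i)
        e["dst_op"], e["dst_ports"], i = _take_operator(t, i)
        trailing = [x for x in t[i:] if x != "log"]
        e["established"] = "established" in trailing
        names = [x for x in trailing if x != "established"]
        e["icmp_message"] = names[0] if e["proto"] == "icmp" and names else None
        entries.append(e)
    return entries


def evaluate_extended_acl(entries, pkt):
    """First match wins, top-down; no match means the implicit deny, reported as line None.
    pkt keys: proto, src, dst; sport/dport for tcp/udp; flags (a set) for tcp; icmp_message for icmp."""
    for index, e in enumerate(entries, start=1):
        if e["proto"] not in (pkt["proto"], "ip"):
            continue
        if not (_addr_match(pkt["src"], e["src"], e["src_wc"])
                and _addr_match(pkt["dst"], e["dst"], e["dst_wc"])):
            continue
        if pkt["proto"] in ("tcp", "udp") and not (
                port_matches(e["src_op"], e["src_ports"], pkt["sport"])
                and port_matches(e["dst_op"], e["dst_ports"], pkt["dport"])):
            continue
        # 'established' matches TCP segments carrying ACK or RST, never a fresh SYN
        if e["established"] and not (pkt["proto"] == "tcp" and pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        if e["icmp_message"] and pkt.get("icmp_message") != e["icmp_message"]:
            continue
        return e["action"], index
    return "deny", None


# Constructed ACL 101 (not from the slides): 10.0.0.0/8 is the inside network.
SAMPLE_ACL_101 = [
    "access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq www",
    "access-list 101 permit tcp any 10.0.0.0 0.255.255.255 established",
    "access-list 101 permit udp any host 10.0.0.53 eq dns",
    "access-list 101 deny udp any any range 1 1023",
    "access-list 101 permit udp any any",
    "access-list 101 permit icmp any any echo-reply",
]

if __name__ == "__main__":
    acl = parse_extended_acl(SAMPLE_ACL_101)
    web = {"proto": "tcp", "src": "10.1.2.3", "sport": 40000,
           "dst": "203.0.113.10", "dport": 80, "flags": {"SYN"}}
    print(evaluate_extended_acl(acl, web))       # ('permit', 1)
```

    Two ordering points show up when you run it: the deny for UDP ports 1-1023 sits after the permit for the DNS server, so swapping those two lines would silently break name resolution, and an inbound TCP SYN to an inside host is dropped by the implicit deny even though the established line permits the returning half of outbound connections.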


    Controlling Telnet Access to a Router

    Standard IP ACLs control telnet access to the router. The access-class command enables you to accomplish this. The syntax of this command is:
    access-class standard_ACL_# in|out
    Cisco routers enable you to restrict telnet access for normal users
    You can configure your router to allow telnet access only for the network administrators


    Named ACLs

    Named ACLs support both IP and IPX protocols
    The ip access-list command allows you to create a named ACL
    The syntax for this command is:
    ip access-list standard|extended ACL_name
    After creating a named ACL, you have to activate it on the router interface
    The ip access-group command given below enables you to activate the named ACL:
    ip access-group ACL_name in|out


    Verifying and Monitoring Access Control Lists

    To view the ACLs that are activated on the router's interfaces, use the following command:

    show ip interfaces
    Cisco allows you to monitor each statement in the ACL. To view the statements in the ACL, use the following commands:

    show access-lists [ACL_#_or_name]
    show ip access-list [ACL_#_or_name]


    Placing ACLs

    You have to decide the placement of the ACL depending on the source and destination addresses to be filtered
    You must consider the following while placing the ACLs:

    Standard ACL
    Extended ACL


    Case Study

    The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from their client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.


    Network of the Organization


    Problem

    Placement of the standard ACL on the router


    Suggested Solution

    You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all the other computers in the network but not the server


    Summary - I

    The access control list is a set of commands, which are grouped together to filter the traffic that enters or leaves an interface
    ACLs are statements, which are grouped together by using a name or number. When an ACL processes a packet on the router, the router works through the group of statements, performing a number of steps to find a match for the ACL statements

    After building an IP ACL, you have to apply it to a process in the IOS
    The extended numbered ACLs are more flexible as compared to the standard ACLs


    Summary - II

    If the router locates a match between the packet and a statement, the router executes one of the two actions that are included with the statement. The actions are:

    Permit
    Deny

    A need may arise to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
    To handle the IP addresses in ACL statements, wildcard masks can be used for matching a range of addresses instead of entering each one manually


    Summary - III

    A wildcard mask is similar to an inverted subnet mask. If you want to match any address in a subnet or network, take the subnet mask and invert the bit values
    You must consider the following while placing the ACLs:

    Standard ACL - Needs to be placed close to the destination device that you want to prevent the source from reaching, because it can filter only on the source address.

    Extended ACL - Needs to be placed close to the source device. The extended ACL can filter on both the source and the destination address