CCNA Basics
1/13
1/10/2015
http://ccnabasics.com/category/i-access-control-and-nat/
The access-list number is used to identify the access-list. If a number between 1-99 is chosen as an
access-list-number, it is a standard access list. If a number is chosen between 100-199, it is an extended
access-list.
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Standard IP ACL configuration:
Step 1:
Turning the ACL on:
Enter configuration mode and select the interface where you want to apply the filter. A list of access-list statements is referred to as a group, and it is bound to the interface with the ip access-group command:
ip access-group 101 in
Applies access list 101 to packets arriving inbound on that interface (use out for packets leaving it).
Performance issues:
Access list filters exact a toll on router performance
Some performance-enhancing features built into routers will not work if access lists are used
The longer the access list, the more work the router will have to perform every time a packet has to
be processed
Working of ACLs:
ACLs check packet and upper layer headers.
EXAMPLE:
1. Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0. Permit all other traffic.
2. Deny only Telnet from subnet 172.16.4.0 out E0. Permit all other traffic.
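To make the mechanics above concrete (numbered ranges, wildcard masks, top-down first-match evaluation and the implicit deny at the end of every list), here is a small evaluator for IOS-style numbered ACL statements. It is an added example written for this page, not code from ccnabasics.com or from Cisco; the configuration text, the packets and the two access lists 101 and 102 (which encode the two exercises just above, FTP control on TCP/21 and Telnet on TCP/23) are constructed for the demonstration, and only the `eq <port>` operator is parsed.

```python
"""Numbered IOS-style ACL evaluator (added example; not code from the page).

Parses standard (1-99, 1300-1999) and extended (100-199, 2000-2699)
access-list statements, then evaluates packets top-down: the first
matching entry decides, and a packet matching nothing hits the implicit
'deny any' at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))
ANY = (0, 0xFFFFFFFF)          # network 0.0.0.0 with wildcard 255.255.255.255

def acl_kind(number: int) -> str:
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"{number} is not a valid numbered IP access list")

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int]         # None means any destination port

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask).
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def _parse_addr(tok: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i]; return (net, wild, next i)."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acl(config: str) -> Dict[int, List[Entry]]:
    """Return {acl number: entries in configuration order}."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        if acl_kind(number) == "standard":
            # Standard lists filter on source only; a bare address with no
            # wildcard means that single host (wildcard 0.0.0.0).
            if tok[3] == "any":
                src, wild = ANY
            elif tok[3] == "host":
                src, wild = _ip(tok[4]), 0
            else:
                src, wild = _ip(tok[3]), (_ip(tok[4]) if len(tok) > 4 else 0)
            entry = Entry(action, "ip", src, wild, ANY[0], ANY[1], None)
        else:
            proto = tok[3]
            src, src_wild, i = _parse_addr(tok, 4)
            dst, dst_wild, i = _parse_addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            entry = Entry(action, proto, src, src_wild, dst, dst_wild, port)
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Walk the list top-down; the first match wins, no match is denied."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _wild_match(_ip(pkt.src), e.src, e.src_wild):
            continue
        if not _wild_match(_ip(pkt.dst), e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"                   # implicit deny any

# Constructed sample: the page's two exercises as extended lists 101 and 102
# (FTP control is TCP/21, Telnet is TCP/23; both would be applied 'out' on E0).
SAMPLE_CONFIG = """
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
access-list 102 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 102 permit ip any any
"""
ACLS = parse_acl(SAMPLE_CONFIG)
```

Two things the evaluator makes visible that the prose only states: an empty or fully non-matching list denies everything, so a list consisting of deny statements alone blocks all traffic on the interface, and order matters, because swapping the two lines of list 101 would let the `permit ip any any` match first and the FTP deny would never be reached. Real IOS also matches the FTP data channel and established-state keywords differently; this parser deliberately handles only what the page introduces.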
SUMMARY
Following the ACL configuration guidelines and commands is important to successfully
implement ACLs.
To configure standard IP ACLs on a Cisco router, you must create a standard IP ACL and apply an
ACL on an interface.
To configure extended IP ACLs on a Cisco router, you must create an extended IP access list range
and apply an ACL on an interface.
The named ACL feature allows you to identify IP standard and extended ACLs with an
alphanumeric string (name) instead of the current numeric (1 to 199 and 1300 to 2699)
representations.
For security purposes, you can deny Telnet access to or from a router's VTY ports. Restricting Telnet
access is primarily a technique for increasing network security.
ACLs are used to control traffic by filtering and eliminating unwanted packets. Proper placement of
an ACL statement can reduce unnecessary traffic.
The show access-lists command can be used to verify ACL configuration.
Posted in i. ACCESS CONTROL AND NAT
August 24, 2012
Host 10.1.1.1 sends an outbound packet to the border router configured with NAT. The router
identifies the source IP address as an inside local address destined for an outside network, translates the
address and records the translation in the NAT table.
The packet is sent out the outside interface with the new translated source address. The external host
sends its reply to that inside global address, and the NAT router translates the inside global IP address
back to the inside local IP address using the NAT table before forwarding the reply to 10.1.1.1.
Advantages & disadvantages of NAT
ADVANTAGES
DISADVANTAGES
NAT names:
Some names are used to describe the addresses used with NAT.
Addresses used after NAT translation are called global addresses. These are usually public
addresses routable on the Internet, but public addresses are not required if the traffic never reaches the Internet.
Local addresses are the ones used before NAT translation. So the inside local address is the private address
of the sending host that is trying to reach the Internet. The outside local address is the address of the
destination host as seen from inside the network; when no translation is configured for outside addresses
(the usual case), it is simply the destination's public address (a web server, for example).
After translation, the inside host is known by its inside global address, and the destination host is
referred to by its outside global address, the address it actually has on the outside network.
Name              Meaning
Inside local      Address of the inside host before translation (usually a private address)
Outside local     Address of the outside (destination) host as seen from the inside network
Inside global     Address of the inside host after translation (usually a public address)
Outside global    Address of the outside (destination) host as seen on the outside network (usually its public address)
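The walkthrough above (10.1.1.1 sending out through the border router, the translation being recorded, the reply being mapped back) and the four address names can be exercised with a small dynamic-NAT simulation. This is an added example written for this page, not code from ccnabasics.com or from Cisco IOS. It assumes dynamic one-to-one NAT from a pool (no PAT/overload) and no translation of outside addresses, so outside local and outside global are the same address; the inside prefix 10.1.1.0/24, the pool 203.0.113.1-2 and the outside host 198.51.100.7 are constructed values from the documentation ranges.

```python
"""Dynamic NAT walkthrough as a simulation (added example; not code from the page).

An inside host's packet leaving the border router has its source rewritten
from an inside local address to an inside global address taken from a pool,
the mapping is recorded in the NAT table, and the reply is mapped back on the
way in. Only addresses present in the table are reachable from outside, so
an outside host cannot reach an inside host that has no entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class Translation:
    inside_local: str      # private address used before translation
    inside_global: str     # pool address used after translation

class NatRouter:
    """Border router doing dynamic NAT from an inside prefix to a pool of inside global addresses."""

    def __init__(self, inside_prefix: str, pool: List[str]):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.free = list(pool)                      # unallocated inside global addresses
        self.by_local: Dict[str, Translation] = {}  # NAT table keyed by inside local
        self.by_global: Dict[str, Translation] = {} # same entries keyed by inside global

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Allocates a pool address on first use; None means dropped."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return pkt                              # not an inside local address: left untouched
        t = self.by_local.get(pkt.src)
        if t is None:
            if not self.free:
                return None                         # pool exhausted, no translation possible
            t = Translation(pkt.src, self.free.pop(0))
            self.by_local[t.inside_local] = t
            self.by_global[t.inside_global] = t
        # No outside-address translation is configured (outside local == outside global),
        # so the destination is forwarded unchanged.
        return Packet(t.inside_global, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Rewrites the destination back; no table entry means dropped."""
        t = self.by_global.get(pkt.dst)
        if t is None:
            return None
        return Packet(pkt.src, t.inside_local)

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': inside global, inside local."""
        return [f"{t.inside_global} {t.inside_local}" for t in self.by_local.values()]

def demo() -> dict:
    """Constructed scenario: 10.1.1.0/24 behind a two-address pool, talking to 198.51.100.7."""
    nat = NatRouter("10.1.1.0/24", ["203.0.113.1", "203.0.113.2"])
    out = nat.outbound(Packet("10.1.1.1", "198.51.100.7"))            # 10.1.1.1 -> 203.0.113.1
    reply = nat.inbound(Packet("198.51.100.7", out.src))              # mapped back to 10.1.1.1
    unsolicited = nat.inbound(Packet("198.51.100.7", "203.0.113.2"))  # no entry yet: dropped
    second = nat.outbound(Packet("10.1.1.2", "198.51.100.7"))         # takes the last pool address
    third = nat.outbound(Packet("10.1.1.3", "198.51.100.7"))          # pool exhausted: dropped
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "second": second, "third": third, "table": nat.show_translations()}
```

On a Cisco router the same behaviour comes from marking interfaces with ip nat inside and ip nat outside, defining the pool with ip nat pool, and tying an ACL that matches the inside local addresses to the pool with ip nat inside source list <acl> pool <pool>; show ip nat translations displays the table the simulation prints. Two caveats the simulation makes visible: a pool that is smaller than the number of inside hosts causes drops once it is exhausted (real routers also age idle entries out, which this code does not), and the "unsolicited inbound is dropped" property is a side effect of the table, not a substitute for an inbound ACL.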