
Chapter 8 Filtering traffic using Access Control Lists

CCNA Discovery 4.0

Introduction

Học viện công nghệ thông tin Bách Khoa - Website: www.bkacad.com


Objectives


Using Access Control Lists


Traffic filtering

Packet filtering can be simple or complex, denying or permitting traffic based on:
- Source IP address
- Destination IP address
- MAC addresses
- Protocols
- Application type

Devices most commonly used to provide traffic filtering are:


Access Control Lists



The primary use of ACLs is to identify the types of packets to accept or deny. ACLs identify traffic for multiple uses such as:
- Specifying internal hosts for NAT
- Identifying or classifying traffic for advanced features such as QoS and queuing
- Restricting the contents of routing updates
- Limiting debug output
- Controlling virtual terminal access to routers

The following potential problems can result from using ACLs:
- The additional load on the router to check all packets means less time to actually forward packets.
- Poorly designed ACLs place an even greater load on the router and might disrupt network usage.
- Improperly placed ACLs block traffic that should be allowed and permit traffic that should be blocked.


Types and Usage of ACLs

Standard ACLs: Standard ACLs filter based on the source IP address of a packet. The identification number can range from 1 to 99 and from 1300 to 1999.

Extended ACLs: Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. The range of numbers for Extended ACLs is from 100 to 199 and from 2000 to 2699.

Named ACLs: Named ACLs (NACLs) are in either Standard or Extended format and are referenced by a descriptive name rather than a number. When configuring named ACLs, the router IOS uses a NACL subcommand mode.


ACL Processing

Each statement either permits or denies traffic based on specified parameters. Traffic is compared to each statement in the ACL sequentially until a match is found or until there are no more statements. The last statement of an ACL is always an implicit deny.


ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.

Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

Using a Wildcard mask


ACL wildcard mask purpose and structure

A wildcard mask uses 0s to indicate the portion of an IP address that must match exactly and 1s to indicate the portion of the IP address that does not have to match a specific number.


Analyzing the Effects of the Wildcard mask

To permit the hosts on the 192.168.77.32 subnet, the ACL statement is:

access-list 44 permit 192.168.77.32 0.0.0.31

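An added example, not from the CCNA slides, that works through the arithmetic behind access-list 44 permit 192.168.77.32 0.0.0.31: which addresses a base/wildcard pair covers, how a wildcard is derived from a prefix length, and a review check that no "don't care" bit is set in the base address (IOS clears such bits when the line is entered, so a mistyped base silently matches the aligned block). The function names are my own.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_matches(candidate, base, wildcard):
    """A 0 bit in the wildcard must match the base exactly; a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)      # bits we still care about
    return (to_int(candidate) & care) == (to_int(base) & care)

def wildcard_for_prefix(prefix_len):
    """The wildcard mask is the bitwise inverse of the subnet mask: /27 -> 0.0.0.31."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ subnet_mask))

def covered_range(base, wildcard):
    """Lowest and highest address a contiguous wildcard can match from this base."""
    w = to_int(wildcard)
    lo = to_int(base) & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))

def base_is_clean(base, wildcard):
    """True when no 'don't care' bit is set in the base address.
    IOS silently clears such bits, so 192.168.77.40 0.0.0.31 is stored and
    matched as 192.168.77.32 0.0.0.31; flag it during review instead."""
    return (to_int(base) & to_int(wildcard)) == 0

if __name__ == "__main__":
    base, wc = "192.168.77.32", "0.0.0.31"               # the slide's statement
    print("covers:", covered_range(base, wc))           # 192.168.77.32 .. 192.168.77.63
    print("/27 wildcard:", wildcard_for_prefix(27))     # 0.0.0.31
    for host in ("192.168.77.33", "192.168.77.63", "192.168.77.64"):
        print(host, "matches" if wildcard_matches(host, base, wc) else "no match")
    print("clean base:", base_is_clean("192.168.77.40", wc))   # False
```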

Configuring Access Control Lists



Placing Standard and Extended ACLs

Planning involves the following steps:
1. Determine the traffic filtering requirements
2. Decide which type of ACL best suits the requirements
3. Determine the router and the interface on which to apply the ACL
4. Determine in which direction to filter traffic

Step 2: Decide Type of ACL to Suit Requirements

Step 3: Determine Router and Interface for ACL

Step 4: Determine Direction to Filter Traffic


Basic ACL Configuration Process


Configuring numbered Standard ACLs


An ACL does not filter traffic until it has been applied, or assigned, to an interface.

show ip interface: Displays IP interface information and indicates any assigned ACLs.

show access-list [access list number]: Displays the contents of all ACLs on the router. It also displays the number of matches for each permit or deny statement since the ACL was applied. To see a specific list, add the ACL name or number as an option for this command.


Configuring numbered Extended ACLs

Extended ACLs use an access-list number in the ranges 100 to 199 and 2000 to 2699. The same rules that apply to Standard ACLs also apply to Extended ACLs:
- Configure multiple statements in one ACL.
- Assign the same ACL number to each statement.
- Use the host or any keywords to represent IP addresses.

Configuring Named ACLs


A Named ACL is created with the command:

ip access-list {standard | extended} name

Editing ACLs with older versions of IOS makes it necessary to:
- Copy the ACL to a text editor.
- Remove the ACL from the router.
- Recreate and apply the edited version.


Configure Router VTY Access


Permitting and Denying Specific Types of Traffic


Configuring ACLs for Application and Port Filtering

The abbreviations most commonly used are:
- eq - equals
- gt - greater than
- lt - less than


Configuring ACLs to Support established traffic

ACLs are often created to protect an internal network from outside sources. However, while protecting the internal network, the ACL should still allow internal users access to all resources. To resolve this issue, it is possible to create a single statement that permits internal users to establish a TCP session with external resources. Once the TCP three-way handshake is accomplished and the connection is established, all packets sent between the two devices will be permitted. To accomplish this, use the keyword established:

access-list 101 permit tcp any any established

Permitting the incoming responses to established communications is a form of Stateful Packet Inspection (SPI).

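An added example, not from the CCNA slides, that models how a router walks a numbered extended ACL: the first matching statement wins, the eq/gt/lt operators from the previous section compare port numbers, and established matches only TCP segments that carry the ACK or RST bit, which is how it admits replies without keeping a connection table. The Packet shape, the sample statements and the helper names are constructed for this example; a port operator is accepted in the positions IOS uses (after the source and after the destination address).

```python
import ipaddress
from collections import namedtuple

# Constructed packet shape; ack_or_rst is True when the TCP ACK or RST bit is set.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}
def addr_matches(candidate, base, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # wildcard 1 bits are 'don't care'
    return (int(ipaddress.IPv4Address(candidate)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _address(tokens):  # 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard, rest)
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def _port(tokens):  # optional 'eq|gt|lt N' -> ((op, N) or None, rest)
    if tokens and tokens[0] in PORT_OPS:
        return (tokens[0], int(tokens[1])), tokens[2:]
    return None, tokens

def parse_entry(line):
    """Parse e.g. 'access-list 101 permit tcp any host 10.1.1.5 eq 80' into a dict."""
    t = line.split()
    e = {"action": t[2], "proto": t[3], "matches": 0}
    e["src"], e["src_wc"], rest = _address(t[4:])
    e["sport"], rest = _port(rest)          # IOS puts a source-port operator here
    e["dst"], e["dst_wc"], rest = _address(rest)
    e["dport"], rest = _port(rest)
    e["established"] = rest == ["established"]
    return e

def _matches(e, p):
    if e["proto"] != "ip" and e["proto"] != p.proto:   # 'ip' covers tcp, udp and icmp
        return False
    if not (addr_matches(p.src, e["src"], e["src_wc"]) and addr_matches(p.dst, e["dst"], e["dst_wc"])):
        return False
    for key, port in (("sport", p.sport), ("dport", p.dport)):
        if e[key] and not PORT_OPS[e[key][0]](port, e[key][1]):
            return False
    return not e["established"] or (p.proto == "tcp" and p.ack_or_rst)  # no state kept: flag test only

def evaluate(acl, p):
    """Sequential first-match processing; the unwritten last line is 'deny'."""
    for e in acl:
        if _matches(e, p):
            e["matches"] += 1      # the counter that 'show access-list' displays
            return e["action"]
    return "deny"
```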

Effects of NAT and PAT on ACL Placement


Analyzing Network ACLs and Placement

Administrators need to examine the ACL, one line at a time, and answer the following questions:
- What service does the statement deny?
- What is the source and what is the destination?
- What port numbers are denied?
- What would happen if the ACL was moved to another interface?
- What would happen if the ACL filtered traffic in a different direction?
- Is NAT an issue?

When evaluating an Extended ACL, it is important to remember these key points:
- The keyword tcp permits or denies protocols like FTP, HTTP, Telnet, and so on.
- The key phrase permit ip is used to permit all IP, including any TCP, UDP, and ICMP protocols.


Configuring ACLs with Inter-VLAN Routing

Apply ACLs directly to VLAN interfaces or subinterfaces on a router just as with physical interfaces.


Filtering Traffic Using Access Control Lists


Using logging to verify ACL Functionality



After writing an ACL and applying it to an interface, a network administrator evaluates the number of matches. When the fields of an incoming packet are equal to all ACL comparison fields, this is a match. Viewing the number of matches helps to identify whether the ACL statements are having the desired effect. By default, an ACL statement captures the number of matches and displays them at the end of each statement. View the matches using the following command:

show access-list

The basic match counts that are displayed with the show access-list command provide the number of ACL statements matched and the number of packets processed. The output does not indicate the source or destination of the packet or the protocols in use.

For additional details on packets permitted or denied, activate a process called logging. Logging activates for individual ACL statements. To activate this feature, add the log option to the end of each ACL statement to be tracked.


Analyzing Router Logs



Logging to the console uses router memory, which is a limited resource. Instead, configure a router to send logging, sometimes called syslog messages, to an external server. This method allows viewing the messages in real time and also at a later time. Types of reported events include the status of:
- Router interfaces
- Protocols in use
- Bandwidth usage
- ACL messages
- Configuration events

Syslog software is available from many sources. Syslog is a protocol supported by all network equipment, including switches, routers, firewalls, storage systems, modems, wireless devices, and UNIX hosts.

To use a syslog server, install the software on a Windows, Linux, UNIX, or Mac OS server and configure the router to send logged events to the syslog server. A sample of the command that specifies the IP address of the host where the syslog server is installed is:

logging 192.168.3.11

Use the show clock command to check the date and time setting.

R1>show clock
*00:03:45.213 UTC Mon Mar 1 2007

To set the clock, first set the time zone. Base the time zone on Greenwich Mean Time (GMT) and then set the clock. Note that the clock set command is not used in configuration mode.

To set the time zone:

R1(config)#clock timezone CST -6

To set the clock:

R1#clock set 10:25:00 Sep 10 2007

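An added example, not from the CCNA slides, for the two logging passages above: it reads the lines that ACL statements carrying the log option produce once they reach the syslog server, and totals denied packets per source so the administrator sees who is being blocked and where. The sample lines are constructed in the shape of the IOS %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGS (standard list) messages; the threshold and function names are assumptions. It sums the packet counts carried in the messages rather than counting lines, because IOS logs the first matching packet at once and afterwards only a summary count at five-minute intervals.

```python
import re
from collections import Counter

# Constructed sample lines, as a syslog server would store them (timestamp, router, message).
SAMPLE_LOG = """\
Sep 10 10:25:03 192.168.3.1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40211) -> 192.168.1.20(23), 1 packet
Sep 10 10:30:03 192.168.3.1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40212) -> 192.168.1.20(23), 37 packets
Sep 10 10:25:10 192.168.3.1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.4(51000) -> 192.168.1.10(80), 1 packet
Sep 10 10:26:41 192.168.3.1 %SEC-6-IPACCESSLOGS: list 44 denied 192.168.77.70 1 packet
"""

LOGP = re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")
LOGS = re.compile(r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<src>[\d.]+) (?P<count>\d+) packet")

def parse_line(line):
    """Return the ACL fields of one syslog line as a dict, or None if it is not an ACL message."""
    for pattern in (LOGP, LOGS):
        m = pattern.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])   # 'N packets' is a 5-minute summary, so keep the number
            return d
    return None

def denied_packets_by_source(text):
    """Total denied packets keyed by (acl, source, destination:port); '-' when the list is standard."""
    totals = Counter()
    for line in text.splitlines():
        d = parse_line(line)
        if d and d["action"] == "denied":
            key = (d["acl"], d["src"], f'{d.get("dst", "-")}:{d.get("dport", "-")}')
            totals[key] += d["count"]
    return totals

def noisy_sources(text, threshold=10):
    """Sources whose denied total reaches the threshold, for follow-up by the administrator."""
    return sorted({src for (_, src, _), n in denied_packets_by_source(text).items() if n >= threshold})

if __name__ == "__main__":
    for key, n in denied_packets_by_source(SAMPLE_LOG).items():
        print(key, n)
    print("review:", noisy_sources(SAMPLE_LOG))   # ['203.0.113.7']
```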
ACL Best Practices

Summary

- Traffic Filtering
- ACL types: Standard, Extended, Numbered, Named
- Wildcard Mask
- ACL Process and Creation Guidelines
