Introduction
Objectives
Traffic filtering
Packet filtering can be simple or complex, denying or permitting traffic based on:
- Source IP address
- Destination IP address
- MAC addresses
- Protocols
- Application type
Devices most commonly used to provide traffic filtering are:
Standard ACLs
Standard ACLs filter only on the source IP address of a packet. The identification number can range from 1 to 99 and from 1300 to 1999.

Extended ACLs
Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. The range of numbers for Extended ACLs is from 100 to 199 and from 2000 to 2699.

Named ACLs
Named ACLs (NACLs) are Standard or Extended ACLs that are referenced by a descriptive name rather than a number. When a named ACL is configured, the router IOS enters a NACL subcommand mode.
ACL Processing
Each statement either permits or denies traffic based on the specified parameters. Traffic is compared to each statement in the ACL sequentially, from the top, until a match is found or there are no more statements; the first match decides, so the order of statements matters. The last statement of an ACL is always an implicit deny any: a packet that matches no explicit statement is dropped, and an ACL without at least one permit statement blocks all traffic.
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.

Inbound ACLs: incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
Học viện mạng Bách Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com
Outbound ACLs: incoming packets are first routed to the outbound interface, and then they are processed through the outbound ACL.
A wildcard mask uses 0s to indicate the bits of an IP address that must match exactly and 1s to indicate the bits that do not have to match. For a contiguous network range the wildcard mask is the bitwise inverse of the subnet mask (for example, 255.255.255.0 becomes 0.0.0.255); the keyword host is equivalent to the wildcard 0.0.0.0, and any to the wildcard 255.255.255.255.
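To make the top-down matching and the wildcard arithmetic concrete, here is a small Python model of a numbered standard ACL. It is an added example, not code from the original slides or from Cisco IOS; the ACL statements, the addresses and the helper names (wildcard_match, evaluate, ACL_10) are constructed for illustration, and the parser accepts only the simple statement forms shown.

```python
"""Toy evaluator for numbered standard ACLs (added example, not from the original slides).

It models two rules from the text: wildcard masking (a 0 bit in the mask must match,
a 1 bit is ignored) and top-down processing (first matching statement wins, implicit
deny at the end). The ACL and addresses below are constructed sample data.
"""
import ipaddress


def ip_to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def netmask_to_wildcard(netmask):
    """The wildcard mask is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(netmask)))


def wildcard_match(address, wildcard, candidate):
    """True when candidate equals address in every bit position where the wildcard bit is 0."""
    return (ip_to_int(address) ^ ip_to_int(candidate)) & ~ip_to_int(wildcard) == 0


def parse_standard_ace(line):
    """Parse 'access-list N permit|deny (any | host A | A WILDCARD)' for a standard ACL number."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number = int(tokens[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL ranges 1-99 and 1300-1999")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    source = tokens[3]
    if source == "any":
        return number, action, "0.0.0.0", "255.255.255.255"
    if source == "host":
        return number, action, tokens[4], "0.0.0.0"
    # IOS assumes a host match (wildcard 0.0.0.0) when no wildcard is given
    wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"
    return number, action, source, wildcard


def evaluate(acl_lines, source_ip):
    """Compare source_ip against each statement in order.

    Returns (action, statement_index); index None means the implicit deny at the end matched.
    """
    for index, line in enumerate(acl_lines, start=1):
        _, action, address, wildcard = parse_standard_ace(line)
        if wildcard_match(address, wildcard, source_ip):
            return action, index
    return "deny", None  # every ACL ends with an implicit "deny any"


# Constructed sample ACL: block one host, permit the rest of its subnet and a second network
ACL_10 = [
    "access-list 10 deny host 192.168.10.77",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 10 permit 172.16.0.0 0.0.255.255",
]

# Same statements with the host deny placed after the subnet permit: the deny is never reached
ACL_10_MISORDERED = [ACL_10[1], ACL_10[0], ACL_10[2]]

if __name__ == "__main__":
    for ip in ("192.168.10.77", "192.168.10.5", "172.16.200.1", "10.1.1.1"):
        print(f"{ip:>15}  ordered={evaluate(ACL_10, ip)}  misordered={evaluate(ACL_10_MISORDERED, ip)}")
```

ACL_10_MISORDERED contains exactly the same statements as ACL_10, yet 192.168.10.77 is permitted by it, because the subnet permit is matched first and the later host deny is never evaluated. The wildcard 0.0.0.254 in the tests shows that the 1 bits need not be contiguous: it matches only even host addresses in 192.168.1.0, something a subnet mask cannot express.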
Planning involves the following steps:
1. Determine the traffic filtering requirements
2. Decide which type of ACL best suits the requirements
3. Determine the router and the interface on which to apply the ACL
4. Determine in which direction to filter traffic
The port operators most commonly used in extended ACL statements are:
- eq - equals
- gt - greater than
- lt - less than
ACLs are often created to protect an internal network from outside sources. However, while protecting the internal network, they should still allow internal users access to all external resources. To resolve this, a single statement can permit the return traffic of TCP sessions that internal users initiate. The keyword established matches TCP segments that have the ACK or RST bit set, which every segment after the initial SYN of a connection carries; a bare SYN arriving from outside, which would open a new connection, does not match:

access-list 101 permit tcp any any established

Permitting only the responses to established communications is a rough approximation of Stateful Packet Inspection (SPI). Unlike a true stateful firewall, the router keeps no connection table: it checks only the flag bits of each segment, so a crafted segment with the ACK bit set that arrives from outside without any preceding inside-initiated SYN also matches.
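The following Python model, added here and not part of the original slides or of IOS, shows what the established keyword does and does not check, together with the eq/gt/lt port operators listed above. The ACL, the outside address 203.0.113.10 and the packet names (REPLY_TO_CLIENT, ACK_SCAN_SSH and so on) are constructed sample data; the TCP flag values are the standard header bits, and the parser accepts only the statement forms used here.

```python
"""Toy model of an extended ACL with port operators and the 'established' keyword
(added example, not from the original slides).

In IOS, 'established' matches TCP segments whose ACK or RST bit is set, i.e. segments that
can only belong to a connection already under way; a bare SYN from outside does not match.
The ACL and packets below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits as laid out in the TCP header


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: int = 0    # TCP flags; ignored for other protocols


def wildcard_match(address, wildcard, candidate):
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    a, w, c = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, candidate))
    return (a ^ c) & ~w == 0


def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (address, wildcard, next_index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


def parse_extended_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt|lt PORT] [established]'."""
    t = line.split()
    number = int(t[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is outside the extended ACL ranges 100-199 and 2000-2699")
    ace = {"action": t[2], "proto": t[3], "port": None, "established": False}
    ace["src"], ace["swc"], i = parse_addr(t, 4)
    ace["dst"], ace["dwc"], i = parse_addr(t, i)
    while i < len(t):
        if t[i] in PORT_OPS:
            ace["port"] = (PORT_OPS[t[i]], int(t[i + 1]))   # test on the destination port
            i += 2
        elif t[i] == "established":
            if ace["proto"] != "tcp":
                raise ValueError("'established' is only meaningful for tcp")
            ace["established"] = True
            i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r}")
    return ace


def ace_matches(ace, pkt):
    """'permit ip' covers every protocol; otherwise the protocol keyword must match the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(ace["src"], ace["swc"], pkt.src)
            and wildcard_match(ace["dst"], ace["dwc"], pkt.dst)):
        return False
    if ace["port"] is not None:
        op, n = ace["port"]
        if not op(pkt.dport, n):
            return False
    # 'established' is a per-segment flag check; the router keeps no connection table
    if ace["established"] and not pkt.flags & (ACK | RST):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching statement wins; ('deny', None) marks the implicit deny at the end."""
    for index, line in enumerate(acl_lines, start=1):
        ace = parse_extended_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], index
    return "deny", None


# Constructed ACL for the inbound direction on the outside interface; inside is 192.168.10.0/24.
# Line 1 lets replies to inside-initiated TCP sessions back in; line 2 exposes one web server.
ACL_101 = [
    "access-list 101 permit tcp any 192.168.10.0 0.0.0.255 established",
    "access-list 101 permit tcp any host 192.168.10.50 eq 80",
]

OUTSIDE = "203.0.113.10"  # constructed outside address
REPLY_TO_CLIENT = Packet("tcp", OUTSIDE, "192.168.10.20", dport=51515, flags=ACK)
SYN_TO_CLIENT = Packet("tcp", OUTSIDE, "192.168.10.20", dport=51515, flags=SYN)
SYN_TO_WEB = Packet("tcp", OUTSIDE, "192.168.10.50", dport=80, flags=SYN)
SYN_TO_SSH = Packet("tcp", OUTSIDE, "192.168.10.50", dport=22, flags=SYN)
UDP_TO_WEB = Packet("udp", OUTSIDE, "192.168.10.50", dport=80)
ACK_SCAN_SSH = Packet("tcp", OUTSIDE, "192.168.10.50", dport=22, flags=ACK)  # no prior SYN from inside

if __name__ == "__main__":
    for name in ("REPLY_TO_CLIENT", "SYN_TO_CLIENT", "SYN_TO_WEB", "SYN_TO_SSH", "UDP_TO_WEB", "ACK_SCAN_SSH"):
        print(f"{name:<16} -> {evaluate(ACL_101, globals()[name])}")
```

REPLY_TO_CLIENT is permitted by line 1 and SYN_TO_CLIENT is dropped by the implicit deny, which is the behaviour the established keyword is meant to give. ACK_SCAN_SSH is also permitted by line 1 even though no inside host ever opened that connection: this is the limitation of a flag check compared with real connection tracking.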
Administrators need to examine the ACL one line at a time and answer the following questions:
- What service does the statement deny?
- What is the source and what is the destination?
- What port numbers are denied?
- What would happen if the ACL was moved to another interface?
- What would happen if the ACL filtered traffic in a different direction?
- Is NAT an issue?

When evaluating an Extended ACL, it is important to remember these key points:
- The keyword tcp permits or denies TCP-based protocols like FTP, HTTP, Telnet, and so on.
- The key phrase permit ip permits all IP traffic, including any TCP, UDP, and ICMP protocols.
ACLs can be applied to VLAN interfaces or subinterfaces on a router just as with physical interfaces.
Summary
- Traffic Filtering
- ACL types: Standard, Extended, Numbered, Named
- Wildcard Mask
- ACL Processing and Creation Guidelines