CCNA2 M11 Access Control Lists
Objectives
- Standard and extended ACLs
- The rules for placement of ACLs
- Create and apply named ACLs
ACL
Standard ACLs check the source address of packets that could be routed. The result is either permit or deny for an entire protocol suite, based on the network, subnet, and host addresses.
Wildcard any
Wildcard host
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
Verifying ACLs
- show ip interface displays IP interface information and indicates whether any ACLs are set.
- show access-lists displays the contents of all ACLs on the router.
- show running-config also reveals the access lists on a router and the interface assignment information.
Show ip interface
Show access-lists
ACL Requirement
1. Do not allow traffic between outside and network 172.16.3.0
2. - Node 172.16.4.13 can only access the Internet
   - Network 172.16.4.0 (except 172.16.4.13) cannot access the Internet
Description
- Defines an access list
- Protocol-dependent ACL number (100-199)
- Defines a statement to allow/block traffic
- The protocol in question, including: IP, TCP, UDP, ICMP, GRE
- Source/destination address
- Wildcard mask: zero bits must match; one bits are ignored
- Logical operator: lt: less than, gt: greater than, eq: equal to, neq: not equal to
- Extended parameter of the protocol used, e.g. port (for TCP/UDP), echo (for ICMP)
- Records all ACL matches, including violations
- Applies this access list to inbound or outbound traffic
- icmp-message: the ICMP message type to match, e.g. echo
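To make the wildcard-mask rule and the first-match/implicit-deny behaviour concrete, here is a small standard-ACL evaluator. It is an added example, not code from the CCNA slides; it parses the two equivalent lines from the "Wildcard host" slide and a constructed ACL for requirement 2 of the ACL Requirement slide (the interface name Serial0 is an assumption).

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # the bits the ACL actually compares
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source> [wildcard]' lines (host/any included)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        number, action, rest = tokens[1], tokens[2], tokens[3:]
        if rest[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wild = rest[1], "0.0.0.0"
        else:
            base = rest[0]
            wild = rest[1] if len(rest) > 1 else "0.0.0.0"  # IOS assumes a host match
        entries.append((number, action, base, wild))
    return entries


def evaluate(entries, number: str, src: str) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for n, action, base, wild in entries:
        if n == number and wildcard_match(src, base, wild):
            return action
    return "deny"


# The two equivalent forms from the slide: explicit 0.0.0.0 wildcard vs. 'host'.
SLIDE_FORMS = parse_standard_acl([
    "access-list 1 permit 172.30.16.29 0.0.0.0",
    "access-list 1 permit host 172.30.16.29",
])

# Constructed ACL for requirement 2: applied outbound on the Internet-facing
# interface (assumed name Serial0), only 172.16.4.13 may leave; everything
# else, including all of 172.16.3.0/24 and the rest of 172.16.4.0/24, is
# dropped by the implicit deny at the end of the list.
INTERNET_OUT = parse_standard_acl(["access-list 2 permit host 172.16.4.13"])
```

Requirement 1 (blocking outside traffic toward 172.16.3.0) needs a destination match and so an extended ACL, which this standard-ACL evaluator does not model.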
Recommended Rule
- Place extended ACLs as close to the source of the denied traffic as possible.
- Place standard ACLs as close to the destination as possible.
- Placing ACLs on inbound interfaces may help to reduce routing processing tasks.
- Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.
Firewall architecture
Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router itself.
(Topology diagram: router RA, 172.16.3.100)
ACL Challenge
- The outer network can't ping into the inner network.
- Do not allow the outer network to access the inner network, except the web service on the Web Server (.66).
- Traffic between Net1 and Net3 is not allowed.
- Other networks can only access the web service on the Web Server (.96).
- Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link.
- Telnet to routers is allowed only from PC1.
- All other kinds of traffic are allowed.
(Topology diagram: PC1 on Net1 (.32), PC2, Web Server on Net3; routers R_1, R_2 and R_3 with interfaces E0, E1, S0 and S1; serial links and the 192.169.10.0/24 network toward the Internet)
Summary
- ACL definition
- How ACLs work
- Wildcard mask
- Standard numbered ACL configuration
- Extended numbered ACL configuration
- Named ACL configuration
- Placing ACLs