SUNMAR'SS Technologies
Rules of Access List
• Statements work in sequential order: the router reads the list top-down, the first statement that matches a packet decides, and nothing below it is consulted.
• Because of first-match, the specific statements (normally the deny statements) have to be given first and the general ones last. A "permit any" placed at the top would shadow every deny below it.
• There should be at least one permit statement; a list that contains only deny statements blocks everything.
• An implicit deny at the end of every list blocks all traffic that matched no statement. It is an invisible statement and does not appear in the configuration.
• Only one access-list per protocol per interface per direction, i.e. at most two IPv4 access-lists on an interface: one in the inbound direction and one in the outbound direction.
• Editing of numbered access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible: a new statement is always appended at the end, and "no access-list N ..." removes the whole list, not one line. To change one statement, remove the list and rebuild it. (Newer IOS releases let you edit a numbered list by sequence number via "ip access-list standard N", but treating numbered lists as all-or-nothing remains the safe habit.)
Standard ACL - Network Diagram

[Figure: three routers connected in a chain by serial links, S0 10.0.0.1/8 to S1 10.0.0.2/8 and S0 11.0.0.1/8 to S1 11.0.0.2/8. Each router's E0 interface (192.168.1.150/24, 192.168.2.150/24, 192.168.3.150/24) serves one LAN: 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.]

How Standard ACL Works?

Each of the lists below is applied to the same diagram. A standard ACL matches on the source address only, the statements are read top-down, the first match decides, and a packet that matches nothing hits the implicit deny.

Blocking one host:
  access-list 1 deny 192.168.1.2 0.0.0.0
  access-list 1 permit any
Traffic from 192.168.1.2 matches the first statement and is dropped; every other source falls through to the second statement and is permitted. The wildcard 0.0.0.0 means every bit of the address must match, so exactly one host is affected. Blocking 192.168.1.1 instead works the same way:
  access-list 1 deny 192.168.1.1 0.0.0.0
  access-list 1 permit any

Two denies and no permit:
  access-list 1 deny 192.168.1.1 0.0.0.0
  access-list 1 deny 192.168.1.2 0.0.0.0
Nothing is explicitly permitted, so every packet that is not from those two hosts falls through to the implicit deny and the interface blocks all traffic. This is the mistake the "at least one permit statement" rule guards against.

Blocking a whole subnet with a wildcard mask:
  access-list 5 deny 192.168.3.0 0.0.0.255
  access-list 5 permit any
The wildcard 0.0.0.255 ignores the last octet, so all 256 addresses of 192.168.3.0/24 are denied and everything else is permitted. Removing the deny leaves
  access-list 5 permit any
which is a valid list that allows all traffic and filters nothing.

A host and a subnet, again without a permit:
  access-list 5 deny 192.168.1.1 0.0.0.0
  access-list 5 deny 192.168.3.0 0.0.0.255
blocks everything, for the same reason as before: the implicit deny catches whatever the two denies did not. Putting the permit back restores the intended behaviour:
  access-list 5 deny 192.168.1.1 0.0.0.0
  access-list 5 permit any
Extended ACL - Network Diagram

[Figure: the same three-router topology as above.]

How Extended ACL Works?

  access-list 101 permit ip any any

An extended list matches on protocol, source address, destination address and, for TCP and UDP, the port, in that order on the command line. "ip any any" matches every IPv4 packet from any source to any destination, so this single statement allows all traffic through the interface. On its own it filters nothing; in practice it is the last line of an extended list, placed after the specific deny statements so that everything they do not catch is permitted instead of falling into the implicit deny.
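The first-match walk through a list that the rules describe, applied to the standard lists from the slides above and to an extended list, as an added example in Python. This is not code from the slides: the extended "deny tcp ... eq telnet" statement, the "host" keyword form of an address and the small port-name table are IOS syntax supplied here, and the packets fed to the evaluator are constructed.

```python
"""Added example: a small model of how a Cisco IOS router evaluates an ACL.

It parses the numbered statements from the slides (standard 1-99, extended
100-199), walks them top-down, stops at the first match, and falls through to
the implicit deny when nothing matches. The extended deny for telnet below is
a constructed statement, not one from the slides.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")           # address spec that matches everything
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "domain": 53}  # subset of IOS keywords


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore (the inverse of a subnet mask)."""
    check_bits = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & check_bits) == (ip_int(base) & check_bits)


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"; "ip" for standard lists
    src: Tuple[str, str]               # (base, wildcard)
    dst: Tuple[str, str]               # standard lists carry no destination, so ANY
    dport: Optional[Tuple[str, int]]   # (operator, port) such as ("eq", 23), or None


def take_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into Entries, keeping their order."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99:                      # standard: source address only
            src, rest = take_addr(rest)
            entries.append(Entry(action, "ip", src, ANY, None))
        elif 100 <= number <= 199:                 # extended: proto, src, dst, [op port]
            proto, rest = rest[0], rest[1:]
            src, rest = take_addr(rest)
            dst, rest = take_addr(rest)
            dport = None
            if rest and rest[0] in ("eq", "lt", "gt"):
                port = PORT_NAMES.get(rest[1])
                dport = (rest[0], port if port is not None else int(rest[1]))
            entries.append(Entry(action, proto, src, dst, dport))
        else:
            raise ValueError(f"unsupported list number {number}")
    return entries


def port_ok(rule, port):
    op, value = rule
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]


def evaluate(entries, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return (action, line_number); line_number is None when the implicit deny fired."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and (dport is None or not port_ok(e.dport, dport)):
            continue
        return e.action, n                   # first match wins, nothing below is read
    return "deny", None                      # the invisible statement at the end of every list


# The lists from the slides, plus one constructed extended deny.
ACL_1 = parse_acl(["access-list 1 deny 192.168.1.2 0.0.0.0",
                   "access-list 1 permit any"])
ACL_1_NO_PERMIT = parse_acl(["access-list 1 deny 192.168.1.1 0.0.0.0",
                             "access-list 1 deny 192.168.1.2 0.0.0.0"])
ACL_5 = parse_acl(["access-list 5 deny 192.168.3.0 0.0.0.255",
                   "access-list 5 permit any"])
ACL_101 = parse_acl(["access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 192.168.3.150 eq telnet",
                     "access-list 101 permit ip any any"])

if __name__ == "__main__":
    print(evaluate(ACL_1, "192.168.1.2"))                              # ('deny', 1)
    print(evaluate(ACL_1, "192.168.1.3"))                              # ('permit', 2)
    print(evaluate(ACL_1_NO_PERMIT, "192.168.2.10"))                   # ('deny', None): implicit deny
    print(evaluate(ACL_5, "192.168.3.77"))                             # ('deny', 1): whole /24
    print(evaluate(ACL_101, "192.168.1.5", "192.168.3.150", "tcp", 23))  # ('deny', 1)
    print(evaluate(ACL_101, "192.168.1.5", "192.168.3.150", "tcp", 80))  # ('permit', 2)
```

The line number returned with the verdict is the useful part when debugging a list: a packet you expected to be permitted that comes back as ("deny", None) was never matched by any statement and hit the implicit deny, while ("deny", 1) means a real statement caught it.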
Named Access List
• Access-lists are identified using names rather than numbers.
• Names are case-sensitive.
• No limitation of numbers here: there is no 1 - 99 or 100 - 199 range to run out of, and the name can say what the list is for.
• One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL (or inserting one between existing statements by sequence number) is possible without rebuilding the whole list.
• A named list is still either standard or extended and is evaluated the same way: top-down, first match, implicit deny at the end.
Standard Named Access List
Creation of Standard Named Access List
Implementation of Standard Named Access List

Extended Named Access List
Creation of Extended Named Access List
Implementation of Extended Named Access List
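The creation and implementation steps above, and the editing advantage from the previous slide, as an added Python example that builds a named list with sequence numbers, removes one statement, and prints the resulting IOS configuration. This is not code from the slides; the IOS commands it renders ("ip access-list standard NAME", numbered statements, "no <seq>" and "ip access-group NAME in|out") are supplied here, and the list name, addresses and interface are constructed.

```python
"""Added example: modelling a named ACL with sequence numbers (not from the slides).

Named lists can be edited in place: a statement can be inserted between two
existing ones or removed by its sequence number, which a classic numbered
list does not allow. The names, sequence numbers and addresses are constructed.
"""
from typing import List, Optional, Tuple


class NamedAcl:
    def __init__(self, name: str, kind: str = "standard"):
        if kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")
        self.name, self.kind = name, kind            # names are case-sensitive, keep as given
        self.entries: List[Tuple[int, str, str]] = []  # (sequence, action, match spec)

    def add(self, action: str, spec: str, seq: Optional[int] = None) -> int:
        """Insert a statement; without a sequence number IOS appends in steps of 10."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            seq = (self.entries[-1][0] + 10) if self.entries else 10
        if any(s == seq for s, _, _ in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append((seq, action, spec))
        self.entries.sort()                          # evaluation order is sequence order
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' removes exactly one statement, not the whole list."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != seq]
        if len(self.entries) == before:
            raise KeyError(f"no statement with sequence {seq}")

    def lint(self) -> List[str]:
        """Checks drawn from the rules on the slides: a permit must exist, and
        nothing placed after an 'any' statement can ever be reached."""
        problems = []
        if not any(a == "permit" for _, a, _ in self.entries):
            problems.append("no permit statement: the implicit deny blocks everything")
        for i, (seq, _, spec) in enumerate(self.entries):
            if spec == "any" or spec == "ip any any":
                for later, _, _ in self.entries[i + 1:]:
                    problems.append(f"sequence {later} is shadowed by the 'any' statement at {seq}")
                break
        return problems

    def render(self) -> List[str]:
        """Configuration lines as they would be entered on the router."""
        lines = [f"ip access-list {self.kind} {self.name}"]
        lines += [f" {seq} {action} {spec}" for seq, action, spec in self.entries]
        return lines


def apply_to_interface(acl: NamedAcl, interface: str, direction: str) -> List[str]:
    """One list per interface per direction: 'ip access-group NAME in|out'."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return [f"interface {interface}", f" ip access-group {acl.name} {direction}"]


if __name__ == "__main__":
    acl = NamedAcl("BLOCK_LAN1_HOSTS")
    acl.add("deny", "host 192.168.1.1")            # sequence 10
    acl.add("permit", "any")                       # sequence 20
    acl.add("deny", "host 192.168.1.2", seq=15)    # slots in between 10 and 20
    acl.remove(10)                                 # drops one line, the rest stays
    print("\n".join(acl.render() + apply_to_interface(acl, "Ethernet0", "in")))
    print(acl.lint())                              # []
```

Run lint() before applying a list: the two findings it produces are exactly the two failure modes from the rules slide, a list with no permit (everything denied) and a statement placed below a "permit any" or "deny any" (never reached).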
Access Control List
• It is a Layer 3 security feature on the router which controls the flow of traffic through its interfaces, from one network to another. Extended lists additionally look at the Layer 4 protocol and port.
• It is also called a packet-filtering firewall, because each packet is permitted or denied on its header fields alone (stateless filtering).
ACL - Network Diagram

[Figure: the three-router topology used throughout: serial links 10.0.0.1/8 - 10.0.0.2/8 and 11.0.0.1/8 - 11.0.0.2/8, E0 interfaces 192.168.1.150/24, 192.168.2.150/24 and 192.168.3.150/24, LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.]
Types of Access List
• Standard ACL
• Extended ACL
• Named ACL
Standard Access List
• The access-list number lies between 1 - 99 (expanded range 1300 - 1999).
• Can block a network, host or subnet, matching on the source address only.
• Two-way communication is stopped: because only the source can be matched, denying a host cuts it off from everything beyond the interface, not just one service.
• Implemented closest to the destination, because a source-only filter placed near the source would also cut the host off from destinations that should stay reachable.

Extended Access List
• The access-list number lies between 100 - 199 (expanded range 2000 - 2699).
• Can block a network, host, subnet and service, matching on protocol, source, destination and port.
• One-way communication is stopped: a single direction or a single service can be denied while the rest of the traffic continues.
• Implemented closest to the source, so unwanted traffic is dropped before it crosses the network.
Terminology
• Deny: blocking a network, host, subnet or service.
• Permit: allowing a network, host, subnet or service.
• Source: the address of the PC from where the request starts (see the diagram).
• Destination: the address of the PC where the request ends.
• Inbound: traffic coming into the interface.
• Outbound: traffic going out of the interface.
• Protocols: TCP, UDP, ICMP.
• Operators: lt (less than), gt (greater than).
• Services: HTTP, FTP, TELNET, DNS, DHCP etc.
Wild Card Mask
• Tells the router which addressing bits must match in the address of the ACL statement.
• It is the inverse of the subnet mask, hence also called the inverse mask.
• A bit value of 0 indicates MUST MATCH (check bits).
• A bit value of 1 indicates IGNORE (ignore bits).
• The wildcard mask for a single host is always 0.0.0.0 (every bit must match).

• A wildcard mask can be calculated using the formula:

    255.255.255.255
  - customized subnet mask
  -------------------------
    wildcard mask

  E.g.
    255.255.255.255
  - 255.255.255.240
  -------------------------
    0.0.0.15

  The 0.0.0.15 result ignores the low four bits of the last octet, so the statement matches the 16 addresses of a /28 block.
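The subtraction above, carried out in code, plus two checks on a finished (address, wildcard) pair that are worth running before a statement goes into a router: how many addresses it really covers, and whether the wildcard describes a contiguous block or a scattered pattern. This is an added Python example, not from the slides; the sample prefixes and the mistyped mask are constructed.

```python
"""Added example: deriving wildcard masks and checking what a mask really matches.

Follows the slide's formula (255.255.255.255 minus the subnet mask) and adds the
checks a reviewer wants on an ACL line: the number of addresses a (base, wildcard)
pair covers, and whether the wildcard is a contiguous block or a pattern such as
0.0.0.254 that matches scattered hosts. Not code from the slides; the sample
prefixes are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 - subnet mask, which is the bitwise inverse of the mask."""
    return str(IPv4Address(ALL_ONES - int(IPv4Address(subnet_mask))))


def acl_spec_for(cidr: str) -> tuple:
    """(base, wildcard) pair for a prefix, e.g. 192.168.3.0/24 -> ('192.168.3.0', '0.0.0.255')."""
    net = IPv4Network(cidr, strict=False)          # strict=False accepts a host address too
    return str(net.network_address), wildcard_from_mask(str(net.netmask))


def addresses_covered(wildcard: str) -> int:
    """Each ignore bit doubles the number of addresses a statement matches."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the ignore bits form one low-order run, i.e. the pair describes a /N block."""
    w = int(IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def matches(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    check = ALL_ONES ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & check) == (int(IPv4Address(base)) & check)


def describe(base: str, wildcard: str) -> str:
    """Human-readable summary of what an ACL address pair covers, for config review."""
    n = addresses_covered(wildcard)
    shape = "contiguous block" if is_contiguous(wildcard) else "NON-contiguous pattern"
    return f"{base} {wildcard}: {n} address(es), {shape}"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))   # 0.0.0.15, the slide's example
    print(acl_spec_for("192.168.3.0/24"))          # ('192.168.3.0', '0.0.0.255')
    print(describe("192.168.3.0", "0.0.0.255"))    # 256 addresses, contiguous block
    print(describe("192.168.3.0", "0.0.255.255"))  # a one-octet typo widens the match to 65536
    print(describe("192.168.3.0", "0.0.0.254"))    # 128 addresses, NON-contiguous (even hosts only)
    print(matches("192.168.3.7", "192.168.3.0", "0.0.0.254"))  # False: odd host is not matched
```

The non-contiguous case is the one to watch in review: IOS accepts any wildcard, so 0.0.0.254 is a legal statement that silently matches every even-numbered host in the subnet and none of the odd ones, and a mask typed one octet wide turns a /24 deny into a /16 deny without any error.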