
Lecture Ten

Access Control List


Part I

Dr. Saba M. Hussain


2022/2023
Lecture Outlines

1- Access Control List Definition.
2- Access Control List Operation.
3- Types of ACLs.
Access Control List Definition

1- Network administrators must figure out how to deny unwanted access to the network while allowing internal users appropriate access to necessary services.

2- Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs).

3- For example, a network administrator may want to allow users access to the Internet, but not permit external users Telnet access into the LAN.
Access Control List Definition

1- An ACL is a router configuration script that controls whether a router permits or denies packets to pass, based on criteria found in the packet header.
2- ACLs are applied on the router's interfaces.
3- The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. Some ACL decision points are:
  1- IP source address.
  2- IP destination address.
  3- UDP or TCP protocol.
  4- Upper-layer (TCP/UDP) source / destination port numbers.
Access Control List Definition

 ACLs must be defined on a:
1- per-protocol (IP, IPX, AppleTalk),
2- per-direction (in or out), and
3- per-port (interface) basis.

Writing ACLs can be a challenging and complex task. Every interface can have multiple protocols and directions defined. The router shown in Figure 5-6 has two interfaces configured for IP, AppleTalk and IPX. This router could possibly require 12 separate ACLs (one ACL for each protocol, times 2 for each direction, times 2 for the number of ports).
Access Control List Definition
 Here are some guidelines for using ACLs:
 Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
 Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
 Configure ACLs on border routers, routers situated at the edges of your networks. This provides a basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
 Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACL Functions
 ACLs Advantages:
1- Limit network traffic to increase network performance.
For example, if corporate policy does not allow video traffic
on the network, ACLs that block video traffic could be
configured and applied. This would greatly reduce the network
load and increase network performance.
2- Provide traffic flow control.
3- Provide a basic level of security for network access. ACLs
can allow one host to access part of the network and prevent
another host from accessing the same area. For example,
access to the Human Resources network can be restricted to
select users.
4- Decide which types of traffic to forward or block at the
router interfaces. For example, an ACL can permit e-mail
traffic but block all Telnet traffic.
ACL Functions
 ACLs Advantages:
5- Control which areas a client can access on a network.
6- Screen hosts to permit or deny access to network services.
ACLs can permit or deny a user access to file types, such
as FTP or HTTP.
Access Control List Operation

 ACL statements operate in sequential, logical order (top to bottom), one line at a time, looking for a pattern that matches the incoming packet, in the following way:
1- If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
2- If none of the ACL statements match, an implicit "deny any" statement at the end of the list applies by default. This statement is not visible in the configuration.
3- When first learning how to create ACLs, it is a good idea to add an explicit deny at the end of the ACL to make the presence of the implicit deny visible.
Access Control List Definition
Two types of ACLs

The two types of Cisco ACLs are standard and extended:
1- Standard IP ACLs
Can filter on source IP addresses only.
2- Extended IP ACLs
Can filter based on:
  1- Source IP address.
  2- Destination IP address.
  3- Protocol (TCP, UDP).
  4- Port numbers (Telnet – 23, HTTP – 80, etc.)
  and other parameters.
Standard IP ACLs

 Standard ACLs allow you to permit or deny traffic from source IP addresses.
 A standard ACL is a sequential collection of permit and deny conditions that apply to source IP addresses. The packet's destination and the ports involved are not examined.
 Figure 5-10 maps out the decision process for a standard ACL. Cisco IOS software tests addresses against the conditions one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.
Standard IP ACLs
Standard IP ACLs types

Access Control List
  Standard: Numbered, Named
  Extended: Numbered, Named
Standard IP ACL (Numbered ACL)

 Numbered ACL: You assign a number based on whether your ACL is standard or extended:
■ 1 to 99 and 1300 to 1999: Standard IP ACL.
■ 100 to 199 and 2000 to 2699: Extended IP ACL.
■ You cannot add or delete entries within the ACL.
 Named ACL: You assign a name by providing the name of the ACL:
■ Names can contain alphanumeric characters.
■ It is suggested that the name be written in CAPITAL LETTERS.
■ Names cannot contain spaces or punctuation and must begin with an alphabetic character.
■ You can add or delete entries within the ACL.
■ You can specify whether the ACL is standard or extended.
Where to Place ACLs (Network Level)

 Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are as follows:
■ Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. This way, the ACL does not inadvertently block traffic to more destinations than intended.
■ Like standard ACLs, extended ACLs can examine the source IP addresses, but they also examine the destination IP address, protocols, and port numbers (or services). Because extended ACLs can filter based on the destination IP address, you can locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
Where to Place ACLs/Example

 Placing Standard ACLs

 Problem: the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from getting to the 192.168.30.0/24 network.
 Solution: An ACL on the outbound interface of R1 keeps R1 from sending traffic to other places as well. The solution is to place a standard ACL on the outbound interface of R3 to stop all traffic from the source address 192.168.10.0/24. A standard ACL meets these needs because it is concerned with only source IP addresses.
Where to Place ACLs/Example

[Figure: an ACL placed in the input direction versus an ACL placed in the output direction]
Where to Place ACLs/Example

 Placing Extended ACLs

 The administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to in this example as Ten and Eleven, respectively) wants to deny Telnet and FTP traffic from Eleven to the 192.168.30.0/24 network (Thirty, in this example). At the same time, other traffic must be permitted to leave the Eleven network. All traffic from the Ten network is to be permitted.
 Solution:
Where to Place ACLs/Example

 There are several ways to do this. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the administrator does not control R3. That solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination. This affects overall network efficiency.
 One solution is to use an outbound extended ACL that specifies both source and destination addresses (Ten and Thirty, respectively), and that says, "Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1.
 A disadvantage of this solution is that traffic from Eleven would also be subject to some processing by the ACL, even though Telnet and FTP traffic is allowed.
Where to Place ACLs/Example

 The better solution is to move closer to the source and place an extended ACL on the inbound Fa0/2 interface of R1. This ensures that Telnet and FTP packets from Eleven and bound for Thirty do not enter R1 and therefore never need to be processed by R2 or R3. Traffic from Eleven with other destination addresses and ports is still permitted through R1.
Where to Place ACLs/Example

 The full syntax of the standard ACL command is as follows:
Thank You
