ACCESS CONTROL LIST
Why Use Access Lists?
An access list filters the incoming and outgoing traffic of a router and so provides security on your network.
What are ACLs?
· An ACL is an ordered list of condition statements; the router tests a packet against the statements one by one and takes the decision of the first statement that matches.
· The router reads ACL statements in sequence-number order.
· Deny and permit statements are based on the conditions you specify.
· An ACL filters network traffic with deny or permit statements.
· An ACL can filter traffic by examining the source and destination addresses. Some ACLs can also filter traffic by examining the protocol and port numbers.
· An ACL can filter for specific host addresses or for whole subnets.
Reasons to Create ACLs-
The following are some of the primary reasons to create ACLs:
· Increase security by filtering network traffic.
· Decide which types of traffic are denied or permitted at the router interfaces.
· For instance: deny web services for a user but allow SSH from the same web server.
· Match whole subnets rather than single hosts by using a wildcard mask.
ACL Rules-
· The ACL reads its statements one by one in sequence order, and the first statement that matches decides.
· In most cases, write the specific deny statements first and the permit statements after them.
· An ACL made up only of deny statements needs a permit statement at the end (for example permit any), otherwise nothing passes.
· If a packet matches no permit or deny statement, the ACL denies it: every ACL ends with an implicit deny all.
· You can apply one ACL per interface per direction, that is at most two ACLs per interface (one inbound, one outbound).
· You cannot add a statement in the middle of a numbered ACL; to insert a new line you have to create the list again from scratch, so you should keep it in a text editor.
· You cannot remove a single statement from a numbered ACL; to remove one you have to remove all the statements and create the modified list again.
Types of ACLs
There are two types of ACLs:
1. Standard
2. Extended
Standard ACL-
A standard ACL filters traffic by examining only the source address, so you should apply it close to the destination. Standard ACLs use the numbers 1-99, and the expanded range of standard ACLs uses 1300-1999.
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard]
To remove a standard ACL, the syntax is:
Router(config)#no access-list access-list-number
How to Configure Standard ACL
R3 Configuration-
Router(config)#access-list 10 deny host 10.0.0.2
Router(config)#access-list 10 permit any
Router(config)#int fa 0/0
Router(config-if)#ip access-group 10 out
Router(config-if)#do wr
Router#show access-lists
Standard IP access list 10
10 deny host 10.0.0.2 (12 match(es))
20 permit any (8 match(es))
Router#show ip access-lists 10
Standard IP access list 10
deny host 10.0.0.2 (12 match(es))
permit any (8 match(es))
Extended ACL-
An extended ACL filters traffic by examining the source address, the destination address, the protocol and the port numbers. You should apply an extended ACL close to the source.
Extended ACLs use the numbers 100-199, and the expanded range uses 2000-2699. Extended ACLs are used more often than standard ACLs because they give a greater range of control: they check the source and destination addresses of a packet and can also check the protocol and the port numbers.
Logical operators such as equal (eq), not equal (neq), greater than (gt) and less than (lt) can be specified, and the extended ACL applies them to the port numbers of the given protocol.
How to Configure Extended ACL-
R1(config)#access-list 100 deny tcp host 30.0.0.2 10.0.0.101 0.0.0.0 eq 21
R1(config)#access-list 100 deny tcp host 30.0.0.3 10.0.0.100 0.0.0.0 eq 80
R1(config)#access-list 100 permit ip any any
R1(config)#int fa 0/0
R1(config-if)#ip access-group 100 out
R1(config-if)#do wr
R1(config-if)#do show access-list
Extended IP access list 100
10 deny tcp host 30.0.0.2 host 10.0.0.101 eq ftp (12 match(es))
20 deny tcp host 30.0.0.3 host 10.0.0.100 eq www (12 match(es))
30 permit ip any any (15 match(es))
R1(config-if)#do show access-list 100
Extended IP access list 100
deny tcp host 30.0.0.2 host 10.0.0.101 eq ftp (12 match(es))
deny tcp host 30.0.0.3 host 10.0.0.100 eq www (12 match(es))
permit ip any any (15 match(es))
Wildcard Mask
The wildcard mask is the inverse of the subnet mask. To calculate it, subtract the subnet mask from the Layer 3 broadcast address 255.255.255.255, for example:
  255.255.255.255   Layer 3 broadcast address
- 255.255.255.0     subnet mask
  0.0.0.255         wildcard mask
The wildcard mask goes after the address in the statement, for example:
access-list 99 permit 192.168.1.1 wildcard-mask
All 32 bits of an IP address can be filtered with the wildcard (inverse) mask:
0 = the bit must match
1 = ignore the bit
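The following is an added example, not part of the original post: a small Python simulator of the evaluation rules described above (statements read in sequence order, first match wins, implicit deny at the end, wildcard bit 0 = must match and 1 = ignore). It encodes the post's standard ACL 10 and extended ACL 100 as constructed sample data; the entry layout and function names are this example's own, not IOS commands.

```python
# Added example: simulate Cisco-style ACL evaluation (not code from the original page).
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")     # "any": every wildcard bit is 1, so every address matches

def host(ip):
    """'host x.x.x.x' is shorthand for wildcard 0.0.0.0: all 32 bits must match."""
    return (ip, "0.0.0.0")

def wildcard_from_mask(subnet_mask):
    """Wildcard mask = 255.255.255.255 minus the subnet mask (its bitwise inverse)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))))

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = the address bit must equal the base bit, bit 1 = ignore that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w                 # bits we actually compare
    return a & care == b & care

def entry(seq, action, proto, src, dst=ANY, dport=None):
    """One ACL statement. A standard ACL entry uses proto='ip', dst=ANY and no port."""
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, packet):
    """Return (action, matching sequence number). ('deny', None) is the implicit deny all."""
    for e in sorted(acl, key=lambda x: x["seq"]):          # read in sequence-number order
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and packet.get("dport") != e["dport"]:   # "eq <port>"
            continue
        return e["action"], e["seq"]                         # first match decides
    return "deny", None                                      # no match: implicit deny

# Constructed sample data: the post's ACL 10 (R3) and ACL 100 (R1).
ACL_10 = [entry(10, "deny", "ip", host("10.0.0.2")), entry(20, "permit", "ip", ANY)]
ACL_100 = [
    entry(10, "deny", "tcp", host("30.0.0.2"), host("10.0.0.101"), 21),
    entry(20, "deny", "tcp", host("30.0.0.3"), host("10.0.0.100"), 80),
    entry(30, "permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    ftp = {"proto": "tcp", "src": "30.0.0.2", "dst": "10.0.0.101", "dport": 21}
    print(evaluate(ACL_100, ftp))                # ('deny', 10)
    print(wildcard_from_mask("255.255.255.0"))   # 0.0.0.255
```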
Block Telnet Access-
R2#conf t
R2(config)#enable secret cisco
R2(config)#line vty 0 4
R2(config-line)#password 123
R2(config-line)#login
R2(config-line)#access-class 10 in
R2(config-line)#exit
R2(config)#access-list 10 permit 10.0.0.100 0.0.0.0
R2(config)#access-list 10 deny any
R2(config)#do show access-list
Standard IP access list 10
10 permit host 10.0.0.100 (2 match(es))
20 deny any (10 match(es))
R2(config)#do show access-list 10
Standard IP access list 10
permit host 10.0.0.100 (2 match(es))
deny any (10 match(es))
Named ACLs
A named ACL lets both standard and extended ACLs be identified by a name instead of a number, so that users can understand the purpose of each ACL.
The characteristics of a named access list:
· A named ACL is case-sensitive and identifies the ACL by an alphanumeric name.
· The name cannot start with a number or a sign such as ! or ?, and it cannot contain spaces.
· You have to specify whether the named ACL is standard or extended.
· You can delete individual statements in a named access list.
· You have to use the ip access-list command to create a named access list.
· The same name may not be used for multiple ACLs.
How to Configure Named ACLs-
R3(config)#ip access-list standard test1
R3(config-std-nacl)#deny 10.0.0.2 0.0.0.0
R3(config-std-nacl)#permit any
R3(config-std-nacl)#exit
R3(config)#int fa 0/0
R3(config-if)#ip access-group test1 out
R3(config-if)#do wr
Video Link-
https://www.youtube.com/watch?v=A2OaptZirmg