N-Unit 15 Lesson 1

The document outlines a training unit on Standard Access Control Lists (ACLs) in network management and security. It covers the definition, implementation, and syntax of ACLs, as well as important rules for their application. The unit aims to equip students with the skills to apply security policies, configure network devices, and perform troubleshooting procedures.

Uploaded by anasmo19756

Unit 15 : Network Management and Security

Lesson 1: Standard Access Control List

Day:
Place: WE - Schools
Date: (Hijri) / (Gregorian)
Year: 2
Class: Networks and Cybersecurity
Time:
By the end of the training unit, the student will be able to do the following:

Short description: Apply security policies on a network; restore and back up network device operating systems; operate and monitor network device performance.

Skills:
TPC1.4 Use IT systems and software efficiently to complete planned tasks
TPC1.5 Develop policies for the use of IT within an organization
TPC3.3 Configure devices to communicate on a network and virtual private network
TPC3.4 Perform troubleshooting procedures and analyze problems
TPC3.5 Identify, install, and configure different network devices

Knowledge:
TPK05 Endpoint protection
TPK15 Different routing protocols and protocols used to exchange data on a network
TPK21 The basic IT security threats and their protection
Learning Strategy: Brainstorming and lab practice

Lesson Items:
1 What is an access control list
2 Matching logic and syntax
3 Implementing ACLs

Learning Resource: Knowledge written
Activities: Videos + Lab
Materials needed for the Activity: Computer lab with Packet Tracer or GNS3

School administration:
What is an Access Control List?

Access Control List

Figure: an ACL on the router that denies User access to the FTP server and permits Admin access to the FTP server.
Access Control List
• ACLs are rule-based lists used by switches and routers to identify traffic based on characteristics such as:
  • IP address
  • Port number
• Once the traffic is identified, the switch or router can filter it.
• Note: a standard ACL matches only the source IP address; matching on port numbers requires an extended ACL.
ACL types:
• Standard ACL
  • Numbered
  • Named
• Extended ACL
  • Numbered
  • Named
Numbered Standard ACLs

• Use ACL numbers 1 to 99 and 1300 to 1999
Named Standard ACLs

• Names can contain alphanumeric characters
• It is suggested that the name be written in capital letters
• Names cannot contain spaces
• Entries can be added or deleted within the ACL
Standard ACLs Syntax and Matching

Scenario: How can I allow only host A to reach my server and block hosts B and C?
Standard ACLs Syntax and Matching

We will create a standard ACL on R2 that tells the router: if the source IP address is 10.1.1.1, permit the packet; if it is any other source IP address, deny it.
Standard ACLs Syntax and Matching

Standard numbered IP ACLs use the following global configuration command:

access-list {1-99 | 1300-1999} {permit | deny} matching-parameters

• access-list: tells the router that you are configuring an ACL.
• {1-99 | 1300-1999}: the number you select shows the router that this is a standard ACL.
• {permit | deny}: tells the router whether this line in the ACL will permit or deny matching traffic.
• matching-parameters: for standard ACLs, this means you can match only the source IP address, or a portion of the source IP address, using an ACL wildcard mask.
Standard ACLs Matching Parameters

A standard ACL entry can match:
• An exact IP address
• A subset of addresses, using a wildcard mask
• All (any) addresses
Standard ACLs Matching Parameters: Exact IP address

access-list 1 permit 10.1.1.1
18
Standard ACLs Matching Parameters
Subset of
Matching
addresses using
Parameters
wild Card mask
For the subnet 10.1.1.0 /24 , we want to allow only 10.1.1.1 and deny all the rest of IP
addresses. Can we type the rest of addresses 253 ??????!!!!!!!!

WILD CARD MASK


Decimal 0: The router must compare this octet as normal.
Decimal 255: The router ignores this octet, considering it to already match.

19
Standard ACLs Matching Parameters
Subset of
Matching
addresses using
Parameters
wild Card mask

access-list 1 permit 10.1.1.1


access-list 1 deny 10.1.1.0 0.0.0.255
IOS refers to each line in an ACL as an Access Control Entry (ACE)
OR ACL statements. Besides the ACL number, each access-list
command also lists the action (permit or deny), plus the matching
logic. 20
Standard ACLs Matching Parameters: All or any addresses

access-list 1 permit any
Standard ACLs: Applying

Is writing the ACL statements enough for them to be applied? No. The ACL does nothing until it is enabled on an interface, in one direction: IN (packets arriving on the interface) or OUT (packets leaving the interface).
Important Rules for ACLs

RULE #1: Statements are executed from top to bottom; the first matching statement decides, and later statements are not checked.

RULE #2: The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet. This implicit deny sits at the end of every ACL.

RULE #3: Standard ACLs should be placed near the destination. Because they match only the source address, placing them near the source would also block that source from reaching destinations you did not intend to filter.

RULE #4: Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
Worked example

We want to allow PC1 (10.1.1.1/24) to reach the server and prevent every other device in PC1's subnet, while allowing all devices from the rest of network 10.0.0.0. Note that the scenario as stated says 10.0.0.0/24, while step 4 below refers to the whole Class A network 10.0.0.0/8; the wildcard mask differs (0.0.0.255 versus 0.255.255.255), so decide which range is intended before configuring.

Our steps will be as follows:
1) Enable the ACL inbound on R2's Gig0/0/0 interface.
2) Permit packets coming from host PC1.
3) Deny packets coming from the other hosts in PC1's subnet.
4) Permit packets coming from any other address in Class A network 10.0.0.0.
5) The original example made no comment about what to do by default, so simply deny all other traffic (the implicit deny at the end of the ACL already does this).
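To show how the router evaluates this ACL, here is an added example (not code from the slides or from Cisco) that parses the numbered standard ACEs in IOS syntax, applies the wildcard-mask comparison from the matching-parameters slides, and walks the list top to bottom with the implicit deny from Rules #1 and #2. It also derives a wildcard mask from a prefix length, which answers the /24 versus /8 question in the scenario. The function names and all test addresses except PC1's 10.1.1.1 are the example author's assumptions; the sample ACL text is constructed from the lesson's steps.

```python
"""Standard ACL evaluator for Cisco IOS numbered standard ACEs.

Added example, not the lesson's own code: parses 'access-list N permit|deny ...'
lines, matches on the source address with a wildcard mask, and returns the
first matching entry (top-down) or the implicit deny when nothing matches.
"""

import ipaddress
import re

# Constructed sample: the ACL from the lesson's closing scenario, using the
# Class A (/8) reading of step 4.
SAMPLE_ACL = """
access-list 1 permit 10.1.1.1
access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<rest>.+)$"
)


def is_standard_number(num: int) -> bool:
    """Standard numbered ACLs use 1-99 and 1300-1999."""
    return 1 <= num <= 99 or 1300 <= num <= 1999


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_ace(line: str) -> tuple:
    """Return (acl_number, action, address_int, wildcard_int) for one ACE.

    Accepts 'A.B.C.D', 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' and 'any'.
    """
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard ACE: {line!r}")
    num = int(m["num"])
    if not is_standard_number(num):
        raise ValueError(f"{num} is not a standard ACL number")
    parts = m["rest"].split()
    if parts == ["any"]:
        addr, wild = 0, 0xFFFFFFFF          # every bit ignored
    elif parts[0] == "host" and len(parts) == 2:
        addr, wild = ip_int(parts[1]), 0    # every bit must match
    elif len(parts) == 1:
        addr, wild = ip_int(parts[0]), 0    # bare address behaves like 'host'
    elif len(parts) == 2:
        addr, wild = ip_int(parts[0]), ip_int(parts[1])
    else:
        raise ValueError(f"bad matching parameters: {m['rest']!r}")
    return num, m["action"], addr, wild


def wildcard_match(src: int, addr: int, wild: int) -> bool:
    """Wildcard bit 0 = compare this bit, bit 1 = ignore it."""
    care = 0xFFFFFFFF ^ wild
    return (src & care) == (addr & care)


def parse_acl(text: str) -> list:
    """Parse all non-empty lines; they must all belong to one ACL number."""
    aces = [parse_ace(line) for line in text.splitlines() if line.strip()]
    if len({a[0] for a in aces}) != 1:
        raise ValueError("all ACEs must belong to a single ACL")
    return aces


def evaluate(aces: list, src_ip: str) -> tuple:
    """RULE #1: top to bottom, first match wins. Returns (action, position),
    position being the 1-based ACE index, or ('deny', None) for the
    implicit deny of RULE #2."""
    src = ip_int(src_ip)
    for pos, (_, action, addr, wild) in enumerate(aces, start=1):
        if wildcard_match(src, addr, wild):
            return action, pos
    return "deny", None


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /N prefix: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ subnet_mask))


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.1.1", "10.1.1.5", "10.0.0.9", "10.200.7.7", "192.168.1.1"):
        print(f"{ip:>12} -> {evaluate(acl, ip)}")
    print("/24 wildcard:", wildcard_from_prefix(24), "/8 wildcard:", wildcard_from_prefix(8))
```

Swapping the first two ACEs of SAMPLE_ACL makes the evaluator deny 10.1.1.1 at line 1, which is the ordering mistake Rule #1 warns about; the evaluator only models matching logic, not where the ACL is applied, so Rules #3 and #4 still have to be checked on the router.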