Basic IP Traffic Management with Access Control Lists
Chapter Objectives

   Introduce ACL concepts
   Explain the types of ACLs
   Configure ACLs
   Introduce wildcard masks
   Verify ACLs
Recall - I
   IGRP is a distance-vector routing protocol, which means that each router sends all or part of its routing table in a routing update message
   EIGRP was built on IGRP as the base and adds functionality to enhance it
   OSPF is designed around the Shortest Path First (SPF) algorithm, which computes the shortest route to each destination
   When a network link changes state, the designated router sends a notification called a Link State Advertisement (LSA) across the network
Recall - II
   OSPF provides the following advantages:
     Open protocol
     Loop-free topology
     Scalable
     Hierarchical design
     Provides multicasting
   There are different OSPF area types that help to handle external routes:
     Normal area
     Stub area
     Totally stubby area
     Not-so-stubby area
Access Control List - I
   An Access Control List (ACL) is a set of commands grouped together to filter the traffic that enters or leaves an interface
   The functions of ACLs include the following:
     Reduce network traffic and increase network performance
     Control the flow of traffic in the network
     Provide security for network access
     Decide which type of traffic is forwarded or restricted on an interface
Access Control List - II
   You must also specify one of the following directions in which the traffic should be filtered:
     Inbound
     Outbound
   Access lists are available in the following two types:
     Numbered ACL
     Named ACL
   Each of these comes in two types:
     Standard ACL
     Extended ACL
ACL Processing
   An ACL is a list of statements grouped together under a name or number
   When the router processes a packet against an ACL, it compares the packet with the statements in the list in order to find a match
   The router processes each ACL top-down
   If the packet does not match the first ACL statement, the router continues with the next statement, following the same process
Configuring ACL
   Follow the configuration guidelines when you create an ACL
   The access-list command creates an ACL; the syntax is:
     access-list ACL_# permit|deny conditions
   To activate the ACL on an interface, enter the following at the command prompt:
     interface type slot_#/port_#
     ip access-group ACL_# in|out
ACL Numbers and Protocol Types - I
   Type                          Numbers
   IP Standard                   1-99, 1300-1999
   Standard Vines                1-99
   IP Extended                   100-199, 2000-2699
   Extended Vines                100-199
   Bridging type code (layer 2)  200-299
   DECnet                        300-399
   Standard XNS                  400-499
   Extended XNS                  500-599
   AppleTalk                     600-699
ACL Numbers and Protocol Types - II

   Type                                  Numbers
   Bridging MAC address and vendor code  700-799
   IPX Standard                          800-899
   IPX Extended                          900-999
   IPX SAP filters                       1000-1099
   Extended transparent bridging         1100-1199
   IPX NLSP                              1200-1299
Editing Entries
   You may need to add, delete or modify an entry in the ACL
   In a numbered ACL, you cannot delete a specific entry
   The no access-list command deletes an entire ACL; the syntax of the command is:
     no access-list ACL_#
Wildcard Masking
   Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address manually
   A wildcard mask bit of 0 or 1 in a bit position means the following:
     0 - The bit in that position of the ACL statement address must match the corresponding bit in the IP address of the packet being examined
     1 - The bit in that position of the ACL statement address does not have to match the corresponding bit in the IP address of the packet being examined
Subnet Masks and Wildcard Masks Values

   Bit Value   Subnet Mask         Wildcard Mask
   0           Host component      Must match
   1           Network component   Ignore
Standard Numbered ACL
   You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
     access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
   After creating the standard ACL, you must activate it on the router's interface
   The ip access-group command below activates the ACL on the interface:
     ip access-group ACL_number in|out
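The wildcard-mask slides, the top-down processing rules and the standard ACL syntax above can be checked by running them as code. The following Python model is an added example (it is not from the slides and not Cisco code): it derives a wildcard mask from a subnet mask, applies the "0 must match, 1 is ignored" rule, evaluates a standard ACL first-match top-down, and models the implicit "deny any" that IOS appends to every ACL. The list numbers, addresses and the match_counts helper are my own constructions.

```python
"""Standard IP ACL evaluation modelled in Python: wildcard matching, top-down
first-match processing, the implicit 'deny any' at the end of every IOS ACL,
and per-statement match counters like those 'show access-lists' displays.
Added example; not taken from the slides. All addresses are constructed."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_subnet_mask(subnet_mask):
    """A wildcard mask is the bitwise inverse of the subnet mask
    (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ to_int(subnet_mask)))


def wildcard_match(packet_addr, acl_addr, wildcard):
    """Wildcard bit 0: the address bit must match; wildcard bit 1: ignored."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


# Statement tuples: (action, address, wildcard). The IOS keyword 'any' is
# 0.0.0.0 255.255.255.255 and 'host a.b.c.d' is a.b.c.d 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")


def evaluate_standard_acl(acl, source):
    """Return (action, statement index) of the first matching statement.
    IOS appends an implicit 'deny any'; it is modelled as ('deny', None)."""
    for index, (action, addr, wildcard) in enumerate(acl):
        if wildcard_match(source, addr, wildcard):
            return action, index
    return "deny", None


def match_counts(acl, sources):
    """Count hits per statement, like the '(n matches)' counters shown by
    'show access-lists'. The implicit deny has no counter in IOS, which is
    why an explicit 'deny any log' as the last statement is common."""
    counts = [0] * len(acl)
    implicit_denies = 0
    for source in sources:
        _, index = evaluate_standard_acl(acl, source)
        if index is None:
            implicit_denies += 1
        else:
            counts[index] += 1
    return counts, implicit_denies


# Python form of this constructed IOS list:
#   access-list 10 deny   192.168.10.0 0.0.0.255
#   access-list 10 permit 192.168.0.0  0.0.255.255
ACL_10 = [
    ("deny", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.255.255"),
]

# The same two statements in the wrong order: the broader permit now shadows
# the deny, so 192.168.10.0/24 is never blocked. Order matters.
ACL_20 = [ACL_10[1], ACL_10[0]]

if __name__ == "__main__":
    sample = ["192.168.10.7", "192.168.10.8", "192.168.20.7", "10.1.1.1"]
    for src in sample:
        print(src, evaluate_standard_acl(ACL_10, src), evaluate_standard_acl(ACL_20, src))
    print("ACL 10 counters:", match_counts(ACL_10, sample))
```

Running the script shows 10.1.1.1 falling through both lists to the implicit deny, and ACL_20 permitting the very subnet ACL_10 was written to block, which is the usual symptom of a misordered list.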
Extended Numbered ACLs
   Extended numbered ACLs are more flexible than standard ACLs
   The syntax of the command to configure an extended numbered ACL is:
     access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
TCP and UDP
   An extended ACL can filter traffic on IP protocols such as TCP and UDP
   The syntax of the command to configure an extended ACL for TCP or UDP is:
     access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]
Operators for TCP and UDP Connections

   Operator   Description
   lt         Less than
   gt         Greater than
   neq        Not equal to
   eq         Equal to
   range      Range of port numbers
TCP Port Names and Numbers

   Name          Command Parameter   Number
   FTP Data      ftp-data            20
   FTP Control   ftp                 21
   Telnet        telnet              23
   SMTP          smtp                25
   WWW           www                 80
UDP Port Names and Numbers

   Name        Command Parameter   Number
   DNS Query   dns                 53
   TFTP        tftp                69
   SNMP        snmp                161
   IP RIP      rip                 520
ICMP
   ICMP is one of the protocols that can be filtered with an extended ACL
   ICMP does not use ports like TCP and UDP
   The syntax for filtering ICMP traffic is:
     access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
   Instead of a port, you can specify an ICMP message type
ICMP Messages
   Message Type                  Description
   administratively-prohibited   Indicates that the packet was filtered
   echo                          Echo request, used to test whether the destination is reachable
   echo-reply                    Reply to the echo request generated by ping
   host-unreachable              Indicates that the subnet is reachable but the host is not responding
   net-unreachable               Indicates that the network or subnet is not reachable
   traceroute                    Filters on traceroute information
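The extended ACL slides (protocol field, port operators, established keyword, ICMP message names) are worth seeing as executable matching logic. The following Python model is an added example, not code from the slides or from Cisco; the helper names (entry, packet, port_matches), the list number 110 and every address are my own constructions. It uses the port keywords from the TCP and UDP tables above and the standard ICMP type/code pairs behind the message names.

```python
"""Extended IP ACL matching modelled in Python: protocol, source and
destination wildcards, TCP/UDP port operators (lt, gt, eq, neq, range),
the 'established' keyword and ICMP message names. Added example; not from
the slides. Helper names and all addresses are constructed."""
import ipaddress

ALL_ONES = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")      # IOS keyword: any


def host(addr):                           # IOS keyword: host a.b.c.d
    return (addr, "0.0.0.0")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr, acl_addr, wildcard):
    care = ALL_ONES ^ to_int(wildcard)    # wildcard bit 1 = ignore, 0 = must match
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


# Port keywords from the slides' tables; ICMP message names mapped to the
# standard (type, code) pairs they denote.
TCP_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
UDP_PORTS = {"dns": 53, "tftp": 69, "snmp": 161, "rip": 520}
ICMP_MESSAGES = {
    "echo": (8, 0), "echo-reply": (0, 0), "net-unreachable": (3, 0),
    "host-unreachable": (3, 1), "administratively-prohibited": (3, 13),
    "traceroute": (30, 0),
}


def port_number(proto, value):
    names = TCP_PORTS if proto == "tcp" else UDP_PORTS
    return names[value] if isinstance(value, str) else int(value)


def port_matches(port, condition, proto):
    """condition is None (any port) or (operator, arg[, arg])."""
    if condition is None:
        return True
    operator, *args = condition
    args = [port_number(proto, a) for a in args]
    if operator == "lt":
        return port < args[0]
    if operator == "gt":
        return port > args[0]
    if operator == "eq":
        return port == args[0]
    if operator == "neq":
        return port != args[0]
    if operator == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {operator}")


def entry(action, proto, src, dst, sport=None, dport=None, established=False, icmp=None):
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport,
                dport=dport, established=established, icmp=icmp)


def packet(proto, src, dst, sport=0, dport=0, flags=(), icmp=None):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                flags=set(flags), icmp=icmp)


def statement_matches(st, pkt):
    if st["proto"] != "ip" and st["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *st["src"]) and wildcard_match(pkt["dst"], *st["dst"])):
        return False
    if st["proto"] in ("tcp", "udp"):
        if not port_matches(pkt["sport"], st["sport"], st["proto"]):
            return False
        if not port_matches(pkt["dport"], st["dport"], st["proto"]):
            return False
        # 'established' only checks that ACK or RST is set (a reply segment);
        # it keeps no connection state.
        if st["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            return False
    if st["proto"] == "icmp" and st["icmp"] is not None:
        return pkt["icmp"] == ICMP_MESSAGES[st["icmp"]]
    return True


def evaluate_extended_acl(acl, pkt):
    """Top-down first match; the implicit 'deny ip any any' is ('deny', None)."""
    for index, st in enumerate(acl):
        if statement_matches(st, pkt):
            return st["action"], index
    return "deny", None


INSIDE = ("192.168.1.0", "0.0.0.255")
# Python form of this constructed IOS list:
#   access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq www
#   access-list 110 permit tcp any 192.168.1.0 0.0.0.255 established
#   access-list 110 permit udp 192.168.1.0 0.0.0.255 host 192.168.2.53 eq dns
#   access-list 110 deny   icmp any any echo
#   access-list 110 permit icmp any any
ACL_110 = [
    entry("permit", "tcp", INSIDE, ANY, dport=("eq", "www")),
    entry("permit", "tcp", ANY, INSIDE, established=True),
    entry("permit", "udp", INSIDE, host("192.168.2.53"), dport=("eq", "dns")),
    entry("deny", "icmp", ANY, ANY, icmp="echo"),
    entry("permit", "icmp", ANY, ANY),
]
```

Feeding ACL_110 an inbound SYN to port 23 shows why the established keyword is only a weak substitute for stateful inspection: it is not matched by statement 2 and falls to the implicit deny, but any segment with the ACK bit set from any source is accepted by that statement regardless of whether a connection exists.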
Controlling Telnet Access to a Router
   Standard IP ACLs control Telnet access to the router. The access-class command applies such an ACL; the syntax of this command is:
     access-class standard_ACL_# in|out
   Cisco routers let you restrict Telnet access for normal users
   You can configure your router to allow Telnet access only from the network administrators
Named ACLs
   Named ACLs support both IP and IPX protocols
   The ip access-list command creates a named ACL
   The syntax of this command is:
     ip access-list standard|extended ACL_name
   After creating a named ACL, you have to activate it on the router interface
   The ip access-group command given below activates the named ACL:
     ip access-group ACL_name in|out
Verifying and Monitoring Access Control Lists
   To view the ACLs that are activated on the router's interfaces, use the following command:
     show ip interface
   Cisco IOS lets you monitor each statement in an ACL. To view the statements in the ACL, use the following commands:
     show access-lists [ACL_#_or_name]
     show ip access-list [ACL_#_or_name]
Placing ACLs
   You have to decide where to place the ACL depending on the source and destination addresses to be filtered
   You must consider the following while placing the ACLs:
     Standard ACL
     Extended ACL
Case Study
The Gujarat branch of the Blue Diamond steel company has recruited a few engineers in the Software Management department. The company gets a new project from its client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.
Network of the Organization
Problem
   Placement of the standard ACL on the router
Suggested Solution
You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server.
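The case study and the placement rules in the Placing ACLs and Summary slides can be tested on a small model. The following Python script is an added example, not from the slides: it models one router whose interfaces carry an inbound and an outbound ACL, forwards a packet only if both checks pass, and compares three placements of the "engineers must not reach the server" policy. The topology (interface names Fa0/0 to Fa0/2, the 192.168.x.0/24 subnets, the server at 192.168.20.10) is an assumption of mine, since the slides' figure is not reproduced here.

```python
"""ACL placement for the case study, modelled in Python. A router forwards a
packet only if it passes the inbound ACL of the ingress interface and the
outbound ACL of the egress interface. Added example; not from the slides.
Interface names, subnets and host addresses are constructed."""
import ipaddress

# Constructed topology: one router, three directly connected LANs.
INTERFACES = {
    "Fa0/0": "192.168.10.0/24",   # engineers
    "Fa0/1": "192.168.20.0/24",   # server LAN; the server is 192.168.20.10
    "Fa0/2": "192.168.30.0/24",   # other staff
}

ANY = ("0.0.0.0", "255.255.255.255")
ENGINEERS = ("192.168.10.0", "0.0.0.255")
SERVER = ("192.168.20.10", "0.0.0.0")       # IOS: host 192.168.20.10


def interface_for(addr):
    """Interface the router uses to reach addr (directly connected LANs only)."""
    ip = ipaddress.IPv4Address(addr)
    for name, net in INTERFACES.items():
        if ip in ipaddress.IPv4Network(net):
            return name
    raise ValueError(f"no route to {addr}")


def wildcard_match(packet_addr, acl_addr, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(packet_addr)) & care) == (
        int(ipaddress.IPv4Address(acl_addr)) & care)


def acl_action(acl, src, dst):
    """Statement: (action, (src, wildcard), (dst, wildcard) or None).
    A standard ACL tests only the source, so its destination field is None."""
    for action, s, d in acl:
        if wildcard_match(src, *s) and (d is None or wildcard_match(dst, *d)):
            return action
    return "deny"                         # implicit deny


def forward(applied, src, dst):
    """applied: {(interface, 'in'|'out'): acl}, as ip access-group sets it."""
    ingress, egress = interface_for(src), interface_for(dst)
    for key in ((ingress, "in"), (egress, "out")):
        acl = applied.get(key)
        if acl is not None and acl_action(acl, src, dst) == "deny":
            return "deny"
    return "permit"


# access-list 10 deny 192.168.10.0 0.0.0.255  /  access-list 10 permit any
STANDARD_ACL_10 = [("deny", ENGINEERS, None), ("permit", ANY, None)]
# access-list 110 deny ip 192.168.10.0 0.0.0.255 host 192.168.20.10
# access-list 110 permit ip any any
EXTENDED_ACL_110 = [("deny", ENGINEERS, SERVER), ("permit", ANY, ANY)]

PLACEMENTS = {
    "standard, near destination": {("Fa0/1", "out"): STANDARD_ACL_10},
    "standard, near source": {("Fa0/0", "in"): STANDARD_ACL_10},
    "extended, near source": {("Fa0/0", "in"): EXTENDED_ACL_110},
}

FLOWS = {
    "engineer->server": ("192.168.10.5", "192.168.20.10"),
    "engineer->staff": ("192.168.10.5", "192.168.30.7"),
    "engineer->other host on server LAN": ("192.168.10.5", "192.168.20.99"),
    "staff->server": ("192.168.30.7", "192.168.20.10"),
}


def evaluate_placement(name):
    applied = PLACEMENTS[name]
    return {flow: forward(applied, src, dst) for flow, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    for name in PLACEMENTS:
        print(name, evaluate_placement(name))
```

The "standard, near source" row shows the failure the case study warns about: a standard ACL applied inbound on the engineers' interface cuts them off from every network behind the router, not just the server. The "other host on server LAN" flow adds the caveat the slides do not spell out: even placed near the destination, a standard ACL blocks everything on that interface, so if the server shares its LAN with other hosts only the extended ACL near the source gives the precise policy.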
Summary - I
   An access control list is a set of commands grouped together to filter the traffic that enters or leaves an interface
   An ACL is a list of statements grouped together under a name or number. When the router processes a packet against an ACL, it compares the packet with the statements in order to find a match
   After building an IP ACL, you have to apply it to an interface or process in IOS
   Extended numbered ACLs are more flexible than standard ACLs
Summary - II
   If the router finds a match between the packet and a statement, it executes one of the two actions included with the statement. The actions are:
     Permit
     Deny
   A need may arise to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
   To handle the IP addresses in ACL statements, wildcard masks can be used to match a range of addresses instead of entering each address manually
Summary - III
   A wildcard mask is similar to an inverted subnet mask. To match any address in a subnet or network, take the subnet mask and invert its bit values
   You must consider the following while placing the ACLs:
     Standard ACL - Needs to be placed close to the destination device that you want to prevent the source from reaching
     Extended ACL - Needs to be placed close to the source device. The extended ACL can filter on both the source and the destination address
