Access Lists
Traffic Cops
Decide what can pass through the router
Set of YES/NO filters
Have several uses
Use ACLs
To filter traffic
Reference NAT pools
Debugging
With route maps for routing
Types of ACL
Standard
Extended
Named
Standard IP ACL
Numbered from 1 to 99
Can filter on source host/network
Can't filter on ports or protocols
Extended IP ACLs
Numbered from 100 to 199
Filter on source, destination, port, protocol, etc.
More complicated to configure
Named ACLs
Names instead of numbers
Can be standard or extended
Slightly different commands
Need to Know...
Port numbers
Command syntax
ACL rules
Common Ports
Port      Service
20        FTP Data
21        FTP Control
22        SSH
23        Telnet
25        SMTP
53        DNS
69        TFTP
80        HTTP
110       POP3
119       NNTP
123       NTP
161/162   SNMP
443       HTTPS
Command Syntax
We will come to this!
ACL Rule #1
One ACL per interface per direction
Each interface: one incoming, one outgoing
ACL Rule #2
Processed top down
Example: incoming packet from 172.16.1.1
Permit 10.0.0.0       No match
Permit 192.168.1.1    No match
Permit 172.16.0.0     Match, permit
Permit 172.16.1.0     Not processed
Deny 172.16.1.1       Not processed
ACL Rule #3
Implicit deny all at bottom
Example: incoming packet from 172.20.1.1
Permit 10.0.0.0       No match
Permit 192.168.1.1    No match
Permit 172.16.0.0     No match
Permit 172.16.1.0     No match
Deny all (implicit)   Match, DROP PACKET
ACL Rule #4
Router can't filter self-generated traffic
Example: ACL denies 172.16.1.1. A ping to 172.16.1.1 passing through the router is BLOCKED; a ping to 172.16.1.1 sent by the router itself is not filtered by that ACL.
ACL Rule #6
Disable ACL on the interface
R1(config)#no ip access-group 101 in
ACL Rule #7
Can reuse the same ACL
Example: ACL 101 (deny web traffic) applied inbound on both S0/0 and S0/1
S0/0   ACL 101 IN
S0/1   ACL 101 IN
ACL Rule #8
Keep them short
Most specific rules at top
Example (wrong order):
Permit 10.0.0.0
Permit 192.168.1.1
Permit 172.16.0.0
Deny 172.16.1.1       Should be at top
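Added example (not from the slides): a small Python model of the matching behaviour in Rules #2, #3 and #8, run against the slide's own entries. The wildcard masks are assumed, since the slides list only the addresses; `evaluate` walks the list top down with an implicit deny at the end, and `most_specific_first` reorders entries so the host deny is no longer shadowed by the broader permit above it.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL entry: (action, address, wildcard mask). Wildcard masks are assumed here;
# the slides list only the addresses.
Entry = Tuple[str, str, str]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits the router actually compares
    return (a & care) == (n & care)

def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Rules #2 and #3: walk top down, first match wins; a packet that reaches
    the end hits the implicit deny (returned with index None)."""
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src, network, wildcard):
            return action, idx
    return "deny", None

def most_specific_first(acl: List[Entry]) -> List[Entry]:
    """Rule #8: order entries by how many address bits they compare (host entries
    first, wide networks last). The sort is stable, so ties keep their order."""
    def care_bits(entry: Entry) -> int:
        w = int(ipaddress.IPv4Address(entry[2]))
        return bin(0xFFFFFFFF ^ w).count("1")
    return sorted(acl, key=care_bits, reverse=True)

# Constructed standard ACL mirroring the slide examples (masks assumed).
ACL_SLIDE: List[Entry] = [
    ("permit", "10.0.0.0",    "0.255.255.255"),
    ("permit", "192.168.1.1", "0.0.0.0"),
    ("permit", "172.16.0.0",  "0.0.255.255"),
    ("permit", "172.16.1.0",  "0.0.0.255"),
    ("deny",   "172.16.1.1",  "0.0.0.0"),   # never reached: shadowed by the entries above
]

if __name__ == "__main__":
    for src in ("172.16.1.1", "172.20.1.1"):
        print(src, "as listed:", evaluate(ACL_SLIDE, src),
              "reordered:", evaluate(most_specific_first(ACL_SLIDE), src))
```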
ACL Rule #9
Place as close to traffic source as possible
Example: ACL 101 IN on S0/1, far from the source, marked "Do not put it here"
End