ITE I Chapter 6
Cisco Public
Objectives
Extended ACLs
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
A TCP Conversation
Packet Filtering
Destination IP address
ICMP message type
Packet Filtering
Router(config)#access-list 101 deny ?
<0-255> An IP protocol number
ahp
eigrp
esp
gre
icmp
igmp
igrp
ip
ipinip IP in IP tunneling
nos
ospf
pcp
pim
tcp
udp
What is an ACL?
If corporate policy does not allow video traffic, ACLs can block video traffic.
ACLs can allow one host to access a part of the network and prevent others from
accessing the same area.
ACLs can permit or deny a user to access file types, such as FTP or HTTP.
ACL Operation
Standard ACLs
Extended ACLs
Because the software stops testing conditions after the first match, the order of the
conditions is critical.
If no conditions match, the packet is rejected (the implicit deny at the end of every list).
Step 1. Create an access list by specifying an access list number or name and access
conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
Figure: one ACL with five statements versus five separate ACLs
  Access-list 5 permit (repeated five times, one statement per group)
OR
5 different groups, one ACL each:
  Access-list 1 permit
  Access-list 2 permit
  Access-list 3 permit
  Access-list 4 permit
  Access-list 5 permit
ACLs can act as firewalls to filter packets and eliminate unwanted traffic. Every
ACL should be placed where it has the greatest impact on efficiency.
The basic rules are:
Locate extended ACLs as close as possible to the source of the traffic denied. This
way, undesirable traffic is filtered without crossing the network infrastructure.
Because standard ACLs do not specify destination addresses, place them as close to
the destination as possible.
Figure (ACL placement): Source -> Destination
Using ACLs requires attention to detail and great care. Mistakes can be
costly in terms of downtime, troubleshooting efforts, and poor network
service.
Before starting to configure an ACL, basic planning is required.
The figure presents guidelines that form the basis of an ACL best
practices list.
In the figure, packets that come in Fa0/0 are checked for their source addresses:
access-list 2 deny 192.168.10.1
If packets are permitted, they are routed through the router to an output interface.
If packets are not permitted, they are dropped at the incoming interface.
Remove ACL
Remark ACL
Example 1
Example 2
Example 3
Step 2. Highlight the ACL, copy it, and then paste it into Notepad.
Step 4. Paste the new ACL into the configuration of the router.
Commenting ACLs
Step 2. From the named ACL configuration mode, use the permit
or deny statements to specify one or more conditions for
determining if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
ACL names can include the dash (-), the underscore (_),
and the period (.).
ACL names must start with an alphabetic character, and
must be unique from all other ACLs of all types on the
switch router.
You cannot use keywords from any command as an
ACL name.
http://www.cisco.com/univercd/cc/td/doc/product/l3sw/8540/12_1/lhouse/sw_confg/8500acl.htm
When you finish an ACL configuration, use Cisco IOS show commands
to verify the configuration.
In the figure the top example shows the Cisco IOS syntax to display the
contents of all ACLs.
The bottom example shows the result of issuing the show access-lists
command on router R1. The capitalized ACL names, SALES and ENG, stand
out in the screen output.
In the first show command output, you can see that the
ACL named WEBSERVER has three numbered lines.
To grant another workstation access in the list only
requires inserting a numbered line. The workstation with
the IP address 192.168.11.10 is being added.
The final show command output verifies that the new
workstation is now allowed access.
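The two behaviours described above, first-match evaluation with an implicit deny at the end of the list and insertion of a numbered line into an existing named ACL, can be exercised offline with the small simulator below. This is an added example, not code from the Cisco course; the router itself evaluates ACLs, and this script only models that logic for IOS-style standard ACL entries. The three WEBSERVER entries are constructed sample lines (the page does not show the real ones), and the class and function names are the example's own.

```python
"""Model of standard IP ACL evaluation: first match wins, implicit deny at the end.

Added example (not from the Cisco course material). Parses IOS-style standard
ACL entries with wildcard masks, evaluates a source address in sequence-number
order, and shows how inserting a numbered line changes the result.
"""
import ipaddress
import re

# Accepts entries such as "10 permit host 192.168.11.10",
# "deny 192.168.11.0 0.0.0.255" or "permit any" (sequence number optional).
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rest>.+?)\s*$"
)


def _ip(text):
    """Dotted-quad string -> 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(text))


def parse_entry(text):
    """Return (seq_or_None, action, network_int, wildcard_int) for one ACL line."""
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"not a standard ACL entry: {text!r}")
    seq = int(m["seq"]) if m["seq"] else None
    tokens = m["rest"].split()
    if tokens == ["any"]:
        net, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
    elif tokens[0] == "host" and len(tokens) == 2:
        net, wild = _ip(tokens[1]), 0      # single address, exact match
    elif len(tokens) in (1, 2):
        net = _ip(tokens[0])
        # IOS treats a missing wildcard on a standard ACL as 0.0.0.0 (exact host)
        wild = _ip(tokens[1]) if len(tokens) == 2 else 0
    else:
        raise ValueError(f"cannot parse source in: {text!r}")
    return seq, m["action"], net, wild


class StandardAcl:
    """A named standard ACL whose entries are kept sorted by sequence number."""

    def __init__(self, name, lines=()):
        self.name = name
        self.entries = []                  # (seq, action, net, wild)
        for line in lines:
            self.add(line)

    def add(self, text):
        """Add an entry; unnumbered lines get the next multiple of 10, as IOS does."""
        seq, action, net, wild = parse_entry(text)
        if seq is None:
            seq = self.entries[-1][0] + 10 if self.entries else 10
        if any(e[0] == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.entries.append((seq, action, net, wild))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def evaluate(self, src):
        """Return (action, seq) of the first matching entry, or ('deny', None)."""
        addr = _ip(src)
        for seq, action, net, wild in self.entries:
            # A wildcard bit of 1 means "don't care"; bits set to 0 must match.
            if ((addr ^ net) & ~wild) == 0:
                return action, seq
        return "deny", None                # implicit deny at the end of every ACL

    def show(self):
        """Lines resembling 'show access-lists' output for this ACL."""
        out = [f"Standard IP access list {self.name}"]
        for seq, action, net, wild in self.entries:
            src = "any" if wild == 0xFFFFFFFF else str(ipaddress.IPv4Address(net))
            mask = "" if wild in (0, 0xFFFFFFFF) else f", wildcard bits {ipaddress.IPv4Address(wild)}"
            out.append(f"    {seq} {action} {src}{mask}")
        return out


def demo():
    """Constructed WEBSERVER list: add 192.168.11.10 with a numbered line."""
    acl = StandardAcl("WEBSERVER", [
        "10 permit host 192.168.10.10",
        "20 permit host 192.168.10.11",
        "30 deny 192.168.11.0 0.0.0.255",
    ])
    before = acl.evaluate("192.168.11.10")   # hits line 30 -> ('deny', 30)
    acl.add("15 permit host 192.168.11.10")  # inserted between lines 10 and 20
    after = acl.evaluate("192.168.11.10")    # now ('permit', 15)
    return before, after, acl


if __name__ == "__main__":
    before, after, acl = demo()
    print("before:", before, "after:", after)
    print("\n".join(acl.show()))
```

Ordering matters exactly as the text says: if the same workstation were added as line 40 instead of line 15, line 30 would still match first and the host would remain denied, which is the kind of mistake a quick `show access-lists` after the change is meant to catch.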
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtaclace.htm
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater
range of control and, therefore, add to your security solution.
For more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199
and 2000 to 2699 providing a total of 799 possible extended ACLs.
Figure: the same process is repeated again for the outgoing interface.