Access Control Lists Lecture 1 - PowerPoint PPT Presentation
1
Access Control Lists Lecture 1
  • PJC CCNA Semester 2 Ver. 3.0
  • by
  • William Kelly

2
ACL Definition
  • An ACL is a sequential list of permit and/or deny
    statements that control the flow of particular
    protocols or protocol suites into or out of an
    interface, to or from a specific host or group of
    hosts

3
ACL Concepts
  • Applied to a router's interface, in one direction
    (inbound or outbound)
  • Matching traffic is forwarded or blocked
  • Each routed protocol must have its own ACL defined
    (you are only allowed 1 ACL per protocol, per
    interface, per direction)

4
Why Use ACLs ?
  • Controlling traffic can increase network
    performance
  • Distribution of routing updates can be controlled
  • Security can be added at the network boundary
  • Specific types of traffic can be permitted or
    blocked
  • An administrator controls what areas a client
    can access
  • Screen certain hosts to either allow or deny
    access to part of a network

5
Calculate number of ACLs
  • 2 ports, each port running IP and IPX:
    2 ports x 2 protocols x 2 directions = 8 ACLs
  • 2 ports, each port running IP, IPX and AppleTalk:
    2 ports x 3 protocols x 2 directions = 12 ACLs
  • (Remember you need an ACL for each protocol in
    each direction on each port if you want to filter
    all of that traffic)

6
How ACLs Work
  • Packets enter the interface (an inbound ACL on that
    interface is tested first, before the routing lookup)
  • If the packets are routable then they are routed
    toward the outbound interface
  • If there is no outbound access list then the packets
    proceed out the outbound interface
  • If there is an ACL then the packets are tested
    against the ACL statements in sequence: the first
    matching statement decides, and a packet that
    matches no statement is dropped by the implicit
    deny at the end of every list

7
ACL Basic Flowchart
  • (flowchart diagram; not reproduced in the transcript)
8
How does a Router Process an ACL?
  • Does the Layer 2 destination address match the
    interface? (if not, the frame is discarded)
  • Is there an inbound ACL on the receiving interface?
    (tested before the packet is routed)
  • Is there an outbound ACL on the outgoing interface?
    (tested after the routing decision)

9
Creating Standard ACLs
  • ACL statements must be in the correct order! The
    first match wins, so put specific statements before
    general ones (use a flowchart to plan your logic)
  • Numbered ACLs can't be edited in place (only created
    and deleted); a new statement is always appended to
    the end of the list. Write your ACLs in a text
    editor and paste them in. (Later IOS releases add
    sequence numbers that let you insert or remove
    individual lines of a numbered ACL)

10
Configuring ACLs
  • ACLs are created in Global Configuration Mode
  • Standard IP ACLs are numbered 1-99 and Extended IP
    ACLs 100-199 (IOS also provides the expanded ranges
    1300-1999 for standard and 2000-2699 for extended)
  • Plan your ACLs in a flowchart considering the
    protocol or protocol suite, host or group of
    hosts, and interface and direction of filtering

11
Configuring ACLs (cont.)
  • Define the ACL (one command per statement; each
    statement is appended to the list with that number)
  • Router(config)# access-list access-list-number
    {permit | deny} test-conditions
  • Apply the ACL to an interface, in one direction
  • Router(config-if)# protocol access-group
    access-list-number {in | out}
  • (for IP the protocol keyword is ip, so the command
    is ip access-group)
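The following is an added example and is not part of the slides: a small Python evaluator that mimics how a router walks a numbered IP ACL written in the syntax of slides 6, 9 and 11 (statements are tested in order, the first match wins, new statements go to the end, and an implicit deny any closes every list). The configuration text, list numbers, addresses and function names are constructed for this illustration; they are not IOS commands or Cisco code.

```python
# Added example (not from the slides): evaluate packets against numbered IP
# ACLs in the slides' "access-list N permit|deny ..." syntax. The config,
# addresses and function names are constructed for illustration only.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if every bit the wildcard marks 0 ("check") is equal in addr and base."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (any IP protocol), "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]  # destination port from "eq N"; None = any port


def _address(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acls(config: str) -> dict[int, list[Entry]]:
    """Parse 'access-list N permit|deny ...' lines into per-list entry sequences."""
    acls: dict[int, list[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                      # ignore blank lines and other commands
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:             # standard: tests the source address only
            src, src_wc, _ = _address(t, 3)
            entry = Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)
        elif 100 <= number <= 199:        # extended: protocol, source, destination, port
            proto = t[3]
            src, src_wc, i = _address(t, 4)
            dst, dst_wc, i = _address(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entry = Entry(action, proto, src, src_wc, dst, dst_wc, dport)
        else:
            raise ValueError(f"list number {number} is outside 1-99 / 100-199")
        acls.setdefault(number, []).append(entry)   # new statements go to the end
    return acls


def evaluate(entries: list[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> tuple[str, Optional[int]]:
    """Walk the list in order; the first match wins. Returns (action, line index),
    or ("deny", None) for the implicit 'deny any' at the end of every ACL."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


# Constructed sample configuration in the slides' syntax.
CONFIG = """
access-list 10 deny 192.168.1.5 0.0.0.0
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 10.1.1.1 eq 80
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
"""
ACLS = parse_acls(CONFIG)

# Same two statements as list 10 but in the wrong order: the deny can never match.
WRONG_ORDER = parse_acls("""
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 deny 192.168.1.5 0.0.0.0
""")

if __name__ == "__main__":
    print(evaluate(ACLS[10], "ip", "192.168.1.5", "10.0.0.1"))        # ('deny', 0)
    print(evaluate(ACLS[10], "ip", "192.168.1.7", "10.0.0.1"))        # ('permit', 1)
    print(evaluate(ACLS[10], "ip", "192.168.2.7", "10.0.0.1"))        # ('deny', None)
    print(evaluate(ACLS[101], "tcp", "192.168.1.5", "10.1.1.1", 80))  # ('permit', 0)
    print(evaluate(ACLS[101], "tcp", "192.168.1.5", "10.1.1.1", 443)) # ('deny', 1)
    print(evaluate(WRONG_ORDER[20], "ip", "192.168.1.5", "10.0.0.1")) # ('permit', 0)
```

Note that `WRONG_ORDER` returns `permit` for the host the administrator meant to block: the broader permit on line 1 matches first and line 2 is never reached, which is the ordering rule from slide 9. The last return value, `("deny", None)`, is the implicit deny that applies to anything no statement mentions.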

12
Points to remember creating ACLs
  • Outbound ACLs can be more efficient to administer:
    one outbound list on an interface filters traffic
    arriving from every other interface. An inbound ACL,
    though, drops packets before the routing lookup, so
    the router does less work on denied traffic
  • If you need to alter a numbered ACL use
  • no access-list list-number
  • (Remember you can't modify a numbered standard or
    extended ACL in place, so you must erase the whole
    list and create it again with your changes. This
    is why you should create ACLs in a text file)
  • While the list is deleted, an interface that still
    references it filters nothing (a non-existent ACL
    permits all traffic), so re-create the list promptly
    or remove the access-group from the interface first
  • (See Basic Rules in Online Curriculum)

13
Wildcard Mask Bits
  • Wildcard mask bits look like a reversed subnet mask
    but have NO RELATIONSHIP TO SUBNET MASKS!! (the 1
    bits of a wildcard do not have to be contiguous)
  • 0 means check that bit position (it must match)
  • 1 means don't check that bit position

14
Common Wildcard Commands and Abbreviations
  • permit 0.0.0.0 255.255.255.255 is the same as
    permit any
  • permit 181.16.1.1 0.0.0.0 is the same as
    permit host 181.16.1.1 (ONLY A PARTICULAR HOST IS
    MATCHED!!)
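An added example (not from the slides) of the wildcard-mask arithmetic in slides 13 and 14: it derives the wildcard for a prefix length, tests addresses against base/wildcard pairs including the `any` and `host` forms, enumerates what an entry matches, and shows a wildcard (0.0.254.0, 0.0.254.255) whose 1 bits are not contiguous and so has no subnet-mask equivalent, which is the point of "no relationship to subnet masks". The addresses and function names are constructed for illustration; nothing here is an IOS command.

```python
# Added example (not from the slides): wildcard-mask arithmetic. The function
# names and addresses are constructed for illustration only.
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard that matches exactly one /prefix_len block, e.g. 24 -> 0.0.0.255."""
    host_bits = 32 - prefix_len
    return int_ip((1 << host_bits) - 1)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Bit 0 in the wildcard = must equal base; bit 1 = don't care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def is_inverted_subnet_mask(wildcard: str) -> bool:
    """True only when the wildcard's 1 bits form one contiguous low-order run,
    i.e. it is the bitwise inverse of a valid subnet mask. Wildcards such as
    0.0.254.255 are legal in an ACL but fail this test."""
    w = ip_int(wildcard)
    return (w & (w + 1)) == 0


def matching_addresses(base: str, wildcard: str) -> list[str]:
    """Enumerate every address an entry matches (limited to small wildcards)."""
    w = ip_int(wildcard)
    if bin(w).count("1") > 16:
        raise ValueError("wildcard matches too many addresses to enumerate")
    fixed = ip_int(base) & ~w & 0xFFFFFFFF   # bits that must equal the base
    out, sub = [], 0
    while True:                               # walk every subset of the 1 bits
        out.append(int_ip(fixed | sub))
        if sub == w:
            return out
        sub = (sub - w) & w


if __name__ == "__main__":
    print(wildcard_for_prefix(24))                              # 0.0.0.255
    print(matches("181.16.1.1", "181.16.1.1", "0.0.0.0"))       # True  (host form)
    print(matches("8.8.8.8", "0.0.0.0", "255.255.255.255"))     # True  (any form)
    # 0.0.6.0 leaves bits 9 and 10 unchecked: third octet 1, 3, 5 or 7.
    print(matching_addresses("172.16.1.0", "0.0.6.0"))
    # 0.0.254.255 checks only the low bit of the third octet: every odd /24.
    print(matches("172.16.3.9", "172.16.1.0", "0.0.254.255"))   # True
    print(matches("172.16.4.9", "172.16.1.0", "0.0.254.255"))   # False
    print(is_inverted_subnet_mask("0.0.254.255"))               # False
```

The subnet-mask check is a one-liner because a contiguous run of low-order 1 bits is exactly the set of integers `w` for which `w & (w + 1) == 0`. Non-contiguous wildcards like `0.0.254.0` are how one statement can match, for example, all odd-numbered /24 subnets; a subnet mask can never express that, which is why the slide insists the two are unrelated.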

15
Commands to verify ACLs
  • show ip interface: indicates whether any ACLs are
    applied to an interface, and in which direction
  • show access-lists: displays the contents of all
    the ACLs, with the number of matches per statement
  • show running-config: also shows the access lists
    and the interfaces to which they are assigned

16
Standard ACLs
  • Allow denying/permitting traffic from a specific
    host/group of hosts and/or protocol suite
  • Use numbers 1-99
  • Only 1 ACL per protocol, per interface, per
    direction is allowed
  • Can only check the source address, so they should
    be placed as close to the destination as possible
    (placed near the source they would cut the source
    off from everything, not just the intended
    destination)

17
Extended ACLs
  • Allow denying/permitting traffic from a specific
    host/group of hosts and/or protocol suite/protocol
    and/or port/group of ports
  • Use numbers 100-199
  • Only 1 ACL per protocol, per interface, per
    direction is allowed
  • Can check source and destination address (and port),
    so they should be placed as close to the source as
    possible, stopping unwanted traffic before it
    crosses the network

18
Named ACLs
  • Names for standard and extended ACLs can be
    alphanumeric strings
  • Use deny/no deny or permit/no permit inside the
    named ACL's configuration mode to add or remove
    individual conditions of a named standard or
    extended ACL without deleting the whole list
  • You can't use the same alphanumeric name twice!