Access List

Title: Access List
Slides: 36
Provided by: hardnaraC

Transcript and Presenter's Notes

1
Access List

2
Access Lists and Their Applications
  • Describe what access lists are and the applications they are used for.
  • Configure standard and extended access lists, applied inbound or outbound.

3
Introducing Access Lists
Why Use Access Lists?
  • Packet filtering lets the router decide which traffic it forwards and which it blocks, so IP traffic can be managed as network access grows.
  • An access list specifies which hosts or networks may reach a given part of the network.
  • For example, Telnet from one group of hosts can be permitted while Telnet from other hosts is denied.
  • Beyond filtering, an access list is a general way of identifying traffic that other router features then act on.

4
Access List Applications
  • Transmission of packets on an interface: packets crossing an interface can be permitted or denied.
  • Virtual terminal line access (IP): vty access to or from the router can be permitted or denied.
  • Without access lists, every packet could be transmitted to every part of the network.

5
Other Access Lists Uses
Priority and custom queuing
  • The router uses an access list to identify which traffic is placed in a higher-priority queue or in a particular custom queue (the queue list).
Dial-on-demand routing
  • On ISDN and dial-up links the access list defines "interesting" traffic: only packets it permits bring the link up or keep it up, so uninteresting traffic does not run up connection time.
Route filtering
  • An access list selects which routes a routing protocol accepts or advertises, and so controls what enters the routing table.
6
Types of Access Lists
  • IP access lists come in two types, distinguished by what they examine and by their number range.
  • Standard Access List
    - Checks only the source address of the packet.
    - Permits or denies the whole TCP/IP protocol suite for that source; it cannot distinguish applications such as FTP, TFTP or Telnet.
  • Extended Access List
    - Checks both the source address and the destination address.
    - Can also permit or deny particular protocols and applications (FTP, TFTP, Telnet) by protocol and port number.

7
How Access Lists Operate
Outbound ACL Operation (flowchart)
  1. A packet arrives on an inbound interface (S0) and the routing table selects the outbound interface.
  2. Is there an access list on the outbound interface? No: transmit the packet. Yes: test it against the list's statements.
  3. Does a matching statement permit the packet? Yes: transmit it. No: discard it (packet discard bucket) and notify the sender.
  • If no access list statement matches, the packet is discarded.

8
Testing Against Access List Statements (flowchart)
Packets arriving at an interface in the access group are tested against the list of statements, a list of tests each ending in deny or permit:
  • Statement 1 matches? Yes: apply its deny or permit. No: go to the next statement.
  • Statement 2 matches? Yes: apply its deny or permit. No: go to the next statement.
  • Last statement matches? Yes: apply its deny or permit. No: fall through to the implicit deny.
  • Implicit Deny: if no match, deny all (packet discard bucket).
A permitted packet is sent on to its destination interface.
9
Implementing Access Lists
Access Lists Configuration Guidelines
  • One access list per interface, per direction (inbound, outbound), per protocol (IP, IPX and so on).
  • Statements are processed top-down: the first statement that matches decides, and the rest of the list is not examined.
  • A numbered list cannot be edited in place: a new statement is always appended at the end, and individual statements cannot be removed. Named access lists let you remove individual statements.
  • Every access list ends with an implicit deny all; a list that contains only deny statements blocks everything.
  • An IP standard access list should be placed close to the destination.
  • An IP extended access list should be placed close to the source.
  • Order the statements so that the more specific tests come before the general ones.
  • Create the access list before applying it to an interface.
  • Access lists do not block packets that originate on the router itself.

10
Inbound and Outbound Access Lists
  • Inbound Access List
    - Packets are tested against the list as they enter the interface, before the router looks up the outbound interface. A packet denied inbound is dropped without a routing-table lookup, which saves lookup overhead and is the more efficient choice.
  • Outbound Access List
    - Packets are first routed to the outbound interface and only then tested against the list applied there; a denied packet is dropped after routing.
  • If no access list is applied on an interface, packets pass through it in both directions unfiltered.
  • The router checks each packet against the statements in order and permits or denies it according to the first match.
  • A packet that matches no statement is dropped by the implicit deny.

11
How to Identify Access Lists
IP access list type    Number range / identifier
  Standard             1-99, 1300-1999
  Extended             100-199, 2000-2699
  Named                a name instead of a number
Named access lists are identified by their name rather than by a number.
12
Testing Packets with Standard Access Lists
Source Address
Use access list statements 1-99
  • A standard list looks only at the source address in the IP header and permits or denies the packet on that basis (Layer 3 only: no protocol or port checks).
  • Standard access lists use the numbers 1-99.

13
Testing Packets with Extended Access Lists
  • Extended access lists test Layer 3 and Layer 4 information and use the numbers 100-199.
  • They can filter on source address, destination address, protocol (TCP, UDP, ICMP) and port number (Telnet 23, FTP 20 and 21, DNS 53, and so on).

14
Wildcard Masking
Wildcard Bits: How to Check the Corresponding Address Bits
  0 = check the corresponding address bit, 1 = ignore it
Examples (one octet, 8 bit positions):
  00000000   check all address bits (match the address exactly)
  00111111   ignore the last 6 address bits
  00001111   ignore the last 4 address bits
  11111100   check the last 2 address bits only
  11111111   ignore all address bits (match any value)
  • The wildcard mask is used in access list statements and in the OSPF network command. Its rule is:
    - a wildcard bit of 0 means the corresponding bit of the IP address must match;
    - a wildcard bit of 1 means the corresponding bit is ignored.
  • Do not confuse it with a subnet mask, where 1 marks the network portion and 0 the host portion. For a contiguous block the wildcard mask is the bitwise inverse of the subnet mask, but a wildcard mask need not be contiguous.

15
Wildcard Bits (address mapping examples)
Address       Wildcard mask      Meaning                                                          Addresses matched
130.0.0.0     0.255.255.255      first 8 bits checked: the 130.0.0.0/8 network                    130.0.0.0 - 130.255.255.255
130.10.0.0    0.0.255.255        first 16 bits checked: the 130.10.0.0/16 network                 130.10.0.0 - 130.10.255.255
130.10.8.0    0.0.7.255          third octet 00000111, first 21 bits checked: 130.10.8.0/21       130.10.8.0 - 130.10.15.255
130.10.8.0    0.0.0.255          first 24 bits checked: the 130.10.8.0/24 network                 130.10.8.0 - 130.10.8.255
130.10.8.1    0.0.0.0            all 32 bits checked: the single host 130.10.8.1 ("host 130.10.8.1")   130.10.8.1
0.0.0.0       255.255.255.255    no bits checked: every IP address ("any")                        all addresses
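The wildcard-mask rule above is simple to get wrong by hand, so here is the arithmetic worked through in code. This is an added example written for this page, not material from the presentation or from Cisco; it runs the rows of the table above through plain Python and also shows a non-contiguous mask (0.0.0.254, a constructed example) that matches only even host addresses, which a subnet mask could never express.

```python
# Added example, not part of the slide deck: wildcard-mask arithmetic behind
# the address table above. Plain Python on the standard library only.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefixlen: int) -> str:
    """Wildcard mask for a /prefixlen block: the bitwise inverse of the subnet mask."""
    subnet_mask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return to_dotted(subnet_mask ^ ALL_ONES)


def prefix_from_wildcard(wildcard: str):
    """Prefix length that a wildcard mask corresponds to, or None when the
    mask's 1-bits are not one contiguous low-order run (such a mask matches a
    scattered set of addresses, not a subnet)."""
    ones = to_int(wildcard) + 1          # contiguous low-order ones => power of two
    if ones & (ones - 1):
        return None
    return 33 - ones.bit_length()


def matches(address: str, base: str, wildcard: str) -> bool:
    """The router's test: bits whose wildcard bit is 0 must equal the base
    address; bits whose wildcard bit is 1 are ignored."""
    check = to_int(wildcard) ^ ALL_ONES   # 1 = this bit must match
    return (to_int(address) & check) == (to_int(base) & check)


def matched_range(base: str, wildcard: str):
    """(lowest, highest) address matched by a contiguous wildcard mask."""
    if prefix_from_wildcard(wildcard) is None:
        raise ValueError("non-contiguous wildcard does not describe a single range")
    w = to_int(wildcard)
    lowest = to_int(base) & (w ^ ALL_ONES)
    return to_dotted(lowest), to_dotted(lowest | w)


# The rows of the slide's table as (address, wildcard) pairs.
TABLE = [
    ("130.0.0.0", "0.255.255.255"),
    ("130.10.0.0", "0.0.255.255"),
    ("130.10.8.0", "0.0.7.255"),
    ("130.10.8.0", "0.0.0.255"),
    ("130.10.8.1", "0.0.0.0"),
    ("0.0.0.0", "255.255.255.255"),
]


def describe(base: str, wildcard: str) -> str:
    prefix = prefix_from_wildcard(wildcard)
    if prefix is None:
        return f"{base} {wildcard}: non-contiguous mask, matches a scattered set"
    low, high = matched_range(base, wildcard)
    return f"{base} {wildcard}: /{prefix}, matches {low} - {high}"


if __name__ == "__main__":
    for base, wildcard in TABLE:
        print(describe(base, wildcard))
    # Constructed extra case: 0.0.0.254 checks only the lowest bit of the last
    # octet, so it matches every even host address in 172.16.4.0/24.
    print(describe("172.16.4.0", "0.0.0.254"))
    print(matches("172.16.4.12", "172.16.4.0", "0.0.0.254"),
          matches("172.16.4.13", "172.16.4.0", "0.0.0.254"))
```

Note that a wildcard of 0.0.7.255 reaches 130.10.15.255, not 130.10.8.255: the ignored bits span the whole /21, which is why the table's third row covers eight /24 networks.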
16
Configuring IP Access Lists
  • Configure standard and extended IP access lists.
  • Configure named access lists.
  • Configure vty access lists.
  • Verify and monitor access lists.

17
Access Lists Command Overview
Step 1, in global configuration mode, create the list:
  Router(config)# access-list access-list-number {permit | deny} {test conditions}
Step 2, in interface configuration mode, apply it:
  Router(config-if)# {protocol} access-group access-list-number {in | out}
  • Standard IP lists (1-99)
  • Extended IP lists (100-199)
  • Standard IP lists (1300-1999) (expanded range)
  • Extended IP lists (2000-2699) (expanded range)

18
Configuring Standard IP Access Lists
Standard IP Access Lists Configuration
  Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]
  Router(config)# access-list access-list-number remark text
  • Sets parameters for this list entry.
  • access-list-number is 1 to 99.
  • The default wildcard mask is 0.0.0.0, which matches the single source address.
  • no access-list access-list-number removes the entire list, not one entry.
  • remark attaches a comment describing what the list or entry is for.

  Router(config-if)# ip access-group access-list-number {in | out}
  • Activates the standard list on an interface.
  • The default direction is outbound.
  • no ip access-group access-list-number removes the list from the interface.
  • Remove the list from its interfaces before deleting it: an interface that references an access list with no entries permits all traffic.

19
Example 1: permit my network only
Only traffic from the 172.16.0.0 network may be sent out Ethernet 0 and Ethernet 1; the list is applied outbound on both interfaces.
Topology: 172.16.3.0 on E0 (host 172.16.3.5), 172.16.4.0 on E1 (host 172.16.4.13), S0 toward the networks outside 172.16.0.0.
  Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group 1 out
  Router(config-if)# interface ethernet 1
  Router(config-if)# ip access-group 1 out
The implicit deny at the end of list 1 drops everything that does not come from 172.16.0.0/16.
20
Example 2: deny a specific host
Deny traffic from host 172.16.4.13 out Ethernet 0; all other traffic is permitted.
Topology: 172.16.3.0 on E0 (host 172.16.3.5), 172.16.4.0 on E1 (host 172.16.4.13), S0 toward the networks outside 172.16.0.0.
  Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
  Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group 1 out
The deny statement must come before the permit-all statement: in the reverse order the permit matches every packet first and the host is never denied. "172.16.4.13 0.0.0.0" can also be written "host 172.16.4.13", and "0.0.0.0 255.255.255.255" as "any".
21
Example 3: deny a specific subnet
Deny traffic from the 172.16.4.0/24 subnet out Ethernet 0; all other traffic is permitted.
Topology: 172.16.3.0 on E0 (host 172.16.3.5), 172.16.4.0 on E1 (host 172.16.4.13), S0 toward the networks outside 172.16.0.0.
  Router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
  Router(config)# access-list 1 permit any
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group 1 out
22
Configuring Virtual Terminal Access Lists
Filtering vty Access to a Router
  • Telnet sessions to the router terminate on virtual ports.
  • The virtual ports are called virtual terminal (vty) lines.
  • By default there are five vty lines, numbered 0 to 4.
  • Access to the vty lines can be filtered with an access list.

23
How to Control vty Access
  • Telnet to the router (an application-layer service) is controlled not with an extended IP access list on the interfaces but with a standard IP access list applied to the vty lines with the access-class command.
  • Set identical restrictions on all vty lines, because you cannot control which line an incoming user will land on.
  • If only some of the vty lines carry the access-class, a Telnet session that lands on an unrestricted line bypasses the filter.

24
vty Commands
  1. Create a standard access list in global configuration mode.
  2. Enter line configuration mode for the vty lines (0 to 4):
     Router(config)# line vty {vty# | vty-range}
  3. Apply the list with access-class:
     Router(config-line)# access-class access-list-number {in | out}
25
vty Access Example
  Router(config)# access-list 2 permit 192.168.1.0 0.0.0.255
  !
  Router(config)# line vty 0 4
  Router(config-line)# access-class 2 in
  • Permits Telnet sessions to the router's virtual terminals only from hosts on 192.168.1.0/24; Telnet from any other source is denied.
  • The implicit deny any at the end of the list does not have to be written out.
  • A host that passes the access-class must still supply the line password for user mode and the enable password for privileged mode.

26
Standard and extended access lists compared
                   Standard                                   Extended
What is checked    source address only                        source and destination address, protocol, port
What is filtered   the whole TCP/IP suite, by source          specific protocols and applications within IP
Number range       1-99                                       100-199
Well-known TCP/UDP port numbers used in extended lists:
  20  FTP (File Transfer Protocol) data
  21  FTP control
  23  Telnet
  25  SMTP (Simple Mail Transfer Protocol)
  53  DNS (Domain Name System)
  69  TFTP (Trivial File Transfer Protocol)
  80  WWW (HTTP, HyperText Transfer Protocol)
27
Configuring Extended IP Access Lists
Extended IP Access Lists Configuration
  Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
  • Sets parameters for this list entry. operator is eq, neq, gt, lt or range; established matches only TCP segments with the ACK or RST bit set, that is, replies belonging to a session opened from the other side; log records matching packets.

  Router(config-if)# ip access-group access-list-number {in | out}
  • Activates the extended list on an interface.

28
Example 1: deny FTP from one subnet
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 and permit all other traffic; the list is applied inbound on Ethernet 1, the interface on which traffic from 172.16.4.0 enters the router.
Topology: 172.16.3.0 on E0, 172.16.4.0 on E1 (host 172.16.4.13), S0 toward the networks outside 172.16.0.0.
  Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
  Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
  Router(config)# access-list 101 permit ip any any
  Router(config)# interface ethernet 1
  Router(config-if)# ip access-group 101 in
Denying port 21 is what stops FTP sessions, since no data transfer can be negotiated without the control connection. The port 20 entry only covers active-mode data connections; a passive-mode data connection uses a server-assigned ephemeral port and would be permitted by the final statement.
29
Example 2: deny only Telnet from one subnet
Deny only Telnet from subnet 172.16.4.0 to subnet 172.16.3.0 and permit all other traffic; this time the list is applied outbound on Ethernet 0, the interface through which traffic to 172.16.3.0 leaves the router.
Topology: 172.16.3.0 on E0, 172.16.4.0 on E1 (host 172.16.4.13), S0 toward the networks outside 172.16.0.0.
  Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
  Router(config)# access-list 101 permit ip any any
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group 101 out
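The flowcharts on slides 7 and 8 and the guidelines on slides 9 and 10 describe how a packet is tested: statements top-down, first match decides, implicit deny at the end. The following simulator is an added example written for this page (it is not code from the presentation or from Cisco IOS) that implements those rules for the statement forms the slides use, and runs the FTP list from slide 28 plus a constructed misordered list through it. The packets are constructed 5-tuples; port operators other than eq are deliberately not handled.

```python
# Added example, not part of the slide deck: a simulator for the way a router
# tests one packet against a numbered IP access list. It implements the rules
# the slides state (top-down, first match decides, implicit deny at the end) for
# the statement forms used in the examples: standard lists (source only) and
# extended lists with "any", "host A", "A wildcard" and an optional "eq port".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)           # base 0.0.0.0, wildcard 255.255.255.255


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _take_address(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec and return (base, wildcard) as integers."""
    token = tokens.pop(0)
    if token == "any":
        return ANY
    if token == "host":
        return _ip(tokens.pop(0)), 0
    # "A W"; a missing wildcard defaults to 0.0.0.0 (single host), as on slide 18
    wildcard = _ip(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return _ip(token), wildcard


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' operator (the only operator handled here)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: Tuple[int, int]
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} ...' in standard or extended form."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
        return Entry(action, "ip", _take_address(rest), ANY, None, None)
    proto = rest.pop(0)
    src, sport = _take_address(rest), _take_port(rest)
    dst, dport = _take_address(rest), _take_port(rest)
    return Entry(action, proto, src, dst, sport, dport)


def _addr_match(addr: str, spec: Tuple[int, int]) -> bool:
    base, wildcard = spec
    check = wildcard ^ 0xFFFFFFFF      # wildcard 0-bits are the bits that must match
    return (_ip(addr) & check) == (base & check)


def evaluate(acl: List[str], packet: dict) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching statement); an index of None
    means the packet fell through to the implicit deny at the end of the list."""
    for index, line in enumerate(acl):
        e = parse_entry(line)
        if e.proto != "ip" and e.proto != packet["proto"]:
            continue
        if not (_addr_match(packet["src"], e.src) and _addr_match(packet["dst"], e.dst)):
            continue
        if e.sport is not None and packet.get("sport") != e.sport:
            continue
        if e.dport is not None and packet.get("dport") != e.dport:
            continue
        return e.action, index
    return "deny", None


# Slide 28's list 101: FTP from 172.16.4.0/24 to 172.16.3.0/24 denied, rest permitted.
FTP_LIST = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
# Ordering pitfall (constructed): the same two statements in both orders.
MISORDERED = ["access-list 1 permit any", "access-list 1 deny 172.16.4.13"]
CORRECTED = ["access-list 1 deny 172.16.4.13", "access-list 1 permit any"]
# Constructed packets for the demonstration.
FTP_CONTROL = {"proto": "tcp", "src": "172.16.4.13", "dst": "172.16.3.5", "sport": 40000, "dport": 21}
HTTP = {"proto": "tcp", "src": "172.16.4.13", "dst": "172.16.3.5", "sport": 40001, "dport": 80}
FROM_HOST = {"proto": "icmp", "src": "172.16.4.13", "dst": "172.16.3.5"}
FROM_OTHER = {"proto": "icmp", "src": "172.16.3.5", "dst": "172.16.4.13"}

if __name__ == "__main__":
    print("FTP control to 172.16.3.5: ", evaluate(FTP_LIST, FTP_CONTROL))      # ('deny', 0)
    print("HTTP to 172.16.3.5:        ", evaluate(FTP_LIST, HTTP))             # ('permit', 2)
    print("misordered list, host:     ", evaluate(MISORDERED, FROM_HOST))      # ('permit', 0)
    print("corrected list, host:      ", evaluate(CORRECTED, FROM_HOST))       # ('deny', 0)
    print("deny-only list, other host:", evaluate(CORRECTED[:1], FROM_OTHER))  # ('deny', None)
```

The last line is the guideline from slide 9 in action: a list made only of deny statements denies everything, because the packet that matches nothing reaches the implicit deny. The simulator deliberately returns the matching index so that the shadowing case (permit any first) is visible, which is exactly what a match counter in "show access-lists" would show on a real router.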
30
Using Named Access Lists
Using Named IP Access Lists
Named IP access lists were introduced in Cisco IOS Release 11.2. They identify a list by a descriptive name instead of a number, are not bound by the numbered ranges, and, unlike numbered lists, allow individual statements to be deleted without removing the whole list.
Step 1: in global configuration mode, create the named list with ip access-list {standard | extended} name.
Step 2: enter its statements in the named-list configuration mode.
  Router(config)# ip access-list extended screen
  Router(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
  Router(config-ext-nacl)# permit ip any any
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group screen out
31
Guidelines for Placing Access Lists
Access List Configuration Principles
  • Prepare the list outside the router: a list written in a text file and held on a TFTP server can be loaded onto the router, which is quicker and less error-prone than typing it statement by statement.
  • With a terminal emulator or a Telnet session from a PC, the list can also be pasted into the configuration.
  • Order matters: place the more specific tests before the more general ones, and place tests that match often before those that match rarely.
  • In a numbered list a new statement is always appended at the end, and individual statements cannot be removed; to change the list you delete it and re-enter it, which is another reason to keep it in a file.
  • Make sure the list contains at least one permit statement; otherwise the implicit deny any at the end drops all traffic.

32
Where to Place IP Access Lists
Placing a standard IP access list
  • Because a standard list tests only the source address, place it as close as possible to the destination; placed near the source it would block that source's traffic to every destination, not just the one intended.
  • Example: to filter traffic from Token Ring 0 on router A to Ethernet 0 on router D, apply the standard list outbound on router D's Ethernet 0. Applied on router B or C it would also cut the source off from the other networks those routers reach.

33
Where to Place IP Access Lists (Cont.)
Figure: routers A, B, C and D connected in a chain by serial links (S0/S1); the source network is Token Ring 0 (To0) on router A and the destination is Ethernet 0 (E0) on router D.
Placing an extended IP access list
  • To filter traffic from Token Ring 0 on router A to Ethernet 0 on router D, an extended list can test both source and destination address, so it is placed on router A, close to the source: the unwanted traffic is dropped before it consumes bandwidth on the links through B and C, which is better for performance along the whole path.
  • Filtering on the source address alone would have to be done at router D's Ethernet 0; doing it on A, B or C would also block that source's traffic to the other networks reachable through them.

34
Verifying the Access List Configuration
Verifying Access Lists
  wg_ro_a# show ip interface e0
  Ethernet0 is up, line protocol is up
    Internet address is 10.1.1.11/24
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    <text omitted>
The "Outgoing access list" and "Inbound access list" lines show which list, if any, is applied in each direction on the interface.
35
Monitoring Access Lists Statements
  Router# show {protocol} access-list [access-list-number]
  Router# show access-lists [access-list-number]

  Router# show access-lists
  Standard IP access list 1
      permit 10.2.2.1
      permit 10.3.3.1
      permit 10.4.4.1
      permit 10.5.5.1
  Extended IP access list 101
      permit tcp host 10.22.22.1 any eq telnet
      permit tcp host 10.33.33.1 any eq ftp
      permit tcp host 10.44.44.1 any eq ftp-data
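The output of show access-lists is the natural input for a quick audit of the guidelines on slides 9 and 31 (no unreachable statements after a permit-all, an explicit final deny so that dropped traffic is counted). The parser and checks below are an added example written for this page, not part of the presentation or of Cisco IOS. The sample text is the slide's output extended with two constructed statements, a "(25 matches)" counter in the form IOS appends to a statement that has matched, and support for an optional leading sequence number, so that the checks have something to find.

```python
# Added example, not part of the slide deck: a parser and audit for
# "show access-lists" output. SAMPLE is the slide's output plus two
# constructed entries and one match counter, to exercise the checks.
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Router# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp (25 matches)
    permit tcp host 10.44.44.1 any eq ftp-data
    permit ip any any
    deny tcp any any eq 23
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# optional sequence number, action, statement body, optional "(N matches)" counter
ENTRY = re.compile(r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_show_access_lists(text: str) -> Dict[str, dict]:
    """Map each list name or number to its type and its ordered statements."""
    lists: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"kind": header.group(1), "entries": []}
            lists[header.group(2)] = current
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            seq, action, body, count = entry.groups()
            current["entries"].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "text": body.strip(),
                "matches": int(count) if count else 0,
            })
    return lists


def is_catch_all(entry: dict, kind: str) -> bool:
    """True for a statement that matches every packet the list can see."""
    if kind == "Standard":
        return entry["text"] in ("any", "0.0.0.0 255.255.255.255")
    return entry["text"] == "ip any any"


def audit(lists: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Findings a reviewer would raise: statements shadowed by an earlier
    catch-all, and no explicit final deny (packets dropped by the implicit
    deny are neither counted nor logged)."""
    findings = []
    for name, acl in lists.items():
        entries = acl["entries"]
        if not entries:
            continue
        for position, entry in enumerate(entries[:-1], start=1):
            if is_catch_all(entry, acl["kind"]):
                findings.append((name, f"statements after line {position} "
                                       f"({entry['action']} {entry['text']}) can never match"))
                break
        last = entries[-1]
        if not (last["action"] == "deny" and is_catch_all(last, acl["kind"])):
            findings.append((name, "no explicit final deny; add a 'deny ... any' "
                                   "statement (with log) to count and log dropped traffic"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_access_lists(SAMPLE)
    for name, acl in parsed.items():
        print(f"{acl['kind']} list {name}: {len(acl['entries'])} statements")
    for name, finding in audit(parsed):
        print(f"list {name}: {finding}")
```

Run against the sample, list 1 is flagged only for lacking an explicit deny, while list 101 is flagged both for that and because its fourth statement (permit ip any any) makes the deny after it unreachable, the same first-match rule slide 20 relies on when it puts the host deny before the permit-all.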