CCNA Guide to Cisco Networking Fundamentals Fourth Edition - PowerPoint PPT Presentation

1 / 63
About This Presentation
Title:

CCNA Guide to Cisco Networking Fundamentals Fourth Edition

Description:

CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 10 Access Lists ... – PowerPoint PPT presentation

Number of Views:388
Avg rating:5.0/5.0
Slides: 64
Provided by: letu150
Category:

less

Transcript and Presenter's Notes

Title: CCNA Guide to Cisco Networking Fundamentals Fourth Edition


1
CCNA Guide to Cisco Networking Fundamentals
Fourth Edition
  • Chapter 10
  • Access Lists

2
Objectives
  • Describe the usage and rules of access lists
  • Establish standard IP access lists
  • Produce extended IP access lists
  • Apply access lists to interfaces
  • Monitor and verify access lists

3
Objectives (continued)
  • Create named access lists
  • Use Security Device Manager to create standard
    and extended IP access lists
  • Use Security Device Manager to create a router
    firewall

4
Access Lists Usage and Rules
  • Access lists
  • Permit or deny statements that filter traffic
    based on the source address, destination address,
    protocol type, and port number of a packet
  • Available for IP, IPX, AppleTalk, and many other
    protocols

5
Access List Usage
  • You can create a standard access list that
    examines a packet for the packets source header
    information
  • deny any statement
  • Implicitly blocks all packets that do not meet
    the requirements of the access list
  • Exists even though it is not shown as part of the
    access list
  • With careful planning, you can create access
    lists that control which traffic crosses
    particular links
  • And which segments of your network will have
    access to others

6
Access List Usage (continued)
7
Problems with Access Lists
  • Lack of planning is one of the most common
    problems associated with access lists
  • The need to enter the list sequentially into the
    router also presents problems
  • You cannot move individual statements once they
    are entered
  • When making changes, you must remove the list,
    using the no access-list list number command,
    and then retype the commands
  • Access lists begin working the second they are
    applied to an interface

8
Access List Rules
  • Example of the structure of a standard IP access
    list
  • RouterA(config)access-list 1 deny 172.22.5.2
    0.0.0.0
  • RouterA(config)access-list 1 deny 172.22.5.3
    0.0.0.0
  • RouterA(config) access-list 1 permit any
  • Router applies each line in the order in which
    you type it into the access list
  • The no access-list list command is used to
    remove an access list

9
Access List Rules (continued)
10
Access List Rules (continued)
  • As a general rule, the lines with the most
    potential matches should be first in the list
  • So that packets will not undergo unnecessary
    processing
  • You should avoid unnecessarily long access lists
  • After you create access lists, you must apply
    them to interfaces so they can begin filtering
    traffic
  • You apply a list as either an outgoing or an
    incoming filter

11
Access List Rules (continued)
  • In summary, all access lists follow these rules
  • Routers apply lists sequentially in the order in
    which you type them into the router
  • Routers apply lists to packets sequentially, from
    the top down, one line at a time
  • Packets are processed only until a match is made
  • Lists always end with an implicit deny
  • Access lists must be applied to an interface as
    either inbound or outbound traffic filters
  • Only one list, per protocol, per direction can be
    applied to an interface
  • Access lists are effective as soon as they are
    applied

12
Standard IP Access Lists
  • Standard IP access lists
  • Filter network traffic based on the source IP
    address only
  • Using a standard IP access list, you can filter
    traffic by a host IP, subnet, or a network
    address
  • Configure standard IP access lists
  • access-list list permitdeny source
    address source wildcard mask
  • Routers use wildcards to determine which bits in
    an address will be significant

13
Standard IP Access Lists (continued)
14
Standard IP Access Lists (continued)
15
Standard IP Access Lists (continued)
16
Standard IP Access Lists (continued)
17
Standard IP Access Lists (continued)
18
Standard IP Access List Examples
  • Standard IP access lists permit or deny packets
    based only on the source address
  • Addresses can be a single host address, a subnet
    address, or a full network address

19
(No Transcript)
20
Standard IP Access List Examples (continued)
21
Standard IP Access List Examples (continued)
  • Correct placement of a list is imperative
  • To view the access lists defined on your router,
    use the show access-lists command
  • For IP access lists you could also use the show
    ip access-lists command
  • If you decide that an access list needs to be
    removed from an interface
  • You can remove it with the no ip access-group
    list command

22
(No Transcript)
23
Standard IP Access List Examples (continued)
24
Standard IP Access List Examples (continued)
25
Standard IP Access List Examples (continued)
26
Standard IP Access List Examples (continued)
27
Standard IP Access List Examples (continued)
  • Application of the list as an outbound filter on
    FastEthernet0/0
  • See Figure 10-15
  • Use the show access-lists or show ip access-lists
    command followed by the show ip interface command
  • To verify that the list has been entered and
    applied correctly

28
Standard IP Access List Examples (continued)
29
(No Transcript)
30
Standard IP Access List Examples (continued)
31
Monitoring Standard IP Access Lists
  • Three main commands are available for monitoring
    access lists on your router
  • show access-lists
  • show ip access-lists
  • show interfaces or show ip interface
  • Use the no access-list list command to remove
    the list
  • Use the no ip accessgroup list direction
    command to remove the application of the list

32
Extended IP Access Lists
  • Extended IP access lists
  • Can filter by source IP address, destination IP
    address, protocol type, and application port
    number
  • This granularity allows you to design extended IP
    access lists that
  • Permit or deny a single type of IP protocol
  • Filter by a particular port of a particular
    protocol

33
Extended IP Access Lists (continued)
  • To configure extended IP access lists, you must
    create the list and then apply it to an interface
    using the following syntax
  • access-list list permitdeny protocol
    source IP address source wildcard mask
    operator port destination IP address
    destination wildcard mask operator port
    log

34
Extended IP Access List Examples
35
(No Transcript)
36
(No Transcript)
37
Extended IP Access List Examples (continued)
38
The Established Parameter
  • Established parameter
  • Permits traffic from any host on any network to
    any destination, as long as the traffic was in
    response to a request initiated inside the
    network
  • Example
  • access-list 100 permit tcp any 15.0.0.0
    0.255.255.255 established

39
Monitoring Extended IP Access Lists
  • The same commands used to monitor standard IP
    access lists are used to monitor extended IP
    access lists
  • Extended IP lists keep track of the number of
    packets that pass each line of an access list
  • The clear access-list counters list command
    clears the counters
  • The no access-list list command removes the
    list
  • The no ip access-group list direction
    command removes the application of the list

40
Monitoring Extended IP Access Lists
41
Monitoring Extended IP Access Lists
42
Using Named Lists
  • Named access lists
  • In Cisco IOS versions 11.2 and above, names
    instead of numbers can be used to identify lists
  • To name a standard IP access list, use the
    following syntax
  • RouterC(config)ip access-list standard name
  • To name an extended IP access list, use the
    following syntax
  • RouterC(config)ip access-list extended name

43
Using Named Lists (continued)
  • Once the list is named, the permit or deny
    statement is entered
  • The commands follow the same syntax as unnamed
    lists
  • The beginning part of the command is not included
  • To apply a standard IP named list to an
    interface, the syntax is
  • RouterC(config-if)ip access-group name in
    out

44
Using Named Lists (continued)
  • Advantages
  • Allows you to maintain security by using an
    easily identifiable access list
  • Removes the limit of 100 lists per filter type
  • With named access lists lines can be selectively
    deleted in the ACL
  • Named ACLs provide greater flexibility to network
    administrators who work in environments where
    large numbers of ACLs are needed

45
Controlling VTY Line Access
  • Access lists are used for both traffic flow and
    security
  • One useful security feature of access lists is
    restricting access to telnet on your router
  • By controlling VTY line access
  • You must first create a standard IP access list
    that permits the management workstation
  • RouterA(config)access-list 12 permit
    192.168.12.12 0.0.0.0
  • Then, it must be applied to the VTY lines
  • access-class acl in out

46
Controlling VTY Line Access (continued)
  • To apply access list 12 to the VTY lines, use the
    following command
  • RouterA(config)line vty 0 4
  • RouterA(config-line)access-class 12 in
  • The commands to restrict access to the VTY lines
    to network 192.168.12.0/24 only are
  • RouterA(config)access-list 13 permit
    192.168.12.0 0.0.0.255
  • RouterA(config)line vty 0 4
  • RouterA(config-line)access-class 13 in

47
Using Security Device Manager to Create Access
Control Lists
  • Using the SDM, an administrator can accomplish
    all the tasks that formerly required use of the
    CLI interface
  • SDM allows you to easily create a standard or an
    extended access list or, as it is known in the
    SDM, an Access Control List (ACL)

48
(No Transcript)
49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
Using Security Device Manager to Create a Router
Firewall
  • Unlike the CLI, the SDM allows a router to be
    configured as a firewall

55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
Using Security Device Manager to Create a Router
Firewall (continued)
59
Using Security Device Manager to Create a Router
Firewall (continued)
60
(No Transcript)
61
Summary
  • Access lists are one of the most important IOS
    tools for controlling network traffic and
    security
  • Access lists are created in a two-step process
  • All access lists are created sequentially and
    applied sequentially to all packets that enter an
    interface where the list is applied
  • By default, access lists always end in an
    implicit deny any statement
  • Only one access list per direction (inbound or
    outbound) per protocol can be applied to an
    interface

62
Summary (continued)
  • Standard IP access lists allow you to filter
    traffic based on the source IP address of a
    packet
  • Extended IP access lists filter traffic based on
    source, destination, protocol type, and
    application type
  • Access lists can be used to restrict telnet by
    controlling VTY line access
  • Ranges of numbers represent all access lists

63
Summary (continued)
  • The SDM can be used to configure both standard
    and extended ACLs via the Additional Tasks
    configuration tab
  • The SDM can be used to configure a router as
    either a Basic or Advanced firewall
  • The main difference between a Basic and Advanced
    firewall is the ability to configure DMZ
    interfaces in the Advanced firewall setup wizard
Write a Comment
User Comments (0)
About PowerShow.com