Chapter 5 - ACLs CCNA pdf

1 Chapter 5 - ACLs
CCNA Exploration 4.0
Học viện mạng Bach Khoa - Website: www.bkacad.com

2 Introduction

3 Using ACLs to Secure Networks

4 A TCP Conversation
• ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses.
• ACLs can also be configured to control network traffic based on the TCP port being used.

5 A TCP Conversation

6 Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
• Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

7 Packet Filtering
• The ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.
• The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
  1. Source IP address
  2. Destination IP address
  3. ICMP message type
• The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
  1. TCP/UDP source port
  2. TCP/UDP destination port

8 Packet Filtering Example

9 What is an ACL?
• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
• ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

10 What is an ACL?
• Here are some guidelines for using ACLs:
  1. Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
  2. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
  3. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
  4. Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

The Three Ps
You can configure one ACL per protocol, per direction, per interface.

[...] from the router itself.
Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

12 ACL Operation
• Outbound ACLs - Incoming packets are routed [...]

15 Types of Cisco ACLs
• The two main tasks involved in using ACLs are as follows:
  – Step 1 Create an access list by specifying an access list number or name and access conditions
  – Step 2 Apply the ACL to interfaces or terminal lines

16 How a Standard ACL works?

17 How a Standard ACL works?

18 Numbering and Naming ACLs
• Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic
  – a number does not inform you of the purpose of the ACL
  – starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL

18 Where to place ACLs
• The basic rules are:
  – Locate extended ACLs [...]
  – [...] standard ACLs do not specify destination addresses, place them as close to the destination as possible

19 General Guidelines for Creating ACLs

20 General Guidelines for Creating ACLs
• Activity 5.1.9.2

21 General Guidelines for Creating ACLs
• Activity 5.1.9.2

22 General Guidelines for Creating ACLs
• Activity 5.1.9.2

23 Configuring Standard ACLs

24 Entering Criteria Statements
• A single-entry ACL with only one deny entry has the effect of denying all traffic [...] one permit statement in an ACL or all traffic is blocked

25 Configuring a Standard ACL

26 Configuring a Standard ACL

27 Configuring a Standard ACL

28 ACL Wildcard Masking
• A wildcard mask is a string [...]
• [...] rules to match binary 1s and 0s:
  – Wildcard mask bit 0 - Match the corresponding bit value in the address
  – Wildcard mask bit 1 - Ignore the corresponding bit value in the address

30 ACL Wildcard Masking

31 ACL Wildcard Masking

32 ACL Wildcard Masking
• [...] assume you wanted to permit access to all users in the 192.168.3.0 network
  – Because the subnet mask is 255.255.255.0, you could take the 255.255.255.255 and subtract from it the subnet mask 255.255.255.0, as is indicated in the figure
  – The solution produces the wildcard mask 0.0.0.255

33 ACL Wildcard Masking
• To simplify this task, the keywords host and any [...]
• [...] address and 255.255.255.255 mask. This mask says to ignore the entire IP address or to accept any addresses

34 ACL Wildcard Masking

35 Applying Standard ACLs to Interfaces
• Standard ACL Configuration Procedures
  – After a standard ACL is configured, it is linked to an interface using the ip access-group command:
  – Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

36 [...]
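The wildcard-masking slides (28 to 33) and the description of an ACL as a sequential list of permit or deny statements are illustrated by the following added Python example, which is not part of the slide deck. It computes a wildcard mask with the subtraction shortcut from slide 32, applies the bit rule (0 = match, 1 = ignore) to any wildcard, including the non-contiguous ones the shortcut does not cover, expands the host and any keywords, and evaluates a constructed standard ACL top to bottom with the implicit deny at the end; the ACL entries and addresses are constructed sample data.

```python
import ipaddress

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Slide 32 shortcut: subtract the subnet mask from 255.255.255.255."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the pattern bit.
    Wildcard bit 1: the bit is ignored. Works for non-contiguous wildcards too."""
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))  # 1 where wildcard bit is 0
    return (a & care) == (p & care)


def parse_standard_ace(line: str):
    """Parse one standard entry: 'permit|deny any', 'permit|deny host A' or
    'permit|deny A WILDCARD'. 'any' means 0.0.0.0 with wildcard 255.255.255.255,
    'host A' means A with wildcard 0.0.0.0 (every bit must match)."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACL entry: {line!r}")
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    return action, parts[1], parts[2]


def evaluate_standard_acl(acl_lines, source_ip: str) -> str:
    """A standard ACL tests the source address against each entry in order;
    the first match decides, and an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        action, pattern, wildcard = parse_standard_ace(line)
        if wildcard_match(source_ip, pattern, wildcard):
            return action
    return "deny"  # implicit 'deny any' at the end of every ACL


# Constructed sample ACL: block one host, then permit the rest of 192.168.3.0/24.
SAMPLE_ACL = [
    "deny host 192.168.3.77",
    "permit 192.168.3.0 " + wildcard_from_subnet_mask("255.255.255.0"),
]

if __name__ == "__main__":
    for ip in ("192.168.3.10", "192.168.3.77", "192.168.4.10"):
        print(ip, "->", evaluate_standard_acl(SAMPLE_ACL, ip))
```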

Posted: 28/07/2014, 18:21
