Scribd Logo
Upload

Welcome to Scribd!

  • 1 © 2005 Cisco Systems, Inc. All Rights Reserved

    Uploaded by

    صديقكالوفي
    7 views15 pages
    04 ACL

    Original Title

    04 ACL

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    04 ACL

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views15 pages

    1 © 2005 Cisco Systems, Inc. All Rights Reserved

    Uploaded by

    صديقكالوفي
    04 ACL

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 15

    Cisco Systems,

    Systems, Inc.
    Inc. All
    All rights
    rights reserved.
    reserved.
    2004,
    2005 Cisco

    Network Security

    ACCESS CONTROL LIST

    ACL
    2005 Cisco Systems, Inc. All rights reserved.

    ACL Overview
    ACL are basically set of commands that is grouped under certain
    Name or Number to control traffic flow.
    ACL can do one of two actions: Permit or Deny.
    ACL Configurations : 1- Create ACL.
    2- Apply ACL to a certain Interface.
    Maximum Number of ACL can be applied on each interface per protocol = 2
    ( 1 per direction ) ( 1 Inbound & 1 Outbound ).
    In an Inbound ACL, Packets are processed Before they are routed to an
    outbound interface.
    In an Outbound ACL, Packets are processed After they are routed to an
    outbound interface.

    2005 Cisco Systems, Inc. All rights reserved.

    ACL Processing
    Statements are processed from Top to Down.
    Once a match is found, No further statements are processed.
    If no match is found, the packet will be dropped due to Implicit
    Deny ( Statement at the end of the list called Deny any ).
    At least, There is must be one permit statement in the ACL or
    otherwise all packets will be dropped.
    In any ACL, We cant add statement between statements. Any new
    statement is added to the end of the list. So, the sequence is very
    important.

    2005 Cisco Systems, Inc. All rights reserved.

    ACL Types

    ACL

    Numbered

    Named

    Standard

    Extended

    Standard

    Extended

    1 --->99

    100 ---< 199

    Any Name

    Any Name

    2005 Cisco Systems, Inc. All rights reserved.

    Standard Numbered ACL


    Standard ACL filter packets based only on source IP address in
    the packet header.
    Configuration :
    1- Creation:
    (config)# Access-list { 1 ---< 99 } { Permit / Deny } Source IP
    [ Source Wild Card Mask ]
    2- Applying:
    (config)# interface { Interface Name }
    (config-if)# ip access-group {1 ---< 99 } { In / Out }
    2005 Cisco Systems, Inc. All rights reserved.

    Standard Numbered ACL (Cont.)


    Wild Card Mask:
    32-bit Mask ( Continuous of 0s followed by Continuous of 1s )
    0 : Exact Match
    1 : Dont Care
    Source IP
    A.B.C.D
    A.B.C.D

    Wild card Mask


    0.0.0.0 (Default)
    255.255.255.255

    = host A.B.C.D
    =

    Any

    Placement of Standard ACL :


    Place Standard ACL as close to the destination as possible.
    2005 Cisco Systems, Inc. All rights reserved.

    Extended Numbered ACL


    It is much more flexible than Standard ACL.
    Extended ACL can match on :
    1- Source IP & Destination IP.
    2- TCP/IP Protocols : ( TCP , UDP , ICMP , IP )
    3- Protocol Information : ( Port Number , ICMP Message Type )

    2005 Cisco Systems, Inc. All rights reserved.

    Extended Numbered ACL (Cont.)


    Configuration :
    1- Creation:
    (config)# Access-list { 100 ---< 199 } { Permit / Deny } TCP/IP Protocol
    Source IP

    Source Wild Card Mask [ Operator + Source

    Protocol Information ] Destination IP

    Destination Wild

    Card Mask [ Operator + Destination Protocol Information ]


    Operator : eq , lt , gt

    eq = equal

    Protocol Information : Port Number

    lt = Less than or equal


    gt = greater than or equal

    2- Applying:
    (config)# interface { Interface Name }
    (config-if)# ip access-group {100 ---< 199 } { In / Out }

    2005 Cisco Systems, Inc. All rights reserved.

    Extended Numbered ACL ( Cont. )


    Placement of Standard ACL :
    Place Extended ACL as close to the Source as possible.

    2005 Cisco Systems, Inc. All rights reserved.

    10

    Named ACL
    Configuration :
    1- Creation:
    (config)# ip access-list { standard / extended } ACL_name
    If standard:
    (config-std-nacl)# { permit/deny } Source IP [Source Wild Card Mask]
    If Extended:
    (config-ext-nacl)# { Permit / Deny } TCP/IP Protocol
    Source IP

    Source Wild Card Mask [ Operator + Source

    Protocol Information ] Destination IP

    Destination Wild

    Card Mask [ Operator + Destination Protocol Information ]

    2005 Cisco Systems, Inc. All rights reserved.

    11

    Named ACL ( Cont. )


    2- Applying:
    ABC(config)# interface

    { Interface Name }

    ABC(config-if)# ip access-group { ACL_name } { In / Out }


    In Numbered ACL
    We cant delete a certain statement. Only we can delete the whole ACL.
    In Named ACL
    We can delete certain statement inside the ACL.

    2005 Cisco Systems, Inc. All rights reserved.

    12

    Restricting Telnet Access to the Router

    Configuration
    (config)# line vty 0 4
    (config-line)# access-class { 1 --- <99 } { In / Out }

    2005 Cisco Systems, Inc. All rights reserved.

    13

    Troubleshooting ACL
    # show ip interface
    Display Placement and Direction of ACL.

    # show ip access-lis
    or # show access-list
    Display ACL statements & Number of matches

    2005 Cisco Systems, Inc. All rights reserved.

    14


    Cisco Systems,
    Systems, Inc.
    Inc. All
    All rights
    rights reserved.
    reserved.
    2005,
    2005 Cisco

    15

    15

    You might also like