Objectives
Introduction
Cisco application view
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.
ACL benefits
Limit network traffic and increase network performance. Provide traffic flow control. Provide a basic level of security for network access. Decide which traffic is forwarded or blocked at the router interfaces. Permit or deny access to areas of the network. Screen hosts to permit or deny their access to a network segment. Can provide access control based on Layer 3 addresses for IP and IPX protocols.
How an ACL is executed
Decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in that statement. ACL statements operate in sequential, logical order.
A frame entering a router
ACL range for each protocol
How access lists work
ACL configuration
ACL configuration: permit ACL line with L3 information only
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset is checked and it is permitted. If a packet's L3 information does not match the L3 information in the ACL line, the next ACL entry is processed. If a packet's FO > 0, the packet is permitted. Else, the next ACL entry is processed.
ACL configuration example
Wildcard mask
By carefully setting wildcard masks, an administrator can select single or several IP addresses for permit or deny tests. Refer to the example in the graphic.
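The wildcard arithmetic behind that selection, as an added worked example (this is editor-written Python, not code from the slides): a wildcard mask is the bitwise inverse of a subnet mask, a 0 bit means "this bit must match" and a 1 bit means "ignore this bit". The `wildcard_for` function derives the single base/wildcard pair that covers a list of addresses, and `overmatch` lists the extra addresses that pair also admits, because a wildcard is a bit pattern, not a range, and a carelessly chosen one silently permits or denies more hosts than intended. All sample addresses are constructed for the demonstration.

```python
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def subnet_mask_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask:
    0 = this bit must match, 1 = ignore this bit."""
    return to_dotted(to_int(mask) ^ 0xFFFFFFFF)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base in every bit position the wildcard marks with 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def wildcard_for(addresses) -> tuple:
    """Single (base, wildcard) pair covering every listed address: the wildcard gets a 1 in
    each bit where any two addresses differ, and base keeps only the bits they all share."""
    ints = [to_int(a) for a in addresses]
    wildcard = 0
    for n in ints:
        wildcard |= ints[0] ^ n
    base = ints[0] & ~wildcard & 0xFFFFFFFF
    return to_dotted(base), to_dotted(wildcard)


def overmatch(addresses, base: str, wildcard: str) -> list:
    """Addresses the pair matches that were NOT requested. A wildcard describes a bit
    pattern, not a range, so it can quietly admit more hosts than the administrator meant."""
    w = to_int(wildcard)
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("too many don't-care bits to enumerate")
    b = to_int(base)
    covered = set()
    for combo in range(1 << len(free_bits)):
        n = b
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                n |= bit
        covered.add(to_dotted(n))
    return sorted(covered - set(addresses), key=to_int)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    print(subnet_mask_to_wildcard("255.255.240.0"))              # 0.0.15.255
    print(wildcard_for(["172.16.16.0", "172.16.31.255"]))        # ('172.16.16.0', '0.0.15.255')
    wanted = ["192.168.1.10", "192.168.1.20"]
    base, wc = wildcard_for(wanted)
    print(base, wc, "also matches", len(overmatch(wanted, base, wc)), "unwanted hosts")
```

Trying to cover only 192.168.1.10 and 192.168.1.20 with one statement yields 192.168.1.0 0.0.0.30, which matches every even address from .0 to .30; that is the practical reason to prefer one `host` statement per address, or a proper subnet boundary, over a clever wildcard.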
Wildcard mask application
Any, host, and optional format
Verifying the ACL configuration
The show running-config command displays the configuration output, including the access lists and their interface assignments.
Standard ACLs
Standard ACLs check the source address of IP packets that are routed. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard ACL command is as follows: Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
Standard ACLs: the remark keyword
Standard ACLs
To remove a standard ACL, use the no form of the statement. The syntax is as follows: Router(config)# no access-list access-list-number. The ip access-group command links an existing standard ACL to an interface: Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Extended ACLs
Because of the greater range of control they provide, extended ACLs are used more often than standard ACLs. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers, which gives greater flexibility in describing what the ACL will check. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.
Extended ACL statements
Extended ACL parameters
Dynamic: identifies the access list as a dynamic access list. Timeout: specifies the absolute length of time. Protocol: name or number (0 to 255) of an Internet protocol. Source: number of the network or host from which the packet is being sent (a 32-bit quantity in four-part dotted-decimal format, or the keyword any or host). Destination: number of the network or host to which the packet is being sent (a 32-bit quantity in four-part dotted-decimal format, or the keyword any or host).
Source wildcard: wildcard bits to be applied to the source (a 32-bit quantity in four-part dotted-decimal format, or any or host). Destination wildcard: wildcard bits to be applied to the destination (same format). Other parameters included in extended ACLs: precedence, tos, log, log-input, time-range, icmp-type.
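To tie the standard and extended syntax above to the sequential matching described earlier ("How an ACL is executed"), here is an added example, written by the editor and not taken from the slides: a small Python model that parses numbered `access-list` lines in IOS form (standard 1 to 99 match on source only; extended 100 to 199 match on protocol, source, destination and port), then evaluates a packet top-down, stopping at the first matching statement and falling through to the implicit deny that ends every IOS ACL. Assumptions: only the `eq` port operator and a handful of port keywords are modelled (no `lt`, `gt`, `range`, `established` or named ACLs), and the configuration text is constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the port keywords IOS accepts after "eq" (assumption: only these are modelled).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")  # "any" == base 0.0.0.0 with an all-ones wildcard


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # A 0 bit in the wildcard means "must match"; a 1 bit means "don't care".
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every IP protocol (standard ACLs use it)
    src: tuple                      # (base, wildcard)
    dst: tuple                      # (base, wildcard); standard ACLs get ANY
    src_port: Optional[int] = None  # only "eq <port>" is modelled
    dst_port: Optional[int] = None
    text: str = ""                  # original line, reported when the rule matches


def parse_address(tokens, i):
    """Consume an address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    A bare address (standard ACL shorthand) gets wildcard 0.0.0.0."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].replace(".", "").isdigit():
        return (tok, tokens[i + 1]), i + 2
    return (tok, "0.0.0.0"), i + 1


def parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; returns (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(config: str) -> dict:
    """Group 'access-list <number> ...' lines into ordered rule lists keyed by number.
    Comments ('!') and remark statements are skipped; statement order is preserved."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = tokens[1], tokens[2]
        if 1 <= int(number) <= 99:                       # standard: source only
            src, _ = parse_address(tokens, 3)
            rule = Rule(action, "ip", src, ANY, text=raw.strip())
        else:                                            # extended
            src, i = parse_address(tokens, 4)
            sport, i = parse_port(tokens, i)
            dst, i = parse_address(tokens, i)
            dport, i = parse_port(tokens, i)
            rule = Rule(action, tokens[3], src, dst, sport, dport, raw.strip())
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules, pkt: dict) -> tuple:
    """Walk the list top-down; the first matching statement decides. If nothing matches,
    the implicit 'deny any' at the end of every IOS ACL drops the packet."""
    for r in rules:
        if r.protocol not in ("ip", pkt["protocol"]):
            continue
        if not wildcard_match(pkt["src"], *r.src) or not wildcard_match(pkt["dst"], *r.dst):
            continue
        if r.src_port is not None and pkt.get("src_port") != r.src_port:
            continue
        if r.dst_port is not None and pkt.get("dst_port") != r.dst_port:
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of list"


SAMPLE_CONFIG = """\
! constructed sample configuration (not from the page)
access-list 10 remark Standard ACL: decisions use the source address only
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 192.168.2.7 log
access-list 101 remark Extended ACL: source, destination, protocol and port
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.5 eq 80
access-list 101 deny tcp any host 10.1.1.5 eq telnet log
access-list 101 permit icmp any any
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    print(evaluate(acls["10"], {"src": "172.16.0.1", "dst": "10.1.1.5", "protocol": "tcp"}))
    print(evaluate(acls["101"], {"src": "10.0.0.9", "dst": "10.1.1.5", "protocol": "tcp", "dst_port": 23}))
```

The returned reason string makes the ordering visible: a packet that hits no statement is reported as dropped by the implicit deny, which is why a list with no explicit `permit` blocks everything, and why a broad `permit ip any any` placed early shadows every statement after it.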
Transport and application layer ports
Named access lists
Advantages that are provided by a named access list
Placing ACLs
Place extended ACLs as close as possible to the source of the traffic being denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Firewall
It is an architectural structure that exists between the user and the outside world to protect the internal network from intruders. ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
Restricting virtual terminal access
Access lists can provide additional security for our system by restricting access to the vty lines. Associate the access list with inbound Telnet sessions: host1(config)# line vty 12 15, then host1(config-line)# access-class Boston in. Configure the access list: host1(config)# access-list Boston permit any