Free Learning (Fayyaz Ahmed) CSCO12971267

“CLASSROOM IN A BOOK”

Topic: Class 10: Discuss ACL Security.
Presented by:

Download Free Books at: WWW.EasyPeezZi.com

What's EasyPeezi?

-------------------This Book is written by Fayyaz Ahmed-------------------


EasyPeezi?

The idea behind EasyPeezi is to make learning very easy for everyone.

In EasyPeezi we have two cartoon characters: the boy is Easy and the girl is Peezzi :-p. You can see the picture below, which helps you read books and blogs very easily.

On the Easypeezzi site I upload my education, my notes and the concepts I have in my field, and I try to share them with all of you in Roman script, so you can also learn these concepts quickly and easily whether you know English or not.

Feedback

I invest lots of my time and effort to build this site, learn these things, make all the notes and books in Roman script, type thousands of words myself, and share my knowledge with all of you. So take it seriously, learn things quickly, go ahead and enjoy the show.

For further details visit the site www.Easypeezzi.com. I hope this site is helpful to you and others and informative for learning these things quickly and easily. So0o, it's all about EasyPeezzi.

Easypeezzi@gmail.com

All contents copyright All rights reserved. No part of this document or the related files may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the prior written permission of the publisher.


Topics Covered in this Book

Access Control List (ACLs)

Content                                                   Page No
Access Control List Overview                                04
Types of ACL
  1) Standard ACL
       o Where to apply a standard ACL?
       o Important for standard ACL
  2) Extended ACL                                           06
       a. Where to apply an Extended ACL?
       b. Advantage of Extended ACL: direct HTTP block       07
       c. Advantage of Extended ACL: direct TELNET block
  3) Named ACL on Cisco Router                              08
       a. Benefit of Named ACL
       b. Criteria of Applying ACL                          09
       c. Selection of ACL
       d. Direction & Action of ACL                         10
       e. In Bound
       f. Out Bound


Access Control List:

An Access Control List performs the packet filtering function: it decides which packets to allow and which to deny. ACLs are configured on the router. As long as there is no ACL there is no filtering in our network, and in that case any traffic can pass through the network's router. When we apply an ACL, we filter the packets and decide which traffic will get access through the router and which will not.

There are two types of ACL:

Standard ACL:

In a standard ACL we can filter based only upon the "source IP address"; that is, by giving any computer's IP, that computer's traffic can be blocked. A standard ACL gives us very little control: we can block, but only on the basis of that computer's source IP (which IP the traffic is coming from), not on the basis of which IP it is going to.

This gives us a big disadvantage. Suppose we block this source IP on the router's interface so that this PC cannot access our server: we apply one ACL and define that computer's source IP in it. The disadvantage is that the PC will indeed not be able to access the server, because the ACL applies, but along with that it will also not be able to access any other computer or server sitting there.

The reason: a standard ACL looks at the source IP, not the destination. It only knows which IP's traffic to block, not for which destination to block it, so it blocks that PC's traffic to every computer on the other end of the router. The router filters the packet, sees that the ACL has only a source IP, keeps discarding all traffic from that IP and does not pass it on.

That is why we have to choose the router very carefully: the router should be in our network but not connected on the client side, otherwise the client side's traffic will be blocked too. For this reason we mostly use the extended ACL, because there we specify both the source and the destination IP manually, so this problem does not arise. But router selection is very important there too: on which router, which interface and in which direction the ACL has to be configured.


With an ACL we can block a single IP, and with one ACL statement the IPs of a whole network can also be blocked, if in the source IP we write our whole network's address or define a range, like "192.168.0.10/20 deny"; this way the traffic of the PCs from 10 to 20 is blocked with one single statement. To block a range like this we use a wildcard mask.

Range of Standard ACL is 1 to 99 & 1300 to 1999 (Expanded Range)

That is, whatever statements we configure on the router, their statement number will be in the range 1 to 99, and we can attach different actions to the same statement number, like IN/OUT; that is, the statement number stays 1 while the action changes, i.e., deny or permit.

Where to apply a standard ACL?

"As close as possible to the destination host"

Important for ACL:

Whenever we put a statement in an ACL, such as a deny, the router itself adds one more statement after it: deny all traffic. So if we have applied one ACL with only a deny, that ACL will deny all of your traffic, because you told the router which IP's traffic to block but did not tell it which other IPs to permit.

If you think the router will deny only those IPs that we explicitly deny in the ACL and permit everything else by itself, that is not the case at all: after a deny list is created, the router puts its own statement after it and denies all traffic. To avoid this problem we write one more statement after the deny statements in which we permit the remaining traffic, so the router knows that it has to permit the remaining IPs.

The router always checks the ACL list from top to bottom. Wherever a statement matches, the router immediately looks at the action: if it is deny, the traffic is discarded; if it is permit, the traffic is allowed. That's it; that's the concept of ACL, and now see the configuration of ACL mentioned below.

Example & Configuration of Standard ACL:

Router(config)# access-list 1 deny 192.168.0.1 0.0.0.0 (wildcard 0.0.0.0 means exactly this host)
Router(config)# access-list 1 deny 192.168.0.2 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255 (wildcard 255.255.255.255 means any address; without this line the implicit deny drops everything else)
Router(config)# interface fa0/0
Router(config-if)# ip access-group 1 out
Router(config-if)# exit


Extended ACL:

An extended ACL is good for implementation because in an extended ACL we can filter based upon:

1) Source IP address.
2) Destination IP address.
3) Protocol-based blocking, like HTTP, FTP, ICMP, UDP, TCP.
4) Blocking via port number.

So this gives us much more control, which is why it is used more; this is the 2nd type of ACL.

"Range of Extended ACL is 100 to 199 & 2000 to 2699 (Expanded Range)"

Where to apply an Extended ACL?

"As close as possible to the source host"

Configuration of Extended ACL:

Router(config)# access-list 100 deny ip host 192.168.0.1 host 192.168.0.10 (1st is the source IP, 2nd the destination IP)
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

1st Advantage of Extended ACL:

The 1st advantage is that we can directly block the destination IP for that one PC only; the rest of its communication stays permitted, and it is denied only for that destination IP.

2nd Advantage of Extended ACL:

The 2nd advantage of the extended ACL is that we can also do protocol-based blocking. For example, if someone should not be able to ping, we deny ICMP; or if someone should not be able to browse, we give port number 80 and block HTTP. That way the whole connectivity is not blocked, just the protocol we wanted to block.


Configuration to Deny HTTP Protocol in Extended ACL:

Router(config)# access-list 100 deny icmp host 192.168.0.2 host 192.168.0.10 (1st is the source IP, 2nd the destination IP; ping blocking here)
Router(config)# access-list 100 deny tcp host 192.168.0.3 host 192.168.0.10 eq 80 (HTTP protocol blocking here)
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

Bad Way to Configure This Type of Telnet Block:

The problem with this configuration is that we block Telnet in it, but if any other interface on this router is up, Telnet will still go through from there: the PC will get a Telnet console through some other interface. So to stop Telnet we would have to configure one more statement with that interface's IP as the destination, which is not a good solution: for as many interfaces as the router has, we would have to configure that many statements again and again to block Telnet.

Configuration to Deny Telnet Protocol in Extended ACL:

Router(config)# access-list 100 deny tcp host 192.168.0.3 host 192.168.0.10 eq 23 (Telnet protocol blocking here)
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

Best Way to Configure the Telnet Block:

Instead of blocking Telnet on every interface, one simple and best way is to block the line itself where Telnet is used, and that line is "line vty". So the best way is to deny that line on the router; then Telnet is automatically denied on all the interfaces that router has.

Configuration to Deny Telnet Protocol in the Best Way:

Router(config)# access-list 1 deny host 192.168.0.1 (here is the source PC IP whose Telnet you want to block)
Router(config)# access-list 1 permit any
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Router(config-line)# exit


Named ACL on Cisco

Basically there are only 2 types of ACL, 1st standard and 2nd extended, but in neither of these ACLs can we edit or delete a single statement. If we need to add a new statement we have to configure the whole ACL again, list-wise, and if we need to delete, we cannot delete a single statement. For this reason, for our convenience, CISCO modified these ACLs and gave us a new ACL concept which we call the "Named ACL", and it works only on CISCO routers.

Benefit of Named ACL:

The biggest benefit of a named ACL is that we can edit it and also delete any single statement. In standard and extended ACLs we give a number from the range, from which the router knows whether it is a standard or an extended ACL, but in a named ACL we give the ACL a name, which the router looks at, and after that we write the ACL type we want to use, standard or extended, and then give each statement of that ACL a number. Using a named ACL we can edit our whole ACL and delete any single statement while staying in the same configuration; there is no need to do the whole configuration again.

Configuration of Named ACL for Standard ACL:

Router(config)# ip access-list standard Blocking-List (Blocking-List is the name of the ACL)
Router(config-std-nacl)# deny host 192.168.0.1 (suppose the statement number is 10)
Router(config-std-nacl)# deny host 192.168.0.2 (suppose the statement number is 20)
Router(config-std-nacl)# permit any (suppose the statement number is 30)
Router(config-std-nacl)# do show access-lists
Router(config-std-nacl)# 12 deny host 192.168.0.3 (editing the ACL after configuration: this statement gets number 12, between 10 and 20)
Router(config-std-nacl)# no deny host 192.168.0.1 (1st method of deleting a single statement, by its text)
Router(config-std-nacl)# no 10 (2nd method of deleting a single statement, by its number; use one method or the other)
Router(config-std-nacl)# exit
Router(config)# interface fa0/0
Router(config-if)# ip access-group Blocking-List in
Router(config-if)# exit

Note That:

In a named ACL, Cisco gives every statement a number, which we see when we run the "show access-list" command. These numbers start from 10 and keep increasing. This gap exists so that if we have to add a statement later, we can use a number before that position to place the statement there. If we do not do this and just configure a statement, that statement will go to the end of the list, after the permit statement, and will also get the number after it, so it will never be able to run. That is why we have to give the number using the gap where we want to place the statement, as I did above with a number between 10 and 20, so that the statement I configured later can be placed there.
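As an added example (not the book's code), here is a short Python model of the statement numbering just described: statements get 10, 20, 30 when no number is given, a number such as 12 can be slotted into a gap, a statement can be deleted by number or by its text, and anything appended after "permit any" can never match. The class and method names are my own.

```python
# Added example, not the book's code: models the statement numbering of a Cisco named ACL.
CATCH_ALL = {"permit any", "deny any"}     # a statement that matches every packet

class NamedStandardAcl:
    """Entries live in {number: statement}; IOS hands out 10, 20, 30, ... when no
    number is given and lets a later statement be slotted into the gaps."""

    def __init__(self, name):
        self.name = name
        self.entries = {}

    def add(self, statement, seq=None):
        if seq is None:
            seq = max(self.entries, default=0) + 10      # appended at the very end
        if seq in self.entries:
            raise ValueError(f"statement number {seq} already in use")
        self.entries[seq] = statement
        return seq

    def delete(self, ref):
        """'no 10' (by number) or 'no deny host 192.168.0.1' (by the statement text)."""
        if isinstance(ref, int):
            del self.entries[ref]
            return
        hits = [s for s, st in self.entries.items() if st == ref]
        if not hits:
            raise KeyError(ref)
        del self.entries[hits[0]]

    def ordered(self):
        """The order the router actually checks: by number, top to bottom."""
        return sorted(self.entries.items())

    def unreachable(self):
        """Numbers of statements sitting below the first catch-all; the router never
        gets that far, which is exactly what the note above warns about."""
        shadowed, seen_catch_all = [], False
        for seq, st in self.ordered():
            if seen_catch_all:
                shadowed.append(seq)
            if st in CATCH_ALL:
                seen_catch_all = True
        return shadowed

    def show(self):
        """Roughly what 'show access-lists' prints for this ACL."""
        lines = [f"Standard IP access list {self.name}"]
        lines += [f"    {seq} {st}" for seq, st in self.ordered()]
        return "\n".join(lines)

def page_walkthrough():
    """Replays the Blocking-List configuration above, plus one careless append."""
    acl = NamedStandardAcl("Blocking-List")
    acl.add("deny host 192.168.0.1")             # gets 10
    acl.add("deny host 192.168.0.2")             # gets 20
    acl.add("permit any")                        # gets 30
    acl.add("deny host 192.168.0.3", seq=12)     # the edit: lands between 10 and 20
    acl.add("deny host 192.168.0.4")             # no number given: gets 40, after permit any
    acl.delete(10)                               # 'no 10'
    return acl
```

Calling page_walkthrough().show() prints the list in the order the router checks it, and unreachable() returns [40] for the statement that ended up behind the permit.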
Operators in Extended ACL:

Operator in the access-list command | Meaning
------------------------------------|-----------------------
eq                                  | Equals to
neq                                 | Not equals to
lt                                  | Less than
gt                                  | Greater than
range                               | Range of port numbers
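As an added example (not the book's code), here is a small Python model of how a router evaluates the standard and extended ACLs described in this book: Cisco wildcard masks, the port operators from the table above, top-down first match, and the implicit deny at the end. The entries are constructed to mirror the page's access-list 100 and access-list 1; the function names are my own.

```python
import ipaddress

# Added example, not the book's code: models how a router walks an ACL top to bottom,
# stops at the first matching statement, and hits the hidden "deny all" if none matches.
HOST = "0.0.0.0"                        # wildcard for "host X": every bit must match
ANY = ("0.0.0.0", "255.255.255.255")    # "any": no bit has to match

# Port operators from the table above: (ports tuple, packet port) -> bool
OPERATORS = {
    "eq": lambda p, port: port == p[0],
    "neq": lambda p, port: port != p[0],
    "lt": lambda p, port: port < p[0],
    "gt": lambda p, port: port > p[0],
    "range": lambda p, port: p[0] <= port <= p[1],
}

def wildcard_match(addr, ref, wildcard):
    """Cisco wildcard mask: a 0 bit must equal the reference, a 1 bit is 'don't care'."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == r & care

def port_match(op, ports, port):
    """op None means the statement has no port condition at all."""
    return True if op is None else OPERATORS[op](ports, port)

def ace(action, proto, src, dst, op=None, ports=()):
    """One statement; src/dst are (address, wildcard) pairs like the CLI's 'addr wildcard'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "op": op, "ports": ports}

def pkt(proto, src, dst, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, packet):
    """Return (action, index of the matching statement); index None = implicit deny."""
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue                      # 'ip' covers every protocol
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["proto"] in ("tcp", "udp") and not port_match(e["op"], e["ports"], packet["dport"]):
            continue
        return e["action"], i             # first match wins, nothing below is consulted
    return "deny", None                   # the router's own trailing "deny all" statement

# Constructed to mirror access-list 100 above: no ping from .2, no HTTP from .3, rest permitted.
ACL_100 = [
    ace("deny", "icmp", ("192.168.0.2", HOST), ("192.168.0.10", HOST)),
    ace("deny", "tcp", ("192.168.0.3", HOST), ("192.168.0.10", HOST), "eq", (80,)),
    ace("permit", "ip", ANY, ANY),
]

# Constructed standard ACL with the final 'permit any' left out, to show the implicit deny.
ACL_1_NO_PERMIT = [
    ace("deny", "ip", ("192.168.0.1", HOST), ANY),
    ace("deny", "ip", ("192.168.0.2", HOST), ANY),
]
```

evaluate(ACL_1_NO_PERMIT, pkt("ip", "192.168.0.5", "10.0.0.1")) returns ("deny", None): a host the list never names is still dropped, which is the case the "Important for ACL" section warns about.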
Criteria of Applying ACL:

To apply an ACL we first have to understand the network diagram: for the computer whose traffic we want to block, how many paths are there in our network's topology through which that traffic is accessed or passes? If we do not do this, then suppose the traffic of the computer we wanted to block passes over multiple links. Right. We also have to see where the traffic is entering, and at that very point, on the router interface where that traffic enters, we apply the ACL to block it.

Configuration of Named ACL for Extended ACL:

Router(config)# ip access-list extended Blocking-HTTP (Blocking-HTTP is the name of the ACL)
Router(config-ext-nacl)# deny tcp host 192.168.0.1 host 192.168.0.10 eq 80
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface fa0/0
Router(config-if)# ip access-group Blocking-HTTP in
Router(config-if)# exit

Selection/Planning of ACL:

1) Step 1: On which router to apply the ACL. If there are multiple routers in your network, first the router has to be selected: on which router the ACL will be applied.
2) Step 2: On which interface of that router to apply the ACL. If your router has multiple ports, you also have to see on which interface of the router you will apply the ACL.

Direction & Action of ACL:

Whatever kind of ACL it is, standard or extended, both are applied in only (2) directions.

1) In Bound:

Means the side where the traffic is coming in from: if that side has to be blocked, we use the "Inbound" direction to apply the ACL. An inbound ACL works before the routing decision: when any packet comes into the router, it is checked against the ACL statements before the router looks it up in its routing table; if the matching statement is deny, the packet is discarded, and if it is permit, the packet is forwarded on.

2) Out Bound:

Means the side where the traffic is going out: to apply blocking on that side we use the "Outbound" direction to apply the ACL. An outbound ACL works after the routing decision.


On every (1) single interface of a router we can use only (2) ACLs, and that too only when their directions are different: i.e., on one interface one ACL is applied to block incoming traffic and one ACL is applied to block outgoing traffic.

"Yes, you learned ACLs :-) Now plan your another day & learn NAT terminology ahead"

YES, finally you completed your ACL topic. Hope this is informative for you & easy to learn.
For More Learning & Notes Visit www.easypeezzi.com

75% Completed, just 25% Left on your CCNA!

Feedback: Easypeezzi@gmail.com

Visit Site www.EasypeezZi.com & Download Other Topics & Modules & Learn with FUN