Version 4.0
Cisco Public
Packet Filtering
Packet filtering exists at Layer 3.
It is the process in which the router examines the IP header of each packet to see if the IP address matches an ACL configured on the router.
If there is a match, the packet is permitted or denied depending on how the ACL is configured.
2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Types Of Filtering
ACLs can be configured to use any of the following for packet filtering:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
TCP/UDP source port
TCP/UDP destination port
Standard ACLs
Standard ACLs filter packets based on source IP addresses only.
Standard ACLs can be numbered from 1 to 99 and 1300 to 1999.
They can be either a permit or a deny.
Below is an example of a standard ACL. Notice the use of wildcard masks with ACLs.
Extended ACLs
Extended ACLs can be used to filter packets based on source and destination IP addresses, ports, and protocol type.
Extended ACLs can be numbered 100 to 199 and 2000 to 2699.
Below you see that we have to identify tcp or udp; we also include "any eq 80", which means that any packet being used for HTTP can pass through the router.
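The simulator below is added here as an illustration; it is not code from the slides or from Cisco IOS. It parses numbered access-list lines of the two forms described on this slide and the previous one (standard: source address only; extended: protocol, source, destination and an optional "eq" port), applies Cisco wildcard masks, and evaluates packets top-down with first match winning and the implicit deny at the end. The sample ACLs and packets are constructed for the example. It also shows the ordering consequence that matters when entries are appended to an existing numbered ACL: an entry added after "permit any" is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet representation used only by this simulator.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip", "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'ignore'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src_net: str
    src_wc: str
    dst_net: str = "0.0.0.0"     # default: any destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # from "eq <port>", if present

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src_net, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst_net, self.dst_wc):
            return False
        return self.dport is None or p.dport == self.dport

def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_line(line: str) -> Entry:
    """Parse one numbered 'access-list' line in standard or extended form."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard ACL: source address only; a missing wildcard means 0.0.0.0.
        if t[3] in ("any", "host") or len(t) > 4:
            net, wc, _ = _parse_addr(t, 3)
        else:
            net, wc = t[3], "0.0.0.0"
        return Entry(action, "ip", net, wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        proto = t[3]
        src_net, src_wc, i = _parse_addr(t, 4)
        dst_net, dst_wc, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(action, proto, src_net, src_wc, dst_net, dst_wc, dport)
    raise ValueError(f"ACL number {number} is outside the standard/extended ranges")

def evaluate(entries: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    for e in entries:
        if e.matches(p):
            return e.action
    return "deny"

def check(lines: List[str], p: Packet) -> str:
    """Parse the ACL text, then evaluate one packet against it."""
    return evaluate([parse_line(l) for l in lines], p)

# Constructed sample ACLs (not from the slides).
STANDARD_ACL = [
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit any",
]
EXTENDED_ACL = [
    "access-list 110 permit tcp any any eq 80",
    "access-list 110 permit udp any host 10.0.0.53 eq 53",
    # nothing else is listed, so every other packet hits the implicit deny
]

if __name__ == "__main__":
    print(check(STANDARD_ACL, Packet("192.168.10.7", "10.0.0.1")))                  # deny
    print(check(EXTENDED_ACL, Packet("172.16.1.2", "10.0.0.5", "tcp", 40000, 80)))  # permit
    # A more specific deny appended after "permit any" is never reached:
    late = STANDARD_ACL + ["access-list 10 deny host 192.168.11.7"]
    print(check(late, Packet("192.168.11.7", "10.0.0.1")))                          # permit
```

The parser only accepts the numbered syntax shown on these slides (no named ports, no "range", no "established"); that keeps the wildcard and first-match logic, which is the point here, easy to follow.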
Questions!!!
What three parameters can ACLs use to filter traffic?
How do standard ACLs filter traffic?
What happens if a packet does not match any of the defined ACL statements?
What are the three Ps of ACLs?
ACL Placement
Placement is important so that our filters are used as efficiently as possible.
Standard ACLs are placed closest to the destination.
If we want to stop Accounting from accessing the Human Resources server, we'd place the standard ACL on port E0 of the Lab_B router.
Removing ACLs
Use the show access-list command to view your access lists.
Use the no access-list command to remove access lists.
Named ACLs
Named ACLs can be used for either standard or extended ACLs.
They are useful in keeping track of what an ACL does for you.
Editing ACLs
ACLs are reviewed sequentially.
You cannot insert entries into an ACL from the command line; if you type in an entry with the same ACL number, it is added to the end of the ACL.
To edit an ACL, copy and paste it into a text editor like Notepad, add your new information, and then copy and paste it back into the command line to apply it.
Questions!!!
Where should a standard access list be placed?
Where should an extended access list be placed?
Why would we use a named ACL?
What is an advantage that a named ACL has over a standard or extended ACL?
Reflexive ACLs
Used to allow IP traffic for sessions originated from within the trusted network to an untrusted network.
Denies IP traffic that originates from outside of the trusted network.
Can only be created as a named ACL.
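As an added example (not Cisco's implementation and not from the slides), the simulator below models the behaviour this slide describes: the outbound entry carrying "reflect" records a temporary mirrored entry for each session that originates inside the trusted network, and the inbound entry carrying "evaluate" permits only traffic that matches one of those live entries, so unsolicited traffic from the untrusted side is denied. The flows, addresses, timestamps and the 300-second idle timeout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict

@dataclass(frozen=True)
class Flow:
    """One direction of a session: the 5-tuple used as the temporary entry key."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self) -> "Flow":
        # The temporary entry permits exactly the reverse of the outbound flow.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAcl:
    """Simulates the reflect/evaluate pair of a named reflexive ACL.

    outbound() stands for the inside->outside entry with 'reflect':
    it permits the flow and records a mirrored temporary entry.
    inbound() stands for the outside->inside entry with 'evaluate':
    only traffic matching a live temporary entry is permitted.
    """
    def __init__(self, timeout_s: int = 300):
        self.timeout_s = timeout_s          # idle timeout of temporary entries
        self.temp: Dict[Flow, float] = {}   # mirrored flow -> expiry timestamp

    def outbound(self, f: Flow, now: float) -> str:
        self.temp[f.mirror()] = now + self.timeout_s
        return "permit"

    def inbound(self, f: Flow, now: float) -> str:
        # Expire stale entries before consulting the table.
        for k in [k for k, exp in self.temp.items() if exp <= now]:
            del self.temp[k]
        if f in self.temp:
            self.temp[f] = now + self.timeout_s   # activity refreshes the timer
            return "permit"
        return "deny"   # unsolicited traffic from the untrusted side

def demo() -> dict:
    """Constructed session: inside host 10.1.1.5 talks to 203.0.113.9:443."""
    acl = ReflexiveAcl(timeout_s=300)
    out = Flow("tcp", "10.1.1.5", 40000, "203.0.113.9", 443)
    reply = out.mirror()
    rogue = Flow("tcp", "203.0.113.9", 443, "10.1.1.5", 40001)  # not mirrored
    return {
        "outbound": acl.outbound(out, now=0),
        "reply": acl.inbound(reply, now=1),
        "unsolicited": acl.inbound(rogue, now=2),
        "reply_after_timeout": acl.inbound(reply, now=1000),
    }

if __name__ == "__main__":
    print(demo())
```

The last result in demo() shows the idle timeout at work: once the temporary entry has aged out, even the genuine return flow is denied until the inside host sends again.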
Time-Based ACLs
Time-Based ACLs allow you to control when your network can be accessed.
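The following is an added example, not code from the slides or from Cisco IOS. It simulates a time-range of the "periodic <days> H:MM to H:MM" form and an ACL entry bound to it: while the range is inactive the entry is skipped as if it were not there, so the packet falls through to the next entry or to the implicit deny. The entries are assumed to already match the packet's addresses (address matching is left out to keep the time logic in focus); the office-hours policy and the test dates are constructed.

```python
from datetime import datetime, time
from typing import List, Optional, Set

# Day keywords accepted by the simulator (Monday == 0, as in datetime.weekday()).
DAY_SETS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),
    "weekend": {5, 6},
}

def _hhmm(s: str) -> time:
    h, m = (int(x) for x in s.split(":"))
    return time(h, m)

class TimeRange:
    """Simulated time-range holding one 'periodic <days> H:MM to H:MM' line."""
    def __init__(self, periodic: str):
        t = periodic.split()
        if len(t) != 5 or t[0] != "periodic" or t[3] != "to":
            raise ValueError(f"unsupported time-range line: {periodic!r}")
        self.days: Set[int] = DAY_SETS[t[1]]
        self.start, self.end = _hhmm(t[2]), _hhmm(t[4])

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

class TimedEntry:
    """An ACL entry that is only considered while its time-range is active."""
    def __init__(self, action: str, time_range: Optional[TimeRange] = None):
        self.action, self.time_range = action, time_range

    def applies(self, when: datetime) -> bool:
        return self.time_range is None or self.time_range.active(when)

def evaluate(entries: List[TimedEntry], when: datetime) -> str:
    for e in entries:
        if e.applies(when):
            return e.action
    return "deny"  # implicit deny at the end of every ACL

# Constructed policy: permit during office hours on weekdays, deny otherwise.
WORKHOURS = TimeRange("periodic weekdays 8:00 to 17:00")
POLICY = [TimedEntry("permit", WORKHOURS), TimedEntry("deny")]

if __name__ == "__main__":
    print(evaluate(POLICY, datetime(2024, 6, 12, 10, 0)))   # Wednesday 10:00 -> permit
    print(evaluate(POLICY, datetime(2024, 6, 12, 18, 0)))   # Wednesday 18:00 -> deny
    print(evaluate(POLICY, datetime(2024, 6, 15, 10, 0)))   # Saturday 10:00 -> deny
```

Note that the end time is exclusive here, so a packet arriving at exactly 17:00 is already outside the range; when writing a real policy, check the device's own boundary behaviour rather than assuming this one.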
Questions!!!
What is another name for a Dynamic ACL? What is it used for?
What is the purpose of a Reflexive ACL?
What is the purpose of a Time-Range ACL?