Access Control List

- It is a Layer 3 security feature that controls the flow of traffic from one router to another.
- It is also called a Packet Filtering Firewall.

ACL - Network Diagram

[Figure: three routers, HYD, CHE and BAN, connected by two serial links]
- Serial link 10.0.0.0/8: S0 10.0.0.1/8 to S1 10.0.0.2/8
- Serial link 11.0.0.0/8: S0 11.0.0.1/8 to S1 11.0.0.2/8
- HYD: E0 192.168.1.150/24, LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3
- CHE: E0 192.168.2.150/24, LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3
- BAN: E0 192.168.3.150/2, LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3

Requirement: 1.0 should not communicate with 2.0 network

Types of Access-list

- Standard ACL
- Extended ACL
- Named ACL

Standard Access List

- The access-list number lies between 1 and 99.
- Can block a Network, Host and Subnet.
- Two-way communication is stopped.
- All services are blocked.
- Implemented closest to the destination.

Extended Access List

- The access-list number lies between 100 and 199.
- Can block a Network, Host, Subnet and Service.
- One-way communication is stopped.
- Selected services are blocked.
- Implemented closest to the source.

Terminology

- Deny : Blocking a Network/Host/Subnet/Service
- Permit : Allowing a Network/Host/Subnet/Service
- Source Address : The address of the PC from where the request starts.
- Destination Address : The address of the PC where the request ends.
- Inbound : Traffic coming into the interface
- Outbound : Traffic going out of the interface

Terminology

- Protocols : IP - TCP - UDP - ICMP
- Operators : eq (equal to), neq (not equal to), lt (less than), gt (greater than)
- Services : HTTP, FTP, TELNET, DNS, DHCP etc.

Wild Card Mask

- Tells the router which addressing bits must match in the address of the ACL statement.
- It is the inverse of the subnet mask, hence it is also called the Inverse mask.
- A bit value of 0 indicates MUST MATCH (Check Bits).
- A bit value of 1 indicates IGNORE (Ignore Bits).
- The Wild Card Mask for a Host will always be 0.0.0.0.

Wild Card Mask

A wild card mask can be calculated using the formula:

    Global Subnet Mask
  - Customized Subnet Mask
  ------------------------
    Wild Card Mask

E.g.

    255.255.255.255
  - 255.255.255.240
  -----------------
      0.  0.  0. 15

Rules of Access List

- All deny statements have to be given first.
- There should be at least one Permit statement.
- An implicit deny blocks all traffic by default when there is no match (an invisible statement).
- Can have one access-list per interface per direction, i.e. two access-lists per interface, one in the inbound direction and one in the outbound direction.
- Works in sequential order.
- Editing of access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible.

Standard ACL - Network Diagram

Creation and implementation is done closest to the destination.

Requirement (same network diagram as above): 1.0 should not communicate with 2.0 network


Packet from host 1.1 to host 2.1: Source IP 192.168.1.1, Destination IP 192.168.2.1

access-list 1 deny 192.168.1.1 0.0.0.0
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any
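The following added example (not from the slides) models how a router applies the wildcard-mask formula, the top-down matching order and the implicit deny described in the Wild Card Mask and Rules of Access List sections to the standard ACL 1 shown above; the ACL entries, host addresses and 255.255.255.240 mask come from the slides, the function names are this example's own.

```python
"""Toy model of a Cisco IOS standard ACL (added example, not from the slides).

ACL entries, host addresses and the 255.255.255.240 example mask are taken
from the slide scenario; the function names are this example's own.
"""
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(subnet_mask):
    """Wildcard = 255.255.255.255 - subnet mask (the slide's formula)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(subnet_mask)))


def wildcard_match(address, pattern, wildcard):
    """Wildcard bit 0 = must match, bit 1 = ignore; 0.0.0.0 matches one host."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # bits the router checks
    return (to_int(address) & care) == (to_int(pattern) & care)


# Standard ACL 1 from the slides as (action, pattern, wildcard), in entry order.
# "any" is IOS shorthand for 0.0.0.0 255.255.255.255 (ignore every bit).
ACL_1 = [
    ("deny", "192.168.1.1", "0.0.0.0"),
    ("deny", "192.168.1.2", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl, source_ip):
    """Walk the ACL top-down; the first matching entry wins (sequential order).
    Returns (action, entry number); no match -> the invisible implicit deny."""
    for number, (action, pattern, wildcard) in enumerate(acl, start=1):
        if wildcard_match(source_ip, pattern, wildcard):
            return action, number
    return "deny", None


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))  # 0.0.0.15
    print(evaluate(ACL_1, "192.168.1.1"))          # ('deny', 1)
    print(evaluate(ACL_1, "192.168.1.3"))          # ('permit', 3)
    print(evaluate(ACL_1[:2], "192.168.1.3"))      # ('deny', None): no permit line
```

The last call shows why the rules insist on at least one permit statement: with only the two deny entries, host 1.3 is dropped by the implicit deny even though no entry names it.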



Packet with Source IP 192.168.1.3 and Destination IP 192.168.1.2, evaluated against the same access list:

access-list 1 deny 192.168.1.1 0.0.0.0
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any


Named Access List

- Access-lists are identified using Names rather than Numbers.
- Names are Case-Sensitive.
- No limitation of Numbers here.
- One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
- IOS version 11.2 or later allows Named ACL.
