© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Version 4.0
Filtering Traffic Using Access Control Lists
Introducing Routing and Switching in the Enterprise – Chapter 8
Objectives
Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
Analyze the use of wildcard masks.
Configure and implement ACLs.
Create and apply ACLs to control specific types of traffic.
Log ACL activity and integrate ACL best practices.
Describe Traffic Filtering
Analyze the contents of a packet
Allow or block the packet
Based on source IP, destination IP, MAC address, protocol, application type
Describe Traffic Filtering
Devices providing traffic filtering:
Firewalls built into integrated routers
Dedicated security appliances
Servers
Describe Traffic Filtering
Uses for ACLs:
Specify internal hosts for NAT
Classify traffic for QoS
Restrict routing updates, limit debug outputs, control virtual terminal access
Describe Traffic Filtering
Possible issues with ACLs:
Increased load on router
Possible network disruption
Unintended consequences from incorrect placement
Describe Traffic Filtering
Standard ACLs filter based on source IP address
Extended ACLs filter on source and destination, as well as protocol and port number
Named ACLs can be either standard or extended
Describe Traffic Filtering
ACLs consist of statements
At least one statement must be a permit statement
Final statement is an implicit deny
ACL must be applied to an interface in order to work
Describe Traffic Filtering
An ACL is applied inbound or outbound
Direction is from the router’s perspective
Each interface can have one ACL per direction for each network protocol
Analyze the Use of Wildcard Masks
A wildcard mask can block a range of addresses or a whole network with one statement
0s indicate which part of an IP address must match the ACL
1s indicate which part does not have to match specifically
Analyze the Use of Wildcard Masks
Use the host parameter in place of a 0.0.0.0 wildcard
Use the any parameter in place of a 255.255.255.255 wildcard
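As an added illustration (not part of the Cisco deck), a small Python model of wildcard-mask matching: it checks an address against a reference/wildcard pair, derives the wildcard for a prefix length, and tests whether an address range can be covered by a single statement. It goes slightly beyond the slides by also showing a non-contiguous wildcard (0.0.254.255), which IOS accepts; all addresses are constructed sample values.

```python
import ipaddress

def wildcard_match(addr, ref, wildcard):
    """Cisco wildcard semantics: where a mask bit is 0 the address bit must match, where it is 1 it is ignored."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    return (a & ~w) == (r & ~w)

def wildcard_for_prefix(prefix_len):
    """Wildcard covering one whole network: the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~subnet_mask & 0xFFFFFFFF))

def wildcard_for_range(first, last):
    """(network, wildcard) for an address range, or None if one statement cannot express it.

    A single wildcard only covers a range whose size is a power of two and whose start is aligned to that size."""
    f, l = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    size = l - f + 1
    if size & (size - 1) or f % size:
        return None
    return first, str(ipaddress.IPv4Address(size - 1))

HOST = "0.0.0.0"         # 'host 10.1.1.1' is shorthand for '10.1.1.1 0.0.0.0'
ANY = "255.255.255.255"  # 'any' is shorthand for '0.0.0.0 255.255.255.255'

def examples():
    # Constructed checks; the comment after each gives the expected result
    return {
        "lan_member":   wildcard_match("192.168.1.77", "192.168.1.0", "0.0.0.255"),   # True
        "other_lan":    wildcard_match("192.168.2.77", "192.168.1.0", "0.0.0.255"),   # False
        "host_kw":      wildcard_match("10.1.1.1", "10.1.1.1", HOST),                  # True
        "host_kw_off":  wildcard_match("10.1.1.2", "10.1.1.1", HOST),                  # False
        "any_kw":       wildcard_match("198.51.100.9", "0.0.0.0", ANY),                # True
        "slash20":      wildcard_for_range("192.168.16.0", "192.168.31.255"),          # ('192.168.16.0', '0.0.15.255')
        "odd_range":    wildcard_for_range("192.168.1.0", "192.168.1.100"),            # None: needs several statements
        "even_subnets": wildcard_match("192.168.4.7", "192.168.0.0", "0.0.254.255"),  # True: non-contiguous mask
    }
```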
Configure and Implement Access Control Lists
Determine traffic filtering requirements
Decide which type of ACL to use
Determine the router and interface on which to apply the ACL
Determine in which direction to filter traffic
Configure and Implement Access Control Lists: Numbered Standard ACL
Use the access-list command to enter statements
Use the same number for all statements
Number ranges: 1-99, 1300-1999
Apply as close to the destination as possible
Configure and Implement Access Control Lists: Numbered Extended ACL
Use the access-list command to enter statements
Use the same number for all statements
Number ranges: 100-199, 2000-2699
Specify a protocol to permit or deny
Place as close to the source as possible
Configure and Implement Access Control Lists: Named ACLs
A descriptive name replaces the number range
Use the ip access-list command to enter the initial statement
Start succeeding statements with either permit or deny
Apply in the same way as a standard or extended ACL
Configure and Implement Access Control Lists: VTY access
Create the ACL in line configuration mode
Use the access-class command to initiate the ACL
Use a numbered ACL
Apply identical restrictions to all VTY lines
Create and Apply ACLs to Control Specific Types of Traffic
Use a specified condition when filtering on port numbers: eq, lt, gt
Deny all appropriate ports for multi-port applications like FTP
Use the range operator to filter a group of ports
Create and Apply ACLs to Control Specific Types of Traffic
Block harmful external traffic while allowing internal users free access
Ping: allow echo replies while denying echo requests from outside the network
Stateful Packet Inspection
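To make the numbered extended ACL syntax from the configure section and the two slides above (port operators, echo reply versus echo request) concrete, here is an added Python model (not Cisco code) of how a router evaluates an extended ACL: it parses statements written in IOS access-list syntax, applies first-match semantics with the implicit deny, and runs constructed packets through a constructed ACL 101. It assumes a LAN of 192.168.1.0/24 behind the filtered interface and handles only a subset of the real IOS grammar (no source-port conditions, no established keyword).

```python
import ipaddress

def wildcard_match(addr, ref, wildcard):
    # Cisco wildcard semantics: 0 bits must match, 1 bits are ignored
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    return (a & ~w) == (r & ~w)
def parse_addr(t):  # consume 'any', 'host A' or 'A WILDCARD' from token list t
    tok = t.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (t.pop(0), "0.0.0.0") if tok == "host" else (tok, t.pop(0))
def parse_port(t):  # consume an optional 'eq|lt|gt N' or 'range A B' condition, else None
    if t and t[0] in ("eq", "lt", "gt", "range"):
        op, lo = t.pop(0), int(t.pop(0))
        return (op, lo, int(t.pop(0)) if op == "range" else lo)
def port_ok(cond, port):  # cond is None (no port condition) or (op, lo, hi)
    return cond is None or {"eq": port == cond[1], "lt": port < cond[1], "gt": port > cond[1],
                            "range": cond[1] <= port <= cond[2]}[cond[0]]
def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|lt|gt|range PORT(S)] [ICMP-TYPE]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst, dport = parse_addr(rest), parse_addr(rest), parse_port(rest)
    return (action, proto, src, dst, dport, rest[0] if rest else None)
def evaluate(acl, pkt):
    """Router behaviour: the first matching statement wins; unmatched packets hit the implicit deny."""
    for action, proto, src, dst, dport, icmp in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if proto in ("tcp", "udp") and not port_ok(dport, pkt["dport"]):
            continue
        if proto == "icmp" and icmp and icmp != pkt["icmp"]:
            continue
        return action
    return "deny"  # the implicit deny ip any any at the end of every ACL
# Constructed ACL in IOS syntax, meant for the outside interface inbound; the LAN is 192.168.1.0/24
ACL_101 = [parse_ace(l) for l in """
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 101 deny icmp any 192.168.1.0 0.0.0.255 echo
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 range 20 21
access-list 101 permit tcp any host 192.168.1.10 eq 80
""".splitlines() if l.strip()]
def verdicts():  # constructed packets arriving from the outside, evaluated in order
    base = dict(src="203.0.113.5", dst="192.168.1.10", dport=0, icmp=None)
    cases = [dict(proto="tcp", dport=80), dict(proto="tcp", dport=21), dict(proto="icmp", icmp="echo-reply"),
             dict(proto="icmp", icmp="echo"), dict(proto="udp", dport=53)]
    return [evaluate(ACL_101, {**base, **c}) for c in cases]  # → permit, deny, permit, deny, deny
```

The last packet (UDP to port 53) matches no statement and is dropped by the implicit deny, which is why the slides recommend an explicit logged deny at the end when you need to see what is being discarded.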
Create and Apply ACLs to Control Specific Types of Traffic
Account for NAT when creating and applying ACLs to a NAT interface
Filter public addresses on a NAT outside interface
Filter private addresses on a NAT inside interface
Create and Apply ACLs to Control Specific Types of Traffic
Examine every ACL one line at a time to avoid unintended consequences
Create and Apply ACLs to Control Specific Types of Traffic
Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces
Log ACL Activity and ACL Best Practices
Logging provides additional details on packets denied or permitted
Add the log option to the end of each ACL statement to be tracked
Log ACL Activity and ACL Best Practices
Syslog messages:
Status of router interfaces
ACL messages
Bandwidth, protocols in use, configuration events
Log ACL Activity and ACL Best Practices
Always test basic connectivity before applying ACLs
Add deny ip any to the end of an ACL when logging
Use reload in 30 when testing ACLs on remote routers
Summary
ACLs enable traffic management and secure access to and from a network and its resources
Apply an ACL to filter inbound or outbound traffic
ACLs can be standard, extended, or named
Using a wildcard mask provides flexibility
There is an implicit deny statement at the end of an ACL
Account for NAT when creating and applying ACLs
Logging provides additional details on filtered traffic