In 60 Days – ICND2
Access Lists
Traffic Cops
• Decides what can pass through router
• Set of YES/NO filters
• Have several uses…
Use ACLs
• To filter traffic
• Reference NAT pools
• Debugging
• With route maps for routing
Types of ACL
• Standard
• Extended
• Named
Standard IP ACL
• Numbered from 1 to 99
• Can filter on source host/network
• Can’t filter ports or protocols
Extended IP ACLs
• Numbered from 100-199
• Filters port/destination/source etc.
• More complicated to configure
Named ACLs
• Names instead of numbers
• Can be standard or extended
• Slightly different commands
Need to Know...
• Port numbers
• Command syntax
• ACL rules
Common Ports
Port  Service        Port     Service
20    FTP Data       80       HTTP
21    FTP Control    110      POP3
22    SSH            119      NNTP
23    Telnet         123      NTP
25    SMTP           161/162  SNMP
53    DNS            443      HTTPS
69    TFTP
Command Syntax
• We will come to this!
ACL Rule #1
• One ACL per interface per direction
  Diagram: two router interfaces, each with one incoming and one outgoing ACL
ACL Rule #2
• Processed top down
• Incoming packet from 172.16.1.1:
  Permit 10.0.0.0      No match
  Permit 192.168.1.1   No match
  Permit 172.16.0.0    Match – Permit
  Permit 172.16.1.0    Not processed
  Deny 172.16.1.1      Not processed
ACL Rule #3
• Implicit ‘deny all’ at bottom
• Incoming packet from 172.20.1.1:
  Permit 10.0.0.0      No match
  Permit 192.168.1.1   No match
  Permit 172.16.0.0    No match
  Permit 172.16.1.0    No match
  Deny all             Match – DROP PACKET
ACL Rule #4
• Router can’t filter self-generated traffic
  Diagram 1: a host pings 172.16.1.1 through a router whose ACL says “Deny 172.16.1.1”: BLOCKED
  Diagram 2: the router itself pings 172.16.1.1 with the same ACL applied: UNCHECKED (the ACL is not consulted)
ACL Rule #5 – Can’t Edit Live
• Can’t edit live standard or extended lists
• Can edit named lists
1. Remove the access list from the interface so it stops working
2. Copy it into Notepad, edit it, then reapply it
ACL Rule #6
• Disable ACL on the interface:
  R1(config)#no ip access-group 101 in
ACL Rule #7
• Can reuse the same ACL
  Diagram: ACL 101 (Deny Web Traffic) applied inbound (ACL 101 IN) on both S0/1 and S0/0
ACL Rule #8
• Keep ‘em short
• Most specific rules at top:
  Permit 10.0.0.0
  Permit 192.168.1.1
  Permit 172.16.0.0
  Deny 172.16.1.1      Should be at top
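Rules #2, #3 and #8 can be checked by simulating the router's evaluation. The following is an added example written for these notes, not code from the course; it assumes Cisco-style wildcard masks for the slide entries (the slides omit them) and treats the two single-address entries as hosts.

```python
import ipaddress
from typing import List, Optional, Tuple

# Cisco wildcard masks: 0 bits must match, 1 bits are ignored.
# A single host uses wildcard 0.0.0.0; 'any' uses 255.255.255.255.

def parse_entry(line: str) -> Tuple[str, str, str]:
    """Parse 'permit 172.16.0.0 0.0.255.255', 'deny host 172.16.1.1' or 'permit any'."""
    parts = line.split()
    action = parts[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if parts[1].lower() == "host":
        return (action, parts[2], "0.0.0.0")
    if parts[1].lower() == "any":
        return (action, "0.0.0.0", "255.255.255.255")
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"  # no mask given = single host
    return (action, parts[1], wildcard)

def matches(src: str, network: str, wildcard: str) -> bool:
    """True if source address src falls inside network under the wildcard mask."""
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (s | w) == (n | w)   # wildcard bits ignored, all other bits must be equal

def evaluate(acl: List[str], src: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL top down. Returns (action, index of the first matching entry),
    or ('deny', None) when nothing matched and the implicit deny all applies."""
    for idx, line in enumerate(acl):
        action, network, wildcard = parse_entry(line)
        if matches(src, network, wildcard):
            return action, idx          # first match wins; later lines are not processed
    return "deny", None

# The list from the slides; wildcard masks are assumed (constructed sample data).
SLIDE_ACL = [
    "permit 10.0.0.0 0.255.255.255",
    "permit host 192.168.1.1",
    "permit 172.16.0.0 0.0.255.255",
    "permit 172.16.1.0 0.0.0.255",
    "deny host 172.16.1.1",            # never reached: shadowed by the 172.16.0.0 permit
]
# Rule #8: the most specific entry goes to the top so it is actually consulted.
FIXED_ACL = [SLIDE_ACL[-1]] + SLIDE_ACL[:-1]

if __name__ == "__main__":
    print(evaluate(SLIDE_ACL, "172.16.1.1"))   # ('permit', 2): Rule #2, the deny is shadowed
    print(evaluate(SLIDE_ACL, "172.20.1.1"))   # ('deny', None): Rule #3, implicit deny all
    print(evaluate(FIXED_ACL, "172.16.1.1"))   # ('deny', 0): Rule #8, deny now at the top
```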
ACL Rule #9
• Place as close to traffic source as possible
  Diagram: ACL 101 (Deny Web Traffic) applied inbound (ACL 101 IN) on S0/1, nearest the source; the interface at the far end is labelled “Do not put it here”
End