Access Control List (ACL)
Transcript of Access Control List (ACL)
![Page 1: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/1.jpg)
Access Control List (ACL)
W.lilakiatsakun
![Page 2: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/2.jpg)
Transport Layer Review (1)
• TCP (Transmission Control Protocol)
– HTTP (Web)
– SMTP (Mail)
• UDP (User Datagram Protocol)
– DNS (Domain Name System; DNS also uses TCP for zone transfers and for responses too large for a single datagram)
– SNMP (Simple Network Management Protocol)
![Page 3: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/3.jpg)
Transport Layer Review (2)
![Page 4: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/4.jpg)
Transport Layer Review (3)
TCP Port
![Page 5: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/5.jpg)
Transport Layer Review (4)
UDP Port
![Page 6: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/6.jpg)
Transport Layer Review (5)
TCP/UDP Common Port
![Page 7: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/7.jpg)
Packet Filtering (1)
• Packet filtering controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on stated criteria.
• A router acts as a packet filter when it forwards or denies packets according to filtering rules.
![Page 8: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/8.jpg)
Packet Filtering (2)
![Page 9: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/9.jpg)
Packet Filtering (3)
![Page 10: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/10.jpg)
Packet Filtering (4)
• A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.
• These rules are defined using access control lists or ACLs.
![Page 11: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/11.jpg)
Packet Filtering (5)
Example policy:
– Only permit web access to users from network A.
– Deny web access to users from network B.
– Permit network B all other access.
![Page 12: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/12.jpg)
ACL (Access Control List) (1)
• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
• ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
![Page 13: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/13.jpg)
ACL (Access Control List) (2)
![Page 14: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/14.jpg)
ACL (Access Control List) (3)
![Page 15: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/15.jpg)
ACL guideline (1)
• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
![Page 16: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/16.jpg)
ACL guideline (2)
• Configure ACLs on border routers, the routers situated at the edges of your networks.
– This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
• Configure ACLs for each network protocol configured on the border router interfaces.
– You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
![Page 17: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/17.jpg)
ACL Operation (1)
• Inbound ACLs
– Incoming packets are processed before they are routed to the outbound interface.
– An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
• Outbound ACLs
– Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
![Page 18: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/18.jpg)
ACL Operation (2)
Inbound ACLs
![Page 19: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/19.jpg)
ACL Operation (3)
Outbound ACLs
![Page 20: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/20.jpg)
ACL Operation (4)
![Page 21: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/21.jpg)
Type of CISCO ACL
![Page 22: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/22.jpg)
Standard ACL (1)
The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
![Page 23: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/23.jpg)
Numbering and Naming ACL
![Page 24: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/24.jpg)
Where to Place ACL (1)
• Locate extended ACLs as close as possible to the source of the traffic denied.
– This way, undesirable traffic is filtered without crossing the network infrastructure.
• Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
![Page 25: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/25.jpg)
Where to Place ACL (2)
Standard ACL
![Page 26: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/26.jpg)
Where to Place ACL (3)
Extended ACL
![Page 27: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/27.jpg)
ACL Best Practice (1)
![Page 28: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/28.jpg)
ACL Criteria (1)
![Page 29: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/29.jpg)
Configuring Standard ACL (1)
Access Control Condition
– Permit IP from network 192.168.10.0/24 except 192.168.10.1
– Permit IP from network 192.0.0.0/8 except 192.168.0.0/16
Configuration (order matters: each deny must precede the broader permit, because the first matching statement wins):
– access-list 2 deny 192.168.10.1
– access-list 2 permit 192.168.10.0 0.0.0.255
– access-list 2 deny 192.168.0.0 0.0.255.255
– access-list 2 permit 192.0.0.0 0.255.255.255
![Page 30: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/30.jpg)
Configuring Standard ACL (2)
![Page 31: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/31.jpg)
Configuring Standard ACL (3)
![Page 32: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/32.jpg)
Configuring Standard ACL (4)
Removing ACL
Standard ACL statement syntax: Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]
The no form, Router(config)#no access-list access-list-number, removes the entire numbered list, not a single statement; to change one line of a numbered ACL, delete the list and re-enter it.
![Page 33: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/33.jpg)
Configuring Standard ACL (5)
Documenting ACL
![Page 34: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/34.jpg)
ACL Wildcard Masking (1)
• Wildcard masks use the following rules to match binary 1s and 0s:
– Wildcard mask bit 0 - Match the corresponding bit value in the address
– Wildcard mask bit 1 - Ignore the corresponding bit value in the address
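The wildcard rules above and the ACL 2 example (deny 192.168.10.1, permit 192.168.10.0/24, deny 192.168.0.0/16, permit 192.0.0.0/8) can be exercised together in a small simulator of the router's matching logic. This is an added example, not code from the slides: it parses IOS-style access-list lines, converts a prefix to its wildcard, and applies first-match-wins with the implicit deny at the end. The test addresses (192.168.10.77, 192.0.2.10, 10.1.1.1) are constructed for the example.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    # Bits that differ between addr and base matter only where the wildcard bit is 0.
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def prefix_to_wildcard(cidr: str) -> tuple[str, str]:
    """'192.168.10.0/24' -> ('192.168.10.0', '0.0.0.255'): the wildcard is the inverted subnet mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def parse_standard_acl(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse 'access-list N permit|deny source [wildcard] [log]' into (action, base, wildcard).

    A bare address or 'host A' means wildcard 0.0.0.0; 'any' means 0.0.0.0 255.255.255.255.
    Remarks are documentation and do not match anything.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        if parts[-1] == "log":
            parts = parts[:-1]
        action = parts[2]
        if parts[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wc))
    return entries


def evaluate(entries: list[tuple[str, str, str]], src: str) -> str:
    """First matching statement wins; anything unmatched hits the implicit 'deny any'."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


# The ACL 2 example from the slides, as typed into IOS.
ACL_2_LINES = [
    "access-list 2 deny 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]
ACL_2 = parse_standard_acl(ACL_2_LINES)

# Same statements with the first deny placed after its permit: the host is no longer blocked,
# because the /24 permit matches first. This is the 'order of statements' troubleshooting case.
ACL_2_MISORDERED = [ACL_2[1], ACL_2[0], ACL_2[2], ACL_2[3]]


if __name__ == "__main__":
    for ip in ("192.168.10.1", "192.168.10.77", "192.168.20.5", "192.0.2.10", "10.1.1.1"):
        print(f"{ip:15} correct order: {evaluate(ACL_2, ip):6} misordered: {evaluate(ACL_2_MISORDERED, ip)}")
```

Running it shows 192.168.10.1 denied by the correctly ordered list but permitted by the misordered one, and 10.1.1.1 denied by both even though no statement names it, which is the implicit deny.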
![Page 35: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/35.jpg)
ACL Wildcard Masking (2)
![Page 36: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/36.jpg)
ACL Wildcard Masking (3)
![Page 37: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/37.jpg)
ACL Wildcard Masking (4)
![Page 38: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/38.jpg)
ACL Wildcard Masking (5)
![Page 39: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/39.jpg)
ACL Wildcard Masking (6)
![Page 40: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/40.jpg)
Apply Standard ACL (1)
![Page 41: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/41.jpg)
Apply Standard ACL (2)
![Page 42: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/42.jpg)
Apply Standard ACL (3)
![Page 43: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/43.jpg)
Apply Standard ACL (4)
![Page 44: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/44.jpg)
Apply Standard ACL (5)
![Page 45: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/45.jpg)
Commenting ACL
![Page 46: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/46.jpg)
Named ACL (1)
![Page 47: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/47.jpg)
Named ACL (2)
![Page 48: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/48.jpg)
Verifying ACL
![Page 49: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/49.jpg)
Extended ACL (1)
Extended ACLs check not only the source address but also the destination address, the protocol and the port numbers (or services). This gives a greater range of criteria on which to base the ACL.
![Page 50: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/50.jpg)
Extended ACL (2)
![Page 51: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/51.jpg)
Extended ACL (3)
![Page 52: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/52.jpg)
![Page 53: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/53.jpg)
Configuring Extended ACL (1)
• The network administrator needs to restrict Internet access to allow only website browsing.
– ACL 103 applies to traffic leaving the 192.168.10.0 network.
– ACL 104 applies to traffic coming into the network.
![Page 54: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/54.jpg)
Configuring Extended ACL (2)
![Page 55: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/55.jpg)
Configuring Extended ACL (3)
• ACL 103 accomplishes the first part of the requirement.
– It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.
![Page 56: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/56.jpg)
Configuring Extended ACL (4)
• ACL 104 accomplishes the second part by blocking all incoming traffic except packets belonging to established connections.
– HTTP runs over TCP, which opens a connection with the SYN, SYN-ACK and ACK handshake and closes it with FIN; every segment after the initial SYN carries the ACK flag.
![Page 57: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/57.jpg)
Configuring Extended ACL (5)
• The established parameter allows responses to traffic that originates from the 192.168.10.0/24 network to return inbound on s0/0/0.
• A match occurs if the TCP segment has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection.
• Caveat: established inspects only those flag bits and keeps no session state. Any outside host can send a segment with ACK or RST set to any inside port and it matches the ACL, so this does not stop ACK-flag scans or crafted packets; a stateful mechanism such as a reflexive ACL is needed to confirm that the inside host actually opened the session. The keyword applies to TCP only, so UDP replies (DNS, for example) are not matched by it.
![Page 58: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/58.jpg)
Apply Extended ACL (1)
![Page 59: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/59.jpg)
Apply Extended ACL (2)
![Page 60: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/60.jpg)
Apply Extended ACL (3)
![Page 61: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/61.jpg)
Named Extended ACL
![Page 62: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/62.jpg)
Complex ACL
![Page 63: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/63.jpg)
Dynamic ACL (1)
• AKA lock-and-key ACL
– Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated.
– The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the existing extended ACL.
![Page 64: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/64.jpg)
Dynamic ACL (2)
![Page 65: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/65.jpg)
Dynamic ACL (3)
![Page 66: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/66.jpg)
Reflexive ACL (1)
• Reflexive ACLs permit reply traffic only for sessions that originated inside: when an outbound packet is seen, a temporary entry is created that admits only the reply from that packet's destination back to its source, and the entry is removed when the session ends or times out.
• This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.
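The difference between the established keyword (ACL 104, above) and a reflexive ACL is easiest to see by running both over the same packets. This is an added example, not code from the slides or from Cisco IOS. The contents of ACL 103 and ACL 104 are reconstructed from the slide text (permit tcp from 192.168.10.0/24 to any eq 80 and 443; permit tcp any to 192.168.10.0/24 established) and are an assumption; the reflexive model is simplified to a set of 5-tuples without timeouts. All packets (addresses 203.0.113.10, 198.51.100.7, 203.0.113.53 and the ports) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


INSIDE = ("192.168.10.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")

# Assumed reconstruction of the slides' ACL 103 (outbound from the inside network).
ACL_103 = [
    ("permit", "tcp", INSIDE, ANY, {"dport": 80}),
    ("permit", "tcp", INSIDE, ANY, {"dport": 443}),
]
# Assumed reconstruction of ACL 104 (inbound on s0/0/0): only TCP with ACK or RST set.
ACL_104 = [
    ("permit", "tcp", ANY, INSIDE, {"established": True}),
]


def matches(entry, pkt: Packet) -> bool:
    """One extended ACL statement: protocol, source, destination, optional port and 'established'."""
    _action, proto, src, dst, opts = entry
    if proto not in ("ip", pkt.proto):
        return False
    if not wildcard_match(pkt.src, *src) or not wildcard_match(pkt.dst, *dst):
        return False
    if "dport" in opts and pkt.dport != opts["dport"]:
        return False
    # 'established' is a flag test only: the router does not remember any earlier packet.
    if opts.get("established") and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First match wins; unmatched packets hit the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"


class ReflexiveFilter:
    """Reflexive behaviour: an outbound packet that ACL 103 permits creates a temporary
    entry that admits only the mirror-image 5-tuple inbound (simplified: no timeouts)."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def outbound(self, pkt: Packet) -> str:
        verdict = evaluate(ACL_103, pkt)
        if verdict == "permit":
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return "permit" if key in self.sessions else "deny"


# Constructed traffic: a browser session, an unsolicited SYN, an ACK-only probe, and DNS.
REQUEST = Packet("192.168.10.5", "203.0.113.10", "tcp", 51000, 443, frozenset({"SYN"}))
REPLY = Packet("203.0.113.10", "192.168.10.5", "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
UNSOLICITED_SYN = Packet("198.51.100.7", "192.168.10.5", "tcp", 40000, 3389, frozenset({"SYN"}))
ACK_PROBE = Packet("198.51.100.7", "192.168.10.5", "tcp", 40000, 3389, frozenset({"ACK"}))
DNS_QUERY = Packet("192.168.10.5", "203.0.113.53", "udp", 50000, 53)
DNS_REPLY = Packet("203.0.113.53", "192.168.10.5", "udp", 53, 50000)


if __name__ == "__main__":
    rf = ReflexiveFilter()
    rf.outbound(REQUEST)
    for name, pkt in (("reply", REPLY), ("unsolicited SYN", UNSOLICITED_SYN), ("ACK probe", ACK_PROBE)):
        print(f"{name:16} established: {evaluate(ACL_104, pkt):6} reflexive: {rf.inbound(pkt)}")
```

Two things fall out of the run. The ACK-only probe to port 3389 is permitted by the established rule but denied by the reflexive filter, because only the reflexive filter knows that no inside host opened that session. And the browsing-only policy as stated also denies the outbound DNS query and its UDP reply, since neither ACL has a UDP statement and established matches TCP only; in practice a rule for UDP 53 to the resolver is needed or name resolution fails, which is the same class of mistake as the TFTP-over-UDP troubleshooting case later in the slides.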
![Page 67: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/67.jpg)
Reflexive ACL (2)
![Page 68: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/68.jpg)
Reflexive ACL (3)
![Page 69: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/69.jpg)
Time Based ACL (1)
• Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.
• To implement time-based ACLs, you create a time range that defines specific times of the day and week.
![Page 70: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/70.jpg)
Time Based ACL (2)
![Page 71: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/71.jpg)
Time Based ACL (3)
![Page 72: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/72.jpg)
Troubleshooting ACL (1)
Order of rule
![Page 73: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/73.jpg)
Troubleshooting ACL (2)
TFTP uses UDP
![Page 74: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/74.jpg)
Troubleshooting ACL (3)
Order of statement
![Page 75: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/75.jpg)
Troubleshooting ACL (4)
No rule to block 192.168.10.1.0
![Page 76: Access Control List (ACL)](https://reader036.fdocuments.in/reader036/viewer/2022062517/5681351b550346895d9c7396/html5/thumbnails/76.jpg)
Troubleshooting ACL (5)