Named Access List

Submitted to: Mr. Parvesh Mor
Submitted by: Anil Sharma (Reg: 11107936)
Introduction:
An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic, and an access list would be your tool of choice for decision making in these situations. One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they will allow only certain hosts to access web resources on the internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce any security policy they can invent. Some important points about access lists:
• Powerful tools that control access
both to and from network segments
• Can filter unwanted packets
• Can be used to implement security
• Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
• Available for IP, IPX, AppleTalk, and many other protocols
Access List Usage:
• You can create a standard access list that examines a packet's source address (the only field a standard list can test)
• deny any statement
– Implicitly blocks all packets that do not match any line of the access list
– Exists even though it is not shown as part of the access list
• With careful planning, you can create access lists that control which traffic crosses particular links and which segments of your network will have access to others
Problems with Access Lists:
• Lack of planning is one of the most common problems associated with access lists
• The need to enter a numbered list sequentially into the router also presents problems
– You cannot move individual statements once they are entered
– When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands (named lists, covered below, allow individual lines to be deleted instead)
• Access lists begin working the second they are applied to an interface
– Define the list before applying it: on Cisco IOS an ip access-group that refers to an empty or undefined list filters nothing, so all traffic is permitted until the lines are entered
Access List Rules:
• Example of the structure of a standard IP access list:
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
(a wildcard mask of 0.0.0.0 matches exactly one address; host 172.22.5.2 is the equivalent keyword form)
• The router applies each line in the order in which you type it into the access list
• The no access-list [list #] command is used to remove an access list
• As a general rule, the lines with the most potential matches should be first in the list
– So that packets will not undergo unnecessary processing
– Reorder only where it does not change the result: because the first match wins, a broad permit placed above a narrower deny silently disables that deny
• You should avoid unnecessarily long access lists
• After you create access lists, you
must apply them to interfaces so they
can begin filtering traffic
– You apply a list as either an
outgoing or an incoming
filter
• In summary, all access lists follow
these rules:
– Routers apply lists
sequentially in the order in
which you type them into the
router
– Routers apply lists to packets
sequentially, from the top
down, one line at a time
– Packets are processed only
until a match is made
– Lists always end with an
implicit deny
– Access lists must be applied
to an interface as either
inbound or outbound traffic
filters
– Only one list, per protocol,
per direction can be applied
to an interface
– Access lists are
effective as soon as they are
applied
Standard IP Access Lists:
• Standard IP access lists
– Filter network traffic based on the source IP address only
– Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address
• Configure standard IP access lists:
– access-list [list #] [permit|deny] [source address] [source wildcard mask]
– Standard lists use numbers 1-99 (and 1300-1999)
• Routers use wildcard masks to determine which bits in an address are significant
– A 0 bit in the wildcard mask means the corresponding address bit must match; a 1 bit means that bit is ignored
– 0.0.0.0 therefore matches a single host (the host keyword is equivalent) and 0.0.0.255 matches a whole /24; the wildcard is the bitwise inverse of the subnet mask, not the mask itself
Wildcard mask example: (figure not reproduced in the transcript)
Wildcard masking example matching a single host: (figure not reproduced in the transcript)
Standard IP Access List Examples:
• Standard IP access lists permit or deny packets based only on the source address
– Addresses can be a single host address, a subnet address, or a full network address
• Correct placement of a list is imperative
– A standard list cannot see the destination, so place it as close to the destination as possible; placed near the source it cuts that source off from everything beyond the interface, not just the intended target
• To view the access lists defined on your router, use the show access-lists command
– For IP access lists you could also use the show ip access-lists command
• If you decide that an access list needs to be removed from an interface
– You can remove it with the no ip access-group [list #] command in interface configuration mode
• Application of the list as an outbound filter on FastEthernet0/0
– See Figure 10-15
• Use the show access-lists or show ip access-lists command followed by the show ip interface command
– To verify that the list has been entered and applied correctly
Monitoring Standard IP Access Lists:
• Three main commands are available for monitoring access lists on your router
– show access-lists (lists every entry together with a per-line match counter)
– show ip access-lists
– show interfaces or show ip interface (shows which list is applied to an interface and in which direction)
• Use the no access-list [list #] command to remove the list
• Use the no ip access-group [list #] [direction] command to remove the application of the list
Extended IP Access Lists:
• Extended IP access lists
– Can filter by source IP address, destination IP address, protocol type, and application port number
– This granularity allows you to design extended IP access lists that:
• Permit or deny a single type of IP protocol
• Filter by a particular port of a particular protocol
• To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax
– access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
– Extended lists use numbers 100-199 (and 2000-2699); the operator is eq, gt, lt, neq or range, the port after the source address is the source port, and the port after the destination address is the destination port
– Because an extended list tests the destination as well, it is normally placed as close to the source as possible, so unwanted traffic is dropped before it crosses the network
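Wildcard matching, the top-down first-match rule and the implicit deny all hang together, so here is a small evaluator for numbered standard and extended lists written in the syntax above. It is an added example in Python, not the page's or Cisco's code: list 1 is the page's own example, while list 101, the port-name table and every packet are constructed, and the parser accepts only the subset of the IOS syntax shown on the page (any, host, a wildcard mask, eq/gt/lt/neq/range and a trailing log).

```python
"""Added example (not from the page): first-match evaluator for Cisco-style
numbered IP access lists, standard and extended."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # 'any': every wildcard bit set
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "www": 80}  # constructed subset


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match; bit 1 = don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tok: list) -> Tuple[str, str]:
    """Consume 'any' | 'host A' | 'A W' | 'A' (standard-list shorthand for A 0.0.0.0)."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    try:                                      # is the next token a wildcard mask?
        ipaddress.IPv4Address(tok[0])
        return t, tok.pop(0)
    except (IndexError, ipaddress.AddressValueError):
        return t, "0.0.0.0"


def _port(t: str) -> int:
    return int(t) if t.isdigit() else PORT_NAMES[t]


def _parse_port(tok: list) -> Optional[Callable[[int], bool]]:
    """Consume an optional 'eq|gt|lt|neq N' or 'range N M' operator."""
    if not tok or tok[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op, n = tok.pop(0), _port(tok.pop(0))
    if op == "range":
        m = _port(tok.pop(0))
        return lambda p: n <= p <= m
    return {"eq": lambda p: p == n, "gt": lambda p: p > n,
            "lt": lambda p: p < n, "neq": lambda p: p != n}[op]


@dataclass
class Entry:
    action: str
    proto: str                 # 'ip' = any protocol (always the case for standard lists)
    src: Tuple[str, str]
    sport: Optional[Callable[[int], bool]]
    dst: Tuple[str, str]
    dport: Optional[Callable[[int], bool]]
    log: bool
    text: str


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line.  Numbers 1-99 and
    1300-1999 are standard (source address only); the rest are extended."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        src = _parse_addr(rest)
        return Entry(action, "ip", src, None, ANY, None, "log" in rest, line)
    proto = rest.pop(0)
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return Entry(action, proto, src, sport, dst, dport, "log" in rest, line)


def matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)):
        return False
    if e.sport and not e.sport(pkt.get("sport", 0)):
        return False
    if e.dport and not e.dport(pkt.get("dport", 0)):
        return False
    return True


def evaluate(entries: list, pkt: dict) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins.  No match at all is the implicit deny: ('deny', None)."""
    for i, e in enumerate(entries, 1):
        if matches(e, pkt):
            return e.action, i
    return "deny", None


def shadowed(entries: list) -> list:
    """Line numbers that can never match because an earlier line is a catch-all
    (permit/deny ip any any with no ports): the ordering mistake the text warns about."""
    for i, e in enumerate(entries, 1):
        if e.proto == "ip" and e.src == ANY and e.dst == ANY and not (e.sport or e.dport):
            return list(range(i + 1, len(entries) + 1))
    return []


if __name__ == "__main__":
    std = [parse_entry(l) for l in ("access-list 1 deny 172.22.5.2 0.0.0.0",     # page's list 1
                                    "access-list 1 deny 172.22.5.3 0.0.0.0",
                                    "access-list 1 permit any")]
    ext = [parse_entry(l) for l in (   # constructed: PC1/PC2 (10.0.0.0/24) to PC4 (19.0.0.2)
        "access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 19.0.0.2 eq www",
        "access-list 101 permit tcp host 10.0.0.2 19.0.0.0 0.0.0.255 eq 22",
        "access-list 101 deny ip any any log")]
    print(evaluate(std, {"src": "172.22.5.2", "dst": "10.0.0.2", "proto": "ip"}))
    print(evaluate(ext, {"src": "10.0.0.3", "dst": "19.0.0.2", "proto": "tcp", "dport": 80}))
```

A packet that matches no line comes back as ('deny', None), which is the implicit deny every list carries. shadowed() reports the lines that a leading permit ip any any makes unreachable; on a real router show access-lists reveals the same thing only indirectly, as a match counter that never moves. The evaluator does not model protocol-specific keywords such as established or ICMP types.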
Using Named Lists:
• Named access lists
– In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
• To name a standard IP access list, use the following syntax:
RouterC(config)#ip access-list standard [name]
• To name an extended IP access list, use the following syntax:
RouterC(config)#ip access-list extended [name]
• Once the list is named, the permit or deny statements are entered at the sub-configuration prompt that follows (RouterC(config-std-nacl)# or RouterC(config-ext-nacl)#)
• The commands follow the same syntax as unnamed lists
– The beginning part of the command, access-list [list #], is not included; each line starts directly with permit or deny
• To apply a standard IP named list to an interface, the syntax is:
RouterC(config-if)#ip access-group [name] [in | out]
Advantages:
– Allows you to maintain security by using an easily identifiable access list
– Removes the limit of 100 lists per filter type
– With named access lists, lines can be selectively deleted in the ACL
– Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed
Controlling VTY Line Access:
• Access lists are used for both traffic flow and security
• One useful security feature of access lists is restricting access to telnet (and SSH) on your router
– By controlling VTY line access
• You must first create a standard IP access list that permits the management workstation
RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0
• Then, it must be applied to the VTY lines with access-class [acl #] [in | out]
– access-class in checks the source address of each session arriving at the router; it is independent of any ip access-group on the interfaces, so a host that an interface list lets through can still be refused here
• To apply access list 12 to the VTY lines, use the following command:
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 12 in
• The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are:
RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 13 in
• Two checks before leaving the session: confirm with show line that the platform has no VTY lines beyond 0 4 (if it does, apply the access-class to all of them, otherwise the unprotected lines stay open), and, when configuring remotely, make sure your own address is permitted, since the list is enforced on the next connection attempt and the implicit deny will lock out everyone else
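The same VTY restriction as a fuller configuration fragment, added here as an example and not taken from the page: list 13 and the 192.168.12.0/24 management network are the page's own, while the admin account, its secret and the use of SSH are assumptions. The trailing deny any log changes nothing about what is blocked (the implicit deny already does that) but makes every refused login attempt visible in the router's log, and transport input ssh keeps telnet off the lines entirely.

```cisco
! Management network from the page's example; list number 13 is also the page's
access-list 13 permit 192.168.12.0 0.0.0.255
! Assumed: explicit deny so rejected sessions are logged (the implicit deny is silent)
access-list 13 deny any log
!
! Assumed local account so that 'login local' has a credential to check
username admin secret <strong-secret>
!
line vty 0 4
 access-class 13 in
 transport input ssh
 login local
```

SSH itself additionally needs a hostname, an ip domain-name and an RSA key pair (crypto key generate rsa) before the lines will accept sessions; until then transport input ssh leaves the router reachable only from the console. After applying the fragment, show access-lists should show the permit line's match counter rising as you reconnect from the management network and the deny line's counter rising for anything else.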
Using Security Device Manager to Create Access Control Lists:
• Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI
• SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)
Topology:
Router1: E0 10.0.0.1, E1 11.0.0.1
Router2: E0 11.0.0.2, E1 12.0.0.1
Router3: E0 12.0.0.2, E1 13.0.0.1
Router4: E0 13.0.0.2, E1 14.0.0.1
Router5: E0/0 14.0.0.2, E0/1 14.0.0.1, E0/2 16.0.0.1
Router6: E0 15.0.0.2, E1 16.0.0.2
Router7: E0 17.0.0.1, E1 18.0.0.1
Router8: E0 18.0.0.2, E1 19.0.0.1
PC1: E0 10.0.0.2
PC2: E0 10.0.0.3
PC3: E0 15.0.0.2
PC4: E0 19.0.0.2
PC5: E0 19.0.0.3
Switch1: F/E0/1 10.0.0.4
Switch2: F/E0/1 15.0.0.2
Switch3: F/E0/1 19.0.0.4
References:
http://en.wikipedia.org/wiki/Access_control_list
Book: CCNA (Todd Lammle)
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/addr_serv/command/reference/b_ipaddr_cr42asr9k_chapter_01.html