ACL


Presentation Transcript

MORE ACCESS CONTROL LISTS :

EUMED - GRNET

ACL Types : 

ACLs come in many types. The access-list-number specifies the type. The table on the original slide (not reproduced in this transcript) shows the common access list types. General syntax:

  Router(config)#access-list access-list-number {permit|deny} {test-conditions}

Standard ACL (1-99) : 

Syntax:

  access-list list# {permit|deny} source-IP [wildcard-mask]
  interface [router port]
  ip access-group [list#] in|out        (out is the default)

If a packet matches an entry, the action defined in that access list statement is performed. If no entry in the access list matches, the deny action is performed (implicit deny).

A standard ACL should be placed close to the destination, because it cannot specify the destination address.

Wildcard Mask : 

A wildcard mask is 32 bits long. Mask bits of 0 mean that the corresponding bit positions must be compared and must match. Mask bits of 1 mean that the corresponding bit positions are ignored and are considered to match.

Extended ACL (100-199) : 

Syntax:

  access-list list# {permit|deny} protocol source [source-mask] destination [destination-mask] operator [port]

Should be placed close to the source.

Correct Placement of Extended ACLs : 

Since extended ACLs carry destination information, you want to place them as close to the source as possible. Place an extended ACL on the first router interface the packet enters and specify inbound (in) in the access-group command.

Correct Placement of Extended ACLs : 

In the graphic (not reproduced in this transcript), we want to deny network 221.23.123.0 from accessing the server 198.150.13.34. Which router and interface should the access list be applied to?

Write the access list on Router C, apply it to E0, and specify in. This keeps the network free of traffic from 221.23.123.0 destined for 198.150.13.34, but still allows 221.23.123.0 access to the Internet.

Example : 

Configure an access list that blocks network 210.93.105.0 from exiting serial port s0 on some router. Allow all other traffic to pass.

  access-list 4 deny 210.93.105.0 0.0.0.255
  access-list 4 permit any
  interface s0
  ip access-group 4

Example (continued) : 

Same example, but block only the first half of the network's IP addresses.

  access-list 4 deny 210.93.105.0 0.0.0.127
  access-list 4 permit any
  interface s0
  ip access-group 4

Example (continued) : 

Same example, but block only the second half of the network's IP addresses.

  access-list 4 deny 210.93.105.128 0.0.0.127
  access-list 4 permit any
  interface s0
  ip access-group 4

Example (continued) : 

Same example, but block only the even-numbered IP addresses of the network.

  access-list 4 deny 210.93.105.0 0.0.0.254
  access-list 4 permit any
  interface s0
  ip access-group 4

Example (continued) : 

Same example, but block only the odd-numbered IP addresses of the network.

  access-list 4 deny 210.93.105.1 0.0.0.254
  access-list 4 permit any
  interface s0
  ip access-group 4

Ex. Masking a Host Range : 

To mask a range of hosts within a subnet, it is often necessary to work at the binary level. For example, students use the range 192.5.5.0 to 192.5.5.127 and teachers use the range 192.5.5.128 to 192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0. How do you write an ip mask (the address part of the entry) and a wildcard mask to deny one group, yet permit the other?

Masking a Host Range : 

Let's write the masks for the students.

First, write the first and last host addresses in binary. Since the first 3 octets are identical, we can skip those; all of their wildcard bits must be "0".

  First host's 4th octet: 00000000
  Last host's 4th octet:  01111111

Second, look for the leading bits that are shared by both (shown in blue on the original slide; here it is the leading 0 of each octet):

  00000000
  01111111

These "bits in common" are checked just like the common bits in the 192.5.5 portion of the addresses.

Examples: Host ranges 192.5.5.1 to .127 and .128 to .255

Masking a Host Range : 

Third, add up the decimal value of the "1" bits in the last host's address: 127.

Finally, determine the ip mask and wildcard mask. The ip mask can be any host address in the range, but convention says use the first one. The wildcard mask is all "0"s for the common bits and "1"s for the remaining bits:

  192.5.5.0 0.0.0.127

What about the teachers? What would be their ip mask and wildcard mask? 192.5.5.128 (10000000) to 192.5.5.255 (11111111)

Answer: 192.5.5.128 0.0.0.127

Notice anything? What stayed the same? What changed?

Examples: Host ranges 192.5.5.1 to .127 and .128 to .255
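The "leading bits in common" procedure above, carried out in code. This is an added example written for this transcript, not code from the slides or from Cisco IOS; it models the derivation and also flags the case the slides gloss over, a range such as .1 to .127 whose single address/wildcard pair also covers .0.

```python
# Added example (not from the slides): derive an address/wildcard pair for a host
# range with the "leading bits in common" method from the Masking a Host Range
# steps, and report whether the pair covers exactly that range. Model code only.
from ipaddress import IPv4Address
from typing import Tuple


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def to_str(n: int) -> str:
    return str(IPv4Address(n))


def leading_common_bits(first: str, last: str) -> int:
    """Number of leading bits (out of 32) that first and last share."""
    diff = to_int(first) ^ to_int(last)   # 1 wherever the two addresses disagree
    return 32 - diff.bit_length()


def range_to_wildcard(first: str, last: str) -> Tuple[str, str, bool]:
    """Return (address, wildcard, exact).
    Common leading bits get wildcard 0 (must match); every bit from the first
    disagreement onward gets wildcard 1 (don't care). The address is, by
    convention, the first host of the block. 'exact' is False when that block
    also covers addresses outside [first, last], which the ACL writer must notice."""
    f, l = to_int(first), to_int(last)
    if f > l:
        raise ValueError("first must not exceed last")
    common = leading_common_bits(first, last)
    wildcard = (1 << (32 - common)) - 1          # trailing 1s for the free bits
    address = f & ~wildcard & 0xFFFFFFFF         # clear the free bits
    exact = address == f and (address | wildcard) == l
    return to_str(address), to_str(wildcard), exact


def last_octet_bits(addr: str) -> str:
    """The slides compare 4th octets in binary; this renders one that way."""
    return format(to_int(addr) & 0xFF, "08b")


if __name__ == "__main__":
    for lo, hi in (("192.5.5.0", "192.5.5.127"),     # students
                   ("192.5.5.128", "192.5.5.255"),   # teachers
                   ("192.5.5.1", "192.5.5.127")):    # starts at .1: not an aligned block
        print(last_octet_bits(lo), last_octet_bits(hi), range_to_wildcard(lo, hi))
```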

Time Savers: the any command : 

Since ACLs have an implicit "deny any" statement at the end, you must write statements to permit others through. Using our previous example, if the students are denied access and all others are allowed, you would write two statements:

  Lab-A(config)#access-list 1 deny 192.5.5.0 0.0.0.127
  Lab-A(config)#access-list 1 permit 0.0.0.0 255.255.255.255

Since the last statement is commonly used to override the "deny any," Cisco gives you an option, the any command:

  Lab-A(config)#access-list 1 permit any

Time Savers: the host command : 

Many times, a network administrator will need to write an ACL to permit a particular host (or deny a host). The statement can be written in two ways. Either...

  Lab-A(config)#access-list 1 permit 192.5.5.10 0.0.0.0

or...

  Lab-A(config)#access-list 1 permit host 192.5.5.10
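A small simulator of standard ACL evaluation, covering the worked examples above (first/second half, even/odd addresses), the implicit deny, and the any and host shorthands. This is an added example written for this transcript, not code from the slides or from Cisco IOS; the ACL lines it reads are the slide examples, and the packet source addresses are constructed.

```python
# Added example (not from the slides): a small simulator of Cisco standard ACL
# evaluation, to show wildcard-mask comparison, first-match order, the implicit
# deny, and the "any" / "host" shorthands. Not IOS code; it only models the rules.
from ipaddress import IPv4Address
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (action, address, wildcard)


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this bit position must be equal; bit 1 = don't care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_src) & care) == (ip_int(acl_addr) & care)


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' (also 'any', 'host X').
    A missing wildcard defaults to 0.0.0.0, i.e. an exact host match."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest == ["any"]:
        return (action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        return (action, rest[1], "0.0.0.0")
    return (action, rest[0], rest[1] if len(rest) > 1 else "0.0.0.0")


def evaluate(acl: List[str], src: str) -> str:
    """Entries are tested top-down; the first match decides.
    Falling off the end hits the implicit deny."""
    for action, addr, wc in map(parse_entry, acl):
        if wildcard_match(src, addr, wc):
            return action
    return "deny"


# The "even-numbered IPs" list from the slides (constructed input for the demo)
ACL_EVEN = ["access-list 4 deny 210.93.105.0 0.0.0.254",
            "access-list 4 permit any"]
# Same list without the permit: anything not matched by an entry is still denied
ACL_NO_PERMIT = ACL_EVEN[:1]

if __name__ == "__main__":
    for src in ("210.93.105.44", "210.93.105.45", "210.93.106.44"):
        print(src, evaluate(ACL_EVEN, src), evaluate(ACL_NO_PERMIT, src))
```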

Ext. ACL Misc : 

Port accounting

Keywords that can follow an entry such as:

  access-list 106 permit udp any any

  eq          Match only packets on a given port number
  fragments   Check non-initial fragments
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, incl. input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  precedence  Match packets with given precedence value
  range       Match only packets in the range of port numbers
  tos         Match packets with given TOS value

  Router(config)#access-list access-list-number {permit|deny} {test-conditions}

Ext. ACL Misc. cnt. : 

TCP header fields

Keywords that can follow an entry such as:

  access-list 106 permit udp any any

(note that the flag keywords ack, established, fin, psh, rst, syn and urg apply only to tcp entries, since UDP has no such header bits)

  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, incl. input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  tos          Match packets with given TOS value
  urg          Match on the URG bit

Naming ACLs : 

One nice feature of Cisco IOS is the ability to name ACLs. This is especially helpful if you need more than 99 standard ACLs on the same router. Once you name an ACL, the prompt changes and you no longer have to enter the access-list and access-list-number parameters. In the example below, the ACL is named over_and as a hint to how it should be placed on the interface: out.

  Lab-A(config)# ip access-list standard over_and
  Lab-A(config-std-nacl)#deny host 192.5.5.10
  .........
  Lab-A(config-if)#ip access-group over_and out

Verifying ACLs : 

Show commands:

  show access-lists                  shows all access lists configured on the router
  show access-lists {name | number}  shows the identified access list
  show ip interface                  shows the access lists applied to the interface, both inbound and outbound
  show running-config                shows all access lists and the interfaces they are applied on

Enhanced Access Lists : 

Cisco routers support several enhanced types of access lists:

  Time-Based: access lists whose statements become active based upon the time of day and/or day of the week.
  Reflexive: create dynamic openings on the untrusted side of a router based on sessions originating from the trusted side of the router.
  Dynamic (Lock and Key): create dynamic entries.
  Context-Based Access Control (CBAC): allows for secure handling of multi-channel connections based on upper-layer information.

Extended ACL : 

Logging

  (config-ext-nacl)# permit tcp any any log-input
  (config-ext-nacl)# permit ip any any log

Time based

  (conf)# time-range bar
  (conf-time-range)# periodic daily 10:00 to 13:00
  (conf-time-range)# ip access-list tin
  (config-ext-nacl)# deny tcp any any eq www time-range bar
  (config-ext-nacl)# permit ipv6 any any

IOS ACL Reflexive : 

Reflect

A reflexive ACL is created dynamically when traffic matches a permit entry containing the reflect keyword. The reflexive ACL mirrors the permit entry and times out (by default after 3 mins) unless further traffic matches the entry (or a FIN is detected for TCP traffic). The timeout keyword allows setting a higher or lower timeout value. Reflexive ACLs can be applied to TCP, UDP, SCTP and ICMPv6.

Evaluate

Apply the packet against a reflexive ACL. Multiple evaluate statements are allowed per ACL. The implicit deny any any rule does not apply at the end of a reflexive ACL; matching continues after the evaluate in this case.