CCNA teaching material - Module 05, Chapter 17: IP Access Control List Security

Module 05 Security
Chapter 17
IP Access Control List Security
Table of Contents
1. Access Control List Fundamentals
2. Access Control Lists (ACLs)
ACCESS CONTROL LIST FUNDAMENTALS
What are ACLs
- ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
- These lists tell the router what kinds of packets to accept and what kinds of packets to deny.
- Acceptance and denial can be based on specified conditions.
- ACLs can be created for all routed network protocols, such as IP and IPX, to filter packets.
- ACLs can be configured at the router to control access to a network or subnet.
ACLs check the packet and header

How ACLs control traffic flow
(Figure: inbound and outbound IP, IPX and AppleTalk traffic on a router interface, each protocol with its own list.)
One list, per port, per direction, per protocol.
The primary reasons to create ACLs
- Limit network traffic and increase network performance.
- Provide traffic flow control.
- Provide a basic level of security for network access.
- Decide which types of traffic are forwarded or blocked at the router interfaces.
- Allow an administrator to control what areas a client can access on a network.
- Screen certain hosts to either allow or deny access to part of a network.
How the ACL works: order of ACL statements
ACL and routing process in a router
(Flowchart, given here as text.)
Inbound: Is an ACL applied to the inbound interface? If no, the packet goes straight to routing. If yes, the packet is tested against the statement list; if no statement matches, the default deny drops it; if a statement matches, that statement's permit or deny decides whether the packet is dropped or routed to the outbound interface.
Outbound: Is an ACL applied to the outbound interface? If no, the packet is forwarded. If yes, the same test is made; no match means default deny; a permit lets the packet continue. The router then resolves the Layer 2 address and sends the packet to the device.
Creating ACLs: Step 1

Router(config)# access-list access-list-number {permit | deny} {test-conditions}

ACL command          Description
access-list          defines an access list
access-list-number   protocol-dependent ACL number
permit               defines a statement to allow traffic
deny                 defines a statement to disallow traffic
test-conditions      ACL test conditions

- Defines an ACL.
- To delete an ACL, use no access-list access-list-number.
ACL numbers
(For IP, standard lists use the number ranges 1-99 and 1300-1999; extended lists use 100-199 and 2000-2699.)
Creating ACLs: Step 2

Router(config-if)# {protocol} access-group access-list-number {in | out}

ACL command          Description
protocol             the protocol the list filters on this interface (ip for IP access lists)
access-group         binds the ACL to the interface so that packets crossing it in the given direction are tested against the list
access-list-number   the ACL identified by this number to be associated with this interface
in | out             the direction, seen from inside the router, in which the list is applied

- Applies the access list to the interface.
These basic rules should be followed (1)
- One access list per protocol per direction.
- Standard access lists should be applied closest to the destination.
- Extended access lists should be applied closest to the source.
- Use the inbound or outbound interface reference as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
- There is an implicit deny at the end of all access lists.
These basic rules should be followed (2)
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- The match condition is examined first. The permit or deny is examined ONLY if the match is true.
- Never work with an access list that is actively applied.
- Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.
These basic rules should be followed (3)
- New lines are always added to the end of a numbered access list. A no access-list x command removes the whole list; with the classic access-list command it is not possible to selectively add and remove lines. (Newer IOS releases let you edit a numbered list line by line through ip access-list standard/extended x with sequence numbers.)
- When an IP access list rejects a packet, it discards the packet and sends the sender an ICMP destination unreachable message with the code "administratively prohibited" (type 3, code 13).
- Care should be used when removing an access list. If the list is applied to a production interface and the list itself is removed while the access-group binding stays, then depending on the IOS version the interface may behave as if a deny any were applied, and all traffic through it is halted. Remove the binding from the interface before deleting the list.
- Outbound filters do not affect traffic originating from the local router.
The function of a wildcard mask
- A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
- A wildcard mask bit 0 means "check the corresponding bit value".
- A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".
Wildcard mask bits

The function of a wildcard mask: Example
No match - Packet rejected

The function of a wildcard mask: Example

Wildcard any

Wildcard host
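The wildcard-mask rules, the any and host shorthands, the top-to-bottom first-match processing with its implicit deny, and the one-list-per-interface-per-direction binding from the earlier slides, all in one runnable simulator. This is an added example, not code from the CCNA material or from Cisco IOS: it parses a small IOS-style configuration that is constructed for the example (only access-list N permit|deny, interface and ip access-group lines are understood; remark lines and anything else are ignored), and the addresses, interface names and ACL numbers in it are made up. Access list 10 follows the specific-before-general rule; access list 20 reverses the order so that the general permit shadows the host deny.

```python
"""Standard numbered IP ACL simulator following the rules on these slides.

Added example, not CCNA or Cisco code. Rules implemented: wildcard bit 0 means
check, bit 1 means ignore; 'any' and 'host' are shorthands; statements are
tested top to bottom and the first match wins; every list ends with an
implicit deny; one list per interface per direction; an interface with no
list applied in that direction forwards everything. The configuration and
addresses below are constructed for the example.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$", re.I)
IFACE_RE = re.compile(r"^interface\s+(\S+)$", re.I)
GROUP_RE = re.compile(r"^ip\s+access-group\s+(\d+)\s+(in|out)$", re.I)


def wildcard_match(address, base, wildcard):
    """True when address and base agree in every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    check = ~w & 0xFFFFFFFF      # 1 = compare this bit, 0 = ignore it
    return (a & check) == (b & check)


def parse_source(spec):
    """Expand the IOS source shorthands into an explicit (base, wildcard) pair."""
    t = spec.split()
    if t[0].lower() == "any":    # any == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255"
    if t[0].lower() == "host":   # host A.B.C.D == A.B.C.D 0.0.0.0
        return t[1], "0.0.0.0"
    if len(t) == 1:              # bare address: IOS treats it as a single host
        return t[0], "0.0.0.0"
    return t[0], t[1]


def parse_config(text):
    """Return ({acl_number: [entries]}, {(interface, direction): acl_number})."""
    acls, bindings, iface = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):          # remark lines do not match: ignored
            num, action, spec = int(m[1]), m[2].lower(), m[3].strip()
            if not (1 <= num <= 99 or 1300 <= num <= 1999):
                raise ValueError(f"{num} is not a standard IP ACL number")
            base, wc = parse_source(spec)
            acls.setdefault(num, []).append(
                {"action": action, "base": base, "wildcard": wc, "matches": 0})
        elif m := IFACE_RE.match(line):
            iface = m[1]
        elif (m := GROUP_RE.match(line)) and iface:
            bindings[(iface, m[2].lower())] = int(m[1])
    return acls, bindings


def evaluate(entries, src):
    """Test statements in order; the first match decides; otherwise implicit deny."""
    for e in entries:
        if wildcard_match(src, e["base"], e["wildcard"]):
            e["matches"] += 1    # the "(n matches)" counter of show access-lists
            return e["action"]
    return "deny"                # implicit deny any at the end of every list


def filter_packet(acls, bindings, iface, direction, src):
    """Interface step of the flowchart: no list applied means the packet passes."""
    num = bindings.get((iface, direction))
    if num is None or not acls.get(num):
        # No list, or a binding to a list with no statements: current IOS forwards;
        # the slides warn that older releases denied everything instead.
        return "permit"
    return evaluate(acls[num], src)


def show_access_lists(acls):
    """Render the lists roughly like 'show access-lists', including hit counts."""
    lines = []
    for num, entries in sorted(acls.items()):
        lines.append(f"Standard IP access list {num}")
        for e in entries:
            hits = f" ({e['matches']} matches)" if e["matches"] else ""
            lines.append(f"    {e['action']} {e['base']}, wildcard bits "
                         f"{e['wildcard']}{hits}")
    return "\n".join(lines)


# Constructed configuration (not from a real device).
CONFIG = """\
access-list 10 remark deny one host, then permit the rest of its /24
access-list 10 deny   host 192.168.1.66
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 20 remark WRONG ORDER: the permit above the deny shadows it
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 deny   host 192.168.1.66
interface FastEthernet0/0
 ip access-group 10 in
interface Serial0/0
 ip access-group 20 out
"""

ACLS, BINDINGS = parse_config(CONFIG)

if __name__ == "__main__":
    for src in ("192.168.1.66", "192.168.1.7", "10.0.0.5"):
        print(src, "Fa0/0 in:", filter_packet(ACLS, BINDINGS, "FastEthernet0/0", "in", src),
              "Se0/0 out:", filter_packet(ACLS, BINDINGS, "Serial0/0", "out", src))
    print(show_access_lists(ACLS))
```

Running it shows 192.168.1.66 denied inbound on FastEthernet0/0 by list 10 but permitted outbound on Serial0/0 by list 20, because list 20's general permit is reached before its host deny; 10.0.0.5 matches nothing in list 10 and falls through to the implicit deny, while a direction with no list bound forwards it. The match counters are the same thing an administrator reads from show access-lists to confirm which statement a packet actually hit.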
Verifying ACLs: show ip interface
(Shows, per interface, which access list is applied inbound and which outbound.)

Verifying ACLs: show access-lists
(Shows the statements of each list together with the number of matches per statement.)

Verifying ACLs: show running-config
(Shows the access-list statements and the access-group bindings as configured.)