0% found this document useful (0 votes)

83 views53 pages

Filtering Traffic Using Access Control Lists

Describe Traffic Filtering and explain how Access Control Lists can filter traffic at router interfaces. Configure and implement ACLs. Create and apply ACLs to control specific types of traffic. Log ACL activity and integrate ACL best practices.

Uploaded by

James Enrique

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

83 views53 pages

Filtering Traffic Using Access Control Lists

Uploaded by

James Enrique

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 53

Filtering Traffic Using Access Control Lists

Introducing Routing and Switching in the Enterprise Chapter 8

Version 4.0

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Objectives
Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. Analyze the use of wildcard masks. Configure and implement ACLs. Create and apply ACLs to control specific types of traffic. Log ACL activity and integrate ACL best practices.

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Section 8.1 Using Access Control Lists

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Key Ideas
Traffic filtering Defining Access Control Lists Types and uses of ACLs ACL processing

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Describe Traffic Filtering

Analyze the contents of a packet Allow or block the packet Based on source IP, destination IP, MAC address, protocol, pp type yp application

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Describe Traffic Filtering

Devices providing traffic filtering: Firewalls built into integrated routers Dedicated security appliances Servers

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Describe Traffic Filtering

Uses for ACLs: Specify internal hosts for NAT Classify traffic for QoS Restrict routing updates updates, limit debug outputs outputs, control virtual terminal access

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Describe Traffic Filtering

Standard ACLs filter based on source IP address Extended ACLs filter on source and destination, as well as protocol and port number Named N d ACL ACLs can be b either ith standard t d d or extended t d d

Activity 8.1.3[2]- Determine Standard, Extended or Name ACL

Describe Traffic Filtering

ACLs consist of statements At A least l one statement must b be a permit i statement Final statement is an implicit deny ACL must tb be applied li d t to an i interface t f i in order d t to work k

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Describe Traffic Filtering

ACL is applied inbound or outbound Direction is from the routers perspective Each interface can have one ACL per direction for each network protocol

Activity 8 8.1.4[3]-Determine 1 4[3] Determine whether packet permitted or deny

Section 8.2 Using a Wildcard Mask

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Key Ideas
The purpose and structure of an ACL wildcard mask The effects of a wildcard mask

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Analyze the Use of Wildcard Masks

Wildcard mask can block a range of addresses or a whole network with one statement 0s indicate which part of an IP address must match the ACL 1s indicate which part does not have to match specifically

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Analyze the Use of Wildcard Masks

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Analyze the Use of Wildcard Masks

Wildcard mask can block a range of addresses or a whole network with one statement 0s indicate which part of an IP address must match the ACL 1s indicate which hich part does not have ha e to match specifically specificall

Activity 8.2.1[3]-Determine wildcard mask

Analyze the Use of Wildcard Masks

Use the host parameter in place of a 0.0.0.0 wildcard Use the any parameter in place of a 255.255.255.255 wildcard

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Analyze the Use of Wildcard Masks

Use the host parameter in place of a 0.0.0.0 wildcard Use the any parameter in place of a 255.255.255.255 wildcard

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Analyze the Use of Wildcard Masks

Use the host parameter in place of a 0.0.0.0 wildcard Use the any parameter in place of a 255.255.255.255 wildcard

Activity 8.2.2[4]-Determine whether IP packet permit or deny

Section 8.3 Configuring Access Control Lists

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Key Ideas
Placing Standard and Extended ACLs Basic ACL configuration process Configuring numbered standard ACLs Configuring numbered extended ACLs Configuring named ACLs Configure router VTY access

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists

Determine traffic filtering requirements Decide which hich t type pe of ACL to use se Determine the router and interface on which to apply the ACL Determine in which direction to filter traffic

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists

Determine traffic filtering requirements Decide which hich t type pe of ACL to use se Determine the router and interface on which to apply the ACL Determine in which direction to filter traffic

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists

Determine traffic filtering requirements Decide which hich t type pe of ACL to use se Determine the router and interface on which to apply the ACL Determine in which direction to filter traffic

Activity 8.3.1[4]-Determine where to put ACL

Configure and Implement Access Control Lists

ACL Processing and Creating Guidelines

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Standard ACL

Use access-list command to enter statements Use U th the same number b f for all ll statements t t t Number ranges: 1-99, 1300-1999 Apply as close to the destination as possible

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Standard ACL

Use access-list command to enter statements Use U th the same number b f for all ll statements t t t Number ranges: 1-99, 1300-1999 Apply as close to the destination as possible

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Standard ACL

Show ip interface Show Sh access-lists li t Show running-config

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Standard ACL

Show ip interface Show Sh access-lists li t Show running-config `

Activity 8.3.3[3]-the sequence ACL... Hands-on Lab 8.3.3[4]-Configuring And Verifying Standard ACL
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Configure and Implement Access Control Lists: Numbered Extended ACL

Use access-list command to enter statements Use the same number for all statements Number ranges: 100-199, 2000-2699 Specify a protocol to permit or deny Place as close to the source as possible

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Extended ACL

Use access-list command to enter statements Use the same number for all statements Number ranges: 100-199, 2000-2699 Specify a protocol to permit or deny Place as close to the source as possible

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Extended ACL

Use access-list command to enter statements Use the same number for all statements Number ranges:100-199 ranges:100 199,2000 2000-2699 2699 Specify a protocol to permit or deny Place as close to the source as possible p

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Numbered Extended ACL

Use access-list command to enter statements Use the same number for all statements Number ranges: 100-199, 2000-2699 Specify a protocol to permit or deny Place as close to the source as possible

Activity 8 8.3.4[3]-Determine 3 4[3]-Determine the ACL Hands-on Lab 8.3.4[4]-Planning, [ ] g, Configuring, and Verifying Extended ACLs
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Configure and Implement Access Control Lists: Named ACLs

Descriptive name replaces number range Use U ip i access-list li t command dt to enter t initial i iti l statement t t t Start succeeding statements with either permit or deny Apply in the same way as standard or extended ACL

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Configure and Implement Access Control Lists: Named ACLs

Delete, Change, Insert ACL

PT Activity 8.3.5[3]-Configuring and Verifying Standards Named ACLs Hands-on Hands on Lab 8.3.5[4]8 3 5[4] Configuring Config ring and Verifying Verif ing StandardsNamed ACLs
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Configure and Implement Access Control Lists: VTY access

Create the ACL in line configuration mode Use U th the access-class l command dt to initiate i iti t th the ACL Use a numbered ACL Apply identical restrictions to all VTY lines

Cisco Public

Configure and Implement Access Control Lists: VTY access

Create the ACL in line configuration mode Use U th the access-class l command dt to initiate i iti t th the ACL Use a numbered ACL Apply identical restrictions to all VTY lines

Hands-on Lab 8.3.6[3]-Configuring and Verifying VTY R t i ti Restrictions PT 8.3.6[4]-Planning, Configuring, and Verifying Standard, Extended and Named ACLs
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Section 8.4 Permitting and Denying Specific Types of Traffic

Cisco Public

Key Ideas
Configuring ACLs for Application and Port Filtering Configuring ACLs to Support Established Traffic Effects of NAT and PAT on ACL Placement Analyzing Network ACLs and Placement Configuring ACLs with Inter Inter-VLAN VLAN Routing

Cisco Public

Create and Apply ACLs to Control Specific Types of Traffic

Use a specified condition when filtering on port numbers: eq, lt, lt gt t Deny all appropriate ports for multi-port applications like FTP Use U th the range operator t to t filter filt a group of f ports t

Cisco Public

Create and Apply ACLs to Control Specific Types of Traffic

Block harmful external traffic while allowing internal users free access Ping: allow echo replies while denying echo requests from outside the network Stateful Packet Inspection

Activity 8.4.2[2]-Determine if the Packet will be allowed

Create and Apply ACLs to Control Specific Types of Traffic

Account for NAT when creating and applying ACLs to a NAT interface Filter public addresses on a NAT outside interface Filter private addresses on a NAT inside interface

Hands-on Lab 8.4.3[2]-Configuring an ACL with NAT

Create and Apply ACLs to Control Specific Types of Traffic

Examine every ACL one line at a time to avoid unintended consequences

A ti it 8.4.4[2]-Create Activity 8 4 4[2] C t an extended t d d ACL b based d on th the

Create and Apply ACLs to Control Specific Types of Traffic

Apply ACLs to VLAN interfaces or subinterfaces just as with physical h i li interfaces t f

Hands-on Lab 8.4.5[2]-Configuring and Verifying ACLs to filter Inter-VLAN Traffic PT Activity 8.4.5[3]-Configuring and Verifying Extended ACLs with a DMZ
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Section 8.5 Filtering Traffic Using Access Control Lists

Cisco Public

Key Ideas
Using logging to verify ACLs Analyzing routing logs ACL best practices

Cisco Public

Log ACL Activity and ACL Best Practices

Logging provides additional details on packets denied or permitted itt d Add the log option to the end of each ACL statement to be tracked

Cisco Public

Log ACL Activity and ACL Best Practices

Logging provides additional details on packets denied or permitted itt d Add the log option to the end of each ACL statement to be tracked

Log ACL Activity and ACL Best Practices

Syslog messages: Status of router interfaces ACL messages Bandwidth, Bandwidth protocols in use use, configuration events

Cisco Public

Log ACL Activity and ACL Best Practices

Syslog messages: Status of router interfaces ACL messages Bandwidth, Bandwidth protocols in use use, configuration events

Hands-on Lab 8.5.2[3]-Configuring ACLs and Recording Activity to a Syslog Server

Log ACL Activity and ACL Best Practices

Always test basic connectivity before applying ACLs Add deny ip any to the end of an ACL when logging Use reload in 30 when testing ACLs on remote routers

Cisco Public

Summary
ACLs enable traffic management and secure access to and from a network and its resources Apply an ACL to filter inbound or outbound traffic ACLs can be standard standard, extended extended, or named Using a wildcard mask provides flexibility There is an implicit deny statement at the end of an ACL Account for NAT when creating and applying ACLs Logging provides additional details on filtered traffic

Cisco Public

Network Security v1.0 - Module 8
No ratings yet
Network Security v1.0 - Module 8
68 pages
Access Control Lists
No ratings yet
Access Control Lists
38 pages
Chapter 7: Access Control Lists: CCNA Routing and Switching Routing and Switching Essentials v6.0
No ratings yet
Chapter 7: Access Control Lists: CCNA Routing and Switching Routing and Switching Essentials v6.0
41 pages
W11 - Module-Chapter 9 Access Control Lists
No ratings yet
W11 - Module-Chapter 9 Access Control Lists
12 pages
Network Security with ACLs
No ratings yet
Network Security with ACLs
69 pages
Dfn40143 Network Security Chapter 3 Part 1 Firewall Technologies
No ratings yet
Dfn40143 Network Security Chapter 3 Part 1 Firewall Technologies
77 pages
Exploration Accessing WAN Chapter5
No ratings yet
Exploration Accessing WAN Chapter5
36 pages
Chapter 10 - Access Control Lists
No ratings yet
Chapter 10 - Access Control Lists
45 pages
Introducing ACL Operation: Access Control Lists
No ratings yet
Introducing ACL Operation: Access Control Lists
17 pages
Slide Chuyen de
No ratings yet
Slide Chuyen de
63 pages
Basic IP Traffic Management With Access Control Lists
No ratings yet
Basic IP Traffic Management With Access Control Lists
32 pages
Access Control List: ACL's
No ratings yet
Access Control List: ACL's
31 pages
CCNA Security 04
No ratings yet
CCNA Security 04
121 pages
10 Acl
No ratings yet
10 Acl
64 pages
CCNA Presentation - ACL
No ratings yet
CCNA Presentation - ACL
58 pages
IP Traffic Management With Access Control List Using Cisco Packet Tracer
No ratings yet
IP Traffic Management With Access Control List Using Cisco Packet Tracer
7 pages
CCNA Security: Chapter Four Implementing Firewall Technologies
No ratings yet
CCNA Security: Chapter Four Implementing Firewall Technologies
121 pages
Creating Static Packet Filters Using Acls: Network Security Using Cisco Ios Firewalls
No ratings yet
Creating Static Packet Filters Using Acls: Network Security Using Cisco Ios Firewalls
36 pages
Data Communication and Network Management
No ratings yet
Data Communication and Network Management
37 pages
A Experiment No.1
No ratings yet
A Experiment No.1
49 pages
Introducing ACL Operation: Access Control Lists
No ratings yet
Introducing ACL Operation: Access Control Lists
18 pages
Configure Standard ACLs Guide
No ratings yet
Configure Standard ACLs Guide
17 pages
Lab 1 5 3 PDF
No ratings yet
Lab 1 5 3 PDF
4 pages
Access Control List (ACL)
50% (2)
Access Control List (ACL)
37 pages
C9-Access Control List
No ratings yet
C9-Access Control List
42 pages
Understanding Acls
No ratings yet
Understanding Acls
76 pages
IP Access Control List Security
No ratings yet
IP Access Control List Security
20 pages
ACL Basics for Network Professionals
No ratings yet
ACL Basics for Network Professionals
55 pages
Access List Tutorial
No ratings yet
Access List Tutorial
6 pages
Access List Tutorial
No ratings yet
Access List Tutorial
5 pages
CCNAv3.3 210
No ratings yet
CCNAv3.3 210
52 pages
Icnd210s06 Acl
No ratings yet
Icnd210s06 Acl
43 pages
Cisco Training
No ratings yet
Cisco Training
85 pages
Lab 1.4.3 Introductory Lab 3 - Access Control List Basics and Extended Ping
No ratings yet
Lab 1.4.3 Introductory Lab 3 - Access Control List Basics and Extended Ping
5 pages
Access Control Lists John Mowry: © 2008 Cisco Systems, Inc. All Rights Reserved. Cisco Confidential Presentation - ID
No ratings yet
Access Control Lists John Mowry: © 2008 Cisco Systems, Inc. All Rights Reserved. Cisco Confidential Presentation - ID
34 pages
2 - Access Control Lists
No ratings yet
2 - Access Control Lists
54 pages
Chapter 5 Access Control Lists
No ratings yet
Chapter 5 Access Control Lists
63 pages
Lec 09,10 - Access Control Lists
No ratings yet
Lec 09,10 - Access Control Lists
21 pages
3a. ACL
No ratings yet
3a. ACL
19 pages
ENSA Module 4 Students-Cancel
No ratings yet
ENSA Module 4 Students-Cancel
30 pages
Implementing Firewall Technologies
No ratings yet
Implementing Firewall Technologies
115 pages
Network ACL Configuration Guide
No ratings yet
Network ACL Configuration Guide
19 pages
Lab9 ACL
No ratings yet
Lab9 ACL
6 pages
Configuring IP Access Lists: Document ID: 23602
No ratings yet
Configuring IP Access Lists: Document ID: 23602
18 pages
Sy2021-2021 T-Cpet414 Acl
No ratings yet
Sy2021-2021 T-Cpet414 Acl
59 pages
Access Control Lists: Mark Clements
No ratings yet
Access Control Lists: Mark Clements
30 pages
Experiment#7: Access Control List Basics and Extended Ping: Objective
No ratings yet
Experiment#7: Access Control List Basics and Extended Ping: Objective
4 pages
Why Use Access Control Lists (ACL)
No ratings yet
Why Use Access Control Lists (ACL)
5 pages
CCNA ACL Training Guide
No ratings yet
CCNA ACL Training Guide
47 pages
Acl DHCP Nat
No ratings yet
Acl DHCP Nat
106 pages
Cap9 Access Control Lists
No ratings yet
Cap9 Access Control Lists
87 pages
Topic 1.0 Access Control Lists
No ratings yet
Topic 1.0 Access Control Lists
29 pages
Ccna4 5.2.8.2 PDF
No ratings yet
Ccna4 5.2.8.2 PDF
6 pages
Access Control List
No ratings yet
Access Control List
9 pages
User Behavior Analytics Ebook
No ratings yet
User Behavior Analytics Ebook
5 pages
Lokesh Amazon Businessanalyst2
No ratings yet
Lokesh Amazon Businessanalyst2
3 pages
IRD - PAYE Annual Return - Printing Guide - TD4 Supplementary Forms
No ratings yet
IRD - PAYE Annual Return - Printing Guide - TD4 Supplementary Forms
4 pages
Session Variables
No ratings yet
Session Variables
16 pages
Ankit's Resume v3.1
No ratings yet
Ankit's Resume v3.1
3 pages
Rig Cadence Flyer
No ratings yet
Rig Cadence Flyer
1 page
28.1.3 Lab - Use The Netmiko Python Module To Configure A Router
No ratings yet
28.1.3 Lab - Use The Netmiko Python Module To Configure A Router
9 pages
Extend The Master Data Governance For Material by A Custom Defined Field For A Reuse Entity Type
No ratings yet
Extend The Master Data Governance For Material by A Custom Defined Field For A Reuse Entity Type
49 pages
Business Intelligence INTRO
No ratings yet
Business Intelligence INTRO
45 pages
Facility Explorer Building Management System: Server Software
No ratings yet
Facility Explorer Building Management System: Server Software
4 pages
IEC62304 Intro 01
No ratings yet
IEC62304 Intro 01
8 pages
DBMS Lab Manual
No ratings yet
DBMS Lab Manual
73 pages
(2022) CIS Controls Cloud Companion Guide - CIS
No ratings yet
(2022) CIS Controls Cloud Companion Guide - CIS
55 pages
Moving To Integrated Language Environment For RPG IV
No ratings yet
Moving To Integrated Language Environment For RPG IV
227 pages
MVC Summary Examples
No ratings yet
MVC Summary Examples
6 pages
Cambium Networks Data Sheet Xirrus XMS-Cloud
No ratings yet
Cambium Networks Data Sheet Xirrus XMS-Cloud
5 pages
Incident Report Form en v1.2
No ratings yet
Incident Report Form en v1.2
5 pages
Certified Cloud Security Engineer Course Content
No ratings yet
Certified Cloud Security Engineer Course Content
7 pages
Calapan Voter List: Precinct 0013A
No ratings yet
Calapan Voter List: Precinct 0013A
64 pages
Your Project Title: CSE 400: I/Ii/Iii/Iv
No ratings yet
Your Project Title: CSE 400: I/Ii/Iii/Iv
11 pages
Data Loss Prevention Using Open DLP
100% (1)
Data Loss Prevention Using Open DLP
35 pages
MEM System Administrator II (1) - 1
No ratings yet
MEM System Administrator II (1) - 1
2 pages
SQL Exercises - Pieces and Providers - Wikibooks, Open Books For An Open World With Answers PDF
No ratings yet
SQL Exercises - Pieces and Providers - Wikibooks, Open Books For An Open World With Answers PDF
3 pages
ISRO CS/IT Exam Syllabus
No ratings yet
ISRO CS/IT Exam Syllabus
12 pages
Hacking Step
100% (2)
Hacking Step
10 pages
Java Preview
No ratings yet
Java Preview
19 pages
Lahw 2024 00007
No ratings yet
Lahw 2024 00007
14 pages
Working With Javascript:: Unit - 5
No ratings yet
Working With Javascript:: Unit - 5
32 pages
SLA Definition - Help Center - Powell Software
No ratings yet
SLA Definition - Help Center - Powell Software
5 pages
The Data Security and Privacy Playbook
No ratings yet
The Data Security and Privacy Playbook
48 pages