Access Lists Access Lists: WWW - Alishariaty.ir

Access Lists
Shariaty@gmail.com
www.alishariaty.ir
Shariaty@gmail.com Copyright 2012 Alishariaty.ir

www.alishariaty.ir All Rights Reserved.
Contents
Part I Access Lists Basic Concepts

Part II Standard Access Lists
Part III Extended Access Lists
Part IV Named Base Access Lists
Part V Access Class
Estimated time
03:00:00

Part I
Access Lists Basic
Concepts

Access Lists Basic Concepts
Network Filtering
Network Filtering is the process of network services

access limitation.

Network Filtering
Where to implement the filtering ?

On which router ?
On which interface ?
On what direction ?

Network Filtering
Examples

Network Filtering
Examples

Network Filtering
Examples

Features
Each scenario will be implemented by a single

access list.
Each access list is a combination of several rules

(with the same access list number)
Each rule in an access list is pointing to a single

traffic.
With permit or deny keyword , we separate the

allowed traffic from unhallowed.

Features
The last rule in every access list is implicitly deny all

the traffics. (we may change the policy with adding
the last line of access-list 101 permit ip any any)
We will assign an access list to an interface and a

district direction:
Router(conf)# Interface fastethernet 0/1

Router(conf-if)# Ip access-group 101 {in|out}
An access list is just useful when is implemented on

an interface , otherwise it will not do anything.

Features
It is important how to organize the rules.
Example
Access-list 101 deny ip 192.168.1.0 0.0.0.255 any
Access-list 101 permit ip any any
Or
Access-list 101 permit ip any any
Access-list 101 deny ip 192.168.1.0 0.0.0.255 any

Features
When an access list is applied on a router , It will

only process and filter the traffic passing the router. It
means the packets that have been generated by the
router (source IP address of the router) Or the
packets that has been terminated in that router
(destination IP address of the router) , will not be
processed. Some packets like OSPF , EIGRP , SSH ,
Telnet , ICMP ,

Access List Types
Standard Numbered ACLs (1-99)

Extended Numbered ACLs (100-199)
Additional ACL Numbers
(1300-1999 standard, 2000-2699 extended)
Named ACLs (Standard & Extended)

Access List Types

Q. Which of the following answers lists a valid
number that can be used with standard numbered
IP ACLs? (Choose two answers.)
a. 1987
b. 2187
c. 187
d. 87

Part II
Standard Access
Lists

Standard Access Lists
These access list are not widely use for filtering.

These access list are for categorizing the traffic.
(e.g in NAT , PBR , )
Filtering just based on the source IP.
Note
This access list should be implemented as near as the
destination. (because if you deny a source , it will be
denied to all the destinations)

How to write a standard access list?

Router(conf)# Access-list <Number> {permit|deny} <source-ip-addreess>
<wild-mask>



Example
Access-list 1 permit 192.168.1.10 0.0.0.0

Access-list 1 deny 192.168.1.0 0.0.0.15
Access-list 1 deny 0.0.0.0 255.255.255.255 (no need)
Or
Access-list 1 permit host 192.168.1.10

Access-list 1 deny 192.168.1.0 0.0.0.15
Access-list 1 deny any (no need)

PC1 should have access to server.

PC2 should not.

R2(config)# access-list 1 permit 192.168.1.100
R2(config)# interface fastEthernet 0/0

R2(config-if)# ip access-group 1 out

Q. Which of the following access-list commands
matches all packets in the range of addresses in
subnet 172.16.5.0/25?
a. access-list 1 permit 172.16.0.5 0.0.255.0

b. access-list 1 permit 172.16.4.0 0.0.1.255
c. access-list 1 permit 172.16.5.0
d. access-list 1 permit 172.16.5.0 0.0.0.128

Part III
Extended Access
Lists

Extended Access Lists
Filtering based on
Source IP address
Destination IP address
Source port
Destination port
Protocol (e.g. IP , TCP , UDP , ICMP , )
Note
IP is covering all of the protocols in the example above.

How to write an extended access list?

How to write an extended access list?
Router(conf)# Access-list <number> {permit|deny} {IP|ICMP} <Source-

IP> <Wild-mask> <Destination-IP> <Wild-Mask>
Router(conf)# Access-list <number> {permit|deny} {TCP|UDP} <Source-

IP> <Wild-mask> operators <Source-port> <Destination-IP> <Wild-
Mask> operators <Destination-port>

Operators
Eq
Neq
Gt
Lt
Range
Examples
Eq 80 = web
Eq 25 = SMTP
Neq 80 = all the trafics exept web
Gt 1024 = all the random ports
Lt 1024 = all the standard ports
Range 20 23 = SSH , FTP , Telnet

Popular Applications and Their Well-Known Port
Numbers

Popular Applications and Their Well-Known Port
Numbers

Note
Source IP and destination IP is mandatory , if you
are not interested use the any key word.
If the source and the destination port is not
important , just avoid writing it.

Examples
Filtering Packets Based on Destination Port

Examples
Filtering Packets Based on Source Port

Example Extended access-list Commands and Logic
Explanations

Standard and extended access list problems
ACL numbering is not understandable.

It not possible to delete a rule , by this , all the rules
will be deleted.
When you add a new rule , it will be added at the
end of the list.

Solution 1
Deactivate the ACL on the interface.

Copy the ACL from running configuration
into a note pad.
Do the changes necessary in the note pad.
Delete the access list.
Copy commands from the note pad.
Apply the access list.

Solution 2
Name based access lists.

PC1 should have access pinging the server , PC2 should not.
PC1 should have access to FTP service of the server , PC2 should not.
PC2 should have access to web service of the server , PC1 should not.

R2(config)#access-list 101 permit icmp host 192.168.1.100 host 192.168.2.100
R2(config)#access-list 101 permit tcp host 192.168.1.100 any eq ftp
R2(config)#access-list 101 permit tcp host 192.168.1.101 host 192.168.2.10 eq www
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 101 out

Q. Which of the following fields cannot be compared
based on an extended IP ACL? (Choose two answers.)
e. Protocol
f. Source IP address
g. Destination IP address
h. Destination Port address
i. URL

Q. Which of the following access-list commands
permits packets going from host 10.1.1.1 to all web
servers whose IP addresses begin with 172.16.5?
(Choose two answers.)
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www

b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www

Part IV
Named Base
Access Lists

Name Based Access List (IP access list)
Named ACL Versus Numbered ACL Configuration
Router(conf)# IP access-list <Extended|Standard> <Name>

Then enters the ACL context

How to write a named base access list?
Router(conf)# IP access-list <Extended|Standard> <Name>

Then enters the ACL context

Example
Router(config)# ip access-list extended test
Router(config-ext-nacl)#permit udp any any eq domain
Router(config-ext-nacl)#permit icmp any any
Router(config-ext-nacl)#permit ip any host 192.168.1.150
Router(config-ext-nacl)#permit ip host 192.168.3.10 any
Router(config-ext-nacl)#deny tcp host 192.168.3.12 host 192.168.1.100 eq www
Router(config-ext-nacl)#permit tcp host 192.168.3.13 host 192.168.1.100 eq www
Router(config-ext-nacl)#permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet

Example
Router# show access-list test

Extende IP access-list test
10 permit udp any any eq domain
20 permit icmp any any
30 permit ip any host 192.168.1.150
40 permit ip host 192.168.3.10 any
50 deny tcp host 192.168.3.12 host 192.168.1.100 eq www
60 permit tcp host 192.168.3.13 host 192.168.1.100 eq www
70 permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet

Example
Router(config)# ip access-list extended test

Router(config-ext-nacl)#no 20
Router(config-ext-nacl)#55 permit tcp any any eq ftp

Example
Router# show access-list test

Extende IP access-list test
10 permit udp any any eq domain
30 permit ip any host 192.168.1.150
40 permit ip host 192.168.3.10 any
50 deny tcp host 192.168.3.12 host 192.168.1.100 eq www
55 permit tcp any any eq ftp
60 permit tcp host 192.168.3.13 host 192.168.1.100 eq www
70 permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet

PC1 should have access pinging the server , PC2 should not.
PC1 should have access to FTP service of the server , PC2 should not.
PC2 should have access to web service of the server , PC1 should not.

R2(config)#ip access-list extended cisco

R2(config-ext-nacl)#permit icmp host 192.168.1.100 host 192.168.2.100
R2(config-ext-nacl)#permit tcp host 192.168.1.100 any eq ftp
R2(config-ext-nacl)#permit tcp host 192.168.1.101 any eq www

Part V
Access Class

Access Class
Limitation in VTY Lines
ACL it self is not the answer because the packets

that have been generated by the router (source IP
address of the router) Or the packets that has been
terminated in that router (destination IP address of
the router) , will not be processed.
Access class is not applied on the interfaces , they

will be applied directly on the VTY lines.

Access Class
ACL it self is not the answer because the packets

that have been generated by the router (source IP
address of the router) Or the packets that has been
terminated in that router (destination IP address of
the router) , will not be processed.
Access class is not applied on the interfaces , they

will be applied directly on the VTY lines.

Access Class
Router(config)# Access-list 1 permit host 192.168.1.100
Router(config)# Access-list 1 permit host 192.168.2.100
Router(config)# Line vty 0 15
Router(config-line)# Access-class 1 in
Router(config-line)# Exit
Note
Destination IP address and
protocols will not be written
in the access-class , because
when it is applied to the VTY
line , it is obvious that it is
even SSH or telnet.

PC1 should have access to telnet the R1, PC2 should not.

R1(config)#access-list 1 permit 192.168.1.100
R1(config)#enable password cisco
R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#access-class 1 in

The whole purpose of education
is to turn mirrors into windows.
Sydney J. Harris


Access Lists Access Lists: WWW - Alishariaty.ir

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Access Lists Access Lists: WWW - Alishariaty.ir

Transféré par

Droits d'auteur :

Formats disponibles

Access Lists

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Part I Access Lists Basic Concepts

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Network Filtering is the process of network services

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Where to implement the filtering ?

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Each scenario will be implemented by a single

Each access list is a combination of several rules

Each rule in an access list is pointing to a single

With permit or deny keyword , we separate the

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

The last rule in every access list is implicitly deny all

We will assign an access list to an interface and a

Router(conf)# Interface fastethernet 0/1

An access list is just useful when is implemented on

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

It is important how to organize the rules.

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

When an access list is applied on a router , It will

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Standard Numbered ACLs (1-99)

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

These access list are not widely use for filtering.

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

How to write a standard access list?

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Access-list 1 permit 192.168.1.10 0.0.0.0

Access-list 1 permit host 192.168.1.10

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

PC1 should have access to server.

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

R2(config)# access-list 1 permit 192.168.1.100

R2(config)# interface fastEthernet 0/0

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

a. access-list 1 permit 172.16.0.5 0.0.255.0

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

How to write an extended access list?

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

How to write an extended access list?

Router(conf)# Access-list <number> {permit|deny} {IP|ICMP} <Source-

Router(conf)# Access-list <number> {permit|deny} {TCP|UDP} <Source-

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir

ACL numbering is not understandable.