Limit network traffic to where we define and increase network performance Provide a basic level of security for network

k access Decide which types of traffic are forwarded or blocked at router interfaces

 Router can read packets

Packets contain much data

We can choose to act upon this data Permits us to allow or deny whichever part of this data we wish ACLs implement this policy

 Standard Extended

 Use only the packets source address for comparison 1-99

 Provide more precise (finer tuned) packet selection based on:

Source and destination addresses Protocols Port numbers

100-199

 IOS tests the packet against each condition statement in the order in which the statements were created Note: After a match is found, no more condition statements are checked If you create a condition statement that permits all traffic, no statements added later will ever be checked If all the ACL statements are unmatched, an implicit "deny any" statement is imposed

 Create ACL in global config Assign to interface Decide the direction

In Out

 If source IP address is matched:

Permit or deny statement is processed Permit action in ACL is performed Deny packet is dropped Implicit Deny If a packets address does not match an earlier statement an implicit deny any occurs at the end of every ACL and the packet is dropped.

 This identifies a host or range of addresses It is the binary inversion of the subnet mask i.e. in a class C address range we use the subnet mask 255.255.255.0 To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s)

11

 access-list access-list-number {permit |deny} source-ip-address wildcard-mask [log] Log causes each packet that matches this statement to generate a log entry that is recorded by the router.

 To permit all packets for the network number 172.16.0.0

Access-list 20 permit 172.16.0.0 0.0.255.255

 To permit traffic from the host 172.16.1.1 only

Access-list 20 permit 172.16.1.1 0.0.0.0

 To permit traffic from any source address.

Access-list 20 permit 0.0.0.0 255.255.255.255 OR Access-list 20 permit any

 To permit traffic from the subnet 12.16.0.0 through 12.31.0.0

Access-list 20 permit 12.16.0.0 0.15.255.255

 Access-list 22 permit 0.0.0.0 255.255.255.255 Access-list 22 permit any

 Access-list 23 permit 172.16.1.1 0.0.0.0 Access-list 23 permit host 172.16.1.1

 All conditions must match Test sequence in this order

Source Address Destination Address Protocol Port No. or Protocol Options Permit or Deny decision

 access-list number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcardmask eq port-number [log]

21

17 March 2009in

ITCN

 access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

This command is used to permit IP traffic from 10.1.1.0 network to 172.16.1.0 network. All packets with a source address not in this range will be rejected.

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 access-list 102 deny ip any any
This command is used to permit IP traffic from 10.1.1.0 network to 172.16.1.0 network. All packets with a source address not in this range will be rejected.

 access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

This command is used to permit Telnet traffic from machine 10.1.1.2 to machine 172.16.1.1.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

This command is used to permit tcp traffic from 10.1.1.2 host machine to 172.16.1.1 host machine.

 access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

This command is used to permit udp traffic from 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

This command is used to permit ip traffic from 10.1.1.0 network to 172.16.1.0 network.

FTP 21 Telnet 23 SMTP 25 DNS 53 TFTP 69 WWW, HTML 80 POP3 - 110 SNMP - 161

 Standard ACL
Use only source address and requires fewer CPU cycles. Place as close to destination as possible.

Extended ACL
More flexible and requires more CPU cycles. Place as close to source as possible. (This keeps undesired traffic and ICMP messages away from the network backbone.)

 Imagine you are standing INSIDE the router The direction of the ACL for an interface will be the same as our perspective standing INSIDE the router

27

 In
Requires less CPU processing because every packet bypasses processing before it is routed. Filtering decision is made prior to the routing table.

 Out
Routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list. ACLs are outbound unless otherwise specified.