
Access Control List

2009 Alexander Rybolovlev

A TCP Conversation

Well-known ports used in the examples:

  Service    Port   Transport
  SMTP         25   TCP
  POP3        110   TCP
  IMAP        143   TCP
  HTTP         80   TCP
  HTTPS       443   TCP
  DNS          53   TCP/UDP
  FTP-DATA     20   TCP
  FTP          21   TCP
  TFTP         69   UDP
  SNMP        161   UDP
  NTP         123   UDP

Packet Filtering
ALLOW or DENY
Source IP address
Destination IP address
ICMP message type
TCP/UDP source port
TCP/UDP destination port

One ACL per protocol (e.g., IP or IPX)
One ACL per interface (e.g., FastEthernet0/0)
One ACL per direction (i.e., IN or OUT)

Numbering and Naming ACLs


Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1300-1999>  IP standard access list (expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <700-799>    48-bit MAC address access list

The number you assign selects both the protocol and the ACL type:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL

A named ACL is identified by the name you give it:
Names may contain alphanumeric characters.
Writing names in CAPITAL LETTERS is suggested so they stand out in the configuration.
Names cannot contain spaces or punctuation and must begin with a letter.
Entries within a named ACL can be added or deleted individually.

Where To Place ACLs

A standard ACL matches on source address only, so it is placed as close to the destination as possible; placed near the source it would also cut that source off from destinations that should stay reachable.
An extended ACL can match protocol, source and destination, so it is placed as close to the source as possible, dropping unwanted traffic before it crosses the network.

Standard ACL
[no] access-list acl-num {deny|permit|remark} [source [source-wildcard]] [log]
Router#show access-lists
Standard IP access list 99
10 permit host 192.168.99.0
20 permit host 192.168.98.0

Router#conf t
Router(config)#no access-list 99
Router(config)#end
Router#show access-lists
Router#
"no access-list 99" removes the whole list, not a single entry.

Router(config)#access-list 10 remark Access_to_LAN
Router(config)#access-list 10 permit 192.168.10.0
Without a wildcard the mask is 0.0.0.0: only the single address 192.168.10.0 is permitted.

Entries are tested top to bottom; the first match decides, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL:
access-list 2 deny 192.168.10.1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
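The top-down evaluation of access-list 2, as an added example that is not part of the original slides: a small Python model of how IOS matches a standard ACL (wildcard masks, first match wins, implicit deny). The four ACL lines are the slide's; the parsing helper, the function names and the sample source addresses are this example's own.

```python
import ipaddress

# Added example (not from the original slides): a model of IOS standard-ACL
# evaluation. Entries are checked top to bottom, the first match decides,
# and anything unmatched hits the implicit "deny any" at the end.


def wildcard_match(addr: str, network: str, wildcard: str = "0.0.0.0") -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match exactly,
    a 1 bit is ignored. Wildcard 0.0.0.0 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_standard_ace(line: str):
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' into
    (action, network, wildcard). Returns None for remark lines.
    Accepts the 'host A' and 'any' shorthands; a bare address with no
    wildcard means 0.0.0.0, i.e. a single host, exactly as IOS treats it."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    action = tok[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    args = [t for t in tok[3:] if t != "log"]
    if args[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if args[0] == "host":
        return action, args[1], "0.0.0.0"
    wildcard = args[1] if len(args) > 1 else "0.0.0.0"
    return action, args[0], wildcard


def load_acl(lines):
    """Keep entries in configured order; the order decides what matches."""
    return [ace for ace in map(parse_standard_ace, lines) if ace is not None]


def evaluate_standard_acl(acl, src: str):
    """Return (action, entry_number) for a packet with source address src.
    entry_number is 1-based; 0 means the implicit deny at the end."""
    for number, (action, network, wildcard) in enumerate(acl, 1):
        if wildcard_match(src, network, wildcard):
            return action, number
    return "deny", 0


# ACL 2 from the slides, in the order it was entered.
ACL_2 = load_acl([
    "access-list 2 remark order matters: first match wins",
    "access-list 2 deny 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
])

# Same entries with the host deny moved below the subnet permit: the host
# is now permitted by entry 1 and its deny is never reached (shadowed).
ACL_2_SHADOWED = [ACL_2[1], ACL_2[0]] + ACL_2[2:]

if __name__ == "__main__":
    # Constructed sample sources: the denied host, a host in the permitted
    # subnet, a host elsewhere in 192.168/16, a 192/8 host, and an outsider.
    for src in ("192.168.10.1", "192.168.10.50", "192.168.20.7", "192.1.2.3", "10.0.0.1"):
        print(src, evaluate_standard_acl(ACL_2, src), evaluate_standard_acl(ACL_2_SHADOWED, src))
```

The shadowed variant is the mistake to look for when reviewing a list: a more specific entry placed after a broader one never matches, and "show access-lists" match counters staying at zero for that entry are the symptom.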

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}


Router(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 1 out


Edit Standard ACL


#1 current configuration
R1#show running-config | include access-list
access-list 20 permit 192.168.10.100
access-list 20 deny 192.168.10.0 0.0.0.255
#2 required configuration (host .11 is permitted instead of .100)
access-list 20 permit 192.168.10.11
access-list 20 deny 192.168.10.0 0.0.0.255
#3 the access-list command only appends, and "no access-list 20 ..." removes the whole list, so delete the list and re-enter it in order
R1#conf t
R1(config)#no access-list 20
R1(config)#access-list 20 remark Access for permit host 10.11
R1(config)#access-list 20 permit 192.168.10.11
R1(config)#access-list 20 deny 192.168.10.0 0.0.0.255

Naming ACL
Router(config)#ip access-list [standard | extended] name
Router(config-std-nacl)#[no] [num] {deny|permit|remark}
Router(config)#ip access-list standard Bumburum
Router(config-std-nacl)#deny host 192.168.0.1
Router(config-std-nacl)#permit 192.168.0.0 0.0.0.255
Router#sh access-lists
Standard IP access list Bumburum
10 deny host 192.168.0.1
20 permit 192.168.0.0 0.0.0.255
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
Router(config-if)#ip access-group Bumburum out

Edit ACL
Router#show access-lists {acl-num|name}
Router#sh access-lists 99
Standard IP access list 99
10 permit host 192.168.9.9
20 permit host 192.168.9.11
Router(config)#ip access-list {standard | extended} {acl-num|name}
Router(config-std-nacl)#[no] [num] {deny|permit|remark}
Router(config)#ip access-list standard 99
Router(config-std-nacl)#15 permit host 192.168.9.10
Router#sh access-lists 99
Standard IP access list 99
10 permit host 192.168.9.9
15 permit host 192.168.9.10
20 permit host 192.168.9.11

Extended ACL

[no] access-list acl-num {deny|permit|remark} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

R1(config)#access-list 101 permit tcp any eq ?
A port operator placed right after the source address filters on the source port. To filter on the service a client connects to, put the operator after the destination address.
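An added example, not from the original slides, that models extended ACL matching to show where the port operator binds; it also exercises the packet-filtering fields listed under Packet Filtering above (protocol, source and destination address, source and destination port). The subset of syntax parsed (any/host/wildcard, eq/neq/lt/gt/range, established), the port keyword names, the function names, and the sample packets and addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the original slides): a matcher for a subset of the
# IOS extended ACE syntax. An operator written right after the source address
# filters the SOURCE port, which is what "permit tcp any eq ?" is asking for.

# Well-known ports from the slide's table, under keyword names assumed to be
# those IOS accepts after eq/neq/lt/gt/range (numeric ports always work).
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "tftp": 69,
    "www": 80, "pop3": 110, "ntp": 123, "imap": 143, "snmp": 161,
}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set; what 'established' tests


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def _addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def _port(tok, i):
    """Consume an optional port operator; returns ((op, lo, hi), next_index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        op = tok[i]
        lo = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        if op == "range":
            return (op, lo, PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])), i + 3
        return (op, lo, lo), i + 2
    return (None, 0, 0), i


def _port_ok(spec, port):
    op, lo, hi = spec
    if op is None:
        return True
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def parse_extended_ace(line):
    """'access-list N {permit|deny} PROTO SRC [op port] DST [op port] [established]'"""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, src_wc, i = _addr(tok, 4)
    sport, i = _port(tok, i)          # operator after SOURCE => source port
    dst, dst_wc, i = _addr(tok, i)
    dport, i = _port(tok, i)          # operator after DESTINATION => destination port
    return {"action": tok[2], "proto": tok[3], "src": (src, src_wc), "sport": sport,
            "dst": (dst, dst_wc), "dport": dport, "established": "established" in tok[i:]}


def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace["src"])
            and wildcard_match(pkt.dst, *ace["dst"])
            and _port_ok(ace["sport"], pkt.sport)
            and _port_ok(ace["dport"], pkt.dport)
            and (not ace["established"] or pkt.ack_or_rst))


def evaluate_extended_acl(lines, pkt):
    """First match wins: (action, 1-based entry), or ("deny", 0) for the implicit deny."""
    for number, line in enumerate(lines, 1):
        ace = parse_extended_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], number
    return "deny", 0


# Constructed sample traffic: a LAN host opening an HTTP connection (SYN, no
# ACK), the server's reply, and a UDP DNS query to an internal resolver.
HTTP_REQUEST = Packet("tcp", "192.168.10.11", "203.0.113.10", 40000, 80)
HTTP_REPLY = Packet("tcp", "203.0.113.10", "192.168.10.11", 80, 40000, ack_or_rst=True)
DNS_QUERY = Packet("udp", "192.168.10.11", "192.168.10.53", 51000, 53)

SOURCE_PORT_ACL = ["access-list 101 permit tcp any eq www any"]       # matches replies FROM port 80
DEST_PORT_ACL = ["access-list 101 permit tcp any any eq www"]         # matches requests TO port 80
RETURN_ONLY_ACL = ["access-list 102 permit tcp any any established"]  # ACK/RST set: return traffic only
DNS_ACL = ["access-list 103 permit udp any host 192.168.10.53 eq domain"]

if __name__ == "__main__":
    for name, acl in (("source-port", SOURCE_PORT_ACL), ("dest-port", DEST_PORT_ACL),
                      ("established", RETURN_ONLY_ACL)):
        print(name, evaluate_extended_acl(acl, HTTP_REQUEST), evaluate_extended_acl(acl, HTTP_REPLY))
```

The first two lists differ only in where "eq www" sits: applied inbound on the LAN interface, the source-port form lets nothing through from the browsers while a list placed the other way round admits any TCP segment that merely claims source port 80. "established" is the classic stateless way to let replies back in; it checks only the ACK/RST bits, so it is not a substitute for a stateful firewall.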

