Access List Solution: Access Lists Workbook, Teacher's Edition
Posted on 30-Oct-2015
Access Lists Workbook
Version 1.0
Instructors Edition
Inside Cover
Access-List Numbers
IP Standard: 1 to 99
IP Extended: 100 to 199
Ethernet Type Code: 200 to 299
Ethernet Address: 700 to 799
DECnet and Extended DECnet: 300 to 399
XNS: 400 to 499
Extended XNS: 500 to 599
Appletalk: 600 to 699
48-bit MAC Addresses: 700 to 799
IPX Standard: 800 to 899
IPX Extended: 900 to 999
IPX SAP (service advertisement protocol): 1000 to 1099
IPX SAP SPX: 1000 to 1099
Extended 48-bit MAC Addresses: 1100 to 1199
IPX NLSP: 1200 to 1299
IP Standard, expanded range: 1300 to 1999
IP Extended, expanded range: 2000 to 2699
SS7 (voice): 2700 to 2799
Standard Vines: 1 to 100
Extended Vines: 101 to 200
Simple Vines: 201 to 300
Transparent bridging (protocol type): 200 to 299
Transparent bridging (vendor type): 700 to 799
Extended Transparent bridging: 1100 to 1199
Source-route bridging (protocol type): 200 to 299
Source-route bridging (vendor type): 700 to 799
Produced by: Robb Jones, jonesr@careertech.net
Frederick County Career & Technology Center, Cisco Networking Academy
Frederick County Public Schools, Frederick, Maryland, USA
Special thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.
Instructors (and anyone else for that matter) please do not post the Instructors version on public websites. When you do this you're giving everyone else worldwide the answers. Yes, students look for answers this way.
It also discourages others, myself included, from posting high quality materials.
What are Access Control Lists?
ACLs... are a sequential list of instructions that tell a router which packets to permit or deny.

How routers use Access Lists (Outbound Port - Default)
The router checks to see if the packet is routable. If it is, it looks up the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to its destination.
If there is an ACL the router checks the packet against the access list statements sequentially, then permits or denies each packet as it is matched.
If the packet does not match any statement written in the ACL it is denied, because there is an implicit deny any statement at the end of every ACL.

General Access Lists Information
Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed protocol must have a different ACL for each interface.
...must be applied to an interface to work.
Standard Access Lists
Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.
Why standard ACLs are placed close to the destination.
If you want to block traffic from Juan's computer from reaching Janet's computer with a standard access list you would place the ACL close to the destination on Router D, interface E0. Since it is using only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.
If you place the ACL on Router A to block traffic to Router D it will also block all packets going to Routers B and C, because all the packets will have the same source address.
[Diagram: Routers A, B, C and D linked by serial interfaces S0/S1, each with an E0 LAN interface; Juan's, Janet's, Jimmy's and Matt's computers are attached to the routers' LAN interfaces.]
Standard Access List Placement
Sample Problems
In order to permit packets from Juan's computer to arrive at Jan's computer you would place the standard access list at router interface ______. Answer: FA1
Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul? Router Name ______________ Interface ___________
Where would you place the standard ACL to deny traffic from Paul to Lisa? Router Name ______________ Interface ___________
Answers as printed in the instructor's edition (in the order extracted): Router B E1; Router A E0
[Diagram: Routers A and B linked by S0/S1, with LAN interfaces E0, E1, FA0 and FA1; Lisa's, Paul's, Juan's and Jan's computers are attached.]
Standard Access List Placement
[Diagram: Routers A through F linked by S0/S1 serial interfaces, with LAN interfaces E0 and FA1; the computers of Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda are attached.]
Standard Access List Placement
1. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer? Router Name _________________ Interface ____________________
2. Where would you place a standard access list to deny traffic from Melvin's computer from reaching Jenny's computer? Router Name _________________ Interface ____________________
3. Where would you place a standard access list to deny traffic to Carrol's computer from Sarah's computer? Router Name _________________ Interface ____________________
4. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer? Router Name _________________ Interface ____________________
5. Where would you place a standard access list to deny traffic from Amanda's computer from reaching Jeff's and Jim's computers? Router Name _________________ Interface ____________________
6. Where would you place a standard access list to permit traffic from Jackie's computer to reach Linda's computer? Router Name _________________ Interface ____________________
7. Where would you place a standard access list to permit traffic from George's computer to reach Carrol's and Amanda's computers? Router Name _________________ Interface ____________________
8. Where would you place a standard access list to deny traffic to Jenny's computer from Jackie's computer? Router Name _________________ Interface ____________________
9. Where would you place a standard access list to permit traffic from George's computer to reach Linda's and Sarah's computers? Router Name _________________ Interface ____________________
10. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer? Router Name _________________ Interface ____________________
11. Where would you place a standard access list to deny traffic to Sarah's computer from Ricky's computer? Router Name _________________ Interface ____________________
12. Where would you place an ACL to deny traffic from Linda's computer from reaching Jackie's computer? Router Name _________________ Interface ____________________
Answer key as printed in the instructor's edition (in the order extracted): Router D E0; Router A E0; Router C FA1; Router D E0; Router D E0; Router E E0; Router C FA1; Router A E0; Router E E0; Router C FA1; Router E E0; Router F FA1
Extended Access Lists
Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the: source address, destination address, protocol, port number.
...are placed close to the source.
...work at both layer 3 and 4 of the OSI model.
Why extended ACLs are placed close to the source.
If you want to deny traffic from Juan's computer from reaching Janet's computer with an extended access list you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address it can reduce backbone overhead and not affect traffic to Routers B or C.
If you place the ACL on Router E to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router E. This increases the volume of useless network traffic.
[Diagram: Routers A, B, C and D linked by serial interfaces S0/S1, with LAN interfaces E0 and FA0; Juan's, Janet's, Jimmy's and Matt's computers are attached to the routers' LAN interfaces.]
Extended Access List Placement
Sample Problems
In order to permit packets from Juan's computer to arrive at Jan's computer you would place the extended access list at router interface ______. Answer: E0
Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul? Router Name ______________ Interface ___________
Where would you place the extended ACL to deny traffic from Paul to Lisa? Router Name ______________ Interface ___________
Answers as printed in the instructor's edition (in the order extracted): Router A FA0; Router B FA1
[Diagram: Routers A and B linked by S0/S1, with LAN interfaces E0, E1, FA0 and FA1; Juan's, Jan's, Lisa's and Paul's computers are attached.]
Extended Access List Placement
[Diagram: Routers A through F linked by S0/S1 serial interfaces, with LAN interfaces E1, FA0 and FA1; the computers of Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda are attached.]
Extended Access List Placement
1. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer? Router Name _________________ Interface ____________________
2. Where would you place an extended access list to permit traffic from Jackie's computer to reach Linda's computer? Router Name _________________ Interface ____________________
3. Where would you place an extended access list to deny traffic to Carrol's computer from Ricky's computer? Router Name _________________ Interface ____________________
4. Where would you place an extended access list to deny traffic to Sarah's computer from Jackie's computer? Router Name _________________ Interface ____________________
5. Where would you place an extended access list to permit traffic from Carrol's computer to reach Jeff's computer? Router Name _________________ Interface ____________________
6. Where would you place an extended access list to deny traffic from Melvin's computer from reaching Jeff's and Jim's computers? Router Name _________________ Interface ____________________
7. Where would you place an extended access list to permit traffic from George's computer to reach Jeff's computer? Router Name _________________ Interface ____________________
8. Where would you place an extended access list to permit traffic from Jim's computer to reach Carrol's and Amanda's computers? Router Name _________________ Interface ____________________
9. Where would you place an ACL to deny traffic from Linda's computer from reaching Kathy's computer? Router Name _________________ Interface ____________________
10. Where would you place an extended access list to deny traffic to Jenny's computer from Sarah's computer? Router Name _________________ Interface ____________________
11. Where would you place an extended access list to permit traffic from George's computer to reach Linda's and Sarah's computers? Router Name _________________ Interface ____________________
12. Where would you place an extended access list to deny traffic from Linda's computer from reaching Jenny's computer? Router Name _________________ Interface ____________________
Answer key as printed in the instructor's edition (in the order extracted): Router D FA0; Router F FA1; Router A FA0; Router F FA1; Router C E1; Router F FA1; Router C E1; Router D FA0; Router E FA0; Router E FA0; Router C E1; Router E FA0
Choosing to Filter Incoming or Outgoing Packets
Access Lists on your incoming port...
...require less CPU processing.
...filter and deny packets before the router has to make a routing decision.
Access Lists on your outgoing port...
...are outbound by default unless otherwise specified.
...increase the CPU processing time, because the routing decision is made and the packet is switched to the correct outgoing port before it is tested against the ACL.
Breakdown of a Standard ACL Statement
access-list 1 permit 192.168.90.36 0.0.0.0
1 = autonomous number (1 to 99)
permit = permit or deny
192.168.90.36 = source address
0.0.0.0 = wildcard mask

access-list 78 deny host 192.168.90.36 log
78 = autonomous number (1 to 99)
deny = permit or deny
host = indicates a specific host address
192.168.90.36 = source address
log = (Optional) generates a log entry on the router for each packet that matches this statement
Breakdown of an Extended ACL Statement
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0
125 = autonomous number (100 to 199)
permit = permit or deny
ip = protocol
192.168.90.36 = source address
0.0.0.0 (first) = source wildcard mask
192.175.63.12 = destination address
0.0.0.0 (second) = destination wildcard mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log
178 = autonomous number (100 to 199)
deny = permit or deny
tcp = protocol (icmp, tcp, udp, ip, etc.)
host = indicates a specific host
192.168.90.36 = source address
192.175.63.12 = destination address
eq = operator: eq for =, gt for >, lt for
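As an added example that is not part of the workbook, the statement formats broken down above and the matching rules from the "How routers use Access Lists" page (top-down, first match wins, implicit deny any) can be exercised with a small Python evaluator; the helper names, the sample list contents and the host addresses given to Juan, Janet and Jimmy are assumptions. It also shows the placement argument made earlier: a standard list keyed only on Juan's source address blocks his traffic to every destination, while the extended list can single out one destination and port.

```python
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": address 0.0.0.0 with an all-ones wildcard
# src/dst are (address, wildcard) pairs; port is the "eq" destination port or None.
Entry = namedtuple("Entry", "action proto src dst port log")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def take_address(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD' (a missing wildcard means 0.0.0.0)."""
    t = tokens.pop(0)
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if t == "any":
        return ANY
    return (t, tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0")

def parse(statement):
    """Parse one 'access-list N ...' line; the list number decides standard vs extended."""
    tokens = statement.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    log = bool(rest) and rest[-1] == "log"
    rest = rest[:-1] if log else rest
    if 1 <= number <= 99:                    # standard: source address only
        proto, src, dst, port = "ip", take_address(rest), ANY, None
    elif 100 <= number <= 199:               # extended: protocol, source, destination, operator
        proto, src, dst = rest.pop(0), take_address(rest), take_address(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
    else:
        raise ValueError(f"unsupported access-list number {number}")
    return Entry(action, proto, src, dst, port, log)

def evaluate(acl, proto, src, dst, port=None):
    """Read top-down and stop at the first match; implicit 'deny any' if nothing matches."""
    for e in acl:
        if (e.proto in ("ip", proto) and wildcard_match(src, *e.src)
                and wildcard_match(dst, *e.dst) and e.port in (None, port)):
            return e.action
    return "deny"

# Constructed host addresses for the workbook's Juan, Janet and Jimmy (assumed values).
JUAN, JANET, JIMMY = "192.168.90.36", "192.175.63.12", "192.175.63.40"
STANDARD = [parse("access-list 78 deny host 192.168.90.36 log"), parse("access-list 78 permit any")]
EXTENDED = [parse("access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log"),
            parse("access-list 178 permit ip any any")]
```

With STANDARD, Juan is denied to Janet and to Jimmy alike, which is why the workbook puts a standard list near the destination; with EXTENDED only Juan's telnet (port 23) to Janet is denied, and a list holding a single permit denies everyone else through the implicit deny.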