track routers anexo- what is acl

Upload: ed-san

Post on 04-Jun-2018


  • 8/13/2019 Track Routers Anexo- What is ACL

    1/36 Knowledge Domain

    Routers

    Annex: Access Control Lists (ACLs)

  • 2/36 Objectives

    Explain the differences between standard and extended ACLs

    Explain the rules for placement of ACLs

    Create and apply named ACLs

    Describe the function of firewalls

    Use ACLs to restrict virtual terminal access

  • 3/36 Introduction

    An access control list (ACL) consists of a table that tells a computer operating system (OS) which access rights each user has to a particular system object, such as a file directory or an individual file.

    Each object has a security attribute that identifies its access control list.

  • 4/36 Cisco application view

    ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.

    These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions.

    ACLs enable management of traffic and secure access to and from a network.

  • 5/36 ACL benefits

    Limit network traffic and increase network performance.

    Provide traffic flow control.

    Provide a basic level of security for network access.

    Traffic decision (forwarded or blocked at the router interfaces).

    Control which areas a host can reach: permit or deny hosts access to a network segment.

    Can provide access control based on Layer 3 addresses for the IP and IPX protocols.

  • 6/36 How an ACL is executed

    Decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.

    ACL statements operate in sequential, logical order.

  • 7/36 Entering frame to a router

    After determining whether the frame has a matching Layer 2 address or is a broadcast, the router checks whether an ACL is present on the interface.

    If the packet is accepted or there is no ACL: the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

    If an ACL exists: the packet is tested against the statements in the list. If the packet matches a statement, it is either accepted or rejected.

  • 8/36 ACL range for each protocol

    ACLs can be created for all routed network protocols, such as IP and Internetwork Packet Exchange (IPX).

    ACLs can be configured at the router to control access to a network or subnet.

  • 9/36 ACL range for each protocol

    Each ACL must have a unique identification number assigned to it.

    This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

  • 10/36 How Access Lists work

  • 11/36 ACL configuration

    Step 1: Router(config)#access-list access-list-number {permit | deny} {test conditions}

    Step 2: Router(config-if)#{protocol} access-group access-list-number

    An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated.

  • 12/36 ACL configuration

    Permit ACL line with L3 information only:

    If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset is checked and it is permitted.

    If a packet's L3 information does not match the L3 information in the ACL line, the next ACL entry is processed.

    If a packet's FO > 0, the packet is permitted.

    Else, the next ACL entry is processed.

  • 13/36 ACL configuration example

    1. Router(config)#access-list 6 deny 172.13.0.0 0.0.255.255

    2. Router(config)#access-list 6 permit 172.0.0.0 0.255.255.255

    3. Router(config)#interface e0

    4. Router(config-if)#ip access-group 6 in

    If we want to delete or modify the ACL:

    Router(config)#no access-list 6
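As an added example (not code from the slides), this Python models how the router walks the numbered ACL 6 above: statements are tested in order, the first match decides, and a packet matching nothing hits the implicit deny at the end of every ACL. Reversing the two lines changes the outcome for 172.13.x.x hosts, which is why statement order matters.

```python
# Added example (not from the slides): top-down evaluation of a numbered
# standard ACL, with the any/host shorthands and the implicit deny.
import ipaddress

def parse_entry(line):
    """Parse 'access-list N {permit|deny} SRC [WILDCARD]' into
    (number, action, address_int, wildcard_int)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if rest[0] == "any":                      # any = 0.0.0.0 255.255.255.255
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":                   # host A.B.C.D = A.B.C.D 0.0.0.0
        addr, wild = rest[1], "0.0.0.0"
    else:
        addr = rest[0]
        wild = rest[1] if len(rest) > 1 else "0.0.0.0"  # omitted wildcard = host
    return (number, action,
            int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))

def matches(src, addr, wild):
    # Wildcard bit 0 = compare this bit, 1 = ignore it.
    return (src ^ addr) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl_lines, source_ip):
    """Return (action, line_number) of the first matching statement,
    or ('deny', None) when no statement matches (implicit deny)."""
    src = int(ipaddress.IPv4Address(source_ip))
    for i, line in enumerate(acl_lines, 1):
        _, action, addr, wild = parse_entry(line)
        if matches(src, addr, wild):
            return action, i
    return "deny", None

# The two statements of access-list 6 from the slide.
ACL_6 = [
    "access-list 6 deny 172.13.0.0 0.0.255.255",
    "access-list 6 permit 172.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    for ip in ("172.13.4.9", "172.20.1.1", "10.0.0.1"):
        print(ip, evaluate(ACL_6, ip))
    # Same statements, reversed: the permit now hides the deny.
    print("reversed:", evaluate(list(reversed(ACL_6)), "172.13.4.9"))
```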

  • 14/36 Wildcard Mask

    Wildcard masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits.

    A wildcard mask bit 0 means check the corresponding bit value.

    A wildcard mask bit 1 means do not check (ignore) that corresponding bit value.

  • 15/36 Wildcard Mask

    Wildcard masking for access lists operates differently from an IP subnet mask.

    A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked; a one in a bit position of the access list mask indicates that the corresponding bit in the address is not interesting and can be ignored.

  • 16/36 Wildcard Mask

    An administrator wants to test an IP address for subnets that will be permitted or denied.

    Assume the IP address is Class B (the first two octets are the network number) with eight bits of subnetting (the third octet is for subnets).

    The administrator wants to use IP wildcard masking bits to match subnets 172.30.16.0 to 172.30.31.0.

  • 17/36 Wildcard Mask

    By carefully setting wildcard masks, an administrator can select single or several IP addresses for permit or deny tests.

    Refer to the example in the graphic.
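As an added example (not part of the slides), the following Python works out wildcard masks the way these slides describe, including the 172.30.16.0 to 172.30.31.0 case. It goes beyond the slide by deriving the address/wildcard pair for any aligned block of addresses and by showing a non-contiguous wildcard, which a subnet mask cannot express.

```python
# Added example (not from the slides): wildcard-mask arithmetic for ACLs.
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def matches(packet_ip, acl_addr, wildcard):
    """Wildcard bit 0 = compare that bit, 1 = ignore it (unlike a subnet mask)."""
    return (to_int(packet_ip) ^ to_int(acl_addr)) & ~to_int(wildcard) & 0xFFFFFFFF == 0

def wildcard_from_prefix(prefix_len):
    """The wildcard is the bitwise inverse of the subnet mask (/20 -> 0.0.15.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(~subnet_mask)

def wildcard_for_range(first, last):
    """Address/wildcard pair covering first..last exactly, or None when the
    range is not an aligned power-of-two block (one entry cannot express it)."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        return None
    return to_dotted(lo), to_dotted(size - 1)

def covered_range(acl_addr, wildcard):
    """First and last address matched by a contiguous wildcard (0s then 1s)."""
    a, w = to_int(acl_addr), to_int(wildcard)
    return to_dotted(a & ~w), to_dotted(a | w)

if __name__ == "__main__":
    # Slide case: third octet 16..31 is 0001xxxx, so the top four bits of that
    # octet are checked and the low four bits plus the host octet are ignored.
    print(wildcard_for_range("172.30.16.0", "172.30.31.255"))  # ('172.30.16.0', '0.0.15.255')
    print(covered_range("172.30.16.0", "0.0.15.255"))          # ('172.30.16.0', '172.30.31.255')
    # A non-contiguous wildcard: match only odd-numbered subnets of 172.30.0.0.
    print(matches("172.30.5.7", "172.30.1.0", "0.0.254.255"))  # True
```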

  • 18/36 Wildcard Mask Application

  • 19/36 Any, Host, Optional Format

    The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against.

    The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.

  • 20/36 Verifying the ACL configuration

    show access-lists command: displays the access-lists configuration.

  • 21/36 Verifying the ACL configuration

    show ip interface command: displays the access-list interface assignments.

  • 22/36 Verifying the ACL configuration

    show running-config command: displays the configuration output, including access-lists and assignments.

  • 23/36 Standard ACLs

    Standard ACLs check the source address of IP packets that are routed.

    The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.

    The standard ACL command is as follows:

    Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

  • 24/36 Standard ACLs, the remark keyword

    Makes the access list easier to understand.

    The purpose of the following entry is not immediately clear:

    Router(config)#access-list 1 permit 171.69.2.88

    It is much easier to read a remark about the entry to understand its effect, as follows:

    Router(config)#access-list 1 remark Permit only Jones workstation through

    Router(config)#access-list 1 permit 171.69.2.88

  • 25/36 Standard ACLs

    To remove a standard ACL, use the no form of the statement. The syntax is as follows:

    Router(config)#no access-list access-list-number

    The ip access-group command links an existing standard ACL to an interface:

    Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

  • 26/36 Extended ACLs

    Because of the greater range of control they provide, they are used more often than standard ACLs.

    Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers, which gives greater flexibility to describe what the ACL will check.

    Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

    When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.

  • 27/36 Extended ACL statements

    Access list number range of 100-199 and 2000-2699

    Source and destination IP address

    Layer 4 protocol number

    Applied to the port closest to the source host

  • 28/36 Extended ACL parameters

    Dynamic: identifies the access list as a dynamic access list.

    Timeout: specifies the absolute length of time.

    Protocol: name or number (0-255) of an Internet protocol.

    Source: number of the network or host from which the packet is being sent (32-bit quantity in four-part dotted-decimal format, any, or host).

    Destination: number of the network or host to which the packet is being sent (32-bit quantity in four-part dotted-decimal format, any, or host).

  • 29/36 Extended ACL parameters

    Source wildcard: wildcard bits to be applied to the source (32-bit quantity in four-part dotted-decimal format, any, or host).

    Destination wildcard: wildcard bits to be applied to the destination (32-bit quantity in four-part dotted-decimal format, any, or host).

    Other parameters included in extended ACLs: precedence, tos, log, log-input, time-range, icmp-type.
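As an added example (not code from the slides), this Python models the extra checks an extended ACL performs compared with a standard one: source and destination address, protocol, and an optional destination port, still evaluated top-down with the implicit deny. The access-list 101 policy and the packets are constructed for the example, not taken from the slides.

```python
# Added example (not from the slides): extended ACL matching on source,
# destination, protocol and destination port, with the implicit deny.
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(packet_ip, addr, wild):
    # Wildcard bit 0 = compare this bit, 1 = ignore it.
    return (packet_ip ^ addr) & ~wild & 0xFFFFFFFF == 0

def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tokens[i];
    return (address_int, wildcard_int, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return ip(tokens[i + 1]), 0, i + 2
    return ip(tokens[i]), ip(tokens[i + 1]), i + 2

def parse_extended(line):
    """'access-list N {permit|deny} PROTO SRC DST [eq PORT]' -> dict."""
    t = line.split()
    entry = {"action": t[2], "proto": t[3]}
    entry["src"], entry["src_wild"], i = parse_addr(t, 4)
    entry["dst"], entry["dst_wild"], i = parse_addr(t, i)
    entry["port"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return entry

def evaluate(acl, pkt):
    """pkt = dict(src=, dst=, proto=, dport=). First matching statement wins;
    returns (action, line_number) or ('deny', None) for the implicit deny."""
    for n, line in enumerate(acl, 1):
        e = parse_extended(line)
        if e["proto"] not in ("ip", pkt["proto"]):   # 'ip' matches any protocol
            continue
        if not wild_match(ip(pkt["src"]), e["src"], e["src_wild"]):
            continue
        if not wild_match(ip(pkt["dst"]), e["dst"], e["dst_wild"]):
            continue
        if e["port"] is not None and e["port"] != pkt.get("dport"):
            continue
        return e["action"], n
    return "deny", None

# Constructed policy: only web traffic from 172.16.0.0/16 to the server
# 10.1.1.10, ICMP allowed for troubleshooting, everything else dropped.
ACL_101 = [
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 80",
    "access-list 101 permit icmp any any",
]
```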

  • 30/36 Transport and Application layer ports

  • 31/36 Named access list

    Modifying a named access list: any additions will be made to the end of the ACL.

    Creating a named access list.

  • 32/36 Advantages provided by a named access list

    Alphanumeric names can be used to identify ACLs.

    The IOS does not limit the number of named ACLs that can be configured.

    Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.

  • 33/36 Placing ACLs

    Place extended ACLs as close as possible to the source of the traffic to be denied.

    Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

  • 34/36 Firewall

    It is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.

    ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet.

    The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.

  • 35/36 Restricting virtual terminal access

    Using access lists to restrict access to the vty lines can provide additional security for our system.

    Associate the access list with inbound Telnet sessions:

    host1(config)#line vty 12 15
    host1(config-line)#access-class Boston in

    Configure an access list:

    host1(config)#access-list Boston permit any

  • 36/36 End of the Annex: Access Control Lists (ACL)