
Filtering Traffic Using Access Control Lists

Introducing Routing and Switching in the Enterprise Chapter 8

Version 4.0

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Objectives
Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces
Analyze the use of wildcard masks
Configure and implement ACLs
Create and apply ACLs to control specific types of traffic
Log ACL activity and integrate ACL best practices


Section 8.1 Using Access Control Lists


Key Ideas
Traffic filtering
Defining Access Control Lists
Types and uses of ACLs
ACL processing


Describe Traffic Filtering


Analyze the contents of a packet
Allow or block the packet
Based on source IP, destination IP, MAC address, protocol, application type


Describe Traffic Filtering


Devices providing traffic filtering:
Firewalls built into integrated routers
Dedicated security appliances
Servers


Describe Traffic Filtering


Uses for ACLs:
Specify internal hosts for NAT
Classify traffic for QoS
Restrict routing updates, limit debug outputs, control virtual terminal access


Describe Traffic Filtering


Standard ACLs filter based on source IP address
Extended ACLs filter on source and destination, as well as protocol and port number
Named ACLs can be either standard or extended

Activity 8.1.3[2] - Determine Standard, Extended or Named ACL



Describe Traffic Filtering


ACLs consist of statements
At least one statement must be a permit statement
Final statement is an implicit deny
ACL must be applied to an interface in order to work


Describe Traffic Filtering


ACL is applied inbound or outbound
Direction is from the router's perspective
Each interface can have one ACL per direction for each network protocol

Activity 8.1.4[3] - Determine whether a packet is permitted or denied



Section 8.2 Using a Wildcard Mask


Key Ideas
The purpose and structure of an ACL wildcard mask
The effects of a wildcard mask


Analyze the Use of Wildcard Masks


Wildcard mask can block a range of addresses or a whole network with one statement
0s indicate which part of an IP address must match the ACL
1s indicate which part does not have to match specifically


Activity 8.2.1[3] - Determine wildcard mask



Analyze the Use of Wildcard Masks


Use the host parameter in place of a 0.0.0.0 wildcard
Use the any parameter in place of a 255.255.255.255 wildcard


Activity 8.2.2[4] - Determine whether an IP packet is permitted or denied
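Added worked example, not part of the Cisco slides: a small Python model of how a numbered standard ACL is evaluated. It ties together the processing rules from Section 8.1 (top-down, first match wins, implicit deny when nothing matches, at least one permit needed for anything to pass) and the wildcard mask rules of this section, including the host and any shorthands. The ACL text, the addresses and all function names (wildcard_match, parse_standard_acl, evaluate, addresses_covered) are constructed for the example; addresses_covered generalizes the "one statement covers a range" point to any wildcard, not just the /24 on the slide.

```python
"""Standard ACL evaluation with wildcard masks. Added example, not Cisco's code;
the ACL below is constructed in the IOS 'access-list' syntax this chapter uses."""
import ipaddress


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    Keep only the 'care' bits of both addresses and compare them."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & care) == (ip_to_int(acl_ip) & care)


def addresses_covered(wildcard):
    """How many addresses one statement covers: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(ip_to_int(wildcard)).count("1")


def parse_standard_acl(config, number):
    """Collect the statements of one numbered standard ACL in configuration order.
    Handles 'host A', 'any', 'A WILDCARD' and a bare 'A' (IOS defaults the wildcard to 0.0.0.0).
    Each entry is (action, address, wildcard, log_flag)."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[:2] != ["access-list", str(number)]:
            continue
        action = p[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {line!r}")
        if p[3] == "host":                      # host A  ==  A 0.0.0.0
            addr, wild = p[4], "0.0.0.0"
        elif p[3] == "any":                     # any  ==  0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            addr = p[3]
            wild = p[4] if len(p) > 4 and p[4] != "log" else "0.0.0.0"
        entries.append((action, addr, wild, p[-1] == "log"))
    return entries


def evaluate(entries, src_ip):
    """Top-down, first match wins. Falling off the end is the implicit deny (index -1)."""
    for i, (action, addr, wild, _log) in enumerate(entries):
        if wildcard_match(src_ip, addr, wild):
            return action, i
    return "deny", -1


# Constructed ACL: one host blocked explicitly, the rest of its /24 allowed,
# and a /16 allowed with logging. Order matters: the host deny must come first,
# otherwise the /24 permit would match that host before the deny is ever reached.
CONFIG = """\
access-list 10 deny   host 192.168.10.50
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.255.255 log
"""

if __name__ == "__main__":
    acl = parse_standard_acl(CONFIG, 10)
    for src in ("192.168.10.50", "192.168.10.7", "10.1.200.3", "172.16.0.1"):
        print(src, *evaluate(acl, src))
```

Running the module prints the action and the index of the matching statement for each source; 172.16.0.1 matches nothing and is dropped by the implicit deny, which is why the slides insist on at least one permit statement.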



Section 8.3 Configuring Access Control Lists


Key Ideas
Placing Standard and Extended ACLs
Basic ACL configuration process
Configuring numbered standard ACLs
Configuring numbered extended ACLs
Configuring named ACLs
Configure router VTY access


Configure and Implement Access Control Lists


Determine traffic filtering requirements
Decide which type of ACL to use
Determine the router and interface on which to apply the ACL
Determine in which direction to filter traffic


Activity 8.3.1[4] - Determine where to put the ACL



Configure and Implement Access Control Lists


ACL Processing and Creating Guidelines


Configure and Implement Access Control Lists: Numbered Standard ACL


Use access-list command to enter statements
Use the same number for all statements
Number ranges: 1-99, 1300-1999
Apply as close to the destination as possible


Configure and Implement Access Control Lists: Numbered Standard ACL


show ip interface
show access-lists
show running-config


Activity 8.3.3[3] - The sequence ACL...
Hands-on Lab 8.3.3[4] - Configuring and Verifying Standard ACLs

Configure and Implement Access Control Lists: Numbered Extended ACL


Use access-list command to enter statements
Use the same number for all statements
Number ranges: 100-199, 2000-2699
Specify a protocol to permit or deny
Place as close to the source as possible


Activity 8.3.4[3] - Determine the ACL
Hands-on Lab 8.3.4[4] - Planning, Configuring, and Verifying Extended ACLs

Configure and Implement Access Control Lists: Named ACLs


Descriptive name replaces number range
Use ip access-list command to enter initial statement
Start succeeding statements with either permit or deny
Apply in the same way as standard or extended ACL


Configure and Implement Access Control Lists: Named ACLs


Delete, Change, Insert ACL

PT Activity 8.3.5[3] - Configuring and Verifying Standard Named ACLs
Hands-on Lab 8.3.5[4] - Configuring and Verifying Standard Named ACLs

Configure and Implement Access Control Lists: VTY access


Create the ACL in line configuration mode
Use the access-class command to initiate the ACL
Use a numbered ACL
Apply identical restrictions to all VTY lines


Hands-on Lab 8.3.6[3] - Configuring and Verifying VTY Restrictions
PT 8.3.6[4] - Planning, Configuring, and Verifying Standard, Extended and Named ACLs

Section 8.4 Permitting and Denying Specific Types of Traffic


Key Ideas
Configuring ACLs for Application and Port Filtering
Configuring ACLs to Support Established Traffic
Effects of NAT and PAT on ACL Placement
Analyzing Network ACLs and Placement
Configuring ACLs with Inter-VLAN Routing


Create and Apply ACLs to Control Specific Types of Traffic


Use a specified condition when filtering on port numbers: eq, lt, gt
Deny all appropriate ports for multi-port applications like FTP
Use the range operator to filter a group of ports


PT Activity 8.4.1[3] - Configuring and Verifying Extended ACLs to Filter on Port Numbers

Create and Apply ACLs to Control Specific Types of Traffic


Block harmful external traffic while allowing internal users free access
Ping: allow echo replies while denying echo requests from outside the network
Stateful Packet Inspection

Activity 8.4.2[2] - Determine if the packet will be allowed



Create and Apply ACLs to Control Specific Types of Traffic


Account for NAT when creating and applying ACLs to a NAT interface
Filter public addresses on a NAT outside interface
Filter private addresses on a NAT inside interface

Hands-on Lab 8.4.3[2] - Configuring an ACL with NAT



Create and Apply ACLs to Control Specific Types of Traffic


Examine every ACL one line at a time to avoid unintended consequences

Activity 8.4.4[2] - Create an extended ACL based on the



Create and Apply ACLs to Control Specific Types of Traffic


Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

Hands-on Lab 8.4.5[2] - Configuring and Verifying ACLs to Filter Inter-VLAN Traffic
PT Activity 8.4.5[3] - Configuring and Verifying Extended ACLs with a DMZ

Section 8.5 Filtering Traffic Using Access Control Lists


Key Ideas
Using logging to verify ACLs
Analyzing routing logs
ACL best practices


Log ACL Activity and ACL Best Practices


Logging provides additional details on packets denied or permitted
Add the log option to the end of each ACL statement to be tracked


Hands-on Lab 8.5.1[3] - Configuring ACLs and Verifying with Console Logging

Log ACL Activity and ACL Best Practices


Syslog messages:
Status of router interfaces
ACL messages
Bandwidth, protocols in use, configuration events


Hands-on Lab 8.5.2[3] - Configuring ACLs and Recording Activity to a Syslog Server
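Added worked example, not from the Cisco slides: once ACL statements carry the log option and the router forwards to a syslog server, the messages are only useful if something reads them. The Python below parses the ACL log lines and totals denied packets per ACL and source, and lists the destination ports one source was denied on. The sample lines are constructed here in the shape of the IOS %SEC-6-IPACCESSLOG* messages as recalled by the editor (the slides do not show the format), so check the regex against your own router's output before relying on it; the function names (parse_acl_log, denied_packets_by_source, denied_dest_ports) are likewise the example's own.

```python
"""Parse IOS ACL log messages and summarize denied traffic per ACL and source.
Added example, not Cisco's code. Sample lines are constructed in the shape of
IOS %SEC-6-IPACCESSLOG* messages from memory; verify against real router output."""
import re
from collections import Counter

# P  = tcp/udp with ports, DP = icmp with type/code, S = standard ACL (source only).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>[a-z]+) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?,)?"
    r" (?P<count>\d+) packets?"
)

# Constructed sample: a console/syslog capture with a timestamp prefix, the first
# hit on a statement logged at once and the follow-up summary ("14 packets") later.
LOG_LINES = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40000) -> 192.168.10.10(23), 1 packet
*Mar  1 00:12:35.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40001) -> 192.168.10.10(22), 1 packet
*Mar  1 00:12:36.200: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 192.168.10.20 (8/0), 1 packet
*Mar  1 00:13:01.900: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(51000) -> 192.168.10.10(80), 1 packet
*Mar  1 00:17:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40000) -> 192.168.10.10(23), 14 packets
*Mar  1 00:18:00.000: %SEC-6-IPACCESSLOGS: list 10 denied 172.16.0.1 1 packet
*Mar  1 00:18:05.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
"""


def parse_acl_log(text):
    """One dict per recognized ACL log line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "count"):
            r[k] = int(r[k]) if r[k] is not None else None
        records.append(r)
    return records


def denied_packets_by_source(records):
    """Total denied packets keyed by (acl, source). Summing the per-message count
    matters because IOS rolls repeated hits into one line with 'N packets'."""
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["src"])] += r["count"]
    return totals


def denied_dest_ports(records, src):
    """Distinct destination ports a source was denied on. Many distinct ports from
    one source within a short window is the kind of pattern worth a closer look."""
    return sorted({r["dport"] for r in records
                   if r["action"] == "denied" and r["src"] == src and r["dport"] is not None})


if __name__ == "__main__":
    recs = parse_acl_log(LOG_LINES)
    for (acl, src), n in denied_packets_by_source(recs).most_common():
        print(f"list {acl}: {src} denied {n} packet(s), ports {denied_dest_ports(recs, src)}")
```

Feeding the constructed capture through the module reports 17 denied packets from 203.0.113.5 on list 101 (ports 22 and 23 plus the ICMP echo), one from 172.16.0.1 on list 10, and nothing for the permitted web connection, which is the per-source view the "analyzing logs" slide is after.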



Log ACL Activity and ACL Best Practices


Always test basic connectivity before applying ACLs
Add deny ip any to the end of an ACL when logging
Use reload in 30 when testing ACLs on remote routers


Summary
ACLs enable traffic management and secure access to and from a network and its resources
Apply an ACL to filter inbound or outbound traffic
ACLs can be standard, extended, or named
Using a wildcard mask provides flexibility
There is an implicit deny statement at the end of an ACL
Account for NAT when creating and applying ACLs
Logging provides additional details on filtered traffic
