Computer Networking
Access-List Overview
A Filter through which all traffic must pass
Used to Permit or Deny Access to a Network
Provides Security
Bandwidth Management
Come in two flavors STANDARD AND EXTENDED
What is an Access-List
A List of Criteria to which all Packets are compared.
Example criterion: Is this Packet from Network 10.5.2.0?
Yes - Forward the Packet
No - Check with the Next Statement
Packets are compared to an Access-list SEQUENTIALLY - From the Top Down. The sooner a decision is made the better. Well written Access-lists take care of the most abundant type of traffic first. All Access-lists End with an Implicit Deny All statement.
Extended Access-lists
Are given a # from 100-199
Much more flexible and complex
Can filter based on:
Source address
Destination address
Session Layer Protocol (ICMP, TCP, UDP..)
Port Number (80 http, 23 telnet)
Should be applied closest to the Source
Step 2 - Apply the Access-list to an Interface
Must be in interface config mode:
(config-if)# ip access-group <list-number> {in | out}
(in/out is from the router's point of view)
Wildcards
Allow you to indicate a Range of IP addresses in a single statement
Wildcard Examples
Network: 195.34.5.12   Wildcard: 0.0.0.0
Result: Match all four octets. Only 195.34.5.12 is a match.
Could also use "host 195.34.5.12" in place of the wildcard. Host indicates an exact match is needed.
Wildcard Examples
Network: 172.16.10.0   Wildcard: 0.0.0.255
Result: Match the first three octets exactly but ignore the last octet.
172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.
Implementing Access-lists
Remember the Implicit Deny All at the end
Implementing Access-lists
You cannot selectively add or remove statements from an Access-list.
Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
Document your Access-list
After each line indicate exactly what that line is supposed to do.
Implementing Access-lists
Verifying Your Access-list
show access-lists
show ip interfaces
Revisit your access-list after a few days.
Routers keep track of the number of packets that match each statement in an access-list. Use this information to reorder your access-list and thus improve its efficiency.
Never remove an access-list that is applied.
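The wildcard-mask matching, top-down first-match evaluation, implicit deny and per-line match counters described above, as an added Python model that is not part of the original slides and is not Cisco IOS code; it covers standard (source-address) lists only, and the list number, statements and source addresses are constructed sample values.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    # Only the bits that are 0 in the wildcard are compared
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

class StandardAcl:
    """Numbered standard ACL (1-99): source-address checks, top-down, implicit deny all."""
    def __init__(self, number):
        self.number = number
        self.entries = []

    def add(self, line):
        # Accepts 'permit 10.5.2.0 0.0.0.255', 'deny host 172.16.10.7', 'permit any'
        parts = line.split()
        action, target = parts[0], parts[1]
        if target == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            net, wc = parts[2], "0.0.0.0"
        else:
            net, wc = target, (parts[2] if len(parts) > 2 else "0.0.0.0")
        self.entries.append({"action": action, "net": net, "wc": wc, "hits": 0})

    def check(self, src):
        """Evaluate statements in order; the first match decides and its counter is bumped."""
        for e in self.entries:
            if wildcard_match(src, e["net"], e["wc"]):
                e["hits"] += 1
                return e["action"] == "permit"
        return False  # implicit deny all at the end of every access-list

    def show(self):
        """Mimic the shape of 'show access-lists' output, including match counters."""
        out = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            out.append(f"    {e['action']} {e['net']} {e['wc']} ({e['hits']} matches)")
        return "\n".join(out)

if __name__ == "__main__":
    acl = StandardAcl(10)  # constructed sample list: the host deny must precede the network permit
    for line in ("deny host 172.16.10.7", "permit 172.16.10.0 0.0.0.255", "permit 10.5.2.0 0.0.0.255"):
        acl.add(line)
    for src in ("10.5.2.44", "172.16.10.7", "172.16.10.200", "192.168.1.1"):
        print(src, "permitted" if acl.check(src) else "denied")
    print(acl.show())
```

Swapping the first two statements would let the network permit shadow the host deny, which is why order and the match counters matter when you revisit a list.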
Summary: Access-Lists
Are Created and then Applied to an interface
Are Implemented Sequentially - Top Down
End with an implicit Deny ALL statement
#1-99 Standard and #100-199 Extended
Standard - source address only
Extended - source, destination, protocol, port