Transcript Document

Access Lists
Access Lists
• Network traffic flow and security influence
the design and management of computer
networks
• Access lists are permit or deny statements that filter traffic both to and from a network segment based on
– the source address,
– destination address,
– protocol type,
– and port number of a packet.
Problems with Access Lists
• One of the most common problems
associated with access lists is a lack of
planning
• Another troublesome area is the sequential
nature in which you must enter the list into
the router
• Many new network administrators find
themselves in trouble when they Telnet into
a router and begin applying an access list
Access List Rules
• Access lists are first created, and then they are applied to interfaces
• Inbound: Direction is into the router
• Outbound: Direction is out of the router
Access List Rules
• Routers apply lists sequentially in the order in
which you type them into the router
• Routers apply lists to packets sequentially
• Packets are processed only until a match is
made and then they are acted upon based on
the access list criteria contained in access list
statements
• Implicit deny any
– Blocks all packets that do not meet the requirements of the access list unless a permit any statement is used at the end of the list
Access List Rules
• Access lists must be applied to an
interface as either inbound or outbound
traffic filters
• Only one list, per protocol, per direction
can be applied to an interface
• You cannot remove one line from an
access list.
• Access lists are effective as soon as they are applied
Standard IP Access Lists
• Standard IP Access Lists
– Filter network traffic based on the source
IP address only
– Using a standard IP access list, you can
filter traffic by a host IP, subnet, or a
network address
• Wildcard mask
– Also called inverse mask
– Applied to IP addresses to determine if an
access list line will act upon a packet
Wildcard mask
• Used to specify part of network
• Block size: 64, 32, 16, 8, 4
• Examples
deny 172.16.10.0 0.0.0.255
deny 172.16.0.0 0.0.255.255
deny 172.16.16.0 0.0.3.255
deny 172.16.16.0 0.0.7.255
deny 172.16.32.0 0.0.31.255
Standard IP Access List Examples
Monitoring Standard IP Access Lists
• Three main commands are available for
monitoring access lists on your router:
– show access-lists
– show ip access-lists
– show interfaces or show ip interfaces
• It is a good idea to run each of these
commands after creating and applying
access lists
Lab
Extended IP Access Lists
• IP access lists that filter traffic by:
– Source IP address
– Destination IP address
– Protocol type
– Port number
• Type R(config)#access-list ?
• Type R(config)#access-list 110 ?
• Type R(config)#access-list 110 deny ?
• Type R(config)#access-list 110 deny tcp ?
• Type R(config)#access-list 110 deny tcp any ?
• Type R(config)#access-list 110 deny tcp any host 172.16.30.2 ?
• Type R(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
Extended IP Access Lists
Interpret these commands
R(config)#access-list 110 deny tcp host 172.16.20.10 host 172.16.30.2 eq 80
R(config)#access-list 110 deny tcp host 172.16.20.10 any eq 80
R(config)#access-list 110 deny tcp any any eq 80
Extended IP Access List Examples
Acme# config terminal
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)# access-list 110 permit ip any any
Acme(config)# int e0
Acme(config-if)# ip access-group 110 out
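As an added illustration (not part of the slides), the following Python models how a router evaluates the ACL 110 shown above: it parses the access-list statements, applies wildcard-mask matching as described on the wildcard mask slide, processes statements sequentially until the first match, and falls back to the implicit deny. The sample packets are constructed for this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse) mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that are 0 in the wildcard must match
    return a & care == b & care

def parse_ace(line):
    """Parse one extended ACE: access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
    where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    tok = line.split()
    number, action, proto = int(tok[1]), tok[2], tok[3]
    def take_addr(i):
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1   # any: every bit ignored
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2          # host: every bit must match
        return (tok[i], tok[i + 1]), i + 2                 # explicit address + wildcard
    src, i = take_addr(4)
    dst, i = take_addr(i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": port}

def evaluate(acl, packet):
    """Apply ACEs top to bottom; the first match decides, no match means implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):     # 'ip' matches any protocol
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"]
    return "deny"   # implicit deny any at the end of every list

# ACL 110 from the slide (prompt omitted): block FTP and Telnet to 172.16.10.5, permit the rest.
ACL_110 = [parse_ace(l) for l in (
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 deny tcp any host 172.16.10.5 eq 23",
    "access-list 110 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed sample packets, not from the slides
    for pkt in ({"proto": "tcp", "src": "172.16.20.10", "dst": "172.16.10.5", "dport": 23},
                {"proto": "tcp", "src": "172.16.20.10", "dst": "172.16.10.5", "dport": 80}):
        print(pkt["dport"], evaluate(ACL_110, pkt))
```

Removing the final permit ip any any line from ACL_110 shows the implicit deny taking effect for every non-matching packet, which is the lockout trap described on the earlier slides.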
Extended IP Access List Examples
Type commands to block host 172.22.5.2 from accessing Web
Services on server 172.22.2.2
Monitoring Extended IP Access Lists
Standard IPX Access Lists
• Very similar to their IP cousins
– One distinct difference
• Can filter based on source and destination
addresses
– Standard IP access lists can only filter based
on source addresses
• In all other aspects, they act just like
standard IP access lists
Standard IPX Access List Examples
Extended IPX Access Lists
• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number
Extended IPX Access Lists
IPX SAP Filters
• Limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients
– Allows you to limit the “advertising” of particular
servers and services to a particular IPX network
segment
– Since SAP advertisements are broadcast, limiting
them reduces network traffic
• IPX input SAP filters reduce the number of
SAP entries that are placed into a router’s
SAP table
IPX SAP Filter Example