Named access list

Submitted To: Mr. Parvesh Mor
Submitted by: Anil Sharma
Reg: 11107936

Access lists:
• Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
• Available for IP, IPX, AppleTalk, and many other protocols

Introduction:
An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations. One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they will allow only certain hosts to access web resources on the internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce any security policy they can invent.

Some important points about access lists:
• Powerful tools that control access both to and from network segments
• Can filter unwanted packets
• Can be used to implement security
Access List Usage:
• You can create a standard access list that examines a packet for the packet's source header information
• deny any statement
  – Implicitly blocks all packets that do not meet the requirements of the access list
  – Exists even though it is not shown as part of the access list
• With careful planning, you can create access lists that control which traffic crosses particular links and which segments of your network will have access to others

Problems with Access Lists:
• Lack of planning is one of the most common problems associated with access lists
• The need to enter the list sequentially into the router also presents problems
  – You cannot move individual statements once they are entered
  – When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands
  – While a numbered list is deleted, an interface that still references it passes all traffic (IOS treats an undefined list as permit all), so build the corrected list before it is needed or make the change in a window where that exposure is acceptable
• Access lists begin working the second they are applied to an interface

Access List Rules:
• Example of the structure of a standard IP access list:
  RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
  RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
  RouterA(config)#access-list 1 permit any
• Router applies each line in the order in which you type it into the access list
• The no access-list [list #] command is used to remove an access list
• As a general rule, the lines with the most potential matches should be first in the list
  – So that packets will not undergo unnecessary processing
  – Reorder for efficiency only when it does not change which statement a packet matches first; a broad statement placed above a more specific one makes the specific one unreachable
• You should avoid unnecessarily long access lists
• After you create access lists, you must apply them to interfaces so they can begin filtering traffic
• You apply a list as either an outgoing or an incoming filter
  – Only one list, per protocol, per direction can be applied to an interface
  – Access lists are effective as soon as they are applied

Standard IP Access Lists:
• Standard IP access lists
  – Filter network traffic based on the source IP address only
  – Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
• In summary, all access lists follow these rules:
  – Routers apply lists sequentially in the order in which you type them into the router
  – Routers apply lists to packets sequentially, from the top down, one line at a time
  – Packets are processed only until a match is made
  – Lists always end with an implicit deny
  – Access lists must be applied to an interface as either inbound or outbound traffic filters
Configure standard IP access lists:
• access-list [list #] [permit|deny] [source address] [source wildcard mask]
• Routers use wildcards to determine which bits in an address will be significant
  – A 0 bit in the wildcard mask means the corresponding address bit must match; a 1 bit means that bit is ignored (the inverse of a subnet mask)
  – 0.0.0.0 therefore matches a single host, 0.0.0.255 matches a /24, and 255.255.255.255 matches any address
• Wildcard mask example:
  (figure: wildcard masking example matching a single host)
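The evaluation rules above (top-down, first match, implicit deny, wildcard bits) are easy to state and easy to get wrong. The following is an added example, not code from the original slides, that simulates how a standard IP access list is evaluated and flags statements that can never match because an earlier statement already covers them. It accepts the statement syntax shown on the slides plus the `any` and `host` keywords; the list names `SLIDE_ACL` (taken from the slide example) and `MISORDERED_ACL` (a constructed list with a planning mistake) are the example's own.

```python
"""Added example, not from the original slides: a small simulator for how a
Cisco-style standard IP access list is evaluated, following the rules the
slides state: statements are tested top down, processing stops at the first
match, and every list ends with an implicit deny."""
import ipaddress

IMPLICIT_DENY = ("deny", "implicit deny at end of list")

# The access list from the slides, plus a constructed variant with a planning
# mistake (a "permit any" entered before the deny it was meant to follow).
SLIDE_ACL = [
    "access-list 1 deny 172.22.5.2 0.0.0.0",
    "access-list 1 deny 172.22.5.3 0.0.0.0",
    "access-list 1 permit any",
]
MISORDERED_ACL = [
    "access-list 3 permit any",
    "access-list 3 deny 172.22.5.2 0.0.0.0",
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, pattern, wildcard):
    """True if `address` matches `pattern` under a Cisco wildcard mask.

    A 0 bit in the wildcard means "this bit must match", a 1 bit means "don't
    care" (the inverse of a subnet mask): 0.0.0.0 matches one host, 0.0.0.255
    matches a /24, 255.255.255.255 matches anything.
    """
    care = ~_to_int(wildcard)
    return (_to_int(address) & care) == (_to_int(pattern) & care)


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <source> [<wildcard>]' statements.

    'any' and 'host A.B.C.D' expand to their wildcard form; a bare address with
    no wildcard gets 0.0.0.0, which is what IOS assumes for a standard list.
    Returns a list of (list number, action, pattern, wildcard) in entry order.
    """
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list statement: {line!r}")
        number, action, src = int(t[1]), t[2], t[3]
        if src == "any":
            pattern, wildcard = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            pattern, wildcard = t[4], "0.0.0.0"
        else:
            pattern, wildcard = src, (t[4] if len(t) > 4 else "0.0.0.0")
        entries.append((number, action, pattern, wildcard))
    if len({e[0] for e in entries}) > 1:
        raise ValueError("statements belong to more than one list")
    return entries


def evaluate_standard_acl(entries, source_ip):
    """Return (action, statement) for the first statement matching source_ip,
    or IMPLICIT_DENY when nothing matches (the deny that IOS never displays)."""
    for number, action, pattern, wildcard in entries:
        if wildcard_match(source_ip, pattern, wildcard):
            return action, f"access-list {number} {action} {pattern} {wildcard}"
    return IMPLICIT_DENY


def shadowed_statements(entries):
    """Indexes of statements that can never match because an earlier statement
    already covers every address they cover (the 'lack of planning' problem).

    Statement i covers statement j when j's don't-care bits are a subset of
    i's and the two patterns agree on every bit that i cares about."""
    dead = []
    for j, (_, _, pj, wj) in enumerate(entries):
        for _, _, pi, wi in entries[:j]:
            wi_i, wj_i = _to_int(wi), _to_int(wj)
            if (wj_i & ~wi_i) == 0 and (_to_int(pi) & ~wi_i) == (_to_int(pj) & ~wi_i):
                dead.append(j)
                break
    return dead


if __name__ == "__main__":
    acl = parse_standard_acl(SLIDE_ACL)
    for ip in ("172.22.5.2", "172.22.5.3", "172.22.5.9"):
        print(ip, "->", evaluate_standard_acl(acl, ip))
    print("deny-only list:", evaluate_standard_acl(
        parse_standard_acl(["access-list 2 deny 172.22.5.2 0.0.0.0"]), "10.0.0.1"))
    print("dead statements in MISORDERED_ACL:",
          shadowed_statements(parse_standard_acl(MISORDERED_ACL)))
```

Running it shows the two slide hosts denied and everything else permitted by the slide list, every source denied by a list that contains only deny statements, and the deny in `MISORDERED_ACL` reported as dead because `permit any` above it matches first.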
Standard IP Access List Examples:
• Standard IP access lists permit or deny packets based only on the source address
  – Addresses can be a single host address, a subnet address, or a full network address
• Correct placement of a list is imperative
  – Because a standard list sees only the source address, it is normally placed as close to the destination as possible; placed near the source it would block that source from every destination
• Application of the list as an outbound filter on FastEthernet0/0
  – See Figure 10-15
• If you decide that an access list needs to be removed from an interface
  – You can remove it with the no ip access-group [list #] command
• To view the access lists defined on your router, use the show access-lists command
  – For IP access lists you could also use the show ip access-lists command
• Use the show access-lists or show ip access-lists command followed by the show ip interface command
  – To verify that the list has been entered and applied correctly
Monitoring Standard IP Access Lists:
• Three main commands are available for monitoring access lists on your router
  – show access-lists
  – show ip access-lists
  – show interfaces or show ip interface
• show access-lists and show ip access-lists also display a match counter per statement, which is the quickest way to confirm that traffic is hitting the line you expect
• show ip interface reports, for each interface, which list is applied inbound and which outbound
• Use the no ip access-group [list #] [direction] command to remove the application of the list
Extended IP Access Lists:
• Extended IP access lists
  – Can filter by source IP address, destination IP address, protocol type, and application port number
  – This granularity allows you to design extended IP access lists that:
    • Permit or deny a single type of IP protocol
    • Filter by a particular port of a particular protocol
• To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax:
  access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
  – The [operator] [port] fields apply only to tcp and udp; log records each match to the router's logging destination, which is useful while verifying a list but costs CPU on a busy interface
  – Use the no access-list [list #] command to remove the list
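To show how the extra fields of an extended statement are matched against a packet, here is an added example, not code from the original slides, that parses statements in the syntax just shown (with the `any` and `host` address keywords and the eq, neq, lt, gt and range port operators) and evaluates constructed packets against them. The list `SAMPLE_ACL`, the `Packet` class and the addresses in it are the example's own and are not taken from the slides.

```python
"""Added example, not from the original slides: evaluating a Cisco-style
extended IP access list. Each statement matches on protocol, source and
destination address (with wildcard masks) and, for tcp/udp only, on port
operators (eq, neq, lt, gt, range). Evaluation is top down, first match wins,
and a packet matching nothing is denied."""
import ipaddress
from dataclasses import dataclass

IMPLICIT_DENY = ("deny", "implicit deny at end of list")

# Constructed sample list (not from the slides): log and drop telnet into the
# 192.168.12.0/24 management segment, allow web to one server, allow DNS
# queries from the segment (ephemeral source port), allow icmp.
SAMPLE_ACL = [
    "access-list 101 deny tcp any 192.168.12.0 0.0.0.255 eq 23 log",
    "access-list 101 permit tcp any host 192.168.12.80 eq 80",
    "access-list 101 permit udp 192.168.12.0 0.0.0.255 range 49152 65535 any eq 53",
    "access-list 101 permit icmp any any",
]


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0        # meaningful for tcp/udp only
    dport: int = 0


def wildcard_match(address, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (address, pattern, wildcard))
    return (a & ~w) == (p & ~w)


def _take_address(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _take_port_operator(t, i):
    """Consume an optional port operator at t[i]; return (predicate or None, next index)."""
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
        n = int(t[i + 1])
        ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
               "lt": lambda p: p < n, "gt": lambda p: p > n}
        return ops[t[i]], i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return None, i


def parse_extended_acl(lines):
    """Parse statements of the form shown on the slides into dicts, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended access-list statement: {line!r}")
        proto = t[3]
        src, src_wc, i = _take_address(t, 4)
        sport, i = _take_port_operator(t, i)
        dst, dst_wc, i = _take_address(t, i)
        dport, i = _take_port_operator(t, i)
        if (sport or dport) and proto not in ("tcp", "udp"):
            raise ValueError(f"port operators apply only to tcp/udp: {line!r}")
        entries.append(dict(line=line, action=t[2], proto=proto,
                            src=src, src_wc=src_wc, sport=sport,
                            dst=dst, dst_wc=dst_wc, dport=dport,
                            log=(i < len(t) and t[i] == "log")))
    return entries


def entry_matches(e, pkt):
    """True when every field the statement specifies matches the packet.
    Protocol 'ip' matches any IP protocol; an absent port operator matches any port."""
    return ((e["proto"] == "ip" or e["proto"] == pkt.proto)
            and wildcard_match(pkt.src, e["src"], e["src_wc"])
            and wildcard_match(pkt.dst, e["dst"], e["dst_wc"])
            and (e["sport"] is None or e["sport"](pkt.sport))
            and (e["dport"] is None or e["dport"](pkt.dport)))


def evaluate_extended_acl(entries, pkt):
    """Return (action, statement text) of the first match, else IMPLICIT_DENY."""
    for e in entries:
        if entry_matches(e, pkt):
            return e["action"], e["line"]
    return IMPLICIT_DENY


if __name__ == "__main__":
    acl = parse_extended_acl(SAMPLE_ACL)
    for pkt in (Packet("tcp", "10.0.0.5", "192.168.12.10", 40000, 23),
                Packet("tcp", "10.0.0.5", "192.168.12.80", 40000, 80),
                Packet("tcp", "10.0.0.5", "192.168.12.80", 40000, 443),
                Packet("udp", "192.168.12.7", "8.8.8.8", 50000, 53),
                Packet("udp", "192.168.12.7", "8.8.8.8", 1000, 53)):
        print(pkt, "->", evaluate_extended_acl(acl, pkt))
```

The run makes the granularity visible: telnet into the segment hits the logged deny, web to the one server is permitted, web on any other port or to any other host falls through to the implicit deny, and a DNS query is permitted only when its source port is in the ephemeral range the statement names.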
Using Named Lists:
• Named access lists
  – In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
• To name a standard IP access list, use the following syntax:
  RouterC(config)#ip access-list standard [name]
• To name an extended IP access list, use the following syntax:
  RouterC(config)#ip access-list extended [name]
• Once the list is named, the permit or deny statements are entered
• The statements follow the same syntax as unnamed lists
  – The beginning part of the command (access-list [list #]) is not included
• To apply a standard IP named list to an interface, the syntax is:
  RouterC(config-if)#ip access-group [name] [in | out]
Advantages:
– Allows you to maintain security by using an easily identifiable access list
– Removes the limit of 100 lists per filter type
– With named access lists lines can be selectively deleted in the ACL
– Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed

Using Security Device Manager to Create Access Control Lists:
• Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI
• SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)

Controlling VTY Line Access:
• Access lists are used for both traffic flow and security
• One useful security feature of access lists is restricting access to telnet on your router
  – By controlling VTY line access
• You must first create a standard IP access list that permits the management workstation:
  RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0
• Then, it must be applied to the VTY lines: access-class [acl #] in | out
• To apply access list 12 to the VTY lines, use the following commands:
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 12 in
  – The implicit deny at the end of list 12 rejects every other source, so confirm the management address is correct before leaving the session
  – Check how many VTY lines the platform has with show line; many platforms have 16 (vty 0 15), and lines not covered by the access-class remain unrestricted
• The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are:
  RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 13 in