CCNA Discovery 3 - Chapter 8

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
CCNA Discovery 3 - Chapter 9
CCNA Discovery 3 - Chapter 9
Carregando em…3
×

Confira estes a seguir

1 de 26 Anúncio
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Anúncio

Semelhante a CCNA Discovery 3 - Chapter 8 (20)

Mais de Irsandi Hasan (20)

Anúncio

CCNA Discovery 3 - Chapter 8

  1. Filtering Traffic Using Access Control Lists
     Introducing Routing and Switching in the Enterprise – Chapter 8, Version 4.0
     © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
  2. Objectives
     - Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
     - Analyze the use of wildcard masks.
     - Configure and implement ACLs.
     - Create and apply ACLs to control specific types of traffic.
     - Log ACL activity and integrate ACL best practices.
  3. Describe Traffic Filtering
     - Analyze the contents of a packet
     - Allow or block the packet
     - Based on source IP, destination IP, MAC address, protocol, application type
  4. Describe Traffic Filtering
     Devices providing traffic filtering:
     - Firewalls built into integrated routers
     - Dedicated security appliances
     - Servers
  5. Describe Traffic Filtering
     Uses for ACLs:
     - Specify internal hosts for NAT
     - Classify traffic for QoS
     - Restrict routing updates, limit debug outputs, control virtual terminal access
  6. Describe Traffic Filtering
     Possible issues with ACLs:
     - Increased load on router
     - Possible network disruption
     - Unintended consequences from incorrect placement
  7. Describe Traffic Filtering
     - Standard ACLs filter based on source IP address
     - Extended ACLs filter on source and destination, as well as protocol and port number
     - Named ACLs can be either standard or extended
  8. Describe Traffic Filtering
     - ACLs consist of statements
     - At least one statement must be a permit statement
     - Final statement is an implicit deny
     - ACL must be applied to an interface in order to work
  9. Describe Traffic Filtering
     - ACL is applied inbound or outbound
     - Direction is from the router's perspective
     - Each interface can have one ACL per direction for each network protocol
  10. Analyze the Use of Wildcard Masks
     - Wildcard mask can block a range of addresses or a whole network with one statement
     - 0s indicate which part of an IP address must match the ACL
     - 1s indicate which part does not have to match specifically
  11. Analyze the Use of Wildcard Masks
     - Use the host parameter in place of a 0.0.0.0 wildcard
     - Use the any parameter in place of a 255.255.255.255 wildcard
  12. Configure and Implement Access Control Lists
     - Determine traffic filtering requirements
     - Decide which type of ACL to use
     - Determine the router and interface on which to apply the ACL
     - Determine in which direction to filter traffic
  13. Configure and Implement Access Control Lists: Numbered Standard ACL
     - Use access-list command to enter statements
     - Use the same number for all statements
     - Number ranges: 1-99, 1300-1999
     - Apply as close to the destination as possible
  14. Configure and Implement Access Control Lists: Numbered Extended ACL
     - Use access-list command to enter statements
     - Use the same number for all statements
     - Number ranges: 100-199, 2000-2699
     - Specify a protocol to permit or deny
     - Place as close to the source as possible
  15. Configure and Implement Access Control Lists: Named ACLs
     - Descriptive name replaces number range
     - Use ip access-list command to enter initial statement
     - Start succeeding statements with either permit or deny
     - Apply in the same way as standard or extended ACL
  16. Configure and Implement Access Control Lists: VTY access
     - Create the ACL in line configuration mode
     - Use the access-class command to initiate the ACL
     - Use a numbered ACL
     - Apply identical restrictions to all VTY lines
  17. Create and Apply ACLs to Control Specific Types of Traffic
     - Use a specified condition when filtering on port numbers: eq, lt, gt
     - Deny all appropriate ports for multi-port applications like FTP
     - Use the range operator to filter a group of ports
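The rules on slides 8 through 17 (wildcard bits, the host and any shorthands, standard versus extended number ranges, top-down first-match processing, the implicit deny, and the eq/lt/gt/range port operators) are easier to reason about when you can run them against a packet. The simulator below is an added example written for this page; it is not Cisco course material and not IOS itself. It accepts statements in the IOS `access-list` text form, but the `Packet` and `ACE` names, the `evaluate` function, and the decision to parse only destination-side port operators (and no ICMP types) are this example's own assumptions.

```python
"""Added example (not course code): a small simulator of IOS-style ACL processing.
It implements the rules the slides state: wildcard masks (0 bits must match,
1 bits are ignored), the host/any shorthands, standard ACLs (1-99, 1300-1999,
source only) versus extended ACLs (100-199, 2000-2699: protocol, source,
destination, destination-port operator eq/neq/lt/gt/range), top-down
first-match evaluation, and the implicit deny at the end of every list.
Assumptions: statements are given in IOS 'access-list' text form, only
destination port operators are parsed, and ICMP types are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                      # (address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol (standard ACLs use it)
    src: Addr
    dst: Addr
    port_op: Optional[Tuple[str, int, int]] = None  # (operator, low, high)


def wildcard_match(packet_ip: str, ace_ip: str, wildcard: str) -> bool:
    """Wildcard bit 0 -> packet bit must equal the ACE bit; bit 1 -> don't care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == \
           (int(ipaddress.IPv4Address(ace_ip)) & care)


def parse_address(t: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | 'A.B.C.D' at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":                      # host X == X 0.0.0.0
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1         # IOS default wildcard when omitted


def parse_ace(line: str) -> Tuple[int, ACE]:
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
        src, _ = parse_address(t, 3)
        return number, ACE(action, "ip", src, ANY)
    if 100 <= number <= 199 or 2000 <= number <= 2699:    # extended
        src, i = parse_address(t, 4)
        dst, i = parse_address(t, i)
        port_op = None
        if i < len(t):                      # trailing eq/neq/lt/gt/range <port(s)>
            op = t[i]
            high = int(t[i + 2]) if op == "range" else int(t[i + 1])
            port_op = (op, int(t[i + 1]), high)
        return number, ACE(action, t[3], src, dst, port_op)
    raise ValueError(f"unsupported ACL number {number}")


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.port_op is None:
        return True
    if pkt.dport is None:
        return False
    op, lo, hi = ace.port_op
    return {"eq": pkt.dport == lo, "neq": pkt.dport != lo, "lt": pkt.dport < lo,
            "gt": pkt.dport > lo, "range": lo <= pkt.dport <= hi}[op]


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins. Returns (action, matching statement);
    the statement is None when the implicit 'deny ip any any' applied."""
    for line in acl:
        _, ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", None


# Constructed sample lists (not from the course).
ACL_10 = ["access-list 10 permit 192.168.1.0 0.0.0.255"]            # standard
ACL_101 = [
    "access-list 101 deny tcp any host 10.0.0.5 eq 23",                 # no Telnet to the server
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any range 20 21",  # FTP uses two ports
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.168.1.10", "10.0.0.5", 23),
                Packet("tcp", "192.168.1.10", "10.0.0.5", 21),
                Packet("tcp", "172.16.0.9", "10.0.0.5", 80)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Two things worth noticing when you run it: the third packet matches no statement and is dropped by the implicit deny, which is why a list containing only deny statements blocks everything (slide 8), and the wildcard 0.0.15.255 with 192.168.16.0 matches 192.168.16.0 through 192.168.31.255 in one statement (slide 10).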
  18. Create and Apply ACLs to Control Specific Types of Traffic
     - Block harmful external traffic while allowing internal users free access
     - Ping: allow echo replies while denying echo requests from outside the network
     - Stateful Packet Inspection
  19. Create and Apply ACLs to Control Specific Types of Traffic
     - Account for NAT when creating and applying ACLs to a NAT interface
     - Filter public addresses on a NAT outside interface
     - Filter private addresses on a NAT inside interface
  20. Create and Apply ACLs to Control Specific Types of Traffic
     - Examine every ACL one line at a time to avoid unintended consequences
  21. Create and Apply ACLs to Control Specific Types of Traffic
     - Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces
  22. Log ACL Activity and ACL Best Practices
     - Logging provides additional details on packets denied or permitted
     - Add the log option to the end of each ACL statement to be tracked
  23. Log ACL Activity and ACL Best Practices
     Syslog messages:
     - Status of router interfaces
     - ACL messages
     - Bandwidth, protocols in use, configuration events
  24. Log ACL Activity and ACL Best Practices
     - Always test basic connectivity before applying ACLs
     - Add deny ip any to the end of an ACL when logging
     - Use reload in 30 when testing ACLs on remote routers
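Slides 22 through 24 say to add the `log` keyword to the statements you want tracked and to end a logged list with an explicit deny; the payoff is on the syslog collector, where the resulting messages can be summarized per list and per source. The parser below is an added example, not course material; it assumes the `%SEC-6-IPACCESSLOG{P,DP,NP,S}` message shapes IOS uses for logged ACL hits, and the sample lines are constructed for this example rather than captured from a router. The function names are this example's own.

```python
"""Added example (not course code): parse the syslog messages IOS emits for
ACL statements carrying the 'log' keyword, then total them per list and
source so that a steady stream of denies from one host stands out.
Assumes the %SEC-6-IPACCESSLOG{P,DP,NP,S} message formats (P: TCP/UDP with
ports, DP: ICMP with type/code, NP: other IP protocols, S: standard ACL).
The sample log is constructed, not captured."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP|S): list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?:(?P<proto>\S+) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?)?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?,? (?P<count>\d+) packets?"
)

# Constructed sample: Telnet and ping attempts blocked by list 101, one host
# outside the permitted range hitting standard list 10, one permitted flow,
# and one unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.0.9(4021) -> 10.0.0.5(23), 1 packet
*Mar  1 00:17:41.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.0.9(4022) -> 10.0.0.5(23), 4 packets
*Mar  1 00:18:02.118: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.0.9 -> 10.0.0.5 (8/0), 1 packet
*Mar  1 00:19:55.440: %SEC-6-IPACCESSLOGS: list 10 denied 192.168.2.77 1 packet
*Mar  1 00:20:10.003: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(51000) -> 10.0.0.5(80), 12 packets
*Mar  1 00:21:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_acl_log(text: str) -> Tuple[List[dict], int]:
    """Return (events, skipped): one dict per ACL log message, plus the number
    of non-empty lines that were not ACL messages."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            if line.strip():
                skipped += 1
            continue
        ev = m.groupdict()
        ev["count"] = int(ev["count"])
        events.append(ev)
    return events, skipped


def summarize(events: List[dict]) -> Dict[str, Dict[Tuple[str, str], int]]:
    """Packets per (ACL, source address), split by action. The packet counts are
    summed rather than lines counted: IOS logs the first matching packet and
    then periodic totals, so counting lines would undercount."""
    totals = {"denied": defaultdict(int), "permitted": defaultdict(int)}
    for ev in events:
        totals[ev["action"]][(ev["acl"], ev["src"])] += ev["count"]
    return {action: dict(per_src) for action, per_src in totals.items()}


def noisy_sources(summary: Dict[str, Dict[Tuple[str, str], int]],
                  threshold: int = 5) -> List[Tuple[str, str]]:
    """(ACL, source) pairs whose denied packet total reaches the threshold."""
    return sorted(key for key, n in summary["denied"].items() if n >= threshold)


if __name__ == "__main__":
    evs, skipped = parse_acl_log(SAMPLE_LOG)
    summary = summarize(evs)
    print(f"{len(evs)} ACL events, {skipped} other lines skipped")
    for (acl, src), n in sorted(summary["denied"].items()):
        print(f"list {acl}: {n} packets denied from {src}")
    print("sources over threshold:", noisy_sources(summary))
```

This also explains the slide 24 advice to end a logged list with an explicit deny: the implicit deny at the end of every ACL drops packets silently and never produces one of these messages, so only an explicit `deny ... log` statement makes the dropped traffic visible to the parser.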
  25. Summary
     - ACLs enable traffic management and secure access to and from a network and its resources
     - Apply an ACL to filter inbound or outbound traffic
     - ACLs can be standard, extended, or named
     - Using a wildcard mask provides flexibility
     - There is an implicit deny statement at the end of an ACL
     - Account for NAT when creating and applying ACLs
     - Logging provides additional details on filtered traffic