CCNA Guide to Cisco Networking Fundamentals Fourth Edition

1
CCNA Guide to Cisco Networking Fundamentals
Fourth Edition

• Chapter 10
• Access Lists

2
Objectives

• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Apply access lists to interfaces
• Monitor and verify access lists

3
Objectives (continued)

• Create named access lists
• Use Security Device Manager to create standard
  and extended IP access lists
• Use Security Device Manager to create a router
  firewall

4
Access Lists Usage and Rules

• Access lists
• Permit or deny statements that filter traffic
  based on the source address, destination address,
  protocol type, and port number of a packet
• Available for IP, IPX, AppleTalk, and many other
  protocols

5
Access List Usage

• You can create a standard access list that
  examines a packet for the packets source header
  information
• deny any statement
• Implicitly blocks all packets that do not meet
  the requirements of the access list
• Exists even though it is not shown as part of the
  access list
• With careful planning, you can create access
  lists that control which traffic crosses
  particular links
• And which segments of your network will have
  access to others

6
Access List Usage (continued)
7
Problems with Access Lists

• Lack of planning is one of the most common
  problems associated with access lists
• The need to enter the list sequentially into the
  router also presents problems
• You cannot move individual statements once they
  are entered
• When making changes, you must remove the list,
  using the no access-list list number command,
  and then retype the commands
• Access lists begin working the second they are
  applied to an interface

8
Access List Rules

• Example of the structure of a standard IP access
  list
• RouterA(config)access-list 1 deny 172.22.5.2
  0.0.0.0
• RouterA(config)access-list 1 deny 172.22.5.3
  0.0.0.0
• RouterA(config) access-list 1 permit any
• Router applies each line in the order in which
  you type it into the access list
• The no access-list list command is used to
  remove an access list

9
Access List Rules (continued)
10
Access List Rules (continued)

• As a general rule, the lines with the most
  potential matches should be first in the list
• So that packets will not undergo unnecessary
  processing
• You should avoid unnecessarily long access lists
• After you create access lists, you must apply
  them to interfaces so they can begin filtering
  traffic
• You apply a list as either an outgoing or an
  incoming filter

11
Access List Rules (continued)

• In summary, all access lists follow these rules
• Routers apply lists sequentially in the order in
  which you type them into the router
• Routers apply lists to packets sequentially, from
  the top down, one line at a time
• Packets are processed only until a match is made
• Lists always end with an implicit deny
• Access lists must be applied to an interface as
  either inbound or outbound traffic filters
• Only one list, per protocol, per direction can be
  applied to an interface
• Access lists are effective as soon as they are
  applied

12
Standard IP Access Lists

• Standard IP access lists
• Filter network traffic based on the source IP
  address only
• Using a standard IP access list, you can filter
  traffic by a host IP, subnet, or a network
  address
• Configure standard IP access lists
• access-list list permitdeny source
  address source wildcard mask
• Routers use wildcards to determine which bits in
  an address will be significant

13
Standard IP Access Lists (continued)
14
Standard IP Access Lists (continued)
15
Standard IP Access Lists (continued)
16
Standard IP Access Lists (continued)
17
Standard IP Access Lists (continued)
18
Standard IP Access List Examples

• Standard IP access lists permit or deny packets
  based only on the source address
• Addresses can be a single host address, a subnet
  address, or a full network address

19
(No Transcript)
20
Standard IP Access List Examples (continued)
21
Standard IP Access List Examples (continued)

• Correct placement of a list is imperative
• To view the access lists defined on your router,
  use the show access-lists command
• For IP access lists you could also use the show
  ip access-lists command
• If you decide that an access list needs to be
  removed from an interface
• You can remove it with the no ip access-group
  list command

22
(No Transcript)
23
Standard IP Access List Examples (continued)
24
Standard IP Access List Examples (continued)
25
Standard IP Access List Examples (continued)
26
Standard IP Access List Examples (continued)
27
Standard IP Access List Examples (continued)

• Application of the list as an outbound filter on
  FastEthernet0/0
• See Figure 10-15
• Use the show access-lists or show ip access-lists
  command followed by the show ip interface command
• To verify that the list has been entered and
  applied correctly

28
Standard IP Access List Examples (continued)
29
(No Transcript)
30
Standard IP Access List Examples (continued)
31
Monitoring Standard IP Access Lists

• Three main commands are available for monitoring
  access lists on your router
• show access-lists
• show ip access-lists
• show interfaces or show ip interface
• Use the no access-list list command to remove
  the list
• Use the no ip accessgroup list direction
  command to remove the application of the list

32
Extended IP Access Lists

• Extended IP access lists
• Can filter by source IP address, destination IP
  address, protocol type, and application port
  number
• This granularity allows you to design extended IP
  access lists that
• Permit or deny a single type of IP protocol
• Filter by a particular port of a particular
  protocol

33
Extended IP Access Lists (continued)

• To configure extended IP access lists, you must
  create the list and then apply it to an interface
  using the following syntax
• access-list list permitdeny protocol
  source IP address source wildcard mask
  operator port destination IP address
  destination wildcard mask operator port
  log

34
Extended IP Access List Examples
35
(No Transcript)
36
(No Transcript)
37
Extended IP Access List Examples (continued)
38
The Established Parameter

• Established parameter
• Permits traffic from any host on any network to
  any destination, as long as the traffic was in
  response to a request initiated inside the
  network
• Example
• access-list 100 permit tcp any 15.0.0.0
  0.255.255.255 established

39
Monitoring Extended IP Access Lists

• The same commands used to monitor standard IP
  access lists are used to monitor extended IP
  access lists
• Extended IP lists keep track of the number of
  packets that pass each line of an access list
• The clear access-list counters list command
  clears the counters
• The no access-list list command removes the
  list
• The no ip access-group list direction
  command removes the application of the list

40
Monitoring Extended IP Access Lists
41
Monitoring Extended IP Access Lists
42
Using Named Lists

• Named access lists
• In Cisco IOS versions 11.2 and above, names
  instead of numbers can be used to identify lists
• To name a standard IP access list, use the
  following syntax
• RouterC(config)ip access-list standard name
• To name an extended IP access list, use the
  following syntax
• RouterC(config)ip access-list extended name

43
Using Named Lists (continued)

• Once the list is named, the permit or deny
  statement is entered
• The commands follow the same syntax as unnamed
  lists
• The beginning part of the command is not included
• To apply a standard IP named list to an
  interface, the syntax is
• RouterC(config-if)ip access-group name in
  out

44
Using Named Lists (continued)

• Advantages
• Allows you to maintain security by using an
  easily identifiable access list
• Removes the limit of 100 lists per filter type
• With named access lists lines can be selectively
  deleted in the ACL
• Named ACLs provide greater flexibility to network
  administrators who work in environments where
  large numbers of ACLs are needed

45
Controlling VTY Line Access

• Access lists are used for both traffic flow and
  security
• One useful security feature of access lists is
  restricting access to telnet on your router
• By controlling VTY line access
• You must first create a standard IP access list
  that permits the management workstation
• RouterA(config)access-list 12 permit
  192.168.12.12 0.0.0.0
• Then, it must be applied to the VTY lines
• access-class acl in out

46
Controlling VTY Line Access (continued)

• To apply access list 12 to the VTY lines, use the
  following command
• RouterA(config)line vty 0 4
• RouterA(config-line)access-class 12 in
• The commands to restrict access to the VTY lines
  to network 192.168.12.0/24 only are
• RouterA(config)access-list 13 permit
  192.168.12.0 0.0.0.255
• RouterA(config)line vty 0 4
• RouterA(config-line)access-class 13 in

47
Using Security Device Manager to Create Access
Control Lists

• Using the SDM, an administrator can accomplish
  all the tasks that formerly required use of the
  CLI interface
• SDM allows you to easily create a standard or an
  extended access list or, as it is known in the
  SDM, an Access Control List (ACL)

48
(No Transcript)
49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
Using Security Device Manager to Create a Router
Firewall

• Unlike the CLI, the SDM allows a router to be
  configured as a firewall

55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
Using Security Device Manager to Create a Router
Firewall (continued)
59
Using Security Device Manager to Create a Router
Firewall (continued)
60
(No Transcript)
61
Summary

• Access lists are one of the most important IOS
  tools for controlling network traffic and
  security
• Access lists are created in a two-step process
• All access lists are created sequentially and
  applied sequentially to all packets that enter an
  interface where the list is applied
• By default, access lists always end in an
  implicit deny any statement
• Only one access list per direction (inbound or
  outbound) per protocol can be applied to an
  interface

62
Summary (continued)

• Standard IP access lists allow you to filter
  traffic based on the source IP address of a
  packet
• Extended IP access lists filter traffic based on
  source, destination, protocol type, and
  application type
• Access lists can be used to restrict telnet by
  controlling VTY line access
• Ranges of numbers represent all access lists

63
Summary (continued)

• The SDM can be used to configure both standard
  and extended ACLs via the Additional Tasks
  configuration tab
• The SDM can be used to configure a router as
  either a Basic or Advanced firewall
• The main difference between a Basic and Advanced
  firewall is the ability to configure DMZ
  interfaces in the Advanced firewall setup wizard