IP Access Lists IP Access Lists IP Access Lists

Size: px

Start display at page:

Download "IP Access Lists IP Access Lists IP Access Lists"

炮傅
7 years ago
Views:

1 Chapter 10 Access Lists

2 IP Access Lists IP Access Lists IP Access Lists

3 Security) IP Access Lists Access Lists (Network

4 router

5 For example, RouterA can use an access list to deny access from Network 4 to Network 1; both networks are shown in Fig

6 With the following conceptual syntax, you create the standard access list to block access from Network 4 to Network 1: access list 1 deny Network 4 access list 1 permit any

7 If you wanted to deny traffic from Network 3 and Network 4, the access list conceptual syntax are: access list 1 deny Network 3 access list 1 deny Network 4 access list 1 permit any

8 IP Access Lists Lists IP Lists IP IP Standard Access IP Extended Access

9 IP Standard Access Control Lists (ACL) Concepts For example, we assume that Bob is not allowed to access Server1, but Larry is.

10 IP Standard Access Lists ( ) Filtering logic could be configured on any of the three routers and on any of their interfaces.

11 Here are some key features of Cisco access lists: Packets can be filtered as they enter an interface, before the routing decision. Packets can be filtered before they exit an interface, after the routing decision.

12 Here are some key features of Cisco access lists: (cont.) Deny implies that the packets will be filtered. Permit implies that the packets will not be filtered.

13 Here are some key features of Cisco access lists: (cont.) The filtering logic is configured in the access list. At the end of every access list is an implied that deny all traffic statement.

14 Access Lists have two major steps in their logic: matching and action. Look the packets with Bob s So the access List for source IP address and preventing Bob s traffic to the server might go something like: the Server1 s destination IP address. When you see them, discard them. If you see any other packets, do not discard them.

15 IP Standard Access Lists ( ) 1~99

16 IP Standard Access Lists ( ) IP Access-list access-list-number [permit deny] source [source wildcard mask]

17 IP Standard Access Lists ( ) ip access-group access-list-number [in out]

18 IP Standard Access Lists ( ) Source address Wildcard Mask Wildcard Mask 0 don t care 1 need match

19 Source address Wildcard Mask ( )

20 Source address Wildcard Mask ( )

21 Source address Wildcard Mask ( ) Source: Wildcard Mask :

22 Source address Wildcard Mask ( ) Source: Wildcard Mask : IP

23 Wildcard mask examples Consider the IP addresses and wildcard mask shown in Table 1.

24 Wildcard mask examples (cont.) An access-list that states access-list 1 permit Will allow traffic from any odd-numbered subnet to pass.

25 Wildcard mask examples (cont.)

26 Wildcard mask examples (cont.)

27 Wildcard mask Eg. 1: The following example tells the router to match the first three octets exactly but the fourth octet can be anything. access-list 10 deny

28 Wildcard mask Eg. 2: The following example tells the router to match the first two octets and that the last two octets can be anything. access-list 10 deny

29 Wildcard mask Eg. 3: The following example tells the router to start at network and use a block size of 4. The blocking range would then access-list be deny through

30 Wildcard mask Eg. 4: The example shows an access list starting at network and going up a block size of 8 to access-list 10 deny

31 Wildcard mask Eg. 5: The following example starts at network and goes up a block size of 32 to access-list 10 deny

32 Wildcard mask Eg. 6: The last example starts at network and goes up a block size of 64 to access-list 10 deny

33 Wildcard mask Please keep in mind when working with block size and wildcards: Each block size must start at 0 or a multiple of the block size.

34 Wildcard mask For example, you can t say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc. For a block size of 32, the ranges are 0-31, 32-63,

35 Standard IP Access List Examples Standard IP access list permit or deny packets based only on the source address. These address can be a single host address, a subnet address, or a full network address.

36 Using the sample network in Fig. 10-8, you can create a standard IP access list that blocks host from accessing subnet

37 Fig shows the commands you would enter on RouterB to accomplish this task.

38 Standard IP ACL Examples (cont. Correct placement of a list is imperative. If the list were placed on RouterB s access list 1 deny S1 interface as an inbound access list 1 permit any list, it would work with the int s1 sample network. ip access-group 1 in

39 Standard IP ACL Examples (cont. However, if RouterB had another Ethernet interface, as shown in Fig , placing the access list on S1 would inadvertently block traffic to the 2nd Ethernet interface, E1.

40 Standard IP ACL Examples (cont. You should apply the standard IP access list as close to the destination as possible. Otherwise, you will inadvertently block access to portions of your network.

41 Standard IP ACL Examples (cont. To view the access list defined on your routers, use show access-lists command and show ip access-lists command.

42 Standard IP ACL Examples (cont. To view which interfaces have IP access lists set, use show ip interface command.

43 Standard IP ACL Examples (cont. You can remove the access list with the no ip access-group [list #].

44 Standard IP ACL Examples (cont. Now assume that instead of blocking a single host from subnet , you want to block all traffic from this subnet to subnet

45 Standard IP ACL Examples (cont. Finally, assume that you want to block access to the subnet from all hosts on subnets and

46 Monitoring Standard IP Access Lists Three main commands are available for monitoring access lists on your router. show access-lists show ip access-lists show ip interface

47 Sam is not allowed access to Bugs or Daffy Hosts on the Seville Ethernet are not allowed access to hosts on the Yosemite Ethernet All other combined are

50 ( )

51 IP Extended Access Lists 100~199 IP Extended Access Lists

52 FTP S E0

53 ( ) access-list 105 deny tcp eq 20 access-list 105 deny tcp eq 21

54 ( ) access-list 105 permit IP interface e ip access-group 105

55 IP Extended Access Lists ( ) TCP UDP FTP 21 Telnet 23 port SMTP name 25 HTTP 80 POP3 110 NNTP 119 PPTP 1723 L2TP 1701 TFTP 69 BOOTPS 67 BOOTPC 68 TCP UDP port number

56 drivers\etc services IP Extended Access Lists ( ) %systemroot%\system32\

57 IP Extended Access Lists ( )

58 Extended IP ACL Examples Using Fig as an example, this section discuss how to block host from accessing Web services on server

59 Extended IP ACL Examples (cont.)

60 Standard and Extended IP Access Lists: Matching

61 Extended access-lists Commands

62 Extended access-lists Commands

63 ACL Implement. Considerations Create your ACLs using a text editor outside the router, and copy and paste configuration into the router.

64 ACL Implement. Consider. (cont.) Place Standard ACLs as close to the packet s destination as possible.

65 ACL Implement. Consider. (cont.) Place Extended ACLs as close to the source of the packet as possible to discard the packets quickly.

66 IP Access Lists IP Access Lists IP Access Lists

67 (conf) ip access-group 10 out IP Access Lists access-lists accessgroup conf ter (conf) access-list 10 deny (conf) int fa0/ (conf) access-list 10 permit any

68 P Access Lists ( ) conf ter (conf) access-list 11 deny (conf) int fa0/ (conf) access-list 11 permit any (conf) ip access-group 11 out

69 IP Access Lists ( ) show interface fa0/0

70 IP Access Lists ( ) access-lists access-group Telnet conf ter (conf) access-list 111 deny tcp any eq telnet

71 IP Access Lists ( ) access-lists access-group ( ) (conf) access-list 111 permit (conf) int fa0/0 ip any any (conf) ip access-group 111 out

72 IP Access Lists ( ) access-lists show ip access-list

73 IP Access Lists ( ) Bob is denied access to all FTP servers on R1 s Ethernet Larry is denied access to Server1 s Web server All other combined are allowed.

74 IP Access Lists ( ) ( )

75 IP Access Lists ( ) R1 s Extended Access List int s0 ip addr ip access-group 101 in int s1 ip addr ip access-group 101 in

76 IP Access Lists ( ) ( ) ccess-list 101 deny tcp host eq ftp ccess-list 101 deny tcp host host eq http p access-group 101 permit ip any any

77 IP Access Lists ( ) Bob is denied access to all FTP servers on R1 s Ethernet -> R3 R3 Larry is denied access to Server1 s Web server -> R2 R2

78 ccess-list 101 permit ip any any IP Access Lists ( ) R3 s Extended Access List Stopping Bob from Reaching FTP Servers int e0 ip addr ip access-group 101 in ccess-list 101 deny tcp host eq ftp

79 acess-list 101 permit ip any any IP Access Lists ( ) R2 s Extended Access List Stopping Larry from Accessing int e0 Web Servers ip addr ip access-group 101 in access-list 101 deny tcp host eq http

80 IP Access Lists ( ) ICMP access-list 101 deny icmp host host echo-replay ip access-group 101 permit ip any any

81 IP Access Lists ( ) ICMP (conf) int e0 (conf) ip access-group 101 in

82 IP Access Lists ( ) Server ping echo access-list 101 deny icmp host echo-replay ip access-group 101 permit ip any any

83 If you want to remove a list from a list from an interface, you can use the no ip-access-group [list #] [in out] command. (see Fig )

84 IP Access Lists ( ) Controlling VTY line Access Telnet conf ter (conf) access-list 12 permit or (conf) access-list 12 permit host

85 IP Access Lists ( ) Telnet ( ) (conf) line vty 0 4 (conf-line) access-class 12 in

86 IP Access Lists ( ) Telnet (conf) access-list 13 permit (conf) line vty (conf-line) access-class 13 in

87 IP Access Lists IP Access Lists IP Access Lists

88 IP Access Lists Ans: B Which one of the following is a range of standard IP access list? A. 0~99 B. 1~99 C. 100~199 D. 200~299 E. None of the above

89 Ans: A IP Access Lists ( ) Which one of the following command assigns a number and condition for the list? A. access-list B. access-group C. access-number D. list-number E. None of the above

90 Which one of the following command will you use to display access lists set in IP interface? A. show int ip B. show ip access-list C. show ip list D. show ip int E. None of the above Ans: D

91 Which one of the following command will you use to display all access-lists on Serial 0? A. show all access-list B. show access-list ser0 C. show ip ser 0 access-list D. show ip int ser0 E. None of the above Ans: D

92 Ans: A IP Access Lists ( ) Which one of the following command will you use to permit all SNMP? A. access-list 123 permit tcp any any eq SNMP B. access-list 123 permit SNMP C. access-list 123 deny all D. access-list 123 deny SNMP all

93 Ans: A IP Access Lists ( ) What does any mean in access-list command? A B C D E

94 IP Access Lists Ans: C Which one of the following wildcard mask will you use to match the range ~ ? A B C D E

95 IP Access Lists Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? A B C D

96 IP Access Lists Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? A B C D

IP505SM_manual_cn.doc

IP505SM_manual_cn.doc IP505SM 1 Introduction 1...4...4...4...5 LAN...5...5...6...6...7 LED...7...7 2...9...9...9 3...11...11...12...12...12...14...18 LAN...19 DHCP...20...21 4 PC...22...22 Windows...22 TCP/IP -...22 TCP/IP