Bài giảng Mạng máy tính nâng cao - Chapter 08: Access control list

Chapter 08ACCESS CONTROL LISTMẠNG MÁY TÍNH NÂNG CAOWhat are ACLs: ACCES CONTROL LISTACL tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network What are ACLs The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL What are ACLs ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX).ACLs must be defined on a per-protocol, per direction, or per port basis The Primary Reasons to Create ACLs Limit network traffic and increase network performance. For example By restricting video traffic Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it. The Primary Reasons to Create ACLs Decide which types of traffic are forwarded or blocked at the router interfaces. For Examples: Permit e-mail traffic to be routed, but block all telnet traffic. Allow an administrator to control what areas a client can access on a network. Screen certain hosts to either allow or deny access to part of a network. Grant or deny user permission to access only certain types of files, such as FTP or HTTP How ACLs work How ACLs Work? ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.There is an implicit deny at the end of all access listsACLs and Routing Processes on a Router Type of ACLs StandardExtendedNamed Creating ACLs Creating ACLs Step 1 : Create ACLRouter(config)#access-list acl_num {permit|deny} {test_conditions}Step 2 : Apply ACL to an Interface Router(config-if)#{protocol}  access-group acl_num {in|out}Step 3 : Delete a ACL Router(config)#no access-list acl_num These basic rules One access list per protocol per direction. Standard access lists should be applied closest to the destination. Extended access lists should be applied closest to the source. Use the inbound or outbound interface reference as if looking at the port from inside the router. Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied. These basic rules There is an implicit deny at the end of all access lists. This will not appear in the configuration listing. The match condition is examined first. The permit or deny is examined ONLY if the match is true. Never work with an access list that is actively applied. Use a text editor to create comments outlining the logic, then, fill in the statements that perform the logic. New lines are always added to the end of the access list. A no access-list x command will remove the whole list. These basic rules An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket. Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted. Outbound filters do not affect traffic originating from the local router. How a Standard ACLs Work A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses.The destination of the packet and the ports involved are not coveredStandard ACL Syntax Standard ACL Logic wildcard mask Wildcard masks are designed to filter individual or groups of IP addresses permitting or denying access to resources based on the address. A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. Wildcard masks have no functional relationship with subnet masks. wildcard mask In wildcard mask a zero bit means let the value through to be checked, the one bit mean block the value from being compared.See more wildcard maskStandard ACL Example 1 Standard ACL Example 2 Standard ACL Example 3 Using an ACL to Control VTY Access Configuring Extended ACLs Extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 799 possible extended ACLs.Extended ACLs can also be named. Extended ACL built to filter on Source addresses Destination addresses Protocol Port numbers Configuring Extended ACLs The ability to filter on protocol and port number allows you to build very specific extended ACLs.Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port. Configuring Extended ACLs The procedural steps for configuring extended ACLs are the same as for standard ACLs-you first create the extended ACL and then activate it on an interfaceExtended ACLs example 1: Deny FTP Extended ACLs example 2: Deny Telnet Creating Named ACLs Creating Standard Named ACLs Creating Named Extended ACLs Verifying ACLs show ip interface show access-lists show running-config Show ip interface show access-lists {access-list-number | name} Summary ACLs perform several functions within a router, including implementing security/access procedures. ACLs are used to control and manage traffic. For some protocols, two ACLs can be applied to an interface: one inbound ACL and one outbound ACL. With ACLs, after a packet is matched to an ACL statement, it can be denied or permitted access to the router. Wildcard mask bits use the number one (1) and the number zero (0) to identify how to treat the corresponding IP address bits. Summary Access list creation and application is verified through the use of various IOS show commands. The two main types of ACLs are standard and extended. Named ACLs allow for the use of a name to identify the access list instead of a number. ACLs can be configured for all routed network protocols. ACLs are placed where they allow the most efficient control. ACLs are typically used in firewall routers. Access lists can also restrict virtual terminal access to the router.