Access Lists
Powerful tools that control access both to and from network segments
Can filter unwanted packets
Can be used to implement security
Standard Access Lists: these use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols.
Extended Access Lists: these check for both the source and destination IP address and the protocol field in the network layer header
Assign only one access list per interface, per protocol, per direction, i.e. one inbound and one outbound list per interface
Organise ACLs so that the more specific tests are at the top
Any time a new line is added to an ACL it is added to the bottom
One line cannot be removed from an ACL; the whole list will need retyping
ACLs should end with permit any, because all packets are discarded if they do not match any of the criteria
Every list should have at least one permit statement, otherwise you might as well shut down the interface
Create access lists first and then apply them to an interface
Access lists are designed to filter traffic going through a router. They will not filter traffic originating from the router
Place IP standard access lists as close to the destination as possible
Place IP extended access lists as close to the source as possible
(Network diagram from the slides: Sales network 172.16.40.0)
Using a number from 1-99 tells the router that you want to create a standard IP access list. You then decide whether you are creating a permit or deny statement.
RouterA(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Use the any keyword to permit or deny any host or network
Use an IP address to specify or match a specific network or IP host
Use the host keyword to specify a single host only
Example using the host command:
RouterA(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default is host: a bare address given without a wildcard matches only that one host.
Another way to specify a single host is to use wildcard masks, and wildcards are the only way to specify a whole network or subnet.
Masking Practice
On the next several slides, we will practice making wildcard masks to fit specific guidelines. Don't worry if you don't get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to master.
Write an ip mask and wildcard mask to check for all hosts on the network 192.5.5.0 255.255.255.0
Answer: 192.5.5.0 0.0.0.255
Notice that this wildcard mask is a mirror image of the default subnet mask for a Class C address. WARNING: This is a helpful rule only when looking at whole networks or subnets.
Masking Practice
Write an ip mask and wildcard mask to check for all hosts in the subnet 192.5.5.32 255.255.255.224
If you answered 192.5.5.32 0.0.0.31, YOU'RE RIGHT!! 0.0.0.31 is the mirror image of 255.255.255.224. Let's look at both in binary:
11111111.11111111.11111111.11100000 (255.255.255.224)
00000000.00000000.00000000.00011111 (0.0.0.31)
To prove this wildcard mask will work, let's look at a host address within the .32 subnet, 192.5.5.55:
11000000.00000101.00000101.00110111 (192.5.5.55) host address
11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
Masking Practice
Notice in the previous example (repeated below), some bits were highlighted. These are the bits that must match.
11000000.00000101.00000101.00110111 (192.5.5.55) host address
11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
Remember: a 0 bit in the wildcard mask means check the bit; a 1 bit in the wildcard mask means ignore it. Wherever the wildcard has a 0, the bit in the address of the packet being filtered (192.5.5.55) must match the bit in the ip mask configured in the access list (192.5.5.32).
Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192.
Answer: 192.5.5.64 0.0.0.63
Masking Practice
Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0.
Answer: 172.16.128.0 0.0.127.255
Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a subnet mask of 255.255.252.0.
Answer: 172.16.16.0 0.0.3.255
Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0.
Answer: 10.0.8.0 0.0.7.255
By now, you should have the hang of ip masks and wildcard masks when dealing with a subnet. If not, go back and review.
Second, look for the leading bits that are shared by both (highlighted below):
00000000
01111111
These bits in common are to be checked, just like the common bits in the 192.5.5 portion of the addresses.
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255
What about the teachers? What would be their ip mask and wildcard mask?
192.5.5.128 (10000000) to 192.5.5.255 (11111111)
Answer: 192.5.5.128 0.0.0.127
Notice anything? What stayed the same? What changed?
The next example starts at network 172.16.32.0 and goes up by a block size of 32, to 172.16.63.0:
RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255
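As an added example (not code from the original slides), the Python below implements the mirror-image wildcard rule from the masking-practice slides, the bit-wise "0 means check, 1 means ignore" test, and the top-down, first-match evaluation of a standard list such as access-list 10 above; the sample list and the source addresses it is checked against are constructed here, with the implicit deny applied when nothing matches.

```python
# Added example: wildcard-mask arithmetic and first-match evaluation of a
# Cisco-style standard IP access list. Not from the original slides.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_mask(subnet_mask: str) -> str:
    """Mirror-image rule from the slides: invert every bit of the subnet mask."""
    return to_dotted(to_int(subnet_mask) ^ ALL_ONES)


def matches(address: str, ip_mask: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit'; a 1 bit means 'ignore'."""
    check = to_int(wildcard) ^ ALL_ONES  # positions that must match
    return (to_int(address) & check) == (to_int(ip_mask) & check)


def parse_entry(line: str):
    """Parse one 'access-list <n> permit|deny <source>' line.
    Source forms: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', or a bare
    'A.B.C.D' (default wildcard 0.0.0.0, i.e. a single host)."""
    parts = line.split()
    action, src = parts[2], parts[3:]
    if src[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if src[0] == "host":
        return action, src[1], "0.0.0.0"
    return action, src[0], (src[1] if len(src) > 1 else "0.0.0.0")


def evaluate_acl(lines, source_address: str) -> str:
    """Top-down, first match wins; no match at all is the implicit deny."""
    for line in lines:
        action, ip_mask, wildcard = parse_entry(line)
        if matches(source_address, ip_mask, wildcard):
            return action
    return "deny"


# Constructed sample list in the same form as the slides' RouterA commands.
ACL_10 = [
    "access-list 10 deny host 172.16.30.2",
    "access-list 10 deny 172.16.32.0 0.0.31.255",
    "access-list 10 permit any",
]
```

Dropping the final permit any line (evaluate_acl(ACL_10[:2], ...)) shows why the slides insist on it: every source that matches no test is discarded.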
Once an access list has been created you must apply it to an interface. Use the same command as for an IP standard list:
RouterA(config-if)#ip access-group 110 in
(or out, to filter in the outbound direction)