
Max 8:05

Review of the previous class (30 minutes) (led by me)


New topic (bulk of the class) (many questions) (done by me)
Break (10-10:20am)
New topic (bulk of the class) (many questions) (done by me)
Kahoot on the new topic (led by me)
------Lab time (45 minutes) (done by you)

Thursday: Cumulative quiz: day 16, day 20, day 24


Thursday quiz: previous topic
Tuesday quiz: any topic / previous topic
Evaluation: main explanation (Spanish), brief (English) / main explanation (English),
brief (Spanish)
------------------------------------------ Access list (ACL) ------------------------------------------

Controls which other devices are allowed to access particular devices or networks.
An ACL is a list of rules that permit or deny access to particular devices or networks.
An ACL can check network layer information (source/destination IP address) and transport
layer information (TCP/UDP, port numbers).
If an ACL is configured on an interface, every packet arriving at that interface is
evaluated against the ACL.

One line at a time (Top to bottom)

The search stops at the first matching statement, and that statement's action is
applied (permit or deny).

If no statement matches, the default is to deny the packet (implicit deny).

If you configure an ACL but do not apply it to an interface, the ACL is useless
(it filters nothing).

Functionality: flow control, basic security, performance management, and traffic
classification for other features (NAT {PAT/dynamic NAT}, ZBFW, VPN tunnel {S2S}, QoS,
inspection, AAA)

One ACL per protocol (network layer, TCP, UDP)


One ACL per direction (in or out) ******Important: understand the traffic flow (how the
traffic looks at the interface: entering or leaving it)
One ACL per interface in each direction (you cannot apply two ACLs to the same interface
in the same direction)

----------------------------------------------- How an ACL works ---------------------------------------------

We need to assign the ACL to an interface (physical or virtual):

access-group: associates the ACL with the interface (and a direction)

                                        +------------------ PC4
                                        |
                                        +------------------ PC3
PC5 ---------------------+              |
                         |              |
PC1 ------------ f0/0 --router-- f0/2 --+------------------ PC2
                                        |
                                        +------------------ Webserver

PC1: 192.168.1.1/24
PC2: 192.168.2.1/24
PC3: 192.168.2.2/24
PC4: 192.168.4.1/24
PC5: 192.168.5.1/24
Webserver: 8.8.8.8

ip access-list extended test


10 permit ip host 192.168.1.1 192.168.2.1 0.0.0.0
20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 any

host 192.168.1.1 = 192.168.1.1 0.0.0.0


any = 0.0.0.0 255.255.255.255

interface f0/0
ip access-group test in

interface f0/2
ip access-group test out

Traffic evaluated against the ACL "test" (ICMP in every case):

icmp (permit)     SRC: 192.168.1.1   DST: 192.168.2.1   (matches line 10)
icmp (deny)       SRC: 192.168.1.1   DST: 192.168.2.2   (line 10 does not match; line 20 matches)
icmp (permit)     SRC: 192.168.1.1   DST: 8.8.8.8       (lines 10 and 20 do not match; line 30 matches)
icmp (permit)     SRC: 192.168.1.1   DST: 192.168.4.1   (lines 10 and 20 do not match; line 30 matches)
icmp              SRC: 192.168.5.1   DST: 192.168.4.1
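The matching procedure described above (top to bottom, first match wins, implicit deny when nothing matches, wildcard masks with host/any shorthands) can be modelled in a few lines. The following Python is an added example written for these notes, not router code and not part of the original page. It parses the ACL "test" exactly as written in the notes into entries, then evaluates the five sample packets. The wildcard-mask check is the real one (a 1 bit in the wildcard means "don't care"). It also accepts an optional `eq <port>` after the destination, as in the extended-ACL syntax later in the notes; support for `gt/lt/neq/range` and source ports is deliberately left out (assumption: only `eq` on the destination is needed for this illustration).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL "test" from the notes (same three entries).
ACL_TEXT = """
ip access-list extended test
 10 permit ip host 192.168.1.1 192.168.2.1 0.0.0.0
 20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 30 permit ip 192.168.1.0 0.0.0.255 any
"""

AddrSpec = Tuple[int, int]  # (address as 32-bit int, wildcard as 32-bit int)


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol; others must match exactly
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int] = None  # only "eq <port>" on the destination is supported here


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":                              # any  = 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                             # host X = X 0.0.0.0
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'ip access-list extended' entries; header and remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip" or tokens[1] == "remark":
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(seq, action, proto, src, dst, port))
    entries.sort(key=lambda e: e.seq)  # the router evaluates in sequence-number order
    return entries


def _match_addr(spec: AddrSpec, ip: int) -> bool:
    """Wildcard match: bits set to 1 in the wildcard are ignored."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(entries: List[Entry], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins. Returns (decision, matching sequence number);
    the sequence number is None when the implicit deny at the end applied."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match_addr(e.src, s) and _match_addr(e.dst, d)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.seq
    return "deny", None


# The five sample packets from the notes (protocol, source, destination).
PACKETS = [
    ("icmp", "192.168.1.1", "192.168.2.1"),  # line 10 -> permit
    ("icmp", "192.168.1.1", "192.168.2.2"),  # line 20 -> deny
    ("icmp", "192.168.1.1", "8.8.8.8"),      # line 30 -> permit
    ("icmp", "192.168.1.1", "192.168.4.1"),  # line 30 -> permit
    ("icmp", "192.168.5.1", "192.168.4.1"),  # no entry matches -> implicit deny
]


def run_notes_example() -> List[Tuple[str, Optional[int]]]:
    entries = parse_acl(ACL_TEXT)
    return [evaluate(entries, *pkt) for pkt in PACKETS]


if __name__ == "__main__":
    for pkt, result in zip(PACKETS, run_notes_example()):
        print(pkt, "->", result)
```

The last packet (192.168.5.1 to 192.168.4.1) is the one the notes leave without a decision: if it does pass through an interface where "test" is applied, no entry names its source, so only the implicit deny can apply. Checking the returned sequence number, not just permit/deny, is the quickest way to see which entry actually fired when an ACL misbehaves.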

permit specific host -> specific host
deny specific host -> specific host
permit specific host -> specific subnet
deny specific host -> specific subnet
permit specific host -> any subnet
deny specific host -> any subnet
permit specific subnet -> specific subnet
deny specific subnet -> specific subnet
permit specific subnet -> any subnet
deny specific subnet -> any subnet
deny (implicit)

--------------------------------------------- Types of ACL ------------------------------------------------

Numbered ACL:------------
1 to 99 and 1300 to 1999: standard IP ACL
100 to 199 and 2000 to 2699: extended IP ACL

Named ACL: -------------

The name can contain alphanumeric characters
(no spaces, no punctuation)
You can add or delete individual entries within the ACL
Standard ACL:-------------

Permits or denies traffic based on the source IP address only (it does not consider
the destination IP address, the ports or the protocol)

At the end, implicit deny

Extended ACL:------------
Permits or denies traffic based on source/destination (IP address or ports) and
protocol type (TCP, UDP, IP, OSPF, ICMP, etc.)

At the end, implicit deny

Where is the best place to locate an ACL? (best practice)

a. Close to the source (extended) (in: sometimes)

b. Close to the destination (standard) (out: sometimes)

------------------------------------- ACL configuration ----------------------------------------

Standard-----------------------------------
Numbered:
1. Configure ACL entry

access-list <1-99> <permit|deny|remark> <ip address match | host | any> <wildcard>

2. Assign it to the interface

interface <type>
ip access-group <name/number> <in|out> (ipv4)

line vty 0 15
access-class <number/name> <in|out> (ipv4)
ipv6 access-class <name> <in|out> (ipv6)

Named:
ip access-list standard <number/name>
<1-2147483647> <permit|deny|remark> <ip address match | host | any> <wildcard>

delete entry: no <1-2147483647>

Extended--------------------------------------
Numbered:

1. Configure ACL entry

access-list <100-199> <permit|deny|remark> <protocol> <ip address src match | host | any>
<wildcard> {eq/gt/lt/neq/range} {port-number} <ip address dst match | host | any>
<wildcard> {eq/gt/lt/neq/range} {port-number}

2. Assign it to the interface

interface <type>
ip access-group <name/number> <in|out> (ipv4)
line vty 0 15
access-class <number/name> <in|out> (ipv4)
ipv6 access-class <name> <in|out> (ipv6)

Named:

ip access-list extended <number/name>

<1-2147483647> <permit|deny|remark> <protocol> <ip address src match | host | any>
<wildcard> {eq/gt/lt/neq/range} {port-number} <ip address dst match | host | any>
<wildcard> {eq/gt/lt/neq/range} {port-number}

delete entry: no <1-2147483647>

show access-list {number/name}: displays the access-list configuration (with per-entry
match counters)

Other types-------------------------------------------------------------------

Dynamic ACL: users must authenticate over a Telnet connection to the router before
their traffic is allowed through the device (requires authentication)

Reflexive ACL: allows outbound traffic and limits inbound traffic to responses to
sessions that originated inside the network (traffic originated from outside is
blocked: a firewall function)

Time-based ACL: allows access control based on the time of day and day of the week
(access control during specific times)
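The reflexive ACL behaviour described above can be illustrated with a small stateful model. The following Python is an added example for these notes, not IOS code and not part of the original page. It remembers each outbound flow, permits an inbound packet only when it is the exact reverse of a remembered flow that has not timed out, and denies everything else. The 300-second idle timeout and the sample flows are constructed values for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation, identified by its 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The flow a reply to this packet would have."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ReflexiveFilter:
    """Model of a reflexive ACL: outbound flows are permitted and remembered as
    temporary entries; inbound flows are permitted only while a matching
    temporary entry exists. Unsolicited inbound traffic is denied."""

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.sessions: Dict[Flow, int] = {}   # expected inbound flow -> expiry time

    def process(self, flow: Flow, now: int, outbound: bool) -> str:
        if outbound:
            # Create (or refresh) the temporary entry for the expected reply.
            self.sessions[flow.reverse()] = now + self.timeout
            return "permit"
        expiry = self.sessions.get(flow)
        if expiry is not None and now <= expiry:
            self.sessions[flow] = now + self.timeout   # activity keeps the entry alive
            return "permit"
        self.sessions.pop(flow, None)                  # drop an expired entry
        return "deny"


def demo() -> List[str]:
    """Constructed sequence: a DNS query from inside, its reply, an unsolicited
    inbound SSH attempt, and a late reply after the idle timeout."""
    f = ReflexiveFilter(timeout=300)
    query = Flow("udp", "192.168.1.1", 40000, "8.8.8.8", 53)
    unsolicited = Flow("tcp", "8.8.8.8", 12345, "192.168.1.1", 22)
    return [
        f.process(query, now=0, outbound=True),               # permit: originated inside
        f.process(query.reverse(), now=1, outbound=False),    # permit: matches the session
        f.process(unsolicited, now=2, outbound=False),        # deny: nothing originated it
        f.process(query.reverse(), now=400, outbound=False),  # deny: entry expired at 301
    ]


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the second and fourth packets are byte-for-byte the same flow; only the state kept by the router decides whether the reply is permitted, which is exactly what a plain extended ACL cannot express.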
