Basic IP Traffic Management With Access Control Lists
Chapter 8
Chapter Objectives
Recall - I
IGRP is a distance-vector routing protocol, which means
that each router periodically sends all or part of its
routing table to its neighbours in a routing update
EIGRP was created using IGRP as the base and adding
functionality to enhance it
OSPF is built on the Shortest Path First (SPF) algorithm,
which lets each router compute the shortest route to every
destination
When a network link changes state, the router that detects
the change floods a notification called a Link State
Advertisement (LSA) across the area (on multi-access
segments the designated router forwards it to the others)
Recall - II
OSPF provides the following advantages:
Open, standards-based protocol
Scalable
Hierarchical design (areas)
Uses multicast rather than broadcast to exchange updates
There are different OSPF area types that control how external
routes are handled:
Normal area
Stub area
Not-so-stubby area
Access Control List - I
An Access Control List (ACL) is a set of statements,
grouped together, that filter the traffic entering or
leaving an interface
The functions of ACLs include the following:
Restrict which hosts and services can reach a network,
which is the basic security use of an ACL
Reduce unwanted network traffic and so improve network
performance
Control the flow of traffic in the network
Access Control List - II
Once an ACL is written it is applied to an interface, and
you must specify the direction in which the traffic is
filtered:
Inbound (checked before the routing decision)
Outbound (checked after the routing decision, before the
packet leaves the interface)
The ACL itself is one of two types, and either type can be
numbered or named:
Standard ACL (matches on source address only)
Extended ACL (matches on source and destination address,
protocol and ports)
ACL Processing
An ACL is a list of statements grouped together under a
name or number
When the router checks a packet against an ACL, it performs
a number of steps to find a statement that matches the packet
The router processes the statements top-down, in the order
in which they were entered
If the packet does not match the first statement, the router
moves on to the next statement, and so on
The first statement that matches decides the outcome (permit
or deny); no later statement is consulted
If no statement matches, the packet is dropped: every ACL
ends with an implicit deny any, so an ACL that contains only
deny statements blocks all traffic
Configuring ACL
You must know the guidelines before configuring an ACL
You can use the access-list command to create a numbered
ACL; each command adds one statement to the end of the list
The syntax to create an ACL is:
access-list ACL_# permit|deny conditions
To activate the ACL on an interface, enter the following
at the command prompt:
interface type slot_#/port_#
ip access-group ACL_# in|out
An ACL does nothing until it is applied; an interface can
have at most one IP ACL per direction
ACL Numbers and Protocol Types
Type                                    Numbers
IP Standard                             1-99, 1300-1999
Standard Vines                          1-99
IP Extended                             100-199, 2000-2699
Extended Vines                          100-199
Bridging type code (layer 2)            200-299
DECnet                                  300-399
Standard XNS                            400-499
Extended XNS                            500-599
AppleTalk                               600-699
Bridging MAC address and vendor code    700-799
Editing Entries
You may need to add, delete or modify an entry in the ACL
In a numbered ACL you cannot delete or insert a single entry:
a new access-list command is appended to the end of the list,
and the only way to remove one entry is to remove the whole
list and re-enter it
The no access-list command deletes an ACL. The syntax of the
command is:
no access-list ACL_#
The no access-list ACL_# command deletes the entire list
Take care when editing an ACL that is still applied to an
interface: while the list does not exist, the ip access-group
reference matches nothing and IOS passes all traffic through
that interface. Either remove the ip access-group first, or
build the corrected list under a new number and then switch
the interface to it
Wildcard Masking
Wildcard masks can be used to match a range of IP addresses
in one ACL statement, instead of entering each address
manually
A 0 or 1 in a bit position of the wildcard mask means the
following:
0 - The corresponding bit of the packet's address must match
the address given in the ACL statement
1 - The corresponding bit is ignored (it may be 0 or 1)
A wildcard mask is the bitwise inverse of a subnet mask, so
255.255.255.0 becomes 0.0.0.255; 0.0.0.0 matches a single
host (the host keyword) and 255.255.255.255 matches every
address (the any keyword)
Subnet Masks and Wildcard Masks Values
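As an added example (not code from the original chapter or from Cisco), the following Python computes wildcard masks from subnet masks and prefix lengths, reproduces the kind of subnet-mask/wildcard-mask table this slide refers to, and applies the top-down, first-match rule with the implicit deny to a standard ACL. It goes one step beyond the slides by also showing a non-contiguous wildcard, which matches a pattern of subnets rather than one block. The ACL entries, addresses and the tuple layout of an entry are constructed for illustration and are assumptions of this example.

```python
"""Wildcard masks and first-match evaluation of a standard IP ACL.

Constructed example for this chapter; not code from the original slides."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _dotted(value):
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(mask):
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return _dotted(_ip(mask) ^ ALL_ONES)


def prefix_to_wildcard(prefix_len):
    """/24 -> '0.0.0.255', /30 -> '0.0.0.3', /32 -> '0.0.0.0'."""
    mask = ALL_ONES << (32 - prefix_len) & ALL_ONES
    return _dotted(mask ^ ALL_ONES)


def wildcard_match(addr, ref, wildcard):
    """0 bit in the wildcard: the address bit must equal the reference bit.
    1 bit: the address bit is ignored.  Same as (addr ^ ref) & ~wildcard == 0."""
    differing = _ip(addr) ^ _ip(ref)
    return differing & (_ip(wildcard) ^ ALL_ONES) == 0


def mask_table(prefix_lens=range(24, 33)):
    """Rows of (prefix length, subnet mask, wildcard mask)."""
    rows = []
    for p in prefix_lens:
        mask = _dotted(ALL_ONES << (32 - p) & ALL_ONES)
        rows.append((p, mask, subnet_to_wildcard(mask)))
    return rows


def evaluate_standard(entries, src):
    """entries: list of (action, reference, wildcard) in configured order.
    Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for n, (action, ref, wildcard) in enumerate(entries, 1):
        if wildcard_match(src, ref, wildcard):
            return action, n
    return "deny", None


# Constructed ACL 10: block one host, permit the rest of its /24.  In IOS:
#   access-list 10 deny   192.168.1.5 0.0.0.0     (same as: deny host 192.168.1.5)
#   access-list 10 permit 192.168.1.0 0.0.0.255
ACL_10 = [("deny", "192.168.1.5", "0.0.0.0"),
          ("permit", "192.168.1.0", "0.0.0.255")]

# The same two lines in the wrong order: the permit shadows the deny, so the
# host-specific statement can never match.  Sequence matters.
ACL_10_SHADOWED = list(reversed(ACL_10))

# Non-contiguous wildcard: 0.0.254.255 cares only about the lowest bit of the
# third octet, so this single statement matches every even-numbered /24
# inside 172.16.0.0/16 (172.16.0.0, 172.16.2.0, ...) and nothing else.
EVEN_SUBNETS = [("permit", "172.16.0.0", "0.0.254.255")]
```

The shadowed list is the classic mistake: `show access-lists` would show the deny statement's match counter stuck at zero, which is the clue that a later statement is unreachable.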
Standard Numbered ACL
You can create an entry in a standard numbered IP ACL using
the access-list command. The syntax of this command is:
access-list 1-99|1300-1999 permit|deny
source_address [wildcard_mask] [log]
If the wildcard mask is omitted it defaults to 0.0.0.0, a
single host; host source_address and any are accepted as
shorthand for a single host and for all addresses
After creating the standard ACL, you must activate it on
the router's interface
The ip access-group command below enables you to activate
the ACL on the interface:
ip access-group ACL_number in|out
Extended Numbered ACLs
Extended numbered ACLs are more flexible than standard
ACLs: they match on destination address, protocol and port
as well as on source address
The syntax of the command to configure an extended numbered
ACL is:
access-list 100-199|2000-2699 permit|deny
IP_protocol source_address source_wildcard_mask
[protocol_information] destination_address
destination_wildcard_mask [protocol_information] [log]
IP_protocol is ip, tcp, udp, icmp or another protocol
keyword; ip matches any IP packet regardless of protocol
TCP and UDP
An extended ACL can filter traffic by transport protocol,
such as TCP and UDP, and by port
The syntax of the command that configures an extended ACL
for TCP or UDP is:
access-list 100-199|2000-2699 permit|deny tcp|udp
source_address source_wildcard_mask [operator
source_port_#] destination_address
destination_wildcard_mask [operator
destination_port_#] [established] [log]
The established keyword (TCP only) matches segments with the
ACK or RST bit set, that is, traffic belonging to a
connection opened from the other side; it lets inside hosts
receive return traffic without permitting new inbound
connections
Operators for TCP and UDP Connections
Operator   Description
lt         Less than
gt         Greater than
eq         Equal to
neq        Not equal to
range      Within an inclusive range (range low high)
TCP Port Names and Numbers
Application   Keyword   Port
Telnet        telnet    23
SMTP          smtp      25
WWW (HTTP)    www       80
UDP Port Names and Numbers
Application   Keyword   Port
TFTP          tftp      69
ICMP
ICMP is one of the protocols that can be filtered with an
extended ACL
ICMP does not use ports like TCP and UDP, so no port
operator applies; instead you can name the ICMP message
type to match
The syntax for filtering ICMP traffic is:
access-list 100-199|2000-2699 permit|deny icmp
source_address source_wildcard_mask destination_address
destination_wildcard_mask [icmp_message] [log]
If icmp_message is omitted, the statement matches every
ICMP message
ICMP Messages
Message Type                 Description
administratively-prohibited  The packet was filtered by a router
                             or firewall
echo                         Echo request (ping)
echo-reply                   Echo reply (ping response)
Controlling Telnet Access to a Router
A standard IP ACL can also control Telnet access to the
router itself, rather than traffic passing through it
For this the ACL is applied to the virtual terminal (vty)
lines with the access-class command instead of to an
interface with ip access-group
Only sessions whose source address the ACL permits can open
a Telnet session; every other source is refused by the
implicit deny
Named ACLs
Named ACLs support both IP and IPX protocols and are not
limited by the numbered ranges
The ip access-list command creates a named ACL; the permit
and deny statements are then entered one per line in the
ACL's subcommand mode, without the access-list prefix
The syntax for this command is:
ip access-list standard|extended ACL_name
Unlike a numbered ACL, a named ACL lets you remove a single
statement with the no form of that statement, without
deleting the whole list
After creating a named ACL, you have to activate it on the
router interface
The ip access-group command given below enables you to
activate the named ACL:
ip access-group ACL_name in|out
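The extended-ACL syntax of the preceding slides (protocol, source and destination with wildcards, the port operators, established, ICMP message names) and the named-ACL form, as an added example in Python that is not part of the original chapter and not Cisco code: a small parser for IOS-style statements and an evaluator that applies them top-down and falls through to the implicit deny. The ACL text and the packets are constructed for illustration; the port-name subset, the packet dictionary layout and the entry dictionary layout are assumptions of this example.

```python
"""Parse IOS-style extended ACL statements and evaluate packets against them.

Constructed example for this chapter; not code from the original slides or
from Cisco.  The port-name table and the packet layout are assumptions."""
import ipaddress

ALL_ONES = 0xFFFFFFFF
# Assumed subset of the IOS port-name keywords: those named on the slides plus two.
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "tftp": 69, "ftp": 21, "domain": 53}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _port(text):
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)


def _wildcard_match(addr, ref, wildcard):
    # A 0 bit in the wildcard must match the reference; a 1 bit is ignored.
    return (addr ^ ref) & (wildcard ^ ALL_ONES) == 0


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (ref, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, ALL_ONES
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def _parse_port(tokens):
    """Consume an optional 'eq|neq|lt|gt PORT' or 'range LO HI' clause."""
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return "range", (_port(tokens.pop(0)), _port(tokens.pop(0)))
    if tokens and tokens[0] in ("eq", "neq", "lt", "gt"):
        return tokens.pop(0), _port(tokens.pop(0))
    return None


def _port_ok(spec, port):
    if spec is None:                      # no operator: any port matches
        return True
    op, val = spec
    if op == "range":
        return val[0] <= port <= val[1]
    return {"eq": port == val, "neq": port != val,
            "lt": port < val, "gt": port > val}[op]


def parse_acl(config_text):
    """Accept numbered lines ('access-list N ...') and the body of a named ACL."""
    entries = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue                      # 'ip access-list ...' header or a remark
        if tokens[0] == "access-list":
            tokens = tokens[2:]           # drop 'access-list' and the list number
        e = {"action": tokens.pop(0), "proto": tokens.pop(0)}
        e["src"] = _parse_addr(tokens)
        e["sport"] = _parse_port(tokens) if e["proto"] in ("tcp", "udp") else None
        e["dst"] = _parse_addr(tokens)
        e["dport"] = _parse_port(tokens) if e["proto"] in ("tcp", "udp") else None
        e["established"] = "established" in tokens
        e["log"] = "log" in tokens
        rest = [t for t in tokens if t not in ("established", "log")]
        e["icmp_type"] = rest[0] if e["proto"] == "icmp" and rest else None
        entries.append(e)
    return entries


def evaluate(entries, pkt):
    """Top-down, first match wins.  Returns (action, 1-based statement number),
    or ('deny', None) when the packet falls through to the implicit deny."""
    for n, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not _wildcard_match(_ip(pkt["src"]), *e["src"]):
            continue
        if not _wildcard_match(_ip(pkt["dst"]), *e["dst"]):
            continue
        if pkt["proto"] in ("tcp", "udp") and not (
                _port_ok(e["sport"], pkt["sport"]) and _port_ok(e["dport"], pkt["dport"])):
            continue
        # 'established' matches only segments with ACK/RST set: replies to a
        # connection opened from the permitted side, never a fresh SYN.
        if e["established"] and not (pkt["proto"] == "tcp" and pkt.get("ack")):
            continue
        if e["icmp_type"] and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"], n
    return "deny", None


# Constructed ACL: inside hosts may browse out, replies may come back, inbound
# pings are blocked, the TFTP server is reachable, everything else is logged and
# dropped (the explicit final deny only exists so that the drops can be logged).
EDGE_ACL = """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny icmp any any echo
access-list 101 permit udp any host 192.168.1.10 eq tftp
access-list 101 deny ip any any log
"""
ENTRIES = parse_acl(EDGE_ACL)
```

Feeding a named ACL body (`ip access-list extended NAME` followed by bare `permit`/`deny` lines) to `parse_acl` yields the same entry list, which shows why the two forms behave identically on the wire: only the way statements are entered and edited differs.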
Verifying and Monitoring Access Control Lists
To see which ACLs are applied to the router's interfaces,
and in which direction, use the following command:
show ip interface
Cisco IOS keeps a match counter for each statement in an
ACL. To view the statements and their counters, use one of
the following commands:
show access-lists [ACL_#_or_name]
show ip access-list [ACL_#_or_name]
A statement whose counter never increases deserves a second
look: it may be shadowed by an earlier statement
Placing ACLs
You have to decide where to place an ACL depending on the
source and destination addresses to be filtered
You must consider the following while placing the ACLs:
Standard ACL - filters on source address only, so place it
as close to the destination as possible; placed near the
source it would cut that source off from every destination
Extended ACL - identifies both source and destination, so
place it as close to the source as possible, so that unwanted
traffic is dropped before it crosses the network
Case Study
The Blue Diamond steel company, Gujarat branch, has
recruited a few engineers in the Software Management
department. The company gets a new project from its client
in Delhi. The new engineers need to work only on the
software application assigned to them and should be able to
access the server data. To accomplish this, the network
administrator, Robert, uses a standard ACL. The network of
the organization appears as shown in the Figure.
Network of the Organization
Problem
Suggested Solution
Summary - I
An access control list is a set of statements, grouped
together, that filter the traffic entering or leaving an
interface
ACL statements are grouped together under a name or number.
When the router checks a packet against an ACL, it works
through the statements top-down until one matches
After building an IP ACL, you have to apply it to an
interface (ip access-group) or to another IOS process such
as the vty lines (access-class)
Extended numbered ACLs are more flexible than standard ACLs
Summary - II
If the router finds a match between the packet and a
statement, it executes the action included with that
statement and stops processing the list. The actions are:
Permit
Deny
If no statement matches, the implicit deny at the end of
every ACL drops the packet
Summary - III
A wildcard mask is the inverse of a subnet mask. To match
every address in a subnet or network, take the subnet mask
and invert its bit values
You must consider the following while placing the ACLs:
Standard ACL - Needs to be placed close to the destination
Extended ACL - Needs to be placed close to the source