Scribd Logo
Upload

Welcome to Scribd!

  • HC110110027 Access Control Lists

    Uploaded by

    Mohamed Elsadany
    7 views14 pages
    The document discusses Access Control Lists (ACLs), which are used to filter network traffic based on parameters like source/destination IP addresses and ports. It describes the basic and advanced ACL types and their configuration. Basic ACLs filter traffic based on source IP addresses, while advanced ACLs can filter traffic based on additional parameters like protocols and ports. Rules within ACLs either permit or deny traffic that matches the specified conditions. ACLs are commonly used to restrict unauthorized traffic and implement network address translation (NAT).

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses Access Control Lists (ACLs), which are used to filter network traffic based on parameters like source/destination IP addresses and ports. It describes the basic and advanced ACL types and their configuration. Basic ACLs filter traffic based on source IP addresses, while advanced ACLs can filter traffic based on additional parameters like protocols and ports. Rules within ACLs either permit or deny traffic that matches the specified conditions. ACLs are commonly used to restrict unauthorized traffic and implement network address translation (NAT).

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    7 views14 pages

    HC110110027 Access Control Lists

    Uploaded by

    Mohamed Elsadany
    The document discusses Access Control Lists (ACLs), which are used to filter network traffic based on parameters like source/destination IP addresses and ports. It describes the basic and advanced ACL types and their configuration. Basic ACLs filter traffic based on source IP addresses, while advanced ACLs can filter traffic based on additional parameters like protocols and ports. Rules within ACLs either permit or deny traffic that matches the specified conditions. ACLs are commonly used to restrict unauthorized traffic and implement network address translation (NAT).

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 14

    Access Control Lists

    Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.


    Foreword
     Many technologies and protocols depend on Access Control Lists (ACL) for
    greater management and filtering of traffic as part of security measures or
    application requirements. The implementation of ACL in support of other
    technologies, and as a form of security are required to be understood, and
    as such common forms of ACL solutions are introduced.

    age 2 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Objectives
     Upon completion of this section, you will be able to:
     Describe the applications for ACL in the enterprise network.
     Explain the decision making behavior of Access Control Lists.
     Successfully implement Basic and Advanced Access Control Lists.

    age 3 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Filtering Restricted Traffic

    .1 192.168.1.0/24 .2

    G0/0/0

    G0/0/1 Server A
    .1 192.168.2.0/24 .2

     Packets are filtered based on addresses and parameters.


     Rules allow packets to be either permitted or denied.

    age 4 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Filtering Interesting Traffic

    .1 192.168.1.0/24 .2
    Data Data
    No Match

    G0/0/0

    Match
    .1 192.168.2.0/24 .2 Data Encrypted Data

     Packets can be filtered to manipulate behavior and actions.


     Parameters and forwarding behavior can be altered as a result.

    age 5 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    ACL Types

    Types Value Ranges Parameters


    Basic 2000-2999 Source IP
    Source & Destination IP, Protocol, Source &
    Advanced 3000-3999
    Destination Port
    Layer 2 ACL 4000-4999 MAC Address

     Three forms of ACL can be applied to AR2200 series routers.


     Parameters for packet filtering vary for each ACL type.

    age 6 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    ACL Rule Management

    acl 2000
    rule 5 deny source 192.168.1.0 0.0.0.255
    If no match

    rule 10 deny source 192.168.2.0 0.0.0.255


    If no match

    rule 15 deny source 172.16.0.0 0.0.0.255


    172.16.0.0/24
    RTA If no match

    rule 20 permit source any

    172.16.1.0/24

     Rules are used to manage the decision process for each ACL.

    age 7 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Basic ACL
    Host A

    200.10.10.1/24

    RTA
    192.168.1.1/24
    G0/0/0
    Host B

    192.168.2.1/24

    [RTA]acl 2000
    [RTA-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
    [RTA-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
    [RTA]interface GigabitEthernet 0/0/0
    [RTA-GigabitEthernet0/0/0]traffic-filter outbound acl 2000

    age 8 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Configuration Validation

    Host A> ping 200.10.10.1


    Ping 200.10.10.1: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    ...

    [RTA]display acl 2000


    Basic ACL 2000, 2 rules
    Acl's step is 5
    rule 5 deny source 192.168.1.0 0.0.0.255 (5 matches)
    rule 10 permit source 192.168.2.0 0.0.0.255
     The rules and matching order can be verified for each ACL.
     Basic ACL rules are matched based on each source IP address.

    age 9 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Advanced ACL
    Host A
    FTP Server
    172.16.10.1/24

    RTA
    192.168.1.1/24
    G0/0/1
    Host B Private Server

    172.16.10.2/24
    192.168.2.1/24

    [RTA]acl 3000
    [RTA-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255
    destination 172.16.10.1 0.0.0.0 destination-port eq 21
    [RTA-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255
    destination 172.16.10.2 0.0.0.0
    [RTA-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

    age 10 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Configuration Validation

    [RTA]display acl 3000


    Advanced ACL 3000, 2 rules
    Acl's step is 5
    rule 5 deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0
    destination-port eq ftp
    rule 10 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0

     Advanced ACL rules defined in the range of 3000-3999 add complexity due
    to the number of parameters used for filtering.

    age 11 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    ACL Application - NAT
    Host A

    Private IP Match ACL Public IP


    NAT
    RTA
    192.168.1.1/24
    G0/0/0
    Host B

    [RTA] nat address-group 1 202.110.10.8 202.110.10.15


    192.168.2.1/24 [RTA] nat address-group 2 202.115.60.1 202.115.60.30
    [RTA] acl 2000
    [RTA-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
    [RTA] acl 2001
    [RTA-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
    [RTA] interface GigabitEthernet 0/0/0
    [RTA-GigabitEthernet0/0/0] nat outbound 2000 address-group 1
    [RTA-GigabitEthernet0/0/0] nat outbound 2001 address-group 2

    age 12 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Summary
     The advanced access control list is capable of filtering traffic based on which
    attributes?
     Once an ACL rule is matched to a condition, what action is taken?

    age 13 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
    Thank You
    www.huawei.com

    You might also like