CCNA 200-301 Portable Command Guide 5th Edition 22

Manage traffic using ACLs: Learn to create, apply, and verify standard, extended, named, and IPv6 ACLs. Includes tips, keywords, sequence numbers, and configuration examples.

CHAPTER 21
Managing Traffic Using Access Control Lists (ACLs)

This chapter provides information and commands concerning the following topics:

- Access list numbers
- Using wildcard masks
- ACL keywords
- Creating standard ACLs
- Applying standard ACLs to an interface
- Verifying ACLs
- Removing ACLs
- Creating extended ACLs
- Applying extended ACLs to an interface
- The established keyword
- The log keyword
- Creating named ACLs
- Using sequence numbers in named ACLs
- Removing specific lines in named ACLs using sequence numbers
- Sequence number tips
- Including comments about entries in ACLs
- Restricting virtual terminal access
- Tips for configuring ACLs
- IPv6 ACLs
- Verifying IPv6 ACLs
- Configuration examples: IPv4 ACLs
- Configuration examples: IPv6 ACLs

Access List Numbers

Although many different protocols can use access control lists (ACLs), the CCNA 200-301 certification exam is concerned only with IPv4 ACLs. The following chart shows the number ranges used for IPv4 ACLs.

1-99 or 1300-1999       Standard IPv4
100-199 or 2000-2699    Extended IPv4

NOTE: IPv6 ACLs do not use numbers; IPv6 ACLs are configured using names only.


Using Wildcard Masks

When applied to an IP address, a wildcard mask identifies which addresses are matched and therefore subject to the permit or deny action of an ACL statement. A wildcard mask can identify a single host, a range of hosts, a complete network or subnetwork, or even all possible addresses.

There are two rules when working with wildcard masks:

- A 0 (zero) in a wildcard mask means to check the corresponding bit in the address for an exact match.
- A 1 (one) in a wildcard mask means to ignore the corresponding bit in the address; it can be either 1 or 0. In the examples, this is shown as x.

Example 1: 172.16.0.0 0.0.255.255

172.16.0.0  = 10101100.00010000.00000000.00000000
0.0.255.255 = 00000000.00000000.11111111.11111111
Result      = 10101100.00010000.xxxxxxxx.xxxxxxxx

172.16.x.x (anything between 172.16.0.0 and 172.16.255.255 matches the example statement)

TIP: An octet of all 0s means that the octet has to match the address exactly. An octet of all 1s means that the octet can be ignored.

Example 2: 172.16.8.0 0.0.7.255

172.16.8.0 = 10101100.00010000.00001000.00000000
0.0.7.255  = 00000000.00000000.00000111.11111111
Result     = 10101100.00010000.00001xxx.xxxxxxxx

00001xxx = 00001000 to 00001111 = 8-15
xxxxxxxx = 00000000 to 11111111 = 0-255

Anything between 172.16.8.0 and 172.16.15.255 matches the example statement.

Note that a wildcard mask is a bit pattern, not a range: only a wildcard whose 1 bits are contiguous at the low end (the inverse of a subnet mask, as in both examples) describes a single contiguous block of addresses.

ACL Keywords

any     Used in place of 0.0.0.0 255.255.255.255; matches any address that it is compared against
host    Used in place of the 0.0.0.0 wildcard mask; matches only one specific address

Creating Standard ACLs

NOTE: Standard ACLs are the oldest type of ACL. They date back as early as Cisco IOS Release 8.3. Standard ACLs control traffic by comparing the source of the IP packets to the addresses configured in the ACL.
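The wildcard-mask rules and the host/any keywords above, worked through in code. This is an added example written for this page, not code from the book; it uses only Python's standard ipaddress module, and the 10.1.1.0 0.0.254.255 entry is a constructed illustration of a non-contiguous mask that the "range" reading cannot express. It goes slightly beyond the book's two examples by also deriving a wildcard from a subnet mask and by zeroing the don't-care bits of the base address, as IOS does when it stores an entry.

```python
"""Wildcard-mask matching as IOS ACLs apply it (added example, not the book's code).

wildcard bit 0 -> the address bit must match exactly
wildcard bit 1 -> the address bit is ignored
"""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base/wildcard: every bit where the wildcard is 0 must be equal."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def is_contiguous(wildcard: str) -> bool:
    """A wildcard of the form 0...01...1 (an inverted subnet mask).
    Only then does the entry describe one contiguous address range."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def wildcard_range(base: str, wildcard: str):
    """Lowest and highest address matched; valid only for contiguous wildcards."""
    if not is_contiguous(wildcard):
        raise ValueError("non-contiguous wildcard mask does not describe one range")
    w = to_int(wildcard)
    low = to_int(base) & ~w & 0xFFFFFFFF
    return to_dotted(low), to_dotted(low | w)


def mask_to_wildcard(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask (255.255.248.0 -> 0.0.7.255)."""
    return to_dotted(~to_int(subnet_mask) & 0xFFFFFFFF)


def normalize_base(base: str, wildcard: str) -> str:
    """Zero the don't-care bits of the base address: 172.16.9.77 0.0.7.255
    and 172.16.8.0 0.0.7.255 match exactly the same addresses."""
    return to_dotted(to_int(base) & ~to_int(wildcard) & 0xFFFFFFFF)


# The two keywords the chapter describes
HOST_WILDCARD = "0.0.0.0"                 # host 172.17.0.1 == 172.17.0.1 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")      # any == 0.0.0.0 255.255.255.255


if __name__ == "__main__":
    print(wildcard_range("172.16.0.0", "0.0.255.255"))   # Example 1
    print(wildcard_range("172.16.8.0", "0.0.7.255"))     # Example 2
    print(mask_to_wildcard("255.255.248.0"))
    print(normalize_base("172.16.9.77", "0.0.7.255"))
    # Constructed non-contiguous mask: bit 0 of the third octet must be 1,
    # so this matches 10.1.1.0/24, 10.1.3.0/24, ... 10.1.255.0/24 and nothing else.
    print(wildcard_match("10.1.3.9", "10.1.1.0", "0.0.254.255"))
    print(wildcard_match("10.1.2.9", "10.1.1.0", "0.0.254.255"))
    print(is_contiguous("0.0.254.255"))
```

Reading an entry as "from X to Y" is only safe when is_contiguous() is true; for anything else, compare bit patterns, because a non-contiguous mask can silently match (or miss) subnets far outside the apparent range.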


NOTE: Each line in an ACL is called an access control entry (ACE). Many ACEs grouped together form a single ACL.

Router(config)#access-list 10 permit 172.16.0.0 0.0.255.255
    Read this line to say, "All packets with a source IP address of 172.16.x.x will be matched by this statement and permitted; a matched packet is not checked against the rest of the ACL"
    access-list = ACL command
    10 = Arbitrary number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL
    permit = Packets that match this statement will be allowed to continue
    172.16.0.0 = Source IP address to be compared to
    0.0.255.255 = Wildcard mask

Router(config)#access-list 10 deny host 172.17.0.1
    Read this line to say, "All packets with a source IP address of 172.17.0.1 will be dropped and discarded"
    access-list = ACL command
    10 = Number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL
    deny = Packets that match this statement will be dropped and discarded
    host = Keyword
    172.17.0.1 = Specific host address

Router(config)#access-list 10 permit any
    Read this line to say, "All packets with any source IP address will be matched by this statement and permitted; a matched packet is not checked against the rest of the ACL"
    access-list = ACL command
    10 = Number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL
    permit = Packets that match this statement will be allowed to continue
    any = Keyword to mean all IP addresses

TIP: An implicit deny statement is assumed at the end of every ACL. You cannot see it, but it states "deny everything not already matched by an ACE in the list." This is always the last line of any ACL. If you want to defeat this implicit deny, put a permit any statement in your standard ACLs or a permit ip any any in your extended ACLs as the last line.

TIP: Because the first matching ACE decides, the order of the entries matters. In the list above, a packet from 172.17.0.1 is denied only because the host entry is checked before permit any; entered in the opposite order, the deny would never be reached.

Applying Standard ACLs to an Interface

Router(config)#interface gigabitethernet 0/0
    Moves to interface configuration mode

Router(config-if)#ip access-group 10 out
    Takes all ACEs that are defined as being part of group 10 and applies them in an outbound manner. Packets leaving the router through interface gigabitethernet 0/0 will be checked


TIP: Access lists can be applied in either an inbound direction (keyword in) or an outbound direction (keyword out). Best practice for standard ACLs is to apply them in an outbound direction.

TIP: Not sure in which direction to apply an ACL? Look at the flow of packets. Do you want to filter packets as they are going in a router's interface from an external source? Use the keyword in for this ACL. Do you want to filter packets before they go out of the router's interface toward another device? Use the keyword out for this ACL.

TIP: Apply a standard ACL as close as possible to the destination network or device. A standard ACL checks only the source address, so placing it near the source would filter out every packet from that source, including packets bound for destinations it should legitimately reach.

Verifying ACLs

Router#show ip interface
    Displays any ACLs applied to that interface

Router#show access-lists
    Displays the contents of all ACLs on the router

Router#show access-list access-list-number
    Displays the contents of the ACL by the number specified

Router#show access-list name
    Displays the contents of the ACL by the name specified

Router#show run
    Displays all ACLs and interface assignments

Removing ACLs

Router(config)#no access-list 10
    Removes all ACEs in ACL number 10

TIP: The ip access-group command on the interface is not removed with the list. An access-group that references an ACL with no entries permits all traffic, so an interface that still points at ACL 10 passes everything until the list is re-created.

Creating Extended ACLs

NOTE: Extended ACLs were also introduced in Cisco IOS Release 8.3. Extended ACLs control traffic by comparing the source and destination of the IP packets to the addresses configured in the ACL. Extended ACLs can also filter packets using protocol/port numbers for a more granular filter.

Router(config)#access-list 110 permit tcp 172.16.0.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 80
    Read this line to say, "HTTP packets with a source IP address of 172.16.0.x and a destination IP address of 192.168.100.x will be matched by this statement and permitted; a matched packet is not checked against the rest of the ACL"
    access-list = ACL command
    110 = Number between 100 and 199, or 2000 and 2699, designating this as an extended IP ACL
    permit = Packets that match this statement will be allowed to continue
    tcp = Protocol must be TCP
    172.16.0.0 = Source IP address to be compared to
    0.0.0.255 = Wildcard mask for the source IP address


    192.168.100.0 = Destination IP address to be compared to
    0.0.0.255 = Wildcard mask for the destination IP address
    eq = Operand; means "equal to"
    80 = Port 80, indicating HTTP traffic (the ACL matches on the destination port number only; it does not inspect whether the payload is actually HTTP)

Router(config)#access-list 110 deny tcp any 192.168.100.7 0.0.0.0 eq 23
    Read this line to say, "Telnet packets with any source IP address will be dropped if they are addressed to the specific host 192.168.100.7"
    access-list = ACL command
    110 = Number between 100 and 199, or 2000 and 2699, designating this as an extended IP ACL
    deny = Packets that match this statement will be dropped and discarded
    tcp = Protocol must be TCP
    any = Any source IP address
    192.168.100.7 = Destination IP address to be compared to
    0.0.0.0 = Wildcard mask; address must match exactly (host 192.168.100.7 is equivalent)
    eq = Operand; means "equal to"
    23 = Port 23, indicating Telnet traffic

Applying Extended ACLs to an Interface

Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group 110 in
    Moves to interface configuration mode and takes all access list lines that are defined as being part of group 110 and applies them in an inbound manner. Packets going in gigabitethernet 0/0 will be checked

TIP: Access lists can be applied in either an inbound direction (keyword in) or an outbound direction (keyword out). Best practice for extended ACLs is to apply them in an inbound manner.

TIP: Only one access list can be applied per interface, per direction, per protocol.

TIP: Apply an extended ACL as close as possible to the source network or device. This ensures that packets that are intended to be dropped do not travel across the network before being discarded.

The established Keyword

The established keyword is an optional keyword that is used with the TCP protocol only. It indicates an established connection. A match occurs only if the TCP segment has the ACK or RST control bit set, which is true of every segment after the initial SYN; a new connection attempt (SYN without ACK) never matches.

Router(config)#access-list 110 permit tcp 172.16.0.0 0.0.0.255 eq 80 192.168.100.0 0.0.0.255 established
    Indicates an established connection: return traffic from web servers in 172.16.0.x (source port 80) to clients in 192.168.100.x is permitted, while a new connection opened from 172.16.0.x toward 192.168.100.x is not

TIP: The established check looks only at the flag bits of the segment, not at a table of connections the router has seen. Any segment with ACK or RST set matches, including a crafted one that belongs to no real connection, so established is not a substitute for a stateful firewall.
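The evaluation rules this chapter describes (top-to-bottom first match, the implicit deny, and the flag-only semantics of established), run over ACL 110 as built above. This is an added example written for this page, not the book's or Cisco's code; the ACL entries are the three from the text, the packets are constructed samples, and the flag sets on them are assumptions about what each sample segment carries.

```python
"""First-match evaluation of an IOS extended ACL (added example, not from the book).

Models: ACEs checked in order, first match decides, implicit deny after the last
ACE, and 'established' matching only TCP segments with ACK or RST set.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: bits where the wildcard is 0 must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


ANY = ("0.0.0.0", "255.255.255.255")      # the 'any' keyword


def host(address: str) -> tuple:          # the 'host' keyword
    return (address, "0.0.0.0")


@dataclass
class ACE:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp", "icmp"
    src: tuple                            # (address, wildcard)
    dst: tuple
    sport: Optional[int] = None           # 'eq' on the source port
    dport: Optional[int] = None           # 'eq' on the destination port
    established: bool = False             # TCP only: ACK or RST must be set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()        # TCP flags present, e.g. {"SYN"} or {"ACK"}


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wc_match(pkt.src, *ace.src) and wc_match(pkt.dst, *ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # established is a flag check only: no connection table is consulted
    if ace.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, index of the deciding ACE); index -1 means the implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", -1


# ACL 110 with the three entries from the chapter, in the order they were entered
ACL_110 = [
    ACE("permit", "tcp", ("172.16.0.0", "0.0.0.255"), ("192.168.100.0", "0.0.0.255"), dport=80),
    ACE("deny", "tcp", ANY, host("192.168.100.7"), dport=23),
    ACE("permit", "tcp", ("172.16.0.0", "0.0.0.255"), ("192.168.100.0", "0.0.0.255"),
        sport=80, established=True),
]

# Constructed sample packets (assumed flag sets)
HTTP_REQUEST = Packet("172.16.0.5", "192.168.100.7", "tcp", 51000, 80, frozenset({"SYN"}))
TELNET_ATTEMPT = Packet("10.9.9.9", "192.168.100.7", "tcp", 51001, 23, frozenset({"SYN"}))
DNS_QUERY = Packet("172.16.0.5", "192.168.100.7", "udp", 51002, 53)
WEB_REPLY = Packet("172.16.0.9", "192.168.100.20", "tcp", 80, 51000, frozenset({"ACK"}))
SYN_FROM_PORT_80 = Packet("172.16.0.9", "192.168.100.20", "tcp", 80, 51000, frozenset({"SYN"}))
ACK_PROBE = Packet("172.16.0.9", "192.168.100.20", "tcp", 80, 445, frozenset({"ACK"}))

if __name__ == "__main__":
    samples = [("HTTP request", HTTP_REQUEST), ("Telnet attempt", TELNET_ATTEMPT),
               ("DNS query", DNS_QUERY), ("web reply", WEB_REPLY),
               ("SYN from port 80", SYN_FROM_PORT_80), ("ACK probe to 445", ACK_PROBE)]
    for name, pkt in samples:
        print(f"{name:18} -> {evaluate(ACL_110, pkt)}")
```

The DNS query is dropped by the implicit deny even though nothing in the list mentions UDP, and appending ACE("permit", "ip", ANY, ANY) is what changes that, exactly as the tip on defeating the implicit deny says. The last sample is the one to note: a segment with ACK set from source port 80 matches the established entry whatever its destination port, which is why an ACK probe passes this ACL while a real new connection does not.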