Chapter 4: Access Control Lists
CCNA Routing and Switching: Connecting Networks
Cisco Networking Academy Program – Instructor Materials
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Instructor Materials – Chapter 4 Planning Guide
§This PowerPoint deck is divided in two parts:
1.Instructor Planning Guide
  §Information to help you become familiar with the chapter
  §Teaching aids
2.Instructor Class Presentation
  §Optional slides that you can use in the classroom
  §Begins on slide # 9
§Note: Remove the Planning Guide from this presentation before sharing with anyone.

Course Planning Guide – Chapter 4: Access Control Lists

Chapter 4: Activities
§What activities are associated with this chapter?

Page #    Activity Type   Activity Name                                                 Optional?
4.1.1.5   Activity        Determine the Correct Wildcard Mask                           -
4.1.1.6   Activity        ACL Operation                                                 -
4.1.2.6   Activity        Placing Standard and Extended ACLs                            -
4.1.3.5   Packet Tracer   Configure Standard IPv4 ACLs                                  Optional
4.1.3.6   Video           Standard ACL Configuration Part 1                             -
4.1.3.7   Video           Standard ACL Configuration Part 2                             -
4.2.2.7   Activity        Create an Extended ACL Statement                              -
4.2.2.8   Activity        Evaluating Extended ACEs                                      -
4.2.2.9   Activity        ACL Testlet                                                   -
4.2.2.10  Packet Tracer   Configuring Extended ACLs – Scenario 1                        Optional
4.2.2.11  Packet Tracer   Configuring Extended ACLs – Scenario 2                        Optional
4.2.2.12  Packet Tracer   Configuring Extended ACLs – Scenario 3                        Optional
4.2.2.13  Lab             Configuring and Verifying Extended ACLs                       Recommended
4.3.2.6   Packet Tracer   Configuring IPv6 ACLs                                         Optional
4.3.2.7   Lab             Configuring and Verifying IPv6 ACLs                           Recommended
4.4.1.5   Activity        Place in Order the Steps of the ACL Decision Making Process   -
4.4.2.9   Packet Tracer   Troubleshooting IPv4 ACLs                                     Recommended
4.4.2.10  Packet Tracer   Troubleshooting IPv6 ACLs                                     Recommended
4.4.2.11  Lab             Troubleshooting ACL Configuration and Placement               Optional
4.5.1.1   Packet Tracer   Skills Integration Challenge                                  Recommended

The password used in the Packet Tracer activities in this chapter is: PT_ccna5

Chapter 4: Assessment
§Students should complete the Chapter 4 Assessment after completing Chapter 4.
§Quizzes, labs, Packet Tracers and other activities can be used to informally assess student progress.
Chapter 4: Best Practices
§Prior to teaching Chapter 4, the instructor should:
  §Complete the Chapter 4 Assessment.
  §Ensure all activities are completed. This is a very important concept and hands-on time is vital.
  §Provide the students many ACL-building activities.
  §Encourage students to log in with their cisco.com login and read http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-sy-book/sec-acl-ov-gdl.html

Chapter 4: Additional Help
§For additional help with teaching strategies, including lesson plans, analogies for difficult concepts, and discussion topics, visit the CCNA Community at community.netacad.net.
§If you have lesson plans or resources that you would like to share, upload them to the CCNA Community in order to help other instructors.

Chapter 4: Access Control Lists
Cisco Networking Academy Program – Connecting Networks

Chapter 4 – Sections & Objectives
§4.1 Standard ACL Operation and Configuration
  •Configure standard IPv4 ACLs.
§4.2 Extended IPv4 ACLs
  •Configure extended IPv4 ACLs.
§4.3 IPv6 ACLs
  •Configure IPv6 ACLs.
§4.4 Troubleshoot ACLs
  •Troubleshoot ACLs.
4.1 Standard ACL Operation and Configuration Review

ACL Operation Overview – ACLs and the Wildcard Mask (4.1.1)
§An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).
§As network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE in order and acts on the first ACE that matches; later ACEs are not evaluated. If no ACE matches, the packet is dropped by the implicit deny that ends every ACL.
§An IPv4 ACE uses a wildcard mask to filter IPv4 addresses. A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored. For example, 192.168.10.0 0.0.0.255 matches every address in 192.168.10.0/24, host 192.168.10.10 (wildcard 0.0.0.0) matches exactly one address, and any (0.0.0.0 255.255.255.255) matches every address. The wildcard bits do not have to be contiguous, which is what makes a mask such as 0.0.254.255 match only the odd-numbered /24 subnets.

ACL Operation Overview – Applying ACLs to an Interface (4.1.2)
ACL Operation Overview – A TCP Conversation (4.1.1.3)
§TCP segments are marked with flags that denote their purpose:
  •a SYN starts (synchronizes) the session
  •an ACK is an acknowledgment that an expected segment was received
  •a FIN finishes the session.
§The TCP segment also identifies the port that matches the requested service (for example, destination port 23 for Telnet or 21 for FTP control). Extended ACLs match on these ports and, with the established keyword, on whether the ACK (or RST) flag is set, which distinguishes return traffic of an existing session from a new connection attempt.

ACL Operation Overview – ACL Packet Filtering (4.1.1.4)
§Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding or discarding them based on given criteria.

Types of IPv4 ACLs – Standard and Extended IPv4 ACLs (4.1.2.1)
§Two types of Cisco IPv4 ACLs:
  •Standard
    oStandard ACLs can be used to permit or deny traffic based only on the source IPv4 address. The destination of the packet and the ports involved are not evaluated.
  •Extended
    oExtended ACLs filter IPv4 packets based on several attributes:
      - Protocol type
      - Source IPv4 address
      - Destination IPv4 address
      - Source TCP or UDP ports
      - Destination TCP or UDP ports
      - Optional protocol type information for finer control (for example, ICMP message types or the TCP established keyword)

Types of IPv4 ACLs – Numbered and Named ACLs (4.1.2.2)
§Standard and extended ACLs can be created using either a number or a name to identify the ACL. Named ACLs are easier to read and can be edited in place by sequence number.

Types of IPv4 ACLs – Where to Place ACLs (4.1.2.3)
§Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
  •Extended ACLs – Locate extended ACLs as close as possible to the source of the traffic to be filtered, so that unwanted traffic is dropped before it crosses the network.
  •Standard ACLs – Because standard ACLs do not specify destination addresses, place them as close to the destination as possible; placed near the source, a standard ACL would block the source's traffic to every destination, not just the intended one.
§Placement of the ACL, and therefore the type of ACL used, may also depend on the extent of the network administrator's control, the bandwidth of the networks involved, and ease of configuration.

Types of IPv4 ACLs – Standard ACL Placement Example (4.1.2.4)
§The administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. A standard ACL can only match the source, so it is placed on the router interface closest to 192.168.30.0/24 (the destination); that way traffic from 192.168.10.0/24 to every other network is unaffected.

Types of IPv4 ACLs – Extended ACL Placement Example (4.1.2.5)
§The administrator wants to deny Telnet and FTP traffic from the 192.168.11.0/24 network to Company B's 192.168.30.0/24 network. All other traffic from the .11 network must be permitted to leave Company A without restriction. An extended ACL can match source, destination and port together, so it is placed inbound on the Company A router interface connected to 192.168.11.0/24, as close to the source as possible, and the unwanted Telnet and FTP sessions never cross the link to Company B.

Standard IPv4 ACL Configuration – Configure a Standard IPv4 ACL (4.1.3.1)
§Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
§Standard ACLs use numbers 1 through 99 (and the expanded range 1300 through 1999). If source-wildcard is omitted it defaults to 0.0.0.0, that is, a single host. The remark keyword stores a comment that appears in show running-config and makes the intent of the next ACE clear.

Standard IPv4 ACL Configuration – Apply a Standard IPv4 ACL (4.1.3.2)
§The ACL does nothing until it is activated on an interface with the ip access-group command in interface configuration mode, specifying the direction (in or out).
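As an added example (not code from the Cisco deck), the following Python models how a standard IPv4 ACL evaluates a packet's source address: it derives a wildcard mask from a prefix length, applies IOS wildcard semantics (0 = must match, 1 = ignore, non-contiguous masks allowed) and walks the ACEs top-down with the implicit deny at the end. The ACL text (ACL 10) is constructed here to match the standard-ACL placement example above; the function names are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len block: the bitwise inverse of the subnet mask
    (/24 -> 255.255.255.0 -> 0.0.0.255, /26 -> 0.0.0.63, /32 -> 0.0.0.0)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(ALL_ONES ^ subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match the base address,
    a 1 bit is ignored. Non-contiguous masks (0.0.254.255 = odd third octets) work too."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & ALL_ONES) == 0


def parse_standard_ace(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}'.
    Returns (action, base, wildcard), or None for a remark line."""
    t = line.split()
    if t[0] != "access-list" or t[2] == "remark":
        return None
    action, rest = t[2], t[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    # IOS default when the wildcard is omitted is 0.0.0.0, i.e. that single host
    return action, rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"


def evaluate_standard_acl(acl: List[str], source: str) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins; no match falls through to the implicit 'deny any'."""
    for line in acl:
        ace = parse_standard_ace(line)
        if ace is not None and wildcard_match(source, ace[1], ace[2]):
            return ace[0], line
    return "deny", None


# Constructed sample: the standard-ACL placement example, meant for the router
# interface closest to 192.168.30.0/24 (the destination).
ACL_10 = [
    "access-list 10 remark Keep 192.168.10.0/24 out of 192.168.30.0/24",
    "access-list 10 deny 192.168.10.0 " + wildcard_from_prefix(24),
    "access-list 10 permit any",
]

if __name__ == "__main__":
    for src in ("192.168.10.10", "192.168.11.10"):
        print(src, "->", evaluate_standard_acl(ACL_10, src))
    # Without the final 'permit any' only the implicit deny is left: everything drops.
    print("no permit any ->", evaluate_standard_acl(ACL_10[:2], "192.168.11.10"))
```

Dropping the last `permit any` line (ACL_10[:2]) is the classic mistake: the deny still works, but every other source is now silently dropped by the implicit deny, which is what the `show access-lists` match counters would reveal.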
Standard IPv4 ACL Configuration – Named Standard IPv4 ACLs (4.1.3.3)
§A named standard ACL is created with the ip access-list standard name command; the permit and deny statements are then entered in named-ACL configuration mode, and the ACL is applied to an interface by name with ip access-group.

Standard IPv4 ACL Configuration – Verify ACLs (4.1.3.4)
§show access-lists displays the ACEs with their sequence numbers and match counters, and show ip interface confirms which ACL is applied to an interface and in which direction. A counter that never increments on the ACE you expect to match is the quickest sign that the ACL is on the wrong interface or direction.

4.2 Extended IPv4 ACLs

Structure of an Extended IPv4 ACL – Extended ACLs (4.2.1.1)
§Extended ACLs are used more often than standard ACLs because they provide a greater degree of control.

Structure of an Extended IPv4 ACL – Filtering Ports and Services (4.2.1.2)
§The ability to filter on protocol and port number allows network administrators to build very specific extended ACLs.
§An application can be specified by configuring either the port number or the name of a well-known port (for example, eq 23 or eq telnet).
Configure Extended IPv4 ACLs – Configuring Extended ACLs (4.2.2.1)
§The procedural steps for configuring extended ACLs are the same as for standard ACLs: the extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.
§Extended ACLs use numbers 100 through 199 (and the expanded range 2000 through 2699), or a name created with ip access-list extended name.

Configure Extended IPv4 ACLs – Applying Extended ACLs to Interfaces (4.2.2.2)

Configure Extended IPv4 ACLs – Filtering Traffic with Extended ACLs (4.2.2.3)

Configure Extended IPv4 ACLs – Creating Named Extended ACLs (4.2.2.4)

Configure Extended IPv4 ACLs – Verifying Extended ACLs (4.2.2.5)
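The following Python is an added example, not code from the Cisco deck. It parses named extended IPv4 ACEs in IOS syntax (protocol, source, destination, an optional eq port on either side, and the established keyword, which matches TCP segments that carry the ACK or RST bit) and evaluates a packet top-down by sequence number with the implicit deny ip any any at the end. It also models the sequence-number editing described under Editing Extended ACLs (4.2.2.6): inserting an ACE at a chosen sequence, removing one with no <seq>, and renumbering with ip access-list resequence. The ACL is constructed from the extended-ACL placement example; its name DENY-TELNET-FTP, the Packet and ExtendedAcl types and the small port-name table are this example's own, and only the eq port operator is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the well-known port names IOS accepts after 'eq'
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bit must match, 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK/RST bit set: what 'established' matches


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]      # (base, wildcard)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    established: bool
    text: str


def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return the pair and next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port|name>' (gt/lt/range are not modelled)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Tuple[Optional[int], Ace]:
    """'[seq] {permit|deny} proto SRC [eq p] DST [eq p] [established]'."""
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else None
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return seq, Ace(t[0], t[1], src, sport, dst, dport, "established" in t[i:], line)


class ExtendedAcl:
    """A named extended ACL whose ACEs are keyed by sequence number, as in IOS."""
    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, Ace] = {}

    def add(self, line: str) -> int:
        """Enter an ACE; without an explicit sequence IOS appends at last + 10."""
        seq, ace = parse_ace(line)
        if seq is None:
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = ace
        return seq

    def remove(self, seq: int) -> None:   # 'no <seq>' in named-ACL configuration mode
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> List[int]:
        """'ip access-list resequence NAME start step': renumber, keeping the order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + k * step: a for k, a in enumerate(ordered)}
        return list(self.entries)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First match in sequence order; implicit 'deny ip any any' when nothing matches."""
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e.proto not in ("ip", p.proto):
                continue
            if not (wc_match(p.src, *e.src) and wc_match(p.dst, *e.dst)):
                continue
            if e.sport not in (None, p.sport) or e.dport not in (None, p.dport):
                continue
            if e.established and not p.ack:
                continue
            return e.action, seq
        return "deny", None


def build_sample_acl() -> ExtendedAcl:
    """Constructed: the extended-ACL placement example (no Telnet/FTP from .11 to .30)."""
    acl = ExtendedAcl("DENY-TELNET-FTP")
    for line in ("deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq telnet",
                 "deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq ftp",
                 "deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq ftp-data",
                 "permit ip any any"):
        acl.add(line)
    return acl
```

Because the entries are keyed by sequence number, `acl.add("15 deny tcp host 192.168.11.10 host 192.168.30.12 eq www")` lands between the first two ACEs and is evaluated in that position, while `acl.remove(30)` followed by `acl.resequence(10, 10)` closes the gap the way the IOS resequence command does. The order matters: moving the `permit ip any any` line above the denies would make the denies unreachable.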
Configure Extended IPv4 ACLs – Editing Extended ACLs (4.2.2.6)
§Editing an extended ACL uses the same process as editing a standard ACL. An extended ACL can be modified using:
  •Method 1 – Text editor
    oThe ACL is copied and pasted into a text editor where the changes are made. The current access list is removed using the no access-list command, and the modified ACL is then pasted back into the configuration. While the list is being re-entered line by line, an interface that still references it is filtering with a partial ACL (and the implicit deny after its last entered line), so remove the binding with no ip access-group first, or use sequence numbers instead.
  •Method 2 – Sequence numbers
    oSequence numbers can be used to delete or insert a single ACE in a named ACL without re-entering the rest: in named-ACL configuration mode, no followed by the sequence number removes that entry, and a sequence number in front of a permit or deny statement inserts the entry at that position. Entries added without a sequence number are appended after the last one, numbered in steps of 10 by default.

4.3 IPv6 ACLs

IPv6 ACL Creation – Types of IPv6 ACLs (4.3.1.1)
§IPv6 ACLs are always named and always match on source, destination, protocol and ports; there is no standard or extended option to choose.

IPv6 ACL Creation – Comparing IPv4 and IPv6 ACLs (4.3.1.2)
§Although IPv4 and IPv6 ACLs are very similar, there are three significant differences between them.
§Applying an IPv6 ACL
  •IPv6 uses the ipv6 traffic-filter command (instead of ip access-group) to apply an ACL to an interface.
§No Wildcard Masks
  •The prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
§Additional Default Statements
  •permit icmp any any nd-na
  •permit icmp any any nd-ns
  •These two implicit entries keep IPv6 Neighbor Discovery (the IPv6 replacement for ARP) working and sit just before the implicit deny ipv6 any any. If an explicit deny ipv6 any any is added at the end of the list (for example, to log denied packets), it is evaluated before the implicit entries and Neighbor Discovery is blocked unless explicit permits for nd-na and nd-ns are added above it.

Configuring IPv6 ACLs – Configuring IPv6 Topology (4.3.2.1)

Configuring IPv6 ACLs – Configuring IPv6 ACLs (4.3.2.2)
§There are three basic steps to configure an IPv6 ACL:
1.From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL.
2.From the named ACL configuration mode, use permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.
3.Return to privileged EXEC mode.
§This IPv6 ACL does the following:
  •The first statement names the IPv6 access list NO-R3-LAN-ACCESS.
  •The second statement denies all IPv6 packets from the 2001:DB8:CAFE:30::/64 network destined for any IPv6 network.
  •The third statement allows all other IPv6 packets.
Configuring IPv6 ACLs – Applying an IPv6 ACL to an Interface (4.3.2.3)
§In interface configuration mode, ipv6 traffic-filter name followed by in or out applies the list in that direction.

Configuring IPv6 ACLs – IPv6 ACL Examples (4.3.2.4)
§Router R1 is configured with an IPv6 access list to deny FTP traffic to 2001:DB8:CAFE:11::/64. Ports for both FTP data (port 20) and FTP control (port 21) need to be blocked. (Passive-mode FTP negotiates a different data port, but denying the control connection on port 21 is enough to stop a session from being set up.)
§Because the filter is applied inbound on the G0/0 interface on R1, only traffic from the 2001:DB8:CAFE:10::/64 network will be denied.
§A second example enforces a web-server and Telnet policy:
1. The first two permit statements allow access from any device to the web server at 2001:DB8:CAFE:10::10.
2. All other devices are denied access to network 2001:DB8:CAFE:10::/64.
3. PC3 at 2001:DB8:CAFE:30::12 is permitted Telnet access to PC2, which has the IPv6 address 2001:DB8:CAFE:11::11.
4. All other devices are denied Telnet access to PC2.
5. All other IPv6 traffic is permitted to all other destinations.
6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001:DB8:CAFE:30::/64 network is affected.
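As an added example (not from the Cisco deck), the following Python evaluates IPv6 ACEs written in IOS syntax using prefix-length matching instead of wildcard masks, appends the two implicit Neighbor Discovery permits and the implicit deny ipv6 any any that IOS adds, and shows that an explicit deny ipv6 any any at the end of a list silently blocks Neighbor Discovery. The two ACLs are constructed from the examples above: the FTP filter on R1 (source any, so the inbound placement on G0/0 is what restricts it to the :10 network) and the web-server/Telnet policy. The ports for the two web-server permits (80 and 443), the ACL names, and the Packet6/Ipv6Acl types are this example's assumptions; only the eq port operator is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80}
ANY6 = ipaddress.IPv6Network("::/0")
# What IOS appends to every IPv6 ACL after the configured entries, in this order.
IMPLICIT_TAIL = [
    "permit icmp any any nd-na",   # keeps Neighbor Discovery (the ARP of IPv6) working
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]


@dataclass
class Packet6:
    proto: str                        # "tcp", "udp" or "icmp" (ICMPv6)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None   # "nd-ns", "nd-na", "echo-request", ...


@dataclass
class Ace6:
    action: str
    proto: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def parse_ace6(line: str) -> Ace6:
    """'{permit|deny} proto SRC [eq p] DST [eq p] [icmp-type]'; an address is
    'any', 'host X' or 'X/prefix-length' (IPv6 ACLs have no wildcard masks)."""
    t = line.split()
    action, proto, i = t[0], t[1], 2
    nets, ports = [], []
    for _ in range(2):                                   # source, then destination
        if t[i] == "any":
            nets.append(ANY6); i += 1
        elif t[i] == "host":
            nets.append(ipaddress.IPv6Network(t[i + 1] + "/128")); i += 2
        else:
            nets.append(ipaddress.IPv6Network(t[i], strict=False)); i += 1
        if i < len(t) and t[i] == "eq":
            ports.append(PORTS.get(t[i + 1]) or int(t[i + 1])); i += 2
        else:
            ports.append(None)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return Ace6(action, proto, nets[0], nets[1], ports[0], ports[1], icmp_type, line)


class Ipv6Acl:
    def __init__(self, name: str, lines: List[str]):
        self.name = name
        self.entries = [parse_ace6(l) for l in lines]

    def evaluate(self, p: Packet6) -> Tuple[str, str]:
        """First match over the configured ACEs, then over the implicit tail."""
        s, d = ipaddress.IPv6Address(p.src), ipaddress.IPv6Address(p.dst)
        for e in self.entries + [parse_ace6(l) for l in IMPLICIT_TAIL]:
            if e.proto not in ("ipv6", p.proto) or s not in e.src or d not in e.dst:
                continue
            if e.sport not in (None, p.sport) or e.dport not in (None, p.dport):
                continue
            if e.icmp_type is not None and e.icmp_type != p.icmp_type:
                continue
            return e.action, e.text
        raise RuntimeError("unreachable: the implicit deny matches everything")


# A Neighbor Solicitation as a host would send it (constructed sample packet).
ND_NS = Packet6("icmp", "FE80::1", "FF02::1:FF00:11", icmp_type="nd-ns")


def nd_works(acl: Ipv6Acl) -> bool:
    """Would hosts behind an interface filtered by this ACL still resolve neighbours?"""
    return acl.evaluate(ND_NS)[0] == "permit"


# Constructed: R1's FTP filter. Source is 'any'; applying it inbound on G0/0 is what
# limits it to 2001:DB8:CAFE:10::/64.
NO_FTP_TO_11 = Ipv6Acl("NO-FTP-TO-11", [
    "deny tcp any 2001:DB8:CAFE:11::/64 eq ftp",
    "deny tcp any 2001:DB8:CAFE:11::/64 eq ftp-data",
    "permit ipv6 any any",
])
# Constructed: the web-server / Telnet policy (items 1-5 above); ports 80 and 443 assumed.
RESTRICTED_LINES = [
    "permit tcp any host 2001:DB8:CAFE:10::10 eq 80",
    "permit tcp any host 2001:DB8:CAFE:10::10 eq 443",
    "deny ipv6 any 2001:DB8:CAFE:10::/64",
    "permit tcp host 2001:DB8:CAFE:30::12 host 2001:DB8:CAFE:11::11 eq telnet",
    "deny tcp any host 2001:DB8:CAFE:11::11 eq telnet",
    "permit ipv6 any any",
]
RESTRICTED_ACCESS = Ipv6Acl("RESTRICTED-ACCESS", RESTRICTED_LINES)
# Same policy closed with an explicit 'deny ipv6 any any' (as people add for logging):
# it precedes the implicit ND permits, so Neighbor Discovery is now dropped as well.
RESTRICTED_WITH_EXPLICIT_DENY = Ipv6Acl("RESTRICTED-LOG", RESTRICTED_LINES[:-1] + ["deny ipv6 any any"])
```

`nd_works(RESTRICTED_ACCESS)` is true because the final `permit ipv6 any any` catches the Neighbor Solicitation; for a list made only of denies, the implicit `permit icmp any any nd-ns` catches it instead. `nd_works(RESTRICTED_WITH_EXPLICIT_DENY)` is false: hosts on that LAN would stop resolving their neighbours (and their default router) shortly after the list is applied, which looks like a complete outage rather than an ACL problem.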
Configuring IPv6 ACLs – Verifying IPv6 ACLs (4.3.2.5)
§show ipv6 access-list displays the ACEs with their sequence numbers and match counters, and show ipv6 interface shows which list is applied with ipv6 traffic-filter and in which direction.

4.4 Troubleshoot ACLs

Processing Packets with ACLs – Inbound and Outbound ACL Logic (4.4.1.1)
§An inbound ACL is evaluated before the routing decision, as the packet enters the interface; an outbound ACL is evaluated after the routing decision, just before the packet leaves the chosen egress interface. Dropping unwanted traffic inbound spares the router the routing lookup.
Processing Packets with ACLs – ACL Logic Operations (4.4.1.2)
§As a frame enters an interface, the router checks whether the destination Layer 2 address matches the interface's Layer 2 address, or whether the frame is a broadcast frame.
§If the frame address is accepted, the frame header is stripped off and the router checks for an ACL on the inbound interface.
§If an ACL exists, the packet is tested against the statements in the list, in order.
§If the packet matches a statement, the packet is either permitted or denied; if no statement matches, the implicit deny drops it.
§If the packet is accepted, it is then checked against routing table entries to determine the destination interface.
§If a routing table entry exists for the destination, the packet is switched to the outgoing interface; otherwise the packet is dropped.
§Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied.
§If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Common ACL Errors – Troubleshooting IPv4 ACLs, Example 1 (4.4.2.1)
§Host 192.168.10.10 has no Telnet connectivity with 192.168.30.12.
§Typical causes in this and the following examples: ACEs in the wrong order, a wrong wildcard mask or port number, the ACL applied to the wrong interface or in the wrong direction, or a missing permit before the implicit deny. Use show access-lists to see which ACE is actually incrementing and show ip interface to confirm where the list is applied.

Common ACL Errors – Troubleshooting IPv4 ACLs, Example 2 (4.4.2.2)
§The 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network.

Common ACL Errors – Troubleshooting IPv4 ACLs, Example 3 (4.4.2.3)
§The 192.168.11.0/24 network can use Telnet to connect to 192.168.30.0/24, but this connection should not be allowed.

Common ACL Errors – Troubleshooting IPv4 ACLs, Example 4 (4.4.2.4)
§Host 192.168.30.12 is able to use Telnet to connect to 192.168.31.12, but this connection should not be allowed.

Common ACL Errors – Troubleshooting IPv4 ACLs, Example 5 (4.4.2.5)
§Host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but this connection should not be allowed.

Common ACL Errors – Troubleshooting IPv6 ACLs, Example 1 (4.4.2.6)
§R1 is configured with an IPv6 ACL to deny FTP access from the :10 network to the :11 network, but PC1 is still able to connect to the FTP server running on PC2.
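The inbound-ACL, route-lookup, outbound-ACL sequence from ACL Logic Operations (4.4.1.2), as an added example that is not from the Cisco deck. It models one router with a longest-prefix route lookup and an ACL hook per interface and direction, then applies the same list on the right and on the wrong interface and direction, which is the class of mistake the troubleshooting examples above are built around. The topology (R1 with G0/0 = 192.168.10.0/24, G0/1 = 192.168.11.0/24 and S0/0/0 toward 192.168.30.0/24), the ACL name BLOCK-11-TO-30 and the class names are constructed for this example; ACEs here match on source and destination network only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Ace:
    action: str
    src: Net
    dst: Net


@dataclass
class Acl:
    name: str
    entries: List[Ace]

    def check(self, src: str, dst: str) -> str:
        """First match wins; the implicit deny at the end catches everything else."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for e in self.entries:
            if s in e.src and d in e.dst:
                return e.action
        return "deny"


@dataclass
class Interface:
    network: Net
    inbound: Optional[Acl] = None     # ip access-group NAME in
    outbound: Optional[Acl] = None    # ip access-group NAME out


class Router:
    def __init__(self, ifaces: Dict[str, Interface], static_routes: List[Tuple[Net, str]]):
        self.ifaces = ifaces
        self.routes = [(i.network, n) for n, i in ifaces.items()] + static_routes

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over connected networks and static routes."""
        d = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if d in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def forward(self, src: str, dst: str, ingress: str) -> Tuple[str, str]:
        """The 4.4.1.2 sequence: inbound ACL, then routing, then outbound ACL."""
        acl_in = self.ifaces[ingress].inbound
        if acl_in and acl_in.check(src, dst) == "deny":
            return "dropped", f"inbound ACL {acl_in.name} on {ingress}"
        egress = self.lookup(dst)
        if egress is None:
            return "dropped", "no route"
        acl_out = self.ifaces[egress].outbound
        if acl_out and acl_out.check(src, dst) == "deny":
            return "dropped", f"outbound ACL {acl_out.name} on {egress}"
        return "forwarded", egress


def net(s: str) -> Net:
    return ipaddress.IPv4Network(s)


# Constructed policy: 192.168.11.0/24 must not reach 192.168.30.0/24, all else permitted.
BLOCK_11_TO_30 = Acl("BLOCK-11-TO-30", [
    Ace("deny", net("192.168.11.0/24"), net("192.168.30.0/24")),
    Ace("permit", net("0.0.0.0/0"), net("0.0.0.0/0")),
])


def build_r1(acl_iface: str, direction: str) -> Router:
    """Constructed R1: two LANs and a serial link toward R3's 192.168.30.0/24, with
    BLOCK-11-TO-30 applied on acl_iface in the given direction ('inbound'/'outbound')."""
    ifaces = {
        "G0/0": Interface(net("192.168.10.0/24")),
        "G0/1": Interface(net("192.168.11.0/24")),
        "S0/0/0": Interface(net("10.1.1.0/30")),
    }
    setattr(ifaces[acl_iface], direction, BLOCK_11_TO_30)
    return Router(ifaces, [(net("192.168.30.0/24"), "S0/0/0")])


if __name__ == "__main__":
    flow = ("192.168.11.10", "192.168.30.12", "G0/1")
    print("right place (G0/1 in):", build_r1("G0/1", "inbound").forward(*flow))
    print("wrong interface (G0/0 in):", build_r1("G0/0", "inbound").forward(*flow))
    print("outbound on S0/0/0:", build_r1("S0/0/0", "outbound").forward(*flow))
```

Applied inbound on G0/1 (closest to the source) the list drops the flow before routing; applied inbound on G0/0 it never sees traffic that enters on G0/1, so the connection "that should not be allowed" succeeds; applied outbound on S0/0/0 it still drops the flow, but only after a routing lookup and only for traffic that leaves through that one interface.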
Common ACL Errors – Troubleshooting IPv6 ACLs, Example 2 (4.4.2.7)
§R3 is configured with IPv6 ACL RESTRICTED-ACCESS that should enforce the following policy for the R3 LAN: (policy table shown as a figure on the original slide)
§However, after configuring the ACL, PC3 cannot reach the :10 network or the :11 network, and it cannot SSH into the host at 2001:DB8:CAFE:11::11.
Common ACL Errors – Troubleshooting IPv6 ACLs, Example 3 (4.4.2.8)
§R1 is configured with IPv6 ACL DENY-ACCESS that should enforce the following policy for the R3 LAN: (policy table shown as a figure on the original slide)
§However, after applying the ACL to the interface, the :10 network is still reachable from the :30 network.

4.5 Chapter Summary

Chapter Summary
§By default a router does not filter traffic. Traffic that enters the router is routed solely based on information within the routing table.
§An ACL is a sequential list of permit or deny statements. The last statement of an ACL is always an implicit deny any statement, which blocks all traffic that no earlier statement matched. To prevent the implied deny any at the end of the ACL from blocking all remaining traffic, a permit ip any any statement can be added as the last explicit entry.
§When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each entry, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly and no later entries are evaluated.
§ACLs can be applied to inbound traffic or to outbound traffic.
§Standard ACLs can be used to permit or deny traffic only from a source IPv4 address. The basic rule for placing a standard ACL is to place it close to the destination.
§Extended ACLs filter packets based on several attributes: protocol type, source or destination IPv4 address, and source or destination ports. The basic rule for placing an extended ACL is to place it as close to the source as possible.

Summary Continued
§The access-list global configuration command defines a standard ACL with a number in the range 1 through 99 (or 1300 through 1999) or an extended ACL with a number in the range 100 through 199 (or 2000 through 2699). The ip access-list standard name command creates a standard named ACL, whereas ip access-list extended name creates an extended named ACL.
§After an ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode. A device can only have one ACL per protocol, per direction, per interface.
§To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
§The show running-config and show access-lists commands are used to verify ACL configuration. The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied.
§The access-class command configured in line configuration mode is used to link an ACL to the VTY lines, restricting which source addresses may open a remote management session (Telnet or SSH) to the device.
§Unlike IPv4 ACLs, IPv6 ACLs do not have a standard or extended option; every IPv6 ACL can match on source, destination, protocol and ports.
§From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL.
§Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
§After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command.