Chapter 7: Access Control Lists
Cisco Networking Academy Program, Routing and Switching Essentials v6.0

Access router configuration (example of a real configuration)

    router ospf 100
     redistribute connected metric 100 metric-type 1 subnets
     redistribute static metric 100 metric-type 1 subnets
     passive-interface Ethernet0
     network 10.0.144.0 0.0.0.255 area 9
     area 9 nssa
    !
    no ip classless
    logging buffered alerts
    logging console informational
    logging 10.192.17.3
    access-list 1 permit 10.132.36.16
    access-list 1 permit 10.132.37.11
    access-list 1 permit 10.132.37.3
    access-list 2 permit 10.0.0.0 0.255.255.255
    snmp-server community public RW 1
    snmp-server trap-source Loopback1
    snmp-server packetsize 8192
    snmp-server trap-authentication
    snmp-server queue-length 50
    snmp-server enable traps isdn
    snmp-server enable traps config
    snmp-server enable traps bgp
    snmp-server enable traps frame-relay
    snmp-server host 10.192.17.3 public tty snmp

What to notice in this excerpt:
• Standard ACL 1 is a whitelist of three management hosts (each entry has no wildcard, so it matches exactly one address). It is referenced by the read-write SNMP community (snmp-server community public RW 1): only those three source addresses may use the community. ACL 2, which permits all of 10.0.0.0/8, is defined but not referenced anywhere in the excerpt shown.
• The community string is the well-known default "public", with read-write rights. Lecturer's note: attack using snmpbrute (an SNMP community-string brute-forcing tool). With SNMPv1/v2c the community string is the only credential, so the source-address ACL is the control that actually matters here, and it is only as strong as the attacker's inability to reach the router with UDP packets whose source address is spoofed to one of the three permitted hosts.

Backbone router configuration (example of a real configuration; the lines marked ":" are elided in the original)

    version 11.2
    no service finger
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname Prague_General_Staff
    !
    boot system flash slot0:rsp-isv-mz_112-17_P.bin
    aaa new-model
    aaa authentication login default tacacs+ local
    aaa authorization exec tacacs+ local
    aaa authorization commands 1 tacacs+ local
    aaa authorization commands 15 tacacs+ local
    aaa accounting exec start-stop tacacs+
    aaa accounting commands 0 start-stop tacacs+
    :
    aaa accounting commands 15 start-stop tacacs+
    aaa accounting system start-stop tacacs+
    enable password 7 121A0C041B04
    !
    username Prague_General_Staff password 7 094F471C1A0B
    :
    username commander_01 password 7 121A0C041104
    ip domain-name army.cz
    ip name-server 10.132.36.5
    isdn switch-type primary-net5

What to notice in this excerpt:
• AAA is enabled with TACACS+ first and the local user database as fallback, for login authentication, exec and command authorization (privilege levels 1 and 15) and accounting. The local usernames exist so that the router stays manageable when the TACACS+ server is unreachable.
• service password-encryption only applies Cisco type 7 encoding, which is reversible by design; the enable password and every username shown are type 7 strings. Cisco's recommendation is enable secret (an MD5 hash in IOS of this era) for the enable password, and the type 7 strings should be treated as plaintext wherever the configuration is stored or shared.
• service udp-small-servers and service tcp-small-servers are explicitly enabled (echo, chargen, discard, daytime); IOS 11.3 and later disable them by default because they are an easy target for reflection and denial-of-service traffic. no service finger is set, which is good practice.

7.1 ACL Operation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Section objectives:
• how ACLs filter traffic
• how ACLs use wildcard masks
• how to place ACLs

7.1.1.1 What is an ACL?
• An ACL is a series of IOS commands that control whether a router forwards or drops packets, based on information found in the packet header.
• ACLs are not configured by default.
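Returning to the backbone router configuration above: the point about service password-encryption is easy to verify. The following is an added example, not part of the curriculum or of the configurations shown; the function names are my own, and the algorithm and fixed key it uses are the publicly documented type 7 scheme that every recovery tool implements. The sample configuration it scans is constructed: the commander_01 line is taken from the backbone configuration on this page, the second username is my own test vector.

```python
# Cisco type 7 (`service password-encryption`) decoder and encoder.
# Added example for this page, not part of the curriculum; the function names
# are my own. The algorithm and the fixed key below are the publicly
# documented ones that every type 7 recovery tool implements.
import re

# Fixed key shared by every IOS device; the two leading decimal digits of a
# type 7 string give the starting offset into it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as 121A0C041104 back to its plaintext.
    Raises ValueError for strings that are not well-formed type 7 (wrong
    length, non-numeric offset, or a result that is not printable ASCII)."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 12) -> str:
    """What IOS does on `service password-encryption`: XOR each character with
    the key starting at `offset` (IOS picks 0..15) and prepend the offset."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = bytes(ord(c) ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(plaintext))
    return f"{offset:02d}{data.hex().upper()}"


# `... password 7 <hex>` or `... key 7 <hex>` at the end of a config line.
TYPE7_LINE = re.compile(r"^(.*\b(?:password|key)\s+7\s+)([0-9A-Fa-f]{4,})\s*$")


def recover_type7(config_text: str) -> list:
    """Scan a running-config and return (line, plaintext) pairs for every
    type 7 string found, i.e. everything an attacker with a copy of the
    configuration obtains for free."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TYPE7_LINE.match(line)
        if m:
            found.append((line, type7_decode(m.group(2))))
    return found


# Constructed excerpt: the commander_01 line is the one from the backbone
# configuration on this page; test_user is my own test vector (offset 06).
SAMPLE_CONFIG = """\
service password-encryption
!
username commander_01 password 7 121A0C041104
username test_user password 7 060506324F41
"""

if __name__ == "__main__":
    for line, plain in recover_type7(SAMPLE_CONFIG):
        print(f"{line}  ->  {plain!r}")
```

Running the block decodes the commander_01 username from the page to "cisco" immediately, with no wordlist or cracking involved. Nothing is being broken here: type 7 was only ever meant to hide passwords from a casual glance over the shoulder, which is why the page's own enable password should be an enable secret and why copies of a running-config deserve the same handling as the passwords themselves.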
7.1.1.2 Purpose of ACLs: Packet Filtering
• An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).
• Packet filtering can be applied to incoming or outgoing packets and can examine Layer 3 information (source and destination IPv4 address) or Layer 4 information (TCP and UDP ports).
• The last statement of every ACL is an implicit deny any. An ACL that contains only deny statements therefore blocks all traffic, so every ACL needs at least one permit statement.

7.1.1.3 ACL Operation
• ACLs do not act on packets that originate from the router itself; an outbound ACL filters only transit traffic.
• Inbound ACLs: incoming packets are checked before they are routed. A denied packet is discarded without a routing lookup.
• Outbound ACLs: packets are routed to the outbound interface first and are then checked before leaving it.

7.1.2.1 Introducing ACL Wildcard Masking
• A wildcard mask is an inverse mask: a 0 bit means the corresponding bit of the address must match, a 1 bit means that bit is ignored. For a contiguous subnet the wildcard is the bitwise inverse of the subnet mask.

7.1.2.2 Wildcard Mask Examples
• Example 1: wildcard 0.0.0.0 checks all bits and matches exactly one address.
• Example 2: wildcard 255.255.255.255 checks no bits and matches any address.
• Example 3: 192.168.1.0 0.0.0.255 checks the first three octets and matches all hosts in 192.168.1.0/24.

7.1.2.3 Calculating the Wildcard Mask
• Subtract the subnet mask from 255.255.255.255, octet by octet: for a /24, 255.255.255.255 minus 255.255.255.0 gives 0.0.0.255; for a /27, 255.255.255.255 minus 255.255.255.224 gives 0.0.0.31.

7.1.2.4 Wildcard Mask Keywords
• 192.168.10.10 0.0.0.0 = host 192.168.10.10
• 0.0.0.0 255.255.255.255 = any

7.1.2.5 Wildcard Mask Keyword Examples
• The host and any keywords are shorthand for the two wildcard forms above and can replace them in any ACE.

7.1.3.1 General Guidelines for Creating ACLs

7.1.4.1 Where to Place ACLs
• Standard ACLs: since standard ACLs filter on the source address only and do not specify destination addresses, they should be configured as close to the destination as possible. Placed near the source, a standard ACL would also cut that source off from destinations that should remain reachable.
• Extended ACLs, which also match the destination, are placed as close to the source as possible so that unwanted traffic is dropped before it crosses the network.

7.1.4.2 Standard ACL Placement

7.2 Standard IPv4 ACLs

Section objectives:
• Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business (SMB) network.
• Configure a standard ACL to secure VTY access.
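The wildcard arithmetic of sections 7.1.2.1 to 7.1.2.5 in working code, as an added example that is not part of the curriculum. The function names are my own; the block uses only the Python standard library. It computes a wildcard from a subnet mask or prefix length the way the slides do, tests an address against a base/wildcard pair bit by bit, and converts a contiguous wildcard back to CIDR notation (which is how the closing "real filter" lines of this chapter can be read), while showing that a non-contiguous wildcard such as 0.0.255.0 has no CIDR equivalent at all.

```python
# Wildcard-mask arithmetic for standard IPv4 ACLs. Added example for this
# page; the function names are my own, not IOS or curriculum names, and the
# test addresses are constructed. Standard library only.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_netmask(netmask: str) -> str:
    """The slide's method: 255.255.255.255 minus the subnet mask, octet by
    octet. /24 -> 0.0.0.255, /27 -> 0.0.0.31, /32 -> 0.0.0.0 (the host keyword)."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result from a prefix length: the wildcard is the inverted netmask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(ALL_ONES ^ netmask)


def matches(address: str, base: str, wildcard: str) -> bool:
    """Does `address` match the ACE source `base wildcard`?
    A 0 bit in the wildcard means that bit of the address must equal the
    base; a 1 bit means the bit is ignored. 0.0.0.0 therefore checks every
    bit (one host) and 255.255.255.255 checks none (any)."""
    care = ALL_ONES ^ to_int(wildcard)          # bits that must match
    return (to_int(address) & care) == (to_int(base) & care)


def cidr_from_wildcard(base: str, wildcard: str) -> str:
    """Translate `base wildcard` to CIDR notation. Only possible when the
    wildcard is a contiguous run of 1 bits at the low end; a wildcard such as
    0.0.255.0 (ignore only the third octet) matches a set of addresses that
    no single prefix can express, so it raises ValueError."""
    w = to_int(wildcard)
    if w & (w + 1):                              # w+1 is a power of two iff contiguous
        raise ValueError(f"wildcard {wildcard} is not contiguous; no CIDR equivalent")
    prefix_len = 32 - ((w + 1).bit_length() - 1)
    network = to_int(base) & (ALL_ONES ^ w)      # clear the ignored bits
    return f"{to_dotted(network)}/{prefix_len}"


def slide_examples() -> dict:
    """The wildcard examples of 7.1.2.2 and the keyword forms of 7.1.2.4,
    evaluated against constructed addresses; the last entry is the
    non-contiguous case the slides do not cover."""
    return {
        "host 192.168.10.10 matches itself": matches("192.168.10.10", "192.168.10.10", "0.0.0.0"),
        "host 192.168.10.10 vs .11": matches("192.168.10.11", "192.168.10.10", "0.0.0.0"),
        "any matches 10.1.2.3": matches("10.1.2.3", "0.0.0.0", "255.255.255.255"),
        "192.168.1.0/24 contains 192.168.1.200": matches("192.168.1.200", "192.168.1.0", "0.0.0.255"),
        "192.168.1.0/24 contains 192.168.2.1": matches("192.168.2.1", "192.168.1.0", "0.0.0.255"),
        "0.0.255.0 ignores only the third octet": matches("10.1.77.5", "10.1.0.5", "0.0.255.0"),
    }


if __name__ == "__main__":
    for description, result in slide_examples().items():
        print(f"{description}: {result}")
    for base, wild in (("172.16.16.0", "0.0.3.255"), ("172.16.64.0", "0.0.63.255")):
        print(f"{base} {wild} = {cidr_from_wildcard(base, wild)}")
```

The contiguity test in cidr_from_wildcard is the part worth remembering: IOS accepts any wildcard, and a non-contiguous one (for example 0.0.255.0 to match the same host number in every subnet) is perfectly valid on the router even though it cannot be written as a prefix, which is why wildcards and subnet masks are not simply interchangeable.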
7.2.1.1 Numbered Standard IPv4 ACL Syntax

    Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

• Standard ACLs use an access-list-number from 1 to 99 or from 1300 to 1999.
• When source-wildcard is omitted the wildcard defaults to 0.0.0.0, so the entry matches a single host.
• remark adds a descriptive comment to the ACL; log generates a syslog message whenever the entry matches.
• The whole ACL is removed with the no access-list access-list-number form.

7.2.1.2 Applying Standard IPv4 ACLs to Interfaces
• An ACL does nothing until it is applied to an interface with the ip access-group command in interface configuration mode, specifying the direction (in or out). One ACL can be applied per protocol, per direction, per interface.

7.2.1.3 Numbered Standard IPv4 ACL Examples

7.2.1.4 Named Standard IPv4 ACL Syntax
• Named ACLs are created with the ip access-list standard command followed by the name; the permit and deny entries are then entered in the resulting configuration mode.

7.2.2.1 Modify IPv4 ACLs, Method 1: Use a Text Editor
• Use the show running-config command to display the ACL, copy it into a text editor and correct it there, remove the old ACL with the no access-list command, then paste the corrected ACL back into global configuration mode.

7.2.2.2 Modify IPv4 ACLs, Method 2: Use Sequence Numbers
• The deny 192.168.10.99 statement is incorrect: the host to deny should be 192.168.10.10.
• The misconfigured statement had to be deleted by its sequence number with the no command: no 10
• A new statement with the correct host was then added under the same sequence number: 10 deny host 192.168.10.10
• A numbered ACL can be edited the same way by entering ip access-list standard with the ACL number in place of a name.

7.2.2.4 Verifying ACLs
• Use the show ip interface command to verify that the ACL is applied to the correct interface. The output displays the name of the access list and the direction in which it was applied.
• Use the show access-lists command to display the access lists configured on the router.
• Notice how the sequence numbers are displayed out of order for the NO_ACCESS access list. This is discussed later in this section.
7.2.2.5 ACL Statistics
• show access-lists displays, for each ACE, how many packets have matched it.
• clear access-list counters resets those counters, for all ACLs or for one named ACL.
• Recall that every ACL has an implicit deny any as the last statement. Statistics for this implicit statement are not displayed. If a deny any is configured manually as the last ACE, its matches are counted and displayed, which is why an explicit deny any is often added purely for troubleshooting.

7.2.2.6 Lab: Configuring and Modifying Standard IPv4 ACLs
• Write an ACL that allows traffic from all hosts on the 192.168.10.0/24 network and all hosts on the 192.168.20.0/24 network to access all hosts on the 192.168.30.0/24 network. (Lecturer's note: write it on the board!)

7.2.3.1 The access-class Command
• access-class applies a standard ACL to the VTY lines, in line configuration mode, instead of to an interface: it decides which source addresses may open a Telnet or SSH session to the router (in for incoming sessions, out for sessions started from the router).
• Because the VTY lines are reachable through every interface, one access-class on the lines is simpler and safer than trying to block management traffic with an interface ACL on each interface.

7.2.3.2 Verifying the VTY Port is Secured
• Connect from a permitted host and from a non-permitted host; the second attempt is refused. show access-lists then shows the match counter of the permit entry incremented, and that of the deny entry if one was configured explicitly.

7.2.3.4 Lab: Configuring and Verifying VTY Restrictions
• Only administrator PCs have permission to telnet or SSH into the router.

Example of a real filter (lecturer's example)

    R1(config)# access-list 10 deny 172.16.16.0 0.0.3.255
    R2(config)# access-list 10 deny 172.16.16.0 0.0.7.255
    R3(config)# access-list 10 deny 172.16.32.0 0.0.15.255
    R4(config)# access-list 10 deny 172.16.64.0 0.0.63.255
    R5(config)# access-list 10 deny 192.168.160.0 0.0.31.255

• In prefix notation these entries deny 172.16.16.0/22, 172.16.16.0/21, 172.16.32.0/20, 172.16.64.0/18 and 192.168.160.0/19 respectively.
• Each ACL as written contains only a deny entry. Once applied it would block all traffic because of the implicit deny any; a permit entry (typically permit any) has to follow for the remaining traffic to pass.

Closing examples
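A small simulator of standard ACL processing, added here as an example that is not part of the curriculum or of any Cisco tool; the class and function names are my own and every address in it is constructed. It ties together the points of the last few sections: top-down first-match evaluation with the implicit deny any (7.1.1.2), the per-entry match counters and the invisible counter of the implicit deny (7.2.2.5), editing by sequence number (7.2.2.2), the 192.168.10.0/24 and 192.168.20.0/24 lab (7.2.2.6), and the closing "real filter" example, which as written denies everything until a permit any is appended.

```python
# Simulator for standard IPv4 ACL processing. Added example for this page; the
# class and function names are my own and the test addresses are constructed.
import ipaddress
from dataclasses import dataclass, field

ALL_ONES = 0xFFFFFFFF


def ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    base: int
    wildcard: int
    hits: int = 0      # the "(n matches)" counter of show access-lists

    def covers(self, address: int) -> bool:
        care = ALL_ONES ^ self.wildcard     # 0 bits of the wildcard must match
        return (address & care) == (self.base & care)


@dataclass
class StandardAcl:
    name: str
    aces: list = field(default_factory=list)
    implicit_deny_hits: int = 0             # IOS keeps no visible counter for this

    def add(self, line: str, seq: int = None) -> None:
        """Accepts `access-list N {permit|deny} SRC [WILDCARD] [log]`, the
        named-ACL form `[seq] {permit|deny} ...`, and the host/any keywords.
        Without a sequence number the ACE is appended in steps of 10, as IOS does."""
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]
        elif t[0].isdigit():
            seq, t = int(t[0]), t[1:]
        if t[0] == "remark":
            return                           # comments are never matched
        if t[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported action {t[0]!r}")
        if t[1] == "any":
            base, wild = 0, ALL_ONES
        elif t[1] == "host":
            base, wild = ip(t[2]), 0
        else:                                # bare address: wildcard defaults to 0.0.0.0
            base = ip(t[1])
            wild = ip(t[2]) if len(t) > 2 and t[2] != "log" else 0
        if seq is None:
            seq = (max((a.seq for a in self.aces), default=0) // 10 + 1) * 10
        self.aces.append(Ace(seq, t[0], base, wild))
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq: int) -> None:
        """The `no <seq>` step of Method 2 (section 7.2.2.2)."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, source: str) -> str:
        """Top-down, first match wins; falling off the end is the implicit deny any."""
        address = ip(source)
        for ace in self.aces:
            if ace.covers(address):
                ace.hits += 1
                return ace.action
        self.implicit_deny_hits += 1
        return "deny"

    def show(self) -> list:
        """Lines in the spirit of `show access-lists`: explicit ACEs only, so the
        implicit deny and its hits never appear, exactly as on the router."""
        lines = [f"Standard IP access list {self.name}"]
        for a in self.aces:
            if a.wildcard == ALL_ONES:
                src = "any"
            elif a.wildcard == 0:
                src = f"host {ipaddress.IPv4Address(a.base)}"
            else:
                src = f"{ipaddress.IPv4Address(a.base)}, wildcard bits {ipaddress.IPv4Address(a.wildcard)}"
            lines.append(f"    {a.seq} {a.action} {src} ({a.hits} matches)")
        return lines


def lab_acl() -> StandardAcl:
    """7.2.2.6: 192.168.10.0/24 and 192.168.20.0/24 may reach 192.168.30.0/24 and
    nothing else may; apply it outbound on the interface facing 192.168.30.0/24."""
    acl = StandardAcl("1")
    acl.add("access-list 1 permit 192.168.10.0 0.0.0.255")
    acl.add("access-list 1 permit 192.168.20.0 0.0.0.255")
    return acl


def real_filter_acl(with_permit_any: bool) -> StandardAcl:
    """R1's line from the closing example: alone it denies every source (one
    deny plus the implicit deny); a trailing permit any makes it a usable filter."""
    acl = StandardAcl("10")
    acl.add("access-list 10 deny 172.16.16.0 0.0.3.255")
    if with_permit_any:
        acl.add("access-list 10 permit any")
    return acl
```

To reproduce the Method 2 edit of section 7.2.2.2, build StandardAcl("NO_ACCESS"), add "10 deny host 192.168.10.99" and "20 permit any", call remove(10) and add "10 deny host 192.168.10.10"; show() then lists the corrected entry in sequence order. The implicit_deny_hits attribute is deliberately absent from show(): a router gives you no such number, which is the reason for the explicit deny any mentioned under 7.2.2.5.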