In 60 Days – ICND2: Access Lists

Posted on 17-Jan-2018


Transcript

In 60 Days – ICND2: Access Lists

Traffic Cops
• Decides what can pass through the router
• Set of YES/NO filters
• Have several uses…

Use ACLs
• To filter traffic
• Reference NAT pools
• Debugging
• With route maps for routing

Types of ACL
• Standard
• Extended
• Named

Standard IP ACL
• Numbered from 1 to 99
• Can filter on source host/network
• Can’t filter ports or protocols

Extended IP ACLs
• Numbered from 100-199
• Filters port/destination/source etc.
• More complicated to configure

Named ACLs
• Names instead of numbers
• Can be standard or extended
• Slightly different commands

Need to Know...
• Port numbers
• Command syntax
• ACL rules

Common Ports

Port     Service        Port     Service
20       FTP Data       80       HTTP
21       FTP Control    110      POP3
22       SSH            119      NNTP
23       Telnet         123      NTP
25       SMTP           161/162  SNMP
53       DNS            443      HTTPS
69       TFTP

Command Syntax
• We will come to this!

ACL Rule #1
• One ACL per interface per direction
Diagram: each interface carries one incoming ACL and one outgoing ACL.

ACL Rule #2
• Processed top down
Incoming packet from 172.16.1.1:
  Permit 10.0.0.0      No match
  Permit 192.168.1.1   No match
  Permit 172.16.0.0    Match – Permit
  Permit 172.16.1.0    Not processed
  Deny 172.16.1.1      Not processed

ACL Rule #3
• Implicit ‘deny all’ at bottom
Incoming packet from 172.20.1.1:
  Permit 10.0.0.0      No match
  Permit 192.168.1.1   No match
  Permit 172.16.0.0    No match
  Permit 172.16.1.0    No match
  Deny all             Match – DROP PACKET

ACL Rule #4
• Router can’t filter self-generated traffic
Diagram: a host’s ping to 172.16.1.1 passing through the router hits “ACL – Deny 172.16.1.1” and is BLOCKED; a ping to 172.16.1.1 sourced by the router itself passes the same ACL UNCHECKED.

ACL Rule #5 – Can’t Edit Live
• Can’t edit live standard or extended lists
• Can edit named
1. Stop the access list working (remove it from the interface)
2. Copy into notepad – edit – reapply

ACL Rule #6
• Disable the ACL on the interface:
  R1(config)#no ip access-group 101 in

ACL Rule #7
• Can reuse the same ACL
Diagram: ACL 101 (Deny Web Traffic) applied IN on both S0/0 and S0/1.

ACL Rule #8
• Keep ‘em short
• Most specific rules at top
  Permit 10.0.0.0
  Permit 192.168.1.1
  Permit 172.16.0.0
  Deny 172.16.1.1      ← should be at top
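As an added example (not from the slides), a small simulator of standard-ACL evaluation that shows rules #2, #3 and #8 on the slide lists: first match wins top down, unmatched traffic hits the implicit deny, and the host-specific deny only takes effect once it is moved above the broader permit. The wildcard masks are assumed, since the slides list only the addresses.

```python
# Added example, not part of the original slides: simulate Cisco-style
# standard ACL evaluation (rules #2, #3 and #8). Wildcard masks assumed.
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]  # (action, network, wildcard mask)


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Walk the list top down and return (action, index of matching entry).
    Index None means nothing matched and the implicit 'deny all' fired."""
    for idx, (action, network, wildcard) in enumerate(acl):
        if _wildcard_match(src, network, wildcard):
            return action, idx      # rule #2: first match wins, rest not processed
    return "deny", None             # rule #3: implicit deny at the bottom


# Constructed to mirror the Rule #2 / #3 slides (masks are assumptions).
SLIDE_ACL: List[Entry] = [
    ("permit", "10.0.0.0", "0.255.255.255"),
    ("permit", "192.168.1.1", "0.0.0.0"),
    ("permit", "172.16.0.0", "0.0.255.255"),
    ("permit", "172.16.1.0", "0.0.0.255"),
    ("deny", "172.16.1.1", "0.0.0.0"),
]

# Rule #8: the host-specific deny moved to the top so it is actually reached.
REORDERED_ACL: List[Entry] = [SLIDE_ACL[4]] + SLIDE_ACL[:4]

if __name__ == "__main__":
    print(evaluate(SLIDE_ACL, "172.16.1.1"))      # ('permit', 2): deny never reached
    print(evaluate(SLIDE_ACL, "172.20.1.1"))      # ('deny', None): implicit deny
    print(evaluate(REORDERED_ACL, "172.16.1.1"))  # ('deny', 0)
```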

ACL Rule #9
• Place as close to the traffic source as possible
Diagram: ACL 101 (Deny Web Traffic) applied IN on S0/1; the other placement shown is marked “Do not put it here”.

End
