CCNA 2 v6.0 Study Material – Chapter 7: Access Control Lists

Chapter 7 – Sections & Objectives

  • 7.1 ACL Operation
    • Explain how ACLs filter traffic.
    • Explain how ACLs use wildcard masks.
    • Explain how to create ACLs.
    • Explain how to place ACLs.
  • 7.2 Standard IPv4 ACLs
    • Configure standard IPv4 ACLs to filter traffic to meet networking requirements.
    • Use sequence numbers to edit existing standard IPv4 ACLs.
    • Configure a standard ACL to secure vty access.
  • 7.3 Troubleshoot ACLs
    • Explain how a router processes packets when an ACL is applied.
    • Troubleshoot common standard IPv4 ACL errors using CLI commands.

7.1 ACL Operation

7.1.1 Purpose of ACLs

What is an ACL?

  • By default, a router does not have ACLs configured; therefore, by default a router does not filter traffic.


Packet Filtering

  • Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet.
  • A router acts as a packet filter when it forwards or denies packets according to filtering rules.
  • An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).

ACL Operation


7.1.2 Wildcard Masks in ACLs

Introducing ACL Wildcard Masking


Example


Wildcard Mask Examples


Calculating the Wildcard Mask

  • Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255.
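The subtraction shortcut, the meaning of wildcard bits 0 and 1, and the host/any keyword shorthands, worked in Python. This is an added example, not part of the CCNA material; the function names are my own.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Shortcut from the text: subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same shortcut starting from a /N prefix length (e.g. /24 -> 0.0.0.255)."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def expand_keyword(token: str, address: str = "") -> tuple:
    """'host A' is shorthand for 'A 0.0.0.0'; 'any' is shorthand for '0.0.0.0 255.255.255.255'."""
    if token == "any":
        return ("0.0.0.0", "255.255.255.255")
    if token == "host":
        return (address, "0.0.0.0")
    raise ValueError(f"unknown keyword: {token}")


def matches(ace_source: str, wildcard: str, packet_src: str) -> bool:
    """Wildcard bit 0 = that address bit must match; wildcard bit 1 = ignore that bit."""
    src = int(ipaddress.IPv4Address(ace_source))
    wc = int(ipaddress.IPv4Address(wildcard))
    pkt = int(ipaddress.IPv4Address(packet_src))
    checked_bits = ~wc & 0xFFFFFFFF            # the bits the ACE insists on
    return ((src ^ pkt) & checked_bits) == 0   # no differing bit among the checked ones
```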


Wildcard Mask Keywords


Wildcard Mask Keyword Examples


7.1.3 Guidelines for ACL Creation

General Guidelines for Creating ACLs


ACL Best Practices


7.1.4 Guidelines for ACL Placement

Where to Place ACLs


  • Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
    • Extended ACLs – Locate extended ACLs as close as possible to the source of the traffic to be filtered.
    • Standard ACLs – Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
    • Placement of the ACL, and therefore the type of ACL used, may also depend on: the extent of the network administrator’s control, bandwidth of the networks involved, and ease of configuration.

Standard ACL Placement

  • The administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.


7.2 Standard IPv4 ACLs

7.2.1 Configure Standard IPv4 ACLs

Numbered Standard IPv4 ACL Syntax

  • Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]


Applying Standard IPv4 ACLs to Interfaces


Numbered Standard IPv4 ACL Examples


Named Standard IPv4 ACL Syntax


7.2.2 Modify IPv4 ACLs

Method 1 – Use a Text Editor


Method 2 – Use Sequence Numbers


Editing Standard Named ACLs


Verifying ACLs


ACL Statistics


7.2.3 Securing VTY Ports with a Standard IPv4 ACL

The access-class Command

  • The access-class command, configured in line configuration mode, restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.


Verifying the VTY Port is Secured


7.3 Troubleshoot ACLs

7.3.1 Processing Packets with ACLs

The Implicit Deny Any

  • At least one permit ACE must be configured in an ACL or all traffic is blocked.
  • For the network in the figure, applying either ACL 1 or ACL 2 to the S0/0/0 interface of R1 in the outbound direction will have the same effect.


The Order of ACEs in an ACL


Cisco IOS Reorders Standard ACLs

  • Notice that the statements are listed in a different order than they were entered.


  • The order in which the standard ACEs are listed is the sequence used by the IOS to process the list.


Routing Processes and ACLs

  • As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame.
  • If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.
  • If an ACL exists, the packet is tested against the statements in the list.
  • If the packet matches a statement, the packet is either permitted or denied.
  • If the packet is accepted, it is then checked against routing table entries to determine the destination interface.
  • If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped.
  • Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied.
  • If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
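The ACL test from the processing steps above (top-down, first match wins, implicit deny any at the end) and the per-ACE match counters that show access-lists reports, as a small standard-ACL simulator. This is an added example and not part of the CCNA material; it does not model the reordering of standard ACEs that IOS performs, and the contents assumed for ACL 20 are my reading of the Example 2 policy, not the course's configuration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ACE:
    action: str        # "permit" or "deny"
    source: str        # source address in the ACE
    wildcard: str      # 0.0.0.0 == host, 255.255.255.255 == any
    matches: int = 0   # hit counter, like "(N match(es))" in show access-lists

    def hits(self, packet_src: str) -> bool:
        src = int(ipaddress.IPv4Address(self.source))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        pkt = int(ipaddress.IPv4Address(packet_src))
        return ((src ^ pkt) & (~wc & 0xFFFFFFFF)) == 0


@dataclass
class StandardACL:
    number: int
    aces: list = field(default_factory=list)   # evaluated in this order

    def evaluate(self, packet_src: str) -> str:
        # Top-down: the first matching ACE decides and later ACEs are not examined.
        for ace in self.aces:
            if ace.hits(packet_src):
                ace.matches += 1
                return ace.action
        # Implicit deny any: reached only when no ACE matched. It is not an ACE,
        # so it has no counter and is not displayed by show access-lists.
        return "deny"


def build_acl20() -> StandardACL:
    """Assumed ACL 20 for the Example 2 policy: block 192.168.11.0/24, allow the rest."""
    return StandardACL(20, [
        ACE("deny", "192.168.11.0", "0.0.0.255"),
        ACE("permit", "0.0.0.0", "255.255.255.255"),
    ])
```

Swapping the two ACEs of ACL 20 makes the deny unreachable, which is why the order of ACEs matters.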

7.3.2 Common Standard IPv4 ACL Errors

Troubleshooting Standard IPv4 ACLs – Example 1


Troubleshooting Standard IPv4 ACLs – Example 2

  • Security Policy: The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network.


  • ACL 20 was applied to the wrong interface and in the wrong direction. All traffic from the 192.168.11.0/24 network is denied inbound access through the G0/1 interface.


Troubleshooting Standard IPv4 ACLs – Example 3

  • Problem
  • Security Policy: Only PC1 is allowed SSH remote access to R1.


  • Solution!
  • Security Policy: Only PC1 is allowed SSH remote access to R1.


7.4 Summary

  • Explain how ACLs filter traffic.
  • Explain how ACLs use wildcard masks.
  • Explain how to create ACLs.
  • Explain how to place ACLs.
  • Configure standard IPv4 ACLs to filter traffic to meet networking requirements.
  • Use sequence numbers to edit existing standard IPv4 ACLs.
  • Configure a standard ACL to secure vty access.
  • Explain how a router processes packets when an ACL is applied.
  • Troubleshoot common standard IPv4 ACL errors using CLI commands.

Section 7.1
Terms and Commands

  • Access list (ACL)
  • Packet filtering
  • Access control entries (ACEs)
  • Standard ACLs
  • Extended ACLs
  • Inbound ACLs
  • Outbound ACLs
  • Wildcard masking
  • Wildcard mask bit 0
  • Wildcard mask bit 1
  • access-list access-list-number permit ip_address wildcard_mask
  • host
  • any

Section 7.2
Terms and Commands

  • access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
  • show access-lists
  • no access-list access-list-number
  • ip access-group { access-list-number | access-list-name } { in | out }
  • ip access-list standard name
  • clear access-list counters
  • access-class access-list-number { in | out }

 
