Configuring IP Access Lists
Chia sẻ bởi Nguyễn Việt Vương |
Ngày 29/04/2019 |
84
Chia sẻ tài liệu: Configuring IP Access Lists thuộc Bài giảng khác
Nội dung tài liệu:
© 2002, Cisco Systems, Inc. All rights reserved.
© 2002, Cisco Systems, Inc. All rights reserved.
2
Configuring IP Access Lists
Objectives
Upon completing this lesson, you will be able to:
Use Cisco IOS commands to configure IP standard and extended access lists, given a functioning router
Use show commands to identify anomalies in IP standard and extended access lists, given an operational router
Access List Configuration Guidelines
Access list numbers indicate which protocol is filtered.
One access list per interface, per protocol, per direction is allowed.
The order of access list statements controls testing.
Place the most restrictive statements at the top of list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
Create access lists before applying them to interfaces.
Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Step 1: Set parameters for this access list test
statement (which can be one of several statements).
Step 2: Enable an interface to use the specified
access list.
Router(config-if)#{protocol} access-group
access-list-number {in | out}
Access List Command Overview
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Router(config)#access-list access-list-number
{permit | deny} {test conditions}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes access list from
the interface
Router(config-if)#ip access-group
access-list-number {in | out}
Sets parameters for this list entry
IP standard access lists use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes entire access list
remark option lets you add a description for the access list
Router(config)#access-list access-list-number
{permit | deny | remark} source [mask]
Standard IP Access List Configuration
Permit my network only.
Standard IP Access List
Example 1
Deny a specific host.
Standard IP Access List
Example 2
Deny a specific subnet.
Standard IP Access List
Example 3
Router(config-if)#ip access-group access-list-number {in | out}
Extended IP Access List Configuration
Activates the extended list on an interface
Sets parameters for this list entry
Router(config)#access-list access-list-number
{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.
Permit all other traffic.
Extended Access List
Example 1
Deny only Telnet from subnet 172.16.4.0 out of E0.
Permit all other traffic.
Extended Access List
Example 2
Router(config)#ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)#{permit | deny}
{ip access list test conditions}
{permit | deny} {ip access list test conditions}
no {permit | deny} {ip access list test conditions}
Router(config-if)#ip access-group name {in | out}
Using Named IP Access Lists
Alphanumeric name string must be unique.
Permit or deny statements have no prepended number.
“no” removes the specific test from the named access list.
Activates the IP named access list on an interface.
Five virtual terminal lines (0 through 4).
Filter addresses that can access into the router’s
vty ports.
Filter vty access out from the router.
Filtering vty Access to a Router
How to Control vty Access
Set up an IP address filter with a standard access list statement.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty.
Enters configuration mode for a vty or vty range
Restricts incoming or outgoing vty connections for address in the access list
Router(config-line)#access-class access-list-number {in | out}
Router(config)#line vty {vty# | vty-range}
vty Commands
Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny all)
!
line vty 0 4
access-class 12 in
Controlling Inbound Access
vty Access Example
Access List Configuration Principles
The order of access list statements is crucial.
Recommended: Use a text editor on a PC to create the access-list statements, then cut and paste them into the router.
Top-down processing is important.
Place the more specific test statements first.
No reordering or removal of statements.
Use the no access-list number command to remove the entire access list.
Exception: Named access lists permit removal of individual statements.
Implicit deny all will be applied to any packets that do not match any access-list statement.
Unless the access list ends with an explicit permit any statement.
Place extended access lists close to the source.
Place standard access lists close to the destination.
Where to Place IP Access Lists
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
Verifying Access Lists
Monitoring Access List Statements
wg_ro_a#show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
Summary
Well-designed and implemented access lists will add an important security component to your network.
To configure standard IP access lists on a Cisco router, you will create a standard IP access list and activate an access list on an interface.
Similarly, to configure extended IP access lists on a Cisco router, you will create an extended IP access list range and activate an access list on an interface.
The named access list feature allows you to identify IP standard and extended access lists with an alphanumeric string (name) instead of the current numeric (1 to 199 and 1300 to 2699) representations.
Summary (Cont.)
For security purposes, you can deny Telnet access to the router, or you can permit Telnet access to the router but deny access to destinations from that router. Restricting Telnet access is primarily a technique for increasing network security.
Access lists are used to control traffic by filtering and eliminating unwanted packets. Proper placement of an access list statement can reduce unnecessary traffic.
When you finish the access list configuration, you can verify it using the show commands.
© 2002, Cisco Systems, Inc. All rights reserved.
2
Configuring IP Access Lists
Objectives
Upon completing this lesson, you will be able to:
Use Cisco IOS commands to configure IP standard and extended access lists, given a functioning router
Use show commands to identify anomalies in IP standard and extended access lists, given an operational router
Access List Configuration Guidelines
Access list numbers indicate which protocol is filtered.
One access list per interface, per protocol, per direction is allowed.
The order of access list statements controls testing.
Place the most restrictive statements at the top of list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
Create access lists before applying them to interfaces.
Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Step 1: Set parameters for this access list test
statement (which can be one of several statements).
Step 2: Enable an interface to use the specified
access list.
Router(config-if)#{protocol} access-group
access-list-number {in | out}
Access List Command Overview
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Router(config)#access-list access-list-number
{permit | deny} {test conditions}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes access list from
the interface
Router(config-if)#ip access-group
access-list-number {in | out}
Sets parameters for this list entry
IP standard access lists use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes entire access list
remark option lets you add a description for the access list
Router(config)#access-list access-list-number
{permit | deny | remark} source [mask]
Standard IP Access List Configuration
Permit my network only.
Standard IP Access List
Example 1
Deny a specific host.
Standard IP Access List
Example 2
Deny a specific subnet.
Standard IP Access List
Example 3
Router(config-if)#ip access-group access-list-number {in | out}
Extended IP Access List Configuration
Activates the extended list on an interface
Sets parameters for this list entry
Router(config)#access-list access-list-number
{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.
Permit all other traffic.
Extended Access List
Example 1
Deny only Telnet from subnet 172.16.4.0 out of E0.
Permit all other traffic.
Extended Access List
Example 2
Router(config)#ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)#{permit | deny}
{ip access list test conditions}
{permit | deny} {ip access list test conditions}
no {permit | deny} {ip access list test conditions}
Router(config-if)#ip access-group name {in | out}
Using Named IP Access Lists
Alphanumeric name string must be unique.
Permit or deny statements have no prepended number.
“no” removes the specific test from the named access list.
Activates the IP named access list on an interface.
Five virtual terminal lines (0 through 4).
Filter addresses that can access into the router’s
vty ports.
Filter vty access out from the router.
Filtering vty Access to a Router
How to Control vty Access
Set up an IP address filter with a standard access list statement.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty.
Enters configuration mode for a vty or vty range
Restricts incoming or outgoing vty connections for address in the access list
Router(config-line)#access-class access-list-number {in | out}
Router(config)#line vty {vty# | vty-range}
vty Commands
Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny all)
!
line vty 0 4
access-class 12 in
Controlling Inbound Access
vty Access Example
Access List Configuration Principles
The order of access list statements is crucial.
Recommended: Use a text editor on a PC to create the access-list statements, then cut and paste them into the router.
Top-down processing is important.
Place the more specific test statements first.
No reordering or removal of statements.
Use the no access-list number command to remove the entire access list.
Exception: Named access lists permit removal of individual statements.
Implicit deny all will be applied to any packets that do not match any access-list statement.
Unless the access list ends with an explicit permit any statement.
Place extended access lists close to the source.
Place standard access lists close to the destination.
Where to Place IP Access Lists
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
Verifying Access Lists
Monitoring Access List Statements
wg_ro_a#show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
Summary
Well-designed and implemented access lists will add an important security component to your network.
To configure standard IP access lists on a Cisco router, you will create a standard IP access list and activate an access list on an interface.
Similarly, to configure extended IP access lists on a Cisco router, you will create an extended IP access list range and activate an access list on an interface.
The named access list feature allows you to identify IP standard and extended access lists with an alphanumeric string (name) instead of the current numeric (1 to 199 and 1300 to 2699) representations.
Summary (Cont.)
For security purposes, you can deny Telnet access to the router, or you can permit Telnet access to the router but deny access to destinations from that router. Restricting Telnet access is primarily a technique for increasing network security.
Access lists are used to control traffic by filtering and eliminating unwanted packets. Proper placement of an access list statement can reduce unnecessary traffic.
When you finish the access list configuration, you can verify it using the show commands.
* Một số tài liệu cũ có thể bị lỗi font khi hiển thị do dùng bộ mã không phải Unikey ...
Người chia sẻ: Nguyễn Việt Vương
Dung lượng: |
Lượt tài: 4
Loại file:
Nguồn : Chưa rõ
(Tài liệu chưa được thẩm định)