Managing IP Traffic with Access Lists
Shared by Nguyễn Việt Vương
Date: 29/04/2019
Shared document: Managing IP Traffic with Access Lists, in the category Other lectures
Document content:
© 2002, Cisco Systems, Inc. All rights reserved.
Managing IP Traffic with Access Lists
Module 6
Objectives
Upon completing this module, you will be able to:
Use Cisco IOS commands to configure standard and extended IP access lists, and NAT/PAT, given a functioning router
Use show commands to identify anomalies in standard and extended IP access lists, given an operational router
Access Lists and Their Applications
Objectives
Upon completing this lesson, you will be able to:
Explain the purpose of access lists and identify potential applications
Describe how the Cisco IOS software processes standard and extended access lists on inbound and outbound interfaces
Manage IP traffic as network access grows
Filter packets as they pass through the router
Why Use Access Lists?
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without access lists, all packets could be transmitted onto all parts of your network.
Access List Applications
Special handling for traffic based on packet tests
Other Access List Uses
Standard
Checks source address
Generally permits or denies entire protocol suite
Extended
Checks source and destination address
Generally permits or denies specific protocols
Types of Access Lists
How to Identify Access Lists
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range).
Extended IP lists (2000-2699) (expanded range).
Other access list number ranges test conditions for other networking protocols.
Testing Packets with Standard Access Lists
Testing Packets with Extended Access Lists
Outbound ACL Operation
If no access list statement matches, then discard the packet.
A List of Tests: Deny or Permit
0 means check value of corresponding address bit.
1 means ignore value of corresponding address bit.
Wildcard Bits: How to Check the Corresponding Address Bits
For example, 172.30.16.29 0.0.0.0 checks all the address bits.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
Check all the address bits (match all).
Verify an IP host address, for example:
Wildcard Bits to Match a Specific IP Host Address
Accept any address: any
Abbreviate the expression using the keyword any.
Test conditions: Ignore all the address bits (match any).
An IP host address, for example:
Wildcard Bits to Match Any IP Address
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask:
172.30.16.0 0.0.15.255
Wildcard Bits to Match IP Subnets
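The wildcard rules on these slides (0 = check the bit, 1 = ignore the bit; host = 0.0.0.0; any = 255.255.255.255; 172.30.16.0 0.0.15.255 covers the sixteen /24 subnets 172.30.16.0 through 172.30.31.0) can be checked mechanically. The following Python is an added worked example, not code from the slides or from Cisco: it implements the bit test, derives the address/wildcard pair for a contiguous block of subnets, and expands a wildcard back into the subnets it actually matches. The function names are assumptions of this example; it also goes beyond the slide by refusing ranges that a single wildcard cannot express, which is how over-broad masks slip into a deny or permit line.

```python
import ipaddress
from typing import List, Tuple


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


# Abbreviations from the slides: 'host A.B.C.D' means 'A.B.C.D 0.0.0.0' (check
# every bit) and 'any' means '0.0.0.0 255.255.255.255' (ignore every bit).
HOST_WILDCARD = "0.0.0.0"
ANY_WILDCARD = "255.255.255.255"


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this address bit', a 1 bit means
    'ignore it'. The address matches when every checked bit equals the ACL bit."""
    checked_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) ^ to_int(acl_addr)) & checked_bits == 0


def wildcard_for_block(first_network: str, last_network: str, prefix_len: int) -> Tuple[str, str]:
    """Derive the single 'address wildcard' pair covering the contiguous
    /prefix_len subnets from first_network to last_network inclusive.
    One wildcard can only express an aligned power-of-two block, so any other
    range raises ValueError instead of silently producing a mask that matches more."""
    lo = int(ipaddress.ip_network(f"{first_network}/{prefix_len}").network_address)
    hi = int(ipaddress.ip_network(f"{last_network}/{prefix_len}").broadcast_address)
    wildcard = hi - lo
    # wildcard must be 2^k - 1 and lo must be aligned to that block size
    if wildcard & (wildcard + 1) or lo & wildcard:
        raise ValueError("range is not an aligned power-of-two block")
    return to_dotted(lo), to_dotted(wildcard)


def subnets_covered(acl_addr: str, wildcard: str, prefix_len: int) -> List[str]:
    """Expand a contiguous wildcard back into the /prefix_len subnets it matches:
    the check to run before trusting the mask in a permit or deny statement."""
    wc = to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard cannot be expressed as one prefix")
    base = to_int(acl_addr) & ~wc & 0xFFFFFFFF
    block = ipaddress.ip_network((base, 32 - wc.bit_length()))
    return [str(n) for n in block.subnets(new_prefix=prefix_len)]


if __name__ == "__main__":
    print(wildcard_match("172.30.16.29", "172.30.16.29", HOST_WILDCARD))   # True
    print(wildcard_match("10.1.1.1", "0.0.0.0", ANY_WILDCARD))             # True
    print(wildcard_for_block("172.30.16.0", "172.30.31.0", 24))            # ('172.30.16.0', '0.0.15.255')
    print(subnets_covered("172.30.16.0", "0.0.15.255", 24))
```

Because the wildcard is applied bit by bit, a mask such as 0.0.15.255 says nothing about the address unless the address itself is aligned to the block; `wildcard_for_block` enforces that alignment, and `subnets_covered` shows what a given pair really permits or denies.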
Summary
Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices.
An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated from the router.
Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.
Summary (Cont.)
Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets after routing, as they leave the outbound interface.
The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on.
Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.
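The sequential processing described in this summary, together with the "if no statement matches, discard the packet" rule from the Outbound ACL Operation slide and the standard/extended number ranges from How to Identify Access Lists, can be simulated end to end. The Python below is an added example, not code from the slides or from Cisco IOS: it parses numbered `access-list` lines (including the `host` and `any` abbreviations), tests a packet top-down, stops at the first match, and applies the implicit deny when nothing matches. The sample lists are constructed for this example, the function names are assumptions, and extended port tests are limited to `eq <port>`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: int                        # source address to test
    src_wc: int                     # source wildcard (0 = check bit, 1 = ignore bit)
    dst: Optional[int] = None       # None: standard list, source-only test
    dst_wc: Optional[int] = None
    proto: str = "ip"               # extended lists name a protocol; "ip" matches all
    dst_port: Optional[int] = None  # extended lists may test a destination port


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_addr(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address specifier starting at t[i]; return (addr, wildcard, next_i).
    Handles the slide abbreviations 'host A.B.C.D' and 'any'; a bare address with
    no wildcard is treated as a single host."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _addr(t[i + 1]), 0, i + 2
    if i + 1 < len(t) and _is_addr(t[i + 1]):
        return _addr(t[i]), _addr(t[i + 1]), i + 2
    return _addr(t[i]), 0, i + 1


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered 'access-list N permit|deny ...' lines, choosing standard or
    extended syntax from the number ranges on the slides. Port tests support only
    'eq <port>' here (an assumption of this example; IOS accepts more operators)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised line: {line}")
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
            src, swc, _ = _parse_addr(t, 3)
            entries.append(AclEntry(action, src, swc))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
            proto = t[3]
            src, swc, i = _parse_addr(t, 4)
            dst, dwc, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append(AclEntry(action, src, swc, dst, dwc, proto, port))
        else:
            raise ValueError(f"not an IP access list number: {number}")
    return entries


def _match(value: int, addr: int, wc: int) -> bool:
    return (value ^ addr) & ~wc & 0xFFFFFFFF == 0


def evaluate(entries: List[AclEntry], src: str, dst: str,
             proto: str = "ip", dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching statement decides and nothing
    below it is consulted. With no match the packet is discarded: the implicit
    deny at the end of every list. Returns (action, index of deciding statement)."""
    s, d = _addr(src), _addr(dst)
    for idx, e in enumerate(entries):
        if not _match(s, e.src, e.src_wc):
            continue
        if e.dst is not None:   # extended: also test destination, protocol, port
            if not _match(d, e.dst, e.dst_wc):
                continue
            if e.proto != "ip" and e.proto != proto:
                continue
            if e.dst_port is not None and e.dst_port != dst_port:
                continue
        return e.action, idx
    return "deny", None         # implicit deny: no statement matched


# Constructed sample lists for this example (not taken from the slides).
STANDARD_10 = parse_acl([
    "access-list 10 permit host 172.30.16.29",
    "access-list 10 deny 172.30.16.0 0.0.15.255",
    "access-list 10 permit any",
])
EXTENDED_101 = parse_acl([
    "access-list 101 deny tcp 172.30.16.0 0.0.15.255 any eq 23",
    "access-list 101 permit ip 172.30.16.0 0.0.15.255 any",
])

if __name__ == "__main__":
    print(evaluate(STANDARD_10, "172.30.16.29", "10.0.0.1"))          # ('permit', 0)
    print(evaluate(STANDARD_10, "172.30.20.5", "10.0.0.1"))           # ('deny', 1)
    print(evaluate(EXTENDED_101, "10.9.9.9", "10.0.0.1", "tcp", 80))  # ('deny', None)
```

Order is the whole point of the standard list: host 172.30.16.29 is permitted only because its statement sits above the deny for 172.30.16.0 0.0.15.255; swap the two lines and the host line can never match. The extended list shows the other common mistake, forgetting that anything not explicitly permitted, here 10.9.9.9, falls through to the implicit deny.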