Restricting Access in the network
Introduction to Access Control Lists (ACLs)
Problem
Allow traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
What Are ACLs?
- An ACL is a list of instructions that tells a router what type of packets to permit or deny.
- Based upon such things as:
  - Source address
  - Destination address
  - Upper-layer protocols (e.g. TCP and UDP port numbers)
Testing Packets with ACLs
- Configure the ACL.
- Apply it to the appropriate router interface, in or out.
- Network traffic is tested against the ACL statements in sequential order, using permit or deny statements.
- When a statement "matches," no more statements are evaluated. The packet is either permitted or denied.
- If a packet does not match any of the statements in the ACL, it is dropped.
Standard ACL
- Write the ACL statements sequentially in global configuration mode.
Router(config)#access-list access-list-number {permit/deny} {test-conditions}
Router(config)#access-list 1 deny 192.5.5.10 0.0.0.0

Apply to interface
- Group the ACL to one or more interfaces in interface configuration mode.
Router(config-if)#{protocol} access-group access-list-number {in/out}
Router(config)#interface fa 0/0
Router(config-if)#ip access-group 1 out
- This applies the ACL to traffic leaving (outbound on) that interface of the router.
The Wildcard Mask
- A wildcard mask is written to tell the router what bits in the address to match and what bits to ignore.
- A "0" bit means check this bit position. A "1" bit means ignore this bit position.
- Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:
11000000.00000101.00000101.00001010 (Source address)
00000000.00000000.00000000.00000000 (Wildcard mask)
- What do all the bits turned off in the wildcard mask tell the router?
Masking Practice
- Write an ip mask and wildcard mask to check for all hosts on the network 192.5.5.0 255.255.255.0.
- Answer: 192.5.5.0 0.0.0.255
- Notice that this wildcard mask is a mirror image of the default subnet mask for a Class C address.
- WARNING: This is a helpful rule only when looking at whole networks or subnets.
Test parameters in ACL
- The various parameters that can be tested are:
  - Source address (the ip mask) and its wildcard mask. The source address can be a subnet, a range of addresses, or a single host. It is also referred to as the ip mask because the wildcard mask uses the source address to check bits.
  - Destination address
  - Protocol
  - Port number
Lab-A(config)#access-list 1 deny 192.5.5.10 0.0.0.0
(192.5.5.10 is the ip mask; 0.0.0.0 is the wildcard mask)
Practice Wild card masks
- Write an ip mask and wildcard mask for all hosts in the 192.168.20.0 subnet.
- Write an ip mask and wildcard mask for all hosts in 10.10.0.0.
- Write an ip mask and wildcard mask for the host 192.168.1.100.
Masking Practice
- Write an ip mask and wildcard mask to check for all hosts in the subnet 192.5.5.32 255.255.255.224.
- Answer: 192.5.5.32 0.0.0.31
- 0.0.0.31 is the mirror image of 255.255.255.224.

Practice wild card masks
- Let's look at both in binary:
11111111.11111111.11111111.11100000 (255.255.255.224)
00000000.00000000.00000000.00011111 (0.0.0.31)
- To prove this wildcard mask will work, let's look at a host address within the .32 subnet, 192.5.5.55:
11000000.00000101.00000101.00110111 (192.5.5.55, host address)
11000000.00000101.00000101.00100000 (192.5.5.32, ip mask)
00000000.00000000.00000000.00011111 (0.0.0.31, wildcard mask)
- The wildcard mask has "0" bits in the first 27 positions, so the router checks only those. In those 27 positions the host address and the ip mask are identical; the last five bits are ignored, so 192.5.5.55 matches.

Masking Practice
- Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0.
- Answer: 172.16.128.0 0.0.127.255
- Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0.
- Answer: 10.0.8.0 0.0.7.255
Problem revisited...
- This ACL allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
- The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters.
access-list 1 permit 192.168.10.0 0.0.0.255
- The unseen implicit deny at the end of the list blocks all other traffic.
- The ip access-group 1 out interface configuration command links and ties ACL 1 to the Serial 0/0/0 interface as an outbound filter.
Applying Standard ACL to Interfaces
- Example 2: an ACL that denies a specific host.
- The first command deletes the previous ACL 1.
- The next ACL statement denies the PC1 host located at 192.168.10.10. Every other host on the 192.168.10.0/24 network is permitted.
- The implicit deny statement matches all other networks.
- The ACL is again reapplied to interface S0/0/0 in an outbound direction.
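As an added illustration (not code from the original slides), the following Python models the wildcard-mask check and the first-match, implicit-deny evaluation described above, using the page's own addresses; Example 2's statement order is an assumption, since its CLI lines are not shown on the page.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Mirror image of a subnet mask, e.g. 255.255.255.224 -> 0.0.0.31."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ ALL_ONES))

def wildcard_match(packet_src: str, ip_mask: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit', a 1 bit means 'ignore it'.
    The packet matches when every checked bit equals the ip-mask bit."""
    care = to_int(wildcard) ^ ALL_ONES          # bits the router compares
    return (to_int(packet_src) & care) == (to_int(ip_mask) & care)

def evaluate_acl(acl, packet_src: str) -> str:
    """Walk the statements in order; the first match decides.
    A packet matching nothing hits the unseen implicit deny at the end."""
    for action, ip_mask, wildcard in acl:
        if wildcard_match(packet_src, ip_mask, wildcard):
            return action
    return "deny (implicit)"

# ACL 1 from "Problem revisited": permit only source network 192.168.10.0/24.
ACL_PROBLEM = [("permit", "192.168.10.0", "0.0.0.255")]

# Example 2 as the slides describe it (constructed here, since the page does not
# show the CLI lines): deny host PC1 first, then permit the rest of the network.
ACL_EXAMPLE2 = [
    ("deny", "192.168.10.10", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
]

# Same two statements in the wrong order: first match wins, so the network-wide
# permit swallows PC1 and the host deny is never reached.
ACL_EXAMPLE2_WRONG_ORDER = list(reversed(ACL_EXAMPLE2))

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))            # 0.0.0.31
    print(wildcard_match("192.5.5.55", "192.5.5.32", "0.0.0.31"))  # True
    for src in ("192.168.10.10", "192.168.10.20", "192.168.11.5"):
        print(src, evaluate_acl(ACL_EXAMPLE2, src),
              "/ wrong order:", evaluate_acl(ACL_EXAMPLE2_WRONG_ORDER, src))
```

The reversed list shows why statement order matters: the same two lines permit PC1 when the network permit comes first.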
Next week: Network address translation.