In this session, we will learn about the concept of Extended ACLs (extended access lists) and how to use them.
1. Extended ACL
An extended ACL checks both the source address and the destination address to decide whether a packet is permitted or denied when it is forwarded. Packets can also be controlled according to a specific protocol (FTP, TFTP, Telnet, and so on).
These days most sites use access lists extensively on their switches, and the extended access list is the most common type.
Why? Because of the NIS security guidelines, there are many policies that must be applied to internally used switches, such as blocking remote access or allowing only certain administrator IPs to connect.
The extended access list is the setting that lets you allow Telnet or SSH access only from a particular IP.
It supports detailed traffic filtering that the standard access list cannot provide: you can specify the protocol and, optionally, TCP/UDP ports at the end of an access list statement.
👉 Well-Known Port Number / IP Protocol
20 : File Transfer Protocol (FTP) Data
21 : FTP Program
23 : Telnet
14 : Simple Mail Transport Protocol (SMTP)
69 : Trivial File Transfer Protocol (TFTP)
53 : Domain Name System (DNS)
★ Differences between a Standard Access List and an Extended Access List
Standard : Controls only the source address
Extended : Controls both the source and the destination address
Standard : Control for TCP/IP
Extended : A specific protocol such as IP, TCP, UDP or ICMP is specified and controlled
Standard : Uses a number between 1 and 99
Extended : Uses a number between 100 and 199
2. How to use Extended Access List
Step 1: Use the access-list command to express the condition with a more detailed filter. The full syntax of one entry is:
access-list access-list-number [ permit | deny ] protocol source-address source-wildcard [ operator port ] destination-address destination-wildcard [ operator port ]
1. access-list access-list-number [ permit | deny ]
: The access-list number is a number between 100 and 199; permit or deny decides whether traffic matching the entry is allowed or blocked.
2. protocol source-address source-wildcard [ operator port ]
: protocol is IP, TCP, UDP or ICMP, followed by the source address and its wildcard mask (and optionally an operator such as eq with a port number).
3. destination-address destination-wildcard [ operator port ]
: The destination address and its wildcard mask (and optionally an operator with a port number). The protocol is written only once, before the source address.
Step 2: Apply the access list to an interface with the ip access-group command.
1. ip access-group access-list-number [ in | out ]
: Give the number of the access list to apply to the interface and choose the direction (in or out) in which it applies.
EX)
access-list 101 deny tcp 172.16.5.0 0.0.0.255 172.16.30.0 0.0.0.255 eq 23
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 out
: Block Telnet packets (TCP port 23) from source network 172.16.5.0 0.0.0.255 to destination network 172.16.30.0 0.0.0.255 and permit everything else. Then apply the policy outbound (out) on interface Ethernet 0.
EX2) Allow only certain IPs to Telnet to the switch
ip access-list extended SSH
permit ip host 105.10.15.191 any log
permit ip host 105.10.15.192 any log
permit ip host 105.10.15.133 any log
permit ip host 105.10.15.37 any log
permit ip host 105.10.15.38 any log
deny ip any any log
line vty 0 4
access-class SSH in
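To show how the syntax from Step 1 and the two example lists are actually evaluated by the switch (top-down, first matching entry wins, implicit deny at the end), here is an added Python simulation written for this post; it is not Cisco code and not part of the original article. It parses the EX and EX2 entries above as constructed input, applies wildcard-mask matching the way IOS does (a 0 bit in the wildcard must match, a 1 bit is ignored), and returns permit or deny for a test packet. The packet addresses used in the demo (172.16.5.10, 105.10.15.200, 10.0.0.1 and so on) are made-up values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access control entry (one line of an extended ACL)."""
    action: str               # "permit" or "deny"
    protocol: str             # "ip", "tcp", "udp" or "icmp"
    src: int                  # source address as a 32-bit integer
    src_wc: int               # source wildcard mask (1 bit = don't care)
    src_port: Optional[int]   # "eq <port>" on the source side, if given
    dst: int
    dst_wc: int
    dst_port: Optional[int]
    log: bool = False


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def _parse_port(tokens: List[str], i: int):
    """Parse an optional 'eq <port>' operator at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse a numbered ('access-list 101 ...') or named ('permit ip ...') entry."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]               # drop 'access-list <number>'
    action, protocol = tokens[0], tokens[1]
    src, src_wc, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)
    log = i < len(tokens) and tokens[i] == "log"
    return Ace(action, protocol, src, src_wc, src_port, dst, dst_wc, dst_port, log)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def _addr_matches(packet_addr: str, rule_addr: int, wildcard: int) -> bool:
    # Bits that are 0 in the wildcard mask must match; 1 bits are ignored.
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(packet_addr) & care) == (rule_addr & care)


def evaluate(acl: List[Ace], protocol: str, src: str, dst: str,
             dst_port: Optional[int] = None, src_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet using first-match semantics."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if not _addr_matches(src, ace.src, ace.src_wc):
            continue
        if not _addr_matches(dst, ace.dst, ace.dst_wc):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action                 # first matching entry wins
    return "deny"                         # implicit deny at the end of every ACL


# The two example lists from the post, used here as constructed input.
ACL_101 = parse_acl("""
access-list 101 deny tcp 172.16.5.0 0.0.0.255 172.16.30.0 0.0.0.255 eq 23
access-list 101 permit ip any any
""")

ACL_SSH = parse_acl("""
permit ip host 105.10.15.191 any log
permit ip host 105.10.15.192 any log
permit ip host 105.10.15.133 any log
permit ip host 105.10.15.37 any log
permit ip host 105.10.15.38 any log
deny ip any any log
""")

if __name__ == "__main__":
    # Telnet across the two networks is dropped; SSH between the same hosts passes.
    print(evaluate(ACL_101, "tcp", "172.16.5.10", "172.16.30.20", dst_port=23))
    print(evaluate(ACL_101, "tcp", "172.16.5.10", "172.16.30.20", dst_port=22))
    # Without the trailing 'permit ip any any' the implicit deny drops everything else.
    print(evaluate(ACL_101[:1], "tcp", "172.16.6.10", "172.16.30.20", dst_port=23))
    # Only the listed management hosts reach the vty lines.
    print(evaluate(ACL_SSH, "tcp", "105.10.15.37", "10.0.0.1", dst_port=22))
    print(evaluate(ACL_SSH, "tcp", "105.10.15.200", "10.0.0.1", dst_port=22))
```

The third call in the demo is the case that bites most often in practice: if the `permit ip any any` line is left out, the implicit deny at the end of the list blocks all other traffic on the interface, not just Telnet.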
The settings in EX and EX2 above are described based on a Cisco switch. Each vendor has its own commands and configuration method, so take this as a guide to the approach rather than the exact syntax.
Thank you for reading my post. Have a nice day today as well.