18 ccna 200-120 ipv4 services basic acl
DESCRIPTION
vsdfdsfTRANSCRIPT
-
Cisco certification training
Instructor:- ASHOK TAMBE
Contact us :- 9930157345 ashok tambe
Training for
CCNA,CCNP,
CCNA SECURITY
CCIP,
MPLS, BGP, IPV6
NETWORK+, SEURITY+
Instructor:- ASHOK TAMBE
Cisco certification training
Copyright 2015 NETworkingWANschool
CCNA 200-120
https://www.facebook.com/Networkingwanschool
-
Copyright 2015 NETworkingWANschool
CCNA 200-120
Instructor:- ASHOK TAMBE
IPv4 Services
Basic IPv4 Access Control Lists
Advanced IPv4 ACLs and Device Security
Network Address Translation
-
Copyright 2015 NETworkingWANschool
CCNA 200-120
Instructor:- ASHOK TAMBE
IPv4 Services
Basic IPv4 Access Control Lists
-
Basic IPv4 Access Control Lists
Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.
Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs.
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of your network. You can configure ACLs for all routed network protocols
-
The most important reason to configure ACLs is to provide security for your network. This chapter explains how to use standard and extended ACLs as part of a security solution and teaches you how to configure them on a Cisco router. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.
IPv4 ACLs perform many functions in Cisco routers, with the most common use as a packet filter.
Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria
A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
-
As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.
Recall that an ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on: Source IP address Destination IP address ICMP message type The ACL can also extract upper layer information and test it against its rules. Upper layer information includes: TCP/UDP source port TCP/UDP destination port
-
Packet Filtering To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list. For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.
-
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analysed, forwarded, or processed in other ways.
As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet. *******(must remember)
By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment. *******(must remember)
The Three Ps A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface: One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction-ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0
-
ACLs perform the following tasks
Limit network traffic to increase network performance.
If corporate policy does not allow video traffic, ACLs can block video traffic.
Provide traffic flow control.
ACLs can restrict the delivery of routing updates.
If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access.
ACLs can allow one host to access a part of the network and prevent others from accessing the same area.
Decide which types of traffic to forward or block at the router interfaces.
For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
Control which areas a client can access on a network.
Screen hosts to permit or deny access to network services.
ACLs can permit or deny a user to access file types, such as FTP or HTTP.
ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.
ACL can classify traffic to enable priority processing down the line.
-
ACL Location and Direction
Cisco routers can apply ACL logic to packets at the point at which the IP packets enter an interface, or the point at which they exit an interface. In other words, the ACL becomes associated with an interface and for a direction of packet flow (either in or out). That is, the ACL can be applied inbound to the router, before the router makes its forwarding (routing) decision, or outbound, after the router makes its forwarding decision and has determined the exit interface to use. *** (must remember )
The arrows in Figure show the locations at which you could filter packets flowing left to right in the topology. For example, imagine that you wanted to allow packets sent by host A to server S1, but to discard packets sent by host B to server S1. Each arrowed line represents a location and direction at which a router could apply an ACL, filtering the packets sent by host B.
The four arrowed lines in the figure point out the location and direction for the
router interfaces used to forward the packet from host B to server S1. In this
particular example, those interfaces and direction are inbound on R1s F0/0 interface, outbound on R1s S0/0/0 interface, inbound on R2s S0/0/1 interface, and outbound on R2s F0/0 interface. If, for example, you enabled on ACL on R2s F0/1 interface, in either direction, that ACL could not possibly filter the packet sent
from host B to server S1, because R2s F0/1 interface is not part of the route from B to S1.
-
How ACLs Work
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured either to apply to inbound traffic or to apply to outbound traffic. Inbound ACLs-Incoming packets are processed before they are routed(before routing lookup)to the
outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. ***(must remember )
Outbound ACLs-Incoming packets are routed (after routing lookup) to the outbound interface, and
then they are processed through the outbound ACL.***(must remember)
ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time***(must remember)
-
ACL statements operate in sequential order.
They evaluate packets against the ACL, from the top down, one
statement at a time.
If a packet header and an ACL statement match, the rest of the
statements in the list are skipped,
and the packet is permitted or denied as determined by the
matched statement.
If a packet header does not match a statement, the packet is tested
against the next statement in the list.
This matching process continues until the end of the list.
A final implied (IMPLICIT) statement covers all packets for which
conditions did not test true.
This final statement is often referred to as the "implicit deny
any statement" or the "deny all traffic" statement.
Because of this statement, an ACL should have at least one
permit statement in it; otherwise, the ACL blocks all traffic.
Once you apply the ACL on an interface, the router MUST compare
every packet. Causes significant processor load.
ACL Operation - Inbound ACLs
-
Before a packet is forwarded to an outbound interface, the router
checks the routing table to see if the packet is routable.
If the packet is not routable, it is dropped.
Next, the router checks to see whether the outbound interface is
grouped to an ACL.
If the outbound interface is not grouped to an ACL,
The packet is sent directly to the outbound interface.
If the outbound interface is grouped to an ACL,
the packet is not sent out on the outbound interface until it
is tested by the combination of ACL statements that are
associated with that interface.
A final implied (IMPLICIT) statement covers all packets for which
conditions did not test true.
This final statement is often referred to as the "implicit
deny any statement" or the "deny all traffic" statement.
ACL Operation - Outbound ACLs
-
As a frame enters an interface, the router checks the destination Layer 2 address.
If the frame is accepted and the router checks for an ACL on the inbound interface.
If an ACL exists, the packet is now tested against the statements in the list.
If the packet matches a statement, the packet is either accepted or rejected.
If the packet is accepted in the interface, it is then checked against routing table entries to determine the
destination interface and switched to that interface.
Next, the router checks whether the destination interface has an ACL.
If an ACL exists, the packet is tested against the statements in the list.
If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded
out the interface to the next device.
ACL and Routing and ACL Processes on a Router
-
Matching Packets
When you think about the location and direction for an ACL, you must already be thinking about what packets you plan to filter (discard), and which ones you want to allow through. To tell the router those same ideas, you must configure the router with an IP ACL that matches packets. Matching packets refers to how to configure the ACL commands to look at each packet, listing how to identify which packets should be discarded, and which should be allowed through.
For example, consider an example with Figure , in which you want to allow packets from host A to server S1, but to discard packets from host B going to that same server. The hosts all now have IP addresses, and the figure shows pseudocode for an ACL on R2. Figure also shows the chosen location to enable the ACL: inbound on R2s S0/0/1 interface.
-
Taking Action When a Match Occurs
When using IP ACLs to filter packets, only one of two actions can be chosen. The configuration commands use keywords deny and permit, and they mean (respectively) to discard the packet or to allow it to keep going as if the ACL did not exist.
The Implied "Deny All Traffic" Criteria Statement At the end of every access list is an implied "deny all traffic" criteria statement. It is also sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behaviour of ACLs and cannot be changed. ***(must remember )
-
Types of IP ACLs
Cisco IOS has supported IP ACLs since the early days of Cisco routers. Beginning with the original standard numbered IP ACLs in the early days of IOS, which could enable the logic shown earlier Cisco has added many ACL features, including:
Standard Numbered ACLs (199) Extended Numbered ACLs (100199) Additional ACL Numbers (13001999 standard, 20002699 extended) Named ACLs Improved Editing with Sequence Numbers
-
Numbering and Naming ACLs
Using numbered ACLs is an effective method for determining the ACL type on
smaller networks.
Standard ACL for IP 1-99
Extended ACL for IP 100-199
Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco
ACL.
-
Numbering and Naming ACLs
When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it.
(the number scheme)
Named ACLs help identify the function. Some ACLs (reflexive) MUST be named.
Access-list 5 permit Access-list 5 permit Access-list 5 permit Access-list 5 permit Access-list 5 permit
Access-list 1 permit Access-list 2 permit Access-list 3 permit Access-list 4 permit Access-list 5 permit
One group with the number 5 5 different groups
OR
-
Where to Place ACLs
ACLs can act as firewalls to filter packets and eliminate unwanted traffic.
Every ACL should be placed where it has the greatest impact on efficiency.
The basic rules are:
Locate extended ACLs as close as possible to the source of the traffic denied.
This way, undesirable traffic is filtered without crossing the network infrastructure.
Because standard ACLs do not specify destination addresses, place them as close
to the destination as possible.
-
2 Types of Cisco ACLs: standard and extended
Standard ACLs
Standard ACLs allow you to permit or deny traffic
from source IP addresses.
Apply these ACLs closest to the destination!
The destination of the packet and the ports
involved do not matter.
The example allows all traffic from network
192.168.30.0/24 network.
Because of the implied "deny any" at the end, all other
traffic is blocked with this ACL.
-
Extended ACLs
Extended ACLs filter IP packets based
on several attributes, for example,
protocol type, source IP address,
destination IP address, source TCP or
UDP ports, destination TCP or UDP
ports, and optional protocol type
information for finer granularity of
control.
In the figure, ACL 103 permits traffic
originating from any address on the
192.168.30.0/24 network to any destination host port 80 (HTTP).
-
Where to Place ACLs
Standard ACL: In the figure, the
administrator wants to prevent
traffic originating in the
192.168.10.0/24 network from
getting to the 192.168.30.0/24
network.
An standard ACL on the
outbound interface of R1
denies R1 the ability to send
traffic to other places as well.
The solution is to place a
standard ACL on the inbound
interface of R3 to stop all
traffic from the source
address192.168.10.0/24.
A standard ACL is only concern
with source IP addresses.
-
Where to Place ACLs
Extended ACL: Placement must be
determined in the control of the network
administrator extends. (close to the
SOURCE as possible)
In this figure, the administrator of the
192.168.10.0/24 and 192.168.11.0/24
(referred to as Ten and Eleven) wants to
deny Telnet and FTP traffic from Eleven to
the 192.168.30.0/24 (Thirty). At the same
time, other traffic must be permitted to
leave Ten. (Use Bridge example to explain)
There are several ways to do this. 1. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination. 2. Use an outbound extended, Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1. A disadvantage of this is that traffic from Ten would also be processing by the ACL, even though traffic is allowed.
The better solution is to place an extended ACL on the inbound Fa0/2 of R1. This ensures that packets from Eleven do not enter R1, and cannot cross over into Ten.
-
General Guidelines for Creating ACLs: Activity
-
Entering Criteria Statements Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur
in the router. The router continues to process the ACL statements until it has a match.
For this reason, you should have the most frequently used ACL entry at the top of the list.
If no matches are found when the router reaches the end of the list, the traffic is denied because there is an implied
deny for traffic.
A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit
statement in an ACL or all traffic is blocked.
For example, the two ACLs (101 and 102) in the figure have the same effect.
Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.
-
Standard ACL Logic
Standard ACL Logic In the figure, packets that come in Fa0/0 are checked for their source addresses: access-list 2 deny 192.168.10.1 access-list 2 permit 192.168.10.0 0.0.0.255 access-list 2 deny 192.168.0.0 0.0.255.255 access-list 2 permit 192.0.0.0 0.255.255.255 If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped at the incoming interface
-
Configuring a Standard ACL
To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface. The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to provide a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.
The full syntax of the standard ACL command is as follows: Router(config)# access-list access-list-number deny permit remark source [source-wildcard] [log] The figure provides a detailed explanation of the syntax for a standard ACL. For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0 /24, you would enter: R1(config)# access-list 10 permit 192.168.10.0
-
Remove ACL
The no form of this command removes a standard ACL. In the figure, the output of the show access-list command displays the current ACLs configured on router R1. To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.
-
Remark a Standard ACL
Typically, administrators create ACLs and fully understand each the purpose of each statement within the ACL. However, when an ACL is revisited at a later time, it may no longer as obvious as it once was. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration, the remark is also displayed.
-
Matching the Exact IP Address
To match a specific source IP address, the entire IP address, all you have to do is
type that IP address at the end of the command. For example, the previous example
uses pseudocode for permit if source = 10.1.1.1. The following command configures that logic with correct syntax using ACL number 1:
access-list 1 permit 10.1.1.1
Matching the exact full IP address is that simple.
In earlier IOS versions, the syntax included a host keyword. Instead of simply typing
the full IP address, you first typed the host keyword, and then the IP address. Note
that in later IOS versions, if you use the host keyword, IOS accepts the command,
but then removes the keyword.
access-list 1 permit host 10.1.1.1
-
Matching a Subset of the Address with Wildcards
Often, the business goals you want to implement with an ACL does not match a single particular IP address, but rather a range of IP addresses. Maybe you want to match all IP addresses in a subnet.
IOS allows standard ACLs to match a range of addresses using a tool called a wildcard mask. Note that this is not a subnet mask. The wildcard mask (which this book abbreviates as WC mask) gives the engineer a way to tell IOS to ignore parts of the address when making comparisons, essentially treating those parts as wildcards, as if they already matched.
ACLs statements include masks, called wildcard masks. A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function. The mask determines how much of an IP source or destination address to apply to the address match. The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits. However, they are used for different purposes and follow different rules.
-
ACLs statements include wildcard masks.
A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.
The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.
Wildcard masks are referred to as an inverse mask.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following
rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address
The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address.
-
ACL Wildcard Masks to Match IP Subnets
The first example the wildcard mask stipulates that every bit in the IP
192.168.1.1must match exactly.
The wildcard mask is 0.0.0.0.
In the second example, the wildcard mask stipulates that anything will match.
The wildcard mask is 255.255.255.255.
In the third example, the wildcard mask stipulates that it will match any host
within the 192.168.1.0 /24 network.
The wildcard mask is 0.0.0.255.
The second figure are more complicated.
In example 1, the first two octets and first four bits of the third octet must
match exactly.
This checks for 192.168.16.0 to 192.168.31.0
The wildcard mask is 0.0.15.255.
Example 2 , a wildcard mask that matches the first two octets, and the least
significant bit in the third octet.
The result is a mask that would permit or deny all hosts from odd
subnets (/24) from the 192.168.0.0 major network.
The wildcard mask is 0.0.254.255.
-
ACL Wildcard Masks to Match IP Subnets
Although you could accomplish the result with two statements:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255
It is far more efficient to configure the wildcard mask such as:
R1(config)# access-list 10 permit 192.168.10.0 0.0.3.255
That may not seem more efficient, but when you consider if you wanted to match network 192.168.16.0 to 192.168.31.0 :
R1(config)# access-list 10 permit 192.168.16.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.17.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.18.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.19.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.21.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.22.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.23.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.24.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.25.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.26.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.27.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.28.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.29.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.31.0 0.0.0.255
You can see that configuring the following wildcard mask makes it far more efficient:
R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
-
ACL Wildcard Masks to Match IP Subnets Calculating wildcard masks can be difficult, but you can
do it easily by subtracting the subnet mask from
255.255.255.255.
Example 1: assume you wanted to permit access to all
users in the 192.168.3.0 network.
Because the subnet mask is 255.255.255.0, you could take
the 255.255.255.255 and subtract from the subnet mask.
The solution produces the wildcard mask 0.0.0.255.
Example 2: Now assume you wanted to permit network
access for the 14 users in the subnet 192.168.3.32 /28.
The subnet mask for the IP subnet is 255.255.255.240,
take 255.255.255.255 and subtract the subnet mask
255.255.255.240
The solution this time produces the wildcard mask 0.0.0.15.
Example 3: assume you wanted to match only networks
192.168.10.0 and 192.168.11.0.
take 255.255.255.255 and subtract the subnet mask
255.255.254.0.
The result is 0.0.1.255.
-
Wildcard Bit Mask Keywords The keywords host and any help identify the most common uses of wildcard
masking.
The host option substitutes for the 0.0.0.0 mask. This mask states that all IP
address bits must match or only one host is matched.
The any option substitutes for the IP address and 255.255.255.255 mask.
This mask says to ignore the entire IP address or to accept any
addresses.
Example for keyword any:
Instead of entering
R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255,
you can use
R1(config)# access-list 1 permit any
Example for keyword host:
Instead of entering
R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0,
you can use
R1(config)# access-list 1 permit host 192.168.10.10.
-
Applying Standard ACL to Interfaces
After a standard ACL is configured, it is linked to an interface using the ip access-group command: Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out} To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. The figure lists the steps and syntax to configure and apply a numbered standard ACL on a router.
-
Example 1: use an ACL to permit a
single network.
This ACL allows only traffic from source
network 192.168.10.0 to be forwarded out on
S0/0/0. Traffic from networks other than
192.168.10.0 is blocked.
The first line identifies the ACL as access list
1. It permits traffic that matches the
selected parameters.
access-list 1 permit 192.168.10.0 0.0.0.255
The unseen implicit deny all other traffic.
The ip access-group 1 out interface
configuration command links and ties ACL 1
to the Serial 0/0/0 interface as an outbound filter.
-
Example 2: an ACL that denies a
specific host.
The first command deletes the previous
ACL 1.
The next ACL statement, denies the
PC1 host located at 192.168.10.10.
Every other host on the 192.168.10.0
/24 network is permitted.
The implicit deny statement matches
other network.
The ACL is again reapplied to interface S0/0/0 in an outbound direction.
-
Example 3: an ACL that denies a
specific host.
This ACL replaces the previous example
but still blocks traffic from the host
PC1. It also permits all other LAN
traffic to exit from router R1.
The first command deletes the previous
version of ACL 1 and the next ACL
statement denies the PC1 host located
at 192.168.10.10.
The third line is new and permits all
hosts from the 192.168.x.x /16
networks.
The ACL is again reapplied to interface S0/0/0 in an outbound direction.
-
Using an ACL to Control VTY Access
Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS software image on your router does not support SSH, you can partially improve the security of administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. You can control which administrative workstation or network manages your router with an ACL and an access-class statement to your VTY lines. You can also use this technique with SSH to further improve administrative access security.
The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.
-
The command syntax of the access-class command is: access-class access-list-number {in [vrf-also] | out} The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list. An example allowing VTY 0 and 4 is shown in the figure. For example, the ACL in the figure is configured to permit networks 192.168.10.0 and 192.168.11.0 access to VTYs 0 - 4. All other networks are denied access to the VTYs. The following should be considered when configuring access lists on VTYs: Only numbered access lists can be applied to VTYs. Identical restrictions should be set on all the VTYs,
because a user can attempt to connect to any of them.
-
Commenting ACLs
You can use the remark keyword to include comments about entries in any ACL.
The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
To include a comment for IP numbered standard or extended ACLs,
access-list access-list number remark remark command.
To remove the remark, use the no form of this command.
For an entry in a named ACL,
use the remark configuration command.
To remove the remark, use the no form of this command.
-
Creating Standard Named ACLs
Naming an ACL makes it easier to understand.
For example, an ACL to deny FTP could be called NO_FTP.
When you identify your ACL with a name, the configuration command syntax are slightly different.
The steps to create a standard named ACL.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.
ACL names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more
conditions for determining if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
-
Creating Standard Named ACLs
Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different. The figure shows the steps to create a standard named ACL. Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number. Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped. Step 3. Return to privileged EXEC mode with the end command
-
Monitoring and Verifying ACLs
When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration.
-
Editing Names ACLs
Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.
Starting with Cisco IOS 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.
You can use sequence numbers to insert statements anywhere in the named ACL.
If you are using an earlier Cisco IOS version, you can add statements only at the bottom of the named ACL.
The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricted access to the web server. Looking at this
example,
In the first show command output, you can see that the ACL named WEBSERVER has three numbered lines.
To grant another workstation access in the list only requires inserting a numbered line. The workstation with the IP address
192.168.11.10 is being added.
The final show command output verifies that the new workstation is now allowed access.
-
Extended Numbered IP Access Control Lists
Extended IP access lists have many similarities compared to the standard numbered IP
ACLs discussed in the previous chapter. Just like standard IP ACLs, you enable extended
access lists on interfaces for packets either entering or exiting the interface. IOS searches
the list sequentially.
Extended ACLs also use first-match logic, because the router stops the search through the
list as soon as the first statement is matched, taking the action defined in the first-matched
statement. All these features are also true of standard numbered access lists (and named
ACLs).
Extended ACLs differ from standard ACLs mostly because of the larger variety of packet
header fields that can be used to match a packet. One extended ACL statement can
examine multiple parts of the packet headers, requiring that all the parameters be matched
correctly to match that one ACL statement. That powerful matching logic makes extended
access lists both more useful and more complex than standard IP ACLs.
-
Matching the Protocol, Source IP, and Destination IP
Like standard numbered IP ACLs, extended numbered IP ACLs also use the access-list global
command. The syntax is identical, at least up through the permit or deny keyword. At that point, the
command lists matching parameters, and those differ, of course. In particular, the extended ACL
access-list command requires three matching parameters: the IP protocol type, the source IP address, and the destination IP address.
The IP headers Protocol field identifies the header that follows the IP header. Figure shows the location of the IP Protocol field, the concept of it pointing to the type of header that follows, along with some
details of the IP header for reference.
IOS requires that you configure parameters for the three highlighted parts of Figure . For the protocol type,
you simply use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP,
UDP, or ICMP header, respectively, following the IP header. Or you can use the keyword ip, which means all ip packets.
-
Extended ACL Syntax, with Required Fields
Note
When matching IP addresses in the source and destination fields, there is
one difference with standard ACLs: When matching a specific IP address,
the extended ACL requires the use of the host keyword. You cannot simply
list the IP address alone.
In an extended ACL access-list command, all the matching parameters must
match the packet for the packet to match the command.**** (must remember )
-
Matching TCP and UDP Port Numbers
Extended ACLs can also examine parts of the TCP and UDP headers, particularly the source
and destination port number fields. The port numbers identify the application that sends or
receives the data.
The most useful ports to check are the well-known ports used by servers. For example, web
servers use well-known port 80 by default. Figure shows the location of the port numbers in
the TCP header, following the IP header.
-
When an extended ACL command includes either the tcp or udp keyword, that command
can optionally reference the source and/or destination port. To make these comparisons, the
syntax uses keywords for equal, not equal, less than, greater than, and for a range of port
numbers. Additionally, the command can use either the literal decimal port numbers, or
more convenient keywords for some well-known application ports. Figure shows the
positions of the source and destination port fields in the access-list command and these
port number keywords.
-
For example, consider the simple network shown in Figure . The FTP server sits on the right,
with the client on the left. The figure shows the syntax of an ACL that matches the following:
Packets that include a TCP header Packets sent from the client subnet Packets sent to the server subnet Packets with TCP destination port 21 (FTP server control port)
-
Conversely, Figure shows the reverse flow, with a packet sent by the server back toward
PC1. In this case, the packets TCP header has a source port of 21, so the ACL must check the source port value of 21, and the ACL must be located on different interfaces. In
this case, the eq 21 parameters follow the source address field, but comes before the
destination address field.
-
Configuring Extended ACLs
The procedural steps for configuring extended ACLs are the same as for standard ACLs
first create the extended ACL
then activate it on an interface.
-
For example, the network administrator needs to restrict Internet access to allow only web browsing.
ACL 103 applies to traffic leaving 192.168.10.0 network,
It allows traffic to go to any destination ports 80 (HTTP) and 443 (HTTPS) only.
ACL 104 applies to traffic coming into the network.
ACL 104 blocking all incoming traffic, except for the established connections.
HTTP establishes connections starting with the request and then exchange of ACK, FIN, and SYN
messages.
A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the
packet belongs to an existing connection.
This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to
return to s0/0/0.
-
Applying Extended ACLs to Interfaces
Recall that we want to allow users to browse both insecure and secure websites.
First consider whether the traffic you want to filter is going in or out.
In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast
Ethernet port, Fa0/0.
The Internet traffic coming in is going in the S0/0/0 interface,
but is going out the Fa0/0 interface to reach PC1.
The example applies the ACL to the serial interface in both directions.
-
Example: Deny FTP
Denying FTP traffic from subnet 192.168.11.0 going to 192.168.10.0, but permitting all other traffic.
Remember that FTP requires ports 20 and 21, therefore you need to specify to deny FTP.
With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data
-
Example: Deny Telnet
Denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP
traffic from any other source to any destination out Fa0/0.
Note the use of the any keywords, meaning from anywhere going to anywhere.
-
Creating Named Extended ACLs You can create named extended ACLs in essentially the same way you created named standard ACLs.
Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a
named extended ACL.
Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.
Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name]
command.
Step 4. As an option and recommended step, save your entries in the configuration file with the copy running-
config startup-config command.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
-
ACL Editing
Now that you have a good understanding of the core concepts in IOS IP ACLs, this section
examines a few enhancements to IOS support for ACLs :- ACL editing with sequence numbers
ACL sequence numbers make it easier to edit existing ACLs when an ACL needs to change.
Named ACLs allow the user to delete and add new lines to the ACL from within ACL configuration
mode.
Numbered ACLs have existed in IOS since the early days of Cisco routers and IOS.
However, for many years, through many IOS versions, the ability to edit a numbered IP ACL
was poor. For example, to simply delete a line from the ACL, the user had to delete the
entire ACL and then reconfigure it.
Today, modern IOS versions allow CLI users to easily edit both numbered and named
ACLs. Cisco first introduced these enhanced ACL editing features in named ACLs only, and
slowly added them to numbered ACLs as well. This section examines these great ACL
editing features that have been around in IOS since Version 12.3, is now a relatively old
IOS version.
-
The ACL editing feature uses an ACL sequence number that is added to each ACL permit
or deny statement, with the numbers representing the sequence of statements in the
ACL. ACL sequence numbers provide the following features for both numbered and
named ACLs:
New Configuration Style for Numbered: Numbered ACLs use a configuration style like
named ACLs, as well as the traditional style, for the same ACL; the new style is required to
perform advanced ACL editing.
Deleting Single Lines: An individual ACL permit or deny statement can be deleted with a
no sequence-number subcommand.
Inserting New Lines: Newly added permit and deny commands can be configured with a
sequence number, dictating the location of the statement within the ACL.
Automatic Sequence Numbering: IOS adds sequence numbers to commands as you
configure them, even if you do not include the sequence numbers.
-
Cisco certification training
Instructor:- ASHOK TAMBE
Contact us :- 9930157345 ashok tambe
https://www.facebook.com/ashok.tambe.733
https://www.facebook.com/groups/networkingwanschool/