access lists ppt

Upload: sudbaran

Post on 04-Jun-2018

TRANSCRIPT

  • 8/13/2019 Access Lists PPT

    1/32

    Access Lists

    Lists of conditions that control access


    Access Lists

    Powerful tools that control access both to and from network segments

    Can filter unwanted packets

    Can be used to implement security policy


    Rules a Packet follows

    Rules a packet follows when it is being compared to an access list:

    It is always compared with each line of the access list in sequential order, i.e., it will always start with line 1, then go to line 2, then line 3, and so on

    It is compared with lines of the access list only until a match is made. Once the packet matches a line of the list, it is acted upon, and no further comparisons take place

    There is an implicit deny at the end of each access list. This means that if a packet doesn't match any line in the access list, it will be discarded


    Applying Access Lists

    Access lists are applied to an interface as either an inbound or an outbound list:

    Inbound access lists: packets are processed through the access list before being routed to the outbound interface

    Outbound access lists: packets are routed to the outbound interface and then processed through the access list


    Access List Guidelines

    Assign only one access list per interface, per protocol, per direction, i.e. one inbound and one outbound IP list per interface

    Organise ACLs so that the more specific tests are at the top

    Any time a new line is added to a numbered ACL it is appended to the bottom

    A single line cannot be removed from a numbered ACL; the whole list must be deleted and retyped (named ACLs, by contrast, allow individual lines to be removed)

    An ACL that is meant to block only specific traffic must end with permit any, because every packet that matches no line is discarded by the implicit deny

    Every list should have at least one permit statement, otherwise you might as well shut down the interface

    Create access lists first and then apply them to an interface

    Access lists filter traffic going through a router. They do not filter traffic originating from the router itself

    Place IP standard access lists as close to the destination as possible. Place IP extended access lists as close to the source as possible


    IP ACL example with 3 LANs and a WAN connection (network diagram)

    Router interfaces: E0, E1, E2 (Ethernet LANs) and S0 (WAN link to the Internet)
    Finance LAN 172.16.10.0, containing the server 172.16.10.5
    Marketing LAN 172.16.30.0
    Sales LAN 172.16.40.0


    Standard IP ACL (I)

    Standard IP access lists filter using only the source IP address in an IP packet

    RouterA(config)#access-list ?

    <1-99> IP standard access list
    <100-199> IP extended access list

    Using a number from 1-99 tells the router that you want to create a standard IP access list (the expanded range 1300-1999 is also standard). You then decide if you are creating a permit or deny statement.

    RouterA(config)#access-list 10 ?

    deny Specify packets to reject
    permit Specify packets to forward


    Standard ACL (II)

    Next step, choose what to match:

    Use the any keyword to permit or deny every host and network

    Use an IP address with a wildcard mask to match a specific network or subnet

    Use the host keyword to match a single host only

    Example using the host keyword:

    RouterA(config)#access-list 10 deny host 172.16.30.2

    This tells the list to deny any packets from host 172.16.30.2. If no wildcard mask is given, host (a wildcard of 0.0.0.0) is the default, so access-list 10 deny 172.16.30.2 means the same thing.

    Another way to specify a single host is to write the wildcard explicitly: 172.16.30.2 0.0.0.0

    There is no keyword for a network or subnet; for those you must give an address and a wildcard mask


    Standard ACLs (III)

    Wildcards are used with access lists to specify a host, a network, or part of a network

    To understand wildcards it is useful to work in block sizes: 64, 32, 16, 8, 4

    When you specify a range of addresses, you choose the closest block size that covers your needs: to specify 18 hosts you need a block size of 32


    The Wildcard Mask

    A wildcard mask is written to tell the router which bits in the address to match and which bits to ignore.

    A 0 bit means check this bit position. A 1 bit means ignore this bit position. This is completely different from the ANDing process we studied in Semester 1.

    Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:

    11000000.00000101.00000101.00001010 (Source address)
    00000000.00000000.00000000.00000000 (Wildcard mask)


    The Wildcard Mask

    This table from the curriculum may help:


    Masking Practice

    On the next several slides, we will practice making wildcard masks to fit specific guidelines. Don't worry if you don't get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to master.

    Write an ip mask and wildcard mask to check for all hosts on the network 192.5.5.0 255.255.255.0

    Answer: 192.5.5.0 0.0.0.255

    Notice that this wildcard mask is the bitwise inverse of the default subnet mask for a Class C address (each octet is 255 minus the subnet mask octet).

    WARNING: This shortcut is reliable only when matching whole networks or subnets.


    Masking Practice

    Write an ip mask and wildcard mask to check for all hosts in the subnet 192.5.5.32 255.255.255.224

    If you answered 192.5.5.32 0.0.0.31, you're right!

    0.0.0.31 is the bitwise inverse of 255.255.255.224. Let's look at both in binary:

    11111111.11111111.11111111.11100000 (255.255.255.224)
    00000000.00000000.00000000.00011111 (0.0.0.31)

    To prove this wildcard mask will work, let's look at a host address within the .32 subnet, 192.5.5.55:

    11000000.00000101.00000101.00110111 (192.5.5.55) host address
    11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
    00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask


    Masking Practice

    In the previous example (repeated below), the bits that sit under a 0 in the wildcard mask, i.e. the first 27 bits, are the bits that must match.

    11000000.00000101.00000101.00110111 (192.5.5.55) host address
    11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
    00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask

    Remember: a 0 bit in the wildcard mask means check the bit; a 1 bit in the wildcard mask means ignore it.

    Wherever the wildcard has a 0, the bit in the address of the packet being filtered (192.5.5.55) must equal the bit in the ip mask configured in the access list (192.5.5.32)

    Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192

    Answer: 192.5.5.64 0.0.0.63


    Masking Practice

    Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0

    Answer: 172.16.128.0 0.0.127.255

    Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a subnet mask of 255.255.252.0

    Answer: 172.16.16.0 0.0.3.255

    Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0

    Answer: 10.0.8.0 0.0.7.255

    By now, you should have the hang of ip masks and wildcard masks when dealing with a subnet. If not, go back and review.


    Masking a Host Range

    Masking will not be so easy during the Hands-On final. You'll need to be able to deny a portion of a subnet while permitting another.

    To mask a range of hosts within a subnet, it is often necessary to work at the binary level.

    For example, students use the range 192.5.5.0 to 192.5.5.127 and teachers use the range 192.5.5.128 to 192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0

    How do you write an ip mask and wildcard mask to deny one group, yet permit the other?


    Masking a Host Range

    Let's write the masks for the students.

    First, write out the first and last host address in binary. Since the first 3 octets are identical, we can skip those: all their wildcard bits must be 0.

    First host's 4th octet: 00000000
    Last host's 4th octet: 01111111

    Second, look for the leading bits that are shared by both (here only the leftmost bit, which is 0 in both):

    00000000
    01111111

    These bits in common are to be checked, just like the common bits in the 192.5.5 portion of the addresses.

    Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255


    Masking a Host Range

    Third, add up the decimal value of the bit positions that vary between the first and last host (for the students, the 1 bits of 01111111 = 127); that is the wildcard's 4th octet

    Finally, determine the ip mask and wildcard mask

    The ip mask can be any host address in the range, but convention says use the first one

    The wildcard mask is all 0s for the common bits and all 1s for the bits that vary

    192.5.5.0 0.0.0.127

    What about the teachers? What would be their ip mask and wildcard mask? 192.5.5.128 (10000000) to 192.5.5.255 (11111111)

    Answer: 192.5.5.128 0.0.0.127

    Notice anything? What stayed the same? What changed? The wildcard is identical; only the ip mask (the fixed leading bit of the last octet) differs.

    Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255


    Specify a small range of subnets

    If you wish to block access to part of a network that is in the range from 172.16.8.0 through 172.16.15.255

    That is a block size of 8 (eight /24 networks, starting on a multiple of 8 in the third octet)

    The wildcard would be 0.0.7.255

    The wildcard octet is one less than the block size
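    The mask arithmetic from the masking slides above (inverting a subnet mask into a wildcard, checking a packet address against an ip mask and wildcard, and deriving the ip mask and wildcard for a host range or a block of subnets), written out as an added Python example. It is not code from the original presentation; the function names are my own. It goes one step beyond the slides: range_to_wildcard refuses a range that is not an aligned power-of-two block, because a single wildcard entry cannot express such a range and would silently match too much or too little.

```python
from __future__ import annotations
import ipaddress

# Added example (not from the slides): wildcard-mask arithmetic for IOS standard ACLs.


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask into a wildcard mask: each octet is 255 minus the mask octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """The ACL comparison rule: a 0 wildcard bit must match, a 1 wildcard bit is ignored."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 1 where the bit is checked
    return (p & care) == (a & care)


def range_to_wildcard(first_ip: str, last_ip: str) -> tuple[str, str]:
    """Turn an inclusive address range into (ip mask, wildcard mask).

    The slides' method in code: bits that are identical in the first and last address are
    checked (0 in the wildcard), the low-order bits that vary are ignored (1). Raises
    ValueError when the range is not an aligned power-of-two block, because one wildcard
    entry cannot express it; such a range has to be split into several entries.
    """
    first = int(ipaddress.IPv4Address(first_ip))
    last = int(ipaddress.IPv4Address(last_ip))
    if last < first:
        raise ValueError("last address precedes first")
    varying = (first ^ last).bit_length()  # number of low-order bits that differ
    wildcard = (1 << varying) - 1          # 1s in exactly those positions
    if first & wildcard != 0 or last & wildcard != wildcard:
        raise ValueError(f"{first_ip}-{last_ip} is not an aligned block; one wildcard cannot express it")
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(wildcard))


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))                     # 0.0.0.31
    print(wildcard_matches("192.5.5.55", "192.5.5.32", "0.0.0.31"))  # True
    print(range_to_wildcard("192.5.5.128", "192.5.5.255"))           # ('192.5.5.128', '0.0.0.127')
    print(range_to_wildcard("172.16.8.0", "172.16.15.255"))          # ('172.16.8.0', '0.0.7.255')
    try:
        range_to_wildcard("192.5.5.1", "192.5.5.127")                # .1 is not on a block boundary
    except ValueError as err:
        print(err)
```

    The last call is the case the slides gloss over: a range starting at .1 shares no clean block boundary, so a single entry would either have to start at .0 or miss addresses; in a real ACL you would write it as several aligned entries.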


    Access List Example (I)

    RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255

    This tells the router to match the first three octets; the last octet can be anything

    The next configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would be 172.16.16.0 through 172.16.19.255

    RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255

    The next example starts at network 172.16.32.0 and goes up a block size of 32, to 172.16.63.255

    RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255


    Applying a standard ACL

    The example has three LAN connections and one WAN connection to the Internet

    Users on the Sales LAN should not have access to the Finance LAN

    They should have access to the Internet and to Marketing

    Marketing needs to access the Finance LAN for application services


    Router ACL Config

    On the Acme router the following standard IP access list is applied:

    Acme#config t
    Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
    Acme(config)#access-list 10 permit any (same as 0.0.0.0 255.255.255.255)

    At this point the access list is denying the Sales LAN and allowing everyone else

    Where should it be placed?

    If you place it as an inbound access list on E2 (the Sales interface), every packet from Sales is dropped, including its traffic to the Internet and to Marketing: you might as well shut down the Ethernet interface

    The best place to put it is outbound on the E0 (Finance) interface, as close to the destination as a standard list can get:

    Acme(config)#int e0
    Acme(config-if)#ip access-group 10 out


    Extended IP Access List

    The example standard IP ACL had to block the whole Sales subnet from getting to the Finance department

    What if you wanted them to gain access to only a certain server on the Finance LAN, but not to other network services, for security reasons?

    You need an extended ACL. Extended IP ACLs allow:

    A choice of both source and destination IP address

    Protocol and port number (identifies the upper-layer protocol or application)

    Using an extended IP access list you can allow users access to the physical LAN and still stop them using certain services


    Extended IP Access List

    Use a number from the extended range 100 to 199 (the expanded range 2000-2699 is also extended)

    RouterA(config)#access-list 110

    Specify permit or deny

    RouterA(config)#access-list 110 deny

    Then choose a protocol field entry (ip, tcp, udp, icmp, ...)

    RouterA(config)#access-list 110 deny tcp

    Then choose the source and destination address

    RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

    Now match a given destination port number; the log keyword makes the router record each match

    RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log


    Extended IP Access List

    Keep in mind that the line after your last entry is the implicit deny any. Therefore, after the deny entries you must add a permit:

    RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

    (0.0.0.0 255.255.255.255 is the same as any)

    Once the access list has been created you must apply it to an interface. Use the same command as for the IP standard list:

    RouterA(config-if)#ip access-group 110 in

    or

    RouterA(config-if)#ip access-group 110 out


    Extended IP Access List Example

    Using the same example:

    Deny access to a server on the Finance department LAN for both Telnet and FTP services on server 172.16.10.5

    All other services on the LAN are acceptable for the Sales and Marketing departments to access


    Extended IP Access List example

    Acme#config t
    Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
    Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
    Acme(config)#access-list 110 permit ip any any

    Port 23 is Telnet and port 21 is the FTP control connection; blocking the control connection is enough to stop FTP logins to the server.

    After the list is created, it needs to be applied outbound on the Ethernet 0 port. Applied there, it filters traffic heading for the Finance LAN whichever of the other three interfaces it arrived on. However, if this list were created to block only Sales, then we would want to put it closest to the source, inbound on Ethernet 2

    Acme(config)#int e0
    Acme(config-if)#ip access-group 110 out
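    As an added example, not code from the original slides, here is a Python model of the evaluation rules from the "Rules a Packet follows" slide (top to bottom, first match wins, implicit deny at the end) run over the slides' access-list 10 and access-list 110, together with a model of where binding the list with ip access-group makes a difference. The interface layout E0 Finance, E1 Marketing, E2 Sales and S0 Internet is assumed from the diagram (the slides themselves only state E0 and E2); the Sales host 172.16.40.7, the Marketing host 172.16.30.9 and the web address 93.184.216.34 are constructed sample packets.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the slides): how a numbered IP ACL is evaluated and where it is applied.


def _wildcard_matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 0 wildcard bit = check it
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (int(ipaddress.IPv4Address(acl_ip)) & care)


def _addr_spec_matches(spec: str, ip: str) -> bool:
    """spec is 'any', 'host a.b.c.d', 'a.b.c.d w.x.y.z', or a bare 'a.b.c.d' (IOS default: host)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host" or len(parts) == 1:
        return _wildcard_matches(ip, parts[-1], "0.0.0.0")
    return _wildcard_matches(ip, parts[0], parts[1])


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # source spec, see _addr_spec_matches
    dst: str = "any"                 # destination spec (a standard ACL only looks at src)
    proto: str = "ip"                # "ip" matches every protocol; "tcp"/"udp"/... only that one
    dst_port: Optional[int] = None   # 'eq <port>' on the destination, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching line decides and later lines are never read.
    Returns (action, line number); a packet that matches nothing hits the implicit deny (line None)."""
    for line, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_spec_matches(e.src, pkt.src) or not _addr_spec_matches(e.dst, pkt.dst):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, line
    return "deny", None


# Assumed interface layout of the Acme router: E0 Finance, E1 Marketing, E2 Sales (the slides
# state E0 and E2), everything else reached via S0, the WAN link to the Internet.
LANS = {"172.16.10.0/24": "E0", "172.16.30.0/24": "E1", "172.16.40.0/24": "E2"}


def iface_for(ip: str) -> str:
    addr = ipaddress.IPv4Address(ip)
    for net, iface in LANS.items():
        if addr in ipaddress.IPv4Network(net):
            return iface
    return "S0"


def forwarded(acl: list[Entry], pkt: Packet, on_iface: str, direction: str) -> bool:
    """Does the router forward pkt when acl is bound to on_iface with 'ip access-group N in|out'?
    The list is consulted only if the packet crosses that interface in that direction."""
    crosses = (direction == "in" and iface_for(pkt.src) == on_iface) or \
              (direction == "out" and iface_for(pkt.dst) == on_iface)
    return True if not crosses else evaluate(acl, pkt)[0] == "permit"


# The slides' access-list 10 and access-list 110, plus a copy of 110 that forgot the final permit.
ACL_10 = [Entry("deny", "172.16.40.0 0.0.0.255"), Entry("permit", "any")]
ACL_110 = [Entry("deny", "any", "host 172.16.10.5", "tcp", 23),
           Entry("deny", "any", "host 172.16.10.5", "tcp", 21),
           Entry("permit", "any", "any", "ip")]
ACL_110_NO_PERMIT = ACL_110[:2]

if __name__ == "__main__":
    sales_to_server = Packet("172.16.40.7", "172.16.10.5", "tcp", 23)   # constructed sample packets
    sales_to_web = Packet("172.16.40.7", "93.184.216.34", "tcp", 80)
    print(forwarded(ACL_10, sales_to_server, "E0", "out"), forwarded(ACL_10, sales_to_web, "E0", "out"))
    print(forwarded(ACL_10, sales_to_web, "E2", "in"))   # inbound on E2 drops all of Sales, web included
    print(evaluate(ACL_110, sales_to_server))             # first line wins: ('deny', 1)
    print(evaluate(ACL_110_NO_PERMIT, Packet("172.16.30.9", "172.16.10.5", "tcp", 80)))  # implicit deny
```

    The last line shows the failure mode the guidelines warn about: without the closing permit ip any any, Marketing's ordinary web traffic to the server matches nothing and falls through to the implicit deny.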