Chapter 10 Managing Traffic with Access Lists


8/13/2019 Chapter 10 - Access Control Lists

http://slidepdf.com/reader/full/chapter-10-access-control-lists 1/45

Chapter 10

Managing Traffic with Access Lists


Objectives

On completion of this chapter, you will be able to perform the following tasks:

• Describe the differences between standard and extended ACLs

• Explain the rules for placement of ACLs

• Create and apply named ACLs

• Use ACLs to restrict virtual terminal access



What are ACLs

• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.

• These lists tell the router what kinds of packets to accept and what kinds of packets to deny.

• Acceptance and denial can be based on specified conditions.

• ACLs can be created for all routed network protocols, such as IP and IPX, to filter packets.

• ACLs can be configured at the router to control access to a network or subnet.


ACLs check the packet and header


How ACLs control traffic flow

[Figure: a router interface with separate inbound and outbound lists for IP, IPX and AppleTalk.]

One list, per port, per direction, per protocol.


The primary reasons to create ACLs

• Limit network traffic and increase network performance.

• Provide a basic level of security for network access.

• Decide which types of traffic are forwarded or blocked at the router interfaces.

• Allow an administrator to control what areas a client can access on a network.

• Screen certain hosts to either allow or deny access to part of a network.


How ACLs work: order of ACL statements


ACL and routing process in a router

[Flowchart: on the inbound interface the decisions are "ACLs on interface?", "statement list match?" and "permit packet?"; a packet that is permitted (or that arrives on an interface with no ACL) is routed to the outbound interface. On the outbound interface the same three decisions are repeated, followed by the Layer 2 address match and "send to the device". A list that ends without a match, or a matching deny statement, leads to the default deny.]


Creating ACLs: Step 1

Router(config)# access-list access-list-number {permit | deny} {test-conditions}

Defines an ACL.

ACL command          Description
access-list          defines an access list
access-list-number   protocol-dependent ACL number
permit               defines a statement to allow traffic
deny                 defines a statement to disallow traffic
test-conditions      ACL test conditions

To remove an ACL, use no access-list access-list-number.

ACL numbers

[Figure: table of ACL number ranges per protocol; the ranges used in this chapter are 1 to 99 for standard IP and 100 to 199 for extended IP.]

Creating ACLs: Step 2

Router(config-if)# {protocol} access-group access-list-number {in | out}

Applies the access list to an interface.

ACL command          Description
protocol             a protocol specified for the interface
access-group         any packets that pass the ACL test conditions can be permitted to use any interface in the access group of interfaces
access-list-number   the ACL identified by this number is associated with this interface
in | out             direction in which the ACL is applied


These basic rules should be followed

• One access list per protocol per direction.

• Standard access lists should be applied closest to the destination.

• Extended access lists should be applied closest to the source.

• Use the inbound or outbound interface reference as if looking at the port from inside the router.

• Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.

• There is an implicit deny at the end of all access lists.


These basic rules should be followed (continued)

• New lines are always added to the end of the access list.

• A no access-list x command will remove the whole list.

• It is not possible to selectively add and remove lines with numbered ACLs.

• Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, then, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.


Wildcard Mask


Subnet mask and wildcard mask

Subnet mask: bit 1 = check, bit 0 = ignore.
Wildcard mask: bit 1 = ignore, bit 0 = check.

Range of   Subnet mask (last octet)   Wildcard mask (last octet)
hosts      binary     decimal         binary     decimal
2          11111110   254             00000001   1
4          11111100   252             00000011   3
8          11111000   248             00000111   7
16         11110000   240             00001111   15
32         11100000   224             00011111   31
64         11000000   192             00111111   63
128        10000000   128             01111111   127
256        00000000   0               11111111   255


Common wildcard masks

Range of   Subnet mask                        Wildcard mask
hosts
2          192.168.1.2    255.255.255.254    192.168.1.2    0.0.0.1
4          192.168.1.8    255.255.255.252    192.168.1.8    0.0.0.3
8          192.168.1.16   255.255.255.248    192.168.1.16   0.0.0.7
16         192.168.1.16   255.255.255.240    192.168.1.16   0.0.0.15
32         192.168.1.0    255.255.255.224    192.168.1.0    0.0.0.31
64         192.168.1.128  255.255.255.192    192.168.1.128  0.0.0.63
128        192.168.1.0    255.255.255.128    192.168.1.0    0.0.0.127
256        192.168.1.0    255.255.255.0      192.168.1.0    0.0.0.255


Wildcard any

any = 0.0.0.0 255.255.255.255


Wildcard host

host 172.30.16.29 = 172.30.16.29 0.0.0.0
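The wildcard-mask arithmetic behind the two tables and the any/host shorthand, written out as an added Python example (not code from the slides). The addresses in the __main__ block are constructed samples, and expand_shorthand is a helper name chosen here.

```python
import ipaddress

# Added example (not from the slides): wildcard-mask arithmetic as the
# chapter defines it, a 1 bit means "ignore", a 0 bit means "check".

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def subnet_to_wildcard(mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask
    (255.255.255.224 -> 0.0.0.31, as in the chapter's table)."""
    return to_str(~to_int(mask))

def hosts_covered(wildcard: str) -> int:
    """Every ignored bit doubles the range: 0.0.0.31 covers 32 addresses.
    This also holds for non-contiguous wildcards such as 0.0.1.255 (512)."""
    return 1 << bin(to_int(wildcard)).count("1")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit the wildcard checks."""
    keep = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & keep) == (to_int(base) & keep)

def expand_shorthand(source: str):
    """Expand the 'any' and 'host' forms shown on the slides into an
    explicit address/wildcard pair: any -> 0.0.0.0 255.255.255.255,
    host 172.30.16.29 -> 172.30.16.29 0.0.0.0. A bare address with no
    wildcard is treated as a host, which is what IOS does."""
    parts = source.split()
    if parts[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1] if len(parts) > 1 else "0.0.0.0"

if __name__ == "__main__":
    # Constructed sample: a 32-host block in the style of the
    # "Common wildcard masks" table (subnet mask 255.255.255.224).
    print(subnet_to_wildcard("255.255.255.224"))                       # 0.0.0.31
    print(hosts_covered("0.0.0.31"))                                   # 32
    print(wildcard_match("192.168.1.37", "192.168.1.32", "0.0.0.31"))  # True
    print(wildcard_match("192.168.1.64", "192.168.1.32", "0.0.0.31"))  # False
```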


Verifying ACLs: show ip interface


Verifying ACLs: show access-lists


Verifying ACLs: show running-config


STANDARD ACLs


Standard ACLs: Overview


How does a standard ACL work?

[Flowchart: Is there a standard access list on this interface? Is this an IP packet? Does the source address match the ACL list entry? When it matches, the entry's permit or deny condition applies: permit routes the packet to the proper outbound interface, deny sends a "destination not found" message. When it does not match: is this the last entry in the ACL? If not, move to the next statement; if it is, the packet is denied.]


Standard ACL commands

Access list number: 1 to 99

Commands:

Router# show access-lists

Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

Router(config-if)# ip access-group access-list-number {in | out}


Standard IP Access List Example 1

• Permit my network only.


Standard IP Access List Example 2

• Deny a specific host.


Standard IP Access List Example 3

• Deny a specific subnet.


EXTENDED ACLs


Extended ACLs: Overview


How does an extended ACL work?

[Flowchart: Is there an ACL on this interface? Does the source address match the ACL list entry? Does the destination address match? Do the protocol and port match? When all of them match, the entry's permit or deny condition applies: permit routes the packet to the proper outbound interface, deny sends a "destination not found" message. Otherwise: is this the last entry in the ACL? If not, move to the next statement; if it is, the packet is denied.]


Extended ACL commands

Access list number: 100 to 199

Commands:

Router# show access-lists

Router(config)# access-list access-list-number {permit | deny} protocol source [source-mask destination destination-mask operator operand] [established]

Router(config-if)# ip access-group access-list-number {in | out}


Reserved port numbers



Extended Access List Example 1

• Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.

• Permit all other traffic.


Extended Access List Example 2

• Deny only Telnet from subnet 172.16.4.0 out of E0.

• Permit all other traffic.
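The two extended examples above state only the policy. As an added example (not the chapter's own configuration), the Python below parses extended ACL statements in the syntax given on the "Extended ACL commands" slide and evaluates packets against them top-down with the implicit deny, including the established keyword. ACL_101 is a constructed statement list mirroring Example 1, assuming FTP control connections on TCP port 21; the helper names are chosen here.

```python
import ipaddress

# Added example (not from the slides): evaluator for extended ACL lines of
# the form 'access-list N {permit|deny} protocol source source-wildcard
# destination destination-wildcard [eq port] [established]'.

def _match(addr, base, wildcard):
    """Wildcard compare: only bits where the wildcard bit is 0 are checked."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def _address(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_extended_acl(config):
    """Return the statements in the order written: IOS appends new lines
    at the end of a numbered list, so file order is evaluation order."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue                      # skip blank or unrelated lines
        action, proto = tok[2], tok[3]
        src, src_wc, rest = _address(tok[4:])
        dst, dst_wc, rest = _address(rest)
        port = int(rest[1]) if len(rest) > 1 and rest[0] == "eq" else None
        entries.append((action, proto, src, src_wc, dst, dst_wc, port,
                        "established" in rest))
    return entries

def evaluate_extended(entries, proto, src, dst, dport, ack=False):
    """Top-down, first match wins; falling off the end is the implicit deny.
    'established' matches only segments with ACK/RST set, i.e. replies."""
    for action, p, s, s_wc, d, d_wc, port, est in entries:
        if (p in ("ip", proto) and _match(src, s, s_wc) and _match(dst, d, d_wc)
                and (port is None or port == dport) and (not est or ack)):
            return action
    return "deny"

# Constructed ACL mirroring Extended Example 1 (FTP control = TCP port 21).
ACL_101 = """
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
"""
```

Calling evaluate_extended(parse_extended_acl(ACL_101), "tcp", "172.16.4.7", "172.16.3.9", 21) returns "deny", while the same packet to port 80 falls through to the permit ip any any line.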


Named ACLs: Overview

• Intuitively identify an ACL using an alphanumeric name.

• Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.

Considerations:

• IP named ACLs were introduced in Cisco IOS Software Release 11.2.

• Statements can only be inserted at the end of a list.

• You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.


Named ACL commands

Router(config)# ip access-list {standard | extended} name

Router(config{std- | ext-}nacl)# deny {source [source-wildcard] | any}

Router(config{std- | ext-}nacl)# permit {source [source-wildcard] | any}

Router(config-if)# ip access-group name {in | out}

Router# show access-lists


Named ACL examples


Basic Security: Cisco Router with Access List


Filtering vty Access to a Router

• Five virtual terminal lines (0 through 4).

• Filter addresses that can access into the router's vty ports.

• Filter vty access out from the router.


How to Control vty Access

• Set up an IP address filter with a standard access list statement.

• Use line configuration mode to filter access with the access-class command.

• Set identical restrictions on every vty.


vty Commands

Router(config)# line vty {vty# | vty-range}

• Enters configuration mode for a vty or vty range.

Router(config-line)# access-class access-list-number {in | out}

• Restricts incoming or outgoing vty connections for addresses in the access list.


Restricting virtual terminal access

[Figure: a router with its virtual ports (vty 0 through 4) and a physical port (FastEthernet0/0); the access-class command restricts the vty lines, not the physical interface.]