Filtering Traffic Using Access Control Lists
Introducing Routing and Switching in the Enterprise – Chapter 8
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. Version 4.0


Objectives

- Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
- Analyze the use of wildcard masks.
- Configure and implement ACLs.
- Create and apply ACLs to control specific types of traffic.
- Log ACL activity and integrate ACL best practices.

Describe Traffic Filtering

- Analyze the contents of a packet
- Allow or block the packet
- Based on source IP, destination IP, MAC address, protocol, application type

Describe Traffic Filtering

Devices providing traffic filtering:
- Firewalls built into integrated routers
- Dedicated security appliances
- Servers

Describe Traffic Filtering

Uses for ACLs:
- Specify internal hosts for NAT
- Classify traffic for QoS
- Restrict routing updates, limit debug outputs, control virtual terminal access

Describe Traffic Filtering

Possible issues with ACLs:
- Increased load on the router
- Possible network disruption
- Unintended consequences from incorrect placement

Describe Traffic Filtering

- Standard ACLs filter based on source IP address
- Extended ACLs filter on source and destination, as well as protocol and port number
- Named ACLs can be either standard or extended

Describe Traffic Filtering

- ACLs consist of statements
- At least one statement must be a permit statement (otherwise the implicit deny at the end blocks all traffic)
- The final statement is an implicit deny
- An ACL must be applied to an interface in order to work

Describe Traffic Filtering

- An ACL is applied inbound or outbound
- Direction is from the router's perspective
- Each interface can have one ACL per direction for each network protocol

Analyze the Use of Wildcard Masks

- A wildcard mask can block a range of addresses or a whole network with one statement
- 0s indicate which part of an IP address must match the ACL
- 1s indicate which part does not have to match specifically

Analyze the Use of Wildcard Masks

- Use the host parameter in place of a 0.0.0.0 wildcard
- Use the any parameter in place of a 255.255.255.255 wildcard

Configure and Implement Access Control Lists

- Determine traffic filtering requirements
- Decide which type of ACL to use
- Determine the router and interface on which to apply the ACL
- Determine in which direction to filter traffic

Configure and Implement Access Control Lists: Numbered Standard ACL

- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 1-99, 1300-1999
- Apply as close to the destination as possible

Configure and Implement Access Control Lists: Numbered Extended ACL

- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 100-199, 2000-2699
- Specify a protocol to permit or deny
- Place as close to the source as possible

Configure and Implement Access Control Lists: Named ACLs

- A descriptive name replaces the number range
- Use the ip access-list command to enter the initial statement
- Start succeeding statements with either permit or deny
- Apply in the same way as a standard or extended ACL

Configure and Implement Access Control Lists: VTY Access

- Create the ACL in line configuration mode
- Use the access-class command to initiate the ACL
- Use a numbered ACL
- Apply identical restrictions to all VTY lines

Create and Apply ACLs to Control Specific Types of Traffic

- Use a specified condition when filtering on port numbers: eq, lt, gt
- Deny all appropriate ports for multi-port applications like FTP
- Use the range operator to filter a group of ports
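The matching rules the slides state (wildcard masks, the host and any shorthands, the standard and extended number ranges, the eq/lt/gt/range port operators, first-match evaluation and the implicit deny) can be checked against a small evaluator. The following is an added example written for this page, not Cisco code and not part of the course; the ACL statements and packets it contains are constructed samples, and it deliberately covers only the ip, tcp and udp protocols with the syntax shown on these slides.

```python
"""Miniature evaluator for IOS-style numbered ACL statements (added example, not Cisco code).
Models the rules the slides state: wildcard masks (0 bits must match, 1 bits need not), the
host/any shorthands, eq/lt/gt/range port operators, the standard and extended number ranges,
first-match evaluation and the implicit deny at the end of every list."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what the `any` keyword expands to
# src/dst are (base address, wildcard); *_port is (operator, low, high) or None for no port test
Entry = namedtuple("Entry", "action proto src dst src_port dst_port log")
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must equal the base; bits where it is 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0

def _parse_address(t: List[str], i: int):
    """Consume `host A`, `any` or `A W`; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t: List[str], i: int):
    """Consume an optional eq/lt/gt/range clause; return (clause or None, next index)."""
    if i < len(t) and t[i] in ("eq", "lt", "gt"):
        return (t[i], int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_statement(line: str) -> Tuple[int, Entry]:
    """Parse one `access-list N permit|deny ...` line into (ACL number, Entry)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: filters on source only
        src, i = _parse_address(t, 3)
        return number, Entry(action, "ip", src, ANY, None, None, "log" in t[i:])
    if 100 <= number <= 199 or 2000 <= number <= 2699:    # extended: protocol, src, dst, ports
        src, i = _parse_address(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_address(t, i)
        dport, i = _parse_port(t, i)
        return number, Entry(action, t[3], src, dst, sport, dport, "log" in t[i:])
    raise ValueError(f"{number} is not a standard or extended ACL number")

def _port_match(clause, port: int) -> bool:
    if clause is None:
        return True
    op, lo, hi = clause
    return {"eq": port == lo, "lt": port < lo, "gt": port > lo, "range": lo <= port <= hi}[op]

class AccessList:
    def __init__(self, statements: List[str]):
        self.number, self.entries = None, []
        for line in statements:
            number, entry = parse_statement(line)
            if self.number not in (None, number):
                raise ValueError("every statement of one ACL must use the same number")
            self.number = number
            self.entries.append(entry)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching entry wins; ("deny", None) means the implicit deny at the end fired."""
        for idx, e in enumerate(self.entries):
            if e.proto not in ("ip", pkt.proto):
                continue
            if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
                continue
            if _port_match(e.src_port, pkt.sport) and _port_match(e.dst_port, pkt.dport):
                return e.action, idx
        return "deny", None

# Constructed sample: log and drop telnet, then permit web, FTP and one host's DNS lookups
ACL_101 = AccessList([
    "access-list 101 deny tcp any any eq 23 log",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any range 20 21",
    "access-list 101 permit udp host 192.168.1.10 any eq 53",
])
```

Evaluating a packet from 192.168.2.5 to port 80 against ACL_101 returns ("deny", None): no statement matches, so the implicit deny applies even though the list contains permits. Walking candidate packets through `evaluate` this way is the "examine every ACL one line at a time" check the later slides recommend, done before the list is applied to an interface.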

Create and Apply ACLs to Control Specific Types of Traffic

- Block harmful external traffic while allowing internal users free access
- Ping: allow echo replies while denying echo requests from outside the network
- Stateful Packet Inspection

Create and Apply ACLs to Control Specific Types of Traffic

- Account for NAT when creating and applying ACLs to a NAT interface
- Filter public addresses on a NAT outside interface
- Filter private addresses on a NAT inside interface

Create and Apply ACLs to Control Specific Types of Traffic

- Examine every ACL one line at a time to avoid unintended consequences

Create and Apply ACLs to Control Specific Types of Traffic

- Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

Log ACL Activity and ACL Best Practices

- Logging provides additional details on packets denied or permitted
- Add the log option to the end of each ACL statement to be tracked

Log ACL Activity and ACL Best Practices

Syslog messages:
- Status of router interfaces
- ACL messages
- Bandwidth, protocols in use, configuration events
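The log option produces syslog messages that are only useful if someone reads them, and on a busy list they arrive as one message per matching flow plus periodic packet counts. The following is an added example, not Cisco code or course material, that parses such messages and totals denied packets per source and per probed service; the log lines are constructed samples written in the shape of IOS IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGS messages (that message layout is assumed from IOS behaviour, the slides do not show it).

```python
"""Parse and summarise ACL log messages (added example, not Cisco code or course material).
The sample lines below are constructed in the shape of IOS %SEC-6-IPACCESSLOG* syslog
messages produced by ACL statements carrying the `log` keyword; each message reports how
many packets an entry matched since the previous report for that flow."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Extended-ACL messages: IPACCESSLOGP (tcp/udp), IPACCESSLOGDP (icmp), IPACCESSLOGNP (others)
EXTENDED_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)
# Standard-ACL messages carry only the source address, matching what a standard ACL filters on
STANDARD_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<src>\d+(?:\.\d+){3}) (?P<count>\d+) packets?"
)

def parse_acl_log(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ACL log message, or None for any other syslog line."""
    m = EXTENDED_RE.search(line) or STANDARD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec.get(k) else None
    rec.setdefault("proto", "ip")    # standard ACLs do not log a protocol
    rec.setdefault("dst", None)      # nor a destination
    return rec

def denied_by_source(lines: List[str]) -> Counter:
    """Total denied packets per (ACL, source address), summing the per-message counts."""
    totals = Counter()
    for rec in filter(None, map(parse_acl_log, lines)):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return totals

def denied_services(lines: List[str]) -> Counter:
    """Denied tcp/udp packets per (destination, destination port): which services are being probed."""
    totals = Counter()
    for rec in filter(None, map(parse_acl_log, lines)):
        if rec["action"] == "denied" and rec["dport"] is not None:
            totals[(rec["dst"], rec["dport"])] += rec["count"]
    return totals

def noisy_sources(lines: List[str], threshold: int = 10):
    """Sources whose denied-packet total exceeds the threshold, most active first."""
    return [(acl, src, n) for (acl, src), n in denied_by_source(lines).most_common() if n > threshold]

# Constructed sample log (a router's buffered syslog, with one unrelated message mixed in)
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3145) -> 192.168.1.10(23), 1 packet
*Mar  1 00:12:40.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3146) -> 192.168.1.11(23), 1 packet
*Mar  1 00:13:02.220: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.5 -> 192.168.1.10 (8/0), 1 packet
*Mar  1 00:17:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3145) -> 192.168.1.10(23), 14 packets
*Mar  1 00:18:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.5(50211) -> 203.0.113.7(80), 1 packet
*Mar  1 00:18:05.000: %SEC-6-IPACCESSLOGS: list 10 denied 10.1.1.9 1 packet
*Mar  1 00:18:06.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.5)
""".splitlines()

if __name__ == "__main__":
    print(denied_by_source(SAMPLE_LOG))
    print(denied_services(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))
```

The summaries add the per-message counts rather than counting lines, because a single later message ("14 packets") can represent far more traffic than the earlier one-packet messages for the same flow. The threshold in `noisy_sources` is a constructed value; what counts as noisy depends on the link and on what the list is expected to drop.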

Log ACL Activity and ACL Best Practices

- Always test basic connectivity before applying ACLs
- Add deny ip any to the end of an ACL when logging, so that packets the implicit deny would silently drop are logged and counted
- Use reload in 30 when testing ACLs on remote routers, so that a mistake that locks you out is undone when the router reloads its saved configuration

Summary

- ACLs enable traffic management and secure access to and from a network and its resources
- Apply an ACL to filter inbound or outbound traffic
- ACLs can be standard, extended, or named
- Using a wildcard mask provides flexibility
- There is an implicit deny statement at the end of an ACL
- Account for NAT when creating and applying ACLs
- Logging provides additional details on filtered traffic
