Access Control Lists

Institute of Technology,Sligo Dept of Computing

Access Control ListsAccess Control Lists

Semester 3, Chapter 6Semester 3, Chapter 6

Table of ContentsTable of Contents

ACLs OverviewACLs Overview

ACL Configuration TasksACL Configuration Tasks

Extended ACLsExtended ACLs

Other ACL BasicsOther ACL Basics


ACLs OverviewACLs Overview

What Are ACLs?What Are ACLs?An ACL is a list of instructions that tells a router what An ACL is a list of instructions that tells a router what type of packets to permit or deny.type of packets to permit or deny. You must configure an ACL before a router will deny packets. You must configure an ACL before a router will deny packets.

Otherwise, the router will accept and forward all packets as long Otherwise, the router will accept and forward all packets as long as the link is up.as the link is up.

You can permit or deny packets based upon such thing as:You can permit or deny packets based upon such thing as: Source addressSource address Destination addressDestination address Upper Layer protocols (e.g. TCP & UDP port numbers)Upper Layer protocols (e.g. TCP & UDP port numbers)

ACLs can be written for all supported routed protocols. ACLs can be written for all supported routed protocols. However, each routed protocol configured on an interface would However, each routed protocol configured on an interface would need a different ACL to filter traffic.need a different ACL to filter traffic.

Testing Packets with ACLsTesting Packets with ACLsTo determine whether a packet is to be permitted or To determine whether a packet is to be permitted or denied, it is tested against the ACL statements denied, it is tested against the ACL statements in sequential in sequential orderorder.. When a statement “matches,” no more statements are evaluated. When a statement “matches,” no more statements are evaluated.

The packet is either permitted or denied.The packet is either permitted or denied.

There is an implicit “deny any” statement at the end of the There is an implicit “deny any” statement at the end of the ACLACL If a packet does not match any of the statements in the ACL, it is If a packet does not match any of the statements in the ACL, it is

dropped.dropped.

ACLs are created in real-time. This means you cannot ACLs are created in real-time. This means you cannot return later and update an ACL. It must be completely return later and update an ACL. It must be completely rewritten.rewritten. It is a good idea to use a text editor to write an ACL instead of It is a good idea to use a text editor to write an ACL instead of

configuring it directly on the router. That way, changes and configuring it directly on the router. That way, changes and corrections can be made before you “Paste to Host” in HyperTerm.corrections can be made before you “Paste to Host” in HyperTerm.

How a Router Uses an ACL How a Router Uses an ACL (outbound)(outbound)

Check to see if packet is routable. If so, look up Check to see if packet is routable. If so, look up route in routing tableroute in routing tableCheck for an ACL for the outbound interfaceCheck for an ACL for the outbound interfaceIf no ACL, switch the packet out the destination If no ACL, switch the packet out the destination interfaceinterfaceIf an ACL, check the packet against the ACL If an ACL, check the packet against the ACL statements sequentially--denying or permitting statements sequentially--denying or permitting based on a matched condition.based on a matched condition.If no statement matches, what happens?If no statement matches, what happens?

Outbound Standard ACL Outbound Standard ACL ProcessProcess

Outgoing PacketDo route

table lookupACL on

interface?

Does source address match?

Next entry in list

More entries? Apply

condition

PermitDeny

No

No

No

YesYes

Yes

ICMP Message Forward Packet


ACL Configuration TasksACL Configuration Tasks

Write the ACL statements sequentially in Write the ACL statements sequentially in global configuration mode.global configuration mode.Router(config)#Router(config)#access-list access-list access-list-access-list-numbernumber {permit/deny} {permit/deny} {test-conditions}{test-conditions}

Lab-D(config)#access-list 1 deny Lab-D(config)#access-list 1 deny 192.5.5.10 0.0.0.0192.5.5.10 0.0.0.0

Group the ACL to one or more interfaces in Group the ACL to one or more interfaces in interface configuration mode.interface configuration mode.Router(config-if)#{protocol} Router(config-if)#{protocol} access-groupaccess-group access-list-number access-list-number {in/out}{in/out}

Lab-D(config-if)#ip access-group 1 outLab-D(config-if)#ip access-group 1 out

Two Basic Tasks Two Basic Tasks (Standard ACL)(Standard ACL)

The The access-list-numberaccess-list-number parameterparameter

ACLs come in many types. The ACLs come in many types. The access-list-access-list-numbernumber specifies what types. specifies what types.

The table below shows common access list types.The table below shows common access list types.

ACL TypeACL Type ACL NumberACL Number

IP StandardIP Standard 1 to 991 to 99

IP ExtendedIP Extended 100 to 199100 to 199

AppleTalkAppleTalk 600 to 699600 to 699

IPX IPX StandardStandard

800 to 899800 to 899

IPX IPX ExtendedExtended

900 to 999900 to 999

IPX SAPIPX SAP 1000 to 10991000 to 1099

Router(config)#access-list access-list-number {permit/deny}{test-conditions}

The The permit/denypermit/deny parameter parameter After you’ve typed After you’ve typed access-listaccess-list and chosen and chosen

the correct the correct access-list-numberaccess-list-number, you type , you type either either permitpermit or or denydeny depending on the depending on the action you wish to take.action you wish to take.

Permit Deny

ICMP MessageForward Packet


The The {test-conditions}{test-conditions} parameterparameter

In the {test conditions} portion of the ACL, you will specify various In the {test conditions} portion of the ACL, you will specify various parameters depending on the type of access list.parameters depending on the type of access list.

Common to most access lists is the source address’ ip mask and Common to most access lists is the source address’ ip mask and wildcard mask.wildcard mask.

The source address can be a subnet, a range of addresses, or a The source address can be a subnet, a range of addresses, or a single host. It is also referred to as the ip mask because the single host. It is also referred to as the ip mask because the wildcard mask uses the source address to check bits.wildcard mask uses the source address to check bits.

The wildcard mask tells the router what bits to check. We will The wildcard mask tells the router what bits to check. We will spend some time now learning its function.spend some time now learning its function.


Lab-A(config)#access-list 1 deny 192.5.5.10 0.0.0.0

ip mask wildcardmask

The Wildcard MaskThe Wildcard Mask A wildcard mask is written to tell the router what bits in A wildcard mask is written to tell the router what bits in

the address to match and what bits to ignore.the address to match and what bits to ignore. A “0” bit means means check this bit position. A “1” A “0” bit means means check this bit position. A “1”

means ignore this bit position. This is completely means ignore this bit position. This is completely different than the ANDing process we studied in different than the ANDing process we studied in Semester 1.Semester 1.

Our previous example of 192.5.5.10 0.0.0.0 can be Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:rewritten in binary as:

11000000.00000101.00000101.00001010 (Source address)11000000.00000101.00000101.00001010 (Source address)00000000.00000000.00000000.00000000 (Wildcard mask)00000000.00000000.00000000.00000000 (Wildcard mask)

What do all the bits turned off in the wildcard mask tellWhat do all the bits turned off in the wildcard mask tell the router?the router?

The Wildcard MaskThe Wildcard Mask This table from the curriculum may help:This table from the curriculum may help:

Masking PracticeMasking Practice On the next several slides, we will practice making On the next several slides, we will practice making

wildcard masks to fit specific guidelines. Don’t worry wildcard masks to fit specific guidelines. Don’t worry if you don’t get it right away. Like subnetting, wildcard if you don’t get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to masking is a difficult concept that takes practice to master.master.

Write an ip mask and wildcard mask to check for all Write an ip mask and wildcard mask to check for all hosts on the network: 192.5.5.0 255.255.255.0hosts on the network: 192.5.5.0 255.255.255.0

Answer: 192.5.5.0 0.0.0.255Answer: 192.5.5.0 0.0.0.255 Notice that this wildcard mask is a mirror image of the default Notice that this wildcard mask is a mirror image of the default

subnet mask for a Class C address.subnet mask for a Class C address. WARNINGWARNING: This is a helpful rule only when looking at whole : This is a helpful rule only when looking at whole

networks or subnets.networks or subnets.

Masking PracticeMasking Practice Write an ip mask and wildcard mask to check for all Write an ip mask and wildcard mask to check for all

hosts in the subnet: 192.5.5.32 255.255.255.224hosts in the subnet: 192.5.5.32 255.255.255.224 If you answered 192.5.5.32 0.0.0.31 YOU’RE RIGHT!!If you answered 192.5.5.32 0.0.0.31 YOU’RE RIGHT!! 0.0.0.31 is the mirror image of 255.255.255.2240.0.0.31 is the mirror image of 255.255.255.224 Let’s look at both in binary:Let’s look at both in binary:

11111111.11111111.11111111.11111111111.11111111.11111111.11100000 (255.255.255.224)00000 (255.255.255.224) 00000000.00000000.00000000.00000000000.00000000.00000000.0001111111111 (0.0.0.31) (0.0.0.31)

To prove this wildcard mask will work, let’s look at a host To prove this wildcard mask will work, let’s look at a host address within the .32 subnet--192.5.5.55address within the .32 subnet--192.5.5.55

11000000.00000101.00000101.00111000000.00000101.00000101.00110111 (192.5.5.55) host 10111 (192.5.5.55) host addressaddress

11000000.00000101.00000101.00111000000.00000101.00000101.00100000 (192.5.5.32) ip mask00000 (192.5.5.32) ip mask 00000000.00000000.00000000.00000000000.00000000.00000000.0001111111111 (0.0.0.31) wildcard (0.0.0.31) wildcard

maskmask

Masking PracticeMasking Practice Notice in the previous example (repeated below), some Notice in the previous example (repeated below), some

bits were colored blue. These bits are the bits that must bits were colored blue. These bits are the bits that must match.match.

11000000.00000101.00000101.00111000000.00000101.00000101.00110111 (192.5.5.55) host address10111 (192.5.5.55) host address 11000000.00000101.00000101.00111000000.00000101.00000101.00100000 (192.5.5.32) ip mask00000 (192.5.5.32) ip mask 00000000.00000000.00000000.00000000000.00000000.00000000.0001111111111 (0.0.0.31) wildcard mask (0.0.0.31) wildcard mask

Remember: a “0” bit in the wildcard mask means check the bit; a Remember: a “0” bit in the wildcard mask means check the bit; a “1” bit in the wildcard mask means ignore.“1” bit in the wildcard mask means ignore.

The “0”s must match between the address of the packet The “0”s must match between the address of the packet (192.5.5.55) being filtered and the ip mask configured in the (192.5.5.55) being filtered and the ip mask configured in the access list (192.5.5.32)access list (192.5.5.32)

Write an ip mask and wildcard mask for the subnet Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192?192.5.5.64 with a subnet mask of 255.255.255.192?

Answer: 192.5.5.64 0.0.0.63Answer: 192.5.5.64 0.0.0.63

Masking PracticeMasking Practice Write an ip mask and wildcard mask for the subnet Write an ip mask and wildcard mask for the subnet

172.16.128.0 with a subnet mask of 255.255.128.0?172.16.128.0 with a subnet mask of 255.255.128.0? Answer: 172.16.128.0 0.0.127.255Answer: 172.16.128.0 0.0.127.255


Answer: 172.16.16.0 0.0.3.255Answer: 172.16.16.0 0.0.3.255


Answer: 10.0.8.0 0.0.7.255Answer: 10.0.8.0 0.0.7.255

By now, you should have the hang of ip mask and By now, you should have the hang of ip mask and wildcard masks when dealing with a subnet. If not, go wildcard masks when dealing with a subnet. If not, go back & review.back & review.

Masking a Host RangeMasking a Host Range Masking will not be so easy during the “Hands On” Masking will not be so easy during the “Hands On”

final. You’ll need to be able to deny a portion of a final. You’ll need to be able to deny a portion of a subnet while permitting another.subnet while permitting another.

To mask a range of host within a subnet, it is often To mask a range of host within a subnet, it is often necessary to work on the binary level.necessary to work on the binary level.

For example, students use the range 192.5.5.0 to For example, students use the range 192.5.5.0 to 192.5.5.127 and teachers use the range 192.5.5.127 and teachers use the range 192.5.5.128 to 192.5.5.255. Both groups are on 192.5.5.128 to 192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0network 192.5.5.0 255.255.255.0

How do you write an ip mask and wildcard mask to How do you write an ip mask and wildcard mask to deny one group, yet permit another?deny one group, yet permit another?

Masking a Host RangeMasking a Host Range Let’s write the masks for the students.Let’s write the masks for the students.

First, write on the first and last host address in binary. Since First, write on the first and last host address in binary. Since the first 3 octets are identical, we can skip those. All their the first 3 octets are identical, we can skip those. All their bits must be “0”bits must be “0”

First Host’s 4th octet: 00000000First Host’s 4th octet: 00000000 Last Host’s 4th octet: 01111111Last Host’s 4th octet: 01111111

Second, look for the leading bits that are shared by both (in Second, look for the leading bits that are shared by both (in blue below)blue below)

0000000000000000 0011111111111111 These “bits in common” are to be checked just like the common These “bits in common” are to be checked just like the common

bits in the 192.5.5 portion of the addresses.bits in the 192.5.5 portion of the addresses.

Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

Masking a Host RangeMasking a Host Range Third, add up the decimal value of the “1” bits in the last Third, add up the decimal value of the “1” bits in the last

host’s address (127)host’s address (127) Finally, determine the ip mask and wildcard maskFinally, determine the ip mask and wildcard mask

The ip mask can be any host address in the range, but The ip mask can be any host address in the range, but convention says use the first oneconvention says use the first one

The wildcard mask is all “0”s for the common bitsThe wildcard mask is all “0”s for the common bits 192.5.5.0 0.0.0.127192.5.5.0 0.0.0.127

What about the teachers? What would be their ip What about the teachers? What would be their ip mask and wildcard mask?mask and wildcard mask?

192.5.5.128 (192.5.5.128 (110000000) to 192.5.5.255 (0000000) to 192.5.5.255 (111111111)1111111) Answer: 192.5.5.128 0.0.0.127Answer: 192.5.5.128 0.0.0.127 Notice anything? What stayed the same? changed?Notice anything? What stayed the same? changed?

Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

Time Savers: the Time Savers: the anyany command command Since ACLs have an implicit “deny any” statement at the Since ACLs have an implicit “deny any” statement at the

end, you must write statements to permit others through.end, you must write statements to permit others through. Using our previous example, if the students are denied Using our previous example, if the students are denied

access and all others are allowed, you would write two access and all others are allowed, you would write two statements:statements:

Lab-A(config)#access-list 1 deny 192.5.5.0 Lab-A(config)#access-list 1 deny 192.5.5.0 0.0.0.1270.0.0.127

Lab-A(config)#access-list 1 permit 0.0.0.0 Lab-A(config)#access-list 1 permit 0.0.0.0 255.255.255.255 255.255.255.255

Since the last statement is commonly used to override the Since the last statement is commonly used to override the “deny any,” Cisco gives you an option--the “deny any,” Cisco gives you an option--the anyany command:command:

Lab-A(config)#access-list 1 permit anyLab-A(config)#access-list 1 permit any

Time Savers: the Time Savers: the hosthost commandcommand

Many times, a network administrator will need Many times, a network administrator will need to write an ACL to permit a particular host (or to write an ACL to permit a particular host (or deny a host). The statement can be written in deny a host). The statement can be written in two ways. Either...two ways. Either...

Lab-A(config)#access-list 1 permit Lab-A(config)#access-list 1 permit 192.5.5.10 0.0.0.0192.5.5.10 0.0.0.0

or...or... Lab-A(config)#access-list 1 permit Lab-A(config)#access-list 1 permit host 192.5.5.10host 192.5.5.10

Correct Placement of Standard Correct Placement of Standard ACLsACLs

Standard ACLs do not have a destination Standard ACLs do not have a destination parameter. Therefore, you place standard ACLs as parameter. Therefore, you place standard ACLs as close to the destination as possible.close to the destination as possible.

To see why, ask yourself what would happen to To see why, ask yourself what would happen to allall ip traffic if you placed a “deny 192.5.5.0 0.0.0.255” ip traffic if you placed a “deny 192.5.5.0 0.0.0.255” statement on Lab-A’s E0?statement on Lab-A’s E0?


Extended ACLsExtended ACLs

Extended ACL OverviewExtended ACL Overview Extended ACLs are numbered from 100 - 199 and Extended ACLs are numbered from 100 - 199 and

“extend” the capabilities of the standard ACL.“extend” the capabilities of the standard ACL. Extensions include the ability to filter traffic based on...Extensions include the ability to filter traffic based on...

destination addressdestination address portions of the ip protocolportions of the ip protocol

You can write statements to deny only protocols such as “icmp” or You can write statements to deny only protocols such as “icmp” or routing protocols like “rip” and “igrp”routing protocols like “rip” and “igrp”

upper layers of the TCP/IP protocol suiteupper layers of the TCP/IP protocol suite You can write statements to deny only protocols such as “tftp” or You can write statements to deny only protocols such as “tftp” or

“http”“http” You can use an operand like eq, gt, lt, and neg (equal to, greater You can use an operand like eq, gt, lt, and neg (equal to, greater

than, less than, and not equal to) to specify how to handle a particular than, less than, and not equal to) to specify how to handle a particular protocol.protocol.

For example, if you wanted an access list to permit all traffic except For example, if you wanted an access list to permit all traffic except http access, you would use http access, you would use permit ip any any permit ip any any neg 80neg 80

Write the ACL statements sequentially in global Write the ACL statements sequentially in global configuration mode.configuration mode.

Router(config)# Router(config)# access-listaccess-list access-list-numberaccess-list-number {permit|deny}{permit|deny} { {protocol|protocol-keywordprotocol|protocol-keyword}{}{source source source-wildcardsource-wildcard} {} {destination destination-wildcarddestination destination-wildcard} } [[protocol-specific optionsprotocol-specific options] [] [loglog]]

Lab-A(config)#access-list 101 deny tcp 192.5.5.0 Lab-A(config)#access-list 101 deny tcp 192.5.5.0 0.0.0.255 210.93.105.0 0.0.0.255 eq telnet log0.0.0.255 210.93.105.0 0.0.0.255 eq telnet log

Group the ACL to one or more interfaces in Group the ACL to one or more interfaces in interface configuration mode (same command interface configuration mode (same command syntax as standard)syntax as standard)

Router(config-if)#{Router(config-if)#{protocolprotocol} } access-groupaccess-group access-access-list-numberlist-number {in/out}{in/out}

Lab-A(config-if)#ip access-group 101 outLab-A(config-if)#ip access-group 101 out

Two Basic Tasks Two Basic Tasks (Extended ACL)(Extended ACL)

The Extended ParametersThe Extended Parameters access-list-numberaccess-list-number

choose from the range 100 to 199choose from the range 100 to 199 {{protocol | protocol-numberprotocol | protocol-number}}

For the CCNA, you only need to knowFor the CCNA, you only need to know ip ip and and tcptcp--many more --many more are availableare available

{{source source-wildcardsource source-wildcard}} same as in standardsame as in standard

{{destination destination-wildcarddestination destination-wildcard}} formatted like the standard, but specifies the destinationformatted like the standard, but specifies the destination

[[protocol-specific optionsprotocol-specific options]] This parameter is used to specify particular parts of a protocol This parameter is used to specify particular parts of a protocol

that needs filtering.that needs filtering.

Port NumbersPort Numbers Review the various port numbers for the tcp and udp Review the various port numbers for the tcp and udp

protocols and know the most common ones below.protocols and know the most common ones below. You can also simply type the name (You can also simply type the name (telnettelnet) instead of ) instead of

the number (the number (2323) in the ) in the {{protocol-specific optionsprotocol-specific options}}

Port NumberPort Number DescriptionDescription

2121 FTPFTP

2323 TelnetTelnet

2525 SMTPSMTP

5353 DNSDNS

6969 TFTPTFTP

Correct Placement of Extended Correct Placement of Extended ACLsACLs

Since extended ACLs have destination information, you Since extended ACLs have destination information, you want to place it as close to the source as possible.want to place it as close to the source as possible.

Place an extended ACL on the first router interface the Place an extended ACL on the first router interface the packet enters and specify inbound in thepacket enters and specify inbound in the access-group access-group command.command.

Correct Placement of Extended ACLsCorrect Placement of Extended ACLs In the graphic below, we want to deny network 221.23.123.0 In the graphic below, we want to deny network 221.23.123.0

from accessing the server 198.150.13.34.from accessing the server 198.150.13.34. What router and interface should the access list be applied to?What router and interface should the access list be applied to?

Write the access list on Router C, apply it to the E0, and specify inWrite the access list on Router C, apply it to the E0, and specify in This will keep the network free of traffic from 221.23.123.0 destined for This will keep the network free of traffic from 221.23.123.0 destined for

198.150.13.34 but still allow 221.23.123.0 access to the Internet198.150.13.34 but still allow 221.23.123.0 access to the Internet

Writing & Applying the ACLWriting & Applying the ACLRouter-C(config)#access-list 100 deny ip Router-C(config)#access-list 100 deny ip 221.23.123.0 0.0.0.255 198.150.13.34 0.0.0.0221.23.123.0 0.0.0.255 198.150.13.34 0.0.0.0

Router-C(config)#access-list 100 permit ip any anyRouter-C(config)#access-list 100 permit ip any any

Router-C(config)#int e0Router-C(config)#int e0

Router-C(config-if)#ip access-group 100 inRouter-C(config-if)#ip access-group 100 in


Other ACL BasicsOther ACL Basics

Naming ACLsNaming ACLs

One nice feature in the Cisco IOS is the ability to name One nice feature in the Cisco IOS is the ability to name ACLs. This is especially helpful if you need more than 99 ACLs. This is especially helpful if you need more than 99 standard ACLs on the same router.standard ACLs on the same router.

Once you name an ACL, the prompt changes and you no Once you name an ACL, the prompt changes and you no longer have to enter the longer have to enter the access-listaccess-list and and access-list-access-list-numbernumber parameters. parameters.

In the example below, the ACL is named In the example below, the ACL is named over_andover_and as a hint as a hint to how it should be placed on the interface--to how it should be placed on the interface--outout

Lab-A(config)# ip access-list standard over_and

Lab-A(config-std-nacl)#deny host 192.5.5.10

.........

Lab-A(config-if)#ip access-group over_and out

Verifying ACLsVerifying ACLs Show commands:Show commands:

show access-listsshow access-lists shows all access-lists configured on the routershows all access-lists configured on the router

show access-lists {show access-lists {name | numbername | number}} shows the identified access listshows the identified access list

show ip interfaceshow ip interface shows the access-lists applied to the interface--both shows the access-lists applied to the interface--both

inbound and outbound.inbound and outbound. show running-configshow running-config

shows all access lists and what interfaces they are shows all access lists and what interfaces they are applied onapplied on

Documents

Access Control Lists