Access Control Lists (ACLs).ppt

CCNA2 Routing

Perrine modified by Brierley Page 105/04/23

Module 11Access Control

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11Access Control

172.16.2.0 172.16.4.0

e0 e1

s0172.16.4.3

Computer

Computer

172.16.3.2

172.16.2.2

172.16.3.1

s1

172.16.3.0

172.16.4.2

Server

CCNA2 Routing


Module 11

A HIGH LEVEL VIEW of ACLs

High Level View

CCNA2 Routing


Module 11

Access Control Lists

Standard

Extended

CCNA2 Routing


Module 11

• Standard:

• Interface Fa 0/0/0• ip access-group 1 out

• access-list 1 deny 172.16.4.13 0.0.0.0• access-list 1 permit any

• ________________________________________________________________

• Extended:

• Interface Fa 0/0/0• ip access-group 101 in

• access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www• access-list 101 permit ip any any

High Level View

CCNA2 Routing


Module 11Standard Access Control Lists

ACLs are instructions that are applied to a router interfaces.

The ACLs describe the kind of packets that are to be permitted or denied.

Permitted or Denial testing can be based on:

• source address

• destination address

• port number

ACLs are configured on the router Interfaces to control access to a network. ACLs must be defined separately for each protocol; Unique for IP, Unique for IPX; Unique for AppleTalk, etc.

Some times ACLs are called packet filters.

CCNA2 Routing


Module 11Standard Access Control Lists

CCNA2 Routing


Module 11Extended ACLs

CCNA2 Routing


Module 11Named ACLs

CCNA2 Routing


Module 11

• Standard ACLs should be placed close to the destination.• Extended ACLs should be placed close to the source.

Placing ACLs

CCNA2 Routing


Module 11

A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.

Firewalls

CCNA2 Routing


Module 11Restricting Virtual Terminal Access

CCNA2 Routing


Module 11Summary

CCNA2 Routing


Module 11

Reasons to create ACLs:

• limit network traffic - hence increase network performance

• provide traffic flow - limit traffic through the network

• provide for security• ACLs establish

•which traffic is blocked

•which traffic is not blocked

ACL - Access Control Lists

CCNA2 Routing


Module 11

A MORE DETAILED VIEW of ACLs

DETAIL

CCNA2 Routing


Module 11

Cisco IOS checks each packet for:1. destination address2. source address3. protocol4. port number

Each ACL statement is checked in a sequential order (first to last) and when there is a match, no more statements are checked.

If the results are no matches, then the packet (by default) is discarded.

Adding addition ACL statements to the end of an existing list is just a matter of adding the new statement. BUT, if

deleting an existing ACL statement causes the entire access list to be deleted.


access-list 1 deny 192.169.1.0 0.0.255.255access-list 1 deny 192.168.1.9 0.0.0.0access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any

CCNA2 Routing


Module 11

When a packet enters a router’s interface: “IN” (inbound) checking is required. The packet:

1) Is checked against the ACL list (if one exists)

2) Here It can be interrogated to permit or deny.

3) If denied the packet is dropped else,

4) It is matched against the routing table and passed to an “OUT” (outbound interface)


“OUT” (outbound) checking is required.1) Here It can be interrogated to permit or deny.

2) If denied the packet is dropped3) If permitted then packet is allowed “OUT” (outbound).

The Outbound interface’s ACL is a different list from the inbound)

CCNA2 Routing


Module 11

ACL statements operate in a logical, sequential order. When a match is made the rest of the statements are not checked. If none the ACL statements match, then there is an implicit deny any rule.

access-list 10 { permit | deny } { test conditions }

access-list 1 deny 192.169.1.0 0.0.255.255access-list 1 deny 192.168.1.9 0.0.0.0access-list 1 deny 172.16.4.0 0.0.0.255

access-list 1 permit any




access-list 10 deny anyaccess-list 10 deny any


CCNA2 Routing


Module 11

Two types of IP ACL :• standard - has access list value of 1- 99• extended - has access list value of 100 - 199

Must be configured in global configuration mode. Router (config) #

Steps in creating ACLs:1) create the ACL (in config mode)2) apply the ACL to an interface

ACLs are used to filter:• inbound traffic, or• outbound traffic


CCNA2 Routing


Module 11Where to place ACLs

Standard ACLs are place as close as possible to the destination.

Extended ACLs are place as close as possible to the source.

CCNA2 Routing


Module 11

Configuring an Access List:Router(config)# access-list <ACL number> { permit | deny } { test conditions }Router(config)# access-list 1 permit { test conditions }Router(config)# access-list 50 deny { test conditions }

To delete all ACL statements of an access-listRouter(config)# no access-list <ACL number>

Applying the Access List:At an interface:

Router(config)# int E0

Router(config-if)# { protocol } access-group <ACL number> [IN | OUT]Out is the default if not mentioned

Router(config-if)# ip access-group 1Router(config-if)# ip access-group 50

To delete an ACL group statement (this will not delete the associated list):Router(config)# no access-group <ACL number>

Where to place ACLs

CCNA2 Routing


Module 11

A wildcard is matched with an IP address or protocol address.It is a 32 bit mask divided into 4 octet, each containing 8 bits.

A 0 in the wildcard means to check the bit in the IP you are testing.A 1 in the wildcard means ignore the bit in the IP you are testing.

NOTE!!!Do NOT think subnet mask – that is a totally different

meaning not related to the WILDCARD

Wildcard

CCNA2 Routing


Module 11Abbreviations

To permit or deny any address: 0.0.0.0 255.255.255.255

Address WildcardUse the abbreviation any

Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255Router(config)# access-list 1 permit any

Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255Router(config)# access-list 1 deny any

CCNA2 Routing


Module 11

To match all the bits of IP address use host:

EX: 172. 30.16. 29 0. 0. 0. 0Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0Router(config)# access-list 1 permit host 172.30.16.29

Abbreviations

CCNA2 Routing


Module 11Standard ACLs

Criteria:• block all traffic from a network• allow all traffic from a network• deny entire protocol suits

Standard ACLs only check the source address.

Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard] [log]

CCNA2 Routing


Module 11

What does this statement accomplish?

Access-list 33 permit 172.16.0.0 0.0.255.255 log

Permits all traffic from 172.16.0.0 and sends messages to the console every time the access list is executed.

Standard ACLs

CCNA2 Routing


Module 11


Access-list 44 deny 172.16.13.7 0.0.0.0 log

Denies traffic from host 172.16.13.7 and sends message to the console every time the access list is hit.

Standard ACLs

CCNA2 Routing


Module 11


Access-list 55 deny 172.16.64.3 0.0.0.255

Denies all traffic from network 172.16.64.0

Standard ACLs

CCNA2 Routing


Module 11

The log command:

Prints messages to the console which includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets.The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.

Log is used for debugging only not to be left active on live networks.

Standard ACLs

CCNA2 Routing


Module 11

Example of applying the access-list:

Router(config-if)# ip access-group 33 inRouter(config-if)# ip access-group 44 out

Standard ACLs

CCNA2 Routing


Module 11

To monitor IP access list: (in EXEC mode)show access-list

Displays all access lists & their parameters configured on the router. (Does not show you which interface the list is set on.)

show access-list <ACL number>Shows only the parameters for the access list <ACL number>. (Does not show you the interface the list is set on.)

show ip access-listShows only the IP access lists configured on the router

show ip interfaceShows which interfaces have access lists set (containing an access-group).

show running-config Shows the routers entire configuration

Standard ACLs

CCNA2 Routing


Module 11

R(config)# Interface e0R(config-if)# ip access-group 1 out


R(config)# access-list 1 permit 172.16.0.0 0.0.255.255

What does it do?

Standard ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11



R(config)# access-list 1 permit 172.16.0.0 0.0.255.255Allows only traffic from source network 172.16.0.0 to be forwarded & and non-172.16.0.0 traffic is blocked.

Standard ACLs

One Access list used by multiple Interfaces

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11


R(config)# access-list 1 deny 172.16.4.13 0.0.0.0R(config)# access-list 1 permit any

What does this do?

Standard ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11


R(config)# access-list 1 deny 172.16.4.13 0.0.0.0R(config)# access-list 1 permit any

Denies traffic from a specific device, 172.16.4.13 & allows all other traffic thru e0 to network 172.16.3.0.

Standard ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11

Interface e0ip access-group 1 out

access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any

What does this do?

Standard ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11

Interface e0ip access-group 1 out

access-list 1 deny 172.16.4.0 0.0.0.255access-list 1 permit any

Denies traffic from the subnet, 172.16.4.0 & allows all other traffic thru e0 to network 172.16.3.0.

Standard ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11

Criteria:• checks both the packet’s source & destination addresses• check for specific protocol• check for specific port numbers• permit or denied applications – pings, telnets, FTP, etc.•ACL values range between 100 – 199 (for IP)

Extended ACLs

CCNA2 Routing


Module 11

Port Numbers (decimal) IP Protocol20 FTP data [TCP]21 FTP program (control) [TCP]23 Telnet [TCP]25 Simple Mail Transport Protocol

[TCP] (SMTP)53 DNS [TCP, UDP]69 TFTP [UDP]80 HTTP [TCP]

Extended ACLs

CCNA2 Routing


Module 11

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask destination destination-mask operator operand {established}

ACL number100 – 199

permit | denyPacket is allowed or blocked

protocol IP, TCP, UDP, ICMP, GRE or IGRP

source -- Source address source-wildcard mask

destination -- Destination address destination-wildcard mask

Extended ACLs

Continued

CCNA2 Routing


Module 11

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask destination destination-mask operator

operand {established}

operatorlt, gt, eq, neq

OperandPort number

established Allows TCP traffic to pass if the packet uses an established connection ( for example, has ACK bits set ).

access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

Extended ACLs

CCNA2 Routing


Module 11

Configuring an extended ACL to an interface:

Router(config-if)# ip access-group <ACL number> { in | out }

Router(config)# int E0Router(config-if)# ip access-group 101 in

Extended ACLs

CCNA2 Routing


Module 11

Interface e0ip access-group 101

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 permit ip any any

What does this do?

Extended ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11



Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 & allows all other traffic.

Extended ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11



What does this do?

Extended ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11



Denies only telnet traffic from 172.16.4.0 to 172.16.3.0 network, and permits all other traffic thru e0 to any address.

Extended ACLs

172.16.3.0 172.16.4.0

Non-172.16.0.0

e0 e1

s0

172.16.4.13

server

CCNA2 Routing


Module 11Extended/Standard ACL numbers for IP

NOTE:

Standard ACL numbers: 1-99; 1300-1999

Extended ACL numbers: 100-199; 2000-2699

CCNA2 Routing


Module 11Standard/Extended ACL

You can not add ACL statements into the body of the access-list (ONLY at the end of the list). Otherwise the access list must be deleted first, and then rewritten.

Therefore it is prudent to write your access-list in text format using “notepad”, and then transfer it to your router.

CCNA2 Routing


Module 11Configuring Named ACLs

NOTE:

• A NAMED ACL is an alphanumeric string instead of the ACL number (1 - 199 )• NAMED ACLs are not compatible with Cisco IOS release prior to Release 11.2• Named ACLs can be used for either standard & extended•You cannot configure the same name for multiple ACLs.•use Name ACL when you want to intuitively identify ACLs •use Name ACL when you have more than 99 standard & 100 extended ACLs have been configured on a router for a given protocol

CCNA2 Routing


Module 11Configuring Named ACLs

Router(config)# ip access-list { standard | extended } name { deny | permit } { commands }

ip access-list standard internetfilter deny 172.10.15.0 0.0.0.255permit 128.88.0.0 0.0.255.255permit 36.0.0.0 0.0.255.255

ip access-list extended marketing-group permit tcp any 171.69.0.0 0.255.255.255 eq telnetdeny udp any 171.69.0.0 0.255.255.255 lt 1024

CCNA2 Routing


Module 11Named ACL

A named ACL will allow the deletion of statements, but will only allow for the statements to be inserted a the end of the list.

CCNA2 Routing


Module 11More Details

access-list 1 permit 172.16.0.0 0.0.255.255

10101100.00010000.00000000.0000000000000000.00000000.xxxxxxxx. xxxxxxxx10101100.00010000.xxxxxxxx. xxxxxxxx Matched value

Incoming packet with address of 172.18.4.2. Will it be permitted?Source : 10101100.00010010.00000100.00000010Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx 10101100.00010010.xxxxxxxx. xxxxxxxx Result

CCNA2 Routing


Module 11


10101100.00010000.00000000.0000000000000000.00000000.xxxxxxxx. xxxxxxxx10101100.00010000.xxxxxxxx. xxxxxxxx Match value

Incoming packet with address of 172.18.4.2. Will it be permitted?Source : 10101100.00010010.00000100.00000010Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx 10101100.00010010.xxxxxxxx. xxxxxxxx ResultDoes the result equal the match value?

No! Hence the incoming packet will not be permitted.

CCNA2 Routing


Module 11


10101100.00010000.00000000.0000000000000000.00000000.xxxxxxxx. xxxxxxxx10101100.00010000.xxxxxxxx. xxxxxxxx Match value

Incoming packet with address of 172.16.4.2. Will it be permitted?Source : 10101100.00010000.00000100.00000010Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx 10101100.00010000.xxxxxxxx. xxxxxxxx Result

Does the result equal the match value?

Yes! Hence the incoming packet will be permitted.

CCNA2 Routing


Module 11


10101100.00010000.00000000.0000000000000000.00000000.xxxxxxxx. xxxxxxx010101100.00010000.xxxxxxxx. xxxxxxx0 Matched value

Incoming packet with address of 172.16.4.1. Will it be permitted?Source : 10101100.00010000.00000100.00000001Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0 10101100.00010000.xxxxxxxx. xxxxxxx1 ResultIncoming packet with address of 172.16.4.4. Will it be permitted?Source : 10101100.00010000.00000100.00000100Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0 10101100.00010000. xxxxxxxx. xxxxxxx0 Result

CCNA2 Routing


Module 11


10101100.00010000.00000000.0000000000000000.00000000.xxxxxxxx. xxxxxxx010101100.00010000.xxxxxxxx. xxxxxxx0 Matched value

Incoming packet with address of 172.16.4.5. Will it be permitted?Source : 10101100.00010000.00000100.00000101Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxx0 10101100.00010000.xxxxxxxx. xxxxxxx1 Result

So the access list perform what operation? Permits 172.16.4.4, and denies 172.16.4.1 and 172.16.4.5

Permits all even addresses from the network 172.16.0.0

CCNA2 Routing


Module 11Permit/Deny BLOCKS of addresses

One can permit or deny a block of addresses. However, the blocks must be a power of 2! (Example, 2, 4, 8, 16, 32, 64, 128, etc.)When you need to specify a range of addresses, you choose the closet block size for your needs.You want to block access to part of network that is in the range from 198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:

198.16.99.0 0.0.0.7Also in this case for a block of 8, the beginning address must either start at 0, 8, 16, etc.

CCNA2 Routing


Module 11

One has a subnet whose addresses range from 200.17.2.128 to 200.17.2.191. One wants to divide this network so the top half are permitted and the bottom half is denied to any other network. What is the access lists?

The block range is:

64What is the access-list for the bottom?

access-list 101 deny ip 200.17.2.128 0.0.0.31 any

What is the access-list for the top?

access-list 101 permit ip 200.17.2.160 0.0.0.31 any

Permit/Deny BLOCKS of addresses

CCNA2 Routing


Module 11

What does this do?access-list 10 deny 200.16.88.64 0.0.0.63

Denies a block of 64 address starting at 200.16.88.64

Permit/Deny BLOCKS of addresses

CCNA2 Routing


Module 11Virtual Terminal ACL

You can control access via the VTY ports controlling telnet sessions coming into the router.You write the ACL as usual, but use access-class to apply it.As an example:

Router(config t)# access-list 1 permit 172.16.1.0 0.0.0.255

Router(config t)# line vty 0 4Router(config-line)# loginRouter(config-line)# password ciscoRouter(config-line)# access-class 1 in

Note: only numbered access lists can be applied to VTY virtual lines!

CCNA2 Routing


Module 11Established option

The ‘establish’ option in an access-list used only with TCP datagrams. There are cases when you want to stop host B from initiating a connection with a host A while permitting A to initiate connections with B.

Macintosh SE¾Macintosh SE¾

establish

response

establish

A B

CCNA2 Routing


Module 11

Allow host 172.16.3.13 with Internet connection, but don’t allow the internet to initialize any sessions.

172.16.3.0

172.16.4.0

e0 e1

172.16.3.13

INTERNET

As a practical example:

Established option

CCNA2 Routing


Module 11

Router(config)# int e1Router(config-if)# ip access-group 101 in

Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.255.255 established

Established option

172.16.3.0

172.16.4.0

e0 e1

172.16.3.13

INTERNET

CCNA2 Routing


Module 11


Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www established

Established option

172.16.3.0

172.16.4.0

e0 e1

172.16.3.13

INTERNET

CCNA2 Routing


Module 11


Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www establishedRouter(config)# access-list 101 permit icmp any anyRouter(config)# access-list 101 permit udp any any eq 53

Note: established argument is limited to tcp which means UDP, ICMP and all other IP protocols will not match, and will be denied, unless specifically allowed. Hence

Established option

172.16.3.0

172.16.4.0

e0 e1

172.16.3.13

INTERNET

CCNA2 Routing


Module 11Where to Place ACLs?

ACL Rules:

Standard ACLPlace the ACL as near the destination as possible.

Extended ACLPut the ACL as close as possible to the source

CCNA2 Routing


Module 11

Access ListsStandard

Extended

End of Session

Documents

Access Control Lists (ACLs).ppt