8/13/2019 Chapter 10 - Access Control Lists
http://slidepdf.com/reader/full/chapter-10-access-control-lists 1/45
Chapter 10
Managing Traffic with Access Lists
Objectives
On completion of this chapter, you will be able to perform the following tasks:
Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Use ACLs to restrict virtual terminal access
What are ACLs
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what kinds of packets to accept and what kinds of packets to deny.
Acceptance and denial can be based on specified conditions.
ACLs can be created for all routed network protocols, such as IP and IPX, to filter packets.
ACLs can be configured at the router to control access to a network or subnet.
ACLs check the packet and header
How ACLs control traffic flow
[Figure: separate inbound and outbound lists per protocol (IP, IPX, AppleTalk) on one interface]
One list, per port, per direction, per protocol
The primary reasons to create ACLs
Limit network traffic and increase network performance.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces.
Allow an administrator to control what areas a client can access on a network.
Screen certain hosts to either allow or deny access to part of a network.
How ACLs work: order of ACL statements
ACL and Routing process in a router
[Flowchart. Inbound side: Layer 2 address match -> ACLs on interface? -> Statement list match? -> Permit packet? -> Route packet to outbound interface. Outbound side: ACLs on interface? -> Statement list match? -> Permit packet? -> Send to the device. If no ACL is on the interface the packet passes straight through; a packet that matches no statement in the list ends in Default Deny.]
Creating ACLs: Step 1
Router(config)# access-list access-list-number {permit | deny} {test-conditions}
Defines an ACL.
ACL command          Description
access-list          defines an access list
access-list-number   protocol-dependent ACL number
permit               defines a statement to allow traffic
deny                 defines a statement to disallow traffic
test-conditions      ACL test conditions
To remove an ACL, use no access-list access-list-number.
ACL numbers
Creating ACLs: Step 2
Router(config-if)# {protocol} access-group access-list-number {in | out}
Applies the access list to an interface.
ACL command          Description
protocol             a protocol specified for the interface
access-group         any packets that pass the ACL test conditions can be permitted to use any interface in the access group of interfaces
access-list-number   the ACL identified by this number is associated with this interface
in | out             direction of the ACL
These basic rules should be followed
One access list per protocol per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
There is an implicit deny at the end of all access lists.
New lines are always added to the end of the access list.
A no access-list x command will remove the whole list.
It is not possible to selectively add and remove lines with numbered ACLs.
Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
Wildcard Mask
Subnet mask and wildcard mask
Subnet mask:   bit 1 = check,  bit 0 = ignore
Wildcard mask: bit 1 = ignore, bit 0 = check

Range of hosts   Subnet mask (last octet)   Decimal   Wildcard mask (last octet)   Decimal
2                1111 1110                  254       0000 0001                    1
4                1111 1100                  252       0000 0011                    3
8                1111 1000                  248       0000 0111                    7
16               1111 0000                  240       0000 1111                    15
32               1110 0000                  224       0001 1111                    31
64               1100 0000                  192       0011 1111                    63
128              1000 0000                  128       0111 1111                    127
256              0000 0000                  0         1111 1111                    255
Common Wildcard mask
Range of hosts   Subnet mask                      Wildcard mask
2                192.168.1.2   255.255.255.254    192.168.1.2   0.0.0.1
4                192.168.1.8   255.255.255.252    192.168.1.8   0.0.0.3
8                192.168.1.16  255.255.255.248    192.168.1.16  0.0.0.7
16               192.168.1.16  255.255.255.240    192.168.1.16  0.0.0.15
32               192.168.1.0   255.255.255.224    192.168.1.0   0.0.0.31
64               192.168.1.128 255.255.255.192    192.168.1.128 0.0.0.63
128              192.168.1.0   255.255.255.128    192.168.1.0   0.0.0.127
256              192.168.1.0   255.255.255.0      192.168.1.0   0.0.0.255
Wildcard any
Any = 0.0.0.0 255.255.255.255
Wildcard host
Host 172.30.16.29 = 172.30.16.29 0.0.0.0
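The wildcard-mask arithmetic from the two tables above and the any/host shorthands, worked through in Python. This is an added example, not code from the slides or from Cisco: it derives the wildcard mask as the bitwise inverse of the subnet mask, builds the wildcard for a block of 2..256 addresses as (block size - 1), tests an address against an address/wildcard pair bit by bit, and reproduces the slide's table; all sample addresses are constructed, the function names are my own.

```python
# Added example (not from the slides): wildcard mask arithmetic in Python.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'192.168.1.16' -> 32-bit integer"""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask:
    subnet mask 1 = check / 0 = ignore, wildcard 1 = ignore / 0 = check."""
    return to_dotted(to_int(subnet_mask) ^ ALL_ONES)


def wildcard_from_block_size(hosts: int) -> str:
    """A block of `hosts` consecutive addresses (a power of two up to 256)
    in the last octet is covered by wildcard 0.0.0.(hosts - 1)."""
    if hosts < 1 or hosts > 256 or hosts & (hosts - 1):
        raise ValueError("block size must be a power of two between 1 and 256")
    return to_dotted(hosts - 1)


def matches(address: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard says to check (its 0 bits) is equal
    in `address` and `base`; the wildcard's 1 bits are ignored."""
    check = to_int(wildcard) ^ ALL_ONES          # 1 where the bit is checked
    return (to_int(address) & check) == (to_int(base) & check)


def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by base/wildcard."""
    wc = to_int(wildcard)
    low = to_int(base) & (wc ^ ALL_ONES)
    return to_dotted(low), to_dotted(low | wc)


def block_table() -> list:
    """Reproduce the slide's table: (block size, subnet mask, wildcard mask)."""
    rows = []
    for hosts in (2, 4, 8, 16, 32, 64, 128, 256):
        wildcard = wildcard_from_block_size(hosts)
        rows.append((hosts, wildcard_from_subnet_mask(wildcard), wildcard))
    return rows


if __name__ == "__main__":
    for hosts, subnet, wildcard in block_table():
        print(f"{hosts:>3} hosts  subnet {subnet:<15} wildcard {wildcard}")
    # The two shorthands from the slides: 'any' and 'host' (addresses constructed)
    print(matches("10.9.8.7", "0.0.0.0", "255.255.255.255"))    # any: every bit ignored
    print(matches("172.30.16.30", "172.30.16.29", "0.0.0.0"))  # host: every bit checked
    print(covered_range("192.168.1.16", "0.0.0.7"))            # .16 through .23
```

The `hosts & (hosts - 1)` test rejects block sizes that are not powers of two, which is the usual source of wildcard mistakes: a range such as 192.168.1.0 to 192.168.1.9 cannot be expressed with one address/wildcard pair and needs several lines.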
Verifying ACLs: show ip interface
Verifying ACLs: show access-lists
Verifying ACLs: show running-config
STANDARD ACLs
Standard ACLs: Overview
How the Standard ACL works
[Flowchart: Is this an IP packet? -> Is there a standard access list on this interface? -> Does the source address match the ACL list entry? A match applies that entry's permit or deny condition: permit routes the packet to the proper outbound interface; deny sends a Destination Not Found message. No match moves to the next statement; if this was the last entry in the ACL, the packet is denied. If no standard access list is on the interface, the packet is routed normally.]
Standard ACL commands
Access list number: 1 - 99
Commands:
Router# show access-lists
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)# ip access-group access-list-number {in | out}
Standard IP Access List Example 1: Permit my network only.
Standard IP Access List Example 2: Deny a specific host.
Standard IP Access List Example 3: Deny a specific subnet.
EXTENDED ACLs
Extended ACLs: Overview
How the Extended ACL works
[Flowchart: Is there an ACL on this interface? -> Does the source address match the ACL list entry? -> Does the destination address match the ACL list entry? -> Do the protocol and port match? If all tests pass, the entry's permit or deny condition applies: permit routes the packet to the proper outbound interface; deny sends a Destination Not Found message. If any test fails, move to the next statement; if this was the last entry in the ACL, the packet is denied.]
Extended ACL commands
Access list number: 100 - 199
Commands:
Router# show access-lists
Router(config)# access-list access-list-number {permit | deny} protocol source [source-mask destination destination-mask operator operand] [established]
Router(config-if)# ip access-group access-list-number {in | out}
Reserved port numbers
Extended Access List Example 1: Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0. Permit all other traffic.
Extended Access List Example 2: Deny only Telnet from subnet 172.16.4.0 out of E0. Permit all other traffic.
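The evaluation rules stated earlier (statements processed top down until the first match, implicit deny at the end, new lines always appended) together with the standard and extended examples on these slides, modelled in Python. This is an added example, not Cisco code and not part of the original slides: it parses the numbered access-list syntax shown above and evaluates constructed packets against it. Assumptions not on the slides: /24 wildcards (0.0.0.255) for 172.16.4.0 and 172.16.3.0, FTP as TCP ports 21 and 20, only the destination `eq` operator and the `established` keyword are modelled (no source-port operators, no `log`), and the `Packet`, `Entry` and `AccessList` names are mine.

```python
# Added example (not Cisco's code): a small model of how IOS evaluates a
# numbered ACL: top to bottom, first match wins, implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check that bit, bit 1 = ignore it."""
    check = _ip(wildcard) ^ ALL_ONES
    return (_ip(address) & check) == (_ip(base) & check)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # a standard ACL tests the source only,
    dst_wc: str = "255.255.255.255"  # so its destination is effectively "any"
    dst_port: Optional[int] = None   # only the destination "eq" operator is modelled
    established: bool = False        # matches only replies (TCP ACK/RST set)

@dataclass
class Packet:                        # constructed for the demonstration
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None
    ack: bool = False

def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A', 'A WILDCARD', or a bare 'A' (wildcard 0.0.0.0)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]

def parse(line: str) -> tuple:
    """'access-list N {permit|deny} ...' -> (N, Entry); 1-99 standard, 100-199 extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:
        src, src_wc, _ = _parse_addr(rest)
        return number, Entry(action, "ip", src, src_wc)
    if 100 <= number <= 199:
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _parse_addr(rest)
        dst, dst_wc, rest = _parse_addr(rest)
        port, established = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                name = rest.pop(0)
                port = PORT_NAMES.get(name) or int(name)
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported keyword {tok!r}")
        return number, Entry(action, proto, src, src_wc, dst, dst_wc, port, established)
    raise ValueError(f"unsupported list number {number}")

class AccessList:
    def __init__(self, *lines: str):
        parsed = [parse(line) for line in lines]
        self.number = parsed[0][0] if parsed else None
        self.entries = [entry for _, entry in parsed]   # IOS appends new lines at the end

    def evaluate(self, pkt: Packet) -> tuple:
        """(action, statement index) of the first match, or ('deny', None): implicit deny."""
        for index, e in enumerate(self.entries, start=1):
            if e.protocol != "ip" and e.protocol != pkt.protocol:
                continue
            if not wildcard_match(pkt.src, e.src, e.src_wc):
                continue
            if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
                continue
            if e.dst_port is not None and e.dst_port != pkt.dst_port:
                continue
            if e.established and not pkt.ack:
                continue
            return e.action, index
        return "deny", None

# Extended Access List Example 1 from the slides, with /24 wildcards assumed
# for 172.16.4.0 and 172.16.3.0 (the slides give no masks); FTP is TCP 21 and 20.
EXAMPLE_1 = AccessList(
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp-data",
    "access-list 101 permit ip any any",
)
```

Two things worth checking with this model: a standard list such as `access-list 1 permit 172.16.0.0 0.0.255.255` ("permit my network only") denies every other source purely through the implicit deny, and because lines are appended, `access-list 3 permit any` followed by `access-list 3 deny 172.16.4.13` never denies that host; the deny line is shadowed and the list has to be removed and re-entered in the right order.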
Named ACLs: Overview
Intuitively identify an ACL using an alphanumeric name.
Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
Considerations:
IP named ACLs were introduced in Cisco IOS Software Release 11.2.
They only allow statements to be inserted at the end of a list.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.
Named ACL commands
Router(config)# ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}
Router(config-if)# ip access-group name {in | out}
Router# show access-lists
Named ACL examples
Basic Security: Cisco Router with Access List
Filtering vty Access to a Router
Five virtual terminal lines (0 through 4).
Filter addresses that can access into the router's vty ports.
Filter vty access out from the router.
How to Control vty Access
• Set up an IP address filter with a standard access list statement.
• Use line configuration mode to filter access with the access-class command.
• Set identical restrictions on every vty.
vty Commands
Router(config)# line vty {vty# | vty-range}
• Enters configuration mode for a vty or vty range
Router(config-line)# access-class access-list-number {in | out}
• Restricts incoming or outgoing vty connections for addresses in the access list