ACLs - Department of Computer Engineering


Lecture #5
Access Control Lists (ACLs)
Asst.Prof. Dr.Anan Phonphoem
Department of Computer Engineering,
Faculty of Engineering, Kasetsart University,
Bangkok, Thailand
Overview
• ACL fundamentals
• ACL operations
• Types of ACLs (Standard / Extended)
• Implementing ACLs
Access Control Lists (ACLs)
• A list of conditions used to test the traffic
• The router can permit or deny each packet (it acts like a filter)
• Provides security
• Provides bandwidth management
• Come in two types: STANDARD and EXTENDED
What is an ACL?
• A list of criteria to which all packets are compared, for example:

  Is this packet from network 10.5.2.0?
    Yes - forward the packet
    No - check the next statement
  Is this a Telnet packet from 25.25.0.0?
    Yes - forward the packet
    No - check the next statement
  Deny all other traffic
ACL Operations
• Packets are compared to each statement in an access-list SEQUENTIALLY, from the top down; the first statement that matches decides, and the remaining statements are not consulted.
• The sooner a decision is made the better.
• Well-written access-lists take care of the most abundant type of traffic first.
• All access-lists end with an implicit "deny all" statement, so a packet that matches no statement is dropped.

ACL operations (figure)

ACL numbers (figure)
Standard ACL
• Are given a number from 1-99 (IOS also accepts the expanded range 1300-1999)
• Filtering based only on the source address
• Should be applied closest to the destination: a standard ACL cannot see where a packet is going, so placing it near the source would cut that source off from every destination beyond the router, not just the one you want to protect
Extended ACL
• Are given a number from 100-199 (IOS also accepts the expanded range 2000-2699)
• Much more flexible and complex
• Can filter based on:
  - Source address
  - Destination address
  - IP protocol (ICMP, TCP, UDP ...); these are network- and transport-layer protocols, not session-layer ones
  - Port number (80 http, 23 telnet ...)
• Should be applied closest to the source, so unwanted traffic is dropped before it crosses the network
Implementing ACLs
• Step 1 - Create the access-list (global configuration mode)
• Step 2 - Apply the access-list to an interface
  - Must be in interface configuration mode: (config-if)#
  - ip access-group <number> in|out, where the direction is taken from the router's point of view: "in" filters packets arriving on the interface, "out" filters packets leaving it
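The two steps typed out in full, as an added example that is not one of the lecture's own slides. The hostname A follows the later slides; the interface name FastEthernet0/0 and the address 172.22.5.2 are assumptions chosen for illustration.

```text
! Step 1 - create the list (global configuration mode). Statements are
! appended in the order typed; the implicit deny all follows the last one.
A(config)# access-list 5 deny 172.22.5.2 0.0.0.0
A(config)# access-list 5 permit any
! Step 2 - apply it to an interface. "in" = packets arriving on
! FastEthernet0/0 as seen by the router, "out" = packets leaving it.
A(config)# interface FastEthernet0/0
A(config-if)# ip access-group 5 in
A(config-if)# end
! Check the binding and the per-statement match counters
A# show ip interface FastEthernet0/0
A# show access-lists 5
```

Note the order of the steps when you later replace the list: configure the new list first, move the ip access-group to it, and only then delete the old list, so the interface never references a list that does not exist.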
Standard ACL format
access-list # permit/deny sourceIP wildcard

#            1-99
permit/deny  forward (switch) the packet or drop it
sourceIP     source IP address to which the packet is compared; can also be ANY
wildcard     inverse mask (see next slides)
Wildcard Mask
• Allows you to indicate a host, subnet, network or range of IP addresses
• The two binary values in the wildcard have different meanings:
  - 0 = must match exactly
  - 1 = ignore
• A wildcard is usually written as an inverted subnet mask (0.0.0.255 covers a /24), but its 1 bits need not be contiguous: 0.0.1.255 on 172.16.10.0 matches both 172.16.10.0/24 and 172.16.11.0/24

Wildcard Mask (figure)
Wildcard Example
• Network 172.16.10.0, wildcard 0.0.0.255
• Result: match the first three octets exactly but ignore the last octet.
• 172.16.10.0 through 172.16.10.255 is a match since the last octet does not matter.
Implementing ACLs
• Remember the implicit deny all at the end of each access-list.
• Two approaches:
  1. List the traffic you know you want to permit; deny all other traffic (the implicit deny does this for you)
  2. List the traffic you want to deny; permit all other traffic (end the list with permit any)

Standard ACL (figure)
Standard ACL example (I)
A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any
So what does this access list do?
• Deny host 172.22.5.2 (wildcard 0.0.0.0 means every bit must match, i.e. exactly this host; host 172.22.5.2 is the equivalent keyword form)
• Deny host 172.22.5.3
• All other traffic is permitted
Standard ACL example (II)
A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any
A(config)#access-list 5 deny 172.22.5.4 0.0.0.0
Why does the last line have no effect?
How could you correct this situation?
New statements are appended at the end of the list and packets are tested top down, so a packet from 172.22.5.4 already matches permit any on the third line and never reaches the fourth. To correct it, rebuild the list with all three deny statements before permit any (a numbered list cannot be edited in place; see the tips below).
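To make the ACL operations, wildcard mask and standard/extended slides above concrete, here is an added example (my own code, not part of the lecture) of a small evaluator that reproduces how a router processes a numbered access-list: statements are appended in the order entered, compared top down, the first match decides, an implicit deny all sits at the end, and a per-statement match counter is kept the way show access-lists reports it. It runs the example (II) list and an extended list over constructed sample packets; all addresses and ports are made-up test data, and the parser covers only the syntax used on these slides (any, host, address plus wildcard, and eq <port>).

```python
# Added example: an IOS-style numbered ACL evaluator (not the lecture's code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def addr(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_match(packet_addr: int, base: int, wildcard: int) -> bool:
    """Wildcard bit 0 = must match exactly, 1 = ignore (bits need not be contiguous)."""
    care = ~wildcard & ALL_ONES
    return packet_addr & care == base & care


@dataclass
class Entry:
    text: str                    # the line as typed, echoed by show()
    action: str                  # "permit" or "deny"
    src: int
    src_wc: int
    proto: str = "ip"            # "ip" matches every protocol
    dst: int = 0
    dst_wc: int = ALL_ONES       # standard lists never look at the destination
    dport: Optional[int] = None  # "eq <port>" on extended entries
    hits: int = 0                # match counter, as in "show access-lists"


def parse_addr_spec(tokens: List[str]) -> Tuple[int, int, int]:
    """'any' | 'host A' | 'A W' | bare 'A' (standard lists). Returns (addr, wildcard, tokens used)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, 1
    if tokens[0] == "host":
        return addr(tokens[1]), 0, 2
    base = addr(tokens[0])
    try:
        return base, addr(tokens[1]), 2
    except (IndexError, ValueError):
        return base, 0, 1        # bare address: wildcard defaults to 0.0.0.0


def parse_line(line: str) -> Tuple[int, Entry]:
    """Parse 'access-list N permit|deny ...' in standard (1-99) or extended (100-199) form."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"cannot parse: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        src, wc, _ = parse_addr_spec(t[3:])
        return number, Entry(line, action, src, wc)
    if 100 <= number <= 199:
        proto, i = t[3], 4
        src, swc, used = parse_addr_spec(t[i:]); i += used
        dst, dwc, used = parse_addr_spec(t[i:]); i += used
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return number, Entry(line, action, src, swc, proto, dst, dwc, dport)
    raise ValueError(f"unsupported ACL number {number}")


class ACL:
    def __init__(self, number: int):
        self.number, self.entries = number, []

    def add(self, line: str) -> None:
        number, entry = parse_line(line)
        if number != self.number:
            raise ValueError("statement belongs to a different list")
        self.entries.append(entry)   # a numbered ACL only ever appends at the end

    def evaluate(self, src: str, dst: str = "0.0.0.0",
                 proto: str = "ip", dport: Optional[int] = None) -> str:
        s, d = addr(src), addr(dst)
        for e in self.entries:       # top down; the first matching statement wins
            if e.proto != "ip" and e.proto != proto:
                continue
            if not wildcard_match(s, e.src, e.src_wc):
                continue
            if not wildcard_match(d, e.dst, e.dst_wc):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.hits += 1
            return e.action
        return "deny"                # the implicit deny all at the end

    def show(self) -> List[str]:
        """Like 'show access-lists': every statement with its match counter."""
        return [f"{e.text} ({e.hits} matches)" for e in self.entries]


def demo_standard() -> Tuple[dict, List[str]]:
    """Example (II) from the slides: the deny added after 'permit any' never matches."""
    acl = ACL(5)
    for line in ("access-list 5 deny 172.22.5.2 0.0.0.0",
                 "access-list 5 deny 172.22.5.3 0.0.0.0",
                 "access-list 5 permit any",
                 "access-list 5 deny 172.22.5.4 0.0.0.0"):
        acl.add(line)
    hosts = ("172.22.5.2", "172.22.5.3", "172.22.5.4", "10.0.0.1")
    return {h: acl.evaluate(h) for h in hosts}, acl.show()


def demo_extended() -> dict:
    """Extended list: source, destination, protocol and port; the rest hits the implicit deny."""
    acl = ACL(101)
    acl.add("access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 80")
    acl.add("access-list 101 permit icmp any any")
    return {"web from inside": acl.evaluate("172.16.10.77", "198.51.100.5", "tcp", 80),
            "telnet from inside": acl.evaluate("172.16.10.77", "198.51.100.5", "tcp", 23),
            "web from other net": acl.evaluate("172.16.11.1", "198.51.100.5", "tcp", 80),
            "ping": acl.evaluate("10.0.0.1", "10.0.0.2", "icmp")}
```

Running demo_standard() shows the fourth statement with 0 matches and permit any with 2, which is exactly what the counters in show access-lists would tell you on the router; demo_extended() shows that a Telnet packet from the permitted network is still dropped because it never matches a permit statement.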
Extended ACL (figure)

Placing ACLs
Standard: close to the destination
Extended: close to the source
Firewall (figure: External, Internal and DMZ zones)

Restricted ACL access (figure)
Verifying ACLs
• show ip interface
• show access-lists
• show running-config
Implementing ACL Tips
• You cannot selectively add or remove statements from a numbered access-list: a new statement is always appended at the end, and no access-list # deletes the whole list (even no access-list 5 deny ... removes all of list 5, not just that line). Newer IOS releases let you edit individual entries by sequence number in ip access-list configuration mode.
• Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
• Document your access-list
  - After each line indicate exactly what that line is supposed to do.
Implementing ACL Tips
• Verifying your access-list
  - show access-lists
  - show ip interface
• Revisit your access-list after a few days
  - Routers keep track of the number of packets that match each statement in an access-list
  - Use this information to reorder your access-list and thus improve its efficiency; reordering must not change the outcome, so a statement may only move ahead of another if no packet could match both
• Never remove an access-list that is still applied to an interface - it can crash the router, and IOS treats an interface that references a list which no longer exists as permit all, so the filter silently disappears. Remove the ip access-group from the interface first.
Summary
• ACLs are created and then applied to an interface
• Are implemented sequentially, top down
• End with an implicit deny all statement
• # 1-99 standard and # 100-199 extended
• Standard - source address only
• Extended - source, destination, protocol, port
References
• C. Dodge's slides on the Cisco website
• Cisco curriculum materials