Introduction to ACLs

Transcript: Introduction to ACLs

Access Control Lists (ACL)
Access-List Overview
• A filter through which all traffic must pass
• Used to permit or deny access to a network
• Provides security
• Bandwidth management
• Come in two flavors
  – Standard and Extended
What is an Access-List
• A list of criteria to which all packets are compared.
  – Is this packet from network 10.5.2.0?
    • Yes: forward the packet
    • No: check the next statement
  – Is this a Telnet packet from 25.25.0.0?
    • Yes: forward the packet
    • No: check the next statement
  – Deny all other traffic
How an Access-List Works
• Packets are compared to each statement in an access-list sequentially, from the top down. The first statement that matches decides the packet's fate; later statements are not consulted.
• The sooner a decision is made the better.
• Well-written access-lists take care of the most abundant type of traffic first.
• All access-lists end with an implicit deny all statement.
Standard Access Lists
• Are given a number from 1-99 (or 1300-1999 in the expanded range)
• Filter based only on the source address
• Should be applied closest to the destination: because they cannot tell destinations apart, a standard list placed near the source would also block that source's traffic to destinations that should stay reachable
Extended Access-lists
• Are given a number from 100-199 (or 2000-2699 in the expanded range)
• Much more flexible and complex
• Can filter based on:
  – Source address
  – Destination address
  – IP protocol (ICMP, TCP, UDP...)
  – Port number (80 http, 23 telnet...)
• Should be applied closest to the source, so unwanted traffic is dropped before it crosses the network
Two Steps - Create and Apply
• Step 1 - Create the access-list
  – access-list # permit|deny source-IP wildcard
    • # - 1-99 for a standard list
    • permit|deny - switch the packet or drop it
    • source-IP - the source IP address against which the packet's source is compared. Can also use any
    • wildcard - see next page
• Step 2 - Apply the access-list to an interface
  – Must be in interface configuration mode, (config-if)#
  – ip access-group # in|out (direction from the router's point of view: in filters packets arriving on the interface, out filters packets leaving it)
Wildcards
• Allow you to indicate a range of IP addresses
• Two bit values are used:
  – 0 = must match exactly
  – 1 = does not matter
Wildcard Examples
• Network 195.34.5.12, wildcard 0.0.0.0
• Result: match all four octets
• Only 195.34.5.12 is a match
• Could also use host 195.34.5.12 in place of the wildcard. host indicates an exact match is needed.
Wildcard Examples
• Network 172.16.10.0, wildcard 0.0.0.255
• Result: match the first three octets exactly but ignore the last octet.
• 172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.
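The two steps above (create with access-list, apply with ip access-group) and the wildcard examples, worked through as an added example that is not from the original slides: a small Python evaluator that parses IOS-style access-list lines, applies the wildcard rule bit by bit, walks the list top down, and falls through to the implicit deny. The configuration text, the interface name Serial0/0, the packets and all function names are constructed for this example; the parser understands only the address forms shown on the slides (any, host, address plus wildcard) and the eq port operator.

```python
"""Added example, not from the original slides: a toy evaluator for Cisco-IOS
style access-lists showing wildcard matching, top-down first-match evaluation,
the implicit deny and per-statement hit counters. The config text below is
constructed; only 'any', 'host A', 'A WILDCARD' and 'eq PORT' are understood."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address spec matching every address

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = does not matter. XOR exposes the bits
    that differ; masking with the inverted wildcard keeps only the ones we care about."""
    differing = ip_int(addr) ^ ip_int(network)
    return (differing & ~ip_int(wildcard) & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    text: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (network, wildcard)
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    hits: int = 0                # the per-line count 'show access-lists' reports

@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def _take_port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(config: str) -> Dict[int, List[Entry]]:
    """Group 'access-list N ...' lines by list number; remarks and interface
    lines are skipped. Numbers 1-99 are standard, 100-199 extended."""
    acls: Dict[int, List[Entry]] = {}
    for raw in config.strip().splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:          # standard: source address only
            entry = Entry(raw.strip(), action, "ip", _take_addr(rest), ANY)
        elif 100 <= number <= 199:     # extended: protocol, src, dst, ports
            proto = rest.pop(0)
            src, sport = _take_addr(rest), _take_port(rest)
            dst, dport = _take_addr(rest), _take_port(rest)
            entry = Entry(raw.strip(), action, proto, src, dst, sport, dport)
        else:
            raise ValueError(f"unsupported access-list number {number}")
        acls.setdefault(number, []).append(entry)
    return acls

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(entries: List[Entry], p: Packet) -> str:
    """Top down, first match wins and bumps that line's counter; falling off
    the end of the list is the implicit deny all."""
    for e in entries:
        if matches(e, p):
            e.hits += 1
            return e.action
    return "deny"

# Constructed configuration in the create-then-apply form from the slides.
SAMPLE_CONFIG = """
access-list 10 remark The 172.16.10.0/24 LAN plus one admin host
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 permit host 195.34.5.12
access-list 101 remark Everything from the 10.5.2.0/24 office network
access-list 101 permit ip 10.5.2.0 0.0.0.255 any
access-list 101 remark Telnet only from 25.25.0.0/16
access-list 101 permit tcp 25.25.0.0 0.0.255.255 any eq 23
access-list 101 deny ip any any
interface Serial0/0
 ip access-group 101 in
"""
```

Calling parse_acl(SAMPLE_CONFIG) and then evaluate(acls[101], Packet("25.25.8.9", "192.0.2.10", "tcp", 40000, 23)) returns "permit" from the Telnet line, while the same source on port 80 falls to the explicit deny ip any any; a source outside both networks is dropped by the implicit deny without touching any counter, which is why an explicit final deny is often added when you want to see how much traffic the list is rejecting.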
Implementing Access-lists
• Remember the implicit deny all at the end of each access-list.
• Two approaches:
  1. List the traffic you know you want to permit
     – Deny all other traffic
  2. List the traffic you want to deny
     – Permit all other traffic (permit any)
Implementing Access-lists
• You cannot selectively add or remove statements from a numbered access-list: a new statement is appended to the end, and no access-list # removes the whole list. (Named access-lists with sequence numbers do allow individual lines to be inserted and deleted.)
• Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
• Document your access-list
  – After each line indicate exactly what that line is supposed to do (access-list # remark stores such a note in the configuration).
Implementing Access-lists
• Verifying your access-list
  – show access-lists
  – show ip interface
• Revisit your access-list after a few days
  – Routers keep track of the number of packets that match each statement in an access-list (show access-lists displays the count beside each line)
  – Use this information to reorder your access-list and thus improve its efficiency. Because the first match wins, only move a statement ahead of statements it cannot overlap with or that take the same action; otherwise the reordered list permits or denies different traffic than before.
• Never remove an access-list while it is still applied to an interface. Remove it from the interface first with no ip access-group # in|out, then delete and rebuild the list. The slides warn this can crash a router; on current IOS the interface keeps referencing the missing list, which is treated as if no list were present, so everything is permitted until the list is re-created, and while the list is being pasted back line by line the interface filters with an incomplete list.
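Reordering by hit count, as an added example that is not from the original slides: this Python block takes access-list entries with their match counters and moves busy entries upward, but only through swaps that cannot change what the list permits. Two entries can be swapped when they either take the same action or their wildcard ranges cannot contain a common address; the entries and hit counts below are constructed, and the function names are this example's own.

```python
"""Added example, not from the original slides: reorder access-list entries by
hit count without changing what the list permits. Because the first matching
statement wins, an entry may only move ahead of another one if the two can
never match the same packet or they take the same action. Entries and hit
counts below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class Entry:
    action: str      # "permit" or "deny"
    network: str
    wildcard: str
    hits: int        # matches reported by 'show access-lists'

    def __str__(self) -> str:
        return f"{self.action} {self.network} {self.wildcard}  ({self.hits} matches)"

def overlap(a: Entry, b: Entry) -> bool:
    """True if some address matches both entries: on every bit that both
    wildcards fix (0 in both), the two networks must agree."""
    fixed_in_both = ~(ip_int(a.wildcard) | ip_int(b.wildcard)) & 0xFFFFFFFF
    return ((ip_int(a.network) ^ ip_int(b.network)) & fixed_in_both) == 0

def can_swap(earlier: Entry, later: Entry) -> bool:
    """Swapping two adjacent entries keeps the list's meaning unless they
    overlap and disagree on the action."""
    return earlier.action == later.action or not overlap(earlier, later)

def reorder_by_hits(entries: List[Entry]) -> List[Entry]:
    """Bubble high-hit entries upward using only meaning-preserving adjacent
    swaps, so the result matches exactly the same packets as the original."""
    order = list(entries)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b.hits > a.hits and can_swap(a, b):
                order[i], order[i + 1] = b, a
                changed = True
    return order

# Constructed list: the busiest entry is last, but the deny for one host must
# stay ahead of the permit for its /24 or that host becomes permitted.
SAMPLE = [
    Entry("deny",   "172.16.10.7", "0.0.0.0",   3),
    Entry("permit", "172.16.10.0", "0.0.0.255", 900),
    Entry("permit", "10.5.2.0",    "0.0.0.255", 5000),
]

if __name__ == "__main__":
    for e in reorder_by_hits(SAMPLE):
        print(e)
```

A plain sort by hit count would put the 900-match permit for 172.16.10.0/24 ahead of the 3-match deny for 172.16.10.7 and silently re-admit that host; reorder_by_hits instead moves only the disjoint 10.5.2.0/24 entry to the top and leaves the deny in front of the permit it shadows.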
Summary: Access-Lists
• Are created and then applied to an interface
• Are implemented sequentially, top down
• End with an implicit deny all statement
• #1-99 standard and #100-199 extended
• Standard - source address only
• Extended - source, destination, protocol, port