Access Lists

Access Lists
Lists of conditions that control access
Access Lists
• Powerful tools that control access both to and from network segments
• Can filter unwanted packets
• Can be used to enforce a security policy between network segments
Applying Access Lists
• Once Access Lists are built, they can be
applied to either inbound or outbound
traffic on any interface
• Applying an access list will then cause the
router to analyse every packet crossing
that interface in the specified direction and
take action accordingly
Rules a Packet follows
• Rules a packet follows when it is being compared to an access list:
• It is always compared with each line of the access list in sequential order, i.e., it always starts with line 1, then goes to line 2, then line 3, and so on
• It is compared with lines of the access list only until a match is made. Once the packet matches a line of the list, it is acted upon, and no further comparisons take place
• There is an implicit deny at the end of each access list. This means that if a packet doesn't match any line in the access list, it is discarded
Access List Types
• Two types
– Standard
– Extended
• Standard Access Lists only use the source IP address in an IP packet to filter traffic. This permits or denies an entire suite of protocols from that source
• Extended Access Lists check the source and destination IP addresses, the protocol field in the IP header and, for TCP/UDP, the port numbers
Applying Access Lists
• Access lists are applied to an interface as either an inbound or an outbound list:
• Inbound Access Lists: packets are processed through the access list before being routed to the outbound interface
• Outbound Access Lists: packets are routed to the outbound interface and then processed through the access list
Access List Guidelines
• Assign only one access list per interface, per protocol, per direction, i.e. one inbound and one outbound IP list per interface
• Organise ACLs so that the more specific tests are at the top
• Any time a new line is added to a numbered ACL it is appended to the bottom
• One line cannot be removed from a numbered ACL; the whole list has to be deleted and retyped
• Remember the implicit deny: all packets that do not meet any of the criteria are discarded, so end the list with permit any when the intent is only to block specific traffic
• Every list should have at least one permit statement, otherwise you might as well shut down the interface
• Create access lists first and then apply them to an interface
• Access lists filter traffic going through a router. They will not filter traffic originating from the router itself
• Place IP standard access lists as close to the destination as possible
• Place IP extended access lists as close to the source as possible
IP ACL example with 3 LANs and a WAN connection (diagram)
Acme router: E0 to the Finance LAN 172.16.10.0 (server 172.16.10.5), E1 to the Marketing LAN 172.16.30.0, E2 to the Sales LAN 172.16.40.0, S0 to the Internet
Standard IP ACL (I)
Standard IP access lists filter the network by using the source IP address in an IP packet
RouterA(config)#access-list ?
<1-99> IP standard list
<100-199> IP extended list
Using the numbers 1-99 tells the router that you want to create a standard IP access list. You then decide if you are creating a permit or deny statement.
RouterA(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
Standard ACL (II)
Next step:
Use the any keyword to permit or deny any host or network
Use an IP address with a wildcard mask to match a specific network or range of hosts
Use the host keyword to specify a single host only
Example using the host keyword:
RouterA(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. An address entered without a wildcard mask is treated as a single host, so host is the default
Another way to specify a single host is with an all-zero wildcard mask: 172.16.30.2 0.0.0.0
A wildcard mask is the only option if you wish to specify a network or subnet
Standard ACLs (III)
• Wildcards are used with access lists to specify a host, a network, or part of a network
• To understand wildcards it is useful to work in block sizes:
– 64
– 32
– 16
– 8
– 4
When you specify a range of addresses, you choose the closest block size for your needs. To specify 18 hosts you need a block size of 32
The Wildcard Mask
– A wildcard mask is written to tell the router which bits in the address to match and which bits to ignore.
– A "0" bit means check this bit position. A "1" bit means ignore this bit position. This is completely different from the ANDing process we studied in Semester 1.
– Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:
11000000.00000101.00000101.00001010 (Source address)
00000000.00000000.00000000.00000000 (Wildcard mask)
The Wildcard Mask
– This table from the curriculum may help:
Masking Practice
– On the next several slides, we will practice making wildcard masks
to fit specific guidelines. Don’t worry if you don’t get it right away.
Like subnetting, wildcard masking is a difficult concept that takes
practice to master.
– Write an ip mask and wildcard mask to check for all hosts on the
network: 192.5.5.0 255.255.255.0
– Answer: 192.5.5.0 0.0.0.255
• Notice that this wildcard mask is a mirror image of the default
subnet mask for a Class C address.
• WARNING: This is a helpful rule only when looking at whole
networks or subnets.
Masking Practice
– Write an ip mask and wildcard mask to check for all hosts in the subnet:
192.5.5.32 255.255.255.224
• If you answered 192.5.5.32 0.0.0.31 YOU’RE RIGHT!!
• 0.0.0.31 is the mirror image of 255.255.255.224
• Let’s look at both in binary:
– 11111111.11111111.11111111.11100000 (255.255.255.224)
– 00000000.00000000.00000000.00011111 (0.0.0.31)
• To prove this wildcard mask will work, let’s look at a host address within
the .32 subnet--192.5.5.55
– 11000000.00000101.00000101.00110111 (192.5.5.55) host address
– 11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
– 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
Masking Practice
– Notice in the previous example (repeated below) that the first 27 bits, i.e. every bit position under a "0" in the wildcard mask, are the bits that must match.
– 11000000.00000101.00000101.00110111 (192.5.5.55) host address
– 11000000.00000101.00000101.00100000 (192.5.5.32) ip mask
– 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
• Remember: a "0" bit in the wildcard mask means check the bit; a "1" bit in the wildcard mask means ignore it.
• The checked bits must match between the address of the packet being filtered (192.5.5.55) and the ip mask configured in the access list (192.5.5.32); here both begin 11000000.00000101.00000101.001, so the packet matches
– Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192
• Answer: 192.5.5.64 0.0.0.63
Masking Practice
– Write an ip mask and wildcard mask for the subnet 172.16.128.0 with
a subnet mask of 255.255.128.0?
• Answer: 172.16.128.0 0.0.127.255
– Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a
subnet mask of 255.255.252.0?
• Answer: 172.16.16.0 0.0.3.255
– Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a
subnet mask of 255.255.248.0?
• Answer: 10.0.8.0 0.0.7.255
– By now, you should have the hang of ip mask and wildcard masks
when dealing with a subnet. If not, go back & review.
Masking a Host Range
– Masking will not be so easy during the
“Hands On” final. You’ll need to be able to
deny a portion of a subnet while permitting
another.
– To mask a range of hosts within a subnet, it is often necessary to work at the binary level.
– For example, students use the range
192.5.5.0 to 192.5.5.127 and teachers use
the range 192.5.5.128 to 192.5.5.255. Both
groups are on network 192.5.5.0
255.255.255.0
– How do you write an ip mask and wildcard
mask to deny one group, yet permit another?
Masking a Host Range
– Let's write the masks for the students.
• First, write out the first and last host addresses in binary. Since the first 3 octets are identical, we can skip those; all their wildcard bits must be "0"
– First Host's 4th octet: 00000000
– Last Host's 4th octet: 01111111
• Second, look for the leading bits that are shared by both (here only the leading 0 of the 4th octet)
– 00000000
– 01111111
– These "bits in common" are to be checked just like the common bits in the 192.5.5 portion of the addresses.
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255
Masking a Host Range
• Third, add up the decimal value of the bits that are not in common, i.e. the "1" bits in the last host's 4th octet: 64+32+16+8+4+2+1 = 127. This is the 4th octet of the wildcard mask
• Finally, determine the ip mask and wildcard mask
– The ip mask can be any host address in the range, but convention says use the first one
– The wildcard mask is all "0"s for the common bits and all "1"s for the rest
– 192.5.5.0 0.0.0.127
– What about the teachers? What would be their ip mask and wildcard mask?
• 192.5.5.128 (10000000) to 192.5.5.255 (11111111)
• Answer: 192.5.5.128 0.0.0.127
• Notice anything? What stayed the same? What changed? The wildcard mask is identical; only the ip mask changed, in the one bit (the leading bit of the 4th octet) that separates the two groups
Specify a small range of subnets
• If you wish to block access to part of a network that is in the range 172.16.8.0 through 172.16.15.0 (i.e. hosts 172.16.8.0 to 172.16.15.255)
• That is a block size of 8 in the third octet
• The wildcard would be 0.0.7.255
• The wildcard octet is one less than the block size
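The wildcard arithmetic from the masking-practice slides, the host-range procedure and the block-size rule above, as an added Python example that is not part of the original slides. It mirrors a subnet mask into a wildcard, tests a packet address against an ip mask/wildcard pair bit by bit, and derives the wildcard for a host range from the leading bits the first and last addresses share. range_to_wildcard also reports whether the range is an aligned block, because a range such as 18 hosts starting at .32 can only be covered by a block of 32, which over-matches. The function names and the addresses in the usage section are this example's own.

```python
# Wildcard-mask arithmetic for Cisco-style standard ACLs.
# Added example (not from the slides); standard library only.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Mirror image of a subnet mask: 255.255.255.224 -> 0.0.0.31."""
    return to_dotted(to_int(subnet_mask) ^ ALL_ONES)


def matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Apply one ACL line's address/wildcard pair to a packet's address.
    A 0 bit in the wildcard means 'check this bit', a 1 bit means 'ignore it',
    so only the bit positions where the wildcard is 0 are compared."""
    check = to_int(wildcard) ^ ALL_ONES
    return (to_int(packet_ip) & check) == (to_int(acl_ip) & check)


def range_to_wildcard(first_ip: str, last_ip: str) -> tuple[str, str, bool]:
    """Derive (ip, wildcard, exact) for first_ip..last_ip by keeping the leading
    bits the two ends have in common and ignoring every bit below them.
    exact is False when the range is not an aligned power-of-two block; the
    returned line then covers more addresses than asked for (it over-matches)."""
    first, last = to_int(first_ip), to_int(last_ip)
    differing_bits = (first ^ last).bit_length()   # bits that vary across the range
    wildcard = (1 << differing_bits) - 1            # all 1s below the common prefix
    base = first & ~wildcard                        # common prefix, rest zeroed
    exact = first == base and last == (base | wildcard)
    return to_dotted(base), to_dotted(wildcard), exact


def block_wildcard(block_size: int, octet: int) -> str:
    """Wildcard for an aligned block of block_size values in octet 1-4, with all
    lower octets ignored: block_wildcard(8, 3) -> 0.0.7.255 (172.16.8.0-172.16.15.255)."""
    if block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    octets = [0, 0, 0, 0]
    octets[octet - 1] = block_size - 1             # wildcard is one less than the block
    for lower in range(octet, 4):
        octets[lower] = 255
    return ".".join(str(o) for o in octets)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))            # 0.0.0.31
    print(matches("192.5.5.55", "192.5.5.32", "0.0.0.31"))  # True
    print(range_to_wildcard("192.5.5.128", "192.5.5.255"))  # ('192.5.5.128', '0.0.0.127', True)
    print(range_to_wildcard("192.5.5.32", "192.5.5.49"))    # ('192.5.5.32', '0.0.0.31', False): 18 hosts need a block of 32
    print(block_wildcard(8, 3))                             # 0.0.7.255
```

The exact flag is the check worth keeping: a wildcard line that over-matches silently permits or denies neighbours of the intended range, which in a deny line is an outage and in a permit line is a hole.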
Access List Example (I)
RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
This tells the router to match the first three octets; the last octet can be anything
The next configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would be 172.16.16.0 through 172.16.19.255
RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255
The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.255
RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255
Applying a standard ACL
• The example has three LAN connections
• One WAN connection to the internet
• Users on sales LAN should not have
access to the Finance LAN
• Should have access to the internet and
marketing
• Marketing needs to access the Finance
LAN for application service
Router ACL Config
On the Acme router the following standard IP access list is applied:
Acme#config t
Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Acme(config)#access-list 10 permit any
(permit any is the same as permit 0.0.0.0 255.255.255.255)
At this point the access list is denying the Sales LAN and allowing everyone else
Where should it be placed?
If you place it as an incoming access list on E2, you might as well shut down the Ethernet interface: it would drop everything Sales sends, including the traffic to Marketing and the Internet that should be allowed
The best place to put it is the router's E0 interface, outbound, so that only traffic heading into the Finance LAN is checked
Acme(config)#int e0
Acme(config-if)#ip access-group 10 out
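The placement question above, played through in an added Python model that is not from the slides. It implements the packet rules from earlier (top-down comparison, first match wins, implicit deny) for a standard list, then pushes the same packets through the router with access-list 10 bound outbound on E0 and, for comparison, inbound on E2, and finally shows what the implicit deny does when the permit any line is forgotten. The interface-to-LAN mapping (E0 Finance, E1 Marketing, E2 Sales, S0 Internet), the routing table and the host addresses are assumptions made for the example.

```python
# Model of a standard IP ACL on the Acme router from the slides: source-address
# matching only, top-down first match, implicit deny at the end, and the effect
# of the interface/direction it is bound to. Added example, not from the slides.
# Assumed from the diagram: E0 = Finance, E1 = Marketing, E2 = Sales, S0 = Internet.
import ipaddress

# Directly connected LANs (assumed routing table; anything else goes out S0)
ROUTES = {
    "172.16.10.0/24": "E0",   # Finance
    "172.16.30.0/24": "E1",   # Marketing
    "172.16.40.0/24": "E2",   # Sales
}

# access-list 10 from the slides: (action, address, wildcard)
ACL_10 = [
    ("deny", "172.16.40.0", "0.0.0.255"),          # block the Sales LAN
    ("permit", "0.0.0.0", "255.255.255.255"),      # permit any
]
# Same list with the permit any forgotten: only the implicit deny remains
ACL_10_NO_PERMIT = ACL_10[:1]


def acl_decision(acl, src_ip: str) -> str:
    """Walk the list in order; the first line whose address/wildcard matches the
    source decides. Reaching the end without a match is the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in acl:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wild))
        if (src | w) == (a | w):          # set the ignored bits to 1 on both sides
            return action
    return "deny"


def interface_for(ip: str) -> str:
    """Which router interface an address lives behind (S0 for the Internet)."""
    addr = ipaddress.IPv4Address(ip)
    for net, intf in ROUTES.items():
        if addr in ipaddress.IPv4Network(net):
            return intf
    return "S0"


def forward(src_ip: str, dst_ip: str, bindings: dict) -> str:
    """Push one packet through the router. bindings maps (interface, direction)
    to an ACL, e.g. {("E0", "out"): ACL_10}. Returns where the packet ended up."""
    in_if = interface_for(src_ip)
    in_acl = bindings.get((in_if, "in"))
    if in_acl is not None and acl_decision(in_acl, src_ip) == "deny":
        return f"dropped by inbound list on {in_if}"     # checked before routing
    out_if = interface_for(dst_ip)
    out_acl = bindings.get((out_if, "out"))
    if out_acl is not None and acl_decision(out_acl, src_ip) == "deny":
        return f"dropped by outbound list on {out_if}"   # checked after routing
    return f"forwarded out {out_if}"


def compare_placements() -> dict:
    """Same list, two placements: outbound on E0 (the slides' answer) versus
    inbound on E2 (the 'might as well shut down the interface' placement)."""
    flows = [("172.16.40.7", "172.16.10.5"),   # Sales -> Finance server
             ("172.16.40.7", "172.16.30.9"),   # Sales -> Marketing
             ("172.16.40.7", "198.51.100.1"),  # Sales -> Internet
             ("172.16.30.9", "172.16.10.5")]   # Marketing -> Finance server
    results = {}
    for name, bindings in (("E0 out", {("E0", "out"): ACL_10}),
                           ("E2 in", {("E2", "in"): ACL_10})):
        results[name] = [forward(s, d, bindings) for s, d in flows]
    return results


if __name__ == "__main__":
    for placement, outcomes in compare_placements().items():
        print(placement, outcomes)
    # With the permit any missing, even Marketing is cut off from Finance:
    print(forward("172.16.30.9", "172.16.10.5", {("E0", "out"): ACL_10_NO_PERMIT}))
```

With the list on E0 outbound only the Sales-to-Finance packet is dropped; on E2 inbound every packet Sales sends is dropped, which is the behaviour the slide warns about. The last line shows that without permit any the implicit deny turns a "block Sales" list into a "block everyone" list.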
Extended IP Access List
• The example standard ACL had to block the whole Sales subnet from getting to the Finance department
• What if you wanted Sales to gain access to only a certain server on the Finance LAN, but not to other network services, for security reasons?
• You need an extended ACL
• Extended IP ACLs allow:
• Choice of source and destination IP address
• Protocol and port number (identifies the upper-layer protocol or application)
• Using an extended IP access list you can allow users access to the physical LAN and stop them using certain services
Extended IP Access List
Use the extended range from 100 to 199
RouterA(config)#access-list 110
Specify permit or deny
RouterA(config)#access-list 110 deny
Then choose a network layer protocol field entry
RouterA(config)#access-list 110 deny tcp
Then choose the source and destination address
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
Now match a given destination port number (23 is Telnet); the log keyword records each match
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
Extended IP Access List
Keep in mind that the line after the last one you type is an implicit deny any statement. Therefore you must place this after it:
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
(0.0.0.0 255.255.255.255 is the same as any, so this is permit ip any any)
Once the access list has been created you must apply it to an interface. Use the same command as for the IP standard list:
RouterA(config-if)#ip access-group 110 in
or
RouterA(config-if)#ip access-group 110 out
Extended IP Access List Example
• Using the same example
• Deny access to a server on the Finance department LAN for both Telnet and FTP services on server 172.16.10.5
• All other services on the LAN are acceptable for the Sales and Marketing departments to access
Extended IP Access List example
Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any
Port 21 is the FTP control connection (blocking it stops FTP sessions being set up) and port 23 is Telnet; each service needs its own deny line
After the list is created, it needs to be applied to the Ethernet 0 interface, outbound
This is because the other three interfaces on the router need access to the Finance LAN for everything except these two services
However, if this list were created only to block Sales, then we would want to put it closest to the source, inbound on Ethernet 2
Acme(config)#int e0
Acme(config-if)#ip access-group 110 out
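An added Python parser and evaluator for the extended ACL syntax used above; it is not from the slides and understands only a subset of the IOS grammar (ip/tcp/udp/icmp, the any, host and address-wildcard forms, a destination port given with eq, an optional trailing log). It checks what access-list 110 permits to the server, and runs the two checks a reviewer would want: what a copy-and-paste slip (the second deny line typed with eq 21 again) leaves open, and what happens when permit ip any any is left off. The Sales PC and the second Finance host are constructed addresses.

```python
# Parser and evaluator for a subset of Cisco IOS extended ACL syntax, used to
# check what the list from the slides actually permits. Added example, not from
# the slides. Assumed simplifications: protocol is ip/tcp/udp/icmp, only a
# destination port with 'eq' is understood, 'log' is accepted and ignored.
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}   # a few IOS port keywords
ALL_ONES = 0xFFFFFFFF


def _addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_line(line: str) -> dict:
    """'access-list 110 deny tcp any host 172.16.10.5 eq 21 log' -> entry dict."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("extended IP lists use numbers 100-199: " + line)
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError("unsupported action/protocol: " + line)
    src, src_w, i = _addr(t, 4)
    dst, dst_w, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    log = i < len(t) and t[i] == "log"
    return {"number": int(t[1]), "action": action, "proto": proto,
            "src": (src, src_w), "dst": (dst, dst_w), "dport": dport, "log": log}


def parse_acl(lines) -> list:
    entries = [parse_line(line) for line in lines]
    if len({e["number"] for e in entries}) > 1:
        raise ValueError("lines belong to different lists")
    return entries


def _match(ip_int: int, spec) -> bool:
    addr, wild = spec
    return (ip_int | wild) == (addr | wild)   # ignored bits set to 1 on both sides


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, dport=None) -> str:
    """First matching line wins; falling off the end is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_match(s, e["src"]) and _match(d, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


# The list from the slides, as the configuration should read
ACL_110 = parse_acl([
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 deny tcp any host 172.16.10.5 eq 23",
    "access-list 110 permit ip any any",
])
# A plausible typing slip: the second deny line pasted with eq 21 again
ACL_110_SLIP = parse_acl([
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 permit ip any any",
])

SERVER, OTHER_HOST, SALES_PC = "172.16.10.5", "172.16.10.20", "172.16.40.7"  # constructed

if __name__ == "__main__":
    print(evaluate(ACL_110, "tcp", SALES_PC, SERVER, 21))        # deny (FTP control)
    print(evaluate(ACL_110, "tcp", SALES_PC, SERVER, 23))        # deny (Telnet)
    print(evaluate(ACL_110, "tcp", SALES_PC, SERVER, 80))        # permit
    print(evaluate(ACL_110, "tcp", SALES_PC, OTHER_HOST, 23))    # permit (other hosts untouched)
    print(evaluate(ACL_110_SLIP, "tcp", SALES_PC, SERVER, 23))   # permit: the slip leaves Telnet open
    print(evaluate(ACL_110[:2], "tcp", SALES_PC, SERVER, 80))    # deny: no permit line, implicit deny
```

Running candidate packets through the parsed list is a cheaper review than reading the lines, because the two failure modes look fine at a glance: a duplicated deny line still "denies", and a list without a permit line still "compiles".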