Transcript Class Power Points Acls for Chapter #12

Access Control List
ACL’s
4/8/2016
1
What Is an ACL?
• An ACL is a sequential collection of permit or
deny statements that apply to addresses or
upper-layer protocols.
• Routers provide basic traffic filtering capabilities,
such as blocking internet traffic, with access
control lists (ACLs.
• ACLs are lists of instructions you apply to a
router's interface. These lists tell the router what
kinds of packets to accept and what kinds of
packets to deny.
4/8/2016
2
ACL’s
• Acceptance and denial can be based on certain
specifications, such as source address,
destination address, and port number.
• ACLs can be created for all routed network
protocols, such as internet protocol (IP) and
Internetwork packet exchange (IPX).
• Can be configured at the router to control access
to a network or subnet.
• Must be defined on a per-protocol basis.
4/8/2016
3
Reasons to Create ACL’s
• Limit network traffic and increase network
performance.
• Provide traffic flow control. ACLs can restrict or
reduce the contents of routing updates.
• Provide a basic level of security for network
access.
• Decide which types of traffic are forwarded or
blocked at the router interfaces.
4/8/2016
4
Access Control Lists (ACLs)
• The order in which you place ACL statements is
important.
• (IOS) software tests the packet against each
condition statement, in the order in which the
statements were created.
• After a match is found, no more condition
statements are checked.
• Once created, if you need additional statements,
in a standard or extended ACL you must delete
the ACL and re-create it with the new condition
statements.
4/8/2016
5
How ACL’s Work
• You can create an ACL for each protocol
you want to filter for each router interface.
4/8/2016
6
How ACL’s Work
• An ACL is a group of statements that define how
packets: enter inbound interfaces, relay through
the router, exit outbound interfaces of the router.
• As a packet enters an interface, the router
checks to see whether the packet is routable or
bridgeable. Now, the router checks whether the
inbound interface has an ACL. If one exists, the
packet is now tested against the conditions in
the list.
4/8/2016
7
How ACL’s Work
• ACL statements operate in sequential,
logical order. If a condition match is true,
the packet is permitted or denied and the
rest of the ACL statements are not
checked. If all the ACL statements are
unmatched, an implicit "deny any"
statement is imposed. This means that
even though you will not see the "deny
any" as the last line of an ACL, it is there.
4/8/2016
8
Creating ACLs
• You create ACLs by using the global
configuration mode.
• Specifying an ACL number from 1 to 99 instructs
the router to accept standard ACL statements.
Specifying an ACL number from 100 to 199
instructs the router to accept extended ACL
statements.
• You must carefully select and logically order the
ACL.
4/8/2016
9
Creating ACLs
• Two steps: 1. define the ACL
• Example, router(config)#access-list access list
number permit/deny {test conditions}
• 2. Apply ACL to an interface (ex. E0, s0, s1) by using
the access-group command.
• Router(config-if) protocol access-group access-list
number in/out
4/8/2016
10
Deleting an ACL
• If you want to alter an ACL containing
numbered ACL statements, you need to
delete all the statements in the numbered
ACL by using the command no accesslist list-number.
• If you have already applied the access-group
to an interface, use the command no accessgroup list-number in/out before the no accesslist list-number command.
4/8/2016
11
Wildcard Masks
• A wildcard mask is a 32-bit quantity that is
divided into four octets, with each octet
containing 8 bits.
• A wildcard mask bit 0 means "check the
corresponding bit value" and a wildcard mask bit
1 means "do not check (ignore) that
corresponding bit value".
• A wildcard mask is paired with an IP address.
4/8/2016
12
Wildcard Masks
• The zero and one bits in an ACL wildcard mask
cause the ACL to either check or ignore the
corresponding bit in the IP address.
• Say you want to test an IP address for subnets
that will be permitted or denied.
• You want to use IP wildcard mask bits to permit
all packets from any host in the 172.30.16.0 to
172.30.31.0 subnets.
• Example will be done on board.
4/8/2016
13
Wildcard Any
• To indicate any IP address, you would
enter 0.0.0.0; Then, to indicate that the
ACL should ignore (that is, allow without
checking) any value, the corresponding
wildcard mask bits for this address would
be all ones (that is, 255.255.255.255).
• Instead of typing 0.0.0.0 255.255.255.255,
you can use the word any by itself as the
keyword.
4/8/2016
14
The Host Command
• Say you want to specify that a specific IP host
address will be permitted in an ACL test.
• To indicate a host IP address, you would enter
the full address (for example, 172.30.16.29);
Then, to indicate that the ACL should check all
the bits in the address. That is 0.0.0.0 in
wildcard mask form.
• You can use the abbreviation host to
communicate this same test condition to Cisco
IOS ACL software.
4/8/2016
15
Standard ACLs
• You use standard ACLs when you want to
block all traffic from a network, allow all
traffic from a specific network, or deny
protocol suites.
• Standard ACLs check the source address
of packets that could be routed. The result
permits or denies output for an entire
protocol suite, based on the network,
subnet, and host addresses.
4/8/2016
16
Standard Access-list Example
• Router(config)# access-list accesslist-number {deny | permit} source
[source-wildcard ] [log]
• Access-list 33 permit 172.16.0.0 0.0.255.255 log
(permits all traffic from 172.16.0.0)
• Access-list 44 deny 172.16.13.7 0.0.0.0 log
(denies traffic from host 172.16.13.7)
• Access-list 55 deny 172.16.64.0 any log (denies
all traffic from network 172.16.64.0)
4/8/2016
17
How to Verify Access Lists
• You use the show access-lists
EXEC command to display the contents of
all ACLs.
• In addition, you use the show accesslists EXEC command followed by the
name or number of an ACL to display the
contents of one ACL.
4/8/2016
18
Standard Access-lists
• The ip access-group command
groups an existing ACL to an interface.
Remember that only one ACL per port per
protocol per direction is allowed.
• Router(config-if)#ip accessgroup access-list-number {in |
out}.
4/8/2016
19
Extended Access-list
• Provide a greater range of control than
standard ACLs.
• Extended ACLs check for both source and
destination packet addresses. They also
can check for specific protocols, port
numbers, and other parameters.
4/8/2016
20
Extended Access-list
• Packets can be permitted or denied output
based on where the packet originated and
based on its destination.
• Router(config)# access-list
access-list-number {permit |
deny} protocol source [sourcemask destination destinationmask operator operand]
[established]
4/8/2016
21
Extended Access-list
• For more precise traffic-filtering control, you use
extended ACLs. Extended ACL statements
check for source address and for destination
address. In addition, at the end of the extended
ACL statement, you gain additional precision
from a field that specifies the optional TCP or
user Datagram protocol (UDP) protocol port
number.
• . Extended ACLs use a number in the range 100
to 199.
4/8/2016
22
Extended Access-group
• The ip access-group command links
an existing extended ACL to an interface.
Remember that only one ACL per
interface, per direction, per protocol is
allowed.
• Router(config-if)# ip accessgroup access-list-number {in |
out}
4/8/2016
23
Placing ACL’s
• The rule is to put the extended ACLs as
close as possible to the source of the
traffic denied. Standard ACLs do not
specify destination addresses, so you
have to put the standard ACL as near the
destination as possible.
• ACLs should be used in firewall routers,
which are often positioned between the
internal network and an external network,
such as the internet.
4/8/2016
24
Placing ACL’s
• To provide the security benefits of ACLs,
you should at a minimum configure ACLs
on border routers, which are routers
situated on the boundaries of the network.
• This provides basic security from the
outside network, or from a less controlled
area of the network, into a more private
area of the network.
4/8/2016
25