ACL Intro - Chabot College
Chabot College
ELEC 99.08
Access Control Lists - Introduction
CISCO NETWORKING ACADEMY
ACL Topics
• Function of ACLs
• ACL Types & Syntax
• Wildcard Bitmasks
• Placement of ACLs
• Commands
Typical Functions
• Security
• Firewalling
Types
• Standard
• Extended
Standard ACLs
• Use rules based only on the packet’s source address
• Numbered 1-99
Extended ACLs
• Provide more precise (finer tuned)
packet selection based on:
– Source and destination addresses
– Protocols
– Port numbers
• Numbered 100-199
Steps to Configure ACLs
1) Create ACL (global config mode)
– The list may contain many rules, each on one line.
– The list is identified by a number or name.
2) Apply to an interface (interface config mode)
How do ACLs work?
• Processing occurs line by line from top to
bottom of the list.
• Each line tests a packet for a “match”.
• If there is a match, a “permit” or “deny”
rule is applied.
• When a “match” occurs, no further rules
are checked.
• Invisible last line of an ACL is an implicit
“deny any.”
How do ACLs work?
• ACL example (as it appears in the running configuration):
oak#sh ru
...
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 10 deny any (implicit; never shown in the configuration)
...
How does a Standard ACL work?
• Permits or denies if source IP address
is matched:
– Permit – packet is allowed
– Deny – packet is dropped
– Implicit Deny – If a packet’s address does
not match an earlier statement, an implicit
deny any occurs at the end of every ACL
and the packet is dropped.
Wildcard Masks
• Are used to specify (bit by bit) the part of the IP address to be matched.
• Looks like a subnet mask, but it is not!
• Example:
172.16.0.0 0.0.255.255
(172.16.0.0 is the network address to be matched; 0.0.255.255 is the wildcard bitmask)
Wildcard Masks
• Specify the part of the IP address to be matched.
• Use 0s to match, 1s to ignore. (Reverse of subnet masks!)
• In the example below, only the first 2 octets will be examined for a match:
172.16.0.0 0.0.255.255
(172.16 is the part of the address to match; 0.0.255.255 is the wildcard bitmask)
Wildcard Masks
172.16.0.0 0.0.255.255
(address to match, then wildcard bitmask)

                 Octet 1    Octet 2    Octet 3    Octet 4
Address          172        16         0          0
                 10101100   00010000   00000000   00000000
Wildcard mask    0          0          255        255
                 00000000   00000000   11111111   11111111
                 Check for a match     Ignore
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.0 0.0.0.255
• The first 3:
172.16.5.0 0.0.0.255
Match this part of the address
Wildcard Masks
• In this example, which octets will be
examined for a match?
172.16.5.2 0.0.0.0
• All 4 octets:
172.16.5.2 0.0.0.0
Match the entire address
(permit or deny this specific host)
Wildcard Masks
• In Cisco 2, we will work only with
wildcard bitmasks that are 0 or 255 for
an entire octet.
• In Cisco 3, you’ll work with masks
where the change from 0 to 1 does not
fall on an octet boundary:
– e.g. 0.0.15.255
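Added example (my own Python, not code from the slides or the Cisco Networking Academy materials): it implements the wildcard-mask rule from the slides above with bitwise operations, so the same check works for the octet-boundary masks used in this course (0.0.255.255, 0.0.0.255, 0.0.0.0) and for masks such as 0.0.15.255 where the 0-to-1 change falls inside an octet. The function names (to_int, to_dotted, wildcard_match, subnet_to_wildcard, wildcard_to_prefixlen, examined_octets) and the sample addresses are my own.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string (masked to 32 bits)."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(address, wildcard, packet_address):
    """Cisco wildcard semantics: a 0 bit in the wildcard means the
    corresponding bit of packet_address must equal that bit of address;
    a 1 bit means 'ignore this bit'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit is checked
    return (to_int(address) ^ to_int(packet_address)) & care == 0


def subnet_to_wildcard(subnet_mask):
    """The wildcard is the bitwise inverse of the subnet mask
    (255.255.0.0 -> 0.0.255.255), which is why it looks 'backwards'."""
    return to_dotted(~to_int(subnet_mask))


def wildcard_to_prefixlen(wildcard):
    """Equivalent /prefix length for a contiguous wildcard (0.0.255.255 -> 16,
    0.0.15.255 -> 20). Returns None when the 1-bits are not one contiguous run
    from the right; IOS accepts such masks, but they have no CIDR equivalent."""
    w = to_int(wildcard)
    n = 32
    while n > 0 and w & 1:
        w >>= 1
        n -= 1
    return n if w == 0 else None


def examined_octets(wildcard):
    """1-based positions of the octets that contain at least one checked bit,
    i.e. the answer to the 'which octets will be examined?' questions."""
    return [i + 1 for i, octet in enumerate(wildcard.split(".")) if int(octet) != 255]


if __name__ == "__main__":
    # Constructed sample addresses, not traffic from the slides' network.
    print(wildcard_match("172.16.0.0", "0.0.255.255", "172.16.99.7"))   # True
    print(wildcard_match("172.16.5.2", "0.0.0.0", "172.16.5.3"))        # False
    print(wildcard_match("172.16.16.0", "0.0.15.255", "172.16.31.1"))   # True
    print(examined_octets("0.0.0.255"), wildcard_to_prefixlen("0.0.15.255"))
```

The XOR-and-mask form is the whole trick: XOR leaves a 1 wherever the two addresses differ, and masking with the inverted wildcard throws away differences in the "ignore" bits, so a zero result means a match.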
Keyword: “any”
• Identical statements
– access-list 22 permit 0.0.0.0 255.255.255.255
– access-list 22 permit any
Keyword: “host”
• Identical statements
– access-list 23 permit 172.16.1.1 0.0.0.0
– access-list 23 permit host 172.16.1.1
Standard IP ACL command
access-list ACL-number {permit | deny} source-ip-address wildcard-mask
• ACL number: 1-99
• Global Config mode
Standard ACL Example
• To permit all packets from the network
number 172.16.0.0
access-list 20 permit 172.16.0.0 0.0.255.255
Standard ACL Example
• To permit traffic from the host
172.16.1.1 only
access-list 20 permit 172.16.1.1 0.0.0.0
OR
access-list 20 permit host 172.16.1.1
Standard ACL Example
• To permit traffic from any source address.
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any
How does an Extended ACL work?
• Permits or denies if all conditions match:
– Source Address
– Destination Address
– Protocol
– Port No. or Protocol Options
Extended IP ACL command
access-list ACL-number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask [eq port-number]
• ACL number: 100-199
• Global Config mode
Extended ACL Example
• To permit traffic from the network 192.168.1.0 to
the host 192.168.3.10 only on telnet:
access-list 101 permit tcp 192.168.1.0 0.0.0.255
192.168.3.10 0.0.0.0 eq telnet
• More about extended ACLs later...
Major differences
• Standard ACL
– Use only source address
– Requires fewer CPU cycles.
– Place as close to destination as possible.
(because they can only check source address)
• Extended ACL
– Uses source, destination, protocol, port
– Requires more CPU cycles.
– Place as close to source as possible.
(This stops undesired traffic early.)
Command to apply IP ACL
ip access-group ACL-number {in | out}
• Interface Config mode
• The group of rules in the list is applied to the
interface being configured.
• Use “in” and “out” as if looking at the interface
from inside the router.
Do I place an ACL in?
• In
– Coming into the router.
– Requires less CPU processing, because a packet the
list denies is dropped before the router does any
routing work on it.
– Filtering decision is made prior to the
routing table.
Do I place an ACL out?
• Out
– Going out of the router.
– Routing decision has been made and the
packet is switched to the proper outbound
interface before it is tested against the
access list.
– ACLs are outbound unless otherwise
specified.
ACL Configuration Example
What will this list do?
oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255
oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^z
[Topology diagram: routers oak, fre and hay with interfaces E0, S0 and S1; networks 192.168.1.0 (host 192.168.1.10), 192.168.2.0 (host 192.168.2.10) and 192.168.3.0 (host 192.168.3.10)]
ACL Configuration Example
What’s the problem here?
oak(config)#access-list 10 permit any
oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^z
[Topology diagram: routers oak, fre and hay with interfaces E0, S0 and S1; networks 192.168.1.0 (host 192.168.1.10), 192.168.2.0 (host 192.168.2.10) and 192.168.3.0 (host 192.168.3.10)]
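Added example (my own Python, not code from the slides or the Cisco Networking Academy materials) that evaluates a list the way the "How do ACLs work?" slides describe: top to bottom, first match wins, implicit deny any at the end. It parses the standard and extended access-list syntax used on this page (any, host, address/wildcard pairs, and eq port for extended lists) and adds a check for lines that can never fire because an earlier line already matches everything they would match, which is the problem in the second configuration example above. Packet, Rule, evaluate, shadowed_rules and the other names are my own, and the port-keyword table is a constructed subset of the IOS keywords.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action proto src src_wc dst dst_wc port text")

ANY_ADDR, ANY_WC = "0.0.0.0", "255.255.255.255"
# Constructed subset of the IOS port keywords, enough for these examples.
NAMED_PORTS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _care(wildcard):
    """Bits that must match: the 0 bits of the wildcard."""
    return ~_ip(wildcard) & 0xFFFFFFFF


def _addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') and
    return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return ANY_ADDR, ANY_WC, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_rule(line):
    """Parse one standard (1-99) or extended (100-199) access-list line."""
    t = line.split()
    if t[0] == "access-list":
        t = t[1:]
    number, action, rest = int(t[0]), t[1], t[2:]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in: " + line)
    if 1 <= number <= 99:                        # standard: source address only
        src, src_wc, rest = _addr(rest)
        return Rule(action, "ip", src, src_wc, ANY_ADDR, ANY_WC, None, line)
    if 100 <= number <= 199:                     # extended: proto src dst [eq port]
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _addr(rest)
        dst, dst_wc, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = NAMED_PORTS.get(rest[1]) or int(rest[1])
        return Rule(action, proto, src, src_wc, dst, dst_wc, port, line)
    raise ValueError("unsupported ACL number in: " + line)


def parse_acl(lines):
    return [parse_rule(l) for l in lines if l.strip()]


def _wc_match(addr, wc, value):
    return (_ip(addr) ^ _ip(value)) & _care(wc) == 0


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _wc_match(rule.src, rule.src_wc, pkt.src):
        return False
    if not _wc_match(rule.dst, rule.dst_wc, pkt.dst):
        return False
    return rule.port is None or rule.port == pkt.dport


def evaluate(acl, pkt):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "(implicit deny any)"


def _covers(a1, wc1, a2, wc2):
    """True if every address matching (a2, wc2) also matches (a1, wc1)."""
    c1, c2 = _care(wc1), _care(wc2)
    return (c1 & ~c2) == 0 and ((_ip(a1) ^ _ip(a2)) & c1) == 0


def shadowed_rules(acl):
    """Lines that can never fire because an earlier line matches a superset
    of their traffic. Returns (shadowed line, shadowing line) pairs."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and (earlier.port is None or earlier.port == later.port)
                    and _covers(earlier.src, earlier.src_wc, later.src, later.src_wc)
                    and _covers(earlier.dst, earlier.dst_wc, later.dst, later.dst_wc)):
                found.append((later.text, earlier.text))
                break
    return found


# The three lists from the slides: both access-list 10 examples and access-list 101.
ACL_10_FIRST = parse_acl(["access-list 10 permit 192.168.1.0 0.0.0.255",
                          "access-list 10 permit 192.168.2.10 0.0.0.0"])
ACL_10_SECOND = parse_acl(["access-list 10 permit any",
                           "access-list 10 deny 192.168.2.10 0.0.0.0"])
ACL_101 = parse_acl(["access-list 101 permit tcp 192.168.1.0 0.0.0.255 "
                     "192.168.3.10 0.0.0.0 eq telnet"])

if __name__ == "__main__":
    # Constructed test packets using the host addresses from the slide diagram.
    for src in ("192.168.1.10", "192.168.2.10", "192.168.3.10"):
        pkt = Packet(src, "192.168.3.10", "tcp", 23)
        print(src, "->", evaluate(ACL_10_FIRST, pkt))
    print("never fires:", shadowed_rules(ACL_10_SECOND))
```

Run against the first list, sources in 192.168.1.0/24 and the host 192.168.2.10 are permitted and everything else (192.168.3.10 included) falls through to the implicit deny. Run against the second list, shadowed_rules reports that the deny for 192.168.2.10 sits under permit any and can never match, so that host is permitted; the order has to be reversed, specific deny first, general permit after.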
Commands to show ACLs
show access-lists
• Privileged exec mode
• Displays the ACLs on the router.
show ip interface
• Privileged exec mode
• Shows which ACLs are set on that interface.