Access Control Lists
CCNA 2 v3 – Module 11
NESCOT CATC
What are ACLs?
ACLs provide basic traffic filtering capabilities.
ACLs enable management of traffic and secure access to and from a network.
ACLs can be created for various network protocols: IP, IPX, or AppleTalk.
The router examines each packet and either forwards or drops it.
Example:
This router has one Ethernet interface (E0) and one Serial interface (S0).
Each interface can have one ACL inbound and one ACL outbound.
This router is configured for three routed protocols: IP, AppleTalk, IPX.
Maximum no. of ACLs that can be configured:
(No. of interfaces) x 2 x (no. of routed protocols) = 2 x 2 x 3 = 12
Forwarding decision can be based on a packet's:
Source address
Destination address
Protocol
Port number
Why use ACLs?
Limit network traffic to increase network performance.
Provide traffic flow control by restricting the delivery of routing updates.
Security - allow one host access but prevent another.
Control which types of traffic are forwarded or blocked by the router.
Ability to control which areas a client can access.
Restrict user access to only certain types of files (eg. Web pages).
If ACLs are not configured, all packets passing through the router will be allowed onto all parts of the network.
How ACLs Work
ACL statements operate in sequential, logical order, from top to bottom.
If a condition is matched, the packet is permitted or denied and the rest of the ACL isn't checked.
An implicit "deny any" statement is at the end of the list by default.
This last line "deny any" is not visible but it will not allow any unmatched packets to be permitted.
Flowchart (inbound check, then outbound check):
Frame arrives at inbound interface -> L2 address match? (Yes)
-> ACL on inbound interface? (No: route packet to outbound interface)
-> Any matches? (No: default deny) -> Permit? (No: packet denied; Yes: route packet to outbound interface)
-> ACL on outbound interface? (No: forward packet)
-> Any matches? (No: default deny) -> Permit? (No: packet denied; Yes: forward packet)
Creating ACLs
There are many different types of ACLs.
Each ACL is uniquely identified by assigning a number (or a name) to it.
This number identifies the type of access list created and must fall within the specific range of numbers:
Rio(config)# access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP standard access list (expanded range)
  <2000-2699>  IP extended access list (expanded range)
Applying ACLs
Creating the access list is the first half of using them on a router.
The second half of the process is assigning them to an interface.
Rio(config)# interface fastethernet 0/0
Rio(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
Rio(config-if)# ip access-group 10 ?
  in   inbound packets
  out  outbound packets
(in and out are seen from inside the router.)
A numbered ACL cannot be edited on the router.
To edit an ACL:
1. Copy it to a text file.
2. Remove it from the router configuration with the ‘no’ form of the ACL statement.
3. Make the necessary changes to the text file.
4. Paste it back in global configuration mode.
Wildcard Masks
Wildcard masks are 32 bits long and paired with an IP address.
Wildcard masks are used with ACLs to filter groups of IP addresses.
Example 1:
Rio(config)# access-list 10 permit 172.16.0.0 0.0.255.255
By applying the WM to the IP address, the router will ignore the values of the last two octets.
This statement will permit traffic with source IP: 172.16.[anything].[anything]
Example 2:
Rio(config)# access-list 10 permit 172.16.16.0 0.0.15.255
This WM discounts the value of the last octet, and 4 bits from the 3rd octet (moving right to left).
If M = Match and D = Don’t Care, WM = MMMMMMMM•MMMMMMMM•MMMMDDDD•DDDDDDDD
This statement will permit traffic from the range 172.16.16.0 to 172.16.31.255.
Two keywords used in ACLs:
any - means an IP address of 0.0.0.0 and WM 255.255.255.255
host - matches an address exactly, or WM 0.0.0.0
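The wildcard-mask arithmetic above, worked through in code. This is an added example, not part of the CCNA module: a 0 bit in the wildcard mask means the router must match that bit of the address, a 1 bit means "don't care". The function names (wildcard_match, wildcard_range, wildcard_pattern) are my own; only the addresses and masks come from the two examples on the slide.

```python
# Added example (not from the CCNA slides): how a Cisco wildcard mask
# selects a group of IPv4 addresses. Standard library only, runs offline.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if every 'M' (0) bit of the wildcard agrees between addr and base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # 1 where the router must match
    return (to_int(addr) & care) == (to_int(base) & care)


def wildcard_range(base: str, wildcard: str):
    """Lowest and highest address matched by base/wildcard.

    Exact for contiguous masks such as 0.0.15.255; for a non-contiguous
    mask it still gives the extremes, but not every address between
    them is matched.
    """
    wm = to_int(wildcard)
    low = to_int(base) & ~wm & 0xFFFFFFFF      # clear the don't-care bits
    high = low | wm                            # set the don't-care bits
    return to_dotted(low), to_dotted(high)


def wildcard_pattern(wildcard: str) -> str:
    """Render the mask as M (match) / D (don't care) bits, as the slide does."""
    bits = format(to_int(wildcard), "032b")
    octets = ["".join("D" if b == "1" else "M" for b in bits[i:i + 8])
              for i in range(0, 32, 8)]
    return ".".join(octets)


# The two ACL keywords expressed as (address, wildcard) pairs
ANY = ("0.0.0.0", "255.255.255.255")           # 'any'


def host(addr: str):                           # 'host a.b.c.d'
    return (addr, "0.0.0.0")


if __name__ == "__main__":
    print(wildcard_range("172.16.0.0", "0.0.255.255"))     # Example 1 on the slide
    print(wildcard_range("172.16.16.0", "0.0.15.255"))     # Example 2 on the slide
    print(wildcard_pattern("0.0.15.255"))
    print(wildcard_match("172.16.31.7", "172.16.16.0", "0.0.15.255"))   # inside range
    print(wildcard_match("172.16.32.1", "172.16.16.0", "0.0.15.255"))   # just outside
    print(wildcard_match("10.1.2.3", *ANY), wildcard_match("10.0.0.2", *host("10.0.0.1")))
```

Note that wildcard_match does the same AND-and-compare the router does, so it handles non-contiguous masks (for example 0.0.1.0 to select odd third octets) correctly even though wildcard_range only describes contiguous ones.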
Standard ACLs
Standard IP ACLs check only the source address of packets to be routed.
Rio(config)# access-list 50 deny 172.16.1.1
Rio(config)# access-list 50 permit 172.16.0.0 0.0.255.255
50: number between 1 and 99, or 1300 to 1999 (recent IOS).
deny / permit: the action.
172.16.1.1 with no WM specified: mask = 0.0.0.0.
0.0.255.255: wildcard mask.
Extended ACLs
Extended ACLs check the source and destination packet addresses, as well as being able to check for protocols and port numbers.
Each statement gives: access-list <number> <permit|deny> <protocol> <source> <destination> [port]
1. access-list 101 permit ip host 10.0.0.1 any
   Specifically permit all IP traffic from this host (only) to any other network or host.
2. access-list 101 deny ip 10.0.0.0 0.0.0.255 any
   More general statement denying other traffic from the 10.0.0.0/24 network.
3. access-list 101 deny tcp host 172.16.6.1 192.168.1.0 0.0.0.255 eq 23
   Specifically denies host 172.16.6.1 (only) telnet access to the 192.168.1.0/24 network.
4. access-list 101 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
   More general statement permitting telnet from all other hosts on the 172.16.6.0/24 network.
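The evaluation described under "How ACLs Work" (top-to-bottom, first match wins, invisible deny any at the end) applied to ACL 50 and ACL 101 above. This is an added example, not code from the CCNA module: the Entry/Packet classes and the evaluate function are my own model of the router's behaviour, the list entries are transcribed from the slides, and the packets are constructed test inputs. The last lines also show why rule 6 (specific before general) matters by reversing entries 3 and 4.

```python
# Added example (not from the CCNA slides): a minimal model of how a router
# walks an IP access list. Entries are tested in order, the first match
# decides, and a packet that matches nothing hits the implicit "deny any".
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")      # keyword 'any'


def host(addr):                           # keyword 'host a.b.c.d'
    return (addr, "0.0.0.0")


def wildcard_match(addr, base_wm):
    """Cisco wildcard test: bits that are 0 in the mask must be equal."""
    base, wm = base_wm
    care = ~int(ipaddress.IPv4Address(wm)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; else "tcp"/"udp"/"icmp"
    src: tuple                   # (address, wildcard)
    dst: tuple = ANY             # standard ACLs never look at the destination
    dport: Optional[int] = None  # "eq <port>"; None means any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src) or not wildcard_match(p.dst, e.dst):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl, p):
    """Return (action, index of the matching entry).

    The index is None when no entry matched and the implicit deny applied,
    which is exactly the line that never shows up in the configuration.
    """
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i        # first match ends the search
    return "deny", None


# access-list 50 (standard): source address only
ACL_50 = [
    Entry("deny", "ip", host("172.16.1.1")),
    Entry("permit", "ip", ("172.16.0.0", "0.0.255.255")),
]

# access-list 101 (extended): the four statements from the slide
TELNET = 23
ACL_101 = [
    Entry("permit", "ip", host("10.0.0.1")),
    Entry("deny", "ip", ("10.0.0.0", "0.0.0.255")),
    Entry("deny", "tcp", host("172.16.6.1"), ("192.168.1.0", "0.0.0.255"), TELNET),
    Entry("permit", "tcp", ("172.16.6.0", "0.0.0.255"), ANY, TELNET),
]

if __name__ == "__main__":
    samples = [                                        # constructed packets
        Packet("10.0.0.1", "192.168.1.9"),             # specific permit, entry 1
        Packet("10.0.0.7", "192.168.1.9"),             # general deny, entry 2
        Packet("172.16.6.1", "192.168.1.9", dport=23), # specific deny, entry 3
        Packet("172.16.6.5", "192.168.1.9", dport=23), # general permit, entry 4
        Packet("172.16.6.5", "192.168.1.9", dport=80), # nothing matches: implicit deny
    ]
    for p in samples:
        print(p, "->", evaluate(ACL_101, p))
    # Rule 6: swap the last two entries and the specific deny is never reached
    swapped = ACL_101[:2] + [ACL_101[3], ACL_101[2]]
    print("swapped:", evaluate(swapped, samples[2]))
```

The indices returned by evaluate correspond to the numbering on the slide minus one; in the swapped list the general permit now shadows the specific deny for 172.16.6.1, which is the mistake the specific-to-general rule exists to prevent.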
Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2.
Advantages are:
Intuitively identify ACLs using names (not just numbers).
Extend possibilities beyond 798 simple and 799 extended ACLs.
Modification of a NACL without deleting and reconfiguring it.
NACLs allow individual statements to be deleted without losing the whole list.
It is still only possible to add statements to the end of a list.
Rio(config)# ip access-list extended Server-Access
(extended: standard or extended; Server-Access: administrator-assigned name)
Rio(config-ext-nacl)# permit tcp any host 10.0.0.2 eq smtp
Rio(config-ext-nacl)# permit udp any host 10.0.0.2 eq 53
Rio(config-ext-nacl)# [Control + Z]
Rio(config)# interface f 0/0
Rio(config-if)# ip access-group Server-Access out
Placing ACLs
ACLs placed in proper location filter traffic and increase network efficiency.
The general rule is to put extended ACLs close to the source of denied traffic.
Standard ACLs do not specify destination addresses, so they should be placed
as close to the destination as possible.
Administrators can only place ACLs on devices under their control.
Verifying ACLs
These show commands verify the content and placement of ACLs:
Command             Description
show ip interface   Interface information includes the number of the inbound or outbound ACL.
show access-list    Lists the contents of all ACLs on the router.
show running-config Interface placement and ACL contents in the current configuration.
ACL Rules
1. One access list per protocol, per interface, per direction.
2. Standard access lists should be applied closest to the destination.
3. Extended access lists should be applied closest to the source.
4. Use the inbound or outbound interface reference as if looking at the port from inside the router.
5. The implicit deny at the end of all access lists will not appear in the configuration listing.
6. Access list entries should filter in the order from specific to general.
7. The permit or deny is examined ONLY if the match is true.
8. New lines are always added to the end of the access list.
9. no access-list [number] will remove the whole list.
10. It is not possible to selectively add and remove lines with numbered ACLs.
11. An IP ACL will send ICMP host unreachable to the sender of a rejected packet.
12. In some situations, removing an access list may result in a default ‘deny any’ being applied to the interface.
13. Outbound filters do not affect traffic originating at the local router.
Firewalls
A network firewall can be one or several machines working together to prevent unwanted access.
Diagram: External network - firewall router - Internal network, with a DMZ containing a Web Server and an FTP Server.
Firewalls control access to services both into and from the internal network.
ACLs are used in firewalls between the internal and external network.
A De-Militarised Zone contains network services available to Internet traffic.
The firewall router provides isolation for the internal network and the DMZ.
Border routers (at the edge of a network) use ACLs to provide security benefits.
Restricting VTY Access
A router has both physical ports (Fa0/0, S0/0) and virtual ports.
These virtual ports are called vty lines.
There are five such vty lines, numbered 0 to 4 (0 to 15 on later IOS).
VTY access can be restricted on routers by using access lists.
Access to vty is accomplished using Telnet.
Identical restrictions should be placed on all vty lines as it is not possible to control which line a user will connect on.
The process of creating a vty access list is the same as for an interface.
Applying the ACL to a terminal line (vty, aux or con) requires the command access-class instead of access-group.
Only numbered ACLs can be applied to vty lines.
Rio(config)# line vty 0 4
Rio(config-line)# login
Rio(config-line)# password Cisco
Rio(config-line)# access-class 2 in
Rio(config-line)# end
Rio#