Describe Traffic Filtering

Filtering Traffic Using Access Control Lists
Introducing Routing and Switching in the Enterprise – Chapter 8
Version 4.0
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
Objectives

- Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
- Analyze the use of wildcard masks.
- Configure and implement ACLs.
- Create and apply ACLs to control specific types of traffic.
- Log ACL activity and integrate ACL best practices.
Describe Traffic Filtering

- Analyze the contents of each packet
- Allow or block the packet
- Decide based on source IP address, destination IP address, MAC address, protocol, or application type (port number)
Describe Traffic Filtering

Devices providing traffic filtering:
- Firewalls built into integrated routers
- Dedicated security appliances
- Servers
Describe Traffic Filtering

Uses for ACLs beyond packet filtering (the ACL identifies the traffic, another feature acts on it):
- Specify which internal hosts are translated by NAT
- Classify traffic for QoS
- Restrict routing updates, limit debug output, and control virtual terminal access
Describe Traffic Filtering

Possible issues with ACLs:
- Increased load on the router: every packet crossing the interface is compared against the list
- Possible network disruption: a wrong statement (or a missing permit) drops legitimate traffic
- Unintended consequences from incorrect placement or ordering of statements
Describe Traffic Filtering

- Standard ACLs filter on the source IP address only
- Extended ACLs filter on source and destination address, as well as protocol and port number
- Named ACLs can be either standard or extended
Describe Traffic Filtering

- ACLs consist of statements, compared top-down; the first statement that matches a packet decides its fate
- At least one statement must be a permit: an ACL with only deny statements, combined with the implicit deny, blocks all traffic
- The final statement is an implicit deny: a packet that matches no statement is dropped
- An ACL does nothing until it is applied, to an interface or to the VTY lines
Describe Traffic Filtering

- An ACL is applied inbound or outbound
- Direction is from the router's perspective: inbound traffic arrives on the interface, outbound traffic leaves it
- Each interface can have one ACL per direction for each network protocol (for IPv4: one inbound and one outbound)
Analyze the Use of Wildcard Masks

- A wildcard mask lets one statement match a range of addresses or a whole network
- 0 bits mark the parts of the IP address that must match the address in the ACL statement
- 1 bits mark the parts that are ignored ("don't care")
- For a whole network the wildcard is the bitwise inverse of the subnet mask (a /24 network uses 0.0.0.255)
Analyze the Use of Wildcard Masks

- Use the host keyword in place of a 0.0.0.0 wildcard (match exactly one address)
- Use the any keyword in place of address 0.0.0.0 with wildcard 255.255.255.255 (match every address)
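The wildcard-mask rules on the two slides above, worked through in Python as an added example (not code from the course or from Cisco; the function names are this example's own). It converts between prefix lengths and wildcards, tests whether a statement's address/wildcard pair matches a packet address, shows that host and any are just the 0.0.0.0 and 255.255.255.255 wildcards, and includes a non-contiguous wildcard, which IOS accepts but which no single /prefix can express.

```python
"""Wildcard-mask arithmetic as used in IOS ACL statements (added example)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len):
    """Wildcard for a whole /prefix network: the bitwise inverse of the subnet mask."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _dotted(subnet_mask ^ ALL_ONES)


def wildcard_to_prefix(wildcard):
    """Inverse of wildcard_from_prefix, or None when the wildcard is non-contiguous
    (legal in an ACL statement, but not a single /prefix network)."""
    subnet_mask = _int(wildcard) ^ ALL_ONES
    if subnet_mask and (subnet_mask | (subnet_mask - 1)) != ALL_ONES:
        return None
    return bin(subnet_mask).count("1")


def wildcard_matches(statement_addr, wildcard, packet_addr):
    """0 bits in the wildcard must match exactly; 1 bits are ignored.
    'host A' is A with wildcard 0.0.0.0; 'any' is 0.0.0.0 with 255.255.255.255."""
    care = _int(wildcard) ^ ALL_ONES
    return (_int(statement_addr) ^ _int(packet_addr)) & care == 0


def matching_hosts(statement_addr, wildcard, candidates):
    """Which of the candidate addresses a statement 'addr wildcard' would match."""
    return [c for c in candidates if wildcard_matches(statement_addr, wildcard, c)]
```

With 192.168.1.0 0.0.254.255 the third octet's low bit must match (it is 1 in the statement), so the statement covers every odd-numbered /24 under 192.168.0.0 in one line; wildcard_to_prefix returns None for it because there is no equivalent subnet mask.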
Configure and Implement Access Control Lists

- Determine the traffic filtering requirements
- Decide which type of ACL to use
- Determine the router and interface on which to apply the ACL
- Determine in which direction to filter traffic
Configure and Implement Access Control Lists: Numbered Standard ACL

- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 1-99 and 1300-1999
- Apply as close to the destination as possible: a standard ACL sees only the source address, so placed near the source it would cut that source off from every destination
Configure and Implement Access Control Lists: Numbered Extended ACL

- Use the access-list command to enter statements
- Use the same number for all statements
- Number ranges: 100-199 and 2000-2699
- Specify a protocol to permit or deny
- Place as close to the source as possible, so unwanted traffic is dropped before it crosses the network
Configure and Implement Access Control Lists: Named ACLs

- A descriptive name replaces the number range
- Use the ip access-list command to create the list (standard or extended) and enter its configuration mode
- Start succeeding statements with either permit or deny
- Apply in the same way as a numbered standard or extended ACL
Configure and Implement Access Control Lists: VTY access

- Create the ACL in global configuration mode, listing the management hosts allowed to open Telnet or SSH sessions to the router
- In line configuration mode, apply it to the VTY lines with the access-class command (an interface ACL does not protect the router's own virtual terminals)
- Use a numbered standard ACL
- Apply identical restrictions to all VTY lines: a session lands on whichever line is free, so one unrestricted line is an open door
Create and Apply ACLs to Control Specific Types of Traffic

- Use a comparison operator when filtering on port numbers: eq (equal), lt (less than), gt (greater than)
- Deny all appropriate ports for multi-port applications like FTP (control connection on port 21, data connection on port 20)
- Use the range operator to filter a contiguous group of ports with one statement
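The evaluation rules from the slides above (top-down first match, wildcard-masked source and destination, the host and any shortcuts, the eq/neq/lt/gt/range port operators, the log keyword, and the implicit deny), modelled in Python as an added example. This is not code from the course or from Cisco: the Packet class, the 10-step sequence numbers and the PORT_NAMES table are assumptions made for the example, and the two sample ACLs are constructed.

```python
"""Model of how IOS walks a numbered access list: top-down, first match wins,
anything unmatched hits the implicit deny (which is never logged).  The Packet
class, sequence numbers and PORT_NAMES table are this example's assumptions."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80, "https": 443}  # assumed subset


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply"


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: tuple = None   # (operator, ports) or None
    icmp_type: str = None
    log: bool = False


def _take_addr(t):
    """Consume 'any' | 'host A' | 'A W' | bare 'A' (standard-ACL shorthand for one host)."""
    tok = t.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return t.pop(0), "0.0.0.0"
    return tok, (t.pop(0) if t and t[0].count(".") == 3 else "0.0.0.0")


def _take_ports(t):
    """Consume an optional eq|neq|lt|gt|range operator and the port(s) after it."""
    if not t or t[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op, ports = t.pop(0), []
    while t and (t[0].isdigit() or t[0] in PORT_NAMES):
        tok = t.pop(0)
        ports.append(PORT_NAMES.get(tok) or int(tok))
    return op, tuple(ports)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, p = spec
    if op == "range":
        return p[0] <= port <= p[1]
    return {"eq": port in p, "neq": port not in p, "lt": port < p[0], "gt": port > p[0]}[op]


def _addr_ok(addr, wild, packet_addr):
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(packet_addr))) & care == 0


def parse(line):
    """Parse one 'access-list <number> permit|deny ...' statement."""
    t = line.split()
    number, action, t = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source address only
        src, src_wild = _take_addr(t)
        e = Entry(action, "ip", src, src_wild, "0.0.0.0", "255.255.255.255")
    else:                                               # extended
        proto = t.pop(0)
        src, src_wild = _take_addr(t)
        dst, dst_wild = _take_addr(t)
        dport = _take_ports(t)
        icmp = t.pop(0) if proto == "icmp" and t and t[0] != "log" else None
        e = Entry(action, proto, src, src_wild, dst, dst_wild, dport, icmp)
    e.log = bool(t) and t[0] == "log"
    return e


def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_ok(e.src, e.src_wild, p.src) and _addr_ok(e.dst, e.dst_wild, p.dst)
            and _port_ok(e.dport, p.dport) and (e.icmp_type is None or e.icmp_type == p.icmp_type))


def evaluate(acl, packet):
    """(action, sequence number of the deciding statement or None for the implicit deny, logged?)"""
    for i, e in enumerate(acl):
        if matches(e, packet):
            return e.action, (i + 1) * 10, e.log
    return "deny", None, False


# Constructed example: inbound ACL for an Internet-facing interface.
OUTSIDE_IN = [parse(s) for s in (
    "access-list 101 permit tcp any host 203.0.113.10 eq www",
    "access-list 101 permit tcp any host 203.0.113.10 range ftp-data ftp",
    "access-list 101 permit icmp any any echo-reply",  # replies to our own pings
    "access-list 101 deny icmp any any echo log",      # no pings from outside
    "access-list 101 deny ip any any log",             # explicit deny so drops get logged
)]
INSIDE = [parse("access-list 10 permit 192.168.1.0 0.0.0.255")]  # relies on the implicit deny
```

Feeding packets through evaluate shows the behaviour the slides describe: a Telnet attempt to 203.0.113.10 falls through to the explicit deny ip any any log (sequence 50) and is logged, an inbound echo request is dropped at sequence 40, an echo reply is permitted at 30, and a packet from 192.168.2.1 checked against ACL 10 is dropped by the implicit deny with no statement number and no log message.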
Create and Apply ACLs to Control Specific Types of Traffic

- Block harmful external traffic while allowing internal users free access
- Ping: permit ICMP echo replies (answers to pings sent from inside) while denying echo requests from outside the network
- Stateful packet inspection: a plain ACL is stateless and judges each packet on its own; a stateful firewall tracks connections and admits only replies to sessions opened from inside
Create and Apply ACLs to Control Specific Types of Traffic

- Account for NAT when creating and applying ACLs to a NAT interface: the addresses an ACL sees depend on where it sits relative to the translation
- Filter on public (translated) addresses on a NAT outside interface
- Filter on private (untranslated) addresses on a NAT inside interface
Create and Apply ACLs to Control Specific Types of Traffic

- Examine every ACL one line at a time, in order, to avoid unintended consequences: a broad statement placed early shadows every more specific statement after it
Create and Apply ACLs to Control Specific Types of Traffic

- Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces
Log ACL Activity and ACL Best Practices

- Logging provides additional details on packets denied or permitted
- Add the log keyword to the end of each ACL statement to be tracked; the router emits a syslog message for the first matching packet and then periodic summaries with a packet count
- Logged statements cost extra router CPU, so log selectively rather than on every line
Log ACL Activity and ACL Best Practices

Syslog messages report:
- Status of router interfaces
- ACL messages
- Bandwidth, protocols in use, configuration events
Log ACL Activity and ACL Best Practices

- Always test basic connectivity before applying an ACL, so that a failure afterwards can be attributed to the ACL and not to the network
- When logging, add an explicit deny ip any any log (deny any log in a standard ACL) as the last statement: the implicit deny drops packets silently, the explicit one records what was dropped
- Use reload in 30 when testing ACLs on remote routers: if the new ACL locks you out, the router reloads with its saved configuration after 30 minutes; cancel the scheduled reload once you have confirmed access
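What the log keyword produces is syslog text, so the last step is reading it. The following Python is an added example, not code from the course or from Cisco: it parses the %SEC-6-IPACCESSLOGP (TCP/UDP, with ports), %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGS (standard ACL, source only) message forms, totals denied packets per source, and flags a source that is being refused on several destination ports. The sample lines are constructed for the example, and the exact field layout is an assumption to verify against a real router's output before relying on the regular expressions.

```python
"""Summarise IOS ACL syslog messages per denied source (added example).
The message layouts below are assumed from the %SEC-6-IPACCESSLOG* family;
confirm them against your own router before reusing the regexes."""
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# TCP/UDP with ports, ICMP with type/code, and standard-ACL (source only) variants.
RE_PORTS = re.compile(rf"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) {IP}\((\d+)\) -> {IP}\((\d+)\), (\d+) packets?")
RE_ICMP = re.compile(rf"%SEC-6-IPACCESSLOGDP: list (\S+) (permitted|denied) (\w+) {IP} -> {IP} \((\d+)/(\d+)\), (\d+) packets?")
RE_STD = re.compile(rf"%SEC-6-IPACCESSLOGS: list (\S+) (permitted|denied) {IP} (\d+) packets?")

# Constructed sample log.  The count is 1 for the first hit on a statement and a
# running total in later summary messages, so summing counts gives real volume.
SAMPLE_LOG = """\
*Mar  1 00:02:11.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51000) -> 203.0.113.10(23), 1 packet
*Mar  1 00:02:12.118: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51001) -> 203.0.113.10(22), 1 packet
*Mar  1 00:02:12.901: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51002) -> 203.0.113.10(3389), 1 packet
*Mar  1 00:02:13.300: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 203.0.113.10 (8/0), 1 packet
*Mar  1 00:03:40.555: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.44(40000) -> 203.0.113.10(80), 1 packet
*Mar  1 00:07:12.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51003) -> 203.0.113.10(445), 37 packets
*Mar  1 00:07:30.000: %SEC-6-IPACCESSLOGS: list 10 denied 10.9.9.9 1 packet
*Mar  1 00:08:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.5)
"""


def parse_acl_log(line):
    """Return a dict for an ACL log message, or None for any other syslog line."""
    m = RE_PORTS.search(line)
    if m:
        acl, action, proto, src, _sport, dst, dport, n = m.groups()
        return {"acl": acl, "action": action, "proto": proto, "src": src, "dst": dst,
                "dport": int(dport), "packets": int(n)}
    m = RE_ICMP.search(line)
    if m:
        acl, action, proto, src, dst, itype, icode, n = m.groups()
        return {"acl": acl, "action": action, "proto": proto, "src": src, "dst": dst,
                "dport": None, "icmp": (int(itype), int(icode)), "packets": int(n)}
    m = RE_STD.search(line)
    if m:
        acl, action, src, n = m.groups()
        return {"acl": acl, "action": action, "proto": "ip", "src": src, "dst": None,
                "dport": None, "packets": int(n)}
    return None


def denied_by_source(lines):
    """{source: {"packets": total denied, "ports": destination ports refused, "acls": lists hit}}"""
    out = {}
    for line in lines:
        rec = parse_acl_log(line)
        if not rec or rec["action"] != "denied":
            continue
        s = out.setdefault(rec["src"], {"packets": 0, "ports": set(), "acls": set()})
        s["packets"] += rec["packets"]
        s["acls"].add(rec["acl"])
        if rec["dport"] is not None:
            s["ports"].add(rec["dport"])
    return out


def suspected_scanners(lines, min_ports=3):
    """Sources refused on at least min_ports distinct destination ports (a scan signature)."""
    return sorted(src for src, s in denied_by_source(lines).items() if len(s["ports"]) >= min_ports)
```

Run against the sample, 198.51.100.7 totals 41 denied packets across ports 22, 23, 445 and 3389 plus an echo request (ICMP type 8, code 0), which is the outside ping the slides say to deny, and is the only source reported by suspected_scanners; the permitted web request and the configuration-change message are ignored.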
Summary

- ACLs enable traffic management and secure access to and from a network and its resources
- Apply an ACL to filter inbound or outbound traffic
- ACLs can be standard, extended, or named
- Using a wildcard mask provides flexibility
- There is an implicit deny statement at the end of every ACL
- Account for NAT when creating and applying ACLs
- Logging provides additional details on filtered traffic