Ccna2 M11 Access Control Lists

  • Uploaded by: PankajSharma
  • November 2019
CCNA – Semester2

Module 11 Access Control Lists

Objectives

• Standard and extended ACLs
• The rules for placement of ACLs
• Create and apply named ACLs

Access Control List Fundamentals

What are ACLs
• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
• These lists tell the router what types of packets to accept or deny.
• Acceptance and denial can be based on specified conditions.

ACL

Reasons to create ACLs
• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces.

Testing packets with ACLs
• The order in which you place ACL statements is important.
• A packet is checked against each condition statement, in the order in which the statements were created.
• After a match is found, no more condition statements are checked.
• If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.

Configuration task list
• ACLs are classified as numbered or named ACLs; each comes in 2 types: standard and extended.
• Configuration consists of 2 steps:
– Create an ACL
– Apply the ACL to an interface

Assigning ACL number
• The ACL number must be within the specific range specified for the protocol.
• Modification of a numbered ACL involves deleting the entire list and creating a new one.
• Remove a numbered ACL: no access-list list-number

Apply Access Lists
• An ACL can be assigned to one or more interfaces and can filter inbound or outbound traffic.
• ACLs are applied on a per-protocol, per-direction, per-interface basis.
• E.g.: only 1 IP access list on interface s0 in the inbound direction.

Types of Access Control Lists

Standard ACL Overview
• When you want to:
– block all traffic from a network,
– allow all traffic from a network,
– permit or deny an entire protocol suite.
• Standard ACLs check the source address of packets that could be routed.
• Results in either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.

Standard ACL commands
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)# ip access-group access-list-number {in | out}

• Access list number: 1 to 99, or 1300 to 1999 in recent IOS

Wildcard mask bits
• A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
• A wildcard mask bit 0 means "check the corresponding bit value".
• A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".

Wildcard & Subnet mask
• A wildcard mask operates differently from an IP subnet mask.
– Subnet mask: The zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
– Wildcard mask: The zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.

Wildcard any

Wildcard host

Examples: any, host

• Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
• Router(config)# access-list 1 permit any

• Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
• Router(config)# access-list 1 permit host 172.30.16.29

Verifying ACLs
• The show ip interface command displays IP interface information and indicates whether any ACLs are set.
• The show access-lists command displays the contents of all ACLs on the router.
• The show running-config command will also reveal the access lists on a router and the interface assignment information.

Show ip interface

Show access-lists

Standard ACL examples

ACL Requirement
1. Do not allow traffic between outside and network 172.16.3.0
2. – Node 172.16.4.13 can only access the Internet
   – Network 172.16.4.0 (except 172.16.4.13) cannot access the Internet
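The following is an added example, not code from the CCNA2 slides: a small Python evaluator for Cisco-style standard ACL entries. It implements the wildcard-mask rule from the earlier slides (bit 0 = check, bit 1 = ignore), the relation between a subnet mask and its wildcard, first-match processing, and the implicit "deny any". The list it builds is one reading of Requirement 2 above; its placement (outbound on the Internet-facing interface) is an assumption, since the slide does not state it.

```python
# Added example (not from the CCNA2 slides): minimal evaluator for
# Cisco-style standard ACLs, showing wildcard-mask matching, first-match
# processing and the implicit "deny any" at the end of every list.
import ipaddress
from typing import List, Tuple

def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_src: str, entry_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check that bit, bit 1 = ignore it.
    The packet matches when every *checked* bit equals the entry's bit."""
    check = ~to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit must be compared
    return (to_int(packet_src) & check) == (to_int(entry_addr) & check)

def subnet_to_wildcard(subnet_mask: str) -> str:
    """The wildcard covering a whole subnet is the bitwise inverse of its subnet mask."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))

# One standard ACL entry: (action, source, source-wildcard).
# "host X" is X 0.0.0.0 and "any" is 0.0.0.0 255.255.255.255, as on the slides.
Entry = Tuple[str, str, str]

def parse_standard_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} (any | host X | X [wildcard])'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # IOS default: exact host
    return action, rest[0], wildcard

def evaluate(acl: List[Entry], packet_src: str) -> str:
    """Walk the entries in order; the first match decides. No match = implicit deny."""
    for action, addr, wildcard in acl:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"   # the implicit "deny any" at the end of every ACL

# Requirement 2, assumed to be applied outbound on the Internet-facing interface:
REQ2_ACL = [parse_standard_entry(l) for l in [
    "access-list 2 permit host 172.16.4.13",      # the one node allowed out
    "access-list 2 deny 172.16.4.0 0.0.0.255",    # the rest of 172.16.4.0 is not
    "access-list 2 permit any",                   # everyone else is unaffected
]]

def demo() -> dict:
    swapped = [REQ2_ACL[1], REQ2_ACL[0], REQ2_ACL[2]]   # subnet deny placed first
    return {
        "172.16.4.13": evaluate(REQ2_ACL, "172.16.4.13"),              # first line matches
        "172.16.4.50": evaluate(REQ2_ACL, "172.16.4.50"),              # second line matches
        "172.16.3.7": evaluate(REQ2_ACL, "172.16.3.7"),                # third line matches
        "172.16.3.7 without permit any": evaluate(REQ2_ACL[:2], "172.16.3.7"),  # implicit deny
        "172.16.4.13 with lines swapped": evaluate(swapped, "172.16.4.13"),    # order matters
    }

if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src:<32} {verdict}")
```

The last two entries of demo() are the two mistakes the "Testing packets with ACLs" slide warns about: dropping the final permit any silently blocks every other network through the implicit deny, and swapping the first two lines denies 172.16.4.13 because the subnet line now matches it first.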

Extended ACL Overview
• Provide a greater range of control than standard ACLs, including:
– Protocols (IP, IPX, ICMP, TCP…)
– Source address (IP address, IPX address…)
– Destination address
– Services or ports (Telnet, HTTP, FTP …)
– Other parameters (SYN, ACK, Echo…)

Extended ACL commands
Router(config)# access-list ACL-number {permit | deny} protocol source [source-mask operator extended-para] destination [destination-mask operator extended-para] [log | log-input]
Router(config-if)# ip access-group access-list-number {in | out}

• Access list number: 100 to 199, or 2000 to 2699 in recent IOS

Extended ACL parameters
• access-list: Defines an access list
• access-list-number: Protocol-dependent ACL number (100-199)
• permit/deny: Defines a statement to allow/block traffic
• protocol: The protocol in question, including IP, TCP, UDP, ICMP, GRE
• source/destination: Source/destination address
• source-mask/destination-mask: Wildcard mask; zeros = must match bit, ones = do not match bit
• operator: Logical operator; lt = less than, gt = greater than, eq = equal to, neq = not equal to
• extended-para: Extended parameter of the protocol used, e.g. port (for TCP/UDP), echo (for ICMP)
• log [log input]: Records all ACL matches including violations
• in|out: Applies this access list to inbound or outbound traffic

Extended ACL: TCP/UDP protocol
Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port] destination [d-mask operator d-port] [established] [log | log-input]
established: only match if the ACK bit is set

Router(config-if)# ip access-group access-list-number {in | out}

Reserved port numbers

Extended ACL: ICMP protocol
Router(config)# access-list access-list-number {permit | deny} icmp source [source-mask destination destination-mask] [icmp-type | [icmp-type icmp-code] | [icmp-message]] [log | log-input]

Router(config-if)# ip access-group access-list-number {in | out}

Extended ACL: ICMP parameters
• icmp-type: (Optional) A number between 0 and 255 specifying the ICMP message type
• icmp-code: (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
• icmp-message: (Optional) ICMP packets can be filtered by an ICMP message type name or by an ICMP message type and code name.

Named ACL Overview
• Uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation.
• Considerations:
– Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
– You cannot use the same name for multiple ACLs.

Named ACLs vs. Numbered ACLs
• Named ACLs have their own configuration mode with a shorter and clearer command line.
• Named ACLs allow removing individual entries from a specific ACL.
• Using a name is more understandable than using a number.
• Eliminates the limit of 798 simple and 799 extended ACLs.

Named ACL commands
• Router(config)# ip access-list {standard | extended} name
• Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
• Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}
• Router(config-if)# ip access-group name {in | out}
• Router# show access-lists

Named ACL example

Inbound and Outbound
• If the ACL is inbound, when the router receives a packet and prior to the routing process, the router checks the ACL's statements for a match.
• If the ACL is outbound, after receiving and routing a packet to the outbound interface, the router checks the ACL's statements for a match.

Recommended Rule
• Place extended ACLs as close to the source of the denied traffic as possible.
• Place standard ACLs as close to the destination as possible.
• Placing ACLs on inbound interfaces may help reduce routing processing tasks.
• Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.

Firewall architecture

Control VTY access with Access list
• Instead of applying an ACL on all router interfaces to filter telnet sessions to the router's interfaces, apply the ACL on the vty lines.
• Access into and out of virtual terminal line ports can be controlled by IP numbered ACLs.
line vty 0 4
 login
 password cisco
 access-class access-list-number {in|out}

Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router.

VTY Control Example

Extended ACL examples

[Diagram: server RA 172.16.3.100]

Access List Requirements
1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13
2. Prevent all hosts on network 172.16.4.0, except 172.16.4.13, from accessing server 65.10.13.133
3. Prevent all hosts on network 172.16.3.0, except 172.16.3.100, from accessing 172.16.4.13 using web and tftp
4. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.
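As an added example (not code from the CCNA2 slides), the evaluator below handles the subset of the extended TCP/UDP syntax shown earlier that Requirements 1 and 4 need: protocol, source/destination with wildcard masks, the destination-port operators eq/neq/lt/gt, and the established keyword (matching only when the ACK bit is set, as the slide states). The list it builds is one reading of those two requirements, assumed to be applied inbound on the Internet-facing interface; the outside addresses and port numbers in the sample packets are constructed for the demo, and source-port operators and the ICMP forms are left out.

```python
# Added example (not from the CCNA2 slides): evaluator for a subset of the
# extended-ACL syntax: protocol, source/destination with wildcard masks,
# destination-port operators eq/neq/lt/gt, and 'established'.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def masked(addr: str, wildcard: str) -> int:
    """Keep only the bits the wildcard marks as 'check' (wildcard bit 0)."""
    return int(ipaddress.IPv4Address(addr)) & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag; 'established' matches only when it is set

@dataclass
class ExtEntry:
    action: str
    proto: str              # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport_op: Optional[str] = None
    dport: int = 0
    established: bool = False

def take_addr(t: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host X' | 'X WILDCARD'; return (addr, wildcard, remaining tokens)."""
    if t[0] == "any":
        return "0.0.0.0", "255.255.255.255", t[1:]
    if t[0] == "host":
        return t[1], "0.0.0.0", t[2:]
    return t[0], t[1], t[2:]

def parse_extended(line: str) -> ExtEntry:
    """access-list N {permit|deny} proto SRC DST [eq|neq|lt|gt port] [established]"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    e = ExtEntry(action=t[2], proto=t[3], src="", src_wc="", dst="", dst_wc="")
    e.src, e.src_wc, t = take_addr(t[4:])
    e.dst, e.dst_wc, t = take_addr(t)
    while t:
        if t[0] in ("eq", "neq", "lt", "gt"):
            e.dport_op, e.dport, t = t[0], int(t[1]), t[2:]
        elif t[0] == "established":
            e.established, t = True, t[1:]
        else:
            raise ValueError(f"unsupported keyword {t[0]!r} in {line!r}")
    return e

def matches(e: ExtEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if masked(p.src, e.src_wc) != masked(e.src, e.src_wc):
        return False
    if masked(p.dst, e.dst_wc) != masked(e.dst, e.dst_wc):
        return False
    if e.dport_op is not None:
        port_ok = {"eq": p.dport == e.dport, "neq": p.dport != e.dport,
                   "lt": p.dport < e.dport, "gt": p.dport > e.dport}[e.dport_op]
        if not port_ok:
            return False
    if e.established and not p.ack:     # only segments with the ACK bit set
        return False
    return True

def evaluate(acl: List[ExtEntry], p: Packet) -> str:
    """First match wins; a packet matching nothing hits the implicit 'deny any'."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# Requirements 1 and 4, assumed to be applied inbound on the Internet-facing interface:
INBOUND_FROM_INTERNET = [parse_extended(l) for l in [
    "access-list 101 deny tcp any host 172.16.3.100 eq 23",   # no telnet to 172.16.3.100
    "access-list 101 deny tcp any host 172.16.3.100 eq 21",   # no ftp to 172.16.3.100
    "access-list 101 deny tcp any host 172.16.4.13 eq 23",    # no telnet to 172.16.4.13
    "access-list 101 deny tcp any host 172.16.4.13 eq 21",    # no ftp to 172.16.4.13
    "access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established",  # replies to inside-opened sessions
    "access-list 101 permit tcp any host 172.16.4.13 eq 80",  # web site; anything else to it hits implicit deny
]]

OUTSIDE = "198.51.100.7"   # constructed outside address (documentation range)

def demo() -> dict:
    acl = INBOUND_FROM_INTERNET
    return {
        "telnet to 172.16.3.100": evaluate(acl, Packet("tcp", OUTSIDE, "172.16.3.100", 40000, 23)),
        "ftp to 172.16.4.13": evaluate(acl, Packet("tcp", OUTSIDE, "172.16.4.13", 40001, 21)),
        "http to 172.16.4.13": evaluate(acl, Packet("tcp", OUTSIDE, "172.16.4.13", 40002, 80)),
        "port 8080 to 172.16.4.13": evaluate(acl, Packet("tcp", OUTSIDE, "172.16.4.13", 40003, 8080)),
        "reply (ACK) to inside client": evaluate(acl, Packet("tcp", "65.10.13.133", "172.16.3.50", 443, 40000, ack=True)),
        "new SYN to inside client": evaluate(acl, Packet("tcp", OUTSIDE, "172.16.3.50", 40005, 445)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<32} {verdict}")
```

The two inside-client cases show what established buys: a reply segment carrying ACK is let back in, while a fresh connection attempt from outside has no ACK, matches nothing, and is dropped by the implicit deny. The four explicit deny lines sit before the established line on purpose, so a telnet or ftp segment to the protected hosts is refused regardless of its flags.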

ACL Challenge
• Outer-network can't ping into inner-network
• Do not allow outer-network to access inner-network except the web service on Web Server (.66).
• Traffic between Net1 and Net3 is not allowed
• Other networks can only access the web service .96 on Web Server
• Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link
• Telnet to routers only from PC1
• All other kinds of traffic are allowed

[Topology diagram, labels only: Internet; routers R_1, R_2, R_3 with interfaces E0, E1, S0, S1; 192.169.10.0/24; Net1 .32 (PC1); PC2; Net2 .64 (PC3); Net3; Web Server]

Summary
• ACL definition
• How ACLs work
• Wildcard mask
• Standard numbered ACL configuration
• Extended numbered ACL configuration
• Named ACL configuration
• Placing ACLs

CCNA2 – Module11
