
Chapter 09 access control lists Fetel Academy


DOCUMENT INFORMATION

Basic information

Title: Access Control Lists
Instructor: Nguyen Viet Ha
School: University of Science, Ho Chi Minh City
Major: Networking
Type: Chapter
City: Ho Chi Minh City
Pages: 134
Size: 32 MB


Contents

Access Control lists

Page 1

ELECTRONICS AND TELECOMMUNICATION FACULTY

CISCO NETWORKING ACADEMY

Page 2

Chapter outline:

- IP ACL Operation
- Standard IPv4 ACLs
- Extended IPv4 ACLs
- Contextual Unit: Debug with ACLs
- Troubleshoot ACLs
- Contextual Unit: IPv6 ACLs

Page 3

Objectives

After completing this chapter, you will be able to:

Explain how ACLs are used to filter traffic

Compare standard and extended IPv4 ACLs

Explain how ACLs use wildcard masks

Explain the guidelines for creating ACLs

Explain the guidelines for placement of ACLs

Configure standard IPv4 ACLs to filter traffic according to networking requirements

Modify a standard IPv4 ACL using sequence numbers

Configure a standard ACL to secure vty access

Explain the structure of an extended access control entry (ACE)

Configure extended IPv4 ACLs to filter traffic according to networking requirements

Configure an ACL to limit debug output

Explain how a router processes packets when an ACL is applied

Troubleshoot common ACL errors using CLI commands

Compare IPv4 and IPv6 ACL creation

Configure IPv6 ACLs to filter traffic according to networking requirements

Cisco Networking Academy, Electronics and Telecommunications Faculty, University of Science, Ho Chi Minh City, Vietnam

Page 4

1 IP ACL Operation

Purpose of ACLs

Page 5

What is an ACL?

* An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header

* ACLs perform the following tasks:

  - Limit network traffic to increase network performance

  - Provide traffic flow control

  - Provide a basic level of security for network access

  - Filter traffic based on traffic type

  - Screen hosts to permit or deny access to network services

Page 6

* By default, a router does not have ACLs configured

* In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways

Page 7

* These criteria are defined using ACLs

* An Access Control List (ACL) is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols

* A router acts as a packet filter when it forwards or denies packets according to filtering rules

* An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs)

Page 8

* And from the Layer 4 header:

  - TCP/UDP source port

  - TCP/UDP destination port

(Figure: protocol stack diagram next to the header fields; only the layer labels Data Link and Physical survive)

Page 10

ACL Operation

* Access list statements operate in sequential, logical order

* They evaluate packets from the top down

* Once there is an access list statement match, the router skips the rest of the statements

* If a condition match is true, the packet is permitted or denied

* There is an implicit deny any at the end of every access list

* ACLs do not block packets that originate within the router (i.e. pings, telnets, ssh, etc.)

Page 11

(Figure label: outbound interface)

An outbound ACL filters packets after being routed, regardless of the inbound interface

Page 12

(Flowchart: the packet is tested against the ACL on the outbound interface; no match = Implicit Deny)

Page 13

* The logic used to create the list and the order of the list items is very important

Page 14

ACL Operation

(Figure: packets to interfaces in the access group; Permit (to destination interface))

* If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked

* If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default

Page 15

* Before a packet is forwarded to an outbound interface, the router checks the routing table

* Next, the router checks to see whether the outbound interface is grouped to an ACL (access group command)

Page 16

* If no ACL is present, the packet is forwarded out the interface

* If an ACL is present, the packet is tested by the combination of ACL statements that are associated with that interface

Page 17

ACL Operation

Outbound Interface

* The packet is either permitted (sent to the outbound interface) or denied (dropped)

* If the packet does not meet any of the criteria, it is dropped (Implicit Deny)

Page 18

Activity

Page 19

1 IP ACL Operation

Standard versus Extended IPv4 ACLs

Page 21

access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80

- Permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP)

Page 22

* Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic

Numbered ACL:

- Assign a number based on the protocol to be filtered

  - (1 to 99) and (1300 to 1999): Standard IP ACL

  - (100 to 199) and (2000 to 2699): Extended IP ACL

Page 23

* Using named ACLs:

  - A numbered ACL does not tell you the purpose of the list

  - Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL

- Assign a name to identify the ACL

  - Names can contain alphanumeric characters

  - It is suggested that the name be written in CAPITAL LETTERS

  - Names cannot contain spaces or punctuation

  - Entries can be added or deleted within the ACL

Page 24

1 IP ACL Operation

Wildcard Masks in ACLs

Page 25

Introducing ACL Wildcard Masking

* Wildcard Masking:

  - ACL statements include wildcard masks

    - (Remember OSPF network entries?)

  - A wildcard mask is a string of binary digits telling the router to check specific parts of the subnet number

    - The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits

  - Wildcard masks are referred to as an inverse mask

    - Unlike a subnet mask, in which binary 1 is equal to a match (network) and binary 0 is not a match (host), the reverse is true

    - It also does not have to be contiguous 1's and 0's

Page 26

  - Wildcard mask bit 0:

    - The corresponding bit value in the IP address to be tested must match the bit value in the address specified in the ACL

  - Wildcard mask bit 1:

    - Ignore the corresponding bit value

Page 27

Octet Bit Position and Address Value for Bit: 128 64 32 16 8 4 2 1

Examples:

0 0 0 0 0 0 0 0 = Match All Address Bits (Match All)

0 0 1 1 1 1 1 1 = Ignore Last 6 Address Bits

0 0 0 0 1 1 1 1 = Ignore Last 4 Address Bits

1 1 1 1 1 1 0 0 = Ignore First 6 Address Bits

1 1 1 1 1 1 1 1 = Ignore All Bits in Octet

0 means to match the value of the corresponding address bit

1 means to ignore the value of the corresponding address bit

Page 30

Calculating the Wildcard Mask

Network 172.16.32.0, Subnet Mask 255.255.240.0

We can calculate the Wildcard Mask using the Subnet Mask

Page 31

Calculating the Wildcard Mask

Address and wildcard mask pairs:

- 172.16.10.100 0.0.0.0
- 192.168.1.100 0.0.0.0
- 0.0.0.0 255.255.255.255

Page 32

Example 1

* 192.168.10.10 0.0.0.0 matches all of the address bits

* Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 192.168.10.10)

Example 2

* 0.0.0.0 255.255.255.255 ignores all address bits (Ignore All Bits)

* Abbreviate this expression with the keyword any

Page 33

Example 1:

R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255

R1(config)# access-list 1 permit any

Example 2:

R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0

R1(config)# access-list 1 permit host 192.168.10.10

Page 34

Determine the Correct Wildcard Mask

Page 35

Determine the Permit or Deny

Page 36

1 IP ACL Operation

Guidelines for ACL creation

Page 38

General Guidelines for Creating ACLs

1 One ACL per protocol:

  - An ACL must be defined for each protocol enabled on the interface

2 One ACL per direction:

  - ACLs control traffic in one direction at a time on an interface

  - Two separate ACLs must be created to control:

    - Inbound traffic: traffic coming into the interface

    - Outbound traffic: traffic leaving an interface

3 One ACL per interface:

  - ACLs control traffic for an interface (Gi0/0, S0/0/0)

Page 39

(Figure: a router with two interfaces and two protocols; only the label IPv4 is legible)

One list per interface, per direction, and per protocol

With two interfaces and two protocols running, this router could have a total of 8 separate ACLs applied

The three Ps for using ACLs

You can only have one ACL per protocol, per interface, and per direction:

* One ACL per protocol (e.g., IPv4 or IPv6)

* One ACL per direction (i.e., IN or OUT)

* One ACL per interface (e.g., FastEthernet0/0)

Page 40

ACL Best Practices

Guideline | Benefit

Base your ACLs on the security policy | This will ensure you implement organizational

Prepare a description of what you | This will help you avoid inadvertently creating

Use a text editor to create, edit, and | This will help you create a library of reusable

Test your ACLs on a development network before implementing them on a production network | This will help you avoid costly errors

Page 42

1 IP ACL Operation

Guidelines for ACL Placement

Page 43

Where to Place ACLs

* Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:

  - Standard ACLs: place standard ACLs as close to the destination as possible, because they do not specify destination addresses

  - Extended ACLs: locate extended ACLs as close as possible to the source of the traffic to be filtered

    - Undesirable traffic is filtered without crossing the network infrastructure

* Placement of the ACL, and therefore the type of ACL used, may also depend on: the extent of the network administrator's control, the bandwidth of the networks involved, and ease of configuration

Page 46

Placing Standard and Extended ACLs

Page 47

2 Standard IPv4 ACLs

Configure Standard IPv4 ACLs

Page 48

Entering Criteria Statements

* Entering Criteria Statements:

  - Traffic is compared to ACL statements based on the order that the entries occur in the router

  - The router continues to process the ACL statements until

Page 49

Entering Criteria Statements

* Entering Criteria Statements:

  - A single-entry ACL with only one deny entry has the effect of denying all traffic

  - You must have at least one permit statement in an ACL or all traffic is blocked

Page 50

Configuring a Standard ACL

* To configure a standard ACL you must:

  1 Create the standard ACL

  2 Activate the ACL on an interface

  - The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99 or 1300 to 1999

Router(config)# access-list access-list-number [deny | permit | remark] source [source-wildcard]
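As an added example (not part of the original slides), the following Python models how a router evaluates a standard IPv4 ACL as described in the ACL Operation and wildcard mask slides: wildcard-mask matching of the source address, top-down first-match processing, the implicit deny any at the end, the host and any abbreviations, and deriving the wildcard mask from a subnet mask as on the 172.16.32.0 / 255.255.240.0 slide. The ACL entries and test addresses are constructed for illustration.

```python
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask, e.g. 255.255.240.0 -> 0.0.15.255."""
    inv = ~int(ipaddress.IPv4Address(subnet_mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inv))

def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0: address bit must match the ACE; bit 1: ignore that bit."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(ace_addr))
    return (a & keep) == (b & keep)

def parse_ace(line: str):
    """Parse 'access-list N {permit|deny|remark} source [wildcard]'; None for remarks."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    action, src = tok[2], tok[3:]
    if src[0] == "host":  # host X is shorthand for X 0.0.0.0
        return action, src[1], "0.0.0.0"
    if src[0] == "any":   # any is shorthand for 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    return action, src[0], (src[1] if len(src) > 1 else "0.0.0.0")

def evaluate(acl_lines, src_ip: str):
    """Top-down, first match wins; falling off the end hits the implicit deny any."""
    for lineno, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace is None:
            continue
        action, ace_addr, wildcard = ace
        if wildcard_match(src_ip, ace_addr, wildcard):
            return action, f"line {lineno}: {line}"
    return "deny", "implicit deny any"

# Constructed ACL (not from the slides): deny one host, then permit its /24 and 172.16.32.0/20.
ACL_1 = [
    "access-list 1 remark deny one workstation, allow the rest of its LAN",
    "access-list 1 deny host 192.168.10.10",
    "access-list 1 permit 192.168.10.0 0.0.0.255",
    "access-list 1 permit 172.16.32.0 " + wildcard_from_mask("255.255.240.0"),
]
# Same entries with the deny after the permit: the host is never denied (the ordering mistake).
ACL_1_WRONG_ORDER = [ACL_1[2], ACL_1[1], ACL_1[3]]

if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.77", "172.16.47.1", "172.16.48.1"):
        print(ip, "->", evaluate(ACL_1, ip))
    print("wrong order:", evaluate(ACL_1_WRONG_ORDER, "192.168.10.10"))
```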


Posted: 18/05/2014, 09:28