1102.book Page 839 Tuesday, May 20, 2003 2:53 PM
Upon completion of this chapter, you will be able to
■ Understand the purpose of ACLs
■ Describe how ACLs work
■ Determine which wildcard mask should be used
■ Describe and use standard ACLs, extended ACLs, and named ACLs
■ Describe a simple firewall architecture
Chapter 20
Access Control Lists
In this chapter, you learn about using standard and extended access control lists (ACLs) as a means to control network traffic and how ACLs are used as part of a security solution.
In addition, this chapter includes tips, considerations, recommendations, and general guidelines on how to use ACLs, and includes the commands and configurations needed to create ACLs. Finally, this chapter provides examples of standard and extended ACLs and shows how to apply ACLs to router interfaces.
Please be sure to look at this chapter’s associated e-Labs, Videos, and PhotoZooms that you will find on the CD-ROM accompanying this book. These CD elements are designed to supplement the material and reinforce the concepts introduced in this chapter.
ACL Overview
Network administrators must be capable of denying unwanted access to the network while allowing appropriate access. Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls that most administrators prefer. For example, a network administrator might want to allow users access to the Internet but might not want external users Telnetting into the LAN.
Routers provide basic traffic-filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols.
It is important to configure ACLs correctly and to know where to place ACLs on the network. ACLs serve multiple purposes in a network. Common ACL functions include the following:
■ Filtering packets internally
■ Protecting the internal network from illegal Internet access
■ Restricting access to virtual terminal ports
ACLs are lists of instructions that you apply to a router’s interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address, and TCP/UDP port number.
ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL.
ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX), to filter packets as the packets pass through a router. ACLs can be configured at the router to control access to a network or subnet. ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. ACL conditions could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, the port, or applications.
ACLs must be defined on a per-protocol basis. In other words, you must define an ACL for every protocol enabled on an interface if you want to control traffic flow for that protocol on that interface. (Note that some protocols refer to ACLs as filters.) For example, if your router interface were configured for IP, AppleTalk, and IPX, you would need to define at least three ACLs. As shown in Figure 20-1, ACLs can be used as a tool for network control by adding the flexibility to filter the packets that flow in or out of router interfaces. This is accomplished by establishing a numbering range or scheme for each protocol’s ACL. You learn more about the ACL numbers later in this chapter.
NOTE
ACLs consume CPU resources in the router because every packet has to be punted to the CPU.
Figure 20-1 ACL Example
Why Create ACLs?
Many reasons exist for creating ACLs. ACLs can be used to do the following:
■ Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of a protocol. This is referred to as queuing. Queuing ensures that routers will not process packets that are not needed. As a result, queuing limits network traffic and reduces network congestion.
■ Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to limit information about specific networks from propagating through the network.
■ Provide a basic level of security for network access. ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 20-2, Host A is allowed to access the Human Resources network, and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network.
■ Decide which type of traffic is forwarded or blocked at the router interface. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
[Figure 20-1 labels: FDDI, Token Ring, 172.16.0.0, 172.17.0.0, Internet, ACL]
NOTE
The rule of thumb is one ACL per interface per direction.
chpt_20.fm Page 843 Tuesday, May 27, 2003 9:18 AM
Figure 20-2 Limiting Network Traffic
Creating an ACL: Why Order Matters
Order matters when creating an ACL. As traffic enters or exits a router’s interface where an ACL is applied, Cisco IOS Software compares the packet against the rules defined in the ACL. Statements are evaluated in the order they were entered into the ACL by the network administrator. The packet is compared against one statement at a time, in sequence, until a match is found. After a match is found, the action specified in the line matching the traffic in question is taken. No more conditions are checked.
For example, if a condition statement permitting all traffic is created, statements added later will never be checked. If additional statements are required or if statements must be changed, you must delete the ACL and re-create it with the new statements. It is a good idea to use a PC text editor to create and modify ACLs and then send them to the router via Trivial File Transfer Protocol (TFTP) or HyperTerminal text file transfer.
Using ACLs
You can create an ACL for each protocol that you want to filter for each router interface. For some protocols, you create one ACL to filter inbound traffic and one ACL to filter outbound traffic.
After an ACL statement checks a packet for a match, the packet can be denied or permitted to use an interface in the access group. Cisco IOS Software ACLs check the packet and upper-layer headers, as shown in Figure 20-3.
[Figure 20-2 labels: Human Resources Network, Research and Development Network, Host A, Host B, X (blocked)]
NOTE
When an ACL is created, new lines are added to the end of the ACL. Individual lines cannot be deleted. Only entire ACLs can be deleted.
Figure 20-3 Checking the Packet and Upper-Layer Headers
How ACLs Work
An ACL is a group of statements that define how packets do the following:
■ Enter inbound router interfaces
■ Relay through the router
■ Exit outbound router interfaces
As shown in Figure 20-4, the beginning of the communication process is the same whether ACLs are used or not. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. Then the router checks whether the inbound interface has an ACL. If one exists, the packet is tested against the conditions in the list. If the packet is allowed, it then is checked against routing table entries to determine the destination interface. ACLs do not filter packets that originate in the router itself, only packets from other sources.
Next, the router checks whether the destination interface has an ACL. If it does not, the packet can be sent to the destination interface directly; for example, if it will use E0, which has no ACLs, the packet uses E0 directly.
ACL statements operate in a sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit deny any statement is imposed. Even though you will not see the deny any as the last line of an ACL, it is there by default. In Figure 20-5, if by matching the first test a packet is denied access to the destination, it is discarded and dropped into the bit bucket. It is not exposed to any ACL tests that follow. If the packet does not match the conditions of the first test, it drops to the next statement in the ACL.
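The sequential first-match walk described here and under “Creating an ACL: Why Order Matters”, as an added Python model that is not part of the chapter and not Cisco software. It evaluates standard IP ACL statements in entry order, applies the implicit deny any when nothing matches, and flags statements that an earlier statement makes unreachable (the “permit any entered first” mistake). The ACL numbers, addresses and wildcards in it are constructed for the illustration.

```python
"""Added example (not from the chapter): first-match evaluation of a standard IP ACL.

Models how the router walks a standard ACL: statements are tested in the order
they were entered, the first matching statement decides, and a packet that
matches nothing is dropped by the implicit 'deny any'. It also reports statements
that an earlier statement makes unreachable. All ACL numbers and addresses
below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple


class Entry(NamedTuple):
    action: str     # "permit" or "deny"
    network: int    # address part as a 32-bit integer
    wildcard: int   # wildcard mask: bit 0 = check this bit, bit 1 = ignore it


def parse_standard(line: str) -> Entry:
    """Parse 'access-list N permit|deny ADDRESS [WILDCARD]'.

    'any' stands for 0.0.0.0 255.255.255.255; an address with no wildcard
    means a single host (wildcard 0.0.0.0), as in Example 20-1."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    if parts[3] == "any":
        return Entry(parts[2], 0, 0xFFFFFFFF)
    network = int(ipaddress.IPv4Address(parts[3]))
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return Entry(parts[2], network, wildcard)


def matches(entry: Entry, address: int) -> bool:
    """A packet matches when every checked bit (wildcard bit 0) equals the entry's bit."""
    checked = 0xFFFFFFFF ^ entry.wildcard
    return (address & checked) == (entry.network & checked)


def evaluate(acl: List[Entry], source: str) -> str:
    """Return 'permit' or 'deny' for a source address: the first match wins."""
    address = int(ipaddress.IPv4Address(source))
    for entry in acl:
        if matches(entry, address):
            return entry.action
    return "deny"  # the implicit deny any at the end of every ACL


def shadowed(acl: List[Entry]) -> List[int]:
    """Indexes of statements that can never match.

    Statement j is unreachable if an earlier statement i checks only bits that j
    also checks and agrees with j on all of them: every address j describes has
    then already matched i."""
    unreachable = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            checked = 0xFFFFFFFF ^ earlier.wildcard
            if (later.wildcard & checked) == 0 and \
                    (later.network & checked) == (earlier.network & checked):
                unreachable.append(j)
                break
    return unreachable


# Constructed sample: 'permit any' entered first shadows the deny that follows it.
SHADOWED_ACL = [parse_standard(s) for s in (
    "access-list 10 permit any",
    "access-list 10 deny 192.168.1.0 0.0.0.255",
)]
# The same two statements in the intended order.
ORDERED_ACL = [parse_standard(s) for s in (
    "access-list 11 deny 192.168.1.0 0.0.0.255",
    "access-list 11 permit any",
)]

if __name__ == "__main__":
    for source in ("192.168.1.7", "10.0.0.5"):
        print(source, "shadowed:", evaluate(SHADOWED_ACL, source),
              "ordered:", evaluate(ORDERED_ACL, source))
    print("unreachable statements in SHADOWED_ACL:", shadowed(SHADOWED_ACL))
```

Running it shows 192.168.1.7 permitted by the first list and denied by the second, and shadowed() reporting the deny in SHADOWED_ACL as dead. Because lines cannot be deleted individually and the list must be re-created to change order, running a check like shadowed() over the text-editor copy before sending it to the router catches the ordering mistake before it is applied to an interface.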
[Figure 20-3 labels: Frame Header (For Example, HDLC); Packet (IP Header): Source Address, Destination Address, Protocol; Segment (For Example, TCP Header): Port Number; Data; Use Access List Statements to Test the Packet; Permit / Deny]
Figure 20-4 How ACLs Work
Figure 20-5 ACL Test Matching and Implicit deny any
[Figure 20-4 flowchart labels: Packets, Inbound Interface, Route/Bridge?, ACL?, Test ACL Statements, Permit?, Table Entry?, Choose Interface, Outbound Interfaces, Packet Discard Bucket, Unwanted Packet, Firewall, Notify Sender]
[Figure 20-5 flowchart labels: Packets, Match First Test, Match Next Test(s), Match Next Test, Permit, Deny, Implicit Deny, Packet Discard Bucket, Packets to Interface(s) in the Access Group, Destination Interface(s)]
ACLs enable you to control what clients can access on your network. Conditions in an ACL file can do the following:
■ Screen out certain hosts to either allow or deny access to part of your network
■ Grant or deny users permission to access only certain types of applications, such as FTP or HTTP
ACL Configuration Tasks
In practice, ACL commands can be lengthy character strings. Key tasks covered in this section for creating ACLs include the following:
■ You create ACLs by using global configuration mode.
■ Specifying an ACL number from 1 to 99 defines a standard ACL for IP and instructs the router to accept standard ACL statements.
■ Specifying an ACL number from 100 to 199 defines an extended ACL for IP and instructs the router to accept extended ACL statements.
■ You must carefully select and logically order the ACL. Permitted IP protocols must be specified; all other protocols should be denied unless required.
■ You need to select which protocols to check; any other protocols are not checked. Later in the procedure, you can specify an optional destination port for more precision.
■ You apply an ACL to an interface.
Although each protocol has its own set of specific tasks and rules that are required to provide traffic filtering, in general most protocols require two basic steps:
ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic, depending on the configuration and how they are applied. Outbound ACLs generally are more efficient than inbound and, therefore, are preferred. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.
Assigning a Unique Number to Each ACL
When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol’s ACL. When you use a number to identify an ACL, the
number must be within the specific range of numbers that is valid for the protocol. Example 20-1 defines ACLs 1 and 2 and applies the ACLs to interface Ethernet 0.
Example 20-1 Assigning ACLs to an Interface
access-list 1 permit 5.6.0.0 0.0.255.255
access-list 1 deny 7.9.0.0 0.0.255.255
!
access-list 2 permit 1.2.3.4
access-list 2 deny 1.2.0.0 0.0.255.255
!
interface ethernet 0
ip address 1.1.1.1 255.0.0.0
!
ip access-group 1 in
ip access-group 2 out
Table 20-1 lists valid protocol ACL numbers.
Table 20-1 Protocols, ACLs, and Their Corresponding Numbers
IPX Service Advertising Protocol 1000 to 1099
Using Wildcard Mask Bits
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means “check the corresponding bit value,” and a wildcard mask bit of 1 means “do not check (ignore) that corresponding bit value” (see Figure 20-6).
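The mask arithmetic behind “Using Wildcard Mask Bits” and the wildcards used in Example 20-1, as an added Python example that is not part of the chapter and not Cisco software. It derives a wildcard from a subnet mask or prefix length, renders which bits of each octet the router checks (mask bit 0) or ignores (mask bit 1) in the manner of Figure 20-6, and counts the addresses a network/wildcard pair covers. The function names and the sample 10.1.1.5 statement are the example’s own; the 5.6.0.0 and 1.2.3.4 entries are taken from Example 20-1.

```python
"""Added example (not from the chapter): wildcard mask bits and what they cover.

Derives wildcard masks, shows the checked/ignored bits per octet, and counts
the addresses a network/wildcard pair matches. Sample statements are labelled
where they are constructed rather than taken from Example 20-1.
"""
import ipaddress
from typing import Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return _to_dotted(0xFFFFFFFF ^ _to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Prefix length to wildcard: /16 -> 0.0.255.255, /32 (one host) -> 0.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def checked_bits(wildcard: str) -> str:
    """Render each octet as 8 characters: 'c' where the router checks the bit
    (wildcard bit 0), 'i' where it ignores the bit (wildcard bit 1)."""
    value = _to_int(wildcard)
    octets = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return " ".join(
        "".join("i" if (octet >> (7 - bit)) & 1 else "c" for bit in range(8))
        for octet in octets
    )


def coverage(network: str, wildcard: str) -> Tuple[str, int]:
    """Normalise a statement and count the addresses it matches.

    Bits the wildcard ignores are irrelevant in the network part, so they are
    cleared here; each ignored bit doubles the number of matching addresses."""
    wc = _to_int(wildcard)
    base = _to_int(network) & (0xFFFFFFFF ^ wc)
    return _to_dotted(base), 1 << bin(wc).count("1")


# Entries from Example 20-1: the second has no wildcard, which means a single host.
EXAMPLE_20_1 = [
    ("5.6.0.0", "0.0.255.255"),   # access-list 1 permit 5.6.0.0 0.0.255.255
    ("1.2.3.4", "0.0.0.0"),       # access-list 2 permit 1.2.3.4
]
# Constructed statement whose network part carries host bits the wildcard ignores.
CONSTRUCTED = ("10.1.1.5", "0.0.0.255")

if __name__ == "__main__":
    print("255.255.0.0 ->", wildcard_from_mask("255.255.0.0"), " /24 ->", wildcard_from_prefix(24))
    for network, wildcard in EXAMPLE_20_1 + [CONSTRUCTED]:
        base, count = coverage(network, wildcard)
        print(f"{network} {wildcard}: {checked_bits(wildcard)} -> {base}, {count} address(es)")
```

The coverage() count is the quick sanity check when reviewing a list: a statement meant for one subnet that reports 65536 addresses, or a wildcard typed as 0.0.255.255 where 0.0.0.255 was intended, stands out immediately.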