Chapter 51
Chap 5 – Access Control Lists Learning Objectives
• Explain how ACLs are used to secure a medium-size Enterprise branch office network.
• Configure standard ACLs in a medium-size Enterprise branch office network.
• Configure extended ACLs in a medium-size Enterprise branch office network.
• Not NAMED ACLs – Different configuration method.
• Describe complex ACLs in a medium-size Enterprise branch office network.
• Implement, verify and troubleshoot ACLs in an enterprise network environment.
Chapter 5
How it fits in
• Chapter 5 of CCNA4 online material• Assessed in skills test
• You’ll need to create an ACL• Assessed in end test
• There’ll be some questions about ACLS• Recommended labs –
• 5.2.4 and 5.2.8 (at end of lecture)• 5.5.1, 5.5.2, 5.5.3 (on askgeoff)
2
Chapter 53
Access Control Lists (ACL)
ACLs are lists of instructions applied to a router's interface
to tell the router which kind of packets to permit and which
kind to deny.
Chapter 54
• An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
1. Source IP address2. Destination IP address3. ICMP message type
• The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
1. TCP/UDP source port2. TCP/UDP destination port
Access Control Lists (ACL)
Chapter 55
•Limit network traffic and increase network performance. Provide traffic flow control.
•ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
•Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
•Decide which types of traffic are forwarded or blocked at the router interfaces. ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.
•Control which areas a client can access on a network.
•ACLs can be used to permit or deny a user to access file types such as FTP or HTTP.
Access Control Lists (ACL)
Chapter 56
How ACLs Work
•ACLs must be defined on a per protocol, per direction, or per port basis.
•To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
•ACLs control traffic in one direction at a time on an interface.
Chapter 57
NoNoDefault
Deny
How ACLs Work•ACL statements operate in sequential, logical order, from top to bottom.•If a condition is matched, the packet is permitted or denied and the rest of the ACL isn’t checked.•An implicit deny any statement is at end of all lists by default. •This last line "deny any" is not visible but it will not allow any unmatched packets to be permitted.
L3 address match?
No
Yes ACL on interface?Yes
No
Route packet to outbound interface
No
Yes
ACL on interface?Yes
Any matches?
Permit?
Yes
NoDefaultDeny
Yes
Forward packet
Frame arrives at inbound interface
Permit?
Yes
Any matches?
Chapter 58
Wildcard Masks• ACLs statements include masks, also called wildcard
masks. The mask determines how much of an IP source or destination address to apply to the address match. The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits. They are different to subnet masks, and follow different rules.
• Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s. Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address.
• Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single or several IP addresses
Chapter 59
Wildcards (Inverse Mask)
• Allows you to indicate a host, subnet, network or range of IP addresses.
• The two binary values in the wildcard have different meanings:
0 = Must Match Exactly1 = Ignore
Chapter 510
Source IP Wildcard172.16.10.10 0.0.0.0
Wildcard Masks
10101100.00010000. 00001010. 00001010Source IP
Wildcard 00000000.00000000. 00000000. 00000000
Mustmatch
Mustmatch
Mustmatch
Range of matching addresses:172.16.10.10 only
Mustmatch
Chapter 511
Source IP Wildcard172.16.10.00.0.0.255
Wildcard Masks
10101100.00010000. 00001010. 00000000Source IP
Wildcard 00000000.00000000. 00000000. 11111111
Mustmatch
Mustmatch
Mustmatch
Don’tCare
Range of matching addresses:172.16.10.0 to 172.16.10.255
Chapter 512
Source IP Wildcard172.16.10.00.0.255.255
Wildcard Masks
10101100.00010000. 00001010. 00000000Source IP
Wildcard 00000000.00000000. 11111111. 11111111
Mustmatch
Mustmatch
Don’tCare
Don’tCare
Range of matching addresses:172.16.0.0 to 172.16.255.255
Chapter 513
Wildcard Mask Keywords• The keywords host and any help identify the most
common uses of wildcard masking, eliminating the need to enter wildcard masks when identifying a specific host or network.
•The host option substitutes for the 0.0.0.0 mask: Instead of entering 192.168.10.10 0.0.0.0, use host 192.168.10.10.
•The any option substitutes for the IP address and 255.255.255.255 mask: instead of entering 0.0.0.0 255.255.255.255, can use the keyword any by itself.
Chapter 514
Standard ACLs• Standard ACLs allow you to permit or deny traffic from
source IP addresses.
• The destination of the packet and the ports involved do not matter.
•The example allows all traffic from network 192.168.30.0/24 network.
•Because of the implied deny any at the end, all other traffic is blocked with this ACL.
•Standard ACLs are created in global configuration mode.
Chapter 515
•Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
•In the example, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host using port 80 (HTTP).
•Extended ACLs are created in global configuration mode.
Extended ACLs
Chapter 516
Numbering & Naming ACLs
Numbered ACLs - Assign a number based on which protocol is to be filtered filtered:• (1 to 99) and (1300 to 1999): Standard IP ACL• (100 to 199) and (2000 to 2699): Extended IP ACL
Named ACLs - assign a name by providing the name of
the ACL: (only after IOS Release 11.2!)• Names can contain alphanumeric characters.• Recommended that the name be written in
CAPITAL LETTERS.• Names cannot contain spaces or punctuation
and mustbegin with a letter.• Possible to add or delete entries within the
ACL.
Chapter 517
ACL Placement
• Standard ACLs should be placed close to the destination. (standard ACLs can only permit/deny according to SOURCE)
• Extended ACLs should be placed close to the source. Extended ACL’s can act on a wider range of parameters
Chapter 518
ACL Best Practice
• Base ACLs on the security policy of the organisation.
• Prepare a description of what ACLs are required to do.
• Use a text editor to create, edit and save ACLs.• DON’T create them on the fly!
• Test ACLs on a development network before implementing them on a production network.
Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor
network service. Before starting to configure an ACL, basic planning is required:
Chapter 519
Editing Numbered ACLs• When configuring an ACL, the statements are added in the order that they
are entered at the end of the ACL. However, there is no built-in editing feature that allows you to edit a change in an ACL - selectively inserting or deleting lines is not possible.
• Therefore, any ACL is best constructed in a text editor such as MS Notepad, allowing the ACL to be edited and then pasted into the router as follows:
1. Display the ACL using the sh run command.
2. Highlight the ACL, copy it, and then paste it into MS Notepad. Edit the list as required. Once the ACL is correctly displayed in MS Notepad, highlight it and copy it.
3. In global configuration mode, remove the old access list using the no access-list command. Then paste the new ACL into the configuration of the router.
Chapter 520
Configuring Standard ACLs
R1
192.168.10.1/24
Computer
Fa0/1PC1
192.168.10.10/24
Fa0/2
Fa0/0
Computer
Fa0/1
Fa0/2
Fa0/1
192.168.11.1/24
PC2192.168.11.10/24
192.168.30.0/24
•Both ACLs have the same effect, due to the implicit deny at the end of all ACLs:
Chapter 521
Creating Standard ACLs
access-list # permit/deny source IP wildcard
To delete:
Chapter 522
PacketHeader
SegmentHeader Data
Yes
Yes
No
NoPermit
Permit
Deny
Implicit Deny
Source is 192.168.10.1?
Source is 192.168.10.0
0.0.0.255?
Source is 192.168.0.00.0.255.255?
Source is 192.0.0.0
0.255.255.255?No
No
Yes
Yes
Deny
Standard ACL
access-list 2 deny 192.168.10.1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
Source is Any other address?
Chapter 523
Verify Standard ACLs
•The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. •When reviewing the ACL in the configuration, the remark is also displayed.
Chapter 524
Applying Standard ACLs
R1
192.168.10.1/24
Computer
Fa0/1PC1
192.168.10.10/24
Fa0/2
Fa0/0
Computer
Fa0/1
Fa0/2
Fa0/1
192.168.11.1/24
PC2192.168.11.10/24
10.1.1.1/30
S0/0/0
•After a standard ACL is configured, it is linked to an interface using the ip access-group command:
•Direction refers to the direction in which packets must be are flowing in order for the ACL to check them.
Chapter 525
Standard ACLs to Control VTY Access
R1
192.168.10.1/24
Computer
Fa0/1PC1
192.168.10.10/24
Fa0/2
Fa0/0
Computer
Fa0/1
Fa0/2
Fa0/1
192.168.11.1/24
PC2192.168.11.10/24
10.1.1.1/30
S0/0/0
•Restricting VTY access allows the definition of which IP addresses are allowed Telnet access to the router EXEC process. This technique can be used with with SSH to further improve administrative access security.
Chapter 526
Verifying ACLs
There are many show commands that will verifythe content and placement of ACLs on the router:
• show ip interface • show access-lists• show access-list <ACL-number>• show running-config
Chapter 527
Extended ACLs•Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add additional security.
•What do you think your test will include?
•Like standard ACLs, extended ACLs check the packet source addresses, but they can also check the destination address, protocols and port numbers (or services).
Chapter 528
Extended ACLs
At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number.
Using Port Numbers:
Using Keywords:
Chapter 529
Extended ACLs
•Use the ‘?’ to display a list of layer-4 protocols and their associated port numbers
Chapter 530
Creating Extended ACLs
R2
S0/0/010.1.1.1/30
192.168.10.0/24
Fa0/0 Fa0/0
192.168.11.0/24R1 R3
S0/0/110.2.2.1/30
S0/0/110.2.2. 2/30
ISP
S0/1/0209.165.200.255/27
•Administrator needs to restrict Internet access to allow only website browsing. ACL 103 applies to traffic leaving the 192.168.10.0 network, and ACL 104 to traffic coming into the network.
Chapter 531
Extended ACLs - Established
ComputerOut
In WAN
•Allow access to traffic that originated in the network only •Allow external network testing
A(config)#access-list 101 Permit TCP Any Any EstablishedA(config)#access-list 101 Permit ICMP Any Any Echo-ReplyA(config)#access-list 101 Permit ICMP Any Any Unreachable
Chapter 532
Applying Extended ACLs
R2
S0/0/010.1.1.1/30
192.168.10.0/24
Fa0/0 Fa0/0
192.168.11.0/24R1 R3
S0/0/110.2.2.1/30
S0/0/110.2.2. 2/30
ISP
S0/1/0209.165.200.255/27
•ACL 103 is allowing internal users to access the Internet – it is applied to the S0/0/0 outbound.•ACL 104 is allowing established Internet traffic to enter network 192.168.10.0 – it is applied to S0/0/0 inbound.
Chapter 533
Applying Extended ACLs
R1
192.168.10.1/24
Computer
Fa0/1PC1
192.168.10.10/24
Fa0/2
Fa0/0
Computer
Fa0/1
Fa0/2
Fa0/1
192.168.11.1/24
PC2192.168.11.10/24
10.1.1.1/30
S0/0/0
•Deny FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but permitting all other traffic. FTP requires ports 20 and 21, therefore both eq 20 and eq 21 must be specified to deny FTP
Chapter 534
Applying Extended ACLs
R1
192.168.10.1/24
Computer
Fa0/1PC1
192.168.10.10/24
Fa0/2
Fa0/0
Computer
Fa0/1
Fa0/2
Fa0/1
192.168.11.1/24
PC2192.168.11.10/24
10.1.1.1/30
S0/0/0
•Deny Telnet traffic from 192.168.11.0 leaving interface Fa0/0, but allow all other IP traffic from any other source to any destination out Fa0/0. Note the use of the any keywords, meaning from anywhere going to anywhere.
Chapter 535
Chap 5 – Access Control Lists Learning Objectives
• Explain how ACLs are used to secure a medium-size Enterprise branch office network.
• Configure standard ACLs in a medium-size Enterprise branch office network.
• Configure extended ACLs in a medium-size Enterprise branch office network.
• Describe complex ACLs in a medium-size Enterprise branch office network.
• Implement, verify and troubleshoot ACLs in an enterprise network environment.
Chapter 536
AnyQuestions?
Chapter 537
Lab TopologyChapter 5.2.8 – StandardACLs
S0/0/0 S0/0/1DCE
R2
R1
S0/0/0DCE S0/0/1
10.2.2.0/30
R3
10.1.1.0/30
.1
.2 .1
.2
Computer
PC1192.168.10.10
Fa0/0 Fa0/1
ComputerComputer Computer
Fa0/0
PC2192.168.11.10
PC3192.168.30.10
PC4192.168.30.128
192.168.10.0/24 192.168.11.0/24 192.168.30.0/24
WWW/TFTP192.168.20.254/24
Fa0/0192.168.20.1/254 ISPS0/1/0
S0/0/1DCE209.165.200.224/27
Computer
WWW209.165.201.30/27
Ext Host209.165.202.158/27
Fa0/0
Fa0/1
S1 S2 S3
.225.226
209.165.201.1/27
209.165.202.129/27
•The 192.168.10.0/24 network is allowed access to all locations, except the 192.168.11.0/24 network.
•The 192.168.11.0/24 network is allowed access to all destinations, except to any networks connected to the ISP.
•The 192.168.30.0/10 network is allowed access to all destinations.
•Host 192.168.30.128 is not allowed access outside of the LAN.
•Allow only PC 1 to Telnet to R3
Chapter 538
Lab TopologyChapter 5.3.4 – ExtendedACLs
S0/0/0 S0/0/1DCE
R2
R1
S0/0/0DCE S0/0/1
10.2.2.0/30
R3
10.1.1.0/30
.1
.2 .1
.2
Computer
PC1192.168.10.10
Fa0/0 Fa0/1
Computer
ComputerComputer
Fa0/0
PC2192.168.11.10
PC3192.168.30.10
PC4192.168.30.128
192.168.10.0/24 192.168.11.0/24 192.168.30.0/24
WWW/TFTP192.168.20.254/24
Fa0/0192.168.20.1/254 ISPS0/1/0
S0/0/1DCE209.165.200.224/27
Computer
WWW209.165.201.30/27
Ext Host209.165.202.158/27
Fa0/0
Fa0/1
S1 S2 S3
.225.226
209.165.201.1/27
209.165.202.129/27
•All IP addresses of the 192.168.30.0/24 network are blocked from accessing all IP addresses of the 192.168.20.0/24 network.
•The first half of 192.168.30.0/24 is allowed access to all other destinations.
•The second half of 192.168.30.0/24 network is allowed access to the 192.168.10.0/24 and 192.168.11.0/24 networks.
•The second half of 192.168.30.0/24 is allowed web and ICMP access to all remaining destinations.
•All other access is implicitly denied.
•For the 192.168.10.0/24 network, block Telnet access to all locations and TFTP access to the corporate Web/TFTP server at 192.168.20.254. All other access is allowed.
•For the192.168.11.0/24 network, allow TFTP access and web access to the corporate Web/TFTP server at 192.168.20.254. Block all other traffic from the 192.168.11.0/24 network to the 192.168.20.0/24 network. All other access is allowed.
•Outside hosts are allowed to establish a web session with the internal web server on port 80 only.
•Only established TCP sessions are allowed in.
•Only ping replies are allowed through R2.
Chapter 539
Lab TopologyChapter 5.2.8 /5.3.4 – Standard/Extended
ACLs