CCNA2 Chapter 11: Access Control Lists: Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs

Upload: sabina-burke

Post on 04-Jan-2016



Page 2: ACL – Access Control Lists

ACLs are lists of instructions applied to a router's interfaces.

The ACL tells the router which packets to accept and which to deny.

Acceptance or denial can be based on:

• source address

• destination address

• port number

ACLs are configured on the router to control access to a network or subnet.

ACLs must be defined separately for each protocol: one for IP, one for IPX, one for AppleTalk, etc. They are sometimes called packet filters.

Page 3: Reasons to create ACLs

• limit network traffic and hence increase network performance, i.e. selected packets can be processed before other traffic

• control traffic flow: limit the traffic that passes through the network

• provide security

• decide which traffic is blocked and which is forwarded

Page 4

Cisco IOS checks the packet and upper-layer headers for:

• destination address

• source address

• protocol

• port number

The ACL statements are checked in sequential order; when there is a match, no further statements are checked. If no statement matches, the packet is discarded.

If additional statements are needed in an ACL, the existing ACL statements must be deleted and the ACL re-created. (If the additional statements are added at the end, the ACL statements do not have to be deleted.)

Page 5

When a packet enters an interface:

1) the router checks whether an ACL is applied inbound on that interface.

If there is one, the packet is tested against its conditions. If it passes, then

2) the packet is checked against the routing table to find the destination interface.

Then at the destination interface:

1) the router checks whether an ACL is applied outbound on that interface.

If there is one, the packet is tested against its conditions. If it passes, then

2) the packet is sent out of the interface.

Page 6

ACL statements operate in logical, sequential order. When there is a match, the rest of the conditions are not checked.

If none of the ACL statements match, the implicit deny any at the end of the list applies.

access-list 10 { permit | deny } { test conditions }
access-list 10 { permit | deny } { test conditions }
access-list 10 { permit | deny } { test conditions }
access-list 10 { permit | deny } { test conditions }
access-list 10 { permit | deny } { test conditions }
access-list 10 deny any    (implicit; present at the end of every list even though it is not shown in the configuration)

Page 7

Two types of IP ACL:

• standard - uses an access-list number in the range 1 - 99

• extended - uses an access-list number in the range 100 - 199

ACLs are created in global configuration mode: Router(config)#

Steps in creating ACLs:

1) create the ACL (in global configuration mode)

2) apply the ACL to an interface

ACLs can be written to filter:

• inbound traffic, or

• outbound traffic

Page 8: Where to place ACLs

Standard ACLs are placed as close as possible to the destination.

Extended ACLs are placed as close as possible to the source.

Page 9

Create:

Router(config)# access-list <ACL number> { permit | deny } { test conditions }
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }

Apply (at an interface):

Router(config)# int E0
Router(config-if)# { protocol } access-group <ACL number> [in | out]

out is the default if no direction is given:

Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50

To delete all the statements of an access-list:

Router(config)# no access-list <ACL number>
Router(config)# no access-list 50

Page 10

A wildcard mask is matched against an IP address (or other protocol address).

It is a 32-bit mask divided into 4 octets of 8 bits each.

A 0 bit in the mask means: check the corresponding address bit.

A 1 bit in the mask means: ignore the corresponding address bit.

Page 11: Abbreviations

To permit any address:

0.0.0.0 255.255.255.255
(address, then wildcard mask)

or use the abbreviation any:

Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any

Page 12: Abbreviations

To match all the bits of an IP address (a single host):

EX: 172.30.16.29 0.0.0.0

Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29

Page 13: Standard ACLs

Criteria:

• block all traffic from a network

• allow all traffic from a network

• deny entire protocol suites

Standard ACLs check only the source address.

Router(config)# access-list <ACL number> { deny | permit } source [source wildcard] [log]
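As an added illustration of the evaluation rules on pages 6 and 10 to 13 (first match wins, implicit deny any, 0 bits checked and 1 bits ignored, the any and host abbreviations), here is a small Python model of a numbered standard ACL. It is example code written for this page, not Cisco IOS code and not part of the original slides; the configuration text it parses is constructed from the slide examples, and the parser accepts only the standard-ACL syntax shown on page 13.

```python
import ipaddress

# Constructed sample configuration in the slides' standard-ACL syntax (not a real router config).
# ACL 1 is the list on page 22, ACL 33 the statement on page 14, ACL 44 the statement on page 15.
SAMPLE_CONFIG = """
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit any
access-list 33 permit 172.16.0.0 0.0.255.255 log
access-list 44 deny 172.16.13.7 0.0.0.0 log
"""


def ip_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config_text):
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' lines.

    Returns {acl_number: [(action, match_addr, wildcard, log), ...]} in the order
    the statements appear, because that order is what the router evaluates.
    """
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # blank line or not an ACL statement
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":                    # any  ==  0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":                 # host A.B.C.D  ==  A.B.C.D 0.0.0.0
            addr, wild = rest[1], "0.0.0.0"
        else:
            addr = rest[0]
            wild = rest[1] if len(rest) > 1 else "0.0.0.0"  # omitted wildcard: check every bit
        acls.setdefault(number, []).append((action, ip_int(addr), ip_int(wild), log))
    return acls


def wildcard_match(packet_ip, match_ip, wildcard):
    """A 0 bit in the wildcard is checked, a 1 bit is ignored."""
    checked_bits = ~wildcard & 0xFFFFFFFF
    return ((packet_ip ^ match_ip) & checked_bits) == 0


def evaluate_standard(entries, source_ip):
    """Walk the statements in order; the first match decides.

    Returns (action, index of the matching statement). When nothing matches, the
    implicit 'deny any' at the end of every list applies, reported as ('deny', None).
    """
    src = ip_int(source_ip)
    for index, (action, addr, wild, _log) in enumerate(entries):
        if wildcard_match(src, addr, wild):
            return action, index        # later statements are never examined
    return "deny", None


if __name__ == "__main__":
    acls = parse_standard_acl(SAMPLE_CONFIG)
    for number, source in [(1, "172.16.4.13"), (1, "172.16.4.2"),
                           (33, "172.18.4.2"), (44, "10.0.0.1")]:
        print(f"ACL {number}, source {source}: {evaluate_standard(acls[number], source)}")
```

ACL 44 shows the trap the slides warn about: it contains a single deny and nothing else, so every other source also ends in the implicit deny, and the `log` flag is only carried through here, not acted on.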

Page 14: Standard ACLs

What does this statement do?

access-list 33 permit 172.16.0.0 0.0.255.255 log

Permits all traffic from network 172.16.0.0 and sends a message to the console every time the access list is hit.

Page 15: Standard ACLs

What does this statement do?

access-list 44 deny 172.16.13.7 0.0.0.0 log

Denies traffic from host 172.16.13.7 and sends a message to the console every time the access list is hit.

Page 16: Standard ACLs

What does this statement do?

access-list 55 deny 172.16.64.0 0.0.0.255

Denies all traffic from network 172.16.64.0.

Page 17: Standard ACLs

The log keyword:

Prints messages to the console that include the ACL number, whether the packet was permitted or denied, the source address, and the number of packets.

The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.

Use it for debugging. It is not used on live networks.

Page 18: Standard ACLs

Example of applying the access-list (note: this is done at the interface):

Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out
Router(config-if)# ip access-group 44

Page 19: Standard ACLs

To monitor IP access lists (in EXEC mode):

show access-list
Displays all access lists configured on the router and their parameters. (Does not show which interface a list is applied to.)

show access-list <ACL number>
Shows only the parameters of access list <ACL number>. (Does not show the interface the list is applied to.)

show ip access-list
Shows only the IP access lists configured on the router.

show ip interface
Shows which interfaces have access lists applied.

show running-config
Shows the access lists and which interfaces have access lists applied.

Page 20: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, server 172.16.4.13) and S0 (non-172.16.0.0 networks)]

R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
R(config)# Interface E0
R(config-if)# ip access-group 1 out
R(config)# Interface E1
R(config-if)# ip access-group 1 out

What does it do?

Page 21: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, server 172.16.4.13) and S0 (non-172.16.0.0 networks)]

R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
R(config)# Interface E0
R(config-if)# ip access-group 1 out
R(config)# Interface E1
R(config-if)# ip access-group 1 out

Allows only traffic from source network 172.16.0.0 to be forwarded; non-172.16.0.0 traffic is blocked.

Page 22: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, server 172.16.4.13) and S0 (non-172.16.0.0 networks)]

R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
R(config)# Interface E0
R(config-if)# ip access-group 1 out

What does this do?

Page 23: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, server 172.16.4.13) and S0 (non-172.16.0.0 networks)]

R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
R(config)# Interface E0
R(config-if)# ip access-group 1 out

Denies traffic from the specific device 172.16.4.13 and allows all other traffic through E0 to network 172.16.3.0.

Page 24: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
Interface E0
ip access-group 1 out

What does this do?

Page 25: Standard ACLs

[Diagram: router R with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
Interface E0
ip access-group 1 out

Denies traffic from the subnet 172.16.4.0 and allows all other traffic through E0 to network 172.16.3.0.

Page 26: Extended ACLs

Criteria:

• check both the source and destination addresses of the packet

• check for a specific protocol

• check for specific port numbers

• permit or deny pings, telnets, FTP, etc.

• for IP, the ACL numbers range from 100 to 199

Page 27: Extended ACLs

Port number (decimal)   IP protocol
20                      FTP data
21                      FTP program (control)
23                      Telnet
25                      Simple Mail Transport Protocol (SMTP)
53                      DNS
69                      TFTP

Page 28: Extended ACLs

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask destination destination-mask operator operand [established]

ACL number: 100 - 199
permit | deny: whether the entry allows or blocks the specified address
protocol: IP, TCP, UDP, ICMP, GRE or IGRP
source: source address
source-mask: ACL wildcard mask
destination: destination address
destination-mask: ACL wildcard mask

Page 29: Extended ACLs

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask destination destination-mask operator operand [established]

operator: lt, gt, eq, neq
operand: port number
established: allows TCP traffic to pass only if the packet belongs to an established connection (for example, has the ACK bit set).

access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

Page 30: Extended ACLs

Assign the ACL to an interface:

Router(config-if)# ip access-group <ACL number> { in | out }

NOTE: out is the default (though with the present IOS, you have to type out explicitly).

Router(config)# int E0
Router(config-if)# ip access-group 101 in

Page 31: Extended ACLs

[Diagram: router with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
Interface E0
ip access-group 101

What does this do?

Page 32: Extended ACLs

[Diagram: router with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
Interface E0
ip access-group 101

Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 and allows all other traffic to 172.16.3.0.

Page 33: Extended ACLs

[Diagram: router with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Interface E0
ip access-group 101

What does this do?

Page 34: Extended ACLs

[Diagram: router with interfaces E0 (network 172.16.3.0), E1 (network 172.16.4.0, host 172.16.4.13) and S0 (non-172.16.0.0 networks)]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Interface E0
ip access-group 101

Denies only telnet traffic from network 172.16.4.0 to network 172.16.3.0 and permits all other traffic through E0 to any address.

Page 35: Extended/Standard ACL numbers for IP

NOTE:

Standard ACL numbers: 1-99; 1300-1999

Extended ACL numbers: 100-199; 2000-2699

Page 36: Extended/Standard ACL

One cannot add statements to a numbered access-list (except at the end of the list).

The access list must be deleted first and then rewritten.

That is why it is a good idea to write your access-list in a text file first (using Notepad) and then transfer it to the router.

Outbound filters do not affect traffic originating from the local router!

Page 37: Configuring Named ACLs

NOTE:

• named ACLs are not compatible with Cisco IOS releases prior to Release 11.2

• the same name cannot be used for multiple ACLs. Ex: one cannot have a standard ACL named XYZ and an extended ACL with the same name.

• named ACLs can be used for both standard and extended ACLs

• they use an alphanumeric string instead of the ACL number (1 - 199)

• use named ACLs to identify ACLs intuitively by an alphanumeric name

• use named ACLs when more than 99 standard or 100 extended ACLs need to be configured on a router for a given protocol

Page 38: Configuring Named ACLs

Router(config)# ip access-list { standard | extended } name
{ deny | permit } { conditions }    (entered in the named-ACL sub-mode, one statement per line)

ip access-list standard internetfilter
 deny 172.10.15.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.0.255.255

ip access-list extended marketing-group
 permit tcp any 171.69.0.0 0.255.255.255 eq telnet
 deny udp any 171.69.0.0 0.255.255.255 lt 1024

Page 39: Named ACL

A named ACL allows individual statements to be deleted, but new statements can only be inserted at the end of the list.


Page 41: More Details

access-list 1 permit 172.16.0.0 0.0.255.255

Address:       10101100.00010000.00000000.00000000
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxxx
Matched value: 10101100.00010000.xxxxxxxx.xxxxxxxx

Incoming packet with address 172.18.4.2. Will it be permitted?

Source:        10101100.00010010.00000100.00000010
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxxx
Result:        10101100.00010010.xxxxxxxx.xxxxxxxx

Does the result equal the matched value?

No! The incoming packet will not be permitted.

Page 42

access-list 1 permit 172.16.0.0 0.0.255.255

Address:       10101100.00010000.00000000.00000000
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxxx
Matched value: 10101100.00010000.xxxxxxxx.xxxxxxxx

Incoming packet with address 172.16.4.2. Will it be permitted?

Source:        10101100.00010000.00000100.00000010
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxxx
Result:        10101100.00010000.xxxxxxxx.xxxxxxxx

Does the result equal the matched value?

Yes! The incoming packet will be permitted.

Page 43

access-list 1 permit 172.16.0.0 0.0.255.254

Address:       10101100.00010000.00000000.00000000
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxx0
Matched value: 10101100.00010000.xxxxxxxx.xxxxxxx0

Incoming packet with address 172.16.4.1. Will it be permitted?

Source:        10101100.00010000.00000100.00000001
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxx0
Result:        10101100.00010000.xxxxxxxx.xxxxxxx1

Incoming packet with address 172.16.4.4. Will it be permitted?

Source:        10101100.00010000.00000100.00000100
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxx0
Result:        10101100.00010000.xxxxxxxx.xxxxxxx0

Page 44

access-list 1 permit 172.16.0.0 0.0.255.254

Address:       10101100.00010000.00000000.00000000
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxx0
Matched value: 10101100.00010000.xxxxxxxx.xxxxxxx0

Incoming packet with address 172.16.4.5. Will it be permitted?

Source:        10101100.00010000.00000100.00000101
Wildcard mask: 00000000.00000000.xxxxxxxx.xxxxxxx0
Result:        10101100.00010000.xxxxxxxx.xxxxxxx1

This access list permits 172.16.4.4 and denies 172.16.4.1 and 172.16.4.5.

It permits all even addresses in network 172.16.0.0.
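The bit-by-bit comparison on pages 41 to 44 can be reproduced in code. The following Python helper is an added example written for this page, not part of the slides and not Cisco code: it renders an address in the slides' dotted-binary layout, writes x for every bit the wildcard ignores, and compares the packet's result with the ACL's matched value. The permitted_hosts function goes slightly beyond the slides by testing a whole list of candidate addresses against one statement.

```python
import ipaddress


def dotted_binary(address):
    """'172.16.0.0' -> '10101100.00010000.00000000.00000000' (the slides' layout)."""
    bits = format(int(ipaddress.IPv4Address(address)), "032b")
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def masked_value(address, wildcard):
    """Keep the bits the wildcard checks (0 bits), write 'x' for the bits it ignores (1 bits).

    Applied to the ACL address this is the slides' 'matched value'; applied to a
    packet's source address it is the slides' 'result'. The dots pass through unchanged.
    """
    return "".join("x" if w == "1" else a
                   for a, w in zip(dotted_binary(address), dotted_binary(wildcard)))


def permitted(acl_address, wildcard, packet_address):
    """The slides' test: the packet matches when its result equals the matched value."""
    return masked_value(acl_address, wildcard) == masked_value(packet_address, wildcard)


def explain(acl_address, wildcard, packet_address):
    """The worked comparison as text, laid out the way pages 41 to 44 show it."""
    verdict = "Permitted" if permitted(acl_address, wildcard, packet_address) else "Not permitted"
    return "\n".join([
        f"Matched value: {masked_value(acl_address, wildcard)}",
        f"Source:        {dotted_binary(packet_address)}",
        f"Wildcard mask: {masked_value('0.0.0.0', wildcard)}",
        f"Result:        {masked_value(packet_address, wildcard)}",
        verdict,
    ])


def permitted_hosts(acl_address, wildcard, candidates):
    """Filter a list of candidate addresses down to those the statement would match."""
    return [c for c in candidates if permitted(acl_address, wildcard, c)]


if __name__ == "__main__":
    # The page 41 and page 44 exercises, plus the three page 43/44 hosts in one call.
    print(explain("172.16.0.0", "0.0.255.255", "172.18.4.2"))
    print(explain("172.16.0.0", "0.0.255.254", "172.16.4.5"))
    print(permitted_hosts("172.16.0.0", "0.0.255.254", ["172.16.4.1", "172.16.4.4", "172.16.4.5"]))
```

The string comparison is deliberately literal so that the printout lines up with the slides; a router does the same thing in one integer operation, comparing `(packet XOR address) AND NOT wildcard` with zero.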

Page 45: Permit/Deny blocks of addresses

One can permit or deny a block of addresses. However, the block size must be a power of 2! (Example: 2, 4, 8, 16, 32, 64, 128, etc.)

When we need to specify a range of addresses, choose the closest block size that fits our needs.

Example: block access to the part of a network in the range 172.16.0.8 through 172.16.0.15. This is a block size of 8. Hence:

172.16.0.8 0.0.0.7

Note: the wildcard part is always 1 less than the block size!

Also, in this case, for a block of 8 the beginning address must start at 0, 8, 16, etc. (a multiple of the block size).

Page 46: Permit/Deny blocks of addresses

Example: a subnet whose addresses range from 171.17.2.128 to 171.17.2.191. Divide this network so that the top half of the addresses is permitted and the bottom half is denied access to any other network. What is the access list?

The block size is 64, so each half is a block of 32.

What is the access-list for the bottom half?

access-list 101 deny ip 171.17.2.128 0.0.0.31 any

What is the access-list for the top half?

access-list 101 permit ip 171.17.2.160 0.0.0.31 any

(The top half begins at 171.17.2.160: by the rule on the previous page a block of 32 must start on a multiple of 32, and the wildcard is 32 - 1 = 31.)

Page 47: Permit/Deny blocks of addresses

What does this do?

access-list 10 deny 172.16.64.0 0.0.63.255

Denies a block of 64 subnetworks starting at 172.16.64.0.
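The block-size rules on pages 45 to 47 (power-of-2 size, aligned start, wildcard = size - 1) are easy to get wrong by hand, so here is an added Python example, written for this page and not part of the slides, that computes an address/wildcard pair from a range, splits a range into halves as in the page 46 exercise, and expands a wildcard back into the range it covers. The expansion deliberately handles non-contiguous wildcards such as 0.0.255.254 from page 44, which goes beyond the contiguous blocks the slides discuss.

```python
import ipaddress


def ip_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_ip(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def block_to_wildcard(first_address, block_size):
    """Address/wildcard pair for a block of block_size addresses starting at first_address.

    Enforces the slides' two rules: the block size must be a power of 2, and the
    block must start on a multiple of its size (0, 8, 16, ... for a block of 8).
    The wildcard is always one less than the block size.
    """
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError(f"block size {block_size} is not a power of 2")
    if ip_int(first_address) % block_size:
        raise ValueError(f"{first_address} does not start on a multiple of {block_size}")
    return first_address, int_ip(block_size - 1)


def range_to_wildcard(first_address, last_address):
    """Single address/wildcard covering exactly first..last; raises if no single block fits."""
    size = ip_int(last_address) - ip_int(first_address) + 1
    return block_to_wildcard(first_address, size)


def single_block_fits(first_address, last_address):
    """True when first..last is one aligned power-of-2 block, i.e. one ACL statement suffices."""
    try:
        range_to_wildcard(first_address, last_address)
        return True
    except ValueError:
        return False


def split_halves(first_address, last_address):
    """Bottom and top halves of a range as two address/wildcard pairs (the page 46 exercise)."""
    first, last = ip_int(first_address), ip_int(last_address)
    half = (last - first + 1) // 2
    return (block_to_wildcard(first_address, half),
            block_to_wildcard(int_ip(first + half), half))


def wildcard_to_range(address, wildcard):
    """Lowest and highest address an entry can match, and how many addresses match.

    Works for non-contiguous wildcards too (0.0.255.254 matches every even address):
    the count is 2 to the power of the number of ignored bits, not last - first + 1.
    """
    a, w = ip_int(address), ip_int(wildcard)
    lowest = a & ~w & 0xFFFFFFFF   # ignored bits cleared
    highest = a | w                 # ignored bits set
    return int_ip(lowest), int_ip(highest), 2 ** bin(w).count("1")


if __name__ == "__main__":
    print(range_to_wildcard("172.16.0.8", "172.16.0.15"))        # page 45
    print(split_halves("171.17.2.128", "171.17.2.191"))           # page 46
    print(wildcard_to_range("172.16.64.0", "0.0.63.255"))         # page 47
    print(single_block_fits("171.17.2.159", "171.17.2.190"))      # misaligned start
```

Note that a router does not reject a misaligned start: it applies the wildcard and silently matches the aligned block that contains the address given, which is why the helper raises instead.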

Page 48: Virtual Terminal ACL

To block access through the vty ports, and so control telnet sessions into the router, write the ACL as usual but apply it with access-class.

Example:

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# access-class 1 in

Note: only numbered access lists can be applied to virtual lines!

Page 49: Established option

The established option in an access-list applies only to TCP datagrams. There are cases when one wants to stop a host B from initiating a connection with a host A while permitting A to initiate connections with B.

[Diagram: hosts A and B; A's connection request ("establish") and B's "response" are shown, as is B's own "establish" attempt toward A]

Page 50: Established option

[Diagram: router with interfaces E0 and E1, networks 172.16.3.0 (host 172.16.3.13) and 172.16.4.0, and a link to the INTERNET]

Router(config)# access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
Router(config)# int E1
Router(config-if)# ip access-group 101 in

Note: the established argument is limited to TCP, which means UDP, ICMP and all other IP protocols are not matched by it and will be denied unless specifically permitted.
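To make the extended-ACL syntax of pages 28 and 29 and the established behaviour of pages 49 and 50 concrete, here is an added Python model written for this page; it is not the slides' material and not Cisco code. Assumptions: the Packet class is a constructed stand-in for a real packet; a TCP segment counts as established when its ACK bit is set (IOS also accepts RST, which this model omits); the operator and operand apply to the destination port, as the slides place them; the port-name table holds only the ports listed on page 27 plus www; and the configuration text is constructed from the page 50 list (ACL 101) and the page 31 list (ACL 102).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration in the slides' extended-ACL syntax (not a real router config).
SAMPLE_CONFIG = """
access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq www established
access-list 101 permit icmp any any
access-list 101 permit udp any any eq 53
access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 102 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
"""

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69, "www": 80}
OPERATORS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
             "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}


@dataclass
class Packet:
    protocol: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: int = 0      # the operator/operand in this syntax is tested against the destination port
    ack: bool = False      # TCP ACK bit; 'established' matches only when it is set


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, match_ip, wildcard):
    """0 bits in the wildcard are checked, 1 bits are ignored."""
    return ((packet_ip ^ match_ip) & (~wildcard & 0xFFFFFFFF)) == 0


def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0, tokens[2:]
    return ip_int(tokens[0]), ip_int(tokens[1]), tokens[2:]


def parse_extended(config_text):
    """{acl_number: [entry dicts in configuration order]}."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        entry = {"action": t[2], "proto": t[3].lower(), "op": None, "operand": None, "established": False}
        entry["src"], entry["srcw"], rest = take_address(t[4:])
        entry["dst"], entry["dstw"], rest = take_address(rest)
        while rest:                             # optional operator/operand and established, any order
            tok = rest.pop(0)
            if tok in OPERATORS:
                value = rest.pop(0)
                entry["op"] = tok
                entry["operand"] = PORT_NAMES[value] if value in PORT_NAMES else int(value)
            elif tok == "established":
                entry["established"] = True
        acls.setdefault(int(t[1]), []).append(entry)
    return acls


def entry_matches(entry, pkt):
    """All conditions of one statement must hold; 'ip' matches every protocol."""
    if entry["proto"] != "ip" and entry["proto"] != pkt.protocol:
        return False
    if not wildcard_match(ip_int(pkt.src), entry["src"], entry["srcw"]):
        return False
    if not wildcard_match(ip_int(pkt.dst), entry["dst"], entry["dstw"]):
        return False
    if entry["op"] and not OPERATORS[entry["op"]](pkt.dst_port, entry["operand"]):
        return False
    if entry["established"] and not (pkt.protocol == "tcp" and pkt.ack):
        return False                            # a new connection attempt (SYN, no ACK) does not match
    return True


def evaluate_extended(entries, pkt):
    """First match wins; no match falls to the implicit deny, reported as ('deny', None)."""
    for index, entry in enumerate(entries):
        if entry_matches(entry, pkt):
            return entry["action"], index
    return "deny", None


if __name__ == "__main__":
    acls = parse_extended(SAMPLE_CONFIG)
    reply = Packet("tcp", "203.0.113.5", "172.16.3.13", 80, ack=True)    # part of an existing session
    syn = Packet("tcp", "203.0.113.5", "172.16.3.13", 80, ack=False)     # attempt to open a session
    print(evaluate_extended(acls[101], reply), evaluate_extended(acls[101], syn))
```

The two TCP packets differ only in the ACK bit, and that is what flips the decision between the first statement and the implicit deny; the UDP and ICMP packets never reach the established test at all, which is the point of the note on page 50.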

Page 51: Where to place ACLs?

Cisco's definition:

Standard ACL

Put the ACL as near the destination as possible.

• one might not have access to all the routers

Extended ACL

Put the ACL as close as possible to the source of the traffic being denied.

Page 52: Real life example

Allow host 172.16.3.13 to connect to the internet, but do not allow the internet to initiate any sessions.

[Diagram: router with interfaces E0 and E1, networks 172.16.3.0 (host 172.16.3.13) and 172.16.4.0, and a link to the INTERNET]

Page 53: Established option

[Diagram: router with interfaces E0 and E1, networks 172.16.3.0 (host 172.16.3.13) and 172.16.4.0, and a link to the INTERNET]

Router(config)# access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www
Router(config)# int E1
Router(config-if)# ip access-group 101 in

Page 54: Established option

[Diagram: router with interfaces E0 and E1, networks 172.16.3.0 (host 172.16.3.13) and 172.16.4.0, and a link to the INTERNET]

Router(config)# access-list 101 permit tcp any 172.16.3.13 0.0.0.0 eq www established
Router(config)# int E1
Router(config-if)# ip access-group 101 in