
CCNA Semester2

Module 11 Access Control Lists

Objectives

Standard and extended ACLs
The rules for placement of ACLs
Create and apply named ACLs

Access Control List Fundamentals

What are ACLs


ACLs are lists of conditions applied to traffic travelling across a router's interface. These lists tell the router which packets to accept or deny; acceptance and denial are based on the specified conditions.

ACL

Reasons to create ACLs


Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces.

Testing packets with ACLs


The order in which you place ACL statements is important. A packet is checked against each condition statement, in the order in which the statements were created. After a match is found, no more condition statements are checked. If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.

Configuration task list


ACLs are classified as numbered or named ACLs, and each kind has two types: standard and extended. Configuration involves two steps:
1. Create an ACL
2. Apply the ACL to an interface

Assigning ACL number


The ACL number must fall within the range defined for the protocol.
Modifying a numbered ACL means deleting the entire list and creating a new one.
Remove a numbered ACL: Router(config)# no access-list list-number

Apply Access Lists


An ACL can be assigned to one or more interfaces and can filter inbound or outbound traffic. Only one ACL is allowed per protocol, per direction, per interface. Eg: only one IP access list may be applied to interface s0 in the inbound direction.

Types of Access Control Lists

Standard ACL Overview


Use a standard ACL when you want to:
block all traffic from a network,
allow all traffic from a network,
permit or deny an entire protocol suite.

Standard ACLs check the source address of packets that could be routed. Results in either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.

Standard ACL commands


Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)# ip access-group access-list-number {in | out}

Access list number: 1-99, or 1300-1999 in recent IOS

Wildcard mask bits


A wildcard mask is a 32-bit quantity divided into four octets of 8 bits each. A wildcard mask bit of 0 means "check the corresponding bit value". A wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value".

Wildcard & Subnet mask


Wildcard masks operate differently from IP subnet masks.
Subnet mask: the zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
Wildcard mask: the zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.

Wildcard any

Wildcard host

Examples: any, host

Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any

Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
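The following Python program is an added example (not from the CCNA module or from Cisco IOS) that implements the three ideas introduced above: wildcard-mask matching (0 = check the bit, 1 = ignore it), the "any" and "host" shorthands, and the first-match evaluation with an implicit "deny any" described under "Testing packets with ACLs". The sample access list it evaluates is constructed for the example; the function and variable names are the author's own.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Apply a Cisco wildcard mask: a 0 bit means 'check this bit',
    a 1 bit means 'ignore this bit'.  Returns True if addr matches base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bits that differ between addr and base are tolerated only where the
    # wildcard bit is 1, so the differing bits masked by 'check' bits must be 0.
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def wildcard_from_subnet_mask(mask: str) -> str:
    """The wildcard that checks exactly the network portion defined by a
    subnet mask is that mask's bitwise inverse (255.255.255.0 -> 0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))


def parse_standard_ace(line: str) -> dict:
    """Parse one 'access-list N {permit|deny} source [wildcard]' line,
    including the 'any' and 'host' shorthands shown on the slides."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number, action, src = int(tokens[1]), tokens[2], tokens[3]
    if src == "any":                      # any == 0.0.0.0 255.255.255.255
        base, wild = "0.0.0.0", "255.255.255.255"
    elif src == "host":                   # host A == A 0.0.0.0
        base, wild = tokens[4], "0.0.0.0"
    else:
        base = src
        wild = tokens[4] if len(tokens) > 4 else "0.0.0.0"  # omitted wildcard = host
    return {"number": number, "action": action, "base": base, "wildcard": wild}


def evaluate_standard_acl(aces: list, src_addr: str) -> str:
    """Test a packet's source address against the entries in configured order.
    The first matching entry decides; if none match, the implicit
    'deny any' at the end of every ACL applies."""
    for ace in aces:
        if wildcard_match(src_addr, ace["base"], ace["wildcard"]):
            return ace["action"]
    return "deny"  # implicit deny any


# Constructed sample ACL (not from the slides): permit one host in 172.16.3.0/24,
# deny the rest of that subnet, permit everything else in 172.16.0.0/16.
SAMPLE_ACL = [parse_standard_ace(line) for line in [
    "access-list 1 permit host 172.16.3.100",
    "access-list 1 deny 172.16.3.0 0.0.0.255",
    "access-list 1 permit 172.16.0.0 0.0.255.255",
]]

if __name__ == "__main__":
    for src in ["172.16.3.100", "172.16.3.7", "172.16.4.13", "10.0.0.1"]:
        print(src, evaluate_standard_acl(SAMPLE_ACL, src))
    # Reversing the entries changes the verdict for 172.16.3.7: order matters.
    print("reversed 172.16.3.7", evaluate_standard_acl(SAMPLE_ACL[::-1], "172.16.3.7"))
```

Evaluating the same source against the reversed list shows why statement order matters: the broad permit for 172.16.0.0/16 would match 172.16.3.7 before the more specific deny is ever reached.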

Verifying ACLs
show ip interface: displays IP interface information and indicates whether any ACLs are set.
show access-lists: displays the contents of all ACLs on the router.
show running-config: also reveals the access lists on a router and the interface assignment information.

Show ip interface

Show access-lists

Standard ACL examples

ACL Requirement
1. Do not allow traffic between the outside and network 172.16.3.0
2. Node 172.16.4.13 can only access the Internet; the rest of network 172.16.4.0 (except 172.16.4.13) cannot access the Internet

Extended ACL Overview


Extended ACLs provide a greater range of control than standard ACLs, including:
Protocols (IP, IPX, ICMP, TCP)
Source address (IP address, IPX address)
Destination address
Services or ports (Telnet, HTTP, FTP)
Other parameters (SYN, ACK, Echo)

Extended ACL commands


Router(config)# access-list ACL-number {permit | deny} protocol source [source-mask operator extended-para] destination [destination-mask operator extended-para] [log | log-input]
Router(config-if)# ip access-group access-list-number {in | out}
Access list number: 100-199, or 2000-2699 in recent IOS

Extended ACL parameters


Parameter : Description
access-list : Defines an access list
access-list-number : Protocol-dependent ACL number (100-199)
permit/deny : Defines a statement to allow/block traffic
protocol : The protocol in question, including IP, TCP, UDP, ICMP, GRE
source/destination : Source/destination address
source-mask/destination-mask : Wildcard mask: zero bits must match; one bits are not checked
operator : Logical operator: lt (less than), gt (greater than), eq (equal to), neq (not equal to)
extended-para : Extended parameter of the protocol used, eg: port (for TCP/UDP), echo (for ICMP)
log [log-input] : Records all ACL matches, including violations
in|out : Applies this access list to inbound or outbound traffic

Extended ACL: TCP/UDP protocol


Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port] destination [d-mask operator d-port] [established] [log | log-input]
established: only matches if the ACK bit is set

Router(config-if)# ip access-group access-list-number {in | out}

Reserved port numbers

Extended ACL: ICMP protocol


Router(config)# access-list access-list-number {permit | deny} icmp source source-mask destination destination-mask [icmp-type [icmp-code] | icmp-message] [log | log-input]

Router(config-if)# ip access-group access-list-number {in | out}

Extended ACL: ICMP parameters


Parameter : Description
icmp-type : (Optional) A number between 0 and 255 specifying the ICMP message type
icmp-code : (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message : (Optional) ICMP packets can be filtered by an ICMP message type name, or by an ICMP message type and code name
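As an added example (not from the CCNA module and not Cisco IOS code), the program below evaluates extended ACL entries of the kinds described in the TCP/UDP and ICMP sections above: protocol matching, source and destination wildcards, the lt/gt/eq/neq port operators, the "established" keyword (matching only segments with the ACK bit set, as the slides define it), and numeric ICMP type and code. The sample access list, the Packet class and all function names are constructed for this example; ICMP message names such as "echo" are deliberately not parsed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed summary of the header fields an extended ACL looks at."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag, which 'established' checks
    icmp_type: int = -1
    icmp_code: int = -1


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bit = check, 1 bit = ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}


def _take_addr(tokens, i):
    """Consume an address spec ('any', 'host A' or 'A wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port_op(tokens, i):
    """Consume an optional 'operator port' pair; returns (op, port) or None."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_extended_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} {ip|tcp|udp|icmp} src [op port] dst [op port]
    [established] [icmp-type [icmp-code]] [log]' into a dict."""
    t = line.split()
    ace = {"number": int(t[1]), "action": t[2], "proto": t[3],
           "established": False, "icmp_type": None, "icmp_code": None}
    ace["src"], i = _take_addr(t, 4)
    ace["sport"], i = _take_port_op(t, i)
    ace["dst"], i = _take_addr(t, i)
    ace["dport"], i = _take_port_op(t, i)
    rest = t[i:]                      # trailing keywords: established, type/code, log
    ace["established"] = "established" in rest
    if ace["proto"] == "icmp":
        nums = [int(x) for x in rest if x.isdigit()]
        if nums:
            ace["icmp_type"] = nums[0]
            ace["icmp_code"] = nums[1] if len(nums) > 1 else None
    return ace


def _port_ok(spec, port: int) -> bool:
    return spec is None or OPERATORS[spec[0]](port, spec[1])


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["proto"] in ("tcp", "udp"):
        if not (_port_ok(ace["sport"], pkt.sport) and _port_ok(ace["dport"], pkt.dport)):
            return False
        # 'established': match only when the ACK bit is set, i.e. a reply segment
        # of a session already opened from the protected side.
        if ace["established"] and not pkt.ack:
            return False
    if ace["proto"] == "icmp" and ace["icmp_type"] is not None:
        if pkt.icmp_type != ace["icmp_type"]:
            return False
        if ace["icmp_code"] is not None and pkt.icmp_code != ace["icmp_code"]:
            return False
    return True


def evaluate_extended_acl(aces: list, pkt: Packet) -> str:
    """First match wins; with no match the implicit deny at the end applies."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed sample ACL: applied inbound on an Internet-facing interface that
# protects 172.16.0.0/16 (network numbers taken from the module's examples).
SAMPLE_ACL = [parse_extended_ace(line) for line in [
    "access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established",
    "access-list 101 permit tcp any host 172.16.4.13 eq 80",
    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq 23 log",
    "access-list 101 permit icmp any 172.16.0.0 0.0.255.255 0",
    "access-list 101 permit udp any 172.16.0.0 0.0.255.255 gt 1023",
]]

if __name__ == "__main__":
    syn_to_web = Packet("tcp", "203.0.113.9", "172.16.4.13", 45000, 80)
    print("web SYN   ", evaluate_extended_acl(SAMPLE_ACL, syn_to_web))
    reply = Packet("tcp", "203.0.113.9", "172.16.3.100", 80, 40000, ack=True)
    print("reply ACK ", evaluate_extended_acl(SAMPLE_ACL, reply))
```

The "established" entry is what lets replies to inside-initiated sessions back in while a fresh SYN from outside still has to match a more specific permit (here only port 80 on 172.16.4.13), which is the usual reason it is placed first.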

Named ACL Overview


A named ACL uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation. Considerations:
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
You cannot use the same name for multiple ACLs.

Named ACLs vs. Numbered ACLs


Named ACLs have their own configuration mode with shorter and clearer command lines.
Named ACLs allow individual entries to be removed from a specific ACL.
A name is more understandable than a number.
Named ACLs eliminate the limit of 798 simple and 799 extended ACLs.

Named ACL commands


Router(config)# ip access-list {standard | extended} name
Router(config-{std | ext}-nacl)# deny {source [source-wildcard] | any}
Router(config-{std | ext}-nacl)# permit {source [source-wildcard] | any}
Router(config-if)# ip access-group name {in | out}
Router# show access-lists

Named ACL example

Inbound and Outbound


If the ACL is inbound, the router checks the ACL's statements for a match when it receives the packet, before the routing process. If the ACL is outbound, the router first receives and routes the packet to the outbound interface, and then checks the ACL's statements for a match.

Recommended Rule
Place extended ACLs as close to the source of the denied traffic as possible.
Place standard ACLs as close to the destination as possible.
Placing ACLs on inbound interfaces may help to reduce routing processing, since denied packets are dropped before they are routed.
Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.

Firewall architecture

Control VTY access with Access list


Instead of applying an ACL on every router interface to filter telnet sessions to the router's own addresses, apply the ACL on the vty lines. Access into and out of the virtual terminal line ports can be controlled by IP numbered ACLs.
line vty 0 4
 login
 password cisco
 access-class access-list-number {in | out}

Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router.

VTY Control Example

Extended ACL examples

RA 172.16.3.100

Access List Requirements


1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13
2. Prevent all hosts on network 172.16.4.0, except 172.16.4.13, from accessing server 65.10.13.133
3. Prevent all hosts on network 172.16.3.0, except 172.16.3.100, from accessing 172.16.4.13 using web and tftp
4. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.

ACL Challenge
The outer network cannot ping into the inner network.
Do not allow the outer network to access the inner network, except the web service on the Web Server (.66).
Traffic between Net1 and Net3 is not allowed.
Other networks can only access the web service (.96) on the Web Server.
Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link.
Telnet to the routers is allowed only from PC1.
All other kinds of traffic are allowed.
[Topology diagram: PC1 on Net1 (.32), PC2 and PC3 on Net2 (.64), Net3, the Web server, routers R_1, R_2 and R_3 with interfaces S0, S1, E0 and E1, the Internet, and the 192.169.10.0/24 link]
Summary
ACL definition
How ACLs work
Wildcard masks
Standard numbered ACL configuration
Extended numbered ACL configuration
Named ACL configuration
Placing ACLs
