Scribd Logo
Upload

Welcome to Scribd!

  • Access Lists

    Uploaded by

    homan
    23 views46 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    23 views46 pages

    Access Lists

    Uploaded by

    homan

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 46

    ACCESS CONTROL LISTS

    ` What are ACLs?

    • ACLs are lists of conditions used to test


    network traffic that tries to travel across a
    router interface. These lists tell the router
    what types of packets to accept or deny.
    ` Why Use Access Lists?

    – Manage IP traffic as network access grows


    – Filter packets as they pass through the router
    ` Access List Applications

    – Permit or deny packets moving through the router.


    – Permit or deny vty access to or from the router.
    – Without access lists, all packets could be transmitted
    onto all parts of your network.
    ` Other Access List Uses

    • Special handling for traffic based on packet tests


    Types of Access Lists

    • Standard
    – Checks source address
    – Generally permits or denies entire protocol suite
    • Extended
    – Checks source and destination address
    – Generally permits or denies specific protocols
    ` How to Identify Access Lists

    – Standard IP lists (1-99) test conditions of all IP packets from


    source addresses.
    – Extended IP lists (100-199) test conditions of source and
    destination addresses, specific TCP/IP protocols, and destination
    ports.
    – Standard IP lists (1300-1999) (expanded range).
    – Extended IP lists (2000-2699) (expanded range).
    – Other access list number ranges test conditions for other
    networking protocols.
    ` Testing Packets with
    Standard Access Lists
    ` Testing Packets with
    Extended Access Lists
    ` Outbound ACL Operation

    • If no access list statement matches, then discard the packet.


    ` A List of Tests: Deny or Permit
    ACL CONFIGURATION
    `Grouping ACLs to interfaces

    • ACLs are assigned to one or more


    interfaces and can filter inbound traffic or
    outbound traffic.
    • Outbound ACLs are generally more
    efficient than inbound, and are therefore
    preferred.
    • A router with an inbound ACL must check
    every packet to see whether it matches
    the ACL condition before switching the
    packet to an outbound interface.
    `ACL configuration task: Step 1
    `ACL configuration task: Step 2
    ` Wildcard Bits: How to Check the
    Corresponding Address Bits

    – 0 means check value of corresponding address bit.


    – 1 means ignore value of corresponding address bit.
    ` Wildcard Bits to Match a Specific IP
    Host Address

    • Check all the address bits (match all).


    • Verify an IP host address, for example:

    – For example, 172.30.16.29 0.0.0.0 checks all the


    address bits.
    – Abbreviate this wildcard mask using the IP
    address preceded by the keyword host (host
    172.30.16.29).
    ` Wildcard Bits to Match Any IP Address

    • Test conditions: Ignore all the address bits (match any).


    • An IP host address, for example:

    – Accept any address: any


    – Abbreviate the expression using the
    keyword any.
    `Example

    • Router(config)# access-list 1
    permit 0.0.0.0 255.255.255.255
    • Router(config)# access-list 1
    permit any

    • Router(config)# access-list 1
    permit 172.30.16.29 0.0.0.0
    • Router(config)# access-list 1
    permit host 172.30.16.29
    ` Wildcard Bits to Match IP Subnets

    • Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.


    – Address and wildcard mask:
    172.30.16.0 0.0.15.255
    `Wildcard mask and Subnet mask

    • Although both are 32-bit quantities,


    wildcard masks and IP subnet masks
    operate differently.
    • The zeros and ones in a subnet mask
    determine the network, subnet, and host
    portions of the corresponding IP address.
    • The zeros and ones in a wildcard
    determine whether the corresponding bits
    in the IP address should be checked or
    ignored for ACL purposes.
    STANDARD ACLs
    `Overview

    • When you want to block all traffic from a


    network, allow all traffic from a specific
    network, or deny protocol suites.
    • Standard ACLs check the source address
    of packets that could be routed.
    • The result permits or denies output for an
    entire protocol suite, based on the
    network, subnet, and host addresses.
    `Standard ACL
    `Standard ACL commands

    • Access list number: 1 Æ 99

    • Router(config)# access-list access-


    list-number {deny | permit} source
    [source-wildcard ] [log]

    • Router(config-if)# ip access-group
    access-list-number {in | out}

    • Router# show access-lists


    ` Standard IP Access List
    Example 1

    • Permit my network only.


    ` Standard IP Access List
    Example 2

    • Deny a specific host.


    ` Standard IP Access List
    Example 3

    • Deny a specific subnet.


    EXTENDED ACLs
    `Overview

    • They provide a greater range of control


    than standard ACLs.
    • Extended ACLs check for both source and
    destination packet addresses.
    • They also can check for specific
    protocols, port numbers, and other
    parameters.
    `Extended ACL commands

    • Access list number: 100 Æ 199


    • Router(config)# access-list access-
    list-number {permit | deny} protocol
    source [source-mask destination
    destination-mask operator operand]
    [established][log]
    • Router(config-if)# ip access-group
    access-list-number {in | out}
    • Router# show access-lists
    `Reserved port numbers
    ` Extended Access List
    Example 1

    – Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0


    out of E0.
    – Permit all other traffic.
    ` Extended Access List
    Example 2

    – Deny only Telnet from subnet 172.16.4.0 out of E0.


    – Permit all other traffic.
    NAMED ACLs
    `Overview

    • Allow standard and extended IP ACLs to


    be identified with an name instead of the
    current numeric (1 to 199) representation.
    • Named ACLs can be used to delete
    individual entries from a specific ACL.
    `Extended ACL commands

    • Router(config)# ip access-list {standard |


    extended} name
    • Router(config {std- | ext-}nacl)# deny
    {source [source-wildcard] | any}
    • Router(config {std- | ext-}nacl)# permit
    {source [source-wildcard] | any}
    • Router(config-if)# ip access-group name {in |
    out}
    • Router# show access-lists
    ` Filtering vty Access to a Router

    – Five virtual terminal lines (0 through 4).


    – Filter addresses that can access into the
    router’s
    vty ports.
    – Filter vty access out from the router.
    ` How to Control vty Access

    • Set up an IP address filter with a standard access list


    statement.
    • Use line configuration mode to filter access with the
    access-class command.
    • Set identical restrictions on every vty.
    ` vty Commands

    Router(config)#line vty {vty# | vty-range}

    • Enters configuration mode for a vty or vty range

    Router(config-line)#access-class access-list-number
    {in | out}

    • Restricts incoming or outgoing vty connections for


    address in the access list
    ` vty Access Example

    Controlling Inbound Access


    access-list 12 permit 192.168.1.0 0.0.0.255
    (implicit deny all)
    !
    line vty 0 4
    access-class 12 in

    • Permits only hosts in network 192.168.1.0 0.0.0.255 to


    connect to the router vty
    `Placing ACLs

    •Standard ACLs should be placed close to the destination.


    •Extended ACLs should be placed close to the source.
    ` Access List Configuration Principles

    – The order of access list statements is crucial.


    • Recommended: Use a text editor on a PC to create the access-
    list statements, then cut and paste them into the router.
    • Top-down processing is important.
    • Place the more specific test statements first.

    – No reordering or removal of statements.


    • Use the no access-list number command to remove the entire
    access list.
    • Exception: Named access lists permit removal of individual
    statements.

    – Implicit deny all will be applied to any packets that do


    not match any access-list statement.
    • Unless the access list ends with an explicit permit any
    statement.
    VERIFYING ACLs
    ` Verifying Access Lists

    wg_ro_a#show ip interfaces e0
    Ethernet0 is up, line protocol is up
    Internet address is 10.1.1.11/24
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    <text ommitted>
    ` Monitoring Access List Statements

    wg_ro_a#show {protocol} access-list {access-list number}

    wg_ro_a#show access-lists {access-list number}

    wg_ro_a#show access-lists
    Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
    Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

    You might also like