This Week: Access Control Lists
What are ACLs? What are they for? How do they work?
Standard ACLs, extended ACLs, and where to place them
17 March 2009 ITCN
Reasons for ACLs
- Limit network traffic to where we define it, and so increase network performance
- Provide traffic flow control
- ACLs can restrict or reduce the contents of routing updates
- Provide a basic level of security for network access (basic only: an IOS ACL is a stateless packet filter, not a substitute for a stateful firewall)
- Decide which types of traffic are forwarded or blocked at router interfaces
Consider an arbitrary network
(figure: an arbitrary example network)

Routers and ACLs
- A router can read packets
- Packets contain much data (addresses, protocol, port numbers)
- We can choose to act upon this data
- This permits us to allow or deny whichever part of this data we wish
- ACLs implement this policy

The Task of ACLs
An ACL is a group of statements that define how or whether packets:
- Enter inbound interfaces of the router
- Exit outbound interfaces of the router
- Relay through the router or not
The Order of ACLs is Important
- IOS tests the packet against each condition statement in the order in which the statements were created
- After a match is found, no more condition statements are checked
- If all the ACL statements are unmatched, an implicit "deny any" statement is imposed
- Note: if you create a condition statement that permits all traffic, no statements added later will ever be checked

ACL Statement Order
- The implicit 'last statement' denies all traffic
- The statements preceding it must allow the permitted traffic to flow
- Construct statements carefully: anything not explicitly permitted will be denied
- Put the most specific statements first; a broad permit or deny placed early shadows every narrower statement that follows it
Standard ACLs
You use standard ACLs when you:
- want to block all traffic from a network
- want to allow all traffic from a specific network
- Standard ACLs check only the source address of packets that could be routed across your network
- Because only the source address is examined, a standard ACL cannot single out a protocol or application (www, icmp); that needs an extended ACL
- Standard ACLs are not used very often

Extended ACLs
- These are used whenever we want to be more specific about the type of traffic to block, e.g. a certain host, or an entire protocol such as www (HTTP), ftp or icmp (ping)
- These are used very frequently
Creating ACLs
- Enter global configuration mode, i.e. Router(config)#
- Enter the command ip access-list [standard|extended] number (the number identifies the list)
- The router prompt changes accordingly

Using Notepad
- Create ACLs in Notepad (or another text editor)
- There they can be easily manipulated and reordered
- This is not possible with a classic numbered ACL on the router: it is necessary to delete the entire list and start again
- Once the ACL is correct, it can be pasted into the router's CLI
- Caveat: newer IOS releases give entries in ip access-list configuration mode sequence numbers, so a single entry can be inserted or removed in place; the delete-and-retype rule applies to lists typed with the old access-list command

Standard and Extended ACLs
- ACL numbers 1 to 99 are for standard ACL statements: Router(config-std-nacl)#
- ACL numbers 100 to 199 are for extended ACL statements: Router(config-ext-nacl)#
- (The expanded ranges 1300 to 1999 for standard and 2000 to 2699 for extended ACLs also exist)
- Logically order the ACL
- Permitted IP protocols must be specified; all other protocols are then dropped by the implicit deny
Which Interface to Place the ACL On?
- ACLs are assigned to one or more interfaces
- They can filter inbound or outbound traffic
- An inbound ACL is checked before the routing decision, so a denied packet is dropped without a route lookup; this makes inbound ACLs the more efficient choice for traffic that is to be dropped
- An outbound ACL is checked after routing, so it only sees packets the router has already decided to send out of that interface; the same policy may then have to be repeated on several outbound interfaces

Wildcard Mask
- This identifies a host or a range of addresses
- It is the binary inversion of the subnet mask, i.e. in a 'class C' address range we use the subnet mask 255.255.255.0
- To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s become 0s and all 0s become 1s)

Wildcard Mask Bits
- Sometimes we need to specify a range of IP addresses
- A wildcard mask is a 32-bit quantity divided into four octets
- Each octet contains 8 bits
- Wildcard mask bit 0 means "check the corresponding bit value"
- Wildcard mask bit 1 means "do not check (ignore) the corresponding bit value"
Example
What is the dotted decimal wildcard mask you would use to check for all traffic from hosts in the range 193.60.1 to 220.127.116.11.31?
- Hint: convert to binary first
- Write out the first and last addresses to compare like and unlike bits
- Convert back to decimal afterwards
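The hint above is the general method: the bits that differ between the first and last address are the "ignore" bits. The following Python is an added example, not part of the original slides, that carries the method through for any range and, because the slide's own range is garbled, uses constructed ranges such as 192.168.1.0 to 192.168.1.31. It also handles the edge case the slide does not mention: a range that is not an aligned power-of-two block (for instance .1 to .31) cannot be expressed with a single wildcard mask at all.

```python
# Added example (not from the original slides): derive a wildcard mask from an
# address range, and invert a subnet mask into its wildcard equivalent.
import ipaddress


def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted-decimal subnet mask: 255.255.255.0 -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_for_range(first: str, last: str):
    """Return (network, wildcard) that matches exactly first..last, or None.

    The slide's method: compare the first and last address bit by bit. Bits that
    are alike must be checked (wildcard 0); bits that differ are ignored
    (wildcard 1). One ACL entry can only express the range when the differing
    bits form a contiguous low-order block and first/last sit on its edges.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not exceed last")
    diff = lo ^ hi
    # Smallest all-ones mask covering every differing bit, e.g. 0b11111 for 31.
    wildcard = (1 << diff.bit_length()) - 1
    # lo must be the start of the block and hi its end, otherwise the range
    # would also admit addresses outside first..last (or miss some inside).
    if lo & wildcard != 0 or hi != lo | wildcard:
        return None
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(wildcard))


if __name__ == "__main__":
    # Constructed sample ranges; the slide's own range did not survive extraction.
    print(subnet_to_wildcard("255.255.255.0"))                 # 0.0.0.255
    print(wildcard_for_range("192.168.1.0", "192.168.1.31"))   # ('192.168.1.0', '0.0.0.31')
    print(wildcard_for_range("10.0.0.0", "10.0.255.255"))      # ('10.0.0.0', '0.0.255.255')
    print(wildcard_for_range("172.16.16.29", "172.16.16.29"))  # a single host: wildcard 0.0.0.0
    print(wildcard_for_range("192.168.1.1", "192.168.1.31"))   # None: not a wildcard block
```

When `wildcard_for_range` returns None the range has to be split into several aligned blocks, each as its own ACL statement, or widened to the enclosing block if that is acceptable for the policy.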
Quad Zero Address
0.0.0.0 is known as the quad zero address. Paired with the wildcard mask 255.255.255.255 (every bit ignored) it is 'shorthand' for any IP address.

Useful Commands: ANY
To specify that any source address will be permitted to pass:
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
is the same as (but shorter):
Router(config)# access-list 1 permit any

HOST Command
A specific IP host address will be denied in an ACL test:
Router(config)# access-list 1 deny 172.16.16.29 0.0.0.0
is the same as (but this is shorter):
Router(config)# access-list 1 deny host 172.16.16.29

Examples of ACLs
access-list 33 permit 192.168.0.0 0.0.255.255 (permits all traffic in the range 192.168.0.0 to 192.168.255.255)
access-list 44 deny 192.168.13.7 0.0.0.0 (denies traffic from only the host 192.168.13.7)
access-list 55 permit any (permits all traffic from any network)
Remember the implicit deny at the end of every list: access-list 44 as written blocks everything, so it needs a permit statement after the deny to let the remaining hosts through.
Extended ACLs
- Provide a greater range of control than standard ACLs
- E.g. we can allow web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic
- Extended ACLs check for both source and destination packet addresses
- Specific protocols, port numbers and other parameters can also be checked
- Packets can be permitted or denied based on where the packet originated and on its destination

Extended ACL example
chatham(config)#ip access-list extended 150
chatham(config-ext-nacl)#?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
chatham(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
This entry permits any TCP traffic from the 192.168.1.0/24 network to the 192.168.2.0/24 network. To limit it to one application, add a port match after the destination, e.g. eq 80 for web traffic; everything the list does not permit is dropped by the implicit deny.
Well-known Port Numbers
- Some ports are commonly used and their numbers are well-known (e.g. 80 for HTTP, 21 for FTP, 23 for TELNET)
- A PC can be configured by a hacker to use a different port!
- So a port-based ACL filters the port number, not the application: a service moved to a non-standard port passes straight through a rule written for the well-known one
Placing Standard and Extended ACLs
- Put extended ACLs as close as possible to the source machine or range (on your network) of the traffic type being denied, so unwanted traffic is dropped before it crosses the network
- Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near as possible to the destination machine (or range) we want to protect; placed near the source it would cut that source off from every destination, not just the one we mean

Applying ACLs to an Interface
- Once you have written an ACL, you need to apply it to an interface, either IN or OUT
- If we have written access-list 101, we could apply it to the Fa0/0 interface inbound:
int fa0/0
ip access-group 101 in
- ACLs can also be placed on an interface in the outbound direction (ip access-group 101 out)
- An interface takes one IP ACL per direction, so a second ip access-group in the same direction replaces the first

Placing ACLs
- Imagine you are standing INSIDE the router
- The direction of the ACL for an interface is judged from that perspective: 'in' is traffic arriving at the router through the interface, 'out' is traffic leaving the router through it

Conclusion
- ACLs check packets for certain conditions
- Standard ACLs test simple conditions (source address only)
- Extended ACLs test more rigorous conditions (source, destination, protocol, ports)
- Define the ACL, then apply it to an interface
- Place ACLs sensibly
- Be sure to order ACLs sensibly too!