Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand

Overview ACL fundamentals ACL operations Types of ACLs (Standard / Extended) Implementing ACLs

Access Control Lists (ACLs) List of conditions to test the traffic Router can permit or deny( like a filter) Provides security Bandwidth Management Come in two Types STANDARD and EXTENDED

ACL Overview

ACL Operations Packets are compared to each statement in a list sequentially from the top down. The sooner a decision is made the better. Well written ACLs take care of the most abundant type of traffic first. All Access-lists End with an Implicit Deny All statement

ACL Operations

Implementing ACLs Step 1 - Create the Access-list Step 2 - Apply the Access-list to an Interface Must be in interface config mode (config-if)# ip access-group # in/out (routers point of view)

Types of Cisco ACLs

Standard ACLs Given a # from 1-99 Filtering based only on Source Address Should be applied closest to the destination

Extended ACLs Given a # from 100-199 Much more flexible and complex Can filter based on: Source address Destination address Session Layer Protocol (ICMP, TCP, UDP..) Port Number (80 http, 23 telnet…) Should be applied closest to the source

Placing ACLs Standard : Closed to destination Extended: Closed to source

Standard ACL format # permit/deny switch the packet or drop it access-list # permit/deny sourceIP wildcard # 1-99 permit/deny switch the packet or drop it sourceIP source IP address to which the packet should be compared. Can also use ANY wildcard (inverse mask) see next slides

Wildcard Mask Allows you to indicate a host, subnet, network or range of IP addresses The two binary values in the wildcard have different meanings: 0 = Must Match Exactly 1 = Ignore

Wildcard Mask Example

Wildcard Mask Example Network Wildcard 172.16.10.0 0.0.0.255 172.16.10.0 0.0.0.255 Result: Match the first three octets exactly but ignore the last octet. 172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.

host and any Keywords Ex. ...permit 192.168.10.10 0.0.0.0 matches all bits shortcut  host 192.168.10.10 Ex. ...deny 0.0.0.0 255.255.255.255 ignores all bits shortcut  any

Implementing ACLs Remember the Implicit Deny All at the end of each access-list. Two Approaches: 1. List the traffic you know you want to permit Deny all other traffic 2. List the traffic you want to deny Permit all other traffic (permit any)

Standard ACL

Standard ACL example (I) R1(config)# access-list 5 deny 172.22.5.2 0.0.0.0 R1(config)# access-list 5 deny 172.22.5.3 0.0.0.0 R1(config)# access-list 5 permit any So what does this access list do? Deny any host 172.22.5.2 Deny any host 172.22.5.3 All other traffic can go

Standard ACL example (II) A(config)#access-list 5 deny 172.22.5.2 0.0.0.0 A(config)#access-list 5 deny 172.22.5.3 0.0.0.0 A(config)#access-list 5 permit any A(config)#access-list 5 deny 172.22.5.4 0.0.0.0 Why does the last line have no affect? How could you correct this situation?

Applying ACLs R1(config)# int fa 0/0 R1(config-if)# ip access-group 2 out fa0/0 s0/1 R1(config)# int s 0/1 R1(config-if)# ip access-group 6 in

Extended ACL

Restricted ACL access

Verifying ACLs show ip interface show access-lists Show running-config

Implementing ACLs Tips You cannot selectively add or remove statements from an Access-list Typically modifications are made in a text editor and then pasted to the router as a new access-list Document your Access-list After each line indicate exactly what that line is supposed to do.

Implementing ACLs Tips Verifying Your Access-list show access-lists show ip interfaces Revisit your access-list after a few days Routers keep track of the number of packets that match each statement in an access-list Use this information to reorder your access-list and thus improve it efficiency Never remove an access-list that is applied to a port – this can crash the router!

Summary Are Created and then Applied to an interface Are Implemented Sequentially- Top Down End with an implicit Deny ALL statement #1-99 Standard and # 100-199 Extended Standard - source address only Extended - source, destination, protocol, port

Lab Assignment #1 A and B can connect to each other. 192.168.11.20 B A C 192.168.10.10 192.168.12.30 A and B can connect to each other. B and C can connect to each other. A and C cannot communicate to each other.

Lab Assignment #2 A can only access web service of B. 192.168.11.20 B A C 192.168.10.10 192.168.12.30 A can only access web service of B. B can only ping C. C does not accept any ping from A.

References C.Dodge slide in Cisco Website Cisco curriculum materials