Chabot College ELEC 99.08 Access Control Lists - Introduction
ACL Topics Function of ACLs ACL Types & Syntax Wildcard Bitmasks Placement of ACLs Commands
Typical Functions Security Firewalling
Types Standard Extended
Standard ACLs Use rules based only the packet’s source address 1-99
Extended ACLs Provide more precise (finer tuned) packet selection based on: Source and destination addresses Protocols Port numbers 100-199
Steps to Configure ACLs 1) Create ACL (global config mode) The list may contain many rules, each on one line. The list is identified by a number or name. 2) Apply to an interface (interface config mode)
How do ACLs work? Processing occurs line by line from top to bottom of the list. Each line tests a packet for a “match”. If there is a match, a “permit” or “deny” rule is applied. When a “match” occurs, no further rules are checked. Invisible last line of an ACL is an implicit “deny any.”
How do ACLs work? ACL example: oak#sh ru oak#... oak#access-list 10 deny 192.168.1.0 0.0.0.255 oak#access-list 10 permit any oak#access-list 10 deny any (implicit)
How does a Standard ACL work? Permits or denies if source IP address is matched: Permit – packet is allowed Deny – packet is dropped Implicit Deny – If a packet’s address does not match an earlier statement, an implicit deny any occurs at the end of every ACL and the packet is dropped.
The network address to be matched Wildcard Masks Are used to specify (by bits) the part of the ip address to be matched. Looks like a subnet mask but it its not! Example: 172.16.0.0 0.0.255.255 The network address to be matched The wildcard bitmask
Wildcard Masks Specify the part of the ip address to be matched. Use 0s to match,1s to ignore. (Reverse of subnet masks!) In the example below, only the 1st 2 octets will be examined for a match: 172.16.0.0 0.0.255.255 Match this part of the address This is the wildcard bitmask
Wildcard Masks 172.16.0.0 0.0.255.255 172 16 Address 10101100 00010000 172.16.0.0 0.0.255.255 address to match wildcard bitmask 172 16 Address 10101100 00010000 00000000 00000000 Wildcard Mask 00000000 00000000 11111111 11111111 255 255 Check for a match Ignore
Wildcard Masks In this example, which octets will be examined for a match? 172.16.5.0 0.0.0.255
Match this part of the address Wildcard Masks In this example, which octets will be examined for a match? 172.16.5.0 0.0.0.255 The first 3: Match this part of the address
Wildcard Masks In this example, which octets will be examined for a match? 172.16.5.2 0.0.0.0
Wildcard Masks In this example, which octets will be examined for a match? 172.16.5.2 0.0.0.0 All 4 octets: Match the entire address (permit or deny this specific host)
Wildcard Masks In Cisco 2, we will work only with wildcard bitmasks that are 0 or 255 for an entire octet. In Cisco 3, you’ll work with masks where the change from 0 to 1 does not fall on an octet boundary: e.g. 0.0.15.255
Keyword: “any” Identical statements access-list 22 permit 0.0.0.0 255.255.255.255 access-list 22 permit any
Keyword: “host” Identical statements Access-list 23 permit 172.16.1.1 0.0.0.0 Access-list 23 permit host 172.16.1.1
Standard IP ACL command access-list ACL-number {permit |deny} source-ip-address wildcard-mask ACL number: 1-99 Global Config mode
Standard ACL Example To permit all packets from the network number 172.16.0.0 access-list 20 permit 172.16.0.0 0.0.255.255
Standard ACL Example To permit traffic from the host 172.16.1.1 only access-list 20 permit 172.16.1.1 0.0.0.0 OR access-list 20 permit host 172.16.1.1
Standard ACL Example To permit traffic from any source address. access-list 20 permit 0.0.0.0 255.255.255.255 OR access-list 20 permit any
How does an Extended ACL work? Permits or denies if all conditions match: Source Address Destination Address Protocol Port No. or Protocol Options
Extended IP ACL command access-list ACL-number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number ACL number: 100-199 Global Config mode
Extended ACL Example To permit traffic from the network 192.168.1.0 to the host 192.168.3.10 only on telnet: access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.10 0.0.0.0 eq telnet More about extended ACLs later...
Major differences Standard ACL Extended ACL Use only source address Requires fewer CPU cycles. Place as close to destination as possible. (because they can only check source address) Extended ACL Uses source, destination, protocol, port Requires more CPU cycles. Place as close to source as possible. (This stops undesired traffic early.)
Command to apply IP ACL ip access-group ACL-number {in |out} Interface Config mode The group of rules in the list is applied to the interface being configured. Use “in” and “out” as if looking at the interface from inside the router.
Do I place an ACL in? In Coming into the router. Requires less CPU processing because every packet bypasses processing before it is routed. Filtering decision is made prior to the routing table.
Do I place an ACL out? Out Going out of the router. Routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list. ACLs are outbound unless otherwise specified.
ACL Configuration Example What will this list do? oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255 oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0 oak(config)#int e0 oak(config-if)#ip-access group 10 out oak(config-if)#^z S1 S1 fre S0 hay oak S0 E0 E0 E0 192.168.1.0 192.168.2.0 192.168.3.0 192.168.1.10 192.168.2.10 192.168.3.10
ACL Configuration Example What’s the problem here? oak(config)#access-list 10 permit any oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0 oak(config)#int e0 oak(config-if)#ip-access group 10 out oak(config-if)#^z S1 S1 fre S0 hay oak S0 E0 E0 E0 192.168.1.0 192.168.2.0 192.168.3.0 192.168.1.10 192.168.2.10 192.168.3.10
Commands to show ACLs show access-lists show ip interface Privileged exec mode Displays the ACLs on the router. show ip interface Shows which ACLs are set on that interface.