1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)


Objectives

Overview
ACLs enable management of traffic and secure access to and from a network. Access Control Lists (ACLs) provide basic filtering capabilities based on:
- source and/or destination IP addresses
- protocol types and port numbers
ACLs can be as simple as a single line intended to permit packets from a specific host, or they can be extremely complex sets of rules and conditions that precisely define traffic and shape the performance of router processes.

What is an ACL? ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny.

What is an ACL? An ACL is a sequential list of permit or deny statements that apply to addresses, upper-layer protocols or port numbers.

How ACLs Work
The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. Some ACL decision points are:
- IP source address
- IP destination address
- UDP or TCP protocol
- port numbers

Application of ACLs
ACLs can be created for various network protocols: IP, IPX, or AppleTalk. Note that there can only be one access list per interface, per direction, per protocol.

Execution of ACL Statements
ACL statements operate in sequential, logical order, from top to bottom. If a condition is matched, the packet is permitted or denied and the rest of the ACL is not checked. For example, if a condition statement that permits all traffic is located at the top of the list, no statement added below it will ever be checked. Order is important.
An implicit "deny any" statement is at the end of the list by default. However it is good practice

Why use ACLs?
- Limit network traffic to increase network performance.
- Provide traffic flow control by restricting the delivery of routing updates.
- Security: allow one host access but prevent another.
- Control which types of traffic are forwarded or blocked by the router.
- Ability to control which areas a client can access.
- Restrict user access to only certain types of files (e.g. web pages).
- If ACLs are not configured, all packets passing through the router will be allowed onto all parts of the network.

Updating Access Lists
If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements.
Command: no access-list list-number

Protocols with ACLs Specified by Numbers

Creating ACLs
There are many different types of ACLs. Each ACL is uniquely identified by assigning a number (or a name) to it. This number identifies the type of access list created and must fall within the specific range of numbers:
Rio(config)# access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP standard access list (expanded range)
  <2000-2699>  IP extended access list (expanded range)

Creating ACLs

Applying ACLs
Creating the access list is the first step. The second step involves assigning the list to an interface (or interfaces), as in or out. The direction is taken from inside the router.
Rio(config)# interface fastethernet 0/0
Rio(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
Rio(config-if)# ip access-group 10 ?
  in   inbound packets
  out  outbound packets
A numbered ACL cannot be edited on the router. To edit an ACL:
1. Copy it to a text file.
2. Remove it from the router configuration with the 'no' form of the ACL statement.
3. Make the necessary changes to the text file.
4. Paste it back in global configuration mode.

The Function of a Wildcard Mask

Wildcard Masks
Two keywords are used in ACLs: any and host.
Wildcard masks are 32 bits long and are paired with an IP address. Wildcard masks are used with ACLs to filter groups of IP addresses. Ones and zeros mean something different in a wildcard mask than in a subnet mask.
Example 1: Rio(config)# access-list 10 permit [address] [wildcard mask]
In this example, by applying the WM to the IP address, the router will ignore the values of the last two octets. This statement will permit traffic with source IP: _______________________
Example 2: Rio(config)# access-list 10 permit [address] [wildcard mask]
This WM ignores the value of the 4th octet, and 4 bits from the 3rd octet (moving left to right). If M = Match and D = Don't Care, WM = MMMMMMMMMMMMMMMMMMMMDDDDDDDDDDDD. This statement will permit traffic from range ___________ to _____________.
any ([anything].[anything]) means an IP address of _______ and WM ______________
host matches an address exactly, or WM __________

Standard ACLs

Standard ACLs
Standard IP ACLs check only the source address of packets to be routed.
Rio(config)# access-list 50 permit [source address] [wildcard mask]
- Number between 1 and 99, or 1300 to 1999 (recent IOS)
- Deny or permit
- Wildcard mask (if no WM is specified, the default mask is used)

Extended ACLs
Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. Each statement carries the fields protocol, source, destination and port:
access-list 101 permit ip host [host address] any
access-list 101 deny ip [network address] [wildcard mask] any
access-list 101 deny tcp host [host address] [network address] [wildcard mask] eq 23
access-list 101 permit tcp any [network address] [wildcard mask] eq telnet
1. Specifically permits all IP traffic from this host (only) to any other network or host.
2. More general statement denying other traffic from the /24 network.
3. Specifically denies the host (only) telnet access to the /24 network.
4. More general statement permitting telnet from all other hosts on the /24 network.
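An added example, not from the slides, that models how the router evaluates the statements above: wildcard-mask matching (the any and host keywords, the M/D bit pattern from the wildcard slide), top-to-bottom first-match processing, the implicit deny any, and the standard versus extended fields. The addresses in ACL_101 are constructed stand-ins, since the slide's own addresses did not survive extraction.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard bit 0 = must match, 1 = don't care (the inverse of a subnet mask);
    # 'host X' is X with wildcard 0.0.0.0, 'any' is 0.0.0.0 with wildcard 255.255.255.255.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    # Lowest and highest address the pair can match (assumes the D bits sit at the low end).
    low = to_int(base) & (~to_int(wildcard) & 0xFFFFFFFF)
    high = low | to_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"               # source address + wildcard; the defaults mean 'any'
    src_wc: str = "255.255.255.255"
    proto: str = "ip"                  # a standard ACL only ever uses src/src_wc
    dst: str = "0.0.0.0"               # extended ACLs also check destination, protocol, port
    dst_wc: str = "255.255.255.255"
    port: Optional[int] = None         # 'eq <port>' on the destination port

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, port: int = 0) -> str:
    # Statements are tested top to bottom; the first match decides, so ordering matters.
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action
    return "deny"  # the implicit 'deny any' that never appears in the configuration

# Constructed addresses standing in for the slide's four-line ACL 101.
ACL_101 = [
    Entry("permit", src="172.16.4.13", src_wc="0.0.0.0"),                          # 1: this host only, to anywhere
    Entry("deny", src="172.16.4.0", src_wc="0.0.0.255"),                           # 2: everyone else on the /24
    Entry("deny", proto="tcp", src="172.16.3.10", src_wc="0.0.0.0",
          dst="172.16.4.0", dst_wc="0.0.0.255", port=23),                          # 3: one host, no telnet to the /24
    Entry("permit", proto="tcp", dst="172.16.4.0", dst_wc="0.0.0.255", port=23),   # 4: telnet to the /24 from anyone else
]

if __name__ == "__main__":
    print(wildcard_range("172.16.16.0", "0.0.15.255"))  # ('172.16.16.0', '172.16.31.255')
    print(evaluate(ACL_101, "udp", "10.1.1.1", "172.16.4.5", 53))  # deny (implicit)
```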

Extended ACLs

Named ACLs

Placing ACLs
Standard ACLs should be placed close to the destination, as they filter only on source IP address.
Extended ACLs should be placed close to the source: they filter in detail, so bin packets as early as possible.

Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release
Advantages are:
- Intuitively identify ACLs using names (not just numbers).
- Extend possibilities beyond 798 simple and 799 extended ACLs.
- Modification of a named ACL without deleting and reconfiguring it.
Named ACLs allow individual statements to be deleted without losing the whole list. However, it is still only possible to add statements to the end of a list.
Rio(config)# ip access-list extended Server-Access
(standard or extended, followed by the administrator-assigned name)
Rio(config-ext-nacl)# permit tcp any host [server address] eq smtp
Rio(config-ext-nacl)# permit udp any host [server address] eq 53
Rio(config-ext-nacl)# [Control + Z]
Rio(config)# interface f 0/0
Rio(config-if)# ip access-group Server-Access out

Verifying ACLs
There are many show commands that will verify the content and placement of ACLs on the router:
- show ip interface
- show access-lists
- show running-config

Verifying ACLs - show run

Verifying ACLs - show access-lists
Shows all access lists configured, not where they are applied.

Verifying ACLs - show ip interface Shows ip access lists applied per interface

Firewalls A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.

Firewalls
Use of ACLs in the firewall routers:
- Control traffic entering or exiting a specific part of the internal network.
- Provide basic security from the outside network into a more private area of the network.
Example: if the only application that is permitted is mail, then configure the ACL so that only mail packets are allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

Firewalls (overview)
Firewalls control access to services both into and from the internal network. ACLs are used in firewalls between the internal and external network. A De-Militarised Zone (DMZ) contains network services available to Internet traffic. The firewall router provides isolation for the internal network and the DMZ. Border routers (at the edge of a network) use ACLs to provide security. A network firewall can be one or several machines working together to prevent unwanted access.
[Figure: External network, firewall router, DMZ containing a Web Server and an FTP Server, Internal network]

Restricting Virtual Terminal Access – Only numbered ACLs can be applied to virtual lines.

ACL Rules
1. One access list per protocol, per direction, per interface.
2. Standard access lists should be applied closest to the destination.
3. Extended access lists should be applied closest to the source.
4. Use the inbound or outbound interface reference as if looking at the port from inside the router.
5. The implicit deny at the end of all access lists will not appear in the configuration listing.
6. Access list entries should filter in the order from specific to general.
7. The permit or deny is examined ONLY if the match is true.
8. New lines are always added to the end of the access list.
9. no access-list [number] will remove the whole list.
10. It is not possible to selectively add and remove lines with numbered ACLs.
11. An IP ACL will send ICMP host unreachable to the sender of a rejected packet.
12. In some situations, removing an access list may result in a default 'deny any' being applied to the interface.
13. Outbound filters do not affect traffic originating at the local router.

ACL Summary
- There should be one access list per protocol per direction.
- Standard access lists should be applied closest to the destination.
- Extended access lists should be applied closest to the source.
- The inbound or outbound interface should be referenced as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found then the packet is denied and discarded.
- There is an implicit deny any at the end of all access lists. This will not appear in the configuration listing.
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- The match condition is examined first. The permit or deny is examined only if the match is true.
- Never work with an access list that is actively applied.
- A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
- New lines are always added to the end of the access list.
- A no access-list x command will remove the whole list.
- It is not possible to selectively add and remove lines with numbered ACLs.
- An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
- An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
- Outbound filters do not affect traffic that originates from the local router.

Summary