Semester 3 Chapter 6 ACLs
Overview
Router can provide basic traffic filtering capability
Access Control Lists can prevent packets from passing through the interface
–Sequential collection of permit or deny statements
–Can be applied IN or OUT of interface port
–Can apply to addresses or upper-layer protocols
WHAT ARE ACLs?
List of instructions applied to a router interface
–Tells what kinds of packets to accept
–Tells what kinds of packets to deny
Two Types – Standard and Extended
–IP Standard uses source address only
–IP Extended uses destination address, upper-layer protocols, port numbers
WHAT ARE ACLs Continued
Can be created for all routed protocols
Control access to a network or subnetwork
Examined by router as packet comes in or goes out a port
Must be defined on a per-protocol basis
–IPX, IP, AppleTalk would require three access list statements
Why Create ACLs?
Act as a firewall to provide a level of security
Prioritize packets based on protocol (queuing)
Limit network traffic
–Limit information about specific networks from propagating
Can block traffic at LAN interface
HOW ACLs WORK
A group of statements that:
–Define entry into or out of an interface
–Relay through the router
Executed in the order entered into CLI
Applied as a GROUP against interface
–Specify IN or OUT of interface
A NO access-list statement removes every statement with the same number
HOW ACCESS LISTS WORK CONTINUED
There is an implicit DENY ALL at the end of an Access List
–To PERMIT ALL requires an explicit statement
The Access-List number identifies the routed protocol and whether the list is Standard or Extended
Access-List statements should be tested with trial data to ensure they work as planned
LOG at the end of a statement will show packets denied
Important Helps
Since they are executed sequentially in the order entered into the Configuration File
And since all Access-List statements are deleted with one command
ENTER ACCESS LISTS INTO A TEXT EDITOR AND COPY/PASTE TO THE ROUTER
Flowchart ACL Test Matching Process
Each packet is compared to access-list statements in sequential order
When there is a match, the appropriate action is taken
When there is no match, the next statement in the list is compared to the packet
All statements are compared against each packet until a match is found
No match, the implicit DENY ALL will be used
Creating ACLs
Use GLOBAL configuration mode
Specify an ACL number (1-99 for IP standard)
Create in the order indicated by flowchart logic
Select the appropriate IP protocol to check
Apply the ACL statements as a group to an interface
–Can be assigned to one or more interfaces
–Outbound checking is more efficient than inbound
–Can assign only one IN and one OUT per interface (IP)
ACL Numbers
1-99 Standard IP
Extended IP
Standard Novell
Extended Novell
Novell SAP
AppleTalk, DECnet, and Xerox are between
Sample ACL Statements
Access-list 1 deny
Access-list 1 permit any
Access-list 101 deny tcp – eq 21
Access-list 101 permit ip any any
– is a wildcard mask
–Tcp is upper-layer protocol
–21 is a port number
–Any any means any source and any destination address
Wild Cards??
Wildcards are used to identify ranges of addresses to be permitted or denied
Wildcard masks resemble subnet masks and are related, but are quite different
Represented by the decimal equivalent of a 4-octet IP address
–0 means check bit
–1 means ignore bit
–255 means ignore every bit in the octet
–0 means check every bit in the octet
Wild Card Mask
Important because
–Can limit router work: 255 means router can ignore that octet
Careful construction can permit or deny subgroups
–Odd numbered hosts
–Even numbered hosts
–Upper half of address range
–Lower half of address range
Relation to Subnet Mask
Important when you want to deny an entire subnet or part of a subnet
Subnet mask is or you have an IP address with a CIDR of 20
–This means 20 ones in subnet mask
–Class B network with 4 borrowed bits for SN
–To deny a subnet, you would want to match first 4 bits in subnet number and all network bits
Subnet mask is to deny all hosts
Statement would be deny ip
The HOST command
You can use the HOST command when a specific address is to be checked (a single host)
–Access-list 1 permit
–Or Access-list 1 permit host
The ANY Command
The any keyword matches any IP address
Access-list 1 permit is the same as Access-list 1 permit any
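As an added example (not part of the original slides), the following Python models the sequential first-match test and implicit deny all, the wildcard-mask bit check, and the host and any shorthand described above; the ACL statements, addresses and function names are constructed for illustration. It also includes a small ordering check that flags statements an earlier statement already shadows, the mistake the "order entered" slides warn about.

```python
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))
def parse_acl_line(line):
    """Parse one standard IP ACL statement (constructed subset of the IOS syntax):
    access-list <n> permit|deny (any | host A.B.C.D | A.B.C.D [wildcard])"""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2].lower(), tokens[3:]
    if rest[0] == "any":                    # any == 0.0.0.0 255.255.255.255
        addr, wild = 0, 0xFFFFFFFF
    elif rest[0] == "host":                 # host X == X 0.0.0.0
        addr, wild = ip_to_int(rest[1]), 0
    else:                                   # omitted wildcard defaults to 0.0.0.0
        addr = ip_to_int(rest[0])
        wild = ip_to_int(rest[1]) if len(rest) > 1 else 0
    return {"number": number, "action": action, "addr": addr, "wild": wild}
def wildcard_match(src, addr, wild):
    """Wildcard bit 0 = this bit must match, 1 = ignore this bit."""
    return (src & ~wild) == (addr & ~wild)
def evaluate(acl, src_ip):
    """Sequential first-match test; no match falls through to the implicit deny all."""
    src = ip_to_int(src_ip)
    for entry in acl:
        if wildcard_match(src, entry["addr"], entry["wild"]):
            return entry["action"]
    return "deny"
def shadowed(acl):
    """Indexes of statements that can never match because an earlier statement
    already covers every address they describe (an ordering mistake to catch)."""
    hits = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            covers = (earlier["wild"] | later["wild"]) == earlier["wild"]
            same_bits = (earlier["addr"] & ~earlier["wild"]) == (later["addr"] & ~earlier["wild"])
            if covers and same_bits:
                hits.append(j)
                break
    return hits

# Constructed sample list: deny the odd-numbered hosts of 192.168.1.0/24 (wildcard
# 0.0.0.254 ignores every host bit except the lowest), permit the rest, permit one host.
SAMPLE_ACL = [parse_acl_line(s) for s in (
    "access-list 1 deny 192.168.1.1 0.0.0.254",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 permit host 10.0.0.5")]
if __name__ == "__main__":
    for ip in ("192.168.1.7", "192.168.1.8", "10.0.0.5", "10.0.0.6"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```

Run it to see 192.168.1.7 denied by the odd-host statement, 192.168.1.8 permitted, 10.0.0.5 permitted by the host entry, and 10.0.0.6 dropped by the implicit deny all.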
How to Write an Access List
Determine what traffic you want to block (deny)
Determine what traffic you want to let in (permit)
Determine if there is any precedence
Flow chart the sequence
Write the appropriate statements