Page 1 Chapter 11: CCNA2 Chapter 11 Access Control Lists: Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs


Page 2 Chapter 11: ACL – Access Control Lists
ACLs are instructions that are applied to a router's interfaces. The ACLs tell the router what kind of packets to accept or deny. Acceptance or denial can be based on:
- source address
- destination address
- port number
ACLs are configured at the router to control access to a network or subnet. ACLs must be defined separately for each protocol: one for IP, one for IPX, one for AppleTalk, etc. Sometimes they are called packet filters.

Page 3 Chapter 11: Reasons to create ACLs
- limit network traffic, hence increase network performance (i.e. some packets can be processed before other traffic)
- control traffic flow: limit traffic through the network
- provide for security: decide which traffic is blocked and which is forwarded

Page 4 Chapter 11
Cisco IOS checks the packet and upper-layer headers for:
- destination address
- source address
- protocol
- port number
The ACL statements are checked in sequential order, and when there is a match, no more checks are made. If there are no matches, then the packet is discarded. If additional statements are needed for an ACL, one must delete the ACL statements and re-create a new ACL. (If additional statements are added at the end, then one does not have to delete the ACL statements.)

Page 5 Chapter 11
When a packet enters an interface:
1) Check if there are ACLs. If there are, test the packet against the conditions. If it passes, then
2) check the packet against the routing tables.
Then at the destination interface:
1) Check for ACLs. If there are, test the packet against the conditions. If it passes, then
2) send it out the interface.

Page 6 Chapter 11
ACL statements operate in logical, sequential order. When there is a match, the rest of the conditions are not checked. If none of the ACL statements are matched, then there is an implicit deny any.
access-list 10 { permit | deny } { test conditions }
access-list 10 deny any

Page 7 Chapter 11
Two types of IP ACL:
- standard - has access list value of
- extended - has access list value of
Must be in global configuration mode: Router(config)#
Steps in creating ACLs:
1) create the ACL (in global configuration mode)
2) apply the ACL to an interface
ACLs can be written to filter inbound traffic or outbound traffic.

Page 8 Chapter 11: Where to place ACLs
Standard ACLs are placed as close as possible to the destination. Extended ACLs are placed as close as possible to the source.

Page 9 Chapter 11
Create:
Router(config)# access-list { permit | deny } { test conditions }
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }
Apply, at an interface:
Router(config)# int E0
Router(config-if)# { protocol } access-group [in | out]
Out is the default if not mentioned.
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete all ACL statements of an access-list:
Router(config)# no access-list
Router(config)# no access-list 50

Page 10 Chapter 11
A wildcard mask is matched against an IP address or protocol address. It is a 32-bit mask divided into 4 octets, each containing 8 bits. A 0 in the mask means check the bit. A 1 in the mask means ignore the bit.

Page 11 Chapter 11: Abbreviations
To permit any address:
Address: wildcard mask:
Use the abbreviation any:
Router(config)# access-list 1 permit
Router(config)# access-list 1 permit any

Page 12 Chapter 11: Abbreviations
To match all the bits of an IP address, use the abbreviation host:
EX:
Router(config)# access-list 1 permit
Router(config)# access-list 1 permit host

Page 13 Chapter 11: Standard ACLs
Criteria:
- block all traffic from a network
- allow all traffic from a network
- deny entire protocol suites
Standard ACLs only check the source address.
Router(config)# access-list { deny | permit } source [source-wildcard] [log]

Page 14 Chapter 11: Standard ACLs
What does this statement perform?
access-list 33 permit log
Permits all traffic from and sends messages to the console every time the access list is hit.

Page 15 Chapter 11: Standard ACLs
What does this statement perform?
access-list 44 deny log
Denies traffic from host and sends messages to the console every time the access list is hit.

Page 16 Chapter 11: Standard ACLs
What does this statement perform?
access-list 55 deny
Denies all traffic from network

Page 17 Chapter 11: Standard ACLs
The log keyword prints messages to the console, including the ACL number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval. Use it for debugging; it is not used on live networks.

Page 18 Chapter 11: Standard ACLs
Example of applying the access-list (note: it is done at the interface):
Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out
Router(config-if)# ip access-group 44

Page 19 Chapter 11: Standard ACLs
To monitor IP access lists (at EXEC mode):
show access-list : displays all access lists and their parameters configured on the router. (Does not show which interface the list is set on.)
show access-list : shows only the parameters for the access list. (Does not show the interface the list is set on.)
show ip access-list : shows only the IP access lists configured on the router.
show ip interface : shows which interfaces have access lists set.
show running-config : shows the access lists and which interfaces have access lists set.

Page 20 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; server; network labelled Non]
R(config)# access-list 1 permit
R(config)# Interface E0
R(config-if)# ip access-group 1 out
R(config)# Interface E1
R(config-if)# ip access-group 1 out
What does it do?

Page 21 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; server; network labelled Non]
R(config)# access-list 1 permit
R(config)# Interface E0
R(config-if)# ip access-group 1 out
R(config)# Interface E1
R(config-if)# ip access-group 1 out
Allows only traffic from the source network to be forwarded; traffic from any other source is blocked.

Page 22 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; server; network labelled Non]
R(config)# access-list 1 deny
R(config)# access-list 1 permit any
R(config)# Interface E0
R(config-if)# ip access-group 1 out
What does this do?

Page 23 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; server; network labelled Non]
R(config)# access-list 1 deny
R(config)# access-list 1 permit any
R(config)# Interface E0
R(config-if)# ip access-group 1 out
Denies traffic from a specific device, and allows all other traffic through E0 to the network.

Page 24 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 1 deny
access-list 1 permit any
Interface E0
ip access-group 1 out
What does this do?

Page 25 Chapter 11: Standard ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 1 deny
access-list 1 permit any
Interface E0
ip access-group 1 out
Denies traffic from the subnet, and allows all other traffic through E0 to the network.

Page 26 Chapter 11: Extended ACLs
Criteria:
- check both source and destination packet addresses
- check for a specific protocol
- check for specific port numbers
- permit or deny pings / telnets / FTP, etc.
For IP, the extended ACL values range between

Page 27 Chapter 11: Extended ACLs
Port number (decimal)   IP protocol
20                      FTP data
21                      FTP program (control)
23                      Telnet
25                      Simple Mail Transport Protocol (SMTP)
53                      DNS
69                      TFTP

Page 28 Chapter 11: Extended ACLs
Router(config)# access-list { permit | deny } protocol source source-mask destination destination-mask operator operand [established]
- ACL number
- permit | deny : the entry allows or blocks the specified address
- protocol : IP, TCP, UDP, ICMP, GRE or IGRP
- source : source address
- source-mask : ACL wildcard mask
- destination : destination address
- destination-mask : ACL wildcard mask

Page 29 Chapter 11: Extended ACLs
Router(config)# access-list { permit | deny } protocol source source-mask destination destination-mask operator operand [established]
- operator : lt, gt, eq, neq
- operand : port number
- established : allows TCP traffic to pass if the packet uses an established connection (for example, has the ACK bit set)
Example: access-list 101 permit tcp any eq 25

Page 30 Chapter 11: Extended ACLs
Assign the ACL to an interface:
Router(config-if)# ip access-group { in | out }
NOTE: out is the default (though with the present IOS, you have to put out).
Router(config)# int E0
Router(config-if)# ip access-group 101 in

Page 31 Chapter 11: Extended ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 101 deny tcp eq 21
access-list 101 permit ip
Interface E0
ip access-group 101
What does this do?

Page 32 Chapter 11: Extended ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 101 deny tcp eq 21
access-list 101 permit ip
Interface E0
ip access-group 101
Blocks FTP traffic from all hosts on the source network to any device on the destination network, and allows all other traffic through E0.

Page 33 Chapter 11: Extended ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 101 deny tcp eq 23
access-list 101 permit ip any any
Interface E0
ip access-group 101
What does this do?

Page 34 Chapter 11: Extended ACLs
[Diagram: router with interfaces E0, E1 and S; network labelled Non]
access-list 101 deny tcp eq 23
access-list 101 permit ip any any
Interface E0
ip access-group 101
Denies only telnet traffic from the source to the destination network, and permits all other traffic through E0 to any address.

Page 35 Chapter 11: Extended/Standard ACL numbers for IP
NOTE: Standard ACL numbers: 1-99; Extended ACL numbers: ;

Page 36 Chapter 11: Extended/Standard ACL
One cannot add ACL statements to an access-list (except at the end of the list). The access list must be deleted first and then rewritten. That is why it is a good idea to first write your access-list in text (using Notepad) and then transfer it to your router.
Outbound filters do not affect traffic originating from the local router!

Page 37 Chapter 11: Configuring Named ACLs
NOTE: named ACLs
- are not compatible with Cisco IOS releases prior to Release 11.2
- cannot use the same name for multiple ACLs. Ex. Can't specify a standard ACL named XYZ and an extended ACL with the same name.
- can be used for both standard and extended ACLs
- use an alphanumeric string instead of the ACL number ( )
Use Named ACLs to intuitively identify ACLs using an alphanumeric name. Use Named ACLs when more than 99 standard and 100 extended ACLs have to be configured in a router for a given protocol.

Page 38 Chapter 11: Configuring Named ACLs
Router(config)# ip access-list { standard | extended } name
{ deny | permit } { commands }
ip access-list standard internetfilter
 deny
 permit
 permit
ip access-list extended marketing-group
 permit tcp any eq telnet
 deny udp any lt 1024

Page 39 Chapter 11: Named ACL
A named ACL will allow the deletion of statements, but will only allow statements to be inserted at the end of the list.

Page 40 Chapter 11: More Details
access-list 1 permit
Matched value: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Result:

Page 41 Chapter 11
access-list 1 permit
Matched value: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Result:
Does the result equal the matched value? No! The incoming packet will not be permitted.

Page 42 Chapter 11
access-list 1 permit
Matched value: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
Result:
Does the result equal the matched value? Yes! The incoming packet will be permitted.

Page 43 Chapter 11
access-list 1 permit
Matched value: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx0
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx1
Result:
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx0
Result:

Page 44 Chapter 11
access-list 1 permit
Matched value: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx0
Incoming packet with address of : will it be permitted?
Source:
Wildcard mask: xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx1
Result:
This access list permits , and denies and . It permits all even addresses from the network (the last wildcard bit is 0, so the low-order bit is checked and must be 0).
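The wildcard comparison walked through on Pages 40 to 44, together with the top-down evaluation and implicit deny from Page 6, as an added Python example that is not part of the original presentation. The ACL entries and packet addresses below are constructed for this illustration (the slides' own addresses are not legible in this transcript).

```python
import ipaddress


def wildcard_match(address: str, match_value: str, wildcard: str) -> bool:
    """Compare an address with an ACL match value under a wildcard mask.

    A 0 bit in the wildcard means "check this bit", a 1 bit means "ignore it".
    The address matches when every checked bit equals the matched value.
    """
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(match_value))
    w = int(ipaddress.IPv4Address(wildcard))
    check = ~w & 0xFFFFFFFF            # bits that must be checked
    return (a & check) == (m & check)  # compare only those bits


def evaluate_standard_acl(entries, source: str):
    """Walk a standard ACL top-down the way IOS does.

    entries: list of (action, match_value, wildcard) in configured order.
    Returns (action, index): the first matching entry wins; if nothing
    matches, the implicit 'deny any' at the end applies (index -1).
    """
    for index, (action, match_value, wildcard) in enumerate(entries):
        if wildcard_match(source, match_value, wildcard):
            return action, index
    return "deny", -1


# Constructed example ACLs (addresses chosen for this illustration):
# the "deny one host, permit everything else" pattern of Pages 22-23 ...
ACL_DENY_HOST = [
    ("deny",   "172.16.4.13", "0.0.0.0"),          # host 172.16.4.13
    ("permit", "0.0.0.0",     "255.255.255.255"),  # any
]
# ... and the "permit only even addresses" list of Pages 43-44: the last
# wildcard bit is 0, so the low-order host bit is checked and must equal 0.
ACL_EVEN_ONLY = [
    ("permit", "172.16.0.0", "0.0.255.254"),
]

if __name__ == "__main__":
    for src in ("172.16.4.13", "172.16.4.12", "10.0.0.1"):
        print(src, evaluate_standard_acl(ACL_DENY_HOST, src),
              evaluate_standard_acl(ACL_EVEN_ONLY, src))
```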

Page 45 Chapter 11: Permit/Deny blocks of addresses
One can permit or deny a block of addresses. However, the block size must be a power of 2 (for example 2, 4, 8, 16, 32, 64, 128, etc.). When we need to specify a range of addresses, choose the closest block size for our needs.
Example: block access to part of a network that is in the range from through . This is a block size of 8. Hence:
Note: the wildcard part is always 1 less than the block size! Also, in this case for a block of 8, the beginning address must start at 0, 8, 16, etc.

Page 46 Chapter 11: Permit/Deny blocks of addresses
Example: a subnet whose addresses range from to . Divide this network so the top half of the addresses are permitted and the bottom half are denied to any other network. What is the access list?
The block range is: 64
What is the access-list for the bottom?
access-list 101 deny ip any
What is the access-list for the top?
access-list 101 permit ip any

Page 47 Chapter 11: Permit/Deny blocks of addresses
What does this do?
access-list 10 deny
Denies a block of 64 subnetworks starting at
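The block-size rules of Pages 45 to 47 (power of two, wildcard one less than the block size, aligned start) as an added Python helper that is not part of the original presentation. The networks used in the checks are constructed; the functions also give the inverse, which addresses a given match/wildcard pair actually covers, which the slides only ask as a question.

```python
import ipaddress


def range_to_acl(first: str, block_size: int):
    """Express a block of `block_size` consecutive addresses starting at
    `first` as the (match_value, wildcard) pair of one ACL statement.

    As the slides state, the block size must be a power of two, the
    wildcard is one less than the block size, and the first address must
    sit on a multiple of the block size (0, 8, 16, ... for a block of 8).
    """
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    start = int(ipaddress.IPv4Address(first))
    if start % block_size:
        raise ValueError("block must start on a multiple of its size")
    wildcard = block_size - 1
    return first, str(ipaddress.IPv4Address(wildcard))


def acl_coverage(match_value: str, wildcard: str):
    """Inverse check: which addresses does a (match, wildcard) pair cover?

    Assumes a contiguous (block-style) wildcard. Returns (first, last, count).
    """
    m = int(ipaddress.IPv4Address(match_value))
    w = int(ipaddress.IPv4Address(wildcard))
    first = m & ~w & 0xFFFFFFFF   # ignored bits cleared
    last = first | w              # ignored bits set
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)), w + 1)


def split_in_halves(network: str):
    """Bottom and top half of a network as two (match, wildcard) pairs,
    the way Page 46 splits a subnet into a denied and a permitted half."""
    net = ipaddress.IPv4Network(network)
    half = net.num_addresses // 2
    bottom = range_to_acl(str(net.network_address), half)
    top = range_to_acl(str(net.network_address + half), half)
    return bottom, top


if __name__ == "__main__":
    print(range_to_acl("192.168.10.16", 8))          # block of 8 -> wildcard 0.0.0.7
    print(acl_coverage("172.16.64.0", "0.0.63.255"))  # 64 class-C sized subnets
    print(split_in_halves("192.168.1.0/24"))
```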

Page 48 Chapter 11: Virtual Terminal ACL
To block access through the vty ports in order to control telnet sessions into the router, write the ACL as usual but use access-class to apply it.
Example:
Router(config)# access-list 1 permit
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# access-class 1 in
Note: only numbered access lists can be applied to virtual lines!

Page 49 Chapter 11: Established option
The established option in an access-list applies only to TCP datagrams. There are cases when one wants to stop a host B from initiating a connection with a host A while permitting A to initiate connections with B.
[Diagram: hosts A and B; A establishes a connection and B responds, while B establishing a connection toward A is blocked]

Page 50 Chapter 11: Established option
[Diagram: router with interfaces E0 and E1; E1 faces the INTERNET]
Router(config)# access-list 101 permit tcp any eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
Router(config)# int E1
Router(config-if)# ip access-group 101 in
Note: the established argument is limited to TCP, which means UDP, ICMP and all other IP protocols are not matched by it and will be denied unless specifically allowed.
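Pages 49 and 50 in code: an added Python evaluator for extended ACL entries with the established keyword, not part of the original presentation. The inside network 172.16.0.0/16, the web server 172.16.1.10 and the packets are constructed for the illustration; a TCP segment counts as established when its ACK or RST flag is set, which is how IOS applies the keyword.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' abbreviation


def host(addr: str):
    return (addr, "0.0.0.0")           # the 'host' abbreviation


def _match(addr: str, value: str, wildcard: str) -> bool:
    # Bits may differ from the match value only where the wildcard bit is 1.
    a, v, w = (int(ipaddress.IPv4Address(x)) for x in (addr, value, wildcard))
    return (a ^ v) & ~w & 0xFFFFFFFF == 0


def evaluate_extended(acl, pkt):
    """Top-down evaluation of an extended ACL with the implicit deny.

    acl entries: (action, protocol, (src, src_wc), (dst, dst_wc), dport, established)
    pkt: dict with 'proto', 'src', 'dst', optional 'dport', and for TCP a
         'flags' set such as {"SYN"} or {"ACK"}.
    Returns (action, index); index -1 means the implicit deny applied.
    """
    for i, (action, proto, src, dst, dport, established) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_match(pkt["src"], *src) and _match(pkt["dst"], *dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # 'established' applies to TCP only and matches segments that belong
        # to a connection already set up (ACK or RST set). A bare SYN that
        # tries to open a new connection from outside does not match it.
        if established and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return action, i
    return "deny", -1


# Constructed ACL 101, applied inbound on the Internet-facing interface E1:
INSIDE = ("172.16.0.0", "0.0.255.255")
ACL_101 = [
    ("permit", "tcp", ANY, INSIDE,              None, True),   # replies to inside-initiated TCP
    ("permit", "tcp", ANY, host("172.16.1.10"), 80,   False),  # new connections to the web server only
    ("permit", "udp", ANY, ANY,                 53,   False),  # DNS
]

if __name__ == "__main__":
    syn_in = {"proto": "tcp", "src": "203.0.113.5", "dst": "172.16.1.20",
              "dport": 22, "flags": {"SYN"}}
    reply = {"proto": "tcp", "src": "203.0.113.5", "dst": "172.16.1.20",
             "dport": 51000, "flags": {"ACK"}}
    print(evaluate_extended(ACL_101, syn_in), evaluate_extended(ACL_101, reply))
```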

Page 51 Chapter 11: Where to place ACLs?
Cisco's definition:
- Standard ACL: put the ACL as near the destination as possible (one might not have access to all the routers).
- Extended ACL: put the ACL as close as possible to the source of the traffic being denied.

Page 52 Chapter 11: Real life example
Allow the host an Internet connection, but don't allow the Internet to initiate any sessions.
[Diagram: router with interfaces E0 and E1; E1 faces the INTERNET]

Page 53 Chapter 11: Established option
[Diagram: router with interfaces E0 and E1; E1 faces the INTERNET]
Router(config)# access-list 101 permit tcp any established
Router(config)# access-list 101 permit tcp any host eq www
Router(config)# int E1
Router(config-if)# ip access-group 101 in

Page 54 Chapter 11: Established option
[Diagram: router with interfaces E0 and E1; E1 faces the INTERNET]
Router(config)# access-list 101 permit tcp any eq www established
Router(config)# int E1
Router(config-if)# ip access-group 101 in