ACLs Access Control Lists


ACLs Access Control Lists 2017/4/27

What are ACLs? ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as protocol, source address, destination address and port number.

Packet Filtering Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

Packet Filtering

Fields of the packet to be checked

What are ACLs?

What are ACLs? ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL.

ACLs on a Router

ACLs on a Router's Interfaces

Inbound or Outbound ACLs
Inbound ACLs: incoming packets are processed before they are routed to the outbound interface.
Outbound ACLs: incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

Inbound ACLs An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

How ACLs Work (Inbound)

How ACLs Work (Outbound)

Routing & ACLs on Routers - 1

Routing & ACLs on Routers - 2

Implied "Deny All Traffic" At the end of every access list is an implied "deny all traffic" criteria statement, the "implicit deny any" statement. If a packet does not match any of the ACL entries, it is automatically blocked.

Access List Grouping ACLs must be defined on a per-protocol, per-direction, or per-port basis.

Steps in Enforcing an ACL
Step 1: define the ACL conditions (configuring standard, extended and named ACLs).
Step 2: apply the ACL to one of the router's interfaces:
Router(config)# int serial 0
Router(config-if)# ip access-group 1 in (or out)
Outbound ACLs are generally more efficient than inbound, and are therefore preferred. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.

Command syntax for applying an ACL to a router interface:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

Types of ACL: numbered ACL, named ACL, standard ACL, extended ACL.

ACL Examples
router(config)# access-list 1 permit 172.16.0.0 0.0.255.255 log
The parts of this statement: global config prompt, ACL number, action (deny/permit or remark), source address, wildcard mask.
This is the so-called Standard ACL. Any other ACLs?

Wildcard Mask Wildcard = "wild card" (as in card games). What is a wild card? The wildcard mask is NOT the subnet mask. A 1 in the wildcard mask means "do not check the bit of the IP address in the same position".

Wild Card

Wild Card Mask Examples

Standard ACL Checks only the source address. Checks only IP packets.
Syntax:
Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
access-list-number = [1~99] & [1300~1999] in recent IOS
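A small evaluator for the standard ACL syntax above, added here as an illustration (it is not Cisco IOS code and not part of the original slides). It parses access-list lines as the slides show them (including the host and any keywords and an omitted wildcard), applies the wildcard-mask rule (a 1 bit means "do not check"), walks the entries in configured order and falls through to the implicit deny. The ACL lines and packet addresses are constructed for the example.

```python
import ipaddress


def ip_to_int(addr):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_src, acl_addr, wildcard):
    """A 1 bit in the wildcard mask means 'do not check this bit'.
    The packet matches when every bit the mask does check agrees."""
    check = 0xFFFFFFFF ^ ip_to_int(wildcard)  # bits the mask says to check
    return (ip_to_int(packet_src) & check) == (ip_to_int(acl_addr) & check)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny|remark} source [wildcard] [log]' lines
    into (action, address, wildcard) tuples in configured order.
    Handles 'any', 'host A.B.C.D' and an omitted (all-zero) wildcard;
    'log' is accepted and ignored, 'remark' lines are documentation only."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tokens[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        args = [t for t in tokens[3:] if t != "log"]
        if args[0] == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif args[0] == "host":
            addr, wildcard = args[1], "0.0.0.0"
        else:
            addr = args[0]
            wildcard = args[1] if len(args) > 1 else "0.0.0.0"
        entries.append((action, addr, wildcard))
    return entries


def evaluate(entries, packet_src):
    """Sequential first-match evaluation; no match means the implicit deny."""
    for action, addr, wildcard in entries:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"


# Constructed ACL: block one host, then permit the rest of 172.16.0.0/16.
ACL_1 = parse_standard_acl([
    "access-list 1 remark constructed example for the slides",
    "access-list 1 deny host 172.16.4.13",
    "access-list 1 permit 172.16.0.0 0.0.255.255 log",
])

# Constructed ACL with the ordering mistake the slides warn about:
# 'permit any' comes first, so the deny below it is never reached.
ACL_SHADOWED = parse_standard_acl([
    "access-list 3 permit any",
    "access-list 3 deny host 172.16.4.13",
])

if __name__ == "__main__":
    for src in ("172.16.4.13", "172.16.9.1", "10.0.0.1"):
        print(f"ACL 1: {src} -> {evaluate(ACL_1, src)}")
    print("ACL 3: 172.16.4.13 ->", evaluate(ACL_SHADOWED, "172.16.4.13"))
```

The same wildcard rule is what makes `access-list 2 permit 36.48.0.3` and `access-list 2 permit 36.48.0.3 0.0.0.0` equivalent: an omitted wildcard is all zeros, so every bit is checked.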

Remark keyword The remark keyword is used for documentation and makes access lists a great deal easier to understand.

Examples of Standard ACL

host

Host & any

Extended ACL Checks the following 4 parameters: protocol (of the routed packet), source, destination, port number (transport layer header).
Syntax:
Router(config)# access-list access-list-number {permit | deny | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]

Examples of Extended ACL

Extended ACL Examples

established This parameter allows responses to traffic that originates from the 192.168.10.0/24 network to return inbound on s0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but would not receive traffic from the web server. This lets the internal network initiate connections to the external network, while the external network cannot initiate connections to the internal network.
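The web-server scenario above, modelled in Python as an added example (not Cisco IOS code and not part of the original slides). Extended ACL entries are plain dataclasses rather than parsed text; only the eq port operator is modelled, and the established check is exactly the rule stated on the slide: a TCP segment with ACK or RST set. The outbound ACL lets 192.168.10.0/24 open HTTP sessions, the inbound ACL admits only replies to them, and a second inbound ACL without established shows the replies being dropped. Addresses, ports and packets are constructed; 203.0.113.10 stands in for the web server.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr, acl_addr, wildcard):
    """Wildcard-mask comparison: a 1 bit in the mask means 'do not check'."""
    check = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & check) == \
        (int(ipaddress.IPv4Address(acl_addr)) & check)


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port (TCP/UDP only)
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


@dataclass
class ExtEntry:
    """One extended ACL statement (only the 'eq' destination-port operator)."""
    action: str
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    eq_dport: Optional[int] = None   # None means any destination port
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.eq_dport is not None and p.dport != self.eq_dport:
            return False
        # 'established': only TCP segments with ACK or RST set, i.e. segments
        # that belong to a connection already opened from the other side.
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def evaluate(acl: List[ExtEntry], packet: Packet) -> str:
    """First match wins; an ACL that matches nothing ends in the implicit deny."""
    for entry in acl:
        if entry.matches(packet):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("192.168.10.0", "0.0.0.255")

# Constructed outbound ACL on s0/0/0: inside clients may open HTTP sessions.
OUTBOUND = [ExtEntry("permit", "tcp", *INSIDE, *ANY, eq_dport=80)]
# Constructed inbound ACL on s0/0/0: only replies to existing sessions may enter.
INBOUND = [ExtEntry("permit", "tcp", *ANY, *INSIDE, established=True)]
# Constructed inbound ACL with no 'established' entry (it only admits SMTP):
# the web server's replies fall through to the implicit deny.
INBOUND_STRICT = [ExtEntry("permit", "tcp", *ANY, *INSIDE, eq_dport=25)]

# Constructed packets: the client's request, the server's reply (ACK set),
# and a fresh connection attempt opened from the outside (no ACK, no RST).
REQUEST = Packet("tcp", "192.168.10.5", "203.0.113.10", dport=80)
REPLY = Packet("tcp", "203.0.113.10", "192.168.10.5", dport=49152, ack=True)
PROBE = Packet("tcp", "203.0.113.10", "192.168.10.5", dport=80)

if __name__ == "__main__":
    print("outbound request:", evaluate(OUTBOUND, REQUEST))
    print("inbound reply   :", evaluate(INBOUND, REPLY))
    print("inbound probe   :", evaluate(INBOUND, PROBE))
    print("reply, no established:", evaluate(INBOUND_STRICT, REPLY))
```

Note what established does and does not give you: it keys only on TCP flag bits, so it has no effect on UDP or ICMP, and a crafted segment with ACK set matches too. The reflexive ACLs discussed later track the actual session instead.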

Other ACL numbering Numbers 200 to 1299 are skipped because those numbers are used by other protocols. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX. This course focuses only on IP ACLs.

Verifying ACL: show access-lists

Named ACLs There are cases where you need them: you have more than 99 (+699) simple and 100 (+699) extended ACLs to be configured in a router for a given protocol (this is less likely now), or you want to intuitively identify ACLs using an alphanumeric name.

Named ACLs

Named ACL

Named ACL Syntax

Modifying Named ACL Named ACLs have a big advantage over numbered ACLs in that they are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.
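Why sequence numbers matter when editing, shown with an added Python model of a named standard ACL (this is illustration code, not Cisco IOS and not part of the original slides). Entries are keyed by sequence number; adding without a number appends at the bottom (IOS numbers entries 10, 20, 30, ... by default), adding with a number inserts in place, and a single entry can be deleted without rebuilding the list. The scenario is constructed: a host inside a permitted /16 must be blocked, and appending the deny does nothing because the earlier permit already matches it.

```python
import ipaddress


def wildcard_match(addr, acl_addr, wildcard):
    """Wildcard-mask comparison: a 1 bit in the mask means 'do not check'."""
    check = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & check) == \
        (int(ipaddress.IPv4Address(acl_addr)) & check)


class NamedStandardAcl:
    """Named standard ACL whose entries are keyed by sequence number,
    modelling the IOS 12.3+ editing behaviour the slide describes."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> (action, address, wildcard)

    def add(self, action, addr, wildcard="0.0.0.0", seq=None):
        """Without a sequence number the entry goes to the bottom; with one
        it is inserted at that position in the evaluation order."""
        if seq is None:
            seq = max(self.entries, default=0) // 10 * 10 + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.entries[seq] = (action, addr, wildcard)
        return seq

    def delete(self, seq):
        """Remove one entry (like 'no <seq>' in ACL configuration mode)."""
        del self.entries[seq]

    def evaluate(self, src):
        """Entries are tested in sequence-number order; first match wins,
        otherwise the implicit deny applies."""
        for seq in sorted(self.entries):
            action, addr, wildcard = self.entries[seq]
            if wildcard_match(src, addr, wildcard):
                return action
        return "deny"

    def show(self):
        """Lines in the spirit of 'show access-lists' output."""
        return [f"{seq} {action} {addr} {wc}"
                for seq, (action, addr, wc) in sorted(self.entries.items())]


def demo():
    """Constructed walk-through: append is shadowed, insert at 5 is not."""
    acl = NamedStandardAcl("INSIDE-HOSTS")
    acl.add("permit", "172.16.0.0", "0.0.255.255")       # becomes 10
    acl.add("deny", "0.0.0.0", "255.255.255.255")        # becomes 20
    before = acl.evaluate("172.16.4.13")                 # permit
    appended = acl.add("deny", "172.16.4.13")            # becomes 30, shadowed
    after_append = acl.evaluate("172.16.4.13")           # still permit
    acl.add("deny", "172.16.4.13", seq=5)                # inserted before 10
    after_insert = acl.evaluate("172.16.4.13")           # deny
    acl.delete(appended)                                 # drop only the useless entry
    return before, after_append, after_insert, acl.show()


if __name__ == "__main__":
    for item in demo():
        print(item)
```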

Modifying Named ACL

ACL Best Practices

Things to note with ACLs - 1
Conditions in an ACL are tested sequentially, in the order in which they were created, so the order in which you place ACL statements is important.
After a match is found, no more condition statements are checked.
If you create a condition statement that permits all traffic, no statements added later will ever be checked.
If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.

Things to note with ACLs - 2 Try to minimize the number of ACL statements as far as possible by careful thinking. Make good use of the wildcard mask; see the example below.

More to note … (any command)

More to note … (host command) You can omit the wildcard if it is all zeros; these two statements are equivalent:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0

When modifying standard/extended ACLs … If you need additional statements in an ACL, you must delete the ACL and re-create it with the new condition statements. This is why it's a good idea to edit a router configuration on a PC using a text editor and then Trivial File Transfer Protocol (TFTP) it to the router.

Placing ACLs The rule is:
Put extended ACLs as close as possible to the source of the traffic denied. Extended ACLs can filter using source and/or destination addresses.
Put standard ACLs as close as possible to the destination. Standard ACLs do not specify destination addresses.

Example Condition 1: need to prevent FTP access from Router A's FA0/1 subnet to Router D. Condition 2: need to prevent all traffic from Router A's FA0/1 subnet to Router D.

Firewall The outside router directs all traffic to the application gateway. The inside router accepts traffic from the application gateway only. ACLs should be used in firewall routers.

Complex ACLs

Dynamic ACLs Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the existing extended ACL. This permits traffic for a particular period; idle and absolute timeouts are possible.

Dynamic ACLs

When to Use Dynamic ACLs When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.

Dynamic ACL Examples

Reflexive ACLs Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.

Example

Time-based ACLs Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week.

Example

Trouble-shooting ACL The order of statements is essential…

Trouble-shooting ACL What protocol does TFTP use?

Trouble-shooting ACL Are you sure you have the correct syntax?

Trouble-shooting ACL 1. IP address 2. Position of the extended ACL

Trouble-shooting ACL Not sure where the error is…