Download presentation
Presentation is loading. Please wait.
Published byHolly Sims Modified over 8 years ago
1
Access Control List ACL’s 5/26/2016 1
2
What Is an ACL? An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols. Routers provide basic traffic filtering capabilities, such as blocking internet traffic, with access control lists (ACLs. ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. 5/26/2016 2
3
ACL’s Acceptance and denial can be based on certain specifications, such as source address, destination address, and port number. ACLs can be created for all routed network protocols, such as internet protocol (IP) and Internetwork packet exchange (IPX). Can be configured at the router to control access to a network or subnet. Must be defined on a per-protocol basis. 5/26/2016 3
4
Reasons to Create ACL’s Limit network traffic and increase network performance. Provide traffic flow control. ACLs can restrict or reduce the contents of routing updates. Provide a basic level of security for network access. Decide which types of traffic are forwarded or blocked at the router interfaces. 5/26/2016 4
5
Access Control Lists (ACLs) The order in which you place ACL statements is important. (IOS) software tests the packet against each condition statement, in the order in which the statements were created. After a match is found, no more condition statements are checked. Once created, if you need additional statements, in a standard or extended ACL you must delete the ACL and re-create it with the new condition statements. 5/26/2016 5
6
How ACL’s Work You can create an ACL for each protocol you want to filter for each router interface. 5/26/2016 6
7
How ACL’s Work An ACL is a group of statements that define how packets: enter inbound interfaces, relay through the router, exit outbound interfaces of the router. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. Now, the router checks whether the inbound interface has an ACL. If one exists, the packet is now tested against the conditions in the list. 5/26/2016 7
8
How ACL’s Work ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit "deny any" statement is imposed. This means that even though you will not see the "deny any" as the last line of an ACL, it is there. 5/26/2016 8
9
Creating ACLs You create ACLs by using the global configuration mode. Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL statements. Specifying an ACL number from 100 to 199 instructs the router to accept extended ACL statements. You must carefully select and logically order the ACL. 5/26/2016 9
10
Creating ACLs Two steps: 1. define the ACL Example, router(config)#access-list access list number permit/deny {test conditions} 2. Apply ACL to an interface (ex. E0, s0, s1) by using the access-group command. Router(config-if) protocol access-group access-list number in/out 5/26/2016 10
11
Deleting an ACL If you want to alter an ACL containing numbered ACL statements, you need to delete all the statements in the numbered ACL by using the command no access- list list-number. If you have already applied the access-group to an interface, use the command no access- group list-number in/out before the no access- list list-number command. 5/26/2016 11
12
Wildcard Masks A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value". A wildcard mask is paired with an IP address. 5/26/2016 12
13
Wildcard Masks The zero and one bits in an ACL wildcard mask cause the ACL to either check or ignore the corresponding bit in the IP address. Say you want to test an IP address for subnets that will be permitted or denied. You want to use IP wildcard mask bits to permit all packets from any host in the 172.30.16.0 to 172.30.31.0 subnets. Example will be done on board. 5/26/2016 13
14
Wildcard Any To indicate any IP address, you would enter 0.0.0.0; Then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, 255.255.255.255). Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword. 5/26/2016 14
15
The Host Command Say you want to specify that a specific IP host address will be permitted in an ACL test. To indicate a host IP address, you would enter the full address (for example, 172.30.16.29); Then, to indicate that the ACL should check all the bits in the address. That is 0.0.0.0 in wildcard mask form. You can use the abbreviation host to communicate this same test condition to Cisco IOS ACL software. 5/26/2016 15
16
Standard ACLs You use standard ACLs when you want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites. Standard ACLs check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network, subnet, and host addresses. 5/26/2016 16
17
Standard Access-list Example Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ] [log] Access-list 33 permit 172.16.0.0 0.0.255.255 log (permits all traffic from 172.16.0.0) Access-list 44 deny 172.16.13.7 0.0.0.0 log (denies traffic from host 172.16.13.7) Access-list 55 deny 172.16.64.0 any log (denies all traffic from network 172.16.64.0) 5/26/2016 17
18
How to Verify Access Lists You use the show access-lists EXEC command to display the contents of all ACLs. In addition, you use the show access- lists EXEC command followed by the name or number of an ACL to display the contents of one ACL. 5/26/2016 18
19
Standard Access-lists The ip access-group command groups an existing ACL to an interface. Remember that only one ACL per port per protocol per direction is allowed. Router(config-if)#ip access-group access-list-number {in | out}. 5/26/2016 19
20
Extended Access-list Provide a greater range of control than standard ACLs. Extended ACLs check for both source and destination packet addresses. They also can check for specific protocols, port numbers, and other parameters. 5/26/2016 20
21
Extended Access-list Packets can be permitted or denied output based on where the packet originated and based on its destination. Router(config)# access-list access-list- number {permit | deny} protocol source [source-mask destination destination- mask operator operand] [established] 5/26/2016 21
22
Extended Access-list For more precise traffic-filtering control, you use extended ACLs. Extended ACL statements check for source address and for destination address. In addition, at the end of the extended ACL statement, you gain additional precision from a field that specifies the optional TCP or user Datagram protocol (UDP) protocol port number.. Extended ACLs use a number in the range 100 to 199. 5/26/2016 22
23
Extended Access-group The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. Router(config-if)# ip access-group access-list-number {in | out} 5/26/2016 23
24
Placing ACL’s The rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near the destination as possible. ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the internet. 5/26/2016 24
25
Placing ACL’s To provide the security benefits of ACLs, you should at a minimum configure ACLs on border routers, which are routers situated on the boundaries of the network. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. 5/26/2016 25
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.