ccna2 m11 access control lists

Upload: agapie-alexandru

Post on 17-Oct-2015


  • 5/27/2018 CCNA2 M11 Access Control Lists

    CCNA Semester 2, Module 11: Access Control Lists

    Objectives
    • Standard and extended ACLs
    • The rules for placement of ACLs
    • Create and apply named ACLs

    Access Control List Fundamentals

    What are ACLs?
    • ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
    • These lists tell the router what types of packets to accept or deny.
    • Acceptance and denial can be based on specified conditions.

    Reasons to create ACLs
    • Limit network traffic and increase network performance.
    • Provide traffic flow control.
    • Provide a basic level of security for network access.
    • Decide which types of traffic are forwarded or blocked at the router interfaces.

    Testing packets with ACLs
    • The order in which you place ACL statements is important.
    • A packet is checked against each condition statement, in the order in which the statements were created.
    • After a match is found, no more condition statements are checked.
    • If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.

    Configuration task list
    • ACLs are classified as numbered or named ACLs; each has two types: standard and extended.
    • The configuration task includes two steps:
      1. Create an ACL
      2. Apply the ACL to an interface

    Assigning an ACL number
    • The ACL number must be within the specific range specified for the protocol.
    • Modification of a numbered ACL involves deleting the entire list and creating a new one.
    • Remove a numbered ACL:
      no access-list list-number

    Apply access lists
    • An ACL can be assigned to one or more interfaces and can filter inbound or outbound traffic.
    • ACLs must be defined on a per-protocol, per-direction, or per-interface basis.
    • Eg: only one IP access list on interface s0 in the inbound direction.

    Types of Access Control Lists

    Standard ACL overview
    • Use a standard ACL when you want to: block all traffic from a network, allow all traffic from a network, or permit or deny an entire protocol suite.
    • Standard ACLs check the source address of packets that could be routed.
    • The result is either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.

    Standard ACL commands

    Router(config)#
      access-list access-list-number {deny | permit} source [source-wildcard] [log]

    Router(config-if)#
      ip access-group access-list-number {in | out}

    Access list number: 1-99, or 1300-1999 in recent IOS.

    Wildcard mask bits
    • A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
    • A wildcard mask bit 0 means "check the corresponding bit value".
    • A wildcard mask bit 1 means "do not check (ignore) the corresponding bit value".

    Wildcard mask & subnet mask
    • Wildcard masks operate differently from IP subnet masks.
    • Subnet mask: the zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
    • Wildcard mask: the zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.

    (Figure: Wildcard any)

    (Figure: Wildcard host)

    Examples: any, host
      Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
      Router(config)# access-list 1 permit any
      Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
      Router(config)# access-list 1 permit host 172.30.16.29
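The preceding slides describe first-match evaluation, the implicit "deny any", and wildcard masks; here is an added Python model of a standard ACL that ties them together (example code, not from the slides). The ACL lines and the source addresses tested are constructed for illustration, reusing the slide's host 172.30.16.29.

```python
import ipaddress

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask means 'check this bit', a 1 bit means 'ignore it'.
    The packet address must therefore equal the base address on every bit where the mask is 0."""
    diff = ip_to_int(addr) ^ ip_to_int(base)
    return (diff & ~ip_to_int(wildcard) & 0xFFFFFFFF) == 0

def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} source [source-wildcard] [log]' lines,
    including the 'any' and 'host' shorthands shown on the slide."""
    entries = []
    for line in lines:
        tok = line.split()            # ['access-list', N, action, source, ...]
        action, rest = tok[2], tok[3:]
        if rest[0] == 'any':          # any == 0.0.0.0 255.255.255.255
            base, wc = '0.0.0.0', '255.255.255.255'
        elif rest[0] == 'host':       # host A == A 0.0.0.0
            base, wc = rest[1], '0.0.0.0'
        else:
            base = rest[0]            # an omitted wildcard defaults to 0.0.0.0 (exact host)
            wc = rest[1] if len(rest) > 1 and rest[1] != 'log' else '0.0.0.0'
        entries.append((action, base, wc))
    return entries

def evaluate(entries, src: str) -> str:
    """Statements are tested in order; the first match decides and nothing after it is checked.
    If no statement matches, the implicit 'deny any' at the end of every ACL applies."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return 'deny'

# Constructed example ACL (not from the slides): permit one host, deny the rest of its /24,
# permit everything else. Order matters: swapping the first two lines would deny the host.
ACL_LINES = [
    'access-list 1 permit host 172.30.16.29',
    'access-list 1 deny 172.30.16.0 0.0.0.255',
    'access-list 1 permit any',
]

if __name__ == '__main__':
    acl = parse_standard_acl(ACL_LINES)
    for src in ('172.30.16.29', '172.30.16.50', '10.1.1.1'):
        print(src, '->', evaluate(acl, src))
```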

    Verifying ACLs
    • The show ip interface command displays IP interface information and indicates whether any ACLs are set.
    • The show access-lists command displays the contents of all ACLs on the router.
    • The show running-config command will also reveal the access lists on a router and the interface assignment information.

    (Figure: show ip interface output)

    (Figure: show access-lists output)

    Standard ACL examples

    ACL requirement
    1. Do not allow traffic between outside and network 172.16.3.0
    2. Node 172.16.4.13 can only access the Internet; network 172.16.4.0 (except 172.16.4.13) cannot access the Internet

    Extended ACL overview
    Extended ACLs provide a greater range of control than standard ACLs, including:
    • Protocols (IP, IPX, ICMP, TCP)
    • Source address (IP address, IPX address)
    • Destination address
    • Services or ports (Telnet, HTTP, FTP)
    • Other parameters (SYN, ACK, Echo)

    Extended ACL commands

    Router(config)#
      access-list ACL-number {permit | deny} protocol source [source-mask operator extended-para]
        destination [destination-mask operator extended-para] [log | log-input]

    Router(config-if)#
      ip access-group access-list-number {in | out}

    Access list number: 100-199, or 2000-2699 in recent IOS.

    Extended ACL parameters

    Parameter                     Description
    access-list                   Defines an access list
    access-list-number            Protocol-dependent ACL number (100-199)
    permit/deny                   Defines a statement to allow/block traffic
    source-mask/destination-mask  Wildcard mask: zero bits must match; one bits are not checked
    operator                      Logical operator: lt (less than), gt (greater than), eq (equal to), neq (not equal to)
    extended-para                 Extended parameter of the protocol used, eg: port (for TCP/UDP), echo (for ICMP)
    log [log-input]               Records all ACL matches, including violations
    in|out                        Applies this access list to inbound or outbound traffic
    protocol                      The protocol in question, including: IP, TCP, UDP, ICMP, GRE
    source/destination            Source/destination address

    Extended ACL: TCP/UDP protocol

    Router(config)#
      access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port]
        destination [d-mask operator d-port] [established] [log | log-input]

    established: only match if the ACK bit is set

    Router(config-if)#
      ip access-group access-list-number {in | out}

    (Figure: Reserved port numbers)
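To show how the TCP/UDP form above is evaluated, including the port operators from the parameter table and the established keyword, here is an added Python model (example code, not from the slides). The ACL lines and the packets are constructed, and the wildcard and established semantics follow only what this slide states.

```python
import ipaddress
def wildcard_match(addr, base, wildcard):
    """Wildcard mask: 0 bits must match the base address, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0
OPERATORS = {'lt': lambda p, n: p < n, 'gt': lambda p, n: p > n,      # the four port operators
             'eq': lambda p, n: p == n, 'neq': lambda p, n: p != n}    # from the parameter table
def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard'; return (base, wildcard, remaining tokens)."""
    if tok[0] == 'any':
        return '0.0.0.0', '255.255.255.255', tok[1:]
    if tok[0] == 'host':
        return tok[1], '0.0.0.0', tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_port(tok):
    # Consume an optional 'operator port' pair; return ((op, port) or None, remaining tokens).
    if tok and tok[0] in OPERATORS:
        return (tok[0], int(tok[1])), tok[2:]
    return None, tok

def parse_extended(lines):
    """Parse 'access-list N {permit|deny} {tcp|udp} src [op port] dst [op port] [established]'."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, swc, tok = parse_addr(tok[4:])
        sport, tok = parse_port(tok)
        dst, dwc, tok = parse_addr(tok)
        dport, tok = parse_port(tok)
        entries.append((action, proto, src, swc, sport, dst, dwc, dport, 'established' in tok))
    return entries

def evaluate(entries, pkt):
    """pkt: dict with proto, src, sport, dst, dport, ack. First match wins; otherwise implicit deny."""
    for action, proto, src, swc, sport, dst, dwc, dport, est in entries:
        if pkt['proto'] != proto or not (wildcard_match(pkt['src'], src, swc)
                                         and wildcard_match(pkt['dst'], dst, dwc)):
            continue
        if (sport and not OPERATORS[sport[0]](pkt['sport'], sport[1])) or \
           (dport and not OPERATORS[dport[0]](pkt['dport'], dport[1])):
            continue
        if est and not pkt['ack']:      # established: only segments with the ACK bit set
            continue
        return action
    return 'deny'                       # implicit deny any

# Constructed inbound ACL for an Internet-facing interface: web to server 172.16.4.13, plus the return half of TCP sessions opened from inside.
ACL_LINES = ['access-list 101 permit tcp any host 172.16.4.13 eq 80',
             'access-list 101 permit tcp any any established']
```

Note that the established entry matches on the ACK flag alone, so it permits any ACK-bearing segment, not just replies to sessions the router has seen.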

    Extended ACL: ICMP protocol

    Router(config)#
      access-list access-list-number {permit | deny} icmp source [source-mask destination destination-mask]
        [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [log | log-input]

    Router(config-if)#
      ip access-group access-list-number {in | out}

    Extended ACL: ICMP parameters

    Parameter      Description
    icmp-type      (Optional) A number between 0 and 255 specifying the ICMP message type
    icmp-code      (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
    icmp-message   (Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name.

    Named ACL overview
    • Uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation.
    • Considerations:
      - Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
      - You cannot use the same name for multiple ACLs.

    Named ACLs vs. numbered ACLs
    • Named ACLs have their own configuration mode with shorter and clearer command lines.
    • Named ACLs can be used to remove individual entries from a specific ACL.
    • Using a name is more understandable than using a number.
    • Eliminates the limit of 798 simple and 799 extended ACLs.

    Named ACL commands
      Router(config)# ip access-list {standard | extended} name
      Router(config-{std-|ext-}nacl)# deny {source [source-wildcard] | any}
      Router(config-{std-|ext-}nacl)# permit {source [source-wildcard] | any}
      Router(config-if)# ip access-group name {in | out}
      Router# show access-lists

    (Figure: Named ACL example)

    Inbound and outbound
    • If the ACL is inbound, when the router receives a packet and prior to the routing process, the router checks the ACL's statements for a match.
    • If the ACL is outbound, after receiving and routing a packet to the outbound interface, the router checks the ACL's statements for a match.

    Recommended rules
    • Place extended ACLs as close to the source of the denied traffic as possible.
    • Place standard ACLs as close to the destination as possible.
    • Placing ACLs on inbound interfaces may help to reduce routing processing tasks.
    • Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.

    (Figure: Firewall architecture)

    Control VTY access with access lists
    • Instead of applying an ACL on all router interfaces to filter telnet sessions to the router's interfaces, use an ACL on the vty lines.
    • Access into and out of virtual terminal line ports can be controlled by IP numbered ACLs.

      line vty 0 4
       login
       password cisco
       access-class access-list-number {in|out}

    • Interface access lists are applied only to traffic passing through the router, not to traffic originated by the router.

    (Figure: VTY control example)

    (Figure: Extended ACL examples topology: router RA, server 172.16.3.100)

    Access list requirements
    1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13
    2. Prevent all hosts except 172.16.4.13 on network 172.16.4.0 from accessing server 65.10.13.133
    3. Prevent all hosts, except 172.16.3.100, on network 172.16.3.0 from accessing 172.16.4.13 using web and tftp
    4. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.

    ACL challenge
    • The outer network can't ping into the inner network.
    • Do not allow the outer network to access the inner network, except the web service on the Web Server (.66).
    • Traffic between Net1 and Net3 is not allowed.
    • Other networks can only access the web service on the Web Server.
    • Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link.
    • Telnet to routers only from PC1.
    • All other kinds of traffic are allowed.

    (Figure: ACL challenge topology on 192.169.10.0/24 with routers R_1, R_2, R_3, the Internet, Net1 (.32), Net2 (.64), Net3 (.96), hosts PC1, PC2, PC3 and Web, and interfaces E0, E1, S0, S1)

    Summary
    • ACL definition
    • How ACLs work
    • Wildcard mask
    • Standard numbered ACL configuration
    • Extended numbered ACL configuration
    • Named ACL configuration
    • Placing ACLs

    CCNA2 Module 11