Access Control List (ACL)
W.lilakiatsakun

Transcript of the slide deck (46 pages). Section outline: ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.

Page 1 (title slide): Access Control List (ACL), W.lilakiatsakun

Page 2

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 3

Introduction to ACL (1)

► ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.
► These lists tell the router what types of packets to accept or deny.
► Acceptance and denial can be based on specified conditions.
► ACLs enable management of traffic and secure access to and from a network.

Page 4

ACL (figure)

Page 5

Introduction to ACL (2)

► To filter network traffic, ACLs determine whether routed packets are forwarded or blocked at the router interfaces.
► The router examines each packet and forwards or discards it based on the conditions specified in the ACL.
► An ACL makes its permit or deny decision based on source address, destination address, protocol, and upper-layer port numbers. It does not change where a permitted packet is routed; the routing table still decides that.
► How many of these fields an ACL can test depends, in part, on whether it is a "standard" or an "extended" ACL.

Page 6

Cisco IOS checks the packet and the upper-layer header (figure)

Page 7

Introduction to ACL (3)

► ACLs are defined on a per-protocol, per-direction, per-interface basis.
► To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
► ACLs control traffic in one direction at a time on an interface.
► Two separate ACLs must be created to control inbound and outbound traffic.
► Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each protocol (3), times two for each direction (2), times two for the number of interfaces (2).
► (2 interfaces for IP in, 2 IP out, 2 IPX in, 2 IPX out, 2 AppleTalk in, 2 AppleTalk out.)

Page 8

Access Control List grouping in a router (figure)

Page 9

ACL Tasks (1)

► Limit network traffic and increase network performance. For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.
► Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
► Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

Page 10

ACL Tasks (2)

► Decide which types of traffic are forwarded or blocked at the router interfaces.
  - ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.
► Control which areas a client can access on a network.
► Screen hosts to permit or deny access to a network segment.
  - ACLs can be used to permit or deny a user access to services such as FTP or HTTP (matched by protocol and port, not by file type).

Page 11

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 12

How ACL works (1)

► The order in which ACL statements are placed is important.
► The packet is tested against each condition statement in order, from the top of the list to the bottom.
► Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.
► If a condition statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked.

Page 13

(figure)

Page 14

How ACL works (2)

► ACL statements operate in sequential, logical order.
► If a condition matches, the packet is permitted or denied and the rest of the ACL statements are not checked.
► If none of the ACL statements match, an implicit "deny any" statement at the end of the list applies by default.
► The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted.
► When first learning how to create ACLs, it is a good idea to add an explicit deny any at the end of the ACL to reinforce the presence of the implicit deny. The explicit entry has a practical use too: the implicit deny keeps no hit counter, while an explicit final deny shows its matches in show access-lists, so you can see how much traffic the list is dropping.

Page 15

How ACL works (3)

► If additional condition statements are needed in a numbered access list, the entire ACL must be deleted and recreated with the new condition statements! Nothing is more aggravating than having to re-enter a 50-line ACL just to make one change.
► To make the process of revising an ACL simpler, it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.

Page 16

Routing Process (1)

► The beginning of the router process is the same whether ACLs are used or not.
► As a frame enters an interface, the router checks whether the Layer 2 address matches or whether it is a broadcast frame.
► If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.
► If an ACL exists, the packet is now tested against the statements in the list.
► If the packet matches a statement, the packet is either accepted or rejected.

Page 17

Routing Process (2)

► If the packet is accepted at the inbound interface, it is then checked against the routing table entries to determine the destination interface and switched to that interface.
► Next, the router checks whether the destination interface has an ACL (this is still within the same router).
► If an ACL exists, the packet is tested against the statements in the list.
► If the packet matches a statement, it is either accepted or rejected.
► If there is no ACL, or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Page 18

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 19

Creating rules for ACLs (1)

► There is an implicit deny any at the end of all access lists. It will not appear in the configuration listing.
► Access list entries should filter in the order from specific to general. Specific hosts should be handled first, and groups or general filters should come last.
► The match condition is examined first. The permit or deny is applied only if the match is true.
► Never work with an access list that is actively applied. Remove it from the interface first; with a numbered list, the interface would otherwise be filtering with a half-built list while you re-enter it.
► A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.

Page 20

Creating rules for ACLs (2)

► New lines are always added to the end of the access list. A no access-list x command removes the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
► When an IP access list rejects a packet, the router discards it and sends an ICMP destination unreachable message (the "administratively prohibited" code) back to the sender. That reply tells a sender where the filtering is; no ip unreachables on the interface suppresses it.
► An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS apply a default deny any to the interface and all traffic is halted; other versions permit everything through an interface whose referenced list does not exist. Either outcome is wrong, so remove the ip access-group from the interface before deleting the list.
► Outbound filters do not affect traffic that originates from the local router.

Page 21

Creating rules for ACLs (3)

► There should be one access list per protocol per direction.
► Standard access lists should be applied closest to the destination.
► Extended access lists should be applied closest to the source.
► The inbound or outbound direction is referenced as if looking at the interface from inside the router: "in" filters packets arriving through the interface, "out" filters packets leaving through it.
► Statements are processed sequentially from the top of the list to the bottom until a match is found.
► If no match is found, the packet is denied and discarded.

Page 22

Applying ACLs (figure)

Page 23

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 24

The function of a wildcard mask

► A wildcard mask is a 32-bit quantity that is divided into four octets.
► A wildcard mask is paired with an IP address.
► The ones and zeros in the mask identify how to treat the corresponding IP address bits: a 0 bit means the packet's address bit must equal the ACL address bit, a 1 bit means that bit is ignored.
► Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

Page 25

Wildcard Mask vs Subnet Mask

► The subnet mask and the wildcard mask represent two different things when they are compared to an IP address.
► Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address.
► Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address.
► The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.

Page 26

Wildcard Mask EX (1) (figure)

Page 27

Wildcard Mask EX (2) (figure)

Page 28

Wildcard Mask EX (3) (figure)

Page 29

Wildcard Mask EX (4) (figure)

Page 30

Wildcard Mask Keyword

► There are two special keywords used in ACLs, the any and host options.
► The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option matches any address it is compared against.
► The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match, so the option matches just one address (host A is shorthand for A 0.0.0.0).
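The wildcard-mask rules of pages 24 to 30, worked through in Python as an added example (this is not code from the slides or from IOS; the helper names and every address and mask in it are constructed for illustration). The bit rule is the one IOS applies: a 0 wildcard bit must match, a 1 bit is ignored. The example also covers two details the slides do not spell out: IOS stores an entry with its ignored bits cleared, and a wildcard may have non-contiguous 1 bits, which is why it is not simply an inverted subnet mask.

```python
# Added example: wildcard-mask arithmetic as Cisco IOS ACLs apply it.
# Addresses and masks used here are constructed for illustration.
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'this address bit must match';
    a 1 bit means 'ignore this bit'.  Only the must-match bits
    (the complement of the wildcard) are compared."""
    must_match = ~_ip(wildcard) & ALL_ONES
    return (_ip(packet_addr) ^ _ip(acl_addr)) & must_match == 0


def expand_keyword(text: str) -> Tuple[str, str]:
    """'any' -> ('0.0.0.0', '255.255.255.255'); 'host A' -> (A, '0.0.0.0');
    an explicit 'A W' pair is returned unchanged.  The keywords are exactly
    this shorthand, nothing more."""
    parts = text.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"not an ACL address: {text!r}")


def canonical(acl_addr: str, wildcard: str) -> str:
    """IOS stores an entry with the ignored bits cleared, so
    '192.168.1.77 0.0.0.255' is kept and displayed as 192.168.1.0."""
    return _str(_ip(acl_addr) & ~_ip(wildcard))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard that matches one contiguous /prefix_len block.  For such a
    block it is the bitwise inverse of the subnet mask; the two are still not
    interchangeable, because a wildcard may also have non-contiguous 1 bits."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _str(~subnet_mask)


def address_count(wildcard: str) -> int:
    """How many addresses one (address, wildcard) entry can match:
    2 to the power of the number of 1 bits in the wildcard."""
    return 1 << bin(_ip(wildcard)).count("1")


if __name__ == "__main__":
    # 172.30.16.0 0.0.15.255 covers 172.30.16.0 - 172.30.31.255 (a /20)
    print(wildcard_match("172.30.20.5", "172.30.16.0", "0.0.15.255"))  # True
    print(wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255"))  # False
    # non-contiguous mask: 0.0.254.255 keeps bit 0 of the third octet,
    # so only even-numbered third octets match
    print(wildcard_match("10.0.4.9", "10.0.0.0", "0.0.254.255"))       # True
    print(wildcard_match("10.0.5.9", "10.0.0.0", "0.0.254.255"))       # False
    print(expand_keyword("host 10.1.1.1"), expand_keyword("any"))
    print(canonical("192.168.1.77", "0.0.0.255"))                      # 192.168.1.0
    print(wildcard_for_prefix(20), address_count("0.0.15.255"))        # 0.0.15.255 4096
```

The 0.0.254.255 case is the one to remember when reading an unfamiliar ACL: a wildcard with scattered 1 bits matches a pattern of addresses, not a block, and no subnet mask expresses it.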

Page 31

Standard ACL

► Standard ACLs check the source address of IP packets that are routed.
► The ACL either permits or denies access for the entire protocol suite, based on the network, subnet, and host addresses; it cannot distinguish protocols or ports.
► For example, packets that come in Fa0/0 are checked for their source addresses only.
► If they are permitted, the packets are routed through the router to an output interface.
► If they are not permitted, they are dropped at the incoming interface.

Page 32

(figure)

Page 33

Extended ACLs (1)

► Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
► Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.
► This gives greater flexibility to describe what the ACL will check.
► Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

Page 34

Extended ACLs (2)

► For a single ACL, multiple statements may be configured.
► Each statement should have the same access list number, to relate the statements to the same ACL.
► There can be as many condition statements as needed, limited only by the available router memory.
► Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
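The first-match evaluation of pages 12, 14 and 19 and the standard/extended distinction of pages 31 and 33, modelled in Python as an added example (this is not code from the slides or from IOS; the Entry and Packet classes, the sample lists and all addresses in them are constructed for illustration). It also adds the check a practitioner wants before pasting a list into a router: which entries can never be hit because an earlier entry already covers everything they match, the "permit any on top" mistake of page 12.

```python
# Added example: how IOS walks an ACL (top-down, first match wins, implicit
# deny at the end) for standard and extended lists, plus a shadowed-entry check.
# Addresses and the sample lists are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wc_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    # 0 bits of the wildcard must match, 1 bits are ignored
    return (_ip(packet_addr) ^ _ip(acl_addr)) & ~_ip(wildcard) & ALL_ONES == 0


def _wc_covers(a1: str, w1: str, a2: str, w2: str) -> bool:
    """True if every address matched by (a2, w2) is also matched by (a1, w1):
    (a1, w1) ignores at least the bits (a2, w2) ignores and agrees on the rest."""
    w1i, w2i = _ip(w1), _ip(w2)
    return (w2i & ~w1i) == 0 and ((_ip(a1) ^ _ip(a2)) & ~w1i & ALL_ONES) == 0


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    src: Tuple[str, str] = ANY        # (address, wildcard)
    dst: Tuple[str, str] = ANY        # extended lists only
    proto: str = "ip"                 # "ip" matches every IP protocol; else "tcp"/"udp"/"icmp"
    dport: Optional[int] = None       # destination port, extended lists only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def entry_matches(e: Entry, p: Packet, extended: bool) -> bool:
    if not _wc_match(p.src, *e.src):
        return False
    if not extended:                  # a standard ACL looks at the source address only
        return True
    return (_wc_match(p.dst, *e.dst)
            and e.proto in ("ip", p.proto)
            and e.dport in (None, p.dport))


def evaluate(acl: List[Entry], p: Packet, extended: bool = True) -> Tuple[str, Optional[int]]:
    """Returns (action, index of the matching entry).  Entries are tested in
    order; the first match decides and nothing after it is examined.  No match
    at all falls through to the implicit 'deny any', reported as index None."""
    for i, e in enumerate(acl):
        if entry_matches(e, p, extended):
            return e.action, i
    return "deny", None


def covers(e1: Entry, e2: Entry, extended: bool) -> bool:
    """True if every packet e2 would match is already matched by e1."""
    if not _wc_covers(*e1.src, *e2.src):
        return False
    if not extended:
        return True
    return (_wc_covers(*e1.dst, *e2.dst)
            and e1.proto in ("ip", e2.proto)
            and e1.dport in (None, e2.dport))


def shadowed(acl: List[Entry], extended: bool = True) -> List[int]:
    """Indices of entries that can never be hit because one earlier entry covers
    everything they match.  An entry covered only by the union of several
    earlier entries is not reported by this simple check."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later, extended) for earlier in acl[:j])]


# Page 9 scenario as a standard list: Host B may not reach the HR network, Host A may.
# Specific host first, general filter after it; the implicit deny handles everyone else.
HR_STANDARD = [
    Entry("deny", src=("10.1.1.20", "0.0.0.0")),      # host 10.1.1.20 (Host B)
    Entry("permit", src=("10.1.1.0", "0.0.0.255")),   # the rest of the LAN, including Host A
]

# Page 10 scenario as an extended list: block Telnet and FTP from LAN A to LAN D, permit the rest.
LAN_A, LAN_D = ("192.168.1.0", "0.0.0.255"), ("192.168.4.0", "0.0.0.255")
EXTENDED = [
    Entry("deny", LAN_A, LAN_D, "tcp", 23),
    Entry("deny", LAN_A, LAN_D, "tcp", 21),
    Entry("permit"),                                  # permit ip any any
]

# The ordering mistake from page 12: a permit-all on top makes the deny unreachable.
BROKEN = [Entry("permit"), Entry("deny", src=("10.1.1.20", "0.0.0.0"))]

if __name__ == "__main__":
    print(evaluate(HR_STANDARD, Packet("10.1.1.20", "10.9.0.5"), extended=False))  # ('deny', 0)
    print(evaluate(HR_STANDARD, Packet("10.2.2.2", "10.9.0.5"), extended=False))   # ('deny', None)
    print(evaluate(EXTENDED, Packet("192.168.1.5", "192.168.4.9", "tcp", 23)))     # ('deny', 0)
    print(evaluate(EXTENDED, Packet("192.168.1.5", "192.168.4.9", "tcp", 25)))     # ('permit', 2)
    print(shadowed(BROKEN))                                                        # [1]
```

Running shadowed over HR_STANDARD reports nothing, while the same two entries in the opposite order report the deny as dead: that is the "specific before general" rule of page 19 made mechanical. The check is deliberately conservative; it only flags an entry that one earlier entry swallows whole.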

Page 35

(figure)

Page 36

ACLs LAB

► 11.2.1a Standard ACLs configuration 1
► 11.2.1b Standard ACLs configuration 2
► 11.2.2a Extended ACLs configuration 1
► 11.2.2b Extended ACLs configuration 2

Page 37

Named ACL

► Named ACLs allow standard and extended ACLs to be given names instead of numbers.
► The following are advantages provided by a named access list:
  - Alphanumeric names can be used to identify ACLs.
  - The IOS does not limit the number of named ACLs that can be configured.
  - Named ACLs provide the ability to modify ACLs without deletion and reconfiguration; an individual entry can be removed by entering it again prefixed with no.
  - However, in the IOS releases this material describes, a named access list only allows statements to be inserted at the end of the list. Later IOS releases give every entry a sequence number, so an entry can be inserted at a chosen position in either a named or a numbered list.
  - It is a good idea to use a text editor to create named ACLs.

Page 38

(figure)

Page 39

(figure)

Page 40

Placing ACLs (1)

► Proper ACL placement will filter traffic and make the network more efficient.
► The ACL should be placed where it has the greatest impact on efficiency.
► The general rule is to put the extended ACLs as close as possible to the source of the traffic denied.
► Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

Page 41

Placing ACLs (2) (figure)

Page 42

Placing ACLs example (1)

► In the figure, the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D.
► At the same time, other traffic must be permitted.
► The recommended solution is an extended ACL that specifies both source and destination addresses.
► Place this extended ACL in Router A. Then the packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D.
► Traffic with different source and destination addresses will still be permitted.

Page 43

Placing ACLs example (2)

► To prevent traffic from Router A to the Router D segment with a standard ACL,
► the standard ACL should be placed on Fa0/0 of Router D.

Page 44

Deploy ACL

► ACLs may be used with firewalls, to protect virtual terminal (vty) access, etc. A vty ACL is attached with access-class on the line vty configuration rather than with ip access-group on an interface, so it filters management logins to the router itself no matter which interface they arrive on.

Page 45

Restricting Virtual terminal access (1) (figure)

Page 46

Restricting Virtual terminal access (2) (figure)