Ca Ex S4 C5 Ac Ls
77
CCNA – Semester 4 Chapter 5: ACLs CCNA Exploration 4.0
-
Upload
neo-kim -
Category
Technology
-
view
1.000 -
download
3
Transcript of Ca Ex S4 C5 Ac Ls
CCNA – Semester 4
Chapter 5: ACLs
CCNA Exploration 4.0
2
Objectives
• Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs.
• Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces.
• Configure extended ACLs in a medium-size enterprise branch office network, including configuring extended ACLs and named ACLs, configuring filters, verifying and monitoring ACLs, and troubleshooting extended ACL issues.
• Describe complex ACLs in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACLs, verifying and troubleshooting complex ACLs, and explaining relevant caveats.
3
Using ACLs to Secure Networks
4
A TCP Conversation
• ACLs enable you to control traffic into and out of your network.
• To understand how an ACL works with TCP, let us look at the dialogue that occurs during a TCP conversation
5
A TCP Conversation
6
Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
• A router acts as a packet filter when it forwards or deniespackets according to filtering rules.
• These rules are defined using access control lists or ACLs.
• An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. Based on:
– Source IP address
– Destination IP address
– ICMP message type
– TCP/UDP source port
– TCP/UDP destination port
7
Packet Filtering
8
Packet Filtering Example
• "Only permit web access to users from network A. Deny web
access to users from network B, but permit them to have all
other access."
9
What are ACLs?
• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
• By default, a router does not have any ACLs configured and therefore does not filter traffic.
10
What are ACLs?
Guidelines for using ACLs:
• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
• Configure ACLs on border routers-routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
• Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
11
What are ACLs?
• ACLs perform the following tasks:
– Limit network traffic to increase network performance.
– Provide traffic flow control.
– Provide a basic level of security for network access.
– Decide which types of traffic to forward or block at the router
interfaces.
– Control which areas a client can access on a network.
– Screen hosts to permit or deny access to network services.
The Three
Ps
12
• ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.
• ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
– Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface.
– Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
• ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.
• There is an implicit deny at the end of all access lists.
How ACLs Work?
13
How ACLs Work?
14
ACLson
Interface?Statement
ListMatch?
RoutePacket toOutboundinterface
Layer2Addressmatch
Permitpacket?
Yes Yes Yes Yes
No
DefaultDeny
No
ACLson
Interface?Statement
ListMatch?
Permitpacket?
Yes
Yes Yes
No
DefaultDeny
No
SendTo thedevice
No
ACLs and Routing Processes on a Router
15
Types of Cisco ACLs
16
How a Standard ACLs Work
• A standard ACL is a sequential collection of permit and deny
conditions that apply to IP addresses.
• The destination of the packet and the ports involved are not
covered.
17
Numbering and Naming ACLs
• Numbered ACLs:
– You assign a number based on which protocol you want filtered:
• (1 to 99) and (1300 to 1999): Standard IP ACL
• (100 to 199) and (2000 to 2699): Extended IP ACL
• Named ACLs:
– You assign a name by providing the name of the ACL:
• Names can contain alphanumeric characters.
• It is suggested that the name be written in CAPITAL LETTERS.
• Names cannot contain spaces or punctuation and must begin with a letter.
• You can add or delete entries within the ACL.
18
Where to Place ACLs
19
Where to Place ACLs
20
General Guidelines for Creating ACLs
Guideline Benefit
Base your ACLs on the
security policy of the
organization.
This will ensure you implement
organizational security
guidelines.
Prepare a description of
what you want your ACLs to
do.
This will help you avoid
inadvertently creating potential
access problems.
Use a text editor to create,
edit and save ACLs.
This will help you create a library
of reusable ACLs.
Test your ACLs on a
development network before
implementing them on a
production network.
This will help you avoid costly
errors.
Activity 5.1.9.2
21
Configuring Standard ACLs
22
Entering Criteria Statements
• The router checks ACL statements based on the order that the entries occur in the router. The router continues to process the ACL statements until it has a match. For this reason, you should have the most frequently used ACL entry at the top of the list.
23
Standard ACL Logic
24
Configuring Standard ACLs: Step1
• Router(config)# access-list access-list-number
deny/permit/remark source [source-wildcard] [log]
25
Configuring Standard ACLs
• Using no access-list access-list-number command to
remove the ACLs
26
Wildcard Masking
• ACLs statements include masks, also called wildcard masks.
• A wildcard mask is a string of binary digits telling the router
which parts of the subnet number to look at.
• A wildcard mask is a 32-bit quantity that is divided into four
octets, with each octet containing 8 bits.
– Wildcard mask bit 0 - Match the corresponding bit value in
the address
– Wildcard mask bit 1 - Ignore the corresponding bit value
in the address
27
Wildcard Masking
28
Wildcard Mask Example
No match – Packet rejected
29
Wildcard Mask Example
30
Wildcard Masks to Match IP Subnets
RouterB(config)#access-list 10 permit __________ ___________
Permit the following networks:
Network/Subnet Mask Address/Wildcard Mask
A. 172.16.0.0 255.255.0.0
B. 172.16.1.0 255.255.255.0
C. 192.168.1.0 255.255.255.0
D. 172.16.16.0 255.255.240.0
E. 172.16.128.0 255.255.192.0
Permit the following hosts:
Network/Subnet Mask Address/Wildcard Mask
A. 172.16.10.100
B. 192.168.1.100
C. All hosts
31
Wildcard Masks to Match IP Subnets
RouterB(config)#access-list 10 permit __________ ___________
Permit the following networks:
Network/Subnet Mask Address/Wildcard Mask
A. 172.16.0.0 255.255.0.0 172.16.0.0 0.0.255.255
B. 172.16.1.0 255.255.255.0 172.16.1.0 0.0.0.255
C. 192.168.1.0 255.255.255.0 192.168.1.0 0.0.0.255
D. 172.16.16.0 255.255.240.0 172.16.16.0 0.0.15.255
E. 172.16.128.0 255.255.192.0 172.16.128 0.0.63.255
Permit the following hosts:
Network/Subnet Mask Address/Wildcard Mask
A. 172.16.10.100 172.16.10.100 0.0.0.0
B. 192.168.1.100 192.168.1.100 0.0.0.0
C. All hosts 0.0.0.0 255.255.255.255
Note: The curriculum 5.2.3.2 is not clearly!
32
Wildcard Bit Mask Keywords
33
The any and host Keywords
34
Applying Standard ACLs to Interfaces: Step2
{protocol} access-group access-list-number in/out
Router (config-if)#
ACL command Description
protocol a protocol specified for the interface
access-group any packets that pass the ACL test conditions can
be permitted to use any interface in the access
group of interfaces
access-list-number the ACL identified by this ACL number to be
associated to this interface
In/out Apply inbound or outbound traffic
• Applies access list to interface
35
Example 1
• Allows only traffic from source network 192.168.10.0 to be
forwarded out on S0/0/0. Traffic from networks other than
192.168.10.0 is blocked.
36
Example 2
• Allows only traffic from source network 192.168.10.0 excepts PC1 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
37
Example 3
• Blocks traffic from the host PC1, permits all other LAN traffic
to exit from router R1.
38
Using an ACL to Control VTY Access
39
Editing Numbered ACLs
• When configuring an ACL, the statements are added in the
order that they are entered at the end of the ACL.
• You cannot selectively insert or delete lines.
• It is strongly recommended that any ACL be constructed in a
text editor.
• Example:
• Edit and correct ACL 20, instead of the 192.168.10.100 host,
it should have been the 192.168.10.11 host.
– Step 1. Display the ACL using the show running-config
command (should use the include keyword)
– Step 2. Highlight the ACL, copy it, and then paste it into
Microsoft Notepad. Edit the list as required. Once the ACL
is correctly displayed in Microsoft Notepad, highlight it
and copy it.
40
Editing Numbered ACLs: Example
• Step 3. In global configuration mode, disable the access list
using the no access-list 20 command. Otherwise, the new
statements would be appended to the existing ACL. Then
paste the new ACL into the configuration of the router.
41
Commenting ACLs
• Uses the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL.
• The remarks make the ACL easier for you to understand and scan.
• Each remark line is limited to 100 characters.
• The remark can go before or after a permit or deny statement.
This is a name ACLs
42
Creating Standard Named ACLs
• Naming an ACL makes it easier to understand its function.
• The configuration mode and command syntax are slightly
different.
43
Named ACLs Example
44
Monitoring and Verifying ACLs
• Use show running-config command
• Use show access-lists {access-list-number | name}
45
Editing Named ACLs
• Named ACLs have a big advantage over numbered ACLs in
that they are easier to edit.
• Starting with Cisco IOS Software Release 12.3, named IP
ACLs allow you to delete individual entries in a specific ACL.
You can use sequence numbers to insert statements
anywhere in the named ACL.
• If you are using an earlier Cisco IOS software version, you
can add statements only at the bottom of the named ACL.
• Because you can delete individual entries, you can modify
your ACL without having to delete and then reconfigure the
entire ACL.
46
Editing Named ACLs: Example
47
Configuring Extended ACLs
48
Extended ACLs
• Extended ACLs numbered 100 to 199 and 2000 to 2699
providing a total of 799 possible extended ACLs.
• Extended ACLs can also be named.
• Extended ACL built to filter on
– Source addresses
– Destination addresses
– Protocol
– Port numbers
49
Extended ACLs
50
Extended ACLs
• The ability to filter on protocol and port number allows you to
build very specific extended ACLs.
• Using the appropriate port number, you can specify an
application by configuring either the port number or the
name of a well-known port.
51
Generating Port Numbers
52
Configuring Extended ACLs
• The procedural steps for configuring extended ACLs are the
same as for standard ACLs-you first create the extended
ACL and then activate it on an interface.
53
Configuring Extended ACLs: Step1
54
Applying Extended ACLs to Interfaces: Step2
55
Example 1: Deny FTP
56
Example 2: Deny Telnet
57
Creating Named Extended ACLs
58
Configure Complex ACLs
59
What are Complex ACLs
• Standard and extended ACLs can become the basis for
complex ACLs that provide additional functionality.
60
Dynamic ACLs
61
Dynamic ACLs
• Lock-and-key is a traffic filtering security feature that uses
dynamic ACLs, which are sometimes referred to as lock-
and-key ACLs.
• Lock-and-key is available for IP traffic only.
• Dynamic ACLs are dependent on Telnet connectivity,
authentication (local or remote), and extended ACLs.
• Dynamic ACL configuration starts with the application of an
extended ACL to block traffic through the router. Users who
want to traverse the router are blocked by the extended ACL
until they use Telnet to connect to the router and are
authenticated. The Telnet connection is then dropped, and a
single-entry dynamic ACL is added to the extended ACL that
exists. This permits traffic for a particular period; idle and
absolute timeouts are possible.
62
Dynamic ACLs
• When to Use Dynamic ACLs
– When you want a specific remote user or group of remote
users to access a host within your network, connecting
from their remote hosts via the Internet. Lock-and-key
authenticates the user and then permits limited access
through your firewall router for a host or subnet for a finite
period.
– When you want a subset of hosts on a local network to
access a host on a remote network that is protected by a
firewall. With lock-and-key, you can enable access to the
remote host only for the desired set of local hosts. Lock-
and-key requires the users to authenticate through a
AAA, TACACS+ server, or other security server before it
allows their hosts to access the remote hosts.
63
Benefits of Dynamic ACLs
• Use of a challenge mechanism to authenticate individual
users
• Simplified management in large internetworks
• In many cases, reduction of the amount of router processing
that is required for ACLs
• Reduction of the opportunity for network break-ins by
network hackers
• Creation of dynamic user access through a firewall, without
compromising other configured security restrictions
64
Dynamic ACL Examples
• Consider a requirement for a network administrator on PC1
to gain periodic access to the network (192.168.30.0 /24)
through router R3.
65
Reflexive ACLs
What are Reflexive ACLs?
• Reflexive ACLs force the reply traffic from the destination of
a known recent outbound packet to go to the source of that
outbound packet. This adds greater control to what traffic
you allow into your network and increases the capabilities of
extended access lists.
• Network administrators use reflexive ACLs to allow IP traffic
for sessions originating from their network while denying IP
traffic for sessions originating outside the network.
• The router examines the outbound traffic and when it sees a
new connection, it adds an entry to a temporary ACL to allow
replies back in. Reflexive ACLs contain only temporary
entries.
66
Reflexive ACLs
• Reflexive ACLs provide a truer form of session filtering than
an extended ACL that uses the established parameter
introduced earlier.
• Although similar in concept to the established parameter,
reflexive ACLs also work for UDP and ICMP, which have no
ACK or RST bits.
• The established option also does not work with applications
that dynamically alter the source port for the session traffic.
• The permit established statement only checks ACK and RST
bits-not source and destination address.
• Reflexive ACLs are not applied directly to an interface but
are "nested" within an extended named IP ACL that is
applied to the interface.
67
Reflexive ACLs
• Reflexive ACLs can be defined only with extended named IP
ACLs. They cannot be defined with numbered or standard
named ACLs or with other protocol ACLs.
• Reflexive ACLs can be used with other standard and static
extended ACLs.
• Benefits of Reflexive ACLs:
– Help secure your network against network hackers and
can be included in a firewall defense.
– Provide a level of security against spoofing and certain
DoS attacks. Reflexive ACLs are much harder to spoof
because more filter criteria must match before a packet is
permitted through.
– Simple to use and, compared to basic ACLs, provide
greater control over which packets enter your network.
68
Reflexive ACLs
69
Reflexive ACL Example
70
Time-based ACLs
What are Time-based ACLs?
• Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.
• To implement time-based ACLs, you create a time range that defines specific times of the day and week.
• You identify the time range with a name and then refer to it by a function.
• Time-based ACLs have many benefits, such as:
– Offers the network administrator more control over permitting or denying access to resources.
– Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
71
Time-based ACLs
72
Troubleshooting Common ACL Errors
• Solution: Statements 10
and 20 should be
reversed.
73
Troubleshooting Common ACL Errors
• Solution: Statement
30 should be ip any
any.
74
Troubleshooting Common ACL Errors
• Solution: If you want to
deny Telnet traffic
inbound on S0, you
should deny the
destination port number
that is equal to Telnet, for
example, deny tcp any
any eq telnet.
75
Troubleshooting Common ACL Errors
• Solution: Statement
10 of access list 140:
changes source
address to
192.168.10.10
76
Troubleshooting Common ACL Errors
• Solution:
77
Summary
• Explain how ACLs are used to secure a medium-size enterprise branch
office network, including the concept of packet filtering, the purpose of
ACLs, how ACLs are used to control access, and the types of Cisco
ACLs.
• Configure standard ACLs in a medium-size enterprise branch office
network, including defining filtering criteria, configuring standard ACLs to
filter traffic, and applying standard ACLs to router interfaces.
• Configure extended ACLs in a medium-size enterprise branch office
network, including configuring extended ACLs and named ACLs,
configuring filters, verifying and monitoring ACLs, and troubleshooting
extended ACL issues.
• Describe complex ACLs in a medium-size enterprise branch office
network, including configuring dynamic, reflexive, and timed ACLs,
verifying and troubleshooting complex ACLs, and explaining relevant
caveats.
