
  • 8/10/2019 cap9 Access Control Lists.doc

    1/87

    cap9 Access Control Lists

Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs).

Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock allows only authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs. Administrators use ACLs to stop traffic or permit only specified traffic on their networks.

An ACL is a sequential list of permit or deny statements that apply to addresses or upper layer protocols. ACLs provide a powerful way to control traffic into and out of a network. ACLs can be configured for all routed network protocols. The most important reason to configure ACLs is to provide security for a network. This chapter explains how to use standard and extended ACLs on a Cisco router as part of a security solution. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.

This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.


An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header. ACLs are among the most commonly used features of Cisco IOS software.

When configured, ACLs perform the following tasks:

Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.

Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.

Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.

Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

By default, a router does not have ACLs configured; therefore, by default a router does not filter traffic. Traffic that enters the router is routed solely based on information within the routing table. However, when an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded.

In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. For example, ACLs can be used to classify traffic to enable priority processing. This capability is similar to having a VIP pass at a concert or sporting event. The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as priority entry or being able to enter a restricted area.

The figure shows a sample topology with ACLs applied.


ACLs enable administrators to control traffic into and out of a network. This control can be as simple as permitting or denying traffic based on network addresses or as complex as controlling network traffic based on the TCP port being requested. It is easier to understand how an ACL filters traffic by examining the dialogue that occurs during a TCP conversation, such as when requesting a webpage.

    TCP Communication

When a client requests data from a web server, IP manages the communication between the PC (source) and the server (destination). TCP manages the communication between the web browser (application) and the network server software.

When you send an email, look at a webpage, or download a file, TCP is responsible for breaking data down into segments for IP before they are sent. TCP also manages assembling the data from the segments when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another.

TCP provides a connection-oriented, reliable, byte stream service. Connection-oriented means that the two applications must establish a TCP connection prior to exchanging data. TCP is a full-duplex protocol, meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion control mechanism.

The animation shown in Figure 1 illustrates how a TCP/IP conversation takes place. TCP segments are marked with flags that denote their purpose: a SYN starts (synchronizes) the session; an ACK is an acknowledgment that an expected segment was received, and a FIN finishes the session. A SYN/ACK acknowledges that the transfer is synchronized. TCP data segments include the higher level protocol needed to direct the application data to the correct application.

The TCP data segment also identifies the port which matches the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21. Figure 2 shows ranges of U


Figures 3 through 5 explore TCP/U


So how does an ACL use the information passed during a TCP/IP conversation to filter traffic?

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet.

A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet filtering router, the router extracts certain information from the packet header. Using this information, the router makes decisions, based on configured filter rules, as to whether the packet can pass through or be discarded. As shown in the figure, packet filtering can work at different layers of the OSI model, or at the internet layer of TCP/IP.

A packet filtering router uses rules to determine whether to permit or deny traffic. A router can also perform packet filtering at Layer 4, the transport layer. The router can filter packets based on the source port and destination port of the TCP or U


An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. ACEs can be created to filter traffic based on certain criteria such as the source address, destination address, the protocol, and port numbers. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly. In this way, ACLs can be configured to control access to a network or subnet.

To evaluate network traffic, the ACL extracts the following information from the Layer 3 packet header:

Source IP address


This is just a simple example. Multiple rules can be configured to further permit or deny services to specific users.

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured to apply to inbound traffic or to apply to outbound traffic as shown in the figure.

Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of the packets needed to be examined.

Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.

Standard versus Extended IPv4 ACLs


The two types of Cisco IPv4 ACLs are standard and extended.

Note: Cisco IPv6 ACLs are similar to IPv4 extended ACLs and are discussed in a later section.

Standard ACLs: Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated. The example in Figure 1 allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.

Extended ACLs: Extended ACLs filter IPv4 packets based on several attributes:

Protocol type

Source IPv4 address


Regarding numbered ACLs, numbers 200 to 1299 are skipped because those numbers are used by other protocols, many of which are legacy or obsolete. This course focuses only on IP ACLs. Examples of legacy ACL protocol numbers are 600 to 699 used by AppleTalk, and numbers 800 to 899 used by IPX.

Wildcard Masking

IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.

Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix length is used to indicate how much of an IPv6 source or destination address should be matched. IPv6 ACLs are discussed later in this chapter.

As with subnet masks, the numbers 1 and 0 in the wildcard mask identify how to treat the corresponding IP address bits. However, in a wildcard mask, these bits are used for different purposes and follow different rules.

Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to filter individual IP addresses or groups of IP addresses to permit or deny access to resources. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:

Wildcard mask bit 0: Match the corresponding bit value in the address.

Wildcard mask bit 1: Ignore the corresponding bit value in the address.

Figure 1 shows how different wildcard masks filter IP addresses. In the example, remember that binary 0 signifies a bit that must match, and binary 1 signifies a bit that can be ignored.

Note: Wildcard masks are often referred to as an inverse mask. The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask the reverse is true.

Using a Wildcard Mask

The table in Figure 2 shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IPv4 address. Remember that a binary 0 indicates a value that is matched.

Wildcard masks are also used when configuring some IPv4 routing protocols, such as OSPF, to enable the protocol on specific interfaces.


Wildcard Masks in ACLs

Wildcard Masks to Match IPv4 Subnets

Calculating the wildcard mask can take some practice. Figure 1 provides three examples of wildcard masks. In the first example the wildcard mask stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly. In the second example, the wildcard mask stipulates that anything will match. In the third example, the wildcard mask stipulates that any host within the 192.168.1.0/24 network will match. These examples were fairly simple and straightforward. However, the calculation of wildcard masks can be more complex.

Wildcard Masks to Match Ranges

The two examples in Figure 2 are more complex. In example 1, the first two octets and first four bits of the third octet must match exactly. The last four bits in the third octet and the last octet can be any valid number. This results in a mask that checks for the range of networks 192.168.16.0 to 192.168.31.0.


Example 2 shows a wildcard mask that matches the first two octets, and the least significant bit in the third octet. The last octet and the first seven bits in the third octet can be any valid number. The result is a mask that would permit or deny all hosts from odd subnets from the 192.168.0.0 major network.

Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255.

Wildcard Mask Calculation: Example 1

In the first example in the figure, assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you could take the 255.255.255.255 and subtract the subnet mask 255.255.255.0. The solution produces the wildcard mask 0.0.0.255.

Wildcard Mask Calculation: Example 2

In the second example in the figure, assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32/28. The subnet mask for the IP subnet is 255.255.255.240, therefore take 255.255.255.255 and subtract the subnet mask 255.255.255.240. The solution this time produces the wildcard mask 0.0.0.15.

Wildcard Mask Calculation: Example 3

In the third example in the figure, assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take the 255.255.255.255 and subtract the regular subnet mask which in this case would be 255.255.254.0. The result is 0.0.1.255.

You could accomplish the same result with statements like the two shown below:


R1(config)# access-list 10 permit 192.168.10.0
R1(config)# access-list 10 permit 192.168.11.0

It is far more efficient to configure the wildcard mask in the following way:

R1(config)# access-list 10 permit 192.168.10.0 0.0.1.255

Consider the configuration below to match networks in the range between 192.168.16.0 to 192.168.31.0:

R1(config)# access-list 10 permit 192.168.16.0
R1(config)# access-list 10 permit 192.168.17.0
R1(config)# access-list 10 permit 192.168.18.0
R1(config)# access-list 10 permit 192.168.19.0
R1(config)# access-list 10 permit 192.168.20.0
R1(config)# access-list 10 permit 192.168.21.0
R1(config)# access-list 10 permit 192.168.22.0
R1(config)# access-list 10 permit 192.168.23.0
R1(config)# access-list 10 permit 192.168.24.0
R1(config)# access-list 10 permit 192.168.25.0
R1(config)# access-list 10 permit 192.168.26.0
R1(config)# access-list 10 permit 192.168.27.0
R1(config)# access-list 10 permit 192.168.28.0
R1(config)# access-list 10 permit 192.168.29.0
R1(config)# access-list 10 permit 192.168.30.0
R1(config)# access-list 10 permit 192.168.31.0

The previous 16 configuration statements can be reduced to a single statement using the correct wildcard mask as shown below:

R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
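To check the three calculation examples and the two range masks above without a router, here is an added Python example (not part of the original chapter) that computes a wildcard mask by the subtraction shortcut and then enumerates which 192.168.X.0 networks a base/wildcard pair actually matches. The base address 192.168.1.0 for the odd-subnet mask 0.0.254.255 is an assumption, since the figure is not reproduced here.

```python
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The shortcut from the text: 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))


def ace_matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the base bit.
    Wildcard bit 1: the address bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    must_match = 0xFFFFFFFF ^ w          # 1 where the router compares the bit
    return ((a ^ b) & must_match) == 0


def matched_third_octets(base: str, wildcard: str) -> list:
    """Which 192.168.X.0 networks does base/wildcard cover? Returns the X values,
    so a range mask such as 0.0.15.255 can be checked at a glance."""
    return [x for x in range(256) if ace_matches(f"192.168.{x}.0", base, wildcard)]


def matched_address_count(wildcard: str) -> int:
    """Every ignored bit doubles the number of addresses the entry covers."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")


if __name__ == "__main__":
    # Wildcard Mask Calculation examples 1 to 3 from the text
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0"):
        print(mask, "->", wildcard_from_subnet_mask(mask))
    # The range 192.168.16.0 to 192.168.31.0 with a single statement
    print(matched_third_octets("192.168.16.0", "0.0.15.255"))
    # Odd subnets of 192.168.0.0 (base 192.168.1.0 is assumed for the figure's example 2)
    print(matched_third_octets("192.168.1.0", "0.0.254.255")[:5], "...")
    # The /28 covers 16 addresses: 14 usable hosts plus network and broadcast
    print(matched_address_count("0.0.0.15"))
```

Note that 0.0.0.15 matches all 16 addresses of the /28, including the network and broadcast addresses, not only the 14 usable hosts the text counts.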

Wildcard Bit Mask Keywords

Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or an entire network. These keywords also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria.

The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match or only one host is matched.


The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.

Example 1: Wildcard Masking Process with a Single IP Address

In Example 1 in the figure, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.

Example 2: Wildcard Masking Process with a Match Any IP Address

In Example 2 in the figure, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.

Note: The keywords host and any can also be used when configuring an IPv6 ACL.

The any and host Keywords

Example 1 in the figure shows how to use the any keyword to substitute for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255.

Example 2 shows how to use the host keyword to substitute for the wildcard mask when identifying a single host.


Guidelines for ACL creation

Writing ACLs can be a complex task. For every interface there may be multiple policies needed to manage the type of traffic allowed to enter or exit that interface. The router in the figure has two interfaces configured for IPv4 and IPv6. If we needed ACLs for both protocols, on both interfaces and in both directions, this would require eight separate ACLs. Each interface would have four ACLs; two ACLs for IPv4 and two ACLs for IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic.

Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the requirements being implemented.

Here are some guidelines for using ACLs:

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.

Configure ACLs for each network protocol configured on the border router interfaces.

The Three Ps

A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface:

One ACL per protocol: To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.


One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.

One ACL per interface: ACLs control traffic for an interface, for example, GigabitEthernet 0/0.

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Before configuring an ACL, basic planning is required. The figure presents guidelines that form the basis of an ACL best practices list.


The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not be forwarded using network resources along the route to that destination.

Every ACL should be placed where it has the greatest impact on efficiency. As shown in the figure, the basic rules are:

Extended ACLs: Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.

Standard ACLs: Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.

Placement of the ACL and therefore the type of ACL used may also depend on:

The extent of the network administrator's control: Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.

Bandwidth of the networks involved: Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.

Ease of configuration: If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.


Note: For CCNA certification the general rule is that extended ACLs are placed as close as possible to the source and standard ACLs are placed as close as possible to the destination.

A standard ACL can only filter traffic based on a source address. The basic rule for placement of a standard ACL is to place the ACL as close as possible to the destination network. This allows the traffic to reach all other networks except the network where the packets will be filtered.

In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

If the standard ACL is placed on the outbound interface of R1, this would prevent traffic on the 192.168.10.0/24 network from reaching any networks reachable through the Serial 0/0/0 interface of R1.

Following the basic placement guidelines of placing the standard ACL close to the destination, the figure shows two possible interfaces on R3 to apply the standard ACL:

R3 S0/0/1 interface: Applying a standard ACL to prevent traffic from 192.168.10.0/24 from entering the S0/0/1 interface will prevent this traffic from reaching 192.168.30.0/24 and all other networks reachable by R3. This includes the 192.168.31.0/24 network. Because the intent of the ACL is to filter traffic destined only for 192.168.30.0/24, a standard ACL should not be applied to this interface.

R3 G0/0 interface: Applying the standard ACL to traffic exiting the G0/0 interface will filter packets from 192.168.10.0/24 to 192.168.30.0/24. This will not affect other networks reachable by R3. Packets from 192.168.10.0/24 will still be able to reach 192.168.31.0/24.


Like a standard ACL, an extended ACL can filter traffic based on the source address. However, an extended ACL can also filter traffic based on the destination address, protocol, and port number. This allows network administrators more flexibility in the type of traffic that can be filtered and where to place the ACL. The basic rule for placing an extended ACL is to place it as close to the source as possible. This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.

Network administrators can only place ACLs on devices that they control. Therefore, placement must be determined in the context of where the control of the network administrator extends. In the figure, the administrator of Company A, which includes the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as .10 and .11 in this example) wants to control traffic to Company B. Specifically, the administrator wants to deny Telnet and FTP traffic from the .11 network to Company B's 192.168.30.0/24 (.30, in this example) network. At the same time, all other traffic from the .11 network must be permitted to leave Company A without restriction.

There are several ways to accomplish these goals. An extended ACL on R3 that blocks Telnet and FTP from the .11 network would accomplish the task, but the administrator does not control R3. In addition, this solution also allows unwanted traffic to cross the entire network, only to be blocked at the destination. This affects overall network efficiency.

A better solution is to place an extended ACL on R1 that specifies both source and destination addresses (.11 network and .30 network, respectively), and enforces the rule, "Telnet and FTP traffic from the .11 network is not allowed to go to the .30 network." The figure shows two possible interfaces on R1 to apply the extended ACL:

R1 S0/0/0 interface (outbound): One possibility is to apply an extended ACL outbound on the S0/0/0 interface. Because the extended ACL can examine both source and destination addresses, only FTP and Telnet packets from 192.168.11.0/24 will be denied. Other traffic from 192.168.11.0/24 and other networks will be forwarded by R1. The disadvantage of placing the extended ACL on this interface is that all traffic exiting S0/0/0 must be processed by the ACL including packets from 192.168.10.0/24.

R1 G0/1 interface (inbound): Applying an extended ACL to traffic entering the G0/1 interface means that only packets from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/1 is the best solution.

When traffic enters the router, the traffic is compared to all ACEs in the order that the entries occur in the ACL. The router continues to process the ACEs until it finds a match. The router will process the packet based on the first match found and no other ACEs will be examined. If no matches are found when the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry. A single entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.


For the network in the figure, applying either ACL 1 or ACL 2 to the S0/0/0 interface of R1 in the outbound direction will have the same effect. Network 192.168.10.0 will be permitted to access the networks reachable through S0/0/0 while 192.168.11.0 will not be allowed to access those networks.

Standard ACL Logic

In the figure, packets that enter the router through interface G0/0 are checked for their source addresses based on the following entries:

access-list 2 deny 192.168.10.10
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.


Configuring Standard ACLs

To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.

The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

The full syntax of the standard ACL command is as follows:

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

Figure 1 provides a detailed explanation of the syntax for a standard ACL.

ACEs can deny or permit an individual host or a range of host addresses. To create a host statement in numbered ACL 10 that permits a specific host with the IP address 192.168.10.10, you would enter:

R1(config)# access-list 10 permit host 192.168.10.10

As shown in Figure 2, to create a statement that will permit a range of IPv4 addresses in a numbered ACL 10 that permits all IPv4 addresses in the network 192.168.10.0/24, you would enter:

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.


Typically, when an administrator creates an ACL, the purpose of each statement is known and understood. However, to ensure that the administrator and others recall the purpose of a statement, remarks should be included. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in Figure 3, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration using the show running-config command, the remark is also displayed.

Removing an ACL


Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially. Therefore, the order in which ACEs are entered is important.

For example, in Figure 1 ACL 3 contains two ACEs. The first ACE uses a wildcard mask to deny a range of addresses, which includes all hosts in the 192.168.10.0/24 network. The second ACE is a host statement that examines a specific host 192.168.10.10. This is a host within the range of hosts that was configured in the previous statement. In other words, 192.168.10.10 is a host in the 192.168.10.0/24 network. The IOS internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. Notice in the figure that the router automatically assigns sequence num 10 as the sequence number assigned to the first statement entered in this example. The router output includes the message that the rule is "part of the existing rule at sequence num 10" and does not accept the statement.

Note: Currently, extended ACLs do not produce a similar error.

The configuration in Figure 2 of ACL 4 has the same two statements but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts.

In Figure 3, ACL 5 shows that a host statement can be configured after a statement that denotes a range of hosts. The host must not be within the range covered by a previous statement. The 192.168.11.10 host address is not a member of the 192.168.10.0/24 network so this is a valid statement.

Note: The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router. This will be discussed in a later section.

Conflict with statements


Standard ACL Configuration Procedures

After a standard ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Figure 1 lists the steps and syntax to configure and apply a numbered standard ACL on a router.

Figure 2 shows an example of an ACL to permit a single network.

This ACL allows only traffic from source network 192.168.10.0 to be forwarded out of interface S0/0/0.

Traffic from networks other than 192.168.10.0 is blocked. The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters. In this case, the IPv4 address and wildcard mask identifying the source network is 192.168.10.0 0.0.0.255. Recall that there is an implicit deny all statement that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255.

The ip access-group 1 out interface configuration command links and ties ACL 1 to the Serial 0/0/0 interface as an outbound filter.

Therefore, ACL 1 only permits hosts from the 192.168.10.0/24 network to exit router R1. It denies any other network, including the 192.168.11.0 network.


Configure Standard IPv4 ACLs

Figure 1 shows an example of an ACL that permits a specific subnet except for a specific host on that subnet.

This ACL replaces the previous example, but also blocks traffic from a specific address. The first command deletes the previous version of ACL 1. The next ACL statement denies the PC1 host located at 192.168.10.10.


Every other host on the 192.168.10.0/24 network is permitted. Again, the implicit deny statement matches every other network.

The ACL is reapplied to interface S0/0/0 in the outbound direction.

Figure 2 shows an example of an ACL that denies a specific host. This ACL replaces the previous example. This example still blocks traffic from host PC1 but permits all other traffic.

The first two commands are the same as in the previous example. The first command deletes the previous version of ACL 1 and the next ACL statement denies the PC1 host that is located at 192.168.10.10.

The third line is new and permits all other hosts. This means that all hosts from the 192.168.10.0/24 network will be permitted except for PC1, which was denied in the previous statement.

This ACL is applied to interface G0/0 in the inbound direction. Because the filter only affects the 192.168.10.0/24 LAN on G0/0, it is more efficient to apply the ACL to the inbound interface. The ACL could be applied to S0/0/0 in the outbound direction, but then R1 would have to examine packets from all networks, including 192.168.11.0/24.
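To make the wildcard-mask match, the first-match evaluation with the implicit deny, and the IOS rejection of a host statement inside an earlier range (the ACL 3, 4 and 5 cases above) concrete, here is an added Python simulator. It is example code, not part of the course or of Cisco IOS; the ACL contents mirror ACL 1, ACL 3 and ACL 5 from the figures, and the error string only approximates the router's message.

```python
import ipaddress


def to_int(addr):
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(pkt_src, ace_addr, wildcard):
    """IOS wildcard-mask test: a 0 bit in the wildcard must match exactly,
    a 1 bit is 'don't care'. So 0.0.0.255 matches a whole /24."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(pkt_src) & care) == (to_int(ace_addr) & care)


def covers(outer, inner):
    """True if every address matched by ACE `inner` is also matched by ACE
    `outer`. ACEs are (action, address, wildcard) tuples."""
    o_addr, o_wc = to_int(outer[1]), to_int(outer[2])
    i_addr, i_wc = to_int(inner[1]), to_int(inner[2])
    o_care = ~o_wc & 0xFFFFFFFF
    # Every bit `outer` fixes must also be fixed by `inner`, to the same value.
    return (o_care & i_wc) == 0 and (o_addr & o_care) == (i_addr & o_care)


class StandardACL:
    """A numbered standard IPv4 ACL: source-address checks only."""

    def __init__(self, number):
        self.number = number
        self.aces = []  # (action, address, wildcard), in entry order

    def numbered(self):
        """Sequence numbers as IOS assigns them on entry: 10, 20, 30, ..."""
        return [(10 * (i + 1), ace) for i, ace in enumerate(self.aces)]

    def add(self, action, address, wildcard="0.0.0.0"):
        """Emulate `access-list N permit|deny address [wildcard]`.

        Like IOS, refuse a host statement (wildcard 0.0.0.0) that falls inside
        a range statement entered earlier. Only this host-inside-range case is
        modelled, because that is the case the text describes; the error text
        is an approximation of the router's message, not a verbatim copy."""
        new = (action, address, wildcard)
        for seq, existing in self.numbered():
            if existing[2] != "0.0.0.0" and wildcard == "0.0.0.0" and covers(existing, new):
                raise ValueError(f"% rule is part of the existing rule at sequence num {seq}")
        self.aces.append(new)

    def evaluate(self, src):
        """Return (action, seq) of the first matching ACE, or the implicit
        deny any (seq None) when no statement matched."""
        for seq, (action, addr, wc) in self.numbered():
            if wildcard_match(src, addr, wc):
                return action, seq
        return "deny", None


def demo():
    """ACL 1 from the figures: deny PC1, permit the rest of 192.168.10.0/24."""
    acl1 = StandardACL(1)
    acl1.add("deny", "192.168.10.10")                 # PC1
    acl1.add("permit", "192.168.10.0", "0.0.0.255")   # rest of the LAN
    hosts = ("192.168.10.10", "192.168.10.20", "192.168.11.10")
    verdicts = {h: acl1.evaluate(h) for h in hosts}

    # ACL 3 (Figure 1): range first, then a host inside it -> rejected by IOS.
    acl3 = StandardACL(3)
    acl3.add("deny", "192.168.10.0", "0.0.0.255")
    try:
        acl3.add("deny", "192.168.10.10")
        rejected = False
    except ValueError:
        rejected = True

    # ACL 5 (Figure 3): a host outside the earlier range is accepted.
    acl5 = StandardACL(5)
    acl5.add("deny", "192.168.10.0", "0.0.0.255")
    acl5.add("deny", "192.168.11.10")
    return verdicts, rejected, len(acl5.aces)


if __name__ == "__main__":
    print(demo())
```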


Naming an ACL makes it easier to understand its function. For example, an ACL configured to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.

Figure 1 shows the steps required to create a standard named ACL.

Step 1: Starting from global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name command is used to create a standard named ACL, whereas the command ip access-list extended name is for an extended access list. After entering the command, the router is in named standard ACL configuration mode, as indicated by the prompt.

Note: Numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.

Step 2: From named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped.

Step 3: Apply the ACL to an interface using the ip access-group command. Specify whether the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out).

Figure 2 shows the commands used to configure a standard named ACL on router R1, interface G0/0, that denies host 192.168.11.10 access to the 192.168.10.0 network. The ACL is named NO_ACCESS.

Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.


You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the statements.

To include a comment for IPv4 numbered standard or extended ACLs, use the access-list access-list_number remark remark global configuration command. To remove the remark, use the no form of this command.


In the first example, the numbered ACL denies the 192.168.10.10 guest workstation from exiting S0/0/0 but permits all other devices from 192.168.0.0/16.

For an entry in a named standard or extended ACL, use the remark access list configuration command. To remove the remark, use the no form of this command. Example 2 shows a standard named ACL. In this example, the remark statements indicate that the lab workstation with the host address 192.168.11.10 is denied but devices from all other networks are permitted.

Modify IPv4 ACLs

Editing Numbered ACLs

When configuring a standard ACL, the statements are added to the running-config. However, there is no built-in editing feature that allows you to edit a change in an ACL.

There are two ways that a standard numbered ACL can be edited.

Method 1: Using a Text Editor

After someone is familiar with creating and editing ACLs, it may be easier to construct the ACL using a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it into the router. For an existing ACL, you can use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and paste it back in.

For example, assume that the host IPv4 address in the figure was incorrectly entered. Instead of the 192.168.10.99 host, it should have been the 192.168.10.10 host. Here are the steps to edit and correct ACL 1:

Step 1:


Step 2: Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.

Step 3: In global configuration mode, remove the access list using the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.

Step 4: Using the show running-config command, verify the changes.

It should be mentioned that when using the no access-list command, different IOS software releases act differently. If the ACL that has been deleted is still applied to an interface, some IOS versions act as if no ACL is protecting your network, while others deny all traffic. For this reason it is good practice to remove the reference to the access list from the interface before modifying the access list. Also, be aware that if there is an error in the new list, you must disable it and troubleshoot the problem. In that instance, again, the network has no ACL during the correction process.

In a previous example, sequence numbers were used to edit a standard numbered ACL. By referring to the statement sequence numbers, individual statements can easily be inserted or deleted. This method can also be used to edit standard named ACLs.

The figure shows an example of inserting a line into a named ACL.

In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10.

The ip access-list standard command is used to configure named ACLs. From named access list configuration mode, statements can be inserted or removed. The no sequence-number command is used to delete individual statements.


To add a statement to deny another workstation requires inserting a numbered line. In the example, the workstation with the IPv4 address 192.168.11.11 is being added using a new sequence number of 15.

The final show command output verifies that the new workstation is now denied access.

As shown in Figure 1, the show ip interface command is used to verify the ACL on the interface. The output from this command includes the number or name of the access list and the direction in which the ACL was applied. The output shows that router R1 has the access list 1 applied to its S0/0/0 outbound interface and the access list NO_ACCESS applied to its g0/0 interface, also in the outbound direction.

The example in Figure 2 shows the result of issuing the show access-lists command on router R1. To view an individual access list, use the show access-lists command followed by the access list number or name. The NO_ACCESS statements may look strange. Notice that sequence number 15 is displayed prior to sequence number 10. This is a result of the router's internal process and will be discussed later in this section.


Once the ACL has been applied to an interface and some testing has occurred, the show access-lists command will show statistics for each statement that has been matched. In the output in Figure 1, note that some of the statements have been matched. When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. For instance, in this example, if a ping is issued from PC1 to PC3 or PC4, the output will show an increase in the matches for the deny statement of ACL 1.

Both permit and deny statements will track statistics for matches; however, recall that every ACL has an implied deny any as the last statement. This statement will not appear in the show access-lists command output, therefore statistics for that statement will not appear. To view statistics for the implied deny any statement, the statement can be configured manually and will then appear in the output. Extreme caution should be taken when manually configuring the deny any statement, as it will match all traffic. If this statement is not configured as the last statement in the ACL, it could cause unexpected results.


Cisco IOS implements an internal logic for standard ACLs. As discussed previously, part of this logic prevents host statements from being configured after a range statement if the host is a member of that range, as shown in Figure 1.

Another part of the IOS internal logic involves the internal sequencing of standard ACEs. Figure 2 shows the configuration of a standard access list. Range statements that deny three networks are configured first, followed by five host statements. The host statements are all valid statements because their host IP addresses are not part of the previously entered range statements.

The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. We will use the show access-lists command to understand the logic behind this.

As shown in Figure 3, the show access-lists command displays ACEs along with their sequence numbers. We might expect the order of the statements in the output to reflect the order in which they were entered. However, the show access-lists output shows that this is not the case.

The order in which the standard ACEs are listed is the sequence used by the IOS to process the list. Notice that the statements are grouped into two sections, host statements followed by range statements. The sequence number indicates the order in which the statement was entered, not the order in which the statement will be processed.

The host statements are listed first, but not necessarily in the order in which they were entered. The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry.

The range statements are displayed after the host statements. These statements are listed in the order in which they were entered.

Recall that standard and numbered ACLs can be edited using sequence numbers. The sequence number shown in the show access-lists command output is the number used when deleting an individual statement from the list. When inserting a new ACL statement, the sequence number will only affect the location of a range statement in the list. Host statements will always be put in order using the hashing function.

Continuing with the example, after saving the running configuration the router is reloaded (rebooted). As shown in Figure 3, the show access-lists command displays the ACL in the same order; however, the statements have been renumbered. The sequence numbers are now in numerical order.


Note: The hashing function is only applied to host statements in an IPv4 standard access list. The algorithm is not used for IPv4 extended ACLs or IPv6 ACLs. This is because extended and IPv6 ACLs filter on more than just a single source address. The details of the hashing function are beyond the scope of this course.

Securing


Using an ACL to Control


After the ACL to restrict access to the VTY lines is configured, it is important to verify that it is working as expected. The figure shows two devices attempting to connect to R1 using SSH. Access list 21 has been configured on the VTY lines on R1. PC1 is successful, while PC2 fails to establish an SSH connection. This is the expected behavior, as the configured access list permits VTY access from the 192.168.10.0/24 network while denying all other devices.

The output for R1 shows the result of issuing the show access-lists command after the SSH attempts by PC1 and PC2. The match in the permit line of the output is a result of the successful SSH connection by PC1. The match in the deny statement is due to the failed attempt to create an SSH connection by PC2, a device on the 192.168.11.0/24 network.


Testing Packets with Extended ACLs

For more precise traffic filtering control, extended IPv4 ACLs can be created. Extended ACLs are numbered 100 to 199 and 2000 to 2699, providing a total of 799 possible extended numbered ACLs. Extended ACLs can also be named.

Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. As shown in the figure, like standard ACLs, extended ACLs check the source addresses of packets, but they also check the destination address, protocols, and port numbers (or services). This provides a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow email traffic from a network to a specific destination while denying file transfers and web browsing.


Testing for Ports and Services

The ability to filter on protocol and port number allows network administrators to build very specific extended ACLs. An application can be specified by configuring either the port number or the name of a well-known port.

Figure 1 shows some examples of how an administrator specifies a TCP or UDP


The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.

Note: The internal logic applied to the ordering of standard ACL statements does not apply to extended ACLs. The order in which the statements are entered during configuration is the order in which they are displayed and processed.

Figure 1 shows the common command syntax for extended IPv4 ACLs. Note that there are many keywords and parameters for extended ACLs. It is not necessary to use all of the keywords and parameters when configuring an extended ACL. Recall that the ? can be used to get help when entering complex commands.

Figure 2 shows an example of an extended ACL. In this example, the network administrator has configured ACLs to restrict network access to allow website browsing only from the LAN attached to interface G0/0 to any external network. ACL 103 allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that the traffic is using ports 80 (HTTP) and 443 (HTTPS) only.

The nature of HTTP requires that traffic flow back into the network from websites accessed from internal clients. The network administrator wants to restrict that return traffic to HTTP exchanges from requested websites, while denying all other traffic. ACL 104 does that by blocking all incoming traffic, except for previously established connections. The permit statement in ACL 104 allows inbound traffic using the established parameter.

The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network. A match occurs if the returning TCP segment has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.
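The interaction of ACL 103 and ACL 104 with the established keyword, as an added Python simulation (example code, not part of the course text or of IOS). The packet fields, the web server address 203.0.113.5 and the client ports are constructed sample values; the match counters imitate what show access-lists reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wc_match(addr, ace_addr, wildcard):
    """IOS wildcard-mask test: 0 bits in the wildcard must match exactly."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
        (int(ipaddress.IPv4Address(ace_addr)) & care)


ANY = ("0.0.0.0", "255.255.255.255")          # the `any` keyword
LAN = ("192.168.10.0", "0.0.0.255")           # the G0/0 LAN from the text


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class ACE:
    action: str
    proto: str                    # "ip" matches every protocol
    src: tuple                    # (address, wildcard)
    dst: tuple
    dport: Optional[int] = None   # `eq <port>` on the destination, if any
    established: bool = False
    matches: int = 0              # counter shown by `show access-lists`

    def matches_packet(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wc_match(p.src, *self.src) or not wc_match(p.dst, *self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established:
            # Only a TCP segment with ACK or RST set counts as part of an
            # existing connection; a bare SYN (a new inbound connection) does not.
            if p.proto != "tcp" or not (p.flags & {"ACK", "RST"}):
                return False
        return True


class ExtendedACL:
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, ace):
        self.aces.append(ace)
        return self

    def evaluate(self, p):
        """First match wins; anything unmatched hits the implicit deny any."""
        for ace in self.aces:
            if ace.matches_packet(p):
                ace.matches += 1
                return ace.action
        return "deny"

    def show(self):
        """(sequence number, action, match count) per ACE, like show access-lists."""
        return [(10 * (i + 1), a.action, a.matches) for i, a in enumerate(self.aces)]


def build_acls():
    """ACL 103 (inbound on G0/0) and ACL 104 (outbound on G0/0) from Figure 2."""
    acl103 = ExtendedACL("103")
    acl103.add(ACE("permit", "tcp", LAN, ANY, dport=80))
    acl103.add(ACE("permit", "tcp", LAN, ANY, dport=443))
    acl104 = ExtendedACL("104").add(ACE("permit", "tcp", ANY, LAN, established=True))
    return acl103, acl104


def demo():
    acl103, acl104 = build_acls()
    client, web = "192.168.10.10", "203.0.113.5"   # constructed sample addresses
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    out = {
        # web request leaving the LAN: permitted by ACL 103
        "http_request": acl103.evaluate(Packet("tcp", client, web, 51000, 80, syn)),
        # SSH from the LAN is not port 80/443: implicit deny in ACL 103
        "ssh_request": acl103.evaluate(Packet("tcp", client, web, 51001, 22, syn)),
        # server's SYN-ACK back to the client carries ACK: established matches
        "http_reply": acl104.evaluate(Packet("tcp", web, client, 80, 51000, synack)),
        # unsolicited SYN toward the LAN has no ACK/RST: denied
        "unsolicited_syn": acl104.evaluate(Packet("tcp", web, client, 40000, 80, syn)),
        # established never matches UDP: denied
        "inbound_udp": acl104.evaluate(Packet("udp", web, client, 53, 51002)),
    }
    return out, acl103.show(), acl104.show()


if __name__ == "__main__":
    print(demo())
```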


In the previous example, the network administrator configured an ACL to allow users from the 192.168.10.0/24 network to browse both insecure and secure websites. Even though it has been configured, the ACL will not filter traffic until it is applied to an interface. To apply an ACL to an interface, first consider whether the traffic to be filtered is going in or out. When a user on the internal LAN accesses a website on the Internet, traffic is going out to the Internet. When an internal user receives an email from the Internet, traffic is coming into the local router. However, when applying an ACL to an interface, in and out take on different meanings. From an ACL perspective, in and out are in reference to the router interface.

In the topology in the figure, R1 has three interfaces. It has a serial interface, S0/0/0, and two Gigabit Ethernet interfaces, G0/0 and G0/1. Recall that an extended ACL should typically be applied close to the source. In this topology the interface closest to the source of the target traffic is the G0/0 interface.

Web request traffic from users on the 192.168.10.0/24 LAN is inbound to the G0/0 interface. Return traffic from established connections to users on the LAN is outbound from the G0/0 interface. The example applies the ACL to the G0/0 interface in both directions. The inbound ACL, 103, checks for the type of traffic. The outbound ACL, 104, checks for return traffic from established connections. This will restrict 192.168.10.0 Internet access to allow only website browsing.

Note: The access lists could have been applied to the S0/0/0 interface, but in that case the router's ACL process would have to examine all packets entering the router, not only traffic to and from 192.168.11.0. This would cause unnecessary processing by the router.

The example shown in Figure 1 denies FTP traffic from subnet 192.168.11.0 that is going to subnet 192.168.10.0, but permits all other traffic. Note the use of wildcard masks and the explicit deny any statement.

Remember that FTP uses TCP ports 20 and 21; therefore the ACL requires both port name keywords ftp and ftp-data, or eq 20 and eq 21, to deny FTP.

If using port numbers instead of port names, the commands would be written as:

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21


To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added. Without at least one permit statement in an ACL, all traffic on the interface where that ACL was applied would be dropped. The ACL should be applied inbound on the G0/1 interface so that traffic from the 192.168.11.0/24 LAN is filtered as it enters the router interface.

The example shown in Figure 2 denies Telnet traffic from any source to the 192.168.11.0/24 LAN, but allows all other IP traffic. Because traffic destined for the 192.168.11.0/24 LAN is outbound on interface G0/1, the ACL would be applied to G0/1 using the out keyword. Note the use of the any keywords in the permit statement. This permit statement is added to ensure that no other traffic is blocked.

Note: The examples in Figures 1 and 2 both use the permit ip any any statement at the end of the ACL. For greater security, the permit 192.168.11.0 0.0.0.255 any command may be used.


Named extended ACLs are created in essentially the same way that named standard ACLs are created. Follow these steps to create an extended ACL using names:

Step 1: From global configuration mode, use the ip access-list extended name command to define a name for the extended ACL.

Step 2: In named ACL configuration mode, specify the conditions to permit or deny.

Step 3: Return to privileged EXEC mode and verify the ACL with the show access-lists name command.

Step 4: Save the entries in the configuration file with the copy running-config startup-config command.

To remove a named extended ACL, use the no ip access-list extended name global configuration command.

The figure shows the named versions of the ACLs created in the previous examples. The named ACL, SURFING, permits the users on the 192.168.10.0/24 LAN to access web sites. The named ACL, BROWSING, allows the return traffic from established connections. Using the ACL names, the rules are applied inbound and outbound on the G0/0 interface.


After an ACL has been configured and applied to an interface, use Cisco IOS show commands to verify the configuration. In the figure, the top example shows the Cisco IOS command used to display the contents of all ACLs. The bottom example shows the result of issuing the show ip interface g0/0 command on router R1.

Unlike standard ACLs, extended ACLs do not implement the same internal logic and hashing function. The output and sequence numbers displayed in the show access-lists command output reflect the order in which the statements were entered. Host entries are not automatically listed prior to range entries.

The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied. The output from this command includes the number or name of the access list and the direction in which the ACL was applied. The capitalized ACL names BROWSING and SURFING stand out in the screen output.

After an ACL configuration has been verified, the next step is to confirm that the ACLs work as planned, blocking and permitting traffic as expected.

The guidelines discussed earlier in this section suggest that ACLs should be configured on a test network and then implemented on the production network.


Editing an extended ACL can be accomplished using the same process as editing a standard ACL, as discussed in a previous section. An extended ACL can be modified using:

Method 1: Text editor. Using this method, the ACL is copied and pasted into the text editor where the changes are made. The current access list is removed using the no access-list command. The modified ACL is then pasted back into the configuration.

Method 2: Sequence numbers. Sequence numbers can be used to delete or insert an ACL statement. The ip access-list extended name command is used to enter named ACL configuration mode. If the ACL is numbered instead of named, the ACL number is used in the name parameter. ACEs can be inserted or removed.

In the figure, the administrator needs to edit the ACL named SURFING to correct a typo in the source network statement. To view the current sequence numbers, the show access-lists command is used. The statement to be edited is identified as statement 10. The original statement is removed with the no sequence_# command. The corrected statement is then added, replacing the original statement.


Troubleshoot ACLs

Inbound ACL Logic

Figure 1 shows the logic for an inbound ACL. If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.

At the end of every ACL is an implicit deny any statement. This statement is not shown in output. This final implied statement applies to all packets for which no condition tested true. This final test condition matches all other packets and results in a "deny" action. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

Outbound ACL Logic

Figure 2 shows the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer. Examples of outbound ACL operation are as follows:

No ACL applied to the interface: If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.

ACL applied to the interface: If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

For outbound lists, "permit" means to send the packet to the output buffer, and "deny" means to discard the packet.

ACL and Routing and ACL Processes on a Router

The figure shows the logic of routing and ACL processes. When a packet arrives at a router interface, the router process is the same whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame.

If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list.

If the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is then switched to the outgoing interface; otherwise the packet is dropped.

Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.

If the packet matches a statement, it is either permitted or denied.

If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Standard ACLs only examine the source IPv4 address. The destination of the packet and the ports involved are not considered.

The decision process for a standard ACL is mapped in the figure. Cisco IOS software tests addresses against the conditions in the ACL one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

The figure shows the logical decision path used by an extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.

Recall that entries in ACLs are processed one after the other, so a No decision does not necessarily equal a


Using the show commands described earlier reveals most of the more common ACL errors. The most common errors are entering ACEs in the wrong order and not applying adequate criteria to the ACL rules.

Error Example 1

In the figure, host 192.168.10.10 has no connectivity with 192.168.30.12. When viewing the output of the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic.

Solution: Look at the order of the ACEs. Host 192.168.10.10 has no connectivity with 192.168.30.12 because of the order of rule 10 in the access list. Because the router processes ACLs from the top down, statement 10 denies host 192.168.10.10, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, U
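A static check for the ordering error in Error Example 1, added here as example Python code (not from the course). IOS only rejects a covered host statement in standard ACLs, so for extended ACLs a dead statement has to be found by review; the ACL below is constructed to resemble the example because the figure is not on the page, and only the sequence numbers the text mentions are taken from it.

```python
import ipaddress


def _int(a):
    return int(ipaddress.IPv4Address(a))


def addr_subset(inner, outer):
    """True if every address matched by (address, wildcard) `inner` is also
    matched by `outer`: every bit `outer` fixes, `inner` fixes to the same value."""
    i_addr, i_wc = map(_int, inner)
    o_addr, o_wc = map(_int, outer)
    o_care = ~o_wc & 0xFFFFFFFF
    return (o_care & i_wc) == 0 and (o_addr & o_care) == (i_addr & o_care)


def ace(seq, action, proto, src, dst, dport=None):
    """An extended ACE as a dict; dport=None means no `eq` port (any port)."""
    return dict(seq=seq, action=action, proto=proto, src=src, dst=dst, dport=dport)


def ace_covers(outer, inner):
    """True if every packet described by `inner` already matches `outer`."""
    return (outer["proto"] in ("ip", inner["proto"])
            and addr_subset(inner["src"], outer["src"])
            and addr_subset(inner["dst"], outer["dst"])
            and outer["dport"] in (None, inner["dport"]))


def shadowed(acl):
    """Return (seq, shadowing_seq, actions_differ) for every ACE that no packet
    can reach, because an earlier ACE in the list already covers it. A shadowed
    ACE with a different action is the Error Example 1 mistake; with the same
    action it is merely redundant."""
    found = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if ace_covers(earlier, later):
                found.append((later["seq"], earlier["seq"],
                              earlier["action"] != later["action"]))
                break
    return found


ANY = ("0.0.0.0", "255.255.255.255")


def host(a):
    return (a, "0.0.0.0")


# Constructed ACL in the shape of Error Example 1: the deny at sequence 10 is
# broader than the permit at 20, so the permit is dead and the host loses
# connectivity to 192.168.30.12. Statement 30 is the "all other IP" line.
BROKEN = [
    ace(10, "deny", "tcp", host("192.168.10.10"), ANY),
    ace(20, "permit", "tcp", host("192.168.10.10"), host("192.168.30.12"), dport=23),
    ace(30, "permit", "ip", ANY, ANY),
]

# The fix the text describes: statements 10 and 20 reversed.
FIXED = [BROKEN[1], BROKEN[0], BROKEN[2]]


if __name__ == "__main__":
    print("broken:", shadowed(BROKEN))
    print("fixed: ", shadowed(FIXED))
```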


Error Example 2

In the figure, the 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network.

Solution: The 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network because TFTP uses the transport protocol UDP. telnet.


    Error Example 3

    In the figure, host 192.168.30.12 is able to Telnet to connect to 192.168.31.12, but company policy states that this connection should not be allowed. Output from the show access-lists 140 command indicates that the permit statement has been matched.

    Solution: Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because there are no rules that deny host 192.168.30.12 or its network as the source. Statement 10 of access list 140 denies the router interface on which traffic enters the router. The host IPv4 address in statement 10 should be 192.168.30.12.


    Error Example 4

    In the figure, host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy, this connection should not be allowed. Output from the show access-lists 150 command indicates that no matches have occurred for the deny statement, as expected.

    Solution: Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because of the direction in which access list 150 is applied to the G0/1 interface. Statement 10 denies any source address to connect to host 192.168.31.12 using telnet. However, this filter should be applied outbound on G0/1 to filter correctly.
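The ordering and protocol mistakes in Error Examples 1 and 2 can be reproduced with a small model of how the router walks an ACL. This is an added example, not the course's own code or configuration: ACL 110 and ACL 120 below, their sequence numbers and the test packets are constructed to mirror the descriptions above rather than copied from the figures, and shadowed() is a hypothetical helper that reports ACEs no packet can ever reach.

```python
"""Top-down, first-match IPv4 ACL evaluation with per-ACE hit counters.

Added example, not the course's own code. It reproduces the two failure modes
of Error Examples 1 and 2: a permit ACE shadowed by an earlier, broader deny,
and UDP traffic (TFTP) falling through to the implicit deny of an ACL that only
permits TCP. ACL contents, sequence numbers and packets are constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")      # IOS keyword "any"


def host(addr):
    """IOS keyword "host": exact match, wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def _bits(addr):
    return int(IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(addr) & care) == (_bits(base) & care)


def covers(outer, inner):
    """True when (base, wildcard) 'outer' matches every address 'inner' matches."""
    ob, ow = (_bits(x) for x in outer)
    ib, iw = (_bits(x) for x in inner)
    care = ~ow & 0xFFFFFFFF
    return (iw & care) == 0 and (ib & care) == (ob & care)


@dataclass
class ACE:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any IP protocol), "tcp", "udp", "icmp"
    src: tuple                   # (base, wildcard)
    dst: tuple
    dport: Optional[int] = None  # None: any destination port
    hits: int = 0                # the "matches" counter of show access-lists

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst)
                and (self.dport is None or pkt.get("dport") == self.dport))

    def shadows(self, later):
        """True when every packet 'later' could match is caught by self first."""
        return (self.proto in ("ip", later.proto)
                and covers(self.src, later.src)
                and covers(self.dst, later.dst)
                and (self.dport is None or self.dport == later.dport))


@dataclass
class ACL:
    name: str
    entries: list = field(default_factory=list)

    def evaluate(self, pkt):
        """Walk the ACEs in order; the first match decides, else implicit deny."""
        for ace in self.entries:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        return "deny"

    def shadowed(self):
        """Sequence numbers of ACEs that can never be matched (ordering check)."""
        return [later.seq for i, later in enumerate(self.entries)
                if any(e.shadows(later) for e in self.entries[:i])]


LAN10 = ("192.168.10.0", "0.0.0.255")
TELNET = {"proto": "tcp", "src": "192.168.10.10", "dst": "192.168.30.12", "dport": 23}
TFTP = {"proto": "udp", "src": "192.168.10.5", "dst": "192.168.30.5", "dport": 69}


def error_example_1():
    """Statement 10 denies the whole LAN, so the host permit at 20 is dead."""
    broken = ACL("110", [ACE(10, "deny", "tcp", LAN10, ANY),
                         ACE(20, "permit", "tcp", host("192.168.10.10"), ANY),
                         ACE(30, "permit", "ip", ANY, ANY)])
    fixed = ACL("110", [ACE(10, "permit", "tcp", host("192.168.10.10"), ANY),
                        ACE(20, "deny", "tcp", LAN10, ANY),
                        ACE(30, "permit", "ip", ANY, ANY)])
    return {"broken": broken.evaluate(TELNET), "broken_shadowed": broken.shadowed(),
            "deny_hits": broken.entries[0].hits,
            "fixed": fixed.evaluate(TELNET), "fixed_shadowed": fixed.shadowed()}


def error_example_2():
    """TFTP is UDP; an ACL that only permits TCP drops it at the implicit deny."""
    acl = ACL("120", [ACE(10, "deny", "tcp", LAN10, ANY, dport=23),
                      ACE(20, "permit", "tcp", ANY, ANY)])
    before = acl.evaluate(TFTP)
    acl.entries.append(ACE(30, "permit", "udp", ANY, ANY))
    return {"before": before, "after": acl.evaluate(TFTP)}
```

With the subnet deny at sequence 10 ahead of the host permit, the Telnet packet from 192.168.10.10 is denied and the deny entry's hit counter increments, which is what show access-lists reports in Error Example 1; reversing the two statements makes the host permit reachable and shadowed() returns an empty list. In ACL 120 the TFTP datagram matches neither TCP entry and falls to the implicit deny until a udp permit is added.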


    IPv6 ACLs are very similar to IPv4 ACLs in both operation and configuration. Being familiar with IPv4 access lists makes IPv6 ACLs easy to understand and configure.

    In IPv4 there are two types of ACLs, standard and extended. Both types of ACLs can be either numbered or named ACLs.

    With IPv6, there is only one type of ACL, which is equivalent to an IPv4 extended named ACL. There are no numbered ACLs in IPv6. To summarize, IPv6 ACLs are:

    Named ACLs only

    Equivalent to the functionality of an IPv4 Extended ACL

    An IPv4 ACL and an IPv6 ACL cannot share the same name.


    IPv6 ACL Creation

    Although IPv4 and IPv6 ACLs are very similar, there are three significant differences between them.

    Applying an IPv6 ACL

    The first difference is the command used to apply an IPv6 ACL to an interface. IPv4 uses the command ip access-group to apply an IPv4 ACL to an IPv4 interface. IPv6 uses the ipv6 traffic-filter command to perform the same function for IPv6 interfaces.

    No Wildcard Masks

    Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix length is used to indicate how much of an IPv6 source or destination address should be matched.

    Additional Default Statements

    The last major difference has to do with the addition of two implicit permit statements at the end of each IPv6 access list. At the end of every IPv4 standard or extended ACL is an implicit deny any or deny any any. IPv6 includes a similar deny ipv6 any any statement at the end of each IPv6 ACL. The difference is that IPv6 also includes two other implicit statements by default:

    permit icmp any any nd-na

    permit icmp any any nd-ns

    These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. As shown in the figure, IPv6 uses ICMP Neighbor Discovery (ND). ND messages are encapsulated in IPv6 packets and require the services of the IPv6 network layer, while ARP for IPv4 does not use Layer 3. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both Neighbor
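How an IPv6 ACL evaluates a packet, including the three implicit trailing entries, as an added example that is not the course's own code. Prefix matching is done with Python's ipaddress module; the ACL NO_R3_LAN_ACCESS, the 2001:db8:cafe::/48 documentation prefixes and the packets are constructed for this example and are not the figure's values.

```python
"""IPv6 ACL matching on prefix length, with the three implicit trailing entries.

Added example, not the course's own code. Each ACE matches source and
destination on a prefix (::/0 stands for "any") rather than a wildcard mask,
and every IPv6 ACL ends with the implicit entries listed above: permit icmp any
any nd-na, permit icmp any any nd-ns, deny ipv6 any any. The ACL below, its
2001:db8:cafe::/48 documentation prefixes and the packets are constructed here.
"""
from ipaddress import IPv6Address, IPv6Network

# (action, protocol, source prefix, destination prefix, ICMPv6 message name)
IMPLICIT = [
    ("permit", "icmp", "::/0", "::/0", "nd-na"),   # Neighbor Advertisement
    ("permit", "icmp", "::/0", "::/0", "nd-ns"),   # Neighbor Solicitation
    ("deny", "ipv6", "::/0", "::/0", None),
]


def in_prefix(addr, prefix):
    """Prefix-length match replaces the IPv4 wildcard mask."""
    return IPv6Address(addr) in IPv6Network(prefix, strict=False)


def ace_matches(ace, pkt):
    _, proto, src, dst, icmp_type = ace
    if proto != "ipv6" and proto != pkt["proto"]:
        return False
    if icmp_type is not None and pkt.get("icmp_type") != icmp_type:
        return False
    return in_prefix(pkt["src"], src) and in_prefix(pkt["dst"], dst)


def evaluate(acl, pkt):
    """Top-down, first match wins; the implicit entries always come last."""
    for ace in list(acl) + IMPLICIT:
        if ace_matches(ace, pkt):
            return ace[0]
    raise AssertionError("unreachable: deny ipv6 any any matches everything")


# Constructed equivalent of:  ipv6 access-list NO-R3-LAN-ACCESS
#                               deny ipv6 2001:db8:cafe:30::/64 any
#                               permit ipv6 any any
NO_R3_LAN_ACCESS = [
    ("deny", "ipv6", "2001:db8:cafe:30::/64", "::/0", None),
    ("permit", "ipv6", "::/0", "::/0", None),
]

NS = {"proto": "icmp", "icmp_type": "nd-ns",
      "src": "fe80::1", "dst": "ff02::1:ff00:12"}      # solicited-node multicast
R3_TELNET = {"proto": "tcp", "src": "2001:db8:cafe:30::12",
             "dst": "2001:db8:cafe:10::10", "dport": 23}
OTHER_TELNET = {"proto": "tcp", "src": "2001:db8:cafe:11::5",
                "dst": "2001:db8:cafe:10::10", "dport": 23}


def demo():
    """What the implicit entries do, and what an explicit deny-all costs."""
    explicit_deny_all = [("deny", "ipv6", "::/0", "::/0", None)]
    return {
        "empty_acl_ns": evaluate([], NS),                # implicit nd-ns permit
        "empty_acl_tcp": evaluate([], OTHER_TELNET),     # implicit deny ipv6 any any
        "r3_lan": evaluate(NO_R3_LAN_ACCESS, R3_TELNET),
        "other_lan": evaluate(NO_R3_LAN_ACCESS, OTHER_TELNET),
        "ns_after_explicit_deny": evaluate(explicit_deny_all, NS),  # ND blocked
    }
```

The last result is the caveat that follows from the ordering described above: an explicit deny ipv6 any any typed into an IPv6 ACL sits before the implicit ND permits, so it blocks Neighbor Solicitation and Advertisement on that interface. If an explicit final deny is wanted (for example to log hits), the two permit icmp any any nd-ns / nd-na entries have to be written explicitly ahead of it.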


    Figure 1 shows the topology that will be used for configuring IPv6 ACLs. The topology is similar to the previous IPv4 topology except for the IPv6 addressing scheme. There are three 2001


    In IPv6 there are only named ACLs. The configuration is similar to that of an IPv4 extended named ACL.

    Figure 1 shows the command syntax for IPv6 ACLs. The syntax is similar to the syntax used for an IPv4 extended ACL. One significant difference is the use of the IPv6 prefix length instead of an IPv4 wildcard mask.

    There are three basic steps to configure an IPv6 ACL:

    Step 1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option.

    Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.

    Step 3. Return to privileged EXEC mode with the end command.

    Figure 2 demonstrates the steps to create an IPv6 ACL with a simple example based on the previous topology. The first statement names the IPv6 access list NO-R3-LAN-ACCESS. Similar to IPv4 named ACLs, capitalizing IPv6 ACL names is not required, but makes them stand out when viewing the running config output.

    The second statement denies all IPv6 packets from the 2001


    After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command:


    Router(config-if)# ipv6 traffic-filter access-list-name { in | out }

    The figure shows the NO-R3-LAN-ACCESS ACL configured previously and the commands used to apply the IPv6 ACL inbound to the S0/0/0 interface. Applying the ACL to the inbound S0/0/0 interface will deny packets from 2001


    4. All other devices are denied Telnet access to PC2.

    5. All other IPv6 traffic is permitted to all other destinations.

    6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001


    The commands used to verify an IPv6 access list are similar to those used for IPv4 ACLs. Using these commands, the IPv6 access list RESTRICTED-ACCESS that was configured previously can be verified. Figure 1 shows the output of the show ipv6 interface command. The output confirms that RESTRICTED-ACCESS

    ...sequence number of 5.
    Manually add the new deny ACE with a sequence number of 15.
    Add a deny any any ACE to access list 1.
    Create a second access list denying the host and apply it to the same interface.

    3.

    Launch PT - Hide and Save PT. Open the PT Activity. Perform the tasks in the activity instructions and then answer the question.

    Why is the ACL not working?

    The ACL is missing a deny ip any any ACE.
    The ACL is applied in the wrong direction.
    The access list 105 command or commands are incorrect.
    The ACL is applied to the wrong interface.
    No ACL is needed for this scenario.

    4. Which statement describes a characteristic of standard IPv4 ACLs?

    They are configured in the interface configuration mode.
    They can be created with a number but not with a name.
    They filter traffic based on source IP addresses only.
    They can be configured to filter traffic based on both source IP addresses and source ports.

    5.

    Refer to the exhibit. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic and how would this ACL be applied? (Choose two.)


    access-list 105 permit ip host 10.0.70.23 host 10.0.54.5
    access-list 105 permit tcp any host 10.0.54.5 eq www
    access-list 105 permit ip any any

    R1(config)# interface s0/0/0
    R1(config-if)# ip access-group 105 out

    R1(config)# interface gi0/0
    R1(config-if)# ip access-group 105 out

    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21
    access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www
    access-list 105 deny ip any host 10.0.54.5
    access-list 105 permit ip any any

    access-list 105 permit tcp host 10.0.54.5 any eq www
    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21

    R2(config)# interface gi0/0
    R2(config-if)# ip access-group 105 in

    6. What are two possible uses of access control lists in an enterprise network? (Choose two.)

    limiting debug outputs
    reducing the processing load on routers
    controlling the physical status of router interfaces
    controlling virtual terminal access to routers
    allowing Layer 2 traffic to be filtered by a router

    7. An administrator has configured an access list on R1 to allow administrative access from host 172.16.1.100. Which command correctly applies the ACL?

    R1(config-line)# access-class 1 out
    R1(config-line)# access-class 1 in
    R1(config-if)# ip access-group 1 out
    R1(config-if)# ip access-group 1 in

    8. Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)

    Place extended ACLs close to the source IP address of the traffic.
    For every inbound ACL placed on an interface, there should be a matching outbound ACL.
    Place extended ACLs close to the destination IP address of the traffic.
    Place standard ACLs close to the destination IP address of the traffic.
    Filter unwanted traffic before it travels onto a low-bandwidth link.
    Place standard ACLs close to the source IP address of the traffic.

    9. Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose three.)

    deny icmp any any
    deny ipv6 any any
    permit icmp any any nd-ns
    permit ipv6 any any
    deny ip any any
    permit icmp any any nd-na

    10. Which two characteristics are shared by both standard and extended ACLs? (Choose two.)


    Both filter packets for a specific destination host IP address.
    Both can be created by using either a descriptive name or number.
    Both include an implicit deny as a final ACE.
    Both can permit or deny specific services by port number.
    Both kinds of ACLs can filter based on protocol type.

    11

    Place the options in the following order:

    the first valid host address in a subnet
    subnetwork address of a subnet with 14 valid host addresses
    all IP address bits must match exactly
    hosts in a subnet with the subnet mask 255.255.252.0
    addresses with a subnet mask of 255.255.255.248

    - not scored -

    12

    Consider the following access list that allows IP phone configuration file transfers from a particular host to a TFTP server:

    R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
    R1(config)# access-list 105 deny ip any any
    R1(config)# interface gi0/0
    R1(config-if)# ip access-group 105 out

    Which method would allow the network administrator to modify the ACL and include FTP transfers from any source IP address?

    R1(config)# interface gi0/0
    R1(config-if)# no ip access-group 105 out
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21
    R1(config)# interface gi0/0
    R1(config-if)# ip access-group 105 out


    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21

    R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21
    R1(config)# access-list 105 deny ip any any

    R1(config)# interface gi0/0
    R1(config-if)# no ip access-group 105 out
    R1(config)# no access-list 105
    R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
    R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21
    R1(config)# access-list 105 deny ip any any
    R1(config)# interface gi0/0
    R1(config-if)# ip access-group 105 out

    13

    What two functions describe uses of an access control list? (Choose two.)

    ACLs provide a basic level of security for network access.
    ACLs can control which areas a host can access on a network.
    Standard ACLs can restrict access to specific applications and ports.
    ACLs can permit or deny traffic based upon the MAC address originating on the router.
    ACLs assist the router in determining the best path to a destination.

    14. Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

    an implicit permit of neighbor discovery packets
    an implicit deny any any ACE
    the use of named ACL entries
    the use of wildcard masks

    15. Which three statements describe ACL processing of packets? (Choose three.)

    Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
    A packet that has been denied by one ACE can be permitted by a subsequent ACE.
    Each statement is checked only until a match is detected or until the end of the ACE list.
    An implicit deny any rejects any packet that does not match any ACE.
    A packet that does not match the conditions of any ACE will be forwarded by default.
    A packet can either be rejected or forwarded as directed by the ACE that is matched.

    16. Which statement describes a difference between the operation of inbound and outbound ACLs?

    On a network interface, more than one inbound ACL can be configured but only one outbound ACL can be configured.
    In contrast to outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.
    Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.
    Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on routers.

    17. What is the only type of ACL available for IPv6?


    specifically used by network administrators to filter traffic and to provide extra security for their networks. This can be applied on routers (Cisco).

    ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses. You can configure ACLs for all routed network protocols.

    The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.

    How ACLs work. A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.

    To simplify how an ACL on a router filters packets, imagine a guard stationed at a locked door. The guard's instruction is to allow only people whose names appear on a guest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.

    - See more at: http://orbit-computer-solutions.com/Access-Control-Lists--ACL-.php


    When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped. The packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.


    Why use ACLs

    - Limits network traffic to increase network performance.

    - ACLs provide traffic flow control by restricting the delivery of routing updates.


    iv. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

    Extended access lists

    Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet based filtering for packets that traverse the network.

    Example of the command syntax for configuring an extended numbered IP ACL:

    Router(config)# access-list {100-199} {permit | deny} protocol source-addr source-wildcard [operator operand] destination-addr destination-wildcard [operator operand] [established]

    i. Like the standard ACLs, the first value [100-199 or 2000-2699] specifies the ACL number range.

    ii. The next value specifies whether to permit or deny according to the criteria that follows.

    iii. The third value specifies protocol type (IP, TCP, UDP


    If you subtract 255.255.255.0 (normal mask) from 255.255.255.255, it yields 0.0.0.255.

    Read about Wildcards

    The command below defines an ACL that permits this network 192.168.1.0 0.0.0.255.

    access-list acl_permit permit ip 192.168.1.0 0.0.0.255

    Inbound traffic to the router is compared to access list entries based on the order that the entries occur in the router. The router looks through the entries until it has a match. If the router finds no match when it reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry access list with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

    Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access lists:

    deny ip any any
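The wildcard arithmetic described above, carried through in code. This is an added example, not code from the page or from the site it quotes: it derives a wildcard from a subnet mask or a prefix length, tests an address against a base/wildcard pair the way the router does, counts how many addresses a wildcard admits, and, going beyond the page, shows that a wildcard whose 1 bits are not all low-order (such as 0.0.254.255) is accepted but describes a bit pattern rather than a subnet. All addresses are constructed.

```python
"""Wildcard masks: derivation from a subnet mask or prefix, and what they match.

Added example, not the page's own code. It carries through the rule above
(wildcard = 255.255.255.255 minus the subnet mask) and shows what the pair
"192.168.1.0 0.0.0.255" from the access-list line actually admits. The
addresses used are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def _bits(addr):
    return int(IPv4Address(addr))


def wildcard_from_mask(mask):
    """255.255.255.255 minus the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(IPv4Address(ALL_ONES - _bits(mask)))


def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255; /32 -> 0.0.0.0 (host); /0 -> 255.255.255.255 (any)."""
    return str(IPv4Address(ALL_ONES >> prefix_len))


def matches(addr, base, wildcard):
    """A 1 bit in the wildcard is ignored; every 0 bit must equal the base."""
    care = ~_bits(wildcard) & ALL_ONES
    return (_bits(addr) & care) == (_bits(base) & care)


def covered_count(wildcard):
    """Number of addresses admitted: 2 to the power of the number of 1 bits."""
    return 1 << bin(_bits(wildcard)).count("1")


def ace_to_network(base, wildcard):
    """Fold a contiguous base/wildcard pair back into CIDR; None when the 1 bits
    are not all in the low-order positions (valid on IOS, but not a subnet)."""
    w = _bits(wildcard)
    ones = bin(w).count("1")
    if w != ALL_ONES >> (32 - ones):
        return None
    return str(IPv4Network((base, 32 - ones), strict=False))


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))          # 0.0.0.255
    print(ace_to_network("192.168.1.0", "0.0.0.255"))   # 192.168.1.0/24
    print(covered_count("0.0.0.255"))                   # 256
    # Non-contiguous wildcard: matches every even third octet under 10.0.0.0
    print(matches("10.0.2.5", "10.0.0.0", "0.0.254.255"),
          matches("10.0.1.5", "10.0.0.0", "0.0.254.255"))  # True False
```

ace_to_network() is the check to run on an ACL you are reviewing: an ACE whose wildcard does not fold back into a prefix is rarely what the author meant, and the address count from covered_count() tells you how much a single permit actually opens.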