CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11


Page 1: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Access Control List

Page 2: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Overview

ACLs

- Access Control Lists (ACLs)

- ACL Configuration Tasks

- Standard ACLs

- Extended ACLs

- Named ACLs

- Placing ACLs

- Verifying ACLs

Page 3: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

What are ACLs?

- ACLs are lists of instructions you apply to a router interface.

- These lists tell the router what kinds of packets to accept and what kinds of packets to deny.

- Acceptance and denial can be based on certain specifications, such as source address, destination address, and port number.

- ACLs are used to manage traffic and scan specific packets by applying the ACL to a router interface.

Page 4: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Reasons to create ACLs

- Limit network traffic and increase network performance.

- Provide traffic flow control.

- Provide a basic level of security for network access.

- Decide which types of traffic are forwarded or blocked at the router interfaces.

Page 5: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Testing Packets with ACLs

- The order in which you place ACL statements is important.

- When the router is deciding whether to forward or block a packet, the Cisco Internetwork Operating System (IOS) software tests the packet against each condition statement, in the order in which the statements were created.

NOTE: After a match is found, no more condition statements are checked.

Page 6: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

How Do ACLs Work?

- An ACL is a group of statements that define how packets:

  - Enter inbound interfaces

  - Relay through the router

  - Exit outbound interfaces

- ACL statements operate in sequential, logical order.

- If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.

- If the packet does not match any of the written ACL statements, then the packet will match the final implicit "deny any" statement.

Page 7: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Flowchart of ACLs Test Matching

Page 8: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Creating ACLs

There are two basic steps for creating an ACL:

First: Create an ACL definition

- Create ACLs by using the global configuration mode

- Specify an ACL number

- Must carefully select and logically order the ACL statements

- Select which IP protocols to check; any other protocols are not checked

Second: Apply the ACL to an interface

- Apply ACLs specified above to one or more interfaces

- They can filter inbound traffic or outbound traffic, depending on the configuration.

- A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.

Page 9: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

ACL Numbers

- When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the ACL for a protocol.

- When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol.

Page 10: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Wildcard Mask Bits

- A wildcard mask is a 32-bit number that is divided into four octets, with each octet containing 8 bits.

- The 0s and 1s in a wildcard determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes.

- A wildcard mask bit of 0 means 'check the corresponding bit value'.

- A wildcard mask bit of 1 means 'do not check (ignore) the corresponding bit value'.

Page 11: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Wildcard Mask Bits

Page 12: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

The Any Command

- Example: suppose you want to specify that any destination address will be permitted in an ACL test.

- To indicate any IP address, you would enter 0.0.0.0. Then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, 255.255.255.255).

- Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword.

INSTEAD OF THIS:

Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

YOU CAN USE THIS:

Router(config)# access-list 1 permit any

Page 13: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

The host Command

- You can use the abbreviation host to test the specific IP host address in an ACL condition.

- Example: instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front of the address.

INSTEAD OF THIS:

Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0

YOU CAN USE THIS:

Router(config)# access-list 1 permit host 172.30.16.29

Page 14: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

- Standard ACLs are used when you want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites.

- Standard ACLs check the source address of packets that could be routed.

- The result permits or denies output for an entire protocol suite, based on the network, subnet, and host addresses.

Page 15: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

- The full syntax of the command is:

Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]

- Type no in front of the command when you want to remove a standard ACL:

Router(config)# no access-list access-list-number

Page 16: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

- In order to apply ACL conditions to an interface, the ip access-group command must be used.

- Remember that only one ACL per port per protocol per direction is allowed.

- The format of the command is:

Router(config-if)# ip access-group access-list-number {in | out}

Page 17: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 18: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 19: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 20: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 21: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 22: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Standard ACLs

Page 23: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

- Extended ACLs are used most often to test conditions because they provide a greater range of control than standard ACLs.

- Extended ACLs check for both source and destination packet addresses.

- They can also check for specific protocols, port numbers, and other parameters.

- This gives more flexibility in describing what the ACL checks.

- Packets can be permitted or denied output based on where the packet originated and based on its destination.

- Example: an extended ACL can allow e-mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers.

Page 24: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

- Extended ACL statements check for source address and destination address.

- At the end of the extended ACL statement, you gain additional precision from a field that specifies the optional TCP or User Datagram Protocol (UDP) protocol port number.

- These can be the well-known port numbers for TCP/IP.

- Extended ACLs use a number in the range 100 to 199.

Page 25: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

- The complete form of the access-list command:

Router(config)# access-list access-list-number {permit | deny} protocol source-address source-mask destination-address destination-mask [operator port]

- The ip access-group command applies an extended ACL to an interface. The format of the command is:

Router(config-if)# ip access-group access-list-number {in | out}
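The matching rules from the preceding slides (sequential first-match, wildcard mask bits, the any and host forms, the final implicit deny, and an extended ACL with destination ports) as a small Python model; this is an added example for this transcript, not Cisco code, and ACL 101, the LAN range, the server address and the packets are constructed values that stand in for the slide's E0-to-S0 scenario.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added model of IOS ACL matching, not Cisco code; all values are constructed.
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to

def host(addr):
    """The 'host' keyword: wildcard 0.0.0.0, so every bit must match."""
    return (addr, "0.0.0.0")

def wildcard_match(addr, ref, wildcard):
    """Wildcard bit 0 = check this bit, bit 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any IP protocol
    src: tuple                     # (address, wildcard)
    dst: tuple = ANY
    eq_port: Optional[int] = None  # 'eq port' on the destination, tcp/udp only

def evaluate(acl, pkt):
    """Sequential first match; returns (action, index). Index None = implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e.src):
            continue
        if not wildcard_match(pkt["dst"], *e.dst):
            continue
        if e.eq_port is not None and pkt.get("dport") != e.eq_port:
            continue
        return e.action, i
    return "deny", None            # the final implicit 'deny any'

# Constructed extended ACL 101 for the slide's scenario: mail from the 172.16.0.0/16
# LAN to one server is allowed, telnet and ftp denied, other LAN traffic permitted.
# Order matters: moving the last entry first would make the deny entries unreachable.
LAN = ("172.16.0.0", "0.0.255.255")
ACL_101 = [
    Entry("permit", "tcp", LAN, host("192.168.1.10"), 25),
    Entry("deny", "tcp", LAN, ANY, 23),
    Entry("deny", "tcp", LAN, ANY, 21),
    Entry("permit", "ip", LAN),
]
```

The same model applies to a standard ACL by giving every entry proto "ip" and leaving dst as ANY, which is exactly why a standard list has to sit near the destination.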

Page 26: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 27: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 28: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 29: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 30: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 31: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 32: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Extended ACLs

Page 33: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

Consider the following before implementing named ACLs:

- Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.

- You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name. For example, it is illegal to specify a standard ACL named George and an extended ACL with the same name.

Page 34: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

- To name the ACL, use the following command:

Router(config)# ip access-list {standard | extended} name

- In ACL configuration mode, specify one or more permit or deny conditions. These determine whether the packet is passed or dropped:

Router(config-std-nacl)# deny {source [source-wildcard] | any}

or

Router(config-std-nacl)# permit {source [source-wildcard] | any}

Page 35: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

Page 36: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

Page 37: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

- The full syntax of the deny command is:

Router(config-std-nacl)# deny {source [source-wildcard] | any}

- To remove a deny condition, use the following syntax:

Router(config-std-nacl)# no deny {source [source-wildcard] | any}

- The full syntax of the permit command is:

Router(config-std-nacl)# permit {source [source-wildcard] | any}

- To remove a permit condition from an ACL, use the following syntax:

Router(config-std-nacl)# no permit {source [source-wildcard] | any}

Page 38: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

Page 39: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Configuring Named ACLs

Page 40: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Restrict Virtual Terminal ACLs

The following should be considered when configuring access lists on vty lines:

- When controlling access to an interface, a name or number can be used.

- Only numbered access lists can be applied to virtual lines.

- Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

Page 41: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Restrict Virtual Terminal ACLs

Page 42: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Placing ACLs

- The rule is to put extended ACLs as close as possible to the source of the traffic to be denied.

- Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near the destination as possible.

Page 43: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Verify ACLs

- The show ip interface command displays IP interface information and indicates whether any ACLs are set.

- The show access-lists command displays the contents of all ACLs.

NOTE: By entering the ACL name or number as an option for this command, you can see a specific list.

Page 44: CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11

Verify ACLs