
Transcript
Page 1: Access Control List (ACL) W.lilakiatsakun.

Access Control List (ACL)

W.lilakiatsakun

Page 2:

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 3:

Introduction to ACL (1)

► ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.

► These lists tell the router what types of packets to accept or deny.

► Acceptance and denial can be based on specified conditions.

► ACLs enable management of traffic and secure access to and from a network.

Page 4:

ACL

Page 5:

Introduction to ACL (2)

► To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces.

► The router examines each packet and will forward or discard it based on the conditions specified in the ACL.

► An ACL makes routing decisions based on source address, destination address, protocols, and upper layer port numbers.

Page 6:

Cisco IOS checks the packet and upper header

Page 7:

Introduction to ACL (3)

► ACLs must be defined on a per protocol, per direction, or per port basis.

► To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.

► ACLs control traffic in one direction at a time on an interface.

► Two separate ACLs must be created to control inbound and outbound traffic.

► Every interface can have multiple protocols and directions defined.

If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed.

There would be one ACL for each protocol, times two for each direction, times two for the number of ports.

Page 8:

Access Control List grouping in a router

Page 9:

ACL Tasks (1)

► Limit network traffic and increase network performance.

For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.

► Provide traffic flow control. ACLs can restrict the delivery of routing updates.

If updates are not required because of network conditions, bandwidth is preserved.

► Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.

For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

Page 10:

ACL Tasks (2)

► Decide which types of traffic are forwarded or blocked at the router interfaces.

- ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.

► Control which areas a client can access on a network.

► Screen hosts to permit or deny access to a network segment.

ACLs can be used to permit or deny a user access to services such as FTP or HTTP.

Page 11:

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 12:

How ACL works (1)

► The order in which ACL statements are placed is important.

► The packet is tested against each condition statement in order from the top of the list to the bottom.

► Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.

► If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked.

Page 13:

Page 14:

How ACL works (2)

► ACL statements operate in sequential, logical order.

► If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.

► If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default.

► The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted.

► When first learning how to create ACLs, it is a good idea to add the deny any at the end of ACLs to reinforce the dynamic presence of the implicit deny.

Page 15:

How ACL works (3)

► If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements.

► To make the process of revising an ACL simpler, it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.

Page 16:

Routing Process (1)

► The beginning of the router process is the same, whether ACLs are used or not.

► As a frame enters an interface, the router checks to see whether the Layer 2 address matches or if it is a broadcast frame.

► If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.

► If an ACL exists, the packet is now tested against the statements in the list.

► If the packet matches a statement, the packet is either accepted or rejected.

Page 17:

Routing Process (2)

► If the packet is accepted in the interface, it will then be checked against routing table entries to determine the destination interface and switched to that interface.

► Next, the router checks whether the destination interface has an ACL.

► If an ACL exists, the packet is tested against the statements in the list.

► If the packet matches a statement, it is either accepted or rejected.

► If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Page 18:

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 19:

Creating rules for ACLs (1)

► There is an implicit deny any at the end of all access lists.

This will not appear in the configuration listing.

► Access list entries should filter in the order from specific to general.

Specific hosts should be denied first, and groups or general filters should come last.

► The match condition is examined first.

The permit or deny is examined only if the match is true.

► Never work with an access list that is actively applied.

► A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
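The ordering rule above (specific entries first, general ones last, and never a permit-all above entries that still need checking) can be checked before an ACL is pasted into a router. The following Python is an added example written for this page, not part of the original slides or of any Cisco tool: it models standard-ACL entries as a reference address plus wildcard mask (constructed sample addresses) and flags any entry whose whole address range is already covered by an earlier entry, because such an entry can never be reached under first-match processing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL: action plus a source address/wildcard pair."""
    action: str      # "permit" or "deny"
    src: str         # dotted-quad reference address
    wildcard: str    # dotted-quad wildcard mask; a 1 bit means "don't care"


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every address matched by `inner` is also matched by `outer`.

    An address a matches (ref, wc) when (a ^ ref) & ~wc == 0.  `outer`
    therefore covers `inner` when the bits `outer` ignores are a superset of
    the bits `inner` ignores, and on the bits `outer` still checks both
    reference addresses agree.
    """
    wo, wi = to_int(outer.wildcard), to_int(inner.wildcard)
    if (wo | wi) != wo:            # inner ignores a bit that outer checks
        return False
    care = ~wo & 0xFFFFFFFF        # bits outer checks (inner checks them too)
    return ((to_int(outer.src) ^ to_int(inner.src)) & care) == 0


def shadowed_entries(acl):
    """Return (index, shadowing_index) pairs for entries that can never match
    because an earlier entry already covers every address they describe."""
    result = []
    for i, entry in enumerate(acl):
        for j in range(i):
            if covers(acl[j], entry):
                result.append((i, j))
                break
    return result


# Constructed sample: a permit-all at the top shadows everything below it.
ACL_SHADOWED = [
    Ace("permit", "0.0.0.0", "255.255.255.255"),   # permit any
    Ace("deny", "192.168.10.7", "0.0.0.0"),        # host entry, never reached
    Ace("permit", "192.168.10.0", "0.0.0.255"),    # never reached either
]

# Same intent, ordered specific to general: nothing is shadowed.
ACL_ORDERED = [
    Ace("deny", "192.168.10.7", "0.0.0.0"),
    Ace("permit", "192.168.10.0", "0.0.0.255"),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_entries(ACL_SHADOWED))   # [(1, 0), (2, 0)]
    print("ordered:", shadowed_entries(ACL_ORDERED))     # []
```

The check is purely about reachability: it reports an unreachable entry whether its action agrees with the earlier one or not, since either way the entry documents intent the router will never act on.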

Page 20:

Creating rules for ACLs (2)

► New lines are always added to the end of the access list.

A no access-list x command will remove the whole list.

It is not possible to selectively add and remove lines with numbered ACLs.

► An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.

► An access list should be removed carefully.

If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.

► Outbound filters do not affect traffic that originates from the local router.

Page 21:

Creating rules for ACLs (3)

► There should be one access list per protocol per direction.

► Standard access lists should be applied closest to the destination.

► Extended access lists should be applied closest to the source.

► The inbound or outbound interface should be referenced as if looking at the port from inside the router.

► Statements are processed sequentially from the top of the list to the bottom until a match is found.

► If no match is found then the packet is denied and discarded.

Page 22:

Applying ACLs

Page 23:

ACL Fundamental

► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask

Page 24:

The function of a wildcard mask

► A wildcard mask is a 32-bit quantity that is divided into four octets.

► A wildcard mask is paired with an IP address.

► The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits: a zero bit means the packet's address bit must match the ACL address, a one bit means that bit is ignored.

► Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

Page 25:

Wildcard Mask vs Subnet Mask

► The subnet mask and the wildcard mask represent two different things when they are compared to an IP address.

► Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address.

► Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address.

► The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.

Page 26:

Wildcard Mask EX (1)

Page 27:

Wildcard Mask EX (2)

Page 28:

Wildcard Mask EX (3)

Page 29:

Wildcard Mask EX (4)

Page 30:

Wildcard Mask Keyword

► There are two special keywords that are used in ACLs, the any and host options.

► The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.

This option will match any address that it is compared against.

► The host option substitutes 0.0.0.0 for the mask.

► This mask requires that all bits of the ACL address and the packet address match.

This option will match just one address.

Page 31:

Standard ACL

► Standard ACLs check the source address of IP packets that are routed.

► The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.

► For example, packets that come in Fa0/0 are checked for their source addresses and protocols.

► If they are permitted, the packets are routed through the router to an output interface.

► If they are not permitted, they are dropped at the incoming interface.

Page 32:

Page 33:

Extended ACLs (1)

► Extended ACLs are used more often than standard ACLs because they provide a greater range of control.

► Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.

► This gives greater flexibility to describe what the ACL will check.

► Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

Page 34:

Extended ACLs (2)

► For a single ACL, multiple statements may be configured.

► Each statement should have the same access list number, to relate the statements to the same ACL.

► There can be as many condition statements as needed, limited only by the available router memory.

► Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
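The mechanics described in the "How ACL works", wildcard mask, any/host keyword, standard ACL and extended ACL slides above can be captured in a small simulator. The Python below is an added example written for this page, not code from the original slides or from Cisco IOS: it implements wildcard-bit matching (0 = bit must match, 1 = ignore), the any and host substitutions, top-to-bottom first-match evaluation, and the implicit deny any that applies when no statement matches. Entries can be standard (source only) or extended (protocol, source, destination, destination port). All addresses, list contents and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The `any` keyword: address 0.0.0.0 with an all-ones wildcard, so every bit is ignored.
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    """The `host` keyword: the given address with a 0.0.0.0 wildcard, so every bit must match."""
    return (addr, "0.0.0.0")


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, ref_addr: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means the packet's bit must equal the reference bit; 1 means don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) ^ to_int(ref_addr)) & care == 0


@dataclass(frozen=True)
class Ace:
    """One ACL statement. A standard ACL uses only `action` and `src`."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: Tuple[str, str] = ANY       # (address, wildcard)
    dst: Tuple[str, str] = ANY       # (address, wildcard); standard ACLs leave this as ANY
    dst_port: Optional[int] = None   # extended ACLs may also check an upper-layer port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """The match condition is examined first; only a full match lets the action apply."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src):
        return False
    if not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Test the packet against each statement from top to bottom; the first match decides
    and nothing below it is checked. With no match, the invisible `deny any` at the end
    applies, reported here with index None."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# Constructed standard ACL: deny one host, permit the rest of its subnet.
ACL_10 = [
    Ace("deny", src=host("192.168.10.7")),
    Ace("permit", src=("192.168.10.0", "0.0.0.255")),
]

# Constructed extended ACL: permit e-mail (SMTP, tcp/25) from the LAN to a mail server,
# block all Telnet (tcp/23), permit any other traffic from the LAN.
MAIL_SERVER = "172.16.5.25"
ACL_110 = [
    Ace("permit", "tcp", src=("192.168.10.0", "0.0.0.255"), dst=host(MAIL_SERVER), dst_port=25),
    Ace("deny", "tcp", dst_port=23),
    Ace("permit", "ip", src=("192.168.10.0", "0.0.0.255")),
    # implicit deny any follows
]

if __name__ == "__main__":
    print(evaluate(ACL_10, Packet("192.168.10.7", "10.0.0.1", "tcp", 80)))      # ('deny', 0)
    print(evaluate(ACL_110, Packet("192.168.10.40", "10.0.0.1", "tcp", 23)))    # ('deny', 1)
    print(evaluate(ACL_110, Packet("192.168.20.9", "10.0.0.1", "udp", 53)))     # ('deny', None)
```

The returned index makes the first-match behaviour visible: a packet from 192.168.20.9 hits no statement in ACL_110 and is dropped by the implicit deny, which is exactly the case the slides recommend making explicit with a trailing deny any while learning.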

Page 35:

Page 36:

ACLs LAB

► 11.2.1a Standard ACLs configuration 1
► 11.2.1b Standard ACLs configuration 2
► 11.2.2a Extended ACLs configuration 1
► 11.2.2b Extended ACLs configuration 2

Page 37:

Named ACL

► Named ACLs allow standard and extended ACLs to be given names instead of numbers.

► The following are advantages that are provided by a named access list:

Alphanumeric names can be used to identify ACLs.

The IOS does not limit the number of named ACLs that can be configured.

Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.

However, a named access list will only allow for statements to be inserted at the end of a list.

It is a good idea to use a text editor to create named ACLs.

Page 38:

Page 39:

Page 40:

Placing ACLs (1)

► Proper ACL placement will filter traffic and make the network more efficient.

► The ACL should be placed where it has the greatest impact on efficiency.

► The general rule is to put the extended ACLs as close as possible to the source of the traffic denied.

► Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

Page 41:

Placing ACLs (2)

Page 42:

Placing ACLs example (1)

► In the figure, the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D.

► At the same time, other traffic must be permitted.

► The recommended solution is an extended ACL that specifies both source and destination addresses.

► Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D.

► Traffic with different source and destination addresses will still be permitted.

Page 43:

Placing ACLs example (2)

► To prevent traffic from Router A to the Router D segment, a standard ACL should be placed on Fa0/0 of Router D.

Page 44:

Deploy ACL

► ACLs may be used with:

Firewall

To protect virtual terminal access

etc.

Page 45:

Restricting Virtual terminal access (1)

Page 46:

Restricting Virtual terminal access (2)