Chapter 09 access control lists Fetel Academy


Document information

Pages: 134
Size: 32 MB

Contents

Access Control Lists

Page 1

ELECTRONICS AND TELECOMMUNICATION FACULTY, CISCO NETWORKING ACADEMY

Fetel Academy

UNIVERSITY OF SCIENCE, HO CHI MINH CITY, VIETNAM

CHAPTER: Access Control Lists

Page 2

Chapter outline:

1 IP ACL Operation
2 Standard IPv4 ACLs
3 Extended IPv4 ACLs
4 Contextual Unit: Debug with ACLs
5 Troubleshoot ACLs
6 Contextual Unit: IPv6 ACLs

Page 3

Objectives

After completing this chapter, you will be able to:

* Explain how ACLs are used to filter traffic
* Compare standard and extended IPv4 ACLs
* Explain how ACLs use wildcard masks
* Explain the guidelines for creating ACLs
* Explain the guidelines for placement of ACLs
* Configure standard IPv4 ACLs to filter traffic according to networking requirements
* Modify a standard IPv4 ACL using sequence numbers
* Configure a standard ACL to secure vty access
* Explain the structure of an extended access control entry (ACE)
* Configure extended IPv4 ACLs to filter traffic according to networking requirements
* Configure an ACL to limit debug output
* Explain how a router processes packets when an ACL is applied
* Troubleshoot common ACL errors using CLI commands
* Compare IPv4 and IPv6 ACL creation
* Configure IPv6 ACLs to filter traffic according to networking requirements

Page 4

1 IP ACL Operation

Page 5

What is an ACL?

* An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header
* ACLs perform the following tasks:
  - Limit network traffic to increase network performance
  - Provide traffic flow control
  - Provide a basic level of security for network access
  - Filter traffic based on traffic type
  - Screen hosts to permit or deny access to network services

Page 6

What is an ACL?

[Figure: a router with an ACL applied, labelled "Allow incoming email", "Deny incoming Telnet" and "Deny HR access"]

* By default, a router does not have ACLs configured
* In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways

Cisco Networking Academy, Electronics and Telecommunications Faculty, University of Science, Ho Chi Minh City, Vietnam

Page 7

Packet Filtering

* Packet Filtering:
  - Controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria
    - These criteria are defined using ACLs
    - An Access Control List (ACL) is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols
* A router acts as a packet filter when it forwards or denies packets according to filtering rules
* An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs)

Page 8

Packet Filtering

* Packet Filtering:
  - The ACL extracts the information from the Layer 3 packet header:
    - Source IP address
    - Destination IP address
    - ICMP message type
  - And from the Layer 4 header:
    - TCP/UDP source port
    - TCP/UDP destination port

[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical); packet filtering works at Layer 3 and Layer 4]

Page 9

Packet Filtering

[Figure: a frame made up of the frame header (for example HDLC), the packet (IP header) and the segment (TCP header) with its data. The IP header answers "From which network?" (for example, Network B); the TCP header answers "Asking for port 80 services?" (for example, No)]

Page 10

ACL Operation

* Access list statements operate in sequential, logical order
* They evaluate packets from the top down
* Once there is an access list statement match, the router skips the rest of the statements
* If a condition match is true, the packet is permitted or denied
* There is an implicit deny any at the end of every access list
* ACLs do not block packets that originate within the router (i.e. pings, telnets, ssh, etc.)

Page 11

ACL Operation

* ACLs are configured to apply to inbound traffic or to apply to outbound traffic
  - An inbound ACL filters packets coming into a specific interface and before they are routed to the outbound interface
  - An outbound ACL filters packets after being routed, regardless of the inbound interface

[Figure: inbound ACL and outbound ACL on a router]

Page 12

ACL Operation

[Figure: inbound ACL flowchart; a matching packet is permitted (to destination interface), no match means Implicit Deny]

* Incoming packets are processed before they are routed to the outbound interface

Page 13

ACL Operation

[Figure: inbound ACL flowchart; a matching packet is permitted (to destination interface)]

* ACL statements are processed in a sequential, logical order
* The logic used to create the list and the order of the list items is very important

Page 14

ACL Operation

[Figure: packets to interfaces in the access group are tested statement by statement; a match is permitted (to destination interface)]

* If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked
* If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default

Page 15

ACL Operation

[Figure: outbound interface flowchart; unmatched packets are discarded]

* Before a packet is forwarded to an outbound interface, the router checks the routing table
* Next, the router checks to see whether the outbound interface is grouped to an ACL (access group command)

Page 16

ACL Operation

[Figure: packets flow from the inbound interface to the outbound interface]

* If no ACL is present, the packet is forwarded out the interface
* If an ACL is present, the packet is tested by the combination of ACL statements that are associated with that interface

Page 17

ACL Operation

[Figure: outbound interface flowchart; denied packets go to the discard bucket]

* The packet is either permitted (sent to the outbound interface) or denied (dropped)
* If the packet does not meet any of the criteria, it is dropped (Implicit Deny)

Page 18

Activity

Page 19

1 IP ACL Operation

Page 20

Types of Cisco IPv4 ACLs

* Two types:
  - Standard ACLs:
    - Standard ACLs allow you to permit or deny traffic based on the source IPv4 addresses
    - The destination of the packet and the ports involved do not matter

access-list 10 permit 192.168.30.0 0.0.0.255

    - Permits all traffic from the 192.168.30.0/24 network

Page 21

Types of Cisco IPv4 ACLs

* Two types:
  - Extended ACLs:
    - Extended ACLs filter IPv4 packets based on several attributes:
      - Protocol type, source and/or destination IPv4 address, source and/or destination TCP or UDP ports

access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80

      - Permits traffic originating from any address on the 192.168.30.0/24 network to any destination host, port 80 (HTTP)

Page 22

* Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic
* Numbered ACL:
  - Assign a number based on the protocol to be filtered
    - (1 to 99) and (1300 to 1999): Standard IP ACL
    - (100 to 199) and (2000 to 2699): Extended IP ACL
* When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number

[Figure: one numbered group versus multiple groups]

Page 23

* Using named ACLs:
  - A numbered ACL does not tell you the purpose of the list
  - Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL
    - Assign a name to identify the ACL
    - Names can contain alphanumeric characters
    - It is suggested that the name be written in CAPITAL LETTERS
    - Names cannot contain spaces or punctuation
    - Entries can be added or deleted within the ACL

Page 24

1 IP ACL Operation

Page 25

Introducing ACL Wildcard Masking

* Wildcard Masking:
  - ACL statements include wildcard masks
    - (Remember OSPF network entries?)
  - A wildcard mask is a string of binary digits telling the router to check specific parts of the subnet number
    - The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits
  - Wildcard masks are referred to as an inverse mask
    - Unlike a subnet mask, in which binary 1 is equal to a match (network) and binary 0 is not a match (host), the reverse is true
    - It also does not have to be contiguous 1's and 0's

Page 26

ACL Wildcard Masking

* Wildcard Masking:
  - Wildcard masks use the following rules to match binary 1s and 0s:
    - Wildcard mask bit 0:
      - The corresponding bit value in the IP address to be tested must match the bit value in the address specified in the ACL
    - Wildcard mask bit 1:
      - Ignore the corresponding bit value

                             Decimal Address   Binary Address
IP Address to be Processed   192.168.10.0      11000000.10101000.00001010.00000000
Wildcard Mask                0.0.255.255       00000000.00000000.11111111.11111111
Resulting IP Address         192.168.0.0       11000000.10101000.00000000.00000000

Page 27

ACL Wildcard Masking

Octet bit position and address value for bit:  128 64 32 16 8 4 2 1

Examples:

0 0 0 0 0 0 0 0 = Match All Address Bits (Match All)
0 0 1 1 1 1 1 1 = Ignore Last 6 Address Bits
0 0 0 0 1 1 1 1 = Ignore Last 4 Address Bits
1 1 1 1 1 1 0 0 = Ignore First 6 Address Bits
1 1 1 1 1 1 1 1 = Ignore All Bits in Octet

0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit

Page 28

Example 1
IP Address      192.168.1.1       11000000.10101000.00000001.00000001
Wildcard Mask   0.0.0.0           00000000.00000000.00000000.00000000
Result          192.168.1.1       11000000.10101000.00000001.00000001

Example 2
IP Address      192.168.1.1       11000000.10101000.00000001.00000001
Wildcard Mask   255.255.255.255   11111111.11111111.11111111.11111111
Result          0.0.0.0           00000000.00000000.00000000.00000000

Example 3
IP Address      192.168.1.1       11000000.10101000.00000001.00000001
Wildcard Mask   0.0.0.255         00000000.00000000.00000000.11111111
Result          192.168.1.0       11000000.10101000.00000001.00000000

Page 29

Example 1
IP Address      192.168.16.0      11000000.10101000.00010000.00000000
Wildcard Mask   0.0.15.255        00000000.00000000.00001111.11111111
Result Range    192.168.16.0      11000000.10101000.00010000.00000000
                to                to
                192.168.31.255    11000000.10101000.00011111.11111111

Example 2
IP Address      192.168.1.0       11000000.10101000.00000001.00000000
Wildcard Mask   0.0.254.255       00000000.00000000.11111110.11111111
Result          192.168.1.0       11000000.10101000.00000001.00000000

Page 30

Calculating the Wildcard Mask

Network 172.16.32.0, Subnet Mask 255.255.240.0

We can calculate the Wildcard Mask using the Subnet Mask:

                      255 255 255 255
  minus Subnet Mask   255 255 240   0
  Wildcard Mask:        0   0  15 255

Page 31

Calculating the Wildcard Mask

RouterB(config)#access-list 10 permit ?

Permit the following networks:

A 172.16.0.0 255.255.0.0
B 172.16.1.0 255.255.255.0
C 192.168.1.0 255.255.255.0
D 172.16.16.0 255.255.240.0
E 172.16.128.0 255.255.192.0

Permit the following hosts:

A 172.16.10.100
B 192.168.1.100
C All hosts

Address / Wildcard Mask:

172.16.0.0      0.0.255.255
172.16.1.0      0.0.0.255
192.168.1.0     0.0.0.255
172.16.16.0     0.0.15.255
172.16.128.0    0.0.63.255
172.16.10.100   0.0.0.0
192.168.1.100   0.0.0.0
0.0.0.0         255.255.255.255

Page 32

Example 1

* 192.168.10.10 0.0.0.0 matches all of the address bits
* Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 192.168.10.10)

Example 2

* 0.0.0.0 255.255.255.255 ignores all address bits
* Abbreviate this expression with the keyword any


[Figure: 192.168.10.10 with wildcard mask 0.0.0.0 (match all bits); 0.0.0.0 with wildcard mask 255.255.255.255 (ignore all bits)]

Page 33

Example 1:

R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
R1(config)#access-list 1 permit any

Example 2:

R1(config)#access-list 1 permit 192.168.10.10 0.0.0.0
R1(config)#access-list 1 permit host 192.168.10.10
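The top-down evaluation with an implicit deny any (slides 10 to 17) and the wildcard-mask arithmetic, including the host and any shorthands (slides 25 to 33), written out as working Python. This is an added example, not code from the original slides; the function names and the sample ACL and source addresses are constructed for illustration.

```python
import ipaddress

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (slide 30)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def ace_matches(packet_src: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must match; wildcard bit 1: ignore the bit."""
    a = int(ipaddress.IPv4Address(packet_src))
    b = int(ipaddress.IPv4Address(ace_addr))
    ignore = int(ipaddress.IPv4Address(wildcard))
    # Clear every ignored bit on both sides, then compare what remains
    return (a & ~ignore) == (b & ~ignore)

def ace_range(ace_addr: str, wildcard: str) -> tuple:
    """Lowest and highest address matched; meaningful for contiguous masks (slide 29)."""
    b = int(ipaddress.IPv4Address(ace_addr))
    ignore = int(ipaddress.IPv4Address(wildcard))
    low, high = b & ~ignore, (b & ~ignore) | ignore
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def parse_standard_ace(line: str) -> tuple:
    """Parse 'access-list N permit|deny <addr> [wildcard]' with host/any shorthands."""
    parts = line.split()
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if rest[0] == "any":                     # any = 0.0.0.0 255.255.255.255 (slide 33)
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":                  # host X = X 0.0.0.0 (slide 33)
        addr, wildcard = rest[1], "0.0.0.0"
    else:                                    # a missing wildcard defaults to 0.0.0.0 in IOS
        addr = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return number, action, addr, wildcard

def evaluate_standard_acl(config_lines: list, packet_src: str) -> str:
    """Top down, first match wins, implicit deny any when nothing matches (slide 10)."""
    for line in config_lines:
        _, action, addr, wildcard = parse_standard_ace(line)
        if ace_matches(packet_src, addr, wildcard):
            return action
    return "deny"  # the implicit deny any at the end of every access list

# Constructed sample ACL: block one host, permit the rest of its /24
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.10.10",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
]
```

Reordering the two SAMPLE_ACL lines makes the deny unreachable, which is the ordering mistake slide 13 warns about.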

Page 34

Determine the Correct Wildcard Mask

Page 35

Determine the Permit or Deny

Page 36

1 IP ACL Operation

Page 38

General Guidelines for Creating ACLs

1 One ACL per protocol:
  - An ACL must be defined for each protocol enabled on the interface
2 One ACL per direction:
  - ACLs control traffic in one direction at a time on an interface
    - Two separate ACLs must be created to control:
      - Inbound traffic: traffic coming into the interface
      - Outbound traffic: traffic leaving an interface
3 One ACL per interface:
  - ACLs control traffic for an interface (Gi0/0, S0/0/0)

Page 39

[Figure: a router with two interfaces, each running IPv4 and IPv6, with an ACL in each direction]

One list per interface, per direction, and per protocol

With two interfaces and two protocols running, this router could have a total of 8 separate ACLs applied

The three Ps for using ACLs

You can only have one ACL per protocol, per interface, and per direction:

* One ACL per protocol (e.g., IPv4 or IPv6)
* One ACL per direction (i.e., IN or OUT)
* One ACL per interface (e.g., FastEthernet0/0)

Page 40

ACL Best Practices

* Base your ACLs on the security policy of the organization
  - Benefit: this will ensure you implement organizational security guidelines
* Prepare a description of what you want your ACLs to do
  - Benefit: this will help you avoid inadvertently creating potential access problems
* Use a text editor to create, edit, and save ACLs
  - Benefit: this will help you create a library of reusable ACLs
* Test your ACLs on a development network before implementing them on a production network
  - Benefit: this will help you avoid costly errors

Page 41

ACL Operation

Page 42

1 IP ACL Operation

Page 43

Where to Place ACLs

* Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
  - Standard ACLs - Place standard ACLs as close to the destination as possible, because they do not specify destination addresses
  - Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered
    - Undesirable traffic is filtered without crossing the network infrastructure
* Placement of the ACL, and therefore the type of ACL used, may also depend on: the extent of the network administrator's control, the bandwidth of the networks involved, and ease of configuration

Posted: 18/05/2014, 09:28