1102.book Page 839 Tuesday, May 20, 2003 2:53 PM

Objectives

Upon completion of this chapter, you will be able to

■ Understand the purpose of ACLs
■ Describe how ACLs work
■ Determine which wildcard mask should be used
■ Describe and use standard ACLs, extended ACLs, and named ACLs
■ Describe a simple firewall architecture

Chapter 20

Access Control Lists

In this chapter, you learn about using standard and extended access control lists (ACLs) as a means to control network traffic and how ACLs are used as part of a security solution. In addition, this chapter includes tips, considerations, recommendations, and general guidelines on how to use ACLs, and includes the commands and configurations needed to create ACLs. Finally, this chapter provides examples of standard and extended ACLs and shows how to apply ACLs to router interfaces.

Please be sure to look at this chapter’s associated e-Labs, Videos, and PhotoZooms that you will find on the CD-ROM accompanying this book. These CD elements are designed to supplement the material and reinforce the concepts introduced in this chapter.

ACL Overview

Network administrators must be capable of denying unwanted access to the network while allowing appropriate access. Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls that most administrators prefer. For example, a network administrator might want to allow users access to the Internet but might not want external users Telnetting into the LAN. Routers provide basic traffic-filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols.
It is important to configure ACLs correctly and to know where to place ACLs on the network. ACLs serve multiple purposes in a network. Common ACL functions include the following:

■ Filtering packets internally
■ Protecting the internal network from illegal Internet access
■ Restricting access to virtual terminal ports

ACLs are lists of instructions that you apply to a router’s interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address, and TCP/UDP port number.

ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL.

ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX), to filter packets as the packets pass through a router. ACLs can be configured at the router to control access to a network or subnet.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. ACL conditions could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, the port, or applications.

ACLs must be defined on a per-protocol basis. In other words, you must define an ACL for every protocol enabled on an interface if you want to control traffic flow for that protocol on that interface. (Note that some protocols refer to ACLs as filters.) For example, if your router interface were configured for IP, AppleTalk, and IPX, you would need to define at least three ACLs.
As shown in Figure 20-1, ACLs can be used as a tool for network control by adding the flexibility to filter the packets that flow in or out of router interfaces. This is accomplished by establishing a numbering range or scheme for each protocol’s ACL. You learn more about the ACL numbers later in this chapter.

NOTE ACLs consume CPU resources in the router because every packet has to be punted to the CPU.

Figure 20-1 ACL Example (figure: FDDI and Token Ring networks 172.16.0.0 and 172.17.0.0 connected through a router to the Internet, with an ACL on each router interface)

NOTE The rule of thumb is one ACL per interface per direction.

Why Create ACLs?

Many reasons exist for creating ACLs. ACLs can be used to do the following:

■ Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of a protocol. This is referred to as queuing. Queuing ensures that routers will not process packets that are not needed. As a result, queuing limits network traffic and reduces network congestion.
■ Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to limit information about specific networks from propagating through the network.
■ Provide a basic level of security for network access. ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 20-2, Host A is allowed to access the Human Resources network, and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network.
■ Decide which type of traffic is forwarded or blocked at the router interface. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
Figure 20-2 Limiting Network Traffic (figure: Host A is permitted to reach the Human Resources network; Host B is blocked from it, while the Research and Development network remains reachable)

Creating an ACL: Why Order Matters

Order matters when creating an ACL. As traffic enters or exits a router’s interface where an ACL is applied, Cisco IOS Software compares the packet against the rules defined in the ACL. Statements are evaluated in the order they were entered into the ACL by the network administrator. The packet is compared against each statement, one at a time in sequence, until a match is found. After a match is found, the action specified in the line matching the traffic in question is taken. No more conditions are checked. For example, if a condition statement permitting all traffic is created, statements added later will never be checked.

If additional statements are required or if statements must be changed, you must delete the ACL and re-create it with the new statements. It is a good idea to use a PC text editor to create and modify ACLs and then send them to the router via Trivial File Transfer Protocol (TFTP) or HyperTerminal text file transfer.

NOTE When an ACL is created, new lines are added to the end of the ACL. Individual lines cannot be deleted. Only entire ACLs can be deleted.

Using ACLs

You can create an ACL for each protocol that you want to filter for each router interface. For some protocols, you create one ACL to filter inbound traffic and one ACL to filter outbound traffic.

After an ACL statement checks a packet for a match, the packet can be denied or permitted to use an interface in the access group. Cisco IOS Software ACLs check the packet and upper-layer headers, as shown in Figure 20-3.
How ACLs Work

An ACL is a group of statements that define how packets do the following:

■ Enter inbound router interfaces
■ Relay through the router
■ Exit outbound router interfaces

As shown in Figure 20-4, the beginning of the communication process is the same, whether ACLs are used or not. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. Now the router checks whether the inbound interface has an ACL. If one exists, the packet is tested against the conditions in the list. If the packet is allowed, it then is checked against routing table entries to determine the destination interface. ACLs do not filter packets that originate in the router itself; they filter only packets from other sources.

Next, the router checks whether the destination interface has an ACL. If it does not, the packet can be sent to the destination interface directly; for example, if it will use E0, which has no ACLs, the packet uses E0 directly.

ACL statements operate in a sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit deny any statement is imposed. Even though you will not see the deny any as the last line of an ACL, it is there by default.

In Figure 20-5, if by matching the first test a packet is denied access to the destination, it is discarded and dropped into the bit bucket. It is not exposed to any ACL tests that follow. If the packet does not match the conditions of the first test, it drops to the next statement in the ACL.
Figure 20-3 Checking the Packet and Upper-Layer Headers (figure: frame header such as HDLC, IP packet header with source address, destination address, and protocol, segment such as a TCP header with port number, then data; access list statements test the packet and result in permit or deny)

Figure 20-4 How ACLs Work (flowchart: inbound interface, route/bridge decision, inbound ACL test, routing table entry lookup, outbound ACL test, destination interface; unwanted packets go to the packet discard bucket and the sender is notified)

Figure 20-5 ACL Test Matching and Implicit deny any (flowchart: match first test, match next test(s), permit or deny at each statement, implicit deny when no statement matches, permitted packets go to the interface(s) in the access group)

ACLs enable you to control what clients can access on your network. Conditions in an ACL file can do the following:

■ Screen out certain hosts to either allow or deny access to part of your network
■ Grant or deny users permission to access only certain types of applications, such as FTP or HTTP

ACL Configuration Tasks

In practice, ACL commands can be lengthy character strings. Key tasks covered in this section for creating ACLs include the following:

■ You create ACLs by using global configuration mode.
■ Specifying an ACL number from 1 to 99 defines a standard ACL for IP and instructs the router to accept standard ACL statements.
■ Specifying an ACL number from 100 to 199 defines an extended ACL for IP and instructs the router to accept extended ACL statements.
■ You must carefully select and logically order the ACL. Permitted IP protocols must be specified; all other protocols should be denied unless required.
■ You need to select which protocols to check; any other protocols are not checked. Later in the procedure, you can specify an optional destination port for more precision.
■ You apply an ACL to an interface.

Although each protocol has its own set of specific tasks and rules that are required to provide traffic filtering, in general most protocols require two basic steps:

Step 1 Create an ACL definition.
Step 2 Apply the ACL to an interface.

ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic, depending on the configuration and how they are applied. Outbound ACLs generally are more efficient than inbound and, therefore, are preferred. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.

Assigning a Unique Number to Each ACL

When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol’s ACL. When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol. Example 20-1 defines ACLs 1 and 2 and applies the ACLs to interface Ethernet 0:

Example 20-1 Assigning ACLs to an Interface

    access-list 1 permit 5.6.0.0 0.0.255.255
    access-list 1 deny 7.9.0.0 0.0.255.255
    !
    access-list 2 permit 1.2.3.4
    access-list 2 deny 1.2.0.0 0.0.255.255
    !
    interface ethernet 0
    ip address 1.1.1.1 255.0.0.0
    !
    ip access-group 1 in
    ip access-group 2 out

Table 20-1 lists valid protocol ACL numbers.

Table 20-1 Protocols, ACLs, and Their Corresponding Numbers

    Protocol                              Range
    IP                                    1 to 99
    Extended IP                           100 to 199
    AppleTalk                             600 to 699
    IPX                                   800 to 899
    Extended IPX                          900 to 999
    IPX Service Advertising Protocol      1000 to 1099

Using Wildcard Mask Bits

A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means “check the corresponding bit value,” and a wildcard mask bit of 1 means “do not check (ignore) that corresponding bit value” (see Figure 20-6).
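The first-match evaluation, the implicit deny any, and the wildcard-mask bit rule described above, run over the two standard access lists of Example 20-1. This is an added Python illustration, not code from the book or from Cisco IOS; the function names and the sample source addresses are my own.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 0 bit means 'check this bit', a 1 bit
    means 'ignore it'. A missing wildcard (as in 'access-list 2 permit
    1.2.3.4') means check all 32 bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    check = ~w & 0xFFFFFFFF          # bits that must match are where the wildcard is 0
    return (a & check) == (b & check)

def parse_acl(lines):
    """Parse standard 'access-list <n> permit|deny <addr> [wildcard]' lines
    into {n: [(action, addr, wildcard), ...]}, keeping the entry order."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                 # '!' comment or unrelated config line
        num, action, addr = parts[1], parts[2], parts[3]
        wc = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(num, []).append((action, addr, wc))
    return acls

def evaluate(acl, src):
    """Sequential first match: the first statement that matches decides,
    later statements are never consulted. With no match, the invisible
    implicit 'deny any' applies (returned as statement index None)."""
    for idx, (action, addr, wc) in enumerate(acl, start=1):
        if wildcard_match(src, addr, wc):
            return action, idx
    return "deny", None

# Constructed input: the access lists of Example 20-1, as typed in global config mode.
EXAMPLE_20_1 = """\
access-list 1 permit 5.6.0.0 0.0.255.255
access-list 1 deny 7.9.0.0 0.0.255.255
!
access-list 2 permit 1.2.3.4
access-list 2 deny 1.2.0.0 0.0.255.255
""".splitlines()

ACLS = parse_acl(EXAMPLE_20_1)

if __name__ == "__main__":
    for src in ("5.6.1.1", "7.9.2.2", "10.0.0.1"):       # constructed sample sources
        print("ACL 1 (inbound)", src, evaluate(ACLS["1"], src))
    for src in ("1.2.3.4", "1.2.9.9"):
        print("ACL 2 (outbound)", src, evaluate(ACLS["2"], src))
```

Reversing the two lines of ACL 2 makes 1.2.3.4 hit the deny first, which is the ordering point of the "Why Order Matters" section; 10.0.0.1 matches nothing in ACL 1 and is dropped by the implicit deny even though no deny line names it.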