1 Module 05 Security Chapter 17 IP Access Control List Security 2 Table of Content 1 Access Control List Fundamentals 2 Access Control Lists (ACLs) 3 ACCESS CONTROL LIST FUNDAMENTALS 4 What are ACLs 5 What are ACLs  ACLs are lists of conditions that are applied to traffic traveling across a router's interface.  These lists tell the router what kinds of packets to accept and what kinds of packets to deny.  Acceptance and denial can be based on specified conditions.  ACLs can be created for all routed network protocols to filter packets, such a IP, IPX.  ACLs can be configured at the router to control access to a network or subnet. 6 ACLs check the packet and header 7 How ACLs control traffic flow IP IPX Apple Talk IP IPX Apple Talk One list, per port, per direction, per protocol 8 The primary reasons to create ACLs  Limit network traffic and increase network performance.  Provide traffic flow control.  Provide a basic level of security for network access.  Decide which types of traffic are forwarded or blocked at the router interfaces.  Allow an administrator to control what areas a client can access on a network.  Screen certain hosts to either allow or deny access to part of a network 9 How the ACL work: order of ACL statements 1 0 ACL and Routing process in a router ACLs on Interface? Statement List Match? Route Packet to Outbound interface Layer2 Address match Permit packet? Yes Yes Yes Yes No Default Deny No ACLs on Interface? Statement List Match? Permit packet? Yes Yes Yes No Default Deny No Send To the device No No [...]... Standard ACL commands Router (config)# access- list access- list- number access- list access- list- number {deny | permit} source [source-wildcard] [log] {deny | permit} source [source-wildcard] [log] Router (config-if)# ip access- group access- list- number { in || out } ip access- group access- list- number { in out }  Access list number: 1  99  Commands:  Router# show access- lists Standard ACL examples EXTENDED...Creating ACLs: Step 1 Router (config)# access- list access- list- number { permit || deny } {test-conditions} access- list access- list- number { permit deny } {test-conditions}  Defines an ACL  Alert an ACL use no access- list access- list- number ACL command Description access- list defines an access list access- list- number protocol-dependent ACL number Permit defines a statement to allow... | deny} protocol source [source-mask destination protocol source [source-mask destination destination-mask operator operand] [established] destination-mask operator operand] [established] Router (config-if)# ip access- group access- list- number { in | out } ip access- group access- list- number { in | out }  Access list number: 100  199  Commands:  Router# show access- lists Reserved port numbers Extended... traffic test-conditions ACL test conditions ACL numbers Creating ACLs: Step 2 Router (config-if)# {protocol} access- group access- list- number {protocol} access- group access- list- number  Applies access list to interface ACL command Description protocol a protocol specified for the interface access- group any packets that pass the ACL test conditions can be permitted to use any interface in the access group... Match ACL list entry Yes Does destination address match ACL list entry Yes No Move to next statement No Is This the Last entry in the ACL Does Protocol and Port match Permit Yes Permit or Deny condition Route Packet to proper outbound interface Deny Yes Send Destination Not found message Extended ACL commands Router (config)# access- list access- list- number {permit | deny} access- list access- list- number... with an access list that is actively applied  Use a text editor to create comments outlining the logic, then, fill in the statements that perform the logic These basic rules should be followed (3)  New lines are always added to the end of the access list A no access- list x command will remove the whole list It is not possible to selectively add and remove lines with numbered ACLs  An IP access list. .. be permitted to use any interface in the access group of interfaces access- list- number the ACL identified by this ACL number to be associated to this interface These basic rules should be followed (1)  One access list per protocol per direction  Standard access lists should be applied closest to the destination  Extended access lists should be applied closest to the source  Use the inbound or outbound... Example Wildcard any Wildcard host Verifying ACLs: show ip interface Verifying ACLs: show access- lists Verifying ACLs: show running-config STANDARD ACLs Standard ACLs: Overview How the Standard ACL work? No No Is this an IP packet Yes Is there a Standard access list On this interface Yes Does source Address match ACL List entry Yes No Permit or Deny condition Deny Move to next statement No Is This the... used when removing an access list If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted  Outbound filters do not affect traffic originating from the local router The function of a wildcard mask  A wildcard mask is a 32-bit quantity that is... if looking at the port from inside the router  Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied  There is an implicit deny at the end of all access lists These basic rules should be followed (2)  Access list entries should filter in the order from specific to general Specific hosts should be denied first, . use no access- list access- list- number 1 2 ACL numbers 1 3 Creating ACLs: Step 2 { protocol } access- group access- list- number { protocol } access- group access- list- number Router (config-if)# ACL. 1 Module 05 Security Chapter 17 IP Access Control List Security 2 Table of Content 1 Access Control List Fundamentals 2 Access Control Lists (ACLs) 3 ACCESS CONTROL LIST FUNDAMENTALS 4 What. Yes No Default Deny No Send To the device No No 1 1 access- list access- list- number { permit | deny } { test-conditions } access- list access- list- number { permit | deny } { test-conditions } Router (config)# Creating