Managing Traffic with Access Lists - PowerPoint PPT Presentation
Provided by: JJCam
Slides: 53

Transcript and Presenter's Notes
1
Chapter 10
  • Managing Traffic with Access Lists

2
Objectives
  • Configure IP standard access lists
  • Configure IP extended access lists
  • Configure Named access lists
  • Monitor and verify access lists

3
Access Control Lists
ACLs are lists of instructions you apply to a
router's interface. These lists tell the router
what kinds of packets to accept and what kinds of
packets to deny. Any traffic going through the
interface is tested against certain conditions
that are part of the ACL.
4
Access Lists
  • Purpose
  • Used to permit or deny packets moving through the
    router
  • Permit or deny Telnet (VTY) access to or from a
    router
  • Other security tools lack the flexibility of
    basic traffic filtering
  • Create dial-on-demand routing (DDR) "interesting
    traffic" that triggers dialing to a remote location

5
Reasons to Create ACLs
  • Limit network traffic and increase network
    performance.
  • Provide traffic flow control.
  • Provide a basic level of security for network
    access.
  • Decide which types of traffic are forwarded or
    blocked at the router interfaces.
  • (Caution: adding complex access lists to an
    interface can increase latency.)

6
Important Rules to Remember
  • Packets are compared to each line of the access
    list in sequential order
  • Packets are compared with lines of the access
    list only until a match is made
  • Once a match is made and acted upon, no further
    comparisons take place
  • An implicit deny is at the end of each access
    list
  • If no matches have been made, the packet will be
    discarded

7
Important Rules to Remember
  • If you create a condition statement that permits
    all traffic, no statements added later will ever
    be checked.
  • If you need additional statements in a standard
    or extended ACL, you must delete the ACL and
    re-create it with the new condition statements.
  • This is why it's a good idea to edit a router's
    configuration on a PC using a text editor and
    then TFTP the configuration to the router (or use
    Notepad and cut and paste).

8
Packet and Upper Layer Headers
  • You can create an ACL for each protocol you want
    to filter for each router interface.
  • There can be only one access list per protocol
    per interface.
  • Cisco IOS ACLs check the packet and upper-layer
    headers.

9
What are Access Lists?
10
Types of Access Lists
  • Standard Access List
    • Filter by source IP address only
  • Extended Access List
    • Filter by:
      • Source IP
      • Destination IP
      • Layer 3 sub-protocols (ICMP, IGMP, etc.)
      • Layer 4 (TCP, UDP)
      • Port number (application layer)

11
Application of Access Lists
  • Inbound Access Lists
    • Packets are processed before being routed to the
      outbound interface
  • Outbound Access Lists
    • Packets are routed to the outbound interface and
      then processed through the access list

12
The Man in the Router
Out: packets leaving the router's interface(s)
and going to the network. In: packets arriving
at the router's interface(s) from the network.
13
ACL Guidelines
  • End ACLs with a permit any command
  • Create ACLs then apply them to an interface
  • ACLs do not filter traffic originated from the
    router
  • Put Standard ACLs close to the destination
  • Put Extended ACLs close to the source
  • One access list per interface, per protocol,
    per direction
  • More specific tests at the top of the ACL
  • New tests are placed at the bottom of the ACL
  • Individual lines cannot be removed

14
Standard IP Access Lists
  • Router#config t
  • Enter configuration commands, one per line. End
    with CNTL/Z.
  • Router(config)#access-list ?
  • <1-99> IP standard access list
  • <100-199> IP extended access list
  • <1000-1099> IPX SAP access list
  • <1100-1199> Extended 48-bit MAC address access
    list
  • <1200-1299> IPX summary address access list
  • <1300-1999> IP standard access list (expanded
    range)
  • <200-299> Protocol type-code access list
  • <2000-2699> IP extended access list (expanded
    range)
  • <300-399> DECnet access list
  • <600-699> Appletalk access list
  • <700-799> 48-bit MAC address access list
  • <800-899> IPX standard access list
  • <900-999> IPX extended access list

15
Standard IP Access Lists
  • Creating a standard IP access list
  • Router(config)#access-list 10 ?
  • deny    Specify packets to reject
  • permit  Specify packets to forward
  • Permit or deny?
  • Router(config)#access-list 10 deny ?
  • Hostname or A.B.C.D  Address to match
  • any                  Any source host
  • host                 A single host address
  • Using the host keyword
  • Router(config)#access-list 10 deny host
    172.16.30.2

16
Classroom Example

Example: say you want to permit only Workstation
2 () to access the 223.8.151.0 (yellow) network.
access-list 20 permit host 192.5.5.12 ?????
17
  • The ip access-group command links an existing
    access list to an interface.
  • Only one access list per interface per protocol
    per direction is allowed.
  • access-list-number: the number of the access
    list to be linked to this interface.
  • in | out: selects whether the access list is
    applied to incoming or outgoing traffic on the
    interface. If in or out is not specified, out is
    the default.

18
  • Step 1: Create the access list
  • Lab-C#config t
  • Lab-C(config)#access-list 10 permit 192.5.5.12
    0.0.0.0
  • Implicit deny any (you do not need to add this):
  • access-list 10 deny 0.0.0.0 255.255.255.255
  • Step 2: Apply the access group to the interface(s)
  • Lab-C(config)#interface e 0
  • Lab-C(config-if)#ip access-group 10
  • Step 3: Verify
  • Lab-C#show ip interface
  • (allows you to view the placement of an access
    list)
  • Lab-C#show access-lists (displays the contents
    of all ACLs)

19
  • NOTE: To remove an access list, first enter the
    no ip access-group command, including the list
    number, for each interface where the list had
    been used, then enter the no access-list
    command (with the list number).

20
Wildcards
  • What are they?
  • Used with access lists to specify a host, a
    network, or part of a network that the access
    list pertains to

21
  • IP access lists use wildcard masking.
  • A wildcard mask is a string of bits (0 or 1) that
    tells the router how to treat the corresponding
    IP address bits.
  • A wildcard mask bit 0 means check the
    corresponding bit value.
  • A wildcard mask bit 1 means do not check
    (ignore) that corresponding bit value.

22
Example
  • 172.16.30.5 0.0.0.255
  • The 0s tell the router to match the 1st three
    octets exactly
  • The 255 tells the router the 4th octet can be any
    value
  • This shows how a full subnet (172.16.30.0) is
    specified
  • An Online Wildcard Calculator

23
Sample Network
What if we wanted Router A to permit the entire
sales network and just the 172.16.50.2 station to
get to the Administrative network?
(Diagram: three /24 networks)
24
  • Using Wildcard Masks
  • RouterA(config)#access-list 11 permit
    172.16.30.0 0.0.0.255
  • RouterA(config)#access-list 11 permit
    172.16.50.2 0.0.0.0
  • 172.16.30.0 0.0.0.255
  • 0: check, make sure the first octet is 172
  • 0: check, make sure the second octet is 16
  • 0: check, make sure the third octet is 30
  • 255: don't check (permit any fourth octet)

25
  • RouterA(config)#access-list 11 permit
    172.16.50.2 0.0.0.0
  • 172.16.50.2 0.0.0.0
  • 0: check, make sure the first octet is 172
  • 0: check, make sure the second octet is 16
  • 0: check, make sure the third octet is 50
  • 0: check, make sure the fourth octet is 2

26
  • Remember the implicit deny any (deny everything else)
  • access-list 11 permit 172.16.30.0 0.0.0.255
  • access-list 11 permit 172.16.50.2 0.0.0.0
  • access-list 11 deny 0.0.0.0 255.255.255.255
  • When we set the wildcard mask to all 1s
    (255.255.255.255) we are saying don't check any
    of the bits, it doesn't matter, and in this case
    we are denying everything.
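As an added example (not from the slides), a small Python model of the matching rules above: wildcard bits with 0 = check and 1 = ignore, lines tested top to bottom, first match wins, and the implicit deny when nothing matches. It uses the slides' access-list 11 plus a constructed, misordered list to show how a leading permit any shadows every line after it.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'check this bit',
    a 1 bit means 'ignore it'. addr matches when every checked bit equals base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def evaluate_standard_acl(entries, src: str) -> str:
    """entries are (action, base, wildcard) tuples in configured order.
    Lines are tested top to bottom and the first match decides; a packet
    that matches no line falls off the end into the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"   # the implicit 'deny any' at the end of every ACL

# access-list 11 from the slides: the whole sales /24 plus one admin station
ACL_11 = [
    ("permit", "172.16.30.0", "0.0.0.255"),
    ("permit", "172.16.50.2", "0.0.0.0"),
]

# Misordered list (constructed): a 'permit any' on the first line shadows the
# deny under it, which can never be reached (slide 7's warning)
SHADOWED = [
    ("permit", "0.0.0.0", "255.255.255.255"),
    ("deny",   "172.16.40.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for host in ("172.16.30.77", "172.16.50.2", "172.16.50.3", "10.0.0.1"):
        print(f"list 11: {host:14} -> {evaluate_standard_acl(ACL_11, host)}")
    print("shadowed: 172.16.40.9 ->", evaluate_standard_acl(SHADOWED, "172.16.40.9"))
```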

27
Block Sizes
  • 64, 32, 16, 8, 4
  • Rules
  • When specifying a range of addresses, choose the
    closest block size
  • Each block size must start at 0
  • A 0 in a wildcard means that octet must match
    exactly
  • A 255 in a wildcard means that octet can be any
    value
  • The command any is the same thing as writing out
    the wildcard 0.0.0.0 255.255.255.255

28
Specifying a Range of Subnets
  • (Remember: specify a range of values in a block
    size)
  • Requirement: block access in the range from
    172.16.8.0 through 172.16.15.0
    (block size 8)
  • Network number: 172.16.8.0
  • Wildcard: 0.0.7.255
  • The wildcard is always one number less than
    the block size

29
Wildcard Matching Example
access-list 1 permit 169.222.30.8 0.0.0.7

Last octet of 169.222.30.8:      0000 1000
Last octet of wildcard 0.0.0.7:  0000 0111
Bits checked (0) / ignored (x):  0000 1xxx

Therefore 169.222.30.8 0.0.0.7 matches:
  0000 1000  .8    169.222.30.8
  0000 1001  .9    169.222.30.9
  0000 1010  .10   169.222.30.10
  0000 1011  .11   169.222.30.11
  0000 1100  .12   169.222.30.12
  0000 1101  .13   169.222.30.13
  0000 1110  .14   169.222.30.14
  0000 1111  .15   169.222.30.15
30
Practice
  • The administrator wants to use IP wildcard
    masking bits to match subnets 172.30.16.0 to
    172.30.31.0
  • Answer 0.0.15.255
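Added example, not part of the slides: Python helpers that turn an aligned range of subnets into its wildcard by the block-size rule (wildcard = block size minus 1, refusing ranges that do not start on a block boundary) and that enumerate the addresses a base/wildcard pair covers. They are checked against the 172.16.8.0 to 172.16.15.0 and 172.30.16.0 to 172.30.31.0 ranges above and the 169.222.30.8 0.0.0.7 example.

```python
import ipaddress

def wildcard_for_subnet_range(first_net: str, last_net: str, prefix: int = 24) -> str:
    """Wildcard covering the subnets first_net..last_net as one block.
    The slides' rule: the span must be a power-of-two block size (4, 8, 16, ...)
    starting on a multiple of that size, and the wildcard is block size - 1."""
    lo = int(ipaddress.IPv4Network(f"{first_net}/{prefix}").network_address)
    hi = int(ipaddress.IPv4Network(f"{last_net}/{prefix}").broadcast_address)
    span = hi - lo + 1                       # number of addresses in the block
    if span & (span - 1) or lo % span:       # power of two, and aligned to its size
        raise ValueError(f"{first_net}-{last_net}/{prefix} is not an aligned block")
    return str(ipaddress.IPv4Address(span - 1))

def addresses_matched(base: str, wildcard: str) -> list:
    """Every address a (base, wildcard) pair matches, ascending. Bits of base
    under a 1 in the wildcard are ignored, so 169.222.30.11 0.0.0.7 covers the
    same block as 169.222.30.8 0.0.0.7. Meant for small blocks only."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    start = b & ~w                           # clear the ignored bits of the base
    return [str(ipaddress.IPv4Address(start | i))
            for i in range(w + 1) if (i & ~w) == 0]

if __name__ == "__main__":
    print(wildcard_for_subnet_range("172.16.8.0", "172.16.15.0"))    # 0.0.7.255
    print(wildcard_for_subnet_range("172.30.16.0", "172.30.31.0"))   # 0.0.15.255
    print(addresses_matched("169.222.30.8", "0.0.0.7"))              # .8 through .15
    try:
        # 8 subnets, but starting at .9 is not a block boundary (constructed case)
        wildcard_for_subnet_range("172.16.9.0", "172.16.16.0")
    except ValueError as err:
        print(err)
```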

31
Examples
  • RouterA(config)#access-list 10 deny 172.16.10.0
    0.0.0.255
  • RouterA(config)#access-list 10 deny 172.16.0.0
    0.0.255.255
  • RouterA(config)#access-list 10 deny 172.16.16.0
    0.0.3.255
  • RouterA(config)#access-list 10 deny 172.16.16.0
    0.0.7.255
  • RouterA(config)#access-list 10 deny 172.16.32.0
    0.0.31.255
  • RouterA(config)#access-list 10 deny 172.16.64.0
    0.0.63.255

32
Examples
  • Acme#config t
  • Acme(config)#access-list 10 deny 172.16.40.0
    0.0.0.255
  • Acme(config)#access-list 10 permit any
  • (permit any is the same as Acme(config)#access-list
    10 permit 0.0.0.0 255.255.255.255)
  • Acme(config)#int e0
  • Acme(config-if)#ip access-group 10 out

33
Controlling VTY (Telnet) Access
  • Why?
  • Without an ACL, any user can Telnet into the
    router via a VTY line and gain access
  • Controlling access
  • Create a standard IP access list permitting only
    the host(s) authorized to Telnet into the router
  • Apply the ACL to the VTY lines with the
    access-class command

34
Example
  • RouterA(config)#access-list 50 permit
    172.16.10.3
  • RouterA(config)#line vty 0 4
  • RouterA(config-line)#access-class 50 in
  • (implied deny)

35
Extended IP Access Lists
  • Allows you to choose...
  • IP Source Address
  • IP Destination Address
  • Protocol
  • Port number

36
Extended Access List Configuration
37
Extended IP Access Lists
  • (Same access-list ? help output as slide 14;
    extended IP lists use <100-199> or <2000-2699>)

38
Extended IP ACLs
  • Router(config)#access-list 110 deny ?
  • lt0-255gt An IP protocol number
  • ahp Authentication Header Protocol
  • eigrp Cisco's EIGRP routing protocol
  • esp Encapsulation Security Payload
  • gre Cisco's GRE tunneling
  • icmp Internet Control Message Protocol
  • igmp Internet Gateway Message Protocol
  • igrp Cisco's IGRP routing protocol
  • ip Any Internet Protocol
  • ipinip IP in IP tunneling
  • nos KA9Q NOS compatible IP over IP
    tunneling
  • ospf OSPF routing protocol
  • pcp Payload Compression Protocol
  • tcp Transmission Control Protocol
  • udp User Datagram Protocol
  • Router(config)#access-list 110 deny tcp ?
  • A.B.C.D Source address

39
Extended IP ACL Steps
  • Step 1: Select the access list
  • RouterA(config)#access-list 110
  • Step 2: Decide on deny or permit
  • RouterA(config)#access-list 110 deny
  • Step 3: Choose the protocol type
  • RouterA(config)#access-list 110 deny tcp
  • Step 4: Choose the source IP address of the host or
    network
  • RouterA(config)#access-list 110 deny tcp any
  • Step 5: Choose the destination IP address
  • RouterA(config)#access-list 110 deny tcp any
    host 172.16.30.2
  • Step 6: Choose the type of service, port, logging
  • RouterA(config)#access-list 110 deny tcp any
    host 172.16.30.2 eq 23 log

40
  • Well-known port number (decimal) and IP protocol:
  • 20 File Transfer Protocol (FTP) data
  • 21 FTP program (use both 20 and 21)
  • 23 Telnet
  • 25 Simple Mail Transport Protocol (SMTP)
  • 69 Trivial File Transfer Protocol (TFTP)
  • 53 Domain Name System (DNS)
  • 80 Hyper Text Transfer Protocol (HTTP)

41
Steps (cont.)
  • RouterA(config)#access-list 110 deny tcp any host
    172.16.30.2 eq 23 log
  • RouterA(config)#access-list 110 permit ip any
    0.0.0.0 255.255.255.255
  • RouterA(config-if)#ip access-group 110 in
  • or
  • RouterA(config-if)#ip access-group 110 out

42
Example
  • Acme#config t
  • Acme(config)#access-list 110 deny tcp any host
    172.16.10.5 eq 21
  • Acme(config)#access-list 110 deny tcp any host
    172.16.10.5 eq 23
  • Acme(config)#access-list 110 permit ip any any
  • Acme(config)#int e0
  • Acme(config-if)#ip access-group 110 out
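An added example (not the slides' own material): a Python model of extended ACL matching, where a line must match on protocol, source, destination and, if given, the eq port before its action applies, run over constructed packets against the Acme access-list 110 above. The udp/23 case shows that a tcp deny does not cover the same port over UDP.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard are checked, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

ANY = ("0.0.0.0", "255.255.255.255")        # what the keyword 'any' expands to

def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")                    # what the keyword 'host' expands to

def evaluate_extended_acl(entries, pkt: dict) -> str:
    """entries: (action, protocol, src, dst, dport) in configured order, where
    src/dst are (base, wildcard) pairs and dport is None or the port given by 'eq'.
    pkt: dict with 'proto', 'src', 'dst' and, for tcp/udp, 'dport'.
    A line must match on every field it specifies; 'ip' matches any protocol.
    First match wins and an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"                             # implicit deny at the end of the list

# access-list 110 from the Acme slide: block FTP control and Telnet to one host,
# then permit everything else explicitly
ACL_110 = [
    ("deny",   "tcp", ANY, host("172.16.10.5"), 21),
    ("deny",   "tcp", ANY, host("172.16.10.5"), 23),
    ("permit", "ip",  ANY, ANY,                 None),
]

if __name__ == "__main__":
    # constructed sample packets, not from the slides
    samples = [
        ("telnet to 172.16.10.5", {"proto": "tcp", "src": "10.1.1.1", "dst": "172.16.10.5", "dport": 23}),
        ("http to 172.16.10.5",   {"proto": "tcp", "src": "10.1.1.1", "dst": "172.16.10.5", "dport": 80}),
        ("udp/23 to 172.16.10.5", {"proto": "udp", "src": "10.1.1.1", "dst": "172.16.10.5", "dport": 23}),
    ]
    for name, pkt in samples:
        print(f"{name:24} -> {evaluate_extended_acl(ACL_110, pkt)}")
```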

43
What if we wanted Router A to permit only the
Engineering workstation to access the web server
in Admin with the IP address 172.16.10.2 and
port 80?
44
  • RouterA(config)#access-list 110 permit tcp host
    172.16.50.2 host 172.16.10.2 eq 80
  • RouterA(config)#inter e 0
  • RouterA(config-if)#ip access-group 110 out

45
Extended Access List Configuration Example 1
Deny FTP, but permit all other traffic from
subnet 172.16.4.0 to be forwarded to any other
networks or subnetworks via interface E0. This
should be two statements, for both 20 and 21
(20 = FTP data, 21 = FTP control).
46
Using Named IP Access Lists
47
  • This feature allows IP standard and extended access
    lists to be identified with an alphanumeric
    string (name) instead of the current numeric
    representation.
  • Named IP access lists can be used to delete
    individual entries from a specific access list.
  • This enables you to modify your access lists
    without deleting and then reconfiguring them.
  • router(config)#ip access-list standard george
  • router(config-std-nacl)#permit/deny statements
  • router(config-if)#ip access-group george {in | out}

48
Where to Place IP Access Lists
49
Monitoring IP Access Lists
  • Displays all access lists and their parameters
  • show access-list
  • Shows only the parameters for access list 110
  • show access-list 110
  • Shows only the IP access lists configured
  • show ip access-list
  • Shows which interfaces have access lists set
  • show ip interface
  • Shows the access lists and which interfaces have
    access lists set
  • show running-config

50
Monitoring Access Lists
The show ip interface command displays IP
interface information and indicates whether any
access lists are set.
51
Monitoring Access Lists
The show access-list command displays the
contents of all access lists. By entering the
access list name or number as an option for this
command, you can see a specific list.