Semester 2 v3'1'1: Routers and Routing Basics

1
Semester 2 v3.1.1Routers and Routing Basics

• MODULE 11
• Access Control Lists (ACLs)

2
We Have Data Incoming

• Routers filter incoming data for sorting
  purposes.
• Packets filtered based on destination IP address,
  subsequently routed out the appropriate
  interface.
• What if we want only data originating from a
  special-access subnet to gain access to that
  certain destination IP address?
• Routers can also filter incoming data to block
  traffic according to defined access rules, called
  Access Control Lists (ACLs).

3
Introduction to ACLs

• Access Control Lists (ACLs) are sets of rules
  that test data as it reaches the router.
• ACLs are sequential lists of permit or deny
  statements that apply to addresses or Layer 3 and
  4 protocols.
• Can be a simple single line-statement that
  permits packets from a specific host.
• Can be a complex set of rules and conditions that
  defines network traffic.

4
How do we use ACLs?

• A router interface accepts or denies incoming
  packets based on conditions specified in ACLs.
• For any router interface where ACLs are to be
  applied, there must be
• An ACL per Layer 3 protocol.
• An ACL for inbound and another ACL for outbound
  traffic.
• An ACL for each Layer 4 port to be allowed access
  to.
• Thus ACLs can be used to
• Preserve bandwidth and enhance network
  performance
• Provide basic network security
• Provide or deny access to services

5
How do ACLs work?

• Irrespective of an ACL applying to a router
  interface or not, incoming frames are checked for
  validity.
• If the frame address is accepted, the frame
  information is stripped off and the router checks
  for an ACL on the inbound interface.
• The router compares incoming packets against each
  statement in the ACL from the top of the list to
  the bottom.
• When the first match is found, the router either
  accepts or rejects the packet according to the
  rules defined in the statement. No checking
  against further statements occurs.
• The order of ACL statements is of utmost
  importance!
• If the packet doesnt match any ACL statements,
  it is automatically rejected by the router.

6
How do I make an ACL?

• There are three types of ACLs
• Standard ACLs (IP lists use numbers 1-99),
  applied closest to the destination host/subnet
  whose access is to be restricted.
• Extended ACLs, (IP lists use numbers 100-199),
  Applied closest to the source host/subnet whose
  access is to be restricted.
• Named ACLs
• Steps to creating an access control list
• Decide if the access list requires a number or if
  it is to be named.
• ACL number helps define which protocol this list
  applies to.
• Determine if the list will be used to permit or
  deny access.
• Specify the host/subnet whose traffic is to be
  scrutinised.
• When used with a wildcard mask, the result is a
  match value.
• Where applicable, add test conditions to the
  statement.
• Lastly, apply the access list to the relevant
  router interface for either inbound or outbound
  traffic

7
Wildcard Masks

• Wildcard masks tell an ACL which bits of IP
  addresses on incoming packets should be checked
  against the ACL match value.
• Wildcard masks look like IP subnet masks
• Both are 32 bits long
• Wildcard masks can look like the reverse of
  subnet masks
• THE SIMILARITY ENDS THERE!!!
• Binary 0s represent bits that MUST match the ACL.
  Binary 1s represent bits that are ignored.

8
How to make a Wildcard Mask

• To match a single host Wildcard Mask 0.0.0.0
• Eg., we would like to restrict access to the
  192.168.14.3 host.
• Convert the host IP address 192.168.14.3 to
  binary 11000000.10101000.00001110.00000011
• To restrict access to a single host, the wildcard
  mask will be all 0s for every bit of the IP
  address.
• To match a single IP address, every bit counts!
• Wildcard Mask 00000000.00000000.00000000.00000000
  
• 11000000.10101000.00001110.00000011 ? Host IP
  192.168.14.3
• 00000000.00000000.00000000.00000000 ? Wildcard
  0.0.0.0
• -------------------------------------------------
  
• 11000000.10101000.00001110.00000011 ? Match
  Value
• The match value is only the IP address whose
  entire 32 bits equate to 192.168.14.3.

9
How to make a Wildcard Mask

• To match entire network Wildcard Mask Inverse
  of Subnet Mask.
• Eg., we would like to restrict access to the
  172.16.0.0/16 network.
• Convert the network address 172.16.0.0 to binary
  10101100.00010000.00000000.00000000
• To restrict access to the entire network, the
  wildcard mask will be all 0s for every bit of the
  network portion of the IP address.
• The host portion does not matter, as we want to
  check all packets bound for the network
  regardless of which host on the network is the
  destination.
• Wildcard Mask 00000000.00000000.11111111.11111111
  
• 10101100.00010000.00000000.00000000 ? Network
  IP 172.16.0.0
• 00000000.00000000.11111111.11111111 ? Wildcard
  0.0.255.255
• -------------------------------------------------
  
• 10101100.00010000.xxxxxxxx. xxxxxxxx ? Match
  Value
• The match value is any IP address whose first 16
  bits equate to 172.16. Remaining 16 bits can be
  anything the ACL doesnt care!

10
How to make a Wildcard Mask

• To match a subnet Wildcard Mask Inverse of
  Subnet Mask. Again.
• Eg., we would like to restrict access to the
  172.16.16.0/20 subnet.
• Convert the subnet address 172.16.16.0 to binary
  10101100.00010000.00010000.00000000
• To restrict access to a subnet, the wildcard mask
  will be all 0s for every bit of the network and
  subnet portions of the address.
• The host portion does not matter, as we want to
  check all packets bound for the subnet regardless
  of which subnet host is the destination.
• Wildcard Mask 00000000.00000000.00001111.11111111
  
• Notice the wildcard mask covers half of the third
  octet, as the first half is the subnet portion
  and the other half is part of the host portion.
• 10101100.00010000.00010000.00000000 ? Network
  IP 172.16.16.0
• 00000000.00000000.00001111.11111111 ? Wildcard
  0.0.15.255
• -------------------------------------------------
  
• 10101100.00010000.0001xxxx. xxxxxxxx ? Match
  Value
• The match value is any IP address whose first 20
  bits equal 172.16.16 172.16.31. The remaining
  12 bits are ignored ACL still doesnt care!

11
How to make a Wildcard Mask

• To match a custom IP address range Have fun!
• Eg., we would like to restrict access to hosts
  with odd-numbered IP addresses on the
  172.16.16.0/20 subnet.
• Convert the subnet address 172.16.16.0 to binary
  10101100.00010000.00010000.00000000
• To restrict access to a subnet, the wildcard mask
  will be all 0s for every bit of the network and
  subnet portions of the address.
• The host portion does not matter, EXCEPT for the
  final bit on the right.
• Wildcard Mask 00000000.00000000.00001111.11111110
  
• Remember that were targeting odd-numbered hosts
  172.16.16.1, .3, .5 so the original IP address
  must be modified to cater for this.
• 10101100.00010000.00010000.00000001 ? Custom IP
  172.16.16.1
• 00000000.00000000.00001111.11111110 ? Wildcard
  0.0.15.254
• -------------------------------------------------
  -----------------------
• 10101100.00010001.0001xxxx. xxxxxxx1 ? Match
  Value
• The match value are host IPs whose first 20 bits
  equate to 172.16.16 172.16.31. The next 11 bits
  are ignored, but the last bit is crucial it
  MUST be a binary 1 to be an odd-numbered address.

12
Standard ACLs

• Router(config) access-list list-number permit
  deny remark source source-wildcard log
• list-number A number from 1-99 for standard IP
  ACLs.
• permit deny Permits or denies access for the
  packet if the conditions are matched.
• remark Add an optional description of the ACL.
• source The host/subnet whose traffic is to be
  scrutinised.
• source-wildcard Wildcard mask to be applied to
  the source.
• log Optional logging message can be sent to the
  console every time ACLs are referred to.
• Router(config) interface router-interface
• Router(config-if) ip access-group list-number
  in out
• Router(config) line vty 0 4
• Router(config-line) access-class list-number
  in out

13
Extended ACLs

• Router(config) access-list list-number dynamic
  dynamic-name timeout minutes permit deny
  remark protocol source source-wildcard operator
  port port-number port-name destination
  destination-wildcard operator port port-number
  port-name established precedence
  precedence tos tos log log-input time-range
  time-range-name icmp-type icmp-code icmp-message
  igmp-type fragments
• Extended ACLs are more precise in their
  definitions, hence can be applied in a more
  specific fashion but FAR more complex!
• Both source and destination can be specified.
• ACL can match on port number as well.
• Pre-established connections can be treated
  differently to new connections, using established
  option.
• Router(config) interface router-interface
• Router(config-if) ip access-group list-number
  in out

14
Named ACLs

• Router(config) ip access-list standard
  extended list-name
• Named ACLs provide the convenience of describing
  ACLs, rather than just assigning numbers.
• Unlike standard and extended ACLs, we can define
  as many named ACLs as we like.
• Router(config) interface router-interface
• Router(config-if) ip access-group list-name in
  out

15
Where do I apply ACLs?

• Placement of ACLs is crucial to their
  effectiveness
• Must secure the network as defined in the ACL
  statements.
• Has to be efficient, else network traffic wont
  be reduced as hoped.
• In general
• Extended ACLs can be very specific in their
  definition, and as such should be placed as close
  as possible to the source of traffic to be
  restricted. Eg., deny FTP from LAN on Router A to
  LAN on Router D.
• Standard ACLs are broadly defined and cannot
  specify destination address, and as such should
  be placed as close as possible to the destination
  of traffic to be restricted. Eg., deny all
  traffic from LAN on Router A from reaching Router
  D.

16
ACLs for firewalls?

• Instead of using a single router or appliance as
  a firewall, ideally a network firewall using
  multiple ACLs should be implemented.
• In the above figure the exterior router directs
  all incoming traffic to the application gateway,
  or proxy server.
• Exterior router can let in all traffic on only
  certain specific ports
• Blocks all other traffic on non-standard ports,
  helping to protect the integrity of the proxy
  server.
• In turn, the interior router only accepts
  Internet traffic from the proxy server, not
  directly from the exterior router.
• Allows control of traffic entering or exiting a
  specific part of the internal network.

17
Welcome to my world )

• Daniel Comarmond
• CCNP, CCDP, CCSP, CCAI
• Cisco Networking Academy Instructor
• Systems Engineer Cisco Systems
• E-Mail dcom_at_it.uts.edu.au
• MSN dcom82_at_dcom82.com
• Phone 61 2 8446-5037
• Website http//www-staff.it.uts.edu.au/dcom
• Take care, and SMILE!!! )