Semester 2 v3.1.1: Routers and Routing Basics - PowerPoint PPT Presentation

Provided by: danielco

Transcript and Presenter's Notes

1
Semester 2 v3.1.1: Routers and Routing Basics
  • MODULE 11
  • Access Control Lists (ACLs)

2
We Have Data Incoming
  • Routers filter incoming data for sorting
    purposes.
  • Packets filtered based on destination IP address,
    subsequently routed out the appropriate
    interface.
  • What if we want only data originating from a
    special-access subnet to gain access to that
    certain destination IP address?
  • Routers can also filter incoming data to block
    traffic according to defined access rules, called
    Access Control Lists (ACLs).

3
Introduction to ACLs
  • Access Control Lists (ACLs) are sets of rules
    that test data as it reaches the router.
  • ACLs are sequential lists of permit or deny
    statements that apply to addresses or Layer 3 and
    4 protocols.
  • Can be a simple single-line statement that
    permits packets from a specific host.
  • Can be a complex set of rules and conditions that
    defines network traffic.

4
How do we use ACLs?
  • A router interface accepts or denies incoming
    packets based on conditions specified in ACLs.
  • For any router interface where ACLs are to be
    applied, there must be:
      • An ACL per Layer 3 protocol.
      • An ACL for inbound and another ACL for outbound
        traffic.
      • An ACL for each Layer 4 port to be allowed access
        to.
  • Thus ACLs can be used to:
      • Preserve bandwidth and enhance network
        performance
      • Provide basic network security
      • Provide or deny access to services

5
How do ACLs work?
  • Whether or not an ACL is applied to a router
    interface, incoming frames are checked for
    validity.
  • If the frame address is accepted, the frame
    information is stripped off and the router checks
    for an ACL on the inbound interface.
  • The router compares incoming packets against each
    statement in the ACL from the top of the list to
    the bottom.
  • When the first match is found, the router either
    accepts or rejects the packet according to the
    rules defined in the statement. No checking
    against further statements occurs.
  • The order of ACL statements is of utmost
    importance!
  • If the packet doesn't match any ACL statements,
    it is automatically rejected by the router.

6
How do I make an ACL?
  • There are three types of ACLs:
      • Standard ACLs (IP lists use numbers 1-99),
        applied closest to the destination host/subnet
        whose access is to be restricted.
      • Extended ACLs (IP lists use numbers 100-199),
        applied closest to the source host/subnet whose
        access is to be restricted.
      • Named ACLs
  • Steps to creating an access control list:
      • Decide if the access list requires a number or if
        it is to be named.
      • The ACL number helps define which protocol this
        list applies to.
      • Determine if the list will be used to permit or
        deny access.
      • Specify the host/subnet whose traffic is to be
        scrutinised.
      • When used with a wildcard mask, the result is a
        match value.
      • Where applicable, add test conditions to the
        statement.
      • Lastly, apply the access list to the relevant
        router interface for either inbound or outbound
        traffic.

7
Wildcard Masks
  • Wildcard masks tell an ACL which bits of IP
    addresses on incoming packets should be checked
    against the ACL match value.
  • Wildcard masks look like IP subnet masks:
      • Both are 32 bits long.
      • Wildcard masks can look like the reverse of
        subnet masks.
  • THE SIMILARITY ENDS THERE!!!
  • Binary 0s represent bits that MUST match the ACL.
    Binary 1s represent bits that are ignored.

8
How to make a Wildcard Mask
  • To match a single host: Wildcard Mask 0.0.0.0
  • E.g., we would like to restrict access to the
    192.168.14.3 host.
  • Convert the host IP address 192.168.14.3 to
    binary: 11000000.10101000.00001110.00000011
  • To restrict access to a single host, the wildcard
    mask will be all 0s for every bit of the IP
    address.
  • To match a single IP address, every bit counts!
  • Wildcard Mask: 00000000.00000000.00000000.00000000
  • 11000000.10101000.00001110.00000011 → Host IP
    192.168.14.3
  • 00000000.00000000.00000000.00000000 → Wildcard
    0.0.0.0
  • -------------------------------------------------
  • 11000000.10101000.00001110.00000011 → Match
    Value
  • The match value is only the IP address whose
    entire 32 bits equate to 192.168.14.3.

9
How to make a Wildcard Mask
  • To match an entire network: Wildcard Mask =
    inverse of subnet mask.
  • E.g., we would like to restrict access to the
    172.16.0.0/16 network.
  • Convert the network address 172.16.0.0 to binary:
    10101100.00010000.00000000.00000000
  • To restrict access to the entire network, the
    wildcard mask will be all 0s for every bit of the
    network portion of the IP address.
  • The host portion does not matter, as we want to
    check all packets bound for the network
    regardless of which host on the network is the
    destination.
  • Wildcard Mask: 00000000.00000000.11111111.11111111
  • 10101100.00010000.00000000.00000000 → Network
    IP 172.16.0.0
  • 00000000.00000000.11111111.11111111 → Wildcard
    0.0.255.255
  • -------------------------------------------------
  • 10101100.00010000.xxxxxxxx.xxxxxxxx → Match
    Value
  • The match value is any IP address whose first 16
    bits equate to 172.16. The remaining 16 bits can
    be anything; the ACL doesn't care!

10
How to make a Wildcard Mask
  • To match a subnet: Wildcard Mask = inverse of
    subnet mask. Again.
  • E.g., we would like to restrict access to the
    172.16.16.0/20 subnet.
  • Convert the subnet address 172.16.16.0 to binary:
    10101100.00010000.00010000.00000000
  • To restrict access to a subnet, the wildcard mask
    will be all 0s for every bit of the network and
    subnet portions of the address.
  • The host portion does not matter, as we want to
    check all packets bound for the subnet regardless
    of which subnet host is the destination.
  • Wildcard Mask: 00000000.00000000.00001111.11111111
  • Notice the wildcard mask covers half of the third
    octet, as the first half is the subnet portion
    and the other half is part of the host portion.
  • 10101100.00010000.00010000.00000000 → Network
    IP 172.16.16.0
  • 00000000.00000000.00001111.11111111 → Wildcard
    0.0.15.255
  • -------------------------------------------------
  • 10101100.00010000.0001xxxx.xxxxxxxx → Match
    Value
  • The match value is any IP address whose first 20
    bits equal 172.16.16 to 172.16.31. The remaining
    12 bits are ignored; the ACL still doesn't care!

11
How to make a Wildcard Mask
  • To match a custom IP address range: have fun!
  • E.g., we would like to restrict access to hosts
    with odd-numbered IP addresses on the
    172.16.16.0/20 subnet.
  • Convert the subnet address 172.16.16.0 to binary:
    10101100.00010000.00010000.00000000
  • To restrict access to a subnet, the wildcard mask
    will be all 0s for every bit of the network and
    subnet portions of the address.
  • The host portion does not matter, EXCEPT for the
    final bit on the right.
  • Wildcard Mask: 00000000.00000000.00001111.11111110
  • Remember that we're targeting odd-numbered hosts
    (172.16.16.1, .3, .5, ...), so the original IP
    address must be modified to cater for this.
  • 10101100.00010000.00010000.00000001 → Custom IP
    172.16.16.1
  • 00000000.00000000.00001111.11111110 → Wildcard
    0.0.15.254
  • -------------------------------------------------
  • 10101100.00010000.0001xxxx.xxxxxxx1 → Match
    Value
  • The match values are host IPs whose first 20 bits
    equate to 172.16.16 to 172.16.31. The next 11 bits
    are ignored, but the last bit is crucial: it
    MUST be a binary 1 to be an odd-numbered address.

12
Standard ACLs
  • Router(config)# access-list list-number {permit |
    deny | remark} source [source-wildcard] [log]
  • list-number: A number from 1-99 for standard IP
    ACLs.
  • permit | deny: Permits or denies access for the
    packet if the conditions are matched.
  • remark: Add an optional description of the ACL.
  • source: The host/subnet whose traffic is to be
    scrutinised.
  • source-wildcard: Wildcard mask to be applied to
    the source.
  • log: An optional logging message can be sent to
    the console every time the ACL statement is hit.
  • Router(config)# interface router-interface
  • Router(config-if)# ip access-group list-number
    {in | out}
  • Router(config)# line vty 0 4
  • Router(config-line)# access-class list-number
    {in | out}
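
The matching and evaluation rules from slides 5, 7-11 and 12 in working form: an added example, not code from the deck or from Cisco IOS. It implements the wildcard test (only bits where the mask is 0 must agree), parses standard-ACL statements in the syntax shown above (the parser is a hypothetical helper; it assumes the simplified "access-list N {permit|deny} source [wildcard]" form, with "any" and omitted wildcards handled), and walks the list top-down with first-match-wins and the implicit deny at the end.

```python
import ipaddress

def wildcard_match(addr, match_value, wildcard):
    """True if addr agrees with match_value on every bit the wildcard
    mask sets to 0; bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(match_value))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ m) & ~w & 0xFFFFFFFF) == 0

def parse_standard_acl(config):
    """Parse 'access-list <1-99> {permit|deny|remark} source [wildcard]'
    lines, in configured order. A missing wildcard means 0.0.0.0."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                  # blank or unrelated line
        number, action, source = int(parts[1]), parts[2], parts[3]
        if action == "remark":
            continue                  # description only, never matched
        if not 1 <= number <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        if source == "any":           # any = match every address
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, source, wildcard))
    return entries

def evaluate(entries, src_ip):
    """First match top-down decides; later statements are never checked."""
    for action, source, wildcard in entries:
        if wildcard_match(src_ip, source, wildcard):
            return action
    return "deny"                     # implicit deny ends every ACL

# Constructed sample ACL using the deck's match values: odd-numbered hosts
# on 172.16.16.0/20 are denied, the rest of 172.16.0.0/16 is permitted.
SAMPLE_ACL = """\
access-list 10 remark block odd hosts on the /20, allow the rest of the /16
access-list 10 deny 172.16.16.1 0.0.15.254
access-list 10 permit 172.16.0.0 0.0.255.255
"""
ACL_10 = parse_standard_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for ip in ("172.16.20.7", "172.16.20.8", "172.16.40.7", "10.0.0.1"):
        print(ip, evaluate(ACL_10, ip))
```

Swapping the two statements (evaluate(list(reversed(ACL_10)), "172.16.20.7")) returns "permit", because the broad permit now matches first: the ordering rule from slide 5 in action.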

13
Extended ACLs
  • Router(config)# access-list list-number [dynamic
    dynamic-name [timeout minutes]] {permit | deny |
    remark} protocol source source-wildcard [operator
    [port-number | port-name]] destination
    destination-wildcard [operator [port-number |
    port-name]] [established] [precedence precedence]
    [tos tos] [log | log-input] [time-range
    time-range-name] [icmp-type [icmp-code] |
    icmp-message] [igmp-type] [fragments]
  • Extended ACLs are more precise in their
    definitions, hence can be applied in a more
    specific fashion, but are FAR more complex!
  • Both source and destination can be specified.
  • The ACL can match on port number as well.
  • Pre-established connections can be treated
    differently to new connections, using the
    established option.
  • Router(config)# interface router-interface
  • Router(config-if)# ip access-group list-number
    {in | out}

14
Named ACLs
  • Router(config)# ip access-list {standard |
    extended} list-name
  • Named ACLs provide the convenience of describing
    ACLs, rather than just assigning numbers.
  • Unlike standard and extended ACLs, we can define
    as many named ACLs as we like.
  • Router(config)# interface router-interface
  • Router(config-if)# ip access-group list-name
    {in | out}

15
Where do I apply ACLs?
  • Placement of ACLs is crucial to their
    effectiveness:
      • Must secure the network as defined in the ACL
        statements.
      • Has to be efficient, else network traffic won't
        be reduced as hoped.
  • In general:
      • Extended ACLs can be very specific in their
        definition, and as such should be placed as close
        as possible to the source of traffic to be
        restricted. E.g., deny FTP from LAN on Router A to
        LAN on Router D.
      • Standard ACLs are broadly defined and cannot
        specify destination address, and as such should
        be placed as close as possible to the destination
        of traffic to be restricted. E.g., deny all
        traffic from LAN on Router A from reaching Router
        D.

16
ACLs for firewalls?
  • Instead of using a single router or appliance as
    a firewall, ideally a network firewall using
    multiple ACLs should be implemented.
  • In the above figure the exterior router directs
    all incoming traffic to the application gateway,
    or proxy server.
  • The exterior router can let in traffic on only
    certain specific ports.
  • It blocks all other traffic on non-standard ports,
    helping to protect the integrity of the proxy
    server.
  • In turn, the interior router only accepts
    Internet traffic from the proxy server, not
    directly from the exterior router.
  • Allows control of traffic entering or exiting a
    specific part of the internal network.

17
Welcome to my world :)
  • Daniel Comarmond
  • CCNP, CCDP, CCSP, CCAI
  • Cisco Networking Academy Instructor
  • Systems Engineer, Cisco Systems
  • E-Mail: dcom_at_it.uts.edu.au
  • MSN: dcom82_at_dcom82.com
  • Phone: 61 2 8446-5037
  • Website: http://www-staff.it.uts.edu.au/dcom
  • Take care, and SMILE!!! :)