Title: Chap 5
1Chap 5 Access Control Lists Learning
Objectives
- Explain how ACLs are used to secure a medium-size
Enterprise branch office network. - Configure standard ACLs in a medium-size
Enterprise branch office network. - Configure extended ACLs in a medium-size
Enterprise branch office network. - Describe complex ACLs in a medium-size Enterprise
branch office network. - Implement, verify and troubleshoot ACLs in an
enterprise network environment.
2Access Control Lists (ACL)
ACLs are lists of instructions applied to a
router's interface to tell the router which kind
of packets to permit and which kind to deny.
3Access Control Lists (ACL)
- An ACL is a sequential list of permit or deny
statements that apply to IP addresses or
upper-layer protocols. The ACL can extract the
following information from the packet header,
test it against its rules, and make "allow" or
"deny" decisions based on - Source IP address
- Destination IP address
- ICMP message type
- The ACL can also extract upper layer information
and test it against its rules. Upper layer
information includes - TCP/UDP source port
- TCP/UDP destination port
4Access Control Lists (ACL)
- Limit network traffic and increase network
performance. Provide traffic flow control. - ACLs can restrict the delivery of routing
updates. If updates are not required because of
network conditions, bandwidth is preserved. - Provide a basic level of security for network
access. ACLs can allow one host to access a part
of the network and prevent another host from
accessing the same area. - Decide which types of traffic are forwarded or
blocked at the router interfaces. ACLs can permit
e-mail traffic to be routed, but block all Telnet
traffic. - Control which areas a client can access on a
network. - ACLs can be used to permit or deny a user to
access file types such as FTP or HTTP.
5Packet Filtering
Frame Header
Packet Header
Segment Header
Data
From which network?
192.168.1.0
Yes
Permit
No
Deny
192.168.2.0
Yes
Deny
No
Permit
6How ACLs Work
- ACLs must be defined on a per protocol, per
direction, or per port basis. - To control traffic flow on an interface, an ACL
must be defined for each protocol enabled on the
interface. - ACLs control traffic in one direction at a time
on an interface.
7How ACLs Work
- ACL statements operate in sequential, logical
order, from top to bottom. - If a condition is matched, the packet is
permitted or denied and the rest of the ACL isnt
checked. - An implicit deny any statement is at end of all
lists by default. - This last line "deny any" is not visible but it
will not allow any unmatched packets to be
permitted.
Route packet to outbound interface
ACL on interface?
Yes
No
Frame arrives at inbound interface
Yes
ACL on interface?
No
L2 address match?
Any matches?
Default Deny
Yes
No
Yes
No
Default Deny
Yes
Yes
Yes
Forward packet
No
8Standard ACLs
- Standard ACLs allow you to permit or deny traffic
from source IP addresses. - The destination of the packet and the ports
involved do not matter.
- The example allows all traffic from network
192.168.30.0/24 network. - Because of the implied deny any at the end, all
other traffic is blocked with this ACL. - Standard ACLs are created in global configuration
mode.
9Standard ACLs
- Extended ACLs filter IP packets based on several
attributes, for example, protocol type, source IP
address, destination IP address, source TCP or
UDP ports, destination TCP or UDP ports, and
optional protocol type information for finer
granularity of control.
- In the example, ACL 103 permits traffic
originating from any address on the
192.168.30.0/24 network to any destination host
port 80 (HTTP). - Extended ACLs are created in global configuration
mode.
10Numbering Naming ACLs
- Numbered ACLs - Assign a number based on which
- protocol is to be filtered filtered
- (1 to 99) and (1300 to 1999) Standard IP ACL
- (100 to 199) and (2000 to 2699) Extended IP ACL
- Named ACLs - assign a name by providing the name
of - the ACL
- Names can contain alphanumeric characters.
- Recommended that the name be written in CAPITAL
LETTERS. - Names cannot contain spaces or punctuation and
mustbegin with a letter. - Possible to add or delete entries within the ACL.
11ACL Placement
- Standard ACLs should be placed close to the
destination. - Extended ACLs should be placed close to the
source.
12ACL Best Practice
Using ACLs requires attention to detail and great
care. Mistakes can be costly in terms of
downtime, troubleshooting efforts, and poor
network service. Before starting to configure an
ACL, basic planning is required
- Base ACLs on the security policy of the
organisation. - Prepare a description of what ACLs are required
to do. - Use a text editor to create, edit and save ACLs.
- Test ACLs on a development network before
implementing them on a production network.
13Configuring Standard ACLs
192.168.30.0/24
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Both ACLs have the same effect, due to the
implicit deny at the end of all ACLs
14Creating Standard ACLs
access-list permit/deny source IP wildcard
To delete
15Packet Header
Segment Header
Data
Standard ACL access-list 2 deny
192.168.10.1 access-list 2 permit 192.168.10.0
0.0.0.255 access-list 2 deny 192.168.0.0
0.0.255.255 access-list 2 permit 192.0.0.0
0.255.255.255
Yes
Deny
Yes
No
Permit
Yes
No
Deny
Yes
No
Permit
No
Implicit Deny
16Verify Standard ACLs
- The remark keyword is used for documentation and
makes access lists a great deal easier to
understand. Each remark is limited to 100
characters. - When reviewing the ACL in the configuration, the
remark is also displayed.
17Wildcard Masks
- ACLs statements include masks, also called
wildcard masks. The mask determines how much of
an IP source or destination address to apply to
the address match. The numbers 1 and 0 in the
mask identify how to treat the corresponding IP
address bits. They are different to subnet masks,
and follow different rules. - Wildcard masks and subnet masks are both 32 bits
long and use binary 1s and 0s. Subnet masks use
binary 1s and 0s to identify the network, subnet,
and host portion of an IP address. - Wildcard masks use binary 1s and 0s to filter
individual or groups of IP addresses to permit or
deny access to resources based on an IP address.
By carefully setting wildcard masks, you can
permit or deny a single or several IP addresses
18Wildcards (Inverse Mask)
- Allows you to indicate a host, subnet, network or
range of IP addresses. - The two binary values in the wildcard have
different meanings - 0 Must Match Exactly
- 1 Ignore
19Wildcard Masks
- Source IP Wildcard
- 172.16.10.10 0.0.0.0
10101100.
00010000.
00001010.
00001010
Source IP
Wildcard
00000000.
00000000.
00000000.
00000000
Range of matching addresses
172.16.10.10 only
20Wildcard Masks
- Source IP Wildcard
- 172.16.10.0 0.0.0.255
10101100.
00010000.
00001010.
00000000
Source IP
Wildcard
00000000.
00000000.
00000000.
11111111
Range of matching addresses
172.16.10.0 to 172.16.10.255
21Wildcard Masks
- Source IP Wildcard
- 172.16.10.0 0.0.255.255
10101100.
00010000.
00001010.
00000000
Source IP
Wildcard
00000000.
00000000.
11111111.
11111111
Range of matching addresses
172.16.0.0 to 172.16.255.255
22ACL Example 1
- Standard Access List Format
- access-list permit/deny source IP wildcard
- A(config)access-list 5 deny 172.22.5.2 0.0.0.0
- A(config)access-list 5 deny 172.22.5.3 0.0.0.0
- A(config)access-list 5 permit any
- So what does this access list do?
23ACL Example 2
- Sample
- A(config)access-list 5 deny 172.22.5.2 0.0.0.0
- A(config)access-list 5 deny 172.22.5.3 0.0.0.0
- A(config)access-list 5 permit any
- What happens if you now type in the following
- A(config)access-list 5 deny 172.22.5.4 0.0.0.0?
24ACL Example 3
- Source IP Wildcard
- 172.16.10.0 0.0.31.255
128 64 32 16 8 4 2 1
31 in binary is 0 0 0 1 1 1 1 1 3rd octet
10 00001010. All packets are compared to this
value and the mask 31 So the first three bits
must be 0s and the last 5 bits do not matter.
So acceptable values are 172.16.0.0 through
172.16.31.255
dont care
Must match
25ACL Example 4
The hosts on subnet 192.168.1.32/27 are to be
split, with the lower half denied access to a
router. Write the required access list.
- 192.168.1.32/27 has an increment size of 32
- The first address in the 2nd half of the subnet
3216 48
- Compare last address from 1st half with 1st
address in 2nd half in binary
128 64 32 16 8 4 2 1
47 0 0 1 0 1 1 1 1
48 0 0 1 1 0 0 0 0
- All numbers between 32 and 47 have bit 16 0
- All numbers after 47 have bit 16 1
26ACL Example 4
128 64 32 16 8 4 2 1
47 0 0 1 0 1 1 1 1
48 0 0 1 1 0 0 0 0
Wildcard Mask 0 0 0 0 1 1 1 1
15
Access-list 20 deny 192.168.1.32 0.0.0.15
27ACL Example 5
The hosts on subnet 192.168.23.64/28 are to be
split, with the upper half denied access to a
router. Write the required access list.
- 192.168.23.64/28 has an increment size of 16
- The first address in the 2nd half of the subnet
648 72
- Compare last address from 1st half with 1st
address in 2nd half in binary
128 64 32 16 8 4 2 1
64 0 1 0 0 0 0 0 0
72 0 1 0 0 1 0 0 0
- All numbers between 64 and 71 have bit 8 0
- All numbers after 72 have bit 8 1
28ACL Example 5
128 64 32 16 8 4 2 1
64 0 1 0 0 0 0 0 0
72 0 1 0 0 1 0 0 0
Wildcard Mask 0 0 0 0 0 1 1 1
7
Access-list 20 permit 192.168.23.64 0.0.0.7
29ACL Example 6
- Permit network access for the 14 users in the
subnet 192.168.3.32 /28. - Subtract the subnet mask of the network from
255.255.255.255 - 255.255.255.255
- 255.255.255.240
- 0 . 0 . 0 . 15
Access-list 20 permit 192.168.3.32 0.0.0.15
30Wildcard Mask Keywords
- The keywords host and any help identify the most
common uses of wildcard masking, eliminating the
need to enter wildcard masks when identifying a
specific host or network.
- The host option substitutes for the 0.0.0.0 mask
- Instead of entering 192.168.10.10 0.0.0.0, use
host 192.168.10.10.
- The any option substitutes for the IP address and
255.255.255.255 mask - instead of entering 0.0.0.0 255.255.255.255, can
use the keyword any by itself.
31Applying Standard ACLs
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- After a standard ACL is configured, it is linked
to an interface using the ip access-group
command
- Direction refers to the direction in which
packets must be are flowing in order for the ACL
to check them.
32Standard ACLs to Control VTY Access
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Restricting VTY access allows the definition of
which IP addresses are allowed Telnet access to
the router EXEC process. This technique can be
used with with SSH to further improve
administrative access security.
33Editing Numbered ACLs
- When configuring an ACL, the statements are added
in the order that they are entered at the end of
the ACL. However, there is no built-in editing
feature that allows you to edit a change in an
ACL - selectively inserting or deleting lines is
not possible. - Therefore, any ACL is best constructed in a text
editor such as MS Notepad, allowing the ACL to be
edited and then pasted into the router as
follows - Display the ACL using the sh run command.
- Highlight the ACL, copy it, and then paste it
into MS Notepad. Edit the list as required. Once
the ACL is correctly displayed in MS Notepad,
highlight it and copy it. - In global configuration mode, remove the old
access list using the no access-list command.
Then paste the new ACL into the configuration of
the router.
34Creating Named ACLs
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Naming an ACL makes it easier to understand its
function. Named ACLs have a different
configuration mode and command syntax
35Verifying ACLs
- There are many show commands that will verify
- the content and placement of ACLs on the
- router
- show ip interface
- show access-lists
- show access-list ltACL-numbergt
- show running-config
36Editing Named ACLs
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Use of sequence
- numbers allows lines to be added and removed from
named ACLs
37Extended ACLs
- Extended ACLs are used more often than standard
ACLs because they provide a greater range of
control and, therefore, add additional security. - Like standard ACLs, extended ACLs check the
source packet addresses, but they also check the
destination address, protocols and port numbers
(or services).
38Extended ACLs
At the end of the extended ACL statement, an
administrator can specify a TCP or UDP port
number.
Using Port Numbers
Using Keywords
39Extended ACLs
- Use the ? to display a list of layer-4
protocols and their associated port numbers
40Creating Extended ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
192.168.11.0/24
192.168.10.0/24
Fa0/0
Fa0/0
- Administrator needs to restrict Internet access
to allow only website browsing. ACL 103 applies
to traffic leaving the 192.168.10.0 network, and
ACL 104 to traffic coming into the network.
41Extended ACLs - Established
- Allow access to traffic that originated in the
network only - Allow external network testing
In
Out
- A(config)access-list 101 Permit TCP Any Any
Established - A(config)access-list 101 Permit ICMP Any Any
Echo-Reply - A(config)access-list 101 Permit ICMP Any Any
Unreachable
42Applying Extended ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
192.168.11.0/24
192.168.10.0/24
Fa0/0
Fa0/0
- ACL 103 is allowing internal users to access the
Internet it is applied to the S0/0/0 outbound. - ACL 104 is allowing established Internet traffic
to enter network 192.168.10.0 it is applied to
S0/0/0 inbound.
43Applying Extended ACLs
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Deny FTP traffic from subnet 192.168.11.0 going
to subnet 192.168.10.0, but permitting all other
traffic. FTP requires ports 20 and 21, therefore
y both eq 20 and eq 21 must be specified to deny
FTP
44Applying Extended ACLs
10.1.1.1/30
S0/0/0
192.168.10.1/24
192.168.11.1/24
Fa0/0
Fa0/1
PC1 192.168.10.10/24
PC2 192.168.11.10/24
Fa0/1
Fa0/1
Fa0/2
Fa0/2
- Deny Telnet traffic from 192.168.11.0 leaving
interface Fa0/0, but allow all other IP traffic
from any other source to any destination out
Fa0/0. Note the use of the any keywords, meaning
from anywhere going to anywhere.
45Named Extended ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
192.168.11.0/24
192.168.10.0/24
Fa0/0
Fa0/0
- Named extended ACLs are created in essentially
the same way as named standard ACLs
46Complex ACLs
- Dynamic ACLs (lock-and-key) - Users that want to
traverse the router are blocked until they use
Telnet to connect to the router and are
authenticated. - Reflexive ACLs - Allows outbound traffic and
limits inbound traffic in response to sessions
that originate inside the router. - Time-based ACLs - Allows for access control based
on the time of day and week
47Dynamic ACLs
- Dynamic ACLs have the following security benefits
over - standard and static extended ACLs
- Use of a challenge mechanism to authenticate
individual users - Simplified management in large internetworks
- In many cases, reduction of the amount of router
processing that is required for ACLs - Reduction of the opportunity for network
break-ins by network hackers - Creation of dynamic user access through a
firewall, without compromising other configured
security restrictions
48Dynamic ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
PC1 192.168.10.10/24
PC2 192.168.30.10/24
Fa0/0
Fa0/0
- PC1 is an administrator that requires a back door
access to the 192.168.30.0 /24 network located on
router R3. - A dynamic ACL has been configured to allow FTP
and HTTP on router R3 access but only for a
limited time.
49Reflexive ACLs
- Reflexive ACLs force the reply traffic from the
destination of a known recent outbound packet to
go to the source of that outbound packet. - Network administrators use reflexive ACLs to
allow IP traffic for sessions originating from
their network while denying IP traffic for
sessions originating outside the network. These
ACLs allow the router to manage session traffic
dynamically. - Reflexive ACLs provide a truer form of session
filtering than an extended ACL that uses the
established parameter introduced earlier.
Although similar in concept to the established
parameter, reflexive ACLs also work for UDP and
ICMP, which have no ACK or RST bits.
50Reflexive ACLs
- Reflexive ACLs have the following benefits
- Help secure networks against network hackers and
can be included in a firewall defense. - Provide a level of security against spoofing and
certain DoS attacks. Reflexive ACLs are much
harder to spoof because more filter criteria must
match before a packet is permitted through. For
example, source and destination addresses and
port numbers, not just ACK and RST bits, are
checked. - Simple to use and, compared to basic ACLs,
provide greater control over which packets
entering a network.
51Reflexive ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
192.168.11.0/24
192.168.10.0/24
Fa0/0
Fa0/0
- ACL permits ICMP outbound and inbound traffic,
while it permits only TCP traffic that has been
initiated from inside the network. - All other traffic will be denied.
52Time-Based ACLs
- Time-based ACLs are similar to extended ACLs in
function, but they allow for access control based
on time. To implement time-based ACLs, create a
time range that defines specific times of the day
and week. Identify the time range with a name and
then refer to it by a function. The time
restrictions are imposed on the function itself. - Time-based ACLs benefits include
- Offers the network administrator more control
over permitting or denying access to resources. - Allows network administrators to control logging
messages. ACL entries can log traffic at certain
times of the day, but not constantly.
53Time-Base ACLs
S0/1/0 209.165.200.255/27
S0/0/1 10.2.2.1/30
S0/0/0 10.1.1.1/30
S0/0/1 10.2.2. 2/30
192.168.11.0/24
192.168.10.0/24
Fa0/0
Fa0/0
Telnet connection is permitted from
192.168.10.0/24 to any network on Mon, Weds, and
Fri during business hours.
54Chap 5 Access Control Lists Learning
Objectives
- Explain how ACLs are used to secure a medium-size
Enterprise branch office network. - Configure standard ACLs in a medium-size
Enterprise branch office network. - Configure extended ACLs in a medium-size
Enterprise branch office network. - Describe complex ACLs in a medium-size Enterprise
branch office network. - Implement, verify and troubleshoot ACLs in an
enterprise network environment.
55Any Questions?
56Lab Topology
Chapter 5.2.8 Standard ACLs
S0/0/1 DCE
209.165.200.224/27
Fa0/1
Fa0/0 192.168.20.1/254
209.165.202.129/27
S0/1/0
.226
.225
Fa0/0
209.165.201.1/27
S0/0/1 DCE
S0/0/0
WWW/TFTP 192.168.20.254/24
.2
.1
Ext Host 209.165.202.158/27
10.2.2.0/30
10.1.1.0/30
S0/0/0 DCE
S0/0/1
.2
.1
WWW 209.165.201.30/27
- Allow only PC 1 to Telnet to R3
Fa0/0
Fa0/1
Fa0/0
192.168.11.0/24
192.168.30.0/24
192.168.10.0/24
- The 192.168.10.0/24 network is allowed access to
all locations, except the 192.168.11.0/24
network. - The 192.168.11.0/24 network is allowed access to
all destinations, except to any networks
connected to the ISP.
- The 192.168.30.0/10 network is allowed access to
all destinations. - Host 192.168.30.128 is not allowed access outside
of the LAN.
S1
S2
S3
PC1 192.168.10.10
PC2 192.168.11.10
PC3 192.168.30.10
PC4 192.168.30.128
57Lab Topology
Chapter 5.3.4 Extended ACLs
S0/0/1 DCE
209.165.200.224/27
Fa0/1
Fa0/0 192.168.20.1/254
209.165.202.129/27
S0/1/0
.226
.225
Fa0/0
209.165.201.1/27
S0/0/1 DCE
S0/0/0
WWW/TFTP 192.168.20.254/24
.2
.1
Ext Host 209.165.202.158/27
10.2.2.0/30
10.1.1.0/30
- Outside hosts are allowed to establish a web
session with the internal web server on port 80
only. - Only established TCP sessions are allowed in.
- Only ping replies are allowed through R2.
S0/0/0 DCE
S0/0/1
WWW 209.165.201.30/27
.2
.1
- All IP addresses of the 192.168.30.0/24 network
are blocked from accessing all IP addresses of
the 192.168.20.0/24 network. - The first half of 192.168.30.0/24 is allowed
access to all other destinations. - The second half of 192.168.30.0/24 network is
allowed access to the 192.168.10.0/24 and
192.168.11.0/24 networks. - The second half of 192.168.30.0/24 is allowed web
and ICMP access to all remaining destinations. - All other access is implicitly denied.
Fa0/0
Fa0/1
Fa0/0
192.168.11.0/24
192.168.30.0/24
192.168.10.0/24
- For the 192.168.10.0/24 network, block Telnet
access to all locations and TFTP access to the
corporate Web/TFTP server at 192.168.20.254. All
other access is allowed. - For the192.168.11.0/24 network, allow TFTP access
and web access to the corporate Web/TFTP server
at 192.168.20.254. Block all other traffic from
the 192.168.11.0/24 network to the
192.168.20.0/24 network. All other access is
allowed.
S1
S2
S3
PC1 192.168.10.10
PC2 192.168.11.10
PC3 192.168.30.10
PC4 192.168.30.128
58Lab Topology
Chapter 5.2.8 /5.3.4 Standard/Extended ACLs