Access Control Lists

¡Supera tus tareas y exámenes ahora con Quizwiz!

What are two main types of access control?

physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

ranges of UDP and TCP ports

port ranges 0-11023 registered ports 1024-49151 private or/ dynamic ports 49152-65535

example of a access control list

!--- This command is used to permit IP traffic from 10.1.1.0 !--- network to 172.16.1.0 network. All packets with a source !--- address not in this range will be rejected. access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 !--- This command is used to permit IP traffic from 10.1.1.0 !--- network to 172.16.1.0 network. All packets with a source !--- address not in this range will be rejected. access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 access-list 102 deny ip any any !--- This command is used to permit Telnet traffic !--- from machine 10.1.1.2 to machine 172.16.1.1. access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet !--- This command is used to permit tcp traffic from !--- 10.1.1.2 host machine to 172.16.1.1 host machine. access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 !--- This command is used to permit udp traffic from !--- 10.1.1.2 host machine to 172.16.1.1 host machine. access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 !--- This command is used to permit ip traffic from !--- 10.1.1.0 network to 172.16.1.10 network. access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Troubleshooting IPv6 ACLs - Example 2

, R3 is configured with an IPv6 ACL named RESTRICTED-ACCESS that should enforce the following policy for the R3 LAN: Permit access to the :10 network Deny access to the :11 network Permit SSH access to the PC at 2001:DB8:CAFE:11::11 However, after configuring the ACL, PC3 cannot reach the 10 network or the 11 network, and it cannot SSH into the host at 2001:DB8:CAFE:11::11. Solution: In this situation the problem is not with how the ACL was applied. At the interface, the ACL is not misspelled and the direction and location are correct, as shown in Figure 2. A close look at the IPv6 ACL reveals that the problem is with the order and criteria of the ACE rules. The first permit statement should allow access to the :10 network. However, the administrator configured a host statement and did not specify a prefix. In this case, only access to the 2001:DB8:CAFE:10:: host is allowed. To correct this issue, remove the host argument and change the prefix to /64. You can do this without removing the ACL by replacing the ACE using the sequence number 10, as shown in Figure 3. The second error in the ACL is the order of the next two statements. The policy specifies that hosts on the R3 LAN should be able to SSH into host 2001:DB8:CAFE:11::11. However, the deny statement for :11 network is listed before the permit statement. Therefore, all attempts to access the :11 network are denied before the statement permitting SSH access can be evaluated. After a match is made, no further statements are analyzed. To correct this issue, you will need to remove the statements first, and then enter them in the correct order.

Extended ACL's can filter?

1. Source IP protocol (IP/TCP/UDP) 2. Source hostnames or host IP address 3. Source or destination socket number 4. Destination hostname or host IP address 5. Precedence or TOS values

ACL Logic Operations

ACL and Routing and ACL Processes on a Router The figure shows the logic of routing and ACL processes. When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

How many ACLs can be applied to an interface?

ACLs can be applied using the "three P's"; Per protocol (IP, IPX, etc), Per direction (In or Out), Per Interface/Subinterface (Ethernet, FastEthernet, etc). Each "P" can have only one ACL.

Applying ACLs to an Interface

ACLs can be configured to apply to inbound traffic and outbound traffic as shown in Figure 1. The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not visible in show command output. you can configure one ACL per protocol, per direction, per interface: One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.

What does ACL stand for and how is it used?

Access Control List Stands for "Access Control List." An ACL is a list of user permissions for a file, folder, or other object. It defines what users and groups can access the object and what operations they can perform. These operations typically include read, write, and execute.

A TCP Conversation

Administrators can control network traffic based on a number of characteristics, including the TCP port being requested. It is easier to understand how an ACL filters traffic by examining the dialogue that occurs during a TCP conversation, such as when requesting a webpage. When a client requests data from a web server, IP manages the communication between the PC (source) and the server (destination). TCP manages the communication between the web browser (application) and the network server software. The animation shown in Figure 1 illustrates how a TCP/IP conversation takes place. TCP segments are marked with flags that denote their purpose: a SYN starts (synchronizes) the session; an ACK is an acknowledgment that an expected segment was received, and a FIN finishes the session. A SYN/ACK acknowledges that the transfer is synchronized. TCP data segments include the higher level protocol needed to direct the application data to the correct application. The TCP data segment also identifies the port which matches the requested service.

Apply a Standard IPv4 ACL

After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode: Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out } To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. The figure shows an example of an ACL designed to permit a single network. Only traffic from the 192.168.10.0/24 network will be permitted out the Serial 0/0/0 interface.

IPv6 ACL Examples

After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command: Router(config-if)# ipv6 traffic-filter access-list-name { in | out } The figure shows the NO-R3-LAN-ACCESS ACL configured previously and the commands used to apply the IPv6 ACL inbound to the S0/0/0 interface. Applying the ACL to the inbound S0/0/0 interface will deny packets from 2001:DB8:CAFE:30::/64 to both of the LANs on R1. To remove an ACL from an interface, first enter the no ipv6 traffic-filter command on the interface, and then enter the global no ipv6 access-list command to remove the access list. Note: IPv4 and IPv6 both use the access-class command to apply an access list to VTY ports Applying an IPv6 ACL to an Interface Deny FTP The topology for the examples is shown in Figure 1. In the first example (Figure 2), router R1 is configured with an IPv6 access list to deny FTP traffic to 2001:DB8:CAFE:11::/64. Ports for both FTP data (port 20) and FTP control (port 21) need to be blocked. Because the filter is applied inbound on the G0/1 interface on R1, only traffic from the 2001:DB8:CAFE:10::/64 network will be denied. Restricted Access In the second example (Figure 3), an IPv6 ACL is configured to give the LAN on R3 limited access to the LANs on R1. Comments are added in the configuration to document the ACL. The following features have been labelled in the ACL: 1. The first two permit statements allow access from any device to the web server at 2001:DB8:CAFE:10::10. 2. All other devices are denied access to the 2001:DB8:CAFE:10::/64 network. 3. PC3 at 2001:DB8:CAFE:30::12 is permitted Telnet access to PC2 which has the IPv6 address 2001:DB8:CAFE:11::11. 4. All other devices are denied Telnet access to PC2. 5. All other IPv6 traffic is permitted to all other destinations. 6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001:DB8:CAFE:30::/64 network is affected.

Applying an IPv6 ACL to an Interface

After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command: Router(config-if)# ipv6 traffic-filter access-list-name { in | out } The figure shows the NO-R3-LAN-ACCESS ACL configured previously and the commands used to apply the IPv6 ACL inbound to the S0/0/0 interface. Applying the ACL to the inbound S0/0/0 interface will deny packets from 2001:DB8:CAFE:30::/64 to both of the LANs on R1. To remove an ACL from an interface, first enter the no ipv6 traffic-filter command on the interface, and then enter the global no ipv6 access-list command to remove the access list. Note: IPv4 and IPv6 both use the access-class command to apply an access list to VTY ports.

Comparing IPv4 and IPv6 ACLs

Although IPv4 and IPv6 ACLs are similar, there are three significant differences between them: The first difference is the command used to apply an IPv6 ACL to an interface. IPv4 uses the command ip access-group to apply an IPv4 ACL to an IPv4 interface. IPv6 uses the ipv6 traffic-filter command to perform the same function for IPv6 interfaces. Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched. The last major difference has to with the addition of two implicit permit statements at the end of each IPv6 access list. At the end of every IPv4 standard or extended ACL is an implicit deny any or deny ip any any. IPv6 includes a similar deny ipv6 any any statement at the end of each IPv6 ACL. The difference is IPv6 also includes two other implicit statements by default: permit icmp any any nd-na and permit icmp any any nd-ns. These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. As shown in the figure, IPv6 uses ICMP Neighbor Discovery (ND) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages. ND messages are encapsulated in IPv6 packets and require the services of the IPv6 network layer while ARP for IPv4 does not use Layer 3. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both Neighbor Discovery - Neighbor Advertisement (nd-na) and Neighbor Discovery - Neighbor Solicitation (nd-ns) messages are permitted.

ACLs and the Wildcard Mask

An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Figure 1 shows how different wildcard masks filter IPv4 addresses. In the example, remember that binary 0 signifies a bit that must match, and binary 1 signifies a bit that can be ignored. Figure 2 provides three examples of wildcard masks that match subnets. In the first example the wildcard mask stipulates that every bit in the IPv4 192.168.1.1 must match exactly. In the second example, the wildcard mask stipulates that anything will match. In the third example, the wildcard mask stipulates that any host within the 192.168.1.0/24 network will match

ACLs and the Wildcard Mask

An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Figure 1 shows how different wildcard masks filter IPv4 addresses. In the example, remember that binary 0 signifies a bit that must match, and binary 1 signifies a bit that can be ignored. Figure 2 provides three examples of wildcard masks that match subnets. In the first example the wildcard mask stipulates that every bit in the IPv4 192.168.1.1 must match exactly. In the second example, the wildcard mask stipulates that anything will match. In the third example, the wildcard mask stipulates that any host within the 192.168.1.0/24 network will match Click card to see

What is the purpose of ACLs?

An ACL or Access control list is a common means by which access to and denial of services is controlled. On network devices such as Routers and firewalls, they act as filters for network traffic, packet storms, services and host access.

What is the purpose of access control list?

An ACL or Access control list is a common means by which access to and denial of services is controlled. On network devices such as Routers and firewalls, they act as filters for network traffic, packet storms, services and host access. Most of these devices come with standard or default ACL and allow for custom ACL's.

What is ACL security?

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

What are ACL permissions?

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

What is Access Control List in router?

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.

Where to Place ACLs

Every ACL should be placed where it has the greatest impact on efficiency. As shown in the figure, the basic rules are: Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure. Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. If a standard ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on the given source address no matter where the traffic is destined. Placement of the ACL and therefore, the type of ACL used, may also depend a variety of factors: The extent of the network administrator's control - Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks. Bandwidth of the networks involved - Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks. Ease of configuration - If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source, but requires creating extended ACLs on multiple routers. Note: For CCNA certification, the general rule is that extended ACLs are placed as close as possible to the source and standard ACLs are placed as close as possible to the destination.

Extended ACLs should be placed

Extended ACLs evaluate lots of the other fields in the Layer 3 and 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended ACLs the ability to enforce highly specific network traffic control conditions.

What is an extended access control list?

Extended Access Control Lists (ACLs) allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to specify different types of traffic such as ICMP, TCP, UDP, etc.

What is a named ACL?

IP Named Access Control Lists. Access control lists (ACLs) perform packet filtering to control the movement of packets through a network. Packet filtering provides security by limiting the access of traffic into a network, restricting user and device access to a network, and preventing traffic from leaving a network.

Types of IPv6 ACLs

IPv6 ACLs are similar to IPv4 ACLs in both operation and configuration. Being familiar with IPv4 access lists makes IPv6 ACLs easy to understand and configure. In IPv4 there are two types of ACLs, standard and extended. Both types of ACLs can be either numbered or named ACLs. With IPv6, there is only one type of ACL, which is equivalent to an IPv4 extended named ACL. There are no numbered ACLs in IPv6. An IPv4 ACL and an IPv6 ACL cannot share the same name.

Configuring IPv6 ACLs

In IPv6 there are only named ACLs. The configuration is similar to that of an IPv4 extended named ACL. Figure 1 shows the command syntax for IPv6 ACLs. The syntax is similar to the syntax used for an IPv4 extended ACL. One significant difference is the use of the IPv6 prefix-length instead of an IPv4 wildcard mask. There are three basic steps to configure an IPv6 ACL: Step 1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option. Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped. Step 3. Return to privileged EXEC mode with the end command. Figure 2 demonstrates the steps to create an IPv6 ACL with a simple example based on the previous topology. The first statement names the IPv6 access list NO-R3-LAN-ACCESS. Similar to IPv4 named ACLs, capitalizing IPv6 ACL names is not required, but makes them stand out when viewing the running-config output. The second statement denies all IPv6 packets from the 2001:DB8:CAFE:30::/64 destined for any IPv6 network. The third statement allows all other IPv6 packets. Figure 3 shows the ACL in context with the topology.

Inbound and Outbound ACL Logic

Inbound ACL Logic Figure 1 shows the logic for an inbound ACL. If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is a statement is an implicit deny any statement. This statement is not shown in output. This final implied statement applied to all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" action. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic. Outbound ACL Logic Figure 2 shows the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer. Examples of outbound ACL operation are as follows: No ACL applied to the interface - If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface. ACL applied to the interface - If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied. For outbound lists, "permit" means to send the packet to the output buffer, and "deny" means to discard the packet.

What is an ACL in networking?

Network ACLs. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

How many types of ACL are there?

On Cisco routers, there are two main types: standard and extended. These two types are the most widely used ACLs and the ones I will focus on in this and future articles, but there are some advanced ACLs as well.

ACL Packet Filtering

Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4. For example, an ACL could be configured to logically, "Permit web access to users from network A but deny all other services to network A users. Deny HTTP access to users from network B, but permit network B users to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task. For this scenario, the packet filter looks at each packet as follows: If the packet is a TCP SYN from Network A using Port 80, it is allowed to pass. All other access is denied to those users. If the packet is a TCP SYN from Network B using Port 80, it is blocked. However, all other access is permitted. This is just a simple example. Multiple rules can be configured to further permit or deny services to specific users.

Configuring Extended ACLs

R1(config)# access-list 103 permit tcp 192168.10.0 0.0.0.255 eq 80 R1(config)# access-list 103 permit tcp 192168.10.0 0.0.0.255 eq 443 R1(config)# access-list 104 permit tcp 192168.10.0 0.0.0.255 eq established

Applying Extended ACLs to Interfaces

R1(config)# access-list 103 permit tcp 192168.10.0 0.0.0.255 eq 80 R1(config)# access-list 103 permit tcp 192168.10.0 0.0.0.255 eq 443 R1(config)# access-list 104 permit tcp 192168.10.0 0.0.0.255 eq established R1(config)# interface g0/0 R1(config)# access-group 103 out R1(config)# access-group 104 in

What are the ranges for extended ACLs?

Protocol Range Standard IP 1-99 and 1300-1999 Extended IP 100-199 and 2000-2699 Ethernet type code 200-299 Ethernet address 700-799 Transparent bridging (protocol type) 200-299 Transparent bridging (vendor code) 700-799 Extended transparent bridging 1100-1199 DECnet and extended DECnet 300-399 Xerox Network Systems (XNS) 400-499 Extended XNS 500-599 AppleTalk 600-699 Source-route bridging (protocol type) 200-299 Source-route bridging (vendor code) 700-799 Internetwork Packet Exchange (IPX) 800-899 Extended IPX 900-999 IPX Service Advertising Protocol (SAP) 1000-1099 Standard Virtual Integrated Network Service (VINES) 1-100 Extended VINES 101-200 Simple VINES 201-300

Troubleshooting IPv6 ACLs - Example 3

R1 is configured with an IPv6 ACL named DENY-ACCESS that should enforce the following policy for the R3 LAN: Permit access to the :11 network from the :30 network Deny access to the :10 network Figure 2 shows the configuration and application of the IPv6 ACL. The DENY-ACCESS ACL is supposed to permit access to the :11 network from the :30 network while denying access to the :10 network. However, after applying the ACL to the interface the :10 network is still reachable from the :30 network. Solution: In this situation, the problem is not with how the ACL statements were written but with the location of the ACL. Because IPv6 ACLs must be configured with both a source and a destination, they should be applied closest to the source of the traffic. The DENY-ACCESS ACL was applied in the outbound direction on the R1 G0/1 interface which is closest to the destination. As a result, traffic to the :10 network is completely unaffected because it reaches the :10 network through the other LAN interface, G0/0. You could apply the ACL inbound on the R1 S0/0/0 interface. However, because we have control over R3, the best location would be to configure and apply the ACL closest to the source of the traffic. Figure 3 shows the removal of the ACL on R1 and the correct configuration and application of the ACL on R3.

Configure a Standard IPv4 ACL

R1(config)# access-list 10 permit host 192.168.10.10 0.0.0.255 R1(config)# exit R1# show access-lists R1(config)# no access-list 10 R1# show running-config R1(config)# access-list 10 remarks permit hosts from 192.168.10.0 LAN R1(config)# access-list 10 permit host 192.168.10.0 0.0.0.255 R1(config)# exit R1# show running-config the remark keyword is used for documentation and makes access lists a great deal easier to understand

Troubleshooting IPv6 ACLs - Example 1

Similar to IPv4 ACLs, use the show ipv6 access-list and show running-config commands to reveal typical IPv6 ACL errors. In Figure 1, R1 is configured with an IPv6 ACL to deny FTP access from the :10 network to the :11 network. However, after configuring the ACL, PC1 is still able to connect to the FTP server running on PC2. Referring to the output for the show ipv6 access-list command in Figure 2, matches are shown for the permit statement but not the deny statements. Solution: The ACEs in the ACL reveal no problems in their order, or in the criteria of their rules. The next step is to consider how the ACL is applied at the interface using the ipv6 traffic-filter command. Did the ACL get applied using the correct name, the correct interface, and in the correct direction? To check for interface configuration errors, display the running configuration, as shown in Figure 2. The ACL was applied using the correct name, but not the correct direction. The direction, in or out, is from the perspective of the router, meaning the ACL is currently applied to traffic before it is forwarded out the G0/0 interface and enters the :10 network. To correct the issue, remove the ipv6 traffic-filter NO-FTP-TO-11 out and replace it with ipv6 traffic-filter NO-FTP-TO-11 in, as shown in Figure 3. Now PC1's attempts to access the FTP server are denied, as verified with the show ipv6 access-list command.

Standard ACL Decision Process

Standard ACLs only examine the source IPv4 address. The destination of the packet and the ports involved are not considered. The decision process for a standard ACL is mapped in the figure. Cisco IOS software tests addresses against the conditions in the ACL one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

What is a standard access control list?

Standard Access-list. Prerequisite - Access-lists (ACL) Access-list (ACL) is a set of rules defined for controlling the network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or out going of the network. Standard Access-list -

Creating Named Extended ACLs

Step 1. From global configuration mode, use the ip access-list extended name command to define a name for the extended ACL. Step 2. In named ACL configuration mode, specify the conditions to permit or deny. Step 3. From interface configuration mode, apply the named ACL using the ip access-groupname [ in | out ] command. Step 4. Return to privileged EXEC mode and verify the ACL with the show access-lists name command. Step 5. Save the entries in the configuration file with the copy running-config startup-config command.

Filtering Ports and Services

The ability to filter on protocol and port number allows network administrators to build very specific extended ACLs. An application can be specified by configuring either the port number or the name of a well-known port. Figure 1 shows some examples of how an administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement. Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt). Figure 2 shows how to display a list of port numbers and keywords that can be used when building an ACL using the command: R1(config)# access-list 101 permit tcp any any eq ?

Extended ACL Placement Example

The basic rule for placing an extended ACL is to place it as close to the source as possible. This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination. However, network administrators can only place ACLs on devices that they control. Therefore, placement must be determined in the context of where the control of the network administrator extends. In the figure, the administrator of Company A, which includes the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as .10 and .11 in this example) wants to control traffic to Company B. Specifically, the administrator wants to deny Telnet and FTP traffic from the .11 network to Company B's 192.168.30.0/24 (.30, in this example) network. At the same time, all other traffic from the .11 network must be permitted to leave Company A without restriction. There are several ways to accomplish these goals. An extended ACL on R3 that blocks Telnet and FTP from the .11 network would accomplish the task, but the administrator does not control R3. In addition, this solution also allows unwanted traffic to cross the entire network, only to be blocked at the destination. This affects overall network efficiency. A better solution is to place an extended ACL on R1 that specifies both source and destination addresses (.11 network and .30 network, respectively), and enforces the rule, "Telnet and FTP traffic from the .11 network is not allowed to go to the .30 network." The figure shows two possible interfaces on R1 to apply the extended ACL: R1 S0/0/0 interface (outbound) - One possibility is to apply an extended ACL outbound on the S0/0/0 interface. Because the extended ACL can examine both source and destination addresses, only FTP and Telnet packets from 192.168.11.0/24 will be denied. Other traffic from 192.168.11.0/24 and other networks will be forwarded by R1. The disadvantage of placing the extended ACL on this interface is that all traffic exiting S0/0/0 must be processed by the ACL including packets from 192.168.10.0/24. R1 G0/1 interface (inbound) - Applying an extended ACL to traffic entering the G0/1 interface means that only packets from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/1 is the best solution.

Configuring IPv6 Topology

The topology is similar to the previous IPv4 topology except for the IPv6 addressing scheme. There are three 2001:DB8:CAFE::/64 subnets: 2001:DB8:CAFE:10::/64 2001:DB8:CAFE:11::/64 2001:DB8:CAFE:30::/64 Two serial networks connect the three routers: 2001:DB8:FEED:1::/64 2001:DB8:FEED:2::/64 the IPv6 address configuration for each router. The show ipv6 interface brief command is used to verify the address and the state of the interface. Note: The no shutdown command and the clock rate command are not shown.

Standard and Extended IPv4 ACLs

The two types of Cisco IPv4 ACLs are standard and extended. Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated. The example in Figure 1 allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all traffic except for traffic coming from the 192.168.30.0/24 network is blocked with this ACL. Standard ACLs are created in global configuration mode. Extended ACLs filter IPv4 packets based on several attributes: Protocol type Source IPv4 address Destination IPv4 address Source TCP or UDP ports Destination TCP or UDP ports Optional protocol type information for finer control ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). Extended ACLs are created in global configuration mode.

Numbered and Named ACLs

The two types of Cisco IPv4 ACLs are standard and extended. Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated. The example in Figure 1 allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all traffic except for traffic coming from the 192.168.30.0/24 network is blocked with this ACL. Standard ACLs are created in global configuration mode. Extended ACLs filter IPv4 packets based on several attributes: Protocol type Source IPv4 address Destination IPv4 address Source TCP or UDP ports Destination TCP or UDP ports Optional protocol type information for finer control ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). Extended ACLs are created in global configuration mode. Standard and Extended IPv4 ACLs Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements. Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not provide information about the purpose of the ACL. For this reason, a name can be used to identify a Cisco ACL.

What extended ACL?

The two types of Cisco IPv4 ACLs are standard and extended. Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated. The example in Figure 1 allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all traffic except for traffic coming from the 192.168.30.0/24 network is blocked with this ACL. Standard ACLs are created in global configuration mode. Extended ACLs filter IPv4 packets based on several attributes: Protocol type Source IPv4 address Destination IPv4 address Source TCP or UDP ports Destination TCP or UDP ports Optional protocol type information for finer control ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). Extended ACLs are created in global configuration mode. Standard and Extended IPv4 ACLs Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements. Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not provide information about the purpose of the ACL. For this reason, a name can be used to identify a Cisco ACL.

What is ACL and its types?

There are several types of access control lists and most are defined for a distinct purpose or protocol. On Cisco routers, there are two main types: standard and extended. ... Dynamic ACLs or lock-and-key ACLs are created to allow user access to a specific source/destination host through a user authentication process.

What are the different types of access control lists?

There are several types of access control lists and most are defined for a distinct purpose or protocol. On Cisco routers, there are two main types: standard and extended. These two types are the most widely used ACLs and the ones I will focus on in this and future articles, but there are some advanced ACLs as well.

Troubleshooting IPv4 ACLs - Example 1

Using the show commands described earlier reveals most of the common ACL errors. The most common errors are entering ACEs in the wrong order and not applying adequate criteria to the ACL rules. In the figure, host 192.168.10.10 has no Telnet connectivity with 192.168.30.12. When viewing the output of the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic. Solution - Look at the order of the ACEs. Host 192.168.10.10 has no connectivity with 192.168.30.12 because of the order of rule 10 in the access list. Because the router processes ACLs from the top down, statement 10 denies host 192.168.10.10, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, e

Filtering Traffic with Extended ACLs

denies FTP traffic from subnet 192.168.11.0 that is going to subnet 192.168.10.0, but permits all other traffic. Remember that FTP uses TCP ports 20 and 21; therefore, the ACL requires both port name keywords ftp and ftp-data or eq 20 and eq 21 to deny FTP. If using port numbers instead of port names, the commands would be written as: access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20 access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21 To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added. Without at least one permit statement in an ACL, all traffic on the interface where that ACL was applied would be dropped. The ACL should be applied inbound on the G0/1 interface so that traffic from the 192.168.11.0/24 LAN is filtered as it enters the router interface. denies Telnet traffic from any source to the 192.168.11.0/24 LAN, but allows all other IP traffic. Because traffic destined for the 192.168.11.0/24 LAN is outbound on interface G0/1, the ACL would be applied to G0/1 using the out keyword. Note the use of the any keywords in the permit statement. This permit statement is added to ensure that no other traffic is blocked. Note: The examples in Figures 1 and 2 both use the permit ip any any statement at the end of the ACL. For greater security the permit 192.168.11.0 0.0.0.255 any command may be used.

Troubleshooting IPv4 ACLs - Example 2

he 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network. Solution - The 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network because TFTP uses the transport protocol UDP. Statement 30 in access list 120 allows all other TCP traffic. However, because TFTP uses UDP instead of TCP, it is implicitly denied. Recall that the implied deny any statement does not appear in show access-lists output and therefore matches are not shown. Statement 30 should be ip any any. This ACL works whether it is applied to G0/0 of R1, or S0/0/1 of R3, or S0/0/0 of R2 in the incoming direction. However, based on the rule about placing extended ACLs closest to the source, the best option is to place it inbound on G0/0 of R1 because it allows undesirable traffic to be filtered without crossing the network infrastructure.

Troubleshooting IPv4 ACLs - Example 5

host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy, this connection should not be allowed. Output from the show access-lists 150 command indicate that no matches have occurred for the deny statement as expected. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because of the direction in which access list 150 is applied to the G0/1 interface. Statement 10 denies any source address to connect to host 192.168.31.12 using Telnet. However, this filter should be applied outbound on G0/1 to filter correctly.

Troubleshooting IPv4 ACLs - Example 4

host 192.168.30.12 is able to Telnet to connect to 192.168.31.12, but company policy states that this connection should not be allowed. Output from the show access-lists 140 command indicate that the permit statement has been matched. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because there are no rules that deny host 192.168.30.12 or its network as the source. Statement 10 of access list 140 denies the router interface on which traffic enters the router. The host IPv4 address in statement 10 should be 192.168.30.12.

Where is standard and extended ACL located?

n Cisco IOS the Extended ACLs can have numbers in range of 100-199 and 2000-2699. Extended ACLs should be applied close to the source of the packets so that a packet is denied near the source to save router resources and bandwidth rather then it being forwarded close to the destination and eventually being denied.

Verifying Extended ACLs

n extended ACL can be edited in one of two ways: Method 1 Text editor - Using this method, the ACL is copied and pasted into the text editor where the changes are made. The current access list is removed using the no access-list command. The modified ACL is then pasted back into the configuration. Method 2 Sequence numbers - Sequence numbers can be used to delete or insert an ACL statement. The ip access-list extended name command is used to enter named-ACL configuration mode. If the ACL is numbered instead of named, the ACL number is used in the name parameter. ACEs can be inserted or removed. In the figure the administrator needs to edit the ACL named SURFING to correct a typo in the source network statement. To view the current sequence numbers, the show access-lists command is used. The statement to be edited is identified as statement 10. The original statement is removed with the no sequence_# command. The corrected statement is added replacing the original statement.

how to Verify ACLS?

show ip interface show access-lists

Verifying IPv6 ACLs

show ipv6 interface show access-lists show running-config

Named Standard IPv4 ACLs

teps required to create a standard named ACL. Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name command is used to create a standard named ACL. After entering the command, the router is in standard (std) named ACL (nacl) configuration mode as indicated by the second prompt in the Figure 1. Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. You can use remark to add a comment to the ACL. Step 3. Apply the ACL to an interface using the ip access-group name command. Specify whether the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out). Figure 2 shows the commands used to configure a standard named ACL on router R1, interface G0/0, which denies host 192.168.11.10 access to the 192.168.10.0 network. The ACL is named NO_ACCESS.

Troubleshooting IPv4 ACLs - Example 3

the 192.168.11.0/24 network can use Telnet to connect to 192.168.30.0/24, but according to company policy, this connection should not be allowed. The results of the show access-lists 130 command indicate that the permit statement has been matched. Solution - The 192.168.11.0/24 network can use Telnet to connect to the 192.168.30.0/24 network because the Telnet port number in statement 10 of access list 130 is listed in the wrong position in the ACL statement. Statement 10 currently denies any source packet with a port number that is equal to Telnet. To deny Telnet traffic inbound on G0/1, deny the destination port number that is equal to Telnet, for example, 10 deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq telnet.

Where do you put an extended ACL?

the Extended ACLs can have numbers in range of 100-199 and 2000-2699. Extended ACLs should be applied close to the source of the packets so that a packet is denied near the source to save router resources and bandwidth rather then it being forwarded close to the destination and eventually being denied.

Standard ACL Placement Example

the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. If the standard ACL is placed on the outbound interface of R1 (not shown in figure), this would prevent traffic on the 192.168.10.0/24 network from reaching any networks that are reachable through the Serial 0/0/0 interface of R1. Following the basic placement guidelines of placing the standard ACL close to the destination, the figure shows two possible interfaces on R3 to apply the standard ACL: R3 S0/0/1 interface - Applying a standard ACL to prevent traffic from 192.168.10.0/24 from entering the S0/0/1 interface will prevent this traffic from reaching 192.168.30.0/24 and all other networks that are reachable by R3. This includes the 192.168.31.0/24 network. Because the intent of the ACL is to filter traffic destined only for 192.168.30.0/24, a standard ACL should not be applied to this interface. R3 G0/0 interface - Applying the standard ACL to traffic exiting the G0/0 interface will filter packets from 192.168.10.0/24 to 192.168.30.0/24. This will not affect other networks that are reachable by R3. Packets from 192.168.10.0/24 will still be able to reach 192.168.31.0/24.

Extended ACL Decision Process

the logical decision path used by an extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision. Recall that entries in ACLs are processed one after the other, so a 'No' decision does not necessarily equal a 'Deny'. As you go through the logical decision path, note that a 'No' means go to the next entry until a condition is matched.


Conjuntos de estudio relacionados

RN Concept-Based Assessment Level 2 Online Practice B

View Set

AH3 CHAPTER 14, 25,26,27,28,29 (12,28,29,30,31,32)

View Set

Chapter 21: Numerical Differentiation

View Set