Cisco Lvl4=>Chap5 [ACL(1+2)]
what are the 2 main tasks in applying ACLs
1. Create an ACL number or name and specify the access conditions
2. Group (or assign) the ACL to interfaces or vty lines
how do you verify ACLs
#show startup-config
#show access-lists [ <number> | <NAME> ]
An ACL is a ...... list of permit / deny statements
- An ACL is a sequential list of permit or deny statements
what are some ACL best practices
- Base ACLs on security policy
- Write a description of the ACL's function (pseudocode)
- Use a text editor to create, edit and save the ACL
- Test the ACL on a development network first
define packet filtering
- Controls access by analyzing packets and passing/stopping based on some rules
what are the two rules that apply when considering placement of ACLs
- Extended ACLs as close as possible to the source
  o Undesirable traffic is filtered before crossing the network
- Standard ACLs as close to the destination as possible
  o Because they do not specify a destination address
what is the ACL syntax
- (config)# access-list {num} deny | permit {IPnum [wildcard]}
  o e.g. (config)# access-list 10 permit 192.168.10.1
what happens when a packet and an ACL statement match / does not match
- If a packet and an ACL statement match, the rest of the list is skipped and the packet is permitted or denied
- If the packet does not match any ACL statement, a final implied statement covers all conditions
what are 3 things that ACLs do
- Limit network traffic to increase network performance (i.e. a policy blocking video traffic)
- Provide traffic flow control
- Provide a basic level of security for network access
where should you place most frequently used entries
- Most frequently used entries should be at the top of the list
what are the "3 Ps"
- Only one ACL per protocol, per direction, per interface
- A router with 2 interfaces and running IPv4 & IPv6 could possibly require 8 separate ACLs
what is the Standard ACL # range and Extended ACL # range
- Standard ACLs use numbers 1 - 99 & 1300 - 1999
- Extended ACLs use numbers 100 - 199 & 2000 - 2699
what is the final implied statement
- This final condition matches all packets and results in an "implicit deny any" or "deny all traffic" statement
- An ACL without at least 1 permit will block all traffic!
how do you remove an ACL
- To remove the ACL --> (config)# no access-list {num}
what are some ACL guidelines on placement and configuration
- Use ACLs in firewall/border routers and between internal networks and the outside
- Use ACLs between areas to control traffic entering/exiting
- Configure ACLs for each network protocol (IPv4, IPv6, etc.) and in each direction (in/out)
how do you block all incoming traffic, except for established connections; and where is this ACL placed
...... permit tcp any host x.x.x.x eq 80 est
  o Only HTTP (TCP) packets w/ ACK or RST are permitted
  o Placed inbound from the Internet
how do you apply Extended ACLs
> Apply the extended ACL to block traffic through the router
> Users who want access are blocked until they Telnet or SSH to the router and are authenticated
> The SSH connection is then dropped and a single-entry dynamic ACL is added to the extended ACL
what happens when a packet passes an interface with an ACL
> As packets pass an interface with an ACL, the ACL is checked top to bottom, 1 line at a time, looking for a match
ACLs are configured for either ......... or ........ traffic
ACLs are configured for either inbound or outbound traffic
what attributes can Extended ACLs check for
ACLs first filter on source IP, port and protocol and then on the destination IP, port and protocol and then check for permit/deny
what is ACL and some characteristics of it
Access Control Lists
> Are lists of instructions that permit or deny specific packets
> Enforce security policies by controlling traffic into or out of a network
> They can be based on IPs, ports, or a variety of protocols
what is the extended ACL syntax
access-list {num} permit | deny {protocol} {source} {src-wildcard} [op port] {dest} {dest-wildcard} [op port]
how do you create a named ACL
(config)# ip access-list standard | extended <NAME>
characteristics of extended ACLs
Filter based on protocol type, source and destination IP, source and destination ports and other parameters
when are inbound packets processed
Inbound packets processed before they are routed --> saves overhead of routing lookups
where are new ACL statements added (in the list)
New ACL statements are always added to the end
> You cannot selectively insert or delete lines
how are outbound packets processed
Outbound - Incoming packets are routed to the outbound interface and then processed through the ACL
what are the two main types of Cisco ACLs
Standard ACLs, Extended ACLs
when would you use the remark keyword while placing ACLs
The remark keyword is used for documentation: (config)# access-list {num} remark {comments} (≤ 100 characters)
what protocol should you use when trying to allow/disallow all traffic
To permit or deny all traffic use ip (not
what are the keywords for ping and ping reply
deny icmp any host 10.93.105.1 echo-reply (type code 0) ---> deny icmp any host 10.93.105.1 0
  o echo request = type code 8 = "echo"
what are the logical operators
eq, neq, gt & lt
what are the possible protocol codes
ip, tcp, udp, icmp, etc.
how do you apply an ACL to an interface (syntax)
o (config-if)# ip access-group {ACL-num} | {ACL-name} in | out [log]
what is the syntax and best practice while applying ACLs to vty lines (Telnet SSH)
o (config-line)# access-class <num> in | out
o Best practice for vty ACLs = standard ACLs, IN only
what are the two mask keywords and what do they stand for
o 0.0.0.0 (to match one host IP address exactly) --- HOST
o 255.255.255.255 (to accept any IP address at all) --- ANY
what are the three categories of complex ACLs and purposes of each
o Dynamic - Lock and key - uses Telnet authentication
o Reflexive - Allow outbound traffic, and inbound only in response to outbound
o Time-based - Allows access based on the time of day/week
characteristics of Standard ACLs
o Permit or deny traffic from source IP addresses ONLY!
o The destination IP and ports involved are NOT checked
what are some different ways to write deny tcp any host 10.93.105.1 eq 23
o deny tcp 0.0.0.0 255.255.255.255 host 10.93.105.1 eq 23
o deny tcp any 10.93.105.1 0.0.0.0 eq 23
o deny tcp any host 10.93.105.1 eq telnet