CCNA2 Chapter 7 Access Control Lists
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs can be configured to apply to inbound traffic and outbound traffic as shown in the figure.
· Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the ACL, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
· Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
Access Control List Advantages and Disadvantages
Advantages: prevention of theft; varying levels of security. Disadvantages: hacking.
Applying Standard IPv4 ACLs to Interfaces
After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. Figure 1 lists the steps and syntax to configure and apply a numbered standard ACL on a router. The example shows an ACL designed to permit a single network. This ACL allows only traffic from source network 192.168.10.0 to be forwarded out of interface S0/0/0. Traffic from networks other than 192.168.10.0 is blocked. The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters. In this case, the IPv4 address and wildcard mask identifying the source network is 192.168.10.0 0.0.0.255. Recall that there is an implicit deny all statement that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255 or access-list 1 deny any to the end of the ACL. The ip access-group 1 out interface configuration command links ACL 1 to the Serial 0/0/0 interface as an outbound filter. Therefore, ACL 1 only permits hosts from the 192.168.10.0/24 network to exit router R1. It denies any other network, including the 192.168.11.0 network.
ACL Statistics
After an ACL has been applied to an interface and some testing has occurred, the show access-lists command will show statistics for each statement that has been matched. In the output in Figure 1, note that some of the statements have been matched. When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. For instance, in this example, if a ping is issued from PC1 to PC3 or PC4, the output will show an increase in the matches for the deny statement of ACL 1. Both permit and deny statements will track statistics for matches; however, recall that every ACL has an implied deny any as the last statement. This statement will not appear in the show access-lists command output; therefore, statistics for that statement will not appear. To view statistics for the implied deny any statement, the statement can be configured manually and will then appear in the output. During testing of an ACL, the counters can be cleared using the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL; it clears the statistic counters for that ACL.
What is the ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header. ACLs are among the most commonly used features of Cisco IOS software. When configured, ACLs perform the following tasks:
· Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
· Provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source.
· Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
· Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.
· Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.
By default, a router does not have ACLs configured; therefore, by default a router does not filter traffic. Traffic that enters the router is routed solely based on information within the routing table. However, when an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. For example, ACLs can be used to classify traffic to enable priority processing. This capability is similar to having a VIP pass at a concert or sporting event. The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as priority entry or being able to enter a restricted area.
purpose of ACL
An ACL, or access control list, is a common means by which access to and denial of services is controlled. On network devices such as routers and firewalls, they act as filters for network traffic, packet storms, services, and host access. Most of these devices come with a standard or default ACL and allow for custom ACLs.
The Order of ACEs in an ACL
Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially; therefore, the order in which ACEs are entered is important. ACL 3 contains two ACEs. The first ACE uses a wildcard mask to deny a range of addresses, which includes all hosts in the 192.168.10.0/24 network. The second ACE is a host statement that examines a specific host, 192.168.10.10, that belongs to the 192.168.10.0/24 network. The IOS internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. ACL 4 has the same two statements but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts. ACL 5 shows that a host statement can be configured after a statement that denotes a range of hosts. The host must not be within the range covered by a previous statement. The 192.168.11.10 host address is not a member of the 192.168.10.0/24 network, so this is a valid statement.
access-class command
Configure the vty lines to accept incoming SSH connections using access list 21.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class 21 in
Exit to global mode and create access list 21 to permit the 192.168.10.0/24 network and explicitly deny all others.
R1(config-line)# exit
R1(config)# access-list 21 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 21 deny any
You successfully secured the vty lines on R1.
General Guidelines for Creating ACLs
Here are some guidelines for using ACLs:
· Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
· Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
· Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
· Configure ACLs for each network protocol configured on the border router interfaces.
Troubleshooting Standard IPv4 ACLs - Example 3
Security Policy: Only PC1 is allowed SSH remote access to R1. In Figure 1, PC1 is unable to remotely access R1 using an SSH connection. Viewing the running configuration section for the VTY lines reveals that an ACL named PC1-SSH is correctly applied for inbound connections. The VTY lines are correctly configured to only allow SSH connections. From the output of the show access-list command, you notice that the IPv4 address is the G0/0 interface for R1, not the IPv4 address of PC1. Also, notice that the administrator configured an explicit deny any statement in the ACL. This is helpful because, in this situation, you will see matches for failed attempts to remotely access R1. Solution: Figure 2 shows the process for correcting the error. Because the statement that needs to be corrected is the first statement, we use the sequence number 10 to delete it by entering no 10. We then configure the correct IPv4 address for PC1. The clear access-list counters command resets the output to only show new matches. An attempt from PC2 to remotely access R1 is successful, as shown in the output for the show access-list command.
Troubleshooting Standard IPv4 ACLs - Example 2
Security Policy: The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network. In Figure 1, PC2 cannot access PC1. Nor can it access the Internet through R2. When viewing the output of the show access-list command, you can see that PC2 is matching the deny statement. ACL 20 seems to be configured correctly. You suspect that it must be incorrectly applied and view the interface configurations for R1. In Figure 2, the show run command filtered to view the interface configurations reveals that ACL 20 was applied to the wrong interface and in the wrong direction. All traffic from the 192.168.11.0/24 network is denied inbound access through the G0/1 interface. Solution: To correct this error, remove ACL 20 from the G0/1 interface and apply it outbound on the G0/0 interface, as shown in Figure 3. PC2 cannot access PC1, but can now access the Internet.
Verifying ACLs
Shows all ACLs configured on a router with counters at the end of each statement:
R1# show access-lists
! OR
R1# show ip access-list
Shows only the specified ACL:
R1# show ip access-list 101
Includes a reference to the ACLs enabled on that interface, either in or out:
R1# show ip interface f0/0
Method 1 - Use a Text Editor
Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACEs.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, remove the access list using the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.
Step 4. Using the show running-config command, verify the changes.
Method 2 - Use Sequence Numbers
Step 1. Display the current ACL using the show access-lists 1 command. The output from this command will be discussed in more detail later in this section. The sequence number is displayed at the beginning of each statement. The sequence number was automatically assigned when the access list statement was entered. Notice that the misconfigured statement has the sequence number 10.
Step 2. Enter the ip access-list standard command that is used to configure named ACLs. The ACL number, 1, is used as the name. First, the misconfigured statement needs to be deleted using the no 10 command, with 10 referring to the sequence number. Next, a new sequence number 10 statement is added using the command 10 deny host 192.168.10.10. Note: Statements cannot be overwritten using the same sequence number as an existing statement. The current statement must be deleted first, and then the new one can be added.
Step 3. Verify the changes using the show access-lists command. As discussed previously, Cisco IOS implements an internal logic to standard access lists. The order in which standard ACEs are entered may not be the order in which they are stored, displayed, or processed by the router. The show access-lists command displays the ACEs with their sequence numbers.
Wildcard Masking
Subtract your subnet mask from 255.255.255.255. For example, if the subnet mask is 255.255.255.0, the wildcard mask is 0.0.0.255. In other words, the wildcard mask is what is left over from the subnet mask when not all octets are fully used; if all octets are fully used (a subnet mask of 255.255.255.255), the wildcard mask is 0.0.0.0.
Named Standard IPv4 ACL Syntax
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name command is used to create a standard named ACL. After entering the command, the router is in standard (std) named ACL (nacl) configuration mode as indicated by the second prompt. Note: Numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.
Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. You can use remark to add a comment to the ACL.
Step 3. Apply the ACL to an interface using the ip access-group name command. Specify whether the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out).
The example shows the commands used to configure a standard named ACL on router R1, interface G0/0, that denies host 192.168.11.10 access to the 192.168.10.0 network. The ACL is named NO_ACCESS. Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.
implicit deny any
The blocking of access to any entity that has not been specifically granted access.
R1(config)# access-list 101 deny any
Cisco IOS Reorders Standard ACLs
The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router. Figure 1 shows the configuration of a standard access list. Range statements that deny three networks are configured first, followed by five host statements. The host statements are all valid statements because their host IPv4 addresses are not part of the previously entered range statements. The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. We will use the show access-lists command to understand the logic behind this.
As shown in Figure 2, the show access-lists command displays ACEs along with their sequence numbers. We might expect the order of the statements in the output to reflect the order in which they were entered. However, the show access-lists output shows that this is not the case. The order in which the standard ACEs are listed is the sequence used by the IOS to process the list. Notice that the statements are grouped into two sections, host statements followed by range statements. The sequence number indicates the order that the statement was entered, not the order the statement will be processed. The host statements are listed first but not necessarily in the order that they were entered. The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry. The range statements are displayed after the host statements. These statements are listed in the order in which they were entered. Note: The hashing function is only applied to host statements in an IPv4 standard access list. The details of the hashing function are beyond the scope of this course.
Recall that standard and numbered ACLs can be edited using sequence numbers. When inserting a new ACL statement, the sequence number will only affect the location of a range statement in the list. Host statements will always be put in order using the hashing function. Continuing with the example, after saving the running-configuration, the router is reloaded. As shown in Figure 2, the show access-lists command displays the ACL in the same order; however, the statements have been renumbered. The sequence numbers are now in numerical order.
Standard ACL Placement
The topology in the figure is used to demonstrate how a standard ACL can be placed. The administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. Following the basic placement guideline of placing the standard ACL close to the destination, the figure shows two possible interfaces on R3 to apply the standard ACL:
· R3 S0/0/1 interface - Applying a standard ACL to prevent traffic from 192.168.10.0/24 from entering the S0/0/1 interface will prevent this traffic from reaching 192.168.30.0/24 and all other networks reachable by R3. This includes the 192.168.31.0/24 network. Because the intent of the ACL is to filter traffic destined only for 192.168.30.0/24, a standard ACL should not be applied to this interface.
· R3 G0/0 interface - Applying the standard ACL to traffic exiting the G0/0 interface will filter packets from 192.168.10.0/24 to 192.168.30.0/24. This will not affect other networks reachable by R3. Packets from 192.168.10.0/24 will still be able to reach 192.168.31.0/24.
Numbered Standard IPv4 ACL Syntax
To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface. The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IPv4 ACLs. The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
Figure 1 provides a detailed explanation of the syntax for a standard ACL. ACEs can permit or deny an individual host or a range of host addresses. To create a host statement in numbered ACL 10 that permits a specific host with the IPv4 address 192.168.10.10, you would enter:
R1(config)# access-list 10 permit host 192.168.10.10
To create a statement that will permit a range of IPv4 addresses in numbered ACL 10, permitting all IPv4 addresses in the network 192.168.10.0/24, you would enter:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed. Typically, when an administrator creates an ACL, the purpose of each statement is known and understood. However, to ensure that the administrator and others recall the purpose of a statement, remarks should be included. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration using the show running-config command, the remark is also displayed.
Troubleshooting Standard IPv4 ACLs - Example 1
Using the show commands described earlier reveals most of the more common ACL errors. The most common errors are entering ACEs in the wrong order and not specifying adequate ACL rules. Other common errors include applying the ACL using the wrong direction, the wrong interface, or the wrong source addresses. Security Policy: PC2 should not be able to access the File Server. In Figure 1, although PC2 cannot access the File Server, neither can PC1. When viewing the output of the show access-list command, only PC2 is explicitly denied. However, there is no permit statement allowing other access. Solution: All access out the G0/0 interface to the 192.168.30.0/24 LAN is currently implicitly denied. Add a statement to ACL 10 to permit all other traffic, as shown in Figure 2. PC1 should now be able to access the file server. Output from the show access-list command verifies that a ping from PC1 to the File Server matches the permit any statement.
Routing Processes and ACLs
When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or an entire network. These keywords also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria. The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address. The any option substitutes for the IPv4 address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
Example 1: Wildcard Masking Process with a Single IPv4 Address. In Example 1, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.
Example 2: Wildcard Masking Process with a Match Any IPv4 Address. In Example 2, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.
Rules for Applying ACLs
You can configure one ACL per protocol, per direction, per interface:
· One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
· One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
· One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Using a Wildcard Mask
The example applies a 0.0.255.255 wildcard mask to a 32-bit IPv4 address. Remember that a binary 0 indicates a value that is matched. Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
packet filtering
A process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet.
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering. Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4. Note: Extended ACLs are beyond the scope of this course.
The source IPv4 address is the filtering criteria set in each ACE of a standard IPv4 ACL. A router configured with a standard IPv4 ACL extracts the source IPv4 address from the packet header. The router starts at the top of the ACL and compares the address to each ACE sequentially. When a match is made, the router carries out the instruction, either permitting or denying the packet. After a match is made, the remaining ACEs in the ACL, if any, are not analyzed. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded. The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.
Wildcard Mask Keyword Examples
any, host, permit
Calculating a Wildcard Mask
Assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you could take 255.255.255.255 and subtract the subnet mask 255.255.255.0. The solution produces the wildcard mask 0.0.0.255.
Assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32/28. The subnet mask for the IPv4 subnet is 255.255.255.240; therefore, take 255.255.255.255 and subtract the subnet mask 255.255.255.240. The solution this time produces the wildcard mask 0.0.0.15.
Assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take 255.255.255.255 and subtract the regular subnet mask, which in this case would be 255.255.254.0. The result is 0.0.1.255. You could accomplish the same result with statements like the two shown below (each needs its own wildcard mask; without one, IOS treats the address as a single host):
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255
Where to Place ACLs
The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not be forwarded using network resources along the route to that destination. Every ACL should be placed where it has the greatest impact on efficiency. As shown in the figure, the basic rules are:
· Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
· Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
Placement of the ACL, and therefore the type of ACL used, may also depend on:
· The extent of the network administrator's control - Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
· Bandwidth of the networks involved - Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.
· Ease of configuration - If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.
Verifying the VTY Port is Secured
show access-lists
Editing Standard Named ACLs
· In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10.
· From named access list configuration mode, statements can be inserted or removed.
· To add a statement to deny another workstation requires inserting a numbered line. In the example, the workstation with the IPv4 address 192.168.11.11 is being added using a new sequence number of 15.
· The final show command output verifies that the new workstation is now denied access.
