RSE Ch. 7 Access Control Lists (ACLs)


What is a wildcard mask?

A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. A 1 bit means ignore that bit; a 0 bit means that bit must match. It is the reverse (inverse) of the subnet mask.

IPv6 ACLs also use wildcard masks. (true or false)

FALSE: IPv6 ACLs do not use wildcard masks, instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.

When are inbound ACLs best used?

Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.

The last statement of an ACL is always an implicit deny. (true or false)

True. The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will *block all traffic.*

Which type of ACL statements are commonly reordered by the Cisco IOS as the first ACEs?

host

In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

To deny host 192.168.5.7, what would the wildcard mask be?

0.0.0.0, which matches with one IPv4 address

To permit host 10.10.10.1, what wildcard mask would work?

0.0.0.0, which matches with one IPv4 address

What wildcard mask would "deny host 172.18.33.1"

0.0.0.0, which matches with one IPv4 address

To permit all hosts from the 192.168.5.0/27 subnetwork, what would the wildcard mask be?

0.0.0.31 (255.255.255.255 minus the subnet mask)

Configuring ACLs on a router:

1) Create the standard ACL.
2) Activate the ACL on an interface.
Syntax: Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

5 Tasks performed by ACLs

1) Limit network traffic to increase network performance.
2) Provide traffic flow control (ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source).
3) Provide a basic level of security for network access (allow one host access to part of a network but not all).
4) Filter traffic based on traffic type (allow email traffic, block Telnet traffic).
5) Screen hosts to permit or deny access to network services (allowing or denying a user access to services such as FTP or HTTP).
*limit network traffic, manage traffic flow, secure network access, filter traffic, and screen hosts*

A router with three interfaces and two network protocols (ipv4 and ipv6) can have as many as ____ active ACLs.

12

How does a router filter?

A router that is configured with a standard IPv4 ACL extracts the source IPv4 address from the packet header. The router starts at the top of the ACL and compares the address to each ACE sequentially. When a match is made, the router carries out the instruction, either permitting or denying the packet. After a match is made, the remaining ACEs in the ACL, if any, are not analyzed. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded.

One ACL per interface does what

ACLs control traffic for an interface, for example, GigabitEthernet 0/0.

One ACL per direction does what

ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.

ACLs act on packets that enter inbound interfaces, packets that relay through the router, packets that exit outbound interfaces of the router, and packets that originate from the router itself. (true or false)

FALSE!! ACLs act on packets coming in and out of interfaces, and on packets relaying through the router, but they *DO NOT act on packets that originate from the router itself*.

Refer to the following output. What is the significance of the 4 match(es) statement?
R1#
<output omitted>
10 permit 192.168.1.56 0.0.0.7
20 permit 192.168.1.64 0.0.0.63 (4 match(es))
30 deny any (8 match(es))

Four packets have been allowed through the router from PCs in the network of 192.168.1.64.

Packet filtering occurs at what layers?

Network (Layer 3) or transport (Layer 4). Standard ACLs filter only at Layer 3; extended ACLs filter at Layers 3 and 4. (We only learn about standard ACLs in this course.)

On a Cisco router, you can configure a simple _______ that provides basic traffic filtering capabilities using ____.

On a Cisco router, you can configure a simple *firewall* that provides basic traffic filtering capabilities using *ACLs*.

ACLs

One of the most important skills a network administrator needs is mastery of access control lists (ACLs). *ACLs* provide security for a network.

When are outbound ACLs best used?

Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

How to configure a wildcard mask:

R1(config)# access-list 10 permit (IPv4 address here)
It is more efficient to configure the mask this way:
R1(config)# access-list 10 permit 192.168.10.0 0.0.1.255

To create a statement that will permit a range of IPv4 addresses in a numbered ACL 10 that permits all IPv4 addresses in the network 192.168.10.0/24 what would you enter into the global configuration line?

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

Commands to name a standard IPv4 ACL:

R1(config)# ip access-list standard ________ (the name has to be unique and cannot start with a number)
R1(config-std-nacl)# (here you would use permit/deny statements to specify one or more conditions for packet movement, e.g. permit any)
R1(config-std-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group (name) in/out (this activates the ACL)

How to configure vty lines to accept incoming ssh connections using access list 21

R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class 21 in
R1(config-line)# exit
R1(config)# access-list 21 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 21 deny any

Deny a specific host and permit a specific subnet commands:

R1(config)# no access-list 1
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out

Deny a specific host and permit all other traffic commands:

R1(config)# no access-list 1
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit any
R1(config)# interface g0/0
R1(config-if)# ip access-group 1 in

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

R1(config-line)# access-class 1 in

A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)

Router1(config)# access-list 10 permit host 192.168.15.23
Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0

in/out activation command

Specifies whether the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out).

What is the effect of configuring an ACL with only ACEs that deny traffic?

The ACL will block all traffic.

To remove an ACL from an interface:

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

How do you remove an ACL?

To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.

ACLs can be used to classify traffic to enable priority processing. (true or false)

True. In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. For example, ACLs can be used to classify traffic to enable priority processing. This capability is similar to having a VIP pass at a concert or sporting event.

Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?
R1#
<output omitted>
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
20 deny any (1 match)

Two devices were able to use SSH or Telnet to gain access to the router.

What is the quickest way to remove a single ACE from a named ACL?

Use the no keyword and the sequence number of the ACE to be removed.

Packet filtering

When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering, and it controls access to a network.

ACEs

Access control entries: a sequential list of permit or deny statements (also called ACL statements).

What single access list statement matches all of the following networks? 192.168.16.0, 192.168.17.0, 192.168.18.0, 192.168.19.0

access-list 10 permit 192.168.16.0 0.0.3.255

remark parameter

add a remark about entries in an IP access list to make the list easier to understand and scan.

For outbound ACLs, incoming packets are processed ______ routing has been performed.

after

An access-class statement is configured on what?

An access-class statement is configured on your VTY lines to specify which IP addresses are allowed remote access to the router. The *access-class* command configured in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.

For inbound ACLs, incoming packets are processed ______ routing has been performed.

before

The clear access-list counters command does what?

clears the counters that show matches in the access-lists

One ACL per protocol does what

controls traffic flow on an interface; an ACL must be defined for each protocol enabled on the interface

deny parameter

denies access if the conditions are matched

An Access Control List (ACL) controls whether the router will ______ or _______ packet traffic based on packet header criteria

deny or permit

For every ACL, there is an implied deny statement. If a packet does not match any of the ACL criteria, it will be _________.

discarded

Extended v. Standard ACL placement

Extended ACLs: locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs: because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.

Outbound ACLs

Filter packets after they have been routed, regardless of the inbound interface. Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

Inbound ACLs

Filter packets coming into a specific interface, before they are routed to the outbound interface. Inbound ACLs are efficient because they save the overhead of routing lookups if the packet is discarded. If the packet is permitted by the ACL, it is then processed for routing.

ACLs are often used in routers between internal and external networks to provide a __________.

firewall

ACL and Routing Processes in a Router:

1) A frame arrives on a router interface. Layer 2 address match? No: discarded. Yes: continue.
2) ACLs on the interface? No: skip the next step. Yes: continue.
3) Statement list match? No: default deny, the packet is discarded. Yes: the routing table is checked for the destination interface.
4) Next, the router checks for an outgoing ACL. If one exists, the packet is tested against the statements in that list. Denied: the packet is discarded. Permitted: the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

Wildcard mask keywords:

host: this keyword substitutes for the 0.0.0.0 mask (this mask states all IPv4 address bits *must match to filter just one host address*).
any: this keyword substitutes for the IPv4 address and 255.255.255.255 mask (this mask says ignore the entire IPv4 address, i.e. *accept any addresses*).

Adding the line access-list deny 0.0.0.0 255.255.255.255 or access-list deny any to the end of the ACL does what?

makes the deny all statement explicit (it states the implicit deny at the end of the ACL)

Four ways to use ACLs:

1) In firewall routers.
2) On a router between two parts of the network, to control traffic internally.
3) On border routers, providing a basic buffer from the outside network.
4) Configuring ACLs for each network protocol configured on the border router interfaces.

The order of ACEs in an ACL:

Enter permit/deny statements for specific hosts before permit/deny statements for entire networks; a host statement will never be reached if the host falls within the range covered by a previous statement.

ACLs can filter data traffic per protocol, per direction, and per _________.

interface

After a standard IPv4 ACL is configured, it is linked to an interface using what command?

The ip access-group command:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
In this case, out will activate the ACL.

Placement of ACLs

is really important to make the network as efficient as possible

access-list-number parameter

is the number of an ACL. This is a decimal number from 1 to 99, or 1300 to 1999 (for a standard ACL)

Remarks

like a notes section to refer to... Typically, when an administrator creates an ACL, the purpose of each statement is known and understood. However, to ensure that the administrator and others recall the purpose of a statement, remarks should be included. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.

source parameter

The number of the network or host from which the packet is being sent. There are two ways to specify the source:
1) use a 32-bit quantity in four-part dotted-decimal format;
2) use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard parameter

Optional 32-bit wildcard mask to be applied to the source. Places ones in the bit positions you want to ignore.

permit parameter

permits access if the conditions are matched

ACLs can filter traffic based on source/destination address, ____________, and port numbers.

protocol

no access-list #

removes reference to the access list from the interface before modifying the access list

How to verify the VTY port is secured:

The show access-lists command shows permitted matches and denied matches.

Commands to verify ACLs

show ip interface
show access-lists
show access-lists (number or name of the access list)

How to calculate the wildcard mask physically:

subtract the subnet mask from 255.255.255.255

What is the filtering criteria set in each ACE of a standard IPv4 ACL?

the *source IPv4 address* is the filtering criteria set in each ACE of a standard IPv4 ACL.

Placement of the ACL and the type used may also depend on:

1) the extent of the network administrator's control
2) bandwidth of the networks involved
3) ease of configuration

All traffic is blocked unless at least one permit ACE is configured in an ACL. (true or false)

True. A single-entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.

Restricting VTY access is a technique that allows you to define which IP addresses are allowed remote access to the router EXEC process. (true or false)

True. You can improve the security of administrative lines by restricting VTY access.

Firewalls

Used by network designers to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. They are similar to a lock on a door to a room in a building: only authorized "key holders" are granted access. Firewalls filter unauthorized or potentially dangerous packets from entering the network.

Which type of router connection can be secured by the access-class command?

vty

When would a network administrator use the clear access-list counters command?

when troubleshooting an ACL and needing to know how many packets matched

host 192.168.10.10 is

wildcard mask allowing only this host through

the keyword *any* by itself means

wildcard masking process that allows any IPv4 address to match

Rules for applying ACLs:

you can configure one ACL per protocol (ipv4 / ipv6), per direction (inbound traffic, outbound traffic), and per interface
