CCNA2 LS CH9
The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface:
- One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
- One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
- One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Wildcard Masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched. IPv6 ACLs are discussed later in this chapter.
As with subnet masks, the numbers 1 and 0 in the wildcard mask identify how to treat the corresponding IP address bits. However, in a wildcard mask these bits are used for different purposes and follow different rules: a 0 bit means the corresponding address bit must match, and a 1 bit means the corresponding address bit is ignored. Note: Wildcard masks are often referred to as an inverse mask. The reason is that a subnet mask marks the bits that must match with binary 1, whereas a wildcard mask marks them with binary 0, so for a contiguous network the wildcard is simply 255.255.255.255 minus the subnet mask. Wildcard masks are also used when configuring some IPv4 routing protocols, such as OSPF, to enable the protocol on specific interfaces.
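As an added worked example (not part of the course text), the following Python performs the same bit test the router applies when it compares an address against an ACE. The addresses are constructed for the demonstration; the host and any keywords are shown as the wildcards they stand for, and the last function shows a non-contiguous wildcard, something a prefix length cannot express.

```python
# Added example (not from the CCNA course material): the wildcard-mask test a
# router applies to an address. Wildcard bit 0 = "this address bit must match",
# wildcard bit 1 = "ignore this bit". Sample addresses are constructed.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """True if packet_ip matches acl_ip under the wildcard mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF   # compared bits = NOT wildcard
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: the inverse of its subnet mask,
    i.e. 255.255.255.255 minus the mask (the shortcut taught for the exam)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ subnet_mask))


# What the two IOS keywords expand to:
HOST = "0.0.0.0"            # "host 192.168.10.10": every bit must match
ANY = "255.255.255.255"     # "any": no bit is checked, any address matches


def odd_subnet_match(packet_ip: str) -> bool:
    """Non-contiguous wildcard 192.168.1.0 0.0.254.255: only bit 0 of the third
    octet is compared, so the odd /24s 192.168.1.0, 192.168.3.0 ... 192.168.255.0
    match and the even ones do not."""
    return wildcard_match(packet_ip, "192.168.1.0", "0.0.254.255")
```

prefix_to_wildcard(24) returns 0.0.0.255, the wildcard used throughout this chapter for /24 networks; the odd-subnet case is the kind of mask that is legal in an ACE but easy to misread during a review.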
If using port numbers instead of port names, the commands would be written as:
R1(config)# access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
R1(config)# access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
Note: The examples in Figures 1 and 2 both use the permit ip any any statement at the end of the ACL. For greater security the permit ip 192.168.11.0 0.0.0.255 any command may be used instead, so that only the source network the ACL is meant to serve is permitted and every other source falls to the implicit deny.
To remove an IPv6 ACL from an interface
First enter the no ipv6 traffic-filter command on the interface, and then enter the global no ipv6 access-list command to remove the access list. Note: IPv4 and IPv6 both use the access-class command to apply an access list to VTY ports (for an IPv6 ACL the line configuration command is ipv6 access-class).
ACLs perform the following tasks:
- Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
- Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
- Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
- Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.
- Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to services such as FTP or HTTP.
General Guidelines for Using ACLs
- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
- Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
- Configure ACLs for each network protocol configured on the border router interfaces.
Deny Entry
A single-entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.
Standard ACL Placement
A standard ACL can only filter traffic based on a source address. The basic rule for placement of a standard ACL is to place the ACL as close as possible to the destination network. This allows the traffic to reach all other networks except the network where the packets will be filtered.
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured to apply to inbound traffic or to apply to outbound traffic.
ACLs
Administrators use ACLs to stop traffic or permit only specified traffic on their networks. An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs), that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of a network. ACLs can be configured for all routed network protocols. By default, a router does not have ACLs configured. When an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded.
Editing Extended ACLs
An extended ACL can be modified using:
Method 1 Text editor - Using this method, the ACL is copied and pasted into the text editor where the changes are made. The current access list is removed using the no access-list command. The modified ACL is then pasted back into the configuration.
Method 2 Sequence numbers - Sequence numbers can be used to delete or insert an ACL statement. The ip access-list extended name command is used to enter named-ACL configuration mode. If the ACL is numbered instead of named, the ACL number is used in the name parameter. ACEs can be inserted or removed.
Extended ACL Placement
An extended ACL can filter traffic based on the source address. However, an extended ACL can also filter traffic based on the destination address, protocol, and port number. This allows network administrators more flexibility in the type of traffic that can be filtered and where to place the ACL. The basic rule for placing an extended ACL is to place it as close to the source as possible. This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.
Comparing IPv4 and IPv6 ACLs
Applying an IPv6 ACL - The first difference is the command used to apply an IPv6 ACL to an interface. IPv4 uses the command ip access-group to apply an IPv4 ACL to an IPv4 interface. IPv6 uses the ipv6 traffic-filter command to perform the same function for IPv6 interfaces.
No Wildcard Masks - Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
Additional Default Statements - The last major difference has to do with the addition of two implicit permit statements at the end of each IPv6 access list. At the end of every IPv4 standard or extended ACL is an implicit deny any or deny ip any any. IPv6 includes a similar deny ipv6 any any statement at the end of each IPv6 ACL. The difference is that IPv6 also includes two other implicit statements by default: permit icmp any any nd-na and permit icmp any any nd-ns. These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. As shown in the figure, IPv6 uses ICMP Neighbor Discovery (ND) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages. Because these permits are implicit and sit after every configured ACE, an explicit deny ipv6 any any entered as the last statement is matched first and blocks ND through that interface; if ND must keep working, permit the nd-na and nd-ns messages explicitly before such a deny.
Standard ACLs
Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
Internal Logic
Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially. Therefore, the order in which ACEs are entered is important. In the example in the figure, the IOS internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. Note: The order in which standard ACEs are entered may not be the order in which they are stored, displayed, or processed by the router. This will be discussed in a later section.
Standard ACL Sequence Numbers
Cisco IOS implements an internal logic to standard ACLs. Another part of the IOS internal logic involves the internal sequencing of standard ACEs. The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. We will use the show access-lists command to understand the logic behind this.
Testing Packets with Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. Extended ACLs not only check the source addresses of packets, but also the destination address, protocols, and port numbers (or services). This provides a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow email traffic from a network to a specific destination while denying file transfers and web browsing.
Extended ACLs
Extended ACLs filter IPv4 packets based on several attributes:
- Protocol type
- Source IPv4 address
- Destination IPv4 address
- Source TCP or UDP ports
- Destination TCP or UDP ports
- Optional protocol type information for finer control
Bandwidth of the networks involved
Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.
Ease of configuration
If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.
Inbound ACL Logic
If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is an implicit deny any statement. This statement is not shown in output. This final implied statement applies to all packets for which no configured condition tested true: it matches all remaining packets and results in a "deny" action.
ACL applied to the interface:
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.
No ACL applied to the interface:
If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.
Error Example 1
In the figure, host 192.168.10.10 has no connectivity with 192.168.30.12. When viewing the output of the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic. Solution - Look at the order of the ACEs. Host 192.168.10.10 has no connectivity with 192.168.30.12 because of the order of rule 10 in the access list. Because the router processes ACLs from the top down, statement 10 denies host 192.168.10.10, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, etc.).
Error Example 5
In the figure, host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy, this connection should not be allowed. Output from the show access-lists 150 command indicates that no matches have occurred for the deny statement, as expected. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because of the direction in which access list 150 is applied to the G0/1 interface. Statement 10 denies any source address from connecting to host 192.168.31.12 using Telnet. However, this filter should be applied outbound on G0/1 to filter correctly.
Error Example 4
In the figure, host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but company policy states that this connection should not be allowed. Output from the show access-lists 140 command indicates that the permit statement has been matched. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because there are no rules that deny host 192.168.30.12 or its network as the source. Statement 10 of access list 140 denies the address of the router interface on which traffic enters the router, not the address of the host. The host IPv4 address in statement 10 should be 192.168.30.12.
Error Example 2
In the figure, the 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network. Solution - The 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network because TFTP uses the transport protocol UDP. Statement 30 in access list 120 allows all other TCP traffic. However, because TFTP uses UDP instead of TCP, it is implicitly denied. Recall that the implied deny any statement does not appear in show access-lists output and therefore matches are not shown. Statement 30 should be permit ip any any. This ACL works whether it is applied to G0/0 of R1, or S0/0/1 of R3, or S0/0/0 of R2 in the incoming direction. However, based on the rule about placing extended ACLs closest to the source, the best option is to place it inbound on G0/0 of R1 because it allows undesirable traffic to be filtered without crossing the network infrastructure.
Error Example 3
In the figure, the 192.168.11.0/24 network can use Telnet to connect to 192.168.30.0/24, but according to company policy, this connection should not be allowed. The results of the show access-lists 130 command indicate that the permit statement has been matched. Solution - The 192.168.11.0/24 network can use Telnet to connect to the 192.168.30.0/24 network, because the Telnet port number in statement 10 of access list 130 is listed in the wrong position in the ACL statement. Statement 10 currently denies any source packet with a port number that is equal to Telnet. To deny Telnet traffic inbound on G0/1, deny the destination port number that is equal to Telnet, for example, deny tcp any any eq telnet.
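The mistakes in Error Examples 2 and 3, and the top-down, first-match, implicit-deny behaviour described under Inbound ACL Logic, can be checked offline. The following Python is an added example, not course material: it parses the extended-ACL syntax used on this page (any, host, address plus wildcard, and an optional eq port after either address) and evaluates constructed packets against constructed ACLs 120 and 130. Those lists reproduce the two error classes; they are not the exact lists in the course figures, and the packets are made up for the demonstration.

```python
# Added example (not from the CCNA course material): an evaluator for the
# extended-ACL syntax used on this page. It parses "access-list" lines, tests a
# packet top-down, stops at the first match and falls back to the implicit
# "deny ip any any". ACLs 120 and 130 below reproduce the classes of mistake in
# Error Examples 2 and 3; they and the packets are constructed, not copied.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80}

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: tuple              # (address as int, wildcard as int)
    sport: Optional[int]    # None = any source port
    dst: tuple
    dport: Optional[int]
    matches: int = 0        # hit counter, like "(N matches)" in show access-lists

def _addr(tokens: list) -> tuple:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.X.Y.Z."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))

def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <name|number>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _addr(rest)
    sport = _port(rest)     # an 'eq' here qualifies the SOURCE port
    dst = _addr(rest)
    dport = _port(rest)     # an 'eq' here qualifies the DESTINATION port
    return Ace(action, proto, src, sport, dst, dport)

def _match_addr(ip: str, spec: tuple) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # only wildcard 0 bits are compared
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _match_addr(pkt.src, ace.src) and _match_addr(pkt.dst, ace.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: list, pkt: Packet) -> tuple:
    """(action, sequence number) of the first matching ACE, numbered 10, 20, 30
    ... as IOS does. The implicit deny has no number and no counter."""
    for seq, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            ace.matches += 1
            return ace.action, seq * 10
    return "deny", "implicit"

def build(*lines: str) -> list:
    return [parse_ace(line) for line in lines]

# Error Example 2: 'permit tcp any any' as the last explicit ACE leaves every
# non-TCP protocol (UDP-based TFTP here) to the implicit deny.
DENY_TELNET = "access-list 120 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq telnet"
ACL_120_BROKEN = build(DENY_TELNET, "access-list 120 permit tcp any any")
ACL_120_FIXED = build(DENY_TELNET, "access-list 120 permit ip any any")

# Error Example 3: 'eq telnet' after the SOURCE spec tests source port 23, which
# a Telnet client never uses; it has to follow the destination spec.
ACL_130_BROKEN = build("access-list 130 deny tcp any eq telnet any",
                       "access-list 130 permit ip any any")
ACL_130_FIXED = build("access-list 130 deny tcp any any eq telnet",
                      "access-list 130 permit ip any any")

# Constructed packets: a TFTP read request and a Telnet session attempt.
TFTP = Packet("udp", "192.168.10.10", "192.168.30.12", sport=49152, dport=69)
TELNET = Packet("tcp", "192.168.11.10", "192.168.30.12", sport=51000, dport=23)
```

Calling evaluate(ACL_120_BROKEN, TFTP) returns ("deny", "implicit"), which is exactly why show access-lists shows no matches in Error Example 2: the implicit deny keeps no counter. The same TFTP packet against ACL_120_FIXED returns ("permit", 20), and the Telnet packet is permitted by the broken ACL 130 but denied by statement 10 of the fixed one.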
Inbound ACLs
Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of the packets needed to be examined. The last statement of an ACL is always an implicit deny.
Outbound ACLs
Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
Editing Standard Named ACLs
Inserting a line into a named ACL:
- In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10.
- The ip access-list standard command is used to configure named ACLs. From named access list configuration mode, statements can be inserted or removed.
- The no sequence-number command is used to delete individual statements.
- To add a statement to deny another workstation requires inserting a numbered line. In the example, the workstation with the IPv4 address 192.168.11.11 is being added using a new sequence number of 15.
- The final show command output verifies that the new workstation is now denied access.
Wildcard Bit Mask Keywords
Keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or an entire network. They also make an ACL easier to read by providing visual clues as to the source or destination of the criteria. The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match, so only one host is matched. The any option substitutes for the address 0.0.0.0 with the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address, so any address is accepted.
Extended ACLs
Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Extended ACL Decision Process
The figure shows the logical decision path used by an extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.
Creating Named Standard ACLs
Naming an ACL makes it easier to understand its function. For example, an ACL configured to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name command is used to create a standard named ACL, whereas the command ip access-list extended name is for an extended access list. After entering the command, the router is in named standard ACL configuration mode as indicated by the prompt. Note: Numbered ACLs use the global configuration command access-list whereas named IPv4 ACLs use the ip access-list command.
Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped.
Step 3. Apply the ACL to an interface using the ip access-group command. Specify if the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out).
ACLs evaluate network traffic.
Packet filtering works at the network layer (Layer 3) and the transport layer (Layer 4). An ACL extracts the following information from the Layer 3 packet header:
- Source IP address
- Destination IP address
- ICMP message type (carried in the ICMP header inside the IP packet)
The ACL can also extract upper layer information from the Layer 4 header, including:
- TCP/UDP source port
- TCP/UDP destination port
How to display a list of port numbers and keywords that can be used when building an ACL using the command:
R1(config)# access-list 101 permit tcp any any eq ?
The extent of the network administrator's control
Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
To create a statement that will permit a range of IPv4 addresses in a numbered ACL 10 that permits all IPv4 addresses in the network 192.168.10.0/24, you would enter:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
To create a host statement in numbered ACL 10 that permits a specific host with the IP address 192.168.10.10, you would enter:
R1(config)# access-list 10 permit host 192.168.10.10
Using an ACL to Control VTY Access
Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet or SSH access to the router EXEC process through the vty lines. The following should be considered when configuring access lists on VTYs:
- Both named and numbered access lists can be applied to VTYs.
- Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.
The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ]
After a standard ACL is configured, it is linked to an interface:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command:
Router(config-if)# ipv6 traffic-filter access-list-name { in | out }
The command syntax of the access-class command is:
Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }
Standard ACLs
Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated.
Method 1: Configuration
Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACEs.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, remove the access list using the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.
Step 4. Using the show running-config command, verify the changes.
It should be mentioned that when using the no access-list command, different IOS software releases act differently. If the ACL that has been deleted is still applied to an interface, some IOS versions act as if no ACL is protecting your network while others deny all traffic. For this reason it is good practice to remove the reference to the access list from the interface before modifying the access list.
Method 2: Using the Sequence Number
Step 1. Display the current ACL using the show access-lists 1 command. The output from this command will be discussed in more detail later in this section. The sequence number is displayed at the beginning of each statement. The sequence number was automatically assigned when the access list statement was entered. Notice that the misconfigured statement has the sequence number 10.
Step 2. Enter the ip access-list standard command that is used to configure named ACLs. The ACL number, 1, is used as the name. First the misconfigured statement needs to be deleted using the no 10 command, with 10 referring to the sequence number. Next, a new sequence number 10 statement is added using the command 10 deny host 192.168.10.10. Note: Statements cannot be overwritten using the same sequence number as an existing statement. The current statement must be deleted first, and then the new one can be added.
Step 3. Verify the changes using the show access-lists command. As discussed previously, Cisco IOS implements an internal logic to standard access lists. The order in which standard ACEs are entered may not be the order in which they are stored, displayed or processed by the router. The show access-lists command displays the ACEs with their sequence numbers.
Creating Named Extended ACLs
Step 1. From global configuration mode, use the ip access-list extended name command to define a name for the extended ACL.
Step 2. In named ACL configuration mode, specify the conditions to permit or deny.
Step 3. Return to privileged EXEC mode and verify the ACL with the show access-lists name command.
Step 4. Save the entries in the configuration file with the copy running-config startup-config command.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
TCP Conversation Process
TCP segments are marked with flags that denote their purpose: a SYN starts (synchronizes) the session; an ACK is an acknowledgment that an expected segment was received, and a FIN finishes the session. A SYN/ACK acknowledges that the transfer is synchronized. TCP data segments include the higher level protocol needed to direct the application data to the correct application. The TCP data segment also identifies the port which matches the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21. Figure 2 shows ranges of UDP and TCP ports.
Testing for Ports and Services
The ability to filter on protocol and port number allows network administrators to build very specific extended ACLs. An application can be specified by configuring either the port number or the name of a well-known port.
Standard ACL Decision Process
The decision process for a standard ACL is mapped in the figure. Cisco IOS software tests addresses against the conditions in the ACL one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.
established parameter
The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network. A match occurs if the returning TCP segment has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server. Note that the check is on flag bits only: the router keeps no connection table, so any inbound segment with ACK or RST set matches, whether or not an inside host actually opened that session.
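As an added example (not course material), the Python below models an ACE using established, applied inbound on the outside interface with nothing else permitted, and walks the segments of one web session past it. The ACE itself, the server address and the attacker address are constructed; the flag semantics (ACK or RST set) are as the course states them.

```python
# Added example (not from the CCNA course material): what the 'established'
# keyword actually tests. It is a check on the TCP flag bits of the segment,
# not a stateful connection table. The ACE modelled here is constructed:
#   access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established
# applied inbound on the outside interface, with nothing else permitted.
import ipaddress

# TCP header flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

INSIDE = ipaddress.ip_network("192.168.10.0/24")


def is_established(flags: int) -> bool:
    """IOS semantics: 'established' matches when ACK or RST is set."""
    return bool(flags & (ACK | RST))


def inbound_decision(src: str, dst: str, flags: int) -> str:
    """Apply the constructed ACE, then the implicit deny, to one inbound segment."""
    if ipaddress.ip_address(dst) in INSIDE and is_established(flags):
        return "permit"         # return traffic for a session an inside host opened
    return "deny"               # implicit deny ip any any


def simulate_web_session() -> dict:
    """The segments that arrive on the outside interface during one web
    session, plus two probes. Server and attacker addresses are constructed."""
    client, server, attacker = "192.168.10.10", "203.0.113.80", "198.51.100.7"
    return {
        # the client's SYN leaves outbound, so it never meets the inbound ACL
        "server syn/ack": inbound_decision(server, client, SYN | ACK),
        "server data":    inbound_decision(server, client, PSH | ACK),
        # an outsider opening a session INTO the LAN must start with a bare SYN
        "outside syn":    inbound_decision(attacker, client, SYN),
        # the caveat: a crafted segment with ACK set passes with no session at all
        "crafted ack":    inbound_decision(attacker, client, ACK),
    }
```

The last entry is the reason established is a convenience for return traffic rather than a firewall: it stops unsolicited connection attempts (bare SYN) but not ACK-flagged probes or scans, which a stateful inspection feature would drop because no matching session exists.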
Restricted Access
The following features have been labelled in the ACL in the figure:
1. The first two permit statements allow access from any device to the web server at 2001:DB8:CAFE:10::10.
2. All other devices are denied access to the 2001:DB8:CAFE:10::/64 network.
3. PC3 at 2001:DB8:CAFE:30::12 is permitted Telnet access to PC2, which has the IPv6 address 2001:DB8:CAFE:11::11.
4. All other devices are denied Telnet access to PC2.
5. All other IPv6 traffic is permitted to all other destinations.
6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001:DB8:CAFE:30::/64 network is affected.
Where to Place ACLs
The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not be forwarded using network resources along the route to that destination. Every ACL should be placed where it has the greatest impact on efficiency. Note: For CCNA certification the general rule is that extended ACLs are placed as close as possible to the source and standard ACLs are placed as close as possible to the destination. Network administrators can only place ACLs on devices that they control. Therefore, placement must be determined in the context of where the control of the network administrator extends.
Configuring Extended ACLs
The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs. Note: The internal logic applied to the ordering of standard ACL statement does not apply to extended ACLs. The order in which the statements are entered during configuration is the order they are displayed and processed.
Host and Range Statements
The range statements are displayed after the host statements. These statements are listed in the order in which they were entered. Recall that standard numbered ACLs can be edited using sequence numbers. The sequence number shown in the show access-lists command output is the number used when deleting an individual statement from the list. When inserting a new ACL statement, the sequence number will only affect the location of a range statement in the list. Host statements will always be put in order using the hashing function.
# remark
The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in Figure 3, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration using the show running-config command, the remark is also displayed.
Verifying ACLs
The show ip interface command is used to verify the ACL on the interface. The output from this command includes the number or name of the access list and the direction in which the ACL was applied. To view an individual access list use the show access-lists command followed by the access list number or name. The NO_ACCESS statements may appear in a different order from the one in which they were entered, because IOS orders standard host statements internally (see Standard ACL Sequence Numbers).
Types of Cisco IPv4 ACLs
The two types of Cisco IPv4 ACLs are standard and extended. Note: Cisco IPv6 ACLs are similar to IPv4 extended ACLs and are discussed in a later section.
Configuring IPv6 ACLs
There are three basic steps to configure an IPv6 ACL:
Step 1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
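As an added example (not course material) covering the IPv6 differences listed under Comparing IPv4 and IPv6 ACLs, the Restricted Access policy and the steps above, the Python below evaluates an IPv6 ACL the way this page describes it: prefix-length matching instead of wildcards, first match wins, and the three implicit entries IOS appends to every IPv6 ACL. The entries are reconstructed from the Restricted Access description using its addresses (an assumption about the exact ACEs in the figure), the packets are constructed, and nd-ns and nd-na are modelled as ICMPv6 types 135 and 136. It also shows the caveat that an explicit deny ipv6 any any shadows the implicit ND permits.

```python
# Added example (not from the CCNA course material): evaluating an IPv6 ACL as
# this page describes it, with prefix-length matching and the three implicit
# entries IOS appends to every IPv6 ACL. The ACEs reconstruct the policy from
# the Restricted Access description; packets are constructed for the demo.
import ipaddress
from typing import Optional

ANY6 = ipaddress.ip_network("::/0")
ND_NS, ND_NA = 135, 136     # ICMPv6 types: Neighbor Solicitation / Advertisement


def net(prefix: str) -> ipaddress.IPv6Network:
    return ipaddress.ip_network(prefix, strict=False)


# (action, protocol, source prefix, destination prefix, dest port or ICMPv6 type)
RESTRICTED_ACCESS = [
    ("permit", "tcp",  ANY6, net("2001:DB8:CAFE:10::10/128"), 80),    # web server
    ("permit", "tcp",  ANY6, net("2001:DB8:CAFE:10::10/128"), 443),
    ("deny",   "ipv6", ANY6, net("2001:DB8:CAFE:10::/64"),    None),  # rest of that LAN
    ("permit", "tcp",  net("2001:DB8:CAFE:30::12/128"),
                       net("2001:DB8:CAFE:11::11/128"), 23),          # PC3 -> PC2 Telnet
    ("deny",   "tcp",  ANY6, net("2001:DB8:CAFE:11::11/128"), 23),    # nobody else
    ("permit", "ipv6", ANY6, ANY6, None),                             # everything else
]

# Appended by IOS to every IPv6 ACL, after the configured entries.
IMPLICIT = [
    ("permit", "icmp", ANY6, ANY6, ND_NA),
    ("permit", "icmp", ANY6, ANY6, ND_NS),
    ("deny",   "ipv6", ANY6, ANY6, None),
]


def evaluate6(acl: list, proto: str, src: str, dst: str,
              port_or_type: Optional[int] = None) -> str:
    """First match wins; the implicit entries are reached only when no
    configured ACE matched. 'ipv6' as protocol matches any protocol."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl + IMPLICIT:
        if aproto != "ipv6" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if aport is not None and aport != port_or_type:
            continue
        return action
    raise RuntimeError("unreachable: IMPLICIT ends with deny ipv6 any any")


# The caveat: replacing the final permit with an explicit 'deny ipv6 any any'
# (a habit carried over from IPv4, e.g. to get a match counter) shadows the
# implicit ND permits, so neighbour discovery through this interface breaks.
LOCKED_DOWN = RESTRICTED_ACCESS[:-1] + [("deny", "ipv6", ANY6, ANY6, None)]
```

With RESTRICTED_ACCESS, a Neighbor Solicitation from a link-local source is permitted by the final permit ipv6 any any; with LOCKED_DOWN the same NS is denied before the implicit entries are ever consulted, which is why a locked-down IPv6 ACL needs explicit permits for nd-ns and nd-na ahead of its closing deny.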
implicit deny
This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.
#ip access-group
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
# no access-list
To remove the ACL, the global configuration no access-list command is used. Issuing the show access-lists command confirms that access list 10 has been removed.
Packet Filtering Example
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list. An ACL works in a similar manner, making decisions based on set criteria. An ACL could be configured to logically, "Permit web access to users from network A but deny all other services to network A users."
Configuring Standard ACLs
To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.
ACL Best Practices
Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Before configuring an ACL, basic planning is required. The figure presents guidelines that form the basis of an ACL best practices list.
Numbering and Naming ACLs
Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not provide information about the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, a name can be used to identify a Cisco ACL. Regarding numbered ACLs, numbers 200 to 1299 are skipped because those numbers are used by other protocols, many of which are legacy or obsolete. This course focuses only on IP ACLs. Examples of legacy ACL protocol numbers are 600 to 699 used by AppleTalk, and numbers 800 to 899 used by IPX.
A TCP Conversation
When a client requests data from a web server, IP manages the communication between the PC (source) and the server (destination). TCP manages the communication between the web browser (application) and the network server software. TCP also manages assembling the data from the segments when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another. TCP provides a connection-oriented, reliable, byte stream service.
ACL and Routing and ACL Processes on a Router
When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Editing Numbered ACLs
When configuring a standard ACL, the statements are added to the running-config. However, there is no built-in editing feature that allows you to change an existing statement in an ACL in place.
Entering Criteria Statements
When traffic enters the router, the traffic is compared to all ACEs in the order that the entries occur in the ACL. The router continues to process the ACEs until it finds a match. The router will process the packet based on the first match found and no other ACEs will be examined. If no matches are found when the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry.
Wildcard masks use binary 1s and 0s
Wildcard masks use binary 1s and 0s to filter individual IP addresses or groups of IP addresses to permit or deny access to resources. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit 0 - Match the corresponding bit value in the address. Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Type of IPv6 ACLs
With IPv6, there is only one type of ACL, which is equivalent to an IPv4 extended named ACL. There are no numbered ACLs in IPv6. To summarize, IPv6 ACLs are: named ACLs only; equivalent in functionality to an IPv4 extended ACL. An IPv4 ACL and an IPv6 ACL cannot share the same name.
Commenting ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the statements.
#access-list access-list_number remark remark
ACEs
also commonly called ACL statements. ACEs can be created to filter traffic based on certain criteria such as: the source address, destination address, the protocol, and port numbers. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly.
ND messages
are encapsulated in IPv6 packets and require the services of the IPv6 network layer while ARP for IPv4 does not use Layer 3. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both Neighbor Discovery - Neighbor Advertisement (nd-na) and Neighbor Discovery - Neighbor Solicitation (nd-ns) messages are permitted.
access-list
global configuration command defines a standard ACL with a number in the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.
Wildcard Masking Process with a Match Any IP Address
instead of entering #0.0.0.0 255.255.255.255, you can use the keyword #any by itself.
Wildcard Masking Process with a Single IP Address
instead of entering #192.168.10.10 0.0.0.0, you can use #host 192.168.10.10.
Method 1: Using a Text Editor
it may be easier to construct the ACL using a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it into the router. For an existing ACL, you can use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and paste it back in.
TCP is a full-duplex protocol
meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow-control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion-control mechanism.
Connection-oriented
means that the two applications must establish a TCP connection prior to exchanging data.
Packet Filtering
sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header. Using this information, the router makes decisions, based on configured filter rules, as to whether the packet can pass through or be discarded. As shown in the figure, packet filtering can work at different layers of the OSI model, or at the internet layer of TCP/IP.
Outbound ACL Logic
the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.
ACL Statistics
Once the ACL has been applied to an interface and some testing has occurred, the show access-lists command will show statistics for each statement that has been matched. In the output in Figure 1, note that some of the statements have been matched. When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. The implied deny any statement at the end of the ACL will not appear in the show access-lists command output; therefore, statistics for that statement will not appear. To view statistics for the implied deny any statement, the statement can be configured manually and will then appear in the output. Extreme caution should be taken when manually configuring the deny any statement, as it will match all traffic. If this statement is not configured as the last statement in the ACL, it could cause unexpected results. During testing of an ACL, the counters can be cleared using the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL.
packet-filtering router
uses rules to determine whether to permit or deny traffic. A router can also perform packet filtering at Layer 4, the transport layer. The router can filter packets based on the source port and destination port of the TCP or UDP segment. These rules are defined using ACLs.