Modules 4-5
Wildcard Mask
"0" equals a match and "1" equals ignore.
The 0.0.0.0 wildcard mask stipulates that every bit must match exactly (keyword: host).
An ACE that permits all hosts in the 192.168.1.0/24 network: the wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly but the fourth octet does not.
An ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, ..., 192.168.31.0/24 networks: the wildcard mask 0.0.15.255 would correctly filter that range of addresses.
The wildcard 1.1.1.1 permits any address (keyword: any).
Inbound ACL process
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACE in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs.
* An ACL must have at least one permit statement, otherwise all traffic will be denied due to the implicit deny ACE.
Extended ACLs
Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address. They can also filter at Layer 4 using TCP and UDP ports, and optional protocol type information.
Standard ACLs
Standard ACLs filter at Layer 3 using the source IPv4 address only.
R1(config)# access-list 100 permit tcp any any eq 22
R1(config)# access-list 100 permit tcp any any eq 443
R1(config)#
Configuring the port number is required when there is no specific protocol name listed, such as for SSH (port 22) or HTTPS (port 443).
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 110 in
R1(config-if)# exit
R1(config)#
Create an ACL that permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination.
PERMIT-PC1 ACL is applied inbound; REPLY-PC1 ACL is applied outbound.
R1(config)# ip access-list extended PERMIT-PC1
R1(config-ext-nacl)# remark Permit PC1 TCP access to internet
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 20
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 21
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 22
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 23
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 53
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 80
R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 443
R1(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any
R1(config-ext-nacl)# exit
R1(config)#
R1(config)# ip access-list extended REPLY-PC1
R1(config-ext-nacl)# remark Only permit returning traffic to PC1
R1(config-ext-nacl)# permit tcp any host 192.168.10.10 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0/0
R1(config-if)# ip access-group PERMIT-PC1 in
R1(config-if)# ip access-group REPLY-PC1 out
R1(config-if)# end
R1#
Create an extended ACL named PERMIT-PC1 that permits PC1 (192.168.10.10) TCP access to FTP (i.e., ports 20 and 21), SSH (22), Telnet (23), DNS (53), HTTP (80) and HTTPS (443), and an ACL named REPLY-PC1 that permits return traffic to PC1. Consider: the device to apply it on, the interface to apply it on, and the direction to apply it.
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config)# int g0/0/0
R1(config-if)# ip access-group 110 in
R1(config-if)# exit
R1(config)# access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 120 out
R1(config-if)# end
* The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network.
Create extended ACL 110 to filter traffic from the inside private network, and ACL 120, using the established keyword, to filter traffic coming into the inside private network from the outside public network.
Use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.
source: This identifies the source network or host address to filter. Use the any keyword to specify all networks. Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.
Create a numbered ACL
Configuration for the inbound SURFING ACL and the outbound BROWSING ACL:
R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# remark Permits inside HTTP and HTTPS traffic
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# exit
R1(config)#
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# remark Only permit returning HTTP and HTTPS traffic
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out
R1(config-if)# end
Create extended named ACLs that allow surfing and browsing (only permitting return traffic).
Both ACEs achieve exactly the same result.
R1(config)# access-list 100 permit tcp any any eq www
R1(config)# access-list 100 permit tcp any any eq 80
Extended ACL configuration to filter HTTP traffic.
Text Editor Method
R1(config)# no access-list 1
R1(config)#
R1(config)# access-list 1 deny 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#
Sequence Number Method
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1# show access-lists
Standard IP access list 1
    10 deny 192.168.10.10
    20 permit 192.168.10.0, wildcard bits 0.0.0.255
How do you correct this mistake?
R1# show run | section access-list
access-list 1 deny 19.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
R1#
R1# show access-lists
Standard IP access list 1
    10 deny 19.168.10.10
    20 permit 192.168.10.0, wildcard bits 0.0.0.255
A dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied: one inbound IPv4 ACL, one outbound IPv4 ACL, one inbound IPv6 ACL, and one outbound IPv6 ACL.
How many ACLs can be on an interface?
Limit network traffic to increase network performance: A corporate policy prohibits video traffic on the network to reduce the network load. A policy can be enforced using ACLs to block video traffic.
Provide traffic flow control: A corporate policy requires that routing protocol traffic be limited to certain links only. A policy can be implemented using ACLs to restrict the delivery of routing updates to only those that come from a known source.
Provide a basic level of security for network access: Corporate policy demands that access to the Human Resources network be restricted to authorized users only. A policy can be enforced using ACLs to limit access to specified networks.
Filter traffic based on traffic type: Corporate policy requires that email traffic be permitted into a network, but that Telnet access be denied. A policy can be implemented using ACLs to filter traffic by type.
Screen hosts to permit or deny access to network services: Corporate policy requires that access to some file types (e.g., FTP or HTTP) be limited to user groups. A policy can be implemented using ACLs to filter user access to services.
Provide priority to certain classes of network traffic: Corporate policy specifies that voice traffic be forwarded as fast as possible to avoid any interruption. A policy can be implemented using ACLs and QoS services to identify voice traffic and process it immediately.
Router tasks that require ACLs:
When configuring a complex ACL, you should:
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
These recommendations enable you to create the ACL thoughtfully without impacting the traffic on the network.
The subnet mask to cover these would be 255.255.254.0; the wildcard mask would be 0.0.1.255.
Want an ACE to permit only networks 192.168.10.0 and 192.168.11.0.
The subnet mask for 192.168.3.32/28 is 255.255.255.240; the wildcard mask would be 0.0.0.15.
Want an ACE permitting network access for the 14 users in the subnet 192.168.3.32/28.
ACL (Access Control List)
A series of IOS commands that are used to filter packets based on information found in the packet header. When applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. A set of rules that gives added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
* ACLs do not act on packets that originate from the router itself.
Packet Filtering
Controls access to a network by analyzing the incoming and/or outgoing packets and forwarding or discarding them based on given criteria. It can occur at Layer 3 (Network) or Layer 4 (Transport).
Extended ACL Options
deny: This denies access if the condition is matched.
permit: This permits access if the condition is matched.
remark text: (Optional) Adds a text entry for documentation purposes. Each remark is limited to 100 characters.
protocol: Name or number of an internet protocol. Common keywords include ip, tcp, udp, and icmp. The ip keyword matches all IP protocols. If an internet protocol is not listed, then the IP protocol number can be specified. The ICMP protocol number is 1, TCP is 6, and UDP is 17.
source: This identifies the source network or host address to filter. Use the any keyword to specify all networks. Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.
source-wildcard: (Optional) A 32-bit wildcard mask that is applied to the source.
destination: This identifies the destination network or host address to filter. Use the any keyword to specify all networks. Use the host ip-address keyword or an ip-address.
destination-wildcard: (Optional) A 32-bit wildcard mask that is applied to the destination.
operator: (Optional) This compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port: (Optional) The decimal number or name of a TCP or UDP port.
established: (Optional) For the TCP protocol only. This is a 1st generation firewall feature.
log: (Optional) This keyword generates and sends an informational message whenever the ACE is matched. This message includes the ACL number, the matched condition (i.e., permitted or denied), the source address, and the number of packets. The message is generated for the first matched packet. This keyword should only be implemented for troubleshooting or security reasons.
TCP established keyword
* A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set. This indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.
The keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network. It can be used to permit only the return HTTP traffic from requested websites, while denying all other traffic.
Access Control Entries
A sequential list of permit or deny statements, also called ACL statements.