390 likes | 650 Views
CCNA 2 v3. 1 Module 11. CCNA 2 Module 11 Access Control Lists (ACLs). Overview. Denying unwanted access to the network ACL provides basic filtering capabilities based on source/destination IP addresses protocol types and port numbers
E N D
Overview • Denying unwanted access to the network • ACL provides basic filtering capabilities based on • source/destination IP addresses • protocol types and port numbers • ACL lists permit or deny statements that apply to addresses or upper-layer protocols.
What are ACLs • Lists of acceptance/denial conditions • applied to traffic across a router's interface • Permit or deny traffic to and from the network • based on • Source IP address • Destination IP addresses • Port numbers • Protocols • can be created for all routed network protocols • Example IP, IPX, Appletalk
What are ACLs • Primary reasons to create ACLs • Limit network traffic and increase network performance • Provide traffic flow control • E.g., Restrict the delivery of routing updates – conserve bandwidth • Provide a basic level of security for network access • Student Hosts can access Application package Network • Student Hosts cannot access Administration Network
Decide which types of traffic are forwarded or blocked • Permit e-mail traffic to be routed • Block all telnet traffic • Allow an administrator to control whatareas a client can access on a network • Screen certain hosts to either permit or deny access • to part of a network • Certain types of files – ftp, http etc
How ACLs work • IOS tests the packets by matching each condition statement in order from top of the list to the bottom • If a match is found, perform the accept or reject action defined in that statement • No further ACL statements are checked for that packet • The rest of the statements in the ACL is ignored • The order in which ACL statements are placed is important
If all the ACL statements are unmatched, implicit "deny any" statement is applied by default • Deny any always EXISTS and is APPLIED • Any packets not matched in the ACL will be denied
How ACL’s work • Router’s routing and filtering process overall • Check L2 destination address of the incoming frame • If matched, accept to test inbound ACL • Accept for routing if ACL permits or no ACL is found • Route to the outbound interface to test outbound ACL • Send to the network if ACL permits or no ACL is found • Discard the packet in any other case
How ACLs work This is where the outgoing frame is examined This is where the incoming frame is examined
Creating ACLs • Assign unique number or name for a control list • Numbers are categorized • Number should be in the range of the right category • Used to identify each ACL rule
Creating ACLs • Define the access list statements • Router(config)#access-list access-list-no {permit|deny} {test-condition} • An access-list-nocan be a name (named ACL) • test-conditions are the targets to control • Assign them to the proper interface • Router(config-if)#{protocol} access-group access-list no {in|out} • In or out is defined looking at inside the router
Example of applying ACL • router#configterminal • Router(config)#access list 2 deny 172.16.1.1 • Router(config)#access list 2 permit 172.16.1.0 0.0.0.255 • Router(config)#access list 2 permit any • Router(config)#interface e0 • Router(config-if)#ip access-group 2 in • Example of canceling an access list • Router(config)# no access-group 2
Creating ACLs • Basic rules • One access list per protocol per direction • Standard access lists should be applied closest to the destination • Extended access control lists should be applied closest to the source • Use the inbound or outbound interface reference as if looking at the port from inside the router
Statements are processed sequentially from the top of list to the bottom until a match is found • There is an implicit deny at the end of all access lists • This will not appear in the configuration listing • If no match is found then the packet is denied • Access list entries should filter in the order from specific to general • The match condition is examined first, then permit|deny
Creating ACLs • Basic rules (continued) • It is not possible to selectively add and remove lines with numbered ACLs • Remove the whole list usingno access-list x command and re-define the ACL • New lines can be added @ named ACL • always added to the end of the access list • The router will discard the packet andsend ICMP host unreachable message to the sender
Creating ACLs • Basic rules (continued) • Care should be used when removing an access list • In some version of IOS, default deny any may not be removed after the access list is removed at an interface • Then all traffic will be halted Outbound filters do not affect traffic originating from the local router • Outbound filters do not affect traffic originating from the local router
The function of a wildcard mask • Designed to specify target individual or groups of IP addresses based on the given address • Given with the specified IP address or the network number • 32bits long with 0’s and 1’s • ‘1’ means • No match needed • Target address can have any bit value (wildcard; 0 or 1) at the position where the mask bits are 1 • ‘0’ means • Match needed • Target address can only have the same bit value as in the given address at the position where the mask bits are 0
If you wanted a specific IP address to be checked • IP address • 227.254.3.5 • 11100011.11111110.00000011.00000101 • Wildcard if all bits must be checked • 0.0.0.0 • 00000000.00000000.00000000.00000000 • To deny host 227.254.3.5 • Router(config)#access-list 3 deny 227.254.3.5 0.0.0.0 • This can also be written as • Router(config)#access-list 3 deny host 227.254.3.5 • A wildcard of 0.0.0.0 checks an exact address
If you wanted a specific network to be checked • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if all bits must be checked • 0.0.0.255 • 00000000.00000000.00000000.11111111 • None of the host bits will be checked • To permit all hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.0 0.0.0.255
Any host on Any network • IP address to represent any network • 0.0.0.0 • Because it does not matter what each bit is • Wildcard to prevent all bits being examined • 255.255.255.255 • 11111111.11111111.11111111.11111111 • To permit any host on any network • Router(config)#access-list 3 permit 0.0.0.0 255.255.255.255 • Can also be written as • Router(config)#access-list 3 permit any • A wildcard mask of 255.255.255.255 means any
Even addresses • Examples of even addresses • 00000000 0 00000010 2 • 00000100 4 00000110 6 • 11111100 252 11111110 254 • After examining the above figures • The last digit is always 0 • All the other digits can vary depending on the number • Therefore the only digit that must be checked is the first digit • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if even bits must be checked • 0.0.0.254 • 00000000.00000000.00000000.11111110 • To permit all even hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.0 0.0.0.254 [ ]
Odd Address • Examples of odd addresses • 00000001 1 00000011 3 • 00000101 5 00000111 7 • 11111101 253 11111111 255 • After examining the above figures • The last digit is always 1 • All the other digits can vary depending on the number • Therefore the only digit that must be checked is the first digit • IP network address Class C • 227.254.3.0 • 11100011.11111110.00000011.00000000 • Wildcard if odd bits must be checked • 0.0.0.254 • 00000000.00000000.00000000.11111110 • To permit all odd hosts on network 227.254.3.0 • Router(config)#access-list 3 permit 227.254.3.1 0.0.0.254
Verifying ACLs • Show ip interface • displays IP interface information and indicates whether any ACLs are set • Show access-lists • displays the contents of all ACLs on the router • Show access-list 1 • Displays the content of ACL 1 on the router • Show running config • reveal the access lists on a router and the interface assignment information
Standard ACLs • Checks source IP address • Host IP address, subnet, or network address • Affects entire protocol suit • TCP, HTTP, IP etc.. • Valid numbers • Standard IP ACL 1-99 (1300 to 1999 in recent IOS) • Always applied to port closest to destination • Adding an ACL • router(config)#access-list access-list-number {permit|deny} source {source-wildcard} [log] • Log sends information about matched packet to console • Removing an ACL • Router(config)#no access-list access-list-number
Extended ACLs • Provides a greater range of control and flexibility • Checks the source and destination packet addresses • Checks protocol types and port numbers • Valid numbers • Extended IP ALC 100-199 2000~2699 in recent IOS • Always applied to port closest to source • Adding an Extended ACL • Router(config)#access-list access-list-number {permit|deny} protocol source [source-mask destination destination-mask operator operand] [ established] • Protocols - IP, TCP, UDP, ICMP, IGRP, GRE • Operator is lt (<), gt (>), eq (=), or neq (≠) • Operand is a port number or application layer protocol
Extended ACLs • Well-known ports for TCP/IP applications • Linking an existing extended ACL to an interface • Router(config)#interface fa0/0 • Router(config-if)#ip access-group access-list-number {in|out} • Only one ACL per interface, per direction, per protocol
Named ACLs • Introduced in IOS 11.2 • Give standard and extend ACLs names instead of numbers • Procedure for defining a named ACL • Define a named ACL • Router(config)#ip access-list {extended|standard} name • router(config)#ip access-list extended test • Add each permit/deny statement • router(config-ext-nacl)#access-list permit….. • Apply the named access list to the interface • Router(config)#interface serial0/0 • Router(config-if)#ip access-group test out
Named ACLs • Advantages • Intuitively identify an ACL using an alphanumeric name. • Eliminate the limit of 798 simple and 799 extended ACLs • Can modify ACLs without deleting and then reconfiguring them • allow the deletion of statements • only allow for statements to be inserted at the end of a list • it is a good idea to use a text editor to create them
Example Named ACL • Router(config)# ip access-list standard George • Router(config)# deny host 172.16.70.35 • Router(config)# access-list permit any • Router(config)# interface fa0/0 • Router(config)# ip access-group George out
Placing ACLs • General rules in placing ACLs • Place ACLs where it can maximize increasing efficiency • Put the extended ACLs as close as possible to the source of the traffic denied • Unnecessary traffic will be minimized • Standard ACLs should be placed as close to the destination as possible • ACL does not know the destination
Firewall External router Internal router Firewalls • Definition • An architectural structure between the user and the outside world to protect the internal network from intruders • General features • Consists of several equipments working together • Prevents unwanted and illegal access
Firewalls • Operation of the firewall • The external router directs all traffic to the application gateway • The internal router accepts packets only from the application gateway • The gateway controls the delivery of network-based services both into and from the internal network • Processes every packet to block or pass according to the filtering rule
Firewalls • Use of ACLs in the firewall routers • Control traffic entering or exiting a specific part of the internal network • Provides basic security from the outside network into a more private area of the network • Ex) If the only application that is permitted is mail, then configure ACL so that only mail packets can be allowed through the router. • This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.
Restricting virtual terminal access • Properties of virtual line • Access to vty is accomplished using the Telnet to a nonphysical interface • Standard and extended ACLs are not designed to block packets originating from the router • Telnet into/from a router can be blocked by • Either defining inbound/outbound extended ACL for TCP 23 port on each of the physical network interfaces (complicated) • Or defining the vty ACL on the virtual lines (simple)
Restricting virtual terminal access • Blocking packets to vty using vty ACL • There is only one type of vty access list • Only numbered ACL can be applied to virtual lines • Identical restrictions should be placed on all vty lines • A user can attempt to connect to any of them • Defining an ACL • Router(config)#access-list 2 permit 172.16.1.0 0.0.0.0 • Router(config)#access-list 2 deny any • Apply ACL to vty line • Router(config)#line vty 0 4 • Router(config-line)#password cisco • Router(config-line)#login • Router(config-line)#access-class 2 in