Access Control Lists (ACLs)
Asst. Prof. Dr. Anan Phonphoem, Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand

Overview
• ACL fundamentals
• ACL operations
• Types of ACLs (Standard / Extended)
• Implementing ACLs
Access Control Lists (ACLs)
• A list of conditions used to test traffic
• The router can permit or deny each packet (like a filter)
• Provides security
• Bandwidth management
• Come in two types: STANDARD and EXTENDED

ACL Operations
• Packets are compared to each statement in the list sequentially, from the top down.
• The sooner a decision is made, the better.
• Well-written ACLs take care of the most abundant type of traffic first.
• All access-lists end with an implicit Deny All statement.

Implementing ACLs
• Step 1 - Create the access-list
• Step 2 - Apply the access-list to an interface
• Must be in interface config mode: (config-if)#
• ip access-group # in|out (in/out from the router's point of view)
Standard ACLs
• Given a number from 1-99
• Filter based only on source address
• Should be applied closest to the destination

Extended ACLs
• Given a number from 100-199
• Much more flexible and complex
• Can filter based on:
  • Source address
  • Destination address
  • Session Layer Protocol (ICMP, TCP, UDP, ...)
  • Port number (80 http, 23 telnet, ...)
• Should be applied closest to the source

Placing ACLs
• Standard: closest to the destination
• Extended: closest to the source

Standard ACL format
access-list # permit|deny source-IP wildcard
Wildcard Mask
• Allows you to indicate a host, subnet, network or range of IP addresses
• The two binary values in the wildcard have different meanings:
  • 0 = must match exactly
  • 1 = ignore

Wildcard Mask Example
Network 172.16.10.0, wildcard 0.0.0.255
• Result: match the first three octets exactly but ignore the last octet.
• 172.16.10.0 through 172.16.10.255 is a match, since the last octet does not matter.

host and any Keywords
• Ex. permit 192.168.10.10 0.0.0.0
  • matches all bits
  • shortcut: host 192.168.10.10
• Ex. deny 0.0.0.0 255.255.255.255
  • ignores all bits
  • shortcut: any
Implementing ACLs
• Remember the implicit Deny All at the end of each access-list.
• Two approaches:
  1. List the traffic you know you want to permit; deny all other traffic.
  2. List the traffic you want to deny; permit all other traffic (permit any).

Standard ACL example (I)
R1(config)# access-list 5 deny 172.22.5.2 0.0.0.0
R1(config)# access-list 5 deny 172.22.5.3 0.0.0.0
R1(config)# access-list 5 permit any
So what does this access list do?
• Deny any host 172.22.5.2
• Deny any host 172.22.5.3
• All other traffic can go

Standard ACL example (II)
A(config)# access-list 5 deny 172.22.5.2 0.0.0.0
A(config)# access-list 5 deny 172.22.5.3 0.0.0.0
A(config)# access-list 5 permit any
A(config)# access-list 5 deny 172.22.5.4 0.0.0.0
Why does the last line have no effect? How could you correct this situation?
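To make the wildcard-mask semantics, the top-down evaluation, the implicit deny and the "dead" fourth statement of example (II) concrete, here is a small simulator of standard ACL evaluation. It is an added example written for this page, not code from the slides or from Cisco IOS; the statement syntax it accepts (`access-list N permit|deny host A`, `... any`, `... A WILDCARD`) mirrors the slides, and the per-statement hit counters stand in for the match counters a router shows in `show access-lists`. The `unreachable()` check goes beyond the slides: it flags any statement whose address set is fully covered by an earlier statement, which is exactly why the last line of example (II) never matches.

```python
"""Toy evaluator for Cisco-style standard ACLs (added example, not the slides' code).

Models: wildcard-mask matching (0 = must match, 1 = ignore), the host/any
shortcuts, sequential top-down evaluation, the implicit "deny any" at the
end, and a per-statement hit counter like the one a router keeps.
"""
import ipaddress
from dataclasses import dataclass


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match exactly', 1 means 'ignore'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits we must compare
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    src: str         # base address
    src_wc: str      # wildcard mask
    hits: int = 0    # packets that matched this statement


def parse_standard(line: str) -> Entry:
    """Parse 'access-list N permit|deny <src>' where <src> is
    'host A', 'any', or 'A WILDCARD' (the three forms on the slides)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest == ["any"]:                          # shortcut for 0.0.0.0 255.255.255.255
        return Entry(action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":                        # shortcut for A 0.0.0.0
        return Entry(action, rest[1], "0.0.0.0")
    return Entry(action, rest[0], rest[1])


class StandardACL:
    def __init__(self, lines):
        self.entries = [parse_standard(l) for l in lines]
        self.implicit_deny_hits = 0

    def evaluate(self, src: str) -> str:
        """First matching statement wins; fall through to the implicit deny."""
        for e in self.entries:
            if wildcard_match(src, e.src, e.src_wc):
                e.hits += 1
                return e.action
        self.implicit_deny_hits += 1
        return "deny"

    def unreachable(self):
        """1-based statement numbers that can never match: an earlier statement
        already covers every address the later one could match."""
        dead = []
        for i, later in enumerate(self.entries):
            care_l = ~to_int(later.src_wc) & 0xFFFFFFFF
            for earlier in self.entries[:i]:
                care_e = ~to_int(earlier.src_wc) & 0xFFFFFFFF
                covers_bits = (care_e & ~care_l) == 0            # earlier cares about a subset of bits
                same_value = ((to_int(earlier.src) ^ to_int(later.src)) & care_e) == 0
                if covers_bits and same_value:
                    dead.append(i + 1)
                    break
        return dead


# Constructed sample: the statements of example (II) on this page.
EXAMPLE_II = [
    "access-list 5 deny 172.22.5.2 0.0.0.0",
    "access-list 5 deny 172.22.5.3 0.0.0.0",
    "access-list 5 permit any",
    "access-list 5 deny 172.22.5.4 0.0.0.0",
]


def demo():
    acl = StandardACL(EXAMPLE_II)
    results = {h: acl.evaluate(h) for h in ("172.22.5.2", "172.22.5.3", "172.22.5.4")}
    return results, acl.unreachable(), [e.hits for e in acl.entries]


if __name__ == "__main__":
    print(demo())   # 172.22.5.4 is permitted: statement 4 is shadowed by 'permit any'
```

Moving the `deny 172.22.5.4` line above `permit any` makes `unreachable()` return an empty list, which is the correction the slide asks for; because IOS numbered ACLs cannot be edited in place, that means re-entering the whole list, as the tips later on this page describe.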
Applying ACLs (diagram: R1 with interfaces fa0/0 and s0/1)
R1(config)# int fa 0/0
R1(config-if)# ip access-group 2 out
R1(config)# int s 0/1
R1(config-if)# ip access-group 6 in

Verifying ACLs
• show ip interface
• show access-lists
• show running-config
Implementing ACLs: Tips
• You cannot selectively add or remove statements from an access-list.
• Typically, modifications are made in a text editor and then pasted to the router as a new access-list.
• Document your access-list: after each line, indicate exactly what that line is supposed to do.

Implementing ACLs: Tips
• Verify your access-list:
  • show access-lists
  • show ip interfaces
• Revisit your access-list after a few days:
  • Routers keep track of the number of packets that match each statement in an access-list.
  • Use this information to reorder your access-list and thus improve its efficiency.
• Never remove an access-list that is applied to a port – this can crash the router!

Summary
• ACLs are created and then applied to an interface
• They are implemented sequentially, top down
• They end with an implicit Deny All statement
• #1-99 Standard and #100-199 Extended
• Standard: source address only
• Extended: source, destination, protocol, port
Lab Assignment #1
Topology (from the diagram): host A 192.168.10.10, host B 192.168.11.20, host C 192.168.12.30
• A and B can connect to each other.
• B and C can connect to each other.
• A and C cannot communicate with each other.

Lab Assignment #2
Topology (from the diagram): host A 192.168.10.10, host B 192.168.11.20, host C 192.168.12.30
• A can only access the web service of B.
• B can only ping C.
• C does not accept any ping from A.

References
• C. Dodge, slides on the Cisco website
• Cisco curriculum materials