Filtering Traffic Using Access Control Lists
Introducing Routing and Switching in the Enterprise – Chapter 8

Objectives
• Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
• Analyze the use of wildcard masks.
• Configure and implement ACLs.
• Create and apply ACLs to control specific types of traffic.
• Log ACL activity and integrate ACL best practices.
Traffic Filtering
• Analyze the contents of a packet
• Allow or block the packet
• Decide based on source IP address, destination IP address, MAC address, protocol, or application type

Traffic Filtering
Devices providing traffic filtering:
• Firewalls built into integrated routers
• Dedicated security appliances
• Servers

Traffic Filtering
Uses for ACLs:
• Specify which internal hosts are translated by NAT
• Classify traffic for QoS
• Restrict routing updates, limit debug output, control virtual terminal (VTY) access

Traffic Filtering
Possible issues with ACLs:
• Increased processing load on the router
• Possible network disruption if a statement is misplaced or mis-ordered and blocks legitimate traffic
Describe Traffic Filtering
• Standard ACLs filter based on source IP address only
• Extended ACLs filter on source and destination address, as well as protocol and port number
• Named ACLs can be either standard or extended

Describe Traffic Filtering
• An ACL consists of a list of statements that are evaluated in order; the first matching statement decides the packet's fate
• At least one statement must be a permit statement, otherwise the ACL blocks all traffic
• An implicit deny follows the last statement, so a packet that matches no statement is dropped
• An ACL must be applied to an interface in order to take effect

Describe Traffic Filtering
• An ACL is applied inbound or outbound
• Direction is from the router's perspective
• Each interface can have one ACL per direction for each network protocol

Inbound ACLs
• Incoming packets are checked against the inbound ACL before they are routed to the outbound interface.
• An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded.
• If the packet is permitted by the tests, it is then processed for routing.

Outbound ACLs
• Incoming packets are first routed to the outbound interface, and then they are checked against the outbound ACL.
Analyze the Use of Wildcard Masks
• A wildcard mask can block a range of addresses or a whole network with one statement
• 0 bits indicate which bits of an IP address must match the address in the ACL statement
• 1 bits indicate which bits do not have to match (don't care)

Analyze the Use of Wildcard Masks
• Use the host keyword in place of a 0.0.0.0 wildcard (matches exactly one address)
• Use the any keyword in place of a 255.255.255.255 wildcard (matches every address)

Wildcard mask abbreviations: host, any
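As an added example (not from the chapter), this Python shows the bit rule above using the standard library ipaddress module: a wildcard mask is the bit-inverse of the subnet mask, host and any expand to the 0.0.0.0 and 255.255.255.255 wildcards, and one base/wildcard pair can cover several networks with a single statement, including a non-contiguous mask that matches only odd-numbered subnets. The function names and sample networks are my own.

```python
import ipaddress

def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a prefix length: the bit-inverse of the subnet mask (/24 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def expand(token):
    """Expand IOS shorthand: 'host A.B.C.D' -> (A.B.C.D, 0.0.0.0); 'any' -> (0.0.0.0, 255.255.255.255)."""
    parts = token.split()
    if parts[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]          # already an explicit 'address wildcard' pair

def wildcard_match(address, base, wildcard):
    """True if address matches base under wildcard: 0-bits must match, 1-bits are ignored."""
    a, b = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def single_statement(networks):
    """Smallest (base, wildcard) pair that covers every listed network with ONE ACL statement.
    Any bit that differs between two networks becomes a 1 (don't care), as do the host bits
    of the widest network. Beware: the result may also match addresses in between."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    first = int(nets[0].network_address)
    wildcard = max(int(n.hostmask) for n in nets)
    for n in nets[1:]:
        wildcard |= int(n.network_address) ^ first
    base = first & (0xFFFFFFFF ^ wildcard)     # zero the don't-care bits, as IOS does
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))
```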
Configure and Implement Access Control Lists
• Determine the traffic filtering requirements
• Decide which type of ACL to use
• Determine the router and interface on which to apply the ACL
• Determine in which direction to filter traffic

Configure and Implement Access Control Lists: Numbered Standard ACL
• Use the access-list command to enter statements
• Use the same number for all statements
• Number ranges: 1-99, 1300-1999
• Apply as close to the destination as possible

Configure and Implement Access Control Lists: Numbered Extended ACL
• Use the access-list command to enter statements
• Use the same number for all statements
• Number ranges: 100-199, 2000-2699
• Specify a protocol to permit or deny
• Place as close to the source as possible

Configure and Implement Access Control Lists: Named ACLs
• A descriptive name replaces the number range
• Use the ip access-list command to enter the initial statement
• Start succeeding statements with either permit or deny
• Apply in the same way as a standard or extended ACL

Numbering and Naming ACLs
• Locate extended ACLs as close as possible to the source of the traffic to be denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
• Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Configure and Implement Access Control Lists: VTY access
• Create a numbered ACL that identifies the hosts allowed to connect
• Apply it to the VTY lines in line configuration mode with the access-class command
• Apply identical restrictions to all VTY lines

Editing ACLs in a text editor: copy and paste
Create and Apply ACLs to Control Specific Types of Traffic
• Use a condition operator when filtering on port numbers: eq (equal), lt (less than), gt (greater than)
• Deny all the relevant ports for multi-port applications like FTP (control and data connections)
• Use the range operator to filter a group of ports with one statement

Create and Apply ACLs to Control Specific Types of Traffic
• Block harmful external traffic while allowing internal users free access
• Ping: allow echo replies in while denying echo requests from outside the network
• Stateful Packet Inspection (allows only the return traffic of sessions initiated from inside)

Create and Apply ACLs to Control Specific Types of Traffic
• Account for NAT when creating and applying ACLs to a NAT interface
• Filter on public (translated) addresses on a NAT outside interface
• Filter on private (untranslated) addresses on a NAT inside interface

Create and Apply ACLs to Control Specific Types of Traffic
• Examine every ACL one line at a time to avoid unintended consequences

Create and Apply ACLs to Control Specific Types of Traffic
• Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces
Log ACL Activity and ACL Best Practices
• Logging provides additional details on packets denied or permitted
• Add the log option to the end of each ACL statement to be tracked

Log ACL Activity and ACL Best Practices
Syslog messages report:
• Status of router interfaces
• ACL messages
• Bandwidth, protocols in use, configuration events

Log ACL Activity and ACL Best Practices
• Always test basic connectivity before applying ACLs
• Add an explicit deny ip any statement with the log option to the end of an ACL when logging, because the implicit deny generates no log messages
• Use reload in 30 when testing ACLs on remote routers, so that a lockout is undone when the router reloads; cancel it with reload cancel once the ACL is confirmed working
Summary
• ACLs enable traffic management and secure access to and from a network and its resources
• Apply an ACL to filter inbound or outbound traffic
• ACLs can be standard, extended, or named
• Using a wildcard mask provides flexibility
• There is an implicit deny statement at the end of every ACL
• Account for NAT when creating and applying ACLs
• Logging provides additional details on filtered traffic