Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Training for
CCNA,CCNP,
CCNA SECURITY
CCIP,
MPLS, BGP, IPV6
NETWORK+, SEURITY+
https://www.facebook.com/Networkingwanschool
CCNA 200-120
IPv4 Services
CCNA 200-120
IPv4 Services
Basic IPv4 Access Control Lists
Network designers use firewalls to protect networks from unauthorized use. Firewalls are
hardware or software solutions that enforce network security policies. Consider a lock on a
door to a room inside a building. The lock only allows authorized users with a key or access
card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous
packets from entering the network. On a Cisco router, you can configure a simple firewall that
provides basic traffic filtering capabilities using ACLs.
An ACL is a sequential list of permit or deny statements that apply to addresses or upperlayer protocols. ACLs provide a powerful way to control traffic into and out of your
network. You can configure ACLs for all routed network protocols
The most important reason to configure ACLs is to provide security for your network. This
chapter explains how to use standard and extended ACLs as part of a security solution and
teaches you how to configure them on a Cisco router. Included are tips, considerations,
recommendations, and general guidelines on how to use ACLs.
IPv4 ACLs perform many functions in Cisco routers, with the most common use as a packet
filter.
Packet filtering, sometimes called static packet filtering, controls access to a network by
analyzing the incoming and outgoing packets and passing or halting them based on
stated criteria
A router acts as a packet filter when it forwards or denies packets according to filtering
rules. When a packet arrives at the packet-filtering router, the router extracts certain
information from the packet header and makes decisions according to the filter rules
as to whether the packet can pass through or be discarded. Packet filtering works at
the network layer of the Open Systems Interconnection (OSI) model, or the Internet
layer of TCP/IP.
As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic
based on source and destination IP addresses, source port and destination port, and the protocol of
the packet. These rules are defined using access control lists or ACLs.
Recall that an ACL is a sequential list of permit or deny statements that apply to IP
addresses or upper-layer protocols. The ACL can extract the following information from the
packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper layer information and test it against its rules. Upper layer
information includes:
TCP/UDP source port
TCP/UDP destination port
Packet Filtering
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted
at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass
through the door. The guard is filtering people based on the criterion of having their names on the
authorized list.
For example, you could say, "Only permit web access to users from network A. Deny web access to
users from network B, but permit them to have all other access." Refer to the figure to examine the
decision path the packet filter uses to accomplish this task.
An ACL is a router configuration script that controls whether a router permits or denies packets to pass
based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco
IOS software. ACLs are also used for selecting types of traffic to be analysed, forwarded, or processed in
other ways.
As each packet comes through an interface with an associated ACL, the ACL is checked from top to
bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one
or more corporate security policies by applying a permit or deny rule to determine the fate of the
packet. ACLs can be configured to control access to a network or subnet. *******(must remember)
By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that
enters the router is routed according to the routing table. If you do not use ACLs on the router, all
packets that can be routed through the router pass through the router to the next network segment.
*******(must remember)
The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can
configure one ACL per protocol, per direction, per interface:
One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol
enabled on the interface.
One ACL per direction-ACLs control traffic in one direction at a time on an interface. Two separate ACLs
must be created to control inbound and outbound traffic.
One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0
corporate policy does not allow video traffic, ACLs can block video traffic.
can allow one host to access a part of the network and prevent others from
accessing the same area.
example, an ACL can permit e-mail traffic, but block all Telnet traffic.
can permit or deny a user to access file types, such as FTP or HTTP.
ACL can classify traffic to enable priority processing down the line.
ACL Operation
Inbound ACLs
evaluate packets against the ACL, from the top down, one
statement at a time.
Once you apply the ACL on an interface, the router MUST compare
every packet. Causes significant processor load.
ACL Operation
Outbound ACLs
As a frame enters an interface, the router checks the destination Layer 2 address.
If the frame is accepted and the router checks for an ACL on the inbound interface.
If an ACL exists, the packet is now tested against the statements in the list.
If the packet is accepted in the interface, it is then checked against routing table entries to determine the
destination interface and switched to that interface.
Next, the router checks whether the destination interface has an ACL.
If an ACL exists, the packet is tested against the statements in the list.
If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded
out the interface to the next device.
Matching Packets
When you think about the location and direction for an ACL, you must already be thinking about what
packets you plan to filter (discard), and which ones you want to allow through. To tell the router those
same ideas, you must configure the router with an IP ACL that matches packets. Matching packets
refers to how to configure the ACL commands to look at each packet, listing how to identify which
packets should be discarded, and which should be allowed through.
For example, consider an example with Figure , in which you want to allow packets from host A
to server S1, but to discard packets from host B going to that same server. The hosts all now have IP
addresses, and the figure shows pseudocode for an ACL on R2. Figure also shows the chosen
location to enable the ACL: inbound on R2s S0/0/1 interface.
At the end of every access list is an implied "deny all traffic" criteria statement. It is also
sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not
match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is
the default behaviour of ACLs and cannot be changed. ***(must remember )
Types of IP ACLs
Cisco IOS has supported IP ACLs since the early days of Cisco routers. Beginning with the original
standard numbered IP ACLs in the early days of IOS, which could enable the logic shown earlier
Cisco has added many ACL features, including:
Using numbered ACLs is an effective method for determining the ACL type on
smaller networks.
Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco
ACL.
(the
number scheme)
Named ACLs help identify the function. Some ACLs
(reflexive) MUST be named.
Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
One group with the number 5
OR
Access-list 1 permit
Access-list 2 permit
Access-list 3 permit
Access-list 4 permit
Access-list 5 permit
5 different groups
ACLs can act as firewalls to filter packets and eliminate unwanted traffic.
Every ACL should be placed where it has the greatest impact on efficiency.
Standard ACLs
Extended ACLs
The better solution is to place an extended ACL on the inbound Fa0/2 of R1. This ensures
that packets from Eleven do not enter R1, and cannot cross over into Ten.
Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur
in the router. The router continues to process the ACL statements until it has a match.
For this reason, you should have the most frequently used ACL entry at the top of the list.
If no matches are found when the router reaches the end of the list, the traffic is denied because there is an implied
deny for traffic.
A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit
statement in an ACL or all traffic is blocked.
For example, the two ACLs (101 and 102) in the figure have the same effect.
Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.
For example, to create a numbered ACL designated 10 that would permit network
192.168.10.0 /24, you would enter:
R1(config)# access-list 10 permit 192.168.10.0
Remove ACL
The no form of this command removes a standard ACL. In the figure, the output of the show
access-list command displays the current ACLs configured on router R1.
To remove the ACL, the global configuration no access-list command is used. Issuing the show
access-list command confirms that access list 10 has been removed.
Often, the business goals you want to implement with an ACL does not match a single
particular IP address, but rather a range of IP addresses. Maybe you want to match all IP
addresses in a subnet.
IOS allows standard ACLs to match a range of addresses using a tool called a wildcard
mask. Note that this is not a subnet mask. The wildcard mask (which this book
abbreviates as WC mask) gives the engineer a way to tell IOS to ignore parts of the
address when making comparisons, essentially treating those parts as wildcards, as if
they already matched.
ACLs statements include masks, called wildcard masks. A wildcard mask is a string of
binary digits telling the router which parts of the subnet number to look at. Although
wildcard masks have no functional relationship with subnet masks, they do provide a
similar function. The mask determines how much of an IP source or destination address to
apply to the address match. The numbers 1 and 0 in the mask identify how to treat the
corresponding IP address bits. However, they are used for different purposes and follow
different rules.
A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.
The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following
rules to match binary 1s and 0s:
Wildcard
Wildcard
The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address.
The first example the wildcard mask stipulates that every bit in the IP
192.168.1.1must match exactly.
In the second example, the wildcard mask stipulates that anything will match.
In the third example, the wildcard mask stipulates that it will match any host
within the 192.168.1.0 /24 network.
In example 1, the first two octets and first four bits of the third octet must
match exactly.
Example 2 , a wildcard mask that matches the first two octets, and the least
significant bit in the third octet.
The result is a mask that would permit or deny all hosts from odd
subnets (/24) from the 192.168.0.0 major network.
That may not seem more efficient, but when you consider if you wanted to match network 192.168.16.0 to 192.168.31.0 :
You can see that configuring the following wildcard mask makes it far more efficient:
The keywords host and any help identify the most common uses of wildcard
masking.
The
host option substitutes for the 0.0.0.0 mask. This mask states that all IP
address bits must match or only one host is matched.
The
Instead of entering
Instead of entering
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a
higher level protocol. However, because you are using the access-class command to filter
incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you
can use standard ACL statements to control VTY access.
Commenting ACLs
You can use the remark keyword to include comments about entries in any ACL.
The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
When you identify your ACL with a name, the configuration command syntax are slightly different.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.
ACL names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more
conditions for determining if a packet is forwarded or dropped.
Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.
Starting
You
If
with Cisco IOS 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.
can use sequence numbers to insert statements anywhere in the named ACL.
you are using an earlier Cisco IOS version, you can add statements only at the bottom of the named ACL.
The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricted access to the web server. Looking at this
example,
In
the first show command output, you can see that the ACL named WEBSERVER has three numbered lines.
To
grant another workstation access in the list only requires inserting a numbered line. The workstation with the IP address
192.168.11.10 is being added.
The
final show command output verifies that the new workstation is now allowed access.
Extended IP access lists have many similarities compared to the standard numbered IP
ACLs discussed in the previous chapter. Just like standard IP ACLs, you enable extended
access lists on interfaces for packets either entering or exiting the interface. IOS searches
the list sequentially.
Extended ACLs also use first-match logic, because the router stops the search through the
list as soon as the first statement is matched, taking the action defined in the first-matched
statement. All these features are also true of standard numbered access lists (and named
ACLs).
Extended ACLs differ from standard ACLs mostly because of the larger variety of packet
header fields that can be used to match a packet. One extended ACL statement can
examine multiple parts of the packet headers, requiring that all the parameters be matched
correctly to match that one ACL statement. That powerful matching logic makes extended
access lists both more useful and more complex than standard IP ACLs.
IOS requires that you configure parameters for the three highlighted parts of Figure . For the protocol type,
you simply use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP,
UDP, or ICMP header, respectively, following the IP header. Or you can use the keyword ip, which means
all ip packets.
Note
When matching IP addresses in the source and destination fields, there is
one difference with standard ACLs: When matching a specific IP address,
the extended ACL requires the use of the host keyword. You cannot simply
list the IP address alone.
In an extended ACL access-list command, all the matching parameters must
match the packet for the packet to match the command.**** (must remember )
When an extended ACL command includes either the tcp or udp keyword, that command
can optionally reference the source and/or destination port. To make these comparisons, the
syntax uses keywords for equal, not equal, less than, greater than, and for a range of port
numbers. Additionally, the command can use either the literal decimal port numbers, or
more convenient keywords for some well-known application ports. Figure shows the
positions of the source and destination port fields in the access-list command and these
port number keywords.
For example, consider the simple network shown in Figure . The FTP server sits on the right,
with the client on the left. The figure shows the syntax of an ACL that matches the following:
Packets that include a TCP header
Packets sent from the client subnet
Packets sent to the server subnet
Packets with TCP destination port 21 (FTP server control port)
Conversely, Figure shows the reverse flow, with a packet sent by the server back toward
PC1. In this case, the packets TCP header has a source port of 21, so the ACL must
check the source port value of 21, and the ACL must be located on different interfaces. In
this case, the eq 21 parameters follow the source address field, but comes before the
destination address field.
The procedural steps for configuring extended ACLs are the same as for standard ACLs
For example, the network administrator needs to restrict Internet access to allow only web browsing.
It allows traffic to go to any destination ports 80 (HTTP) and 443 (HTTPS) only.
ACL 104 blocking all incoming traffic, except for the established connections.
HTTP establishes connections starting with the request and then exchange of ACK, FIN, and SYN
messages.
A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the
packet belongs to an existing connection.
This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to
return to s0/0/0.
Recall that we want to allow users to browse both insecure and secure websites.
First consider whether the traffic you want to filter is going in or out.
In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast
Ethernet port, Fa0/0.
The example applies the ACL to the serial interface in both directions.
Denying FTP traffic from subnet 192.168.11.0 going to 192.168.10.0, but permitting all other traffic.
Remember that FTP requires ports 20 and 21, therefore you need to specify to deny FTP.
With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.
Denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP
traffic from any other source to any destination out Fa0/0.
Note the use of the any keywords, meaning from anywhere going to anywhere.
You can create named extended ACLs in essentially the same way you created named standard ACLs.
Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a
named extended ACL.
Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.
Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name]
command.
Step 4. As an option and recommended step, save your entries in the configuration file with the copy runningconfig startup-config command.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
ACL Editing
Now that you have a good understanding of the core concepts in IOS IP ACLs, this section
examines a few enhancements to IOS support for ACLs :- ACL editing with sequence numbers
Named ACLs allow the user to delete and add new lines to the ACL from within ACL configuration
mode.
ACL sequence numbers make it easier to edit existing ACLs when an ACL needs to change.
Numbered ACLs have existed in IOS since the early days of Cisco routers and IOS.
However, for many years, through many IOS versions, the ability to edit a numbered IP ACL
was poor. For example, to simply delete a line from the ACL, the user had to delete the
entire ACL and then reconfigure it.
Today, modern IOS versions allow CLI users to easily edit both numbered and named
ACLs. Cisco first introduced these enhanced ACL editing features in named ACLs only, and
slowly added them to numbered ACLs as well. This section examines these great ACL
editing features that have been around in IOS since Version 12.3, is now a relatively old
IOS version.
The ACL editing feature uses an ACL sequence number that is added to each ACL permit
or deny statement, with the numbers representing the sequence of statements in the
ACL. ACL sequence numbers provide the following features for both numbered and
named ACLs:
New Configuration Style for Numbered: Numbered ACLs use a configuration style like
named ACLs, as well as the traditional style, for the same ACL; the new style is required to
perform advanced ACL editing.
Deleting Single Lines: An individual ACL permit or deny statement can be deleted with a
no sequence-number subcommand.
Inserting New Lines: Newly added permit and deny commands can be configured with a
sequence number, dictating the location of the statement within the ACL.
Automatic Sequence Numbering: IOS adds sequence numbers to commands as you
configure them, even if you do not include the sequence numbers.
https://www.facebook.com/ashok.tambe.733
https://www.facebook.com/groups/networkingwanschool/
tambe.ashok@gmail.com