CCNA Discovery 3

CCNA Discovery - Introducing Routing and Switching in the Enterprise

8 Filtering Traffic Using Access Control Lists

8.0 Chapter Introduction

8.0.1 Introduction

Page 1: 8.0.1 - Introduction

Enterprise networks need security to ensure that only authorized users access the network. Traffic filtering tools, such as Access Control Lists, are an important component of enterprise network security. ACLs permit and deny specific types of inbound and outbound traffic. Network engineers and technicians plan, configure, and verify ACLs on routers and other networking devices.

After completing this chapter, you should be able to:
- Describe traffic filtering.
- Explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
- Analyze the use of wildcard masks.
- Configure and implement ACLs.
- Create and apply ACLs to control specific types of traffic.
- Log ACL activity and apply ACL best practices.

8.1 Using Access Control Lists

8.1.1 Traffic Filtering

Page 1:

Security within an enterprise network is extremely critical. It is important to prevent access by unauthorized users and to protect the network from various attacks, such as DoS attacks. Unauthorized users can modify, destroy, or steal sensitive data on servers. DoS attacks prevent valid users from accessing facilities. Both of these situations cause a business to lose time and money.

Through traffic filtering, an administrator controls traffic in various segments of the network. Filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked. Packet filtering can be simple or complex, denying or permitting traffic based on:
- Source IP address
- Destination IP address
- MAC addresses
- Protocols
- Application type

Packet filtering can be compared to junk email filtering. Many email applications allow the user to adjust the configuration to automatically delete email from a particular source address.
Packet filtering can be done in the same way by configuring a router to identify unwanted traffic. Traffic filtering improves network performance. By denying unwanted or restricted traffic close to its source, the traffic does not travel across the network and consume valuable resources.

8.1.1 - Traffic Filtering

The diagram depicts the use of traffic filtering. There is a circle with an internal network inside; the internal network contains four hosts connected to a switch. The switch is connected to a router, which connects the internal network to external networks. The router is receiving four external packets. The packets labeled HTTP Protocol and Network 172.16.0.0 are allowed into the network. The packets labeled IP Address 192.168.1.5 and Telnet are blocked from entering the network. The internal network uses MAC address filtering; one of the four hosts is blocked from using the network.

Page 2:

Devices most commonly used to provide traffic filtering are:
- Firewalls built into integrated routers
- Dedicated security appliances
- Servers

Some devices only filter traffic that originates from the internal network. More sophisticated security devices recognize and filter known types of attacks from external sources. Enterprise routers recognize harmful traffic and prevent it from accessing and damaging the network. Nearly all routers filter traffic based on the source and destination IP addresses of packets. They also filter on specific applications and on protocols such as IP, TCP, HTTP, FTP, and Telnet.

8.1.1 - Traffic Filtering

The diagram depicts four traffic filtering devices: Cisco Security Appliances, Server-Based Firewall, Linksys Wireless Router with Integrated Firewall, and Cisco Router with IOS Firewall.

8.1.2 Access Control Lists

Page 1:

One of the most common methods of traffic filtering is the use of access control lists (ACLs). ACLs can be used to manage and filter traffic that enters a network, as well as traffic that exits a network.
An ACL ranges in size from one statement that allows or denies traffic from one source, to hundreds of statements that allow or deny packets from multiple sources. The primary use of ACLs is to identify the types of packets to accept or deny. ACLs also identify traffic for other uses, such as:
- Specifying internal hosts for NAT
- Identifying or classifying traffic for advanced features such as QoS and queuing
- Restricting the contents of routing updates
- Limiting debug output
- Controlling virtual terminal access to routers

The following potential problems can result from using ACLs:
- The additional load on the router to check all packets means less time to actually forward packets.
- Poorly designed ACLs place an even greater load on the router and might disrupt network usage.
- Improperly placed ACLs block traffic that should be allowed and permit traffic that should be blocked.

8.1.2 - Access Control Lists

The diagram depicts the placement of Access Control Lists. Two ACLs placed strategically on the network are used to block specific traffic from accessing parts of the network.

8.1.3 Types and Usage of ACLs

Page 1:

When creating access control lists, a network administrator has several options. The complexity of the design guidelines determines the type of ACL required. There are three types of ACLs:

Standard ACLs

The Standard ACL is the simplest of the three types. A standard IP ACL filters based only on the source IP address of a packet. Standard ACLs permit or deny based on the entire protocol, such as IP. So, if a host device is denied by a standard ACL, all services from that host are denied. This type of ACL is useful for allowing all services from a specific user or LAN through a router while denying other IP addresses access. Standard ACLs are identified by the number assigned to them. For access lists permitting or denying IP traffic, the identification number can range from 1 to 99 and from 1300 to 1999.
Extended ACLs

Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. Extended ACLs are used more than Standard ACLs because they are more specific and provide greater control. The range of numbers for Extended ACLs is from 100 to 199 and from 2000 to 2699.

Named ACLs

Named ACLs (NACLs) are either Standard or Extended format ACLs that are referenced by a descriptive name rather than a number. When configuring named ACLs, the router IOS uses a NACL subcommand mode.

8.1.3 - Types and Usage of ACLs

The diagram depicts a table of information about IOS Access Control Lists. The column headers are Type of ACL, Sample ACL Command/Statement, and Purpose of Statement. The types of ACL described are Standard, Extended, and Named.

Type of ACL: Standard
Sample ACL Command/Statement:
Router(config)# access-list 1 permit host 172.16.2.88
Purpose of statement: Permits a specific IP address.

Type of ACL: Extended
Sample ACL Command/Statement:
Router(config)# access-list 100 deny tcp 172.16.2.0 0.0.0.255 any eq telnet
Purpose of statement: Denies access from the 172.16.2.0/24 subnet to any other host if the packets are attempting to use Telnet.

Type of ACL: Named
Sample ACL Command/Statement:
Router(config)# ip access-list standard permit-IP
Router(config-std-nacl)# permit host 192.168.5.47
Purpose of statement: Creates a standard access list named permit-IP and allows access from IP address 192.168.5.47. The first command puts the router into NACL subcommand mode.

Page 2: 8.1.3 - Types and Usage of ACLs

The diagram depicts an activity in which you must decide whether each of the following characteristics belongs to a Standard, Extended, or Named ACL.
1. Simplest type of ACL.
2. Uses a special sub-configuration mode.
3. Uses a numeric identifier and can filter on protocol and port numbers.
4. Can create both standard and extended access lists.
5. Identified by number range from 100-199.
6. Can only filter on source IP address or range.
7. Uses a numeric identifier and can filter on source or destination IP address.
8. Identified by number range from 1-99.
9. Can be assigned a meaningful descriptive identifier.

8.1.4 ACL Processing

Page 1:

Access control lists consist of one or more statements. Each statement either permits or denies traffic based on specified parameters. Traffic is compared to each statement in the ACL sequentially until a match is found or until there are no more statements. The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic that no earlier statement matched. This feature prevents the accidental entry of unwanted traffic.

After creating an access control list, apply it to an interface for it to become effective. The ACL targets traffic that is either inbound or outbound through the interface. If a packet matches a permit statement, it is allowed to enter or exit the router. If it matches a deny statement, it goes no further. An ACL that does not have at least one permit statement blocks all traffic, because at the end of every ACL is an implicit deny. Therefore an ACL denies all traffic not specifically permitted.

8.1.4 - ACL Processing

The animation depicts the use of ACLs to limit traffic on a network.

Network Topology: There is a network cloud with two hosts, H1 and H2. The H1 IP address is 192.168.1.1. The H2 IP address is 192.168.1.5. A router, R1, is attached to the cloud via S0/0/0. A switch, S1, is connected to R1 via S0/0/1. S1 is connected to two hosts, H3 and H4.

A packet is sent from H1 to R1 via S0/0/0. R1 has an ACL on the inbound interface S0/0/0, as follows:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The IP address in the ACL statement matches the source IP in the packet, so the packet is forwarded.

A packet is sent from H2 to R1 via S0/0/0.
R1 has an ACL on the inbound interface S0/0/0, as follows:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
This time the IP address in the ACL does not match the source IP in the packet. The packet is not forwarded; it is dropped by the implicit deny statement.

Page 2:

An administrator applies either an inbound or outbound ACL to a router interface. The inbound or outbound direction is always from the perspective of the router. Traffic coming in an interface is inbound and traffic going out an interface is outbound. When a packet arrives at an interface, the router checks the following parameters:
- Is there an ACL associated with the interface?
- Is the ACL inbound or outbound?
- Does the traffic match the criteria for permitting or denying?

An ACL applied outbound to an interface has no effect on traffic inbound on that same interface. Each interface of a router can have one ACL per direction for each network protocol. For the IP protocol, one interface can have one ACL inbound and one ACL outbound at the same time. ACLs applied to an interface add latency to the traffic. Even one long ACL can affect router performance.

8.1.4 - ACL Processing

The animation depicts how inbound and outbound ACLs process traffic.

Network Topology: There is a network cloud with a host, H1, with the IP address 192.168.1.1. Router R1 is connected to the cloud via S0/0/0. R1 is connected to switch S1 via Fa0/0. S1 is connected to two hosts, H2, IP address 172.22.4.1, and H3, IP address 172.22.4.2.

Inbound Traffic: A packet is sent from H1 to R1. R1 says, "I have an ACL associated with the S0/0/0 interface." The packet reaches R1, where the ACL is applied to interface S0/0/0 inbound. R1 says, "I have to filter traffic inbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The packet is forwarded to its destination.
Outbound Traffic: A packet is sent from H1 to R1. R1 says, "I will switch you to the Fa0/0 interface to reach your destination." The packet reaches R1. R1 says, "I have an ACL associated with the Fa0/0 interface." The ACL is applied to interface Fa0/0 outbound. R1 says, "I have to filter traffic outbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The packet is forwarded to its destination.

Page 3: 8.1.4 - ACL Processing

The diagram depicts an activity in which you must determine whether the packet will be permitted or denied, based on the given source IP address.

1. Source IP Address: 192.168.1.133
   ACL Statements:
   access-list 1 permit host 192.168.1.33
   access-list 1 permit host 192.168.1.233
2. Source IP Address: 192.168.1.228
   ACL Statements:
   access-list 2 permit host 192.168.1.215
3. Source IP Address: 10.10.10.5
   ACL Statements:
   access-list 3 permit host 10.10.10.5
   access-list 3 deny host 172.22.4.1
4. Source IP Address: 172.22.4.1
   ACL Statements:
   access-list 4 deny host 172.22.4.1
   access-list 4 permit host 172.22.4.2
5. Source IP Address: 172.22.4.1
   ACL Statements:
   access-list 5 permit host 10.10.10.5
   access-list 5 permit host 172.22.4.1
6. Source IP Address: 172.22.4.3
   ACL Statements:
   access-list 6 deny host 172.22.4.3

8.2 Using a Wildcard Mask

8.2.1 ACL Wildcard Mask Purpose and Structure

Page 1:

Simple ACLs specify only one permitted or denied address. Blocking multiple addresses or ranges of addresses requires using either multiple statements or a wildcard mask. Using an IP network address with a wildcard mask allows much more flexibility. A wildcard mask can block a range of addresses or a whole network with one statement. A wildcard mask uses 0s to indicate the bits of an IP address that must match exactly and 1s to indicate the bits of the IP address that do not have to match.
A wildcard mask of 0.0.0.0 requires an exact match on all 32 bits of the IP address. This mask is equivalent to the host parameter.

8.2.1 - ACL Wildcard Mask Purpose and Structure

The diagram depicts a person sitting at a workstation with the following information displayed on the monitor:

Wildcard masks that permit a single host:
172.16.22.87 0.0.0.0
host 172.22.8.17
Wildcard mask that permits a range of hosts for a /24 network:
172.16.22.0 0.0.0.255
Wildcard mask that permits an entire /16 network:
172.16.0.0 0.0.255.255
Wildcard mask that permits an entire /8 network:
10.0.0.0 0.255.255.255

Page 2:

The wildcard mask used with ACLs functions like the one used in the OSPF routing protocol. However, the purpose of each mask is different. With ACL statements, the wildcard mask specifies a host or range of addresses to be permitted or denied.

When creating an ACL statement, the IP address and wildcard mask become the comparison fields. All packets that enter or exit an interface are compared to each statement of the ACL to determine if there is a match. The wildcard mask determines how many bits of the incoming IP address must match the comparison address.

As an example, the following statement permits all hosts from the 192.168.1.0 network and blocks all others:
access-list 1 permit 192.168.1.0 0.0.0.255
The wildcard mask specifies that only the first three octets must match. Therefore, if the first 24 bits of the incoming packet match the first 24 bits of the comparison field, the packet is permitted. Any packet with a source IP address in the range of 192.168.1.1 to 192.168.1.255 matches the example comparison address and mask combination. All other packets are denied by the ACL implicit deny any statement.

8.2.1 - ACL Wildcard Mask Purpose and Structure

The diagram depicts the steps involved in creating an ACL with the following information:
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Step 1. Convert the decimal comparison address to binary.
Comparison Address:
Decimal equivalent: 192.168.1.0
Binary equivalent: 11000000.10101000.00000001.00000000

Step 2. Convert the decimal wildcard mask to binary.
Wildcard Mask:
Decimal equivalent: 0.0.0.255
Binary equivalent: 00000000.00000000.00000000.11111111

Step 3. Compare the wildcard mask match bits (24 zeros) with the comparison address bits.
Comparison Address bits to match:
Decimal equivalent: 192.168.1.X
Binary equivalent: 11000000.10101000.00000001.XXXXXXXX

Step 4. Compare the first 24 bits of an incoming packet IP address to the first 24 bits of the comparison address.
Incoming Packet Address:
Decimal equivalent: 192.168.1.27
Binary equivalent: 11000000.10101000.00000001.00011011

Step 5. The incoming packet IP address matches the comparison address and wildcard mask. If the bits match, the packet is permitted by the ACL.

Page 3: 8.2.1 - ACL Wildcard Mask Purpose and Structure

The diagram depicts an activity in which you must determine the wildcard mask for each of the following ACL statement objectives.

ACL Statement Objective
1. Deny all hosts from the 192.168.55.0/24 network
2. Permit all hosts from the 172.20.4.0/24 subnet
3. Permit only host 10.10.10.1
4. Deny only host 192.168.93.240
5. Deny all hosts from the 172.30.0.0/16 network
6. Deny all hosts from the 172.25.0.0/16 network
7. Permit all hosts from the 10.0.0.0/8 network
8. Deny all hosts from the 10.0.0.0/16 network

8.2.2 Analyzing the Effects of the Wildcard Mask

Page 1:

When creating an ACL, there are two special parameters that can be used in place of a wildcard mask: host and any.

Host parameter

To filter a single, specific host, use either the wildcard mask 0.0.0.0 after the IP address or the host parameter before the IP address.
R1(config)#access-list 9 deny 192.168.15.99 0.0.0.0
is the same as:
R1(config)#access-list 9 deny host 192.168.15.99

Any parameter

To filter all hosts, use the all-1s parameter by configuring a wildcard mask of 255.255.255.255.
When using a wildcard mask of 255.255.255.255, all bits are considered matches; therefore, the IP address is typically represented as 0.0.0.0. Another way to filter all hosts is to use the any parameter.
R1(config)#access-list 9 permit 0.0.0.0 255.255.255.255
is the same as:
R1(config)#access-list 9 permit any

Consider the following example that denies a specific host and permits all others:
R1(config)#access-list 9 deny host 192.168.15.99
R1(config)#access-list 9 permit any
The permit any statement permits all traffic not specifically denied earlier in the ACL. When this is configured, no packets reach the implicit deny any at the end of the ACL.

8.2.2 - Analyzing the Effects of the Wildcard Mask

The diagram depicts a router connected to a switch with the following ACL inbound on Fa0/0:
access-list 9 deny host 192.168.15.99
access-list 9 permit any

Network Topology: Four hosts are connected to the switch. The three hosts with the IP addresses 192.168.15.77, 192.168.15.22, and 192.168.15.33 can transmit. The host with the IP address 192.168.15.99 cannot transmit.

Page 2:

In an enterprise network with a hierarchical IP addressing scheme, it is often necessary to filter subnet traffic. If 3 bits are used for subnetting the 192.168.77.0 network, the subnet mask is 255.255.255.224. Subtracting the subnet mask from the all-255s mask results in a wildcard mask of 0.0.0.31. To permit the hosts on the 192.168.77.32 subnet, the ACL statement is:
access-list 44 permit 192.168.77.32 0.0.0.31
The first 27 bits of each packet must match the first 27 bits of the comparison address. The overall range of addresses that this statement permits is from 192.168.77.33 to 192.168.77.63, which is the range of all addresses on the 192.168.77.32 subnet.

8.2.2 - Analyzing the Effects of the Wildcard Mask

The diagram depicts a subnet mask chart with the following explanation.
Subnet address: 192.168.77.32 255.255.255.224
Comparison/Base Address: 192.168.77.32 0.0.0.31
Bit value, for one octet: 128, 64, 32, 16, 8, 4, 2, 1
All 1s, for a binary octet: 1, 1, 1, 1, 1, 1, 1, 1 gives a decimal value of 255.
Subnet Mask: 1, 1, 1, 0, 0, 0, 0, 0 gives a decimal value of 224.
Wildcard Mask: 0, 0, 0, 1, 1, 1, 1, 1 gives a decimal value of 31.
Match Bits: the first three bits of the above octet.
Non-Match Bits: the last five bits of the above octet.

More Information Popup: A network that is a full Class A, B, or C has a subnet mask and a wildcard mask that divide evenly at an octet boundary. Subnets that do not break on an octet boundary produce a different wildcard mask value. An octet boundary is the place between the first and second or second and third octet. Example: A default Class A subnet mask falls between bit positions 8 and 9; the end of one octet and the beginning of the next is the octet boundary.

Page 3:

Creating accurate wildcard masks for ACL statements provides the control required to fine-tune traffic flow. Filtering different subnet traffic is the most difficult concept for beginners. The 192.168.77.0 network, with a subnet mask of 255.255.255.192 or /26, creates the following four subnets:
192.168.77.0/26
192.168.77.64/26
192.168.77.128/26
192.168.77.192/26
To create an ACL to filter any of these four subnets, subtract the subnet mask 255.255.255.192 from the all-255s mask, resulting in a wildcard mask of 0.0.0.63. To permit traffic from the first two of these subnets, use two ACL statements:
access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63
The first two networks also summarize to 192.168.77.0/25. Subtracting the summarized subnet mask of 255.255.255.128 from the all-255s mask results in a wildcard mask of 0.0.0.127. Using this mask groups these two subnets together into one ACL statement instead of two:
access-list 5 permit 192.168.77.0 0.0.0.127

8.2.2 - Analyzing the Effects of the Wildcard Mask

The diagram depicts the effects of the wildcard mask.
Network Topology: A router has an ACL outbound on S0/0/0. This router is connected to four networks on Fast Ethernet ports. Networks 192.168.77.192/26 and 192.168.77.128/26 are blocked. Networks 192.168.77.64/26 and 192.168.77.0/26 are permitted.
OPTION A
access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63
(implied deny any)
OPTION B
access-list 5 permit 192.168.77.0 0.0.0.127
(implied deny any)

Page 4: 8.2.2 - Analyzing the Effects of the Wildcard Mask

The diagram depicts an activity in which you must analyze the comparison address and wildcard mask. Decide whether each packet will be permitted or denied based on the information.
1. ACL Statement: access-list 66 permit 192.168.122.128 0.0.0.63
   IP Packet Address: 192.168.122.195
2. ACL Statement: access-list 66 permit 192.168.223.64 0.0.0.31
   IP Packet Address: 192.168.223.27
3. ACL Statement: access-list 66 permit 192.168.223.32 0.0.0.31
   IP Packet Address: 192.168.223.60
4. ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255
   IP Packet Address: 192.168.155.245
5. ACL Statement: access-list 66 permit 10.93.76.8 0.0.0.3
   IP Packet Address: 10.93.76.10
6. ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255
   IP Packet Address: 192.168.156.245
7. ACL Statement: access-list 66 permit 172.16.0.0 0.0.255.255
   IP Packet Address: 172.17.0.5

8.3 Configuring Access Control Lists

8.3.1 Placing Standard and Extended ACLs

Page 1:

Properly designed access control lists have a positive impact on network performance and availability. Plan the creation and placement of access control lists to maximize this effect. Planning involves the following steps:
1. Determine the traffic filtering requirements
2. Decide which type of ACL best suits the requirements
3. Determine the router and the interface on which to apply the ACL
4. Determine in which direction to filter traffic

Step 1: Determine Traffic Filtering Requirements

Gather traffic filtering requirements from stakeholders within each department of an enterprise. These requirements differ from enterprise to enterprise and are based on customer needs, traffic types, traffic loads, and security concerns.

8.3.1 - Placing Standard and Extended ACLs

The diagram depicts a boardroom environment with several people sitting at the boardroom table. The people are viewing a graphic on the overhead projector.

Page 2:

Step 2: Decide Type of ACL to Suit Requirements

The decision to use a Standard ACL or an Extended ACL depends on the filtering requirements of the situation. The choice of ACL type can affect the flexibility of the ACL, as well as router performance and network link bandwidth.

Standard ACLs are simple to create and implement. However, standard ACLs only filter based on the source address and filter all traffic without regard to the type or the destination of the traffic. With routes to multiple networks, a standard ACL placed too close to the source may unintentionally block traffic that should be permitted. Therefore, it is important to place standard ACLs as close to the destination as possible.

When filtering requirements are more complex, use an Extended ACL. Extended ACLs offer more control than Standard ACLs. They filter on source and destination addresses. They also filter by looking at the network layer protocol, transport layer protocol, and port numbers if required. This increased filtering detail allows a network administrator to create ACLs that meet the specific needs of a security plan.

Place an Extended ACL close to the source address. By looking at both the source and destination address, the ACL blocks packets intended for a specific destination network before they leave the source router. The packets are filtered before they cross the network, which helps conserve bandwidth.
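The wildcard mask arithmetic from sections 8.2.1 and 8.2.2 above (subtracting the subnet mask from 255.255.255.255, the binary match-bit comparison of the five-step diagram, the range a statement covers, and summarizing two /26 subnets into one 0.0.0.127 statement), worked through as an added Python example that is not part of the original course material; it generalizes the chapter's worked cases to any prefix length or subnet mask, and the function names are this example's own.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Chapter rule: subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same rule starting from a /N prefix length, e.g. /26 -> 0.0.0.63."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def to_binary(addr: str) -> str:
    """Dotted binary, as written in the chapter's step-by-step diagram."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def match_bits(comparison: str, wildcard: str) -> str:
    """Step 3 of the diagram: bits under wildcard 0s must match, 1s are shown as X."""
    comp, wild = to_binary(comparison), to_binary(wildcard)
    return "".join("X" if w == "1" else c for c, w in zip(comp, wild))


def matches(packet_ip: str, comparison: str, wildcard: str) -> bool:
    """Steps 4 and 5: compare only the bits the wildcard mask says must match."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(packet_ip) & care) == (_as_int(comparison) & care)


def covered_range(comparison: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address the statement matches (contiguous wildcard assumed)."""
    wild = _as_int(wildcard)
    low = _as_int(comparison) & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def summarize(cidrs: list[str]):
    """If the subnets collapse into one aligned block, return the single
    comparison/wildcard pair that replaces several statements
    (192.168.77.0/26 + 192.168.77.64/26 -> 192.168.77.0 0.0.0.127).
    Returns None when one statement cannot cover exactly those subnets."""
    nets = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(c) for c in cidrs))
    if len(nets) != 1:
        return None
    return str(nets[0].network_address), wildcard_from_mask(str(nets[0].netmask))


if __name__ == "__main__":
    # The chapter's 192.168.1.0 0.0.0.255 walk-through, with the packet 192.168.1.27
    comparison, wildcard, packet = "192.168.1.0", "0.0.0.255", "192.168.1.27"
    print("Step 1  comparison :", to_binary(comparison))
    print("Step 2  wildcard   :", to_binary(wildcard))
    print("Step 3  must match :", match_bits(comparison, wildcard))
    print("Step 4  packet     :", to_binary(packet))
    print("Step 5  result     :", "permit" if matches(packet, comparison, wildcard) else "deny")
    # Subnet cases from 8.2.2
    print("255.255.255.224 ->", wildcard_from_mask("255.255.255.224"), covered_range("192.168.77.32", "0.0.0.31"))
    print("/26 ->", wildcard_from_prefix(26))
    print("first two /26 subnets ->", summarize(["192.168.77.0/26", "192.168.77.64/26"]))
    print("middle two /26 subnets ->", summarize(["192.168.77.64/26", "192.168.77.128/26"]))
```

The last call returns None because 192.168.77.64/26 and 192.168.77.128/26 do not align to a single /25, so they still need two statements.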
8.3.1 - Placing Standard and Extended ACLs

The diagram depicts two scenarios that include a description and an example of Standard ACL Placement and Extended ACL Placement. Four routers are directly connected in a circle by serial links. Each of the routers, R1 through R4, has a FastEthernet port in use. The network addresses for each connected network are as follows:
R1: 192.168.1.0/24
R2: 192.168.2.0/24
R3: 192.168.3.0/24
R4: 192.168.4.0/24

Network Topology: R1 and R4 are opposite each other. There are blocks at R1 and R4 between the router and its FastEthernet port. These blocks indicate where an ACL may be placed.

Scenario 1: Standard ACL Placement
ACL:
access-list 9 deny 192.168.1.0 0.0.0.255
access-list 9 permit any
Requirements: Prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network. Allow 192.168.1.0 to reach other networks.
Bad Location: Meets some of the requirements. Prevents traffic from the 192.168.1.0 network from reaching networks 192.168.2.0 and 192.168.3.0.
Good Location: Meets all requirements.

Scenario 2: Extended ACL Placement
ACL:
access-list 109 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 permit ip any any
Requirements: Use an extended ACL to prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network, but allow the 192.168.1.0 network to reach other networks.
Good Location: The Extended ACL is placed closest to the source, which prevents traffic from the 192.168.1.0 network from reaching 192.168.4.0 but allows it to reach other networks.

Page 3:

Step 3: Determine Router and Interface for ACL

Place ACLs on routers in either the Access or Distribution Layer. A network administrator must have control of these routers and be able to implement a security policy. A network administrator who does not have access to a router cannot configure an ACL on it. Selection of the appropriate interface depends on the filtering requirements, the ACL type, and the location of the designated router.
It is best to filter traffic before it advances onto a lower bandwidth serial link. The interface selection is usually obvious once the router is chosen.

Step 4: Determine Direction to Filter Traffic

When determining the direction in which to apply an ACL, visualize the traffic flow from the perspective of the router. Inbound traffic is traffic that is coming into a router interface from outside. The router compares the incoming packet to the ACL before looking up the destination network in the routing table. Packets discarded at this point save the overhead of routing lookups. This makes an inbound access control list more efficient for the router than an outbound access list. Outbound traffic is inside the router and leaves through an interface. For an outbound packet, the router has already done a routing table lookup and has switched the packet to the correct interface. The packet is compared to the ACL just before leaving the router.

8.3.1 - Placing Standard and Extended ACLs

This animation depicts the process of determining the type and placement of an ACL.

Network Topology: Router R1 is connected to routers R2 and R3 via serial links. The network address assignments for each router are:
R1: Fa0/1: 192.168.4.0/24, Fa0/0: 192.168.1.0/24
R2: Fa0/0: 192.168.2.0/24
R3: Fa0/0: 192.168.3.0/24

The requirements given in the diagram are as follows: "We need to prevent traffic from the 192.168.1.0 network from entering the 192.168.2.0 network but allow it to reach other networks."

The Standard ACL and Extended ACL commands are listed below:
Standard ACL
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
Extended ACL
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any

The following are questions included in the diagram.
1. What kind of ACL? Answer: Extended ACL.
2. On which router? Answer: R1.
3. On which interface? Answer: Fa0/0.
4. In which direction? Answer: Inbound.
The extended ACL is placed on interface Fa0/0 on R1 to control access to the 192.168.1.0 network.

Page 4: 8.3.1 - Placing Standard and Extended ACLs

The diagram depicts an activity in which you must match the correct router, interface, and direction for the placement of the ACL in each of the following two scenarios.

Scenario 1 Requirement: You have an extended ACL that prevents traffic from the 172.16.1.0 network from reaching the 172.16.3.0 network, but allows it to reach the 172.16.2.0 network and the ISP. You need to minimize traffic on the WAN links and can only place the ACL on one interface.
ACL:
access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip any any

Scenario 2 Requirement: You have a standard ACL that permits all traffic from any 172.16.0.0 network to reach the ISP network but blocks all other traffic.
ACL:
access-list [list-number] permit 172.16.0.0 0.0.255.255

Network Topology: The diagram depicts three routers, R1, R2, and R3, that are directly connected to each other by serial links. The networks connected to the FastEthernet ports of each router are:
R1 Fa0/0: 172.16.1.0/24
R2 Fa0/0: 172.16.2.0/24
R3 Fa0/0: 172.16.3.0/24

The following are the router, interface, and direction options. Decide which ones belong to each scenario.
Option 1. S0/0/1
Option 2. R3
Option 3. S0/0/0
Option 4. R2
Option 5. S0/1/0
Option 6. OUT
Option 7. IN
Option 8. R1
Option 9. Fa0/0

8.3.2 Basic ACL Configuration Process

Page 1:

After capturing the requirements, planning the access control list, and determining the location, configure the ACL. Each ACL requires a unique identifier. This identifier can be either a number or a descriptive name. In numbered access control lists, the number identifies the type of ACL created:
- Standard IP ACLs have numbers in the ranges from 1 to 99 and from 1300 to 1999.
- Extended IP ACLs have numbers in the ranges from 100 to 199 and from 2000 to 2699.
It is also possible to create AppleTalk and IPX ACLs. The limit for any one router interface is one ACL per protocol per direction. If a router is running IP exclusively, each interface handles a maximum of two ACLs: one inbound and one outbound. Since each ACL compares every packet passing through an interface, ACLs add to latency.

8.3.2 - Basic ACL Configuration Process

The diagram depicts the following guidelines for ACL processing and creation.

ACL Processing and Creation Guidelines
- Configure only one access list per protocol per direction.
- Apply standard access lists closest to the destination.
- Apply extended access lists closest to the source.
- Use the correct number range for the type of list.
- Determine the inbound or outbound direction by looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom.
- The packet is denied if no match is found.
- Enter the access list statements in order from specific to general.
- Configure an ACL with at least one permit statement, or all traffic will be denied.

More Information Popup: Rejected packets cause an IP access list to send an ICMP host unreachable message to the sender and discard the packet. Outbound filters do not affect traffic that originates from the local router. An implicit deny any is at the end of all access lists (it does not appear in the listing). Create your ACLs in a text editor to make them easier to edit. You can copy and paste ACL statements into the router.

Page 2:

Configuring an access control list requires two steps: creation and application.

ACL Creation

Enter global configuration mode. Using the access-list command, enter the access control list statements. Enter all statements with the same ACL number until the access control list is complete.
The syntax for the Standard ACL statement is:
access-list [access-list-number] [deny|permit] [source address] [source-wildcard] [log]

Since every packet is compared to every ACL statement until a match is found, the order in which statements are placed within the ACL can affect the latency introduced. Therefore, order the statements so that the more common conditions appear in the ACL before the less common ones. For example, statements that match the highest volume of traffic should be placed toward the beginning of the ACL. Keep in mind, however, that once a match is found, the packet is not compared to any other statements within the ACL. This means that if one line permits a packet, but a line further down the ACL denies it, the packet will be permitted. For this reason, plan the ACL so that the more specific requirements appear before the more general ones. In other words, deny a specific host of a network before permitting the remainder of the entire network.

Document the function of each section or statement of the ACL using the remark command:
access-list [list number] remark [text]

To delete an ACL, use the command:
no access-list [list number]

It is not possible to delete a single line from a standard or extended ACL. Instead, the ACL as a whole is deleted and must be replaced in its entirety.

8.3.2 - Basic ACL Configuration Process

The diagram depicts an ACL configuration process.

Network Topology
Two routers, R1 and R2, are directly connected to each other via a serial link. R1 has its two FastEthernet ports in use; the network addresses assigned to these networks are 192.168.1.0 /24 and 192.168.2.0 /24. R2 has its two FastEthernet ports in use; the network addresses assigned to these networks are 192.168.3.0 /24 and 192.168.4.0 /24. A server is connected with the address 192.168.3.200, and a client computer is connected with the address 192.168.4.12.

The ACL commands are listed below for placement on R2 on FastEthernet Fa0/0.
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66

Note: access-list 3 deny host 192.168.4.12 is specific. access-list 3 permit 192.168.4.0 0.0.0.255 is general.

8.3.3 Configuring Numbered Standard ACLs

Page 1:
An ACL does not filter traffic until it has been applied, or assigned, to an interface.

ACL Application
Assign an ACL to one or more interfaces, specifying either inbound traffic or outbound traffic. Apply a standard ACL as close to the destination as possible.
R2(config-if)# ip access-group [access-list-number] [in | out]

The following commands place access-list 5 on the R2 Fa0/0 interface, filtering inbound traffic:
R2(config)# interface fastethernet 0/0
R2(config-if)# ip access-group 5 in

The default direction for an ACL applied to an interface is out. Even though out is the default, it is very important to specify the direction to avoid confusion and to ensure that traffic is filtered in the correct direction.

To remove an ACL from an interface while leaving the ACL intact, use the no ip access-group interface command.

8.3.3 - Configuring Numbered Standard ACLs

The animation depicts the application of an ACL to an interface.

Network Topology
Two routers are connected by a serial link. A server and a computer are connected to each FastEthernet port of R2. One computer is connected to the FastEthernet port of R1.

The commands for configuring the ACL are listed below:
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66

After the ACL is configured on R2, packets still travel freely across the network.
The commands for applying the ACL are listed below:
R2(config)# interface Fa0/0
R2(config-if)# ip access-group 3 out

Once the ACL is applied to the Fa0/0 interface of R2, the appropriate traffic from 192.168.4.12 is denied.

Page 2:
Several ACL commands evaluate the proper syntax, order of statements, and placement on interfaces.

show ip interface
Displays IP interface information and indicates any assigned ACLs.

show access-lists [access-list-number]
Displays the contents of all ACLs on the router. It also displays the number of matches for each permit or deny statement since application of the ACL. To see a specific list, add the ACL name or number as an option for this command.

show running-config
Displays all configured ACLs on a router, even if they are not currently applied to an interface.

If using numbered ACLs, statements entered after the initial creation of the ACL are added to the end. This order may not yield the desired results. To resolve this issue, remove the original ACL and recreate it. It is often recommended to create ACLs in a text editor. This allows the ACL to be easily edited and pasted into the router configuration. However, when copying and pasting the ACL, keep in mind that it is important to remove the currently applied ACL first; otherwise all statements will be appended to the end.

8.3.3 - Configuring Numbered Standard ACLs

The diagram depicts sample output for the following show commands on R2: show ip interface, show access-lists, and show running-config.

Network Topology
Two routers, R1 and R2, are connected by a serial link. A server and a computer are connected to each FastEthernet port of R2, and one computer is connected to the FastEthernet port of R1.

In the diagram, selecting the buttons show ip interface, show access-lists, and show running-config shows how adding an ACL to a configuration affects the output. Applying ACLs is covered in the labs, and the outputs of these commands are available once the ACL has been placed.
Page 3:

8.3.3 - Configuring Numbered Standard ACLs

The diagram depicts an activity in which you must determine the correct sequence of commands to configure and apply a standard ACL that will control entry into the 192.168.1.0 LAN.

Network Topology
R1 is connected to R2 via a serial link.
R1 is connected to the following:
LAN1 192.168.1.0 /24 via Fa0/0
LAN2 192.168.2.0 /24 via Fa0/1
R2 is connected to the following:
LAN3 192.168.3.0 /24 via Fa0/0
LAN4 192.168.4.0 /24 via Fa0/1

The 192.168.3.77 host should not be able to access the 192.168.1.0 LAN, but all other hosts on the 192.168.3.0 and 192.168.4.0 networks should be permitted access. The commands listed below are not in the correct order.
A. access-list 44 deny any
B. ip access-group 44 out
C. access-list 44 permit 192.168.4.0 0.0.0.255
D. interface Fa0/0
E. access-list 44 deny 192.168.3.77 0.0.0.0
F. access-list 44 permit 192.168.3.0 0.0.0.255

Page 4:
Lab Activity
Configure and verify a Standard ACL. Click the lab icon to begin.

8.3.3 - Configuring Numbered Standard ACLs
Link to Hands-on Lab: Configuring and Verifying Standard ACLs
Configure and verify a standard ACL.

8.3.4 Configuring Numbered Extended ACLs

Page 1:
Extended ACLs provide a greater range of control than Standard ACLs. The Extended ACL permits or denies access based on source IP address, destination IP address, protocol type, and port numbers. Since Extended ACLs can be very specific, they tend to grow in size quickly. The more statements an ACL contains, the more difficult it is to manage.

Extended ACLs use an access-list number in the ranges 100 to 199 and 2000 to 2699. The same rules that apply to Standard ACLs also apply to Extended ACLs:
Configure multiple statements in one ACL.
Assign the same ACL number to each statement.
Use the host or any keywords to represent IP addresses.

A key difference in the Extended ACL syntax is the requirement to specify a protocol after the permit or deny condition.
This protocol can be ip, indicating all IP traffic, or it can indicate filtering on a specific IP protocol such as TCP, UDP, ICMP, or OSPF.

8.3.4 - Configuring Numbered ACLs

The diagram depicts an ACL. A brief description of each of the fields of the ACL is given. The ACL is:
R2(config)# access-list 105 permit tcp 192.168.5.0 0.0.0.255 host 172.16.5.254 eq http

ACL Fields
ACL Number - 105
Identifies an ACL with a unique number. A standard ACL uses numbers in the range of 1 to 99, and 1300 to 1999. Extended ACLs use numbers in the range of 100 to 199, and 2000 to 2699.

Condition - permit
Identifies whether a packet is to be permitted or denied.

Protocol - tcp
Identifies Layer 3 / 4 protocols. Common options include:
EIGRP - Cisco's EIGRP routing protocol
ESP - Encapsulation Security Payload
GRE - Cisco's GRE tunneling
ICMP - Internet Control Message Protocol
IGMP - Internet Gateway Message Protocol
IP - Any Internet Protocol
TCP

Source IP Address - 192.168.5.0 0.0.0.255
Identifies the IP address of the source of the packet. This value can be:
An individual host address
A range of host addresses
The host parameter
The any parameter

Destination IP Address - host 172.16.5.254
Identifies the IP address of the destination of the packets. This value can be:
An individual host address
A range of host addresses
The host parameter
The any parameter

Matching Condition - eq
Determines whether the port field must match the application equally, greater than, less than, and so on.

Application - http
Identifies the application either by port number or by acronym.

Page 2:
There are often many different ways to meet a set of requirements. For example, a company has a server with the address 192.168.3.75. It has the following requirements:
Allow access to hosts on the 192.168.2.0 LAN.
Allow access to host 192.168.1.66.
Deny access to hosts on the 192.168.4.0 LAN.
Permit access to everyone else in the enterprise.
There are at least two possible solutions that satisfy these requirements. When planning the ACL, try to minimize statements where possible. Some ways to minimize statements and reduce the processing load on the router include:
Match high-volume traffic and deny blocked traffic early in the ACL. This approach ensures that those packets are not compared to later statements.
Consolidate multiple permit and deny statements into a single statement using ranges.
Consider denying a particular group rather than permitting a larger, opposite group.

8.3.4 - Configuring Numbered ACLs

The diagram depicts numbered extended ACL configuration.

Network Topology
Two routers are directly connected by a serial link. Two LANs, LAN3 and LAN4, are directly connected to the FastEthernet ports of R2. LAN3 has one server connected. Two LANs, LAN1 and LAN2, are directly connected to the FastEthernet ports of R1. LAN1 has one computer connected.

In this topology, traffic from the 192.168.4.0 /24 network should not be able to access the server 192.168.3.75. However, all other traffic should be allowed. Below are two options that can be used to configure this ACL. Both options achieve the same results.

Option A
R2(config)# access-list 103 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface Fa0/0
R2(config-if)# ip access-group 103 out

Option B
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface Fa0/0
R2(config-if)# ip access-group 103 out

Page 3:

8.3.4 - Configuring Numbered ACLs

The diagram depicts an activity in which you must determine whether packets will be permitted or denied, based on the ACL listed below.

Network Topology
There are two routers, R1 and R2.
Host 192.168.1.66 connects to R1 via Fa0/0. Network 192.168.2.0 /24 connects to R1 via Fa0/1. R1 connects to R2 via S0/0/0, 172.16.1.0 /30. R2 connects to LAN 192.168.4.0 /24, where the host 192.169.4.12 is connected, via Fa0/1. R2 connects to server 192.168.3.200 /24 via Fa0/0.

ACL Statement
ACL 103 applied to R1 interface Fa0/0 - Inbound
access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
access-list 103 permit ip host 192.168.1.77 host 192.168.3.75
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip any any (implied)

Packets to evaluate:
Source IP: 192.168.1.66, Destination IP: 192.168.3.51
Source IP: 192.168.1.66, Destination IP: 192.168.3.75
Source IP: 192.168.1.88, Destination IP: 192.168.2.51
Source IP: 192.168.1.88, Destination IP: 192.168.3.75
Source IP: 192.168.1.77, Destination IP: 192.168.3.75
Source IP: 192.168.1.33, Destination IP: 192.168.2.34

Page 4:
Lab Activity
Plan, configure, and verify an Extended ACL. Click the lab icon to begin.

8.3.4 - Configuring Numbered ACLs
Link to Hands-on Lab: Planning, Configuring, and Verifying Extended ACLs
Plan, configure, and verify an Extended ACL.

8.3.5 Configuring Named ACLs

Page 1:
Cisco IOS versions 11.2 and higher can create Named ACLs (NACLs). In an NACL, a descriptive name replaces the numerical ranges required for Standard and Extended ACLs. Named ACLs offer all the functionality and advantages of Standard and Extended ACLs; only the syntax for creating them is different.

The name given to an ACL must be unique. Using capital letters in the name makes it easier to recognize in router command output and during troubleshooting.

A Named ACL is created with the command:
ip access-list {standard | extended} name

After issuing this command, the router switches to NACL configuration subcommand mode.
After the initial naming command, enter all permit and deny statements, one at a time. NACLs use Standard or Extended ACL command syntax starting with the permit or deny statement.

Apply a Named ACL to an interface in the same manner as a Standard or Extended ACL. The commands that help with evaluating Named ACLs for proper syntax, order of statements, and placement on interfaces are the same as the commands for Standard ACLs.

8.3.5 - Configuring Named ACLs

The diagram depicts a person configuring a router. The commands used to configure the router are listed below:
R1(config)# ip access-list extended SALES-ONLY
R1(config-ext-nacl)# permit ip 192.168.1.66 0.0.0.0 any
R1(config-ext-nacl)# permit ip 192.168.1.77 0.0.0.0 any
R1(config)# interface Fa0/0
R1(config-if)# ip access-group SALES-ONLY in

Page 2:
Editing ACLs with older versions of IOS makes it necessary to:
Copy the ACL to a text editor.
Remove the ACL from the router.
Recreate and apply the edited version.

Unfortunately, this process allows all traffic to flow through the interface during the editing cycle, thereby leaving the network open to potential security breaches.

With current versions of IOS, edit numbered and Named ACLs using the ip access-list command. ACLs display with the lines numbered as 10, 20, 30, and so forth. To see the line numbers, use the command:
show access-lists

To edit an existing line:
Remove the line using the no [line number] command.
Re-add the same line using its line number.

To insert a new line between existing lines 20 and 30:
Issue the new ACL statement, starting with a number between the two existing lines, such as 25.
Issue the show access-lists command to display the lines re-sorted and renumbered by 10s.

8.3.5 - Configuring Named ACLs

The diagram depicts two editing techniques: Delete/Change and Insert.
The commands used in these techniques are listed below:

Delete/Change
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 20 permit ip host 192.168.1.77 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
    10 permit ip host 192.168.1.66 host 192.168.3.75
    20 permit ip host 192.168.1.77 any
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Insert
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# 25 deny ip host 192.168.1.88 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
    10 permit ip host 192.168.1.66 host 192.168.3.75
    20 permit ip host 192.168.1.77 any
    25 deny ip host 192.168.1.88 any
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Page 3:
Packet Tracer Activity
Configure and verify a Standard Named ACL. Click the Packet Tracer icon to begin.

8.3.5 - Configuring Named ACLs
Link to Packet Tracer Exploration: Configuring and Verifying Standard Named ACLs
Configure and verify a Standard Named ACL.

Page 4:
Lab Activity
Configure and verify an Extended Named ACL. Click the lab icon to begin.

8.3.5 - Configuring Named ACLs
Link to Hands-on Lab: Configuring and Verifying Extended Named ACLs
Configure and verify an Extended Named ACL.

8.3.6 Configure Router VTY Access

Page 1:
Network administrators often need to configure a router located at a remote location. To log into the remote router, they use a program such as Telnet or a Secure Shell (SSH) client. Telnet transmits the username and password in plain text and, therefore, is not very secure. SSH transmits the username and password information in an encrypted format. When a network administrator connects to a remote router using Telnet, the router initiates an inbound session. Telnet and SSH are in-band network management tools and require the IP protocol and a network connection to the router.
The purpose of restricting virtual teletype terminal (VTY) access is to increase network security. Outside intruders may attempt to gain access to a router. If an access control list is not in place on the router virtual ports, anyone who can determine the Telnet username and password can gain entry. If an ACL that permits only specific IP addresses is applied to the router VTY ports, anyone trying to telnet to the router from an IP address not permitted in the ACL will be denied access. Keep in mind, however, that this can create issues if the administrator must connect to the router from different locations using different IP addresses.

8.3.6 - Configure Router VTY Access

The diagram depicts router VTY access configuration.

Network Topology
An Internet cloud is directly connected to a router, labeled 01234, by a serial link. Also connected to the Internet cloud is a network administrator who telnets from a local machine with the IP address 209.165.202.130 to the address 209.165.200.225. The last connection is from a hacker located outside the Internet cloud. The IP address of the hacker is 209.165.201.5. The hacker telnets to the address 209.165.200.225 of router 01234.

The router has the following commands entered at the console session:
R1(config)# access-list 3 permit host 209.165.202.130
R1(config)# line vty 0 4
R1(config-line)# access-class 3 in

The network administrator is permitted Telnet access to router 01234, while the hacker's request for a Telnet session is denied.

Page 2:
The process used to create the VTY access control list is the same as for an interface. However, applying the ACL to a VTY line uses a different command. Instead of the ip access-group command, use the access-class command.

Follow these guidelines when configuring access lists on VTY lines:
Apply a numbered ACL, not a Named ACL, to the VTY lines.
Place identical restrictions on all VTY lines, because it is not possible to control the line on which a user may connect.
VTY sessions are established between the Telnet client software and the destination router. The network administrator establishes a session with the destination router, enters a username and password, and makes configuration changes.

8.3.6 - Configure Router VTY Access

The diagram depicts the configuration of the Standard Numbered ACL and the VTY lines, and the application of the ACL.

Network Topology
Two routers, R1 and R2, are directly connected to each other by a serial link. The network address bound to this link is 192.168.2.0. Connected to FastEthernet Fa0/0 of R2 is the network 192.168.3.0. The network connected to the FastEthernet port of R1 is 192.168.1.0. Within this network, connected to R1, is the client 192.168.1.23.

The client announces, "I need to configure a Standard Numbered ACL, so that only I can configure the router remotely." The following command is used to configure access to R1:
R1(config)# access-list 2 permit host 192.168.1.23

The client then announces, "I need to configure the VTY lines and apply the ACL." The client then enters the commands listed below:
R1(config)# line vty 0 4
R1(config-line)# login
R1(config-line)# password its a secret
R1(config-line)# access-class 2 in

Page 3:
Lab Activity
Configure and verify router VTY restrictions. Click the lab icon to begin.

8.3.6 - Configure Router VTY Access
Link to Hands-on Lab: Configuring and Verifying VTY Restrictions
Configure and verify router VTY restrictions.

Page 4:
Packet Tracer Activity
Plan, configure, and verify Standard, Extended, and Named ACLs. Click the Packet Tracer icon to begin.

8.3.6 - Configure Router VTY Access
Link to Packet Tracer Exploration: Planning, Configuring, and Verifying Standard, Extended, and Named ACLs
Plan, configure, and verify Standard, Extended, and Named ACLs.

8.4 Permitting and Denying Specific Types of Traffic

8.4.1 Configuring ACLs for Application and Port Filtering

Page 1:
Extended ACLs filter on source and destination IP addresses.
It is often desirable to filter on even more specific packet details. OSI Layer 3 network protocols, Layer 4 transport protocols, and application ports provide this capability. Some of the protocols available to use for filtering include IP, TCP, UDP, and ICMP.

Extended ACLs also filter on destination port numbers. These port numbers describe the application or service required by the packet. Each application has a registered port number assigned. The router must investigate the Ethernet frame to extract all of the IP address and port number information required for comparison with ACLs.

In addition to entering port numbers, it is necessary to specify a condition before the statement is matched. The abbreviations most commonly used are:
eq - equals
gt - greater than
lt - less than

Consider the following example:
R1(config)# access-list 122 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.89 eq 80

This ACL statement permits traffic from 192.168.1.0 that is requesting HTTP access using port 80. If a user attempts to telnet or FTP into host 192.168.2.89, the user is denied due to the implicit deny statement assumed at the end of every access list.

8.4.1 - Configuring ACLs for Application and Port Filtering

The diagram depicts a frame header with the Source IP, the Destination IP, and the Destination Port Number highlighted for the following ACL:
access-list 101 permit tcp host 192.168.1.5 host 192.168.3.7 eq 80

Page 2:
Filtering based on a particular application requires knowledge of the port number for that application. Applications are associated with both a port number and a name. An ACL can reference port 80 or HTTP. If neither the port number nor the name is known for an application, try these steps for locating that information:
1. Research one of the IP addressing registry sites on the web, such as http://www.iana.org/
2. Refer to the software documentation.
3. Refer to the website of the application vendor.
4.
Use a packet sniffer and capture data from the application.
5. Use the ? option in the access-list command. The list includes well-known port names and numbers for the TCP protocol.

Some applications use more than one port number. For example, FTP data transmits using port 20, but the session control that makes FTP possible uses port 21. To deny all FTP traffic, deny both ports. To accommodate multiple port numbers, Cisco IOS ACLs filter a range of ports. Use the gt, lt, or range operators in the ACL statement to accomplish this. For example, two FTP ACL statements can be combined into one with the command:
R1(config)# access-list 181 deny tcp any 192.168.77.0 0.0.0.255 range 20 21

8.4.1 - Configuring ACLs for Application and Port Filtering

The diagram depicts a list of TCP port names and numbers for the following command:
R1(config)# access-list 101 permit tcp host 192.168.1.1 host 192.168.2.89 eq ?

The computer user says, "I need to filter email traffic. What port numbers should I filter?" The following protocols are highlighted:
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)

Page 3:
Packet Tracer Activity
Configure and verify Extended ACLs that filter on port numbers. Click the Packet Tracer icon to begin.

8.4.1 - Configuring ACLs for Application and Port Filtering
Link to Packet Tracer Exploration: Configuring and Verifying Extended ACLs
Configure and verify Extended ACLs that filter on port numbers.

8.4.2 Configuring ACLs to Support Established Traffic

Page 1:
ACLs are often created to protect an internal network from outside sources. However, while protecting the internal network, the ACL should still allow internal users access to all resources. When internal users access external resources, the replies carrying those resources must pass through the ACL. For example, should an internal user wish to establish a connection with an external web server, the ACL must permit the requested HTML packets.
Due to the ACL's use of implicit deny, resources must be specifically permitted by the ACL. Individual permit statements for all possible requested resources can result in a long ACL and leave security holes. To resolve this issue, it is possible to create a single statement that permits internal users to establish a TCP session with external resources. Once the TCP three-way handshake is accomplished and the connection is established, all packets sent between the two devices will be permitted. To accomplish this, use the keyword established:
access-list 101 permit tcp any any established

Using this statement, all external TCP packets will be permitted under the condition that they are responses to internal requests. Permitting the incoming responses to established communications is a form of Stateful Packet Inspection (SPI).

In addition to established traffic, it may be necessary for an internal user to ping external devices. It is not desirable, however, to allow external users to ping or trace a device on the inside network. In this case, a statement using the keywords echo-reply and unreachable can be written to permit ping responses and unreachable messages. A ping originating from external sources, however, will be denied unless specifically permitted in another statement.

8.4.2 - Configuring ACLs to Support Established Traffic

The animation shows how an ACL is used to stop specific traffic from entering an internal network while allowing the same kind of traffic when it originates from the internal network.

Network Topology
An internal network has hosts H1 and H2 connected by a switch to router R1. R1 is connected to router R2 via a serial connection. R2 is part of the ISP cloud, which also includes a web server. A foreign network with host H3 is also connected to the ISP.

H1 sends a request to the web server. The packet successfully travels across the network to the web server. The web server sends a response.
When the response reaches Fa0/0 of R1, the following ACL statement is matched and the packet is allowed access to H1:
access-list 101 permit tcp any any established

Next, H2 sends a ping, also known as an echo request, to R2. R2 sends a ping echo reply back to H2. When the reply reaches Fa0/0 of R1, the following ACL statement is matched and the packet is allowed access to H2:
access-list 101 permit icmp any any echo-reply

Finally, H3, located on the foreign network, sends a ping echo request to the internal network. When the ping reaches Fa0/0 of R1, the following ACL statement is matched and the packet is denied:
access-list 101 deny ip any any

The output of R1's command prompt is as follows:
R1(config)# access-list 101 permit tcp any any established
R1(config)# access-list 101 permit icmp any any echo-reply
R1(config)# access-list 101 permit icmp any any unreachable
R1(config)# access-list 101 deny ip any any
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 out

Page 2:

8.4.2 - Configuring ACLs to Support Established Traffic

The diagram depicts an activity in which you must determine whether the packets will be permitted or denied, based on their source and destination addresses, by the following ACL statements.

ACL Statement
R1(config)# access-list 101 permit tcp any any established
R1(config)# access-list 101 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 in

Network Topology
There are two routers, R1 and R2. R1 is connected to R2 via serial link S0/0/0. R1 has networks 192.168.2.0 and 192.168.3.0 attached. R2 has network 192.168.1.0 attached to interface Fa0/0.
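The evaluator below is an added example, not course material: it implements the matching rules described in 8.3.2 (statements compared top to bottom, first match wins, implicit deny at the end), wildcard masks, protocol and port tests, and the established and echo-reply keywords, then runs them against ACL 103 from the 8.3.4 activity and against ACL 101 above with the six packets listed under Packet Information below. Class and function names are my own; a TCP "response" is assumed to carry the ACK bit and a "request" to be the opening SYN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: every address bit is "don't care"

def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")            # 'host A.B.C.D' is shorthand for wildcard 0.0.0.0

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard 1 bits are ignored; only the positions holding a 0 bit are compared."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                   # ip | tcp | udp | icmp
    dport: Optional[int] = None         # TCP/UDP destination port
    ack_or_rst: bool = False            # TCP ACK or RST bit set (a reply segment)
    icmp_type: Optional[str] = None     # e.g. "echo-request", "echo-reply"

@dataclass
class Rule:
    action: str                         # permit | deny
    proto: str = "ip"                   # 'ip' matches every IP protocol
    src: Tuple[str, str] = ANY          # (address, wildcard)
    dst: Tuple[str, str] = ANY
    port: Optional[tuple] = None        # ("eq", 80) | ("gt", n) | ("lt", n) | ("range", 20, 21)
    established: bool = False           # TCP 'established' keyword
    icmp_type: Optional[str] = None     # ICMP keyword such as 'echo-reply'

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        if self.port is not None:
            if pkt.dport is None:
                return False
            op, *b = self.port
            hit = {"eq": pkt.dport == b[0], "gt": pkt.dport > b[0],
                   "lt": pkt.dport < b[0], "range": b[0] <= pkt.dport <= b[-1]}[op]
            if not hit:
                return False
        # 'established' matches only segments with ACK or RST set, i.e. replies to a
        # session the inside host opened; an outside host's opening SYN never matches.
        if self.established and not pkt.ack_or_rst:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def evaluate(acl, pkt: Packet):
    """Top to bottom, first match wins; returns (action, statement number), None = implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None

# ACL 103 from the 8.3.4 activity, applied inbound on R1 Fa0/0
ACL_103 = [
    Rule("permit", "ip", host("192.168.1.66"), host("192.168.3.75")),
    Rule("permit", "ip", host("192.168.1.77"), host("192.168.3.75")),
    Rule("deny", "ip", ("192.168.1.0", "0.0.0.255"), host("192.168.3.75")),
    Rule("deny", "ip", ("192.168.1.0", "0.0.0.255"), ("192.168.4.0", "0.0.0.255")),
    Rule("permit", "ip", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
]

# ACL 101 from the 8.4.2 activity, applied inbound on R1 S0/0/0
ACL_101 = [
    Rule("permit", "tcp", ANY, ANY, established=True),
    Rule("permit", "icmp", ANY, ("192.168.3.0", "0.0.0.255"), icmp_type="echo-reply"),
]

def activity_834():
    """The six source/destination pairs of the 8.3.4 activity, checked against ACL 103."""
    pairs = [("192.168.1.66", "192.168.3.51"), ("192.168.1.66", "192.168.3.75"),
             ("192.168.1.88", "192.168.2.51"), ("192.168.1.88", "192.168.3.75"),
             ("192.168.1.77", "192.168.3.75"), ("192.168.1.33", "192.168.2.34")]
    return [evaluate(ACL_103, Packet(s, d)) for s, d in pairs]

def activity_842():
    """The six packets of the 8.4.2 activity. A 'response' is modelled as a TCP segment
    with ACK set; a 'request' is the opening SYN, which carries no ACK bit."""
    packets = [
        Packet("192.168.1.77", "192.168.3.75", "icmp", icmp_type="echo-reply"),
        Packet("192.168.1.77", "192.168.2.75", "icmp", icmp_type="echo-request"),
        Packet("192.168.1.15", "192.168.2.44", "tcp", ack_or_rst=True),   # FTP response
        Packet("192.168.1.25", "192.168.3.44", "tcp", ack_or_rst=True),   # web response
        Packet("192.168.1.66", "192.168.3.12", "tcp", dport=80),          # web request
        Packet("192.168.1.66", "192.168.2.12", "icmp", icmp_type="echo-reply"),
    ]
    return [evaluate(ACL_101, p) for p in packets]
```

The statement number returned alongside each verdict shows which line matched first, which is what `show access-lists` match counters would reveal on a real router.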
Packet Information
Source IP: 192.168.1.77, Destination IP: 192.168.3.75, Packet type: echo-reply
Source IP: 192.168.1.77, Destination IP: 192.168.2.75, Packet type: echo-request
Source IP: 192.168.1.15, Destination IP: 192.168.2.44, Packet type: FTP response
Source IP: 192.168.1.25, Destination IP: 192.168.3.44, Packet type: Web response
Source IP: 192.168.1.66, Destination IP: 192.168.3.12, Packet type: Web request
Source IP: 192.168.1.66, Destination IP: 192.168.2.12, Packet type: echo-reply

8.4.3 Effects of NAT and PAT on ACL Placement

Page 1:
Implementing NAT and PAT may create a problem when planning ACLs. Network administrators need to account for the address translation when creating and applying ACLs to interfaces where NAT occurs. When using NAT with ACLs, it is important to know how they interact in the router.

1. If the packet comes inbound into a NAT outside interface, the router:
Applies the inbound ACL
Translates the destination address from outside to inside, or global to local
Routes the packet
2. If the packet goes outbound through a NAT outside interface, the router:
Translates the source address from inside to outside, or local to global
Applies the outbound ACL

Plan the ACL so that it filters either the private or the public addresses, depending on the relationship with NAT. If traffic is inbound or outbound on a NAT outside interface, the addresses to filter are the public ones.

8.4.3 - Effects of NAT and PAT on ACL Placement

The animation depicts a conflict between NAT and an ACL statement that has been implemented. Users on the 10.1.0.0 /16 network have been given access to a server by an ACL statement; however, because of NAT the ACL blocks their traffic.

ACL Statement
R1(config)# access-list 101 permit ip 10.1.0.0 0.0.255.255 host 209.165.200.230
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 out

Network Topology
There are two routers, R1 and R2. R1 is connected to R2 via serial link S0/0/0.
R1 has network 10.1.0.0 /16 attached on its Fa0/0 interface. R2 is connected to an ISP cloud containing a web server, 209.165.200.230.

A packet from the 10.1.0.0 /16 network is sent to the server 209.165.200.230. When the packet reaches S0/0/0 of R1, NAT, enabled on R1, translates the source address from the private 10.1.0.0 /16 address to the public address 209.165.200.226. The ACL is unable to match this newly translated address, so the packet is denied. The computer user in the diagram asks, "Why can't the users on the 10.1.0.0 network access the server?"

Page 2:
Lab Activity
Configure an ACL with NAT. Click the lab icon to begin.

8.4.3 - Effects of NAT and PAT on ACL Placement
Link to Hands-on Lab: Configure an ACL with NAT

8.4.4 Analyzing Network ACLs and Placement

Page 1:
Network administrators evaluate the effect of every statement in an ACL prior to implementation. An improperly designed ACL can immediately cause problems when it is applied to an interface. These problems range from a false sense of security to an unnecessary load on a router or even a non-functioning network.

Administrators need to examine the ACL, one line at a time, and answer the following questions:
What service does the statement deny?
What is the source and what is the destination?
What port numbers are denied?
What would happen if the ACL were moved to another interface?
What would happen if the ACL filtered traffic in a different direction?
Is NAT an issue?

When evaluating an Extended ACL, it is important to remember these key points:
The keyword tcp permits or denies protocols like FTP, HTTP, Telnet, and so on.
The key phrase permit ip is used to permit all IP, including any TCP, UDP, and ICMP protocols.

8.4.4 - Analyzing Network ACLs and Placement

The diagram depicts the placement and use of ACLs to filter traffic to and from specific parts of a network.

Network Topology
There are four routers, Main, Sales, HQ, and R1.
HQ is attached to Main and Sales via serial links. Main is attached to Sales via a serial link. HQ is attached to R1 via a serial link on HQ interface S0/0/0. HQ has network 192.168.1.0/24 connected to interface Fa0/0. Network 192.168.1.0/24 contains a server farm with three servers (IP 192.168.1.3 - .15) as well as two hosts: Net Admin, 192.168.1.2, and H1, 192.168.1.30. Main has network 192.168.5.0/24 connected to interface Fa0/0, with the Payroll Server at 192.168.5.57. Sales has network 192.168.3.0/24 attached on interface Fa0/0, with the File Server at 192.168.3.39.

There are ACLs on the Fa0/0 interfaces of the HQ, Main, and Sales routers, and an ACL on the S0/0/0 interface of HQ. The ACLs and the function of each statement are as follows.

HQ S0/0/0 ACL (HQ - Extended ACL 105 - Interface S0/0/0 IN)
access-list 105 permit icmp any any echo-reply - Allow pings from inside to return from the Internet
access-list 105 permit icmp any any unreachable - Allow error messages to return from the Internet
access-list 105 permit tcp any any established - Allow return traffic of established TCP sessions from the Internet

HQ Fa0/0 ACL (HQ - Extended ACL 100 - Interface Fa0/0 IN)
access-list 100 permit ip 192.168.1.0 0.0.0.15 any - Allow Net Admin and the server farm full access
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 - Deny user PCs Telnet access
access-list 100 permit ip any any - Allow all other traffic

Sales Fa0/0 ACL (Sales - Extended ACL 122 - Interface Fa0/0 IN)
access-list 122 deny ip 192.168.3.0 0.0.0.255 host 192.168.5.57 - Deny access from this net to the Payroll Server
access-list 122 permit tcp 192.168.3.0 0.0.0.255 any range 20 21 - Allow all users on this net access to FTP data and FTP session control (FTP runs over TCP)
access-list 122 permit udp 192.168.3.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
access-list 122 permit tcp 192.168.3.0 0.0.0.255 any eq 80 - Allow all users on this net access to Web services

Main Fa0/0 ACL (Main - Extended ACL 111 -
Interface Fa0/0 IN)
access-list 111 permit ip host 192.168.5.57 any - Allow the Payroll Server access to anywhere
access-list 111 permit udp 192.168.5.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
access-list 111 permit tcp 192.168.5.0 0.0.0.255 any eq 80 - Allow all users on this net access to Web services

Page 2:

8.4.4 - Analyzing Network ACLs and Placement

The diagram depicts an activity in which you must create an extended ACL given the following requirements and network topology. Some components will not be used.

Network Topology

There are two routers, R1 and R2. R1 is connected to R2 via a serial link (R1: S0/0/0, R2: S0/0/0). R2 has network 10.1.1.0/24 attached to interface Fa0/0. R2 has network 10.1.2.0/24 attached to interface Fa0/1. R1 has network 192.168.1.0/25 attached to interface Fa0/0. R1 has a Web Server attached to interface Fa0/0 (Web Server IP: 192.168.1.84).

Create the numbered extended ACL statement that will allow only users on network 10.1.1.0/24 HTTP access to the Web Server on network 192.168.1.0. The ACL will be applied to the R2 S0/0/0 interface outbound. Select from the following components to populate the nine fields of the numbered extended ACL statement.

Components
Choice 1. 99
Choice 2. ip
Choice 3. 192.168.1.0
Choice 4. deny
Choice 5. 0.0.255.255
Choice 6. access-list
Choice 7. 10.1.2.0
Choice 8. 192.168.1.84
Choice 9. permit
Choice 10. 10.1.1.0
Choice 11. udp
Choice 12. eq 80
Choice 13. 0.0.0.255
Choice 14. 101
Choice 15. eq 21
Choice 16. host
Choice 17. any
Choice 18. tcp

8.4.5 Configuring ACLs with Inter-VLAN Routing

Page 1:

When routing between VLANs in a network, it is sometimes necessary to control traffic from one VLAN to another using ACLs. Apply ACLs directly to VLAN interfaces or subinterfaces on a router just as with physical interfaces. Enterprise networks typically place servers on a different VLAN than user groups. In such cases, access to the server VLAN requires filtering.
All rules and guidelines for creation and application are the same for ACLs on VLAN subinterfaces as they are for physical interfaces.

8.4.5 - Configuring ACLs with Inter-VLAN Routing

The diagram depicts the use of VLANs to separate network devices.

Network Topology

There are two VLANs. VLAN 1 contains three servers, and VLAN 2 contains three hosts. Both VLANs are connected through a switch, S1, which is connected to a router, R1.

Page 2:

Lab Activity

Configure and verify ACLs to filter inter-VLAN traffic. Click the lab icon to begin.

8.4.5 - Configuring ACLs with Inter-VLAN Routing

Link to Hands-on Lab: Configuring and Verifying ACLs to Filter Inter-VLAN Traffic

Page 3:

Packet Tracer Activity

Configure and verify an extended ACL that creates a DMZ and protects the corporate network. Click the Packet Tracer icon to begin.

8.4.5 - Configuring ACLs with Inter-VLAN Routing

Link to Packet Tracer Exploration: Configuring and Verifying Extended ACLs with a DMZ

8.5 Filtering Traffic Using Access Control Lists

8.5.1 Using Logging to Verify ACL Functionality

Page 1:

After writing an ACL and applying it to an interface, a network administrator evaluates the number of matches. A match occurs when the fields of an incoming packet equal all of the comparison fields in an ACL statement. Viewing the number of matches helps to identify whether the ACL statements are having the desired effect.

By default, the router counts the matches for each ACL statement and displays the count at the end of that statement. View the matches using the following command:

show access-lists

The basic match counts displayed by show access-lists give, for each statement, the number of packets that matched it. The output does not indicate the source or destination of those packets or the protocols in use.
For additional details on the packets permitted or denied, activate logging. Logging is enabled per ACL statement: add the log keyword to the end of each statement to be tracked. Use logging for a short time only, to complete testing of the ACL, because logging each match places an additional load on the router.

8.5.1 - Using Logging to Verify ACL Functionality

This animation depicts the two methods of viewing ACL matches: the default match counters and logging.

Default

Network Topology

Host H1 has the IP address 192.168.1.2. Host H2 has the IP address 192.168.1.3. Both hosts are connected to Fa0/0 of R1, and the ACL has been placed on Fa0/0. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between the two routers is on the network 192.168.2.0. R2 is connected via Fa0/0 to H3. Host H3 has the address 192.168.3.11.

The ACL configuration is as follows:

R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 123 in
R1(config-if)# end
R1# show access-lists 123
Extended IP access list 123
    10 deny tcp host 192.168.1.2 host 192.168.3.11 eq telnet (1 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (1 matches)

H1 sends a Telnet packet to 192.168.3.11. When the packet reaches Fa0/0 of R1, statement 10 denies it, and the animation highlights the match counter of that statement in the show access-lists output.

Next, H2 sends a packet onto the network. When the packet reaches Fa0/0 of R1, statement 20 permits it, and the animation highlights the match counter of that statement in the output.
Looking at the show access-lists output after the packets have passed shows where matches were made and whether the matched packets were denied or permitted.

Logging

Network Topology

H1 has the IP address 192.168.1.2. H1 connects to Fa0/0 of router R1. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between these two routers is on the network 192.168.2.0. R2 is connected via Fa0/0 to host H2. H2 has the address 192.168.3.11.

The ACL configuration is as follows:

R1(config)# no access-list 123
R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23 log
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any log
R1(config)# access-list 123 deny ip any any log
R1(config)# end
R1#

H1 sends three packets onto the network. The following logged messages from the router describe the outcome.

H1 sends the first packet from its address 192.168.1.2 to destination 192.168.3.11, UDP port 30:

*Sep 9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) -> 192.168.3.11(30), 1 packet

H1 sends the second packet from 192.168.1.2 to destination 192.168.3.11, TCP port 23:

*Sep 9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 1 packet

H1 sends the third packet from 192.168.1.2 to destination 192.168.3.20 using ICMP (echo request, type 8 code 0). ICMP matches are reported with the IPACCESSLOGDP message, which carries the ICMP type and code instead of port numbers:

*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.168.1.2 -> 192.168.3.20 (8/0), 1 packet

Note that the denied message for the third packet is the form produced by the final deny ip any any log statement; with the permit statement exactly as written above, a packet from 192.168.1.2 to 192.168.3.20 would already match statement 20 and be permitted. When a logged packet is denied unexpectedly, check which statement the counters in show access-lists attribute the match to.

Page 2:

Logging to the console consumes router resources, which are limited. Instead, configure the router to send logging messages to an external server.
These messages, called syslog messages, can then be viewed both in real time and at a later date. Syslog defines eight message severity levels, ranging from 0, representing an emergency or an unusable system, to 7, representing debugging messages.

ACL logging generates an informational (severity 6) message that contains:
- The ACL number
- Whether the packet was permitted or denied
- The source and destination addresses
- The number of packets

The message is generated for the first packet that matches a statement and then, while matches continue, at 5-minute intervals with the number of packets matched during the interval.

To turn off console logging, use:

no logging console

To turn off all debugging, use:

undebug all

To turn off a specific debug, such as ip packet, use:

no debug ip packet

8.5.1 - Using Logging to Verify ACL Functionality

The diagram depicts a desktop PC with a large red alert sign displayed on the screen.

More Information Popup

Logging levels, by severity:
- 0 emergencies - System is unusable
- 1 alerts - Immediate action needed
- 2 critical - Critical conditions
- 3 errors - Error conditions
- 4 warnings - Warning conditions
- 5 notifications - Normal but significant conditions
- 6 informational - Informational messages
- 7 debugging - Debugging messages

Other logging keywords that are not severity levels:
- filtered - Enable filtered logging
- guaranteed - Guarantee console messages
- xml - Enable logging in XML

Page 3:

Lab Activity

Configure ACLs and verify using the show access-lists command and console logging. Click the lab icon to begin.
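The logged entries in the animation above carry exactly the fields listed here, and a syslog server or script can extract them mechanically. The parser below is an added example written for this edition, not course or Cisco code: it reads %SEC-6-IPACCESSLOGP messages (TCP and UDP, with port numbers) and %SEC-6-IPACCESSLOGDP messages (ICMP, with type and code), pulls out the ACL number, action, protocol, addresses, ports and packet count, and totals denied packets per source and per service. The sample log embedded in the block is constructed for the example: its first three lines are the messages from the animation, and the fourth is a made-up 5-minute summary message reporting 4 packets, to show why the packet count must be summed rather than the number of lines.

```python
"""Parser for the %SEC-6-IPACCESSLOG* messages that ACL logging produces.
Added example, not course or Cisco code.  Handles IPACCESSLOGP (TCP/UDP with
ports) and IPACCESSLOGDP (ICMP with type/code); standard-ACL (IPACCESSLOGS)
and other-protocol (IPACCESSLOGNP) messages are deliberately ignored."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the first three lines are the entries from the 8.5.1
# animation, the fourth is a made-up 5-minute summary line for a repeated match.
SAMPLE_LOG = """\
*Sep 9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) -> 192.168.3.11(30), 1 packet
*Sep 9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 1 packet
*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.168.1.2 -> 192.168.3.20 (8/0), 1 packet
*Sep 9 20:08:48.279: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1142) -> 192.168.3.11(23), 4 packets
"""

# Leading '*' means the router clock is not authoritative (see show clock in 8.5.2).
TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):")
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>[a-z]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s*\((?P<itype>\d+)/(?P<icode>\d+)\))?,\s+(?P<count>\d+)\s+packets?"
)


def parse_acl_log_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    ts = TS_RE.match(line)
    return {
        "timestamp": ts.group("ts") if ts else None,
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "icmp": (int(d["itype"]), int(d["icode"])) if d["itype"] else None,
        "packets": int(d["count"]),
    }


def service_of(e: dict) -> str:
    """Label the destination service: tcp/23, udp/30, icmp type 8, or just the protocol."""
    if e["dport"] is not None:
        return f'{e["proto"]}/{e["dport"]}'
    if e["icmp"] is not None:
        return f'icmp type {e["icmp"][0]}'
    return e["proto"]


def summarize(log_text: str) -> Dict[str, object]:
    """Total packets per (ACL, action), plus denied packets per source and per service.
    The packet count of each message is summed, so a summary line reporting
    '4 packets' counts as 4 packets, not as one log line."""
    entries: List[dict] = [e for e in map(parse_acl_log_line, log_text.splitlines()) if e]
    by_acl_action: Counter = Counter()
    denied_by_src: Counter = Counter()
    denied_by_service: Counter = Counter()
    for e in entries:
        by_acl_action[(e["acl"], e["action"])] += e["packets"]
        if e["action"] == "denied":
            denied_by_src[e["src"]] += e["packets"]
            denied_by_service[service_of(e)] += e["packets"]
    return {"entries": entries, "by_acl_action": by_acl_action,
            "denied_by_src": denied_by_src, "denied_by_service": denied_by_service}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["by_acl_action"]))     # {('123', 'permitted'): 1, ('123', 'denied'): 6}
    print(dict(s["denied_by_service"]))  # {'tcp/23': 5, 'icmp type 8': 1}
```

The counters answer the question the match counts in show access-lists cannot: which source sent the denied packets and which service they were aimed at. Pointing the script at the file a syslog server writes, rather than at the console, avoids the load that console logging places on the router.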
8.5.1 - Configuring ACLs and Verifying with Console Logging

Link to Hands-on Lab: Configuring ACLs and Verifying with Console Logging

8.5.2 Analyzing Router Logs

Page 1:

Logging to the console consumes router resources, which are limited. Instead, configure the router to send its logging, commonly called syslog messages, to an external server. This method allows the messages to be viewed in real time and also at a later time.

Types of reported events include the status of:
- Router interfaces
- Protocols in use
- Bandwidth usage
- ACL messages
- Configuration events

It is advisable to include the option to notify a network administrator by email, pager, or cell phone when a critical event occurs. Other configurable options include:
- Notification of new messages received
- Sorting and grouping of messages
- Filtering of messages by severity
- Removal of all or selected messages

Syslog software is available from many sources. The level of reporting and the ease of use vary with the price, but there are also several free programs available on the Internet. Syslog is a protocol supported by virtually all network equipment, including switches, routers, firewalls, storage systems, modems, wireless devices, and UNIX hosts.

8.5.2 - Analyzing Router Logs

The diagram depicts a man on his cellular phone, thinking, "The router is alerting me to an emergency on the network." In the diagram, a router is sending an emergency message to the man.

Page 2:

To use a syslog server, install the software on a Windows, Linux, UNIX, or Mac OS server and configure the router to send logged events to the syslog server. The command that specifies the IP address of the host where the syslog server is installed is, for example:

logging 192.168.3.11

When troubleshooting a problem, always enable timestamps for logging so that each message carries the time it was generated:

service timestamps log datetime msec
Be sure the router date and time are set correctly so that log files display the proper time stamp. Use the show clock command to check the date and time setting:

R1>show clock
*00:03:45.213 UTC Mon Mar 1 2007

The leading asterisk means the clock has not been set and the time is not authoritative; a router that boots without NTP shows a time like this one.

To set the clock, first set the time zone as an offset from Coordinated Universal Time (UTC, also called Greenwich Mean Time, GMT), and then set the clock. Note that the clock set command is entered in privileged EXEC mode, not in configuration mode.

To set the time zone:

R1(config)#clock timezone CST -6

To set the clock:

R1#clock set 10:25:00 Sep 10 2007

8.5.2 - Analyzing Router Logs

The diagram depicts a map of the world with a vertical line that passes through Greenwich, England, indicating Greenwich Mean Time (GMT).

Page 3:

Lab Activity

Configure ACLs and download a syslog server to record ACL activity. Click the lab icon to begin.

8.5.2 - Analyzing Router Logs

Link to Hands-on Lab: Configuring ACLs and Recording Activity to a Syslog Server

8.5.3 ACL Best Practices

Page 1:

ACLs are a very powerful filtering tool, and they take effect immediately when applied to an interface. It is far better to spend extra time planning and checking before applying an ACL than to troubleshoot after applying it.

Always test basic connectivity before applying ACLs. If pinging a host is unsuccessful because of a bad cable or an IP configuration problem, the ACL compounds the problem and makes it harder to troubleshoot.

When logging, add the deny ip any any log statement to the end of the ACL. This statement makes the implicit deny explicit, so the number of packets that matched no earlier statement can be tracked.

Use the reload in 30 command when working with remote routers and testing ACL functionality. If a mistake in an ACL blocks access to the router, remote connectivity may be lost. With this command, the router reloads in 30 minutes and reverts to the startup configuration. When satisfied with how the ACL is functioning, cancel the pending reload with reload cancel and copy the running configuration to the startup configuration.
8.5.3 - ACL Best Practices

The diagram depicts a list of best practices.

Best Practices
- Create and edit ACLs in a text editor, such as Notepad; do not edit a live ACL.
- Always test basic connectivity before applying ACLs.
- When logging, add the deny ip any any log statement to the end of the ACL.
- Use the reload in 30 command when working with remote routers and testing ACL functionality.

8.6 Chapter Summary

8.6.1 Summary

Page 1:

8.6.1 - Summary

Diagram 1, Image

The diagram depicts a router directly connected to a switch. The switch is connected to four computers on an internal network.

Diagram 1 text

Traffic filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked. ACLs enable management of traffic and of security access to and from a network and its resources. There are three types of ACLs: standard, extended, and named. ACLs filter traffic based on source and destination IP address, application, and protocol. Apply an ACL to a router interface to examine packets that are inbound or outbound.

Diagram 2, Image

The diagram depicts four lines of information, as listed below.

Wildcard masks that permit a single host (the two forms are equivalent):
172.16.22.87 0.0.0.0
host 172.22.8.17

Wildcard mask that permits the range of hosts in a /24 network:
172.16.22.0 0.0.0.255

Wildcard mask that permits an entire /16 network:
172.16.0.0 0.0.255.255

Wildcard mask that permits an entire /8 network:
10.0.0.0 0.255.255.255

Diagram 2 text

Using a wildcard mask provides flexibility and can block a range of addresses or whole networks with one statement. The wildcard mask determines which bits of the incoming address are compared with the address in the statement: a 0 bit must match, a 1 bit is ignored. To determine the wildcard mask, subtract the decimal subnet mask for an address or range from the all-255s mask (255.255.255.255). There is an implicit deny any statement at the end of every ACL. The keyword any refers to all hosts, and the keyword host refers to an individual IP address.
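The wildcard-mask rules just summarized (subtract the subnet mask from 255.255.255.255; a 0 bit must match, a 1 bit is ignored), the top-down evaluation with the implicit deny, and the NAT order of operations from 8.4.3 can all be checked in code. The block below is an added example written for this edition, not part of the course: it parses extended access-list statements in the chapter's own syntax, evaluates packets against them in order, and models the case from the 8.4.3 animation in which the source of an outbound packet is translated to 209.165.200.226 before the outbound ACL on the NAT outside interface is applied. The ACL statements and addresses are the chapter's; the packet 10.1.0.5 and the Python model of the router are assumptions for illustration.

```python
"""Wildcard masks, top-down ACL evaluation with the implicit deny, and the NAT
order of operations from 8.4.3.  Added example, not course code.  The ACL
statements and addresses are the chapter's; the router model is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = 255.255.255.255 minus the dotted-decimal subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    dport: Optional[int] = None


def _address_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (extended ACL syntax)."""
    t = line.split()
    action, proto = t[2], t[3].lower()
    src, src_wc, i = _address_spec(t, 4)
    dst, dst_wc, i = _address_spec(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "port": port}


def evaluate(acl: List[dict], pkt: Packet) -> Tuple[str, int]:
    """Statements are tested top to bottom and the first match decides.  No match
    means the implicit 'deny ip any any', reported here as line 0."""
    for line_no, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(pkt.dst, ace["dst"], ace["dst_wc"]):
            continue
        if ace["port"] is not None and ace["port"] != pkt.dport:
            continue
        return ace["action"], line_no
    return "deny", 0


# HQ ACL 100 from 8.4.4: net admin and server farm (.0-.15) get full access,
# other user PCs lose Telnet, everything else is allowed.
ACL_100 = [parse_ace(s) for s in (
    "access-list 100 permit ip 192.168.1.0 0.0.0.15 any",
    "access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "access-list 100 permit ip any any",
)]

# 8.4.3: ACL 101 as shown in the animation, and a version written for the
# translated (inside global) address that an outbound ACL on S0/0/0 actually sees.
ACL_101_AS_SHOWN = [parse_ace("access-list 101 permit ip 10.1.0.0 0.0.255.255 host 209.165.200.230")]
ACL_101_FOR_GLOBAL = [parse_ace("access-list 101 permit ip host 209.165.200.226 host 209.165.200.230")]
INSIDE_LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")
INSIDE_GLOBAL = "209.165.200.226"


def outbound_on_nat_outside(pkt: Packet, acl: List[dict]) -> Tuple[str, int, str]:
    """Inside-to-outside on the NAT outside interface: translate the source
    (local -> global) first, then apply the outbound ACL.  Returns the verdict,
    the matching line and the source address the ACL saw."""
    if ipaddress.ip_address(pkt.src) in INSIDE_LOCAL_NET:
        pkt = Packet(INSIDE_GLOBAL, pkt.dst, pkt.proto, pkt.dport)
    action, line_no = evaluate(acl, pkt)
    return action, line_no, pkt.src


def inbound_on_inside_interface(pkt: Packet, acl: List[dict]) -> Tuple[str, int]:
    """The same ACL applied inbound on Fa0/0 is checked before NAT, so it sees the
    private source address and the statement as written matches."""
    return evaluate(acl, pkt)


if __name__ == "__main__":
    web = Packet("10.1.0.5", "209.165.200.230", "tcp", 80)      # constructed host
    print(outbound_on_nat_outside(web, ACL_101_AS_SHOWN))      # ('deny', 0, '209.165.200.226')
    print(outbound_on_nat_outside(web, ACL_101_FOR_GLOBAL))    # ('permit', 1, '209.165.200.226')
    print(inbound_on_inside_interface(web, ACL_101_AS_SHOWN))  # ('permit', 1)
    print(wildcard_from_prefix(28), evaluate(ACL_100, Packet("192.168.1.30", "10.9.9.9", "tcp", 23)))
```

The two fixes for the 8.4.3 problem both appear: either write the outbound statement for the public address that NAT produces, or apply the ACL inbound on the inside interface where the private addresses are still visible. The ACL 100 evaluation also shows why statement order matters: the net admin at 192.168.1.2 may Telnet because the permit for 192.168.1.0 0.0.0.15 is tested before the deny, while H1 at 192.168.1.30 falls through to the deny.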
Diagram 3, Image

The diagram depicts ACL processing and creation guidelines.

Standard ACLs filter on source IP address and are placed as close to the destination as possible. Extended ACLs can filter on source and destination addresses as well as on protocol and port number, and should be placed as close to the source as possible. Decide the placement of ACLs based on the type of ACL and the requirements. Each interface supports one ACL per direction per protocol. Create an ACL using a unique identifier and apply it either inbound or outbound on an interface using the ip access-group command. The show ip interface, show access-lists, and show running-config commands allow a network administrator to view all ACLs that have been configured on a router. Named ACLs offer all the functionality and advantages of standard and extended ACLs. ACLs restrict VTY access to increase network security; the access-class command is used to apply an ACL to the VTY lines.

Diagram 3 text
- Configure only one access list per protocol per direction.
- Apply standard access lists closest to the destination.
- Apply extended access lists closest to the source.
- Use the correct number range for the type of list.
- Determine the inbound or outbound direction by looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom.
- A packet is denied if no match is found.
- Enter the access list statements in order from specific to general.
- Configure an ACL with at least one permit statement or all traffic will be denied.

Diagram 4, Image

The diagram depicts an Ethernet frame. The frame consists of the following: MAC header (addresses), IP header (addresses), TCP header (ports), Data, FCS.

Diagram 4 text

Extended ACLs filter on the source and destination IP addresses, the protocol, and the destination application port numbers in a frame. ACLs filter a range of ports using the gt, lt, or range operators. Use the established keyword to filter TCP traffic that is a response to a request.
The order in which the statements are written affects how the router performs. There are two ways to approach writing ACLs: permit specific traffic first and then deny general traffic, or deny specific traffic first and then permit general traffic. Network administrators account for NAT when creating and applying ACLs. Apply ACLs directly to VLAN interfaces just as with physical interfaces.

Diagram 5, Image

The image depicts a map of the world focused on GMT, Greenwich Mean Time. The relevant information is shown in a summary.

Diagram 5 text

An ACL statement counts the number of matches and displays the count at the end of each statement that has been matched. Logging gives additional details on the packets permitted or denied. To activate logging, add the log option to the end of each ACL statement. Add deny ip any any log to monitor the number of packets that are not matched by the previous ACL statements. The process of logging events places an additional load on the router. The log contents can be sent to an external syslog server. Always set the service timestamps for logging, and be sure the router date and time are set correctly, so that log files display the proper time stamp.

8.6.2 Critical Thinking

Page 1:

8.6.2 - Critical Thinking

The diagram depicts an activity in which you must answer questions about access control lists based on specified requirements and a network topology diagram.

Network Topology

Three routers, RTA, RTB, and RTC, are connected, with each supporting a LAN. Router RTA interface S0/0/1 is connected to RTB interface S0/2/0 using subnetwork 192.168.10.0/30. Router RTA interface S0/2/0 is connected to RTC interface S0/1/0 using a serial link. Router RTA interface Fa0/0/1 is connected to a LAN switch and two PCs using subnetwork 10.10.20.0/24. Router RTB interface Fa0/0/1 is connected to a LAN switch, an FTP Server, and a PC using subnetwork 10.10.30.0/24. The FTP Server IP address is 10.10.30.1.
The PC IP address is 10.10.30.2. Router RTB interface S0/1/0 is connected to the Internet cloud. Router RTC interface Fa0/0/1 is connected to a LAN switch and one PC using network 10.10.1.0/24. The PC IP address is 10.10.1.1.

Scenario

A single access list needs to be created to deny the 10.10.1.0/24 subnet and the 10.10.20.0/24 subnet from reaching the 10.10.30.0/24 subnet. Host computer 10.10.1.1 should have access to the FTP Server only. The rest of the 10.0.0.0 network should have access to the 10.10.30.0/24 network. All users should be able to access the Internet.

Questions

Question One. What should be the first line of the access list?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255

Question Two. What should the second line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255
F. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 any

Question Three. What should the third line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0 eq ftp
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255 eq any
E. Router(config)# access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq any
F. Router(config)# access-list 101 deny ip 10.10.20.0 0.0.0.255 any

Question Four. What should the fourth line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.0 10.10.30.0 0.0.0.0.255
D. Router(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255 eq any

Question Five. Where should the access list be placed to ensure it is effective?
A. S0/2/0 on RTB as an outbound ACL
B. S0/2/0 on RTB as an inbound ACL
C. Fa0/0/1 on RTB as an inbound ACL
D. S0/1/0 on RTB as an outbound list
E. S0/0/1 on RTA as an outbound list
F. S0/2/0 on RTA as an inbound list

8.7 Chapter Quiz

8.7.1 Quiz

Page 1:

Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

8.7.1 - Quiz

Chapter 8 Quiz: Filtering Traffic Using Access Control Lists

1. An administrator has been asked to explain ACLs to a trainee. What are some of the suggested uses for ACLs that the trainee should learn? (Choose three.)
A. limit network traffic and increase performance
B. notify downstream devices in the event of increased traffic or congestion
C. determine whether interfaces are active or shutdown during peak usage
D. provide traffic flow control
E. provide a basic level of security for network access
F. open additional links when paths become saturated

2. What statements are true regarding the meaning of the access control list wildcard mask 0.0.0.15? (Choose two.)
A. The first 28 bits of a supplied IP address will be ignored.
B. The last four bits of a supplied IP address will be ignored.
C. The first 32 bits of a supplied IP address will be matched.
D. The first 28 bits of a supplied IP address will be matched.
E. The last five bits of a supplied IP address will be ignored.
F. The last four bits of a supplied IP address will be matched.

3. What IP address and wildcard mask pair will test for only the addresses of the subnet containing a host configured with 192.168.12.6 255.255.255.248?
A. 192.168.12.0 0.0.0.7
B. 192.168.12.0 0.0.0.8
C. 192.168.12.6 0.0.0.15
D. 192.168.12.6 0.0.0.255

4. Once an ACL has been created, it must be applied in the proper location to have the desired effect. What rules should be observed when applying ACLs? (Choose two.)
A. Standard ACLs should be applied as close to the source as possible.
B. Outbound filters do not affect traffic that originates within the local router.
C. The inbound and outbound interface should be referenced as if looking from the outside of a router.
D. Extended ACLs should be applied closest to the source.
E. All ACL statements are processed for each packet through the interface.

5. A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used? (Choose two.)
A. Router(config)# access-list 95 deny any
B. Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255
C. Router(config)# access-list 95 deny 172.16.0.0 255.255.0.0
D. Router(config)# access-list 95 permit any
E. Router(config)# access list 95 host 172.16.0.0
F. Router(config)# access-list 95 172.16.0.0 255.255.255.255

6. What can be concluded from the output shown below? (Choose two.)

Router# show running-config
Building configuration...
Current configuration 1084 bytes
!
version 12.1
[some output text omitted]
interface Serial0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 99 in
 no fair-queue
 clockrate 56000
!
ip classless
no ip http server
!
access-list 99 deny 10.213.177.76
access-list 99 permit any
!
[some output text omitted]

A. This is an extended IP access list.
B. The keyword host is implied in the command line access-list 99 deny 10.213.177.76.
C. The wildcard mask must be configured for this access list to function properly.
D. Host 10.213.177.100 will be allowed access to the Serial0/1 interface.
E. This access control list will not limit any traffic through the router.

7. The new security policy for the company allows all IP traffic from the Engineering LAN to the Internet, while only web traffic from the Marketing LAN is allowed to the Internet. Which ACL can be applied in the outbound direction of Serial 0/0/1 on the Marketing router to implement the new security policy? To answer this question, refer to the network topology below.

Network Topology

This topology consists of two routers, one named Marketing and one named Engineering. The two routers are connected to each other via a serial link: Marketing S0/0/0, IP 198.18.106.1/24, and Engineering S0/0/0, IP 198.18.106.2/24. The Marketing router is connected to a switch via interface Fa0/0, network 198.18.112.0/24. This network is called the Marketing LAN. The Engineering router is connected to a switch via interface Fa0/0, network 192.0.2.0/24. This network is called the Engineering LAN. The S0/0/1 interface on the Marketing router is attached to the Internet with the IP address 198.18.114.1/24.
A. access-list 197 permit ip 192.0.2.0 0.0.0.255 any
   access-list 197 permit ip 198.18.112.0 0.0.0.255 any eq www
B. access-list 165 permit ip 192.0.2.0 0.0.0.255 any
   access list 165 permit tcp 198.18.112.0 0.0.0.255 any eq www
   access-list 165 permit ip any any
C. access-list 137 permit ip 192.0.2.0 0.0.0.255 any
   access-list 137 permit tcp 198.18.112.0 0.0.0.255 any eq www
D. access-list 89 permit tcp 192.0.2.0 0.0.0.255 any
   access-list 89 permit ip 198.18.112.0 0.0.0.255 any eq www

8. Which two statements are correct based on the set of commands shown in the output below? (Choose two.)

Router(config)# ip access-list extended Server1Access
Router(config-ext-nacl)# deny ip 10.128.114.0 0.0.0.255 any
Router(config-ext-nacl)# deny tcp 192.168.85.0 0.0.0.255 host 172.25.0.26 eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface Fa0/0
Router(config-if)# ip access-group Server1Access out

A. Host 10.128.114.76 will be able to establish a Telnet session with host 172.25.0.26.
B. Host 10.128.114.76 will not be able to establish an FTP session with available hosts on the 172.25.0.0/16 network.
C. Host 192.168.85.76 will be able to establish a Telnet session with host 172.25.0.26.
D. Host 192.168.85.76 will be able to establish an FTP session with available hosts on the 172.25.0.0 network.
E. Host 172.25.0.26 will not be able to establish a Telnet session with available hosts on the 192.168.85.0/24 network.

9. A network engineer wants to ensure that only users of the network management host can access the vty lines of R1. Place the commands in the order in which they would be entered into the router, using the three router prompts listed below. (Not all commands will be used.)
A. line vty 0 4
B. access-class 1 in
C. ip access-group 1 in
D. access-list 1 deny any
E. access-list 1 deny ip any any
F. access-list 1 permit host 10.0.0.1

1. First command, at the R1(config)# prompt
2. Second command, at the R1(config)# prompt
3. Third command, at the R1(config-line)# prompt

10. What are two purposes of IP access control lists? (Choose two.)
A. ACLs control host access to a network or to another host.
B. Standard ACLs can restrict access to specific applications and ports.
C. ACLs provide a basic level of security for network access.
D. ACLs can permit or deny traffic based upon the MAC address originating on the router.
E. ACLs can be applied to only one interface.

11. Access list 101 is applied as an inbound ACL on the interface Serial 0 of router RTA and should permit Telnet access to the 172.16.28.3 host. However, Telnet access fails when host 10.10.10.3 attempts to connect to host 172.16.28.3. What could be the cause? To answer this question, refer to the network topology below.

Network Topology

This topology consists of two routers named RTA and RTB. RTA is connected to the Internet via its S0 interface. RTB is connected to the Internet via its S0 interface. RTA has a host connected via its Fa0 interface, addressed 172.16.28.3/24. RTB has a host connected via its Fa0 interface, addressed 10.10.10.3. Output from the RTA command line is shown as follows:

hostname RTA
!
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any host eq 23
access-list 101 deny ip any any

A. The line access-list 101 permit tcp any any established should be added before the permit statement.
B. The line access-list 101 permit tcp any any established should be added after the permit statement.
C. The port number is incorrect for the access list.
D. The access list should be on the outbound interface of FastEthernet 0.

12. A network administrator is interested in tracing all packets that do not match any statement in a standard ACL.
What must the network administrator do to allow tracking?
A. Enter the command debug ACL deny from global configuration mode.
B. Add permit ip any log to the end of the ACL statements.
C. Enter the syslog command in global configuration mode.
D. Nothing; logging of denied packets happens automatically.

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.