Saturday, 3 September 2011

IP Access Control List Security


Access Control Lists (ACLs): cause a router to discard some packets based on criteria defined by the network engineer.
  • Prevent hackers
  • Prevent employees from using parts of the system
  • Filter routing updates
  • Match packets for VPN tunneling
  • Match packets for implementing QoS features
IP Standard ACL Concepts
An ACL is applied to an interface in one direction: either as packets enter the interface (inbound) or as they leave it (outbound).
Deny: the packet is filtered (discarded).
Allow (permit): the packet is not filtered.
-> At the end of every access list there is an implied "deny all" statement. If a packet does not match any access-list statement, the packet is filtered.
If the access list has multiple statements:
1. The matching parameters of the first access-list statement are compared to the packet.
2. If a match is made, the action defined in that statement is performed.
3. If a match is not made, repeat steps 1-2 with the next statement until a match is made.
4. If no statement matches, the deny action is performed.


Wildcard Masks

Access lists match packets by looking at the IP, TCP, and UDP headers of the packet. Standard access lists only look at the source IP address.

Wildcard masks define the portion of the IP address that should be examined.
* 0 = match those bits
* 1 = ignore those bits

Examples
Wildcard Mask   Description
0.0.0.0         The entire IP address must match.
0.0.0.255       The first 3 octets must match.
0.0.255.255     The first 2 octets must match.
0.0.15.255      The first 20 bits must match.
To match all hosts in a single subnet: Subtract the subnet mask from 255.255.255.255
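The wildcard-mask rule and the top-to-bottom, first-match, implicit-deny evaluation described above, as an added worked example in Python (not part of the original post and not Cisco code): it models a standard ACL as a list of statements, derives the wildcard for a subnet with the page's subtraction rule, evaluates a source address against the list, and flags statements that can never be reached because an earlier, broader statement already covers them (the ordering point the implementation considerations make). The sample list reproduces the page's "deny one host, permit everyone else" case; the addresses and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def care_bits(wildcard: str) -> int:
    """Bits the router must compare: a 0 bit in the wildcard means 'match',
    a 1 bit means 'ignore', so the care mask is the inverted wildcard."""
    return ~ip_to_int(wildcard) & 0xFFFFFFFF


def wildcard_match(candidate: str, address: str, wildcard: str) -> bool:
    """True when candidate agrees with address on every bit the wildcard marks as 0."""
    diff = ip_to_int(candidate) ^ ip_to_int(address)
    return (diff & care_bits(wildcard)) == 0


def wildcard_for_subnet(subnet_mask: str) -> str:
    """Wildcard matching every host of one subnet: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - ip_to_int(subnet_mask)))


@dataclass
class StandardAce:
    """One statement of a standard ACL: action, source, source-wildcard.
    The wildcard defaults to 0.0.0.0, which is what 'host x' means."""
    action: str           # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"


def evaluate_standard_acl(acl: List[StandardAce], src_ip: str) -> str:
    """Top to bottom, first match wins; the final return is the implicit
    'deny all' that ends every access list."""
    for ace in acl:
        if wildcard_match(src_ip, ace.source, ace.wildcard):
            return ace.action
    return "deny"


def shadowed_entries(acl: List[StandardAce]) -> List[int]:
    """Indices of statements that can never be reached because an earlier
    statement already matches every source they would match: the earlier
    entry cares about a subset of the later entry's bits, and the two
    sources agree on those bits."""
    shadowed = []
    for j, later in enumerate(acl):
        care_j = care_bits(later.wildcard)
        for earlier in acl[:j]:
            care_i = care_bits(earlier.wildcard)
            subset = (care_i & ~care_j) == 0
            diff = ip_to_int(earlier.source) ^ ip_to_int(later.source)
            if subset and (diff & care_i) == 0:
                shadowed.append(j)
                break
    return shadowed


# Constructed example list: the page's "deny one user, permit everyone else" case.
DENY_ONE_USER = [
    StandardAce("deny", "10.1.1.1"),                       # access-list 1 deny host 10.1.1.1
    StandardAce("permit", "0.0.0.0", "255.255.255.255"),   # access-list 1 permit any
]

if __name__ == "__main__":
    print(wildcard_for_subnet("255.255.240.0"))              # 0.0.15.255
    print(evaluate_standard_acl(DENY_ONE_USER, "10.1.1.1"))  # deny
    print(evaluate_standard_acl(DENY_ONE_USER, "10.1.1.2"))  # permit
    # Same two statements in the wrong order: the deny is never reached.
    print(shadowed_entries(list(reversed(DENY_ONE_USER))))   # [1]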

Standard IP Access List Configuration

Command and description

access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Global command for standard numbered access lists.
access-list access-list-number remark text
    Remark that comments what the list does.
ip access-group {number | name} [in | out]
    Interface subcommand that enables an access list on the interface.
access-class {number | name} [in | out]
    Line subcommand to enable a standard or extended access list on a line.

Show Commands
show ip interface
show access-lists [access-list-number | access-list-name]
show ip access-list [access-list-number | access-list-name]


Configuration to Deny 1 Specific User

interface Ethernet0
 ip address [address] [subnet mask]
 ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is this user
access-list 1 deny [ip address] [wildcard mask]
access-list 1 permit any


Explanation of Commands

* Standard access lists use numbers in the range 1-99 or 1300-1999
* The access-list commands are global configuration commands that build the list
* To enable the list on a specific interface, use the ip access-group interface subcommand
Remember, the access list is evaluated from top to bottom: it first looks for the specific source IP to filter, and then permits all other addresses (source 0.0.0.0 with a wildcard of 255.255.255.255, which IOS shows as "any").
** Note **
In show running-config (show run), the list is displayed as "deny host x" and "permit any".
Extended IP Access Control Lists


The one key difference is the variety of fields in the packet that can be compared for matching by extended access lists.
[Figure: Extended-acl.GIF, the packet fields an extended ACL can match]
* Note *

If the protocol is TCP or UDP, the list can also filter on source and destination port.

Access-list statement and what it matches

access-list 101 deny ip any host 10.1.1.1
    Any IP packet, from any source IP address, with a destination IP address of 10.1.1.1.
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23
    Packets with a TCP header, any source IP address, with a source port greater than (gt) 1023. The packet must have a destination of 10.1.1.1 and a destination port of 23.
access-list 101 deny tcp any host 10.1.1.1 eq 23
    The same as above, but any source port (the source port is omitted).
access-list 101 deny tcp any host 10.1.1.1 eq telnet
    The keyword telnet is used rather than the port number.
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any
    A packet with a source in network 1.0.0.0, using UDP with a source port less than (lt) 1023, with any destination IP address.
Sequence options follow:
[protocol type] [source IP] [source port] [destination IP] [destination port]
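The statement format just given, as an added worked example in Python (not part of the original post and not Cisco code): a small parser for the "access-list N {permit|deny} protocol source [op port] destination [op port]" form, including the any, host and address/wildcard source forms and the eq, gt, lt and neq port operators, followed by first-match evaluation of constructed packet headers against the page's five statements. The closing "permit ip any any", the PORT_NAMES table, the Packet fields and all sample addresses are constructed for the example; without that closing permit, the implicit deny at the end of the list discards everything the five statements do not name.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword port names accepted in place of numbers (a constructed subset).
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "ftp": 21, "smtp": 25}


@dataclass
class Packet:
    """Constructed packet headers: only the fields an extended ACL inspects."""
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class ExtendedAce:
    number: str
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" matches every protocol
    src: Tuple[str, str]                   # (address, wildcard)
    src_port: Optional[Tuple[str, int]]    # (operator, port) or None
    dst: Tuple[str, str]
    dst_port: Optional[Tuple[str, int]]


def _wildcard_match(candidate: str, address: str, wildcard: str) -> bool:
    # 0 bits in the wildcard must match, 1 bits are ignored
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(candidate)) ^ int(ipaddress.IPv4Address(address))
    return (diff & care) == 0


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (address, wildcard), next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[Tuple[str, int]], int]:
    """Optional 'eq|gt|lt|neq <port or name>' -> (operator, port), next index."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (t[i], port), i + 2
    return None, i


def parse_extended_ace(line: str) -> ExtendedAce:
    """Parse one numbered extended access-list statement.
    Port operators are read only for tcp/udp; a trailing 'log' is ignored."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list statement: " + line)
    number, action, proto = t[1], t[2], t[3]
    has_ports = proto in ("tcp", "udp")
    src, i = _parse_addr(t, 4)
    src_port, i = _parse_port(t, i) if has_ports else (None, i)
    dst, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i) if has_ports else (None, i)
    return ExtendedAce(number, action, proto, src, src_port, dst, dst_port)


def _port_ok(cond: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    if cond is None:
        return True      # the statement does not look at this port
    if port is None:
        return False     # the statement needs a port the packet does not carry
    op, value = cond
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def ace_matches(ace: ExtendedAce, pkt: Packet) -> bool:
    """Protocol, source, source port, destination and destination port must all match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (_wildcard_match(pkt.src, *ace.src) and _wildcard_match(pkt.dst, *ace.dst)
            and _port_ok(ace.src_port, pkt.sport) and _port_ok(ace.dst_port, pkt.dport))


def evaluate(acl: List[ExtendedAce], pkt: Packet) -> str:
    """First match top to bottom; implicit deny when nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The page's five statements plus a constructed closing "permit ip any any".
ACL_101 = [parse_extended_ace(s) for s in [
    "access-list 101 deny ip any host 10.1.1.1",
    "access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23",
    "access-list 101 deny tcp any host 10.1.1.1 eq 23",
    "access-list 101 deny tcp any host 10.1.1.1 eq telnet",
    "access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any",
    "access-list 101 permit ip any any",
]]

if __name__ == "__main__":
    print(evaluate(ACL_101, Packet("tcp", "192.0.2.5", "10.1.1.1", 40000, 80)))  # deny
    print(evaluate(ACL_101, Packet("tcp", "192.0.2.5", "10.1.1.2", 40000, 80)))  # permit
    print(evaluate(ACL_101[:5], Packet("icmp", "192.0.2.5", "10.1.1.2")))          # deny
```

Note how the third and fourth statements parse to the same thing (destination port 23 either way), and that the very first statement already discards every packet to 10.1.1.1, so the TCP-specific lines after it are never reached for that destination; this is the "more-specific statements first" point in the implementation considerations.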

Extended IP ACL Configuration

Command, configuration mode and description

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
    Global command for extended numbered access lists. Number between 100-199 and 2000-2699.
ip access-group {number | name} [in | out]
    Interface subcommand to enable access lists.
access-list access-list-number remark text
    Create a comment about what the ACL does.
access-class {number | name} [in | out]
    Line subcommand for standard/extended access lists.

Show Commands

show ip interface [type number]
    References access lists enabled on the interface.
show access-lists [access-list-number | access-list-name]
    Shows details of access lists for all protocols.
show ip access-list [access-list-number | access-list-name]
    Shows IP access lists.
Extended Access List Range: 100 to 199, or 2000 to 2699
Cisco recommends you locate extended ACLs as close to the source as possible.


Misc ACL Topics


Named ACLs: Identifies ACLs using names, can delete individual lines in a named IP access list.
* Use a global command that places the user in a named IP access list submode
* When named matching statement is deleted, only that line is deleted
* With numbered lists, the deletion of any statement in the list deletes all statements in the list

Command to create a named ACL: ip access-list extended [ACL name]
Command to delete a line (in the named ACL submode): no deny ip [source] [source-wildcard] [destination] [destination-wildcard]

Controlling Telnet with ACLs: the access-class line subcommand controls who can telnet to/from a router

line vty 0 4
login
password cisco
access-class 3 in

access-list 3 permit 10.1.1.0 0.0.0.255
ACL Implementation Considerations

1. Create ACLs using text editor outside the router, and copy/paste into configuration. This makes fixing typos easier, allows for a backup of configuration, which makes adding/deleting from them easier.

2. Place extended ACLs as close to the source of the packet as possible to discard packets quickly.

3. Place standard ACLs as close to the packet's destination as possible, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.

4. Place more-specific statements early in the ACL.

5. Disable an ACL from its interface (no ip access-group) before making changes to it.
