Chabot College ELEC 99.08 Access Control Lists - Introduction CISCO NETWORKING ACADEMY ACL Topics • • • • • Function of ACLs ACL Types & Syntax Wildcard Bitmasks Placement of ACLs Commands CISCO NETWORKING ACADEMY Typical Functions • Security • Firewalling CISCO NETWORKING ACADEMY Types • Standard • Extended CISCO NETWORKING ACADEMY Standard ACLs • Use rules based only the packet’s source address • 1-99 CISCO NETWORKING ACADEMY Extended ACLs • Provide more precise (finer tuned) packet selection based on: – Source and destination addresses – Protocols – Port numbers • 100-199 CISCO NETWORKING ACADEMY Steps to Configure ACLs 1) Create ACL (global config mode) – The list may contain many rules, each on one line. – The list is identified by a number or name. 2) Apply to an interface (interface config mode) CISCO NETWORKING ACADEMY How do ACLs work? • Processing occurs line by line from top to bottom of the list. • Each line tests a packet for a “match”. • If there is a match, a “permit” or “deny” rule is applied. • When a “match” occurs, no further rules are checked. • Invisible last line of an ACL is an implicit “deny any.” CISCO NETWORKING ACADEMY How do ACLs work? • ACL example: oak#sh ru oak#... oak#access-list 10 deny 192.168.1.0 0.0.0.255 oak#access-list 10 permit any oak#access-list 10 deny any (implicit) oak#... CISCO NETWORKING ACADEMY How does a Standard ACL work? • Permits or denies if source IP address is matched: – Permit – packet is allowed – Deny – packet is dropped – Implicit Deny – If a packet’s address does not match an earlier statement, an implicit deny any occurs at the end of every ACL and the packet is dropped. CISCO NETWORKING ACADEMY Wildcard Masks • Are used to specify (by bits) the part of the ip address to be matched. • Looks like a subnet mask but it its not! • Example: 172.16.0.0 0.0.255.255 The network address to be matched CISCO NETWORKING ACADEMY The wildcard bitmask Wildcard Masks • Specify the part of the ip address to be matched. • Use 0s to match,1s to ignore. (Reverse of subnet masks!) • In the example below, only the 1st 2 octets will be examined for a match: 172.16.0.0 0.0.255.255 Match this part of the address CISCO NETWORKING ACADEMY This is the wildcard bitmask Wildcard Masks 172.16.0.0 0.0.255.255 address to match wildcard bitmask 172 16 0 0 10101100 00010000 00000000 00000000 Wildcard 00000000 Mask 0 00000000 0 11111111 11111111 255 Address Check for a match CISCO NETWORKING ACADEMY 255 Ignore Wildcard Masks • In this example, which octets will be examined for a match? 172.16.5.0 0.0.0.255 CISCO NETWORKING ACADEMY Wildcard Masks • In this example, which octets will be examined for a match? 172.16.5.0 0.0.0.255 • The first 3: 172.16.5.0 0.0.0.255 Match this part of the address CISCO NETWORKING ACADEMY Wildcard Masks • In this example, which octets will be examined for a match? 172.16.5.2 0.0.0.0 CISCO NETWORKING ACADEMY Wildcard Masks • In this example, which octets will be examined for a match? 172.16.5.2 0.0.0.0 • All 4 octets: 172.16.5.2 0.0.0.0 Match the entire address (permit or deny this specific host) CISCO NETWORKING ACADEMY Wildcard Masks • In Cisco 2, we will work only with wildcard bitmasks that are 0 or 255 for an entire octet. • In Cisco 3, you’ll work with masks where the change from 0 to 1 does not fall on an octet boundary: – e.g. 0.0.15.255 CISCO NETWORKING ACADEMY Keyword: “any” • Identical statements – access-list 22 permit 0.0.0.0 255.255.255.255 – access-list 22 permit any CISCO NETWORKING ACADEMY Keyword: “host” • Identical statements – Access-list 23 permit 172.16.1.1 0.0.0.0 – Access-list 23 permit host 172.16.1.1 CISCO NETWORKING ACADEMY Standard IP ACL command access-list ACL-number {permit |deny} source-ip-address wildcard-mask • ACL number: 1-99 • Global Config mode CISCO NETWORKING ACADEMY Standard ACL Example • To permit all packets from the network number 172.16.0.0 access-list 20 permit 172.16.0.0 0.0.255.255 CISCO NETWORKING ACADEMY Standard ACL Example • To permit traffic from the host 172.16.1.1 only access-list 20 permit 172.16.1.1 0.0.0.0 OR access-list 20 permit host 172.16.1.1 CISCO NETWORKING ACADEMY Standard ACL Example • To permit traffic from any source address. access-list 20 permit 0.0.0.0 255.255.255.255 OR access-list 20 permit any CISCO NETWORKING ACADEMY How does an Extended ACL work? • Permits or denies if all conditions match: – Source Address – Destination Address – Protocol – Port No. or Protocol Options CISCO NETWORKING ACADEMY Extended IP ACL command access-list ACL-number {permit|deny} protocol source-ip-address source-wildcardmask destination-ip-address destinationwildcard-mask eq port-number • ACL number: 100-199 • Global Config mode CISCO NETWORKING ACADEMY Extended ACL Example • To permit traffic from the network 192.168.1.0 to the host 192.168.3.10 only on telnet: access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.10 0.0.0.0 eq telnet • More about extended ACLs later... CISCO NETWORKING ACADEMY Major differences • Standard ACL – Use only source address – Requires fewer CPU cycles. – Place as close to destination as possible. (because they can only check source address) • Extended ACL – Uses source, destination, protocol, port – Requires more CPU cycles. – Place as close to source as possible. (This stops undesired traffic early.) CISCO NETWORKING ACADEMY Command to apply IP ACL ip access-group ACL-number {in |out} • Interface Config mode • The group of rules in the list is applied to the interface being configured. • Use “in” and “out” as if looking at the interface from inside the router. CISCO NETWORKING ACADEMY Do I place an ACL in? • In – Coming into the router. – Requires less CPU processing because every packet bypasses processing before it is routed. – Filtering decision is made prior to the routing table. CISCO NETWORKING ACADEMY Do I place an ACL out? • Out – Going out of the router. – Routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list. – ACLs are outbound unless otherwise specified. CISCO NETWORKING ACADEMY ACL Configuration Example What will this list do? oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255 oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0 oak(config)#int e0 oak(config-if)#ip-access group 10 out oak(config-if)#^z S1 S0 fre E0 S0 192.168.3.0 192.168.2.10 oak E0 192.168.2.0 CISCO NETWORKING ACADEMY S1 E0 192.168.1.0 192.168.1.10 hay 192.168.3.10 ACL Configuration Example What’s the problem here? oak(config)#access-list 10 permit any oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0 oak(config)#int e0 oak(config-if)#ip-access group 10 out oak(config-if)#^z S1 S0 fre E0 S0 192.168.3.0 192.168.2.10 oak E0 192.168.2.0 CISCO NETWORKING ACADEMY S1 E0 192.168.1.0 192.168.1.10 hay 192.168.3.10 Commands to show ACLs show access-lists • Privileged exec mode • Displays the ACLs on the router. show ip interface • Privileged exec mode • Shows which ACLs are set on that interface. CISCO NETWORKING ACADEMY