Access Control Lists
Lecture 1
PJC CCNA Semester 2 Ver. 3.0
by William Kelly

ACL Definition
An ACL is a sequential group of permit and/or deny statements that control the flow of particular protocols or protocol suites in or out of an interface to a specific host or group of hosts.

ACL Concepts
- Applied to a router's interface
- Traffic is forwarded or blocked
- Each protocol must have its own ACL defined (you are only allowed 1 ACL per protocol, per port, per direction)

Why Use ACLs?
- Controlling traffic can increase network performance
- Distribution of routing updates can be controlled
- Security can be added at the network boundary
- Specific types of traffic can be permitted or blocked
- An administrator controls what areas a client can access
- Screen certain hosts to either allow or deny access to part of a network

Calculate Number of ACLs
- 2 ports, each port running IP, IPX
- 2 ports, each port running IP, IPX, AppleTalk
(Remember you need an ACL for each protocol in each direction on each port)

How ACLs Work
- Packets enter the interface
- If the packets are routable then they are routed toward the outbound interface
- If there is no access list then the packets proceed out the outbound interface
- If there is an ACL then the packets are filtered using the sequential ACL statements

ACL Basic Flowchart
[Flowchart: packets enter; test against the 1st statement: match -> permit or deny, no match -> test against the 2nd statement: match -> permit or deny, no match -> ... test against the last statement: match -> permit or deny, no match -> implicit deny, packets discarded]

How Does a Router Process an ACL?
- Does the Layer 2 address match?
- Is there an inbound ACL?
- Is there an outbound ACL?

Creating Standard ACLs
- ACL statements must be in the correct order! (Use a flowchart to plan your logic)
- ACLs can't be modified (only created and deleted).
- Use a text editor to write your ACLs

Configuring ACLs
- ACLs are created in Global Configuration Mode
- Standard ACLs are 1-99 and Extended ACLs are 100-199
- Plan your ACLs in a flowchart considering the protocol or protocol suite, host or group of hosts, and interface and direction of filtering

Configuring ACLs (cont.)
Define ACL:
    Router(config)# access-list access-list-num {permit | deny} {test conditions}
Apply ACL to interface:
    Router(config-if)# {protocol} access-group access-list-number

Points to Remember When Creating ACLs
- Outbound ACLs are more efficient
- If you need to alter an ACL use no access-list list-number (Remember you can't modify a standard ACL, so you must erase it and create it again with your changes. This is why you should create ACLs in a text file.)
- (See Basic Rules in Online Curriculum)

Wildcard Mask Bits
- Wildcard mask bits appear "similar" to a reverse subnet mask but have NO RELATIONSHIP TO SUBNET MASKS!!
- 0 means check a position
- 1 means don't check a position

Common Wildcard Commands and Abbreviations
- permit 0.0.0.0 255.255.255.255 is the same as permit any
- permit 181.16.1.1 0.0.0.0 is the same as permit host 181.16.1.1 (ONLY A PARTICULAR HOST IS MATCHED!!)
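The sequential first-match evaluation, the implicit deny at the end of every list, and the 0 = check / 1 = don't care wildcard rule can be seen together in this small Python evaluator for standard ACL statements. It is an added illustration, not part of the lecture or of Cisco IOS; the access-list 10 statements and the sample source addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed example: first-match evaluation of Cisco-style standard ACL statements.
# A wildcard mask is NOT a subnet mask: bit 0 = this bit must match, bit 1 = don't care.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Ignore the "don't care" bits on both sides, then compare the checked bits.
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_statement(line: str):
    """Parse 'access-list N {permit|deny} {any | host A | A WILDCARD}'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if parts[3] == "any":                      # 'any' == 0.0.0.0 255.255.255.255
        base, wc = "0.0.0.0", "255.255.255.255"
    elif parts[3] == "host":                   # 'host A' == A 0.0.0.0
        base, wc = parts[4], "0.0.0.0"
    else:
        base = parts[3]
        wc = parts[4] if len(parts) > 4 else "0.0.0.0"
    return action, base, wc

def evaluate(acl_lines, src_ip):
    """Return (action, matching statement) for the first statement that matches.
    If nothing matches, the implicit deny applies and the packet is discarded."""
    for line in acl_lines:
        action, base, wc = parse_statement(line)
        if wildcard_match(src_ip, base, wc):
            return action, line
    return "deny", None   # implicit deny at the end of every ACL

# Constructed list: block one host, then permit the rest of its /24. Order matters:
# with the two statements swapped, the host line would never be reached.
ACL_10 = [
    "access-list 10 deny host 181.16.1.1",
    "access-list 10 permit 181.16.1.0 0.0.0.255",
]

if __name__ == "__main__":
    for ip in ("181.16.1.1", "181.16.1.200", "10.0.0.5"):
        print(ip, "->", evaluate(ACL_10, ip))
```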
Commands to Verify ACLs
- show ip interface: indicates whether any ACLs are set
- show access-lists: displays the contents of all the ACLs
- show running-config: also shows access lists and the interface to which they are assigned

Standard ACLs
- Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite
- Use numbers 1-99
- Only 1 protocol per port per interface is allowed
- Can only check the source address, so they should be put as close to the destination as possible

Extended ACLs
- Allow denying/permitting traffic from a specific host/group of hosts and/or protocol suite/protocol and/or port/group of ports
- Use numbers 100-199
- Only 1 protocol per port per interface is allowed
- Can check source and destination address, so they should be put as close to the source as possible

Named ACLs
- Names for standard and extended ACLs can be alphanumeric strings
- Use deny/no deny or permit/no permit to change conditions of a named standard or extended ACL
- You can't use the same alphanumeric name twice!