CISCO NETWORKING ACADEMY PROGRAM (CNAP) SEMESTER 2/ MODULE 11 Access Control List CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Overview - Access Control Lists (ACLs) - ACL Configuration Tasks - Standard ACLs - Extended ACLs - Named ACLs - Placing ACLs - Verifying ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs What are ACLs? - ACLs are lists of instructions you apply to a router interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address, and port number. ACLs are used to manage traffic and scan specific packets by applying the ACL to a router interface. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Reasons to create ACLs - Limit network traffic and increase network performance. Provide traffic flow control. Provide a basic level of security for network access. Decide which types of traffic are forwarded or blocked at the router interfaces. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Testing Packets with ACLs - The order in which you place ACL statements is important. When the router is deciding whether to forward or block a packet, the Cisco Internetwork Operating System (IOS) software tests the packet against each condition statement, in the order in which the statements were created. NOTE: After a match is found, no more condition statements are checked. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs How ACLs Work? - An ACL is a group of statements that define how packets: - - - - Enter inbound interfaces Relay through the router Exit outbound interfaces ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If the packet does not match any of the written ACL statements, then the packet will match the final implicit "deny any" statement. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Flowchart of ACLs Test Matching CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Creating ACLs There are two basic steps for creating ACL: First: Create an ACL definition - Create ACLs by using the global configuration mode - Specify an ACL number - Must carefully select and logically order the ACL statements - Select which IP protocols to check; any other protocols are not checked Second: Apply the ACL to an interface - Apply ACLs specified above to one or more interfaces - They can filter inbound traffic or outbound traffic, depending on the configuration. - A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs ACL Numbers - When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the ACL for a protocol. When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Wildcard Mask Bits - A wildcard mask is a 32-bit number that is divided into four octets, with each octet containing 8 bits. The 0s and 1s in a wildcard determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes. A wildcard mask bit 0 means 'check the corresponding bit value. A wildcard mask bit 1 means 'do not check (ignore) that corresponding bit value. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Wildcard Mask Bits CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs The Any Command - - EX, If you want to specify that any destination address will be permitted in an ACL test. To indicate any IP address, you would enter 0.0.0.0. Then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, 255.255.255.255). Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword. INSTEAD OF THIS: - Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255 YOU CAN USE THIS: - Router(config)# access-list 1 permit any CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs The host Command - You can use the abbreviation host to test the specific IP host address in an ACL condition. EX, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front of the address. INSTEAD OF THIS: - Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0 YOU CAN USE THIS: Router(config)# access-list 1 permit host 172.30.16.29 CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs - Standard ACLs will be used when want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites. Standard ACLs check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network, subnet, and host addresses. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs - The full syntax of the command is: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ] - Type no in front of the command when want to remove a standard ACL: Router(config)# no access-list access-list-number CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs - In order to apply ACL conditions to an interface, ip access-group command must be used. Remember that only one ACL per port per protocol per direction is allowed. The format of the command is: Router(config-if)# ip access-group access-list-number {in | out} CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Standard ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs - Extended ACLs are used most often to test conditions because they provide a greater range of control than standard ACLs. Extended ACLs check for both source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters. This gives more flexibility to describe what checking the ACL will do. Packets can be permitted or denied output based on where the packet originated and based on its destination. EX, the extended ACL can allow e-mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs - - Extended ACL statements check for source address and destination address. At the end of the extended ACL statement, you gain additional precision from a field that specifies the optional TCP or User Datagram Protocol (UDP) protocol port number. These can be the well-known port numbers for TCP/IP. Extended ACLs use a number in the range 100 to 199. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs - The complete form of the access-list command: Router(config)# access-list access-list-number {permit| deny} protocol sourceaddress source-mask destination-address destination-mask [operator port] - The ip access-group command applies an extended ACL to an interface. The format of the command is: Router(config-if)# ip access-group access-list-number { in| out} CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Extended ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs Consider the following before implementing named ACLs: - Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2. - You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name. For example, it is illegal to specify a standard ACL named George and an extended ACL with the same name. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs - To name the ACL, use the following command: Router(config)# ip access-list {standard | extended} name - In ACL configuration mode, specify one or more conditions permitted or denied. This determines whether the packet is passed or dropped: Router(config)# deny {source [source-wildcard] | any} or Router(config)# permit {source [source-wildcard] | any} CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs - The full syntax for deny command is: Router(config)# deny {source [source-wildcard] | any} - To remove a deny condition, using the following syntax: Router(config)# no deny {source [source-wildcard] | any} - The full syntax of permit command is: Router(config)# permit {source [source-wildcard] | any} - To remove a condition from an ACL, using the following syntax: Router(config)# no permit {source [source-wildcard]| any} CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Configuring Named ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Restrict Virtual Terminal ACLs The following should be considered when configuring access lists on vty lines: - When controlling access to an interface, a name or number can be used. - Only numbered access lists can be applied to virtual lines. - Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Restrict Virtual Terminal ACLs CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Placing ACLs - The rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near the destination as possible. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Verify ACLs - The show ip interface command displays IP interface information and indicates whether any ACLs are set. - The show access-lists command displays the contents of all ACLs. NOTE: By entering the ACL name or number as an option for this command, you can see a specific list. CISCO NETWORKING ACADEMY PROGRAM SEMESTER 2/ MODULE 11 ACLs Verify ACLs