3-CCNA BRYPHIL

advertisement
Access Control List
ACL
An ACL is a series of IOS commands that
control whether a router forwards or
drops packets based on information
found in the packet header. ACLs are
among the most commonly used
features of Cisco IOS software.
Service
Port Number
HTTP
80
HTTPS
443
DNS
53
POP3
110
SMTP
25
TELNET
23
FTP
20-21
TFTP
69
See appendix 3A for more services and their ports
Functions of ACL
1. Limit network traffic to increase network
performance
2. Provide traffic flow control
3. Provide a basic level of security for network access
4. Filter traffic based on traffic type. For example, an
ACL can permit email traffic, but block all Telnet
traffic
5. Screen hosts to permit or deny access to network
services. ACLs can permit or deny a user to access file
types, such as FTP or HTTP.
Please not that, by default a router doesn’t have an ACL.
And therefore doesn’t filters traffic.
ACLs enable administrators to control traffic
into and out of a network. This control can be
as simple as permitting or denying traffic based
on network addresses, a specific host on the
network or as complex as controlling network
traffic based on the TCP port being requested.
ACL and ACE
Access Control List vs Access Control Entries
An ACL is a sequential list of permit or deny statements, known as access
control entries (ACEs). ACEs are also commonly called ACL statements. ACEs
can be created to filter traffic based on certain criteria such as: the source
address, destination address, the protocol, and port numbers. When network
traffic passes
To evaluate network traffic, the ACL extracts the following
information from the Layer 3 packet header:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper layer information from the Layer 4
header, including:
TCP/UDP source port
TCP/UDP destination port
Check Point
Inbound ACLs - Incoming packets are
processed before they are routed to
the outbound interface. An inbound
ACL is efficient because it saves the
overhead of routing lookups if the
packet is discarded.
Outbound ACLs - Incoming packets are
routed to the outbound interface, and
then they are processed through the
outbound ACL
There are 2 types of ACLs.
1. Standard.
2. Extended.
Standard ACLs
Standard ACLs can be used to permit or deny traffic only from
source IPv4 addresses. The destination of the packet and the ports
involved are not evaluated. The example in Figure 1 allows all traffic
from the 192.168.30.0/24 network. Because of the implied "deny
any" at the end, all other traffic is blocked with this ACL. Standard
ACLs are created in global configuration mode.
There are 2 types of ACLs.
1. Standard.
2. Extended.
Extended ACLs
Extended ACLs filter IPv4 packets based on several attributes:
Protocol type
Source IPv4 address
Destination IPv4 address
Source TCP or UDP ports
Destination TCP or UDP ports
Optional protocol type information for finer control
Key Word:
1.
2.
3.
4.
5.
Host
Any
Permit
Deny
All
You could accomplish the same result with statements like the
two shown below:
R1(config)# access-list 10 permit 192.168.10.0
R1(config)# access-list 10 permit 192.168.11.0
It is far more efficient to configure the wildcard mask in the
following way:
R1(config)# access-list 10 permit 192.168.10.0 0.0.3.255
Consider the configuration below to match networks in
the range between 192.168.16.0 to 192.168.31.0:
R1(config)# access-list 10 permit 192.168.16.0
R1(config)# access-list 10 permit 192.168.17.0
R1(config)# access-list 10 permit 192.168.18.0
R1(config)# access-list 10 permit 192.168.19.0
R1(config)# access-list 10 permit 192.168.20.0
R1(config)# access-list 10 permit 192.168.21.0
R1(config)# access-list 10 permit 192.168.22.0
R1(config)# access-list 10 permit 192.168.23.0
R1(config)# access-list 10 permit 192.168.24.0
R1(config)# access-list 10 permit 192.168.25.0
R1(config)# access-list 10 permit 192.168.26.0
R1(config)# access-list 10 permit 192.168.27.0
R1(config)# access-list 10 permit 192.168.28.0
R1(config)# access-list 10 permit 192.168.29.0
R1(config)# access-list 10 permit 192.168.30.0
R1(config)# access-list 10 permit 192.168.31.0
The previous 16 configuration statements can be reduced to a single
statement using the correct wildcard mask as shown below:
R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
Key Word: Host, Any
Example 1: Wildcard Masking Process with a Single IP Address
In Example 1 in the figure, instead of entering 192.168.10.10
0.0.0.0, you can use host 192.168.10.10.
Example 2: Wildcard Masking Process with a Match Any IP
Address
In Example 2 in the figure, instead of entering 0.0.0.0
255.255.255.255, you can use the keyword any by itself.
Note: The keywords host and any can also be used when
configuring an IPv4 or IPv6
The any and host Keywords
Example 1 in the figure shows how to use the
any keyword to substitute for the IPv4 address
0.0.0.0 with a wildcard mask of
255.255.255.255.
Example 2 shows how to use the host keyword
to substitute for the wildcard mask when
identifying a single host.
Guidelines for using ACLs
1. Use ACLs in firewall routers positioned between your internal network and
an external network such as the Internet.
2. Use ACLs on a router positioned between two parts of your network to
control traffic entering or exiting a specific part of your internal network.
3. Configure ACLs on border routers, that is, routers situated at the edges of
your networks. This provides a very basic buffer from the outside network,
or between a less controlled area of your own network and a more
sensitive area of your network.
4. Configure ACLs for each network protocol configured on the border router
interfaces.
Every ACL should be placed where it has the greatest impact on
efficiency. As shown in the figure, the basic rules are:
Extended ACLs - Locate extended ACLs as close as possible to the
source of the traffic to be filtered. This way, undesirable traffic is
denied close to the source network without crossing the network
infrastructure.
Standard ACLs - Because standard ACLs do not specify destination
addresses, place them as close to the destination as possible. Placing
a standard ACL at the source of the traffic will effectively prevent that
traffic from reaching any other networks through the interface where
the ACL is applied.
!
Note: For CCNA certification the general rule is that
extended ACLs are placed as close as possible to the source
and standard ACLs are placed as close as possible to the
destination.
ES and SD
A standard ACL can only filter
traffic based on a source address.
The basic rule for placement of a
standard ACL is to place the ACL as
close as possible to the destination
network. This allows the traffic to
reach all other networks except the
network where the packets will be
filtered.
In the figure, the administrator wants to prevent traffic
originating in the 192.168.10.0/24 network from reaching
the 192.168.30.0/24 network.
If the standard ACL is placed on the outbound interface of
R1, this would prevent traffic on the 192.168.10.0/24
network from reaching any networks reachable through
the Serial 0/0/0 interface of R1.
Following the basic placement guidelines of placing the
standard ACL close to the destination, the figure shows
two possible interfaces on R3 to apply the standard ACL:
R3 S0/0/1 interface - Applying a standard ACL to prevent
traffic from 192.168.10.0/24 from entering the S0/0/1
interface will prevent this traffic from reaching
192.168.30.0/24 and all other networks reachable by R3.
This includes the 192.168.31.0/24 network. Because the
intent of the ACL is to filter traffic destined only for
192.168.30.0/24, a standard ACL should not be applied to
this interface.
R3 G0/0 interface - Applying the standard ACL to traffic
exiting the G0/0 interface will filter packets from
192.168.10.0/24 to 192.168.30.0/24. This will not affect
other networks reachable by R3. Packets from
192.16810.0/24 will still be able to reach 192.168.31.0/24.
Here, the administrator wants to deny Telnet and FTP traffic
from the .11 network to Company B’s 192.168.30.0/24 (.30, in
this example) network. At the same time, all other traffic from
the .11 network must be permitted to leave Company A
without restriction.
There are several ways to accomplish these goals. An extended
ACL on R3 that blocks Telnet and FTP from the .11 network
would accomplish the task, but the administrator does not
control R3. In addition, this solution also allows unwanted
traffic to cross the entire network, only to be blocked at the
destination. This affects overall network efficiency.
A better solution is to place an extended ACL on R1 that
specifies both source and destination addresses (.11 network
and .30 network, respectively), and enforces the rule, "Telnet
and FTP traffic from the .11 network is not allowed to go to the
.30 network." The figure shows two possible interfaces on R1
to apply the extended ACL:
R1 S0/0/0 interface (outbound) - One possibility is to apply an
extended ACL outbound on the S0/0/0 interface. Because the
extended ACL can examine both source and destination
addresses, only FTP and Telnet packets from 192.168.11.0/24
will be denied. Other traffic from 192.168.11.0/24 and other
networks will be forwarded by R1. The disadvantage of placing
the extended ACL on this interface is that all traffic exiting
S0/0/0 must be processed by the ACL including packets from
192.168.10.0/24.
R1 G0/1 interface (inbound) - Applying an extended ACL to
traffic entering the G0/1 interface means that only packets
from the 192.168.11.0/24 network are subject to ACL
processing on R1. Because the filter is to be limited to only
those packets leaving the 192.168.11.0/24 network, applying
the extended ACL to G0/1 is the best solution.
The order of your ACE Matters a lot
When traffic enters the router, the traffic is
compared to all ACEs in the order that the
entries occur in the ACL. The router
continues to process the ACEs until it finds a
match. The router will process the packet
based on the first match found and no other
ACEs will be examined. If it doesn’t finds a
rule, the implicit deny is automatically
applied.
access-list 2 deny 192.168.10.10
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ]
Applying an ACL
Name Access List
Naming an ACL makes it easier to understand its function. For example, an ACL
configured to deny FTP could be called NO_FTP. When you identify your ACL with
a name instead of with a number, the configuration mode and command syntax
are slightly different.
Step 1. Starting from the global configuration mode, use the ip access-list
command to create a named ACL. ACL names are alphanumeric, case sensitive,
and must be unique. The ip access-list standard name is used to create a standard
named ACL, whereas the command ip access-list extended name is for an
extended access list. After entering the command, the router is in named standard
ACL configuration mode as indicated by the prompt.
Note: Numbered ACLs use the global configuration command access-list whereas
named IPv4 ACLs use the ip access-list command.
Extended Access List
Download