Topic5-Access Control Lists ACL
• 2nd step:
– Place the Access Control List at the Interface
• Parts of a standard ACL statement (from the slide figure):
– Part 1: Create ACL. You must have this to create an ACL in global configuration mode.
– Part 2: Access list number. Use 1-99 for standard ACL.
– Part 4: Source IP / source IP subnet: a host, a LAN / IP subnet, or any host.
Introduction to Wildcard Mask
• As you have observed, the “part 4” portion that defines the IP
subnet in an ACL contains:
– A wildcard mask: 0.0.0.255
– Instead of a subnet mask: 255.255.255.0
• For example: an IP subnet of 172.16.1.0 to 172.16.1.255
– With subnet mask (in setting a static IP route):
• R1(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.2
– With wildcard mask (in setting an access list):
• R1(config)#access-list 9 permit 172.16.1.0 0.0.0.255
• The first things to know about the wildcard mask are:
– A wildcard mask IS NOT a subnet mask.
– A wildcard mask has an inverse relation to the subnet mask.
– A wildcard mask uses a different set of rules compared to a subnet mask.
Difference Between Subnet Mask and Wildcard Mask
• Unlike a subnet mask, a wildcard mask:
– Is not restricted to all ‘0’ on the left and all ‘1’ on the right
– That means there can be 2^32 wildcard masks
• versus only 32 valid subnet masks
– Hence, this is allowed:
• 01001000.10001111.11111111.00000001
– Does not perform a “bitwise and” process with the IP address
Wildcard Mask
• A wildcard mask is a string of binary digits telling the router
which parts of the subnet number to look at.
• A wildcard mask is simply the inverse of a subnet mask:
  255.255.255.255
- 255.255.255.240 (SM)
---------------------------
    0.  0.  0. 15 (WM)
or
00000000.00000000.00000000.00001111 (WM in binary form)
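The subtraction above and the non-contiguous mask from the previous slide, worked in Python. This is an added example, not code from the slides: wildcard_from_subnet_mask performs the slide's 255.255.255.255 subtraction, is_valid_subnet_mask shows why 01001000.10001111.11111111.00000001 is legal only as a wildcard mask, and acl_matches applies the rule that a wildcard bit of 1 means "ignore this bit". All function names are my own.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def to_binary(dotted: str) -> str:
    """Dotted-quad to the dotted binary form used on the slide."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, exactly the slide's subtraction."""
    return to_dotted(0xFFFFFFFF - to_int(subnet_mask))

def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be contiguous 1s then 0s; a wildcard mask need not be."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0      # inverse looks like 0...01...1

def acl_matches(entry_addr: str, wildcard: str, packet_ip: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = must match. This is a compare on
    the 'care' bits, not the bitwise AND a subnet mask would be used for."""
    care = (~to_int(wildcard)) & 0xFFFFFFFF
    return (to_int(entry_addr) & care) == (to_int(packet_ip) & care)

def matching_count(entry_addr: str, wildcard: str) -> int:
    """How many addresses one ACL entry covers: 2 ** (number of 1 bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

if __name__ == "__main__":
    # R1(config)#access-list 9 permit 172.16.1.0 0.0.0.255  (command from the slide)
    print(wildcard_from_subnet_mask("255.255.255.240"))          # 0.0.0.15
    print(to_binary("0.0.0.15"))                                 # 00000000.00000000.00000000.00001111
    print(acl_matches("172.16.1.0", "0.0.0.255", "172.16.1.77"))  # True
    # The slide's non-contiguous mask: legal as a wildcard, not as a subnet mask
    bits = "01001000.10001111.11111111.00000001"
    dotted = ".".join(str(int(b, 2)) for b in bits.split("."))
    print(dotted, is_valid_subnet_mask(dotted))                  # 72.143.255.1 False
```

A wildcard of 0.0.0.254 on 10.0.0.1 matches every host whose last octet is odd, something no subnet mask can express.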
Wildcard Mask
(Figure: a wildcard mask shown in binary. 0 bits are labelled “All match”, 1 bits “All ignore”; the first 3 octets must match, so the range runs up to 192.168.1.255.)
Wildcard Mask
R1(config)#int fa0/0
R1(config-if)#no ip access-group list_number in
Show running-config
R1#show run
version 12.2
hostname R1
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 23 in
duplex auto
speed auto
!
• The show running-config command displays the binding or
placement of an access list on a particular interface.
• It is also good practice to test the access list with
sample traffic to ensure that the access list logic is
correct.
Show IP Interface
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.14.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
…
• The show ip interface command displays IP interface
information and indicates whether any ACLs are set.
While you delete Access List
• When you delete a particular ACL:
– Only the content of the ACL is emptied
– The binding of the ACL is still at the interface
– Meaning the interface still has the ACL applied
– A problem occurs if you “unintentionally” re-use the deleted ACL…
Example:
R1(config)#no access-list 2
R1(config)#exit
R1#show run
version 12.2
hostname R1
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 2 in
!
Placing ACL at VTY
• Here is an example of allowing only host 172.16.10.3 to
telnet into a router:
• Because of the implied deny any at the end of the list, the
access list stops any host from telnetting into the router
except the host 172.16.10.3, regardless of which individual
IP address on the router is used as the target.
• For VTY lines, use access-class to bind the ACL
– instead of ip access-group, which is used for other types of interfaces.
Creating IP Extended List
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data
• Part 3:
– deny or permit
• Part 4:
– Layer 3 protocol
– Layer 4 protocol
Extended ACL – Part 5-8
• Part 5:
– Source address
• Host, any, IP subnet
• Same as standard ACL
• Part 6:
– “Normally” destination address
• Part 7:
– Normally conditional phrase
• gt = greater than
• eq = equal
• lt = less than
• neq = not equal
• Part 8:
– Port numbers
– Port number equivalent network service
• telnet (port 22)
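The three access-list 114 lines and the Part 3 to Part 8 breakdown, as an added Python example (not code from the slides): a small parser for numbered extended ACL lines and a top-down evaluator with the implicit deny, which lets you test the list against sample traffic as the show running-config slide recommends. The parser resolves service names to their IANA numbers (ftp-data 20, ftp 21, telnet 23); function names and the packet values are my own.

```python
import ipaddress, operator

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80}  # IANA
OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))
def _take_addr(tok):        # 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (Parts 5-6)
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))

def _take_port(tok):        # optional 'eq|gt|lt|neq <port>' (Parts 7-8)
    if not tok or tok[0] not in OPS:
        return lambda x: True
    op, p = tok.pop(0), tok.pop(0)
    port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return lambda x: OPS[op](x, port)

def parse_extended_acl(lines):
    """'access-list 100-199 permit|deny <proto> <src> [port] <dst> [port]'."""
    entries = []
    for line in lines:
        tok = line.split("#", 1)[-1].split()   # drop an 'R1(config)#' prompt
        assert tok[0] == "access-list" and 100 <= int(tok[1]) <= 199, line
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def _addr_ok(spec, ip):
    addr, wildcard = spec
    care = (~wildcard) & 0xFFFFFFFF              # wildcard 1 bits are ignored
    return (addr & care) == (_ip(ip) & care)

def evaluate(entries, proto, src_ip, sport, dst_ip, dport):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for action, p, src, sp, dst, dp in entries:
        if p in (proto, "ip") and _addr_ok(src, src_ip) and sp(sport) \
                and _addr_ok(dst, dst_ip) and dp(dport):
            return action
    return "deny"

ACL_114 = parse_extended_acl([  # constructed sample: the slide's three lines
    "R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet",
    "R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp",
    "R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data",
])
```

evaluate(ACL_114, "tcp", "172.16.6.10", 40000, "10.1.1.2", 80) returns "deny" although no line says so, which is the implicit deny the VTY slide relies on.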
Extended List Placement
R1#show ip interface
R1#show run
Creating Named ACLs - 1
• A named ACL is created with the ip access-list command.
• The advantages that a named access list provides are:
– Intuitively identify an ACL using an alphanumeric name.
• Named ACLs provide the ability to modify ACLs without
deleting and then reconfiguring them.
• It is important to note that a named access list will allow the
deletion of statements but will only allow for statements to
be inserted at the end of a list. Even with named ACLs it is
a good idea to use a text editor to create them.
• Consider the following before implementing named ACLs.
– Named ACLs are not compatible with Cisco IOS releases prior to
Release 11.2.
– The same name may not be used for multiple ACLs. For example, it
is not permissible to specify both a standard and extended ACL
named George.
Creating Named ACLs (Standard)
• IP named ACLs were introduced in Cisco IOS Software
Release 11.2, allowing standard and extended ACLs to be
given names instead of numbers.
Standard Named ACLs
Monitoring and Verifying ACL
Editing Named ACLs
• Named ACLs have a big advantage over numbered ACLs in that
they are easier to edit.
• Starting with Cisco IOS Software Release 12.3, named IP ACLs
allow you to delete individual entries in a specific ACL.
• You can use sequence numbers to insert statements anywhere in
the named ACL.
Inserting a line in Named ACL - 1
Inserting a line in Named ACL - 2
Where to Place ACLs?
• The basic rules are:
- Locate extended ACLs as close as possible to the
source of the traffic denied. This way, undesirable traffic is
filtered without crossing the network infrastructure.
- Because standard ACLs do not specify destination
addresses, place them as close to the destination as
possible.
Best Practices
Access-List Grouping in a Router
Inbound ACL
ACL “Logic”
Outbound ACL