09 Security and Traffic Management

The document discusses Access Control Lists (ACLs) in networking, detailing their functions, types (Standard, Extended, Named), and configurations for managing traffic and enhancing security. It covers the differences between IPv4 and IPv6 ACLs, including their filtering capabilities and application methods. Additionally, it provides examples of ACL commands and best practices for implementation and troubleshooting.

IT 225 NETWORKING 3

Security and Traffic Management


Security and Traffic Management
• ensure safe and efficient data transmission
• regulate traffic flow
• prevent unauthorized access
• optimize network performance
Access Control List (ACL):
• controls traffic flow into or out of a network interface
• Standard ACLs – filter traffic based on the source IP only
• Extended ACLs – filter traffic based on source IP, destination IP, protocol, port numbers, etc.
Functions of ACLs
• Traffic management: Conserving bandwidth by blocking unnecessary traffic
• Network security: Preventing unauthorized access to or from a network
• Access restriction: Limiting access to specific resources
• Bandwidth management: Classifying traffic so that QoS policies can prioritize or limit traffic types
• Monitoring & logging: Detecting unwanted traffic patterns (per-entry match counters and the log keyword)
• Policy enforcement: Applying access policies for users and applications
IPv4 Access Control List (ACL)
• filter network traffic and improve security
• implemented in routers and switches to secure networks by permitting or
denying specific packets based on various parameters
• source/destination IP
• Protocols
• port numbers
Types of IPv4 ACLs
• Standard ACLs
• Filter traffic based on source IP address only
• Allowing or blocking entire subnets or hosts
• Numbered range: 1–99, 1300-1999
• Extended ACLs
• Filter traffic based on source IP, destination IP, protocol, port number
• Provides greater control over traffic filtering
• Numbered range: 100–199, 2000-2699
• Named ACLs
• More flexible and readable
• Can be standard or extended
• Use names instead of numbers for easier identification
General Rules on ACLs
• Place standard ACLs close to the destination
• Place extended ACLs close to the source
• Always include a permit statement for required traffic
• ACLs are processed top-down until a match is found; as soon as an entry matches, its action (permit or deny) is taken and no later entry is consulted
• If no entry matches, the implicit deny at the end blocks the packet
• Document ACL rules with comments (the remark keyword)
• Test ACLs in a lab or simulate using tools before applying them in production
Standard ACL Configurations
• Numbered ACL
access-list [1-99|1300-1999] {permit|deny} source [wildcard]

• Named ACL
ip access-list standard NAME
{permit|deny} source [wildcard]

• Applying the ACL to an interface (direction is from the router's point of view; one ACL per interface, per direction, per protocol)

interface FastEthernet0/0
 ip access-group 10 in

• Inbound: filters packets as they enter the interface, before the routing decision
• Outbound: filters packets as they exit the interface, after the routing decision; traffic generated by the router itself is not checked by an outbound ACL
Wildcard Mask Basics
Wildcard masks are the bitwise inverse of subnet masks: a 0 bit means "this address bit must match", a 1 bit means "ignore this bit".

Subnet Mask      Wildcard Mask
255.255.255.0    0.0.0.255
255.255.0.0      0.0.255.255
255.0.0.0        0.255.255.255

0.0.0.0          match all 32 bits (exact IP; same as the host keyword)
0.0.0.255        match the first 3 octets, ignore the last
0.255.255.255    match only the first octet
255.255.255.255  ignore every bit (same as the any keyword)

192.168.1.0 0.0.0.255 matches 192.168.1.0 to 192.168.1.255


Allow only host 192.168.10.10 into the network through the router's interface

• HOST: permit the single host; every other source falls through to the implicit deny

access-list 10 permit 192.168.10.10

interface GigabitEthernet0/0
 ip access-group 10 in

• SUBNET: block the whole 192.168.10.0/24 subnet and permit everything else (the explicit permit any is what stops the implicit deny from dropping all other traffic)

access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any

interface GigabitEthernet0/0
 ip access-group 10 in

• Both examples use number 10; on one router they would be appended into a single list, so use a different number (or a named ACL) for each policy
Named ACL
ip access-list standard BLOCK_USERS
deny 192.168.10.66
permit any

interface g0/0
ip access-group BLOCK_USERS in
Verification Commands
show access-lists
show ip interface [interface]
show running-config

Best Practices
• Always add a permit any at the end if needed, or the implicit deny will drop everything that is not explicitly permitted
• Use named ACLs for better documentation
• Place standard ACLs as close to the destination as possible (since they only filter by source IP)
• Plan ACLs carefully to avoid breaking services
• Use show access-lists to verify (it shows the match count of each entry; the implicit deny has no counter)
Standard IPv4 ACL Features
Feature              Standard IPv4 ACL
Filters on           Source IP only
Number range         1-99, 1300-1999
Named support        Yes
Use cases            Simple host/network filtering
Interface direction  Inbound / Outbound
Layer                Layer 3 (Network)
Extended Numbered IP Access Control Lists
• identified by a number from the range 100-199, 2000-2699
• filter traffic more flexibly, based on multiple parameters:
• Source IP address
• Destination IP address
• Protocol (ip, tcp, udp, icmp, or an IP protocol number)
• Source and destination port numbers (TCP and UDP)
• Packet types (for example ICMP echo requests) and TCP flags (the established keyword matches segments with the ACK or RST bit set, i.e. replies to sessions already started)
• The interface and direction are chosen when the ACL is applied with ip access-group, not inside the entry
Extended ACL Configuration
access-list <100-199 | 2000-2699> {permit | deny} <protocol> <source IP> <wildcard> <destination IP> <wildcard> [operator port] [log]

access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
access-list 110 deny ip any any

interface GigabitEthernet0/0
 ip access-group 110 in

• allows HTTP traffic from 192.168.1.0/24 to 10.0.0.0/24; everything else entering Gi0/0 is dropped by the explicit deny (written out so that show access-lists counts the drops)
• Extended ACLs should be applied as close to the source as possible, so that traffic that will be dropped is not carried across the network first
Extended ACL Key Elements
access-list 101                  ACL number (100-199 or 2000-2699)
permit / deny                    Action to take
ip, tcp, udp, icmp               Protocol type (ip matches any IP protocol)
any, host A, or A + wildcard     Source and destination
eq, gt, lt, neq, range           Port matching operators (for TCP/UDP)
established (optional)           TCP only: match segments with ACK or RST set (return traffic)
log (optional)                   Sends a syslog message for matching packets
Protocol and Port Numbers
Protocol                                      Port   Description
HTTP (HyperText Transfer Protocol)            80     Web traffic
HTTPS (HyperText Transfer Protocol Secure)    443    Secure web
Telnet                                        23     Remote CLI (cleartext)
SSH (Secure Shell)                            22     Secure CLI
FTP (File Transfer Protocol)                  21     File transfer (control channel)
DNS (Domain Name System)                      53     Domain name lookup

Protocols Used in ACLs
Name                                        IP protocol number
ip (Internet Protocol)                      keyword for any IP protocol (not a specific number)
icmp (Internet Control Message Protocol)    1
tcp (Transmission Control Protocol)         6
udp (User Datagram Protocol)                17
gre (Generic Routing Encapsulation)         47
ospf (Open Shortest Path First)             89

Port Numbers (TCP/UDP Services)
Service                                                                  Protocol   Port Number
HTTP (HyperText Transfer Protocol)                                       TCP        80
HTTPS (HyperText Transfer Protocol Secure)                               TCP        443
FTP (Control) – File Transfer Protocol                                   TCP        21
FTP (Data, active mode)                                                  TCP        20
SSH (Secure Shell)                                                       TCP        22
Telnet                                                                   TCP        23
DNS (Domain Name System)                                                 UDP/TCP    53
DHCP/BOOTP (Dynamic Host Configuration Protocol / Bootstrap Protocol)    UDP        67 (server), 68 (client)
SNMP (Simple Network Management Protocol)                                UDP        161 (agent), 162 (traps)
SMTP (Simple Mail Transfer Protocol)                                     TCP        25
POP3 (Post Office Protocol version 3)                                    TCP        110
IMAP (Internet Message Access Protocol)                                  TCP        143
Operators Used with Ports
Operator   Meaning
eq         Equal to
neq        Not equal to
gt         Greater than
lt         Less than
range      Between two ports (inclusive)

access-list 110 deny tcp any any range 20 21

• Denies TCP traffic to destination ports 20 through 21 (FTP data and control) from any source to any destination; the operator applies to the address it follows, so an operator written after the source matches the source port


Deny Telnet from a specific network
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq 23
access-list 101 permit ip any any

• Deny any TCP traffic from 192.168.10.0/24 going to any destination on port 23
• Allow all other traffic
Allow HTTP traffic only to a web server
access-list 110 permit tcp any host 192.168.50.10 eq 80
access-list 110 deny ip any any

• Only allow HTTP traffic to a specific host


• Deny everything else
Extended ACL with Protocol and Port
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

• matches source, destination, protocol, and port


• permits HTTP traffic from 192.168.1.0/24 to any destination
Allow ICMP from a specific network
access-list 100 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any

interface GigabitEthernet0/0
 ip access-group 100 in

• Allow all ICMP from 192.168.10.0/24 to 192.168.20.0/24 and drop everything else entering Gi0/0
• To allow only ping rather than every ICMP type, add the echo keyword (and echo-reply in the return direction); note that this list reuses number 100 from the previous slide, so on the same router the two examples would merge


Named ACL
ip access-list {standard|extended} NAME
 {permit|deny} [parameters...]

ip access-list extended WEB-TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 deny ip any any
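To make the matching rules on these slides concrete (wildcard masks, top-down first-match processing, the implicit deny ip any any, and the eq/neq/gt/lt/range operators), here is a small evaluator that parses the standard and extended entries shown above and runs constructed packets through them. It is an added example written for this page, not part of the course material and not how IOS implements ACLs; the packet dictionaries, the function names (parse_acl, evaluate, wildcard_for_prefix) and the keyword subset it accepts are assumptions of the example.

```python
"""Offline evaluator for the Cisco-style IPv4 ACL entries on these slides.
Added example for this page (not course material, not IOS code). It accepts the
keyword subset used above (ip/tcp/udp/icmp, any / host A / A WILDCARD,
eq/neq/gt/lt/range, optional log) and applies the slides' rules: wildcard-mask
matching, top-down first match, implicit 'deny ip any any'."""
import ipaddress

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
PORT_OPS = {  # operator -> test(packet_port, arg1, arg2)
    "eq": lambda p, a, b: p == a,
    "neq": lambda p, a, b: p != a,
    "gt": lambda p, a, b: p > a,
    "lt": lambda p, a, b: p < a,
    "range": lambda p, a, b: a <= p <= b,
}
ANY = ("0.0.0.0", "255.255.255.255")  # every wildcard bit set: matches anything


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_for_prefix(prefixlen):
    """Wildcard mask for a /prefixlen network: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = this address bit must equal the base, 1 = don't care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-ACL host shorthand)."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if len(t) > 1 and t[1][0].isdigit():  # next token is a wildcard mask
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]


def _port(t):
    """Consume an optional 'OP PORT' or 'range LOW HIGH' clause."""
    if t and t[0] in PORT_OPS:
        if t[0] == "range":
            return ("range", int(t[1]), int(t[2])), t[3:]
        return (t[0], int(t[1]), None), t[2:]
    return None, t


def parse_ace(line):
    """Parse one entry in numbered ('access-list N ...') or named ('permit ...') form."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]  # drop 'access-list NUMBER'
    action, t = t[0], t[1:]
    if t[0] in PROTOCOLS:  # extended entry
        proto, t = t[0], t[1:]
        src, t = _addr(t)
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
    else:  # standard entry: source only
        proto, sport, dport, dst = "ip", None, None, ANY
        src, t = _addr(t)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in t, "hits": 0}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, pkt):
    """First matching entry decides; no match -> implicit deny. Returns (action,
    entry index or None) and bumps the entry's hit counter, like the match counts
    in 'show access-lists' (the implicit deny has no counter)."""
    for i, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if all(PORT_OPS[op[0]](pkt.get(key, -1), op[1], op[2])
               for key, op in (("sport", ace["sport"]), ("dport", ace["dport"])) if op):
            ace["hits"] += 1
            return ace["action"], i
    return "deny", None  # implicit 'deny ip any any'


if __name__ == "__main__":
    # ACL 110 from the slides run against constructed sample packets.
    acl110 = parse_acl("""access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
                          access-list 110 deny ip any any""")
    for pkt in ({"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.0.9", "dport": 80},
                {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.0.9", "dport": 443},
                {"proto": "icmp", "src": "192.168.1.5", "dst": "10.0.0.9"}):
        print(pkt, "->", evaluate(acl110, pkt))
    print([ace["hits"] for ace in acl110])  # per-entry match counts
```

Running it shows the slides' ACL 110 permitting the HTTP packet at entry 0 and sending the HTTPS and ICMP packets to the explicit deny at entry 1, with the hit counters mirroring what show access-lists would report. Feed it the standard examples from earlier slides (access-list 10, BLOCK_USERS) and a source outside the permitted host to see the (deny, None) result of the implicit deny, which is exactly the case show access-lists cannot count.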
Troubleshooting ACLs
• Verification
show access-lists                        (entries with their match counts; the implicit deny is not counted)
show ip interface GigabitEthernet0/0     (which ACL is applied, and in which direction)
show running-config

• Logging with ACLs

access-list 110 deny ip any any log

• log sends a syslog message for matching packets (source, destination, protocol, ports); logged matches cost CPU and are rate limited, so use log for troubleshooting or on specific deny entries rather than on high-volume permit entries
IPv6 Access Control List (ACL)
• Filter traffic based on IPv6 packet parameters
• Control incoming or outgoing traffic
• Enforce security policies in a network that uses the IPv6 protocol

What IPv6 ACLs can do:
• Permit or deny traffic
• Filter based on source/destination IPv6 addresses
• Match Layer 4 protocols (TCP, UDP, ICMPv6)
• Match traffic types such as SSH, Telnet, HTTP, and others
• Match router advertisements and other control messages
IPv4 vs IPv6 ACLs
Feature          IPv4 ACL                          IPv6 ACL
Address format   32-bit                            128-bit
Address match    address + wildcard mask           prefix/length (or host, any)
NAT support      Supported                         NAT not typically used in IPv6
Implicit rules   Implicit deny ip any any          Implicit permit icmp any any nd-na, permit icmp any any nd-ns, then deny ipv6 any any
Configuration    access-list or ip access-list     ipv6 access-list only (named)
Applied with     ip access-group NAME in|out       ipv6 traffic-filter NAME in|out
Types of IPv6 ACLs
• Named IPv6 ACL
• Only named ACLs are allowed in IPv6
• Created using the ipv6 access-list <name> command
• Router ACLs vs Security ACLs
• Router ACLs filter transit traffic
• Security ACLs are used in firewalls for device-level protection

Standard IPv6 ACLs
• Filter traffic only based on source IPv6 addresses
• Less common, as most IPv6 filtering needs more detail

Extended IPv6 ACLs
• Filter traffic based on source/destination addresses, protocols, ports, and more
• Most frequently used in enterprise-grade networks
• In current IOS there is a single named IPv6 ACL type whose entries already take the extended form; "standard" here just means entries that match on the source address only
Create the ACL
ipv6 access-list BLOCK_TELNET
 deny tcp any any eq 23
 permit ipv6 any any
• Denies Telnet (TCP port 23) from any source to any destination
• Permits all other IPv6 traffic

Enable IPv6 Routing
ipv6 unicast-routing

Apply ACL to Interface
interface GigabitEthernet0/0
 ipv6 traffic-filter BLOCK_TELNET in
• in: filters packets coming into the interface
• out: filters packets going out of the interface
Filter Conditions in IPv6 ACLs
• Source and destination IPv6 address (prefix/length, host, or any)
• Protocols (TCP, UDP, ICMPv6)
• Source/destination port numbers
• Established sessions
• Traffic types (HTTP, Telnet, SSH, and others)
• ICMPv6 message types (echo-request, nd-ns, nd-na, and others)

General Rules
• Be explicit about how the list ends, but remember what an explicit deny ipv6 any any does: it is evaluated before the implicit nd-na/nd-ns permits, so neighbor discovery through that interface stops unless permit icmp any any nd-ns and permit icmp any any nd-na are placed ahead of it
• Carefully plan filtering to avoid blocking essential control traffic (neighbor discovery, router solicitation/advertisement, Packet Too Big for path MTU discovery)
• Use specific source/destination addresses instead of broad any any when possible
• Apply ACLs in the correct direction (inbound or outbound)
• Test in a lab environment before deploying to production
Deny ICMPv6 echo requests (ping) to a specific host
ipv6 access-list BLOCK_PING
 deny icmp any host 2001:DB8:ACAD:1::10 echo-request
 permit ipv6 any any
• The entry matches on the destination, so it blocks pings sent to that host; without the echo-request keyword it would match every ICMPv6 message to the host, including neighbor discovery and Packet Too Big, not only ping

Permit only HTTP and HTTPS traffic
ipv6 access-list WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any
• The two ND permits are needed because the explicit deny ipv6 any any matches before the implicit ND permits and would otherwise break address resolution on the interface

Deny all Telnet and SSH but allow other traffic
ipv6 access-list BLOCK_REMOTE_ACCESS
 deny tcp any any eq 22
 deny tcp any any eq 23
 permit ipv6 any any

Deny Telnet from one /64 prefix only
ipv6 access-list BLOCK_TELNET
 deny tcp 2001:db8:acad::/64 any eq 23
 permit ipv6 any any
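The implicit entries listed in the IPv4 vs IPv6 table are the part of IPv6 ACLs that most often surprises people, so here is an evaluator for the named IPv6 ACLs on these slides that appends IOS's implicit nd-na/nd-ns permits and implicit deny and then runs a constructed Neighbor Solicitation through the WEB_ONLY list, with and without explicit ND permits. This is an added example written for this page, not course material and not IOS code; the packet dictionaries, the function names (parse_acl, evaluate, is_implicit), the ICMPv6 type table and the keyword subset it parses are assumptions of the example.

```python
"""Offline evaluator for the named IPv6 ACLs on these slides, including the two
implicit neighbor-discovery permits that IOS evaluates before its implicit deny.
Added example for this page (not course material, not IOS code). Assumptions:
a packet is a dict with proto/src/dst, optional dport and, for ICMPv6, icmp_type;
only the keywords used above are parsed (ipv6/tcp/udp/icmp, any / host A /
PREFIX/LEN, eq PORT, and the ICMPv6 type names in ICMP_TYPES)."""
import ipaddress

ICMP_TYPES = {"echo-request": 128, "echo-reply": 129, "nd-ns": 135, "nd-na": 136}
IMPLICIT_TAIL = (  # evaluated after the last configured entry, in this order
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
)


def _net(t):
    """Consume 'any' | 'host ADDR' | 'PREFIX/LEN'; return (IPv6Network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("::/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/128"), t[2:]
    return ipaddress.ip_network(t[0], strict=False), t[1:]


def parse_ace(line):
    """Parse '{permit|deny} PROTO SRC DST [eq PORT] [icmp-type-name]'."""
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, t = _net(t)
    dst, t = _net(t)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "dport": None, "icmp_type": None, "hits": 0}
    while t:
        tok, t = t[0], t[1:]
        if tok == "eq":
            ace["dport"], t = int(t[0]), t[1:]
        elif tok in ICMP_TYPES:
            ace["icmp_type"] = ICMP_TYPES[tok]
    return ace


def parse_acl(text):
    """Parse an 'ipv6 access-list NAME' block and append IOS's implicit entries."""
    lines = [l.strip() for l in text.strip().splitlines()
             if l.strip() and not l.strip().startswith("ipv6 access-list")]
    return [parse_ace(l) for l in lines + list(IMPLICIT_TAIL)]


def is_implicit(acl, index):
    """True when the matching entry is one IOS added, not one the admin wrote."""
    return index >= len(acl) - len(IMPLICIT_TAIL)


def evaluate(acl, pkt):
    """First match wins; returns (action, entry index). The implicit
    'deny ipv6 any any' at the end guarantees a match for any IPv6 packet."""
    for i, ace in enumerate(acl):
        if ace["proto"] != "ipv6" and ace["proto"] != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
            continue
        ace["hits"] += 1
        return ace["action"], i
    return "deny", None  # only reachable for a list built without the implicit tail


if __name__ == "__main__":
    # WEB_ONLY as first written (explicit deny ipv6 any any) versus the same list
    # with explicit ND permits, tested with a constructed Neighbor Solicitation.
    ns = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:10", "icmp_type": 135}
    web_only = parse_acl("""permit tcp any any eq 80
                            permit tcp any any eq 443
                            deny ipv6 any any""")
    fixed = parse_acl("""permit tcp any any eq 80
                         permit tcp any any eq 443
                         permit icmp any any nd-ns
                         permit icmp any any nd-na
                         deny ipv6 any any""")
    for name, acl in (("WEB_ONLY", web_only), ("WEB_ONLY + ND permits", fixed)):
        action, idx = evaluate(acl, ns)
        print(f"{name}: NS -> {action} by entry {idx} (implicit: {is_implicit(acl, idx)})")
```

The first list drops the solicitation at its own entry 2 (the explicit deny), the second permits it at entry 2 (the explicit nd-ns permit). A list that ends without an explicit deny, for example just deny tcp any any eq 23, permits the same packet through an implicit entry, which is_implicit reports; that is the difference between the two "be explicit" choices discussed in the General Rules above.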
Viewing and Verifying IPv6 ACLs
show ipv6 access-list
show run | section ipv6 access-list
show ipv6 interface GigabitEthernet0/0

Troubleshooting
debug ipv6 packet        trace traffic (very verbose; use with care on production devices)
show ipv6 access-list    verify hit counts and matching rules
show ipv6 interface      check interface configuration and which traffic-filter is applied in each direction

ACL Testing and Verification
• Check interface ACL attachment
show running-config interface GigabitEthernet0/0

• Test connectivity (ping or traceroute with IPv6) from a source the ACL is supposed to permit and from one it is supposed to deny
ping ipv6 2001:db8::1
IPv6 Standard Commands
Task                    Command
Create ACL              ipv6 access-list <name>
Add rule                {permit|deny} <protocol> <src> <dst> [eq <port>]
Apply to interface      ipv6 traffic-filter <name> {in|out}
View ACL                show ipv6 access-list
View interface filters  show ipv6 interface
