Access Control List (ACL)

This document provides an overview of Access Control Lists (ACLs). It discusses how ACLs work by examining packets and determining whether to forward or block them based on conditions specified in the ACL. It also covers creating ACLs, applying wildcard masks, and the routing process that routers use to filter traffic based on ACL rules.

Uploaded by

Shadu Harris
Copyright
© Attribution Non-Commercial (BY-NC)

Access Control List (ACL)

W.lilakiatsakun
ACL Fundamental
► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask
Introduction to ACL (1)
► ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.
► These lists tell the router what types of packets to accept or deny.
► Acceptance and denial can be based on specified conditions.
► ACLs enable management of traffic and secure access to and from a network.
ACL
Introduction to ACL (2)
► To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces.
► The router examines each packet and will forward or discard it based on the conditions specified in the ACL.
► An ACL makes routing decisions based on source address, destination address, protocols, and upper-layer port numbers.
► How many of these factors are used in the ACL depends, in part, on whether we are using a “standard” or an “extended” ACL.
Cisco IOS checks the packet and upper header
Introduction to ACL (3)
► ACLs must be defined on a per protocol, per direction, or per port basis.
► To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
► ACLs control traffic in one direction at a time on an interface.
► Two separate ACLs must be created to control inbound and outbound traffic.
► Every interface can have multiple protocols and directions defined.
 If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed.
 There would be one ACL for each protocol (3), times two for each direction (2), times two for the number of ports (2).
► (2 interfaces for IP in, 2 IP out, 2 IPX in, 2 IPX out, 2 A-Talk in, 2 A-Talk out).
Access Control List grouping in a router
ACL Tasks (1)
► Limit network traffic and increase network performance.
 For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.
► Provide traffic flow control. ACLs can restrict the delivery of routing updates.
 If updates are not required because of network conditions, bandwidth is preserved.
► Provide a basic level of security for network access.
 ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
 For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
ACL Tasks (2)
► Decide which types of traffic are forwarded or blocked at the router interfaces.
 ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.
► Control which areas a client can access on a network.
► Screen hosts to permit or deny access to a network segment.
 ACLs can be used to permit or deny a user access to file types such as FTP or HTTP.
ACL Fundamental
► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask
How ACL works (1)
► The order in which ACL statements are placed is important.
► The packet is tested against each condition statement in order from the top of the list to the bottom.
► Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.
► If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked.
How ACL works (2)
► ACL statements operate in sequential, logical order.
► If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
► If all the ACL statements are unmatched, an implicit “deny any” statement is placed at the end of the list by default.
► The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted.
► When first learning how to create ACLs, it is a good idea to add the deny any at the end of ACLs to reinforce the dynamic presence of the implicit deny.
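The first-match walk and the implicit deny described on these two slides, as an added Python example that is not part of the original slide deck. It models a standard ACL as a list of (action, address, wildcard) tuples, reports which statement decided (None for the implicit deny), and adds a check the slides only hint at: it flags statements that an earlier statement fully shadows, which is exactly how a "permit any" at the top silently disables everything below it. The ACL contents and addresses are constructed for the example.

```python
import ipaddress


def _ip(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'."""
    p, a, w = _ip(packet_ip), _ip(acl_ip), _ip(wildcard)
    return (p & ~w) == (a & ~w)


def evaluate(acl, source_ip):
    """Walk a standard ACL top to bottom. The first matching statement decides
    and nothing below it is consulted. If no statement matches, the implicit
    'deny any' at the end of every ACL applies (reported as line None)."""
    for line_no, (action, acl_ip, wildcard) in enumerate(acl, start=1):
        if wildcard_match(source_ip, acl_ip, wildcard):
            return action, line_no
    return "deny", None


def shadowed_lines(acl):
    """Line numbers of statements that can never match because an earlier
    statement already covers every address they cover. Such a statement is
    dead: the statement above it always wins first."""
    dead = []
    for j, (_, a2_s, w2_s) in enumerate(acl):
        a2, w2 = _ip(a2_s), _ip(w2_s)
        for _, a1_s, w1_s in acl[:j]:
            a1, w1 = _ip(a1_s), _ip(w1_s)
            # The earlier entry ignores every bit the later one ignores, and
            # the bits it does check agree with the later entry's fixed bits.
            if (w2 & ~w1) == 0 and (a1 & ~w1) == (a2 & ~w1):
                dead.append(j + 1)
                break
    return dead


# Constructed ACLs (addresses are made up for the example).
# Specific before general: the single host is denied, the rest of the /24 permitted.
SPECIFIC_FIRST = [
    ("deny",   "192.168.10.7", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
]
# The same two statements reversed: the /24 permit now matches the host first.
GENERAL_FIRST = [
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("deny",   "192.168.10.7", "0.0.0.0"),
]
# A 'permit any' at the top makes every later statement unreachable.
PERMIT_ANY_FIRST = [
    ("permit", "0.0.0.0", "255.255.255.255"),
    ("deny",   "192.168.10.7", "0.0.0.0"),
    ("deny",   "10.0.0.0", "0.255.255.255"),
]

if __name__ == "__main__":
    for name, acl in [("specific first", SPECIFIC_FIRST),
                      ("general first", GENERAL_FIRST),
                      ("permit any first", PERMIT_ANY_FIRST)]:
        print(name, "->", evaluate(acl, "192.168.10.7"),
              "dead lines:", shadowed_lines(acl))
```

Running the script shows the host 192.168.10.7 denied by line 1 in the first list, permitted by line 1 in the second (its deny is dead), and every statement after the leading permit any reported as dead in the third; an address in neither list falls through to the implicit deny with line None.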
How ACL works (3)
► If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements!
 Nothing is more aggravating than having to re-enter a 50-line ACL just to make one change!
► To make the process of revising an ACL simpler, it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.
Routing Process (1)
► The beginning of the router process is the same, whether ACLs are used or not.
► As a frame enters an interface, the router checks to see whether the Layer 2 address matches or if it is a broadcast frame.
► If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.
► If an ACL exists, the packet is now tested against the statements in the list.
► If the packet matches a statement, the packet is either accepted or rejected.
Routing Process (2)
► If the packet is accepted in the interface, it will then be checked against routing table entries to determine the destination interface and switched to that interface.
► Next, the router checks whether the destination interface has an ACL.
 (this is still within the same router)
► If an ACL exists, the packet is tested against the statements in the list.
► If the packet matches a statement, it is either accepted or rejected.
► If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
ACL Fundamental
► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask
Creating rules for ACLs (1)
► There is an implicit deny any at the end of all access lists.
 This will not appear in the configuration listing.
► Access list entries should filter in the order from specific to general.
 Specific hosts should be denied first, and groups or general filters should come last.
► The match condition is examined first.
 The permit or deny is examined only if the match is true.
► Never work with an access list that is actively applied.
► A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
Creating rules for ACLs (2)
► New lines are always added to the end of the access list.
 A no access-list x command will remove the whole list.
 It is not possible to selectively add and remove lines with numbered ACLs.
► An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
► An access list should be removed carefully.
 If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
► Outbound filters do not affect traffic that originates from the local router.
Creating rules for ACLs (3)
► There should be one access list per protocol per direction.
► Standard access lists should be applied closest to the destination.
► Extended access lists should be applied closest to the source.
► The inbound or outbound interface should be referenced as if looking at the port from inside the router.
► Statements are processed sequentially from the top of the list to the bottom until a match is found.
► If no match is found then the packet is denied, and discarded.
Applying ACLs
ACL Fundamental
► Introduction to ACLs
► How ACLs work
► Creating ACLs
► The function of a wildcard mask
The function of a wildcard mask
► A wildcard mask is a 32-bit quantity that is divided into four octets.
► A wildcard mask is paired with an IP address.
► The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits.
► Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.
Wildcard Mask Vs Subnet Mask
► The subnet mask and the wildcard mask represent two different things when they are compared to an IP address.
► Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address.
► Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address.
► The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.
Wildcard Mask EX (1)
Wildcard Mask EX (2)
Wildcard Mask EX (3)
Wildcard Mask EX (4)
Wildcard Mask Keyword
► There are two special keywords that are used in ACLs, the any and host options.
► The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
 This option will match any address that it is compared against.
► The host option substitutes 0.0.0.0 for the mask.
► This mask requires that all bits of the ACL address and the packet address match.
 This option will match just one address.
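An added Python example (not from the slides) that makes the wildcard-mask slides concrete: a 0 bit must match and a 1 bit is ignored, the wildcard covering exactly one subnet is the bitwise inverse of that subnet's mask, a pair covers 2 to the power of the number of 1 bits, and the `any` and `host` keywords are shorthand for fixed address/wildcard pairs. It goes one step beyond the slides by enumerating the addresses a pair covers, including non-contiguous wildcards such as 0.0.0.254 (every even host), which no subnet mask can express. All addresses are constructed.

```python
import ipaddress


def _ip(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(subnet_mask):
    """The wildcard that covers exactly one subnet is the bitwise inverse of
    its subnet mask (255.255.255.0 -> 0.0.0.255). That inversion is the only
    link between the two masks; the matching rules below are wildcard-only."""
    return _dotted(_ip(subnet_mask) ^ 0xFFFFFFFF)


def matches(address, acl_address, wildcard):
    """Wildcard 0 bit: the packet bit must equal the ACL address bit.
    Wildcard 1 bit: the packet bit is ignored."""
    a, b, w = _ip(address), _ip(acl_address), _ip(wildcard)
    return (a & ~w) == (b & ~w)


def covered_count(wildcard):
    """How many addresses an address/wildcard pair can match: 2 ** (ones in wildcard)."""
    return 1 << bin(_ip(wildcard)).count("1")


def covered_addresses(acl_address, wildcard):
    """Enumerate every address the pair matches, in ascending order. Each 1 bit
    of the wildcard is a free bit; we spread a counter across the free bits."""
    w = _ip(wildcard)
    base = _ip(acl_address) & ~w          # fixed bits only
    free_bits = [bit for bit in range(32) if (w >> bit) & 1]
    for k in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (k >> i) & 1:
                value |= 1 << bit
        yield _dotted(value)


def keyword_to_pair(token):
    """Expand the two ACL keywords into address/wildcard form:
    'any' -> 0.0.0.0 255.255.255.255, 'host X' -> X 0.0.0.0."""
    parts = token.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    raise ValueError(f"not an ACL keyword: {token!r}")


if __name__ == "__main__":
    print("255.255.252.0 ->", subnet_to_wildcard("255.255.252.0"))
    print("0.0.3.255 covers", covered_count("0.0.3.255"), "addresses")
    # Non-contiguous wildcard: only the lowest bit is fixed (to 0), so only even hosts match.
    print("even hosts:", list(covered_addresses("192.168.1.0", "0.0.0.254"))[:4], "...")
    print("host keyword:", keyword_to_pair("host 10.1.1.1"))
```

The `covered_addresses` generator is also a quick way to audit an entry before applying it: if a wildcard typed as 0.0.255.255 was meant to be 0.0.0.255, the count jumps from 256 to 65,536 and the enumeration makes the over-match obvious.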
Standard ACL
► Standard ACLs check the source address of IP packets that are routed.
► The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.
► For example, packets that come in Fa0/0 are checked for their source addresses and protocols.
► If they are permitted, the packets are routed through the router to an output interface.
► If they are not permitted, they are dropped at the incoming interface.
Extended ACLs (1)
► Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
► Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.
► This gives greater flexibility to describe what the ACL will check.
► Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.
Extended ACLs (2)
► For a single ACL, multiple statements may be configured.
► Each statement should have the same access list number, to relate the statements to the same ACL.
► There can be as many condition statements as needed, limited only by the available router memory.
► Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
ACLs LAB
► 11.2.1a standard ACLs configuration 1
► 11.2.1b standard ACLs configuration 2
► 11.2.2a extended ACLs configuration 1
► 11.2.2b extended ACLs configuration 2
Named ACL
► Named ACLs allow standard and extended ACLs to be given names instead of numbers.
► The following are advantages that are provided by a named access list:
 Alphanumeric names can be used to identify ACLs.
 The IOS does not limit the number of named ACLs that can be configured.
 Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.
 However, a named access list will only allow for statements to be inserted at the end of a list.
 It is a good idea to use a text editor to create named ACLs.
Placing ACLs (1)
► Proper ACL placement will filter traffic and make the network more efficient.
► The ACL should be placed where it has the greatest impact on efficiency.
► The general rule is to put the extended ACLs as close as possible to the source of the traffic denied.
► Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Placing ACLs (2)
Placing ACLs example (1)
► In the figure, the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D.
► At the same time, other traffic must be permitted.
► The recommended solution is an extended ACL that specifies both source and destination addresses.
► Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D.
► Traffic with different source and destination addresses will still be permitted.
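An added Python example, not from the slide deck, for the Telnet/FTP scenario above. The Router A LAN and the Router D Fa0/1 LAN are given constructed addresses (192.168.1.0/24 and 192.168.4.0/24), and the extended ACL denies TCP to ports 23 and 21 between exactly those two segments before a final `permit ip any any`. It is modelled as applied inbound on Router A, so matched packets are dropped before they touch the serial links, and the sample packets show why a standard ACL could not do this job: it sees only the source address and would have to block the whole LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """Wildcard 0 bits must match, 1 bits are ignored."""
    p, a, w = _ip(packet_ip), _ip(acl_ip), _ip(wildcard)
    return (p & ~w) == (a & ~w)


@dataclass(frozen=True)
class Packet:
    protocol: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; None for protocols without one


@dataclass(frozen=True)
class Entry:
    """One extended ACL statement: action protocol src src-wild dst dst-wild [eq port]."""
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # None = no 'eq' clause, so any port matches

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl, pkt):
    """First match wins; an unmatched packet hits the implicit deny (line None)."""
    for line_no, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, line_no
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")
# Constructed addresses standing in for the figure's two LAN segments.
ROUTER_A_LAN = ("192.168.1.0", "0.0.0.255")
ROUTER_D_LAN = ("192.168.4.0", "0.0.0.255")

# Applied inbound on Router A's LAN interface, so denied packets never reach the serial links.
BLOCK_TELNET_FTP = [
    Entry("deny",   "tcp", *ROUTER_A_LAN, *ROUTER_D_LAN, dport=23),  # Telnet
    Entry("deny",   "tcp", *ROUTER_A_LAN, *ROUTER_D_LAN, dport=21),  # FTP control channel
    Entry("permit", "ip",  *ANY, *ANY),  # everything else; without it the implicit deny drops all
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "192.168.1.10", "192.168.4.20", 23),   # Telnet A -> D: denied
        Packet("tcp", "192.168.1.10", "192.168.4.20", 21),   # FTP A -> D: denied
        Packet("tcp", "192.168.1.10", "192.168.4.20", 80),   # web A -> D: permitted
        Packet("tcp", "192.168.2.10", "192.168.4.20", 23),   # other source: permitted
        Packet("tcp", "192.168.1.10", "192.168.5.20", 23),   # other destination: permitted
        Packet("icmp", "192.168.1.10", "192.168.4.20"),      # ping: permitted
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(BLOCK_TELNET_FTP, pkt))
```

Only the control connection of FTP (port 21) is matched here, which is enough to stop sessions from being set up; the data channel uses other ports and is not covered by the page's rule. Deleting the last `permit ip any any` line turns the list into "block everything from this interface", which is the most common way an ACL like this breaks a network.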
Placing ACLs example (2)
► To prevent traffic from Router A to the Router D segment, a standard ACL should be placed on Fa0/0 of Router D.
Deploy ACL
► ACLs may be used with
 Firewall
 To protect virtual terminal access
 etc
Restricting Virtual terminal access (1)
Restricting Virtual terminal access (2)