0% found this document useful (0 votes)

221 views68 pages

Network Security v1.0 - Module 8

Uploaded by

Ernesto Silverio Flores

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

221 views68 pages

Network Security v1.0 - Module 8

Uploaded by

Ernesto Silverio Flores

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 68

What to Expect in this Module

 To facilitate learning, the following features within the GUI may be included in this module:
Feature Description

Animations Expose learners to new skills and concepts.

Expose learners to new skills and concepts.
Videos
Check Your Per topic online quiz to help learners gauge content understanding.
Understanding(CYU)

Interactive Activities A variety of formats to help learners gauge content understanding.

Small simulations that expose learners to Cisco command line to practice
Syntax Checker configuration skills.
Simulation and modeling activities designed to explore, acquire, reinforce, and
PT Activity expand skills.

Networking Security v1.0

(NETSEC)
Module Objectives
Module Title: Access Control Lists

Module Objective: Implement access control lists (ACLs) to filter traffic and mitigate network attacks on a
network.
Topic Title Topic Objective
Describe standard and extended ACLs.
Introduction to Access Control Lists
Explain how ACLs use wildcard masks.
Wildcard Masks
Explain how to configure ACLs.
Configure ACLs
Use sequence numbers to edit existing standard IPv4 ACLs.
Modify ACLs
Implement ACLs.
Implement ACLs
Use ACLs to mitigate common network attacks.
Mitigate Attacks with ACLs
Configure IPv6 ACLs using CLI.
IPv6 ACLs

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Introduction to Access Control Lists
What is an ACL?
An ACL is a series of IOS commands that are used to filter packets based on information found in the
packet header.
Task Example
Limit network traffic to increase • A corporate policy prohibits video traffic on the network to reduce the network load.
network performance • A policy can be enforced using ACLs to block video traffic.
Provide traffic flow control • A corporate policy requires that routing protocol traffic be limited to certain links only.
• A policy can be implemented using ACLs to restrict the delivery of routing updates to only those that
come from a known source.
Provide a basic level of security for • Corporate policy demands that access to the Human Resources network be restricted to authorized
network access users only.
• A policy can be enforced using ACLs to limit access to specified networks.
Filter traffic based on traffic type • Corporate policy requires that email traffic be permitted into a network, but that Telnet access be
denied.
• A policy can be implemented using ACLs to filter traffic by type.
Screen hosts to permit or deny • Corporate policy requires that access to some file types (e.g., FTP or HTTP) be limited to user groups.
access to network services • A policy can be implemented using ACLs to filter user access to services.
Provide priority to certain classes • Corporate traffic specifies that voice traffic be forwarded as fast as possible to avoid any interruption.
of network traffic • A policy can be implemented using ACLs and QoS services to identify voice traffic and process it
immediately.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Introduction to Access Control Lists
Packet Filtering

Packet filtering controls access

to a network by analyzing the
incoming and/or outgoing
packets and forwarding them or
discarding them based on given
criteria. Packet filtering can
occur at Layer 3 or Layer 4.
Cisco routers support standard
and extended ACLs.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Introduction to Access Control Lists
Numbered and Named ACLs

Numbered ACLs - ACLs number 1 to 99, or 1300

to 1999 are standard ACLs while ACLs number
100 to 199, or 2000 to 2699 are extended ACLs,
as shown in the output.

Named ACLs - Named ACLs is the preferred

method to use when configuring ACLs.
Specifically, standard and extended ACLs
can be named to provide information about
the purpose of the ACL. The ip access-list
global configuration command is used to
create a named ACL.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Introduction to Access Control Lists
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that
relay through the router, and packets that exit outbound interfaces of the router.

An inbound ACL filters packets before they are routed to the outbound interface. If the packet is permitted
by the ACL, it is then processed for routing. Inbound ACLs are best used to filter packets when the
network attached to an inbound interface is the only source of packets that need to be examined.

An outbound ACL filters packets after being routed, regardless of the inbound interface. Incoming packets
are routed to the outbound interface and then they are processed through the outbound ACL. Outbound
ACLs are best used when the same filter will be applied to packets coming from multiple inbound
interfaces before exiting the same outbound interface.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
Introduction to Access Control Lists
Packet Tracer - ACL Demonstration

In this activity, you will observe how an access control list (ACL) can be used to
prevent a ping from reaching hosts on remote networks. After removing the ACL from
the configuration, the pings will be successful.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Wildcard Masking
Wildcard Mask Overview
A wildcard mask is like a subnet mask in that it uses the ANDing process to identify which bits in an IPv4
address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which
binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
Last Octet
Wildcard Mask (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.0 00000000 Match all octets.

0.0.0.63 00111111 • Match the first three octets
• Match the two left most bits of the last octet
• Ignore the last 6 bits
0.0.0.15 00001111 • Match the first three octets
• Match the four left most bits of the last octet
• Ignore the last 4 bits of the last octet
0.0.0.252 11111100 • Match the first three octets
• Ignore the six left most bits of the last octet
• Match the last two bits
0.0.0.255 11111111 • Match the first three octet
• Ignore the last octet

Wildcard Mask to Match

a Host

Wildcard Mask to Match

an IPv4 Subnet

Wildcard Mask to Match

an IPv4 Address Range

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
Wildcard Masking
Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask
from 255.255.255.255.

Assume you wanted an ACE in ACL

10 to permit access to all users in
the 192.168.3.0/24 network. To
calculate the wildcard mask,
subtract the subnet mask (i.e.,
255.255.255.0) from
255.255.255.255, as shown in the
table.

The solution produces the wildcard

mask 0.0.0.255. Therefore, the ACE
would be access-list 10 permit
192.168.3.0 0.0.0.255.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Wildcard Masking
Wildcard Mask Keywords
Keywords reduce ACL keystrokes and make it easier to read the ACE:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match
to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4
address or to accept any addresses.

For example, these ACL commands…

…can be rewritten as follows:

When configuring a complex ACL, it is suggested that you:

• Use a text editor and write out the specifics of the policy to be implemented.
• Add the IOS configuration commands to accomplish those tasks.
• Include remarks to document the ACL.
• Copy and paste the commands onto the device.
• Always thoroughly test an ACL to ensure that it correctly applies the desired policy .

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Configure ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:

Use the no access-list access-list-number global configuration command to remove a

numbered standard ACL.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Configure ACLs
Numbered Standard IPv4 ACL Syntax (Cont.)
This table provides a detailed explanation of the syntax for a standard ACL.
Parameter Description
access-list-number • This is the decimal number of the ACL.
• Standard ACL number range is 1 to 99 or 1300 to 1999.
deny This denies access if the condition is matched.
permit This permits access if the condition is matched.
remark text • (Optional) This adds a text entry for documentation purposes.
• Each remark is limited to 100 characters.
source • This identifies the source network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a
specific IP address.
source-wildcard (Optional) This is a 32-bit wildcard mask that is applied to the . If omitted, a default 0.0.0.0 mask is assumed.
log • (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
• Message includes ACL number, matched condition (i.e., permitted or denied), source address, and number
of packets.{`{" "}`}
• This message is generated for the first matched packet.
• This keyword should only be implemented for troubleshooting or security reasons.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Configure ACLs
Named Standard IPv4 ACL Syntax
ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL names is recommended.
To create a named standard ACL, use the following global configuration command:

In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that the prompt
changes to named standard ACL configuration mode. Use the help facility to view all the named standard
ACL ACE options.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Configure ACLs
Numbered Extended IPv4 ACL Syntax
The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL
is first configured, and then it is activated on an interface. However, the command syntax and parameters are
more complex to support the additional features provided by extended ACLs.

To create a numbered extended ACL, use the following global configuration command:

The parameters are reviewed on the next two slides.

The command to apply an extended IPv4 ACL to an interface is the same as the command
used for standard IPv4 ACLs.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Configure ACLs
Numbered Extended IPv4 ACL Syntax (Cont.)
Although there are many keywords and parameters for extended ACLs, it is not necessary to use all of them
when configuring an extended ACL. The table provides a detailed explanation of the syntax for an extended
ACL.
Parameter Description
access-list-number This is the decimal number of the ACL.
Extended ACL number range is 100 to 199 and 2000 to 2699.
deny This denies access if the condition is matched.
permit This permits access if the condition is matched.
remark text • (Optional) Adds a text entry for documentation purposes.
• Each remark is limited to 100 characters.
protocol • Name or number of an internet protocol.
• Common keywords include ip, tcp, udp, and icmp.
• The ip keyword matches all IP protocols.
source • This identifies the source network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a
specific IP address.
source-wildcard (Optional) A 32-bit wildcard mask that is applied to the source.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
(table continued on next slide)
Configure ACLs
Numbered Extended IPv4 ACL Syntax (Cont.)
Parameter Description
destination • This identifies the destination network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or ip-address.
destination-wildcard (Optional) This is a 32-bit wildcard mask that is applied to the destination.
operator • (Optional) This compares source or destination ports.
• Some operators include lt (less than), gt (greater than), eq (equal), and neq (not equal).
port (Optional) The decimal number or name of a TCP or UDP port.
established • (Optional) For the TCP protocol only.
• This is a 1st generation firewall feature.
log • (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
• This message includes ACL number, matched condition (i.e., permitted or denied), source address, and
number of packets.
• This message is generated for the first matched packet.
• This keyword should only be implemented for troubleshooting or security reasons.

Protocol Options - The four highlighted

protocols are the most popular options.
Use the ? to get help when entering a
complex ACE. If an internet protocol is
not listed, then the IP protocol number
could be specified. For instance, the
ICMP protocol number 1, TCP is 6, and
UDP is 17.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Configure ACLs
Protocols and Port Numbers (Cont.)
Port Keyword Options - Selecting a protocol influences port
options. For instance, selecting the:

• tcp protocol would provide TCP related ports options

• udp protocol would provide UDP specific ports options
• icmp protocol would provide ICMP related ports (i.e.,
message) options

Notice how many TCP port options are available. The

highlighted ports are popular options. Port names or number
can be specified. However, port names make it easier to
understand the purpose of an ACE. Notice how some common
ports names (e.g., SSH and HTTPS) are not listed. For these
protocols, port numbers will have to be specified.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Configure ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options. This example
configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name.
The second ACE uses the port number 80. Both ACEs achieve exactly the same result.

Configuring the port number is required when there is not a specific protocol name listed such
as SSH (port number 22) or an HTTPS (port number 443)

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Configure ACLs
TCP Established Extended ACL

TCP can also perform basic stateful

firewall services using the TCP
established keyword. The keyword
enables inside traffic to exit the inside
private network and permits the returning
reply traffic to enter the inside private
network. However, TCP traffic generated
by an outside host and attempting to
communicate with an inside host is
denied. The established keyword can be
used to permit only the return HTTP
traffic from requested websites, while
denying all other traffic.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Configure ACLs
TCP Established Extended ACL (Cont.)

In this example, ACL 120 is configured to only permit returning web traffic to the inside hosts.
The new ACL is then applied outbound on the R1 G0/0/0 interface. The show access-lists
command displays both ACLs. Notice from the match statistics that inside hosts have been
accessing the secure web resources from the internet.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
Configure ACLs
Named Extended IPv4 ACL Syntax

Naming an ACL makes it easier to understand its function. This command enters the named
extended configuration mode. Recall that ACL names are alphanumeric, case sensitive, and must
be unique. To create a named extended ACL, use the following global configuration command:

In the example, a named extended ACL called NO-FTP-ACCESS is created and the prompt
changed to named extended ACL configuration mode. ACE statements are entered in the
named extended ACL sub configuration mode.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Configure ACLs
Named Extended IPv4 ACL Example

Named extended ACLs are created in

essentially the same way that named
standard ACLs are created. The topology in
the figure is used to demonstrate configuring
and applying two named extended IPv4 ACLs
to an interface:
• SURFING - This will permit inside HTTP
and HTTPS traffic to exit to the internet.
• BROWSING - This will only permit
returning web traffic to the inside hosts
while all other traffic exiting the R1 G0/0/0
interface is implicitly denied.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Configure ACLs
Named Extended IPv4 ACL Example (Cont.)

The SURFING ACL permits HTTP and

HTTPS traffic from inside users to exit the
G0/0/1 interface connected to the internet.
Web traffic returning from the internet is
permitted back into the inside private network
by the BROWSING ACL.
The SURFING ACL is applied inbound and
the BROWSING ACL applied outbound on
the R1 G0/0/0 interface.

Inside hosts have been accessing the secure

web resources from the internet. The show
access-lists command is used to verify the
ACL statistics.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
8.4 Modify ACLs

After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be complex
to configure. Sometimes the configured ACE does not yield the expected behaviors. For these
reasons, ACLs may initially require a bit of trial and error to achieve the desired filtering result.
There are two methods to use when modifying an ACL:

• Use a Text Editor

• Use Sequence Numbers

ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also simplifies the
tasks to edit and fix an ACL. To modify an ACL using a text editor:
• Copy the ACL from the running configuration and paste it into the text editor.
• Make the necessary edits changes.
• Remove the previously configured ACL on the router otherwise, pasting the edited ACL
commands will only append (i.e., add) to the existing ACL ACEs on the router.
• Copy and paste the edited ACL back to the router.

An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are
automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command.
The show running-config command does not display sequence numbers.

Use the ip access-list standard command to edit an ACL. Statements cannot be overwritten using the same
sequence number as an existing statement. Therefore, the current statement must be deleted first with the no
10 command. Then the correct ACE can be added using sequence number 10 as configured. Verify the changes
using the show access-lists command.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Implement ACLs
ACL Configuration Guidelines

An ACL is made up of one or more access control entries (ACEs) or statements. When configuring
and applying an ACL, be aware of the guidelines summarized in this list:

• Create an ACL globally and then apply it.

• Ensure the last statement is an implicit deny any or deny ip any any.
• Remember that statement order is important because ACLs are processed top-down.
• As soon as a statement is matched the ACL is exited.
• Ensure that the most specific statements are at the top of the list.
• Remember that only one ACL is allowed per interface, per protocol, per direction.
• Remember that new statements for an existing ACL are added to the bottom of the ACL by
default.
• Remember that router-generated packets are not filtered by outbound ACLs.
• Place standard ACLs as close to the destination as possible.
• Place extended ACLs as close to the source as possible.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
Implement ACLs
Apply an ACL
After creating an ACL, the administrator can apply it in a number of different ways. The following shows the
command syntax to apply an ACL to an interface or to the vty lines.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Implement ACLs
Apply an ACL (Cont.)
The figure below shows a named standard ACL applied to outbound traffic.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
Implement ACLs
Apply an ACL (Cont.)
This figure shows two named extended ACLs. The SURFING ACL is applied to inbound traffic and the
BROWSING ACL is applied to outbound traffic.

This example shows an ACL applied to the vty lines.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
Implement ACLs
Where to Place ACLs
Every ACL should be placed where it is
the most efficient.

The figure illustrates where standard

and extended ACLs should be located
in an enterprise network. Assume the
objective is to prevent traffic that
originates in the 192.168.10.0/24
network from reaching the
192.168.30.0/24 network.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
Implement ACLs
Where to Place ACLs (Cont.)
Placement of the ACL and therefore, the type of ACL used, may also depend on a variety of factors as listed
in the table.

Factors Influencing ACL Placement Explanation

The extent of organizational control Placement of the ACL can depend on whether or not the organization has control of both the
source and destination networks.
Bandwidth of the networks involved It may be desirable to filter unwanted traffic at the source to prevent transmission of
bandwidth-consuming traffic.
Ease of configuration • It may be easier to implement an ACL at the destination, but traffic will use bandwidth
unnecessarily.
• An extended ACL could be used on each router where the traffic originated. This would
save bandwidth by filtering the traffic at the source, but it would require creating
extended ACLs on multiple routers.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
Implement ACLs
Standard ACL Placement Example

Following the guidelines for ACL

placement, standard ACLs should be
located as close to the destination as
possible. In the figure, the
administrator wants to prevent traffic
originating in the 192.168.10.0/24
network from reaching the
192.168.30.0/24 network.

The senior network administrator has asked you to create a named standard ACL to
prevent access to a file server. All clients from one network and one specific workstation
from a different network should be denied access.

Standard access control lists are router configuration scripts that control whether a router
permits or denies packets based on the source address. This activity focuses on defining
filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying
and testing the ACL implementation. The routers are already configured.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
Implement ACLs
Extended ACL Placement Example
Extended ACLs should be located as close
to the source as possible. This prevents
unwanted traffic from being sent across
multiple networks only to be denied when it
reaches its destination. However, the
organization can only place ACLs on devices
that they control. Therefore, the extended
ACL placement must be determined in the
context of where organizational control
extends.

Company A wants to deny Telnet and FTP

traffic to Company B’s 192.168.30.0/24
network from their 192.168.11.0/24 network
while permitting all other traffic.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
Implement ACLs
Packet Tracer- Configuring Extended ACLs Scenario 1

In this Packet Tracer activity, you will complete the following objectives:

• Part 1: Configure, Apply, and Verify an Extended Numbered IPv4 ACL

• Part 2: Configure, Apply, and Verify an Extended Named IPv4 ACL

In this Packet Tracer activity, you will complete the following objectives:

• Part 1: Configure a Named Extended IPv4 ACL

• Part 2: Apply and Verify the Extended IPv4 ACL

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
Mitigate Attacks with ACLs
Mitigate Spoofing Attacks
IP address spoofing overrides the normal packet
creation process by inserting a custom IP header
with a different source IP address. There are many
well-known classes of IP addresses that should
never be source IP addresses for traffic entering
an organization’s network. The S0/0/0 interface is
attached to the internet and should never accept
inbound packets from the following addresses:
• All zeros addresses
• Broadcast addresses
• Local host addresses (127.0.0.0/8)
• Automatic Private IP Addressing (APIPA)
addresses (169.254.0.0/16)
• Reserved private addresses (RFC 1918)
• IP multicast address range (224.0.0.0/4)
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
Mitigate Attacks with ACLs
Permit Necessary Traffic through a Firewall

An effective strategy for mitigating attacks

is to explicitly permit only certain types of
traffic through a firewall. For example,
Domain Name System (DNS), Simple Mail
Transfer Protocol (SMTP), and File
Transfer Protocol (FTP) are services that
often must be allowed through a firewall.
Secure Shell (SSH), syslog, and Simple
Network Management Protocol (SNMP)
are examples of services that a router may
need to include. The figure shows an
example topology with ACL configurations
to permit specific services on the Serial
0/0/0 interface.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61
Mitigate Attacks with ACLs
Mitigate ICMP Attacks
Both ICMP echo and redirect messages should be blocked inbound by the router. Several ICMP messages are
recommended for proper network operation and should be allowed into the internal network:
• Echo reply - Allows users to ping external hosts.
• Source quench - Requests that the sender decrease the traffic rate of messages.
• Unreachable - Generated for packets that are administratively denied by an ACL.

Several ICMP messages are required for proper network operation and should be allowed to exit the network:
• Echo - Allows users to ping external hosts.
• Parameter problem - Informs the host of packet header problems.
• Packet too big - Enables packet maximum transmission unit (MTU) discovery.
• Source quench - Throttles down traffic when necessary.

As a rule, block all other ICMP message types outbound.

The example shows a sample

topology and possible ACL
configurations to permit specific
ICMP services on the G0/0 and
S0/0/0 interfaces.

Exploitation of SNMP vulnerabilities can

be mitigated by applying interface ACLs
to filter SNMP packets from non-
authorized systems. These security
measures are helpful, but the most
effective means of exploitation
prevention is to disable the SNMP
server on IOS devices for which it is not
required. Use the command no snmp-
server to disable SNMP services on
Cisco IOS devices.

In this Packet Tracer, you will complete the following objectives:

• Verify connectivity among devices before firewall configuration.

• Use ACLs to ensure remote access to the routers is available from only management station PC-C.
• Configure ACLs on R1 and R3 to mitigate attacks.
• Verify ACL functionality.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66
IPv6 ACLs
IPv6 ACL Overview
As the migration to IPv6 continues, IPv6 attacks are
becoming more pervasive. IPv4 will not disappear
overnight. IPv4 will coexist with IPv6 and then
gradually be replaced by IPv6. This creates potential
security holes. An example of a security concern is
attackers leveraging IPv4 to exploit IPv6 in dual stack
environments.

As shown in the figure, threat actors can accomplish

stealth attacks that result in trust exploitation by
using dual-stacked hosts, rogue Neighbor Discovery
Protocol (NDP) messages, and tunneling techniques.
To protect against these threats, filter at the edge
using various techniques, such as IPv6 ACLs.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 67
IPv6 ACLs
IPv6 ACL Syntax
The ACL functionality in IPv6 is like ACLs in IPv4. However, there is no equivalent to IPv4 standard ACLs. All
IPv6 ACLs must be configured with a name. IPv6 ACLs allow filtering based on source and destination
addresses that are traveling inbound and outbound to a specific interface. They also support traffic filtering
based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of
control, like extended ACLs in IPv4.

To configure an IPv6 ACL, use the ipv6 access-list command to enter into IPv6 ACL configuration mode.
Next, use the syntax shown in the figure to configure each access list entry to specifically permit or deny
traffic. Apply an IPv6 ACL to an interface with the ipv6 traffic-filter command.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 68
IPv6 ACLs
IPv6 ACL Syntax (Cont.)
Parameter Description
deny | permit Specifies whether to deny or permit the packet.
protocol Enter the name or number of an Internet protocol, or an integer representing an IPv6
protocol number.
source-ipv6-prefix/prefix-length The source or destination IPv6 network or class of networks for which to set deny or permit
conditions.
destination-ipv6-address/prefix-
length
any Enter any as an abbreviation for the IPv6 prefix ::/0. This matches all addresses.
host For host source-ipv6-address or destination-ipv6-address , enter the source or destination
IPv6 host address for which to set deny or permit conditions.
operator (Optional) An operand that compares the source or destination ports of the specified
protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and
range.
port-number (Optional) A decimal number or the name of a TCP or UDP port for filtering TCP or UDP,
respectively.

(table continued on next slide)

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 69
IPv6 ACLs
IPv6 ACL Syntax (Cont.)
Parameter Description
dscp (Optional) Matches a differentiated services codepoint value against the traffic class value in the Traffic Class
field of each IPv6 packet header. The acceptable range is from 0 to 63.
fragments (Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero
fragment offset. The fragments keyword is an option only if the operator [port-number ] arguments are not
specified. When this keyword is used, it also matches when the first fragment does not have Layer 4
information.
log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the
console. (The level of messages logged to the console is controlled by the logging console command.)
log input (Optional) Provides the same function as the log keyword, except that the logging message also includes the
input interface.
sequence value (Optional) Specifies the sequence number value for the access list statement. The acceptable range is from 1
to 4294967295.
time-range name (Optional) Specifies the time range that applies to the permit statement. The name of the time range and its
restrictions are specified by the time-range and absolute or periodic commands, respectively.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 70
IPv6 ACLs
Configure IPv6 ACLs
An IPv6 ACL contains an implicit deny ipv6 any
command. Each IPv6 ACL also contains implicit permit
rules to enable IPv6 neighbor discovery. The IPv6 NDP
requires the IPv6 network layer to send neighbor
advertisements (NAs) and neighbor solicitations (NSs). If
an administrator configures the deny ipv6 any command
without explicitly permitting neighbor discovery, then the
NDP will be disabled.
R1 is permitting inbound traffic on G0/0 from the
2001:DB8:1:1::/64 network. NA and NS packets are
explicitly permitted. Traffic sourced from any other IPv6
address is explicitly denied. If the administrator only
configured the first permit statement, the ACL would have
the same effect. However, it is a good practice to
document the implicit statements by explicitly configuring
them. © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 71
IPv6 ACLs
Packet Tracer - Configure IPv6 ACLs

In this Packet Tracer, you will complete the following objectives:

• Configure, apply, and verify an IPv6 ACL

• Configure, apply, and verify a second IPv6 ACL

• An ACL uses a sequential list of permit or deny statements, known as ACEs.

• The packet filtering process occurs when network traffic passes through an interface configured with an
ACL.
• Packet filtering can occur at Layer 3 or Layer 4.
• Named ACLs are the preferred method to use when configuring ACLs.
• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a
match.
• Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard
mask, the reverse is true.
• Subtract the subnet mask from 255.255.255.255 to calculate the wildcard mask.
• Two keywords, host and any, can be used to simplify the most common uses of wildcard masking.
• Use a text editor to configure more complex ACLs, and then copy and paste the commands onto the
device.

• To create a numbered standard ACL, use the command access-list access-list-number {deny | permit |
remark text} source [source-wildcard] [log].
• To create a named standard ACL, use the command ip access-list standard access-list-name.
• To apply a standard or extended IPv4 ACL to an interface use the command ip access-group {access-
list-number | access-list-name} {in | out}.
• ACLs with multiple ACEs should be created in a text editor.
• An ACL ACE can also be deleted or added using the ACL sequence numbers.
• Extended ACLs should be located as close as possible to the source of the traffic to be filtered.
• Standard ACLs should be located as close to the destination as possible.
• Explicitly permit only certain types of traffic through a firewall.
• Both ICMP echo and redirect messages should be blocked inbound by the router. Apply interface ACLs to
filter SNMP packets from non-authorized systems.
• Several ICMP messages are recommended for proper network operation and should be allowed into the
internal network including echo reply, source quench, and unreachable.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 75
Access Control Lists Summary
What Did I Learn in this Module?

• Several ICMP messages should be allowed to exit the network including echo, parameter problem, packet
too big, and source quench. As a rule, block all other ICMP message types outbound.
• Attackers can accomplish stealth attacks that result in trust exploitation by using dual-stacked hosts,
rogue NDP messages, and tunneling techniques.
• To mitigate attacks against IPv6 infrastructures and protocols, the strategy should include filtering at the
edge using various techniques, such as IPv6 ACLs.
• IPv6 ACLs allow filtering based on source and destination addresses that are traveling inbound and
outbound to a specific interface.
• They also support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type
information for finer granularity of control, similar to extended ACLs in IPv4.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 76
Mitigating Threats
New Terms and Commands
• access control list (ACL)
• access control entry (ACE)
• packet filtering
• wildcard mask
• ANDing
• access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [ operator
{port}] destination destination-wildcard [operator {port}] [established] [log]
• ip access-list {standard | extended} name
• ip access-group {access-list-number | access-list-name} {in | out}
• access-class {access-list-number | access-list-name} {in | out}
• show access-list
• ipv6 access-list access-list-name
• deny | permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address} [ operator [ port-
number ]] { destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address } [ operator [ port-
number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ sequence value ] [ time-range name ]
• show ipv6 access-list

ENSA Module 4
100% (1)
ENSA Module 4
36 pages
ENCOR Chapter 15
No ratings yet
ENCOR Chapter 15
65 pages
Network Security v1.0 - Module 13
No ratings yet
Network Security v1.0 - Module 13
22 pages
Network Security v1.0 - Module 20
No ratings yet
Network Security v1.0 - Module 20
29 pages
Applying Network Security Lecture 1 Notes
No ratings yet
Applying Network Security Lecture 1 Notes
393 pages
Cybersecurity Essentials 3.0-Module05
No ratings yet
Cybersecurity Essentials 3.0-Module05
31 pages
Net Security-ch15-Cryptographic Services
No ratings yet
Net Security-ch15-Cryptographic Services
28 pages
Module 16 Basic Integrity and Authenticity
No ratings yet
Module 16 Basic Integrity and Authenticity
44 pages
Networking Essentials 2.0 Module5
No ratings yet
Networking Essentials 2.0 Module5
41 pages
Network Security v1.0 - Module 19
No ratings yet
Network Security v1.0 - Module 19
37 pages
SRWE Module 14
100% (1)
SRWE Module 14
57 pages
Module 3: Network Security Concepts: Instructor Materials
100% (2)
Module 3: Network Security Concepts: Instructor Materials
96 pages
Module 18 VPNs
No ratings yet
Module 18 VPNs
45 pages
10.2.1.9 Lab - Configure A Site-to-Site IPsec VPN Using ISR CLI and ASA 5506-X ASDM
No ratings yet
10.2.1.9 Lab - Configure A Site-to-Site IPsec VPN Using ISR CLI and ASA 5506-X ASDM
16 pages
Chapter 7: Access Control Lists: CCNA Routing and Switching Routing and Switching Essentials v6.0
No ratings yet
Chapter 7: Access Control Lists: CCNA Routing and Switching Routing and Switching Essentials v6.0
41 pages
3KC69646KAAATRZZA - V1 - 1830 Photonic Service Switch (PSS) Release 10.0 DCN Planning and Engineering Guide (Switching Applications)
100% (1)
3KC69646KAAATRZZA - V1 - 1830 Photonic Service Switch (PSS) Release 10.0 DCN Planning and Engineering Guide (Switching Applications)
136 pages
ITN Module 13
100% (1)
ITN Module 13
27 pages
ENSA Module 11
100% (1)
ENSA Module 11
44 pages
Net Security-ch17-Public Key Cryptography
No ratings yet
Net Security-ch17-Public Key Cryptography
29 pages
Network Security v1.0 - Module 9
No ratings yet
Network Security v1.0 - Module 9
17 pages
Network Security v1.0 - Module 2
No ratings yet
Network Security v1.0 - Module 2
49 pages
SRWE Module 5
100% (1)
SRWE Module 5
52 pages
ITE8 Chp6
No ratings yet
ITE8 Chp6
64 pages
Network Security v1.0 - Module 10
No ratings yet
Network Security v1.0 - Module 10
37 pages
Networking Essentials 2.0 Module8
No ratings yet
Networking Essentials 2.0 Module8
58 pages
ENSA Module 10 Network Management
No ratings yet
ENSA Module 10 Network Management
81 pages
ENSA Module 1
100% (3)
ENSA Module 1
32 pages
Networking Essentials 2.0 Module4
No ratings yet
Networking Essentials 2.0 Module4
39 pages
SCP Exam Prep Guide
100% (1)
SCP Exam Prep Guide
10 pages
ECCouncil 312-50 878q
No ratings yet
ECCouncil 312-50 878q
521 pages
9.3.2.10 Configuring Extended ACLs Scenario 1 Instructions
No ratings yet
9.3.2.10 Configuring Extended ACLs Scenario 1 Instructions
4 pages
SRWE Module 3
100% (1)
SRWE Module 3
64 pages
Networking Essentials 2.0 Module10
100% (1)
Networking Essentials 2.0 Module10
37 pages
ENSA - Module - 5-ACL Config
100% (2)
ENSA - Module - 5-ACL Config
52 pages
Module 6: Network Design and The Access Layer: Networking Essentials (NETESS)
No ratings yet
Module 6: Network Design and The Access Layer: Networking Essentials (NETESS)
35 pages
Module 6: Nat For Ipv4: Instructor Materials
100% (1)
Module 6: Nat For Ipv4: Instructor Materials
58 pages
Module 9: Address Resolution: Instructor Materials
No ratings yet
Module 9: Address Resolution: Instructor Materials
27 pages
ENSA Module 14
No ratings yet
ENSA Module 14
66 pages
Module 7: Dhcpv4: Instructor Materials
100% (1)
Module 7: Dhcpv4: Instructor Materials
35 pages
Net Security-Ch11 - IPS Technologies
No ratings yet
Net Security-Ch11 - IPS Technologies
32 pages
Pred - 5 EtherChannel
No ratings yet
Pred - 5 EtherChannel
34 pages
Interface Control Document For The Common Image Generator Interface (CIGI) Version 3.3
No ratings yet
Interface Control Document For The Common Image Generator Interface (CIGI) Version 3.3
279 pages
Authentication, Authorization, and Accounting (AAA)
No ratings yet
Authentication, Authorization, and Accounting (AAA)
20 pages
Net Security-Ch12 - IPS Operations and Implementation
No ratings yet
Net Security-Ch12 - IPS Operations and Implementation
38 pages
ITE8 Chp5
No ratings yet
ITE8 Chp5
79 pages
Module 10: LAN Security Concepts: Instructor Materials
100% (1)
Module 10: LAN Security Concepts: Instructor Materials
41 pages
ITE8 Chp10
No ratings yet
ITE8 Chp10
41 pages
Module 12: Network Troubleshooting: Instructor Materials
No ratings yet
Module 12: Network Troubleshooting: Instructor Materials
55 pages
Networking Essentials 2.0 Module11
No ratings yet
Networking Essentials 2.0 Module11
35 pages
Network Security v1.0 - Module 2
No ratings yet
Network Security v1.0 - Module 2
52 pages
Network Security v1.0 - Module 21
No ratings yet
Network Security v1.0 - Module 21
79 pages
Cisco 1 ITN Module 8
No ratings yet
Cisco 1 ITN Module 8
38 pages
Module 7: Routing Between Networks: Networking Essentials (NETESS)
No ratings yet
Module 7: Routing Between Networks: Networking Essentials (NETESS)
27 pages
Communications in A Connected World: Data Communication and Computer Network
No ratings yet
Communications in A Connected World: Data Communication and Computer Network
38 pages
Module 3: Protocols and Models: Instructor Materials
No ratings yet
Module 3: Protocols and Models: Instructor Materials
66 pages
Module 16: Network Security Fundamentals: Instructor Materials
No ratings yet
Module 16: Network Security Fundamentals: Instructor Materials
38 pages
Routing Basics: Khawar Butt Ccie # 12353 (R/S, Security, SP, DC, Voice, Storage & Ccde)
No ratings yet
Routing Basics: Khawar Butt Ccie # 12353 (R/S, Security, SP, DC, Voice, Storage & Ccde)
12 pages
SRWE Module 2
No ratings yet
SRWE Module 2
27 pages
Module 9: Address Resolution: Instructor Materials
No ratings yet
Module 9: Address Resolution: Instructor Materials
27 pages
Vlans: Switching, Routing, and Wireless Essentials v7.0 (SRWE)
No ratings yet
Vlans: Switching, Routing, and Wireless Essentials v7.0 (SRWE)
44 pages
Instructor Materials Chapter 1: Cybersecurity and The Security Operations Center
No ratings yet
Instructor Materials Chapter 1: Cybersecurity and The Security Operations Center
18 pages
13.3.2-Lab - Use-Ping-And-Traceroute-To-Test-Network-Connectivity - CESAR RIOS
No ratings yet
13.3.2-Lab - Use-Ping-And-Traceroute-To-Test-Network-Connectivity - CESAR RIOS
11 pages
Topic 1.0 Access Control Lists
No ratings yet
Topic 1.0 Access Control Lists
29 pages
ENSA Module 4 Students-Cancel
No ratings yet
ENSA Module 4 Students-Cancel
30 pages
Access Control Lists
No ratings yet
Access Control Lists
38 pages
Sy2021-2021 T-Cpet414 Acl
No ratings yet
Sy2021-2021 T-Cpet414 Acl
59 pages
13 The Cisco Troubleshooting Methodology Answer Key
No ratings yet
13 The Cisco Troubleshooting Methodology Answer Key
5 pages
CCNA CyberOps v1.0 Final Exam
No ratings yet
CCNA CyberOps v1.0 Final Exam
111 pages
Iptables
No ratings yet
Iptables
10 pages
312-50 - 7 Version 3.0 PDF
No ratings yet
312-50 - 7 Version 3.0 PDF
169 pages
Configuring IPTables For Snort Inline
No ratings yet
Configuring IPTables For Snort Inline
10 pages
CN Network Commands
No ratings yet
CN Network Commands
5 pages
It1351 2 Marks
No ratings yet
It1351 2 Marks
25 pages
ADV-6 K
No ratings yet
ADV-6 K
303 pages
CCNA 200-301 - Lab-8 Static Floating
No ratings yet
CCNA 200-301 - Lab-8 Static Floating
8 pages
Lab 1
No ratings yet
Lab 1
11 pages
Brksec 3455
No ratings yet
Brksec 3455
87 pages
What Do You Mean by Computer Networks? What Are The Uses Computer Networks? and Applications of Computer Networks ?
No ratings yet
What Do You Mean by Computer Networks? What Are The Uses Computer Networks? and Applications of Computer Networks ?
32 pages
Lab 2 Solution
No ratings yet
Lab 2 Solution
39 pages
Amit Kumar CN File
No ratings yet
Amit Kumar CN File
40 pages
Csf3223 Networking Final Exam Notes - 240723 - 001609
No ratings yet
Csf3223 Networking Final Exam Notes - 240723 - 001609
26 pages
CSE 4471: Computer Networking Review!: - Network Layers! - Tcp/Udp! - IP!
No ratings yet
CSE 4471: Computer Networking Review!: - Network Layers! - Tcp/Udp! - IP!
15 pages
100-RP2 Presentation RIPE65
No ratings yet
100-RP2 Presentation RIPE65
35 pages
CS3591-Computer Networks Department of CSE 2022-2023
No ratings yet
CS3591-Computer Networks Department of CSE 2022-2023
33 pages
Komunikasi Data Dan Jaringan Komputer - Pertemuan 4
No ratings yet
Komunikasi Data Dan Jaringan Komputer - Pertemuan 4
28 pages
9.2.9 Packet Tracer - Examine The ARP Table
No ratings yet
9.2.9 Packet Tracer - Examine The ARP Table
4 pages
Packet Sniffing and Spoofing Lab
No ratings yet
Packet Sniffing and Spoofing Lab
12 pages
The Hacker S Handbook The Strategy Behind Breaking Into and Defending Networks 1st Edition Susan Young Download
No ratings yet
The Hacker S Handbook The Strategy Behind Breaking Into and Defending Networks 1st Edition Susan Young Download
57 pages
Playbook For DDoS
No ratings yet
Playbook For DDoS
12 pages
Lab 7
No ratings yet
Lab 7
3 pages

Network Security v1.0 - Module 8

Uploaded by

Network Security v1.0 - Module 8

Uploaded by

What to Expect in this Module

Animations Expose learners to new skills and concepts.

Interactive Activities A variety of formats to help learners gauge content understanding.

Networking Security v1.0

Packet filtering controls access

Numbered ACLs - ACLs number 1 to 99, or 1300

Named ACLs - Named ACLs is the preferred

0.0.0.0 00000000 Match all octets.

Wildcard Mask to Match

Wildcard Mask to Match

Wildcard Mask to Match

Assume you wanted an ACE in ACL

The solution produces the wildcard

For example, these ACL commands…

…can be rewritten as follows:

When configuring a complex ACL, it is suggested that you:

Use the no access-list access-list-number global configuration command to remove a

The parameters are reviewed on the next two slides.

Protocol Options - The four highlighted

• tcp protocol would provide TCP related ports options

Notice how many TCP port options are available. The

TCP can also perform basic stateful

Named extended ACLs are created in

The SURFING ACL permits HTTP and

Inside hosts have been accessing the secure

• Use a Text Editor

• Create an ACL globally and then apply it.

This example shows an ACL applied to the vty lines.

The figure illustrates where standard

Factors Influencing ACL Placement Explanation

Following the guidelines for ACL

Company A wants to deny Telnet and FTP

• Part 1: Configure, Apply, and Verify an Extended Numbered IPv4 ACL

• Part 1: Configure a Named Extended IPv4 ACL

An effective strategy for mitigating attacks

As a rule, block all other ICMP message types outbound.

The example shows a sample

Exploitation of SNMP vulnerabilities can

In this Packet Tracer, you will complete the following objectives:

• Verify connectivity among devices before firewall configuration.

As shown in the figure, threat actors can accomplish

(table continued on next slide)

In this Packet Tracer, you will complete the following objectives:

• Configure, apply, and verify an IPv6 ACL

• An ACL uses a sequential list of permit or deny statements, known as ACEs.

You might also like