18 Ccna 200-120 Ipv4 Services Basic Acl

Cisco certification training

Instructor:- ASHOK TAMBE

Contact us :- 9930157345 ashok tambe

Training for

CCNA,CCNP,

CCNA SECURITY

CCIP,

MPLS, BGP, IPV6

NETWORK+, SEURITY+



Copyright 2015 NETworkingWANschool

CCNA 200-120

https://www.facebook.com/Networkingwanschool


CCNA 200-120


IPv4 Services

Basic IPv4 Access Control Lists

Advanced IPv4 ACLs and Device Security

Network Address Translation


CCNA 200-120


IPv4 Services



Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.

Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs.

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of your network. You can configure ACLs for all routed network protocols

The most important reason to configure ACLs is to provide security for your network. This chapter explains how to use standard and extended ACLs as part of a security solution and teaches you how to configure them on a Cisco router. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.

IPv4 ACLs perform many functions in Cisco routers, with the most common use as a packet filter.

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria

A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.

Recall that an ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on: Source IP address Destination IP address ICMP message type The ACL can also extract upper layer information and test it against its rules. Upper layer information includes: TCP/UDP source port TCP/UDP destination port

Packet Filtering To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list. For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analysed, forwarded, or processed in other ways.

As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet. *******(must remember)

By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment. *******(must remember)

The Three Ps A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface: One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction-ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0

ACLs perform the following tasks

Limit network traffic to increase network performance.

If corporate policy does not allow video traffic, ACLs can block video traffic.

Provide traffic flow control.

ACLs can restrict the delivery of routing updates.

If updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access.

ACLs can allow one host to access a part of the network and prevent others from accessing the same area.

Decide which types of traffic to forward or block at the router interfaces.

For example, an ACL can permit e-mail traffic, but block all Telnet traffic.

Control which areas a client can access on a network.

Screen hosts to permit or deny access to network services.

ACLs can permit or deny a user to access file types, such as FTP or HTTP.

ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.

ACL can classify traffic to enable priority processing down the line.

ACL Location and Direction

Cisco routers can apply ACL logic to packets at the point at which the IP packets enter an interface, or the point at which they exit an interface. In other words, the ACL becomes associated with an interface and for a direction of packet flow (either in or out). That is, the ACL can be applied inbound to the router, before the router makes its forwarding (routing) decision, or outbound, after the router makes its forwarding decision and has determined the exit interface to use. *** (must remember )

The arrows in Figure show the locations at which you could filter packets flowing left to right in the topology. For example, imagine that you wanted to allow packets sent by host A to server S1, but to discard packets sent by host B to server S1. Each arrowed line represents a location and direction at which a router could apply an ACL, filtering the packets sent by host B.

The four arrowed lines in the figure point out the location and direction for the

router interfaces used to forward the packet from host B to server S1. In this

particular example, those interfaces and direction are inbound on R1s F0/0 interface, outbound on R1s S0/0/0 interface, inbound on R2s S0/0/1 interface, and outbound on R2s F0/0 interface. If, for example, you enabled on ACL on R2s F0/1 interface, in either direction, that ACL could not possibly filter the packet sent

from host B to server S1, because R2s F0/1 interface is not part of the route from B to S1.

How ACLs Work

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured either to apply to inbound traffic or to apply to outbound traffic. Inbound ACLs-Incoming packets are processed before they are routed(before routing lookup)to the

outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. ***(must remember )

Outbound ACLs-Incoming packets are routed (after routing lookup) to the outbound interface, and

then they are processed through the outbound ACL.***(must remember)

ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time***(must remember)

ACL statements operate in sequential order.

They evaluate packets against the ACL, from the top down, one

statement at a time.

If a packet header and an ACL statement match, the rest of the

statements in the list are skipped,

and the packet is permitted or denied as determined by the

matched statement.

If a packet header does not match a statement, the packet is tested

against the next statement in the list.

This matching process continues until the end of the list.

A final implied (IMPLICIT) statement covers all packets for which

conditions did not test true.

This final statement is often referred to as the "implicit deny

any statement" or the "deny all traffic" statement.

Because of this statement, an ACL should have at least one

permit statement in it; otherwise, the ACL blocks all traffic.

Once you apply the ACL on an interface, the router MUST compare

every packet. Causes significant processor load.

ACL Operation - Inbound ACLs

Before a packet is forwarded to an outbound interface, the router

checks the routing table to see if the packet is routable.

If the packet is not routable, it is dropped.

Next, the router checks to see whether the outbound interface is

grouped to an ACL.

If the outbound interface is not grouped to an ACL,

The packet is sent directly to the outbound interface.

If the outbound interface is grouped to an ACL,

the packet is not sent out on the outbound interface until it

is tested by the combination of ACL statements that are

associated with that interface.

A final implied (IMPLICIT) statement covers all packets for which

conditions did not test true.

This final statement is often referred to as the "implicit

deny any statement" or the "deny all traffic" statement.

ACL Operation - Outbound ACLs

As a frame enters an interface, the router checks the destination Layer 2 address.

If the frame is accepted and the router checks for an ACL on the inbound interface.

If an ACL exists, the packet is now tested against the statements in the list.

If the packet matches a statement, the packet is either accepted or rejected.

If the packet is accepted in the interface, it is then checked against routing table entries to determine the

destination interface and switched to that interface.

Next, the router checks whether the destination interface has an ACL.

If an ACL exists, the packet is tested against the statements in the list.

If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded

out the interface to the next device.

ACL and Routing and ACL Processes on a Router

Matching Packets

When you think about the location and direction for an ACL, you must already be thinking about what packets you plan to filter (discard), and which ones you want to allow through. To tell the router those same ideas, you must configure the router with an IP ACL that matches packets. Matching packets refers to how to configure the ACL commands to look at each packet, listing how to identify which packets should be discarded, and which should be allowed through.

For example, consider an example with Figure , in which you want to allow packets from host A to server S1, but to discard packets from host B going to that same server. The hosts all now have IP addresses, and the figure shows pseudocode for an ACL on R2. Figure also shows the chosen location to enable the ACL: inbound on R2s S0/0/1 interface.

Taking Action When a Match Occurs

When using IP ACLs to filter packets, only one of two actions can be chosen. The configuration commands use keywords deny and permit, and they mean (respectively) to discard the packet or to allow it to keep going as if the ACL did not exist.

The Implied "Deny All Traffic" Criteria Statement At the end of every access list is an implied "deny all traffic" criteria statement. It is also sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behaviour of ACLs and cannot be changed. ***(must remember )

Types of IP ACLs

Cisco IOS has supported IP ACLs since the early days of Cisco routers. Beginning with the original standard numbered IP ACLs in the early days of IOS, which could enable the logic shown earlier Cisco has added many ACL features, including:

Standard Numbered ACLs (199) Extended Numbered ACLs (100199) Additional ACL Numbers (13001999 standard, 20002699 extended) Named ACLs Improved Editing with Sequence Numbers

Numbering and Naming ACLs

Using numbered ACLs is an effective method for determining the ACL type on

smaller networks.

Standard ACL for IP 1-99

Extended ACL for IP 100-199

Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco

ACL.

Numbering and Naming ACLs

When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it.

(the number scheme)

Named ACLs help identify the function. Some ACLs (reflexive) MUST be named.

Access-list 5 permit Access-list 5 permit Access-list 5 permit Access-list 5 permit Access-list 5 permit

Access-list 1 permit Access-list 2 permit Access-list 3 permit Access-list 4 permit Access-list 5 permit

One group with the number 5 5 different groups

OR

Where to Place ACLs

ACLs can act as firewalls to filter packets and eliminate unwanted traffic.

Every ACL should be placed where it has the greatest impact on efficiency.

The basic rules are:

Locate extended ACLs as close as possible to the source of the traffic denied.

This way, undesirable traffic is filtered without crossing the network infrastructure.

Because standard ACLs do not specify destination addresses, place them as close

to the destination as possible.

2 Types of Cisco ACLs: standard and extended

Standard ACLs

Standard ACLs allow you to permit or deny traffic

from source IP addresses.

Apply these ACLs closest to the destination!

The destination of the packet and the ports

involved do not matter.

The example allows all traffic from network

192.168.30.0/24 network.

Because of the implied "deny any" at the end, all other

traffic is blocked with this ACL.

Extended ACLs

Extended ACLs filter IP packets based

on several attributes, for example,

protocol type, source IP address,

destination IP address, source TCP or

UDP ports, destination TCP or UDP

ports, and optional protocol type

information for finer granularity of

control.

In the figure, ACL 103 permits traffic

originating from any address on the

192.168.30.0/24 network to any destination host port 80 (HTTP).

Where to Place ACLs

Standard ACL: In the figure, the

administrator wants to prevent

traffic originating in the

192.168.10.0/24 network from

getting to the 192.168.30.0/24

network.

An standard ACL on the

outbound interface of R1

denies R1 the ability to send

traffic to other places as well.

The solution is to place a

standard ACL on the inbound

interface of R3 to stop all

traffic from the source

address192.168.10.0/24.

A standard ACL is only concern

with source IP addresses.

Where to Place ACLs

Extended ACL: Placement must be

determined in the control of the network

administrator extends. (close to the

SOURCE as possible)

In this figure, the administrator of the

192.168.10.0/24 and 192.168.11.0/24

(referred to as Ten and Eleven) wants to

deny Telnet and FTP traffic from Eleven to

the 192.168.30.0/24 (Thirty). At the same

time, other traffic must be permitted to

leave Ten. (Use Bridge example to explain)

There are several ways to do this. 1. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination. 2. Use an outbound extended, Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1. A disadvantage of this is that traffic from Ten would also be processing by the ACL, even though traffic is allowed.

The better solution is to place an extended ACL on the inbound Fa0/2 of R1. This ensures that packets from Eleven do not enter R1, and cannot cross over into Ten.

General Guidelines for Creating ACLs: Activity

Entering Criteria Statements Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur

in the router. The router continues to process the ACL statements until it has a match.

For this reason, you should have the most frequently used ACL entry at the top of the list.

If no matches are found when the router reaches the end of the list, the traffic is denied because there is an implied

deny for traffic.

A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit

statement in an ACL or all traffic is blocked.

For example, the two ACLs (101 and 102) in the figure have the same effect.

Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.

Standard ACL Logic

Standard ACL Logic In the figure, packets that come in Fa0/0 are checked for their source addresses: access-list 2 deny 192.168.10.1 access-list 2 permit 192.168.10.0 0.0.0.255 access-list 2 deny 192.168.0.0 0.0.255.255 access-list 2 permit 192.0.0.0 0.255.255.255 If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped at the incoming interface

Configuring a Standard ACL

To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface. The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to provide a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

The full syntax of the standard ACL command is as follows: Router(config)# access-list access-list-number deny permit remark source [source-wildcard] [log] The figure provides a detailed explanation of the syntax for a standard ACL. For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0 /24, you would enter: R1(config)# access-list 10 permit 192.168.10.0

Remove ACL

The no form of this command removes a standard ACL. In the figure, the output of the show access-list command displays the current ACLs configured on router R1. To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.

Remark a Standard ACL

Typically, administrators create ACLs and fully understand each the purpose of each statement within the ACL. However, when an ACL is revisited at a later time, it may no longer as obvious as it once was. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration, the remark is also displayed.

Matching the Exact IP Address

To match a specific source IP address, the entire IP address, all you have to do is

type that IP address at the end of the command. For example, the previous example

uses pseudocode for permit if source = 10.1.1.1. The following command configures that logic with correct syntax using ACL number 1:

access-list 1 permit 10.1.1.1

Matching the exact full IP address is that simple.

In earlier IOS versions, the syntax included a host keyword. Instead of simply typing

the full IP address, you first typed the host keyword, and then the IP address. Note

that in later IOS versions, if you use the host keyword, IOS accepts the command,

but then removes the keyword.

access-list 1 permit host 10.1.1.1

Matching a Subset of the Address with Wildcards

Often, the business goals you want to implement with an ACL does not match a single particular IP address, but rather a range of IP addresses. Maybe you want to match all IP addresses in a subnet.

IOS allows standard ACLs to match a range of addresses using a tool called a wildcard mask. Note that this is not a subnet mask. The wildcard mask (which this book abbreviates as WC mask) gives the engineer a way to tell IOS to ignore parts of the address when making comparisons, essentially treating those parts as wildcards, as if they already matched.

ACLs statements include masks, called wildcard masks. A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function. The mask determines how much of an IP source or destination address to apply to the address match. The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits. However, they are used for different purposes and follow different rules.

ACLs statements include wildcard masks.

A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.

The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.

Wildcard masks are referred to as an inverse mask.

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following

rules to match binary 1s and 0s:

Wildcard mask bit 0 - Match the corresponding bit value in the address

Wildcard mask bit 1 - Ignore the corresponding bit value in the address

The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address.

ACL Wildcard Masks to Match IP Subnets

The first example the wildcard mask stipulates that every bit in the IP

192.168.1.1must match exactly.

The wildcard mask is 0.0.0.0.

In the second example, the wildcard mask stipulates that anything will match.


In the third example, the wildcard mask stipulates that it will match any host

within the 192.168.1.0 /24 network.


The second figure are more complicated.

In example 1, the first two octets and first four bits of the third octet must

match exactly.

This checks for 192.168.16.0 to 192.168.31.0


Example 2 , a wildcard mask that matches the first two octets, and the least

significant bit in the third octet.

The result is a mask that would permit or deny all hosts from odd

subnets (/24) from the 192.168.0.0 major network.


ACL Wildcard Masks to Match IP Subnets

Although you could accomplish the result with two statements:

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255


It is far more efficient to configure the wildcard mask such as:


That may not seem more efficient, but when you consider if you wanted to match network 192.168.16.0 to 192.168.31.0 :

















You can see that configuring the following wildcard mask makes it far more efficient:


ACL Wildcard Masks to Match IP Subnets Calculating wildcard masks can be difficult, but you can

do it easily by subtracting the subnet mask from

255.255.255.255.

Example 1: assume you wanted to permit access to all

users in the 192.168.3.0 network.

Because the subnet mask is 255.255.255.0, you could take

the 255.255.255.255 and subtract from the subnet mask.

The solution produces the wildcard mask 0.0.0.255.

Example 2: Now assume you wanted to permit network

access for the 14 users in the subnet 192.168.3.32 /28.

The subnet mask for the IP subnet is 255.255.255.240,

take 255.255.255.255 and subtract the subnet mask

255.255.255.240

The solution this time produces the wildcard mask 0.0.0.15.

Example 3: assume you wanted to match only networks

192.168.10.0 and 192.168.11.0.

take 255.255.255.255 and subtract the subnet mask

255.255.254.0.

The result is 0.0.1.255.

Wildcard Bit Mask Keywords The keywords host and any help identify the most common uses of wildcard

masking.

The host option substitutes for the 0.0.0.0 mask. This mask states that all IP

address bits must match or only one host is matched.

The any option substitutes for the IP address and 255.255.255.255 mask.

This mask says to ignore the entire IP address or to accept any

addresses.

Example for keyword any:

Instead of entering

R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255,

you can use

R1(config)# access-list 1 permit any

Example for keyword host:

Instead of entering

R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0,

you can use

R1(config)# access-list 1 permit host 192.168.10.10.

Applying Standard ACL to Interfaces

After a standard ACL is configured, it is linked to an interface using the ip access-group command: Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out} To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. The figure lists the steps and syntax to configure and apply a numbered standard ACL on a router.

Example 1: use an ACL to permit a

single network.

This ACL allows only traffic from source

network 192.168.10.0 to be forwarded out on

S0/0/0. Traffic from networks other than

192.168.10.0 is blocked.

The first line identifies the ACL as access list

1. It permits traffic that matches the

selected parameters.

access-list 1 permit 192.168.10.0 0.0.0.255

The unseen implicit deny all other traffic.

The ip access-group 1 out interface

configuration command links and ties ACL 1

to the Serial 0/0/0 interface as an outbound filter.

Example 2: an ACL that denies a

specific host.

The first command deletes the previous

ACL 1.

The next ACL statement, denies the

PC1 host located at 192.168.10.10.

Every other host on the 192.168.10.0

/24 network is permitted.

The implicit deny statement matches

other network.

The ACL is again reapplied to interface S0/0/0 in an outbound direction.

Example 3: an ACL that denies a

specific host.

This ACL replaces the previous example

but still blocks traffic from the host

PC1. It also permits all other LAN

traffic to exit from router R1.

The first command deletes the previous

version of ACL 1 and the next ACL

statement denies the PC1 host located

at 192.168.10.10.

The third line is new and permits all

hosts from the 192.168.x.x /16

networks.

The ACL is again reapplied to interface S0/0/0 in an outbound direction.

Using an ACL to Control VTY Access

Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS software image on your router does not support SSH, you can partially improve the security of administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. You can control which administrative workstation or network manages your router with an ACL and an access-class statement to your VTY lines. You can also use this technique with SSH to further improve administrative access security.

The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.

Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.

The command syntax of the access-class command is: access-class access-list-number {in [vrf-also] | out} The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list. An example allowing VTY 0 and 4 is shown in the figure. For example, the ACL in the figure is configured to permit networks 192.168.10.0 and 192.168.11.0 access to VTYs 0 - 4. All other networks are denied access to the VTYs. The following should be considered when configuring access lists on VTYs: Only numbered access lists can be applied to VTYs. Identical restrictions should be set on all the VTYs,

because a user can attempt to connect to any of them.

Commenting ACLs

You can use the remark keyword to include comments about entries in any ACL.

The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

To include a comment for IP numbered standard or extended ACLs,

access-list access-list number remark remark command.

To remove the remark, use the no form of this command.

For an entry in a named ACL,

use the remark configuration command.

To remove the remark, use the no form of this command.

Creating Standard Named ACLs

Naming an ACL makes it easier to understand.

For example, an ACL to deny FTP could be called NO_FTP.

When you identify your ACL with a name, the configuration command syntax are slightly different.

The steps to create a standard named ACL.

Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.

ACL names are alphanumeric, must be unique and must not begin with a number.

Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more

conditions for determining if a packet is forwarded or dropped.

Step 3. Return to privileged EXEC mode with the end command.

Creating Standard Named ACLs

Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different. The figure shows the steps to create a standard named ACL. Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number. Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped. Step 3. Return to privileged EXEC mode with the end command

Monitoring and Verifying ACLs

When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration.

Editing Names ACLs

Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.

Starting with Cisco IOS 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.

You can use sequence numbers to insert statements anywhere in the named ACL.

If you are using an earlier Cisco IOS version, you can add statements only at the bottom of the named ACL.

The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricted access to the web server. Looking at this

example,

In the first show command output, you can see that the ACL named WEBSERVER has three numbered lines.

To grant another workstation access in the list only requires inserting a numbered line. The workstation with the IP address

192.168.11.10 is being added.

The final show command output verifies that the new workstation is now allowed access.

Extended Numbered IP Access Control Lists

Extended IP access lists have many similarities compared to the standard numbered IP

ACLs discussed in the previous chapter. Just like standard IP ACLs, you enable extended

access lists on interfaces for packets either entering or exiting the interface. IOS searches

the list sequentially.

Extended ACLs also use first-match logic, because the router stops the search through the

list as soon as the first statement is matched, taking the action defined in the first-matched

statement. All these features are also true of standard numbered access lists (and named

ACLs).

Extended ACLs differ from standard ACLs mostly because of the larger variety of packet

header fields that can be used to match a packet. One extended ACL statement can

examine multiple parts of the packet headers, requiring that all the parameters be matched

correctly to match that one ACL statement. That powerful matching logic makes extended

access lists both more useful and more complex than standard IP ACLs.

Matching the Protocol, Source IP, and Destination IP

Like standard numbered IP ACLs, extended numbered IP ACLs also use the access-list global

command. The syntax is identical, at least up through the permit or deny keyword. At that point, the

command lists matching parameters, and those differ, of course. In particular, the extended ACL

access-list command requires three matching parameters: the IP protocol type, the source IP address, and the destination IP address.

The IP headers Protocol field identifies the header that follows the IP header. Figure shows the location of the IP Protocol field, the concept of it pointing to the type of header that follows, along with some

details of the IP header for reference.

IOS requires that you configure parameters for the three highlighted parts of Figure . For the protocol type,

you simply use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP,

UDP, or ICMP header, respectively, following the IP header. Or you can use the keyword ip, which means all ip packets.

Extended ACL Syntax, with Required Fields

Note

When matching IP addresses in the source and destination fields, there is

one difference with standard ACLs: When matching a specific IP address,

the extended ACL requires the use of the host keyword. You cannot simply

list the IP address alone.

In an extended ACL access-list command, all the matching parameters must

match the packet for the packet to match the command.**** (must remember )

Matching TCP and UDP Port Numbers

Extended ACLs can also examine parts of the TCP and UDP headers, particularly the source

and destination port number fields. The port numbers identify the application that sends or

receives the data.

The most useful ports to check are the well-known ports used by servers. For example, web

servers use well-known port 80 by default. Figure shows the location of the port numbers in

the TCP header, following the IP header.

When an extended ACL command includes either the tcp or udp keyword, that command

can optionally reference the source and/or destination port. To make these comparisons, the

syntax uses keywords for equal, not equal, less than, greater than, and for a range of port

numbers. Additionally, the command can use either the literal decimal port numbers, or

more convenient keywords for some well-known application ports. Figure shows the

positions of the source and destination port fields in the access-list command and these

port number keywords.

For example, consider the simple network shown in Figure . The FTP server sits on the right,

with the client on the left. The figure shows the syntax of an ACL that matches the following:

Packets that include a TCP header Packets sent from the client subnet Packets sent to the server subnet Packets with TCP destination port 21 (FTP server control port)

Conversely, Figure shows the reverse flow, with a packet sent by the server back toward

PC1. In this case, the packets TCP header has a source port of 21, so the ACL must check the source port value of 21, and the ACL must be located on different interfaces. In

this case, the eq 21 parameters follow the source address field, but comes before the

destination address field.

Configuring Extended ACLs

The procedural steps for configuring extended ACLs are the same as for standard ACLs

first create the extended ACL

then activate it on an interface.

For example, the network administrator needs to restrict Internet access to allow only web browsing.

ACL 103 applies to traffic leaving 192.168.10.0 network,

It allows traffic to go to any destination ports 80 (HTTP) and 443 (HTTPS) only.

ACL 104 applies to traffic coming into the network.

ACL 104 blocking all incoming traffic, except for the established connections.

HTTP establishes connections starting with the request and then exchange of ACK, FIN, and SYN

messages.

A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the

packet belongs to an existing connection.

This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to

return to s0/0/0.

Applying Extended ACLs to Interfaces

Recall that we want to allow users to browse both insecure and secure websites.

First consider whether the traffic you want to filter is going in or out.

In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast

Ethernet port, Fa0/0.

The Internet traffic coming in is going in the S0/0/0 interface,

but is going out the Fa0/0 interface to reach PC1.

The example applies the ACL to the serial interface in both directions.

Example: Deny FTP

Denying FTP traffic from subnet 192.168.11.0 going to 192.168.10.0, but permitting all other traffic.

Remember that FTP requires ports 20 and 21, therefore you need to specify to deny FTP.

With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Example: Deny Telnet

Denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP

traffic from any other source to any destination out Fa0/0.

Note the use of the any keywords, meaning from anywhere going to anywhere.

Creating Named Extended ACLs You can create named extended ACLs in essentially the same way you created named standard ACLs.

Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a

named extended ACL.

Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.

Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name]

command.

Step 4. As an option and recommended step, save your entries in the configuration file with the copy running-

config startup-config command.

To remove a named extended ACL, use the no ip access-list extended name global configuration command.

ACL Editing

Now that you have a good understanding of the core concepts in IOS IP ACLs, this section

examines a few enhancements to IOS support for ACLs :- ACL editing with sequence numbers

ACL sequence numbers make it easier to edit existing ACLs when an ACL needs to change.

Named ACLs allow the user to delete and add new lines to the ACL from within ACL configuration

mode.

Numbered ACLs have existed in IOS since the early days of Cisco routers and IOS.

However, for many years, through many IOS versions, the ability to edit a numbered IP ACL

was poor. For example, to simply delete a line from the ACL, the user had to delete the

entire ACL and then reconfigure it.

Today, modern IOS versions allow CLI users to easily edit both numbered and named

ACLs. Cisco first introduced these enhanced ACL editing features in named ACLs only, and

slowly added them to numbered ACLs as well. This section examines these great ACL

editing features that have been around in IOS since Version 12.3, is now a relatively old

IOS version.

The ACL editing feature uses an ACL sequence number that is added to each ACL permit

or deny statement, with the numbers representing the sequence of statements in the

ACL. ACL sequence numbers provide the following features for both numbered and

named ACLs:

New Configuration Style for Numbered: Numbered ACLs use a configuration style like

named ACLs, as well as the traditional style, for the same ACL; the new style is required to

perform advanced ACL editing.

Deleting Single Lines: An individual ACL permit or deny statement can be deleted with a

no sequence-number subcommand.

Inserting New Lines: Newly added permit and deny commands can be configured with a

sequence number, dictating the location of the statement within the ACL.

Automatic Sequence Numbering: IOS adds sequence numbers to commands as you

configure them, even if you do not include the sequence numbers.



Contact us :- 9930157345 ashok tambe

https://www.facebook.com/ashok.tambe.733

https://www.facebook.com/groups/networkingwanschool/

[email protected]

Documents

18 Ccna 200-120 Ipv4 Services Basic Acl