Access Control List (ACL)

W.lilakiatsakun

Transport Layer Review (1)

• TCP (Transmission Control Protocol)
– HTTP (Web)
– SMTP (Mail)

• UDP (User Datagram Protocol)
– DNS (Domain Name System)
– SNMP (Simple Network Management Protocol)
– Note that DNS also uses TCP port 53 for zone transfers and for responses too large for a single UDP datagram, so an ACL that permits DNS usually has to permit both UDP/53 and TCP/53.

Transport Layer Review (2)

Transport Layer Review (3)

TCP Port

Transport Layer Review (4)

UDP Port

Transport Layer Review (5)

TCP/UDP Common Port

Packet Filtering (1)

• Packet filtering controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

• A router acts as a packet filter when it forwards or denies packets according to filtering rules.

Packet Filtering (2)

Packet Filtering (3)

Packet Filtering (4)

• A packet-filtering router uses rules to determine whether to permit or deny traffic based on the source and destination IP addresses, the source and destination ports, and the protocol of the packet.

• These rules are defined using access control lists, or ACLs.

Packet Filtering (5)

– Only permit web access to users from network A.
– Deny web access to users from network B.
– Permit network B all other access.

ACL (Access Control List) (1)

• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.

• ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways, for example to select which traffic is translated by NAT, protected by a VPN crypto map, or matched by a route map or QoS policy.

ACL (Access Control List) (2)

ACL (Access Control List) (3)

ACL guideline (1)

• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

ACL guideline (2)

• Configure ACLs on border routers, that is, routers situated at the edges of your networks.
– This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.

• Configure ACLs for each network protocol configured on the border router interfaces.
– You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
– Only one ACL can be applied per protocol, per interface, per direction.

ACL Operation (1)

• Inbound ACLs
– Incoming packets are checked against the ACL before they are routed to the outbound interface.
– An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded.

• Outbound ACLs
– Incoming packets are routed to the outbound interface, and then they are checked against the outbound ACL.
– Traffic generated by the router itself is not checked by an outbound ACL.

ACL Operation (2)

Inbound ACLs

ACL Operation (3)

Outbound ACLs

ACL Operation (4)

Type of CISCO ACL

Standard ACL (1)

• Standard ACLs filter on the source IP address only.

The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.

Numbering and Naming ACL

• Numbered standard ACLs use 1 to 99 (and 1300 to 1999); numbered extended ACLs use 100 to 199 (and 2000 to 2699). Named ACLs use a descriptive name instead of a number.

Where to Place ACL (1)

• Locate extended ACLs as close as possible to the source of the traffic to be denied.
– This way, undesirable traffic is filtered without crossing the network infrastructure.

• Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
– Placed near the source, a standard ACL would block that source's traffic to every destination, not just the one you want to protect.

Where to Place ACL (2)

Standard ACL

Where to Place ACL (3)

Extended ACL

ACL Best Practice (1)

ACL Criteria (1)

Configuring Standard ACL (1)

Access Control Condition

• Permit IP from network 192.168.10.0/24 except 192.168.10.1

• Permit IP from network 192.0.0.0/8 except 192.168.0.0/16

– access-list 2 deny 192.168.10.1
– access-list 2 permit 192.168.10.0 0.0.0.255
– access-list 2 deny 192.168.0.0 0.0.255.255
– access-list 2 permit 192.0.0.0 0.255.255.255

• Order matters: entries are tested top-down and the first match wins, so each specific deny must come before the broader permit that would otherwise match the same source. Every ACL ends with an implicit deny any, so anything not matched above (for example 10.0.0.0/8) is dropped.

Configuring Standard ACL (2)

Configuring Standard ACL (3)

Configuring Standard ACL (4)

Removing ACL

Standard ACL syntax:

Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

– log generates a syslog message for matching packets; useful while troubleshooting, but costly on a busy interface, so use it sparingly.

Configuring Standard ACL (5)

Documenting ACL

ACL Wildcard Masking (1)

• Wildcard masks use the following rules to match binary 1s and 0s:
– Wildcard mask bit 0 - Match the corresponding bit value in the address
– Wildcard mask bit 1 - Ignore the corresponding bit value in the address

• For a contiguous prefix the wildcard mask is the inverse of the subnet mask (255.255.255.255 minus the mask): a /24 gives 0.0.0.255, a /16 gives 0.0.255.255, a /8 gives 0.255.255.255, and a single host gives 0.0.0.0. Unlike a subnet mask, a wildcard mask need not be contiguous.
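The wildcard rule and the standard ACL evaluation above, as an added example that is not code from the slides: a small evaluator that parses the slides' own ACL 2 (the access-list 2 lines), applies the bit-0-match / bit-1-ignore rule, walks the entries top-down and falls through to the implicit deny. The sample source addresses are constructed; the misordered copy of the ACL shows why the host deny must precede the /24 permit.

```python
"""Standard ACL evaluator: wildcard masks, top-down first match, implicit deny.

Added example, not code from the original slides. It parses the slides' own
numbered ACL 2 and reports which (constructed) source addresses it permits.
"""
import ipaddress
from typing import List, Optional, Tuple


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must equal the pattern bit, bit 1 = ignore.
    So (address XOR pattern) must be zero in every position where the wildcard is 0."""
    diff = ip_to_int(address) ^ ip_to_int(pattern)
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF      # bits we must compare
    return (diff & care) == 0


def prefix_to_wildcard(cidr: str) -> Tuple[str, str]:
    """'192.168.10.0/24' -> ('192.168.10.0', '0.0.0.255'). A CIDR prefix always
    yields a contiguous wildcard (the inverse of the subnet mask); IOS also accepts
    non-contiguous masks such as 0.0.254.255, which this helper never produces."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def parse_standard_ace(line: str) -> Tuple[str, str, str]:
    """Parse 'access-list N {permit|deny} source [wildcard]' into (action, pattern,
    wildcard). Handles the IOS shorthands 'host A.B.C.D' (wildcard 0.0.0.0), 'any'
    (0.0.0.0 255.255.255.255) and a bare address, whose wildcard defaults to 0.0.0.0."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, rest[0], wildcard


def evaluate_standard_acl(acl: List[str], source: str) -> Tuple[str, Optional[str]]:
    """Entries are tested top-down and the first match wins. A source that matches
    no entry hits the implicit 'deny any' at the end of every ACL: (deny, None)."""
    for line in acl:
        action, pattern, wildcard = parse_standard_ace(line)
        if wildcard_match(source, pattern, wildcard):
            return action, line
    return "deny", None


# The slides' ACL 2: permit 192.168.10.0/24 except host 192.168.10.1,
# and permit 192.0.0.0/8 except 192.168.0.0/16.
ACL_2 = [
    "access-list 2 deny 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]

# Same entries with the host deny after the /24 permit: the permit matches
# 192.168.10.1 first and the deny is never reached.
ACL_2_MISORDERED = [ACL_2[1], ACL_2[0], ACL_2[2], ACL_2[3]]

# Constructed sample sources: one per entry plus one that only the implicit deny catches.
SAMPLE_SOURCES = ["192.168.10.1", "192.168.10.77", "192.168.20.5", "192.0.2.10", "10.1.1.1"]


def run(acl: List[str] = ACL_2) -> dict:
    return {src: evaluate_standard_acl(acl, src)[0] for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for src, action in run().items():
        print(f"{src:>14} -> {action}")
    print("misordered ACL, 192.168.10.1 ->", run(ACL_2_MISORDERED)["192.168.10.1"])
```

Running it shows 192.168.10.1 denied by the first entry, 192.168.10.77 permitted, 192.168.20.5 denied by the /16 entry, 192.0.2.10 permitted by the /8 entry and 10.1.1.1 dropped by the implicit deny; with the misordered list 192.168.10.1 is permitted, which is the ordering mistake the slides' example avoids.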

ACL Wildcard Masking (2)

ACL Wildcard Masking (3)

ACL Wildcard Masking (4)

ACL Wildcard Masking (5)

ACL Wildcard Masking (6)

Apply Standard ACL (1)

• An ACL does nothing until it is applied: on the interface use ip access-group {number | name} {in | out}; on the vty lines use access-class {number | name} in to restrict who may log in to the router.

Apply Standard ACL (2)

Apply Standard ACL (3)

Apply Standard ACL (4)

Apply Standard ACL (5)

Commenting ACL

Named ACL (1)

Named ACL (2)

Verifying ACL

• show access-lists displays each entry with its match counter; show ip interface shows which ACL is applied to each interface and in which direction.

Extended ACLs check the source address, as standard ACLs do, but they also check the destination address, the protocol, and the port numbers (or services). This gives a greater range of criteria on which to base the ACL.

Extended ACL (2)

Configuring Extended ACL (1)

• The network administrator needs to restrict Internet access to allow only website browsing.
– ACL 103 applies to traffic leaving the 192.168.10.0 network.
– ACL 104 applies to traffic coming into the network.

Configuring Extended ACL (2)

Configuring Extended ACL (3)

• ACL 103 accomplishes the first part of the requirement.
– It allows traffic from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that the traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.

Configuring Extended ACL (4)

• ACL 104 accomplishes the second part by blocking all incoming traffic except packets that belong to established connections.
– TCP establishes a connection with the three-way handshake (SYN, SYN-ACK, ACK) and closes it with FIN; every segment after the initial SYN carries the ACK flag.

Configuring Extended ACL (5)

• The established parameter allows responses to traffic that originates from the 192.168.10.0/24 network to return inbound on s0/0/0.

• A match occurs if the TCP segment has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection.
– The router keeps no connection state; it only inspects the flags. Any inbound TCP segment with ACK set matches, including crafted ones (what an ACK scan sends), so established is a weaker control than a stateful firewall or a reflexive ACL, and it does not apply to UDP at all.
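The ACL 103 / ACL 104 pair and the established check, as an added example that is not the slides' configuration: the two access-list entries below are a reconstruction of what the slides describe (the slides give the requirement, not the commands), and the hosts 198.51.100.7 and 203.0.113.9 and the packets are constructed test data. The evaluator parses extended ACEs, matches protocol, addresses and ports, and implements established exactly as the keyword works: a flag check with no session table, which is why the crafted ACK packet at the end gets through.

```python
"""Extended ACL evaluator with the 'established' keyword. Added example, not
the slides' configuration: ACL 103/104 below are a reconstruction of the
entries the slides describe, and the hosts and packets are constructed data."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags: "SYN", "ACK", "RST", "FIN"

def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore (same rule as for standard ACLs)."""
    diff = int(ipaddress.IPv4Address(address)) ^ int(ipaddress.IPv4Address(pattern))
    return (diff & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0

def _take_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2          # extended ACEs need an explicit wildcard

def _take_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":       # only the 'eq' operator is modelled
        return int(t[i + 1]), i + 2
    return None, i

def parse_extended_ace(line: str) -> dict:
    """access-list N {permit|deny} {tcp|udp|ip} src [wc] [eq p] dst [wc] [eq p] [established]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, src_wc, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, dst_wc, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    established = "established" in t[i:]
    if established and t[3] != "tcp":
        raise ValueError("'established' is only valid for tcp")
    return {"action": t[2], "proto": t[3], "src": src, "src_wc": src_wc, "sport": sport,
            "dst": dst, "dst_wc": dst_wc, "dport": dport, "established": established}

def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace["src"], ace["src_wc"])
            and wildcard_match(pkt.dst, ace["dst"], ace["dst_wc"])):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    # 'established' is stateless: the router keeps no session table, it only
    # checks that ACK or RST is set. A bare SYN fails; any other segment passes.
    return not ace["established"] or bool(pkt.flags & {"ACK", "RST"})

def evaluate_extended_acl(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    # Top-down first match; no match is the implicit deny, reported as (deny, None).
    for line in acl:
        ace = parse_extended_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

ACL_103 = [  # outbound on s0/0/0: only HTTP and HTTPS may leave 192.168.10.0/24
    "access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443",
]
ACL_104 = [  # inbound on s0/0/0: only segments of established TCP sessions may enter
    "access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established",
]

# Constructed packets: a web session, a blocked SSH attempt, an unsolicited
# inbound SYN and a crafted inbound ACK (what an ACK scan sends).
WEB_OUT = Packet("tcp", "192.168.10.5", "198.51.100.7", 40000, 80, frozenset({"SYN"}))
SSH_OUT = Packet("tcp", "192.168.10.5", "198.51.100.7", 40001, 22, frozenset({"SYN"}))
WEB_REPLY = Packet("tcp", "198.51.100.7", "192.168.10.5", 80, 40000, frozenset({"SYN", "ACK"}))
UNSOLICITED_SYN = Packet("tcp", "203.0.113.9", "192.168.10.5", 31337, 22, frozenset({"SYN"}))
ACK_SCAN = Packet("tcp", "203.0.113.9", "192.168.10.5", 31337, 22, frozenset({"ACK"}))

def run() -> dict:
    return {
        "web_out": evaluate_extended_acl(ACL_103, WEB_OUT)[0],
        "ssh_out": evaluate_extended_acl(ACL_103, SSH_OUT)[0],
        "web_reply": evaluate_extended_acl(ACL_104, WEB_REPLY)[0],
        "unsolicited_syn": evaluate_extended_acl(ACL_104, UNSOLICITED_SYN)[0],
        "ack_scan": evaluate_extended_acl(ACL_104, ACK_SCAN)[0],  # permitted: the weakness of 'established'
    }

if __name__ == "__main__":
    for name, action in run().items():
        print(f"{name:>16}: {action}")
```

The web SYN leaves and its SYN-ACK comes back, the SSH attempt and the unsolicited inbound SYN are dropped, but the crafted inbound ACK to port 22 is permitted by ACL 104 because established sees only the flag. Whether that packet reaches a service then depends on the host; the router has not protected it.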

Apply Extended ACL (1)

Apply Extended ACL (2)

Apply Extended ACL (3)

Named Extended ACL

Complex ACL

Dynamic ACL (1)

• AKA lock-and-key ACL
– Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated.
– The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that already exists.
– Telnet sends the credentials in cleartext; the same vty login can be done over SSH on platforms that support it.

Dynamic ACL (2)

Dynamic ACL (3)

Reflexive ACL (1)

• Reflexive ACLs permit reply traffic only when it comes from the destination of a known recent outbound packet and is addressed to the source of that outbound packet, with the ports reversed.
– The router creates a temporary entry when it sees the outbound packet and removes it when the session ends or the entry times out.

• This adds greater control over what traffic you allow into your network and increases the capabilities of extended access lists.
– Unlike established, a reflexive ACL matches on the actual addresses and ports of the session rather than on TCP flags, so a crafted ACK does not get through and the mechanism also works for UDP and ICMP.
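The reflexive mechanism above, as an added example that is not the slides' configuration: a session table that models what the router does when an outbound extended ACL entry carries reflect NAME and the inbound ACL carries evaluate NAME. The IOS syntax itself is not parsed here; the 300-second idle timeout, the hosts 198.51.100.7, 198.51.100.53 and 203.0.113.9 and the packets are constructed test data. The same crafted ACK that the established keyword lets through is dropped here because it is not the reverse of any live session, and the UDP DNS reply is permitted even though UDP has no flags at all.

```python
"""Reflexive ACL modelled as a stateful session table.

Added example, not the slides' configuration: it models the temporary entries a
router creates for 'reflect NAME' and checks for 'evaluate NAME'. The timeout,
the hosts and the packets are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; ICMP would need type/code instead of ports
    src: str
    dst: str
    sport: int
    dport: int


Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class ReflexiveAcl:
    """Outbound packets create temporary entries; an inbound packet is permitted
    only if its 5-tuple is the exact reverse of a live entry."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self.entries: Dict[Key, float] = {}   # reflected 5-tuple -> expiry time

    def outbound(self, pkt: Packet, now: float) -> Key:
        # Reflect: swap source and destination so the entry matches the reply.
        key: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout
        return key

    def inbound(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False   # no session: falls through to the rest of the inbound ACL (here, implicit deny)
        self.entries[key] = now + self.timeout   # activity refreshes the idle timer
        return True

    def close(self, pkt: Packet) -> None:
        """Drop the entry when the TCP session ends (IOS does this on RST or after
        both FINs); the caller signals the close with the original outbound tuple."""
        self.entries.pop((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport), None)

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]


def run() -> dict:
    """Walk one web session and one DNS lookup through the reflexive ACL."""
    acl = ReflexiveAcl(timeout=300.0)
    web_out = Packet("tcp", "192.168.10.5", "198.51.100.7", 40000, 80)
    dns_out = Packet("udp", "192.168.10.5", "198.51.100.53", 53000, 53)
    web_reply = Packet("tcp", "198.51.100.7", "192.168.10.5", 80, 40000)
    dns_reply = Packet("udp", "198.51.100.53", "192.168.10.5", 53, 53000)
    acl.outbound(web_out, now=0.0)
    acl.outbound(dns_out, now=0.0)
    results = {
        "web_reply": acl.inbound(web_reply, now=1.0),   # True
        "dns_reply": acl.inbound(dns_reply, now=1.0),   # True: works for UDP too
        # same server, different destination port: not the reverse of any session
        "web_server_to_ssh": acl.inbound(Packet("tcp", "198.51.100.7", "192.168.10.5", 80, 22), now=1.0),
        # crafted ACK from a scanner: 'established' would pass it, the session table does not
        "ack_scan": acl.inbound(Packet("tcp", "203.0.113.9", "192.168.10.5", 31337, 22), now=1.0),
    }
    acl.close(web_out)                                                     # TCP session torn down
    results["web_reply_after_close"] = acl.inbound(web_reply, now=2.0)     # False
    results["dns_reply_still_open"] = acl.inbound(dns_reply, now=2.0)      # True, idle timer refreshed
    results["dns_reply_after_timeout"] = acl.inbound(dns_reply, now=400.0) # False: idle longer than 300 s
    return results


if __name__ == "__main__":
    for name, permitted in run().items():
        print(f"{name:>24}: {'permit' if permitted else 'deny'}")
```

The two behaviours worth noting in the output are the timeout and the close: a reflexive entry lives only as long as the session is active, so the inbound hole closes by itself, whereas an established entry is a permanent permit for anything with ACK set.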

Reflexive ACL (2)

Reflexive ACL (3)

Time Based ACL (1)

• Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.

• To implement time-based ACLs, you create a time range that defines specific times of the day and week.
– The time range is then referenced from an extended ACL entry with the time-range keyword; the router's clock must be correct (for example, synchronized with NTP) for the rule to take effect when intended.

Time Based ACL (2)

Time Based ACL (3)

Troubleshooting ACL (1)

Troubleshooting ACL (2)

Troubleshooting ACL (3)

Troubleshooting ACL (4)

Troubleshooting ACL (5)