Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP Access Control Lists Advances in Managing ACL Configuration

Page 1:

Any Questions?

Page 2:

Chapter 6 IP Access Control Lists

• Standard IP Access Control Lists

• Extended IP Access Control Lists

• Advances in Managing ACL Configuration

• Miscellaneous ACL Topics

Page 3:

Do I know this?

Go through the Quiz-

5 minutes

Pages 4-5:

1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?

a. Match the exact source IP address

b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses

c. Match all IP addresses in Barney's subnet with one access-list command without matching other IP addresses

d. Match only the packet's destination IP address

Answer: A & C (b fails because 10.1.1.1 to 10.1.1.4 is not an aligned power-of-two block, so no single wildcard mask covers exactly those four addresses; d fails because standard ACLs examine only the source address)

Pages 6-7:

2. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?

a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.0
f. 0.0.248.255

Answer: D (255.255.255.255 minus 255.255.255.0 is 0.0.0.255)

Pages 8-9:

3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?

a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.255
f. 0.0.248.255

Answer: E (255.255.255.255 minus 255.255.240.0 is 0.0.15.255)

Pages 10-11:

4. Which of the following fields cannot be compared based on an extended IP ACL?

a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers

Answer: E & F (extended ACLs match IP, TCP and UDP header fields only, not application-layer content such as a URL or a file name)

Pages 12-13:

5. Which of the following access-list commands permits traffic that matches packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5?

a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www

Answer: A & E (b uses 1951, which is not an extended ACL number, and b and c both use the ip keyword, which cannot match ports; d places eq www after the source address, so it would match the client's source port instead of the server's destination port)

Pages 14-15:

6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with 172.16.5?

a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any

Answer: E (the web servers are the source, so eq www must follow the source address; c reverses source and destination, and d restricts the destination to the server subnet instead of any client)

Pages 16-17:

7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?

a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.

Answer: E (named and numbered extended ACLs match the same fields; naming changes only how the list is configured and edited)

Pages 18-19:

8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?

a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list... command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.

Answer: A & C (the no access-list 101 ... global command removes the whole ACL, not a single line)

Pages 20-21:

9. What general guideline should you follow when placing extended IP ACLs?

a. Perform all filtering on output if at all possible.
b. Put more-general statements early in the ACL.
c. Filter packets as close to the source as possible.
d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance.

Answer: C

Page 22:

10. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router?

a. Named ACLs
b. Reflexive ACLs
c. Dynamic ACLs
d. Time-based ACLs

Answer: C (dynamic, also called lock-and-key, ACLs)

Page 23:

Any Questions?

Page 24:

ACL History

• Original support for numbered ACLs
  – We will learn this first

• Then support for named ACLs (IOS 11.2)
  – Also covered here

• Now support for sequence numbers in ACLs (IOS 12.3)
  – Much easier to manage

Pg 231

Page 25:

Access Control Lists

• Allow a router to drop packets based on certain criteria
  – You build a list with multiple lines
  – Each line is one of the rules to check

• Filter routing updates

• Match packets for
  – Priority
  – QoS
  – VPN

Pg 232

Page 26:

ACLs Questions

• Which packets to filter

• Where to filter them

Pg 232

Page 27:

Where to filter

Pg 233

Page 28:

Key ACL ideas

• Packets can be filtered as they enter an interface, before the routing decision.

• Packets can be filtered before they exit an interface, after the routing decision.

• Deny is the term used in Cisco IOS software to imply that the packet will be filtered.

• Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.

• The filtering logic is configured in the access list.

• At the end of every access list is an implied "deny all traffic" statement. Therefore, if a packet does not match any of your access list statements, it is blocked.

Pg 233

Page 29:

Any Questions?

Page 30:

ACL Logic

• Matching
  – Examine packets to match against ACL statements

• Action
  – Permit or deny

Pg 234

Page 31:

ACL Logic-KEY IDEA

1. The matching parameters of the access-list statement are compared to the packet.

2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.

3. If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.

4. If no match is made with an entry in the access list, the deny action is performed.

Pg 234

Page 32:

Wildcard Masks

• ACLs can match based on IP addresses
  – Standard ACLs only on the source address

• Wildcards let you specify a range of addresses in a single statement
  – For example, stop all hosts on a subnet

• Logic
  – A 0 bit in the mask says "this bit must match"
  – A 1 bit in the mask says "this bit doesn't matter"
  – Adding the wildcard mask to the address gives the last address in the matched range

Pg 235

Page 33:

Mask Examples

Pg 235

Wildcard Mask     Binary Version of the Mask                 Description

0.0.0.0           00000000.00000000.00000000.00000000        The entire IP address must match.

0.0.0.255         00000000.00000000.00000000.11111111        Just the first 24 bits must match.

0.0.255.255       00000000.00000000.11111111.11111111        Just the first 16 bits must match.

0.255.255.255     00000000.11111111.11111111.11111111        Just the first 8 bits must match.

255.255.255.255   11111111.11111111.11111111.11111111        Automatically considered to match any and all addresses.

0.0.15.255        00000000.00000000.00001111.11111111        Just the first 20 bits must match.

0.0.3.255         00000000.00000000.00000011.11111111        Just the first 22 bits must match.

Page 34:

Figure out Wildcard masks

• Use the subnet number as the address value in the access-list command.

• Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.

• Example: to match all hosts in subnet 172.16.8.0 255.255.252.0, use address 172.16.8.0 and wildcard 255.255.255.255 minus 255.255.252.0, which is 0.0.3.255

Pg 237

Page 35:

Any Questions?

Page 36:

ACL Command

• Step 1 Use the address in the access-list command as if it were a subnet number.

• Step 2 Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.

• Step 3 Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.– Access-list 1 permit 172.16.200.0 0.0.7.255

Pg 237-238
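The subtraction rule from the previous slide and the three-step range method above, as an added worked example in Python (not code from the chapter or this deck). The function names are my own; the inputs are the slides' values (172.16.8.0 255.255.252.0 and access-list 1 permit 172.16.200.0 0.0.7.255), plus a check of why quiz question 1, option b, cannot be done with one statement. The matching test is a pure bit comparison, so it also handles the non-contiguous wildcards IOS accepts.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (bitwise complement)."""
    return to_str(ALL_ONES ^ to_int(subnet_mask))


def acl_range(address: str, wildcard: str) -> tuple:
    """The slide's three steps: treat the address as a subnet number and the
    complement of the wildcard as a subnet mask, then return the inclusive
    (subnet number, broadcast address) range the ACL statement matches."""
    mask = ALL_ONES ^ to_int(wildcard)
    network = to_int(address) & mask
    broadcast = network | to_int(wildcard)
    return to_str(network), to_str(broadcast)


def acl_matches(packet_addr: str, address: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are don't-care."""
    keep = ALL_ONES ^ to_int(wildcard)
    return (to_int(packet_addr) & keep) == (to_int(address) & keep)


def contiguous_wildcard(first: str, last: str):
    """Return (address, wildcard) that matches exactly first..last with ONE
    statement, or None. A contiguous range needs a power-of-two size and a
    start aligned to that size, which 10.1.1.1-10.1.1.4 (quiz 1b) lacks."""
    lo, hi = to_int(first), to_int(last)
    count = hi - lo + 1
    if count <= 0 or count & (count - 1) or lo % count:
        return None
    return to_str(lo), to_str(count - 1)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))          # 0.0.3.255 (slide example)
    print(acl_range("172.16.200.0", "0.0.7.255"))       # 172.16.200.0 .. 172.16.207.255
    print(acl_matches("10.1.135.7", "10.1.128.0", "0.0.15.255"))  # True
    print(contiguous_wildcard("10.1.1.1", "10.1.1.4"))  # None
```

Run it as a script to see the slide's two examples worked; the same functions answer quiz questions 2 and 3 (wildcard_from_mask on 255.255.255.0 and 255.255.240.0).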

Page 37:

Standard ACL configuration

• Memorize the syntax (it is not easy):
  access-list access-list-number {deny | permit} source [source-wildcard]

• Think about which is the source machine!

• Don't forget the implicit deny all at the end (the default)

Pg 238

Page 38:

ACL Logic

Step 1 Plan the location (router and interface) and direction (in or out) on that interface:
a. Standard ACLs should be placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded.
b. Because standard ACLs can only match a packet's source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.

Step 2 Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.

Step 3 Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.

Pg 239

Page 39:

ACL Example

interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is Bob
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255

• Create the access list by adding statements

• Apply the access list to an interface, in or out

Pg 240

Page 40:

Example

Pg 242

Yosemite configuration

interface serial 0
 ip access-group 3 out
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any

Seville configuration

interface serial 1
 ip access-group 4 out
!
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any

Page 41:

Any Questions?

Page 42:

Extended ACL concepts

Pg 244

Page 43:

Extended IP ACLS

• Can match on more fields

Pg 245

Type of Access List               What Can Be Matched

Both standard and extended ACLs   Source IP address
                                  Portions of the source IP address using a wildcard mask

Only extended ACLs                Destination IP address
                                  Portions of the destination IP address using a wildcard mask
                                  Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
                                  Source port
                                  Destination port
                                  All TCP flows except the first (the established keyword)
                                  IP TOS
                                  IP precedence

Page 44:

Examples

Pg 246

Page 45:

ACLs and Port numbers

• The access-list command must use the protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow matching port numbers.

• The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines whether the parameter examines the source or the destination port.

• Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.

• It is useful to memorize the most popular TCP and UDP applications and their well-known ports, as listed in Table 6-5 later in this chapter.

Pg 246

Page 46:

ACLs in Use

• Connecting to a server
  – Think about addressing and traffic flow

access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

  – Notice the location of eq: after the destination, because the client sends to the server's well-known port

Pg 247

Page 47:

ACL in use

• Connection from the server

access-list 101 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255

  – Notice the location of eq: after the source, because the server sends from its well-known port

Pg 248

Page 48:

Extended ACL commands

Pg 249

Command                                                                 Configuration Mode and Description

access-list access-list-number {deny | permit} protocol source          Global command for extended numbered access lists.
source-wildcard destination destination-wildcard [log | log-input]     Use a number between 100 and 199 or 2000 and 2699, inclusive.

access-list access-list-number {deny | permit} {tcp | udp} source       A version of the access-list command with TCP- and
source-wildcard [operator [port]] destination destination-wildcard     UDP-specific parameters.
[operator [port]] [established] [log]

Page 49:

Extended ACL hints

• Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because an extended ACL can be written precisely enough that it does not discard packets that should not be discarded. Filtering close to the source then saves bandwidth along the rest of the path.

• All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.

• The extended access-list command uses numbers between 100–199 and 2000–2699, with no number being inherently better than another.

Pg 249

Page 50:

Extended ACL Operators

Pg 250

Operator in the access-list Command

Meaning

eq      Equal to

neq     Not equal to

lt      Less than

gt      Greater than

range   Range of port numbers (two ports, inclusive)

Page 51:

Extended ACL example

Pg 250

interface Serial0
 ip address 172.16.12.1 255.255.255.0
 ip access-group 101 in
!
interface Serial1
 ip address 172.16.13.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any
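As an added example (not code from the chapter or this deck), the following Python models the first-match, implicit-deny logic from the ACL Logic slide and the positional port rule from the port-number slide, then evaluates the ACL 101 above against a few constructed packets. The parser covers only the syntax these slides use (standard lists, and extended lists with the ip, tcp and udp keywords, host/any/wildcard addresses and the eq operator); the Entry class, the packet dictionaries, the client port numbers and the port-name table are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF
WELL_KNOWN = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # subset


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"; standard ACLs act as "ip"
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    sport: Optional[int] = None  # set only when "eq" follows the SOURCE address
    dport: Optional[int] = None  # set only when "eq" follows the DESTINATION address


def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ip(tokens.pop(0)), 0
    if tok == "any":
        return 0, ALL_ONES
    return ip(tok), ip(tokens.pop(0))


def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq PORT'; the other operators are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return WELL_KNOWN.get(name) or int(name)
    return None


def parse(line: str) -> Optional[Entry]:
    """Parse one 'access-list N {permit|deny} ...' command; a remark gives None."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] == "remark":
        return None
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:   # standard list: source only
        src_wc = ip(rest[1]) if len(rest) > 1 else 0
        return Entry(action, "ip", ip(rest[0]), src_wc, 0, ALL_ONES)
    proto = rest.pop(0)
    src, src_wc = _addr(rest)
    sport = _port(rest)          # positional: an "eq" here is the source port
    dst, dst_wc = _addr(rest)
    dport = _port(rest)          # positional: an "eq" here is the destination port
    if proto == "ip" and (sport is not None or dport is not None):
        raise ValueError("port matching needs the tcp or udp keyword, not ip")
    return Entry(action, proto, src, src_wc, dst, dst_wc, sport, dport)


def _wc_match(packet_addr: int, base: int, wildcard: int) -> bool:
    keep = ALL_ONES ^ wildcard   # wildcard 0 bits must match, 1 bits are ignored
    return packet_addr & keep == base & keep


def evaluate(acl: list, packet: dict) -> str:
    """First match wins; no match falls through to the implicit 'deny all'."""
    for e in acl:
        if e.proto != "ip" and e.proto != packet["proto"]:
            continue
        if not _wc_match(ip(packet["src"]), e.src, e.src_wc):
            continue
        if not _wc_match(ip(packet["dst"]), e.dst, e.dst_wc):
            continue
        if e.sport is not None and e.sport != packet.get("sport"):
            continue
        if e.dport is not None and e.dport != packet.get("dport"):
            continue
        return e.action
    return "deny"


# The slide's ACL 101: Bob = 172.16.3.10, Larry = 172.16.2.10, Server1 = 172.16.1.100.
ACL_101 = [e for e in map(parse, [
    "access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web",
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 101 permit ip any any",
]) if e is not None]

# Constructed packets (not from the chapter); the client ports are arbitrary.
BOB_FTP = {"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.7", "sport": 40001, "dport": 21}
LARRY_WEB = {"proto": "tcp", "src": "172.16.2.10", "dst": "172.16.1.100", "sport": 40002, "dport": 80}
LARRY_FTP = {"proto": "tcp", "src": "172.16.2.10", "dst": "172.16.1.100", "sport": 40003, "dport": 21}

if __name__ == "__main__":
    for name, pkt in (("Bob->FTP", BOB_FTP), ("Larry->web", LARRY_WEB), ("Larry->FTP", LARRY_FTP)):
        print(name, evaluate(ACL_101, pkt))
    # Without the final "permit ip any any", the same Larry FTP packet hits the implicit deny.
    print("Larry->FTP, no permit-any:", evaluate(ACL_101[:2], LARRY_FTP))
```

Two things worth trying with it: feed it the wrong-direction commands from quiz question 5 (option c raises, because ip cannot carry a port; option d parses but sets the source port, so a client packet to port 80 never matches), and drop the last permit to see every unmatched packet land on the implicit deny.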

Page 52:

Any Questions?

Page 53:

Advanced ACL management

• Named ACLs and ACL sequence numbers
  – No new filtering features
  – Management simplified

Pg 253

Page 54:

Named ACLs

• New in IOS 11.2

• Use names instead of numbers
  – Easier for us to remember

• Allow deletion of a single line if there is a mistake
  – With traditional numbered ACL configuration, you have to start over

• Single-line deletion is also possible on numbered ACLs since IOS 12.3

Pg 253

Page 55:

Configuration Changes

• The global command enters a sub-command mode:
  Router(config)#ip access-list extended barney
  Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any

• When a match statement is deleted, only that line is deleted

Pg 254

Page 56:

Configuration

Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! The next statement is purposefully wrong so that the process of changing
! the list can be seen.
Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#interface serial1
Router(config-if)#ip access-group barney out
Router(config-if)#^Z
Router#show running-config
Building configuration...

Pg 254

Page 57:

Named ACL in Running config

interface serial 1
 ip access-group barney out
!
ip access-list extended barney
 permit tcp host 10.1.1.2 eq www any
 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
 deny ip host 10.1.1.130 host 10.1.3.2
 deny ip host 10.1.1.28 host 10.1.3.2
 permit ip any any
Router#conf t

Pg 254

Page 58:

Removing a statement

Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#^Z
Router#show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 deny ip host 10.1.1.130 host 10.1.3.2
    60 deny ip host 10.1.1.28 host 10.1.3.2
    70 permit ip any any

Pg 254

Page 59:

ACLs and Sequence Numbers

• An individual ACL permit or deny statement can be deleted just by referencing the sequence number, without deleting the rest of the ACL.

• Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL.

• Newly added permit and deny commands can be configured without a sequence number, with IOS creating a sequence number and placing the command at the end of the ACL.

Pg 256

Page 60:

ACL Sequence Number example

! Step 1: The 3-line Standard Numbered IP ACL is configured.
R1#configure terminal
Enter configuration commands, one per line. End with Ctrl-Z.
R1(config)#ip access-list standard 24
R1(config-std-nacl)#permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#permit 10.1.2.0 0.0.0.255
R1(config-std-nacl)#permit 10.1.3.0 0.0.0.255

! Step 2: Displaying the ACL's contents, without leaving configuration mode.
R1(config-std-nacl)#do show ip access-list 24
Standard IP access list 24
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.1.2.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255

Pg 257

Page 61:

Sequenced ACL management

! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted.
R1(config-std-nacl)#no 20

! Step 4: Displaying the ACL's contents again, without leaving configuration mode.
! Note that line number 20 is no longer listed.
R1(config-std-nacl)#do show ip access-list 24
Standard IP access list 24
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255

! Step 5: Inserting a new first line in the ACL.
R1(config-std-nacl)#5 deny 10.1.1.1

! Step 6: Displaying the ACL's contents one last time, with the new statement
! (sequence number 5) listed first.
R1(config-std-nacl)#do show ip access-list 24
Standard IP access list 24
    5 deny 10.1.1.1
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    30 permit 10.1.3.0, wildcard bits 0.0.0.255

Pg 257

Page 62:

Misc ACL Topics

• Control Telnet and SSH with an ACL
  – Assign the ACL to the vty lines with access-class

line vty 0 4

login

password cisco

access-class 3 in

!

! Next command is a global command

access-list 3 permit 10.1.1.0 0.0.0.255

Pg 259

Page 63:

ACL considerations

• Create your ACLs using a text editor outside the router, and copy and paste the configuration into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.)

• Place extended ACLs as close as possible to the source of the packets, to discard the packets quickly.

• Place standard ACLs as close as possible to the packet's destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.

• Place more-specific statements early in the ACL.

• Disable an ACL on its interface (using the no ip access-group command) before making changes to the ACL. While a numbered ACL is deleted and re-entered, an interface still referencing it filters with either no list at all, which passes every packet, or a partially rebuilt list that ends in the implicit deny.

Pg 260

Page 64:

Any Questions?

Page 65:

Reflexive ACLS

• Allow an ACL to add temporary entries when a session is started from the inside, so that only the return traffic of that session is permitted back in

Pg 263

Page 66:

Dynamic ACLS

• Force authentication and then dynamically change the ACL

• Step 1 The user connects to the router using Telnet.

• Step 2 The user supplies a username/password, which the router compares to a list, authenticating the user.

• Step 3 After authentication, the router dynamically adds an entry to the beginning of the ACL, permitting traffic sourced by the authenticated host.

• Step 4 Packets sent by the permitted host go through the router to the server.

Pg 264

Page 67:

Time Based

• ACL entries take effect only during a configured time range (for example, certain hours of the day)

Pg 264

Page 68:

Any Questions?