
CETTM MTNL

    MANAGING TRAFFIC WITH ACCESS LISTS

    MODULE ID: ICCNACL002


    What is an ACL?

An ACL is a sequential list of permit or deny statements that apply to addresses, upper-layer protocols or port numbers. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.


What is an ACL? (continued)

    Some ACL decision points are:

    IP source address
    IP destination address
    Protocol carried in the IP packet (TCP, UDP, ICMP and others)
    Upper-layer (TCP/UDP) port numbers


Applications of ACLs

    Packet filtering
    Controlling vty access to the router
    Defining interesting traffic for DDR (Dial-on-Demand Routing)
    Classifying and differentiating traffic for implementing QoS
    Controlling routing updates


    Rules

Important rules that a packet follows when it is compared with an access list:

    It is always compared with each line of the access list in sequential order (top to bottom).
    It is compared with the lines of the access list only until a match is made, i.e. processing stops at the first match; later lines are never consulted for that packet.
    There is an implicit deny at the end of each access list. This means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded, i.e. the default policy is to deny.


    Types

There are two main types of access lists:

    Standard access lists
    Extended access lists

    Named access lists are not a third type: a named list is a standard or an extended list that is referred to by name instead of by number.


    Types

Standard access lists: These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists permit or deny an entire suite of protocols; they don't distinguish between the many types of IP traffic such as WWW, Telnet, UDP, etc.

    Numbering: 1-99 and 1300-1999


    Types

Extended access lists: Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port numbers in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

    Numbering: 100-199 and 2000-2699


Types

    Named access lists: They are either standard or extended and not actually a new type. They are created and referred to differently than numbered standard and extended access lists, but they are functionally the same. Naming is alphanumeric.


    Note

To use an access list as a packet filter, apply it to an interface on the router where the traffic is to be filtered, and specify which direction of traffic (inbound or outbound) the access list applies to. Different access lists can be used for inbound and outbound traffic on a single interface.


    Classification based on direction

Inbound access lists: When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed, because they're discarded before the routing process is invoked.

    Outbound access lists: When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.


    Steps in ACL processing

Queuing of incoming packets in the incoming interface's input buffer.

    Checking the packet against the inbound access list applied to the incoming interface.

    Routing table lookup to find the next hop; if a route is found the packet is sent to the exit interface, otherwise it is dropped.

    Checking the post-routed packet against the outbound access list applied to the exit interface.

    Queuing of outgoing packets in the exit interface's output buffer.


    Guideline 01

ACLs can be created for various network protocols: IP, IPX or AppleTalk.

    Note that there can be only one access list per interface, per direction, per protocol. This means that when creating IP access lists, you can have only one inbound access list and one outbound access list per interface.


    Guideline 02

More specific tests (i.e. more restrictive entries) go at the top of the ACL. Because processing stops at the first match, a broad entry placed above a narrower one hides it: the narrower entry is never reached and its match counter never increments.


    Guideline 03

Any time a new entry is added to a numbered access list from the command line, it is placed at the bottom of the list. (IOS releases that support ACL sequence numbers, 12.3 and later, can insert an entry at a chosen position; see Named ACLs.)

    Using a text editor for access lists is highly suggested, i.e. copy the running-config to a TFTP server, make the changes and copy it back.


    Guideline 04

A numbered ACL cannot be edited in place on the router. You cannot remove one line from a numbered access list: the no form of any single access-list statement removes the entire list.

    To edit a numbered ACL in the CLI: copy it to a text file; remove it from the router configuration with the no form of the access-list statement; make the necessary changes to the text file; paste it back in global configuration mode. Be aware that while the list is absent, an interface that still references it filters nothing (see Guideline 06), so do the edit during a maintenance window or remove the ip access-group from the interface first.


    Guideline 05

Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests.

    Every list should have at least one permit statement, or it will deny all traffic.


    Guideline 06

Create access lists and then apply them to an interface. An ip access-group that references an access list which does not exist will not filter traffic: the interface passes everything until the list is created. This is why a list should be built completely before it is applied, and why deleting a list while it is still applied silently opens the interface.


    Guideline 07

Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router itself, e.g. routing updates, ping or telnet traffic sourced by the router. Traffic addressed to the router (for example a telnet session to one of its interface addresses) is still subject to the inbound ACL on the interface it arrives on.


    Guideline 08

Standard ACLs should be placed close to the destination, as they filter only on source IP address: placed near the source, they would cut that source off from every destination, not only the one you mean to protect.

    Extended ACLs should be placed close to the source: detailed filtering allows unwanted packets to be binned as early as possible, before they consume bandwidth and router resources along the path.


    Wildcard Masks

Wildcard masks are 32 bits long and are paired with an IP address. Wildcard masks are used with ACLs to filter groups of IP addresses.

    0 = Match (the corresponding address bit must match)
    1 = Don't care (the corresponding address bit is ignored)

    access-list 10 permit 172.16.0.0 0.0.255.255

    This statement will permit traffic with source IP 172.16.[anything].[anything]


    Wildcard Masks

access-list 10 permit 172.16.16.0 0.0.15.255

    If M = Match and D = Don't care, WM = MMMMMMMMMMMMMMMMMMMMDDDDDDDDDDDD (20 match bits, 12 don't-care bits)

    This statement will permit traffic from the range 172.16.16.0 to 172.16.31.255.

    Two keywords used in ACLs:
    any means an IP address of 0.0.0.0 with wildcard mask 255.255.255.255.
    host matches an address exactly, i.e. wildcard mask 0.0.0.0.
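The following is an added example, not part of the module, showing how the wildcard masks above are derived and two cases the slide does not cover: a block that does not start on a multiple of its size, and a non-contiguous mask. The addresses and list numbers are chosen for illustration only.

```cisco
! Wildcard mask = 255.255.255.255 minus the subnet mask.
! /20 is 255.255.240.0, so the wildcard is 0.0.15.255: the third octet
! may vary within a block of 16, giving 172.16.16.0 through 172.16.31.255.
access-list 10 permit 172.16.16.0 0.0.15.255
!
! The same range written as two /21 blocks (block size 8). The same
! packets match; the router just has one more line to test.
access-list 11 permit 172.16.16.0 0.0.7.255
access-list 11 permit 172.16.24.0 0.0.7.255
!
! A block must start on a multiple of its size. 172.16.20.0 0.0.15.255
! does not mean "20 through 35": IOS clears the don't-care bits of the
! address when it stores the entry, so the running-config shows it as
! 172.16.16.0 0.0.15.255, i.e. 16 through 31.
access-list 12 permit 172.16.20.0 0.0.15.255
!
! Wildcard bits need not be contiguous. 0.0.0.254 tests only the lowest
! bit of the last octet, so this entry matches every odd host address
! in 172.16.0.0/24 (.1, .3, ... .255) and none of the even ones.
access-list 13 permit 172.16.0.1 0.0.0.254
!
! host and any are shorthand for the two extreme masks:
access-list 14 permit host 172.16.1.10
!   same as: access-list 14 permit 172.16.1.10 0.0.0.0
access-list 14 permit any
!   same as: access-list 14 permit 0.0.0.0 255.255.255.255
```

When auditing an ACL, read the wildcard as "the address may vary in these bits" rather than as a subnet mask; a mask such as 0.0.255.0 matches far more than a typo in the third octet would suggest.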


    Standard ACLs

    Creating :

    Applying :


    Extended ACLs

    Creating :

    Applying :


    Example 01

    Block access from sales to finance
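Example 01 worked through in IOS configuration, as an added example that is not part of the module. It also serves the Standard ACLs slide (creating and applying), the Rules slide (first match, implicit deny), Guideline 02 (specific entries first) and Guideline 08 (placement). The addressing is assumed: sales is 172.16.40.0/24 behind FastEthernet0/0 and finance is 172.16.50.0/24 behind FastEthernet0/1; neither the addresses nor the interface names come from the module.

```cisco
! Assumed topology (not from the module):
!   sales   = 172.16.40.0/24 behind FastEthernet0/0
!   finance = 172.16.50.0/24 behind FastEthernet0/1
!
! Create. Entries are tested top to bottom and the first match wins,
! so the specific deny comes first. A "permit 172.16.0.0 0.0.255.255"
! placed above it would shadow it and the deny would never be reached
! (Guideline 02).
access-list 10 remark Block sales from finance (standard ACL: source only)
access-list 10 deny   172.16.40.0 0.0.0.255
access-list 10 permit any
! Without the "permit any", the implicit deny at the end of the list
! would drop every other source as well (Guideline 05).
!
! Apply. A standard ACL cannot name a destination, so it goes as close
! to the destination as possible (Guideline 08): outbound on the finance
! interface, where "deny sales" means exactly "deny sales into finance".
interface FastEthernet0/1
 ip access-group 10 out
!
! Applied inbound on FastEthernet0/0 instead, the same list would cut
! sales off from every network behind this router, not just finance.
```

Note that the list is built completely before the ip access-group is entered; an access-group that points at a list which does not exist yet filters nothing (Guideline 06).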


    Example 02

    Block Accounting access to HR Server


    Example 03

    Block ftp and telnet access from sales to finance
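Example 03 worked through in IOS configuration, as an added example that is not part of the module; it also serves the Extended ACLs slide (creating and applying). The same assumed topology as above is used: sales is 172.16.40.0/24 behind FastEthernet0/0 and finance is 172.16.50.0/24 behind FastEthernet0/1 (addresses and interface names are assumptions, not from the module).

```cisco
! Assumed topology (not from the module):
!   sales   = 172.16.40.0/24 behind FastEthernet0/0
!   finance = 172.16.50.0/24 behind FastEthernet0/1
!
! Create. An extended ACL tests protocol, source, destination and port,
! so only Telnet (tcp/23) and the FTP control channel (tcp/21) from
! sales to finance are denied; all other traffic is still permitted.
access-list 110 remark Block telnet and ftp from sales to finance
access-list 110 deny   tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq telnet log
access-list 110 deny   tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq ftp log
access-list 110 permit ip any any
! "log" produces a rate-limited syslog message per matched packet, so
! blocked attempts are visible, not just counted in "show access-lists".
! The final "permit ip any any" is what keeps the rest of sales' traffic
! flowing; without it the implicit deny would block everything.
!
! Apply. The list names the destination itself, so it can sit as close
! to the source as possible (Guideline 08): inbound on the sales
! interface. Denied packets are dropped before the routing lookup, so
! the router does no forwarding work for them (Steps in ACL processing).
interface FastEthernet0/0
 ip access-group 110 in
```

Denying the FTP control channel on tcp/21 is sufficient: no data channel is ever negotiated for a session that cannot be opened, so no entry for tcp/20 or for passive-mode high ports is needed in this direction.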


    IP standard access list example 3


A router has four LAN connections and one WAN connection to the Internet. Write an access list that stops access from each of the four LANs to the Internet. Each LAN is shown with a single host's IP address; from that you need to determine the subnet and use wildcards to configure the access list. The exercise is to practise how to use block sizes with access lists.

    Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
    Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
    Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
    Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
    Router(config)#access-list 1 permit any
    Router(config)#interface serial 0
    Router(config-if)#ip access-group 1 out

    The wildcards correspond to these block sizes in the third octet:
    0.0.31.255 is block size 32, i.e. 172.16.128.0 to 172.16.159.255 (/19)
    0.0.15.255 is block size 16, i.e. 172.16.48.0 to 172.16.63.255 (/20)
    0.0.63.255 is block size 64, i.e. 172.16.192.0 to 172.16.255.255 (/18)
    0.0.7.255 is block size 8, i.e. 172.16.88.0 to 172.16.95.255 (/21)


    Named ACLs

Advantages:

    Intuitively identify ACLs using names (not just numbers)
    No limit on the number of named ACLs
    Modification of a named ACL without deleting and reconfiguring it: individual statements can be deleted without losing the whole list
    In the original named-ACL syntax it is still only possible to add statements to the end of a list. IOS 12.3 and later give every entry a sequence number, so a new statement can be inserted at any position by giving it a lower number, and a single entry can be removed by its number.
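An added example, not part of the module, of creating, editing and applying a named extended ACL on an IOS release with ACL sequence numbers (12.3 or later). The list name SALES-IN, the addresses and the interface name are assumptions. It also illustrates the contrast with Guidelines 03 and 04 for numbered lists.

```cisco
! Named extended ACL. Each entry receives a sequence number, by default
! 10, 20, 30 in order of entry (remarks are not numbered).
ip access-list extended SALES-IN
 remark Block telnet and ftp from sales to finance
 deny   tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq telnet
 deny   tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq ftp
 permit ip any any
!
! Insert a more specific exception ahead of the denies by choosing a
! lower sequence number. With a numbered list this line would land at
! the bottom, after "permit ip any any", and never match (Guideline 03).
ip access-list extended SALES-IN
 5 permit tcp host 172.16.40.7 172.16.50.0 0.0.0.255 eq telnet
!
! Remove one entry by its sequence number; the rest of the list stays
! in place and stays applied. The no form of a numbered access-list
! statement would remove the whole list instead (Guideline 04).
ip access-list extended SALES-IN
 no 20
!
! Renumber in steps of 10 from 10 so there is room for later inserts.
ip access-list resequence SALES-IN 10 10
!
! Apply exactly as a numbered list is applied.
interface FastEthernet0/0
 ip access-group SALES-IN in
!
! On these releases a numbered list can also be opened in the same
! sub-mode ("ip access-list standard 10") and edited by sequence number.
```

After "no 20" the FTP deny is gone and only Telnet is still blocked for sales; "show access-lists SALES-IN" shows the renumbered entries with their match counters.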


    Restricting Virtual Terminal Access

On the IOS releases this module was written for, only a numbered ACL can be applied to the virtual terminal lines (with access-class under line vty); newer releases also accept a named standard ACL. The list tests the source address of the incoming session, so it limits which stations may open a vty session no matter which interface the connection arrives on, and it covers all the vty lines it is applied to at once.
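An added example, not part of the module, restricting vty access to a management subnet. The subnet 172.16.10.0/24 and the list number are assumptions.

```cisco
! Standard ACL listing the only stations allowed to open vty sessions.
! A standard list is the right type here: the router itself is the
! destination, so only the source matters.
access-list 5 remark Management stations allowed to reach the vty lines
access-list 5 permit 172.16.10.0 0.0.0.255
access-list 5 deny   any log
! "deny any log" makes the implicit deny explicit and logs each refused
! connection attempt; without it, refused logins leave no trace.
!
! access-class binds the list to the terminal lines rather than to an
! interface, so it applies whichever interface the session arrives on.
line vty 0 4
 access-class 5 in
 transport input ssh
 exec-timeout 10 0
! "transport input ssh" refuses Telnet on these lines, so the ACL only
! has to police who may reach SSH.
```

Apply the access-class to every vty line the platform has (some platforms have more than 0 to 4); a line left without it is reachable from anywhere.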


    Verifying ACLs

To find the placement and direction of an ACL, look at the interface (show ip interface); to see the entries of a list and how often each has matched, look at the list itself (show access-lists).
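An added example, not part of the module, of the verification commands a practitioner runs after applying a list. The interface name and list number are assumptions.

```cisco
! All ACLs with their entries and per-entry match counters. A counter
! that never moves on a deny line usually means a broader entry above
! it is matching first (Guideline 02).
show access-lists
show ip access-lists 110
!
! Which list is applied to an interface, and in which direction. The
! output contains lines of the form "Inbound  access list is 110" and
! "Outgoing access list is not set".
show ip interface FastEthernet0/0
show ip interface FastEthernet0/0 | include access list
!
! Every place a list is referenced: interfaces and the vty lines.
show running-config | include access-group
show running-config | include access-class
!
! Zero the counters before a test so that the next matches are
! unambiguous.
clear access-list counters 110
```

A list that "show access-lists" displays but that no access-group or access-class references is not filtering anything; conversely, an access-group that names a list absent from "show access-lists" lets all traffic through (Guideline 06).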


    Note: More than one interface can use the same access-list.

