- ACLs on Cisco.com
- Configuring Commonly Used IP ACLs @ cisco.com
ACL – Access Control List
ACLs are a Layer 3 / 4 defense mechanism. ACLs are applied on routers and other Layer 3 devices.
Definitions:
inbound ['ɪnbaund] - going inward, incoming (прибывающий)By default, a router does not have any ACLs configured and therefore does not filter traffic.
outbound ['autbaund] - outward bound; headed away (отправляемый)
At the end of every access list is an implied "deny all" traffic criteria statement.
Therefore, if a packet does not match any of the ACL entries, it is automatically blocked.
The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.
ACLs are applied:
1. Per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0
2. Per direction - Two separate ACLs must be created to control inbound and outbound traffic.
3. Per routed protocol - an ACL must be defined for each protocol enabled on the interface
Two general types of ACLs:
1. Standard (San Diego) [1-99, 1300, 1999]- allow you to permit or deny traffic ONLY from source IP addresses (no destination or port based filtering)
2. Extended (España) [100-199, 2000-2699] - allow you to filter traffic based on protocol, source, destination, and port.
Two implementation methods:
1. Numbered (cannot delete without deleting all ACLs)
2. Named (can delete individual ACLs)
Note: When writing ACLs they are written top down, therefore adding ACLs later result in new ACLs being applied to the bottom of the list.
Applying ACLs based on type:
1. Standard ACLs should be applied as close to the destination as possible (San Diego)
2. Extended ACLs should be applied as close to the source as possible (España)
ACL Identification
1-99 Standart IP (source only)ACL Configuration
100-199 Extended IP (source, destination, port, protocol)
1300-1999 Standart IP (source only) expanded range
2000-26999 Extended IP (source, destination, port, protocol) expanded range
600-999 Appletalk, Ethernet address, IPX
Standard
access-list [access-list-number] [deny|permit|remark] [source-ip-address] [wildcard mask (optional)] [log (optional)]The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.
ex: R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
The log keyword - (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at:
- Wildcard mask bit 0 - Match (permit) the corresponding bit value in the address
- Wildcard mask bit 1 - Ignore the corresponding bit value in the address
ex: wildcard mask 0.0.0.0 (host) - match any
R1(config)#access-list 1 permit 192.168.10.10 0.0.0.0
=
R1(config)#access-list 1 permit host 192.168.10.10
wildcard mask 255.255.255.255 (any) - every bit in the IP must match exactly
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
=
R1(config)#access-list 1 permit any
Calculating wildcard masks can be difficult, but you can do it easily by subtracting the subnet mask from 255.255.255.255.
wildcard mask 0.0.0.7 :
The last 3 bits of a given IP address will be ignored.
The first 29 bits of a given IP address will be checked. |
Extended
access-list [access-list-number] [deny|permit] [protocol: ip, tcp, udp, icmp,…] [source-ip-address] [wildcard mask] [destination-ip-address] [wildcard mask] [eq, neq, gt, lt (optional)] [port] [established - tcp only]After you have created the actual access list you need to apply it to an interface by direction.
Establised - It will permit any TCP traffic that originated from network 172.22.10.0/24 to return inbound on the S0/0/0 interface (Internet).
Example:
int s0/0Apply ACL:
ip access-group Students out
[pro] access-group [name/num of ACL] [in|out]
- on interface : ip access-group [ACL number|name] [in|out]
- on vty: access-class [ACL number|name] [in|out]
Special Words and Situations
• any = 0.0.0.0 255.255.255.255
• host = [host IP address] 0.0.0.0
• implicit deny any or deny any any on the end of all ACLs
• access-list [access-list-number] remark [remark]
• ip access-list [standard | extended] [name of ACL]
• logical port comparisons can be {eq, neq, gt, lt}
Optional L4 Source/Destination port [eq|lt|gt|neq] number where:
eq is equal to the port number.
lt is less than the port number.
gt is greater the port number.
neq is not equal to the port number.
number is the destination port number.
Enter a number from 1 to 65535.
Enter a number from 1 to 65535.
ICMP recomendations
Allow ICMP types on Inbound
Type 0 — Echo Reply - Allows users to ping external hosts.
Type 3 Unreachable (have multiple codes) - Unreachable messages are generated for packets that are administratively denied by an ACL.
Type 4 — Source Quench (Deprecated) - Requests the sender to decrease the traffic rate of messages.
Allow ICMP types on OutAs a rule, block all other ICMP message types outbound.
Type 8 — Echo (Echo request) - Allows users to ping external hosts.
Type 12 — Parameter problem - Informs the host of packet header problems.
Type 3 (destination unreachable), code 4 (fragmentation needed but don't-fragment bit set) Packet too big - Required for packet maximum transmission unit (MTU) discovery.
Type 4 — Source quench - Throttles down traffic when necessary.
Named ACL:
R1(config)# ip acces-list [standard|extended] nameDynamic ACLs
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
• Use of a challenge mechanism to authenticate individual users.
• Simplified management in large internetworks.
• In many cases, reduction of the amount of router processing that is required for ACLs.
• Reduction of the opportunity for network break-ins by network hackers.
• Creation of dynamic user access through a firewall, without compromising other configured security restrictions.
Reflexive ACLs
Permit session start only from inside (blocking from outside)
• Can only be used in named IP ACLs.
• Better than using the established command
• Work with UDP and ICMP also (established does not)
Config: any reflect TCPTRAFFIC
evaluate TCPTRAFFIC
Time Based ACLs
Time based ACLs are out of the scope of this course but they do exist. You can specify the time of day a specific network has access to resources.
show access-list vs show ip access-list
Can anyone tell me if there is a difference between show access-lists vs show ip access-lists? I tried running both commands in PacketTracer and they gave both the same results.
- There may be more than just IPv4 access-lists on the router. If so, the command show access-lists would show them all, including IPX or other types that may exist.
- To see the IPv6 ACLs, we would use "show ipv6 access-list"
R1#show access-list
MPLS access list 2700
10 permit any 399 any any
IPX sap access list 1000
permit FFFFFFFF 0
Extended IP access list 100
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
IPv6 access list MY-IPV6-List
permit ipv6 2001:12::/64 any sequence 10
R1#show ip access-list
Extended IP access list 100
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
R1#show ipv6 access-list
IPv6 access list MY-IPV6-List
permit ipv6 2001:12::/64 any sequence 10
R1#show ipx access-list
IPX sap access list 1000
permit FFFFFFFF 0
No comments :
Post a Comment