
Chapter 10

Chapter 10. Managing Traffic with Access Lists. Objectives. Configure IP standard access lists Configure IP extended access lists Configure Named access lists Monitor & verify access lists. Access Control Lists.

hayden

Presentation Transcript


  1. Chapter 10 Managing Traffic with Access Lists

  2. Objectives
  • Configure IP standard access lists
  • Configure IP extended access lists
  • Configure named access lists
  • Monitor & verify access lists

  3. Access Control Lists ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Any traffic going through the interface is tested against certain conditions that are part of the ACL.

  4. Access Lists
  • Purpose:
    • Used to permit or deny packets moving through the router
    • Permit or deny Telnet (VTY) access to or from a router
    • Other security tools lack the flexibility of basic traffic filtering
    • Create dial-on-demand routing (DDR) "interesting traffic" that triggers dialing to a remote location

  5. Reasons to Create ACLs
  • Limit network traffic and increase network performance.
  • Provide traffic flow control.
  • Provide a basic level of security for network access.
  • Decide which types of traffic are forwarded or blocked at the router interfaces.
  • (Caution: adding complex access lists to an interface can increase latency.)

  6. Important Rules to Remember
  • Packets are compared to each line of the access list in sequential order
  • Packets are compared with lines of the access list only until a match is made
  • Once a match is made & acted upon, no further comparisons take place
  • An implicit "deny" is at the end of each access list
  • If no matches have been made, the packet will be discarded

  7. Important Rules to Remember
  • If you create a condition statement that permits all traffic, no statements added later will ever be checked.
  • If you need additional statements in a standard or extended ACL, you must delete the ACL and re-create it with the new condition statements.
  • This is why it's a good idea to edit a router's configuration on a PC using a text editor and then TFTP the configuration to the router (or use Notepad and cut and paste).

  8. Packet and Upper Layer Headers
  • You can create an ACL for each protocol you want to filter for each router interface.
  • There can be only one access list per protocol per interface.
  • Cisco IOS ACLs check the packet and upper-layer headers.

  9. What are Access Lists?

  10. Types of Access Lists
  • Standard Access List
    • Filter by source IP address only
  • Extended Access List
    • Filter by:
      • Source IP
      • Destination IP
      • Layer 3 sub-protocols (ICMP, IGMP, etc.)
      • Layer 4 (TCP, UDP)
      • Port number (application layer)

  11. Application of Access Lists
  • Inbound Access Lists
    • Packets are processed before being routed to the outbound interface
  • Outbound Access Lists
    • Packets are routed to the outbound interface & then processed through the access list

  12. The Man in the Router
  Out = Packets leaving the router's interface(s) and going to the network.
  In = Packets arriving at the router's interface(s) from the network.

  13. ACL Guidelines
  • One access list per interface, per protocol, per direction
  • More specific tests at the top of the ACL
  • New tests are placed at the bottom of the ACL
  • Individual lines cannot be removed
  • End ACLs with a permit any command
  • Create ACLs & then apply them to an interface
  • ACLs do not filter traffic originated from the router
  • Put standard ACLs close to the destination
  • Put extended ACLs close to the source

  14. Standard IP Access Lists
  Router#config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#access-list ?
    <1-99>       IP standard access list
    <100-199>    IP extended access list
    <1000-1099>  IPX SAP access list
    <1100-1199>  Extended 48-bit MAC address access list
    <1200-1299>  IPX summary address access list
    <1300-1999>  IP standard access list (expanded range)
    <200-299>    Protocol type-code access list
    <2000-2699>  IP extended access list (expanded range)
    <300-399>    DECnet access list
    <600-699>    Appletalk access list
    <700-799>    48-bit MAC address access list
    <800-899>    IPX standard access list
    <900-999>    IPX extended access list

  15. Standard IP Access Lists
  • Creating a standard IP access list:
  Router(config)#access-list 10 ?
    deny    Specify packets to reject
    permit  Specify packets to forward
  • Permit or deny?
  Router(config)#access-list 10 deny ?
    Hostname or A.B.C.D  Address to match
    any                  Any source host
    host                 A single host address
  • Using the host command:
  Router(config)#access-list 10 deny host 172.16.30.2

  16. Classroom Example * Example: say you want to only permit Workstation 2 (*) to access the 223.8.151.0 (yellow) network. access-list 20 permit host 192.5.5.12 ?????

  17. The ip access-group command links an existing access list to an interface.
  • Only one access list per interface per protocol per direction is allowed.
  • access-list-number: indicates the number of the access list to be linked to this interface.
  • in | out: selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default.

  18. Step #1: Create the access list
  Lab-C#config t
  Lab-C(config)#access-list 10 permit 192.5.5.12 0.0.0.0
  Implicit deny any (you do not need to add this): access-list 10 deny 0.0.0.0 255.255.255.255
  Step #2: Apply the access group to the interface(s)
  Lab-C(config)#interface e 0
  Lab-C(config-if)#ip access-group 10
  Step #3: Verify
  Lab-C#show ip interface (allows you to view the placement of an access list)
  Lab-C#show access-lists (displays the contents of all ACLs)

  19. NOTE: To remove an access list, first enter the no ip access-group command, including the list number, for each interface where the list had been used, then enter the no access-list command (with the list number).

  20. Wildcards
  • What are they???
  • Used with access lists to specify a…
    • Host
    • Network
    • Part of a network
  that the access list pertains to

  21. IP access lists use wildcard masking.
  • Wildcard masking uses IP address bits (0 or 1) to identify how to treat the corresponding IP address bits.
  • A wildcard mask bit 0 means "check the corresponding bit value."
  • A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value."

  22. Example
  • 172.16.30.5 0.0.0.255
  • The 0's tell the router to match the first three octets exactly
  • The 255 tells the router the 4th octet can be any value
  • This shows how a full subnet (172.16.30.0) is specified
  An Online Wildcard Calculator

  23. Sample Network
  What if we wanted Router A to permit the entire sales network and just the 172.16.50.2 station to get to the Administrative network?
  [Network diagram; each subnet is labelled /24]

  24. Using Wildcard Masks
  RouterA(config)# access-list 11 permit 172.16.30.0 0.0.0.255
  RouterA(config)# access-list 11 permit 172.16.50.2 0.0.0.0
  172.16.30.0 0.0.0.255
  • 0 = check: make sure the first octet is 172
  • 0 = check: make sure the second octet is 16
  • 0 = check: make sure the third octet is 30
  • 255 = don't check (permit any fourth octet)

  25. RouterA(config)# access-list 11 permit 172.16.50.2 0.0.0.0
  172.16.50.2 0.0.0.0
  • 0 = check: make sure the first octet is 172
  • 0 = check: make sure the second octet is 16
  • 0 = check: make sure the third octet is 50
  • 0 = check: make sure the fourth octet is 2

  26. Remember the implicit deny any (deny everything else)
  access-list 11 permit 172.16.30.0 0.0.0.255
  access-list 11 permit 172.16.50.2 0.0.0.0
  {access-list 11 deny 0.0.0.0 255.255.255.255}
  When we set the wildcard mask to all 1's (255.255.255.255) we are saying don't check any of the bits; it doesn't matter, and in this case we are denying everything.

  27. Block Sizes: 64, 32, 16, 8, 4
  • Rules:
    • When specifying a range of addresses, choose the closest block size
    • Each block size must start at 0
    • A '0' in a wildcard means that octet must match exactly
    • A '255' in a wildcard means that octet can be any value
    • The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

  28. Specifying a Range of Subnets
  (Remember: specify a range of values in a block size)
  Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
  Network number = 172.16.8.0
  Wildcard = 0.0.7.255
  ** The wildcard is always one number less than the block size

  29. Wildcard matching lists example
  access-list 1 permit 169.222.30.8 0.0.0.7
    0000 1000  (the address octet, .8)
    0000 0111  (the wildcard octet, 7)
    0000 1xxx  (therefore the low three bits are not checked)
  So 169.222.30.8 0.0.0.7 matches:
    0000 1000 = .8   169.222.30.8
    0000 1001 = .9   169.222.30.9
    0000 1010 = .10  169.222.30.10
    0000 1011 = .11  169.222.30.11
    0000 1100 = .12  169.222.30.12
    0000 1101 = .13  169.222.30.13
    0000 1110 = .14  169.222.30.14
    0000 1111 = .15  169.222.30.15

  30. Practice
  • The administrator wants to use IP wildcard masking bits to match subnets 172.30.16.0 to 172.30.31.0
  • Answer: 0.0.15.255
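The wildcard arithmetic from slides 21 through 30, worked in Python as an added example (not part of the original deck): matching an address the way IOS compares only the checked bits, listing the addresses a base/wildcard pair covers as slide 29 does, and deriving the network number and wildcard for a range of subnets while rejecting ranges that break the block-size rules of slide 27. The function names are this example's own.

```python
# Added example: wildcard-mask arithmetic as an IOS ACL applies it.
import ipaddress

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'check this bit', 1 = 'ignore it' (slide 21).
    The address matches when every checked bit equals the base address."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def expand(base: str, wildcard: str) -> list:
    """List every address a (base, wildcard) pair matches, as slide 29 does
    for 169.222.30.8 0.0.0.7. Refuses wildcards with more than 8 ignored bits."""
    w = to_int(wildcard)
    if bin(w).count("1") > 8:
        raise ValueError("too many addresses to list")
    fixed = to_int(base) & ~w & 0xFFFFFFFF        # the checked bits of the base
    return [to_dotted(fixed | x) for x in range(w + 1) if (x & ~w) == 0]

def wildcard_for_range(first_net: str, last_net: str, prefix: int = 24):
    """Return (network, wildcard) covering the /prefix subnets first_net..last_net
    inclusive (slide 28: 172.16.8.0 through 172.16.15.0 -> 0.0.7.255).
    Enforces slide 27's block-size rules: the span must be a power of two and
    the first network must begin on a multiple of that span."""
    host_bits = (1 << (32 - prefix)) - 1
    lo = to_int(first_net)
    span = (to_int(last_net) | host_bits) - lo + 1    # addresses in the range
    if span <= 0 or span & (span - 1):
        raise ValueError(f"a span of {span} addresses is not a block size")
    if lo % span:
        raise ValueError(f"{first_net} does not start on a {span}-address block")
    return to_dotted(lo), to_dotted(span - 1)          # wildcard = block size - 1
```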

  31. Examples
  • RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
  • RouterA(config)#access-list 10 deny 172.16.0.0 0.0.255.255
  • RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255
  • RouterA(config)#access-list 10 deny 172.16.16.0 0.0.7.255
  • RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255
  • RouterA(config)#access-list 10 deny 172.16.64.0 0.0.63.255

  32. Examples
  Acme#config t
  Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
  Acme(config)#access-list 10 permit any
  (permit any is equivalent to Acme(config)#access-list 10 permit 0.0.0.0 255.255.255.255)
  Acme(config)#int e0
  Acme(config-if)#ip access-group 10 out

  33. Controlling VTY (Telnet) Access
  • Why??
    • Without an ACL, any user can Telnet into the router via VTY and gain access
  • Controlling access
    • Create a standard IP access list permitting only the host/hosts authorized to Telnet into the router
    • Apply the ACL to the VTY line with the access-class command

  34. Example
  RouterA(config)#access-list 50 permit 172.16.10.3
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 50 in
  (implied deny)

  35. Extended IP Access Lists
  • Allows you to choose...
    • IP source address
    • IP destination address
    • Protocol
    • Port number

  36. Extended Access List Configuration

  37. Extended IP Access Lists
  Router#config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#access-list ?
    <1-99>       IP standard access list
    <100-199>    IP extended access list
    <1000-1099>  IPX SAP access list
    <1100-1199>  Extended 48-bit MAC address access list
    <1200-1299>  IPX summary address access list
    <1300-1999>  IP standard access list (expanded range)
    <200-299>    Protocol type-code access list
    <2000-2699>  IP extended access list (expanded range)
    <300-399>    DECnet access list
    <600-699>    Appletalk access list
    <700-799>    48-bit MAC address access list
    <800-899>    IPX standard access list
    <900-999>    IPX extended access list

  38. Extended IP ACLs
  Router(config)#access-list 110 deny ?
    <0-255>  An IP protocol number
    ahp      Authentication Header Protocol
    eigrp    Cisco's EIGRP routing protocol
    esp      Encapsulation Security Payload
    gre      Cisco's GRE tunneling
    icmp     Internet Control Message Protocol
    igmp     Internet Gateway Message Protocol
    igrp     Cisco's IGRP routing protocol
    ip       Any Internet Protocol
    ipinip   IP in IP tunneling
    nos      KA9Q NOS compatible IP over IP tunneling
    ospf     OSPF routing protocol
    pcp      Payload Compression Protocol
    tcp      Transmission Control Protocol
    udp      User Datagram Protocol
  Router(config)#access-list 110 deny tcp ?
    A.B.C.D  Source address
    any      Any source host
    host     A single source host

  39. Extended IP ACL Steps
  #1: Select the access list: RouterA(config)#access-list 110
  #2: Decide on deny or permit: RouterA(config)#access-list 110 deny
  #3: Choose the protocol type: RouterA(config)#access-list 110 deny tcp
  #4: Choose the source IP address of the host or network: RouterA(config)#access-list 110 deny tcp any
  #5: Choose the destination IP address: RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
  #6: Choose the type of service, port, & logging: RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

  40. Well-Known Port Numbers (Decimal) & IP Protocols
  • 20 File Transfer Protocol (FTP) data
  • 21 FTP program (use both 20 & 21)
  • 23 Telnet
  • 25 Simple Mail Transport Protocol (SMTP)
  • 69 Trivial File Transfer Protocol (TFTP)
  • 53 Domain Name System (DNS)
  • 80 Hyper Text Transfer Protocol (HTTP)

  41. Steps (cont.)
  RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
  RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
  RouterA(config-if)#ip access-group 110 in
  or
  RouterA(config-if)#ip access-group 110 out

  42. Example
  Acme#config t
  Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
  Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
  Acme(config)#access-list 110 permit ip any any
  Acme(config)#int e0
  Acme(config-if)#ip access-group 110 out
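An added example (not from the deck, and not how IOS is implemented) that models the matching rules of slides 6 and 26 in Python: a packet is tested against each entry in order, the first match decides, and a packet matching nothing falls to the implicit deny. It parses the numbered-list syntax shown on slides 34 and 42 (standard lists check source only; extended lists check protocol, source, destination and a numeric eq port) and uses those slides' entries as constructed sample input; Packet, evaluate and the ACL_ names are this example's own.

```python
# Added example: first-match evaluation of numbered IOS access lists.
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp", ...; "ip" = no L4 header examined
    dport: int = 0         # destination port (0 = not applicable)

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _match_addr(tokens: list, addr: str) -> bool:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D [wildcard].
    A standard-list entry may omit the wildcard, which IOS reads as 0.0.0.0."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return _ip(tokens.pop(0)) == _ip(addr)
    wild = _ip(tokens.pop(0)) if tokens and tokens[0].count(".") == 3 else 0
    care = ~wild & 0xFFFFFFFF          # wildcard 0 = check the bit, 1 = ignore it
    return (_ip(addr) & care) == (_ip(tok) & care)

def evaluate(acl: list, pkt: Packet) -> str:
    """Test pkt against each entry top to bottom and return the action of the
    first match (slide 6). If no entry matches, the implicit deny applies."""
    for line in acl:
        tokens = line.split()
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99 or 1300 <= number <= 1999:     # standard: source only
            if _match_addr(rest, pkt.src):
                return action
            continue
        proto = rest.pop(0)                # extended: proto, src, dst, [eq port]
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(rest, pkt.src) and _match_addr(rest, pkt.dst)):
            continue
        if rest[:1] == ["eq"] and pkt.dport != int(rest[1]):
            continue
        return action
    return "deny"                          # the implicit deny any at the end

ACL_110 = [  # slide 42's extended list, as constructed sample input
    "access-list 110 deny tcp any host 172.16.10.5 eq 21",
    "access-list 110 deny tcp any host 172.16.10.5 eq 23",
    "access-list 110 permit ip any any",
]
ACL_50 = ["access-list 50 permit 172.16.10.3"]  # slide 34: relies on the implicit deny
```

evaluate(ACL_110, Packet("10.0.0.9", "172.16.10.5", "tcp", 23)) returns "deny" while the same packet to port 80 returns "permit"; with ACL_50 any source other than 172.16.10.3 is denied without an explicit entry.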

  43. What if we wanted Router A to permit only the Engineering Workstation to access the web server in Admin, with IP address 172.16.10.2, on port 80?

  44. RouterA(config)# access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80
  RouterA(config)#inter e 0
  RouterA(config-if)#ip access-group 110 out

  45. Extended Access List Configuration Example 1
  Deny FTP, but permit all other traffic from subnet 172.16.4.0 to be forwarded to any other networks or subnetworks via interface E0.
  Should be two statements, for both 20 and 21. (20=FTP control, 21=FTP data)

  46. Using Named IP Access Lists

  47. This feature allows IP standard and extended access lists to be identified with an alphanumeric string (name) instead of the current numeric representation.
  • Named IP access lists can be used to delete individual entries from a specific access list.
  • This enables you to modify your access lists without deleting and then reconfiguring them.
  router(config)# ip access-list standard george
  router(config std-george)# {permit/deny statements}
  router(config-if)# ip access-group george in|out

  48. Where to Place IP Access Lists

  49. Monitoring IP Access Lists
  • Display all access lists & their parameters: show access-list
  • Show only the parameters for access list 110: show access-list 110
  • Show only the IP access lists configured: show ip access-list
  • Show which interfaces have access lists set: show ip interface
  • Show the access lists & which interfaces have access lists set: show running-config

  50. Monitoring Access Lists The show ip interface command displays IP interface information and indicates whether any access lists are set.
