Post on 02-Jun-2018
8/11/2019 Accessing_WAN_Chapter5-ACL.ppt
1/86
Rick Graziani graziani@cabrillo.edu 1
Part 1: ACL Fundamentals
CCNA 2 version 3.1
What are ACLs?
An access list is a sequential series of commands or filters. These lists tell the router what types of packets to:
accept, or
deny.
Acceptance and rejection can be based on certain specific conditions.
ACLs are applied on router interfaces.
What are ACLs?
The router examines each packet to determine whether to forward it or drop it, based on the conditions specified in the ACL.
Some ACL decision criteria are:
Source IP address
Destination IP address
UDP or TCP protocol
Upper-layer (TCP/UDP) port numbers
How do ACLs work?
An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
If none of the ACL statements match, an implicit "deny any" statement placed at the end of the list by default applies. (It is not visible in the configuration.)
When first learning how to create ACLs, it is a good idea to add the implicit deny explicitly at the end of ACLs to reinforce the presence of that hidden statement.
One ACL per protocol: to control the flow of traffic on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface: ACLs control traffic for one interface, for example Fast Ethernet 0/0.
How ACLs work
Access list statements operate in sequential, logical order.
They evaluate packets from the top down.
Once there is an access list statement match, the packet skips the rest of the statements. If a condition match is true, the packet is permitted or denied.
There can be only one access list per protocol per interface.
There is an implicit deny any at the end of every access list.
ACLs do not block packets that originate within the router (i.e. pings, telnets, etc.).
Two types of ACLs
1. Standard IP ACLs
Can only filter on the source IP address
Placed as close as possible to the destination
ACL types: number ranges
Creating Standard ACLs: 2 Steps
Creating ACLs: 2 Steps (Standard IP)
ACL Placement
The basic rules are:
Place extended ACLs as close as possible to the source of the denied traffic. That way unwanted traffic is filtered without crossing the network infrastructure.
Since standard ACLs do not specify destination addresses, place them as close to the destination as possible.
Example 1
Task:
Permit only the host 172.16.30.2 from exiting the Sales network.
Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
[Network diagram used throughout: RouterA (Administration LAN 172.16.10.0/24, hosts 172.16.10.2 and 172.16.10.3, e0 is .1) connects over serial link 172.16.20.0/24 (RouterA s0 to RouterB s0) to RouterB (Sales LAN 172.16.30.0/24, hosts 172.16.30.2 and 172.16.30.3, e0 is .1), which connects over serial link 172.16.40.0/24 (RouterB s1 to RouterC s0) to RouterC (Engineering LAN 172.16.50.0/24, hosts 172.16.50.2 and 172.16.50.3, e0 is .1).]
Learn by example!
RouterB(config)#access-list 10 permit 172.16.30.2
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
Step 1: ACL statements (Standard IP). The implicit deny any is automatically added.
From Cisco Web Site
Applying ACLs
You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to a router interface.
It is good practice to apply standard ACLs on the interface closest to the destination of the traffic and extended ACLs on the interface closest to the source.
Defining In, Out, Source, and Destination
Out: traffic that has already been routed by the router and is leaving the interface.
In: traffic that is arriving on the interface and will be routed by the router.
CASE 1: Applying on the Ethernet interface
RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Step 2: Apply to an interface (or interfaces)
RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
Step 2: Or the outgoing interfaces. Which is preferable and why?
CASE 2: Applying on the serial interfaces
RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
Because of the implicit deny any, this has the adverse effect of also denying packets from Administration from reaching Engineering, and denying packets from Engineering from reaching Administration.
CASE 2: Applying on the serial interfaces
ACL: The best option
RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Preferred: this access list will work for all existing and new interfaces on RouterB.
Example 2
Task:
Permit only the hosts 172.16.30.2, 172.16.30.3, 172.16.30.4 and 172.16.30.5 from exiting the Sales network.
Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
RouterB(config)#access-list 10 permit 172.16.30.2 0.0.0.0
RouterB(config)#access-list 10 permit 172.16.30.3 0.0.0.0
RouterB(config)#access-list 10 permit 172.16.30.4 0.0.0.0
RouterB(config)#access-list 10 permit 172.16.30.5 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Once a condition is met, all other statements are ignored, so the implicit deny any only applies to packets that matched nothing above it.
Example 3
Task:
Deny only the host 172.16.30.2 from exiting the Sales network.
Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.
Keyword any can be used to represent all IP Addresses.
Example 3
RouterB(config)#access-list 10 deny 172.16.30.2 0.0.0.0
RouterB(config)#access-list 10 permit any
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Order matters! What if these two statements were reversed? Does the implicit deny any ever get a match? No, the permit any will cover all other packets.
Example 3
RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 172.16.30.2 0.0.0.0
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Order matters: in this case all packets would be permitted, because all packets would match the first access list statement. Once a condition is met, all other statements are ignored. The second access list statement and the implicit deny any would never be used. This would not do what we want.
Note on inbound access lists
When an access list is applied to an inbound interface, the packets are checked against the access list before any routing table lookup occurs.
We will see how outbound access lists work in a moment, but they are applied after the forwarding decision is made, after the routing table lookup takes place and an exit interface is determined.
Once a packet is denied by an ACL, the router sends an ICMP Destination Unreachable message, with the code value set to Administratively Prohibited, to the source of the packet.
RouterB(config)#access-list 10 deny 172.16.30.2 0.0.0.0
RouterB(config)#access-list 10 permit any
Implicit deny any (you do not need to add this; discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Time for Wildcard Masks!
A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The ones and zeros in the mask identify how to treat the corresponding IP address bits.
The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from an analogy with a wildcard that matches any other card in the game of poker.
Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.
Subnet masks start from the left side of an IP address and work towards the right to extend the network field by borrowing bits from the host field.
Wildcard masks are designed to filter individual IP addresses or groups of IP addresses, permitting or denying access to resources based on the address.
Wildcard Masks!
Trying to figure out how wildcard masks work by relating them to subnet masking will only confuse the entire matter.
The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use ones and zeros for the mask.
This is not entirely true.
Although it is very important that you understand how a wildcard mask works, it can also be thought of as an inverse subnet mask.
We will see examples in a moment.
Wildcard Masks!
Wildcard masking is used to identify how to treat the corresponding IP address bits.
0: check the corresponding bit value. 1: do not check (ignore) that corresponding bit value.
A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked and must match for the condition to be true.
A one in a bit position of the access list mask indicates that the corresponding bit in the address is not interesting, does not need to match, and can be ignored.
Test condition (address):    10101100.00010000.00000000.00000000
Test condition (wildcard):   00000000.00000000.11111111.11111111
                             ------------------------------------
Matching packets look like:  10101100.00010000.any value.any value
Wildcard Masks!
0: check the corresponding bit value.
1: do not check (ignore) that corresponding bit value.
Test condition (address):    10101100.00010000.00000000.00000000
Test condition (wildcard):   00000000.00000000.11111111.11111111
                             ------------------------------------
Matching packets look like:  10101100.00010000.any value.any value
                             [---- must match ----] [no match necessary]
The result is the set of bits that must match and the bits that do not matter.
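As an added example (not part of the slides), the following Python models how a standard ACL is evaluated: the wildcard comparison bit by bit, the `any` and `host` shorthands, top-down first-match order and the implicit deny, run against the statements of Example 3 (both orderings) and Example 4. The `Entry`, `evaluate` and `match_pattern` names are the example's own.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple

# Constructed model (not from the slides) of how a Cisco IOS standard IP ACL
# tests a packet's source address: top-down, first match wins, implicit deny.


class Entry(NamedTuple):
    action: str     # "permit" or "deny"
    address: str    # dotted-quad address from the access-list statement
    wildcard: str   # dotted-quad wildcard mask: 0 bit = must match, 1 bit = ignore


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def bit_view(dotted: str) -> str:
    """Dotted binary, as the slides draw it: '10101100.00010000.00011110.00000000'."""
    return ".".join(format(int(octet), "08b") for octet in dotted.split("."))


def match_pattern(address: str, wildcard: str) -> str:
    """Per-bit view of a test condition: checked bits keep their value, ignored bits become 'x'."""
    octets = []
    for a, w in zip(bit_view(address).split("."), bit_view(wildcard).split(".")):
        octets.append("".join("x" if wb == "1" else ab for ab, wb in zip(a, w)))
    return ".".join(octets)


def wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is identical in packet and statement."""
    differing = to_int(packet_ip) ^ to_int(address)
    # A differing bit is only tolerated where the wildcard has a 1.
    return differing & ~to_int(wildcard) == 0


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} source [wildcard]' (prompt optional),
    expanding the 'any' and 'host' shorthands and the omitted-wildcard case."""
    tokens = line.split("#")[-1].split()
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":                      # any = 0.0.0.0 255.255.255.255
        return Entry(action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":                     # host A.B.C.D = A.B.C.D 0.0.0.0
        return Entry(action, rest[1], "0.0.0.0")
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # IOS: no wildcard = exact host
    return Entry(action, rest[0], wildcard)


def evaluate(acl: List[str], packet_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement); ('deny', None) is the implicit deny any."""
    for index, line in enumerate(acl):
        entry = parse_entry(line)
        if wildcard_match(packet_ip, entry.address, entry.wildcard):
            return entry.action, index          # later statements are never checked
    return "deny", None


# ACL 10 from Example 3, and the same two statements in reversed order.
EXAMPLE_3 = [
    "RouterB(config)#access-list 10 deny 172.16.30.2 0.0.0.0",
    "RouterB(config)#access-list 10 permit any",
]
EXAMPLE_3_REVERSED = list(reversed(EXAMPLE_3))

# ACL 11 from Example 4: the whole Sales LAN plus one Engineering host.
EXAMPLE_4 = [
    "access-list 11 permit 172.16.30.0 0.0.0.255",
    "access-list 11 permit 172.16.50.2 0.0.0.0",
]

if __name__ == "__main__":
    print(match_pattern("172.16.0.0", "0.0.255.255"))   # 10101100.00010000.xxxxxxxx.xxxxxxxx
    for ip in ("172.16.30.2", "172.16.30.3"):
        print("Example 3", ip, evaluate(EXAMPLE_3, ip), "reversed:", evaluate(EXAMPLE_3_REVERSED, ip))
    for ip in ("172.16.30.77", "172.16.50.2", "172.16.50.3"):
        print("Example 4", ip, evaluate(EXAMPLE_4, ip))
```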
Example 4: Using Wildcard Masks
Task:
We want RouterA to permit the entire Sales network and just the 172.16.50.2 station.
Deny all other traffic from entering the Administration network.
Example 4: Using Wildcard Masks
172.16.30.0 0.0.0.255
0: check, make sure the first octet is 172
0: check, make sure the second octet is 16
0: check, make sure the third octet is 30
255: don't check (permit any fourth octet)
RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0
172.16.50.2 0.0.0.0
0: check, make sure the first octet is 172
0: check, make sure the second octet is 16
0: check, make sure the third octet is 50
0: check, make sure the fourth octet is 2
Example 4: Using Wildcard Masks
172.16.30.0 10101100 . 00010000 . 00011110 . 00000000
0.0.0.255 00000000 . 00000000 . 00000000 . 11111111
-----------------------------------------
172.16.30.0 10101100 . 00010000 . 00011110 . 00000000
172.16.30.1 10101100 . 00010000 . 00011110 . 00000001
... (through)
172.16.30.255 10101100 . 00010000 . 00011110 . 11111111
RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
0 = check, we want this to match; 1 = don't check (don't care)
Example 4: Using Wildcard Masks
172.16.50.2 10101100 . 00010000 . 00110010 . 00000010
0.0.0.0 00000000 . 00000000 . 00000000 . 00000000
-----------------------------------------
172.16.50.2 10101100 . 00010000 . 00110010 . 00000010
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0
0 = check, we want this to match; 1 = don't check (don't care)
Example 4: Using Wildcard Masks
RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0
RouterA(config)# interface e 0
RouterA(config-if)#ip access-group 11 out
Don't forget to apply the access list to an interface.
Example 4: Using Wildcard Masks
RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0
RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255
RouterA(config)# interface e 0
RouterA(config-if)#ip access-group 11 out
Remember that implicit deny any? It's a good idea for beginners to include the deny any statement just as a reminder.
Example 4: Using Wildcard Masks
RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255
0 = check, we want this to match; 1 = don't check (don't care)
0.0.0.0 00000000 . 00000000 . 00000000 . 00000000
255.255.255.255 11111111 . 11111111 . 11111111 . 11111111
-----------------------------------------
0.0.0.0 00000000 . 00000000 . 00000000 . 00000000
0.0.0.1 00000000 . 00000000 . 00000000 . 00000001
... (through)
255.255.255.255 11111111 . 11111111 . 11111111 . 11111111
any keyword
RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255
Or
RouterA(config)#access-list 11 deny any
any = 0.0.0.0 255.255.255.255
Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
This option will match any address that it is compared against.
any keyword: From Example 3
Previous example:
Deny only the host 172.16.30.2 from exiting the Sales network. Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.
Keyword any can be used to represent all IP Addresses.
RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 permit any
or
RouterB(config)#access-list 10 permit 0.0.0.0 255.255.255.255
A note about outbound access lists
RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0
RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255
RouterA(config)# interface e 0
RouterA(config-if)#ip access-group 11 out
This will deny packets from 172.16.30.0/24 from reaching all devices in the 172.16.10.0/24 Administration LAN, except RouterA's Ethernet 0 interface, 172.16.10.1, which those packets can still reach. The access list would need to be applied on RouterA's Serial 0 interface for traffic to RouterA's Ethernet 0 address to be denied too. A better solution is to use an extended access list (coming).
ACL: host option
RouterB(config)#access-list 10 permit 192.168.1.100 0.0.0.0
RouterB(config)#access-list 10 permit host 192.168.1.100
Permit the following hosts:
Network/Subnet Mask        Address/Wildcard Mask
A. 172.16.10.100           172.16.10.100 0.0.0.0
B. 192.168.1.100           192.168.1.100 0.0.0.0
The host option substitutes for the 0.0.0.0 mask.
This mask requires that all bits of the ACL address and the packet address match.
The host keyword precedes the IP address. This option will match just one address.
172.16.10.100 0.0.0.0 is replaced by host 172.16.10.100
192.168.1.100 0.0.0.0 is replaced by host 192.168.1.100
Verifying Access Lists
Note: More than one interface can use the same access list.
Filtering Telnet Traffic
Only numbered access lists can be applied to the VTY lines.
Part 2: ACL Operations
CCNA 2 version 3.1
Inbound Standard Access Lists
With inbound access lists the IOS checks the packet before it is sent to the routing table process.
With outbound access lists the IOS checks the packet after it has been through the routing table process, except for packets destined for the router's own interfaces.
This is because the output interface is not known until the forwarding decision is made.
Inbound Access Lists
RouterA(config)# interface e 0
RouterA(config-if)#ip access-group 11 in
Standard ACL
We will see why in a moment.
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]
The no form of this command is used to remove a standard ACL. This is the syntax (it deletes the entire ACL!):
Router(config)#no access-list access-list-number
Extended Access Lists
The operator and operand can also refer to ICMP types and codes, or to whatever is appropriate for the protocol being checked.
If the operator and operand follow the source address, they refer to the source port.
If the operator and operand follow the destination address, they refer to the destination port.
Extended Access Lists - Examples
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:
Router(config-if)#ip access-group access-list-number {in | out}
Example 1: Extended ACL
Task
What if we wanted RouterA to permit only the Engineering workstation 172.16.50.2 to access the web server in the Administration network with the IP address 172.16.10.2 on port 80?
All other traffic is denied.
Example 1
RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80
RouterA(config)#inter e 0
RouterA(config-if)#ip access-group 110 out
Why is it better to place the ACL on RouterA instead of RouterC? Why is the e0 interface used instead of s0 on RouterA?
We'll see in a moment!
Example 2
Task
What if we wanted RouterA to permit any workstation on the Sales network to access the web server in the Administration network with the IP address 172.16.10.2 on port 80?
All other traffic is denied.
RouterA(config)#access-list 110 permit tcp 172.16.30.0 0.0.0.255 host 172.16.10.2 eq 80
RouterA(config)#inter e 0
RouterA(config-if)#ip access-group 110 out
When configuring access list statements, use the ? to walk yourself through the command!
Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2. They allow standard and extended ACLs to be given names instead of numbers.
The advantages that a named access list provides are:
1. Intuitively identify an ACL using an alphanumeric name.
2. Eliminate the limit of 798 simple and 799 extended ACLs.
3. Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
4. It is important to note that a named access list will allow the deletion of statements but will only allow statements to be inserted at the end of a list.
5. Even with named ACLs it is a good idea to use a text editor to create them.
A named ACL is created with the ip access-list command. This places the user in ACL configuration mode.
Named ACLs
In ACL configuration mode, specify one or more conditions to be permitted or denied.
This determines whether the packet is passed or dropped when the ACL statement matches.
Editing Access Lists
Placing ACLs
The general rule:
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Put the extended ACLs as close as possible to the source of the traffic being denied.
[Diagram: traffic from source network 10.0.0.0/8 (RouterA LAN) to destination network 172.16.0.0/16 (RouterD LAN), passing through RouterA, RouterB, RouterC and RouterD.]
Placing ACLs
If the ACLs are placed in the proper location, not only can traffic be filtered, but the whole network can be made more efficient.
If traffic is going to be filtered, the ACL should be placed where it has the greatest impact on increasing efficiency.
Placing ACLs Extended Example
The policy is to deny telnet and FTP from the RouterA LAN to the RouterD LAN. All other traffic must be permitted.
Several approaches can accomplish this policy. The recommended approach uses an extended ACL specifying both source and destination addresses.
Placing ACLs Extended Example
Place this extended ACL on RouterA. Then the denied packets do not cross RouterA's Ethernet, do not cross the serial interfaces of RouterB and RouterC, and do not enter RouterD.
Traffic with different source and destination addresses will still be permitted.
RouterA configuration (deny telnet, deny ftp, permit everything else):
interface fastethernet 0/1
 ip access-group 101 in
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp
access-list 101 permit ip any any
Placing ACLs Extended Example
If the permit ip any any is not used, then no traffic is permitted. Be sure to permit ip and not just tcp, or all UDP traffic will be denied.
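As an added example (not the slides' code), this Python models extended ACL matching for ACL 101 above and ACL 110 from extended Example 1: protocol, source and destination with wildcards, and the `eq` port operator after either address, with the implicit deny at the end. The `Packet` and `Entry` types and the sample packets are constructed here; only the `eq` operator is modelled, and `PORT_NAMES` maps the IOS keywords telnet, ftp, www and domain to their well-known ports.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple

# Constructed model (not from the slides) of how an extended IP ACL matches a
# packet: protocol, source, destination, and the optional 'eq' port operator.

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "domain": 53}  # IOS keywords used here


class Packet(NamedTuple):
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    sport: Optional[int]         # operator after the source address = source port
    dst: str
    dst_wc: str
    dport: Optional[int]         # operator after the destination address = destination port


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """Bits the wildcard marks 0 must be identical; bits marked 1 are ignored."""
    differing = int(IPv4Address(ip)) ^ int(IPv4Address(address))
    return differing & ~int(IPv4Address(wildcard)) == 0


def _address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>' operator (only 'eq' is modelled)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_extended(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} proto src [eq p] dst [eq p]'; prompt optional."""
    t = line.split("#")[-1].split()
    action, proto = t[2], t[3]
    src, src_wc, i = _address(t, 4)
    sport, i = _port(t, i)
    dst, dst_wc, i = _address(t, i)
    dport, _ = _port(t, i)
    return Entry(action, proto, src, src_wc, sport, dst, dst_wc, dport)


def matches(e: Entry, p: Packet) -> bool:
    """Every field the statement specifies must agree with the packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    return e.dport is None or p.dport == e.dport


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching statement decides; an unmatched packet hits the implicit deny."""
    for line in acl:
        entry = parse_extended(line)
        if matches(entry, p):
            return entry.action
    return "deny"


# ACL 101 from the placement example, and a variant ending in 'permit tcp any any'.
ACL_101 = [
    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet",
    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp",
    "access-list 101 permit ip any any",
]
ACL_101_TCP_ONLY = ACL_101[:2] + ["access-list 101 permit tcp any any"]

# ACL 110 from extended Example 1: one Engineering host to the web server, port 80.
ACL_110 = ["RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80"]

# Constructed sample packets.
TELNET_TO_D = Packet("tcp", "10.1.1.10", "172.16.9.9", 40000, 23)        # denied by statement 1
TELNET_ELSEWHERE = Packet("tcp", "10.1.1.10", "192.168.1.9", 40001, 23)  # other destination: permitted
DNS_TO_D = Packet("udp", "10.1.1.10", "172.16.1.53", 5353, 53)           # UDP: only 'permit ip' passes it
WEB_FROM_ENG = Packet("tcp", "172.16.50.2", "172.16.10.2", 50000, 80)
PING_FROM_ENG = Packet("icmp", "172.16.50.2", "172.16.10.2")             # not tcp: implicit deny
```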
Placing ACLs: Standard Example
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
If a standard ACL is put too close to the source, it will not only deny the intended traffic, but all other traffic to all other networks.
RouterD configuration (deny 10.0.0.0, permit everything else):
interface fastethernet 0/0
 ip access-group 10 in
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
Placing ACLs: Standard Example
It is better to use extended access lists and place them close to the source, since with this standard ACL the traffic travels all the way to RouterD before being denied.
Complex ACLs
Types of complex ACLs
1. Dynamic ACLs
1. Dynamic ACLs
Dynamic ACLs depend on Telnet connectivity, on authentication (local or remote) and on extended ACLs.
They are available only for IP traffic.
Dynamic ACL configuration begins with applying an extended ACL to block traffic passing through the router.
Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. At that point the Telnet connection is closed and a single-entry dynamic ACL is added to the existing extended ACL.
This entry permits traffic for a set period; it may expire through an idle timeout or an absolute timeout.
ACL Configuration
2. Reflexive ACLs
Network administrators use reflexive ACLs to permit IP traffic for sessions originating within their network while denying IP traffic for sessions originating outside the network.
The router examines outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to permit the return replies.
Reflexive ACLs provide a more precise form of session filtering than an extended ACL that uses the established parameter presented earlier.
3. Time-based ACLs
To implement time-based ACLs, you must create a time range that defines the specific times of day and days of the week.
You must identify the time range with a name and then refer to it from a function. The time restrictions are enforced by that function.
Advantages:
They give the network administrator more control over permitting and denying access to resources.
Firewalls
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects. Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.
ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet.
The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
ACLs can also be used on a router positioned between two parts of the network to control traffic entering or exiting a specific part of the internal network.
ISPs use ACLs to deny RFC 1918 addresses into their networks, as these are non-routable Internet addresses.
IP packets coming into your network should never have a source address that belongs to your network. (This check should be applied on all network entrance routers.)
There are several other simple access lists which should be added to network entrance routers.