1
Lecture #5 Access Control Lists (ACLs)
Asst.Prof. Dr.Anan Phonphoem
Department of Computer Engineering,
Faculty of Engineering, Kasetsart University,
Bangkok, Thailand
2
Overview
ACL fundamentals
ACL operations
Types of ACLs (Standard / Extended)
Implementing ACLs
3
Access Control Lists (ACLs)
List of conditions to test the traffic
Router can permit or deny (like a filter)
Provides Security
Bandwidth Management
Come in two Types: STANDARD and EXTENDED
4
What is ACL?
A List of Criteria to which all Packets are compared.
Is this Packet from Network 10.5.2.0?
  Yes - Forward the Packet
  No - Check with Next Statement
Is this a Telnet Protocol Packet from 25.25.0.0?
  Yes - Forward the Packet
  No - Check Next Statement
Deny All Other Traffic
5
ACL Operations
Packets are compared to each statement in an Access-list SEQUENTIALLY - from the top down.
The sooner a decision is made the better. Well written Access-lists take care of the most abundant type of traffic first.
All Access-lists end with an Implicit Deny All statement.
6
ACL operations
7
ACL numbers
8
Standard ACL
Are given a # from 1-99
Filtering based only on Source Address
Should be applied closest to the Destination
9
Extended ACL
Are given a # from 100-199
Much more flexible and complex
Can filter based on:
  Source address
  Destination address
  Session Layer Protocol (ICMP, TCP, UDP..)
  Port Number (80 http, 23 telnet…)
Should be applied closest to the Source
10
Implementing ACLs
Step 1 - Create the Access-list
Step 2 - Apply the Access-list to an Interface
  Must be in interface config mode:
  (config-if)# ip access-group # in/out   (in/out from the router's point of view)
11
Standard ACL format
access-list # permit/deny sourceIP wildcard
#            1-99
permit/deny  switch the packet or drop it
sourceIP     source IP address to which the packet should be compared. Can also use ANY
wildcard     (inverse mask) see next slides
12
Wildcard Mask
Allows you to indicate a host, subnet, network or range of IP addresses
The two binary values in the wildcard have different meanings:
0 = Must Match Exactly
1 = Ignore
13
Wildcard Mask
14
Wildcard Example
Network      Wildcard
172.16.10.0  0.0.0.255
Result: Match the first three octets exactly but ignore the last octet.
172.16.10.0 thru 172.16.10.255 is a match since the last octet does not matter.
15
Implementing ACLs
Remember the Implicit Deny All at the end of each access-list.
Two Approaches:
1. List the traffic you know you want to permit; deny all other traffic
2. List the traffic you want to deny; permit all other traffic (permit any)
16
Standard ACL
17
Standard ACL example (I)
A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any
So what does this access list do?
• Deny any host 172.22.5.2
• Deny any host 172.22.5.3
• All other traffic can go
18
Standard ACL example (II)
A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any
A(config)#access-list 5 deny 172.22.5.4 0.0.0.0
Why does the last line have no effect? How could you correct this situation?
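An added example, not part of the slides or of any Cisco material: a small Python simulator of standard ACL processing that parses the statement format from slide 11, applies the wildcard-mask rule from slides 12-14, walks the list top-down with the implicit deny, keeps the per-statement match counters the tips slides mention, and flags statements that can never be reached, which is exactly why the last line of example (II) has no effect. The sample input list and all function names are constructed for this example.

```python
import ipaddress
EXAMPLE_II = ["access-list 5 deny 172.22.5.2 0.0.0.0",  # constructed input: the slides'
              "access-list 5 deny 172.22.5.3 0.0.0.0",  # standard ACL example (II)
              "access-list 5 permit any",
              "access-list 5 deny 172.22.5.4 0.0.0.0"]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(packet_ip, acl_ip, wildcard):
    # Wildcard bit 0 = must match exactly, 1 = ignore: compare only where the mask is 0.
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care) == (_to_int(acl_ip) & care)

def parse_standard_acl(config_lines):
    # Accepts 'access-list <1-99> permit|deny <source> [wildcard]' or '... any'.
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line}")
        number, action, source = int(tokens[1]), tokens[2], tokens[3]
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is outside the standard ACL range 1-99")
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"  # no mask = single host
        entries.append({"action": action, "source": source, "wildcard": wildcard, "matches": 0})
    return entries

def evaluate(entries, source_ip):
    # Top-down, first match wins; a packet matching nothing hits the implicit deny all.
    for entry in entries:
        if wildcard_match(source_ip, entry["source"], entry["wildcard"]):
            entry["matches"] += 1  # the per-statement counter that 'show access-lists' reports
            return entry["action"]
    return "deny"

def shadowed_entries(entries):
    # Statements no packet can reach: an earlier one already covers every address they match.
    shadowed = []
    for i, b in enumerate(entries):
        b_care = ~_to_int(b["wildcard"]) & 0xFFFFFFFF
        for a in entries[:i]:
            a_care = ~_to_int(a["wildcard"]) & 0xFFFFFFFF
            if a_care & ~b_care == 0 and _to_int(a["source"]) & a_care == _to_int(b["source"]) & a_care:
                shadowed.append(i)
                break
    return shadowed
```

Running `shadowed_entries(parse_standard_acl(EXAMPLE_II))` reports index 3, the deny for 172.22.5.4 that sits below `permit any`; moving that line above the `permit any` makes it reachable.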
19
Extended ACL
20
Placing ACLs
Standard: Close to destination
Extended: Close to source
21
Diagram: Firewall with a DMZ between the External and Internal networks
22
Restricted ACL access
23
Verifying ACLs
show ip interface
show access-lists
show running-config
24
Implementing ACLs Tips
You cannot selectively add or remove statements from an Access-list
Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
Document your Access-list: after each line indicate exactly what that line is supposed to do.
25
Implementing ACLs Tips
Verifying Your Access-list
  show access-lists
  show ip interface
Revisit your access-list after a few days
  Routers keep track of the number of packets that match each statement in an access-list
  Use this information to reorder your access-list and thus improve its efficiency
Never remove an access-list that is applied to a port - this can crash a router.
26
Summary
Are Created and then Applied to an interface
Are Implemented Sequentially - Top Down
End with an implicit Deny ALL statement
# 1-99 Standard and # 100-199 Extended
Standard - source address only
Extended - source, destination, protocol, port
27
References
C. Dodge, slides on the Cisco website
Cisco curriculum materials