Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP...
-
Upload
kyler-turnley -
Category
Documents
-
view
274 -
download
0
Transcript of Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP...
Any Questions?
Chapter 6 IP Access Control Lists
• Standard IP Access Control Lists
• Extended IP Access Control Lists
• Advances in Managing ACL Configuration
• Miscellaneous ACL Topics
Do I know this?
Go through the Quiz-
5 minutes
1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?
a. Match the exact source IP addressb. Match IP addresses 10.1.1.1 through 10.1.1.4 with one
access-list command without matching other IP addresses
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses
d. Match only the packet’s destination IP address
1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?
a. Match the exact source IP addressb. Match IP addresses 10.1.1.1 through 10.1.1.4 with one
access-list command without matching other IP addresses
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses
d. Match only the packet’s destination IP addressAnswer:A&C
2. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
a. 0.0.0.0b. 0.0.0.31c. 0.0.0.240d. 0.0.0.255e. 0.0.15.0f. 0.0.248.255
2. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
a. 0.0.0.0b. 0.0.0.31c. 0.0.0.240d. 0.0.0.255e. 0.0.15.0f. 0.0.248.255Answer: D
3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
a. 0.0.0.0b. 0.0.0.31c. 0.0.0.240d. 0.0.0.255e. 0.0.15.255f. 0.0.248.255
3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
a. 0.0.0.0b. 0.0.0.31c. 0.0.0.240d. 0.0.0.255e. 0.0.15.255f. 0.0.248.255Answer: E
4. Which of the following fields cannot be compared based on an extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers
4. Which of the following fields cannot be compared based on an extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers
Answer: E&F
5. Which of the following access-list commands permits traffic that matches packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
5. Which of the following access-list commands permits traffic that matches packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
Answer: A&E
6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any
6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any
Answer: E
7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.
7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.
Answer: E
8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list... command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.
8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list... command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.
Answer: A & C
9. What general guideline should you follow when placing extended IP ACLs?
a. Perform all filtering on output if at all possible.b. Put more-general statements early in the ACL.c. Filter packets as close to the source as
possible.d. Order the ACL commands based on the source
IP addresses, lowest to highest, to improve performance.
9. What general guideline should you follow when placing extended IP ACLs?
a. Perform all filtering on output if at all possible.b. Put more-general statements early in the ACL.c. Filter packets as close to the source as
possible.d. Order the ACL commands based on the source
IP addresses, lowest to highest, to improve performance.
Answer: C
10. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router?
a. Named ACLsb. Reflexive ACLsc. Dynamic ACLsd. Time-based ACLsAnswer: C
Any Questions?
ACL History
• Original Support for Numbered ACLS– We will learn this first
• Then support for named ACLS– Also cover this– IOS 11.2
• Now support for Sequence numbers for ACLS– WAY easier– IOS 12.3
Pg 231
Access Control Lists
• Allow a router to drop packets based on certain criteria– You build a list with multiple lines– Each line is one of the rules to check
• Filter router updates• Match packets for
– Priority– QOS– VPN
Pg 232
ACLs Questions
• Which packets to filter• Where to filter them
Pg 232
Where to filter
Pg 233
Key ACL ideas
• Packets can be filtered as they enter an interface, before the routing decision.
• Packets can be filtered before they exit an interface, after the routing decision.
• Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
• Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
• The filtering logic is configured in the access list.• At the end of every access list is an implied “deny all
traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
Pg 233
Any Questions?
ACL Logic
• Matching– Examine packets to match against ACL
statements
• Action– Permit of deny
Pg 234
ACL Logic-KEY IDEA
1. The matching parameters of the access-list statement are compared to the packet.
2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.
3. If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
4. If no match is made with an entry in the access list, the deny action is performed.
Pg 234
Wildcard Masks
• ACLs can match based on IP addresses– Standard ACLs only on source address
• Wildcards let you specify a range of addresses in a single statement– Stop all hosts on a subnet
• Logic– 0 in mask says compare– 1 in mask says it doesn’t matter– Can add the mask to the original address
Pg 235
Mask Examples
Pg 235
Wildcard Mas Binary Version of the Mask Description
0.0.0.0 00000000.00000000.00000000.00000000 The entire IP address must match.
0.0.0.255 00000000.00000000.00000000.11111111 Just the first 24 bits must match.
0.0.255.255 00000000.00000000.11111111.11111111 Just the first 16 bits must match.
0.255.255.255 00000000.11111111.11111111.11111111 Just the first 8 bits must match.
255.255.255.255 11111111.11111111.11111111.11111111 Automatically considered to match any and all addresses.
0.0.15.255 00000000.00000000.00001111.11111111 Just the first 20 bits must match.
0.0.3.255 00000000.00000000.00000011.11111111 Just the first 22 bits must match.
Figure out Wildcard masks
• Use the subnet number as the address value in the access-list command.
• Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
• Example-To match all hosts in subnet 172.16.8.0 255.255.252.0
Pg 237
Any Questions?
ACL Command
• Step 1 Use the address in the access-list command as if it were a subnet number.
• Step 2 Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
• Step 3 Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.– Access-list 1 permit 172.16.200.0 0.0.7.255
Pg 237-238
Standard ACL configuration
• Memorize syntax (it is not easy)– access-list access-list-number {deny |
permit} source [source-wildcard]
• Think about which is the source machine!
• Don’t forget the deny all at the end– default
Pg 238
ACL LogicStep 1 Plan the location (router and interface) and direction (in or out)
on that interface:a. Standard ACLs should be placed near to the destination of the packets
so that it does not unintentionally discard packets that should not be discarded.
b. Because standard ACLs can only match a packet’s source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
Step 2 Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:a. The list is searched sequentially, using first-match logic. In other words,
when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
Step 3 Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
Pg 239
ACL Example– interface Ethernet0
– ip address 172.16.1.1 255.255.255.0
– ip access-group 1 out
– !
– access-list 1 remark stop all traffic whose source IP is Bob
– access-list 1 deny 172.16.3.10 0.0.0.0
– access-list 1 permit 0.0.0.0 255.255.255.255
• Created access-list by adding statement• Add access-list to interface in or out
Pg 240
Example
Pg 242
Yosemite configinterface serial 0ip access-group 3 out!access-list 3 deny host 10.1.2.1access-list 3 permit any
Seville Configurationinterface serial 1ip access-group 4 out!access-list 4 deny 10.1.3.0 0.0.0.255access-list 4 permit any
Any Questions?
Extended ACL concepts
Pg 244
Extended IP ACLS
• Can match on more fields
Pg 245
Type of Access List What Can Be Matched
Both standard andextended ACLs
Source IP address Portions of the source IP address using a wildcard mask
Only extended ACLs Destination IP address Portions of the destination IP address using a wildcard
mask Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others) Source port Destination port All TCP flows except the first IP TOS IP precedence
Examples
Pg 246
ACLS and Port numbers• The access-list command must use protocol keyword tcp to be
able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers.
• The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines if the parameter examines the source or destination port.
• Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.
• It is useful to memorize the most popular TCP and UDP applications, and their wellknown ports, as listed in Table 6-5, as shown later in this chapter.
Pg 246
ACLs in Use
• Connecting to a server– Think about addressing and traffic flow
access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
– Notice location of eq
Pg 247
ACL in use
• Connection from server• access-list 101 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255
– Notice location of eq
Pg 248
Extended ACL commands
Pg 249
Command Configuration Mode andDescription
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] estination destination-wildcard [operator [port]] [established] [log]
A version of the access-list command with TCPspecific parameters.
Extended ACL hints
• Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. So filtering close to the source of the packets saves some bandwidth.
• All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
• The extended access-list command uses numbers between 100–199 and 2000–2699, with no number being inherently better than another.
Pg 249
Extended ACL Operators
Pg 250
Operator in the access-list Command
Meaning
Eq Equal to
Neq Not equal to
Lt Less than
Gt Greater than
Range Range of port numbers
Extended ACL example
Pg 250
interface Serial0ip address 172.16.12.1 255.255.255.0ip access-group 101 in!interface Serial1ip address 172.16.13.1 255.255.255.0ip access-group 101 in!access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 webaccess-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftpaccess-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq wwwaccess-list 101 permit ip any any
Any Questions?
Advanced ACL management
• Named ACL an ACL Sequence numbers– No new filtering features– Management simplified
Pg 253
Named ACLs
• New in 11.2
• Use names instead of numbers– Easier for us to remember
• Allow deletion of a single line if there is a mistake– With traditional ACL config, you have to start
over• This feature possible on regular ACLS since 12.3
Pg 253
Configuration Changes
• Global command enters a sub-command structure– Router(config)#ip access-list extended barney– Router(config-ext-nacl)#permit tcp host
10.1.1.2 eq www any
• When a match statement is deleted, only that line is deleted
Pg 254
Configuration• Enter configuration commands, one per line. End with Ctrl-Z.• Router(config)#ip access-list extended barney• Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any• Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255• Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255• ! The next statement is purposefully wrong so that the process of changing• ! the list can be seen.• Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255• Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2• Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2• Router(config-ext-nacl)#permit ip any any• Router(config-ext-nacl)#interface serial1• Router(config-if)#ip access-group barney out• Router(config-if)#^Z• Router#show running-config• Building configuration...
Pg 254
Named ACL in Running config• interface serial 1• ip access-group barney out• !• ip access-list extended barney• permit tcp host 10.1.1.2 eq www any• deny udp host 10.1.1.1 10.1.2.0 0.0.0.255• deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255• deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255• deny ip host 10.1.1.130 host 10.1.3.2• deny ip host 10.1.1.28 host 10.1.3.2• permit ip any any• Router#conf t
Pg 254
Removing a statement• Router(config)#ip access-list extended barney• Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255
10.2.3.0 0.0.0.255• Router(config-ext-nacl)#^Z• Router#show access-list• Extended IP access list barney• 10 permit tcp host 10.1.1.2 eq www any• 20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255• 30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255• 50 deny ip host 10.1.1.130 host 10.1.3.2• 60 deny ip host 10.1.1.28 host 10.1.3.2• 70 permit ip any any
Pg 254
ACLs and Sequence Numbers
• An individual ACL permit or deny statement can be deleted just by referencing the sequence number, without deleting the rest of the ACL.
• Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL.
• Newly added permit and deny commands can be configured without a sequence number, with IOS creating a sequence number and placing the command at the end of the ACL.
Pg 256
ACL Sequence Number example! Step 1: The 3-line Standard Numbered IP ACL is configured.
R1#configure terminalEnter configuration commands, one per line. End with Ctrl-Z.R1(config)#ip access-list standard 24R1(config-std-nacl)#permit 10.1.1.0 0.0.0.255R1(config-std-nacl)#permit 10.1.2.0 0.0.0.255R1(config-std-nacl)#permit 10.1.3.0 0.0.0.255
! Step 2: Displaying the ACL’s contents, without leaving configuration mode.
R1(config-std-nacl)#do show ip access-list 24Standard IP access list 2410 permit 10.1.1.0, wildcard bits 0.0.0.25520 permit 10.1.2.0, wildcard bits 0.0.0.25530 permit 10.1.3.0, wildcard bits 0.0.0.255
Pg 257
Sequenced ACL management! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is
deleted.R1(config-std-nacl)#no 20
! Step 4: Displaying the ACL’s contents again, without leaving configuration mode.! Note that line number 20 is no longer listed.
R1(config-std-nacl)#do show ip access-list 24Standard IP access list 2410 permit 10.1.1.0, wildcard bits 0.0.0.25530 permit 10.1.3.0, wildcard bits 0.0.0.255! Step 5: Inserting a new first line in the ACL.
R1(config-std-nacl)#5 deny 10.1.1.1! Step 6: Displaying the ACL’s contents one last time, with the new statement
(sequence! number 5) listed first.
R1(config-std-nacl)#do show ip access-list 24Standard IP access list 2435 deny 10.1.1.110 permit 10.1.1.0, wildcard bits 0.0.0.25530 permit 10.1.3.0, wildcard bits 0.0.0.255 Pg 257
Misc ACL Topics
• Control Telnet and SSH with ACL– Assign an ACL to the vty lines
line vty 0 4
login
password cisco
access-class 3 in
!
! Next command is a global command
access-list 3 permit 10.1.1.0 0.0.0.255
Pg 259
ACL considerations• Create your ACLs using a text editor outside the router,
and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.)
• Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
• Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
• Place more-specific statements early in the ACL.• Disable an ACL from its interface (using the no ip
access-group command) before making changes to the ACL.
Pg 260
Any Questions?
Reflexive ACLS
• Allow an ACL to add statements when a communication session is started
Pg 263
Dynamic ACLS
• Force authentication and then dyanmically change the ACL
• Step 1 The user connects to the router using Telnet.• Step 2 The user supplies a username/password, which
the router compares to a list, authenticating the user.• Step 3 After authentication, the router dynamically adds
an entry to the beginning of the ACL, permitting traffic sourced by the authenticated host.
• Step 4 Packets sent by the permitted host go through the router to the server.
Pg 264
Time Based
• ACL only works during certain times of day
Pg 264
Any Questions?