IP Access Control Lists (ACL) - Information...
Transcript of IP Access Control Lists (ACL) - Information...
1 © 2002, Cisco Systems, Inc. All rights reserved.
IP Access Control Lists (ACL)
© 2002, Cisco Systems, Inc. All rights reserved. 2 2 2
Module Objectives
• Identify the types of IP Access Control Lists.
• Describe typical uses for IP Access Lists.
• Understand Access List-related terms and concepts.
• Given a specific criteria, select the type and placement of Access Lists for best results.
Upon completion, you will be able to:
© 2002, Cisco Systems, Inc. All rights reserved. 3 3 3
What Are IP Access Control Lists?
• A Cisco IOS feature.
• Sequential list of “permit” or “deny” statements, which block or permit routed traffic.
• Used with: Interfaces
VTYs
Routing Protocols
© 2002, Cisco Systems, Inc. All rights reserved. 4 4 4
What Problems do Access Control Lists Solve?
• Block Unwanted Traffic – inbound or outbound
Basic network security
Bandwidth control
Enforce network policy
Control routes sent,
received, and/or
redistributed
• Permit the Good Stuff
– The good side of the list shown above
• Control Access to IOS-based devices
– Block &/or permit VTY (telnet) from certain nodes/networks
– Block &/or permit telnet to other devices (out from a VTY)
Start telnet
Exec
session
on VTY
Attempted
telnet to R2
Telnet from VTY to R2 blocked!
R2
R1
!
© 2002, Cisco Systems, Inc. All rights reserved. 5 5 5
• Identify or classify traffic for advanced features
–Congestion Avoidance
Setting IP Precedence (for Voice or Video)
– Congestion Management
Queuing Types
– Network Address Translation (NAT)
– Dialing (and disconnect) Criteria Voice Traffic
Gets Priority
(delay sensitive)
Data traffic
handles delays better
What Problems do Access Control Lists Solve?
© 2002, Cisco Systems, Inc. All rights reserved. 6 6 6
Types of IP ACLs
Most Common (90%):
• Standard ACLs
• Extended ACLs
Less Common:
• Lock and Key (dynamic ACLs)
• Reflexive ACLs
• Time-based ACLs using time ranges
• Commented IP ACL entries
• Context-based ACL
• Authentication proxy
• Named ACLs
• Turbo ACLs
• Distributed time-based ACLs
© 2002, Cisco Systems, Inc. All rights reserved. 7 7 7
Standard IP ACL Syntax
• Numbered 1 – 99
• Only look at the IP Source Address
• Easiest to Configure
• Good for blocking traffic close to destination
access-list access-list-number {permit|deny} {host | source source-wildcard | any}
Note: You cannot delete lines of a numbered access list. You must first remove the entire access list.
© 2002, Cisco Systems, Inc. All rights reserved. 9 9 9
Applying Access Lists
Interface:
Router (config-if)# ip access-group {access-list-number} {in | out}
© 2002, Cisco Systems, Inc. All rights reserved. 10 10 10
Access List Overview
• Access Lists could be:
Inbound: Check the filter condition before Routing table lookup
Outbound: Checks the filter condition after Routing table lookup
• To Configure Access List, we use Wildcard Masks:
Wildcard is the reverse of subnet mask
Wildcard masks can be discontiguous (subnet masks can’t)
0 bit => must match bits in address
1 bit => don’t care. No need to match.
Address Wildcard Mask Match Condition
0.0.0.0 255.255.255.255 All addresses will match ACL condition
131.54.0.0/16 0.0.255.255 Network 131.54.0.0 is permitted/denied
131.22.5.2/16 0.0.0.0 Only host 131.22.5.2 is permitted/denied
131.111.0.8 0.0.0.7 Only subnet 131.111.0.8/29 is permitted/denied
131.111.8.8 0.0.0.7 Only subnet 131.111.8.8/29 is permitted/denied
131.111.8.16 0.0.0.3 Only subnet 131.111.8.16/30 is permitted/denied
© 2002, Cisco Systems, Inc. All rights reserved. 11 11 11
Wildcard Masks vs. Subnet Masks
• This statement…
• access-list 9 permit 10.1.2.0 0.0.0.255
•
• … uses a wildcard mask, which permits any host in the range of 10.1.2.0 network.
Type: Contiguous
or not?: Zero (0) means…
One (1) means
… Examples:
Wildcard
Not required.
Match, must match address bits. Ignore
access-list 9 permit
10.1.2.0 0.0.0.255
Subnet Yes, must
be. Ignore Match
IP address
10.1.2.0
255.255.255.0
© 2002, Cisco Systems, Inc. All rights reserved. 12 12 12
Extended IP ACL Syntax
access-list access-list-number {permit|deny} protocol {host | source source-wildcard | any} {host | destination destination-wildcard | any} [precedence precedence name or #]
• Numbered 100 – 199
• Looks both the IP source address and destination address
• Checks many IP and upper layer header fields
• Good for blocking traffic anywhere
© 2002, Cisco Systems, Inc. All rights reserved. 14 14 14
Applying Access Lists
Interfaces:
Router (config-if)# ip access-group {access-list-number} {in | out}
EXAMPLE
router(config)#access-list 10 deny 172.16.40.0 0.0.0.255
router(config)#access-list 10 permit any
router(config)#interface fa0/1
Router(config-if)#ip access-group 10 out
© 2002, Cisco Systems, Inc. All rights reserved. 15 15 15
ACL Guidelines
• Use Standard Access lists when filtering near destination:
• Use Extended Access lists when filtering near Source, and/or need to specify protocol, ports, etc.
• Create ACL first, then Apply to interface
• Invest time to plan your ACL…consider CPU of Routers
• Carefully place…consider bandwidth, etc.
• Remember the implicit “deny all” at end of ACL
• No editing or re-ordering of numbered ACLs (other than adding lines at end)
© 2002, Cisco Systems, Inc. All rights reserved. 18 18 18
Which IP Protocols Are Supported?
Router(config)#access-list 111 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Arrows indicate those protocols ACLs are used for most often
21 © 2002, Cisco Systems, Inc. All rights reserved.
Implementing Security with ACLs
© 2002, Cisco Systems, Inc. All rights reserved. 22 22 22
Access Lists Overview
• Used to block or permit only certain traffic
• Standard Access List for IP (1-99) & (1300-1999)
Blocks only Source Addresses
• Extended Access for IP (100-199) & (2000-2699)
Source and Destination Address, ICMP, TCP, UDP, Ports, etc.
• IPX Standard Access List (800-899)
• IPX Extended Access List (900-999)
S1
.5 .6
200.1.1.0/30
S0
200.1.1.4/30 200.1.1.32/28
.9
.1
200.1.1.16/28
.17 E0
S0
E0
200.1.1.8/29 .10
.34
ACME
Company
Network:
200.1.1.0/24
Deny packets from network 192.1.1.0/29 R1
R2
Internet
© 2002, Cisco Systems, Inc. All rights reserved. 23 23 23
Two Basic Steps
• Define the Access Control List, then…
• Apply it to an interface
Router(config)# access-list 8 permit 131.108.7.0 0.0.0.3
Router(config)# access-list 8 permit 131.108.2.0 0.0.0.255
(access-list 8 deny any)
Router(config)# interface s0
Router(config-if)# ip access-group 8 in
© 2002, Cisco Systems, Inc. All rights reserved. 24 24 24
Access List Rules
Access Lists do nothing until applied
Question: How many access-lists could be applied if you had both IP and IPX configured on a single Ethernet interface? ______
• Only one ACL can be applied…
• Per protocol (IP, IPX, etc.)
• Per direction
• Per interface
Four
• ACLs are processed “top-down”
• First match for a given packet used, no further processing (until another packet arrives)
© 2002, Cisco Systems, Inc. All rights reserved. 25 25 25
Creating and Applying ACLs
Things to keep in mind
• Processed “Top Down”
• Implicit “Deny Any” at end
access-list 1 permit 131.108.7.8 0.0.0.7
access-list 1 permit 131.108.2.0 0.0.0.255
(access-list 1 deny any)
interface s0
ip access-group 1 in
R1 .2
s1
.5 .6
200.1.1.4/30 s0
.33
200.1.1.4/30
200.1.1.32/28
.9
Internet .1
200.1.1.16/28
.17
e1
e0
R2 S0
e0
200.1.1.8/29 .10
SOHO Net:
131.108.7.8/29
Branch Office
Network:
131.108.2.0/24
ACME
Company
Network:
200.1.1.0/24
.34
© 2002, Cisco Systems, Inc. All rights reserved. 26 26 26
Exercise: Hacker Attack!
ACME has big problem. A devious hacker has been detected trying to reach the ACME network. He needs to be denied access of any kind.
What type of Access List would you use? Why?
What will you deny? What will you permit?
Where will you place it?
Which Router?
Which interface?
Which direction?
.2
S1
.5 .6
200.1.1.4/30 S0
.33
200.1.1.4/30
200.1.1.32/28 .9
Internet ACME
Company
Network:
200.1.1.0/24
.1
200.1.1.16/28
.17
E1
E0
Hacker PC:
66.66.66.6/32
.1
.6
S0
E0
200.1.1.8/29 .10
R1 R2
© 2002, Cisco Systems, Inc. All rights reserved. 27 27 27
Exercise: No FTP for Them!
Various Internet users are attempting to open FTP sessions with ACME’s Web server. It’s creating too much load on the server. How would you resolve this problem, while still enabling Internet users access only to ACME’s Web service?
What type of Access List would you use? Why?
What will you deny? What will you permit?
Where will you place it?
Which Router?
Which interface?
Which direction?
R1
200.1.1.8/29
.2
S1
.5 .6
200.1.1.8/30
S0
.33
200.1.1.4/30 200.1.1.32/28
.9 ACME
Company
Network:
200.1.1.0/24
.1
200.1.1.16/28
.17 .10
E1
E0
R2 S0
E0
ACME Web &
FTP server
Internet
© 2002, Cisco Systems, Inc. All rights reserved. 28 28 28
Exercise: New Kid on the Job
A Junior network administrator has responsibility for R2, which is considered low-risk if he screws things up. Set up an ACL to allow him (.34) and his manager (.36) telnet access to R2.
What type of Access List would you use? Why?
What will you deny? What will you permit?
What is the least number of lines with which you could do this?
Where will you place it?
Which Router?
Which “interface”?
Which direction?
R1
200.1.1.8/29
.2
S1
.5 .6
200.1.1.0/30
S0
.33
200.1.1.4/30 200.1.1.32/28
.9
Internet
ACME
Company
Network:
200.1.1.0/24
.1
200.1.1.16/28
.34
.17 .10
E1
E0
R2 S0
E0
.36
© 2002, Cisco Systems, Inc. All rights reserved. 29 29 29
Access List Review
• Access Lists could be
Inbound: Checks the filter condition before Routing table lookup
Outbound: Checks the filter condition after Routing table lookup
• To Configure Access List, we use Wildcard Masks
Wildcard is the reverse of Netmask
0 bit => must match bits in address
1 bit => don’t care. No need to match. Address Wildcard Mask Match Condition
0.0.0.0 255.255.255.255 All addresses will match ACL condition
131.54.0.0/16 0.0.255.255 Network 131.54.0.0
131.22.5.2/16 0.0.0.0 Only host 131.22.5.2 is permitted
131.111.8.0 0.0.0.7 Only subnet 131.111.8.0/29 is permitted
131.111.8.8 0.0.0.7 Only subnet 131.111.8.8/29 is permitted
131.111.8.15 0.0.0.3 Only subnet 131.111.8.15/30 is permitted
© 2002, Cisco Systems, Inc. All rights reserved. 30 30 30
Access-List Example Permit Telnet, FTP, to a Specific Host
R2
131.108.7.0/30
.2
s0
.2
.5
131.108.5.0/24
s0
.1
131.108.3.0/30
131.108.2.0/24
.2
131.108.7.0/30
Config:
access-list 101 deny ip 131.108.7.0 0.0.0.3 any
access-list 101 permit tcp host 131.101.2.5 host 131.108.2.5 eq ftp
access-list 101 permit tcp host 131.101.2.5 host 131.108.2.5 eq telnet
Apply:
interface e0
ip access-group 101 out
Internet
ACL Objective for R2:
1. Deny all outbound traffic from network 131.108.7.0/30 from leaving interface Ethernet 0 on R2
2. Allow a specific host on the Internet (131.101.2.5) to have only FTP and Telnet access to an internal server located at 131.108.2.5.
E0
R1 R1
© 2002, Cisco Systems, Inc. All rights reserved. 31 31 31
Monitoring Access Lists
• Show access list
• Show access list 110
• Show ip access list
• Show ip interface
• Show running config
• Show mac access-group
© 2002, Cisco Systems, Inc. All rights reserved. 32 32 32