Lesson 8_Access Control Lists


Transcript of Lesson 8_Access Control Lists

  • 7/27/2019 Lesson 8_Access Control Lists

    1/29

  • 2/29

    Limit network traffic to where we define, and increase network performance

    Provide a basic level of security for network access

    Decide which types of traffic are forwarded or blocked at router interfaces

  • 3/29

    A router can read packets

    Packets contain much data

    We can choose to act upon this data

    This permits us to allow or deny whichever part of this data we wish

    ACLs implement this policy


  • 5/29

    Standard

    Extended

  • 6/29

    Standard ACLs use only the packet's source address for comparison.

    Numbered 1-99

  • 7/29

    Extended ACLs provide more precise (finer tuned) packet selection based on:

    Source and destination addresses

    Protocols

    Port numbers

    Numbered 100-199

  • 8/29

    IOS tests the packet against each condition statement in the order in which the statements were created.

    Note: after a match is found, no more condition statements are checked. If you create a condition statement that permits all traffic, no statements added later will ever be checked.

    If none of the ACL statements match, an implicit "deny any" statement is imposed.

  • 9/29

    Create the ACL in global config

    Assign it to an interface

    Decide the direction: In or Out

  • 10/29

    If the source IP address is matched, the permit or deny statement is processed:

    Permit: the action in the ACL is performed

    Deny: the packet is dropped

    Implicit deny: if a packet's address does not match an earlier statement, an implicit "deny any" occurs at the end of every ACL and the packet is dropped.

  • 11/29

    The wildcard mask identifies a host or a range of addresses.

    It is the binary inversion of the subnet mask: for example, in a class C address range we use the subnet mask 255.255.255.0; to specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s).

  • 12/29

    access-list access-list-number {permit|deny} source-ip-address wildcard-mask [log]

    log causes each packet that matches this statement to generate a log entry that is recorded by the router.

  • 13/29

    To permit all packets for the network number 172.16.0.0:

    access-list 20 permit 172.16.0.0 0.0.255.255

  • 14/29

    To permit traffic from the host 172.16.1.1 only:

    access-list 20 permit 172.16.1.1 0.0.0.0

  • 15/29

    To permit traffic from any source address:

    access-list 20 permit 0.0.0.0 255.255.255.255

    OR

    access-list 20 permit any

  • 16/29

    To permit traffic from the subnets 12.16.0.0 through 12.31.0.0:

    access-list 20 permit 12.16.0.0 0.15.255.255

  • 17/29

    Equivalent forms:

    access-list 22 permit 0.0.0.0 255.255.255.255

    access-list 22 permit any

  • 18/29

    Equivalent forms:

    access-list 23 permit 172.16.1.1 0.0.0.0

    access-list 23 permit host 172.16.1.1
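Added example, not from the slides: a small Python model of the standard-ACL behaviour described on slides 8, 10, 11 and 13-18. ACL entries are written here as (action, base address, wildcard mask) triples rather than IOS command text; ACL_20 is constructed from the slides' own addresses, and shadowed() is an assumed helper for this example, not an IOS feature.

```python
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def wildcard_from_mask(subnet_mask: str) -> str:
    """Slide 11: the wildcard mask is the bitwise inversion of the subnet mask."""
    return to_str(~to_int(subnet_mask))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal the base address; a 1 bit is ignored."""
    return (to_int(addr) ^ to_int(base)) & ~to_int(wildcard) == 0

def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address a base/wildcard pair matches (slide 16)."""
    low = to_int(base) & ~to_int(wildcard)
    return to_str(low), to_str(low | to_int(wildcard))

def evaluate(acl, source_ip: str) -> str:
    """Slides 8 and 10: statements are tested in order, the first match decides,
    and a packet that matches nothing hits the implicit 'deny any' at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(source_ip, base, wildcard):
            return action
    return "deny"

def shadowed(acl) -> list:
    """Assumed helper (not an IOS command): indexes of statements that can never be
    reached because an earlier statement already covers every address they match."""
    dead = []
    for i, (_, base, wc) in enumerate(acl):
        for _, prev_base, prev_wc in acl[:i]:
            if ((to_int(prev_wc) | to_int(wc)) == to_int(prev_wc)
                    and wildcard_match(base, prev_base, prev_wc)):
                dead.append(i)
                break
    return dead

# Constructed standard ACL built from the address/wildcard pairs on slides 13-18.
ACL_20 = [
    ("permit", "172.16.0.0", "0.0.255.255"),
    ("permit", "12.16.0.0", "0.15.255.255"),
    ("deny", "172.16.1.1", "0.0.0.0"),         # 'host 172.16.1.1': shadowed by entry 0
    ("permit", "0.0.0.0", "255.255.255.255"),  # same as 'permit any'
    ("deny", "10.1.1.0", "0.0.0.255"),         # never reached after 'permit any'
]
```

Running shadowed(ACL_20) reports entries 2 and 4 as unreachable, which is the slide 8 warning made concrete: the host deny sits inside the 172.16.0.0 range permitted earlier, and nothing after a "permit any" is ever consulted.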

  • 19/29

    All conditions must match.

    Test sequence, in this order:

    Source address

    Destination address

    Protocol

    Port number or protocol options

    Permit or deny decision

  • 20/29

    access-list number {permit|deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number [log]


  • 22/29

    access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

    This command is used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network. All packets with a source address not in this range will be rejected.

    access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

    access-list 102 deny ip any any

    These commands are used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network; all packets with a source address not in this range will be rejected, here by an explicit deny statement.

  • 23/29

    access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

    This command is used to permit Telnet traffic from machine 10.1.1.2 to machine 172.16.1.1.

    access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

    This command is used to permit TCP traffic from host machine 10.1.1.2 to host machine 172.16.1.1.

  • 24/29

    access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

    This command is used to permit UDP traffic from host machine 10.1.1.2 to host machine 172.16.1.1.

    access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

    This command is used to permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network.

  • 25/29

    Service      Port
    FTP          21
    Telnet       23
    SMTP         25
    DNS          53
    TFTP         69
    WWW, HTML    80
    POP3         110
    SNMP         161
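Added example, not from the slides: a Python parser and evaluator for the extended-ACL syntax on slide 20, testing the fields in the order slide 19 gives and resolving the named ports from slide 25. ACL_101 and ACL_102 are constructed from the statements on slides 22 and 23; packets are represented as dicts with src, dst, protocol and dport keys, which is an assumption of this example.

```python
import ipaddress

# Port numbers from slide 25, keyed by the keyword IOS accepts after "eq"
# ("domain" is DNS and "www" is HTTP in IOS syntax).
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
         "tftp": 69, "www": 80, "pop3": 110, "snmp": 161}

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard mask are ignored; all other bits must match."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return (to_int(addr) ^ to_int(base)) & ~to_int(wildcard) == 0

def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (spec, rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_extended(line):
    """access-list N {permit|deny} protocol src src-wc dst dst-wc [eq port] [log]"""
    t = line.lower().split()
    src, rest = take_address(t[4:])
    dst, rest = take_address(rest)
    port = None
    if rest[:1] == ["eq"]:                        # named or numeric port
        port = PORTS.get(rest[1]) or int(rest[1])
    return {"action": t[2], "protocol": t[3], "src": src, "dst": dst, "port": port}

def entry_matches(e, pkt):
    """Slide 19: test source, destination, protocol, then port; all must match."""
    return (wildcard_match(pkt["src"], *e["src"])
            and wildcard_match(pkt["dst"], *e["dst"])
            and e["protocol"] in ("ip", pkt["protocol"])
            and (e["port"] is None or e["port"] == pkt.get("dport")))

def evaluate(acl_lines, pkt):
    """First match wins; no match means the implicit deny at the end of the ACL."""
    for entry in map(parse_extended, acl_lines):
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"

# Constructed ACLs using the statements on slides 22 and 23.
ACL_101 = ["access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet",
           "access-list 101 deny ip any any"]
ACL_102 = ["access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
           "access-list 102 deny ip any any"]
```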

  • 26/29

    Standard ACL: uses only the source address and requires fewer CPU cycles. Place as close to the destination as possible.

    Extended ACL: more flexible and requires more CPU cycles. Place as close to the source as possible. (This keeps undesired traffic and ICMP messages away from the network backbone.)

  • 27/29

    Imagine you are standing INSIDE the router.

    The direction of the ACL for an interface (in or out) is the same as our perspective standing INSIDE the router.

  • 28/29

    In: requires less CPU processing, because the packet is filtered before it is routed; the filtering decision is made prior to the routing table lookup.

  • 29/29

    Out: the routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list. ACLs are outbound unless otherwise specified.