Chapter 10
Managing Traffic with Access Lists
Objectives
On completion of this chapter, you will be able to perform the following tasks:
- Describe the differences between standard and extended ACLs
- Explain the rules for placement of ACLs
- Create and apply named ACLs
- Use ACLs to restrict virtual terminal access
What are ACLs
ACLs are lists of conditions that are applied to traffic travelling across a router's interface. These lists tell the router which packets to accept and which to deny, based on the specified conditions. ACLs can be created for any routed network protocol, such as IP or IPX, to filter that protocol's packets.
ACLs can be configured at the router to control access to a network or subnet.
ACLs check the packet and header
How ACLs control traffic flow
(Figure: an inbound and an outbound list on the interface for each routed protocol, such as IP, IPX and AppleTalk)
One list, per port, per direction, per protocol
The primary reasons to create ACLs
- Limit network traffic and increase network performance.
- Provide a basic level of security for network access.
- Decide which types of traffic are forwarded or blocked at the router interfaces.
- Allow an administrator to control what areas a client can access on a network.
- Screen certain hosts to either allow or deny access to part of a network.
How ACLs work: order of ACL statements
ACL and routing process in a router
(Flowchart: inbound packet -> Layer 2 address match? -> ACLs on the inbound interface? If not, the packet is routed to the outbound interface; if so, the statement list is checked for a match: no match -> default deny; match -> permit packet? Yes -> route packet to the outbound interface, otherwise the packet is denied. On the outbound interface the same test is repeated: ACLs on the interface? Statement list match? Permit packet? Yes -> send to the device, otherwise default deny.)
Creating ACLs: Step 1
Router (config)#
access-list access-list-number {permit | deny} {test-conditions}
Defines an ACL. To delete an ACL, use: no access-list access-list-number

ACL command         Description
access-list         defines an access list
access-list-number  protocol-dependent ACL number
permit              defines a statement to allow traffic
deny                defines a statement to disallow traffic
test-conditions     ACL test conditions
ACL numbers
Creating ACLs: Step 2
Router (config-if)#
{protocol} access-group access-list-number {in | out}
Applies the access list to an interface

ACL command         Description
protocol            the protocol specified for the interface
access-group        any packets that pass the ACL test conditions can be permitted to use any interface in the access group of interfaces
access-list-number  the ACL identified by this number is associated with this interface
in/out              direction of the ACL
These basic rules should be followed
- One access list per protocol per direction.
- Standard access lists should be applied closest to the destination.
- Extended access lists should be applied closest to the source.
- Use the inbound or outbound interface reference as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
- There is an implicit deny at the end of all access lists.
- New lines are always added to the end of the access list.
- A no access-list x command will remove the whole list.
- It is not possible to selectively add and remove lines with numbered ACLs.
- Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
Wildcard Mask
The function of a wildcard mask
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means "check the corresponding bit value". A wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value".
Subnet mask and wildcard mask
Range of hosts   Subnet mask (bit 1: check, bit 0: ignore)   Wildcard mask (bit 1: ignore, bit 0: check)
2                11111110 = 254                              00000001 = 1
4                11111100 = 252                              00000011 = 3
8                11111000 = 248                              00000111 = 7
16               11110000 = 240                              00001111 = 15
32               11100000 = 224                              00011111 = 31
64               11000000 = 192                              00111111 = 63
128              10000000 = 128                              01111111 = 127
256              00000000 = 0                                11111111 = 255
Common Wildcard mask
Range of hosts   Network / subnet mask             Network / wildcard mask
2                192.168.1.2    255.255.255.254    192.168.1.2    0.0.0.1
4                192.168.1.8    255.255.255.252    192.168.1.8    0.0.0.3
8                192.168.1.16   255.255.255.248    192.168.1.16   0.0.0.7
16               192.168.1.16   255.255.255.240    192.168.1.16   0.0.0.15
32               192.168.1.0    255.255.255.224    192.168.1.0    0.0.0.31
64               192.168.1.128  255.255.255.192    192.168.1.128  0.0.0.63
128              192.168.1.0    255.255.255.128    192.168.1.0    0.0.0.127
256              192.168.1.0    255.255.255.0      192.168.1.0    0.0.0.255
Wildcard any
Any = 0.0.0.0 255.255.255.255
Wildcard host
Host 172.30.16.29 = 172.30.16.29 0.0.0.0
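The wildcard-mask rules above, worked through in Python as an added example that is not part of the chapter: deriving the wildcard mask from a subnet mask, testing an address against an entry, and the `any` and `host` shorthands written out the long way. Because `matches` applies the rule bit by bit, it also handles non-contiguous wildcards that the chapter's table does not cover; all addresses are constructed values.

```python
# Added example (not from the chapter): deriving and applying Cisco-style wildcard masks.
import ipaddress

def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(_ip(subnet_mask) ^ 0xFFFFFFFF))

def matches(address: str, reference: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check that bit of the address, bit 1 = ignore it."""
    care = _ip(wildcard) ^ 0xFFFFFFFF        # bits that must agree with the reference
    return (_ip(address) & care) == (_ip(reference) & care)

def addresses_covered(wildcard: str) -> int:
    """Each ignored bit doubles the number of addresses an entry covers."""
    return 1 << bin(_ip(wildcard)).count("1")

def covered_range(reference: str, wildcard: str):
    """First and last address covered; meaningful for contiguous wildcards like the table's."""
    care = _ip(wildcard) ^ 0xFFFFFFFF
    first = _ip(reference) & care
    last = first | _ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

# The chapter's shorthands: 'any' ignores every bit, 'host' checks every bit.
ANY = ("0.0.0.0", "255.255.255.255")
def host(address: str):
    return (address, "0.0.0.0")

if __name__ == "__main__":
    # Reproduce the "common wildcard mask" table from the subnet masks alone.
    for mask in ("255.255.255.254", "255.255.255.252", "255.255.255.248", "255.255.255.240",
                 "255.255.255.224", "255.255.255.192", "255.255.255.128", "255.255.255.0"):
        wc = wildcard_from_subnet_mask(mask)
        print(mask, "->", wc, "covers", addresses_covered(wc), "addresses")
    print(matches("172.30.16.30", *host("172.30.16.29")))   # host mask: every bit checked
    print(matches("10.9.8.7", *ANY))                         # any: every bit ignored
```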
Verifying ACLs: show ip interface
Verifying ACLs: show access-lists
Verifying ACLs: show running-config
STANDARD ACLs
Standard ACLs: Overview
How does a standard ACL work?
(Flowchart: Is this an IP packet? Is there a standard access list on this interface? If not, the list is skipped. Otherwise: does the source address match the ACL list entry? Yes -> apply the permit or deny condition: permit -> route the packet to the proper outbound interface; deny -> send a "destination not found" message. No -> is this the last entry in the ACL? No -> move to the next statement; yes -> send a "destination not found" message.)
Standard ACL commands
Router (config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router (config-if)# ip access-group access-list-number { in | out }
Access list number: 1 to 99
Commands:
Router# show access-lists
Standard IP Access List Example 1
Permit my network only.
Standard IP Access List Example 2
Deny a specific host.
Standard IP Access List Example 3
Deny a specific subnet.
EXTENDED ACLs
Extended ACLs: Overview
How does an extended ACL work?
(Flowchart: Is there an ACL on this interface? If not, the list is skipped. Otherwise: does the source address match the ACL list entry? Does the destination address match? Do the protocol and port match? All yes -> apply the permit or deny condition: permit -> route the packet to the proper outbound interface; deny -> send a "destination not found" message. Any no -> is this the last entry in the ACL? No -> move to the next statement; yes -> send a "destination not found" message.)
Extended ACL commands
Router (config)# access-list access-list-number {permit | deny} protocol source [source-mask destination destination-mask operator operand] [established]
Router (config-if)# ip access-group access-list-number { in | out }
Access list number: 100 to 199
Commands:
Router# show access-lists
Reserved port numbers
Extended Access List Example 1
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0. Permit all other traffic.
Extended Access List Example 2
Deny only Telnet from subnet 172.16.4.0 out of E0. Permit all other traffic.
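The three standard examples (permit my network only, deny a specific host, deny a specific subnet) and the two extended examples, worked through as an added example that is not the chapter's own code: a small parser for numbered access-list statements plus an evaluator that applies the chapter's rules (top-down, first match wins, implicit deny at the end, standard lists test only the source). The list contents and packet addresses are constructed, since the slides describe the examples only in words; the parser covers `any`, `host`, a bare or wildcarded address and an `eq` port, not the `log` or `established` keywords.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _ip(a: str) -> int: return int(ipaddress.IPv4Address(a))
def _hit(addr: str, spec: Tuple[int, int]) -> bool: return (_ip(addr) & spec[1]) == (spec[0] & spec[1])

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (reference, care bits, next index)."""
    if t[i] == "any":
        return 0, 0, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0xFFFFFFFF, i + 2
    return _ip(t[i]), _ip(t[i + 1]) ^ 0xFFFFFFFF, i + 2   # care bits = inverted wildcard

@dataclass
class Entry:
    action: str              # 'permit' or 'deny'
    protocol: str            # 'ip' for a standard (source-only) entry
    src: Tuple[int, int]     # (reference address, care bits)
    dst: Tuple[int, int]
    port: Optional[int]      # destination port given after 'eq', if any

def parse_entry(line: str) -> Entry:
    """Parse one numbered access-list statement: 1-99 standard, 100-199 extended."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        if len(t) == 4:                       # bare source: IOS assumes wildcard 0.0.0.0
            t.append("0.0.0.0")
        ref, care, _ = _parse_addr(t, 3)
        return Entry(action, "ip", (ref, care), (0, 0), None)
    ref, care, i = _parse_addr(t, 4)
    dref, dcare, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, t[3], (ref, care), (dref, dcare), port)

def evaluate(entries: List[Entry], src: str, dst: str,
             protocol: str = "ip", dport: Optional[int] = None) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in entries:
        if (e.protocol in ("ip", protocol) and _hit(src, e.src) and _hit(dst, e.dst)
                and (e.port is None or e.port == dport)):
            return e.action
    return "deny"

# Constructed list for the chapter's extended example 1: deny FTP (tcp/21) from
# 172.16.4.0/24 to 172.16.3.0/24 and permit all other traffic.
FTP_FILTER = [parse_entry(s) for s in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 permit ip any any")]
```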
Named ACLs: Overview
Intuitively identify an ACL using an alphanumeric name. Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
Considerations:
- IP named ACLs were introduced in Cisco IOS Software Release 11.2.
- Statements can only be inserted at the end of a list.
- You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.
Named ACL commands
Router (config)#
ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)#
deny {source [source-wildcard] | any} permit {source [source-wildcard] | any}
Router(config-if)#
ip access-group name {in | out}
Router#
show access-lists
Named ACL examples
Basic Security: Cisco Router with Access Lists
Filtering vty Access to a Router
Five virtual terminal lines (0 through 4).
Filter the addresses that can access the router's vty ports.
Filter vty access out from the router.
How to Control vty Access
Set up an IP address filter with a standard access list statement.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty.
vty Commands
Router(config)#line vty {vty# | vty-range}
Enters configuration mode for a vty or vty range
Router(config-line)#access-class access-list-number {in | out}
Restricts incoming or outgoing vty connections to the addresses in the access list
Restricting virtual terminal access
(Figure: the physical port FastEthernet0/0 and the five virtual ports, VTY 0 to 4)