2-ch11_aclintro
-
7/29/2019 2-ch11_ACLintro
1/34
CISCO NETWORKING ACADEMY
Chabot College
ELEC 99.08
Access Control Lists - Introduction
-
ACL Topics
Function of ACLs
ACL Types & Syntax
Wildcard Bitmasks
Placement of ACLs
Commands
-
Typical Functions
Security
Firewalling
-
Types
Standard
Extended
-
Standard ACLs
Use rules based only on the packet's source address.
Numbered 1-99
-
Extended ACLs
Provide more precise (finer tuned)
packet selection based on:
Source and destination addresses
Protocols
Port numbers
Numbered 100-199
-
Steps to Configure ACLs
1) Create the ACL (global config mode).
The list may contain many rules, each on one line.
The list is identified by a number or name.
2) Apply it to an interface (interface config mode).
-
How do ACLs work?
Processing occurs line by line from the top to the bottom of the list.
Each line tests a packet for a match. If there is a match, that line's permit or deny rule is applied.
When a match occurs, no further rules are checked.
The invisible last line of every ACL is an implicit deny any.
-
How do ACLs work?
ACL example:
oak#sh ru
...
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 10 deny any      (implicit: never shown in the configuration)
...
-
How does a Standard ACL work?
Permits or denies if the source IP address is matched:
Permit: the packet is allowed.
Deny: the packet is dropped.
Implicit Deny: if a packet's address does not match an earlier statement, the implicit deny any at the end of every ACL matches it and the packet is dropped.
-
Wildcard Masks
Are used to specify (bit by bit) the part of the IP address to be matched.
Looks like a subnet mask, but it is not!
Example:
172.16.0.0 0.0.255.255
(172.16.0.0 is the network address to be matched; 0.0.255.255 is the wildcard bitmask)
-
Wildcard Masks
Specify the part of the IP address to be matched.
Use 0s to match, 1s to ignore. (The reverse of subnet masks!)
In the example below, only the first 2 octets (172.16) will be examined for a match:
172.16.0.0 0.0.255.255
(172.16.0.0 is the part of the address to match; 0.0.255.255 is the wildcard bitmask)
-
Wildcard Masks
Address:        172        16         0          0
                10101100   00010000   00000000   00000000
Wildcard mask:  0          0          255        255
                00000000   00000000   11111111   11111111
                check for  check for  ignore     ignore
                a match    a match
172.16.0.0 0.0.255.255   (address to match, wildcard bitmask)
-
Wildcard Masks
In this example, which octets will be
examined for a match?
172.16.5.0 0.0.0.255
-
Wildcard Masks
In this example, which octets will be
examined for a match?
172.16.5.0 0.0.0.255
The first 3 (172.16.5):
172.16.5.0 0.0.0.255
(172.16.5 is the part of the address to match; only the last octet is ignored)
-
Wildcard Masks
In this example, which octets will be
examined for a match?
172.16.5.2 0.0.0.0
-
Wildcard Masks
In this example, which octets will be
examined for a match?
172.16.5.2 0.0.0.0
All 4 octets:
172.16.5.2 0.0.0.0
Match the entire address (permit or deny this specific host).
-
Wildcard Masks
In Cisco 2, we will work only with wildcard bitmasks that are 0 or 255 for an entire octet.
In Cisco 3, you'll work with masks where the change from 0 to 1 does not fall on an octet boundary, e.g. 0.0.15.255.
-
Keyword: any
Identical statements
access-list 22 permit 0.0.0.0 255.255.255.255
access-list 22 permit any
-
Keyword: host
Identical statements
access-list 23 permit 172.16.1.1 0.0.0.0
access-list 23 permit host 172.16.1.1
-
Standard IP ACL command
access-list ACL-number {permit | deny} source-ip-address wildcard-mask
ACL number: 1-99
Global Config mode
-
Standard ACL Example
To permit all packets from the network
number 172.16.0.0
access-list 20 permit 172.16.0.0 0.0.255.255
-
Standard ACL Example
To permit traffic from the host
172.16.1.1 only
access-list 20 permit 172.16.1.1 0.0.0.0
OR
access-list 20 permit host 172.16.1.1
-
Standard ACL Example
To permit traffic from any source address.
access-list 20 permit 0.0.0.0 255.255.255.255
OR
access-list 20 permit any
-
How does an Extended ACL work?
Permits or denies if all conditions match:
Source Address
Destination Address
Protocol
Port No. or Protocol Options
-
Extended IP ACL command
access-list ACL-number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number
ACL number: 100-199
Global Config mode
-
Extended ACL Example
To permit traffic from the network 192.168.1.0 to
the host 192.168.3.10 only on telnet:
access-list 101 permit tcp 192.168.1.0 0.0.0.255
192.168.3.10 0.0.0.0 eq telnet
More about extended ACLs later...
-
Major differences
Standard ACL
Uses only the source address.
Requires fewer CPU cycles.
Place as close to the destination as possible (because it can only check the source address).
Extended ACL
Uses source, destination, protocol and port.
Requires more CPU cycles.
Place as close to the source as possible (this stops undesired traffic early).
-
Command to apply IP ACL
ip access-group ACL-number {in | out}
Interface Config mode
The group of rules in the list is applied to the interface being configured.
Use in and out as if looking at the interface from inside the router.
-
Do I place an ACL in?
In
Coming into the router.
Requires less CPU processing, because a packet that is denied is dropped before it is routed.
The filtering decision is made before the routing table lookup.
-
Do I place an ACL out?
Out
Going out of the router.
The routing decision has been made and the packet is switched to the proper outbound interface before it is tested against the access list.
ACLs are outbound unless otherwise specified.
-
ACL Configuration Example
oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255
oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^Z
Topology figure: routers fre, hay and oak linked by serial interfaces (S0, S1); each router has an Ethernet interface E0 on one of the LANs 192.168.1.0, 192.168.2.0 and 192.168.3.0, with hosts 192.168.1.10, 192.168.2.10 and 192.168.3.10.
What will this list do?
-
ACL Configuration Example
oak(config)#access-list 10 permit any
oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0
oak(config)#int e0
oak(config-if)#ip access-group 10 out
oak(config-if)#^Z
Topology figure: routers fre, hay and oak linked by serial interfaces (S0, S1); each router has an Ethernet interface E0 on one of the LANs 192.168.1.0, 192.168.2.0 and 192.168.3.0, with hosts 192.168.1.10, 192.168.2.10 and 192.168.3.10.
What's the problem here?
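The wildcard-mask matching, the top-to-bottom first-match evaluation with the implicit deny any, and the two access-list 10 configurations above, worked through as an added example that is not from the slides. It assumes Python 3; the function names are my own, and the shadow check generalises the ordering problem of the second list to any pair of standard ACL rules.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a Cisco wildcard mask:
    a 0 bit in the mask must match, a 1 bit is ignored."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF     # bits the ACL actually checks
    return (_to_int(addr) & care) == (_to_int(network) & care)

def parse_standard_acl(config_lines):
    """Parse 'access-list N {permit|deny} <source>' lines into
    (action, network, wildcard) tuples, expanding 'any' and 'host'."""
    rules = []
    for line in config_lines:
        parts = line.split("#")[-1].split()   # drop an IOS prompt if present
        if len(parts) < 4 or parts[0] != "access-list":
            continue                          # skip anything that is not a rule
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            network, wildcard = src[1], "0.0.0.0"
        else:                                 # explicit address [wildcard]
            network, wildcard = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        rules.append((action, network, wildcard))
    return rules

def evaluate_standard_acl(rules, src_addr):
    """Top-to-bottom, first match wins. Returns (action, rule index);
    index None means the invisible trailing 'deny any' decided."""
    for i, (action, network, wildcard) in enumerate(rules):
        if wildcard_match(src_addr, network, wildcard):
            return action, i
    return "deny", None

def shadowed_rules(rules):
    """Indexes of rules that can never fire: an earlier rule checks only a
    subset of their bits and agrees with them on every bit it checks."""
    shadowed = []
    for j, (_, net_j, wc_j) in enumerate(rules):
        care_j = _to_int(wc_j) ^ 0xFFFFFFFF
        for _, net_i, wc_i in rules[:j]:
            care_i = _to_int(wc_i) ^ 0xFFFFFFFF
            if ((care_i & (care_j ^ 0xFFFFFFFF)) == 0
                    and (_to_int(net_i) & care_i) == (_to_int(net_j) & care_i)):
                shadowed.append(j)
                break
    return shadowed
```

Run shadowed_rules over the second list and it reports the deny line as unreachable: permit any matches every packet first, so host 192.168.2.10 is never blocked.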
-
Commands to show ACLs
show access-lists
Privileged exec mode
Displays the ACLs on the router.
show ip interface
Privileged exec mode
Shows which ACLs are set on that interface.