Semester 3 Chapter 6

ACLs
Overview
• Router can provide basic traffic filtering capability
• Access Control Lists can prevent packets from passing through the interface
– Sequential collection of permit or deny statements
– Can be applied IN or OUT of interface port
– Can apply to addresses or upper-layer protocols
WHAT ARE ACLs?
• List of instructions applied to a router interface
– Tells what kinds of packets to accept
– Tells what kinds of packets to deny
• Two Types – Standard and Extended
– IP Standard uses source address only
– IP Extended uses destination address, upper-layer protocols, port numbers
WHAT ARE ACLs Continued
• Can be created for all routed protocols
• Control access to a network or subnetwork
• Examined by router as packet comes in or goes out a port
• Must be defined on a per-protocol basis
– IPX, IP, AppleTalk
• Would require three access list statements
Why Create ACLs?
• Act as a firewall to provide a level of security
• Prioritize packets based on protocol (queuing)
• Limit network traffic
– Limit information about specific networks from propagating
• Can block traffic at LAN interface
HOW ACLs WORK
• A group of statements that:
– Define entry into or out of an interface
– Relay through the router
• Executed in the order entered into CLI
• Applied as a GROUP against interface
– Specify IN or OUT of interface
• A NO Access-list statement eliminates all with the same number
HOW ACCESS LISTS WORK CONTINUED
• There is an implicit DENY ALL at the end of an Access List
– To PERMIT ALL requires a statement
• Access-List number identifies Routing Protocol and Extended/Standard
• Access-List statements should be tested with trial data to ensure they work as planned
• LOG at the end of a statement will show packets denied
Important Helps
• Since they are executed sequentially in order entered into the Configuration File
• And since all Access-List statements are deleted with one command
• ENTER ACCESS LISTS INTO TEXT EDITOR AND COPY/PASTE TO ROUTER
Flowchart ACL Test Matching Process
• Each packet is compared to access-list statements in sequential order
• When there is a match, the appropriate action is taken
• When there is no match, the next statement in the list is compared to the packet
• All statements are compared against each packet until a match is found
• No match, the implicit DENY ALL will be used
Creating ACLs
• Use GLOBAL configuration mode
• Specify an ACL number (1-99 for IP standard)
• Create in order indicated by flowchart logic
• Select appropriate IP protocol to check
• Group ACL LIST statements to Interface
– Can be assigned to one or more interfaces
– Outbound checking is more efficient than inbound
– Can assign only one IN and one OUT per interface (IP)
ACL Numbers
• 1-99 Standard IP
• 100-199 Extended IP
• 800-899 Standard Novell
• 900-999 Extended Novell
• 1000-1099 Novell SAP
• Appletalk, DecNet, and Xerox are between
Sample ACL Statements
• Access-list 1 deny 142.14.0.0 0.0.255.255
• Access-list 1 permit any
• Access-list 101 deny tcp 142.14.0.0 0.0.255.255 142.15.0.0 0.0.255.255 eq 21
• Access-list 101 permit ip any any
– 0.0.255.255 is a wildcard mask
– TCP is the upper-layer protocol
– 21 is a port number
– Any any means any source and any destination address
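The matching process from the flowchart slide (sequential comparison, first match wins, implicit DENY ALL) can be run against the four sample statements above. The following Python is an added illustration written for this page; it is not Cisco IOS code or output. The statements are the slide's own; the packets, the trailing LOG statement and the one-host list in the usage section are constructed sample values.

```python
"""Sequential first-match evaluation of the slide's standard (ACL 1) and
extended (ACL 101) statements, including the implicit deny-all at the end.
Added illustration for this page, not Cisco IOS code; sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit', a 1 bit means 'ignore it'.
    The address matches when every checked bit equals the statement's address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    check = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & check) == (b & check)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" for standard lists; "tcp"/"udp"/... for extended
    src: str
    src_wc: str
    dst: Optional[str] = None       # None: standard list, destination is not checked
    dst_wc: Optional[str] = None
    dst_port: Optional[int] = None  # "eq <port>" on extended statements
    log: bool = False               # trailing LOG keyword


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def parse(statement: str) -> Entry:
    """Parse 'access-list N ...' in the slide's syntax (1-99 standard, 100-199 extended)."""
    tok = statement.lower().split()
    if tok[0] != "access-list":
        raise ValueError("expected 'access-list'")
    number, action = int(tok[1]), tok[2]
    log = tok[-1] == "log"
    if log:
        tok = tok[:-1]

    def addr(i: int) -> Tuple[str, str, int]:
        # 'any' and 'host X' are shorthand for the equivalent address/wildcard pairs
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if tok[i] == "host":
            return tok[i + 1], "0.0.0.0", i + 2
        if i + 1 < len(tok) and tok[i + 1][0].isdigit():
            return tok[i], tok[i + 1], i + 2
        return tok[i], "0.0.0.0", i + 1  # wildcard omitted: treated as a single host

    if 1 <= number <= 99:
        src, src_wc, _ = addr(3)
        return Entry(action, "ip", src, src_wc, log=log)
    if 100 <= number <= 199:
        src, src_wc, i = addr(4)
        dst, dst_wc, i = addr(i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        return Entry(action, tok[3], src, src_wc, dst, dst_wc, port, log)
    raise ValueError(f"ACL number {number} is not an IP list")


def matches(e: Entry, p: Packet) -> bool:
    """Every field the statement specifies must match; unspecified fields are ignored."""
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if e.dst is not None and not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet, log: Optional[List[str]] = None) -> Tuple[str, Optional[int]]:
    """Compare the packet with each statement in order; the first match decides.
    Returns (action, 1-based statement number); ('deny', None) is the implicit deny-all."""
    for n, e in enumerate(acl, 1):
        if matches(e, p):
            if e.log and log is not None:
                log.append(f"{e.action} {p.protocol} {p.src} -> {p.dst} by statement {n}")
            return e.action, n
    return "deny", None


# The slide's statements, exactly as written there
ACL_1 = [parse("Access-list 1 deny 142.14.0.0 0.0.255.255"),
         parse("Access-list 1 permit any")]
ACL_101 = [parse("Access-list 101 deny tcp 142.14.0.0 0.0.255.255 142.15.0.0 0.0.255.255 eq 21"),
           parse("Access-list 101 permit ip any any")]

if __name__ == "__main__":
    # Constructed sample packets
    print(evaluate(ACL_1, Packet("142.14.3.9", "10.0.0.1")))                 # ('deny', 1)
    print(evaluate(ACL_1, Packet("142.15.3.9", "10.0.0.1")))                 # ('permit', 2)
    print(evaluate(ACL_101, Packet("142.14.1.1", "142.15.2.2", "tcp", 21)))  # ('deny', 1)
    print(evaluate(ACL_101, Packet("142.14.1.1", "142.15.2.2", "tcp", 80)))  # ('permit', 2)
    # A list with no 'permit any': everything else falls to the implicit deny
    print(evaluate([parse("Access-list 1 permit host 172.20.16.29")],
                   Packet("172.20.16.30", "10.0.0.1")))                      # ('deny', None)
```

The last call shows why the slides insist that PERMIT ALL needs its own statement: a list containing only a permit for one host denies every other packet, and the returned statement number of None distinguishes that implicit deny from a deny the administrator wrote.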
Wild Cards??
• Wildcards are used to identify ranges of addresses to be permitted or denied
• Wildcard masks resemble subnet masks and are related but are quite different
• Represented by decimal equivalent of 4 octet IP address
– 0 means check bit
– 1 means ignore bit
– 255 means ignore every bit in the octet
– 0 means check every bit in the octet
Wild Card Mask
• Important because
– Can limit router work
• 255 means router can ignore that octet
• Careful construction can permit or deny subgroups
– Odd numbered hosts
– Even numbered hosts
– Upper half of address range
– Lower half of address range
Relation to Subnet Mask
• Important when you want to deny an entire subnet or part of a subnet
• Subnet mask is 255.255.240.0 or you have an IP address with a CIDR of 20
– This means 20 ones in subnet mask
– Class B network with 4 borrowed bits for SN
– To deny a subnet, you would want to match first 4 bits in subnet number and all network bits
• 00000000.00000000.00001111.11111111
• Wildcard mask is 0.0.15.255 to deny all hosts
• Statement would be deny ip 129.1.32.0 0.0.15.255
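The two preceding slides describe wildcard masks by their bits: a subnet's wildcard is the inverse of its subnet mask (255.255.240.0 gives 0.0.15.255), and leaving a single bit checked selects odd or even hosts or one half of a range. The following Python is an added illustration written for this page, not material from the slide deck; the 129.1.32.0/20 statement is the slide's, while 192.168.1.0/24 is a constructed example network for the subgroup masks.

```python
"""Deriving a wildcard mask from a subnet mask or CIDR length (the slide's
255.255.240.0 / 20-bit case) and hand-built masks that select odd or even
hosts and the upper or lower half of a range. Added illustration for this page;
192.168.1.0/24 is a constructed example network."""
import ipaddress
from typing import List


def wildcard_from_subnet_mask(mask: str) -> str:
    """The wildcard that matches one whole subnet is the bitwise inverse of its
    subnet mask: network bits are checked (0), host bits are ignored (1)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """A CIDR length of 20 means 20 ones in the subnet mask, so 12 host bits are ignored."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def deny_subnet_statement(cidr: str) -> str:
    """Statement body that denies every host of one subnet, in the slide's form."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"deny ip {net.network_address} {wildcard_from_prefix(net.prefixlen)}"


def matching_hosts(base: str, wildcard: str, cidr: str) -> List[str]:
    """All addresses in `cidr` whose checked bits (wildcard 0 bits) equal `base`."""
    b = int(ipaddress.IPv4Address(base))
    check = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return [str(a) for a in ipaddress.IPv4Network(cidr) if (int(a) & check) == (b & check)]


# Subgroups of the constructed 192.168.1.0/24: the wildcard leaves exactly one bit
# of the host octet checked, and the base address says what that bit must be.
SUBGROUPS = {
    "odd hosts":  ("192.168.1.1",   "0.0.0.254"),  # check bit 0 of the host octet, require 1
    "even hosts": ("192.168.1.0",   "0.0.0.254"),  # check bit 0, require 0
    "upper half": ("192.168.1.128", "0.0.0.127"),  # check bit 7, require 1 (.128-.255)
    "lower half": ("192.168.1.0",   "0.0.0.127"),  # check bit 7, require 0 (.0-.127)
}

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.240.0"))  # 0.0.15.255
    print(deny_subnet_statement("129.1.32.0/20"))      # deny ip 129.1.32.0 0.0.15.255
    for name, (base, wc) in SUBGROUPS.items():
        hosts = matching_hosts(base, wc, "192.168.1.0/24")
        print(f"{name}: {len(hosts)} addresses, first {hosts[0]}, last {hosts[-1]}")
```

Running the subgroup masks against every address of the /24 is the "test with trial data" the slides recommend: each mask should select exactly 128 of the 256 addresses, and the /20 wildcard should cover all 4096 addresses of 129.1.32.0/20 and none of the neighbouring subnet.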
The HOST command
• You can use the HOST command when a specific address is to be checked (a single host)
– Access-list 1 permit 172.20.16.29 0.0.0.0
– Or Access-list 1 permit host 172.20.16.29
The ANY Command
• The any command permits any IP number to be routed
• Access-list 1 permit 0.0.0.0 255.255.255.255 is the same as
• Access-list 1 permit any
How to Write an Access List
• Determine what traffic you want to block (deny)
• Determine what traffic you want to let in (permit)
• Determine if there is any precedence
• Flow Chart the sequence
• Write the appropriate statements