Access Control Lists (ACLs)
Access control lists (ACLs) are sets of rules that allow you to permit or deny packets based on source and destination IP address, IP protocol information, or TCP or UDP protocol information. You can configure the following types of ACLs:
• Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are 1 – 99.
• Extended – Permits or denies packets based on source and destination IP address and also on IP protocol information. Valid extended ACL IDs are 100 – 199.
Access lists use wildcard masks to match traffic. Access control lists (ACLs) can be used for two purposes on Cisco devices:
• To filter traffic
• To identify traffic
When filtering traffic, access lists are applied on interfaces. As a packet passes through a router, the top line of the rule list is checked first, and the router continues to go down the list until a match is made. Once a match is made, the packet is either permitted or denied.
NOTE : There is an implicit ‘deny all’ at the end of every access list, and it cannot be deleted. So an access list that contains only deny statements will block all traffic. If you want an ACL to allow any traffic, it must contain at least one permit statement.
Access lists are applied either inbound (packets received on an interface, before routing), or outbound (packets leaving an interface, after routing). Only one access list per interface, per protocol, per direction is allowed.
Although filtering traffic is the primary use of access lists, there are several instances when it is necessary to identify traffic using ACLs, including:
• Identifying interesting traffic to bring up an ISDN link or VPN tunnel
• Identifying routes to filter or allow in routing updates
• Identifying traffic for QoS purposes
Types of Access List
There are two categories of access lists:
Numbered ACL – the basic type. You cannot remove individual lines from a numbered access list; the entire access list must be deleted and recreated. All new entries to a numbered access list are added to the bottom. Best practice is to use a text editor to manage your access lists.
There are two common types of numbered access lists:
- IP standard access lists
- IP extended access lists
There are two common types of named access lists:
- IP standard named access lists
- IP extended named access lists
Take the host 172.16.10.1 as an example. To match a specific address (host) in a network, use the wildcard mask "0.0.0.0": every octet of the wildcard mask set to "0" means every octet of the address must match exactly.
There are actually two ways we can match a host:
• Using a wildcard mask "0.0.0.0" – 172.16.10.1 0.0.0.0
• Using the keyword “host” – host 172.16.10.1
The methods above match exactly one host. So what do we do to match all addresses?
There are actually two ways we can match all addresses:
• Using a wildcard mask "255.255.255.255" - 0.0.0.0 255.255.255.255
• Using the keyword “any” – any source or destination
Standard IP Access List
Syntax
access-list [1-99] [permit | deny] [source address] [wildcard mask]
Standard IP access lists are based on the source host or network IP address, and should be placed closest to the destination network. The range of standard access list numbers is 1-99.
Example
Qn : Block network 172.20.0.0 from accessing the 172.19.0.0 network
Note : The access list must be created on the router closest to the destination.
- Router(config)# access-list 20 deny 172.20.0.0 0.0.255.255
- Router(config)# access-list 20 permit any
- The first line denies all hosts on the 172.20.x.x network.
- The second line uses the keyword "any", which matches (permits) any other address.
Creating an access list does nothing on its own; it must be applied to an interface. To apply this access list, we would configure the following on the router:
- Router(config)# int s0
- Router(config-if)# ip access-group 20 in
To view all IP access lists configured on the router:
- Router# show ip access-list
To view what interface an access list is configured on:
- Router# show ip interface
- Router# show running-config
Extended IP Access List
Syntax
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator] [port]
Extended IP access lists filter based on the source IP address, destination IP address, and TCP or UDP port number. Extended access lists should be placed closest to the source network.
Example :
- access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
- access-list 100 deny tcp 3.3.3.0 0.0.0.255 any eq 80
- access-list 100 permit ip any any
- The first line denies host 1.1.1.1 from accessing host 2.2.2.2 via telnet (port 23).
- The second line denies HTTP (eq port 80) access from the 3.3.3.0 network.
- The third line allows all other traffic.
In the above example we used eq port 80 to block HTTP. To apply this access list inbound on interface fa 0/0:
- int fa 0/0
- ip access-group 100 in
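As an added illustration (not code from the original page), the following Python model shows how a router evaluates an extended list such as access-list 100 above: Cisco wildcard-mask matching, top-down first-match evaluation, the implicit deny at the end of every list, and the port operators (eq, gt, lt, neq, range). The ACL entries and sample packets are constructed here to mirror the page's example; the port is treated as the destination port, as in the example.

```python
import ipaddress

# Constructed entries mirroring the page's access-list 100, as tuples of
# (action, protocol, src, src_wildcard, dst, dst_wildcard, port_operator, port).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("deny",   "tcp", "1.1.1.1", "0.0.0.0",         "2.2.2.2", "0.0.0.0",         "eq", 23),
    ("deny",   "tcp", "3.3.3.0", "0.0.0.255",       "0.0.0.0", "255.255.255.255", "eq", 80),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit means that bit must equal the base
    address, a 1 bit means 'don't care' (0.0.0.0 = exact host, 255.255.255.255 = any)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0

def port_match(operator, port, dport):
    """Port operators from the page; 'range' takes an inclusive (low, high) tuple."""
    if operator is None:
        return True                      # entry has no port test (e.g. 'permit ip any any')
    return {
        "eq":    lambda: dport == port,
        "gt":    lambda: dport > port,
        "lt":    lambda: dport < port,
        "neq":   lambda: dport != port,
        "range": lambda: port[0] <= dport <= port[1],
    }[operator]()

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top-down; the first matching entry decides. If nothing
    matches, the implicit 'deny all' at the end of every ACL applies."""
    for action, p, s, s_wc, d, d_wc, operator, port in acl:
        if p != "ip" and p != proto:     # an 'ip' entry matches every IP protocol
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if not port_match(operator, port, dport):
            continue
        return action
    return "deny"                        # implicit deny: without a permit line nothing passes

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    for pkt in [("tcp", "1.1.1.1", "2.2.2.2", 23), ("tcp", "1.1.1.1", "2.2.2.2", 22),
                ("tcp", "3.3.3.7", "9.9.9.9", 80), ("udp", "3.3.3.7", "9.9.9.9", 80)]:
        print(pkt, "->", evaluate(ACL_100, *pkt))
```

Passing only the two deny entries (ACL_100[:2]) to evaluate() shows the NOTE above in action: with no permit line, every packet falls through to the implicit deny.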
We can use several other operators for port numbers:
- eq Matches a specific port
- gt Matches all ports greater than the port specified
- lt Matches all ports less than the port specified
- neq Matches all ports except for the port specified
- range Match a specific inclusive range of ports
The following will match all ports greater than 100:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 gt 100
The following will match all ports less than 1024:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 lt 1024
The following will match all ports that do not equal 443:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 neq 443
The following will match all ports between 80 and 88:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 range 80 88
Named Access Lists
Named access lists provide us with two advantages over numbered access lists. First, we can apply an identifiable name to an access list, for documentation purposes. Second, we can remove individual lines in a named access-list, which is not possible with numbered access lists.
Please note that although we can remove individual lines from a named access list, we cannot insert individual lines into it. New entries are always placed at the bottom of a named access list.
To create a standard named access list, the syntax would be as follows:
- Router(config)# ip access-list standard NAME
- Router(config-std-nacl)# deny 172.18.0.0 0.0.255.255
- Router(config-std-nacl)# permit any
To create an extended named access list, the syntax would be as follows:
- Router(config)# ip access-list extended NAME
- Router(config-ext-nacl)# permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
- Router(config-ext-nacl)# deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
- Router(config-ext-nacl)# permit ip any any
Troubleshooting
- show access-lists [<number> | <name>]
- show ip access-lists [<number> | <name>]
- show ip access-lists interface <interface>
- show ip access-lists dynamic
- show ip interface [<interface>]