Create New Article

Wiki Search

 
 
Google
Personal tools

IP Access Control List Security

From Proprofs

IP Access Control List Security

You are here: Home > Schools > Cisco > CCNA Certification > Wiki Home >CCNA Wiki


Cisco CCNA ICND Study Guide

By Cbrzana

Table Of Contents


IP Access Control List Security

Access Control Lists (ACLs): cause a router to discard some packets based on criteria defined by the network engineer.

  • Prevent hackers
  • Prevent employees from using parts of the system
  • Filter routing updates
  • Match packets for VPN tunneling
  • Match packets for implementing QoS features

IP Standard ACL Concepts

ACL is applied on an interface, either as it is entering or as it is leaving an interface.

(Inbound or Outbound packets)

Deny: the packet will be filtered

Allow: the packet will be not be filtered

-> At the end of every access list, there is an implied "Deny All Access" list. If a packet does not match any access list statement, the packet will be filtered.

If multiple rules in the Access List

1. Matching parameters of access-list are compared to the packet.

2. Is a match made, the action defined in the access-list statement is performed.

3. If a match is not made, repeat steps 1-2 until a match is made.

4. If no match is made, the deny action is performed.


Wilcard Masks

Access Lists match packets by looking at the IP, TCP, and UDP headers of the packet. Standard Access lists only look at the Source IP Address

Wilcard masks define the portion of the IP packet that should be examined.
* 0 = match those bits
* 1 = ignore those bits

Wildcard Masks


Examples

Wildcard Mask Description
0.0.0.0 The entire IP address must match.
0.0.0.255 The first 3 octets must match
0.0.255.255 The first 2 octets must match
0.0.15.255 The first 20 bits must match.

To match all hosts in a single subnet: Subtract the subnet mask from 255.255.255.255


Standard IP Access List Configuration

Command Description
permit} source
[source-wildcard] [log]
Global command for standard number access lists.
access-list access-list-number remark text
Remark that comments what the list does
name [in | out]}
Interface subcommand that enable access lists
name [in | out]
Line subcommand to enable standard or extended access lists

Show Commands

show ip interface

show access-lists [access list number/name]

show ip access-list [access list number/name]


Configuration to Deny 1 Specific User
interface Ethernet0
ip address [address][subnet mask]
ip access-group 1 out

access-list 1 remark stop all traffic whose source ID is this user
access-list 1 deny [ip address][wildcard mask]


Explanation of Commands

* Standard Access list can be in the range of 1-99, or 1300-1999
* access-list commands are the global access list
* Then, to enable on specific interface, use ip-access group command
Remember, access list referenced from top to bottom, so it looks for a specific IP to filter, and then allows all IP addresses (Wildcard of 255.255.255.255)

** Note **

If you run show run config, would say "deny host x" and "permit any"

Extended IP Access Control Lists


The one key difference is the variety of fields in the packet that can be compared for matching by extended access lists.

Image:Extended-acl.GIF

* Note *


If TCP/UDP used, can filter on Source/Destination Port

Access-list Statement What it Matches
access-list 101 deny ip any host 10.1.1.1 Any IP packet, any source IP address, with a destination IP address of 10.1.1.1
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23 Packets with a TCP header, any source IP address, with a source port greater than (gt) 1023. Packet must have a destination of 10.1.1.1 and a destination port of 23.
access-list 101 deny tcp any host 10.1.1.1 eq 23 The same as above, but any source port (it is omitted)
access-list 101 deny tcp any host 10.1.1.1 eq telnet Telnet used rather than port number
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any A packet with a source in network 1.0.0.0, using UDP with a source port less than (lt) 1023, with any destination IP address.

Sequence options follow:

[protocol type] [source IP] [source port] [destination IP] [destination port]


Extended IP ACL Configuration

Command Configuration Mode and Description
permit} protocol source source-wildcard destination destination-wildcard [log | log-input] Global command for extended numbered access lists. Number between 100-199 and 2000-2699.
name [in | out]] Interface subcommand to enable access lists
access-list access list # remark text Create comment about what ACL does
name [in | out] Line subcommand for standard/extended access lists.


'Show Commands'

Command Description
show ip interfaces [type number] References access lists enabled on the interface
access-list-name] Shows details of access lists for all protocols
access-list-name] Show IP access lists

Extended Access List Range: 100 to 199, or 2000 to 2699

Cisco recommends you locate Extended ACL as close to the source as possible.


Misc ACL Topics


Named ACLs: Identifies ACLs using names, can delete individual lines in a named IP access list.
* Use a global command that places the user in a named IP access list submode
* When named matching statement is deleted, only that line is deleted
* With numbered lists, the deletion of any statement in the list deletes all statements in the list

Command to create ACL: ip access-list extended [ACL name]
Command to delete line: no deny ip [source] [destination] [wildcard]

Controlling Telnet with ACLs: Can control who can telnet to/from a router

line vty 0 4
login
password cisco
access-class 3 in

access-list 3 permit 10.1.1.0 0.0.0.255



ACL Implementation Considerations

1. Create ACLs using text editor outside the router, and copy/paste into configuration. This makes fixing typos easier, allows for a backup of configuration, which makes adding/deleting from them easier.

2. Place extended ACLs as close to the source of the packet as possible to discard packets quickly.

3. Place standard ACLs as close to the packet's destination as possible, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.

4. Place more-specific statements early in the ACL.

5. Disable an ACL from its interface (no ip access-group) before making changes to it.


<<                              Table Of Contents                              

Top 5 Contributors to this article

UsersArticle Contributions
james 4 contribs

 
   
Home  |  Site Map  |  Contact
Copyright © 2005-2014 ProProfs.com - Privacy & Terms