7/29/2019 2-ch11_ACLintro

1/34

CISCO NETWORKING ACADEMY

Chabot College

ELEC 99.08

Access Control Lists - Introduction

7/29/2019 2-ch11_ACLintro

2/34

CISCO NETWORKING ACADEMY

ACL Topics

Function of ACLs

ACL Types & Syntax

Wildcard Bitmasks

Placement of ACLs

Commands

7/29/2019 2-ch11_ACLintro

3/34

CISCO NETWORKING ACADEMY

Typical Functions

Security

Firewalling

7/29/2019 2-ch11_ACLintro

4/34

CISCO NETWORKING ACADEMY

Types

Standard

Extended

7/29/2019 2-ch11_ACLintro

5/34

CISCO NETWORKING ACADEMY

Standard ACLs

Use rules based only the packets

source address

1-99

7/29/2019 2-ch11_ACLintro

6/34

CISCO NETWORKING ACADEMY

Extended ACLs

Provide more precise (finer tuned)

packet selection based on:

Source and destination addresses

Protocols

Port numbers

100-199

7/29/2019 2-ch11_ACLintro

7/34CISCO NETWORKING ACADEMY

Steps to Configure ACLs

1) Create ACL (global config mode) The list may contain many rules, each on one line.

The list is identified by a number or name.

2) Apply to an interface (interface config mode)

7/29/2019 2-ch11_ACLintro

8/34CISCO NETWORKING ACADEMY

How do ACLs work?

Processing occurs line by line from top to

bottom of the list.

Each line tests a packet for a match. If there is a match, a permit or deny

rule is applied.

When a match occurs, no further rulesare checked.

Invisible last line of an ACL is an implicit

deny any.

7/29/2019 2-ch11_ACLintro

9/34CISCO NETWORKING ACADEMY

How do ACLs work?

ACL example:

oak#sh ru

oak#...

oak#access-list 10 deny 192.168.1.0 0.0.0.255

oak#access-list 10 permit any

oak#access-list 10 deny any (implicit)

oak#...

7/29/2019 2-ch11_ACLintro

10/34CISCO NETWORKING ACADEMY

How does a Standard ACL

work? Permits or denies if source IP address

is matched:

Permit packet is allowed

Deny packet is dropped

Implicit DenyIf a packets address does

not match an earlier statement, an implicitdeny any occurs at the end of every ACLand the packet is dropped.

7/29/2019 2-ch11_ACLintro

11/34CISCO NETWORKING ACADEMY

Wildcard Masks

Are used to specify (by bits) the part of

the ip address to be matched.

Looks like a subnet mask but it its not!

Example:

172.16.0.0 0.0.255.255

The network address to be matched The wildcard bitmask

7/29/2019 2-ch11_ACLintro

12/34CISCO NETWORKING ACADEMY

Wildcard Masks

Specify the part of the ip address to be

matched.

Use 0s to match,1s to ignore.(Reverse of subnet masks!)

In the example below, only the 1st

2 octets will be examined for a match:172.16.0.0 0.0.255.255

Match this part of the address This is the wildcard bitmask

7/29/2019 2-ch11_ACLintro

13/34CISCO NETWORKING ACADEMY

Wildcard Masks

10101100 00010000 00000000 00000000172 16 0 0Address

WildcardMask

11111111

Ignore

1111111100000000

2552550 0

Check fora match

00000000

172.16.0.0 0.0.255.255wildcard bitmaskaddress to match

7/29/2019 2-ch11_ACLintro

14/34CISCO NETWORKING ACADEMY

Wildcard Masks

In this example, which octets will be

examined for a match?

172.16.5.0 0.0.0.255

7/29/2019 2-ch11_ACLintro

15/34CISCO NETWORKING ACADEMY

Wildcard Masks

In this example, which octets will be

examined for a match?

172.16.5.0 0.0.0.255

The first 3:

172.16.5.0 0.0.0.255

Match this part of the address

7/29/2019 2-ch11_ACLintro

16/34CISCO NETWORKING ACADEMY

Wildcard Masks

In this example, which octets will be

examined for a match?

172.16.5.2 0.0.0.0

7/29/2019 2-ch11_ACLintro

17/34CISCO NETWORKING ACADEMY

Wildcard Masks

In this example, which octets will be

examined for a match?

172.16.5.2 0.0.0.0

All 4 octets:

172.16.5.2 0.0.0.0

Match the entire address(permit or deny this specific host)

7/29/2019 2-ch11_ACLintro

18/34CISCO NETWORKING ACADEMY

Wildcard Masks

In Cisco 2, we will work only with

wildcard bitmasks that are 0 or 255 for

an entire octet. In Cisco 3, youll work with masks

where the change from 0 to 1 does not

fall on an octet boundary: e.g. 0.0.15.255

7/29/2019 2-ch11_ACLintro

19/34CISCO NETWORKING ACADEMY

Keyword: any

Identical statements

access-list 22 permit 0.0.0.0 255.255.255.255

access-list 22 permit any

7/29/2019 2-ch11_ACLintro

20/34CISCO NETWORKING ACADEMY

Keyword: host

Identical statements

Access-list 23 permit 172.16.1.1 0.0.0.0

Access-list 23 permit host 172.16.1.1

7/29/2019 2-ch11_ACLintro

21/34CISCO NETWORKING ACADEMY

Standard IP ACL command

access-listACL-number{permit |deny}source-ip-addresswildcard-mask

ACL number: 1-99 Global Config mode

7/29/2019 2-ch11_ACLintro

22/34CISCO NETWORKING ACADEMY

Standard ACL Example

To permit all packets from the network

number 172.16.0.0

access-list 20 permit 172.16.0.0 0.0.255.255

7/29/2019 2-ch11_ACLintro

23/34

CISCO NETWORKING ACADEMY

Standard ACL Example

To permit traffic from the host

172.16.1.1 only

access-list 20 permit 172.16.1.1 0.0.0.0OR

access-list 20 permit host 172.16.1.1

7/29/2019 2-ch11_ACLintro

24/34

CISCO NETWORKING ACADEMY

Standard ACL Example

To permit traffic from any source address.

access-list 20 permit 0.0.0.0 255.255.255.255

OR

access-list 20 permit any

7/29/2019 2-ch11_ACLintro

25/34

CISCO NETWORKING ACADEMY

How does an Extended ACL

work? Permits or denies if all conditions match:

Source Address

Destination Address

Protocol

Port No. or Protocol Options

7/29/2019 2-ch11_ACLintro

26/34

CISCO NETWORKING ACADEMY

Extended IP ACL command

access-listACL-number{permit|deny}protocol source-ip-address source-wildcard-

mask destination-ip-addressdestination-wildcard-maskeqport-number

ACL number: 100-199

Global Config mode

7/29/2019 2-ch11_ACLintro

27/34

CISCO NETWORKING ACADEMY

Extended ACL Example

To permit traffic from the network 192.168.1.0 to

the host 192.168.3.10 only on telnet:

access-list 101 permit tcp 192.168.1.0 0.0.0.255

192.168.3.10 0.0.0.0 eq telnet

More about extended ACLs later...

7/29/2019 2-ch11_ACLintro

28/34

CISCO NETWORKING ACADEMY

Major differences

Standard ACL

Use only source address

Requires fewer CPU cycles. Place as close to destination as possible.

(because they can only check source address)

Extended ACL

Uses source, destination, protocol, port

Requires more CPU cycles.

Place as close to source as possible.

(This stops undesired traffic early.)

7/29/2019 2-ch11_ACLintro

29/34

CISCO NETWORKING ACADEMY

Command to apply IP ACL

ip access-groupACL-number{in |out}

Interface Config mode

The group of rules in the list is applied to theinterface being configured.

Use in and out as if looking at the interface

from inside the router.

7/29/2019 2-ch11_ACLintro

30/34

CISCO NETWORKING ACADEMY

Do I place an ACL in?

In

Coming into the router.

Requires less CPU processing becauseevery packet bypasses processing before

it is routed.

Filtering decision is made prior to therouting table.

7/29/2019 2-ch11_ACLintro

31/34

CISCO NETWORKING ACADEMY

Do I place an ACL out?

Out

Going out of the router.

Routing decision has been made and thepacket is switched to the proper outbound

interface before it is tested against theaccess list.

ACLs are outbound unless otherwise

specified.

7/29/2019 2-ch11_ACLintro

32/34

CISCO NETWORKING ACADEMY

ACL Configuration Example

oak(config)#access-list 10 permit 192.168.1.0 0.0.0.255

oak(config)#access-list 10 permit 192.168.2.10 0.0.0.0

oak(config)#int e0oak(config-if)#ip-access group 10 out

oak(config-if)#^z

fre

hay

oak

192.168.3.0

E0

S0

S1S0

S1

What will this list do?

E0E0

192.168.2.0

192.168.1.0

192.168.1.10 192.168.2.10 192.168.3.10

7/29/2019 2-ch11_ACLintro

33/34

CISCO NETWORKING ACADEMY

ACL Configuration Example

oak(config)#access-list 10 permit any

oak(config)#access-list 10 deny 192.168.2.10 0.0.0.0

oak(config)#int e0oak(config-if)#ip-access group 10 out

oak(config-if)#^z

fre

hay

oak

192.168.3.0

E0

S0

S1S0

S1

Whats the problem here?

E0E0

192.168.2.0

192.168.1.0

192.168.1.10 192.168.2.10 192.168.3.10

7/29/2019 2-ch11_ACLintro

34/34

Commands to show ACLs

show access-lists

Privileged exec mode

Displays the ACLs on the router.show ip interface

Privileged exec mode

Shows which ACLs are set on that interface.