Access Control Lists

Written by Bill Reed 03/11/05


During this presentation we will:

•Discuss the usage for ACLs in our networks

•Look at the syntax of the ACL commands

•Examine the application of our ACLs

•Explore the mechanisms behind the wild card mask

•Test our understanding with some exercises


ACL usage

•ACLs are used to regulate traffic that can traverse our networks

•This can be for security reasons such as limiting access to restricted network segments and the systems within them

•ACLs can also be used to filter routing protocol updates on segments where they are unnecessary or undesirable


ACL command syntax

access-list 101 <condition> <protocol> <source IP> <source WCM> <dest IP> <dest WCM> [<operator> <port or service>]

Condition = permit or deny

Protocol = ip, icmp, tcp or udp (ip matches any IP protocol; a port qualifier is only meaningful with tcp or udp)

Source IP & WCM = 192.168.0.55 0.0.0.255 (the 0.0.0.255 mask ignores the last octet, so this covers every host in 192.168.0.0/24)

Dest IP & WCM = 100.50.50.50 0.255.255.255 (the mask ignores the last three octets, so this covers all of 100.0.0.0/8)

Port / Service = supplied after an operator such as eq, for example eq 80 (IOS keyword www) or eq 21 (IOS keyword ftp)

The number 101 lies in the 100 to 199 range reserved for extended ACLs, which is what allows protocol, destination and port to be specified; a standard ACL (1 to 99) filters on source address only


ACL application rules

•Access control lists are all about matching

•Entries are evaluated top-down, in the order they are written

•Once a packet matches an entry's parameters, that entry's condition (permit or deny) is applied and no further entries are checked: the first match wins

•There is an unseen entry at the end of every ACL called the implicit deny rule (it is never typed into the configuration, hence implicit)

•The implicit deny acts as a catch-all at the end of the ACL, so a list containing no permit entries blocks all traffic in the direction it is applied

•Numbered ACLs have restrictions regarding editing: individual entries cannot be removed or reordered, and removing the list with the no form of the command deletes every entry, so the list is normally rebuilt in full
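The syntax and application rules above, worked through in code. This is an added example, not part of the original slides: a small Python evaluator for extended ACL entries written in the form shown on the previous slide. The sample list, the addresses and the flows are constructed for the example; the port keyword aliases www and ftp are the only service names it resolves.

```python
# Added example (not from the original slides): a small evaluator for extended
# ACL entries in the syntax shown above. It demonstrates the application rules:
# matching, top-down order, first match wins, and the implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample list for this example (hypothetical addresses and policy).
SAMPLE_ACL = """
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 100.0.0.0 0.255.255.255 eq 80
access-list 101 permit ip  192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any
"""

# IOS service-name aliases honoured by this parser (assumption: only these two).
PORT_NAMES = {"www": 80, "ftp": 21}


def wcm_match(packet_ip: str, acl_ip: str, wcm: str) -> bool:
    """Wildcard-mask compare: a 0 bit in the mask means that bit must match,
    a 1 bit means don't care. Any difference where the mask is 0 is a miss."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    m = int(ipaddress.IPv4Address(wcm))
    return (p ^ a) & ~m & 0xFFFFFFFF == 0


@dataclass
class Entry:
    number: int
    action: str          # "permit" or "deny"
    protocol: str        # "ip", "icmp", "tcp" or "udp"
    src: str
    src_wcm: str
    dst: str
    dst_wcm: str
    port: Optional[int]  # destination port following "eq", if any


def _take_address(tokens: List[str]):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tokens.pop(0), "0.0.0.0"
    return first, tokens.pop(0)


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, protocol = int(tokens[1]), tokens[2], tokens[3]
    rest = tokens[4:]
    src, src_wcm = _take_address(rest)
    dst, dst_wcm = _take_address(rest)
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(number, action, protocol, src, src_wcm, dst, dst_wcm, port)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Entry], protocol: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first entry whose parameters all match
    decides. Falling off the end hits the implicit deny."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != protocol:
            continue                       # "ip" entries match every protocol
        if not wcm_match(src, e.src, e.src_wcm):
            continue
        if not wcm_match(dst, e.dst, e.dst_wcm):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action
    return "deny"                          # implicit deny any at the end


def order_matters() -> tuple:
    """Same two entries, swapped: the LAN web flow is denied in one order and
    permitted in the other, because the first match wins."""
    acl = parse_acl(SAMPLE_ACL)
    swapped = [acl[1], acl[0]] + acl[2:]
    flow = ("tcp", "192.168.0.10", "100.50.50.50", 80)
    return evaluate(acl, *flow), evaluate(swapped, *flow)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, "tcp", "192.168.0.10", "100.50.50.50", 80))   # deny
    print(evaluate(acl, "tcp", "192.168.0.10", "100.50.50.50", 443))  # permit
    print(evaluate(acl, "udp", "10.0.0.1", "192.168.0.5", 53))        # deny (implicit)
    print(order_matters())                                            # ('deny', 'permit')
```

The udp flow from 10.0.0.1 is denied by no written entry at all: it simply matches nothing and falls through to the implicit deny, which is the case the slide warns about. The order_matters() call shows why entry order is a security property and not a cosmetic one: the same two lines, swapped, permit the web traffic the first order blocks.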


Wild Card Masks

The basic rules for WCMs are very simple

0 = must match

1 = I don’t care

The WCM is compared bit by bit with the address of the traffic passing through the interface: wherever the mask bit is 0 the packet's address bit must equal the address bit written in the ACL, and wherever the mask bit is 1 the packet's bit is ignored

192.168.0.55 11000000 10101000 00000000 00110111

0.0.0.255 00000000 00000000 00000000 11111111


Wild Card Masks

Address in packet = 192.168.0.10 11000000 10101000 00000000 00001010

Address in ACL = 192.168.0.55 11000000 10101000 00000000 00110111

Wild card mask = 0.0.0.255 00000000 00000000 00000000 11111111

0 = must match

1 = I don’t care

The first three octets are masked with 0 and are identical in both addresses; the last octet is masked with 1 and is ignored, so the packet matches the entry even though 10 and 55 differ


Wild Card Masks

WCMs can also specify ranges of addresses (a mask such as 0.0.0.255) and individual addresses (a mask of 0.0.0.0, where every bit must match)

Range based WCMs are built on contiguous ones at the low end of the binary mask

1, 3, 7, 15, 31, 63, 127 and 255 (each one less than a power of two) are the acceptable octet values for range statements in the WCM

The basic rules still apply 0 = Must match, 1 = I don’t care


Wild Card Masks

Given a mask of 0.0.0.3 (3 = 00000011)

Remember 1 means I don’t care

Any combination of values in the least significant 2 bits will match the ACL

I.e.: 00 / 01 / 10 / 11

When the ACL address has those two bits at 0 (a last octet of 0), this leads to an octet value of anything between 0 & 3 matching the ACL and the condition being applied; in general the mask matches the block of four values that contains the octet written in the ACL, so 0.0.0.3 against a last octet of 55 matches 52 to 55


Wild Card Masks

Against an ACL octet of 0:

7 = 00000111 values between 0 & 7 will match

15 = 00001111 values between 0 & 15 will match

31 = 00011111 values between 0 & 31 will match

What will a WCM of 0.0.0.254 match when applied to an address of 192.168.0.1 ?
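The bit rules from the last few slides, worked through in code. This is an added example, not part of the original slides: Python helpers that render an address in binary, test a packet against an ACL address and wildcard mask bit by bit, check whether a mask is a contiguous range mask, and enumerate every address a pair matches. The last helper answers the question above: 254 is 11111110, so only the lowest bit must match the 1 in 192.168.0.1, and the mask matches every odd last octet (.1, .3, ... .255) rather than a range. IOS accepts such non-contiguous masks in an ACL, so a typo like 254 for 255 silently halves the hosts covered. All addresses are constructed for the example.

```python
# Added example (not from the original slides): bit-level wildcard-mask matching,
# the contiguous-ones check for range masks, and enumeration of everything an
# (address, mask) pair matches, including the non-contiguous 0.0.0.254 case.
import ipaddress
from typing import List


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_bits(dotted: str) -> str:
    """Render an address as four space-separated octets in binary."""
    return " ".join(f"{(to_int(dotted) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def matches(packet_addr: str, acl_addr: str, wcm: str) -> bool:
    """0 bit in the mask: the bit must match; 1 bit: don't care."""
    differing = to_int(packet_addr) ^ to_int(acl_addr)
    must_match = ~to_int(wcm) & 0xFFFFFFFF
    return differing & must_match == 0


def mismatched_bits(packet_addr: str, acl_addr: str, wcm: str) -> List[int]:
    """Bit positions (0 = least significant) where the mask says 'must match'
    but the packet and ACL addresses differ; an empty list means a match."""
    differing = to_int(packet_addr) ^ to_int(acl_addr)
    must_match = ~to_int(wcm) & 0xFFFFFFFF
    bad = differing & must_match
    return [i for i in range(32) if (bad >> i) & 1]


def is_contiguous(wcm: str) -> bool:
    """A range-style mask is a run of 1s in the low bits, i.e. 2**n - 1 overall;
    such a number plus one is a power of two, so m & (m + 1) is zero."""
    m = to_int(wcm)
    return m & (m + 1) == 0


def matching_addresses(acl_addr: str, wcm: str, limit: int = 256) -> List[str]:
    """Every address the pair matches: fix the 'must match' bits to the ACL
    address, then run through all combinations of the 'don't care' bits.
    There are 2**popcount(mask) of them whether or not the 1s are contiguous."""
    a, m = to_int(acl_addr), to_int(wcm)
    base = a & ~m & 0xFFFFFFFF
    free_bits = [1 << i for i in range(32) if (m >> i) & 1]
    found = []
    for k in range(min(1 << len(free_bits), limit)):
        value = base
        for i, bit in enumerate(free_bits):
            if (k >> i) & 1:
                value |= bit
        found.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(found)]


if __name__ == "__main__":
    print(to_bits("192.168.0.55"))                               # 11000000 10101000 00000000 00110111
    print(matches("192.168.0.10", "192.168.0.55", "0.0.0.255"))  # True
    print(mismatched_bits("192.168.0.10", "192.168.0.55", "0.0.0.0"))  # [0, 2, 3, 4, 5]
    print(is_contiguous("0.0.0.3"), is_contiguous("0.0.0.254"))  # True False
    print(matching_addresses("192.168.0.55", "0.0.0.3"))         # .52 .53 .54 .55
    print(matching_addresses("192.168.0.1", "0.0.0.254")[:4])    # .1 .3 .5 .7 (odd hosts only)
```

The mismatched_bits() helper is the one to reach for when an entry does not fire as expected: it reports exactly which "must match" bit positions disagree, which is quicker than reading four octets of binary by eye.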


Wild Card Masks

Once our ACL is written we only need to apply it to an interface and specify the direction in which traffic will be interrogated

We use the interface command ip access-group followed by the number of the ACL to bind the list to that interface

On the end of the ip access-group command we specify the direction with the keyword in (traffic arriving on the interface) or out (traffic leaving it)

An ACL that is written but not applied to an interface filters nothing, and an interface can carry at most one ACL per direction for a given protocol, so applying a second list replaces the first


Exercise

