1 Lecture #5 Access Control Lists (ACLs) Asst.Prof. Dr.Anan Phonphoem Department of Computer Engineering, Faculty of Engineering, Kasetsart University, Bangkok, Thailand
Dec 29, 2015

Page 1: Title slide

Page 2: Overview

• ACL fundamentals
• ACL operations
• Types of ACLs (Standard / Extended)
• Implementing ACLs

Page 3: Access Control Lists (ACLs)

• A list of conditions used to test traffic
• The router can permit or deny each packet (it acts like a filter)
• Provides security and bandwidth management
• Comes in two types: STANDARD and EXTENDED

Page 4: What is an ACL?

A list of criteria against which every packet is compared, in order:

1. Is this packet from network 10.5.2.0? Yes - forward the packet. No - check the next statement.
2. Is this a Telnet packet from 25.25.0.0? Yes - forward the packet. No - check the next statement.
3. Deny all other traffic.

Page 5: ACL Operations

• Packets are compared to each statement in an access-list SEQUENTIALLY, from the top down. The first statement that matches decides the packet's fate; no later statement is consulted.
• The sooner a decision is made the better: well-written access-lists handle the most abundant type of traffic first.
• All access-lists end with an implicit "deny all" statement, so a packet that matches no statement is dropped.

Page 6: ACL operations (flowchart slide; the image is not included in the transcript)

Page 7: ACL numbers (table slide; the image is not included in the transcript)

Page 8: Standard ACL

• Numbered 1-99 (newer IOS versions also accept the expanded range 1300-1999)
• Filters on the source address only
• Should be applied closest to the destination: because it cannot see where traffic is going, a standard ACL placed near the source would also block that source's traffic to every other destination

Page 9: Extended ACL

• Numbered 100-199 (newer IOS versions also accept the expanded range 2000-2699)
• Much more flexible and complex
• Can filter on:
  - Source address
  - Destination address
  - IP protocol (ICMP, TCP, UDP, ...)
  - Port number (80 http, 23 telnet, ...)
• Should be applied closest to the source: it can identify the exact flow, so unwanted traffic is dropped before it crosses the network

Page 10: Implementing ACLs

Step 1 - Create the access-list (global configuration mode)
Step 2 - Apply the access-list to an interface

Must be in interface configuration mode:
(config-if)# ip access-group <number> in|out

The direction is from the router's point of view: "in" filters packets arriving on the interface, "out" filters packets leaving it.

Page 11: Standard ACL format

access-list <#> permit|deny <sourceIP> <wildcard>

• #: 1-99
• permit/deny: switch (forward) the packet or drop it
• sourceIP: the source IP address the packet is compared against. Can also use ANY, or "host <address>" for a single host
• wildcard (inverse mask): see the next slides

Page 12: Wildcard Mask

Allows you to indicate a host, a subnet, a network or a range of IP addresses.

The two binary values in the wildcard have different meanings:
0 = the corresponding address bit must match exactly
1 = the corresponding address bit is ignored

Page 13: Wildcard Mask (bit-pattern slide; the image is not included in the transcript)

Page 14: Wildcard Example

Network 172.16.10.0, wildcard 0.0.0.255
Result: match the first three octets exactly but ignore the last octet. 172.16.10.0 through 172.16.10.255 is a match, since the last octet does not matter.

The wildcard is the bitwise inverse of the subnet mask (255.255.255.0 becomes 0.0.0.255). The two extremes are 0.0.0.0, which matches exactly one host, and 255.255.255.255, which matches any address.
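The wildcard rules above, worked through in code. This is an added example written for this lecture, not code from the original slides. It goes slightly beyond the slide: besides the 172.16.10.0 0.0.0.255 case it converts a subnet mask to a wildcard, counts how many addresses a pair covers, tells a contiguous wildcard (one that equals a CIDR block) from a non-contiguous one such as 0.0.254.255, and enumerates the addresses an unusual wildcard selects. The helper names are my own.

```python
import ipaddress


def _ip(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 0 bit in the wildcard means the packet's bit must
    equal the ACL address bit, a 1 bit means 'ignore'. So we compare only the
    bits where the wildcard is 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(acl_ip) & care)


def mask_to_wildcard(subnet_mask: str) -> str:
    """The wildcard is the bitwise inverse of the subnet mask
    (255.255.255.0 -> 0.0.0.255), hence the name 'inverse mask'."""
    return str(ipaddress.IPv4Address(~_ip(subnet_mask) & 0xFFFFFFFF))


def address_count(wildcard: str) -> int:
    """How many addresses one 'address wildcard' pair covers: 2 ** (number of 1 bits)."""
    return 1 << bin(_ip(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard's 1 bits form a single low-order run, i.e. the pair
    describes a CIDR block. 0.0.254.255 is legal but cannot be written as a prefix."""
    w = _ip(wildcard)
    return (w + 1) & w == 0


def matching_hosts(acl_ip: str, wildcard: str, limit: int = 8) -> list:
    """Enumerate (at most `limit`) addresses matched by the pair by walking every
    combination of the ignored bits. Handy for sanity-checking an odd wildcard."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    base = _ip(acl_ip) & care
    free = [1 << b for b in range(32) if _ip(wildcard) >> b & 1]
    out = []
    for n in range(min(limit, 1 << len(free))):
        bits = sum(f for i, f in enumerate(free) if n >> i & 1)
        out.append(str(ipaddress.IPv4Address(base | bits)))
    return out


if __name__ == "__main__":
    # The slide's example: 172.16.10.0 0.0.0.255 matches the whole /24 ...
    print(wildcard_match("172.16.10.200", "172.16.10.0", "0.0.0.255"))  # True
    print(wildcard_match("172.16.11.1", "172.16.10.0", "0.0.0.255"))    # False
    # ... 0.0.0.0 matches exactly one host (what the 'host' keyword expands to) ...
    print(wildcard_match("172.22.5.3", "172.22.5.2", "0.0.0.0"))        # False
    # ... and 0.0.254.0 under 172.16.0.0 selects every even third octet.
    print(is_contiguous("0.0.254.0"), matching_hosts("172.16.0.0", "0.0.254.0", 4))
```

A practical check before pasting a list into a router: run `address_count` on every line and look at any that covers far more than you intended; a typo such as 0.0.255.255 where 0.0.0.255 was meant silently widens a rule from 256 addresses to 65536.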

Page 15: Implementing ACLs

Remember the implicit "deny all" at the end of each access-list.

Two approaches:
1. List the traffic you know you want to permit, then deny all other traffic. The implicit deny does this for you; this default-deny style is the safer design, because anything you forget is blocked rather than allowed.
2. List the traffic you want to deny, then permit all other traffic. This list must end with an explicit "permit any", otherwise the implicit deny blocks everything.

Page 16: Standard ACL (diagram slide; the image is not included in the transcript)

Page 17: Standard ACL example (I)

A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any

So what does this access list do?

• Deny the host 172.22.5.2 (wildcard 0.0.0.0 means every bit must match, i.e. one host)
• Deny the host 172.22.5.3
• All other traffic can go (the explicit "permit any" is reached before the implicit deny)

Page 18: Standard ACL example (II)

A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 deny 172.22.5.3 0.0.0.0
A(config)#access-list 5 permit any
A(config)#access-list 5 deny 172.22.5.4 0.0.0.0

Why does the last line have no effect? Statements are evaluated top down and the first match wins: a packet from 172.22.5.4 already matches "permit any" on line 3, so line 4 is never reached. How could you correct this situation? The deny for 172.22.5.4 must come before "permit any". A new statement is always appended at the end of a classic numbered list, so the list has to be removed and re-entered in the correct order.
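A small model of how a router walks an access-list, written as an added example for this lecture (it is not code from the slides or from Cisco). It parses the standard syntax used in the two examples above and the extended syntax from Page 9 (protocol, source, destination, an optional "eq" port with a few IOS port keywords), evaluates top down with first match wins and the implicit deny, keeps the per-line match counters that "show access-lists" displays, and flags statements that can never match because an earlier statement already covers everything they would. Only the syntax on the slides is modelled; real IOS also has "lt/gt/range", source ports, "established", "log" and more. The class and function names, the port table and the sample lists are my own; EXAMPLE_II is the list from this slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical port-name table covering the IOS keywords used in this example.
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """0 bit in the wildcard = must match, 1 bit = ignore."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(acl_ip) & care)


def _covers(outer: Tuple[str, str], inner: Tuple[str, str]) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    o_care = ~_ip(outer[1]) & 0xFFFFFFFF
    i_care = ~_ip(inner[1]) & 0xFFFFFFFF
    if o_care & ~i_care:            # outer tests a bit that inner ignores: outer is narrower
        return False
    return (_ip(outer[0]) & o_care) == (_ip(inner[0]) & o_care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp", "udp", "icmp"
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]            # standard ACLs get ANY here
    dport: Optional[int]            # destination port from "eq", if given
    text: str
    hits: int = 0                   # the per-line counter shown by "show access-lists"


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any' | 'host A' | 'A W' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line, standard (1-99) or extended (100-199)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                       # standard: source address only
        return Entry(action, "ip", _parse_addr(rest), ANY, None, line)
    proto = rest.pop(0)                         # extended: proto src dst [eq port]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, dst, dport, line)


class ACL:
    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(l) for l in lines]

    def evaluate(self, src: str, dst: str = "0.0.0.0", proto: str = "ip",
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Top down, first match wins. Returns (action, index of the matching line);
        index None means the packet fell off the end and hit the implicit deny all."""
        for i, e in enumerate(self.entries):
            if e.proto not in ("ip", proto):
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.hits += 1
            return e.action, i
        return "deny", None

    def shadowed(self) -> List[int]:
        """Indices of lines that can never match because an earlier line covers
        everything they would match; such lines are dead whatever their action."""
        dead = []
        for j, later in enumerate(self.entries):
            for earlier in self.entries[:j]:
                if (earlier.proto in ("ip", later.proto)
                        and earlier.dport in (None, later.dport)
                        and _covers(earlier.src, later.src)
                        and _covers(earlier.dst, later.dst)):
                    dead.append(j)
                    break
        return dead

    def hit_report(self) -> List[Tuple[int, str]]:
        """(hits, line) pairs: the data you would use to reorder a list after a few days."""
        return [(e.hits, e.text) for e in self.entries]


# Constructed inputs: the slide's example (II), its corrected order, and an extended list.
EXAMPLE_II = [
    "access-list 5 deny 172.22.5.2 0.0.0.0",
    "access-list 5 deny 172.22.5.3 0.0.0.0",
    "access-list 5 permit any",
    "access-list 5 deny 172.22.5.4 0.0.0.0",   # never reached
]
EXAMPLE_II_FIXED = EXAMPLE_II[:2] + [EXAMPLE_II[3], EXAMPLE_II[2]]
EXTENDED_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq telnet",
    "access-list 101 deny ip any any",      # explicit copy of the implicit deny, so it gets a counter
]

if __name__ == "__main__":
    acl = ACL(EXAMPLE_II)
    print(acl.evaluate("172.22.5.4"), acl.shadowed())           # ('permit', 2) [3]
    print(ACL(EXAMPLE_II_FIXED).evaluate("172.22.5.4"))        # ('deny', 2)
```

`shadowed()` is the check to run on any list before applying it: a dead line is usually a sign that the policy the author intended is not the one the router enforces. Note that `_covers` is a sufficient test, not a complete one; a line hidden by the union of several earlier lines is not detected.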

Page 19: Extended ACL (diagram slide; the image is not included in the transcript)

Page 20: Placing ACLs

Standard: close to the destination. It matches on source only, so placed near the source it would also block that source's traffic to every other destination.
Extended: close to the source. It can identify the exact flow, so unwanted traffic is dropped before it consumes bandwidth across the network.

Page 21: Firewall

Diagram slide (the image is not included in the transcript): External network, Firewall, DMZ, Internal network.

Page 22: Restricted ACL access (diagram slide; the image is not included in the transcript)

Page 23: Verifying ACLs

show ip interface (which access-list is applied to each interface, and in which direction)
show access-lists (the statements of each list and their match counters)
show running-config

Page 24: Implementing ACLs Tips

• You cannot selectively add or remove statements from a classic numbered access-list; a new statement is always appended at the end. (Newer IOS versions allow editing by sequence number under "ip access-list standard|extended", but the rebuild approach below works everywhere.)
• Typically modifications are made in a text editor and then pasted to the router as a new access-list. The new access-list is then applied and the old one removed.
• Document your access-list: after each line, indicate exactly what that line is supposed to do (the "remark" keyword stores such a comment inside the list itself).
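The create / apply / verify sequence from Page 10 and the rebuild procedure from this slide, written out as an added IOS CLI walk-through; this is not from the original slides. The interface name GigabitEthernet0/1, the list number 5 and the host addresses are assumed for illustration.

```cisco
! Step 1 - create the list in global configuration mode
Router(config)# access-list 5 remark Block the two lab hosts, allow everything else
Router(config)# access-list 5 deny host 172.22.5.2
Router(config)# access-list 5 deny host 172.22.5.3
Router(config)# access-list 5 permit any
! Step 2 - apply it; "in"/"out" is from the router's point of view
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 5 in
!
! Changing the list later: a new line would only be appended after "permit any",
! so unbind the list from the interface first, delete it, re-enter it in the
! correct order, then bind it again.
Router(config-if)# no ip access-group 5 in
Router(config-if)# exit
Router(config)# no access-list 5
Router(config)# access-list 5 remark Block the three lab hosts, allow everything else
Router(config)# access-list 5 deny host 172.22.5.2
Router(config)# access-list 5 deny host 172.22.5.3
Router(config)# access-list 5 deny host 172.22.5.4
Router(config)# access-list 5 permit any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 5 in
Router(config-if)# end
!
! Verify: which list is bound where, and the per-line match counters
Router# show ip interface GigabitEthernet0/1 | include access list
Router# show access-lists 5
```

While the list is unbound the interface passes everything, so on an edge-facing interface do this during a maintenance window; the alternative is to build the new list under a fresh number, bind it in one command (the new "ip access-group" replaces the old binding) and only then delete the old list.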

Page 25: Implementing ACLs Tips

• Verifying your access-list: show access-lists, show ip interface
• Revisit your access-list after a few days. Routers keep track of the number of packets that match each statement in an access-list; use this information to reorder your access-list and thus improve its efficiency. Reorder only lines whose match sets do not overlap, otherwise a different line matches first and the policy changes.
• Never remove an access-list that is still applied to an interface: unbind it with "no ip access-group" first. While a list is deleted and re-entered the interface filters against an incomplete list, and this can crash a router.

Page 26: Summary

• ACLs are created and then applied to an interface
• Are implemented sequentially, top down
• End with an implicit "deny all" statement
• #1-99 standard and #100-199 extended
• Standard - source address only
• Extended - source, destination, protocol, port

Page 27: References

• C. Dodge, slides on the Cisco website
• Cisco curriculum materials