Presentation is loading. Please wait.

Presentation is loading. Please wait.

Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP Access Control Lists Advances in Managing ACL Configuration.

Similar presentations


Presentation on theme: "Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP Access Control Lists Advances in Managing ACL Configuration."— Presentation transcript:

1 Any Questions?

2 Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP Access Control Lists Advances in Managing ACL Configuration Miscellaneous ACL Topics

3 Do I know this? Go through the Quiz- 5 minutes

4 1. Barney is a host with IP address in subnet /24. Which of the following are things that a standard IP ACL could be configured to do? a. Match the exact source IP address b. Match IP addresses through with one access-list command without matching other IP addresses c. Match all IP addresses in Barneys subnet with one access-list command without matching other IP addresses d. Match only the packets destination IP address

5 1. Barney is a host with IP address in subnet /24. Which of the following are things that a standard IP ACL could be configured to do? a. Match the exact source IP address b. Match IP addresses through with one access-list command without matching other IP addresses c. Match all IP addresses in Barneys subnet with one access-list command without matching other IP addresses d. Match only the packets destination IP address Answer:A&C

6 2. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? a b c d e f

7 2. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? a b c d e f Answer: D

8 3. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? a b c d e f

9 3. Which of the following wildcard masks is most useful for matching all IP packets in subnet , mask ? a b c d e f Answer: E

10 4. Which of the following fields cannot be compared based on an extended IP ACL? a. Protocol b. Source IP address c. Destination IP address d. TOS byte e. URL f. Filename for FTP transfers

11 4. Which of the following fields cannot be compared based on an extended IP ACL? a. Protocol b. Source IP address c. Destination IP address d. TOS byte e. URL f. Filename for FTP transfers Answer: E&F

12 5. Which of the following access-list commands permits traffic that matches packets going from host to all web servers whose IP addresses begin with ? a. access-list 101 permit tcp host eq www b. access-list 1951 permit ip host eq www c. access-list 2523 permit ip host eq www d. access-list 2523 permit tcp host eq www e. access-list 2523 permit tcp host eq www

13 5. Which of the following access-list commands permits traffic that matches packets going from host to all web servers whose IP addresses begin with ? a. access-list 101 permit tcp host eq www b. access-list 1951 permit ip host eq www c. access-list 2523 permit ip host eq www d. access-list 2523 permit tcp host eq www e. access-list 2523 permit tcp host eq www Answer: A&E

14 6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with ? a. access-list 101 permit tcp host eq www b. access-list 1951 permit ip host eq www c. access-list 2523 permit tcp any eq www d. access-list 2523 permit tcp eq www e. access-list 2523 permit tcp eq www any

15 6. Which of the following access-list commands permits traffic that matches packets going to any web client from all web servers whose IP addresses begin with ? a. access-list 101 permit tcp host eq www b. access-list 1951 permit ip host eq www c. access-list 2523 permit tcp any eq www d. access-list 2523 permit tcp eq www e. access-list 2523 permit tcp eq www any Answer: E

16 7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL? a. Protocol b. Source IP address c. Destination IP address d. TOS byte e. None of the other answers are correct.

17 7. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL? a. Protocol b. Source IP address c. Destination IP address d. TOS byte e. None of the other answers are correct. Answer: E

18 8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used? a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL. b. Delete one line from the ACL using the no access-list... command. c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number. d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.

19 8. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used? a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL. b. Delete one line from the ACL using the no access-list... command. c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number. d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL. Answer: A & C

20 9. What general guideline should you follow when placing extended IP ACLs? a. Perform all filtering on output if at all possible. b. Put more-general statements early in the ACL. c. Filter packets as close to the source as possible. d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance.

21 9. What general guideline should you follow when placing extended IP ACLs? a. Perform all filtering on output if at all possible. b. Put more-general statements early in the ACL. c. Filter packets as close to the source as possible. d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance. Answer: C

22 10. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router? a. Named ACLs b. Reflexive ACLs c. Dynamic ACLs d. Time-based ACLs Answer: C

23 Any Questions?

24 ACL History Original Support for Numbered ACLS –We will learn this first Then support for named ACLS –Also cover this –IOS 11.2 Now support for Sequence numbers for ACLS –WAY easier –IOS 12.3 Pg 231

25 Access Control Lists Allow a router to drop packets based on certain criteria –You build a list with multiple lines –Each line is one of the rules to check Filter router updates Match packets for –Priority –QOS –VPN Pg 232

26 ACLs Questions Which packets to filter Where to filter them Pg 232

27 Where to filter Pg 233

28 Key ACL ideas Packets can be filtered as they enter an interface, before the routing decision. Packets can be filtered before they exit an interface, after the routing decision. Deny is the term used in Cisco IOS software to imply that the packet will be filtered. Permit is the term used in Cisco IOS software to imply that the packet will not be filtered. The filtering logic is configured in the access list. At the end of every access list is an implied deny all traffic statement. Therefore, if a packet does not match any of your access list statements, it is blocked. Pg 233

29 Any Questions?

30 ACL Logic Matching –Examine packets to match against ACL statements Action –Permit of deny Pg 234

31 ACL Logic-KEY IDEA 1.The matching parameters of the access-list statement are compared to the packet. 2.If a match is made, the action defined in this access-list statement (permit or deny) is performed. 3.If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made. 4.If no match is made with an entry in the access list, the deny action is performed. Pg 234

32 Wildcard Masks ACLs can match based on IP addresses –Standard ACLs only on source address Wildcards let you specify a range of addresses in a single statement –Stop all hosts on a subnet Logic –0 in mask says compare –1 in mask says it doesnt matter –Can add the mask to the original address Pg 235

33 Mask Examples Pg 235 Wildcard Mas Binary Version of the MaskDescription The entire IP address must match Just the first 24 bits must match Just the first 16 bits must match Just the first 8 bits must match Automatically considered to match any and all addresses Just the first 20 bits must match Just the first 22 bits must match.

34 Figure out Wildcard masks Use the subnet number as the address value in the access-list command. Use a wildcard mask found by subtracting the subnet mask from Example-To match all hosts in subnet Pg 237

35 Any Questions?

36 ACL Command Step 1 Use the address in the access-list command as if it were a subnet number. Step 2 Use the number found by subtracting the wildcard mask from as a subnet mask. Step 3 Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively. –Access-list 1 permit Pg

37 Standard ACL configuration Memorize syntax (it is not easy) –access-list access-list-number {deny | permit} source [source-wildcard] Think about which is the source machine! Dont forget the deny all at the end –default Pg 238

38 ACL Logic Step 1 Plan the location (router and interface) and direction (in or out) on that interface: a. Standard ACLs should be placed near to the destination of the packets so that it does not unintentionally discard packets that should not be discarded. b. Because standard ACLs can only match a packets source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining. Step 2 Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind: a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements. b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet. Step 3 Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand. Pg 239

39 ACL Example –interface Ethernet0 –ip address –ip access-group 1 out –! –access-list 1 remark stop all traffic whose source IP is Bob –access-list 1 deny –access-list 1 permit Created access-list by adding statement Add access-list to interface in or out Pg 240

40 Example Pg 242 Yosemite config interface serial 0 ip access-group 3 out ! access-list 3 deny host access-list 3 permit any Seville Configuration interface serial 1 ip access-group 4 out ! access-list 4 deny access-list 4 permit any

41 Any Questions?

42 Extended ACL concepts Pg 244

43 Extended IP ACLS Can match on more fields Pg 245 Type of Access ListWhat Can Be Matched Both standard and extended ACLs Source IP address Portions of the source IP address using a wildcard mask Only extended ACLsDestination IP address Portions of the destination IP address using a wildcard mask Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others) Source port Destination port All TCP flows except the first IP TOS IP precedence

44 Examples Pg 246

45 ACLS and Port numbers The access-list command must use protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers. The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines if the parameter examines the source or destination port. Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server. It is useful to memorize the most popular TCP and UDP applications, and their wellknown ports, as listed in Table 6-5, as shown later in this chapter. Pg 246

46 ACLs in Use Connecting to a server –Think about addressing and traffic flow access-list 101 permit tcp eq 21 –Notice location of eq Pg 247

47 ACL in use Connection from server access-list 101 permit tcp eq –Notice location of eq Pg 248

48 Extended ACL commands Pg 249 CommandConfiguration Mode and Description access-list access-list-number {deny | permit} protocol source source- wildcard destination destination- wildcard [log | log-input] Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive. access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] estination destination-wildcard [operator [port]] [established] [log] A version of the access-list command with TCPspecific parameters.

49 Extended ACL hints Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. So filtering close to the source of the packets saves some bandwidth. All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement. The extended access-list command uses numbers between 100–199 and 2000–2699, with no number being inherently better than another. Pg 249

50 Extended ACL Operators Pg 250 Operator in the access-list Command Meaning EqEqual to NeqNot equal to LtLess than GtGreater than RangeRange of port numbers

51 Extended ACL example Pg 250 interface Serial0 ip address ip access-group 101 in ! interface Serial1 ip address ip access-group 101 in ! access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web access-list 101 deny tcp host eq ftp access-list 101 deny tcp host host eq www access-list 101 permit ip any any

52 Any Questions?

53 Advanced ACL management Named ACL an ACL Sequence numbers –No new filtering features –Management simplified Pg 253

54 Named ACLs New in 11.2 Use names instead of numbers –Easier for us to remember Allow deletion of a single line if there is a mistake –With traditional ACL config, you have to start over This feature possible on regular ACLS since 12.3 Pg 253

55 Configuration Changes Global command enters a sub-command structure –Router(config)#ip access-list extended barney –Router(config-ext-nacl)#permit tcp host eq www any When a match statement is deleted, only that line is deleted Pg 254

56 Configuration Enter configuration commands, one per line. End with Ctrl-Z. Router(config)#ip access-list extended barney Router(config-ext-nacl)#permit tcp host eq www any Router(config-ext-nacl)#deny udp host Router(config-ext-nacl)#deny ip ! The next statement is purposefully wrong so that the process of changing ! the list can be seen. Router(config-ext-nacl)#deny ip Router(config-ext-nacl)#deny ip host host Router(config-ext-nacl)#deny ip host host Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#interface serial1 Router(config-if)#ip access-group barney out Router(config-if)#^Z Router#show running-config Building configuration... Pg 254

57 Named ACL in Running config interface serial 1 ip access-group barney out ! ip access-list extended barney permit tcp host eq www any deny udp host deny ip deny ip deny ip host host deny ip host host permit ip any any Router#conf t Pg 254

58 Removing a statement Router(config)#ip access-list extended barney Router(config-ext-nacl)#no deny ip Router(config-ext-nacl)#^Z Router#show access-list Extended IP access list barney 10 permit tcp host eq www any 20 deny udp host deny ip deny ip host host deny ip host host permit ip any any Pg 254

59 ACLs and Sequence Numbers An individual ACL permit or deny statement can be deleted just by referencing the sequence number, without deleting the rest of the ACL. Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL. Newly added permit and deny commands can be configured without a sequence number, with IOS creating a sequence number and placing the command at the end of the ACL. Pg 256

60 ACL Sequence Number example ! Step 1: The 3-line Standard Numbered IP ACL is configured. R1#configure terminal Enter configuration commands, one per line. End with Ctrl-Z. R1(config)#ip access-list standard 24 R1(config-std-nacl)#permit R1(config-std-nacl)#permit R1(config-std-nacl)#permit ! Step 2: Displaying the ACLs contents, without leaving configuration mode. R1(config-std-nacl)#do show ip access-list 24 Standard IP access list permit , wildcard bits permit , wildcard bits permit , wildcard bits Pg 257

61 Sequenced ACL management ! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted. R1(config-std-nacl)#no 20 ! Step 4: Displaying the ACLs contents again, without leaving configuration mode. ! Note that line number 20 is no longer listed. R1(config-std-nacl)#do show ip access-list 24 Standard IP access list permit , wildcard bits permit , wildcard bits ! Step 5: Inserting a new first line in the ACL. R1(config-std-nacl)#5 deny ! Step 6: Displaying the ACLs contents one last time, with the new statement (sequence ! number 5) listed first. R1(config-std-nacl)#do show ip access-list 24 Standard IP access list deny permit , wildcard bits permit , wildcard bits Pg 257

62 Misc ACL Topics Control Telnet and SSH with ACL –Assign an ACL to the vty lines line vty 0 4 login password cisco access-class 3 in ! ! Next command is a global command access-list 3 permit Pg 259

63 ACL considerations Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.) Place extended ACLs as close as possible to the source of the packet to discard the packets quickly. Place standard ACLs as close as possible to the packets destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source. Place more-specific statements early in the ACL. Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL. Pg 260

64 Any Questions?

65 Reflexive ACLS Allow an ACL to add statements when a communication session is started Pg 263

66 Dynamic ACLS Force authentication and then dyanmically change the ACL Step 1 The user connects to the router using Telnet. Step 2 The user supplies a username/password, which the router compares to a list, authenticating the user. Step 3 After authentication, the router dynamically adds an entry to the beginning of the ACL, permitting traffic sourced by the authenticated host. Step 4 Packets sent by the permitted host go through the router to the server. Pg 264

67 Time Based ACL only works during certain times of day Pg 264

68 Any Questions?


Download ppt "Any Questions?. Chapter 6 IP Access Control Lists Standard IP Access Control Lists Extended IP Access Control Lists Advances in Managing ACL Configuration."

Similar presentations


Ads by Google