© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 1: Access Control Lists
Accessing the WAN – Chapter 5
Version 4.0

Slide 2: Objectives
- Explain how ACLs are used to secure a medium-size Enterprise branch office network.
- Configure standard ACLs in a medium-size Enterprise branch office network.
- Configure extended ACLs in a medium-size Enterprise branch office network.
- Describe complex ACLs in a medium-size Enterprise branch office network.
- Implement, verify and troubleshoot ACLs in an enterprise network environment.

Slide 3: Security in the Campus Model
- Core: not here. It is the fastest part of the network, and implementing security here would slow it down. Besides, the traffic has already got into the network.
- Access switches: switch ports set to specific VLANs. Port security: disable the port if too many MAC addresses are seen.
- Access routers: let traffic in and out from outside the network. A good place to enforce security.
- Inter-VLAN routers or L3 switches: allow traffic to cross between VLANs. A good place to enforce security.

Slide 4: Routers Inspect Packet Fields
- Routers already inspect the destination IP address of a packet to determine how to route it, and may drop the packet if there is no route.
- We add a security mechanism: Access Control Lists (ACLs).
- ACL: a set of rules that inspect some fields in a packet. If the packet matches a rule, we can choose to keep the packet or drop it.

Slide 5: Explain How ACLs Are Used to Secure a Medium-Size Enterprise Branch Office Network
- What steps occur in a complete TCP conversation?

Slide 6: What Fields Can Be Inspected?
- IP source address
- IP destination address
- Layer 4 protocol, e.g. TCP, IP, ICMP
- Layer 4 source port
- Layer 4 destination port, e.g. port 80 for the web
- Whether the packet is the start of a connection (SYN) or not
- NOTE: traffic is bi-directional. Port 80 might be the destination port in one direction, but the source port in the other direction.

Slide 7: Explain How ACLs Are Used to Secure a Medium-Size Enterprise Branch Office Network
- Explain how a packet filter allows or blocks traffic.

Slide 8: Where Can ACL Rules Be Applied?
- A group of rules (tests, entries) forms an Access Control List.
- An ACL can be applied to a router interface in-bound: as soon as traffic arrives, before it is routed.
- An ACL can be applied to a router interface out-bound: as packets are queued for retransmission.
- On each interface we can have two ACLs: one in-bound and one out-bound.

Slide 9: Example Location of ACLs on Router Interfaces

Slide 10: Rules in an Access Control List
- Each rule (test, entry) is applied in turn.
- If no match, move to the next rule.
- If match, obey the permit or deny operation.
- If no rule matches, drop the packet.

Slide 11: Standard and Extended ACLs
- A standard ACL has rules that only match the source IP address and wildcard. Example:
- An extended ACL has rules that match destination IP, L4 protocol and source & destination ports.
- Wildcard: the inverse of a netmask. Think of it as a range. means 30.0 up to

Slide 12: Naming or Numbering an ACL
- ACLs can be numbered or named.
- Standard ACLs: name or number from 1 to 99.
- Extended ACLs: name or number from 100 to 199.

Slide 13: Where to Place ACLs: Rule of Thumb
- Extended: as close to the traffic source as possible.
- Standard: as close to the destination as possible.

Slide 14: ACL Best Practices
- ACLs implement your organisation's security policy.
- They are often unreadable, so give each one a description.
- They are fiddly to edit, so use a text editor.
- They will cause havoc when mistakes are made, so always test them on a development network before you put them into production.

Slide 15: ACLs: Rule Order Is Important
- We want to block all of /24 from coming into our LAN, but we want to let in.
    access-list 10 deny
    access-list 10 permit
- This in fact will also block
- And it will block all traffic: there is an implicit deny-all rule at the bottom.
- Reorder the rules:
    access-list 10 permit
    access-list 10 deny
    access-list 10 permit

Slide 16: Special Shorthand Keywords
- "host X" matches a single host address.
- "any" matches all IP addresses.
- We can rewrite the ACL on the previous slide:
    access-list 10 remark Let Sandeep's PC in to the LAN
    access-list 10 permit host
    access-list 10 remark But stop the rest of subnet 5.0
    access-list 10 deny
    access-list 10 remark All other traffic can come in
    access-list 10 permit any
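The rule-order problem from slides 15 and 16, worked as an added Python model (this is not code from the Cisco deck): it evaluates a standard ACL top to bottom with wildcard-mask matching and the implicit deny-all. The slide elides the real addresses, so subnet 192.168.5.0/24 and Sandeep's PC at 192.168.5.10 are constructed assumptions.

```python
import ipaddress

# Constructed sample values (the slide elides the real addresses): subnet
# 192.168.5.0/24 and Sandeep's PC at 192.168.5.10 are assumptions.
SUBNET, SUBNET_WC = "192.168.5.0", "0.0.0.255"   # wildcard 0.0.0.255 = whole /24
SANDEEP_PC = "192.168.5.10"
HOST_WC, ANY_WC = "0.0.0.0", "255.255.255.255"   # "host X" and "any" shorthands


def wildcard_match(packet_ip, rule_ip, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (r & ~w)


def evaluate_standard_acl(rules, source_ip):
    """rules: list of (action, ip, wildcard), tested top to bottom.

    The first matching rule decides; if nothing matches, the packet is
    dropped by the implicit deny-all at the bottom of every ACL.
    """
    for action, ip, wildcard in rules:
        if wildcard_match(source_ip, ip, wildcard):
            return action
    return "deny"


# The mistake from the slide: the subnet deny comes first, so the permit for
# Sandeep's PC is never reached, and the implicit deny blocks everyone else.
WRONG_ORDER = [
    ("deny", SUBNET, SUBNET_WC),        # access-list 10 deny 192.168.5.0 0.0.0.255
    ("permit", SANDEEP_PC, HOST_WC),    # access-list 10 permit host 192.168.5.10
]

# The corrected order: most specific rule first, then the subnet deny, then
# an explicit "permit any" so the implicit deny does not swallow the rest.
RIGHT_ORDER = [
    ("permit", SANDEEP_PC, HOST_WC),    # access-list 10 permit host 192.168.5.10
    ("deny", SUBNET, SUBNET_WC),        # access-list 10 deny 192.168.5.0 0.0.0.255
    ("permit", "0.0.0.0", ANY_WC),      # access-list 10 permit any
]

if __name__ == "__main__":
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for src in (SANDEEP_PC, "192.168.5.77", "10.1.1.1"):
            print(f"{name}: source {src} -> {evaluate_standard_acl(acl, src)}")
```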
Slide 17: Standard ACL Command Syntax

Slide 18: Applying an ACL to an Interface
- Once we have an ACL, we have to apply it to a specific interface and in a specific direction:
    interface fa0/0
    ip access-group 10 out

Slide 19: Editing ACLs: The Easy Way
1. Show the entries for a specific ACL from the running configuration.
2. Copy them into a text file.
3. Edit the text file.
4. Do "no access-list 10" to remove the ACL from the router.
5. Paste the corrected ruleset back into the router.

Slide 20: Named ACLs
- Named ACLs are good as they help to document the purpose of the ACL.

Slide 21: Is My ACL Working?
- How do I know if my ACL is working?
- Has it permitted or denied any traffic?
- Which rules are being used?

Slide 22: Extended ACLs: More Power
- Src/dest IP, L4 protocol, src/dest ports.

Slide 23: Extended ACLs
- Operators to test whether ports match, don't match, or are in a specific range; and whether a packet starts a connection or is part of an established connection.
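An added example, not part of the original deck, that models extended-ACL matching in Python: protocol, wildcard-matched source and destination, the eq/neq/range port operators, and the established keyword (a TCP segment with ACK or RST set, i.e. not a fresh SYN). The LAN, the web server address and the UDP port range are constructed assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")        # "any": every wildcard bit is ignored

def wildcard_match(ip, rule_ip, wildcard):
    p, r, w = (int(ipaddress.IPv4Address(x)) for x in (ip, rule_ip, wildcard))
    return (p & ~w) == (r & ~w)             # wildcard bit 0 = check, 1 = ignore

def port_match(op, values, port):
    if op is None:                          # the rule tests no port at all
        return True
    if op == "range":                       # inclusive low..high
        return values[0] <= port <= values[1]
    if op in ("eq", "neq"):
        return (port == values[0]) == (op == "eq")
    raise ValueError(f"unsupported port operator {op}")

def rule(action, proto, src, dst, dport_op=None, dport=(), established=False):
    return dict(action=action, proto=proto, src=src, dst=dst,
                dport_op=dport_op, dport=dport, established=established)

def rule_matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])):
        return False
    if not port_match(r["dport_op"], r["dport"], pkt.get("dport")):
        return False
    # "established" matches TCP segments with ACK or RST set, i.e. traffic inside a
    # conversation that already started; a fresh SYN carries neither and fails here.
    if r["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def evaluate(acl, pkt):
    for r in acl:                           # first matching rule wins
        if rule_matches(r, pkt):
            return r["action"]
    return "deny"                           # implicit deny at the bottom

# Constructed scenario (assumption): LAN 192.168.1.0/24 with a public web server at
# 192.168.1.20; the ACL is applied in-bound on the WAN interface.
LAN, WEB = ("192.168.1.0", "0.0.0.255"), ("192.168.1.20", "0.0.0.0")
INBOUND = [
    rule("permit", "tcp", ANY, WEB, "eq", (80,)),           # new connections to the web server
    rule("permit", "tcp", ANY, LAN, established=True),      # replies to sessions the LAN started
    rule("permit", "udp", ANY, WEB, "range", (10000, 10010)),  # a constructed UDP port range
]
```

Packets are plain dicts with proto, src, dst and, for TCP/UDP, dport plus the ack/rst flags; a new SYN to port 22 on a LAN host is dropped by the implicit deny, while an ACK-bearing reply to a LAN-started session is permitted by the established rule.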
Slide 24: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to apply an extended ACL to an interface.

Slide 25: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to create named extended ACLs.

Slide 26: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- List the three types of complex ACLs.

Slide 27: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use dynamic ACLs.

Slide 28: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use reflexive ACLs.

Slide 29: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use time-based ACLs.

Slide 30: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to troubleshoot common ACL problems.

Slide 31: Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment
- Create, place and verify a standard/extended ACL and verify its placement.
- Verify the ACL's functionality and troubleshoot as needed.

Slide 32: Summary
- An Access List (ACL) is a series of permit and deny statements that are used to filter traffic.
- Standard ACL
  - Identified by numbers and
  - Filters traffic based on source IP address
- Extended ACL
  - Identified by number &
  - Filters traffic based on source IP address, destination IP address, protocol and port number

Slide 33: Summary
- Named ACL
  - Used with IOS 11.2 and above
  - Can be used for either a standard or an extended ACL
- ACLs use Wildcard Masks (WCM)
  - Described as the inverse of a subnet mask
  - Reason: 0 = check the bit, 1 = ignore the bit

Slide 34: Summary
- Implementing ACLs
  - 1st: create the ACL
  - 2nd: place the ACL on an interface
    - Standard ACLs are placed nearest the destination
    - Extended ACLs are placed nearest the source
- Use the following commands for verifying & troubleshooting an ACL
  - show access-list
  - show interfaces
  - show run

Slide 35: Summary
- Complex ACL
  - Dynamic ACL
  - Reflexive ACL
  - Time-based ACL