© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Slide 1: Access Control Lists. Accessing the WAN – Chapter 5 (Version 4.0)

Slide 2: Objectives
- Explain how ACLs are used to secure a medium-size enterprise branch office network.
- Configure standard ACLs in a medium-size enterprise branch office network.
- Configure extended ACLs in a medium-size enterprise branch office network.
- Describe complex ACLs in a medium-size enterprise branch office network.
- Implement, verify and troubleshoot ACLs in an enterprise network environment.

Slide 3: Security in the Campus Model
- Core: not here. It is the fastest part of the network, and implementing security here would slow it down. Besides, traffic has already got into the network.
- Access switches: switch ports set to specific VLANs. Port security: disable the port if too many MAC addresses appear on it.
- Access routers: let traffic in/out from outside the network. A good place to enforce security.
- Inter-VLAN routers or L3 switches: allow traffic to cross between VLANs. A good place to enforce security.

Slide 4: Routers Inspect Packet Fields
- Routers already inspect the destination IP address of a packet to determine how to route it, and may drop the packet if there is no route.
- We add a security mechanism: Access Control Lists (ACLs).
- ACL: a set of rules that inspect some fields in a packet. If the packet matches a rule, we can choose to keep the packet or drop the packet.

Slide 5: Explain How ACLs Are Used to Secure a Medium-Size Enterprise Branch Office Network
- What steps occur in a complete TCP conversation?

Slide 6: What Fields Can Be Inspected?
- IP source address
- IP destination address
- Layer 4 protocol, e.g. TCP, IP, ICMP
- Layer 4 source port
- Layer 4 destination port, e.g. port 80 for the web
- Whether the packet is the start of a connection (SYN) or not
- NOTE: traffic is bi-directional. Port 80 might be the destination port in one direction, but the source port in the other direction.

Slide 7: Explain How ACLs Are Used to Secure a Medium-Size Enterprise Branch Office Network
- Explain how a packet filter allows or blocks traffic.

Slide 8: Where Can ACL Rules Be Applied?
- A group of rules (tests, entries) forms an Access Control List.
- An ACL can be applied to a router interface in-bound: it is checked as soon as traffic arrives, before it is routed.
- An ACL can be applied to a router interface out-bound: it is checked as packets are queued for retransmission.
- On each interface we can have two ACLs: one in-bound and one out-bound.

Slide 9: Example Location of ACLs on Router Interfaces

Slide 10: Rules in an Access Control List
- Each rule (test, entry) is applied in turn. If there is no match, move to the next rule.
- If there is a match, obey that rule's permit or deny operation and stop.
- If no rule matches, drop the packet.

Slide 11: Standard and Extended ACLs
- A standard ACL has rules that only match the source IP address and wildcard. Example:
- An extended ACL has rules that also match destination IP, L4 protocol and source & destination ports.
- Wildcard: the inverse of a netmask. Think of it as a range. means 30.0 up to

Slide 12: Naming or Numbering an ACL
- ACLs can be numbered or named.
- Standard ACLs: a name, or a number from 1 to 99.
- Extended ACLs: a name, or a number from 100 to 199.

Slide 13: Where to Place ACLs: Rule of Thumb
- Extended: as close to the traffic source as possible.
- Standard: as close to the destination as possible.

Slide 14: ACL Best Practices
- ACLs implement your organisation's security policy.
- They are often unreadable, so give each one a description.
- They are fiddly to edit, so use a text editor.
- They will cause havoc when mistakes are made, so always test them on a development network before you put them into production.

Slide 15: ACLs: Rule Order Is Important
- We want to block all of /24 from coming into our LAN, but we want to let in.
  access-list 10 deny
  access-list 10 permit
- This in fact will also block the host we wanted to let in. And it will block all other traffic too: there is an implicit "deny all" rule at the bottom.
- Reorder the rules:
  access-list 10 permit
  access-list 10 deny
  access-list 10 permit

Slide 16: Special Shorthand Keywords
- "host X" matches a single host address.
- "any" matches all IP addresses.
- We can rewrite the ACL on the previous slide:
  access-list 10 remark Let Sandeep's PC in to the LAN
  access-list 10 permit host
  access-list 10 remark But stop the rest of subnet 5.0
  access-list 10 deny
  access-list 10 remark All other traffic can come in
  access-list 10 permit any

Slide 17: Standard ACL Command Syntax

Slide 18: Applying an ACL to an Interface
- Once we have an ACL, we have to apply it to a specific interface in a specific direction:
  interface fa0/0
  ip access-group 10 out

Slide 19: Editing ACLs: The Easy Way
- Show the entries for a specific ACL from the running configuration.
- Copy them into a text file.
- Edit the text file.
- Do "no access-list 10" to remove the ACL from the router.
- Paste the corrected ruleset back into the router.

Slide 20: Named ACLs
- Named ACLs are good as they help to document the purpose of the ACL.

Slide 21: Is My ACL Working?
- How do I know if my ACL is working? Has it permitted or denied any traffic? Which rules are being used?
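The wildcard-mask matching, sequential first-match evaluation, implicit deny and rule-order trap on slides 11, 15 and 16, plus the per-rule hit counters that answer slide 21's "which rules are being used?", as an added Python model. This is example code written for this page, not Cisco's code and not anything from the slides; it models the documented IOS standard-ACL semantics in a few dozen lines, and the addresses (192.168.5.0/24, host 192.168.5.10) are constructed stand-ins for the ones missing from the transcript.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'this bit must match',
    a 1 bit means 'ignore this bit'. Inverting the wildcard gives the bits to compare."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (packet_addr, rule_addr, wildcard))
    check_bits = ~w & 0xFFFFFFFF
    return (a & check_bits) == (r & check_bits)


@dataclass
class Rule:
    action: str       # "permit" or "deny"
    addr: str         # source address or network named by the rule
    wildcard: str     # "0.0.0.0" for one host, "255.255.255.255" for any
    text: str         # the original line, kept for display


def parse_standard_acl(lines: List[str]) -> List[Rule]:
    """Parse IOS-style standard ACL lines. Accepts 'host X', 'any', 'addr wildcard'
    and a bare address (which IOS treats as a single host). Remark lines are skipped."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, rest = t[2], t[3:]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        if rest[0] == "any":
            rules.append(Rule(action, "0.0.0.0", "255.255.255.255", line))
        elif rest[0] == "host":
            rules.append(Rule(action, rest[1], "0.0.0.0", line))
        elif len(rest) == 1:
            rules.append(Rule(action, rest[0], "0.0.0.0", line))
        else:
            rules.append(Rule(action, rest[0], rest[1], line))
    return rules


def evaluate(rules: List[Rule], src: str) -> Tuple[str, Optional[int]]:
    """Sequential first-match evaluation. Returns (action, rule index); an index of
    None means no rule matched and the implicit 'deny all' at the end fired."""
    for i, rule in enumerate(rules):
        if wildcard_match(src, rule.addr, rule.wildcard):
            return rule.action, i
    return "deny", None


def match_counts(rules: List[Rule], sources: List[str]) -> dict:
    """Per-rule hit counters, the information 'show access-lists' reports as
    '(N matches)'. Key None counts packets that fell through to the implicit deny."""
    counts = {i: 0 for i in range(len(rules))}
    counts[None] = 0
    for src in sources:
        counts[evaluate(rules, src)[1]] += 1
    return counts


# Constructed example (not from the slides): block 192.168.5.0/24 but let host 192.168.5.10 in.
WRONG_ORDER = parse_standard_acl([
    "access-list 10 deny 192.168.5.0 0.0.0.255",
    "access-list 10 permit host 192.168.5.10",
])
RIGHT_ORDER = parse_standard_acl([
    "access-list 10 remark Let the one PC in to the LAN",
    "access-list 10 permit host 192.168.5.10",
    "access-list 10 remark But stop the rest of subnet 5.0",
    "access-list 10 deny 192.168.5.0 0.0.0.255",
    "access-list 10 remark All other traffic can come in",
    "access-list 10 permit any",
])

if __name__ == "__main__":
    sample = ["192.168.5.10", "192.168.5.99", "10.1.1.1"]   # constructed source addresses
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name)
        for src in sample:
            action, idx = evaluate(acl, src)
            hit = acl[idx].text if idx is not None else "implicit deny all"
            print(f"  {src:15} -> {action:6} ({hit})")
        print("  hits:", match_counts(acl, sample))
```

With the rules in the wrong order the permitted host is caught by the subnet deny first, and every address outside the subnet falls through to the implicit deny, so the ACL blocks everything. The hit counters show the same thing a `show access-lists` on the router would: a permit line with zero matches after real traffic has flowed is the usual sign of a shadowed rule.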

Slide 22: Extended ACLs: More Power
- Source/destination IP, L4 protocol, source/destination ports.

Slide 23: Extended ACLs
- Operators to test whether ports match, don't match, or are in a specific range; and whether a packet starts a connection or is part of an established connection.

Slide 24: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to apply an extended ACL to an interface.

Slide 25: Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to create named extended ACLs.

Slide 26: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- List the three types of complex ACLs.

Slide 27: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use dynamic ACLs.

Slide 28: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use reflexive ACLs.

Slide 29: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Explain how and when to use time-based ACLs.

Slide 30: Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
- Describe how to troubleshoot common ACL problems.

Slide 31: Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment
- Create, place and verify a standard/extended ACL, and verify its placement.
- Verify the ACL's functionality and troubleshoot as needed.

Slide 32: Summary
- An Access List (ACL) is a series of permit and deny statements that are used to filter traffic.
- Standard ACL:
  - Identified by numbers
  - Filters traffic based on source IP address
- Extended ACL:
  - Identified by number
  - Filters traffic based on source IP address, destination IP address, protocol, and port number

Slide 33: Summary
- Named ACL:
  - Used with IOS 11.2 and above
  - Can be used for either standard or extended ACLs
- ACLs use Wildcard Masks (WCM):
  - Described as the inverse of a subnet mask. Reason:
  - 0 → check the bit
  - 1 → ignore the bit

Slide 34: Summary
- Implementing ACLs:
  - 1st: create the ACL
  - 2nd: place the ACL on an interface. Standard ACLs are placed nearest the destination; extended ACLs are placed nearest the source.
- Use the following commands for verifying & troubleshooting an ACL:
  - show access-list
  - show interfaces
  - show run

Slide 35: Summary
- Complex ACLs:
  - Dynamic ACL
  - Reflexive ACL
  - Time-based ACL
