Chap 5 – Access Control Lists Learning Objectives


1 Chap 5 – Access Control Lists Learning Objectives
Explain how ACLs are used to secure a medium-size Enterprise branch office network.
Configure standard ACLs in a medium-size Enterprise branch office network.
Configure extended ACLs in a medium-size Enterprise branch office network.
Describe complex ACLs in a medium-size Enterprise branch office network.
Implement, verify and troubleshoot ACLs in an enterprise network environment.

2 Access Control Lists (ACL)
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny, based on specified conditions. ACLs enable management of traffic and secure access to and from a network. ACLs can be created for all routed network protocols, such as IP and Internetwork Packet Exchange (IPX), and can be configured at the router to control access to a network or subnet.

3 Access Control Lists (ACL)
An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
TCP/UDP source port
TCP/UDP destination port
Packet filtering, sometimes called static packet filtering, controls access to a network by analysing the incoming and outgoing packets and passing or halting them based on stated criteria. A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and decides, according to the filter rules, whether the packet can pass through or must be discarded.
Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists, or ACLs.

4 Access Control Lists (ACL)
Limit network traffic and increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
Decide which types of traffic are forwarded or blocked at the router interfaces. ACLs can permit traffic to be routed, but block all Telnet traffic.
Control which areas a client can access on a network. ACLs can be used to permit or deny a user access to services such as FTP or HTTP.

5 Packet Filtering
(Flowchart: for each packet the router asks "From which network?" and then "Asking for port 80?"; the answers select Permit or Deny.)
The IP header of all packets is monitored. Traffic from network is permitted to access HTTP services, but is denied access to anything else. Traffic from network is denied access to HTTP services, but allowed access to anything else.

6 How ACLs Work
ACLs must be defined on a per protocol, per direction, or per port basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. ACLs control traffic in one direction at a time on an interface, so two separate ACLs must be created to control inbound and outbound traffic. Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each protocol, times two for each direction, times two for the number of ports.

7 How ACLs Work
ACL statements operate in sequential, logical order, from top to bottom. If a condition is matched, the packet is permitted or denied and the rest of the ACL isn’t checked. An implicit deny any statement is at the end of all lists by default. This last line "deny any" is not visible, but it will not allow any unmatched packets to be permitted.
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured either to apply to inbound traffic or to apply to outbound traffic. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.
(Flowchart: frame arrives at inbound interface; L2 address match? ACL on interface? Any matches? Permit? Then route packet to outbound interface; ACL on interface? Any matches? Permit? Forward packet. A packet that reaches the end of either list without a match is dropped by the default deny.)

8 Standard ACLs Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. The example allows all traffic from the /24 network. Because of the implied deny any at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.

9 Extended ACLs Extended ACLs filter IP packets based on several attributes, for example protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. In the example, ACL 103 permits traffic originating from any address on the /24 network to any destination host on port 80 (HTTP). Extended ACLs are created in global configuration mode.

10 Numbering & Naming ACLs
Numbered ACLs - assign a number based on which protocol is to be filtered:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL
Named ACLs - assign a name by providing the name of the ACL:
Names can contain alphanumeric characters.
It is recommended that the name be written in CAPITAL LETTERS.
Names cannot contain spaces or punctuation and must begin with a letter.
It is possible to add or delete entries within the ACL.
Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, names can be used to identify a Cisco ACL. Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX. This course focuses only on IP ACLs.

11 ACL Placement Standard ACLs should be placed close to the destination.
Required to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, other traffic must be permitted. There are several ways to do this. The recommended solution is an extended ACL that specifies both source and destination addresses. Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses will still be permitted. The general rule is to put extended ACLs as close as possible to the source of the traffic to be denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A. In summary: standard ACLs should be placed close to the destination; extended ACLs should be placed close to the source.

12 ACL Best Practice Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Before starting to configure an ACL, basic planning is required: Base ACLs on the security policy of the organisation. Prepare a description of what ACLs are required to do. Use a text editor to create, edit and save ACLs. Test ACLs on a development network before implementing them on a production network.

13 Configuring Standard ACLs
(Topology: R1 with Fa0/0 and Fa0/1, PC1 and PC2 on separate /24 networks.)
Both ACLs have the same effect, due to the implicit deny at the end of all ACLs. For example, the two ACLs (101 and 102) in the slide have the same effect: network would be permitted to access network, while would not be allowed.

14 Creating Standard ACLs
access-list # permit/deny source IP wildcard
Standard access lists allow filtering based on the source address only. Each list can contain multiple lines, filtering a range of source addresses. Each line will be carried out in the order in which it is entered – entries cannot be reordered!
A standard access list line is built as follows:
Prefixed by <access-list> and the ID number for the access list (1-99).
Action – permit or deny.
Source IP address.
Wildcard mask.
Remember that each access list ends with an implicit deny!
To apply an access list, enter configuration mode on the required interface and use the <access-group> command followed by the access list ID and the direction of traffic on which the ACL will act.
To delete:

15 Standard ACL
access-list 2 deny 192.168.10.1
access-list 2 deny
access-list 2 permit
access-list 2 deny
access-list 2 permit
(Flowchart: each statement asks whether the packet's source address matches; Yes applies that statement's permit or deny, No moves on to the next statement, and a packet reaching the end of the list is dropped by the implicit deny.)
Put the most specific statement (i.e. an individual host) first in the access list, and gradually widen the range of addresses being checked. If too wide an address were used first, e.g. , then would be permitted instead of being denied.
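The top-down, first-match evaluation from slide 7 and the ordering pitfall on this slide can be checked offline. The following Python is an added example and not part of the course slides: it parses statements in the `access-list N permit|deny <source>` shape used above, applies Cisco wildcard semantics bit by bit, and stops at the first match, falling through to the implicit deny. The two sample lists and the addresses in them are constructed for the demonstration.

```python
import ipaddress


def ip_to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore',
    a 0 bit means 'must match exactly' (the opposite of a subnet mask)."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <source>' lines into
    (number, action, base, wildcard) tuples, in the order entered.
    <source> may be 'any', 'host A.B.C.D', a bare address (treated as a
    host) or 'A.B.C.D W.W.W.W'. A leading prompt such as 'R1(config)#'
    is stripped so pasted CLI output can be fed in directly."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split("#", 1)[-1].split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, source = int(parts[1]), parts[2], parts[3:]
        if source[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            base, wc = source[1], "0.0.0.0"
        elif len(source) == 1:
            base, wc = source[0], "0.0.0.0"
        else:
            base, wc = source[0], source[1]
        rules.append((number, action, base, wc))
    return rules


def evaluate(rules, src):
    """Top-down, first-match evaluation of a source address.
    Returns (action, index of the matching statement); an index of None
    means no statement matched and the implicit deny applied."""
    for i, (_, action, base, wc) in enumerate(rules):
        if wildcard_match(src, base, wc):
            return action, i
    return "deny", None


# Constructed sample ACLs (not from the slides). Both intend to block the
# single host 192.168.10.1 while permitting the rest of 192.168.10.0/24.
SPECIFIC_FIRST = parse_standard_acl("""
R1(config)#access-list 2 deny host 192.168.10.1
R1(config)#access-list 2 permit 192.168.10.0 0.0.0.255
""")

# Same two statements, wide one first: the host is never reached.
WIDE_FIRST = parse_standard_acl("""
R1(config)#access-list 2 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 2 deny host 192.168.10.1
""")

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("wide first", WIDE_FIRST)):
        for src in ("192.168.10.1", "192.168.10.7", "192.168.20.5"):
            print(f"{name:15} {src:15} -> {evaluate(acl, src)}")
```

Running it shows 192.168.10.1 denied by statement 0 in the first list but permitted by statement 0 in the second, 192.168.10.7 permitted either way, and 192.168.20.5 denied with index None, i.e. by the implicit deny. The same evaluator reproduces slide 23: a `deny` typed after `permit any` is stored but never reached.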

16 Verify Standard ACLs The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. When reviewing the ACL in the configuration, the remark is also displayed.

17 Wildcard Masks ACL statements include masks, also called wildcard masks. The mask determines how much of an IP source or destination address to apply to the address match. The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits. They are different from subnet masks, and follow different rules. Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s. Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single IP address or several.

18 Wildcards (Inverse Mask)
Allows you to indicate a host, subnet, network or range of IP addresses. The two binary values in the wildcard have different meanings: 0 = Must Match Exactly 1 = Ignore

19 Wildcard Masks
Source IP / Wildcard, octet by octet: Must match, Must match, Must match, Must match.
Range of matching addresses: the one address only.

20 Wildcard Masks
Source IP / Wildcard, octet by octet: Must match, Must match, Must match, Don’t Care.
Range of matching addresses: from the first to the last address of the fourth octet.

21 Wildcard Masks
Source IP / Wildcard, octet by octet: Must match, Must match, Don’t Care, Don’t Care.
Range of matching addresses: from the first to the last address of the third and fourth octets.

22 ACL Example 1
Standard Access List Format: access-list # permit/deny source IP wildcard
A(config)#access-list 5 deny
A(config)#access-list 5 deny
A(config)#access-list 5 permit any
So what does this access list do? The first line will deny only packets from source IP address – the wildcard means that the ACL must check every bit of the IP address for an exact match. The second line will deny only packets from source IP address – the wildcard will again force the ACL to check for an exact match. The third line defeats the implicit deny, thus letting all other packets pass.
If a single host is being matched, the wildcard can be dropped, as follows:
Access-list 5 deny host
Access-list 5 deny

23 ACL Example 2
Sample:
A(config)#access-list 5 deny 172.22.5.2 0.0.0.0
A(config)#access-list 5 permit any
What happens if you now type in the following?
A(config)#access-list 5 deny
‘ ’ performs the same function as prefixing the IP address with ‘host’, i.e. the filter action will be applied to a specific address. The additional line will be added after the ‘permit any’, therefore it will be ignored.

24 ACL Example 3
Source IP / Wildcard: 31 in binary is 0 0 0 1 1 1 1 1. 3rd octet = 10 = . All packets are compared to this value and the mask ’31’, so the first three bits must be 0s (must match) and the last 5 bits do not matter (don’t care). So acceptable values are through .

25 ACL Example 4
The hosts on subnet /27 are to be split, with the lower half denied access to a router. Write the required access list.
A /27 has an increment size of 32. The first address in the 2nd half of the subnet = 48.
Compare the last address from the 1st half with the 1st address in the 2nd half in binary: 47 = ; /27 = 224 = , therefore increment = 32; 48 = .
All numbers between 32 and 47 have bit 16 = 0. All numbers after 47 have bit 16 = 1.

26 ACL Example 4
47 = ; 48 = ; Wildcard Mask = 15.
Access-list 20 deny
End result: work out the number of hosts in the subnet (=30) and divide by 2 (=15).

27 ACL Example 5
The hosts on subnet /28 are to be split, with the upper half denied access to a router. Write the required access list.
A /28 has an increment size of 16. The first address in the 2nd half of the subnet = 64+8 = 72.
Compare the last address from the 1st half with the 1st address in the 2nd half in binary: 64 = ; /28 = 240 = , therefore increment = 16; 72 = .
All numbers between 64 and 71 have bit 8 = 0. All numbers after 72 have bit 8 = 1.

28 ACL Example 5
64 = ; 72 = ; Wildcard Mask = 7.
Access-list 20 permit
End result: work out the number of hosts in the subnet (=14) and divide by 2 (=7).

29 ACL Example 6
Permit network access for the 14 users in the subnet /28. Subtract the subnet mask of the network from :
Access-list 20 permit
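The arithmetic in Examples 3 to 6 (whole-subnet wildcard = 255.255.255.255 minus the mask; half-subnet wildcard = half the block size minus one) generalises to any prefix length, and the "range of matching addresses" from slides 19 to 21 can be computed from a base and wildcard directly. The following Python is an added example, not part of the course slides; the subnets 10.0.0.32/27 and 10.0.0.64/28 are constructed stand-ins for the ones in the examples, whose addresses did not survive the transcript.

```python
import ipaddress


def wildcard_for_prefix(prefix_len):
    """Whole-subnet wildcard: 255.255.255.255 minus the subnet mask (Example 6)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))


def half_subnet_entry(cidr, half):
    """(base, wildcard) covering the lower or upper half of a subnet (Examples 4, 5).
    Each half is itself a power-of-two block, so a single contiguous wildcard of
    (half size - 1) describes it: the lower half starts at the network address,
    the upper half at network address + half size."""
    net = ipaddress.ip_network(cidr, strict=True)
    size = net.num_addresses              # /27 -> 32, /28 -> 16
    if size < 2:
        raise ValueError("a subnet must hold at least two addresses to be split")
    half_size = size // 2
    offset = 0 if half == "lower" else half_size
    base = int(net.network_address) + offset
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(half_size - 1))


def covered_range(base, wildcard):
    """First and last address matched by base/wildcard when the wildcard is
    contiguous (all its 1 bits at the low end), as on slides 19-21.
    A non-contiguous wildcard such as 0.0.0.254 matches a scattered set of
    addresses, not a single block, so it is rejected here."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard; matches are not a single range")
    first = b & ~w & 0xFFFFFFFF
    last = b | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def acl_line(number, action, cidr, half=None):
    """Render a standard ACL statement for a whole subnet or for one half of it."""
    if half is None:
        net = ipaddress.ip_network(cidr, strict=True)
        base, wc = str(net.network_address), wildcard_for_prefix(net.prefixlen)
    else:
        base, wc = half_subnet_entry(cidr, half)
    return f"access-list {number} {action} {base} {wc}"


if __name__ == "__main__":
    # Example 4: deny the lower half of a /27 (the implicit deny handles nothing
    # else here; a following permit would be needed for the upper half).
    print(acl_line(20, "deny", "10.0.0.32/27", "lower"))
    # Example 5: deny the upper half of a /28 by permitting only the lower half
    # and letting the implicit deny drop the rest.
    print(acl_line(20, "permit", "10.0.0.64/28", "lower"))
    # Example 6: permit all 14 hosts of a /28 with one statement.
    print(acl_line(20, "permit", "10.0.0.64/28"))
    # Slides 19-21: which addresses does a base/wildcard pair actually cover?
    print(covered_range("10.0.0.48", "0.0.0.15"))
```

For the constructed subnets this yields `10.0.0.32 0.0.0.15` (wildcard 15, as in Example 4), `10.0.0.64 0.0.0.7` (wildcard 7, as in Example 5) and `10.0.0.64 0.0.0.15` (as in Example 6); `covered_range` confirms that 10.0.0.48 with wildcard 0.0.0.15 matches exactly 10.0.0.48 through 10.0.0.63, the upper half of the /27.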

30 Wildcard Mask Keywords
The keywords host and any help identify the most common uses of wildcard masking, eliminating the need to enter wildcard masks when identifying a specific host or network.
The host option substitutes for the mask: instead of entering , use host .
The any option substitutes for the IP address and mask: instead of entering , use the keyword any by itself.

31 Applying Standard ACLs
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
After a standard ACL is configured, it is linked to an interface using the ip access-group command:
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. Direction refers to the direction in which packets must be flowing in order for the ACL to check them.

32 Standard ACLs to Control VTY Access
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
Restricting VTY access allows the definition of which IP addresses are allowed Telnet access to the router EXEC process. This technique can be used with SSH to further improve administrative access security. The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions by default. The parameter ‘in’ restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter ‘out’ restricts outgoing connections between a particular Cisco device and the addresses in the access list.
The following should be considered when configuring access lists on VTYs:
Only numbered access lists can be applied to VTYs.
Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

33 Editing Numbered ACLs When configuring an ACL, the statements are added in the order that they are entered, at the end of the ACL. However, there is no built-in editing feature that allows you to edit a change in an ACL - selectively inserting or deleting lines is not possible. Therefore, any ACL is best constructed in a text editor such as MS Notepad, allowing the ACL to be edited and then pasted into the router as follows:
Display the ACL using the sh run command.
Highlight the ACL, copy it, and then paste it into MS Notepad.
Edit the list as required.
Once the ACL is correctly displayed in MS Notepad, highlight it and copy it.
In global configuration mode, remove the old access list using the no access-list command.
Then paste the new ACL into the configuration of the router.

34 Creating Named ACLs
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
Naming an ACL makes it easier to understand its function. Named ACLs have a different configuration mode and command syntax. Named ACLs allow standard and extended ACLs to be given names instead of numbers. The following are advantages provided by a named access list:
Alphanumeric names can be used to identify ACLs.
The IOS does not limit the number of named ACLs that can be configured.
Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. However, a named access list will only allow statements to be inserted at the end of the list. It is a good idea to use a text editor to create named ACLs.
Consider the following before implementing named ACLs:
1. Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
2. The same name may not be used for multiple ACLs.
A named ACL is created with the ip access-list command. This places the user in the ACL configuration mode.

35 Verifying ACLs There are many show commands that will verify the content and placement of ACLs on the router:
show ip interface
show access-lists
show access-list <ACL-number>
show running-config
The show ip interface command displays IP interface information and indicates whether any ACLs are assigned to the interface. The show access-lists command displays the contents of all ACLs on the router; to see a specific list, add the ACL name or number as an option for this command. The show running-config command will also reveal the access lists on a router and the interface assignment information.

36 Editing Named ACLs
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
Use of sequence numbers allows lines to be added to and removed from named ACLs. Named ACLs have a big advantage over numbered ACLs in that they are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow the deletion of individual entries in a specific ACL. Sequence numbers allow the insertion of statements anywhere in the named ACL. Earlier Cisco IOS software versions do not permit sequence numbers, therefore additional statements are added to the bottom of a named ACL.

37 Extended ACLs Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add additional security. Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services).

38 Extended ACLs At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number. The ability to filter on protocol and port number allows you to build very specific extended ACLs. Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port. The slide shows examples of both forms (Using Port Numbers, Using Keywords), each placing the port at the end of the extended ACL statement. Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).

39 Extended ACLs Use the ‘?’ to display a list of layer-4 protocols and their associated port numbers

40 Creating Extended ACLs
(Topology: ISP and routers R1, R2 and R3 connected by /30 serial links; R1 and R3 each have a /24 LAN on Fa0/0.)
In this example, the network administrator needs to restrict Internet access to allow only website browsing. ACL 103 applies to traffic leaving the network, and ACL 104 to traffic coming into the network. ACL 103 allows traffic coming from any address on the network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only. The nature of HTTP requires that traffic flow back into the network, but the network administrator wants to restrict that traffic to HTTP exchanges from requested websites. The security solution must deny any other traffic coming into the network. ACL 104 does that by blocking all incoming traffic, except for the established connections. HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages. The established parameter allows responses to traffic that originates from the /24 network to return inbound on S0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection.

41 Extended ACLs - Established
Allow access to traffic that originated in the network only; allow external network testing.
A(config)#access-list 101 Permit TCP Any Any Established
A(config)#access-list 101 Permit ICMP Any Any Echo-Reply
A(config)#access-list 101 Permit ICMP Any Any Unreachable

42 Applying Extended ACLs
(Topology: ISP and routers R1, R2 and R3 connected by /30 serial links; R1 and R3 each have a /24 LAN on Fa0/0.)
ACL 103 is allowing internal users to access the Internet – it is applied to S0/0/0 outbound. ACL 104 is allowing established Internet traffic to enter the network – it is applied to S0/0/0 inbound.

43 Applying Extended ACLs
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
Deny FTP traffic from subnet going to subnet , but permit all other traffic. FTP requires ports 20 and 21, therefore both eq 20 and eq 21 must be specified to deny FTP. With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name:
access-list 101 deny tcp eq ftp
access-list 101 deny tcp eq ftp-data

44 Applying Extended ACLs
(Topology: R1 with S0/0/0 on a /30 link and Fa0/0, Fa0/1 serving PC1 and PC2 on /24 networks.)
Deny Telnet traffic from leaving interface Fa0/0, but allow all other IP traffic from any other source to any destination out Fa0/0. Note the use of the any keywords, meaning from anywhere going to anywhere.

45 Named Extended ACLs
(Topology: ISP and routers R1, R2 and R3 connected by /30 serial links; R1 and R3 each have a /24 LAN on Fa0/0.)
Named extended ACLs are created in essentially the same way as named standard ACLs. To remove a named extended ACL, use the no ip access-list extended name global configuration command.

46 Complex ACLs
Dynamic ACLs (lock-and-key) - Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
Reflexive ACLs - Allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.
Time-based ACLs - Allow for access control based on the time of day and week.

47 Dynamic ACLs
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
Use of a challenge mechanism to authenticate individual users
Simplified management in large internetworks
In many cases, reduction of the amount of router processing that is required for ACLs
Reduction of the opportunity for network break-ins by network hackers
Creation of dynamic user access through a firewall, without compromising other configured security restrictions
Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs. Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible.

48 Dynamic ACLs
(Topology: ISP and routers R1, R2 and R3 connected by /30 serial links; PC1 and PC2 on /24 LANs; R1 and R3 each have Fa0/0.)
PC1 is an administrator that requires back-door access to the /24 network located on router R3. A dynamic ACL has been configured on router R3 to allow FTP and HTTP access, but only for a limited time.

49 Reflexive ACLs Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists. Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to allow replies back in. Reflexive ACLs contain only temporary entries. These entries are automatically created when a new IP session begins, for example with an outbound packet, and are automatically removed when the session ends.
Reflexive ACLs provide a truer form of session filtering than an extended ACL that uses the established parameter introduced earlier. Although similar in concept to the established parameter, reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits. The established option also does not work with applications that dynamically alter the source port for the session traffic. The permit established statement only checks the ACK and RST bits, not the source and destination addresses.
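The difference between the established keyword (slides 40 and 41) and reflexive session tracking (this slide) is easiest to see on a concrete packet sequence. The following Python is an added example, not part of the course slides or of Cisco IOS: `is_established` implements the test the slides describe for `permit tcp any any established` (ACK or RST set, nothing else consulted), and `ReflexiveFilter` is a simplified model of a reflexive ACL that mirrors each outbound 5-tuple into a temporary entry; real IOS entries also expire on a timeout, which this model omits. The addresses, ports and packets are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. frozenset({"SYN", "ACK"})


def is_established(pkt):
    """What `permit tcp any any established` tests: a TCP segment with the ACK
    or RST bit set. Addresses and ports are not consulted, and UDP or ICMP can
    never match because they carry no such bits."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveFilter:
    """Simplified model of a reflexive ACL: each outbound packet creates a
    temporary mirror entry (addresses and ports swapped); an inbound packet is
    permitted only if it matches one of those entries. Works for UDP and ICMP
    as well as TCP because it keys on the 5-tuple, not on TCP flags."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        # Record the 5-tuple the way the reply will look when it comes back in.
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions


def run_demo():
    """Constructed traffic: one HTTPS session and one DNS query leave the LAN,
    then three inbound packets are judged by both mechanisms.
    Returns {name: (established_permits, reflexive_permits)}."""
    inside, web, dns, other = "192.168.10.10", "203.0.113.5", "203.0.113.53", "203.0.113.99"
    rf = ReflexiveFilter()
    rf.outbound(Packet("tcp", inside, 51000, web, 443, frozenset({"SYN"})))
    rf.outbound(Packet("udp", inside, 40000, dns, 53))
    inbound = {
        # The genuine reply to the HTTPS request: both mechanisms permit it.
        "syn_ack_reply": Packet("tcp", web, 443, inside, 51000, frozenset({"SYN", "ACK"})),
        # A TCP segment that merely has ACK set but belongs to no session:
        # `established` permits it, the reflexive entry table does not.
        "unsolicited_ack": Packet("tcp", other, 4444, inside, 22, frozenset({"ACK"})),
        # The DNS answer: `established` cannot express UDP at all.
        "dns_reply": Packet("udp", dns, 53, inside, 40000),
    }
    return {name: (is_established(p), rf.inbound(p)) for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (est, refl) in run_demo().items():
        print(f"{name:16} established={est!s:5} reflexive={refl}")
```

The output shows the three cases the slide describes: the real reply passes both checks, the unsolicited ACK-flagged segment passes only the established check (it looks at nothing but the flag bits), and the UDP reply passes only the reflexive check.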

50 Reflexive ACLs Reflexive ACLs have the following benefits:
Help secure networks against network hackers and can be included in a firewall defense.
Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
Simple to use and, compared to basic ACLs, provide greater control over which packets enter a network.

51 Reflexive ACLs
(Topology: ISP and routers R1, R2 and R3 connected by /30 serial links; R1 and R3 each have a /24 LAN on Fa0/0.)
The ACL permits ICMP outbound and inbound traffic, while it permits only TCP traffic that has been initiated from inside the network. All other traffic will be denied.

52 Time-Based ACLs Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, create a time range that defines specific times of the day and week. Identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself. Benefits of time-based ACLs include:
Offer the network administrator more control over permitting or denying access to resources.
Allow network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly.

53 Time-Based ACLs
[Topology figure: ISP, R1, R2, R3; interfaces S0/1/0 /27, S0/0/1 /30, S0/0/0 /30, Fa0/0 /24]
To remove a named extended ACL, use the no ip access-list extended name global configuration command. Telnet connection is permitted from /24 to any network on Mon, Weds, and Fri during business hours.
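The following configuration is an added example of the time-based ACL the slide describes; it is not taken from the slides or the lab. The LAN 192.168.10.0/24, the router name R1, the interface FastEthernet0/0, the NTP server address and the reading of "business hours" as 08:00 to 17:00 are constructed assumptions.

```ios
! Added example (not from the slides): Telnet from one LAN permitted only on
! Monday, Wednesday and Friday during business hours.
! 192.168.10.0/24, R1, FastEthernet0/0, the NTP server and 08:00-17:00 are assumptions.
!
! 1. A time-based ACL is only as good as the router clock, so synchronise it first.
!    (192.168.20.254 is a constructed NTP server address.)
clock timezone EST -5
ntp server 192.168.20.254
!
! 2. Define the named time range.
time-range EVERYOTHERDAY
 periodic Monday Wednesday Friday 8:00 to 17:00
!
! 3. Reference the range from an ACL entry. Outside the range the entry is
!    inactive, so Telnet falls through to the explicit deny and is logged there.
!    This gives the time-limited logging the previous slide mentions.
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq telnet log
access-list 101 permit ip any any
!
! 4. Apply the ACL inbound on the interface facing that LAN.
interface FastEthernet0/0
 ip access-group 101 in
!
! Verification: "show time-range" reports whether EVERYOTHERDAY is active now,
! and "show access-lists 101" marks the Telnet entry (active) or (inactive).
```

The explicit deny with log is optional, but without it Telnet outside the window would still be dropped by the permit ip any any? No: it would be permitted, because the time-range entry is skipped when inactive and the next line permits everything. Keep the deny in place whenever the intent is to block outside the window.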

54 Chap 5 – Access Control Lists Learning Objectives
Explain how ACLs are used to secure a medium-size Enterprise branch office network. Configure standard ACLs in a medium-size Enterprise branch office network. Configure extended ACLs in a medium-size Enterprise branch office network. Describe complex ACLs in a medium-size Enterprise branch office network. Implement, verify and troubleshoot ACLs in an enterprise network environment.

55 Any Questions?

56 Lab Topology Chapter 5.2.8 – Standard ACLs
[Topology figure: ISP, R1, R2, R3; switches S1, S2, S3; hosts PC1, PC2, PC3, PC4, Ext Host and a WWW/TFTP server; serial links S0/0/0, S0/0/1 (DCE) and S0/1/0 with /27 and /30 prefixes; LAN interfaces Fa0/0 and Fa0/1 with /24 and /27 prefixes]
The router (R1) connected to the Internet is used to propagate a default route to other routers in the OSPF routing domain. This router is sometimes called the edge, entrance or gateway router. However, in OSPF terminology, the router located between an OSPF routing domain and a non-OSPF network is called the Autonomous System Boundary Router (ASBR). In the topology shown, the Loopback1 (Lo1) represents a link to a non-OSPF network.
Lab requirements:
Allow only PC1 to Telnet to R3.
The /24 network is allowed access to all locations, except the /24 network.
The /24 network is allowed access to all destinations, except to any networks connected to the ISP.
The /10 network is allowed access to all destinations.
Host is not allowed access outside of the LAN.
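The following configuration is an added example of how the standard ACL requirements above can be met; it is not the lab's answer key. The lab's addresses are not present in this transcript, so every address, the host PC1 = 192.168.10.10, the restricted host 192.168.30.128 and the mapping of each requirement to a network are constructed assumptions.

```ios
! Added example (not the lab's answer key). Constructed topology:
!   R1 Fa0/0 192.168.10.0/24 (PC1 = 192.168.10.10)   R1 Fa0/1 192.168.11.0/24
!   R3 Fa0/0 192.168.30.0/24 (restricted host 192.168.30.128)
!   R2 Serial0/1/0 faces the ISP
! Standard ACLs test only the source address, so each list is placed as close
! to the destination as possible to avoid blocking traffic to other destinations.
!
! --- R3: allow only PC1 to Telnet to R3.
!     access-class filters the vty lines themselves, not a routed interface.
access-list 10 permit host 192.168.10.10
line vty 0 4
 access-class 10 in
!
! --- R3: 192.168.10.0/24 may reach everything except the R3 LAN.
!     Applied outbound on the LAN interface; the ACL cannot affect any other destination.
access-list 20 deny 192.168.10.0 0.0.0.255
access-list 20 permit any
interface FastEthernet0/0
 ip access-group 20 out
!
! --- R3: host 192.168.30.128 may not leave its LAN; the rest of the LAN is unrestricted.
!     Applied inbound on the LAN interface, so it also stops the host reaching R3 itself.
access-list 30 deny host 192.168.30.128
access-list 30 permit any
interface FastEthernet0/0
 ip access-group 30 in
!
! --- R2: 192.168.11.0/24 may reach everything except networks behind the ISP.
access-list 40 deny 192.168.11.0 0.0.0.255
access-list 40 permit any
interface Serial0/1/0
 ip access-group 40 out
!
! The network that is allowed to reach all destinations needs no entry: it is never
! named in a deny, and each list ends with permit any before the implicit deny.
!
! Verification: "show ip interface FastEthernet0/0" lists the inbound and outbound
! ACLs; "show access-lists" shows per-entry match counters after test traffic.
```

Each list ends with an explicit permit any because a standard ACL that contains only deny statements would, through the implicit deny, block every other source as well.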

57 Lab Topology Chapter 5.3.4 – Extended ACLs
[Topology figure: ISP, R1, R2, R3; switches S1, S2, S3; hosts PC1, PC2, PC3, PC4, Ext Host and a WWW/TFTP server; serial links S0/0/0, S0/0/1 (DCE) and S0/1/0 with /27 and /30 prefixes; LAN interfaces Fa0/0 and Fa0/1 with /24 and /27 prefixes]
Lab requirements:
Outside hosts are allowed to establish a web session with the internal web server on port 80 only. Only established TCP sessions are allowed in. Only ping replies are allowed through R2.
All IP addresses of the /24 network are blocked from accessing all IP addresses of the /24 network. The first half of /24 is allowed access to all other destinations. The second half of /24 network is allowed access to the /24 and /24 networks. The second half of /24 is allowed web and ICMP access to all remaining destinations. All other access is implicitly denied.
For the /24 network, block Telnet access to all locations and TFTP access to the corporate Web/TFTP server at All other access is allowed.
For the /24 network, allow TFTP access and web access to the corporate Web/TFTP server at Block all other traffic from the /24 network to the /24 network. All other access is allowed.
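The following configuration is an added example of how the extended ACL requirements above can be met; it is not the lab's answer key. The lab's addresses are not present in this transcript, so every address, the server address 192.168.20.254 and the mapping of each requirement to a router and network are constructed assumptions.

```ios
! Added example (not the lab's answer key). Constructed topology:
!   R1 Fa0/0 192.168.10.0/24            R1 Fa0/1 192.168.11.0/24
!   R2 Fa0/0 192.168.20.0/24, Web/TFTP server 192.168.20.254, Serial0/1/0 faces the ISP
!   R3 Fa0/0 192.168.30.0/24 ("first half" .0-.127, "second half" .128-.255)
! Extended ACLs match source, destination, protocol and port, so they are placed
! close to the source. Entries are tested top down; the first match wins.
!
! --- R1, inbound from 192.168.10.0/24: no Telnet anywhere, no TFTP to the server.
ip access-list extended R1-FA0-0-IN
 deny   tcp 192.168.10.0 0.0.0.255 any eq telnet
 deny   udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
 permit ip  192.168.10.0 0.0.0.255 any
interface FastEthernet0/0
 ip access-group R1-FA0-0-IN in
!
! --- R1, inbound from 192.168.11.0/24: only TFTP and web to the server,
!     nothing else to the server's LAN, all other destinations allowed.
ip access-list extended R1-FA0-1-IN
 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
 deny   ip  192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  192.168.11.0 0.0.0.255 any
interface FastEthernet0/1
 ip access-group R1-FA0-1-IN in
!
! --- R2, inbound from the ISP: web to the server only, established TCP, ping replies.
!     "established" checks only the ACK/RST bits (see the reflexive ACL slides),
!     and no echo-request entry means outside hosts cannot ping inside.
ip access-list extended R2-ISP-IN
 permit tcp  any host 192.168.20.254 eq www
 permit tcp  any any established
 permit icmp any any echo-reply
interface Serial0/1/0
 ip access-group R2-ISP-IN in
!
! --- R3, inbound from 192.168.30.0/24. The deny for the R2 LAN must come first or
!     the broad permit for the first half would match before it.
!     The wildcard 0.0.0.127 selects one half of the /24.
ip access-list extended R3-FA0-0-IN
 deny   ip   192.168.30.0   0.0.0.255 192.168.20.0 0.0.0.255
 permit ip   192.168.30.0   0.0.0.127 any
 permit ip   192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
 permit ip   192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
 permit tcp  192.168.30.128 0.0.0.127 any eq www
 permit icmp 192.168.30.128 0.0.0.127 any
interface FastEthernet0/0
 ip access-group R3-FA0-0-IN in
! No trailing permit on R3: "all other access is implicitly denied".
!
! Verification: "show access-lists" shows match counters per entry, which is the
! quickest way to confirm test traffic hit the line you expected.
```

The R3 list is the one to study for ordering: swapping the first two entries would let the first half of the LAN reach the R2 LAN, because the permit ip ... any line would match before the deny is ever tested.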

58 Lab Topology Chapter 5.2.8/5.3.4 – Standard/Extended ACLs

