Exam: 640-802
Exam Objective: Configure and apply ACLs based on network filtering requirements
Contents
- Introduction
- Technology Background
- Lab Scenario
- Lab Objectives
- Lab Solution
Introduction
Access lists (ACLs) filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.
Access lists are used in many other situations which do not deal with blocking packets. An example would be using Access List to determine which route will be advertised by a routing protocol.
Technology Background
Access lists are created using a series of statements called Access Control Entries (ACEs). Each ACE is a condition describing a network, or a host, or a protocol or a port or a combination of any of them.Before we get into types of Access Lists and their creation, there are some ground rules we need to know well about what happens when a packet arrives at an interface or is about to leave an interface and an ACL is applied to it:
- The Packet will be checked against the ACEs sequentially starting from the top.
- It will be compared with ACEs until a match is found. The action specified with the first ACE which matches will be taken and no further ACEs will be checked
- There is an implicit deny any the end. This means if the packet does not match any of the ACEs then it will be discarded.
- Standard Access Lists: These use only the source IP address in an IP packet as the condition to match a packet. This means that standard access lists will permit or deny all traffic from any host/network. They do not differentiate between type of traffic.
- Extended Access Lists: Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header. This gives us more control more what kind of traffic is permitted or denied.
Access Lists are created using the following syntax:
- Standard Access List : access-list <1-99|1300-1999> <permit|deny> <address|host|any> <wildcard-mask>
Numbers are used to identify ACLs. Standard access list use the 1-99 and 1300-1999 range.
permit or deny states the action to take if a packet matches the condition
We can permit or deny based on an address/mask (example 1), or a single IP address (host) (example 2) or any traffic (example 3).
We will discuss wildcard masks shortly.
Example 1:
access-list 1 permit 192.168.1.0 0.0.0.255
Example 2:
access-list 2 deny host 192.168.1.1
Example 3:
access-list 3 permit any
- Extended Access List: access-list <100-199 | 2000-2699> <permit|deny> <protocol> <source address> <source mask> < source port> <destination address> <destination mask> <destination port>
Extended ACLs use the numbers 100-199 and
2000-2699. In addition to the standard ACL options, we have the option
to specify the destination address, Layer 4 protocol or IP and source
and destination ports.
Example 1:
To block telnet traffic from any host to any host we will use the following Access List:
access-list 100 deny tcp any any eq 23
Note that eq stands for equal. We can use gt (greater than) and lt (less than) to specify port numbers.
Example 2:
To block traffic all IP traffic from the host 192.168.1.10 to network 10.1.1.0/24, we will use the following ACL:
access-list 101 deny ip host 192.168.1.10 10.1.1.0 0.0.0.255
Note that we have used a deny ACE. If this
is the only ACE in the ACL, we will need to add an explicit permit
statement in the end or else no traffic will be allowed due to the
implicit deny.
Masks are used with IP addresses in IP ACLs to specify what should be
permitted and denied. Masks in order to configure IP addresses on
interfaces start with 255 and have the large values on the left side,
for example, IP address 209.165.202.129 with a 255.255.255.224 mask.
Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is
sometimes called an inverse mask or a wildcard mask. When the value of
the mask is broken down into binary (0s and 1s), the results determine
which address bits are to be considered in processing the traffic. A 0
indicates that the address bits must be considered (exact match); a 1 in
the mask is a "don't care".This table further explains the concept.
| Mask Example | |
| network address (traffic that is to be processed) | 10.1.1.0 |
| mask | 0.0.0.255 |
| network address (binary) | 00001010.00000001.00000001.00000000 |
| mask (binary) | 00000000.00000000.00000000.11111111 |
Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.
- 255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)
- The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".
- The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
ip access-group <access-list> <in|out>
Example:
ip access-ground 101 in
We can use the following commands to verify Access Lists:
- show access-lists - Will show all access-lists configured on the router and the count of packets which were denied or permitted through each ACE
- show interfaces - Will show will ACL is applied in which directions on Interfaces.
Lab Scenario
We need some security added to our network shown in Figure 1. Your task is to configure the network such that:- HTTP and ICMP traffic should not be allowed from 172.16.0.0/24 and 172.17.0.0/24 networks to Server1 and Server 2. This configuration needs to be done at RouterA
- Only hosts 172.16.1.1 and 172.16.1.2 can access server Server1 from the 172.16.1.0/24 network. This configuration needs to be done at RouterB
- Only hosts 172.17.1.10 and 172.17.1.11 can access server Server2 from the 172.16.1.0/24 network. This configuration needs to be done at RouterC
Figure 1
Lab Objectives
- Create an Access List denying TCP/80 and ICMP traffic from 172.16.0.0/24 and 172.17.0.0/24 to Server1 and Server2. Apply on RouterA fa0/1
- Create an Access List permitting ip traffic from host 172.16.1.1 and 172.16.1.2 to Server1 and Server2. All other traffic to Server1 and Server2 should be blocked. Apply this ACL on fa0/0 on RouterB
- Create an Access List permitting ip traffic from host 172.17.1.10 and 172.17.1.11 to Server1 and Server2. All other traffic to Server1 and Server2 should be blocked. Apply this ACL on fa0/0 on RouterC
Lab Solution
The first task requires us to stop HTTP and ICMP traffic from coming to Server1 and Server2 by applying an ACL on RouterA. We will need to deny these traffic and then add an explicit permit in the end:RouterA(config)#access-list 101 deny tcp 172.16.0.0 0.0.255.255 host 192.168.1.1 eq 80
RouterA(config)#access-list 101 deny icmp 172.16.0.0 0.0.255.255 host 192.168.1.1
RouterA(config)#access-list 101 deny tcp 172.16.0.0 0.0.255.255 host 192.168.1.2 eq 80
RouterA(config)#access-list 101 deny icmp 172.16.0.0 0.0.255.255 host 192.168.1.2
RouterA(config)#access-list 101 deny tcp 172.17.0.0 0.0.255.255 host 192.168.1.1 eq 80
RouterA(config)#access-list 101 deny icmp 172.17.0.0 0.0.255.255 host 192.168.1.1
RouterA(config)#access-list 101 deny tcp 172.17.0.0 0.0.255.255 host 192.168.1.2 eq 80
RouterA(config)#access-list 101 deny icmp 172.17.0.0 0.0.255.255 host 192.168.1.2
RouterA(config)#access-list 101 permit ip any any
RouterA(config)#interface fa0/1
RouterA(config-if)#ip access-group 101 in
The Second task requires us to ensure that only the given hosts are able to access Server1 and Server2 by applying an ACL on RouterB. We first permit the given hosts and then deny all ip traffic destined to the Servers. In the end an explicit permit will be needed:
RouterB(config)#access-list 101 permit ip host 172.16.1.1 host 192.168.1.1
RouterB(config)#access-list 101 permit ip host 172.16.1.1 host 192.168.1.2
RouterB(config)#access-list 101 permit ip host 172.16.1.2 host 192.168.1.1
RouterB(config)#access-list 101 permit ip host 172.16.1.2 host 192.168.1.2
RouterB(config)#access-list 101 deny ip any host 192.168.1.1
RouterB(config)#access-list 101 deny ip any host 192.168.1.2
RouterB(config)#access-list 101 permit ip any any
RouterB(config)#interface fa0/0
RouterB(config-if)#ip access-group 101 in
The Last task also requires us to ensure that certain hosts are able to get to the Servers from RouterC:
RouterC(config)#access-list 101 permit ip host 172.17.1.10 host 192.168.1.1
RouterC(config)#access-list 101 permit ip host 172.17.1.10 host 192.168.1.2
RouterC(config)#access-list 101 permit ip host 172.17.1.11 host 192.168.1.1
RouterC(config)#access-list 101 permit ip host 172.16.1.11 host 192.168.1.2
RouterC(config)#access-list 101 deny ip any host 192.168.1.1
RouterC(config)#access-list 101 deny ip any host 192.168.1.2
RouterC(config)#access-list 101 permit ip any any
RouterC(config)#interface fa0/0
RouterC(config-if)#ip access-group 101 in
To verify this lab try to ping 192.168.1.1 from RouterB's fa0/0 interface. No ICMP reply should be received. The output will be similar to the one given below:
RouterB#ping 192.168.1.1 source fa0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.....
Success rate is 0 percent (0/5)
References:
Configuring IP Access Lists
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl
