Access Control List (ACLs)

From Mycomputer Notes


Revision as of 19:00, 10 September 2006

Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols.

ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications:

  • Source address
  • Destination address
  • Port number

An ACL can be created for all routed protocols to filter packets as they pass through a router. ACLs can be configured at the router to control access to a network or subnet. ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL (source address, destination address, upper-layer protocol, or other information). ACLs must be defined on a per-protocol basis. In other words, you must define an ACL for every protocol enabled on an interface if you want to control traffic flow for that interface.


How ACLs Work

An ACL is a group of statements that defines how packets:

  • Enter inbound interfaces
  • Relay through the router
  • Exit outbound interfaces of the router.

ACL Process Flow

ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If none of the ACL statements match, an implicit "deny any" statement is imposed. This means that even though you will not see the "deny any" as the last line of an ACL, it is there. If the frame entering the router interface matches the first test and that statement is a deny, the packet is denied access to the destination. It is discarded and dropped into the bit bucket, and it is not exposed to any ACL tests that follow. If the packet does not match the conditions of the first test, it drops to the next statement in the ACL.

ACL Flowchart test matching

Creating ACLs

An ACL is created in global configuration mode. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

ACL Range

Once the number range has been chosen, the type of ACL (standard/extended) is fixed; the administrator then enters the access-list statement using the keyword access-list followed by the proper parameters. The next step is to assign the ACL to the proper interface. ACL definition:

STEP 1 (create the list in global configuration mode)
Router>enable
Router#configure terminal
Router(config)#access-list <access_list_number> {permit | deny} <test_condition>

STEP 2 (apply the ACL to the interface with the access-group command, giving the direction)
Router(config)#interface <interface>
Router(config-if)#<protocol> access-group <access_list_number> {in | out}

Use the following rules to create and apply access lists:
  • There should be one access list per protocol per direction.
  • Standard access lists should be applied closest to the destination.
  • Extended access lists should be applied closest to the source.
  • The inbound or outbound interface should be referenced as if looking at the port from inside the router.
  • Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found then the packet is denied, and discarded.
  • There is an implicit deny any at the end of all access lists. This will not appear in the configuration listing.
  • Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
  • The match condition is examined first. The permit or deny is examined only if the match is true.
  • Never work with an access list that is actively applied.
  • A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
  • New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
  • An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
  • An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
  • Outbound filters do not affect traffic that originates from the local router.

Verifying ACLs

The Router IOS has some show commands that can be used to verify the content and placement of ACLs on a router.

  • show ip interface
  • show access-lists
  • show running-config

show ip interface
Displays IP interface information and indicates whether any ACLs are assigned to the interface.

show access-lists
Displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command.

show running-config
Will also reveal the access lists on a router and the interface assignment information.

Standard ACLs

Standard ACLs check the source address of IP packets that are routed. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. For example, packets that come in a particular Interface are checked for their source addresses and protocols. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface.

The full syntax of the standard ACL command is as follows:

Router(config)#access-list <access-list-number> {deny | permit | remark} <source> [<source-wildcard>] [log]

e.g.

! a bare host address implies the wildcard 0.0.0.0 (match every bit)
access-list 2 deny 172.16.1.1
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 deny 172.16.0.0 0.0.255.255
access-list 2 permit 172.0.0.0 0.255.255.255
ACL Parameters Description
Rules of Standard ACLs

Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. Access can be permitted or denied based on:

  • Packet Origination OR Destination.
  • Protocol Type
  • Port Address.

For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory.

! all three statements carry the same number, so they form one ACL;
! with the wildcard 0.0.0.255 the last octet is ignored, so the source is the 172.16.6.0/24 network
access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data

The syntax for the extended ACL statement can get very long and often will wrap in the terminal window.

Parameters of Extended ACLs
Extended ACL Rules

Wildcard Mask

A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means "check the corresponding bit value" and a wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value". A wildcard mask is paired with an IP address. The ones and zeros identify how to treat the corresponding IP address bits. ACLs use wildcard masking to identify a single address or multiple addresses for permit or deny tests. Say you want to test a Class B IP address for subnets that will be permitted: the wildcard mask bits below permit all packets from any host in the 172.30.16.0 (00010000) to 172.30.31.0 (00011111) subnets.

Wildcard Mask Bits
To begin, the wildcard mask checks the first two octets (172.30), using corresponding zero bits in the wildcard mask. Because there is no interest in individual host addresses (the host ID occupies the final octet), the wildcard mask ignores the final octet, using corresponding one bits in the wildcard mask.

In the third octet, the wildcard mask is 15 (00001111), and the IP address is 16 (00010000). The first four zeros in the wildcard mask tell the router to match the first four bits of the IP address (0001). Because the last four bits are ignored, all numbers in the range of 16 (00010000) to 31 (00011111) will match because they begin in the pattern 0001. For the final (least-significant) four bits in this octet, the wildcard mask ignores the value because in these positions, the address value can be binary zero or binary one, and the corresponding wildcard bits are ones. In this example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets 172.30.16.0 to 172.30.31.0. The wildcard mask does not match any other subnets.
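The matching rule above, together with the first-match walk through access-list 2 from the Standard ACLs section, as an added Python example (not code from the original page or from Cisco IOS): wildcard bits of 0 are compared, bits of 1 are ignored, and a packet that matches no statement falls through to the implicit deny.

```python
# Added example, not from the original page: wildcard-mask matching and
# first-match evaluation of a numbered standard ACL, using the page's own data.
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_ip, acl_ip, wildcard):
    """Wildcard bit 0 = check that bit, 1 = ignore it.  The packet matches
    when every checked bit equals the corresponding ACL address bit."""
    check = ~ip_to_int(wildcard) & 0xFFFFFFFF      # bits the ACL cares about
    return (ip_to_int(packet_ip) & check) == (ip_to_int(acl_ip) & check)

def evaluate_standard_acl(acl, source_ip):
    """Statements are tested top to bottom; the first match decides and the
    rest are skipped.  No match at all hits the implicit 'deny any'."""
    for action, addr, wildcard in acl:
        if wildcard_match(source_ip, addr, wildcard):
            return action
    return "deny"                                   # implicit deny any

# The page's access-list 2 (a bare host address implies wildcard 0.0.0.0)
ACL_2 = [
    ("deny",   "172.16.1.1", "0.0.0.0"),
    ("permit", "172.16.1.0", "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255"),
    ("permit", "172.0.0.0",  "0.255.255.255"),
]

def matching_subnets(acl_ip, wildcard):
    """List the a.b.X.0 subnets an address/wildcard pair covers, e.g. the
    page's 172.30.16.0 0.0.15.255 -> 172.30.16.0 through 172.30.31.0."""
    a, b = acl_ip.split(".")[:2]
    return [f"{a}.{b}.{x}.0" for x in range(256)
            if wildcard_match(f"{a}.{b}.{x}.0", acl_ip, wildcard)]

if __name__ == "__main__":
    # constructed sample sources: one per statement, plus one for the implicit deny
    for src in ("172.16.1.1", "172.16.1.77", "172.16.200.5", "172.99.1.1", "10.1.1.1"):
        print(f"{src:>14} -> {evaluate_standard_acl(ACL_2, src)}")
    print(matching_subnets("172.30.16.0", "0.0.15.255"))
```

Note that 172.16.1.1 is denied by the first statement even though the second statement would permit it, which is why the rules say to list specific hosts before general filters.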

Wildcard Any Command

Working with the binary representation of a wildcard mask can be repetitive, so the router IOS provides some keywords that save the administrator time. One of these keywords is ANY. The ANY keyword is used when the administrator wants to specify that any IP address will be matched. To indicate any IP address, you would enter 0.0.0.0; then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, 255.255.255.255). You can use the abbreviation ANY to communicate this same test condition to Cisco IOS ACL software. Instead of typing 0.0.0.0 255.255.255.255, you can use the word ANY by itself as the keyword. For example, instead of using this:

Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255

you can use this:

Router(config)#access-list 1 permit any

Wildcard Host Command

A second common condition where Cisco IOS permits an abbreviation in the ACL wildcard mask is when you want to match all the bits of an entire IP host address. For example, say you want to specify that a specific IP host address will be permitted in an ACL test. To indicate a host IP address, you would enter the full address (for example, 172.30.16.29); then, to indicate that the ACL should check all the bits in the address, the corresponding wildcard mask bits for this address would be all zeros (that is, 0.0.0.0). You can use the abbreviation HOST to communicate this same test condition to Cisco IOS ACL software. In the example, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front of the address. For example, instead of using this:

Router(config)#access-list 1 permit 172.30.16.29 0.0.0.0

you can use this:

Router(config)#access-list 1 permit host 172.30.16.29