FILTERING TRAFFIC USING ACCESS CONTROL LIST

Introducing Routing and Switching in the Enterprise – Chapter 8
Copyleft 2012 Vincenzo Bruno (www.vincenzobruno.it)
Released under Creative Commons License 3.0 By-Sa
Cisco name, logo and materials are Copyright Cisco Systems Inc.
Overview
Packet filtering
● Packet filtering can be simple or complex, denying or permitting traffic based on:
  ● Source IP address
  ● Destination IP address
  ● MAC addresses
  ● Protocols
  ● Application type
Configure Named ACLs (NACLs)
● Cisco IOS versions 11.2 and higher can create Named ACLs (NACLs).
● In an NACL, a descriptive name replaces the numerical ranges required for Standard and Extended ACLs.
● Named ACLs offer all the functionality and advantages of Standard and Extended ACLs; only the syntax for creating them is different.
● The name given to an ACL must be unique. Using capital letters in the name makes it easier to recognize in router command output and during troubleshooting.
● A Named ACL is created with the command:
  ip access-list {standard | extended} name
● After issuing this command, the router switches to NACL configuration subcommand mode.
Access Control List
● The primary use of ACLs is to identify the types of packets to accept or deny.
● ACLs identify traffic for multiple uses, such as:
  ● Specifying internal hosts for NAT
  ● Identifying or classifying traffic for advanced features such as QoS and queuing
  ● Restricting the contents of routing updates
  ● Limiting debug output
  ● Controlling virtual terminal access to routers
Types of ACLs
● Standard ACLs
  ● Filter based on the source IP address of a packet only.
  ● Standard ACLs permit or deny based on the entire protocol, such as IP, so denying a host denies all services from that host.
  ● Useful for allowing all services from a specific user, or LAN, access through a router while denying other IP addresses access.
  ● The identification number can range from 1 to 99 and from 1300 to 1999.
● Extended ACLs
  ● Filter also on the destination IP address, protocol, and port numbers.
  ● They are more specific and provide greater control.
  ● The identification number can range from 100 to 199 and from 2000 to 2699.
● Named ACLs
  ● Named ACLs (NACLs) are in either Standard or Extended format and are referenced by a descriptive name rather than a number.
  ● When configuring named ACLs, the router IOS uses a NACL subcommand mode.
ACL processing
● Access control lists consist of one or more statements.
● Each statement either permits or denies traffic.
● Traffic is compared to each statement in the ACL sequentially until a match is found or until there are no more statements.
● The last statement of an ACL is always an implicit deny, which is not displayed: a packet that matches no statement is dropped.
● After creating an access control list, apply it to an interface for it to become effective.
● The ACL targets traffic that is either inbound or outbound through the interface.
● The inbound or outbound direction is always from the perspective of the router.
● An ACL applied outbound to an interface has no effect on traffic inbound on that same interface.
Wildcard mask
● Blocking multiple addresses or ranges of addresses requires using either multiple statements or a wildcard mask.
● A wildcard mask uses 0s to indicate the bits of an IP address that must match exactly and 1s to indicate bits that are ignored.
● A wildcard mask of 0.0.0.0 requires an exact match on all 32 bits of the IP address. This mask equates to the use of the host parameter.
Configuring ACLs
● To filter a single host use:
  R1(config)#access-list 9 deny 192.168.15.99 0.0.0.0
  or
  R1(config)#access-list 9 deny host 192.168.15.99
● To filter all hosts, use a wildcard mask of 255.255.255.255 or the any parameter:
  R1(config)#access-list 9 permit 0.0.0.0 255.255.255.255
  or
  R1(config)#access-list 9 permit any
● Consider the following example that denies a specific host and permits all others:
  R1(config)#access-list 9 deny host 192.168.15.99
  R1(config)#access-list 9 permit any
Filter subnet traffic
● If 3 bits are used for subnetting the 192.168.77.0 network, the subnet mask is 255.255.255.224.
● Subtracting the subnet mask from the all-255s mask (255.255.255.255) results in a wildcard mask of 0.0.0.31.
● To permit the hosts on the 192.168.77.32 subnet (192.168.77.32 through 192.168.77.63), the ACL statement is:
  access-list 44 permit 192.168.77.32 0.0.0.31
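The following Python model is an added example, not part of the original slides. It implements the standard ACL behaviour described above (wildcard matching, top-down first-match evaluation, the hidden implicit deny, per-statement match counters) and adds a check the slides only warn about in prose: finding statements that can never match because an earlier statement already covers them (for example a "permit any" placed before a specific deny). The ACL statements, host addresses and the class and function names are constructed for the example; they are not IOS commands or output.

```python
import ipaddress
from dataclasses import dataclass, field


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignored. Forcing every ignored bit to 1
    on both sides leaves only the must-match bits to compare."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    network: str
    wildcard: str
    hits: int = 0      # match counter, like the one printed by 'show access-lists'


@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)

    def add(self, line: str) -> None:
        """Parse the three statement forms used on the slides:
        access-list N {permit|deny} host A.B.C.D
        access-list N {permit|deny} any
        access-list N {permit|deny} A.B.C.D [W.W.W.W]  (IOS assumes 0.0.0.0 if omitted)
        """
        tok = line.split()
        if tok[0] != "access-list" or int(tok[1]) != self.number:
            raise ValueError(f"not a statement for access-list {self.number}: {line!r}")
        action = tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if tok[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            network, wildcard = tok[4], "0.0.0.0"
        else:
            network = tok[3]
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"
        self.entries.append(Entry(action, network, wildcard))

    def evaluate(self, src: str) -> str:
        """Top-down, first match wins. Falling off the end is the implicit deny."""
        for entry in self.entries:
            if wildcard_match(src, entry.network, entry.wildcard):
                entry.hits += 1
                return entry.action
        return "deny"

    def shadowed(self) -> list:
        """Indices of entries that can never match because an earlier entry
        already covers every address they describe."""
        out = []
        ints = [(int(ipaddress.IPv4Address(e.network)),
                 int(ipaddress.IPv4Address(e.wildcard))) for e in self.entries]
        for j, (nj, wj) in enumerate(ints):
            for ni, wi in ints[:j]:
                # entry i covers entry j when j fixes every bit i fixes
                # (j's ignored bits are a subset of i's) and both agree on them
                if (wj & ~wi) == 0 and ((ni ^ nj) & ~wi & 0xFFFFFFFF) == 0:
                    out.append(j)
                    break
        return out


if __name__ == "__main__":
    # Constructed sample: the deny-host-then-permit-any list from the slides.
    acl9 = StandardAcl(9)
    acl9.add("access-list 9 deny host 192.168.15.99")
    acl9.add("access-list 9 permit any")
    for src in ("192.168.15.99", "192.168.15.100"):
        print(src, acl9.evaluate(src))
    # Same two lines in the wrong order: the deny is unreachable.
    bad = StandardAcl(10)
    bad.add("access-list 10 permit any")
    bad.add("access-list 10 deny host 192.168.15.99")
    print("shadowed entries:", bad.shadowed())
```

The shadowing check is the one to run before applying any hand-edited list: a shadowed deny is a silent policy failure, since the router reports no error and the statement simply shows zero matches.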
Planning ACL placement
● Plan the creation and placement of access control lists to maximize performance and availability.
● Planning involves the following steps:
  ● Determine the traffic filtering requirements
  ● Decide which type of ACL best suits the requirements
  ● Determine the router and the interface on which to apply the ACL
  ● Determine in which direction to filter traffic
Placing Standard ACL
Placing Extended ACL
Rules for placing ACLs
● Standard ACLs only filter based on the source address.
  ● They filter all traffic from that source, regardless of its destination.
  ● With routes to multiple networks, a standard ACL placed too close to the source may unintentionally block traffic that should be permitted.
  ● Therefore, it is important to place standard ACLs as close to the destination as possible.
● Extended ACLs offer more control than Standard ACLs.
  ● They filter on source and destination addresses.
  ● Place an Extended ACL close to the source address.
  ● By looking at both the source and destination address, the ACL blocks packets intended for a specific destination network before they leave the source router, so they never consume bandwidth on the path.
Determine Router and Interface for ACL
● Place ACLs on routers in either the Access or Distribution Layer.
● Selection of the appropriate interface depends on the filtering requirements, the ACL type, and the location of the designated router.
● It is best to filter traffic before it advances onto a lower bandwidth serial link.
● The interface selection is usually obvious once the router is chosen.
Determine Direction to Filter Traffic
● Visualize the traffic flow from the perspective of the router.
● Inbound traffic is traffic that is coming into a router interface from outside.
● The router compares the incoming packet to the ACL before looking up the destination network in the routing table.
● Packets discarded at this point save the overhead of routing lookups.
● Outbound traffic is inside the router and leaves through an interface.
● For an outbound packet, the router has already done a routing table lookup and has switched the packet to the correct interface.
Configure the ACL
● After capturing the requirements, planning the access control list, and determining the location, configure the ACL.
● Each ACL requires a unique identifier. This identifier can be either a number or a descriptive name.
● In numbered access control lists, the number identifies the type of ACL created:
  ● Standard IP ACLs have numbers in the ranges from 1 to 99 and from 1300 to 1999
  ● Extended IP ACLs have numbers in the ranges from 100 to 199 and from 2000 to 2699
● The limit for any one router interface is one ACL per protocol per direction.
● If a router is running IP exclusively, each interface handles a maximum of two ACLs: one inbound and one outbound.
Syntax for the Standard ACL
● The syntax for the Standard ACL statement is:
  access-list [access-list-number] [deny|permit] [source address] [source-wildcard] [log]
● Since every packet is compared to the ACL statements in order until a match is found, the order of the statements within the ACL can affect the latency introduced.
● Therefore, order the statements so that the more common conditions appear in the ACL before the less common ones, provided this does not change which statement a given packet matches first.
● Document the function of each section or statement of the ACL using the remark command:
  access-list [list number] remark [text]
● To delete an ACL, use the command:
  no access-list [list number]
  Note that for a numbered ACL this removes the entire list, not a single statement.
ACL Application
● Assign an ACL to one or more interfaces, specifying either inbound traffic or outbound traffic:
  R2(config-if)#ip access-group access-list-number [in | out]
● The following commands place access-list 5 on the R2 Fa0/0 interface, filtering inbound traffic:
  R2(config)#interface fastethernet 0/0
  R2(config-if)#ip access-group 5 in
● The default direction for an ACL applied to an interface is out.
● Even though out is the default, it is very important to specify the direction to avoid confusion and to ensure that traffic filters in the correct direction.
● To remove an ACL from an interface while leaving the ACL itself intact, use, in interface configuration mode:
  no ip access-group access-list-number [in | out]
Show commands
● show ip interface
  ● Displays IP interface information and indicates any assigned ACLs.
● show access-lists [access list number]
  ● Displays the contents of all ACLs on the router.
  ● It also displays the number of matches for each permit or deny statement since application of the ACL.
  ● To see a specific list, add the ACL name or number as an option for this command.
● show running-config
  ● Displays all configured ACLs on a router, even if they are not currently applied to an interface.
Configure Extended ACLs
● An extended ACL statement is built from the following fields, in this order:
  ● ACL number
  ● Condition (permit or deny)
  ● Protocol (for example ip, tcp, udp, icmp)
  ● Source IP address or network, with its wildcard mask
  ● Destination IP address or network, with its wildcard mask
  ● Matching condition (for example eq or range)
  ● TCP application (port number or name)
Editing ACLs
● With current versions of the IOS, edit numbered and Named ACLs using the ip access-list command.
● ACLs display with the lines numbered as 10, 20, 30, and so forth.
● To see the line numbers, use the command:
  show access-lists
● To edit an existing line:
  ● Remove the line using the no line-number command.
  ● Re-add the same line using its line number.
● To insert a new line between existing lines 20 and 30:
  ● Issue the new ACL statement, starting with a number between the two existing lines, such as 25.
Configure VTY access
● If an ACL that permits only specific IP addresses is applied to the router vty lines, anyone trying to telnet to the router from an IP address not permitted in the ACL will be denied access.
● On the vty lines the ACL is applied with the access-class command in line configuration mode, not with ip access-group.
● Follow these guidelines when configuring access lists on VTY lines:
  ● Apply a numbered ACL, not a Named ACL, to the VTY lines (a restriction of older IOS releases; current releases also accept named ACLs with access-class).
  ● Place identical restrictions on all VTY lines, because it is not possible to control the line on which a user may connect.
Application and port filtering
● Two FTP ACL statements (one for port 20, FTP data, and one for port 21, FTP control) can be combined into one with the range keyword:
  R1(config)#access-list 181 deny tcp any 192.168.77.0 0.0.0.255 range 20 21
Enable established traffic
● ACLs are often created to protect an internal network from outside sources.
● When internal users access external resources, the responses to those requests must pass back through the ACL.
● It is possible to create a single statement that permits internal users to establish a TCP session with external resources.
● Once the TCP three-way handshake is accomplished and the connection is established, all packets sent between the two devices will be permitted.
● To accomplish this, use the keyword established:
  access-list 101 permit tcp any any established
● The established keyword matches any TCP segment with the ACK or RST bit set; the router keeps no connection state. An incoming segment with only the SYN bit set (a new connection attempt from outside) is therefore not matched, but a crafted segment from outside with the ACK bit set is.
● For ICMP, a statement using the keywords echo-reply and unreachable can be written to permit ping responses and unreachable messages.
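As an added example (not part of the original slides, and not IOS code), the following Python parser and matcher covers the extended ACL field layout described earlier, the FTP range statement, and the established keyword. It handles only the operators the slides use (eq, range, established); ICMP type keywords such as echo-reply are not parsed. The Packet class, the sample packets and the TCP flag constants are constructed for the example. The last three sample packets show what established really tests: a SYN/ACK reply to an inside client is permitted, an inbound SYN is dropped by the implicit deny, and a bare ACK crafted from outside is permitted too, because the check is on flags, not on connection state.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits as found in the TCP header flags byte
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flags; ignored for other protocols


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def parse_address(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ports(tok, i):
    """Consume an optional 'eq P' or 'range P1 P2' at tok[i]; None if absent."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_extended(line: str) -> dict:
    """access-list N {permit|deny} proto SRC [ports] DST [ports] [established]
    A port operator right after the source applies to the source port,
    one after the destination to the destination port (IOS semantics)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL statement: {line!r}")
    entry = {"action": tok[2], "proto": tok[3], "established": False}
    entry["src"], i = parse_address(tok, 4)
    entry["sports"], i = parse_ports(tok, i)
    entry["dst"], i = parse_address(tok, i)
    entry["dports"], i = parse_ports(tok, i)
    if i < len(tok) and tok[i] == "established":
        entry["established"], i = True, i + 1
    if i != len(tok):
        raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return entry


def in_range(ports, port) -> bool:
    return ports is None or ports[0] <= port <= ports[1]


def matches(entry: dict, pkt: Packet) -> bool:
    if entry["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *entry["src"]) and wildcard_match(pkt.dst, *entry["dst"])):
        return False
    if not (in_range(entry["sports"], pkt.sport) and in_range(entry["dports"], pkt.dport)):
        return False
    # 'established' is a stateless flag test: ACK or RST must be set.
    if entry["established"] and not pkt.flags & (TCP_ACK | TCP_RST):
        return False
    return True


class ExtendedAcl:
    def __init__(self, lines):
        self.entries = [parse_extended(line) for line in lines]

    def evaluate(self, pkt: Packet) -> str:
        for entry in self.entries:
            if matches(entry, pkt):
                return entry["action"]
        return "deny"   # implicit deny at the end of every ACL


if __name__ == "__main__":
    acl101 = ExtendedAcl(["access-list 101 permit tcp any any established"])
    samples = {  # constructed packets arriving inbound from the outside
        "SYN/ACK reply to inside client": Packet("tcp", "198.51.100.7", "192.168.77.10", 80, 40000, TCP_SYN | TCP_ACK),
        "new SYN from outside": Packet("tcp", "198.51.100.7", "192.168.77.10", 40000, 22, TCP_SYN),
        "crafted bare ACK from outside": Packet("tcp", "198.51.100.7", "192.168.77.10", 40000, 22, TCP_ACK),
    }
    for name, pkt in samples.items():
        print(f"{name}: {acl101.evaluate(pkt)}")
```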
NAT/PAT and ACLs
● When using NAT with ACLs, it is important to know how they interact in the router.
● If the packet comes inbound into a NAT outside interface, the router:
  1) Applies the inbound ACL
  2) Translates the destination address from outside to inside, or global to local
  3) Routes the packet
● If the packet goes outbound through a NAT outside interface, the router:
  1) Translates the source address from inside to outside, or local to global
  2) Applies the outbound ACL
NAT/PAT and ACLs
● Plan the ACL so that it filters either the private or the public addresses, depending on where it sits relative to NAT. If traffic is inbound or outbound on a NAT outside interface, the addresses to filter are the public ones; an ACL on that interface that lists the private (inside local) addresses will never match and therefore won't work.
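The following Python simulation is an added example (not from the slides) of the order of operations just listed. It uses a constructed static NAT table (10.1.1.5 inside local, 203.0.113.5 inside global) and a minimal ACL that tests either the source or the destination address. The point it makes concrete: an outbound ACL on the outside interface that denies the private address 10.1.1.5 never fires, because translation has already rewritten the source to 203.0.113.5 by the time the ACL runs, while an inbound ACL on the same interface must permit the public address, since it runs before the destination is translated back. The Packet and Rule classes and the function names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed static NAT table for the example: inside local -> inside global
NAT_TABLE = {"10.1.1.5": "203.0.113.5"}
REVERSE_NAT = {glob: loc for loc, glob in NAT_TABLE.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    field: str       # "src" or "dst": which address the statement tests
    network: str
    wildcard: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def evaluate(acl: list, pkt: Packet) -> str:
    """Sequential first match; implicit deny if nothing matches."""
    for rule in acl:
        if wildcard_match(getattr(pkt, rule.field), rule.network, rule.wildcard):
            return rule.action
    return "deny"


def outside_interface_outbound(pkt: Packet, acl: list):
    """Outbound through the NAT outside interface:
    1) translate source inside-local -> inside-global, 2) apply the outbound ACL."""
    pkt = replace(pkt, src=NAT_TABLE.get(pkt.src, pkt.src))
    return evaluate(acl, pkt), pkt


def outside_interface_inbound(pkt: Packet, acl: list):
    """Inbound on the NAT outside interface:
    1) apply the inbound ACL, 2) translate destination global -> local, 3) route."""
    verdict = evaluate(acl, pkt)
    if verdict == "deny":
        return verdict, pkt
    return verdict, replace(pkt, dst=REVERSE_NAT.get(pkt.dst, pkt.dst))


PERMIT_ANY = Rule("permit", "src", "0.0.0.0", "255.255.255.255")

if __name__ == "__main__":
    outgoing = Packet("10.1.1.5", "198.51.100.9")
    wrong = [Rule("deny", "src", "10.1.1.5", "0.0.0.0"), PERMIT_ANY]      # private address: never matches
    right = [Rule("deny", "src", "203.0.113.5", "0.0.0.0"), PERMIT_ANY]   # public address: matches
    print("outbound, deny private:", outside_interface_outbound(outgoing, wrong)[0])
    print("outbound, deny public: ", outside_interface_outbound(outgoing, right)[0])
    reply = Packet("198.51.100.9", "203.0.113.5")
    print("inbound, permit private:", outside_interface_inbound(reply, [Rule("permit", "dst", "10.1.1.5", "0.0.0.0")])[0])
    print("inbound, permit public: ", outside_interface_inbound(reply, [Rule("permit", "dst", "203.0.113.5", "0.0.0.0")]))
```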
Routing between VLANs
● When routing between VLANs in a network, it is sometimes necessary to control traffic from one VLAN to another using ACLs.
● Apply ACLs directly to VLAN interfaces or subinterfaces on a router just as with physical interfaces.
● Enterprise networks typically have servers on a different VLAN than user groups. In such cases, access to the server VLAN requires filtering.
● All rules and guidelines for creation and application are the same for ACLs on subinterfaces as they are for physical interfaces.
Logging
● For additional details on packets permitted or denied, activate a process called logging.
● Logging activates for individual ACL statements.
● To activate this feature, add the log option to the end of each ACL statement to be tracked.
● To turn off logging to the console, use:
  no logging console
● To turn off all debugging, use:
  undebug all
● To turn off specific debugging, such as ip packet, use:
  no debug ip packet
Remote logging
● Logging to the console uses router memory, which is a limited resource.
● Instead, configure a router to send logging, sometimes called syslog messages, to an external server.
● This method allows viewing the messages in real time and also at a later time.
● Configurable options include:
  ● Providing notification of new messages received
  ● Sorting and grouping messages
  ● Filtering messages by severity
  ● Removal of all or selected messages
● A sample of the command that specifies the IP address of the host where the syslog server is installed is:
  logging 192.168.3.11
Synchronize clocks
● When troubleshooting a problem, always set the service timestamps for logging. Be sure the router date and time are set correctly so that log files display the proper time stamp.
● Use the show clock command to check the date and time setting:
  R1>show clock
  *00:03:45.213 UTC Mon Mar 1 2007
  (the leading * means the clock has not been set and is not authoritative)
● To set the time zone:
  R1(config)#clock timezone CST -6
● To set the clock:
  R1#clock set 10:25:00 Sep 10 2007
End of lesson 8