Access Control Lists (ACLs)
[Figure: router with e0 toward 172.16.3.0, e1 toward 172.16.4.0 (server 172.16.4.13), and s0 toward non-172.16.0.0 networks]
CCNA2 Routing
Module 11: Access Control
04/27/15
Page 1
[Figure: sample topology with networks 172.16.2.0, 172.16.3.0 and 172.16.4.0; interfaces e0, e1, s0 and s1; addresses 172.16.2.2, 172.16.3.1 and 172.16.3.2; computer 172.16.4.3 and server 172.16.4.2]
Applying an ACL to an interface (one ACL per protocol, per interface, per direction):
Standard:
interface Fa0/0/0
 ip access-group 1 out
________________________________________________________________
Extended:
interface Fa0/0/0
 ip access-group 101 in
Outline: Extended ACLs; Named ACLs; Placing ACLs; Firewalls; Summary; Detail
An ACL statement can test a packet's:
source address
destination address
protocol
port number
Each ACL statement is checked in sequential order (first to last); at the first match the packet is permitted or denied and no further statements are checked.
If no statement matches, the packet is discarded by default: every ACL ends with an implicit "deny any".
Adding ACL statements to the end of an existing numbered list is just a matter of entering the new statement. BUT deleting a single statement of a numbered list (no access-list <number> ...) deletes the entire access list.
Wildcard
NOTE!!!
Do NOT think "subnet mask": a wildcard mask has a totally different meaning and is not related to the subnet mask. In a wildcard, a 0 bit means "this bit must match" and a 1 bit means "don't care".
Abbreviations
any  = address 0.0.0.0 with wildcard 255.255.255.255 (every bit is "don't care": matches any address)
host = address A.B.C.D with wildcard 0.0.0.0 (every bit must match: exactly one address)
Standard ACLs
Criteria:
block all traffic from a network
allow all traffic from a network
deny entire protocol suites
Standard ACLs only check the source address.
Router(config)# access-list <ACL number> { deny | permit } source [source-wildcard] [log]
Standard ACLs (log keyword)
With the log keyword, e.g. access-list 1 permit 172.16.0.0 0.0.255.255 log, the router permits all traffic from 172.16.0.0/16 and generates a console message when the statement matches (the first match is reported immediately; later matches are counted and reported at intervals so the console is not flooded).
Standard ACLs - verification
show ip access-list
Shows only the IP access lists configured on the router (with per-statement match counters).
show ip interface
Shows which interfaces have access lists applied (the access-group in each direction).
show running-config
Shows the router's entire configuration.
Perrine modified by Brierley
Standard ACLs
R(config)# interface e0
R(config-if)# ip access-group 1 out
R(config)# interface e1
R(config-if)# ip access-group 1 out
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Applied outbound on both LAN interfaces, list 1 lets only packets sourced from 172.16.0.0/16 reach the 172.16.3.0 and 172.16.4.0 networks; packets from non-172.16.0.0 sources arriving over s0 fall through to the implicit deny. Note that the interface commands reference list 1 before it is defined: an access-group that points at an undefined list permits everything, so the filter only takes effect once the access-list statement is entered.
Standard ACLs
R(config)# interface e0
R(config-if)# ip access-group 1 out
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
Denies traffic from a specific device, 172.16.4.13 (the wildcard 0.0.0.0 can also be written as "host 172.16.4.13"), and allows all other traffic through e0 to network 172.16.3.0. The explicit "permit any" is needed because without it the implicit deny would block everything else.
Standard ACLs
interface e0
 ip access-group 1 out
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
Denies traffic from the whole subnet 172.16.4.0/24 and allows all other traffic through e0 to network 172.16.3.0.
Extended ACLs
Criteria:
checks both the packet's source and destination addresses
checks for a specific protocol
checks for specific port numbers
permits or denies applications: ping, telnet, FTP, etc.
ACL numbers range from 100 to 199 for IP (the expanded range 2000-2699 is also available)
Extended ACLs - common port numbers
Port  IP protocol  Application
20    TCP          FTP (data)
21    TCP          FTP (control)
23    TCP          Telnet
25    TCP          SMTP
53    TCP/UDP      DNS
69    UDP          TFTP
80    TCP          HTTP
Extended ACLs - syntax
Router(config)# access-list <ACL number> { permit | deny } <protocol> <source> <source-wildcard> [<operator> <port>] <destination> <destination-wildcard> [<operator> <port>] [established] [log]
ACL number: 100-199 (or 2000-2699)
permit | deny: packet is allowed or blocked
protocol: ip, tcp, udp, icmp, gre or igrp ("ip" matches every IP protocol)
operator: lt, gt, eq, neq (also range <low> <high>)
operand: port number or name (e.g. 21 or ftp); a port test placed after the source matches the source port, after the destination the destination port
established: allows TCP traffic to pass only if the segment belongs to an already-open connection, i.e. has the ACK or RST bit set (the SYN that opens a connection carries neither, so it is not matched)
Extended ACLs
interface e0
 ip access-group 101 out
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
Blocks FTP control connections (TCP port 21) from all hosts on 172.16.4.0 to any device on 172.16.3.0 and allows all other traffic. The slide omitted the direction on ip access-group; IOS then applies the list outbound, which is what the description assumes. Because the list sits on e0 only, hosts on 172.16.4.0 can still use FTP to any other destination.
Extended ACLs
interface e0
 ip access-group 101 out
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Denies only telnet traffic (TCP port 23) from the 172.16.4.0 network to the 172.16.3.0 network, and permits all other traffic through e0 to any address.
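The evaluation rules used on the slides above (statements checked top to bottom, first match wins, implicit deny at the end, any/host abbreviations, wildcard masks, eq port tests, established), as an added example written in Python rather than IOS; this is not code from the slides. It loads the standard and extended lists from the example slides (the two standard lists the slides both numbered 1 are given numbers 1 and 2 here so they can coexist) and runs constructed packets through them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a minimal model of Cisco IOS numbered-ACL evaluation.
# Supported syntax (the subset used in this module):
#   access-list <1-99|1300-1999> permit|deny <src> [<wildcard>] [log]
#   access-list <100-199|2000-2699> permit|deny <proto> <src> <wc> [eq <port>]
#                                    <dst> <wc> [eq <port>] [established] [log]
# <src>/<dst> may also be "any" or "host A.B.C.D".

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80}

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; every bit where it is 0 must match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(packet_addr) ^ to_int(base)) & care) == 0

def parse_addr(tokens: List[str], wildcard_required: bool) -> Tuple[str, str]:
    """Consume 'any', 'host A', or 'A [W]' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if wildcard_required or (tokens and tokens[0][0].isdigit()):
        return t, tokens.pop(0)
    return t, "0.0.0.0"  # standard ACL: a bare address means that one host

def parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port|name>'; other operators are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    protocol: str              # "ip" matches every protocol
    src: Tuple[str, str]       # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[int]
    dport: Optional[int]
    established: bool

def parse_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue  # interface and other commands are ignored
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
            e = Entry(action, "ip", parse_addr(rest, False),
                      ("0.0.0.0", "255.255.255.255"), None, None, False)
        else:                                             # extended
            proto = rest.pop(0)
            src = parse_addr(rest, True); sport = parse_port(rest)
            dst = parse_addr(rest, True); dport = parse_port(rest)
            e = Entry(action, proto, src, dst, sport, dport, "established" in rest)
        acls.setdefault(number, []).append(e)  # entry order = evaluation order
    return acls

def evaluate(entries: List[Entry], pkt: dict) -> str:
    """First matching statement decides; nothing matched -> implicit 'deny any'."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e.src) or not wildcard_match(pkt["dst"], *e.dst):
            continue
        if e.sport is not None and pkt.get("sport") != e.sport:
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.established and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return e.action
    return "deny"

# Constructed configuration taken from the example slides (second standard list renumbered to 2).
CONFIG = [
    "access-list 1 permit 172.16.0.0 0.0.255.255",
    "access-list 2 deny 172.16.4.13 0.0.0.0",
    "access-list 2 permit any",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 permit ip any any",
]
ACLS = parse_acl(CONFIG)

def decide(acl_number: int, pkt: dict) -> str:
    return evaluate(ACLS[acl_number], pkt)

if __name__ == "__main__":
    ftp = {"proto": "tcp", "src": "172.16.4.3", "dst": "172.16.3.2", "sport": 40000, "dport": 21}
    print("ACL 101, FTP 172.16.4.3 -> 172.16.3.2:", decide(101, ftp))
    print("ACL 1, packet from 10.0.0.1:", decide(1, {"proto": "ip", "src": "10.0.0.1", "dst": "172.16.3.2"}))
```

Feeding a packet from 10.0.0.1 through list 1 returns "deny" although no statement mentions that address: that is the implicit deny the slides describe. Swapping the order of the two statements in list 2 would make "permit any" swallow every packet and leave the deny unreachable, which is why statement order matters.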
NOTE:
Standard ACL numbers: 1-99 and 1300-1999
Extended ACL numbers: 100-199 and 2000-2699
Standard/Extended ACL
You cannot insert ACL statements into the body of a numbered access list; new statements go only at the end. For any other change the access list must be deleted first and then rewritten in full.
Therefore it is prudent to write your access list in text format using Notepad, and then paste it into the router.
(Cisco IOS 12.3 and later number each entry with a sequence number; under "ip access-list standard|extended <name-or-number>" an entry can then be inserted anywhere as "<seq> permit ..." or removed with "no <seq>" without rewriting the list.)
NOTE:
A NAMED ACL is identified by an alphanumeric string instead of the ACL number (1-199).
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
Named ACLs can be either standard or extended.
You cannot configure the same name for multiple ACLs.
Use named ACLs when you want to identify ACLs intuitively.
Use named ACLs when more than 99 standard and 100 extended numbered ACLs have already been configured on a router for a given protocol.
Named ACL
A named ACL allows individual statements to be deleted (no permit ... / no deny ... under ip access-list), but without sequence numbers new statements can still only be appended at the end of the list.
More Details
[Figure: slides stepping through the wildcard test bit by bit; the packet addresses tested were]
10101100.00010010.00000100.00000010 = 172.18.4.2
10101100.00010000.00000100.00000010 = 172.16.4.2
10101100.00010000.00000100.00000001 = 172.16.4.1
10101100.00010000.00000100.00000100 = 172.16.4.4
10101100.00010000.00000100.00000101 = 172.16.4.5
Page 56
CCNA2 Routing
Module 11
One can permit or deny a block of addresses, but the block size must be a power of 2 (2, 4, 8, 16, 32, 64, 128, etc.).
When you need to specify a range of addresses, choose the closest block size that covers it.
Example: you want to block access to the part of a network in the range 198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:
198.16.99.0 0.0.0.7
Also, for a block of 8 the beginning address must be a multiple of 8 (0, 8, 16, etc.). In general the start address must be aligned to the block size, because a wildcard can only free the low-order bits; a range that is not a power of 2 or not aligned needs more than one statement.
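The block-size rule above and the bit-by-bit matching on the "More Details" slides, as an added Python example (not from the slides): it derives the wildcard for a block or range, rejects sizes that are not a power of two or starts that are not aligned, converts a subnet mask to its wildcard, reports the first and last address a statement covers, and renders the dotted-binary view the slides used. The wildcard_for_block and block_bounds helpers are my own names, not IOS commands.

```python
import ipaddress

# Added example: computing and checking Cisco wildcard masks.

def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _a(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_for_block(first_addr: str, block_size: int):
    """Address/wildcard pair covering block_size consecutive addresses from first_addr.
    A wildcard can only free the low-order bits, so the size must be a power of two and
    the start a multiple of that size; otherwise no single statement can express it."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError(f"block size {block_size} is not a power of two")
    if _i(first_addr) % block_size:
        raise ValueError(f"{first_addr} is not aligned to a block of {block_size}")
    return first_addr, _a(block_size - 1)

def wildcard_for_range(first_addr: str, last_addr: str):
    """Same, for an inclusive range given as first and last address."""
    return wildcard_for_block(first_addr, _i(last_addr) - _i(first_addr) + 1)

def wildcard_from_mask(subnet_mask: str) -> str:
    """The wildcard is the bit-inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return _a(_i(subnet_mask) ^ 0xFFFFFFFF)

def matches(packet_addr: str, address: str, wildcard: str) -> bool:
    """IOS test: where the wildcard bit is 0 the packet bit must equal the address bit."""
    care = _i(wildcard) ^ 0xFFFFFFFF
    return ((_i(packet_addr) ^ _i(address)) & care) == 0

def block_bounds(address: str, wildcard: str):
    """First and last address a statement with a contiguous wildcard covers
    (handy when auditing someone else's ACL for an over-wide wildcard)."""
    care = _i(wildcard) ^ 0xFFFFFFFF
    first = _i(address) & care
    return _a(first), _a(first | _i(wildcard))

def binary_view(packet_addr: str, address: str, wildcard: str) -> str:
    """Dotted-binary rendering like the 'matched value' slides above."""
    def dotted(s: str) -> str:
        return ".".join(f"{int(o):08b}" for o in s.split("."))
    rows = (("address", address), ("wildcard", wildcard), ("packet", packet_addr))
    return "\n".join(f"{label:<9}{dotted(v)}" for label, v in rows)

if __name__ == "__main__":
    print(wildcard_for_range("198.16.99.0", "198.16.99.7"))
    print(binary_view("172.16.4.5", "172.16.4.4", "0.0.0.1"),
          matches("172.16.4.5", "172.16.4.4", "0.0.0.1"))
    # An over-wide wildcard silently widens the match: 0.0.255.255 on 172.16.3.0
    # covers all of 172.16.0.0/16, not just the /24.
    print(block_bounds("172.16.3.0", "0.0.255.255"), block_bounds("172.16.3.0", "0.0.0.255"))
```

block_bounds is the check to run on a wildcard you did not write yourself: 172.16.3.0 with 0.0.255.255 comes back as 172.16.0.0 to 172.16.255.255, which is how a "/24" statement quietly becomes a "/16" one.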
You can control access to the router's VTY lines (incoming telnet/SSH sessions to the router itself) with a standard ACL.
You write the ACL as usual, but apply it with access-class under the line instead of ip access-group under an interface.
As an example:
Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# access-class 1 in
Only sources in 172.16.1.0/24 may open a session; every other source hits the implicit deny, whichever interface the packet arrived on. Note: older IOS releases accept only numbered access lists on access-class; current releases also accept named ACLs. Telnet carries the password in clear text, so on a production router restrict the line to SSH with transport input ssh.
Established option
[Figure: a host inside establishes a session toward the Internet; only the response is allowed back in]
As a practical example (topology: 172.16.3.0 and 172.16.4.0 behind the router, e1 toward the INTERNET, host 172.16.3.13 on 172.16.3.0):
Allow host 172.16.3.13 to connect to the Internet, but don't allow the Internet to initiate any sessions.
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 established
Applied inbound on e1 (the interface toward the Internet), this permits only TCP segments that already carry the ACK or RST bit, i.e. replies to sessions opened from inside; every SYN from the Internet, and everything that is not TCP, falls through to the implicit deny. (The slide printed the wildcard as 0.0.255.255; for the 172.16.3.0/24 network it must be 0.0.0.255, as on the following slides, otherwise the statement covers all of 172.16.0.0/16.)
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any eq www host 172.16.3.13 established
Here the port test is on the source side: a web server's replies come from TCP port 80 to an ephemeral port on 172.16.3.13. The slide printed the test on the destination side (host 172.16.3.13 eq www), which matches only segments addressed to port 80 on the host, so the host's own web browsing would be blocked.
Note: the established argument applies only to TCP, so UDP, ICMP and every other IP protocol will not match that statement and is dropped by the implicit deny unless specifically allowed. Hence:
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any eq www 172.16.3.0 0.0.0.255 established
Router(config)# access-list 101 permit icmp any 172.16.3.0 0.0.0.255 echo-reply
Router(config)# access-list 101 permit icmp any 172.16.3.0 0.0.0.255 unreachable
Router(config)# access-list 101 permit udp any eq 53 172.16.3.0 0.0.0.255
The port tests sit on the source side because this list filters replies: web answers come from TCP port 80 and DNS answers from UDP port 53, both toward an ephemeral port on the inside host. The slide printed "... 172.16.3.0 0.0.0.255 eq www" and "permit udp any any eq 53", which would instead admit Internet connections to ports 80 and 53 of the inside hosts, and "permit icmp any any", which admits every ICMP type including echo requests; the lines above keep to the stated goal of allowing nothing the Internet initiates.
Caveat: established inspects only the ACK/RST flag bits and keeps no connection state, so any packet an attacker sends with the ACK bit set (an ACK scan, for example) still matches the TCP statement. Where stateful filtering is required, use reflexive ACLs (reflect/evaluate) or a stateful firewall feature rather than established.
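What established does and does not check, as an added Python example (not from the slides): the two forms of the web-reply statement are modelled as functions, constructed packets are run through them (a reply to the host's own session, a session opened from the Internet, and a forged ACK), and a minimal connection table stands in for a stateful filter to show the difference. The addresses 203.0.113.10 and 198.51.100.7 are made up from the documentation ranges; ConnectionTable is illustrative only, not an IOS feature.

```python
import ipaddress

# Added example: what the "established" keyword tests, and what it cannot tell.
# Addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

INSIDE = ipaddress.ip_network("172.16.3.0/24")

def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}

def _to_inside_established(pkt):
    # "established" matches a TCP segment with the ACK or RST bit set; nothing more.
    return (pkt["proto"] == "tcp"
            and ipaddress.ip_address(pkt["dst"]) in INSIDE
            and bool(pkt["flags"] & {"ACK", "RST"}))

def permit_correct(pkt):
    """access-list 101 permit tcp any eq www 172.16.3.0 0.0.0.255 established
    (port test on the source: replies come FROM a web server's port 80)."""
    return _to_inside_established(pkt) and pkt["sport"] == 80

def permit_as_printed(pkt):
    """access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established
    (port test on the destination, as printed on the slide)."""
    return _to_inside_established(pkt) and pkt["dport"] == 80

class ConnectionTable:
    """Minimal stateful check for comparison: an inbound segment is allowed only if an
    inside host sent the SYN for that 4-tuple first (what reflexive ACLs / a firewall do)."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        if pkt["proto"] == "tcp" and "SYN" in pkt["flags"]:
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))

    def permit_inbound(self, pkt):
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

# Constructed traffic
CLIENT_SYN = tcp("172.16.3.13", 51000, "203.0.113.10", 80, "SYN")         # host opens a web session
WEB_REPLY  = tcp("203.0.113.10", 80, "172.16.3.13", 51000, "SYN", "ACK")  # server's answer
INET_SYN   = tcp("203.0.113.10", 45000, "172.16.3.13", 80, "SYN")         # Internet-initiated session
ACK_PROBE  = tcp("198.51.100.7", 80, "172.16.3.13", 22, "ACK")            # forged ACK, sport 80 (ACK scan)

def demo():
    table = ConnectionTable()
    table.outbound(CLIENT_SYN)  # the router saw the inside host's SYN leave
    return {
        "reply_passes_printed_rule": permit_as_printed(WEB_REPLY),     # dport is 51000, not 80
        "reply_passes_correct_rule": permit_correct(WEB_REPLY),
        "inet_syn_passes":           permit_correct(INET_SYN),         # no ACK, and sport != 80
        "ack_probe_passes_acl":      permit_correct(ACK_PROBE),        # flags alone cannot tell
        "ack_probe_passes_stateful": table.permit_inbound(ACK_PROBE),  # no matching flow
        "reply_passes_stateful":     table.permit_inbound(WEB_REPLY),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {allowed}")
```

The forged ACK probe is the point: the established statement lets it through to port 22 of the inside host because the statement only looks at flag bits, while the connection table rejects it because no inside host ever opened that flow.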
ACL Rules (placement):
Standard ACL
Place the ACL as near the destination as possible: it matches on source only, so placed near the source it would cut that source off from every destination, not just the one you mean.
Extended ACL
Put the ACL as close as possible to the source, so unwanted traffic is dropped before it crosses the network.
End of Session