8/9/2019 WP_Friebe_ACLs1
1/19
Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com
Access Control Lists (ACLs)
Copyright 2009 Global Knowledge Training LLC. All rights reserved. 2
Access Control Lists (ACLs)
Al Friebe, Global Knowledge Instructor
Introduction
In this white paper, we'll take a look at access control lists, often referred to as access lists or ACLs (sometimes pronounced "ackels"). In Cisco IOS, ACLs are used for many things, including but not limited to:
- Filtering data packets (firewalling)
- Controlling Telnet or SSH access to a router or switch
- Filtering routing protocols
- Specifying Quality of Service (QoS)
- Controlling encryption
- Controlling NAT (Network Address Translation)
- Controlling Dial-on-Demand
The idea of an access list is straightforward: it permits some things, and denies others. What exactly is being permitted or denied varies according to the application of the ACL. Although access lists for other protocols (such as IPX, AppleTalk, MAC addresses, etc.) exist, we'll be focusing on IP access lists. In general, only routers and multi-layer switches understand IP access lists (but some Layer-2 switches are ACL-aware to some extent).
IP Access Lists
For example, let's say that traffic originating from a host with IP address 192.168.1.1 should be permitted to leave the FastEthernet 0/0 interface. An ACL that would accomplish this would be:
Router#configure terminal
Router(config)#access-list 1 permit 192.168.1.1
The ACL resides in the running config, and can be seen with the command show access-lists. There are various options for this command, including show ip access-lists, show access-lists X (where X is the ACL identifier), etc.
The ACL created above is now resident in memory, but will not take effect until it is placed into service in some manner. To place it outbound on the FastEthernet 0/0 interface, the commands would be:
Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 out
To see the access lists that are outgoing or inbound on an interface, use the command show ip interface. Note that the ip is required (if you don't specify the protocol, it won't show you the ACL information). This command also has options, such as the particular interface you're interested in, such as sh ip int f0/0.
As usual, commands can be abbreviated, so to create and apply the ACL, you could simply do:
Router#conf t
Router(config)#access-l 1 per 192.168.1.1
Router(config)#int f0/0
Router(config-if)#ip access-g 1 o
Find some shortcuts that work for you, and then use them!
In the ACL we created above, we have explicitly permitted traffic originating from the host with IP address 192.168.1.1, but what about other traffic? The default behavior of an access list is to deny all traffic that is not referenced by the list. In other words, it's as if there is a "deny everything else" at the bottom of the list. This is much better than having to deny every other IP address, of which there are over four billion possibilities!
It's commonly desired to permit and/or deny multiple hosts in a single list. What if we want to permit more hosts? Simply add more lines to the list. This can be accomplished by going back into global config mode and adding the lines. Building on the single-line list from above, let's add lines to ACL 1 to also permit packets from the hosts with addresses 192.168.1.2 and 192.168.1.3.
Router#conf t
Router(config)#access-list 1 permit 192.168.1.2
Router(config)#access-list 1 permit 192.168.1.3
If we examine ACL 1 with show access-list, we'll see that it now contains three lines, for 192.168.1.1, .2, and .3. It's important to realize that because the same ACL number was used for each line, all lines belong to that access list (ACL 1, in this case). Note that if the list is in effect on the interface while we are editing it, the changes take effect immediately (this can be dangerous, as we'll discuss in the future).
Let's create another ACL, this one denying traffic from the hosts with addresses 10.1.1.1, 10.1.1.2, and 10.1.1.3, and permitting all other addresses. Since this is a separate ACL, we'll use access list number 2:
Router#conf t
Router(config)#access-list 2 deny 10.1.1.1
Router(config)#access-list 2 deny 10.1.1.2
Router(config)#access-list 2 deny 10.1.1.3
The list we've just created will deny traffic from the specified hosts, but what about traffic from other hosts? Remember that ACLs deny all traffic that they don't explicitly permit, as if there was a "deny everything else" at
the bottom. In other words, this list denies all traffic! Obviously, we need to permit traffic from the other hosts, but it would be unreasonable to list the billions of them individually. Instead, we can use the any keyword, thus:
Router(config)#access-list 2 permit any
HINT: An ACL that contains only deny statements is either incomplete, or wrong!
Our ACL 2 will now deny traffic from the 10.1.1.1, .2 and .3 hosts, but permit traffic sourced from any other host. Again, as with ACL 1, the list doesn't actually take effect until it is placed in effect. Let's place it inbound on Serial 2/1.
Router(config)#int s2/1
Router(config-if)#ip access-group 2 in
As before, we can see the list with sh access-l 2, and see its application on the interface with sh ip int s2/1.
To summarize the basics of access lists, ACLs:
- Are created in global config mode
- End with an implicit deny any (which can be overridden)
- Must be placed into service somewhere to have any effect
Thus, the commands
Router#conf t
Router(config)#access-list 3 deny 172.16.1.1
Router(config)#access-list 3 deny 172.16.1.2
Router(config)#access-list 3 deny 172.16.1.3
Router(config)#access-list 3 permit any
Router(config)#interface g1/2
Router(config-if)#ip access-group 3 out
will create an ACL 3 (denying traffic from hosts 172.16.1.1, .2 and .3, while permitting all other traffic), and place it in service on the GigEthernet 1/2 interface in the outbound direction.
Wildcard Mask (WCM)
An ACL placed inbound on a router interface will control the traffic that's allowed to enter the router via that interface. You would think, therefore, that an ACL placed outbound on a router interface (such as ACL 3 above) would likewise control the traffic that's allowed to leave the router via that interface. This is also true, except for traffic that was generated by the router itself. In other words, an outbound ACL will affect only traffic attempting to transit the router, not traffic originated by the router.
Let's look at another example. In this case, we'd like to use ACL 4 inbound on the Serial 1/1 interface to permit traffic from all hosts on the 192.168.1.0 network, and deny all other traffic. We could start as before:
Router#conf t
Router(config)#access-list 4 permit 192.168.1.1
Router(config)#access-list 4 permit 192.168.1.2
But wait, the Class C network 192.168.1.0 covers 254 hosts (192.168.1.1 through 192.168.1.254), which would require 254 lines in the ACL. Obviously listing each host address one by one is a non-scalable solution (and imagine what would happen with a Class B or a Class A network). What we need is a system to shorten the list. Such a system exists, and it makes use of a wildcard mask. The rules for IPv4 wildcard masks are simple.
- Wildcard masks are 32 bits long (just like IPv4 addresses).
- A 0 bit in a WCM means "match" the corresponding address bit.
- A 1 bit in a WCM means "ignore" the corresponding address bit.
- WCMs are represented in dotted-decimal (just like IPv4 addresses).
- WCMs follow addresses.
Okay, let's use a WCM to solve our example. What we want is to match the first three octets (the 192.168.1 part), and ignore the fourth octet. Thus, we could match the entire 192.168.1.0 network like this:
Router(config)#access-list 4 permit 192.168.1.0 0.0.0.255
How does it work? In ACL 4, you see that there is an address (192.168.1.0), followed by a wildcard mask (0.0.0.255). The first octet of the dotted-decimal WCM is a 0, which represents eight binary 0s. Since a 0 in a WCM means "match", these eight 0s in the WCM mean "match the first octet of the address" (the 192 part).
Likewise, the second and third octets of the WCM are also 0s, meaning that the second and third octets of the address (168 and 1, respectively) must be matched exactly. Finally, the fourth octet of the WCM is a 255, which is all 1s in binary. Since a 1 means "ignore", the ACL ignores the entire last octet of the address, meaning that it could have any value (0 through 255). Since this covers the range of legal host addresses on network 192.168.1.0, it meets the requirements stated above.
The only thing left to do is to place the ACL in service on the interface.
Router(config)#int serial 1/1
Router(config-if)#ip access-group 4 in
Those of us who are particularly geeky might have noticed that the permit statement above not only permits the range of legal hosts, it also permits the reserved addresses of 192.168.1.0 and 192.168.1.255 (the network and broadcast addresses). Since those addresses will never be assigned to hosts, this isn't an operational problem. And one more thing: you'll recall that the default subnet mask for a Class C network is 255.255.255.0. If we simply flip the bits of the subnet mask (0s become 1s, 1s become 0s), we'd have 0.0.0.255, which is the wildcard mask we want. More on this later!
Note that we can also represent the permit any at the end of ACL 3 as:
Router(config)#access-list 3 permit 0.0.0.0 255.255.255.255
While this is syntactically correct, if you type it into a router, IOS will display it as permit any (which is easier to read), so that's the way you might as well enter it.
Now that we have a neat method of representing large blocks of addresses, let's write and apply an ACL that will deny packets sent from hosts with private addresses, and permit packets from hosts with public addresses. The first question, then, is what are the private and public addresses?
Per RFC 1918, the private address ranges are:
- Class A: 10.0.0.0/8
- Class B: 172.16.0.0/12
- Class C: 192.168.0.0/16
Everything else in the Class A, B, and C ranges is public. Thus, we need an ACL that denies the above-listed address ranges, and permits everything else. Let's use ACL 5, and place it on Serial 0/0.123 (a Frame Relay subinterface) outbound. We'll take it one line at a time. First, let's handle network 10.0.0.0, a Class A network. Since we're interested in matching the network portion (the first octet), and ignoring the host portion (the last 3 octets), the wildcard mask should be 0.255.255.255. Thus, the first line in ACL 5 is:
Router(config)#access-list 5 deny 10.0.0.0 0.255.255.255
Next, we'll look at the second line, which involves the Class B address space 172.16.0.0/12. Note that the mask here is a /12, not the default Class B mask of /16. As you may recall from route summarization, moving 4 bits to the left (from 16 to 12) results in a block of 16 (2^4) networks. Therefore, this address space encompasses the 172.16.0.0 through 172.31.0.0 networks. We could list these 16 networks individually, thus:
Router(config)#access-list 5 deny 172.16.0.0 0.0.255.255
Router(config)#access-list 5 deny 172.17.0.0 0.0.255.255
(12 more lines for 18 through 29 go here)
Router(config)#access-list 5 deny 172.30.0.0 0.0.255.255
Router(config)#access-list 5 deny 172.31.0.0 0.0.255.255
Note that the wildcard mask on each line is 0.0.255.255 because we care about the first two octets (the network portion) but not about the last two (the host portion).
There is, however, a more elegant way. In fact, we can cover the Class B private networks in one line. Since the mask on the Class B address space is a /12, it means that we only care about the first 12 bits of the address space, and can ignore the last 20 (remember, there are a total of 32 bits in an address). Since a 0 in a WCM means "match" the corresponding address bit, and a 1 means "ignore", the WCM in binary would be twelve 0s, followed by twenty 1s, thus:
00000000.00001111.11111111.11111111
This can be represented in dotted-decimal as 0.15.255.255, which is the format we want for a wildcard mask. Another method for determining the WCM is to note that a /12 (the mask specified with the address space) is 255.240.0.0, and if we simply flip the bits, we get 0.15.255.255, which is exactly the WCM we need. An easy way to flip the bits is to just subtract each octet of a mask (255.240.0.0) from 255:
First octet: 255 - 255 = 0
Second octet: 255 - 240 = 15
Third octet: 255 - 0 = 255
Fourth octet: 255 - 0 = 255
Since the address space begins with 172.16.0.0, and the WCM is 0.15.255.255, the second line of the ACL should be:
Router(config)#access-list 5 deny 172.16.0.0 0.15.255.255
Next, we need to take care of the Class C address space. Notice that the mask specified is a /16. Since the default mask for a Class C is /24, and /16 is 8 bits to the left of that, this represents a block of 256 (2^8) Class C networks (those starting with 192.168). Similar to what we did with the Class B block, we can just flip the bits of the summary mask (/16, or 255.255.0.0) to get 0.0.255.255, which is the wildcard mask we need (match the first 2 octets of 192.168, and ignore the last 2). Since the address space starts with 192.168.0.0, the third line of ACL 5 should be:
Router(config)#access-list 5 deny 192.168.0.0 0.0.255.255
What we have at this point is an ACL that denies the private address space, but what about the public addresses? Remember that ACLs act as if they have a deny any at the bottom. We want to permit everything that wasn't denied, so we need to finish the ACL with a permit any line:
Router(config)#access-list 5 permit any
Altogether then, the list is:
Router(config)#access-list 5 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 5 deny 172.16.0.0 0.15.255.255
Router(config)#access-list 5 deny 192.168.0.0 0.0.255.255
Router(config)#access-list 5 permit any
Now, of course, we have to invoke it on the interface:
Router(config)#interface s0/0.123
Router(config-subif)#ip access-group 5 out
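The wildcard-mask arithmetic above, as an added Python illustration that is not part of the white paper: it derives a WCM from a prefix length or a subnet mask (the "flip the bits" and "255 minus each octet" methods), tests whether a source address matches an address/wildcard pair, and goes one step further than the text by checking that the sixteen one-per-network Class B lines cover exactly the same addresses as the single 172.16.0.0 0.15.255.255 line. All function names are my own.

```python
import ipaddress
from typing import List, Tuple

# Added example (not from the white paper): wildcard-mask arithmetic as IOS
# applies it. A 0 bit in the wildcard means "this address bit must match",
# a 1 bit means "ignore this address bit".
ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len summary: the bitwise complement of
    the subnet mask (the "flip the bits" method)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_from_subnet_mask(mask: str) -> str:
    """The same flip done octet by octet: subtract each octet from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def matches(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_src is matched by the ACL entry 'acl_addr wildcard'.
    Only the bits where the wildcard is 0 are compared."""
    care = _ip(wildcard) ^ ALL_ONES
    return (_ip(packet_src) & care) == (_ip(acl_addr) & care)


def wildcard_range(acl_addr: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an address/wildcard pair can match."""
    care = _ip(wildcard) ^ ALL_ONES
    low = _ip(acl_addr) & care
    high = low | _ip(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def to_network(acl_addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """CIDR equivalent of an address/wildcard pair whose wildcard is
    contiguous (all its 1 bits at the low end, as in every mask on this page)."""
    wc = _ip(wildcard)
    ones = wc.bit_length()
    if wc != (1 << ones) - 1:
        raise ValueError("non-contiguous wildcard has no CIDR equivalent")
    return ipaddress.IPv4Network((acl_addr, 32 - ones), strict=False)


def union_equals(lines: List[Tuple[str, str]], acl_addr: str, wildcard: str) -> bool:
    """True if the address/wildcard pairs in `lines` together cover exactly
    the addresses covered by the single pair (acl_addr, wildcard)."""
    merged = list(ipaddress.collapse_addresses(to_network(a, w) for a, w in lines))
    return merged == [to_network(acl_addr, wildcard)]


# The sixteen one-per-network lines the text shows for 172.16.0.0/12.
SIXTEEN_CLASS_B_LINES = [(f"172.{n}.0.0", "0.0.255.255") for n in range(16, 32)]


if __name__ == "__main__":
    print(wildcard_from_prefix(12), wildcard_from_subnet_mask("255.240.0.0"))
    print(wildcard_range("172.16.0.0", "0.15.255.255"))
    print(union_equals(SIXTEEN_CLASS_B_LINES, "172.16.0.0", "0.15.255.255"))
```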
Keyword Host ACL
As our first example, we'll write an ACL 6 that permits packets sourced by the host with IP address 192.168.100.123, thus:
Router(config)#access-list 6 permit 192.168.100.123
We could also do this using a wildcard mask (WCM).
Router(config)#access-list 6 permit 192.168.100.123 0.0.0.0
Remember that a 0 in a wildcard mask bit position specifies a match in that bit of the address. Thus, a mask of all 0s in dotted-decimal (which represents 32 binary 0s) means "match all bits of the address exactly". If you omit the wildcard mask (as in the first example), a WCM of all 0s is assumed, thus the two versions of ACL 6 are functionally equivalent.
Interestingly enough, we can also write this ACL line a third way, by using the keyword host:
Router(config)#access-list 6 permit host 192.168.100.123
Note that when using this method, the keyword host is placed before the address, and that no wildcard mask is used. Thus there are three functionally equivalent methods for specifying a single host address in an ACL, and the router doesn't care which one you use.
- Specify the address, without a WCM
- Specify the address, followed by a WCM of all zeros
- Precede the address by the keyword host, with no WCM used
In a standard ACL (the type we've examined so far), I generally use the first option, because it's brief, concise, and specific (in other words, easy to type and read). The second option gains us nothing, so I never use it. The third option is also commonly used.
ACL for vty Lines
Now, let's put our ACL to work. This time, though, instead of using it to control user data flowing through a router's interfaces, we'll use it to enforce security on a router (or an IOS-based switch). To do this, instead of placing the ACL in service by using the ip access-group command on an interface, we'll use the access-class command on the vty (virtual terminal) lines, like this:
Router(config)#line vty 0 4
Router(config-line)#access-class 6 in
Remember that inbound Telnet sessions are via the vty lines. What the above commands do is place ACL 6 in use inbound on the vty lines, which has the effect of constraining inbound Telnet traffic to hosts permitted by ACL 6 (in this case, the host with address 192.168.100.123 only). Note that this ACL only affects Telnet traffic targeted to this router. It has no effect on traffic flowing through the router.
Of course, you can also build more sophisticated ACLs using wildcard masks, and use them to control vty access. An example would be:
Router(config)#access-list 7 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 7 deny 172.16.0.0 0.15.255.255
Router(config)#access-list 7 deny 192.168.0.0 0.0.255.255
Router(config)#access-list 7 permit any
Router(config)#line vty 0 4
Router(config-line)#access-class 7 in
ACL 7 would permit any public address to Telnet to this router, but block attempts at Telnet from any private address. Note that we are placing the ACL inbound on the vty lines, which controls Telnet access to the router. If you place the ACL in service outbound on the vty lines, it will affect the router's being used as the middleman in a string of Telnet sessions. For example, let's say that R1 wants to Telnet to R2. The ability of R1 to do this is controlled by R2's inbound vty ACL. If there is no inbound vty ACL on R2, then any host can freely Telnet into R2 (assuming that R2's vty password is known, of course).
Now, assuming that R1 has used Telnet to access R2, the ability of R1 to then Telnet onward from R2 to another host would be controlled by R2's outbound vty ACL. If there is no outbound vty ACL on R2, then R1 could freely Telnet to any other host via R2 (assuming that the target host's Telnet password is known).
Note that when the ACL is used inbound on the vty lines, the ACL specifies source addresses (from which hosts are inbound Telnet sessions into our router allowed). When the ACL is used outbound on the vty lines, the ACL specifies destination addresses (to which hosts are outbound Telnet sessions allowed). The latter is an unusual usage of a standard IP ACL, which normally specifies source addresses only.
Okay, now it's Quiz Time: Let's suppose that the following commands are placed on our router. What effect do they have?
Router(config)#access-list 8 permit 172.16.1.1
Router(config)#access-list 9 permit 10.1.2.3
Router(config)#line vty 0 4
Router(config-line)#access-class 8 in
Router(config-line)#access-class 9 out
Since ACL 8 is placed inbound on the vty lines, it controls which hosts can Telnet into our router. In this case, only the host with address 172.16.1.1 will succeed (don't forget about the implicit deny any at the bottom of the ACL). Now, assuming that it has established a Telnet session with our router, to where could it Telnet from our router? That's controlled by ACL 9, which is in effect outbound on the vty lines. Because of ACL 9, if host 172.16.1.1 accesses our router by Telnet, it can only start Telnet sessions with host 10.1.2.3 while using our router as the middleman (again, don't forget the implicit deny at the end).
Note that host 172.16.1.1 (or any other host) can still Telnet through our router to anywhere. The ACLs placed on our router's vty lines are only controlling Telnet sessions for which our router is an endpoint. In other words, the access-class statements on the vty lines have absolutely no effect on data passing through our router, but only on Telnet sessions terminating at (or starting from) our router (or switch).
In addition to controlling Telnet access (TCP port 23), access-class statements on vty lines also affect SSH sessions (SSH is the encrypted version of Telnet, and it uses TCP port 22). Finally, remember that ACLs can be used to control Telnet or SSH access to and from IOS-based switches, as well.
So why use access-class on the vty lines?
- It allows you to easily control Telnet and/or SSH sessions to a router or switch.
- It covers all of the data interfaces (and a large switch could have hundreds of data interfaces).
- It affects only Telnet and SSH traffic targeting our router or switch, not traffic traversing our router or switch.
- It uses standard ACLs, which are easier to write than extended ACLs.
That makes the vty access-class statement a slick solution. Let's move on; there's still a lot more to do with access lists.
Additional Tips and Tricks for Standard IP ACLs
This time we'll look at additional tips and tricks when using standard IP ACLs. Let's suppose that we're given ACL 10 (the lines have been labeled A through E to facilitate the upcoming discussion):
A. access-list 10 permit 10.1.2.3
B. access-list 10 deny 10.1.2.0 0.0.0.255
C. access-list 10 permit 10.1.0.0 0.0.255.255
D. access-list 10 deny 10.0.0.0 0.255.255.255
E. access-list 10 permit any
Based on ACL 10, what will happen to packets that are sourced from the following addresses?
1) 10.1.2.4
2) 172.16.1.1
3) 10.1.3.3
4) 10.1.2.3
5) 10.2.2.3
Here are the results:
Packet #1: Denied by line B
Packet #2: Permitted by line E
Packet #3: Permitted by line C
Packet #4: Permitted by line A
Packet #5: Denied by line D
Why is packet #1 denied, although it matches some permits in ACL 10? Remember, access lists are top-down, first-match. Since line B is the top-most match for packet #1, the packet is denied. Because of this, the order of the lines in an ACL can be critical. For example, let's say that we swap lines B and C in ACL 10, to obtain ACL 11:
(A) access-list 11 permit 10.1.2.3
(B) access-list 11 permit 10.1.0.0 0.0.255.255
(C) access-list 11 deny 10.1.2.0 0.0.0.255
(D) access-list 11 deny 10.0.0.0 0.255.255.255
(E) access-list 11 permit any
Now what happens to packet #1? Unlike ACL 10, with ACL 11 packet #1 is permitted (by line B). In fact, any 10.1.0.0/16 address will be permitted by line B, and will never make it to line C. For that reason, ACL 11, although syntactically correct, is logically inconsistent. The old programmer's rule of "Garbage in, garbage out" applies to ACLs as well.
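The top-down, first-match rule and the shadowing that makes ACL 11 inconsistent, as an added Python model that is not part of the white paper: it parses the standard ACL lines above, evaluates each of the five quiz addresses the way IOS would (implicit deny at the end), and also reports any line that an earlier line makes unreachable, which is the check a reviewer would run before pushing a list like ACL 11. Names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the white paper): a model of standard IP ACL
# evaluation. IOS walks the list top-down and the first matching line
# decides; a packet that matches no line hits the implicit "deny any".
ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


class StandardAclLine:
    def __init__(self, action: str, address: str, wildcard: str = "0.0.0.0"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.action = action
        self.care = _ip(wildcard) ^ ALL_ONES       # address bits that must match
        self.address = _ip(address) & self.care    # the value those bits must have

    def matches(self, src: str) -> bool:
        return (_ip(src) & self.care) == self.address

    def covers(self, other: "StandardAclLine") -> bool:
        """True if self matches every source address that other can match:
        self compares no bit that other ignores, and agrees on the bits it compares."""
        return (self.care & (other.care ^ ALL_ONES)) == 0 and \
            (other.address & self.care) == self.address


def parse_standard_acl(text: str) -> List[StandardAclLine]:
    """Parse lines such as 'access-list 10 deny 10.1.2.0 0.0.0.255',
    'permit host 10.1.2.3' or 'permit any'. The 'access-list N' prefix
    and a leading label like 'B.' are optional."""
    acl = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[0] not in ("permit", "deny", "access-list"):
            tokens = tokens[1:]                    # drop a label such as 'B.'
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        action, target = tokens[0], tokens[1]
        if target == "any":
            acl.append(StandardAclLine(action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            acl.append(StandardAclLine(action, tokens[2]))
        else:
            acl.append(StandardAclLine(action, target, *tokens[2:3]))
    return acl


def evaluate(acl: List[StandardAclLine], src: str) -> Tuple[str, Optional[int]]:
    """(action, 1-based line number) of the first matching line, or
    ('deny', None) when only the implicit deny any applies."""
    for number, line in enumerate(acl, start=1):
        if line.matches(src):
            return line.action, number
    return "deny", None


def shadowed_lines(acl: List[StandardAclLine]) -> List[int]:
    """1-based numbers of lines no packet can ever reach, because a single
    earlier line already matches everything they would match."""
    return [i + 1 for i, line in enumerate(acl)
            if any(earlier.covers(line) for earlier in acl[:i])]


# The page's ACL 10, ACL 11 (lines B and C swapped) and its five quiz addresses.
ACL_10 = """
access-list 10 permit 10.1.2.3
access-list 10 deny 10.1.2.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""
ACL_11 = """
access-list 11 permit 10.1.2.3
access-list 11 permit 10.1.0.0 0.0.255.255
access-list 11 deny 10.1.2.0 0.0.0.255
access-list 11 deny 10.0.0.0 0.255.255.255
access-list 11 permit any
"""
QUIZ = ["10.1.2.4", "172.16.1.1", "10.1.3.3", "10.1.2.3", "10.2.2.3"]

if __name__ == "__main__":
    for name, text in (("ACL 10", ACL_10), ("ACL 11", ACL_11)):
        acl = parse_standard_acl(text)
        for src in QUIZ:
            print(name, src, evaluate(acl, src))
        print(name, "unreachable lines:", shadowed_lines(acl))
```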
ACL Editing
The ACL editing capabilities depend on the IOS version. Under older IOS (early 12 and before), all you could do with a numbered ACL was:
- Add lines to the bottom (append)
- Delete the entire ACL
What you couldn't do was add lines anywhere other than at the bottom, or delete individual lines. If you wanted to do more extensive editing, you had to delete the list, and then recreate it. With current IOS (12.4), you can add lines wherever you like or to the bottom, and delete individual lines as well as the entire ACL.
You access the enhanced editing capabilities via sequence numbers that IOS automatically adds to the lines. You can see the sequence numbers with show access-list. For example, given ACL 11 above, we would see:
Router#show access-list
Standard IP access list 11
10 permit 10.1.2.3
20 permit 10.1.0.0, wildcard bits 0.0.255.255
30 deny 10.1.2.0, wildcard bits 0.0.0.255
40 deny 10.0.0.0, wildcard bits 0.255.255.255
50 permit any
Using the per-line sequence numbers, you can make the changes you desire.
Named ACLs
Another enhanced capability, named ACLs, was introduced with IOS 12. Let's take a look at creating a named standard ACL.
Router#conf t
Router(config)# ip access-list standard Block_RFC1918
Router(config-std-nacl)#
Note that the prompt now reads config-std-nacl, meaning that we're configuring a standard named ACL (with the case-sensitive name Block_RFC1918). Now let's add some lines to the list:
Router(config-std-nacl)#deny 10.0.0.0 0.255.255.255
Router(config-std-nacl)#deny 172.16.0.0 0.15.255.255
Router(config-std-nacl)#deny 192.168.0.0 0.0.255.255
Router(config-std-nacl)#permit any
You might recognize this as a list that denies the RFC 1918 private addresses, and permits the public addresses. Like numbered ACLs, a named ACL must be placed in service to have any effect, and that's done exactly as it is for a numbered list. For example, to control the data flowing outbound through FastEthernet 0/0:
Router(config)#interface fa0/0
Router(config-if)#ip access-group Block_RFC1918 out
You can also use a named standard ACL to control Telnet and/or SSH access:
Router(config)#line vty 0 4
Router(config-line)#access-class Block_RFC1918 in
As with the numbered ACLs, named ACLs are assigned per-line sequence numbers that facilitate editing. You can also use the named ACL editor to create and edit numbered ACLs. Just use the number of the ACL as the name:
Router(config)# ip access-list standard 12
Router(config-std-nacl)#
One more thing: with both named and numbered ACLs, you can add remarks. You add a remark to a numbered ACL like this:
Router(config)#access-list 13 remark This is my workstation
Router(config)#access-list 13 permit 10.1.2.3
Similarly, to add a remark to a named ACL, you would do:
Router(config)# ip access-list standard Permit_Me
Router(config-std-nacl)#remark This is my workstation
Router(config-std-nacl)#permit 10.1.2.3
You can have multiple remarks within a numbered or named ACL. Note that while the remarks don't appear with show access-list, they do appear with show run and show start.
Differences between Standard and Extended ACLs
Having discussed general ACL rules and syntax, let's now turn to the differences between standard and extended ACLs. As you might recall, numbered ACLs fall into several ranges.
- 1-99: Standard IP
- 100-199: Extended IP
- 1300-1999: Standard IP (expanded range)
- 2000-2699: Extended IP (expanded range)
- Other ranges for other protocols
Originally, the ranges for standard and extended IP ACLs were 1-99 and 100-199, respectively, but now that ACLs are used for so many things, a hundred or so of each might not be enough. For this reason, the expanded ranges were introduced. There are now a total of 699 standard, and 700 extended numbered IP ACLs available.
So, aside from the different numerical ranges involved, what are the differences between a standard and an extended ACL? In addition to filtering by source address (which is all that a standard IP ACL can do), an extended IP ACL allows us to filter based on:
- Destination address
- Transport layer protocols
- Port numbers
- Other options
To see what this means, let's look at an example of an extended IP ACL.
access-list 101 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet
ACL 101 permits only Telnet traffic (TCP port 23) originating from source 1.2.3.4 and targeting host 5.6.7.8, and denies all other traffic (the implicit deny any also applies to extended ACLs). Note that the source address is given first (along with either the keyword host or a wildcard mask), followed by the destination address (also with either the keyword host or a WCM). You could also write ACL 101 using wildcard masks, like this:
access-list 101 permit tcp 1.2.3.4 0.0.0.0 5.6.7.8 0.0.0.0 eq telnet
The two choices are functionally equivalent, but for most humans the WCM format is harder to read than that using keyword host, so I personally avoid the 0.0.0.0 WCM. Note that, unlike a standard ACL, when specifying an address in an extended ACL, either the keyword host or a wildcard mask must be used. Attempting to write ACL 101 like this would result in a syntax error:
access-list 101 permit tcp 1.2.3.4 5.6.7.8 eq telnet
Here's another example of a syntactically correct extended IP ACL.
access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq tftp
access-list 102 permit ip any any
ACL 102 denies TFTP traffic (and only TFTP traffic) from any host on the 172.16.0.0 network going to any host on the 192.168.1.0 network, and permits everything else. Note that a permit any in an extended ACL must specify the protocol (ip, meaning anything in the IP suite), and both the source and destination addresses (any any).
Using Port Numbers
By the way, in our extended ACLs we've been using keywords for the common port numbers (Telnet = 23, TFTP = 69, etc.), but you can also use the port numbers, which means that ACL 102 could also be written like this:
access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq 69
access-list 102 permit ip any any
To get a list of the keywords for commonly used ports, you can use the question mark, like this (note the space in between eq and the ?):
access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq ?
Also, in addition to eq (equal-to), you can also specify gt (greater-than), lt (less-than), and other options. You can also use the question mark to view these.
Let's say that we want to permit traffic only to hosts on network 10.0.0.0, while denying everything else. Here's a possible solution.
access-list 103 permit ip any 10.0.0.0 0.255.255.255
ACL 103 applies to any protocol in the IP suite (due to the ip keyword), from any source (keyword any), going to any destination on the 10.0.0.0 network (note the WCM). Since no port or other option information was specified, the ACL applies to all ports and options.
Options
Speaking of options, let's look at a few of those. ICMP has many different options, one of them being echo, used by the ping application. Here's an ACL that will specifically deny pings, while permitting all other traffic:
access-list 104 remark This ACL stops pings
access-list 104 deny icmp any any echo
access-list 104 permit ip any any
If you really wanted to nail things down, you could deny not only pings (ICMP echoes), but also their replies (ICMP echo replies), like this:
access-list 105 remark This ACL stops pings and replies
access-list 105 deny icmp any any echo
access-list 105 deny icmp any any echo-reply
access-list 105 permit ip any any
As with standard IP ACLs, you can create named extended IP ACLs. For example, you could create a named ACL equivalent to ACL 105 like this:
Router#conf t
Router(config)#ip access-list ext stop_ping
Router(config-ext-nacl)#remark This ACL stops pings and replies
Router(config-ext-nacl)#deny icmp any any echo
Router(config-ext-nacl)#deny icmp any any echo-reply
Router(config-ext-nacl)#permit ip any any
Finally, you put an extended IP ACL in service the same way you do a standard IP ACL. For example, to put ACL 105 in effect outbound on the GigEthernet 2/1 interface, you would do:
Router#conf t
Router(config)#int g2/1
Router(config-if)#ip access-group 105 out
Likewise, to place ACL stop_ping in force inbound on the Serial 1/2 interface:
Router#conf t
Router(config)#int s1/2
Router(config-if)#ip access-group stop_ping in
Remember, ACL names are case-sensitive, and the underscore is not the same as the dash (hyphen). You need to place an ACL in service using exactly the same name as that used to create it.
Packet Filtering
We can use extended IP ACLs to filter packets based on source address, destination address, transport layer protocols, and other options, as follows:
access-list 106 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet
For a packet to be permitted by ACL 106, the following must be true:
- The transport layer protocol is TCP
- The source address is 1.2.3.4
- The destination address is 5.6.7.8
- The destination port is Telnet (port 23)
Why is it the destination port, and not the source port? It's because the port specification (eq telnet) follows the destination address (5.6.7.8). In ACL 106, since the source port is unspecified, it could be anything. What if instead we had written the ACL like this:
access-list 107 permit tcp host 1.2.3.4 eq telnet host 5.6.7.8
For a packet to be permitted by ACL 107, the following must be true:
- The transport layer protocol is TCP.
- The source address is 1.2.3.4.
- The source port is Telnet (port 23).
- The destination address is 5.6.7.8.
Thus, using an extended IP ACL gives us directional control that we don't have with a standard IP ACL. Let's look at an example:
access-list 108 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 108 permit ip any any
Assuming that ACL 108 is placed in service correctly, it will prevent host 1.2.3.4 from opening a Telnet session to host 5.6.7.8. This is because when host 1.2.3.4 (the Telnet client) sends the TCP syn to host 5.6.7.8 (the Telnet server), the addresses match the deny line, as does the destination port of 23 (Telnet) and the transport layer protocol (TCP). Thus, the syn packet is denied, and the TCP session is never established.
Will ACL 108 also prevent host 5.6.7.8 from opening a Telnet session to host 1.2.3.4? Remember that for most applications, client ports are chosen randomly in the range of 1024 and above. Let's say that when host 5.6.7.8's Telnet client process starts, the IP stack in 5.6.7.8 assigns that process a port number of 2000. Now, when 5.6.7.8 sends a TCP syn to host 1.2.3.4 (the Telnet server), even though the destination port of 23 (the server) matches that specified by the deny line of ACL 108, as does the transport protocol (TCP), the source and destination addresses do not match (the addresses are reversed). Since the packet does not match the deny line, it's permitted by the permit line. Thus 1.2.3.4 receives the syn packet, and the first phase of the TCP three-way handshake is successful.
Next, the Telnet server (1.2.3.4) will reply to the client (5.6.7.8) with a syn ack (the second phase of the TCP three-way handshake). For this packet, the addresses do match those specified by the deny line of ACL 108, as does the transport protocol (TCP), but the destination port doesn't. Remember, the server (1.2.3.4), using port 23 (which would be the source port), is replying to the client (5.6.7.8), at port 2000 (the destination port). Since 2000 is not the destination port specified by the deny line of ACL 108, the packet does not match the deny line, and is permitted by the permit line. Thus, the syn ack makes it to 5.6.7.8.
When 5.6.7.8 then sends 1.2.3.4 an ack (to complete the three-way handshake), this packet is permitted as well, and the Telnet session has been successfully established. Thus, an extended IP ACL gives us directional control, which is both good and bad. It's good, because it gives us more flexibility, but it's bad because to deny traffic in both directions, we have to explicitly deny the traffic in both directions. In other words, to block Telnet bi-directionally between 1.2.3.4 and 5.6.7.8, but permit everything else, we could do this:
access-list 109 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 109 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8
access-list 109 permit ip any any
When blocking particular protocols, be careful to permit everything you intend to permit. What does ACL 110 permit?
access-list 110 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 110 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8
access-list 110 permit tcp any any
ACL 110 permits any TCP traffic that isn't Telnet, but it doesn't permit TFTP or VoIP (which use UDP) or ping (which uses ICMP). If you mean to permit ip (the entire protocol suite), then that's what you have to say. And remember that in addition to specifying an exact port (eq), you can also use lt, gt, or a range (less-than, greater-than, or a range of port numbers, respectively).
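The handshake walk-through above and the ACL 110 pitfall, as an added Python model that is not part of the white paper: it parses extended ACL lines of the forms used on this page (tcp/udp/ip, host/any/wildcard, an optional eq port after either address), matches packets on all five fields, and checks whether every packet of a Telnet three-way handshake gets through. It assumes, as the text's reasoning does, that the same ACL is checked against every packet of the exchange in both directions; ICMP type keywords and lt/gt/range are not modeled, and all names are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Added example (not from the white paper): extended IP ACL matching on
# protocol, source address/port and destination address/port, used to trace
# the Telnet three-way handshake through ACLs 108, 109 and 110.
ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"telnet": 23, "ssh": 22, "tftp": 69}   # keywords used on this page

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

class Packet(NamedTuple):
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

class Endpoint(NamedTuple):
    address: int          # value the compared address bits must have
    care: int             # bits compared (wildcard 0 bits); wildcard 1 bits are ignored
    port: Optional[int]   # None when no 'eq' was given, so any port matches

    def matches(self, addr: str, port: int) -> bool:
        return (_ip(addr) & self.care) == self.address and \
            (self.port is None or self.port == port)

def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' plus an optional 'eq PORT';
    return the endpoint and the index of the next unread token."""
    if tokens[i] == "any":
        address, care, i = 0, 0, i + 1
    elif tokens[i] == "host":
        address, care, i = _ip(tokens[i + 1]), ALL_ONES, i + 2
    else:
        care = _ip(tokens[i + 1]) ^ ALL_ONES
        address, i = _ip(tokens[i]) & care, i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1])
        if port is None:
            port = int(tokens[i + 1])
        i += 2
    return Endpoint(address, care, port), i

class ExtendedAclLine(NamedTuple):
    action: str
    proto: str      # "ip" matches every protocol in the suite
    src: Endpoint
    dst: Endpoint

    def matches(self, p: Packet) -> bool:
        return self.proto in ("ip", p.proto) and \
            self.src.matches(p.src, p.sport) and self.dst.matches(p.dst, p.dport)

def parse_extended_acl(text: str) -> List[ExtendedAclLine]:
    acl = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]          # drop 'access-list N'
        src, i = _parse_endpoint(tokens, 2)
        dst, _ = _parse_endpoint(tokens, i)
        acl.append(ExtendedAclLine(tokens[0], tokens[1], src, dst))
    return acl

def evaluate(acl: List[ExtendedAclLine], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching line wins; no match means the implicit deny ip any any."""
    for number, line in enumerate(acl, start=1):
        if line.matches(p):
            return line.action, number
    return "deny", None

def telnet_handshake_allowed(acl: List[ExtendedAclLine], client: str,
                             client_port: int, server: str) -> bool:
    """True if all three handshake packets are permitted. Assumes, as the
    text's walk-through does, that the same ACL is checked against every packet."""
    exchange = [
        Packet("tcp", client, client_port, server, 23),   # syn
        Packet("tcp", server, 23, client, client_port),   # syn ack
        Packet("tcp", client, client_port, server, 23),   # ack
    ]
    return all(evaluate(acl, p)[0] == "permit" for p in exchange)

# The page's ACLs 108, 109 and 110, verbatim.
ACL_108 = """access-list 108 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 108 permit ip any any"""
ACL_109 = """access-list 109 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 109 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8
access-list 109 permit ip any any"""
ACL_110 = """access-list 110 deny t  cp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 110 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8
access-list 110 permit tcp any any""".replace("t  cp", "tcp")
# Constructed TFTP datagram (UDP), not from the page: ACL 110 has no line for it.
TFTP_PACKET = Packet("udp", "10.1.1.1", 5000, "10.2.2.2", 69)
```

With these definitions, telnet_handshake_allowed(parse_extended_acl(ACL_108), "5.6.7.8", 2000, "1.2.3.4") returns True while the 1.2.3.4 to 5.6.7.8 direction returns False, ACL 109 refuses both, and evaluate(parse_extended_acl(ACL_110), TFTP_PACKET) falls through to the implicit deny.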
Similarly, what if we want to block pings (ICMP echoes) from host 1.2.3.4 to the 10.0.0.0 network? We could do:
access-list 111 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo
access-list 111 permit ip any any
Note that although ACL 111 will prevent host 1.2.3.4 from successfully pinging hosts on the 10.0.0.0 network, it will permit network 10.0.0.0 hosts to ping host 1.2.3.4. To block pings in both directions, you could also deny ICMP echo replies, like this:
access-list 112 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo
access-list 112 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo-reply
access-list 112 permit ip any any
What other options are available with extended IP ACLs? As you might recall, both standard and extended IP ACLs now count the number of matches on each line, and this can be viewed with show access-lists. This allows you to monitor who is doing what, or, in the case of a deny, who is attempting to do what.
With extended IP ACLs, you can go one step further, and have the ACL display console messages when matches occur. This is accomplished by appending the keyword log to lines of the ACL, like this:
access-list 113 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet log
access-list 113 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8 log
access-list 113 permit ip any any
Note that in ACL 113, we didn't add the log option to the permit, because we aren't interested in the non-Telnet traffic, and don't want to see messages regarding that.
There are many other things that can be done with extended IP ACLs. Consult the Cisco docs for examples, and don't forget to use the ? to check for available keywords and options with your particular version of IOS.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
- ICND1 Interconnecting Cisco Network Devices 1
- ICND2 Interconnecting Cisco Network Devices 2
- CCNA Boot Camp
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.
Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to
your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.
About the Author
Al Friebe is a Cisco Certified Systems Instructor (CCSI) who has been teaching networking classes since 1995. In the past, he has served as Global Knowledge's Course Director for BGP and BSCI, and he is the author of Global Knowledge's current ICND2 labs. His previous experience includes instructor duty in the U.S. Navy's Nuclear Power School, radiochemistry, software engineering, and network management. His certifications include CCDA, CCDP, CCNA, CCNP, A+ and others.