Access List configuration
Basing ACL names on their number range may be confusing, so it is best to consider the way ACLs are created at the router configuration prompt. ACLs are configured by protocol first. Some, but not all, ask for a standard or extended qualifier in their statements, and then the numeric name is assigned. Here are some examples:
IP access-lists
· Router(config)# ip access-list standard 6
· Router(config)# ip access-list extended 185
IPX access-lists
· Router(config)# ipx access-list standard 810
· Router(config)# ipx access-list extended 915
VINES access-lists
· Router(config)# vines access-list 65 (a standard VINES list)
· Router(config)# vines access-list 140 (an extended VINES list)
Configuring IP Standard ACLs on Cisco routers
Cisco IP Standard ACLs are used to filter traffic based on a single source IP address, or a range of them, in the IP packet header. Destination addresses are not considered in a standard ACL. Let's look at the format of an IP Standard ACL:
access-list [access-list-number] [deny/permit] [source ip address] [wildcard mask]
Looking at the format, you can see the configuration statement begins with the access-list command and the ACL number. In this case, the range for IP Standard ACLs is 1 to 99. You must then declare whether this ACL statement will deny or permit the IP addresses that follow. The final two parts of the statement are the source IP address and a wildcard mask; together they determine whether the address is a single host or a range of IP addresses. The following is an example of a valid IP Standard ACL:
access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any
In the first statement of this ACL, IP traffic from the single host 172.16.0.2 is denied. The second statement denies a range of IP addresses in the 172.16.1.0 network. The range covers 256 IP addresses, 0 to 255, for that subnet (a 0 bit in the wildcard mask means that bit of the address must match exactly; a 1 bit is ignored). A shorter range is shown in the third statement, which permits 128 IP addresses from the 172.16.2.0 subnet (0-127). The final statement in the ACL gives an implicit deny to all IP addresses.
NOTE: ACL statement flow
It is crucial that you understand how ACLs are parsed for matches when compared with an IP packet. All comparisons start at the top of the list and work down. Once a match is made, the traffic is either permitted or denied and the comparison stops. You must therefore be careful about the order in which you place your ACL statements.
Configuring IP Extended ACLs on Cisco Routers
Cisco IP Extended ACLs are more complex than the Standard versions. The IP Extended ACL adds the ability to filter on destination IP address and includes some additional layer 3 and layer 4 protocol support, in particular TCP, UDP, and ICMP. This additional functionality makes IP Extended ACLs very powerful tools for IT security and network professionals. Let's take a look at the format of the IP Extended ACL:
access-list [access-list-number] [deny/permit] [protocol] [source ip address] [wildcard mask] [source port] [destination ip address] [wildcard mask] [destination port] [statement flag]
As you can see from this format, IP Extended ACL statements can become rather long, but they are very effective in filtering specific types of traffic based on address and ports. Below are a few examples of IP Extended ACL statements:
access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any
What do we see happening in this IP Extended ACL? The first statement denies IP traffic from the 172.16.1.0 subnet to the entire 172.16.5.0 destination subnet and logs any matches in the router log. The second statement is similar, but denies traffic from the 172.16.1.0 subnet to the single host 172.16.4.1. It is important to note the difference in how IP Extended ACLs identify a single host compared to an IP Standard ACL: single hosts in the Extended version use the host keyword before the IP address, and no wildcard mask is required.
The next statements in the ACL show how TCP, UDP, and ICMP can be used in these ACLs. The third statement permits TCP traffic from the 172.16.3.0 subnet with a source port of 80 to any destination IP and logs the matches. Continuing down the list, the next statement denies UDP traffic from the first 128 IP addresses in the 172.16.6.0 subnet to the first 32 IP addresses in the 172.16.5.0 subnet with a destination port of 53, and logs any matches.
These two statements use ports for both TCP and UDP as part of their match criteria. Cisco and other routers can associate well-known ports for these protocols with keywords for familiarity. In the TCP statement, port 80 is associated with HTTP traffic; a Cisco ACL accepts either 80 or http as a valid port. The UDP statement uses port 53, which is DNS. Most routers will automatically translate the port number to these keywords for you, and you can see them in the ACL when you run show ip access-lists or show running-config.
The next statement is slightly different. It permits ICMP traffic, the protocol used by ping. The statement allows ICMP traffic from any source to any destination, but uses the flag host-unreachable. This flag matches only ICMP host-unreachable messages, the reply to a ping request that reports the target host cannot be contacted. The final statement in the list is an implicit deny of all traffic that was not matched by the previous ACL statements.
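To make the wildcard-mask and top-down, first-match behaviour from the Standard ACL section and the Extended ACL section concrete, here is a small evaluator written for this page (it is not Cisco code and not part of the original post). It assumes a simplified subset of the syntax: only the eq port operator, only the http and domain port keywords, and statement flags such as log or host-unreachable are parsed past but not enforced.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")     # the 'any' keyword: wildcard of all ones
PORT_NAMES = {"http": 80, "domain": 53}  # IOS port keywords for the ports on the page

def wildcard_match(addr, base, wildcard):  # 0 bit must match exactly, 1 bit is "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(tok):  # consume 'any', 'host X' or 'X wildcard' -> (base, wildcard)
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_port(tok):  # consume an optional 'eq <port>'; 'log' and ICMP flags are left alone
    if tok[:1] != ["eq"]:
        return None
    _, p = tok.pop(0), tok.pop(0)
    return int(p) if p.isdigit() else PORT_NAMES[p]

def parse_acl(lines):
    """Standard (1-99): source only. Extended (100-199): proto, src[/port], dst[/port]."""
    rules = []
    for line in lines:
        tok = line.split()                       # access-list <number> <permit|deny> ...
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:
            rules.append((action, "ip", parse_addr(rest), None, ANY, None))
        else:
            proto = rest.pop(0)
            src, sport = parse_addr(rest), parse_port(rest)
            dst, dport = parse_addr(rest), parse_port(rest)
            rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Compare top-down; first match wins, and no match falls through to the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and wildcard_match(src, *rsrc) and wildcard_match(dst, *rdst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

# Sample input: four of the page's ACL 165 statements, without the final "deny ip any any",
# so that traffic matching nothing is decided by the implicit deny instead.
ACL_165 = parse_acl([
    "access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log",
    "access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log",
    "access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log",
    "access-list 165 permit icmp any any host-unreachable",
])
```

Feeding the same packet tuple through an ACL before and after reordering its statements is a quick way to see why the NOTE above insists on statement order.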
Implementation of ACLs on a router interface
Now that we have seen the structure of these ACLs, we need to be able to apply them to a router interface. To apply an ACL to an interface, you must enter that interface's configuration mode on the router. The command to associate an IP ACL with an interface has the following format:
ip access-group [access-list-number] [in/out]
Note the difference in the statement: the command is ip access-group, not access-list as in the ACL configuration. Let's look at a quick example of assigning an ACL to interface FastEthernet 0/0 on a Cisco router.
Router#config t
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 165 in
This example applies the IP Extended ACL 165 to the interface on its ingress side. To place the ACL on the egress side, the final flag at the end would be changed to out.