Access Control Lists ACL - PowerPoint PPT Presentation

Provided by: gtc3
Slides: 15

Transcript and Presenter's Notes

1
Access Control Lists (ACL)
2
Access-List Overview
  • A Filter through which all traffic must pass
  • Used to Permit or Deny Access to Network
  • Provides Security
  • Bandwidth Management
  • Come in two flavors: STANDARD and EXTENDED

3
What is an Access-List
  • A List of Criteria to which all Packets are
    compared. For example:
    • Is this Packet from Network 10.5.2.0?
      • Yes - Forward the Packet
      • No - Check the Next Statement
    • Is this a Telnet Protocol Packet from 25.25.0.0?
      • Yes - Forward the Packet
      • No - Check the Next Statement
    • Deny All Other Traffic

4
How an Access-List Works
  • Packets are compared to Each Statement in an
    Access-list SEQUENTIALLY - From
    the Top Down.
  • The sooner a decision is made the better.
  • Well written Access-lists take care of the most
    abundant type of traffic first.
  • All Access-lists End with an Implicit Deny All
    statement

5
Standard Access Lists
  • Are given a number from 1-99
  • Filtering based only on Source Address
  • Should be applied closest to the Destination

6
Extended Access-lists
  • Are given a number from 100-199
  • Much more flexible and complex
  • Can filter based on:
    • Source address
    • Destination address
    • Session Layer Protocol (ICMP, TCP, UDP, ...)
    • Port Number (80 http, 23 telnet, ...)
  • Should be applied closest to the Source

7
Two Steps - Create and Apply
  • Step 1 - Create the Access-list
    • access-list # permit/deny source-IP wildcard
    • # - the list number, 1-99 for a standard list
    • permit/deny - switch the packet or drop it
    • source IP - source IP address to which the packet
      should be compared. Can also use ANY
    • wildcard - see next page
  • Step 2 - Apply the Access-list to an Interface
    • Must be in interface config mode (config-if)
    • ip access-group # in/out (in or out from the
      router's point of view)

8
Wildcards
  • Allows you to indicate a Range of IP addresses
  • Two bit values are used, compared bit by bit against
    the address:
    • 0 - the corresponding address bit Must Match Exactly
    • 1 - the corresponding address bit Does Not Matter

9
Wildcard Examples
  • Network: 195.34.5.12   Wildcard: 0.0.0.0
  • Result: Match all four octets
    • Only 195.34.5.12 is a match
  • Could also use "host 195.34.5.12" in place of the
    wildcard. Host indicates an exact match is needed.

10
Wildcard Examples
  • Network: 172.16.10.0   Wildcard: 0.0.0.255
  • Result: Match the first three octets exactly but
    ignore the last octet.
    • 172.16.10.0 thru 172.16.10.255 is a match since
      the last octet does not matter.
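To tie slides 4, 7, 9 and 10 together, here is an added Python model (not part of the original deck) of a standard access-list: it parses lines in the `access-list # permit/deny source wildcard` form including the `host` and `any` shorthands, applies the wildcard bit by bit, evaluates statements top down with first match winning, falls through to the implicit deny all, and keeps per-statement match counters like the ones a router shows. The list contents are constructed from the deck's own wildcard examples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    action: str     # "permit" or "deny"
    source: int     # source address as a 32-bit integer
    wildcard: int   # wildcard mask: 0 bit = must match, 1 bit = don't care
    hits: int = 0   # packets that matched this statement (router-style counter)

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <1-99> permit|deny <source> <wildcard>' line,
    accepting the 'host A.B.C.D' and 'any' shorthands."""
    tok = line.split()
    if tok[0] != "access-list" or not 1 <= int(tok[1]) <= 99:
        raise ValueError("standard access-list numbers are 1-99")
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if tok[3] == "any":                      # any = match every address
        src, wc = "0.0.0.0", "255.255.255.255"
    elif tok[3] == "host":                   # host = exact match, wildcard 0.0.0.0
        src, wc = tok[4], "0.0.0.0"
    else:
        src, wc = tok[3], tok[4]
    return Entry(action, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wc)))

def matches(entry: Entry, packet_src: str) -> bool:
    """Match when every bit whose wildcard bit is 0 agrees with the entry's source."""
    addr = int(ipaddress.IPv4Address(packet_src))
    return ((addr ^ entry.source) & ~entry.wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: list, packet_src: str) -> str:
    """Top down, first match wins; falling off the end is the implicit deny all."""
    for entry in acl:
        if matches(entry, packet_src):
            entry.hits += 1
            return entry.action
    return "deny"   # implicit deny all: no statement, so no counter

# Constructed list 10, built from the wildcard examples on the slides.
ACL = [parse_entry(line) for line in (
    "access-list 10 permit 172.16.10.0 0.0.0.255",   # whole 172.16.10.x range
    "access-list 10 deny host 195.34.5.12",          # one exact host
    "access-list 10 permit 195.34.5.0 0.0.0.255",    # rest of that /24
)]

if __name__ == "__main__":
    for src in ("172.16.10.77", "195.34.5.12", "195.34.5.13", "10.5.2.1"):
        print(src, "->", evaluate(ACL, src))
    print("hits per statement:", [e.hits for e in ACL])
```

The last address hits no statement and is dropped by the implicit deny, which is why it never shows up in any counter; that invisible deny is what the "revisit your access-list" advice on slide 13 depends on.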

11
Implementing Access-lists
  • Remember the Implicit Deny All at the end of each
    access-list.
  • Two Approaches
    • 1. List the traffic you know you want to permit,
      then deny all other traffic
    • 2. List the traffic you want to deny,
      then permit all other traffic (permit any)

12
Implementing Access-lists
  • You cannot selectively add or remove statements
    from an Access-list
  • Typically modifications are made in a text editor
    and then pasted to the router as a new
    access-list. The new access list is then applied
    and the old one removed
  • Document your Access-list
  • After each line indicate exactly what that line
    is supposed to do.

13
Implementing Access-lists
  • Verifying Your Access-list
    • show access-lists
    • show ip interface
  • Revisit your access-list after a few days
    • Routers keep track of the number of packets that
      match each statement in an access-list
    • Use this information to reorder your access-list
      and thus improve its efficiency
  • Never remove an access-list that is applied to a
    port - this can crash a router.

14
Summary Access-Lists
  • Are Created and then Applied to an interface
  • Are Implemented Sequentially - Top Down
  • End with an implicit Deny ALL statement
  • 1-99 Standard and 100-199 Extended
  • Standard - source address only
  • Extended - source, destination, protocol, port