Any Questions? - PowerPoint PPT Presentation

Provided by: EliasPap
1
Any Questions?
2
Chapter 6 IP Access Control Lists
  • Standard IP Access Control Lists
  • Extended IP Access Control Lists
  • Advances in Managing ACL Configuration
  • Miscellaneous ACL Topics

3
Do I know this?
Go through the quiz (5 minutes)
5
  • 1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?
  • a. Match the exact source IP address
  • b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses
  • c. Match all IP addresses in Barney's subnet with one access-list command without matching other IP addresses
  • d. Match only the packet's destination IP address
  • Answer: A, C

7
  • 2. Which of the following wildcard masks is most
    useful for matching all IP packets in subnet
    10.1.128.0, mask 255.255.255.0?
  • a. 0.0.0.0
  • b. 0.0.0.31
  • c. 0.0.0.240
  • d. 0.0.0.255
  • e. 0.0.15.0
  • f. 0.0.248.255
  • Answer: D

9
  • 3. Which of the following wildcard masks is most
    useful for matching all IP packets in subnet
    10.1.128.0, mask 255.255.240.0?
  • a. 0.0.0.0
  • b. 0.0.0.31
  • c. 0.0.0.240
  • d. 0.0.0.255
  • e. 0.0.15.255
  • f. 0.0.248.255
  • Answer: E

11
  • 4. Which of the following fields cannot be
    compared based on an extended IP ACL?
  • a. Protocol
  • b. Source IP address
  • c. Destination IP address
  • d. TOS byte
  • e. URL
  • f. Filename for FTP transfers
  • Answer: E, F

13
  • 5. Which of the following access-list commands
    permits traffic that matches packets going from
    host 10.1.1.1 to all web servers whose IP
    addresses begin with 172.16.5?
  • a. access-list 101 permit tcp host 10.1.1.1
    172.16.5.0 0.0.0.255 eq www
  • b. access-list 1951 permit ip host 10.1.1.1
    172.16.5.0 0.0.0.255 eq www
  • c. access-list 2523 permit ip host 10.1.1.1 eq
    www 172.16.5.0 0.0.0.255
  • d. access-list 2523 permit tcp host 10.1.1.1 eq
    www 172.16.5.0 0.0.0.255
  • e. access-list 2523 permit tcp host 10.1.1.1
    172.16.5.0 0.0.0.255 eq www
  • Answer: A, E

15
  • 6. Which of the following access-list commands
    permits traffic that matches packets going to any
    web client from all web servers whose IP
    addresses begin with 172.16.5?
  • a. access-list 101 permit tcp host 10.1.1.1
    172.16.5.0 0.0.0.255 eq www
  • b. access-list 1951 permit ip host 10.1.1.1
    172.16.5.0 0.0.0.255 eq www
  • c. access-list 2523 permit tcp any eq www
    172.16.5.0 0.0.0.255
  • d. access-list 2523 permit tcp 172.16.5.0
    0.0.0.255 eq www 172.16.5.0 0.0.0.255
  • e. access-list 2523 permit tcp 172.16.5.0
    0.0.0.255 eq www any
  • Answer: E

17
  • 7. Which of the following fields can be compared
    using a named extended IP ACL but not a numbered
    extended IP ACL?
  • a. Protocol
  • b. Source IP address
  • c. Destination IP address
  • d. TOS byte
  • e. None of the other answers are correct.
  • Answer: E

19
  • 8. In a router running IOS 12.3, an engineer
    needs to delete the second line in ACL 101, which
    currently has four commands configured. Which of
    the following options could be used?
  • a. Delete the entire ACL and reconfigure the
    three ACL statements that should remain in the
    ACL.
  • b. Delete one line from the ACL using the no
    access-list... command.
  • c. Delete one line from the ACL by entering ACL
    configuration mode for the ACL and then deleting
    only the second line based on its sequence
    number.
  • d. Delete the last three lines from the ACL from
    ACL configuration mode, and then add the last two
    statements back into the ACL.
  • Answer: A, C

21
  • 9. What general guideline should you follow when
    placing extended IP ACLs?
  • a. Perform all filtering on output if at all
    possible.
  • b. Put more-general statements early in the ACL.
  • c. Filter packets as close to the source as
    possible.
  • d. Order the ACL commands based on the source IP
    addresses, lowest to highest, to improve
    performance.
  • Answer: C

22
  • 10. Which of the following tools requires the end
    user to telnet to a router to gain access to
    hosts on the other side of the router?
  • a. Named ACLs
  • b. Reflexive ACLs
  • c. Dynamic ACLs
  • d. Time-based ACLs
  • Answer: C

23
Any Questions?
24
ACL History
  • Original support for numbered ACLs (we will learn this first)
  • Then support for named ACLs, added in IOS 11.2 (also covered)
  • Now support for sequence numbers for ACLs, added in IOS 12.3 (way easier)

Pg 231
25
Access Control Lists
  • Allow a router to drop packets based on certain criteria
  • You build a list with multiple lines; each line is one of the rules to check
  • ACLs are also used to filter routing updates
  • And to match packets for priority, QoS, and VPN

Pg 232
26
ACLs Questions
  • Which packets to filter
  • Where to filter them

Pg 232
27
Where to filter
Pg 233
28
Key ACL ideas
  • Packets can be filtered as they enter an
    interface, before the routing decision.
  • Packets can be filtered before they exit an
    interface, after the routing decision.
  • Deny is the term used in Cisco IOS software to
    imply that the packet will be filtered.
  • Permit is the term used in Cisco IOS software to
    imply that the packet will not be filtered.
  • The filtering logic is configured in the access
    list.
  • At the end of every access list is an implied
    deny all traffic statement. Therefore, if a
    packet does not match any of your access list
    statements, it is blocked.

Pg 233
29
Any Questions?
30
ACL Logic
  • Matching: examine each packet against the ACL statements
  • Action: permit or deny

Pg 234
31
ACL Logic-KEY IDEA
  1. The matching parameters of the access-list
    statement are compared to the packet.
  2. If a match is made, the action defined in this
    access-list statement (permit or deny) is
    performed.
  3. If a match is not made in Step 2, repeat Steps 1
    and 2 using each successive statement in the ACL
    until a match is made.
  4. If no match is made with an entry in the access
    list, the deny action is performed.

Pg 234
32
Wildcard Masks
  • ACLs can match based on IP addresses
  • Standard ACLs match only on the source address
  • Wildcards let you specify a range of addresses in a single statement, for example to stop all hosts on a subnet
  • Logic: a 0 bit in the mask says compare that bit; a 1 bit says it doesn't matter
  • Adding the mask to the original address gives the last address in the matched range

Pg 235
33
Mask Examples
Wildcard Mask     Binary Version of the Mask            Description
0.0.0.0           00000000.00000000.00000000.00000000   The entire IP address must match.
0.0.0.255         00000000.00000000.00000000.11111111   Just the first 24 bits must match.
0.0.255.255       00000000.00000000.11111111.11111111   Just the first 16 bits must match.
0.255.255.255     00000000.11111111.11111111.11111111   Just the first 8 bits must match.
255.255.255.255   11111111.11111111.11111111.11111111   Automatically considered to match any and all addresses.
0.0.15.255        00000000.00000000.00001111.11111111   Just the first 20 bits must match.
0.0.3.255         00000000.00000000.00000011.11111111   Just the first 22 bits must match.
Pg 235
34
Figure out Wildcard masks
  • Use the subnet number as the address value in the access-list command.
  • Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
  • Example: to match all hosts in subnet 172.16.8.0 255.255.252.0

Pg 237
35
Any Questions?
36
ACL Command
  • Step 1: Use the address in the access-list command as if it were a subnet number.
  • Step 2: Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
  • Step 3: Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.
  • access-list 1 permit 172.16.200.0 0.0.7.255

Pg 237-238
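As an added example (not code from the slides or the textbook they follow), the conversions on this slide and the previous one in Python: wildcard from subnet mask, subnet mask back from wildcard, and the inclusive range that an address/wildcard pair matches (steps 1 to 3 above). The function names are the example's own; the sample values are the slides' own subnet 172.16.8.0 255.255.252.0 and the access-list 1 command above.

```python
# Added example: wildcard-mask arithmetic for Cisco ACLs (not from the slides).
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255


def to_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer back to dotted-decimal."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask):
    """Slide 34 rule: wildcard = 255.255.255.255 - subnet mask.
    The subtraction never borrows, so it equals inverting every bit."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def subnet_mask_from_wildcard(wildcard):
    """Slide 36, step 2: subnet mask = 255.255.255.255 - wildcard."""
    return to_dotted(ALL_ONES - to_int(wildcard))


def compared_bits(wildcard):
    """How many bits the ACL compares: the 0 bits of the wildcard
    (the 'Just the first N bits must match' column of the mask table)."""
    return 32 - bin(to_int(wildcard)).count("1")


def matched_range(address, wildcard):
    """Slide 36, steps 1 to 3: treat address/wildcard as subnet number and
    subnet mask; the ACL matches everything from the subnet number to the
    broadcast address, inclusive. Returns (first, last) as dotted strings."""
    wc = to_int(wildcard)
    first = to_int(address) & ~wc & ALL_ONES  # clear the 'don't care' bits
    last = first | wc                         # set them all: the broadcast address
    return to_dotted(first), to_dotted(last)


def wildcard_matches(packet_address, acl_address, wildcard):
    """The per-bit rule: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    wc = to_int(wildcard)
    return (to_int(packet_address) ^ to_int(acl_address)) & ~wc & ALL_ONES == 0


if __name__ == "__main__":
    # Slide 34 example: all hosts in subnet 172.16.8.0 255.255.252.0
    wc = wildcard_from_subnet_mask("255.255.252.0")
    print("172.16.8.0", wc, matched_range("172.16.8.0", wc))
    # Slide 36 command: access-list 1 permit 172.16.200.0 0.0.7.255
    print(subnet_mask_from_wildcard("0.0.7.255"), matched_range("172.16.200.0", "0.0.7.255"))
```

For the access-list 1 command above the range comes out as 172.16.200.0 through 172.16.207.255, which is also what adding the wildcard to the address gives; for the slide 34 subnet the wildcard is 0.0.3.255, the 22-bit row of the mask table.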
37
Standard ACL configuration
  • Memorize the syntax (it is not easy):
  • access-list access-list-number {deny | permit} source source-wildcard
  • Think about which is the source machine!
  • Don't forget the implied deny all at the end (the default)

Pg 238
38
ACL Logic
  • Step 1: Plan the location (router and interface) and direction (in or out) on that interface.
  • a. Standard ACLs should be placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded.
  • b. Because standard ACLs can only match a packet's source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
  • Step 2: Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
  • a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
  • b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
  • Step 3: Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.

Pg 239
39
ACL Example
  • interface Ethernet0
  • ip address 172.16.1.1 255.255.255.0
  • ip access-group 1 out
  • !
  • access-list 1 remark stop all traffic whose
    source IP is Bob
  • access-list 1 deny 172.16.3.10 0.0.0.0
  • access-list 1 permit 0.0.0.0 255.255.255.255
  • Create the access list by adding statements
  • Apply the access list to an interface, in or out

Pg 240
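An added Python example (not from the slides): a parser for the standard access-list commands above and on the next slide, and a first-match evaluator with the implied deny all from step 2. The config text is constructed from the slides' own commands; the function and class names are the example's own, and the parser only accepts the source forms shown in this chapter (any, host, address with wildcard, bare address).

```python
# Added example: first-match evaluation of a standard numbered ACL (not from the slides).
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF

# Constructed config text reproducing the ACLs shown on slides 39 and 40.
SAMPLE_CONFIG = """\
access-list 1 remark stop all traffic whose source IP is Bob
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any
"""


@dataclass
class Entry:
    action: str    # "permit" or "deny"
    address: int   # source address to compare against
    wildcard: int  # 0 bit = compare, 1 bit = don't care
    text: str      # the original command, for reporting


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_source(tokens):
    """Source forms accepted by a standard ACL: 'any', 'host A',
    'A W' and a bare 'A' (IOS treats a missing wildcard as 0.0.0.0)."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return _ip(tokens[1]), 0
    wildcard = _ip(tokens[1]) if len(tokens) > 1 else 0
    return _ip(tokens[0]), wildcard


def parse_standard_acl(config_text, number):
    """Collect the access-list <number> statements in configuration order;
    remarks are documentation only and never match a packet."""
    entries = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        if tok[2] == "remark":
            continue
        address, wildcard = parse_source(tok[3:])
        entries.append(Entry(tok[2], address, wildcard, line.strip()))
    return entries


def evaluate(entries, source_ip):
    """Step 2 of the slide: first match wins; with no match the packet is
    discarded by the implied 'deny all'. Returns (action, statement)."""
    src = _ip(source_ip)
    for entry in entries:
        if (src ^ entry.address) & ~entry.wildcard & ALL_ONES == 0:
            return entry.action, entry.text
    return "deny", "<implied deny all>"


ACL_1 = parse_standard_acl(SAMPLE_CONFIG, 1)
ACL_3 = parse_standard_acl(SAMPLE_CONFIG, 3)

if __name__ == "__main__":
    for ip in ("172.16.3.10", "172.16.3.11"):
        print(ip, evaluate(ACL_1, ip))
    # Order matters: swapping the two statements lets Bob through.
    print("reversed:", evaluate(list(reversed(ACL_1)), "172.16.3.10"))
```

Running the evaluator with the two statements of ACL 1 swapped shows why first-match order matters: the permit-all line then matches Bob before the deny line is ever reached.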
40
Example
Yosemite configuration:
  • interface serial 0
  • ip access-group 3 out
  • !
  • access-list 3 deny host 10.1.2.1
  • access-list 3 permit any
Seville configuration:
  • interface serial 1
  • ip access-group 4 out
  • !
  • access-list 4 deny 10.1.3.0 0.0.0.255
  • access-list 4 permit any
Pg 242
41
Any Questions?
42
Extended ACL concepts
Pg 244
43
Extended IP ACLS
  • Can match on more fields

Type of Access List               What Can Be Matched
Both standard and extended ACLs   Source IP address
                                  Portions of the source IP address using a wildcard mask
Only extended ACLs                Destination IP address
                                  Portions of the destination IP address using a wildcard mask
                                  Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
                                  Source port
                                  Destination port
                                  All TCP flows except the first
                                  IP TOS
                                  IP precedence
Pg 245
44
Examples
Pg 246
45
ACLS and Port numbers
  • The access-list command must use protocol keyword
    tcp to be able to match TCP ports and the udp
    keyword to be able to match UDP ports. The ip
    keyword does not allow for matching the port
    numbers.
  • The source port and destination port parameters
    on the access-list command are positional. In
    other words, their location in the command
    determines if the parameter examines the source
    or destination port.
  • Remember that ACLs can match packets sent to a
    server by comparing the destination port to the
    well-known port number. However, ACLs need to
    match the source port for packets sent by the
    server.
  • It is useful to memorize the most popular TCP and UDP applications and their well-known ports, as listed in Table 6-5, shown later in this chapter.

Pg 246
46
ACLs in Use
  • Connecting to a server
  • Think about addressing and traffic flow
  • access-list 101 permit tcp 172.16.1.0 0.0.0.255
    172.16.3.0 0.0.0.255 eq 21
  • Notice the location of eq: after the destination address, so it matches the destination port

Pg 247
47
ACL in use
  • Connection from server
  • access-list 101 permit tcp 172.16.3.0 0.0.0.255
    eq 21 172.16.1.0 0.0.0.255
  • Notice the location of eq: after the source address, so it matches the source port

Pg 248
48
Extended ACL commands
Command                                                                          Configuration Mode and Description
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
                                                                                 Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]
                                                                                 A version of the access-list command with TCP-specific parameters.
Pg 249
49
Extended ACL hints
  • Extended ACLs should be placed as close as
    possible to the source of the packets to be
    filtered, because extended ACLs can be configured
    so that they do not discard packets that should
    not be discarded. So filtering close to the
    source of the packets saves some bandwidth.
  • All fields in one access-list command must match
    a packet for the packet to be considered to match
    that access-list statement.
  • The extended access-list command uses numbers between 100 and 199 and between 2000 and 2699, with no number being inherently better than another.

Pg 249
50
Extended ACL Operators
Operator in the access-list Command   Meaning
eq                                    Equal to
neq                                   Not equal to
lt                                    Less than
gt                                    Greater than
range                                 Range of port numbers
Pg 250
51
Extended ACL example
  • interface Serial0
  • ip address 172.16.12.1 255.255.255.0
  • ip access-group 101 in
  • !
  • interface Serial1
  • ip address 172.16.13.1 255.255.255.0
  • ip access-group 101 in
  • !
  • access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
  • access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
  • access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
  • access-list 101 permit ip any any
Pg 250
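An added Python example (not from the slides) that carries the first-match idea over to extended ACLs: it parses the ACL on this slide and the client/server pair of commands from the "ACLs in Use" slides, reading the protocol keyword, the source and destination with their wildcards and the positional port operator, and takes a statement's action only when every field matches. The config text is constructed from the slides' commands; the port-name table is a small subset of the keywords IOS accepts, and the names of the functions and the Packet class are the example's own.

```python
# Added example: first-match evaluation of extended numbered ACLs (not from the slides).
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
OPERATORS = ("eq", "neq", "lt", "gt", "range")

# Constructed config: ACL 101 is this slide's list, ACL 102 the two 'ACLs in Use' commands.
SAMPLE_CONFIG = """\
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any
access-list 102 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 102 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str          # "ip" matches every protocol
    src: tuple          # (address, wildcard)
    sport: object       # (operator, (lo, hi)) or None
    dst: tuple
    dport: object
    text: str


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _take_address(tok, i):
    """Consume 'any', 'host A' or 'A W' at tok[i]; return ((addr, wc), next index)."""
    if tok[i] == "any":
        return (0, ALL_ONES), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _take_port_op(tok, i):
    """Consume an optional 'operator port' (or 'range lo hi') at tok[i]. Its position,
    right after the source or after the destination, decides which port it tests."""
    if i < len(tok) and tok[i] in OPERATORS:
        if tok[i] == "range":
            return (tok[i], (_port(tok[i + 1]), _port(tok[i + 2]))), i + 3
        port = _port(tok[i + 1])
        return (tok[i], (port, port)), i + 2
    return None, i


def parse_extended_acl(config_text, number):
    """Collect the access-list <number> statements in configuration order."""
    entries = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, i = _take_address(tok, 4)
        sport, i = _take_port_op(tok, i)
        dst, i = _take_address(tok, i)
        dport, i = _take_port_op(tok, i)
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return entries


def _addr_ok(pair, address):
    acl_addr, wc = pair
    return (_ip(address) ^ acl_addr) & ~wc & ALL_ONES == 0


def _port_ok(cond, port):
    if cond is None:          # no operator: any port matches
        return True
    op, (lo, hi) = cond
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def evaluate(entries, pkt):
    """Every field of a statement must match; first match wins; implied deny otherwise."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if (_addr_ok(e.src, pkt.src) and _port_ok(e.sport, pkt.sport)
                and _addr_ok(e.dst, pkt.dst) and _port_ok(e.dport, pkt.dport)):
            return e.action, e.text
    return "deny", "<implied deny all>"


ACL_101 = parse_extended_acl(SAMPLE_CONFIG, 101)
ACL_102 = parse_extended_acl(SAMPLE_CONFIG, 102)
```

The two access-list 102 statements are the "Connecting to a server" and "Connection from server" commands. Evaluated with only the first one, the server's reply (source port 21) falls through to the implied deny, which is why the second statement, with eq placed after the source address, is needed; a UDP packet to port 21 from Bob is not stopped by the tcp deny line of ACL 101 and reaches the permit ip any any statement.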
52
Any Questions?
53
Advanced ACL management
  • Named ACLs and ACL sequence numbers
  • No new filtering features
  • Management simplified

Pg 253
54
Named ACLs
  • New in 11.2
  • Use names instead of numbers
  • Easier for us to remember
  • Allow deletion of a single line if there is a
    mistake
  • With traditional ACL config, you have to start
    over
  • Single-line deletion is also possible on numbered ACLs since IOS 12.3

Pg 253
55
Configuration Changes
  • Global command enters a sub-command structure
  • Router(config)# ip access-list extended barney
  • Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
  • When a match statement is deleted, only that line
    is deleted

Pg 254
56
Configuration
  • Enter configuration commands, one per line. End with Ctrl-Z.
  • Router(config)# ip access-list extended barney
  • Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
  • Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
  • Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
  • ! The next statement is purposefully wrong so that the process of changing
  • ! the list can be seen.
  • Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
  • Router(config-ext-nacl)# deny ip host 10.1.1.130 host 10.1.3.2
  • Router(config-ext-nacl)# deny ip host 10.1.1.28 host 10.1.3.2
  • Router(config-ext-nacl)# permit ip any any
  • Router(config-ext-nacl)# interface serial1
  • Router(config-if)# ip access-group barney out
  • Router(config-if)# ^Z
  • Router# show running-config
  • Building configuration...

Pg 254
57
Named ACL in Running config
  • interface serial 1
  • ip access-group barney out
  • !
  • ip access-list extended barney
  • permit tcp host 10.1.1.2 eq www any
  • deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
  • deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
  • deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
  • deny ip host 10.1.1.130 host 10.1.3.2
  • deny ip host 10.1.1.28 host 10.1.3.2
  • permit ip any any
  • Router# conf t

Pg 254
58
Removing a statement
  • Router(config)# ip access-list extended barney
  • Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
  • Router(config-ext-nacl)# ^Z
  • Router# show access-list
  • Extended IP access list barney
  • 10 permit tcp host 10.1.1.2 eq www any
  • 20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
  • 30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
  • 50 deny ip host 10.1.1.130 host 10.1.3.2
  • 60 deny ip host 10.1.1.28 host 10.1.3.2
  • 70 permit ip any any

Pg 254
59
ACLs and Sequence Numbers
  • An individual ACL permit or deny statement can be
    deleted just by referencing the sequence number,
    without deleting the rest of the ACL.
  • Newly added permit and deny commands can be
    configured with a sequence number, dictating the
    location of the statement within the ACL.
  • Newly added permit and deny commands can be
    configured without a sequence number, with IOS
    creating a sequence number and placing the
    command at the end of the ACL.

Pg 256
60
ACL Sequence Number example
  • ! Step 1: The 3-line standard numbered IP ACL is configured.
  • R1# configure terminal
  • Enter configuration commands, one per line. End with Ctrl-Z.
  • R1(config)# ip access-list standard 24
  • R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
  • R1(config-std-nacl)# permit 10.1.2.0 0.0.0.255
  • R1(config-std-nacl)# permit 10.1.3.0 0.0.0.255
  • ! Step 2: Displaying the ACL's contents, without leaving configuration mode.
  • R1(config-std-nacl)# do show ip access-list 24
  • Standard IP access list 24
  • 10 permit 10.1.1.0, wildcard bits 0.0.0.255
  • 20 permit 10.1.2.0, wildcard bits 0.0.0.255
  • 30 permit 10.1.3.0, wildcard bits 0.0.0.255

Pg 257
61
Sequenced ACL management
  • ! Step 3: Still in ACL 24 configuration mode, the line with sequence number 20 is deleted.
  • R1(config-std-nacl)# no 20
  • ! Step 4: Displaying the ACL's contents again, without leaving configuration mode.
  • ! Note that line number 20 is no longer listed.
  • R1(config-std-nacl)# do show ip access-list 24
  • Standard IP access list 24
  • 10 permit 10.1.1.0, wildcard bits 0.0.0.255
  • 30 permit 10.1.3.0, wildcard bits 0.0.0.255
  • ! Step 5: Inserting a new first line in the ACL.
  • R1(config-std-nacl)# 5 deny 10.1.1.1
  • ! Step 6: Displaying the ACL's contents one last time, with the new statement (sequence
  • ! number 5) listed first.
  • R1(config-std-nacl)# do show ip access-list 24
  • Standard IP access list 24
  • 5 deny 10.1.1.1
  • 10 permit 10.1.1.0, wildcard bits 0.0.0.255
  • 30 permit 10.1.3.0, wildcard bits 0.0.0.255

Pg 257
62
Misc ACL Topics
  • Control Telnet and SSH access to the router with an ACL
  • Assign the ACL to the vty lines:
  • line vty 0 4
  • login
  • password cisco
  • access-class 3 in
  • !
  • ! Next command is a global command
  • access-list 3 permit 10.1.1.0 0.0.0.255

Pg 259
63
ACL considerations
  • Create your ACLs using a text editor outside the
    router, and copy and paste the configurations
    into the router. (Even with the ability to delete
    and insert lines into an ACL, creating the
    commands in an editor will still likely be an
    easier process.)
  • Place extended ACLs as close as possible to the
    source of the packet to discard the packets
    quickly.
  • Place standard ACLs as close as possible to the packet's destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
  • Place more-specific statements early in the ACL.
  • Disable an ACL from its interface (using the no
    ip access-group command) before making changes to
    the ACL.

Pg 260
64
Any Questions?
65
Reflexive ACLS
  • Allow an ACL to add statements when a
    communication session is started

Pg 263
66
Dynamic ACLS
  • Force authentication and then dynamically change the ACL
  • Step 1 The user connects to the router using
    Telnet.
  • Step 2 The user supplies a username/password,
    which the router compares to a list,
    authenticating the user.
  • Step 3 After authentication, the router
    dynamically adds an entry to the beginning of the
    ACL, permitting traffic sourced by the
    authenticated host.
  • Step 4 Packets sent by the permitted host go
    through the router to the server.

Pg 264
67
Time Based
  • ACL only works during certain times of day

Pg 264
68
Any Questions?