Today I will tell you how to filter traffic on the network using access control lists. We will look at what they are, what they are for and how they work. Then I will show how they are configured in Cisco IOS and post an archive of lab exercises so you can consolidate your knowledge.
Introduction
ACL (Access Control List) is a set of text expressions that permit or deny something. Typically an ACL permits or denies IP packets, but it can also look inside the IP packet at the protocol type and the TCP and UDP ports. ACLs also exist for other network protocols (IP, IPX, AppleTalk and so on). Access lists are mostly considered from the point of view of packet filtering, which is needed when you have a device on the border between the Internet and your private network and need to filter out unwanted traffic.
You place an ACL in the inbound direction and block the unwanted traffic.
Theory
The function of an ACL is to classify traffic: the traffic is checked first, and then something is done with it depending on where the ACL is applied. ACLs are used everywhere, for example:
- On the interface: packet filtering
- On the telnet line: access restrictions to the router
- VPN: what traffic should be encrypted
- QoS: which traffic should be prioritized
- NAT: which addresses to translate
To use ACLs with all of these components you need to understand how they work, and we will start with packet filtering. For packet filtering, ACLs are placed on interfaces: the list itself is created separately, and only then is it attached to an interface. As soon as it is attached, the router begins to examine traffic. The router treats traffic as inbound or outbound: traffic entering the router is inbound, traffic leaving it is outbound. Accordingly, an ACL is placed in the inbound or the outbound direction.

A packet from your private network arrives at the router's fa0/1 interface. The router checks whether an ACL is attached to that interface; if there is one, the packet is processed according to the rules of the access list, strictly in the order in which the entries are written. If the access list permits the packet, the router forwards it to the provider via the fa0/0 interface; if the access list does not permit the packet, it is dropped. If there is no access list, the packet passes through without any restriction. Before sending the packet to the provider, the router also checks the fa0/0 interface for an outbound ACL. The point is that an ACL can be attached to an interface as inbound or as outbound. For example, suppose we have an ACL whose rule is to prevent all hosts on the Internet from sending packets into our network.
Which interface should this ACL be attached to? If we attach it to fa0/1 as outbound, that is not entirely right, although the ACL will work: the router receives an echo request for some host in the private network, checks whether fa0/0 has an ACL (it does not), then checks fa0/1, where an ACL is configured as outbound, and correctly drops the packet so that it does not get into the network. But if we attach the ACL to fa0/0 as inbound, the packet is dropped as soon as it arrives at the router. The second option is the correct one, since it places less load on the router's computing resources.
Extended ACLs should be placed as close as possible to the source, standard ones as close as possible to the destination. This is so that packets are not carried across the whole network in vain.
The ACL itself is a set of text expressions, each of which says permit or deny, and processing is carried out strictly in the order in which the expressions are listed. When a packet hits the interface, it is checked against the first condition; if the first condition matches the packet, its further processing stops and the packet is either forwarded or dropped.
Once again: if the packet matches a condition, it is not processed further. If the first condition does not match, the second condition is checked; if it matches, processing stops; if not, the third condition is checked, and so on until all conditions have been checked. If none of the conditions match, the packet is simply dropped. Remember that at the end of every list there is an implicit deny any (deny all traffic). Be very careful with the rules I have outlined, because configuration errors often happen here.
ACLs are divided into two types:
- Standard: can check only source addresses
- Extended: can check source addresses as well as destination addresses, and in the case of IP also the protocol type and TCP/UDP ports
Access lists are designated either by numbers or by names. ACLs also exist for different network protocols; we, for our part, will work with IP. Numbered IP access lists are designated as follows:
- Standard: 1 to 99
- Extended: 100 to 199
Named ACLs are also divided into standard and extended. Extended ACLs can check much more than standard ones, but they also work more slowly, since the router has to look inside the packet, whereas a standard ACL looks only at the Source Address field. When an ACL is created, each entry in it is assigned a sequence number, by default in steps of ten (10, 20, 30, and so on). Thanks to this you can delete a specific entry and insert another one in its place, but this feature appeared in Cisco IOS 12.3; before 12.3 you had to delete the whole ACL and then re-create it from scratch.
You cannot place more than one access list per interface, per protocol, per direction. In other words, if a router has an interface, we can place only one access list on it in the inbound direction for the IP protocol, for example number 10. Another rule concerning the routers themselves: an ACL does not affect traffic generated by the router itself.
Wildcard masks are used to filter addresses in ACLs. A wildcard mask is an inverted mask: take the template 255.255.255.255 and subtract the usual subnet mask from it.
255.255.255.255 - 255.255.255.0 = 0.0.0.255, so the wildcard mask that corresponds to the usual mask 255.255.255.0 is 0.0.0.255.
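The processing rules above (strict top-down order, first match wins, implicit deny any at the end) and the wildcard-mask arithmetic are easy to get wrong by hand, so here is a small simulator of them. This is an added example written for this page, not code from the original article or from Cisco: it parses the numbered-ACL syntax used on this page (standard entries with a source only, extended entries with protocol, source, destination and a port operator), matches addresses with wildcard masks, and keeps a per-entry match counter like the one shown by show access-lists. The addresses and entries in the main block are constructed for illustration.

```python
# Added example (not from the original article): a simulator of Cisco-style ACL
# processing - wildcard-mask matching, strict top-down evaluation with first
# match wins, and the implicit "deny any" at the end of every list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is a don't-care


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    protocol: str = "ip"           # "ip" matches every protocol
    src: Tuple[str, str] = ANY     # (address, wildcard)
    dst: Tuple[str, str] = ANY
    port_op: Optional[str] = None  # eq | gt | lt | neq | range, applied to the destination port
    ports: Tuple[int, ...] = ()
    matches: int = 0               # the counter shown as "(N match(es))" by show access-lists


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int = 0


def _take_addr(tokens: List[str], wildcard_required: bool) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (a bare A.B.C.D in a standard ACL = host)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if wildcard_required or (tokens and tokens[0][0].isdigit()):
        return t, tokens.pop(0)
    return t, "0.0.0.0"


def parse_entry(line: str) -> Entry:
    """Parse the body of an access-list line, e.g. 'permit tcp any host 10.2.2.2 eq 23'."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if tokens[0] in PROTOCOLS:                         # extended syntax
        protocol = tokens.pop(0)
        src = _take_addr(tokens, wildcard_required=True)
        dst = _take_addr(tokens, wildcard_required=True)
        op, ports = None, ()
        if tokens:
            op = tokens.pop(0)
            ports = tuple(int(p) for p in tokens[: 2 if op == "range" else 1])
        return Entry(action, protocol, src, dst, op, ports)
    src = _take_addr(tokens, wildcard_required=False)  # standard syntax: source only
    return Entry(action, "ip", src)


def port_matches(op: str, ports: Tuple[int, ...], port: int) -> bool:
    if op == "eq":
        return port == ports[0]
    if op == "neq":
        return port != ports[0]
    if op == "gt":
        return port > ports[0]
    if op == "lt":
        return port < ports[0]
    if op == "range":
        return ports[0] <= port <= ports[1]
    raise ValueError(f"unknown operator {op!r}")


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny any."""
    for entry in acl:
        if entry.protocol != "ip" and entry.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, *entry.src):
            continue
        if not wildcard_match(pkt.dst, *entry.dst):
            continue
        if entry.port_op and not port_matches(entry.port_op, entry.ports, pkt.dst_port):
            continue
        entry.matches += 1
        return entry.action
    return "deny"  # implicit deny any at the end of every list


if __name__ == "__main__":
    # Constructed sample list: only one subnet may Telnet to 10.2.2.2, the rest of 192.168/16 may do anything else.
    acl = [parse_entry(line) for line in (
        "permit tcp 192.168.10.0 0.0.0.255 host 10.2.2.2 eq 23",
        "deny tcp any host 10.2.2.2 eq 23",
        "permit ip 192.168.0.0 0.0.255.255 any",
    )]
    print(evaluate(acl, Packet("tcp", "192.168.10.5", "10.2.2.2", 23)))  # permit
    print(evaluate(acl, Packet("tcp", "172.16.1.1", "10.2.2.2", 23)))    # deny
    print(evaluate(acl, Packet("tcp", "10.9.9.9", "10.0.0.5", 80)))      # deny
```

Note that the last packet in the sample matches no entry at all and is dropped only by the implicit deny, which is the case that most often surprises people when an ACL "eats" traffic it was never explicitly written to block.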
ACL Types
Dynamic (Dynamic ACL)
A dynamic ACL lets you do the following: for example, you have a router connected to a server, and you need to close access to the server from the outside world while still letting a few specific people connect to it.
We set up a dynamic access list and attach it in the inbound direction. People who need to connect first log in to the router via Telnet; as a result, the dynamic ACL opens a path to the server and the person can reach it, say, via HTTP. By default this pass closes after 10 minutes, and the user has to Telnet to the device again in order to reconnect.
Reflexive (Reflexive ACL)
Here the situation is slightly different: when a host on the local network sends a TCP request to the Internet, there must be an open passage for the TCP reply to come back so that the connection can be established. Without such a passage no connection can be set up, but an always-open passage is one that intruders can use, for example, to penetrate the network. Reflexive ACLs work like this: deny any blocks everything from outside, but a second, special ACL is built from the parameters of the sessions generated from the local network, and for those sessions a passage is opened through the deny any. The result is that connections cannot be initiated from the Internet, while sessions generated from the local network receive their replies.
Time Limit (Time-based ACL)
A regular ACL, but with a time limit: you can define a schedule that activates a particular access list entry. To pull off this trick we write, for example, an access list that denies HTTP access during the working day and attach it to the router interface: the company's employees arrive at work and HTTP access closes; the working day ends and HTTP access opens again, so please, if you like, surf the Internet.
Customization
ACLs are created separately: an ACL is just a list created in the global configuration, which is then assigned to an interface, and only then does it start working. Keep the following points in mind in order to configure access lists properly:
- Processing is carried out strictly in the order in which the conditions are written
- If the packet matches a condition, it is not processed further
- At the end of each access list is an implicit deny any (deny all)
- Extended ACLs should be placed as close as possible to the source, standard ones as close as possible to the receiver.
- You cannot place more than 1 access list per interface, per protocol, per direction
- ACL does not affect traffic generated by the router itself.
- Use wildcard masks to filter addresses.
Standard access list
Router(config)# access-list <1-99> {permit | deny | remark} {address | any | host} [source-wildcard] [log]
- permit: permit
- deny: deny
- remark: a comment in the access list
- address: the network to permit or deny
- any: permit or deny everything
- host: permit or deny a single host
- source-wildcard: wildcard network mask
- log: enable logging packets passing through this ACL entry
Extended Access List
Router(config)# access-list <100-199> {permit | deny | remark} protocol source [source-wildcard] destination [destination-wildcard] [operator port] [established]
- protocol: which protocol we permit or deny (ICMP, TCP, UDP, IP, OSPF, etc.)
- source, destination: the source and destination addresses; each is given either as A.B.C.D with a wildcard mask, as host A.B.C.D (a single host) or as any (any host)
- operator (TCP and UDP only):
eq - only packets to this port
gt - only packets with a higher port number
lt - only packets with a lower port number
neq - only packets not to this port
range - a range of ports
- port: port number (TCP or UDP); a name can be given instead of the number
- established: permit TCP segments that belong to an existing TCP session
Attaching to an interface
Router(config-if)# ip access-group <ACL> {in | out}
- in: inbound direction
- out: outbound direction
Named Access Lists
Router(config)# ip access-list {standard | extended} {<number> | <name>}
Router(config-ext-nacl)# {default | deny | exit | no | permit | remark}
- standard: standard ACL
- extended: extended ACL
- default: reset a command to its default
Restricting access to the router
R(config)# line vty 0 4
- switch to virtual terminal line configuration mode.
R(config-line)# password <>
R(config-line)# login
R(config-line)# access-class 21 in
- configure the login and password, and attach access list 21, which contains the permitted IP addresses, to the line.
Dynamic Access Lists

R3(config)# username Student password 0 cisco
- create a user for the Telnet login.
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
- allow all hosts to connect to the server via Telnet; the dynamic entry testlist (absolute timeout 15 minutes) is the one that will be opened after authentication.
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 101 in
- attach ACL 101 to the interface in the inbound direction.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5
- as soon as the user authenticates, network 192.168.30.0 becomes reachable; after 5 minutes of inactivity the session is closed.
Reflective Access Lists

R2(config)# ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)# permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC
- make the router track traffic initiated from inside.
R2(config)# ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)# evaluate TCPTRAFFIC
R2(config-ext-nacl)# evaluate ICMPTRAFFIC
- create an inbound policy that makes the router check whether inbound traffic belongs to a session initiated from inside, linking TCPTRAFFIC and ICMPTRAFFIC to INBOUNDFILTERS.
R2(config)# interface serial 0/1/0
R2(config-if)# ip access-group INBOUNDFILTERS in
R2(config-if)# ip access-group OUTBOUNDFILTERS out
- apply the inbound and outbound ACLs to the interface.
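To make the reflect / evaluate pair concrete, here is a minimal model of what the router does with the OUTBOUNDFILTERS and INBOUNDFILTERS lists above. This is an added example for this page, not code from the article or from Cisco IOS: an outbound packet from the inside creates a temporary entry that is the mirror image of the session (addresses and ports swapped); an inbound packet is permitted only if it matches one of those entries, otherwise it falls to the implicit deny. The inactivity timeout that ages entries out, its refresh on each matching packet, the 300-second default and the "inside" test on the 192.168. prefix are modelling assumptions made here; the addresses and timestamps are constructed.

```python
# Added example (not from the original article): a model of a reflexive ACL.
# "permit ... reflect NAME" on the outbound list records the mirror image of
# each session started from inside; "evaluate NAME" on the inbound list admits
# only packets matching one of those temporary entries. Everything else is
# dropped by the implicit deny. Timeout behaviour is an assumption of this model.
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int

    def mirrored(self) -> "Flow":
        """The return traffic the reflexive entry must permit: addresses and ports swapped."""
        return Flow(self.protocol, self.dst, self.dst_port, self.src, self.src_port)


@dataclass
class ReflexiveAcl:
    inside_prefix: str = "192.168."   # stands in for '192.168.0.0 0.0.255.255' in OUTBOUNDFILTERS
    timeout: int = 300                # assumed inactivity timeout, in seconds
    reflected: Dict[Flow, int] = field(default_factory=dict)   # expected return flow -> expiry time

    def outbound(self, flow: Flow, now: int) -> str:
        """OUTBOUNDFILTERS: permit tcp/icmp from inside to any, and reflect the session."""
        if flow.protocol in ("tcp", "icmp") and flow.src.startswith(self.inside_prefix):
            self.reflected[flow.mirrored()] = now + self.timeout
            return "permit"
        return "deny"                      # implicit deny at the end of OUTBOUNDFILTERS

    def inbound(self, flow: Flow, now: int) -> str:
        """INBOUNDFILTERS: evaluate TCPTRAFFIC / ICMPTRAFFIC, then the implicit deny."""
        expiry = self.reflected.get(flow)
        if expiry is None:
            return "deny"                  # nobody inside started this session
        if now >= expiry:
            del self.reflected[flow]       # the entry has aged out
            return "deny"
        self.reflected[flow] = now + self.timeout   # activity keeps the entry alive
        return "permit"


if __name__ == "__main__":
    r = ReflexiveAcl()
    # Constructed sample: an inside client opens an HTTPS session, and the reply comes back.
    r.outbound(Flow("tcp", "192.168.1.10", 40000, "203.0.113.5", 443), now=0)
    print(r.inbound(Flow("tcp", "203.0.113.5", 443, "192.168.1.10", 40000), now=10))   # permit
    print(r.inbound(Flow("tcp", "198.51.100.9", 1234, "192.168.1.10", 80), now=10))    # deny
```

The point the model makes visible is that the inbound list never contains a static hole: the only thing that opens it is a session the inside already started, and that opening disappears again once the session goes quiet.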
Time limit

R1(config)# time-range EVERYOTHERDAY
R1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
- create a time range listing the days of the week and the hours.
R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
- apply the time range to the ACL entry.
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 101 out
- attach the ACL to the interface.
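A checker for the periodic time-range syntax used above, added here as an example for this page rather than taken from the article or from Cisco IOS. parse_periodic() turns "periodic Monday Wednesday Friday 8:00 to 17:00" into a set of weekdays and a time window, and entry_action() tells whether an entry bound to that range is in force at a given moment or is skipped as if it were not in the list. It goes slightly beyond the page in also accepting the daily, weekdays and weekend keywords; treating the end time as inclusive is an assumption made here. The datetimes in the usage block are constructed.

```python
# Added example (not from the original article): evaluating an IOS-style
# "periodic" time range and deciding whether a time-bound ACL entry applies.
# Inclusive end time and the day-group keywords are assumptions of this model.
from datetime import datetime, time
from typing import Optional, Set, Tuple

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _hhmm(text: str) -> time:
    """'8:00' -> time(8, 0); IOS accepts single-digit hours, so do not use fromisoformat."""
    hours, minutes = (int(x) for x in text.split(":"))
    return time(hours, minutes)


def parse_periodic(spec: str) -> Tuple[Set[int], time, time]:
    """'periodic Monday Wednesday Friday 8:00 to 17:00' -> ({0, 2, 4}, 08:00, 17:00)."""
    tokens = spec.split()
    if tokens[0] != "periodic" or len(tokens) < 5 or tokens[-2] != "to":
        raise ValueError(f"not a periodic time-range line: {spec!r}")
    days: Set[int] = set()
    for word in tokens[1:-3]:
        word = word.lower()
        if word in DAY_GROUPS:
            days |= DAY_GROUPS[word]
        elif word in DAYS:
            days.add(DAYS[word])
        else:
            raise ValueError(f"unknown day {word!r}")
    return days, _hhmm(tokens[-3]), _hhmm(tokens[-1])


def is_active(spec: str, when: datetime) -> bool:
    """True when 'when' falls on a listed weekday and inside the window (end inclusive, assumed)."""
    days, start, end = parse_periodic(spec)
    return when.weekday() in days and start <= when.time() <= end


def entry_action(action: str, time_range: Optional[str], when: datetime) -> Optional[str]:
    """Return the entry's action if it is in force at 'when'; None means the entry is skipped,
    so the packet continues down the list and may end up on the implicit deny."""
    if time_range is None or is_active(time_range, when):
        return action
    return None


if __name__ == "__main__":
    SPEC = "periodic Monday Wednesday Friday 8:00 to 17:00"
    # Constructed sample moments: 2024-01-10 is a Wednesday, 2024-01-11 a Thursday.
    print(entry_action("permit", SPEC, datetime(2024, 1, 10, 10, 30)))  # permit
    print(entry_action("permit", SPEC, datetime(2024, 1, 11, 10, 30)))  # None
```

Applied to the configuration above, the permit tcp ... eq telnet entry returns "permit" only on Monday, Wednesday and Friday between 8:00 and 17:00; at any other time it is skipped, so Telnet from 192.168.10.0/24 reaches the implicit deny at the end of list 101.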
Troubleshooting
R# show access-lists {ACL number | name}
- show information about a specific access list.
R# show access-lists
- show all access lists on the router.
Example
Router# show access-lists
Extended IP access list nick
permit ip host 172.168.1.1 host 10.0.0.5
deny ip any any (16 match(es))
Standard IP access list nick5
permit 172.16.0.0 0.0.255.255
We see that we have two ACLs (one standard and one extended) called nick and nick5. The first list permits host 172.168.1.1 to reach host 10.0.0.5 over IP (which means all protocols running over IP are allowed). All other traffic is denied by the deny ip any any entry. Next to this condition in our example it says (16 match(es)): this shows that 16 packets have matched this condition.
The second ACL permits traffic from any source in the 172.16.0.0/16 network.
Practice
I have collected Packet Tracer labs from chapter 5 of the CCNA 4 ACL course. If you want to consolidate your knowledge in practice, here is the link, and a mirror on FTP. The size is 865.14 KB.
Literature
CCNA Exploration: Accessing the WAN (chapter 5)