Sunday, December 22, 2024

IP Access lists

markoer (http://www.linkedin.com/in/marcoermini)
Thirty-three years old, a computer technician, ten years a professional in the ICT world, holds various certifications - in the Cisco world he has been a CCNA since December. He works with Unix, Cisco and Oracle for one of the major telcos in Düsseldorf (Germany) as deployment leader and security manager. He is generally keen to share his knowledge and his view of the world with other technicians.

ACL (Access Control List) can be used for:

  • Packet security/filtering
  • Defining “interesting” traffic for dial on demand routing (DDR) – the dial line is only brought up when “interesting” traffic is seen
  • QoS – not in CCNA but in CCVP, CCIP and CCNP
  • NAT
  • Control routing advertisement, through filtering routing updates

Creation – types of ACLs

Standard IP ACLs

  • Only source IP address
  • Predefined ranges: 1-99, 1300-1999

rt# configure terminal
rt(config)# access-list acl# permit|deny {host address | address wildcard | any}

rt(config)# access-list 10 deny 172.16.0.15
rt(config)# access-list 10 permit any

rt(config)# access-list 20 deny 10.0.0.55 0.0.0.0
rt(config)# access-list 20 permit 10.0.0.0 0.255.255.255

Extended IP ACLs

  • Filtering possible based on source host, destination host, protocol, source port, destination port, and ICMP message type when the protocol is ICMP
  • Predefined ranges: 100-199, 2000-2699
rt# configure terminal
rt(config)# access-list acl# permit|deny {ip|tcp|udp|icmp} {host source | source wildcard | any} {host destination | destination wildcard | any} [eq|gt|lt|range port] [icmp-type]
  • The following are equivalent (specify host, or the address with an all-zero wildcard):
rt(config)# access-list 100 deny tcp host 172.16.0.15 host 172.16.0.1
rt(config)# access-list 100 deny tcp 172.16.0.15 0.0.0.0 host 172.16.0.1
  • Forbids 172.16.0.1 to telnet to any host in the network 172.17.0.0/16 (the protocol must be tcp for a port to be specified, and the list number must fall in an extended range):
rt(config)# access-list 101 deny tcp host 172.16.0.1 172.17.0.0 0.0.255.255 eq 23

Named ACLs

  • Using names instead of numbers – more clarity
rt(config)# ip access-list extended magnolia
rt(config-ext-nacl)# deny tcp host 172.16.0.15 host 172.16.0.1
rt(config-ext-nacl)# permit ip any any

Apply ACLs on interfaces or lines

In case of interfaces:

router(config)# ip access-group acl# [in|out]

Examples:

router(config)# interface e1
router(config-if)# ip access-group 1		(apply ACL; with no direction given, IOS applies it outbound)
router(config-if)# ip access-group 1 out
router(config-if)# no ip access-group 1		(remove ACL)
router(config-if)# ip access-group magnolia in	(named ACL)

In the case of terminal lines (vty):

router(config)# access-class acl# [in|out]

On lines, ACLs should always be applied inbound, or unexpected behaviour results.

Examples:

router(config)# line vty 0 4
router(config-line)# access-class 1 in		(apply ACL to the vty lines)

Wildcard masks

  • They define which bits of an address need to be looked at in order for there to be a match (a 0 bit must match, a 1 bit is ignored).
  • Not a netmask.
rt(config)# access-list 3 deny 10.0.0.55 0.0.0.0	(match the host exactly)
rt(config)# access-list 3 deny 10.0.0.0 0.255.255.255	(match the whole 10.0.0.0/8 network)

Rule of thumb in creating/applying ACLs

  • Standard ACLs must be placed as close as possible to the destination (since we can only specify the source)
  • Extended ACLs should be placed as close as possible to the source
  • Use a text editor: prepare the whole list offline and paste it in, since numbered ACLs cannot be edited in place
  • Only named ACLs allow removal of a specific statement

Troubleshoot

  • show ip interface – tells whether an ACL is applied to that interface, and in which direction (in/out)
  • show access-lists – shows all ACLs configured on the router
  • show ip access-lists – shows only the IP ACLs on the router
  • show access-list – like above
  • With ACLs order is important – the router processes the entries top-down and the first matching entry decides
  • Always check the end of the list for a permit any: every ACL ends with an implicit deny all, so anything not explicitly permitted is dropped.
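Added example, not part of the original notes: a small Python model of how a standard IP ACL is evaluated, covering the wildcard-mask rule above (0 bit must match, 1 bit ignored), the top-down first-match order, and the implicit deny all. The configuration it parses is constructed for this example; ACL 30 deliberately puts the host deny after a broader permit so the deny is never reached.

```python
import ipaddress

# Constructed sample configuration (not taken from a real router).
SAMPLE_CONFIG = """
access-list 10 deny 172.16.0.15
access-list 10 permit any
access-list 20 deny 10.0.0.55 0.0.0.0
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 permit 10.0.0.0 0.255.255.255
access-list 30 deny 10.0.0.55 0.0.0.0
"""

def wildcard_match(addr, ref, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)

def parse_standard_acls(config):
    """Parse 'access-list N permit|deny <source> [wildcard]' lines into per-ACL entry lists."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, src = parts[1], parts[2], parts[3]
        if src == "any":
            ref, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            ref, wc = parts[4], "0.0.0.0"
        else:
            # Standard ACL: a source with no wildcard means an exact host match (0.0.0.0)
            ref, wc = src, (parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append((action, ref, wc))
    return acls

def evaluate(entries, src_addr):
    """Walk the list top-down; the first match wins; no match hits the implicit deny all."""
    for action, ref, wc in entries:
        if wildcard_match(src_addr, ref, wc):
            return action
    return "deny"

ACLS = parse_standard_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    for number, addr in [("10", "172.16.0.15"), ("20", "192.168.1.1"), ("30", "10.0.0.55")]:
        print(f"ACL {number}, source {addr}: {evaluate(ACLS[number], addr)}")
```

Note that wildcard_match("172.99.1.1", "172.16.0.15", "0.255.255.255") is true: that wildcard matches the whole 172.0.0.0/8, which is why only an all-zero wildcard is equivalent to the host keyword.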
