Lecture 03: ACL & Network Management
HKUSPACE CCIT ENA
Syllabus inspired by Cisco Networking Academy CCNA v7.0 (ENSA)
Module Objectives
Topic Title – Topic Objective
Purpose of ACLs – Explain how ACLs filter traffic.
Wildcard Masks in ACLs – Explain how ACLs use wildcard masks.
Guidelines for ACL Creation – Explain how to create ACLs.
Types of IPv4 ACLs – Compare standard and extended IPv4 ACLs.
Configure Standard IPv4 ACLs – Configure standard IPv4 ACLs to filter traffic to meet networking requirements.
Modify IPv4 ACLs – Use sequence numbers to edit existing standard IPv4 ACLs.
Secure VTY Ports with a Standard IPv4 ACL – Configure a standard ACL to secure VTY access.
Configure Extended IPv4 ACLs – Configure extended IPv4 ACLs to filter traffic according to networking requirements.
Device Discovery with CDP – Use CDP to map a network topology.
Device Discovery with LLDP – Use LLDP to map a network topology.
NTP – Implement NTP between an NTP client and NTP server.
SNMP – Explain how SNMP operates.
Syslog – Explain syslog operation.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. By default, a router does not have any ACLs configured. When an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs).
Note: ACEs are also commonly called ACL statements.
• When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering.
Purpose of ACLs
What is an ACL? (Cont.)
Several tasks performed by routers require the use of ACLs to identify traffic:
• Limit network traffic to increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Filter traffic based on traffic type
• Screen hosts to permit or deny access to network services
• Provide priority to certain classes of network traffic
Purpose of ACLs
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria.
Packet filtering can occur at Layer 3 or Layer 4.
Cisco routers support two types of ACLs:
Standard ACLs – filter at Layer 3 only, using the source IPv4 address alone.
Extended ACLs – filter at Layer 3 using the source and/or destination IPv4 address. They can also filter at Layer 4 using TCP and UDP port numbers and optional protocol type information for finer control.
Purpose of ACLs
ACL Operation
• ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic.
Note: ACLs do not act on packets that originate from the router itself.
• An inbound ACL filters packets before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
• An outbound ACL filters packets after being routed, regardless of the inbound interface.
Purpose of ACLs
ACL Operation (Cont.)
When an ACL is applied to an interface, it follows a specific operating procedure. Here are the operational steps used when traffic has entered a router interface with an inbound standard IPv4 ACL configured:
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a
sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs.
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. It is hidden and not displayed in the configuration.
Note: An ACL must have at least one permit statement otherwise all traffic will be denied due to the implicit deny ACE statement.
Wildcard Masks in ACLs
Wildcard Mask Overview
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. The meaning of the bits is reversed, however: in a subnet mask a binary 1 marks a bit that must match and a binary 0 a bit that does not, while in a wildcard mask a binary 0 marks a bit that must match and a binary 1 a bit to ignore.
An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match.
Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0 – Match the corresponding bit value in the address
• Wildcard mask bit 1 – Ignore the corresponding bit value in the address
Wildcard Masks in ACLs
Wildcard Mask Overview (Cont.)
Wildcard Mask – Last Octet (in Binary) – Meaning (0 – match, 1 – ignore)
0.0.0.0 – 00000000 – Match all octets.
0.0.0.63 – 00111111 – Match the first three octets; match the two leftmost bits of the last octet; ignore the last 6 bits.
0.0.0.15 – 00001111 – Match the first three octets; match the four leftmost bits of the last octet; ignore the last 4 bits of the last octet.
0.0.0.252 – 11111100 – Match the first three octets; ignore the six leftmost bits of the last octet; match the last two bits.
0.0.0.255 – 11111111 – Match the first three octets; ignore the last octet.
Wildcard Masks in ACLs
Wildcard Mask Types
Wildcard to Match a Host:
• Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.
IPv4 address: 192.168.1.1 = 11000000.10101000.00000001.00000001
Wildcard mask: 0.0.0.0 = 00000000.00000000.00000000.00000000
Permitted IPv4 address: 192.168.1.1 = 11000000.10101000.00000001.00000001
Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Subnet
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly and that the fourth octet is ignored.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255.
IPv4 address: 192.168.1.1 = 11000000.10101000.00000001.00000001
Wildcard mask: 0.0.0.255 = 00000000.00000000.00000000.11111111
Permitted IPv4 addresses: 192.168.1.0/24 = 11000000.10101000.00000001.00000000 (last octet ignored)
Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Address Range
• ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks.
• When processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255.
IPv4 address: 192.168.16.0 = 11000000.10101000.00010000.00000000
Wildcard mask: 0.0.15.255 = 00000000.00000000.00001111.11111111
Permitted IPv4 addresses: 192.168.16.0/24 to 192.168.31.0/24 = 11000000.10101000.00010000.00000000 through 11000000.10101000.00011111.00000000
Wildcard Masks in ACLs
Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255. Some examples:
• Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (255.255.255.0) from 255.255.255.255. This produces the wildcard mask 0.0.0.255. The ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.
• Assume you wanted an ACE in ACL 10 to permit network access for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet mask (i.e., 255.255.255.240) from 255.255.255.255. This produces the wildcard mask 0.0.0.15. The ACE would be access-list 10 permit 192.168.3.32 0.0.0.15.
• Assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and 192.168.11.0. These two networks can be summarized as 192.168.10.0/23, which has a subnet mask of 255.255.254.0. Subtract 255.255.254.0 from 255.255.255.255. This produces the wildcard mask 0.0.1.255. The ACE would be access-list 10 permit 192.168.10.0 0.0.1.255.
Note: The shortcut assumes a contiguous subnet mask. A wildcard mask itself does not have to be contiguous; IOS accepts any 32-bit pattern, so always check which addresses a mask actually covers.
Wildcard Masks in ACLs
Wildcard Mask Keywords
The Cisco IOS provides two keywords to identify the most common uses of wildcard masking. The two keywords are:
• host – This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
• any – This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
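The wildcard arithmetic from this section, worked through in Python as an added example (this is not code from the slides or from Cisco IOS): the subtraction shortcut, the expansion of the host and any keywords, and the bitwise test an ACE applies to a packet's source address. The function names are my own; the addresses come from the examples above.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to


def wildcard_from_mask(subnet_mask: str) -> str:
    """The shortcut from the text: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network, e.g. 28 -> 0.0.0.15."""
    netmask = ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def parse_source(source: str) -> tuple[str, str]:
    """Expand the source field of a standard ACE into (address, wildcard).

    Accepts the four forms IOS accepts: "any", "host A.B.C.D",
    "A.B.C.D W.X.Y.Z", and a bare "A.B.C.D" (wildcard defaults to 0.0.0.0).
    """
    tokens = source.split()
    if tokens == ["any"]:
        return ANY
    if tokens[0] == "host" and len(tokens) == 2:
        return tokens[1], "0.0.0.0"
    if len(tokens) == 1:
        return tokens[0], "0.0.0.0"
    if len(tokens) == 2:
        return tokens[0], tokens[1]
    raise ValueError(f"cannot parse source field: {source!r}")


def ace_matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Apply the wildcard rule: bit 0 = must match, bit 1 = ignore.

    XOR marks every bit that differs between the packet address and the ACE
    address; the match succeeds only if none of those bits sits under a 0 in
    the wildcard mask.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(ace_address))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def addresses_covered(wildcard: str) -> int:
    """How many addresses an ACE covers: one per combination of the ignored bits."""
    ignored_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return 1 << ignored_bits


def matching_addresses(ace_address: str, wildcard: str, candidates: list[str]) -> list[str]:
    """Filter a list of candidate source addresses through one ACE's address/wildcard pair."""
    return [c for c in candidates if ace_matches(c, ace_address, wildcard)]
```

Two checks worth running: addresses_covered("0.0.0.15") returns 16, so the "14 users" ACE above also matches the network and broadcast addresses of the /28; and ace_matches("192.168.10.7", "192.168.0.0", "0.0.254.255") is true while 192.168.11.7 is not, because a non-contiguous wildcard such as 0.0.254.255 matches every even-numbered third octet, something the subtraction shortcut can never produce.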
Guidelines for ACL Creation
Limited Number of ACLs per Interface
There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure.
Specifically, a router interface can have:
• One outbound IPv4 ACL.
• One inbound IPv4 ACL.
• One inbound IPv6 ACL.
• One outbound IPv6 ACL.
Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization.
Guidelines for ACL Creation
ACL Best Practices
Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL.
• Base ACLs on the organizational security policies. This will ensure you implement organizational security guidelines.
• Write out what you want the ACL to do. This will help you avoid inadvertently creating potential access problems.
• Use a text editor to create, edit, and save all of your ACLs. This will help you create a library of reusable ACLs.
• Document the ACLs using the remark command. This will help you (and others) understand the purpose of an ACE.
• Test the ACLs on a development network before implementing them on a production network. This will help you avoid costly errors.
Types of IPv4 ACLs
Standard and Extended ACLs
There are two types of IPv4 ACLs:
• Standard ACLs – These permit or deny packets based only on the source IPv4 address.
• Extended ACLs – These permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports and more.
Types of IPv4 ACLs
Numbered and Named ACLs
Numbered ACLs
• ACLs numbered 1-99 or 1300-1999 are standard ACLs, while ACLs numbered 100-199 or 2000-2699 are extended ACLs.
R1(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  rate-limit        Simple rate-limit specific access list
  template          Enable IP template acls
Router(config)# access-list
Types of IPv4 ACLs
Numbered and Named ACLs (Cont.)
Named ACLs
• Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. For example, naming an extended ACL FTP-FILTER is far better than having a numbered ACL 100.
• The ip access-list global configuration command is used to create a named ACL, as shown in the following example.
R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#
Types of IPv4 ACLs
Where to Place ACLs
• Every ACL should be placed where it has the greatest impact on efficiency.
• Extended ACLs should be located as close as possible to the source of the traffic to be filtered. Because they can match source, destination, protocol, and port, they can drop exactly the unwanted traffic before it crosses the network.
• Standard ACLs should be located as close to the destination as possible. Because they match only the source address, a standard ACL placed near the source would also block that source's traffic to every other destination.
Types of IPv4 ACLs
Where to Place ACLs (Cont.)
Factors Influencing ACL Placement
• The extent of organizational control – Placement of the ACL can depend on whether or not the organization has control of both the source and destination networks.
• Bandwidth of the networks involved – It may be desirable to filter unwanted traffic at the source to prevent transmission of bandwidth-consuming traffic.
• Ease of configuration – It may be easier to implement an ACL at the destination, but traffic will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This would save bandwidth by filtering the traffic at the source, but it would require creating extended ACLs on multiple routers.
Configure Standard IPv4 ACLs
Create an ACL
All access control lists (ACLs) must be planned. When configuring a complex ACL, it is suggested that you:
• Use a text editor and write out the specifics of the policy to be implemented.
• Add the IOS configuration commands to accomplish those tasks.
• Include remarks to document the ACL.
• Copy and paste the commands onto the device.
• Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the access-list global configuration command:
access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Parameter – Description
access-list-number – Number range is 1 to 99 or 1300 to 1999
deny – Denies access if the condition is matched
permit – Permits access if the condition is matched
remark text – (Optional) text entry for documentation purposes
source – Identifies the source network or host address to filter
source-wildcard – (Optional) 32-bit wildcard mask that is applied to the source; if omitted, 0.0.0.0 is assumed and only the single source address matches
log – (Optional) Generates and sends an informational message when the ACE is matched
Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.
Configure Standard IPv4 ACLs
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the ip access-list standard access-list-name global configuration command. It enters standard named ACL configuration mode (prompt R1(config-std-nacl)#), where the permit and deny ACEs are entered without the access-list keyword.
• ACL names are alphanumeric, case sensitive, and must be unique.
• Capitalizing ACL names is not required but makes them stand out when viewing the running-config output.
Configure Standard IPv4 ACLs
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
• The ip access-group {access-list-number | access-list-name} {in | out} interface configuration command binds a numbered or named standard IPv4 ACL to an interface in one direction. Only one IPv4 ACL can be applied per interface per direction.
• To remove an ACL from an interface, first enter the no ip access-group interface configuration command (with the same direction), and only then delete the ACL itself. If the ACL is deleted while still applied, the interface keeps the ip access-group reference to a list that no longer exists, and IOS passes all traffic on that interface until a list with that number or name is recreated.
Modify IPv4 ACLs
ACL Statistics
The show access-lists command in the example shows statistics for each statement that has been matched.
• The deny ACE has been matched 20 times and the permit ACE has been matched 64 times.
• Note that the implied deny any statement does not display any statistics. To track how many packets the implicit deny drops, you must configure an explicit deny any ACE as the last statement of the ACL; its counter then records those matches.
• Use the clear access-list counters command to clear the ACL statistics.
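The first-match procedure from the ACL Operation section, the sequence-number editing this module covers, and the counter behaviour just described (the hidden deny is never counted until an explicit deny any is added) modelled in Python as an added example; this is not code from the slides or from IOS. The class names, the ACL name ADMIN-MGT and the sample addresses in the comments are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore (see the wildcard mask section)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, ace_address, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


@dataclass
class StandardAce:
    seq: int                     # sequence number used to order and edit ACEs
    action: str                  # "permit" or "deny"
    source: str                  # source IPv4 address of the ACE
    wildcard: str = "0.0.0.0"    # omitted wildcard = exact host, as in IOS
    matches: int = 0             # the counter reported by show access-lists


@dataclass
class StandardAcl:
    name: str
    aces: list = field(default_factory=list)
    implicit_denies: int = 0     # IOS keeps no counter for the hidden deny; tracked here to show what is lost

    def add(self, seq: int, action: str, source: str, wildcard: str = "0.0.0.0") -> None:
        """Insert an ACE by sequence number; lower numbers are evaluated first."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if any(ace.seq == seq for ace in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(StandardAce(seq, action, source, wildcard))
        self.aces.sort(key=lambda ace: ace.seq)

    def remove(self, seq: int) -> None:
        """Delete one ACE by sequence number (the 'no <seq>' form in named ACL mode)."""
        self.aces = [ace for ace in self.aces if ace.seq != seq]

    def evaluate(self, src_ip: str) -> tuple[str, Optional[int]]:
        """Top-down, first match wins; no match falls through to the implicit deny."""
        for ace in self.aces:
            if wildcard_match(src_ip, ace.source, ace.wildcard):
                ace.matches += 1
                return ace.action, ace.seq
        self.implicit_denies += 1
        return "deny", None

    def counters(self) -> dict:
        """Per-ACE match counts, as show access-lists would display them."""
        return {ace.seq: ace.matches for ace in self.aces}

    def clear_counters(self) -> None:
        """Equivalent of clear access-list counters."""
        for ace in self.aces:
            ace.matches = 0
        self.implicit_denies = 0


def build_admin_acl() -> StandardAcl:
    """A VTY-style list (constructed): block one host, permit the rest of the admin LAN."""
    acl = StandardAcl("ADMIN-MGT")
    acl.add(10, "deny", "192.168.10.10")              # host form, wildcard defaults to 0.0.0.0
    acl.add(20, "permit", "192.168.10.0", "0.0.0.255")
    return acl
```

Evaluating a source from another network against build_admin_acl() returns ("deny", None) and leaves every visible counter untouched, which is exactly why the text tells you to add an explicit deny any: once acl.add(30, "deny", "0.0.0.0", "255.255.255.255") is in place the same packet returns ("deny", 30) and the drop shows up in counters(). An ACL with no permit at all denies everything for the same reason.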
Secure VTY Ports with a Standard IPv4 ACL
The access-class Command
A standard ACL can secure remote administrative access to a device using the vty lines by implementing the following two steps:
• Create an ACL to identify which administrative hosts should be allowed remote access.
• Apply the ACL to incoming traffic on the vty lines with the access-class access-list in line configuration command. Because access-class is bound to the vty lines rather than to an interface, one ACL restricts management sessions arriving on any interface; the same policy as an interface ACL would have to be repeated on every interface. Combine it with transport input ssh so that the permitted hosts can only reach the lines over SSH.
Secure VTY Ports with a Standard IPv4 ACL
Verify the VTY Port is Secured
After an ACL to restrict access to the vty lines is configured, it is important to verify it works as expected.
To verify the ACL statistics, issue the show access-lists command.
• The match in the permit line of the output is the result of a successful SSH connection by the host with IP address 192.168.10.10.
• The match in the deny statement is due to the failed attempt to create an SSH connection from a device on another network.
Configure Extended IPv4 ACLs
Extended ACLs
Extended ACLs provide a greater degree of control. They can filter on source address, destination address, protocol (e.g., IP, TCP, UDP, ICMP), and port number.
Extended ACLs can be created as:
• Numbered Extended ACL – Created using the access-list access-list-number global configuration command, with a number in the range 100-199 or 2000-2699.
• Named Extended ACL – Created using the ip access-list extended access-list-name global configuration command.
Configure Extended IPv4 ACLs
Protocols and Ports
Protocol Options
Configure Extended IPv4 ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options.
This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.
Configuring the port
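An added Python model (not the slides' own material) of how an extended ACE is matched: protocol, source and destination wildcard, and a destination port given either by IOS keyword name or by number, showing that eq www and eq 80 make the same decision on every packet. The Packet and ExtendedAce names, the destination 203.0.113.10 and the sample packets are constructed for the example, and the HTTP list is assumed to be permit tcp any any eq ... since the slide does not show the full ACE; the port-name table lists only IOS keyword names I am sure of.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# IOS accepts these keyword names for well-known TCP ports; any port can also
# be given numerically (22 and 443, for example, are normally typed as numbers).
TCP_PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                  "domain": 53, "www": 80, "pop3": 110}

ANY = ("0.0.0.0", "255.255.255.255")   # expansion of the "any" keyword


def resolve_port(port: Union[int, str]) -> int:
    """Turn 'www', '80' or 80 into the integer port 80."""
    if isinstance(port, int):
        return port
    return int(port) if port.isdigit() else TCP_PORT_NAMES[port]


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, ace_address, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # destination port, meaningful for tcp/udp only


@dataclass
class ExtendedAce:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_op: Optional[str] = None                       # eq | neq | lt | gt | range
    dst_port: Union[int, str, tuple, None] = None      # port, port name, or (lo, hi) for range


def port_matches(op: Optional[str], operand, port: int) -> bool:
    """Evaluate the destination-port operator of an ACE against a packet's port."""
    if op is None:
        return True
    if op == "range":
        lo, hi = (resolve_port(p) for p in operand)
        return lo <= port <= hi
    value = resolve_port(operand)
    return {"eq": port == value, "neq": port != value,
            "lt": port < value, "gt": port > value}[op]


def ace_matches(ace: ExtendedAce, pkt: Packet) -> bool:
    """Every field of the ACE must agree with the packet for the ACE to match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_op is not None and pkt.proto not in ("tcp", "udp"):
        return False                     # a port operator never matches ICMP
    return port_matches(ace.dst_op, ace.dst_port, pkt.dport)


def first_match(aces: list, pkt: Packet) -> str:
    """Top-down evaluation; no match falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def same_decisions(acl_a: list, acl_b: list, packets: list) -> bool:
    """True if two ACLs permit/deny exactly the same packets from the sample."""
    return all(first_match(acl_a, p) == first_match(acl_b, p) for p in packets)


# The HTTP example from the text, written once with the port name and once
# with the number (assumed form: permit tcp any any eq ...).
HTTP_BY_NAME = [ExtendedAce("permit", "tcp", *ANY, *ANY, "eq", "www")]
HTTP_BY_NUMBER = [ExtendedAce("permit", "tcp", *ANY, *ANY, "eq", 80)]

# Constructed sample traffic (203.0.113.10 is a documentation address).
SAMPLE_PACKETS = [
    Packet("tcp", "192.168.10.5", "203.0.113.10", 80),
    Packet("tcp", "192.168.10.5", "203.0.113.10", 443),
    Packet("udp", "192.168.10.5", "203.0.113.10", 80),
    Packet("icmp", "192.168.10.5", "203.0.113.10"),
]
```

same_decisions(HTTP_BY_NAME, HTTP_BY_NUMBER, SAMPLE_PACKETS) is true: the name is only a label for the number. The same matcher reproduces the FTP-FILTER list shown earlier: a TCP packet from 192.168.10.7 to port 21 or 20 is permitted, the same packet from 192.168.11.7 or to port 22 falls through to the implicit deny.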