Sunday, January 5, 2014

Access Control Lists (ACLs)

Access Control Lists (ACLs) allow you to permit or deny traffic with IP addresses or ports that you specify as permitted or denied.

ACL Basics

Think of an ACL as a bouncer at a nightclub. An incoming packet will be matched against a guest list, and if its IP address is not on the list, it doesn't get to go into (or come out of) the router's interface. Or if the packet is on a "banned" list, it doesn't get to pass either.

Standard ACLs
Standard access lists can only look at the source IP address of incoming or outgoing packets. A packet comes along with a source IP address of 10.4.56.21, the router looks at the access list, sees that addresses in that range are permitted, and so lets it through. Like a bouncer, if the address were not explicitly permitted, then it would be denied. So this access list would effectively block all traffic except for packets with that one source IP address.

Extended ACLs
These types of access lists can look at the protocol (such as IP, TCP, and UDP), the source and destination IP addresses, and the source and destination port numbers. So there are many options for filtering packets here, such as filtering out all HTTP traffic by denying anything with a destination port of 80.

Numbered vs Named ACLs
Access lists, both standard and extended, can be either numbered or named. With numbered access lists, each permit or deny statement is entered in the order you want, and once entered it cannot be removed individually. The only way to remove a statement is to delete the whole access list and start fresh. With named access lists, however, you enter your statements in a sub-prompt and can use line numbers to re-order them, delete them, and so on.

Wild Card Masks
ACLs use wild cards to allow you to filter based on a range of IP addresses. The "masked out" part is the part you don't care about, like saying "anything here." In other words, the wild card. A wild card mask is simply an inverted subnet mask, so make sure you understand subnet masks before trying to understand wildcards.

Here is an example. Let's say you want to deny all traffic not just from a single IP address, but from an entire subnetwork: the network 192.168.1.64/26. This would include IP addresses 192.168.1.64 to 192.168.1.126. So your subnet mask is 255.255.255.192. Your wildcard mask will be the inverse of this mask. The easiest way to get this is to find the block size of the subnet (remember your subnetting?), which is 64, and then subtract one from the block size: 63. So the wildcard mask is 0.0.0.63. To block all IP addresses in that range, you would use 192.168.1.64 0.0.0.63. If you convert the wildcard to bits, it will be 00000000.00000000.00000000.00111111, which tells the access list that you don't care what the last six bits are. Those first 26 bits are all you need the list to look at.

ACL Configuration

Numbered Standard Access Lists
First, the command "access-list", followed by the number. This number can be from 1 to 99, or from 1300 to 1999. Then you either permit or deny, followed by the source IP address that you want to permit or deny. Finally, the wild card mask. Then you can create the next permit or deny statement.

After you have created your access list, you need to apply it to an interface, and tell it whether to apply the list for outgoing or incoming packets.

Named Standard Access Lists
The first command is "ip access-list standard", followed by the name you want to give it (which can include numbers if you like). Then you press ENTER, which brings you into the access list sub-prompt. Within this sub-prompt you begin entering your permit and deny statements, or removing them if necessary. You can start each one with a line number if you want (typically 10, 20, etc. to allow you to insert statements in between them later if you decide to). Finally, type "exit" to leave the sub-prompt.

Then you just need to apply it to the interface and tell it to match either incoming or outgoing packets, as above.

Numbered Extended Access Lists
As above, you simply use the command "access-list" followed by a number, but for it to be an extended ACL the number must be from 100 to 199, or from 2000 to 2699. This is followed by a "permit" or "deny" statement, and then the protocol you want the list to be concerned with, such as IP or TCP. Next is the source IP address and port, followed by the destination IP address and port. For port numbers, you can use several operators such as "eq 80" to mean "if the port number equals 80", or "neq 80" to mean "if the port number is anything other than 80". Other operators include "lt" for "less than", and "gt" for "greater than". Instead of port numbers, you can also use protocol names. For example, instead of saying "eq 80", you could use "eq HTTP". As with all the others, you must then apply it to the interface you want.

Named Extended Access Lists
The first command is "ip access-list extended", followed by the name you want to give the list. Then press ENTER, which brings you to the ACL configuration sub-prompt. Now enter your statements beginning with a line number if you like (if not, it just puts the permit/deny statement at the end of the ACL), followed by "permit" or "deny", followed by the protocol (IP, TCP, UDP), followed by the source IP address and port, and the destination IP address and port. Finally, apply it to the interface you want.

Example 1: Numbered Standard Access List

1. Create an access list numbered "47" that will permit any traffic from subnetwork 10.22.32.0/19, and deny traffic from anywhere else:
access-list 47 permit 10.22.32.0 0.0.31.255
2. Apply this access list to all incoming traffic on interface fa0/0 on the router:
interface fa0/0
ip access-group 47 in
Example 2: Named Standard Access List

1. Create an access list named "MyACL", which will begin the sub-prompt:
ip access-list standard MyACL
2. In the sub-prompt, begin entering the permit/deny statements:
10 permit 10.22.32.0 0.0.31.255
20 deny 192.168.1.0 0.0.0.255
3. Apply the access list to interface fa0/0:
interface fa0/0
ip access-group MyACL out
Example 3: Numbered Extended Access List

1. Create the numbered access list statement, denying packets bound for an HTTP server by denying all packets with a destination port of 80:
access-list 147 deny tcp 10.22.32.0 0.0.31.255 192.168.1.1 0.0.0.0 eq 80
2. Apply the list to packets coming into interface s0/1:
interface s0/1
ip access-group 147 in
Example 4: Named Extended Access List

1. Create a named list called "MyACL", which will also enter you into the ACL sub-prompt:
ip access-list extended MyACL
2. Within the sub-prompt, begin entering permit and deny statements, using line numbers. If line numbers had not been used, new statements would have just been placed at the end of the list. We want to permit all traffic from network 10.22.32.0/19, and deny all (note the word "any" to substitute 0.0.0.0 255.255.255.255) FTP traffic to the FTP server. Note that we could also use "eq 21":
10 permit ip 10.22.32.0 0.0.31.255 65.32.10.1 0.0.0.0
20 deny tcp any 192.168.3.102 0.0.0.0 eq ftp
3. Finally, apply the access list to the Fast Ethernet interface 1/2, for packets going out:
interface fa1/2
ip access-group MyACL out
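To make the wildcard-mask arithmetic and the "first match wins, then implicit deny" behaviour concrete, here is an added Python model of ACL evaluation (written for this post, not Cisco IOS code). It computes wildcard masks from a prefix length, tests an address against an address/wildcard pair the way the router does, and runs the page's access lists 47 (Example 1) and 147 (Example 3) over constructed sample packets; the trailing "permit ip any any" on list 147 is an assumption added so that the non-HTTP traffic has something to match.

```python
import ipaddress

def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the subnet mask with every bit inverted."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def wildcard_match(addr, rule_addr, wildcard):
    """True if addr agrees with rule_addr on every bit the wildcard leaves as 0 (the "care" bits)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ r) & ~w & 0xFFFFFFFF == 0

def evaluate_acl(entries, packet):
    """Walk the entries top-down; the first match decides, anything unmatched hits the implicit deny."""
    for e in entries:
        # protocol "ip" matches everything, otherwise it must equal the packet's protocol
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        # standard entries carry no destination or port; extended ones may
        if "dst" in e and not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if "dport" in e and e["dport"] != packet.get("dport"):
            continue
        return e["action"]
    return "deny"  # the implicit "deny any" at the end of every ACL

ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to

# Example 1 from the page: access-list 47 permit 10.22.32.0 0.0.31.255
ACL_47 = [{"action": "permit", "proto": "ip", "src": ("10.22.32.0", "0.0.31.255")}]

# Example 3 from the page: access-list 147 deny tcp 10.22.32.0 0.0.31.255 192.168.1.1 0.0.0.0 eq 80
# The trailing "permit ip any any" is constructed here; without it the list would drop everything else.
ACL_147 = [
    {"action": "deny", "proto": "tcp", "src": ("10.22.32.0", "0.0.31.255"),
     "dst": ("192.168.1.1", "0.0.0.0"), "dport": 80},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    print(wildcard_from_prefix(26))                                                       # 0.0.0.63
    print(evaluate_acl(ACL_47, {"src": "10.22.40.7", "dst": "8.8.8.8", "proto": "udp"}))  # permit
    print(evaluate_acl(ACL_47, {"src": "10.22.64.7", "dst": "8.8.8.8", "proto": "udp"}))  # deny
    web = {"src": "10.22.33.5", "dst": "192.168.1.1", "proto": "tcp", "dport": 80}
    print(evaluate_acl(ACL_147, web))                                                     # deny
    print(evaluate_acl(ACL_147, dict(web, dport=443)))                                    # permit
```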
Verifying Access Control Lists

You can see which ACLs exist on a router, and which interfaces they are applied to, by using the "show run" command, or list the statements themselves (along with how many packets each one has matched) with the "show ip access-list" command.
