
Access Control List & its Types

Access Control Lists (ACLs) can be used for two purposes:

1. To filter traffic
2. To identify traffic

Access lists are sets of rules, organized in a rule table. Each rule or line in an access list provides a
condition and an action, either permit or deny.

Access lists are used to filter unwanted packets when implementing security policies.
Access lists can be used to permit or deny packets moving through the router, or to permit or deny Telnet
access to or from a router.
Applying an access list on an interface does not stop routing advertisements; it only controls their
content. Once lists are built, they can be applied to either inbound or outbound traffic on any interface.
There are a few important rules that a packet follows when it is being compared with an access list:
1. It is always compared with each line of the access list in sequential order, i.e. the comparison always starts
with the first line of the access list, then goes to line 2, then line 3, and so on.
2. It is compared with lines of the access list only until a match is made. Once the packet matches
the condition on a line of the access list, the packet is acted upon, and no further comparisons
take place.
3. There is an implicit deny at the end of each access list. This means that if a packet does not
match the condition on any of the lines in the access list, the packet will be discarded.

Data Flow Diagram of ACL


When activating an ACL on an interface, you must specify in which direction the traffic should be
filtered:

Inbound Access Lists


When an access list is applied to inbound packets on an interface, those packets are processed through
the access list before being routed to the outbound interface. Any packets that are denied will not be
routed, because they are discarded before the routing process is invoked.

Outbound Access Lists


When an access list is applied to outbound packets on an interface, those packets are routed to the
outbound interface and then processed through the access list before being queued.

Universal facts about access control lists:
1. ACLs come in two varieties: numbered and named.
2. Each of these supports two types of filtering: standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a packet.
4. Extended IP ACLs can filter on the source and destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed; therefore, order is important.
8. If no match is found, the invisible implicit deny statement at the end of the ACL drops the
packet.
9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because
of the hidden implicit deny statement at the end of every ACL.

Access List Ranges

Type                          Range
IP Standard                   1-99
IP Extended                   100-199
IP Standard Expanded Range    1300-1999
IP Extended Expanded Range    2000-2699

Placement of ACLs
1. Standard ACLs should be placed as close to the destination devices as possible.
2. Extended ACLs should be placed as close to the source devices as possible.
There are some general access list guidelines:
1. We can assign only one access list per interface, per protocol, per direction. This means that
when creating IP access lists, we can only have one inbound access list and one outbound access
list per interface.
2. Organize your access lists so that the more specific tests are at the top of the access list.
3. Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a
text editor for access lists is highly recommended.
4. You cannot remove one line from a numbered access list. If you try to do this, you will remove the entire
list. It is best to copy the access list to a text editor before trying to edit the list. The only
exception is when using named access lists.
5. Unless your access list ends with a permit any command, all packets will be discarded if they do
not match any line of the list. Every list should have at least one permit statement, or it will deny all
traffic.
6. Create access lists and then apply them to an interface. Until it is applied to an interface, an access
list does nothing.
7. Access lists are designed to filter traffic going through the router. They will not filter traffic that
has originated from the router.
8. Place IP standard access lists as close to the destination as possible. This is the reason we do not
really want to use standard access lists in our networks: we cannot put a standard access list
close to the source host or network, because we can only filter based on source address and
nothing would be forwarded.
9. Place IP extended access lists as close to the source as possible. Since extended access lists can
filter on very specific addresses and protocols, you do not want your traffic to traverse the entire
network and then be denied. By placing this list as close to the source address as possible, you
can filter traffic before it uses up your precious bandwidth.
There are two types of access lists.

Standard Access List

These use only the source IP address in an IP packet as the condition test. All decisions are made based
on the source IP address. This means that standard access lists basically permit or deny an entire suite of
protocols. They do not distinguish between the many kinds of IP traffic such as WWW, Telnet, UDP
and so on.
You are telling the router that you want to create a standard IP access list, so the router will expect
syntax specifying only the source IP address in the test lines.
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step requires a more detailed explanation. There are three options available. You can use the
any parameter to permit or deny any host or network. You can use an IP address to specify either a
single host or a range of them. Or you can use the host command to specify a specific host only. The any
keyword is pretty obvious: any source address matches the statement, so every packet compared
against this line will match. The host command is relatively simple.
Router(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other
words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.
But there is another way to specify either a particular host or a range of hosts: you can use wildcard
masking.
Wildcards are used with access lists to specify an individual host, a network or a certain range of a
network or networks. Some of the different block sizes available are 64, 32, 16, 8 and 4.
Wildcards are used with the host or network address to tell the router a range of available addresses to
filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in
the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As
an example, here is how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match up the first three octets exactly, but the fourth octet can be any value.
Let's say that you want to block access to part of a network, the range from 172.16.8.0 through
172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be
0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard
tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0.
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255
This example tells the router to match the first three octets exactly, but the fourth octet can
be anything.
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255
This example tells the router to match the first two octets; the last two octets can be any value.
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This example tells the router to start at network 172.16.16.0 and use a block size of 4. The
range would then be 172.16.16.0 through 172.16.19.0.
Router(config)#access-list 10 deny 172.16.16.0 0.0.7.255
This example starts at 172.16.16.0 and goes up a block size of 8 to 172.16.23.0.
Router(config)#access-list 10 deny 172.16.32.0 0.0.15.255
This example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0.
Router(config)#access-list 10 deny 172.16.64.0 0.0.63.255
This example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.
Router(config)#access-list 10 deny 192.168.160.0 0.0.31.255
This example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255.
Block size ranges: 0 to 7, 8 to 15, 16 to 23, 0 to 31, 32 to 63, 64 to 95.
The keyword any is the same thing as writing out the wildcard
0.0.0.0 255.255.255.255

Extended Access List


Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP
packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer
header, and the port number in the Transport layer header. This gives extended access lists the ability to
make much more granular decisions when controlling traffic.
By using extended access lists, you can effectively allow users access to a physical LAN and stop them
from accessing specific hosts or even specific services on those hosts.
Router(config)#access-list 110 deny tcp ?
Router(config)#access-list 110 deny tcp any host 172.16.30.2 ?
Router(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
You can choose a port number or use the application or protocol name. At this point, let's block Telnet
(port 23) to host 172.16.30.2 only. If the users want to FTP, fine, that is allowed. The log keyword is
used to log a message every time the access list is hit. This can be an extremely cool way to monitor
inappropriate access attempts.
Router(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
You need to keep in mind that the next line is an implicit deny any by default. If you applied this access list
to an interface as it stands, you might as well just shut the interface down, since by default there is an implicit deny
all at the end of every access list. You have to follow up the access list with the following command:
Router(config)#access-list 110 permit ip any any
Once the access list is created, you need to apply it to an interface, inbound or outbound:
Router(config-if)#ip access-group 110 in
Router(config-if)#ip access-group 110 out
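To make the processing rules concrete (top-down comparison, first match wins, implicit deny, wildcard masks, and the extended-list fields), here is a small ACL simulator written as an added example for these notes; it is not Cisco code, and the entry and packet dictionary formats are assumptions of the example. It also reports the address block a network/wildcard pair covers.

```python
"""Added example (not from the original notes): a small simulator of how an IOS
ACL is evaluated. Wildcard bits set to 1 are "don't care"; statements are checked
top-down, the first match wins, and no match falls through to the implicit deny.
The entry and packet dictionary formats are assumptions of this example."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as network + wildcard

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when every 'must match' (0) wildcard bit agrees between addr and network."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(network) & ~w)

def wildcard_range(network: str, wildcard: str) -> tuple:
    """First and last address of the block described by network + wildcard."""
    w = _ip(wildcard)
    low = _ip(network) & ~w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

def evaluate(acl: list, packet: dict) -> tuple:
    """Return (action, index of the matching line); None marks the implicit deny."""
    for i, entry in enumerate(acl):
        proto_ok = entry.get("proto", "ip") in ("ip", packet.get("proto", "ip"))
        src_ok = wildcard_match(packet["src"], *entry["src"])
        dst_ok = wildcard_match(packet["dst"], *entry.get("dst", ANY))  # standard lists ignore dst
        port_ok = "dport" not in entry or entry["dport"] == packet.get("dport")
        if proto_ok and src_ok and dst_ok and port_ok:
            return entry["action"], i
    return "deny", None                  # the invisible last line of every ACL

# access-list 110 from the notes: block Telnet to 172.16.30.2, permit everything else.
ACL_110 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": ("172.16.30.2", "0.0.0.0"), "dport": 23},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]
# A standard list that forgot its permit: every packet ends up at the implicit deny.
ACL_10_NO_PERMIT = [{"action": "deny", "src": ("172.16.40.0", "0.0.0.255")}]

# Constructed sample packets.
TELNET = {"proto": "tcp", "src": "10.1.1.1", "dst": "172.16.30.2", "dport": 23}
FTP = {"proto": "tcp", "src": "10.1.1.1", "dst": "172.16.30.2", "dport": 21}
OTHER = {"src": "172.16.50.9", "dst": "172.16.30.2"}
```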

Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by
number, which is not very descriptive of their use. With a named ACL, this is not the case, because you can
give your ACL a descriptive name. An ACL named DenyMike is a lot more meaningful than an ACL
simply numbered 1. There are both IP standard and IP extended named ACLs.
Another advantage of named ACLs is that they allow you to remove individual lines from an ACL. With
numbered ACLs, you cannot delete individual statements. Instead, you need to delete your existing
access list and re-create the entire list.
Named access lists are just another way to create standard and extended lists.
Router(config)#ip access-list ?
Notice that I started with ip access-list, not access-list. This allows me to enter a named access list.
Router(config)#ip access-list standard BlockSales
I have specified a standard access list and then added a name, BlockSales. Notice that I could have used a
number for a standard access list, but instead I chose to use a descriptive name.
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#int e1
Router(config-if)#ip access-group BlockSales out
Router(config-if)#exit

Commands used to verify access list configuration:

1. show access-list: displays all access lists and their parameters configured on the router. This
command does not show you which interface the list is set on.
2. show access-list 110: shows only the parameters for access list 110. This command does not
show you the interface the list is set on.
3. show ip access-list: shows only the IP access lists configured on the router.
4. show ip interface: shows which interfaces have access lists set.
5. show running-config: shows the access lists and which interfaces have access lists set.
6. Remarks
The remark keyword is really important because it arms you with the ability to include
comments, or rather remarks, regarding the entries you have made in both your IP standard and
extended ACLs. Even though you have the option of placing your remarks either before or after a
permit or deny statement, I totally recommend that you position them consistently so
you do not get confused about which remark is relevant to which of your permit or deny
statements.
Router(config)#access-list 110 remark permit Bob from sales only to finance
Router(config)#access-list 110 permit ip host 172.16.40.1 172.16.30.0 0.0.0.255
7. Blocking SNMP Packets
Router(config)#access-list 110 deny udp any any eq snmp
Router(config)#int s0/0
Router(config-if)#ip access-group 110 in
8. Disabling Echo (the TCP and UDP small servers)
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
9. Turning off BootP and Auto-Config
Router(config)#no ip bootp server
Router(config)#no service config

10. Disabling the HTTP Interface
Router(config)#no ip http server
11. Disabling IP Source Routing
Router(config)#no ip source-route
12. Disabling Proxy ARP
Router(config)#int fa0/0
Router(config-if)#no ip proxy-arp
13. Disabling Redirect Messages
Router(config)#int s0/0
Router(config-if)#no ip redirects
14. Disabling the Generation of ICMP Unreachable Messages
Router(config)#int s0/0
Router(config-if)#no ip unreachables
15. Disabling Multicast Route Caching
Router(config)#int s0/0
Router(config-if)#no ip mroute-cache
16. Disabling the Maintenance Operation Protocol (MOP)
Router(config)#int s0/0
Router(config-if)#no mop enabled
17. Turning off the X.25 PAD Service
Router(config)#no service pad
18. Enabling the Nagle TCP Congestion Algorithm
Router(config)#service nagle
19. Logging Every Event
Router(config)#logging trap debugging
Router(config)#logging 192.168.254.251
Router#sh logging
20. Disabling Cisco Discovery Protocol
Router(config)#no cdp run
For a single interface:
Router(config-if)#no cdp enable
21. Disabling the Default Forwarded UDP Protocols
When you use the ip helper-address command as follows on an interface, your router will forward UDP
broadcasts to the listed server or servers:
Router(config)#int fa0/0
Router(config-if)#ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client
requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server
request), it forwards seven other ports by default as well. To disable the unused ports, use the
following commands.
Router(config)#no ip forward-protocol udp 69
Router(config)#no ip forward-protocol udp 53
Router(config)#no ip forward-protocol udp 37
Router(config)#no ip forward-protocol udp 137
Router(config)#no ip forward-protocol udp 138
Router(config)#no ip forward-protocol udp 68
Router(config)#no ip forward-protocol udp 49
Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to
forward a certain port, say TACACS+ for example, use the following command:
Router(config)#ip forward-protocol udp 49
22. Cisco's AutoSecure
Router#auto secure
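A defender rarely types these commands once and forgets them; the useful follow-up is checking a saved running-config against the list. The audit script below is an added example for these notes, not a Cisco tool: it flags which hardening commands from items 7 to 21 are absent (globally and per interface), and applies two of the ACL guidelines above, that every numbered ACL has a permit statement and is actually applied to an interface. The config excerpt is constructed for the demonstration.

```python
"""Added example (not from the original notes): audit a saved IOS running config
against the hardening commands in items 7 to 21 above and two ACL guidelines from
the notes: every ACL needs a permit statement and must be applied to an interface."""
import re
# Global and per-interface commands the notes recommend; their absence is reported.
GLOBAL_HARDENING = ["no service tcp-small-servers", "no service udp-small-servers",
                    "no ip bootp server", "no ip http server", "no ip source-route",
                    "no cdp run", "no service pad"]
INTERFACE_HARDENING = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]

def audit(config: str) -> list:
    findings, lines = [], config.splitlines()
    top_level = {l.strip() for l in lines if not l.startswith(" ")}
    findings += [f"global: missing '{c}'" for c in GLOBAL_HARDENING if c not in top_level]
    iface, seen, applied, acls = None, set(), set(), {}
    for line in lines + ["!"]:                 # sentinel closes the last interface block
        if iface and line.startswith(" "):     # IOS indents sub-commands by one space
            seen.add(line.strip())
            applied.update(re.findall(r"ip access-group (\S+) (?:in|out)$", line))
            continue
        if iface:                              # any top-level line ends the block
            findings += [f"{iface}: missing '{c}'" for c in INTERFACE_HARDENING if c not in seen]
            iface, seen = None, set()
        if line.startswith("interface "):
            iface = line.split()[1]
        for num, action in re.findall(r"^access-list (\d+) (permit|deny) ", line):
            acls.setdefault(num, []).append(action)
    for num, actions in acls.items():
        if "permit" not in actions:
            findings.append(f"acl {num}: no permit statement, implicit deny drops all traffic")
        if num not in applied:
            findings.append(f"acl {num}: not applied to any interface")
    return findings

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip http server
no cdp run
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 110 deny tcp any host 172.16.30.2 eq 23 log
access-list 110 permit ip any any
interface FastEthernet0/0
 no ip proxy-arp
 ip access-group 110 in
interface Serial0/0
 no ip redirects
 no ip unreachables
"""
```

Run `audit(SAMPLE_CONFIG)` on the excerpt and it reports the three missing global commands, the per-interface gaps, and that access-list 10 is both unapplied and missing a permit.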