
Access Lists

Shariaty@gmail.com
www.alishariaty.ir

Shariaty@gmail.com Copyright 2012 Alishariaty.ir


www.alishariaty.ir All Rights Reserved.
Contents

Part I Access Lists Basic Concepts


Part II Standard Access Lists
Part III Extended Access Lists
Part IV Named Base Access Lists
Part V Access Class

Estimated time
03:00:00

Part I
Access Lists Basic
Concepts

Access Lists Basic Concepts
Network Filtering

Network filtering is the process of limiting access to network services.

Access Lists Basic Concepts
Network Filtering

Where to implement the filtering?

On which router?
On which interface?
In which direction?

Access Lists Basic Concepts
Network Filtering
Examples

Access Lists Basic Concepts
Features

Each scenario will be implemented by a single access list.

Each access list is a combination of several rules (with the same access list number).

Each rule in an access list points to a single type of traffic.

With the permit or deny keyword, we separate the allowed traffic from the disallowed.

Access Lists Basic Concepts
Features

The last rule in every access list is an implicit deny of all traffic. (We may change the policy by adding, as the last line, access-list 101 permit ip any any.)

We assign an access list to an interface and a specific direction:

Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 101 {in|out}

An access list is only useful when it is applied to an interface; otherwise it does nothing.

Access Lists Basic Concepts
Features

The order of the rules matters.

Example
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any any
Or
access-list 101 permit ip any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
In the first order, traffic from 192.168.1.0/24 is denied and everything else is permitted; in the second order, permit ip any any matches every packet first, so the deny line is never reached.

Access Lists Basic Concepts
Features

When an access list is applied on a router, it only processes and filters the traffic passing through the router. This means that packets generated by the router itself (source IP address of the router) or packets terminated at that router (destination IP address of the router) will not be processed. Some packets, like OSPF, EIGRP, SSH, Telnet, ICMP, ...

Access Lists Basic Concepts
Access List Types

Standard numbered ACLs (1-99)
Extended numbered ACLs (100-199)
Additional ACL numbers (1300-1999 standard, 2000-2699 extended)
Named ACLs (standard and extended)

Q. Which of the following answers lists a valid
number that can be used with standard numbered
IP ACLs? (Choose two answers.)

a. 1987
b. 2187
c. 187
d. 87

Part II
Standard Access
Lists

Standard Access Lists

These access lists are not widely used for filtering.
These access lists are used for categorizing traffic (e.g. in NAT, PBR, ...).
Filtering is based only on the source IP address.

Note
This access list should be implemented as near as possible to the destination (because if you deny a source, it will be denied to all destinations).

Standard Access Lists

How to write a standard access list?

Router(config)# access-list <number> {permit|deny} <source-ip-address> <wildcard-mask>
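The wildcard mask in the command above is the part that trips people up, so here is an added worked example (my own Python, not code from the slides or from Cisco) that computes the address range an entry such as 192.168.1.0 0.0.0.15 covers and builds the wildcard for a subnet written in CIDR form. The entries it is run on are taken from the slides' standard ACL example; the function names are my own.

```python
# Added example (not part of the original slides): what a wildcard mask in
# "access-list <number> {permit|deny} <source> <wildcard>" actually covers.
# A 0 bit in the wildcard means "this bit must match"; a 1 bit means "don't care".
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_range(network: str, wildcard: str):
    """Return (first, last, count) for the addresses matched by network/wildcard.

    Only a contiguous wildcard (all 1 bits at the low end) describes one
    address range. A non-contiguous wildcard such as 0.0.255.0 still matches
    a definite number of addresses, but they are scattered, so no range is
    reported for it."""
    net, wild = to_int(network), to_int(wildcard)
    count = 2 ** bin(wild).count("1")          # one address per don't-care bit combination
    contiguous = (wild & (wild + 1)) == 0      # e.g. 0.0.0.15 -> ...00001111
    if not contiguous:
        return None, None, count
    first = net & ~wild & 0xFFFFFFFF           # clear the don't-care bits
    last = first | wild                        # set the don't-care bits
    return to_str(first), to_str(last), count


def wildcard_for_prefix(prefix_len: int) -> str:
    """The wildcard that matches exactly one /prefix_len subnet (inverse of the netmask)."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_str(~netmask & 0xFFFFFFFF)


def entry_for_subnet(cidr: str) -> str:
    """Build the '<network> <wildcard>' pair for a subnet given in CIDR notation."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {wildcard_for_prefix(net.prefixlen)}"


if __name__ == "__main__":
    # Entries taken from the slides' standard ACL example
    for network, wildcard in [("192.168.1.10", "0.0.0.0"),        # same as "host 192.168.1.10"
                              ("192.168.1.0", "0.0.0.15"),
                              ("192.168.1.0", "0.0.0.255"),
                              ("0.0.0.0", "255.255.255.255")]:    # same as "any"
        print(f"{network} {wildcard} -> {wildcard_range(network, wildcard)}")
    # Constructed: a non-contiguous wildcard matches 256 scattered addresses, not a subnet
    print("172.16.0.5 0.0.255.0 ->", wildcard_range("172.16.0.5", "0.0.255.0"))
    print("172.16.5.0/25 ->", entry_for_subnet("172.16.5.0/25"))
```

The contiguity check is the useful part: a wildcard whose 1 bits are not all at the low end is accepted by the router, but it does not describe a subnet, which is a common source of over-matching entries.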

Standard Access Lists
Example

access-list 1 permit 192.168.1.10 0.0.0.0
access-list 1 deny 192.168.1.0 0.0.0.15
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny 0.0.0.0 255.255.255.255 (not needed: this is the implicit last rule)

Or

access-list 1 permit host 192.168.1.10
access-list 1 deny 192.168.1.0 0.0.0.15
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any (not needed: this is the implicit last rule)
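To make the first-match behaviour and the implicit deny concrete, here is an added example (my own Python model, not the slides' code and not Cisco's implementation) that parses standard access-list lines and evaluates a source address against them. It runs the ACL 1 above, and also the two orderings from the rule-order example in Part I rewritten in source-only (standard) form, since this model ignores destinations and protocols; the ACL number 2 and the test addresses are constructed.

```python
# Added example (not code from the original slides): a minimal model of how a
# standard ACL is walked. Rules are tested top to bottom, the first matching
# rule decides, and a packet that matches nothing hits the implicit "deny any".
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches(src: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(network) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} <source> [<wildcard>]', 'host X' or 'any'.

    Returns a list of (action, network, wildcard) in configured order."""
    rules = []
    for line in lines:
        tokens = line.strip().lower().split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, source = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if source[0] == "any":
            rules.append((action, "0.0.0.0", "255.255.255.255"))
        elif source[0] == "host":
            rules.append((action, source[1], "0.0.0.0"))
        else:
            # A missing wildcard means a single host (wildcard 0.0.0.0)
            wildcard = source[1] if len(source) > 1 else "0.0.0.0"
            rules.append((action, source[0], wildcard))
    return rules


def evaluate(rules, src: str) -> str:
    """First match wins; no match means the implicit deny at the end of the list."""
    for action, network, wildcard in rules:
        if matches(src, network, wildcard):
            return action
    return "deny"   # implicit deny any


# The slides' standard ACL example, as typed on the router
ACL_1 = parse_standard_acl([
    "access-list 1 permit host 192.168.1.10",
    "access-list 1 deny 192.168.1.0 0.0.0.15",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
])

# The slides' rule-order example rewritten in source-only form (constructed ACL 2):
# the same two rules in the two possible orders
DENY_FIRST = parse_standard_acl([
    "access-list 2 deny 192.168.1.0 0.0.0.255",
    "access-list 2 permit any",
])
PERMIT_FIRST = parse_standard_acl([
    "access-list 2 permit any",
    "access-list 2 deny 192.168.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.5", "192.168.1.100", "10.0.0.1"):
        print(f"{src:15} ACL 1: {evaluate(ACL_1, src):6} "
              f"deny-first: {evaluate(DENY_FIRST, src):6} "
              f"permit-first: {evaluate(PERMIT_FIRST, src)}")
```

Running it shows 192.168.1.5 denied by ACL 1 (the /28 deny comes before the /24 permit), 10.0.0.1 denied by ACL 1 only because of the implicit deny, and the permit-first ordering of ACL 2 permitting everything because its deny line is never reached.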

Standard Access Lists

PC1 should have access to the server. PC2 should not.

Standard Access Lists

R2(config)# access-list 1 permit 192.168.1.100
R2(config)# interface fastEthernet 0/0
R2(config-if)# ip access-group 1 out

Q. Which of the following access-list commands
matches all packets in the range of addresses in
subnet 172.16.5.0/25?

a. access-list 1 permit 172.16.0.5 0.0.255.0
b. access-list 1 permit 172.16.4.0 0.0.1.255
c. access-list 1 permit 172.16.5.0
d. access-list 1 permit 172.16.5.0 0.0.0.128

Part III
Extended Access
Lists

Extended Access Lists

Filtering based on:
Source IP address
Destination IP address
Source port
Destination port
Protocol (e.g. IP, TCP, UDP, ICMP, ...)

Note
IP covers all of the protocols in the example above.

Extended Access Lists

How to write an extended access list?

Router(config)# access-list <number> {permit|deny} {ip|icmp} <source-ip> <wildcard-mask> <destination-ip> <wildcard-mask>

Router(config)# access-list <number> {permit|deny} {tcp|udp} <source-ip> <wildcard-mask> [<operator> <source-port>] <destination-ip> <wildcard-mask> [<operator> <destination-port>]

Extended Access Lists
Operators

eq
neq
gt
lt
range

Examples
eq 80 = web
eq 25 = SMTP
neq 80 = all the traffic except web
gt 1024 = all the random (ephemeral) ports
lt 1024 = all the standard (well-known) ports
range 20 23 = SSH, FTP, Telnet

Extended Access Lists
Popular Applications and Their Well-Known Port
Numbers

Extended Access Lists

Note
Source IP and destination IP are mandatory; if you are not interested in one of them, use the any keyword.
If the source or destination port is not important, just omit it.

Extended Access Lists
Examples
Filtering Packets Based on Destination Port

Extended Access Lists
Examples
Filtering Packets Based on Source Port

Extended Access Lists
Example Extended access-list Commands and Logic
Explanations

Extended Access Lists
Standard and extended access list problems

ACL numbers are not self-explanatory; a number says nothing about what the list does.
It is not possible to delete a single rule; trying to do so deletes all the rules.
When you add a new rule, it is appended at the end of the list.

Extended Access Lists
Standard and extended access list problems
Solution 1

Deactivate the ACL on the interface.
Copy the ACL from the running configuration into a notepad.
Make the necessary changes in the notepad.
Delete the access list.
Paste the commands from the notepad.
Apply the access list.

Extended Access Lists
Standard and extended access list problems
Solution 2

Name-based (named) access lists.

Extended Access Lists

PC1 should be able to ping the server; PC2 should not.
PC1 should have access to the FTP service of the server; PC2 should not.
PC2 should have access to the web service of the server; PC1 should not.

Extended Access Lists
R2(config)# access-list 101 permit icmp host 192.168.1.100 host 192.168.2.100
R2(config)# access-list 101 permit tcp host 192.168.1.100 any eq ftp
R2(config)# access-list 101 permit tcp host 192.168.1.101 host 192.168.2.100 eq www
R2(config)# interface fastEthernet 0/0
R2(config-if)# ip access-group 101 out
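The following added example (my own Python model, not the slides' configuration and not IOS code) parses the three ACL 101 lines above and evaluates constructed packets from PC1 (192.168.1.100) and PC2 (192.168.1.101) against them, including the port operators from the Operators slide. It assumes the web rule's destination is the server, 192.168.2.100 (the server address used elsewhere in this scenario), and its port-name table covers only the keywords that appear on these slides.

```python
# Added example (not the slides' own code): a model of extended ACL matching
# with the port operators eq / neq / gt / lt / range, run against the slides'
# ACL 101 and a few constructed packets.
import ipaddress

# Assumption: only the port keywords used on these slides are resolved here
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
OPERATORS = ("eq", "neq", "gt", "lt", "range")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def addr_matches(addr, network, wildcard):
    """Wildcard semantics: 1 bits in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)


def port_value(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def take_address(tokens, i):
    """Consume one address spec (any | host X | X W) at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def take_port(tokens, i):
    """Consume an optional '<operator> <port> [<port>]' at tokens[i]; None = any port."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return None, i
    op = tokens[i]
    if op == "range":
        return (op, port_value(tokens[i + 1]), port_value(tokens[i + 2])), i + 3
    return (op, port_value(tokens[i + 1])), i + 2


def port_matches(spec, port):
    if spec is None:
        return True            # no operator given: any port
    if port is None:
        return False           # the rule needs a port but the packet carries none
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "neq":
        return port != spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    return spec[1] <= port <= spec[2]   # range low high, inclusive


def parse_extended_acl(lines):
    """Parse 'access-list N {permit|deny} <proto> <src> [op port] <dst> [op port]'."""
    rules = []
    for line in lines:
        t = line.strip().lower().split()
        if t[0] != "access-list":
            raise ValueError(f"not an ACL line: {line!r}")
        action, proto, i = t[2], t[3], 4
        src, i = take_address(t, i)
        sport, i = take_port(t, i) if proto in ("tcp", "udp") else (None, i)
        dst, i = take_address(t, i)
        dport, i = take_port(t, i) if proto in ("tcp", "udp") else (None, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First match wins; 'ip' matches every protocol; no match is the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (addr_matches(src, *rsrc) and addr_matches(dst, *rdst)):
            continue
        if not (port_matches(rsport, sport) and port_matches(rdport, dport)):
            continue
        return action
    return "deny"


# The slides' ACL 101 (web rule destination assumed to be the server 192.168.2.100)
ACL_101 = parse_extended_acl([
    "access-list 101 permit icmp host 192.168.1.100 host 192.168.2.100",
    "access-list 101 permit tcp host 192.168.1.100 any eq ftp",
    "access-list 101 permit tcp host 192.168.1.101 host 192.168.2.100 eq www",
])

if __name__ == "__main__":
    SERVER = "192.168.2.100"
    for name, pc in (("PC1", "192.168.1.100"), ("PC2", "192.168.1.101")):   # constructed packets
        print(name, "ping :", evaluate(ACL_101, "icmp", pc, SERVER))
        print(name, "ftp  :", evaluate(ACL_101, "tcp", pc, SERVER, 40000, 21))
        print(name, "web  :", evaluate(ACL_101, "tcp", pc, SERVER, 40000, 80))
```

Note what the model makes visible: the FTP rule says `any` as destination, so PC1 is permitted to reach port 21 on every host behind that interface, not only the server, which is exactly the kind of over-match the "use any only when you are not interested" note on the previous slide warns about.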

Q. Which of the following fields cannot be compared
based on an extended IP ACL? (Choose two answers.)

e. Protocol
f. Source IP address
g. Destination IP address
h. Destination Port address
i. URL

Q. Which of the following access-list commands
permits packets going from host 10.1.1.1 to all web
servers whose IP addresses begin with 172.16.5?
(Choose two answers.)

a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www

Part IV
Named Base
Access Lists

Name Based Access List (IP access list)
Named ACL Versus Numbered ACL Configuration

How to write a named access list?

Router(config)# ip access-list {standard|extended} <name>

This enters the ACL configuration context (the config-ext-nacl prompt in the examples that follow), where the rules are typed without the access-list keyword and number.
Name Based Access List (IP access list)
Example
Router(config)# ip access-list extended test
Router(config-ext-nacl)# permit udp any any eq domain
Router(config-ext-nacl)# permit icmp any any
Router(config-ext-nacl)# permit ip any host 192.168.1.150
Router(config-ext-nacl)# permit ip host 192.168.3.10 any
Router(config-ext-nacl)# deny tcp host 192.168.3.12 host 192.168.1.100 eq www
Router(config-ext-nacl)# permit tcp host 192.168.3.13 host 192.168.1.100 eq www
Router(config-ext-nacl)# permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet

Name Based Access List (IP access list)
Example

Router# show access-list test

Extended IP access list test
10 permit udp any any eq domain
20 permit icmp any any
30 permit ip any host 192.168.1.150
40 permit ip host 192.168.3.10 any
50 deny tcp host 192.168.3.12 host 192.168.1.100 eq www
60 permit tcp host 192.168.3.13 host 192.168.1.100 eq www
70 permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet

Name Based Access List (IP access list)
Example

Router(config)# ip access-list extended test
Router(config-ext-nacl)# no 20
Router(config-ext-nacl)# 55 permit tcp any any eq ftp

Name Based Access List (IP access list)
Example

Router# show access-list test

Extended IP access list test
10 permit udp any any eq domain
30 permit ip any host 192.168.1.150
40 permit ip host 192.168.3.10 any
50 deny tcp host 192.168.3.12 host 192.168.1.100 eq www
55 permit tcp any any eq ftp
60 permit tcp host 192.168.3.13 host 192.168.1.100 eq www
70 permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet
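As an added example (my own Python model, not IOS code), the following reproduces the sequence-number editing shown above: entries are kept ordered by sequence number, "no 20" removes exactly one entry, and "55 permit ..." lands between 50 and 60 without rebuilding the list, which is the whole point of named ACLs over the numbered ones of Part III. The class and method names are my own; the rules are the slides' ACL "test".

```python
# Added example (not from the original slides): a model of a named ACL whose
# entries are ordered by sequence number, so single entries can be deleted or
# inserted in place. Numbered ACLs cannot do either.

class NamedAcl:
    def __init__(self, name, kind="extended", step=10):
        self.name = name
        self.kind = kind
        self.step = step
        self.entries = {}   # sequence number -> rule text

    def add(self, rule, seq=None):
        """Append with the next free multiple of step, or insert at an explicit sequence number."""
        if seq is None:
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already in use")
        self.entries[seq] = rule
        return seq

    def remove(self, seq):
        """'no <seq>' removes exactly one entry and leaves the others untouched."""
        if seq not in self.entries:
            raise KeyError(f"no entry with sequence number {seq}")
        del self.entries[seq]

    def sequences(self):
        return sorted(self.entries)

    def show(self):
        """Lines in the shape of the 'show access-list <name>' output above."""
        header = f"{self.kind.capitalize()} IP access list {self.name}"
        return [header] + [f"    {seq} {rule}" for seq, rule in sorted(self.entries.items())]


def build_example():
    """The slides' ACL 'test', then the two edits from the slides: 'no 20' and '55 permit ...'."""
    acl = NamedAcl("test")
    for rule in [
        "permit udp any any eq domain",
        "permit icmp any any",
        "permit ip any host 192.168.1.150",
        "permit ip host 192.168.3.10 any",
        "deny tcp host 192.168.3.12 host 192.168.1.100 eq www",
        "permit tcp host 192.168.3.13 host 192.168.1.100 eq www",
        "permit tcp host 192.168.3.11 host 192.168.1.200 eq telnet",
    ]:
        acl.add(rule)                                   # numbered 10, 20, ..., 70
    acl.remove(20)                                      # no 20
    acl.add("permit tcp any any eq ftp", seq=55)        # 55 permit tcp any any eq ftp
    return acl


if __name__ == "__main__":
    print("\n".join(build_example().show()))
```

Because a plain append goes to max + step, an entry added after the insertion of 55 still gets 80, so leaving gaps in the numbering (10, 20, 30 rather than 1, 2, 3) is what keeps room for later insertions.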

Name Based Access List (IP access list)

PC1 should be able to ping the server; PC2 should not.
PC1 should have access to the FTP service of the server; PC2 should not.
PC2 should have access to the web service of the server; PC1 should not.

Name Based Access List (IP access list)

R2(config)# ip access-list extended cisco
R2(config-ext-nacl)# permit icmp host 192.168.1.100 host 192.168.2.100
R2(config-ext-nacl)# permit tcp host 192.168.1.100 any eq ftp
R2(config-ext-nacl)# permit tcp host 192.168.1.101 any eq www

Part V
Access Class

Access Class
Limitation in VTY Lines

An ACL by itself is not the answer, because packets generated by the router (source IP address of the router) or packets terminated at that router (destination IP address of the router) will not be processed.

An access class is not applied on the interfaces; it is applied directly on the VTY lines.

Access Class
Limitation in VTY Lines
Router(config)# access-list 1 permit host 192.168.1.100
Router(config)# access-list 1 permit host 192.168.2.100
Router(config)# line vty 0 15
Router(config-line)# access-class 1 in
Router(config-line)# exit

Note
The destination IP address and protocol are not written in the access-class ACL, because when it is applied to the VTY line it is obvious that the traffic is either SSH or Telnet.

Name Based Access List (IP access list)

PC1 should be able to telnet to R1; PC2 should not.

Name Based Access List (IP access list)
R1(config)# access-list 1 permit 192.168.1.100
R1(config)# enable password cisco

R1(config)# line vty 0 15
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# access-class 1 in

The whole purpose of education
is to turn mirrors into windows.
Sydney J. Harris
