Introduction
• ACLs enable you to control traffic into and out of your network. This control can
be as simple as permitting or denying network hosts or addresses.
• ACLs can also be configured to control network traffic based on the TCP port
being used.
• The ACL is a sequential list of permit or deny statements that apply to IP addresses or
upper-layer protocols.
• The ACL can extract the following information from the packet header, test it against its
rules, and make "allow" or "deny" decisions based on:
1. Source IP address
2. Destination IP address
3. ICMP message type
• The ACL can also extract upper layer information and test it against its rules. Upper
layer information includes:
1. TCP/UDP source port
2. TCP/UDP destination port
The Three Ps
• ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
• ACLs do not act on packets that originate from the router itself.
• Inbound ACLs - Incoming packets are processed before they are routed to the outbound
interface. An inbound ACL is efficient because it saves the overhead of routing lookups if
the packet is discarded. If the packet is permitted by the tests, it is then processed for
routing.
• Activity 5.1.9.2
• A single-entry ACL with only one deny entry has the effect of denying all traffic.
You must have at least one permit statement in an ACL or all traffic is blocked.
• A wildcard mask is a string of binary digits telling the router which parts of the subnet
number to look at.
• Although wildcard masks have no functional relationship with subnet masks, they do
provide a similar function.
– The mask determines how much of an IP source or destination address to apply to
the address match.
– The numbers 1 and 0 in the mask identify how to treat the corresponding IP address
bits.
Học viện mạng Bach Khoa - Website: www.bkacad.com 29
ACL Wildcard Masking
• Subnet masks start from the left side of an IP address and work towards the
right to extend the network field by borrowing bits from the host field.
• Wildcard masks are designed to filter individual or groups of IP addresses
permitting or denying access to resources based on the address.
• Wildcard masks and subnet masks differ in the way they match binary 1s and
0s. Wildcard masks use the following rules to match binary 1s and 0s:
– Wildcard mask bit 0 - Match the corresponding bit value in the address
– Wildcard mask bit 1 - Ignore the corresponding bit value in the address
• For example, assume you wanted to permit access to all users in the
192.168.3.0 network.
– Because the subnet mask is 255.255.255.0, you can subtract it from
255.255.255.255, as indicated in the figure.
– The solution produces the wildcard mask 0.0.0.255.
ACL Wildcard Masking
• To simplify this task, the keywords host and any help identify the most common
uses of wildcard masking.
– The host option substitutes for the 0.0.0.0 mask. This mask states that all
IP address bits must match, so only one host is matched.
– The any option substitutes for the IP address and 255.255.255.255 mask.
This mask ignores the entire IP address, that is, it accepts any address.
ACL Wildcard Masking
• When configuring an ACL, the statements are added in the order that they are entered at
the end of the ACL.
– There is no built-in editing feature that allows you to change an existing entry in an ACL.
– You cannot selectively insert or delete lines.
• It is strongly recommended that any ACL be constructed in a text editor such as
Microsoft Notepad.
• Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.
– Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete
individual entries in a specific ACL.
– You can use sequence numbers to insert statements anywhere in the named ACL.
• If you are using an earlier Cisco IOS software version, you can add statements only at
the bottom of the named ACL.
• Extended ACLs are used more often than standard ACLs because they
provide a greater range of control and, therefore, add to your security solution.
• Like standard ACLs, extended ACLs check the source packet addresses, but
they also check the destination address, protocols and port numbers (or
services).
• The nature of HTTP requires that traffic flow back into the network, but the network
administrator wants to restrict that traffic to HTTP exchanges from requested websites.
– The security solution must deny any other traffic coming into the network.
– ACL 104 does that by blocking all incoming traffic, except for the established
connections.
• The established parameter allows responses to traffic that originates from the
192.168.10.0 /24 network to return inbound on s0/0/0.
– A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which
indicates that the packet belongs to an existing connection.
– Without the established parameter in the ACL statement, clients could send traffic
to a web server, but would not receive traffic from the web server.
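Added example, not from the original slides: a small Python model of how a sequential ACL evaluates packets, tying together the wildcard-mask rules, the host and any keywords, the implicit deny at the end of every ACL, and the established keyword described above. The packet/entry dictionaries and the reconstruction of "ACL 104" are constructed for illustration; the slides give no exact configuration.

```python
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    # Wildcard = 255.255.255.255 minus the subnet mask, e.g. 255.255.255.0 -> 0.0.0.255
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(subnet_mask)))

def wildcard_match(addr: str, target: str, wildcard: str) -> bool:
    # Wildcard bit 0 = compare this address bit, wildcard bit 1 = ignore it.
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(target) & care)

# "host A" is shorthand for "A 0.0.0.0"; "any" is shorthand for "0.0.0.0 255.255.255.255".
ANY = ("0.0.0.0", "255.255.255.255")
def host(addr: str):
    return (addr, "0.0.0.0")

def evaluate(acl, packet) -> str:
    """Walk the entries in order; the first match decides; implicit deny at the end."""
    for entry in acl:
        if entry["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if "dport" in entry and entry["dport"] != packet.get("dport"):
            continue
        # "established": match only TCP segments with ACK or RST set, i.e. replies that
        # belong to an existing connection, never a fresh SYN arriving from outside.
        if entry.get("established") and not (packet.get("flags", set()) & {"ACK", "RST"}):
            continue
        return entry["action"]
    return "deny"  # implicit deny all: an ACL with no permit entry blocks everything

# Constructed ACL 104 in the spirit of the slides: inbound on s0/0/0, permit only return
# traffic of TCP connections opened from 192.168.10.0/24; everything else hits the implicit deny.
ACL_104 = [
    {"action": "permit", "proto": "tcp", "src": ANY,
     "dst": ("192.168.10.0", wildcard_from_subnet_mask("255.255.255.0")),
     "established": True},
]
```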
Applying Extended ACLs to Interfaces
• Remember that FTP uses ports 20 and 21; therefore you need to
specify both eq 20 and eq 21 to deny FTP.
• Network administrators use reflexive ACLs to allow IP traffic for sessions originating
from their network while denying IP traffic for sessions originating outside the network.
• These ACLs allow the router to manage session traffic dynamically.
• The router examines the outbound traffic and when it sees a new connection, it
adds an entry to a temporary ACL to allow replies back in.
– Reflexive ACLs contain only temporary entries. These entries are automatically
created when a new IP session begins, for example, with an outbound packet, and the
entries are automatically removed when the session ends.
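Added example, not from the original slides: a toy model of the reflexive ACL behaviour just described. An outbound packet creates a temporary, mirrored entry; inbound packets are permitted only if they match one; the entry is removed when the session ends (FIN or RST seen) or after an idle timeout. The packet dictionaries, the 5-tuple keying and the 300-second timeout are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ReflexiveACL:
    idle_timeout: int = 300  # assumed idle timeout in seconds
    # Temporary entries: (proto, outside_ip, outside_port, inside_ip, inside_port) -> last seen
    entries: dict = field(default_factory=dict)

    def outbound(self, pkt: dict, now: int) -> str:
        # Mirror the outbound 5-tuple so that the reply direction will match.
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.entries[key] = now   # create a new entry or refresh an existing one
        return "permit"           # outbound traffic passes the normal outbound ACL

    def inbound(self, pkt: dict, now: int) -> str:
        self._expire(now)
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.entries:
            return "deny"         # no session was originated from inside for this tuple
        if pkt.get("flags", set()) & {"FIN", "RST"}:
            del self.entries[key] # session ends: temporary entry removed automatically
        else:
            self.entries[key] = now
        return "permit"

    def _expire(self, now: int) -> None:
        # Idle sessions also lose their temporary entry.
        for key, last in list(self.entries.items()):
            if now - last > self.idle_timeout:
                del self.entries[key]
```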
• Activity 5.4.5.2