Chapter 7: Access Control Lists
7.1 ACL Operation
Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria.
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements.
A router configured with a standard IPv4 ACL extracts the source IPv4 address from the packet header. The router starts at the top of the ACL and compares the address to each ACE sequentially.
The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of every ACL even though it does not appear in the configuration. Because of it, an ACL that contains no permit statement blocks all traffic on the interface where it is applied.
ACL Operation
ACLs do not act on packets that originate from the router itself: an outbound ACL filters transit traffic, not the router's own locally generated packets.
ACLs can be configured to apply to inbound traffic and outbound traffic.
Inbound ACLs
- Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the ACL, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
Outbound ACLs
- Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
Wildcard masks in ACLs
Introducing ACL Wildcard Masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IPv4 address. Wildcard masks use binary 1s and 0s to filter individual IPv4 addresses or groups of IPv4 addresses to permit or deny access to resources.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s.
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Wildcard Mask Examples
Wildcard Masks to Match IPv4 Subnets
192.168.1.1 0.0.0.0: the wildcard mask stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly (only that one host matches).
192.168.1.1 255.255.255.255: the wildcard mask stipulates that anything will match, regardless of the address given.
192.168.1.0 0.0.0.255: the wildcard mask stipulates that any host within the 192.168.1.0/24 network will match.
Wildcard Masks to Match Ranges
192.168.16.0 0.0.15.255: the first two octets and the first four bits of the third octet must match exactly. The last four bits in the third octet and the last octet can be any value. This results in a mask that checks for the range of networks 192.168.16.0 to 192.168.31.0 (addresses 192.168.16.0 through 192.168.31.255).
192.168.1.0 0.0.254.255: a wildcard mask that matches the first two octets and the least significant bit of the third octet. The last octet and the first seven bits of the third octet can be any value. The result is a mask that would permit or deny all hosts in the odd-numbered subnets of the 192.168.0.0 major network (192.168.1.0, 192.168.3.0, 192.168.5.0, and so on). Note that a wildcard mask does not have to be contiguous like a subnet mask.
Calculating the Wildcard Mask
assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you could take the 255.255.255.255 and subtract the subnet mask 255.255.255.0. The solution produces the wildcard mask 0.0.0.255.
assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32/28. The subnet mask for the IPv4 subnet is 255.255.255.240, therefore take 255.255.255.255 and subtract the subnet mask 255.255.255.240. The solution this time produces the wildcard mask 0.0.0.15.
assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take the 255.255.255.255 and subtract the regular subnet mask which in this case would be 255.255.254.0. The result is 0.0.1.255.
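The wildcard-mask arithmetic described above (bit 0 = compare, bit 1 = ignore; the 255.255.255.255 minus subnet mask shortcut; the 0.0.15.255 range and 0.0.254.255 odd-subnet examples) as a small Python module. This is an added example, not course or Cisco code; the function names are my own, and the addresses used are the ones from the text.

```python
"""Wildcard-mask arithmetic for IPv4 ACLs.

Added example (not course or Cisco code): the helper names are mine.
Wildcard bit 0 = compare that address bit, wildcard bit 1 = ignore it.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, exactly the subtraction the text does."""
    return to_dotted(0xFFFFFFFF - to_int(subnet_mask))


def wildcard_from_prefix(prefixlen: int) -> str:
    """Same result from a /n prefix length: the low 32-n bits become 'ignore' (1)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((1 << (32 - prefixlen)) - 1)


def matches(address: str, base: str, wildcard: str) -> bool:
    """Apply an ACE's address/wildcard pair the way the router does.

    XOR leaves a 1 wherever the packet address differs from the ACE address;
    the ACE matches only if every such bit sits under a 1 in the wildcard.
    """
    differing = to_int(address) ^ to_int(base)
    return differing & ~to_int(wildcard) & 0xFFFFFFFF == 0


def matched_count(wildcard: str) -> int:
    """How many addresses a wildcard covers: 2 to the number of 'ignore' bits."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # The three subtraction examples from the text.
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0"):
        print(f"subnet mask {mask:16} -> wildcard {wildcard_from_subnet_mask(mask)}")

    # Range example: 192.168.16.0 0.0.15.255 covers 192.168.16.0 - 192.168.31.255.
    print(matches("192.168.31.200", "192.168.16.0", "0.0.15.255"))   # True
    print(matches("192.168.32.1", "192.168.16.0", "0.0.15.255"))     # False

    # Non-contiguous wildcard: 192.168.1.0 0.0.254.255 matches every odd third octet.
    print(matches("192.168.3.7", "192.168.1.0", "0.0.254.255"))      # True
    print(matches("192.168.4.7", "192.168.1.0", "0.0.254.255"))      # False

    # Caveat: 0.0.0.15 matches 16 addresses, i.e. the /28's network and
    # broadcast addresses as well as its 14 usable host addresses.
    print(matched_count("0.0.0.15"))                                  # 16
```

The last check is the caveat worth remembering when the text says "the 14 users in 192.168.3.32/28": the wildcard 0.0.0.15 says nothing about usable hosts, it simply ignores the low four bits, so 192.168.3.32 and 192.168.3.47 match as well.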
Wildcard Mask Keywords
The keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or any address at all. They also make an ACL easier to read by providing visual clues as to the source or destination of the criteria.
The host keyword substitutes for the 0.0.0.0 mask: host 192.168.10.10 is the same as 192.168.10.10 0.0.0.0. This mask states that all IPv4 address bits must match, so it filters just one host address.
The any keyword substitutes for both the IPv4 address and the mask, standing in for 0.0.0.0 255.255.255.255. This mask says to ignore the entire IPv4 address, that is, to accept any address.
Guidelines for ACL creation
General Guidelines for Creating ACLs
Writing ACLs can be a complex task. For every interface there may be multiple policies needed to manage the type of traffic allowed to enter or exit that interface.
Guidelines for ACL placement
Where to Place ACLs
Extended ACLs
- Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs
- Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic.
The extent of the network administrator’s control
- Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
Bandwidth of the networks involved
- Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.
Ease of configuration
- If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.
7.2 Standard IPv4 ACLs
Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To use numbered standard ACLs on a Cisco router, first create the standard ACL and then activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IPv4 ACLs.
To remove an ACL, use the global configuration command no access-list followed by the ACL number. Issuing the show access-lists command afterwards confirms that the list (for example, access list 10) no longer exists.
Applying Standard IPv4 ACLs to Interfaces
After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
Named Standard IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
Numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.
Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.
Modify IPv4 ACLs
Method 1 - Use a Text Editor
Create or edit the ACL and then paste it into the router interface. For an existing ACL, you can use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and paste it back in to the router interface.
Method 2 - Use Sequence Numbers
Statements cannot be overwritten using the same sequence number as an existing statement. The current statement must be deleted first, and then the new one can be added.
Editing Standard Named ACLs
Sequence numbers can be used to edit a standard numbered IPv4 ACL. By referring to the statement sequence numbers, individual statements can easily be inserted or deleted. This method can also be used to edit standard named ACLs.
In named access list configuration mode, use the no sequence-number command to quickly delete individual statements.
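An added Python model of the standard-ACL behaviour this chapter describes: top-down sequential evaluation with first match wins and the implicit deny (7.1 ACL Operation), the host and any keywords, and the numbered and named syntax with sequence-number editing (7.2). It is not IOS or course code; the class and function names and the SAMPLE_CONFIG text are constructed for illustration, and it handles only the standard-ACL forms shown on this page.

```python
"""Standard IPv4 ACL model: parse IOS-style ACE lines, evaluate them (first match wins,
then the implicit deny) and edit them by sequence number. Added example, not IOS or
course code; it covers only the standard-ACL syntax shown in the text."""
import ipaddress
import re
from dataclasses import dataclass, field

ACE_RE = re.compile(r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
                    r"(?P<src>any|host\s+\S+|\S+)(?:\s+(?P<wc>\d+\.\d+\.\d+\.\d+))?\s*$")
FULL = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class ACE:
    seq: int
    action: str      # "permit" or "deny"
    base: int        # source address the router compares against
    wildcard: int    # 1 bits are ignored, 0 bits must match

    def matches(self, src):
        return (_to_int(src) ^ self.base) & ~self.wildcard & FULL == 0


@dataclass
class StandardACL:
    name: str
    entries: dict = field(default_factory=dict)   # seq -> ACE

    def add(self, action, source, wildcard=None, seq=None):
        """Append an ACE. As on IOS, seq defaults to last+10 and a duplicate seq is refused."""
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} already exists; remove it first")
        if source == "any":                    # 'any' is 0.0.0.0 255.255.255.255
            base, wc = 0, FULL
        elif wildcard in (None, "0.0.0.0"):    # 'host A' is A 0.0.0.0
            base, wc = _to_int(source), 0
        else:
            base, wc = _to_int(source), _to_int(wildcard)
        self.entries[seq] = ACE(seq, action, base, wc)
        return seq

    def remove(self, seq):
        """'no <sequence-number>' in named ACL configuration mode."""
        del self.entries[seq]

    def evaluate(self, src):
        """Walk the ACEs in sequence order; first match wins; else the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(src):
                return self.entries[seq].action
        return "deny"


def parse_ace(text):
    """'[seq] permit|deny any|host A|A [wildcard]' -> arguments for StandardACL.add."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse ACE: {text!r}")
    seq = int(m["seq"]) if m["seq"] else None
    if m["src"].startswith("host"):
        return m["action"], m["src"].split()[1], "0.0.0.0", seq
    return m["action"], m["src"], m["wc"], seq


def parse_config(config):
    """Load numbered ('access-list N ...') and named ('ip access-list standard NAME') ACLs."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!" or "remark" in tokens[:3]:
            continue                                      # blank line, comment or remark
        if tokens[0] == "access-list":
            current = acls.setdefault(tokens[1], StandardACL(tokens[1]))
            current.add(*parse_ace(" ".join(tokens[2:])))
        elif tokens[:3] == ["ip", "access-list", "standard"]:
            current = acls.setdefault(tokens[3], StandardACL(tokens[3]))
        elif current is None:
            raise ValueError(f"line outside any ACL: {raw!r}")
        elif tokens[0] == "no":                          # 'no <seq>' deletes one ACE
            current.remove(int(tokens[1]))
        else:
            current.add(*parse_ace(raw))
    return acls


# Constructed sample configuration, not from a real device, in the text's syntax.
SAMPLE_CONFIG = """
access-list 10 remark block one host, permit the rest of its LAN
access-list 10 deny host 192.168.10.10
access-list 10 permit 192.168.10.0 0.0.0.255
ip access-list standard NO_ACCESS
 10 deny host 192.168.11.10
 20 permit 192.168.11.0 0.0.0.255
"""
```

Two things the model makes visible that a config listing does not: order matters (swap the deny host and permit network statements and the host is never denied, because the broader permit matches first and the walk stops there), and the implicit deny means a source that matches no ACE, such as 10.1.1.1 against ACL 10, is dropped without any statement saying so.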