Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 8: Access Control Lists - Coggle Diagram

- - - - ACLs can be used to mitigate many network threats, such as IP address spoofing and denial of service (DoS) attacks. Most DoS attacks use some type of spoofing. IP address spoofing overrides the normal packet creation process by inserting a custom IP header with a different source IP address. Attackers can hide their identity by spoofing the source IP address.
        
        For example, in the figure the S0/0/0 interface is attached to the internet and should never accept inbound packets from the following addresses
        
        All zeros addresses
        
        R1(config)# access-list 150 deny ip host 0.0.0.0 any
        
        Broadcast addresses
        
        R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
        
        Local host addresses (127.0.0.0/8)
        
        R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
        
        Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16)
        
        R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
        
        Reserved private addresses (RFC 1918)
        
        R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
        
        IP multicast address range (224.0.0.0/4)
        
        R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
  - - - Several ICMP messages are recommended for proper network operation and should be allowed into the internal network:
        
        Echo reply - Allows users to ping external hosts.
        
        Source quench - Requests that the sender decrease the traffic rate of messages.
        
        Unreachable - Generated for packets that are administratively denied by an ACL.
      - Several ICMP messages are required for proper network operation and should be allowed to exit the network:
        
        Echo - Allows users to ping external hosts.
        
        Parameter problem - Informs the host of packet header problems.
        
        Packet too big - Enables packet maximum transmission unit (MTU) discovery.
        
        Source quench - Throttles down traffic when necessary.
- - - - Standard ACLs - ACLs only filter at Layer 3 using the source IPv4 address only.
      - Extended ACLs - ACLs filter at Layer 3 using the source and / or destination IPv4 address. They can also filter at Layer 4 using TCP, UDP ports, and optional protocol type information for finer control.
- - - - Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
      - Named Standard IPv4 ACL
        
        Router(config)# ip access-list standard access-list-name
        
        Numbered Extended IPv4 ACL
        
        Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
        
        Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
        
        Protocols and Port Numbers
        
        Protocol options
        
        Port Keyword Options
        
        Protocols and Port Numbers Configuration Examples
        
        Extended ACLs can filter on different port number and port name options. This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.
        
        R1(config)# access-list 100 permit tcp any any eq www
        R1(config)# !or...
        R1(config)# access-list 100 permit tcp any any eq 80
        
        Configuring the port number is required when there is not a specific protocol name listed such as SSH (port number 22) or an HTTPS (port number 443), as shown in the next example.
        
        R1(config)# access-list 100 permit tcp any any eq 22
        R1(config)# access-list 100 permit tcp any any eq 443
        
        TCP Established Extended ACL
        
        Named Extended IPv4 ACL Syntax
        
        3 more items...
- - - - Wildcard mask bit 0 - Match the corresponding bit value in the address
        Wildcard mask bit 1 - Ignore the corresponding bit value in the address
  - - - host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
      - any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.