Module 8: Access Control Lists
8.0 Introduction
8.0.1 Why Should I Take this Module?
The guard will not raise the gate to let you in to the community until someone confirms that you are on an approved visitor list.
8.0.2 What Will I Learn in this Module?
Wildcard Masking
Configure ACLs
Modify ACLs
Implement ACLs
8.1 Introduction to Access Control Lists
8.1.1 What is an ACL?
Without an ACL applied, traffic entering a router interface is routed solely based on information within the routing table; an ACL adds a filtering decision before (inbound) or after (outbound) that routing lookup.
8.1.2 Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure.
8.1.3 Numbered and Named ACLs
ACLs numbered 1 to 99 or 1300 to 1999 are standard ACLs, while ACLs numbered 100 to 199 or 2000 to 2699 are extended ACLs, as shown in the output.
8.1.4 ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
8.2 Wildcard Masking
8.2.1 Wildcard Mask Overview
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match.
8.2.2 Wildcard Mask Types
The wildcard mask is used to filter traffic for one host, one subnet, or a range of IPv4 addresses.
Wildcard to Match a Host
The wildcard mask is used to match a specific host IPv4 address. Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that “0” equals a match and “1” equals ignore.
Wildcard Mask to Match an IPv4 Subnet
ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly while the fourth octet is ignored.
Wildcard Mask to Match an IPv4 Address Range
ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks. The wildcard mask 0.0.15.255 would correctly filter that range of addresses.
8.2.4 Wildcard Mask Keywords
To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking.
Host
This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
Any
This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
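The three wildcard cases above (host, subnet, aligned range) and the two keywords all reduce to one bit operation: a 0 bit in the wildcard means "this address bit must match", a 1 bit means "ignore it". The following Python is an added example written for this page, not course or Cisco code; it implements that check, derives the wildcard for a /n prefix and for an aligned block of networks, and expands the host and any keywords. The function names are my own.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Return True if addr matches ref under the wildcard mask.

    Wildcard semantics: 0 = the bit must match, 1 = the bit is ignored.
    So we only compare the bits where the (inverted) wildcard is 1.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(ref) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return _to_dotted(~subnet_mask)


def wildcard_for_block(first: str, last: str) -> str:
    """Wildcard covering an aligned, power-of-two sized block of addresses.

    Example: 192.168.16.0 .. 192.168.31.255 -> 0.0.15.255.
    The XOR of the block edges marks exactly the bits that vary inside it;
    the check below rejects blocks that a single wildcard cannot express.
    """
    lo, hi = _to_int(first), _to_int(last)
    varying = lo ^ hi
    aligned = (lo & ~varying & 0xFFFFFFFF) == lo
    power_of_two = (varying + 1) & varying == 0
    if not (aligned and power_of_two):
        raise ValueError("block is not expressible as one address/wildcard pair")
    return _to_dotted(varying)


def expand_keyword(token: str, address: str = "") -> tuple[str, str]:
    """Expand the IOS 'host' and 'any' shorthands to an address/wildcard pair."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    if token == "host":
        return address, "0.0.0.0"
    raise ValueError(f"unknown keyword {token!r}")


if __name__ == "__main__":
    # Constructed sample checks mirroring the three cases in the text.
    print(wildcard_match("192.168.1.1", "192.168.1.1", "0.0.0.0"))      # host match
    print(wildcard_match("192.168.1.200", "192.168.1.0", "0.0.0.255"))  # /24 match
    print(wildcard_match("192.168.31.77", "192.168.16.0", "0.0.15.255"))  # range match
    print(wildcard_from_prefix(24), wildcard_for_block("192.168.16.0", "192.168.31.255"))
```

wildcard_for_block is deliberately strict: a range such as 192.168.16.0 to 192.168.20.255 is not aligned to a power of two and cannot be matched by a single ACE, so the function refuses rather than silently over-matching, which is the mistake that lets unintended addresses through an ACL.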
8.3 Configure ACLs
8.3.1 Create an ACL
All access control lists (ACLs) must be planned. However, this is especially true for ACLs requiring multiple access control entries (ACEs).
8.3.2 Numbered Standard IPv4 ACL Syntax
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
8.3.3 Named Standard IPv4 ACL Syntax
Router(config)# ip access-list standard access-list-name
8.3.4 Numbered Extended IPv4 ACL Syntax
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
8.4 Modify ACLs
8.4.1 Two Methods to Modify an ACL
ACLs with multiple ACEs can be complex to configure. Sometimes the configured ACE does not yield the expected behaviors.
8.4.2 Text Editor Method
ACLs with multiple ACEs should be created in a text editor.
8.4.3 Sequence Number Method
Each ACE carries a sequence number, and these numbers are listed in the show access-lists command output. The show running-config command does not display sequence numbers.
8.5 Implement ACLs
8.5.1 ACL Configuration Guidelines
An ACL is made up of one or more access control entries (ACEs) or statements.
8.5.2 Apply an ACL
After creating an ACL, the administrator can apply it in a number of different ways. The following shows the command syntax to apply an ACL to an interface or to the vty lines.
8.5.3 Where to Place ACLs
Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
8.5.4 Standard ACL Placement Example
The administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.
8.6 Mitigate Attacks with ACLs
8.6.1 Mitigate Spoofing Attacks
ACLs can be used to mitigate many network threats, such as IP address spoofing and denial of service (DoS) attacks. Most DoS attacks use some type of spoofing.
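The behaviour that sections 8.4.3, 8.5.1 and 8.6.1 describe (ACEs processed top down in sequence-number order, first match wins, implicit deny at the end, new ACEs inserted by sequence number) is easy to get wrong when an ACL grows. The following Python is an added example written for this page, not Cisco or course code: a small standard-ACL evaluator loaded with a constructed inbound anti-spoofing ruleset that blocks packets arriving on the outside interface with source addresses that should never appear there (unspecified, loopback, private, multicast and broadcast ranges). The class and function names are my own, and the 209.165.200.224/27 "internal public range" is a made-up sample value.

```python
import ipaddress
from dataclasses import dataclass


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(ref) & care)


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    source: str
    wildcard: str


class StandardAcl:
    """Standard IPv4 ACL: matches on source address only, first match wins."""

    def __init__(self, name: str):
        self.name = name
        self.aces: list[Ace] = []   # always kept sorted by sequence number

    def add(self, seq: int, action: str, source: str, wildcard: str = "0.0.0.0"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(Ace(seq, action, source, wildcard))
        self.aces.sort(key=lambda a: a.seq)   # insertion lands in sequence order

    def remove(self, seq: int):
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, src: str):
        """Return (action, matching sequence number); None marks the implicit deny."""
        for ace in self.aces:                 # top-down, first match ends processing
            if wildcard_match(src, ace.source, ace.wildcard):
                return ace.action, ace.seq
        return "deny", None                   # implicit 'deny any' at the end

    def listing(self) -> list[str]:
        """Sequence-numbered view, in the spirit of 'show access-lists'."""
        return [f"{a.seq} {a.action} {a.source} {a.wildcard}" for a in self.aces]


def build_antispoof_acl() -> StandardAcl:
    """Constructed inbound filter for the outside interface (sample, not a vendor template)."""
    acl = StandardAcl("ANTISPOOF_IN")
    acl.add(10, "deny", "0.0.0.0", "0.255.255.255")          # unspecified
    acl.add(20, "deny", "10.0.0.0", "0.255.255.255")         # RFC 1918
    acl.add(30, "deny", "127.0.0.0", "0.255.255.255")        # loopback
    acl.add(40, "deny", "172.16.0.0", "0.15.255.255")        # RFC 1918
    acl.add(50, "deny", "192.168.0.0", "0.0.255.255")        # RFC 1918
    acl.add(60, "deny", "224.0.0.0", "15.255.255.255")       # multicast as source
    acl.add(70, "deny", "255.255.255.255", "0.0.0.0")        # host 255.255.255.255
    acl.add(100, "permit", "0.0.0.0", "255.255.255.255")     # permit any (else all dropped)
    return acl


if __name__ == "__main__":
    acl = build_antispoof_acl()
    # A later ACE can be slotted between existing ones by sequence number:
    # deny packets from the outside claiming our own (sample) public range.
    acl.add(75, "deny", "209.165.200.224", "0.0.0.31")
    for line in acl.listing():
        print(line)
    for src in ("10.1.2.3", "203.0.113.7", "209.165.200.230"):
        print(src, acl.evaluate(src))
```

Two things worth checking with the evaluator: an ACL with only deny statements drops everything because of the implicit deny (evaluate returns ("deny", None) for every source), and inserting an ACE with a sequence number that is already used is rejected rather than silently replacing the existing line.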
8.6.2 Permit Necessary Traffic through a Firewall
An effective strategy for mitigating attacks is to explicitly permit only certain types of traffic through a firewall.
8.6.3 Mitigate ICMP Attacks
Hackers can use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network and to generate DoS flood attacks.
8.6.4 Mitigate SNMP Attacks
Management protocols, such as SNMP, are useful for remote monitoring and management of networked devices.
8.7 IPv6 ACLs
8.7.1 IPv6 ACL Overview
IPv4 will not disappear overnight. IPv4 will coexist with IPv6 and then gradually be replaced by IPv6.
8.7.2 IPv6 ACL Syntax
To configure an IPv6 ACL, use the ipv6 access-list command to enter into IPv6 ACL configuration mode. Next, use the syntax shown in the figure to configure each access list entry to specifically permit or deny traffic.
8.7.3 Configure IPv6 ACLs
The IPv6 Neighbor Discovery Protocol (NDP) requires the use of the IPv6 network layer to send neighbor advertisements (NAs) and neighbor solicitations (NSs).