Configuring Standard ACLs


To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99. Cisco IOS Software Release 12.0.1 extended these numbers by also allowing 1300 to 1999, for a maximum of 799 possible standard ACLs (99 plus 700). These additional numbers are referred to as expanded IP ACLs.
The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
For example, to create a numbered ACL designated 10 that permits the network 192.168.10.0 /24, you would enter:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
If the wildcard mask is omitted, IOS assumes 0.0.0.0, so access-list 10 permit 192.168.10.0 on its own would match only the single address 192.168.10.0, not the whole /24.
To remove the ACL, use the global configuration command no access-list 10. Issuing the show access-lists command confirms that access list 10 has been removed.
Typically, administrators create ACLs and fully understand the purpose of each statement within the ACL at the time. However, when an ACL is revisited later, that purpose may no longer be as obvious as it once was.
The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration, the remark is also displayed.
The next topic explains how to use wildcard masking to identify specific networks and hosts.

Wildcard Masking
ACL statements include masks, also called wildcard masks. A wildcard mask is a string of binary digits telling the router which bits of the address to examine. Although wildcard masks have no functional relationship with subnet masks, they serve a similar purpose: the mask determines how much of an IP source or destination address is used in the address match. The 1s and 0s in the mask identify how to treat the corresponding IP address bits, but they are used for different purposes and follow different rules than the bits of a subnet mask.
Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s. Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to select individual IP addresses or groups of IP addresses to permit or deny access to resources. By carefully setting wildcard masks, you can permit or deny a single IP address or several at once.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address
Note: Wildcard masks are often referred to as an inverse mask. The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, the reverse is true.

Wildcard Masks to Match IP Subnets
Calculating the wildcard mask can be a little confusing at first.
In the first example, the wildcard mask 0.0.0.0 stipulates that every bit in the IP address 192.168.1.1 must match exactly. This wildcard mask is equivalent to the subnet mask 255.255.255.255.
In the second example, the wildcard mask 255.255.255.255 stipulates that anything will match. This wildcard mask is equivalent to the subnet mask 0.0.0.0.
In the third example, the wildcard mask 0.0.0.255 stipulates that any host within the 192.168.1.0 /24 network will match. This wildcard mask is equivalent to the subnet mask 255.255.255.0.
These examples were fairly simple and straightforward. However, the calculation of wildcard masks can get a little trickier.
Assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you can subtract that subnet mask from 255.255.255.255, as indicated in the figure. The result is the wildcard mask 0.0.0.255.
Now assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32 /28. The subnet mask for this subnet is 255.255.255.240, so subtract 255.255.255.240 from 255.255.255.255. The result this time is the wildcard mask 0.0.0.15.
Although you could accomplish the same result with two statements such as:

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255
It is more efficient to cover both networks with a single wildcard mask:
R1(config)# access-list 10 permit 192.168.10.0 0.0.1.255
The mask 0.0.1.255 ignores only the lowest bit of the third octet, so it matches exactly 192.168.10.0 /24 and 192.168.11.0 /24. A mask of 0.0.3.255 would be wider than intended: it ignores the two lowest bits of the third octet and therefore matches 192.168.8.0 through 192.168.11.255. Always check that the network address sits on a boundary of the block size the mask describes.
That may not seem much more efficient, but consider matching networks 192.168.16.0 through 192.168.31.0 one statement at a time:
R1(config)# access-list 10 permit 192.168.16.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.17.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.18.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.19.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.21.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.22.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.23.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.24.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.25.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.26.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.27.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.28.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.29.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.31.0 0.0.0.255
Because 192.168.16.0 starts on a 16-network boundary (16 = 0001 0000 in binary), one wildcard mask covers all sixteen /24 networks and is far more efficient:
R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
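The wildcard-mask rules and the subtraction method above, carried out in code. This is an added example written for this page, not Cisco IOS code; the function names are my own. Beyond the page's specific cases it also checks whether a run of consecutive /24 networks can be expressed by a single address/wildcard pair, which is the alignment condition behind the summarised statement above, and reports the real range a pair covers so that an over-wide mask such as 0.0.3.255 is caught before it is applied.

```python
"""Wildcard-mask arithmetic for Cisco standard ACLs.

Added example for this page, not Cisco code. It implements the IOS bit
rule (wildcard bit 0 = address bit must match, wildcard bit 1 = ignore)
and the "subtract the subnet mask from 255.255.255.255" method.
"""
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """wildcard = 255.255.255.255 - subnet mask (255.255.255.240 -> 0.0.0.15)."""
    return _to_dotted(ALL_ONES - _to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same rule starting from a prefix length (/28 -> 0.0.0.15)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_dotted(ALL_ONES - subnet_mask)


def matches(address: str, acl_address: str, wildcard: str = "0.0.0.0") -> bool:
    """Test one packet address against an 'address wildcard' pair.

    Only bits where the wildcard is 0 are compared. The default wildcard of
    0.0.0.0 mirrors IOS: a statement with no mask matches exactly one host.
    """
    differing_bits = _to_int(address) ^ _to_int(acl_address)
    compared_bits = ALL_ONES ^ _to_int(wildcard)  # 1 where the bit must match
    return differing_bits & compared_bits == 0


def covered_range(acl_address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address a pair really matches; exposes masks that
    are wider than intended (192.168.10.0 0.0.3.255 starts at 192.168.8.0)."""
    w = _to_int(wildcard)
    base = _to_int(acl_address) & (ALL_ONES ^ w)
    return _to_dotted(base), _to_dotted(base | w)


def summarize_24s(first_net: str, last_net: str) -> tuple[str, str]:
    """Collapse consecutive /24 networks first..last into one address/wildcard pair.

    A wildcard can only express an aligned power-of-two block, so the run must
    start on a boundary of its own size; otherwise ValueError is raised and the
    run has to be split into more than one statement.
    """
    lo = _to_int(first_net)
    hi = _to_int(last_net) | 0xFF  # last address of the last /24
    if hi < lo or (lo & 0xFF) or (_to_int(last_net) & 0xFF):
        raise ValueError("expected /24 network addresses with first <= last")
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        raise ValueError(f"{first_net}-{last_net} is not an aligned block; split it")
    return first_net, _to_dotted(size - 1)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))
    print(summarize_24s("192.168.16.0", "192.168.31.0"))
    print(covered_range("192.168.10.0", "0.0.3.255"))
```

covered_range is the check worth running on every wildcard pair before it goes into a production ACL: if the printed low end is not the network you typed, the mask is admitting addresses you did not intend.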

Wildcard Bit Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or network. They also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria.
The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match or only one host is matched.
The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IP address or to accept any addresses.
Example 1: Wildcard Masking Process with a Single IP Address
In the example, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.
Example 2: Wildcard Masking Process with a Match Any IP Address
In the example, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.

Applying Standard ACLs to Interfaces:
After a standard ACL is configured, it is linked to an interface using the ip access-group command:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
This ACL allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters. In this case, the IP address and wildcard mask identifying the source network is 192.168.10.0 0.0.0.255. Recall that there is an unseen implicit deny all statement that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255.
The ip access-group 1 out interface configuration command links and ties ACL 1 to the Serial 0/0/0 interface as an outbound filter.
Therefore, ACL 1 only permits hosts from the 192.168.10.0 /24 network to exit router R1. It denies any other network including the 192.168.11.0 network.
This ACL replaces the previous example, but also blocks traffic from a specific address. The first command deletes the previous version of ACL 1. The next ACL statement denies the PC1 host located at 192.168.10.10. Every other host on the 192.168.10.0 /24 network is permitted. Again the implicit deny statement matches every other network. The order matters: if the permit for 192.168.10.0 0.0.0.255 were entered first, PC1 would match it and the deny would never be reached.
The ACL is again reapplied to interface S0/0/0 in an outbound direction.
This ACL replaces the previous example but still blocks traffic from the host PC1. It also permits all other LAN traffic to exit from router R1.
The first two commands are the same as the previous example. The first command deletes the previous version of ACL 1 and the next ACL statement denies the PC1 host located at 192.168.10.10.
The third line is new and permits all hosts from the 192.168.x.x /16 networks. This now means that all hosts from the 192.168.10.0 /24 network still match but now the hosts from the 192.168.11.0 network also match.
The ACL is again reapplied to interface S0/0/0 in an outbound direction. Therefore, both LANs attached to router R1 may exit the S0/0/0 interface with the exception of the PC1 host.
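The three versions of ACL 1 above, evaluated the way IOS evaluates a standard ACL: top-down, first match wins, implicit deny all at the end. This is an added example written for this page, not IOS code. The parser accepts the page's own access-list syntax (including the host and any keywords and remark lines), and the sample configurations are constructed here to mirror the figures; a fourth, deliberately mis-ordered version shows why the deny for PC1 must precede the permit for its network.

```python
"""First-match evaluation of a Cisco standard ACL.

Added example for this page, not IOS code. Parses 'access-list N
{permit|deny|remark} ...' lines, honours host/any, stops at the first
matching statement and applies the implicit deny when nothing matches.
"""
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config_text: str, number: int) -> list[tuple[str, int, int]]:
    """Return [(action, address, wildcard)] for ACL `number` in configuration order.
    Remark lines are documentation only and never become entries."""
    entries: list[tuple[str, int, int]] = []
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "access-list" or words[1] != str(number):
            continue
        action, rest = words[2], words[3:]
        if action == "remark":
            continue
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"cannot parse: {raw}")
        if rest[0] == "any":                      # any == 0.0.0.0 255.255.255.255
            address, wildcard = 0, ALL_ONES
        elif rest[0] == "host":                   # host A == A 0.0.0.0
            address, wildcard = _to_int(rest[1]), 0
        else:                                     # omitted wildcard defaults to 0.0.0.0
            address = _to_int(rest[0])
            wildcard = _to_int(rest[1]) if len(rest) > 1 and rest[1] != "log" else 0
        entries.append((action, address, wildcard))
    return entries


def evaluate(entries: list[tuple[str, int, int]], source: str) -> tuple[str, int | None]:
    """Walk the ACL top-down; the first statement whose source matches decides.
    Returns (action, index), or ('deny', None) for the implicit deny all."""
    src = _to_int(source)
    for index, (action, address, wildcard) in enumerate(entries):
        if (src ^ address) & (ALL_ONES ^ wildcard) == 0:
            return action, index
    return "deny", None


def decision(config_text: str, source: str, number: int = 1) -> str:
    return evaluate(parse_standard_acl(config_text, number), source)[0]


# Constructed samples mirroring the three versions of ACL 1 on this page.
ACL_V1 = "access-list 1 permit 192.168.10.0 0.0.0.255\n"
ACL_V2 = (
    "access-list 1 remark block PC1, allow the rest of 192.168.10.0/24\n"
    "access-list 1 deny host 192.168.10.10\n"
    "access-list 1 permit 192.168.10.0 0.0.0.255\n"
)
ACL_V3 = (
    "access-list 1 deny host 192.168.10.10\n"
    "access-list 1 permit 192.168.0.0 0.0.255.255\n"
)
# Same statements as V2 in the wrong order: the /24 permit is hit first,
# so the deny for PC1 is never evaluated and PC1 gets through.
ACL_V2_WRONG_ORDER = (
    "access-list 1 permit 192.168.10.0 0.0.0.255\n"
    "access-list 1 deny host 192.168.10.10\n"
)

if __name__ == "__main__":
    for name, acl in [("v1", ACL_V1), ("v2", ACL_V2), ("v3", ACL_V3),
                      ("v2 wrong order", ACL_V2_WRONG_ORDER)]:
        for host in ("192.168.10.10", "192.168.10.11", "192.168.11.5"):
            print(f"{name:15} {host:15} {decision(acl, host)}")
```

Running the script prints each host's fate under each version. The mis-ordered version permits 192.168.10.10, which is exactly the kind of error that looks fine in show running-config and only shows up when a packet from PC1 is actually sent.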

Using an ACL to Control VTY Access
Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS software image on your router does not support SSH, you can partially improve the security of administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. You can control which administrative workstation or network manages your router with an ACL and an access-class statement to your VTY lines. You can also use this technique with SSH to further improve administrative access security.
The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions, by default.
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.

The command syntax of the access-class command is:
access-class access-list-number {in [vrf-also] | out}
The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list.
An example applied to VTY lines 0 through 4 is shown in the figure. The ACL in the figure is configured to permit networks 192.168.10.0 and 192.168.11.0 access to VTYs 0 - 4. All other networks are denied access to the VTYs.
The following should be considered when configuring access lists on VTYs:
Only numbered access lists can be applied to VTYs in the IOS releases this material is based on; newer IOS releases also accept a named ACL with access-class.
Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

Editing Numbered ACLs
When configuring a numbered ACL, each statement is appended to the end of the ACL in the order entered. There is no built-in editing feature for numbered ACLs in these IOS releases: you cannot selectively insert or delete individual lines.
It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it onto the router. For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it.
For example, assume that the host IP address in the figure was incorrectly entered. Instead of the 192.168.10.100 host, it should have been the 192.168.10.11 host. Here are the steps to edit and correct ACL 20:
Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACL statements.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. Once the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, disable the access list using the no access-list 20 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.
It should be mentioned that after the no access-list command, no ACL is protecting your network: the ip access-group reference on the interface stays in place, and IOS permits all traffic through an interface whose referenced ACL does not exist. Also, be aware that if you make an error in the new list, you have to disable it and troubleshoot the problem. In that case, again, your network has no ACL during the correction process. Do the edit in a maintenance window, or build the corrected list under a new number, swap the ip access-group reference, and then delete the old list.

Commenting ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.
In the first example, the standard ACL allows access to the workstation that belongs to Jones, and denies access to the workstation that belongs to Smith.
For an entry in a named ACL, use the remark access-list configuration command. To remove the remark, use the no form of this command. The second example shows an extended named ACL. Recall from the earlier definition of extended ACLs that they are used to control specific port numbers or services. In the second example, the remark says that the subnet for Jones is not allowed to use outbound Telnet.

Creating Standard Named ACLs:
Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output.

Monitoring and Verifying ACLs:
When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration. In the figure the top example shows the Cisco IOS syntax to display the contents of all ACLs. The bottom example shows the result of issuing the show access-lists command on router R1. The capitalized ACL names, SALES and ENG stand out in the screen output.
Recall why you started configuring ACLs in the first place; you wanted to implement your organization's security policies. Now that you have verified that the ACLs are configured as you intended, the next step is to confirm that the ACLs work as planned.
The guidelines discussed earlier in this section suggest that you configure ACLs on a test network and then implement the tested ACLs on the production network. Though a discussion of how to prepare an ACL test scenario is beyond the scope of this course, you need to know that confirming your ACLs work as planned can be a complex and time-consuming process.

Editing Named ACLs:

Named ACLs have a big advantage over numbered ACLs in that they are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.
The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricts access to the web server. Looking at this example, you can see two things you have not yet seen in this course:
