Cisco Training 200-125 CCNA v3.0. Day 27 Introduction to ACL. Part 1

Today we will start learning about ACLs; this topic will take 2 video tutorials. We will look at the configuration of a standard ACL, and in the next video tutorial I will talk about extended lists.

In this lesson, we will cover 3 topics. The first is what an ACL is, the second is the difference between a standard and an extended access list, and at the end of the lesson, as a lab, we will look at setting up a standard ACL and troubleshooting possible problems.
So what is an ACL? If you have studied the course from the very first video tutorial, then you remember how we organized communication between various network devices.


We also studied static routing and various routing protocols to gain skills in organizing communication between devices and networks. Now we have reached the stage of the training where we should take care of traffic control, that is, preventing "bad guys" or unauthorized users from penetrating the network. For example, this may involve people from the SALES department, which is depicted in this diagram. Here we also show the finance department ACCOUNTS, the management department MANAGEMENT and the server room SERVER ROOM.
Now, a sales department might have a hundred employees, and we don't want any of them to be able to reach the server room over the network. An exception is made for the sales manager who works at the Laptop2 computer - he may have access to the server room. A new employee working at the Laptop3 computer should not have such access, that is, if the traffic from his computer reaches the R2 router, it should be dropped.

The role of an ACL is to filter traffic according to the specified filtering parameters. They include the source IP address, the destination IP address, the protocol, port numbers, and other parameters that allow you to identify the traffic and take some action on it.

So, an ACL is a filtering mechanism at layer 3 of the OSI model. This means that this mechanism is used in routers. The main criterion for filtering is the identification of the data stream. For example, if we want to block the guy with Laptop3 from accessing the server, we first need to identify his traffic. This traffic moves along the path Laptop3 - Switch2 - R2 - R1 - Switch1 - Server1 through the corresponding interfaces of the network devices, while the G0/0 interfaces of the routers have nothing to do with it.


To identify traffic, we must identify its path. Having done this, we can decide exactly where to install the filter. Don't worry about the filters themselves, we'll discuss them in the next lesson; for now we need to understand the principle of which interface to apply the filter to.

If we look at the router, we can see that every time traffic moves, there is an interface where the data flow enters, and an interface through which this flow comes out.

There are actually 3 interfaces: the input interface, the output interface, and the router's own interface. Just remember that filtering can only be applied to the ingress or egress interface.


The principle of operation of an ACL is similar to a pass to an event that can only be attended by those guests whose names are on the list of invited persons. An ACL is a list of qualifying parameters that are used to identify traffic. For example, this list indicates that any traffic from the IP address 192.168.1.10 is allowed, while traffic from all other addresses is denied. As I said, this list can be applied to both the input and output interfaces.

There are 2 types of ACLs: standard and extended. A standard ACL has an identifier from 1 to 99, or from 1300 to 1999. These are simply list names that do not take precedence over each other as the numbering increases. In addition to the number, the ACL can be given a custom name. Extended ACLs are numbered 100 to 199 or 2000 to 2699 and may also have a name.

In a standard ACL, the classification is based only on the source IP address of the traffic. Therefore, when using such a list, you cannot restrict traffic by its destination; you can only block traffic originating from some device.

The extended ACL classifies traffic by source IP address, destination IP address, protocol in use, and port number. For example, you can block only FTP traffic, or only HTTP traffic. Today we will look at the standard ACL, and we will devote the next video tutorial to extended lists.

As I said, an ACL is a list of conditions. After you have applied this list to an incoming or outgoing interface of the router, the router checks the traffic against this list, and if it matches the conditions set out in the list, it decides whether to allow or deny this traffic. People often find it difficult to determine the input and output interfaces of the router, although there is nothing complicated here. When we talk about the incoming interface, this means that only incoming traffic will be controlled on this port, and the router will not apply restrictions on outgoing traffic. Similarly, if we are talking about an egress interface, this means that all rules will apply only to outgoing traffic, while incoming traffic on this port will be accepted without restrictions. For example, if the router has 2 ports, f0/0 and f0/1, then the ACL will apply only to traffic entering interface f0/0, or only to traffic leaving through interface f0/1. Traffic entering interface f0/1 or leaving through port f0/0 will not be affected by the list.


Therefore, do not be confused by the incoming or outgoing direction of the interface; it depends on the direction in which a particular traffic flow is moving. So, after the router has checked the traffic against the conditions of the ACL, it can make only two decisions: let the traffic through or reject it. For example, you can allow traffic destined for 180.160.1.30 and deny traffic destined for 192.168.1.10. Each list can contain many conditions, but each of these conditions must either permit or deny.

Suppose we have a list:

Deny _______
Allow ________
Allow ________
Deny _________.

First, the router will check the traffic for a match with the first condition, and if it does not match, with the second condition. If the traffic matches the third condition, the router will stop checking and will not compare it with the rest of the conditions in the list. It will perform the "allow" action and move on to checking the next portion of traffic.

In case you didn't set a rule for a packet and the traffic went through all the lines of the list without falling under any of the conditions, it is dropped, because each ACL by default ends with a deny any command, that is, discard any packet not falling under any of the rules. This condition takes effect if there is at least one rule in the list; otherwise it has no effect. But if the first line contains the entry deny 192.168.1.30 and the list contains no further conditions, then at the end there should be a permit any command, that is, allow any traffic other than that prohibited by the rule. You must take this into account so that you do not make mistakes when setting up the ACL.

I want you to remember the basic rule for placing an ACL: place a standard ACL as close as possible to the destination, i.e. to the traffic recipient, and an extended ACL as close as possible to the source, i.e. to the traffic sender. These are Cisco recommendations, but in practice there are situations when it makes more sense to place a standard ACL near the traffic source. But if you come across a question on the exam about the rules for placing ACLs, follow the recommendations of Cisco and answer unequivocally: standard is closer to the destination, extended is closer to the source.

Now let's look at the syntax of a standard ACL. There are two types of command syntax in the global router configuration mode: classic syntax and modern syntax.


The classic command form is access-list <ACL number> <permit/deny> <criteria>. If you set <ACL number> from 1 to 99, the device will automatically understand that this is a standard ACL, and if from 100 to 199, then it is extended. Since in today's lesson we are considering a standard list, we can use any number from 1 to 99. Then we indicate the action to be taken when the traffic matches the following criterion: permit (allow) or deny. We will look at the criterion later, as it is also used in the modern syntax.

The modern command form is also used in Rx(config) global configuration mode and looks like this: ip access-list standard <ACL number/name>. Here you can use either a number from 1 to 99 or a name for the ACL, for example, ACL_Networking. This command immediately puts the system into the Rx(config-std-nacl) standard named ACL subcommand mode, where the <permit/deny> <criteria> entries are then entered. The modern command form has several advantages over the classic one.

In the classic list, if you type access-list 10 deny ______, then type the next command of the same kind for another criterion, and so on until you have 100 such commands, then in order to change any one of the commands entered, you will need to delete the entire access-list 10 with the no access-list 10 command. This will remove all 100 commands, because there is no way to edit a single command in this list.

In the modern syntax, the command is divided into two lines, the first of which contains the list number or name, and each entry under it carries its own sequence number. Suppose you have the entries 10 deny ________, 20 deny ________, and so on; then you have the ability to insert intermediate entries between them with different criteria, for example, 15 deny ________.

Alternatively, you can simply delete the entry with sequence number 20 and retype it with different parameters between entries 10 and 30. Thus, there are various ways to edit an ACL in the modern syntax.

You need to be very careful with your ACLs. As you know, lists are read from top to bottom. If you place a line at the top that permits traffic from a particular host, you can place below it a line that denies traffic from the entire network that this host belongs to, and both conditions will be checked in order: traffic from that specific host will be let through, and traffic from all other hosts on the network will be blocked. Therefore, always place specific entries at the top of the list and general entries at the bottom.

So, after you have created a classic or modern ACL, you must apply it. To do this, go to the settings of a specific interface, for example f0/0, using the interface <type and slot> command, enter the interface subcommand mode and type the ip access-group <ACL number/name> command. Pay attention to the difference: when compiling a list, access-list is used, and when applying it, access-group is used. You must specify whether this list will be applied to the incoming interface or the outgoing interface. If the list has a name, such as Networking, the same name is repeated in the command that applies the list on that interface.

Now let's take a specific task and try to solve it using the example of our network diagram using Packet Tracer. So, we have 4 networks: sales, accounting, management and server.

Challenge #1: All traffic from Sales and Finance to Management and Server should be blocked. The blocking location is the S0/1/0 interface of the R2 router. First we need to make a list with the following entries.

Let's name the list "Management and Server Security ACL", abbreviated as ACL Secure_Ma_And_Se. This is followed by denying traffic from the finance department network 192.168.1.128/26, denying traffic from the sales department network 192.168.1.0/25 and allowing any other traffic. At the end of the list, it is indicated that it is applied to the outgoing interface S0/1/0 of router R2. If we do not have a Permit Any entry at the end of the list, then all other traffic will be blocked, because by default a Deny Any entry is always present at the end of the ACL.

Can I apply this ACL to interface G0/0? Of course I can, but in this case only traffic from the accounting department will be blocked, and the traffic of the sales department will not be limited in any way. Similarly, you can apply an ACL to the G0/1 interface, but in this case traffic from the finance department will not be blocked. Of course, we can create two separate block lists for these interfaces, but it is much more efficient to combine them into one list and apply it to the output interface of router R2 or the input interface S0/1/0 of router R1.

Although according to Cisco rules the standard ACL should be placed as close to the destination as possible, I will still place it closer to the traffic source, because I want to block all outgoing traffic, and it is more sensible to place it closer to the source so that this traffic does not needlessly occupy the link between the two routers.

I forgot to tell you about the criteria, so let's quickly go back. You can specify any as a criterion; in this case, any traffic from any device and any network will be denied or allowed. You can also specify a host with its identifier; in this case, the entry will be the IP address of a specific device. Finally, you can specify an entire network, such as 192.168.1.10/24. In this case, /24 means a subnet mask of 255.255.255.0; however, a subnet mask cannot be specified in this form in the ACL. For this case, the ACL has a concept called the Wildcard Mask, or "reverse mask". Therefore, you must provide an IP address and a reverse mask. The reverse mask is formed like this: you subtract the normal subnet mask from the all-ones mask, that is, the value of each octet in the forward mask is subtracted from 255.


Thus, you should use the 192.168.1.10 0.0.0.255 option as the criteria in the ACL.

How does it work? If there is a 0 in an octet of the reverse mask, the corresponding octet of the traffic's address must match the octet of the network address. If there is any other number in the reverse mask octet, the match is not checked. Thus, for the network 192.168.1.0 and the reverse mask 0.0.0.255, all traffic from addresses whose first three octets are 192.168.1, regardless of the value of the fourth octet, will be blocked or allowed depending on the specified action.
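To tie the pieces of this lesson together, here is an added example, written for this page and not taken from the video or from Cisco: a small Python model of a standard ACL. It computes the reverse mask by the "255 minus each octet" rule, matches addresses the way the router does (generalized from the octet rule above to individual bits, which is what the lab's /25 and /26 networks need), evaluates a list top to bottom with first match wins and the implicit deny any at the end (and no implicit deny for an empty list), and renders the lab list Secure_Ma_And_Se as IOS commands in both the classic and the modern syntax. The function names (evaluate, render_ios, wildcard_match) and the test addresses such as 192.168.1.130 are mine; the networks, list name and interface come from the lab.

```python
import ipaddress
from typing import List, Tuple

# One ACL entry: (action, network, wildcard). Action is "permit" or "deny".
Entry = Tuple[str, str, str]

# "any" in IOS is 0.0.0.0 with an all-ones wildcard: no bit of the address is checked.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_from_mask(subnet_mask: str) -> str:
    """Reverse (wildcard) mask as the lesson describes it: each octet is 255 minus
    the octet of the normal subnet mask, so 255.255.255.0 becomes 0.0.0.255."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def network(cidr: str) -> Tuple[str, str]:
    """Turn '192.168.1.10/24' into the (network, wildcard) pair IOS expects.
    strict=False zeroes the host bits, so the result is 192.168.1.0 0.0.0.255."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), wildcard_from_mask(str(net.netmask))


def host(addr: str) -> Tuple[str, str]:
    """'host A.B.C.D' is the same as 'A.B.C.D 0.0.0.0': every bit must match."""
    return addr, "0.0.0.0"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the network; a 1 bit is not checked."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    checked = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & checked) == (n & checked)


def evaluate(acl: List[Entry], src: str) -> str:
    """Standard ACL lookup on the packet's source address: entries are tried top to
    bottom, the first match decides, and a packet that matches nothing hits the
    implicit 'deny any'. An empty list has no implicit deny and permits everything."""
    if not acl:
        return "permit"
    for action, net, wildcard in acl:
        if wildcard_match(src, net, wildcard):
            return action
    return "deny"


def render_ios(name: str, acl: List[Entry], interface: str, direction: str,
               classic: bool = False) -> List[str]:
    """IOS commands that build the list and apply it with ip access-group <name> in|out.
    The modern syntax numbers entries 10, 20, 30 ... so a single line can be inserted
    or removed; the classic syntax repeats 'access-list <number>' on every line."""
    def criterion(net: str, wildcard: str) -> str:
        if (net, wildcard) == ANY:
            return "any"
        if wildcard == "0.0.0.0":
            return f"host {net}"
        return f"{net} {wildcard}"

    lines: List[str] = []
    if classic:
        lines += [f"access-list {name} {a} {criterion(n, w)}" for a, n, w in acl]
    else:
        lines.append(f"ip access-list standard {name}")
        for seq, (a, n, w) in enumerate(acl, start=1):
            lines.append(f" {seq * 10} {a} {criterion(n, w)}")
    lines += [f"interface {interface}", f" ip access-group {name} {direction}"]
    return lines


# The lab list: deny finance (192.168.1.128/26) and sales (192.168.1.0/25),
# permit everything else, applied outbound on R2 S0/1/0.
SECURE_MA_AND_SE: List[Entry] = [
    ("deny", *network("192.168.1.128/26")),
    ("deny", *network("192.168.1.0/25")),
    ("permit", *ANY),
]

# Ordering pitfall from the lesson: the specific host entry must sit above the
# general network entry, otherwise the network deny shadows it (constructed host).
SPECIFIC_FIRST: List[Entry] = [("permit", *host("192.168.1.10")),
                               ("deny", *network("192.168.1.0/24"))]
GENERAL_FIRST: List[Entry] = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    print("\n".join(render_ios("Secure_Ma_And_Se", SECURE_MA_AND_SE, "S0/1/0", "out")))
    for src in ("192.168.1.130", "192.168.1.5", "192.168.1.200"):
        print(src, "->", evaluate(SECURE_MA_AND_SE, src))
```

Running it prints the six IOS lines for the lab and then the verdicts: 192.168.1.130 (finance) and 192.168.1.5 (sales) are denied, while 192.168.1.200 falls in neither /25 nor /26 and reaches the permit any entry. Swap the two entries of SPECIFIC_FIRST and the permitted host 192.168.1.10 is denied, which is the "specific entries on top" rule in action.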


Using the reverse mask is not difficult, and we will return to the Wildcard Mask in the next video so that I can explain how to work with it.




Source: habr.com
