Implementing Traffic Filtering with ACLs

Size: px

Start display at page:

Download "Implementing Traffic Filtering with ACLs"

Anabel Berry
6 years ago
Views:

1 Implementing Traffic Filtering with ACLs Managing Network Device Security 2013 Cisco Systems, Inc. ICND1 3-36

2 How can you restrict Internet access for PC2? 2013 Cisco Systems, Inc. ICND1 3-37

3 ACL operation outbound 2013 Cisco Systems, Inc. ICND1 3-38

4 Applies ACL 1 on the interface as an outbound filter: Branch(config-if)#ip access-group 1 out Applies ACL 2 on the interface as an inbound filter: Branch(config-if)#ip access-group 2 in Important: Only one ACL per protocol, per direction, and per interface is allowed Cisco Systems, Inc. ICND1 3-39

Example: Deny Internet access for a specific host (10.1.1.101). Allow all other LAN hosts to access the Internet. Branch(config)#access-list 1 deny 10.1.1.101 Branch(config)#access-list 1 permit 10.

5 Example: Deny Internet access for a specific host ( ). Allow all other LAN hosts to access the Internet. Branch(config)#access-list 1 deny Branch(config)#access-list 1 permit Branch(config)#interface GigabitEthernet 0/1 Branch(config-if)#ip access-group 1 out 2013 Cisco Systems, Inc. ICND1 3-40

6 How can you prevent PC2 from accessing only a specific server on the Internet? How can you allow other users only web access? 2013 Cisco Systems, Inc. ICND1 3-41

7 Testing packets with extended IPv4 ACLs 2013 Cisco Systems, Inc. ICND1 3-42

8 Branch(config)#access-list 110 deny ip host host Branch(config)#access-list 110 permit tcp any eq 80 The number 110 is chosen to define an ACL as an extended ACL. The first statement matches IP traffic between two specific hosts and denies it. The second statement matches HTTP TCP traffic from network /24. The operator eq (equal) is used to match TCP port 80. The implicit deny statement is present at the end of the ACL Branch(config-if)#ip access-group 110 in An extended ACL is activated on the interface in the same way as a standard ACL Cisco Systems, Inc. ICND1 3-43

9 The ACL configuration mode is used to configure a named ACL. Branch(config)#ip access-list extended WEB_ONLY Branch(config-ext-nacl)#permit tcp any eq www Branch(config-ext-nacl)#20 permit tcp any eq 443 The alphanumeric name string (WEB_ONLY in the example) must be unique. If sequence numbers are not configured, they are generated automatically, starting at 10 and incrementing by 10. The no 10 command removes the specific test that is numbered with 10 from the named ACL. Branch(config-if)#ip access-group WEB_ONLY in Named ACLs are activated on an interface with the same command as numbered ACLs Cisco Systems, Inc. ICND1 3-44

10 Edit an ACL in the access-list configuration mode to deny web access for host : Branch#show access-lists Extended IP access list WEB_ONLY 10 permit tcp any eq www 20 permit tcp any eq 443 Branch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Branch(config)#ip access-list extended WEB_ONLY Branch(config-ext-nacl)#5 deny ip host any Branch(config-ext-nacl)#end Branch#show access-lists Extended IP access list WEB_ONLY 5 deny ip host any 10 permit tcp any eq www 20 permit tcp any eq Cisco Systems, Inc. ICND1 3-45

11 These guidelines are recommended: The type of ACL, standard or extended, determines what is filtered. Only one ACL per interface, per protocol, and per direction is allowed. The most specific statement should be at the top of an ACL. The most general statement should be at the bottom of an ACL. The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement. When placing an ACL in a network, follow these guidelines: Place extended ACLs close to the source. Place standard ACLs close to the destination. An ACL can filter traffic going through the router or traffic to and from the router, depending on how it is applied Cisco Systems, Inc. ICND1 3-46

12 Branch#show access-lists Displays the content of ACLs Branch#show access-lists Standard IP access list SALES 10 deny , wildcard bits permit permit permit Extended IP access list ENG 10 permit tcp host any eq telnet (25 matches) 20 permit tcp host any eq ftp 30 permit tcp host any eq ftp-data 2013 Cisco Systems, Inc. ICND1 3-47

13 Branch#show ip interface GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is /24 Broadcast address is Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is WEB_ONLY Proxy ARP is enabled Local Proxy ARP is disabled <text omitted> Shows whether an ACL is applied to an interface 2013 Cisco Systems, Inc. ICND1 3-48

14 Host has no connectivity with Branch#show access-lists 10 Standard IP access list permit , wildcard bits Cisco Systems, Inc. ICND1 3-49

15 Host has no connectivity with Branch#show access-lists 10 Standard IP access list deny , wildcard bits permit permit any 2013 Cisco Systems, Inc. ICND1 3-50

16 Users from the network cannot open a TFTP session to Branch#show access-lists 120 Extended IP access list deny tcp any eq telnet 20 deny tcp any eq smtp 30 permit tcp any any 2013 Cisco Systems, Inc. ICND1 3-51

17 Users from the network can use Telnet to connect to , but this connection should not be allowed. Branch#show access-lists 130 Extended IP access list deny tcp any eq telnet any 20 deny tcp any eq smtp 30 permit ip any any 2013 Cisco Systems, Inc. ICND1 3-52

18 Host can use Telnet to connect to , but this connection should not be allowed. Branch#show access-lists 140 Extended IP access list deny tcp host any eq telnet 20 deny tcp any eq smtp 30 permit ip any any 2013 Cisco Systems, Inc. ICND1 3-53

19 Host can use Telnet to connect to , but this connection should not be allowed. Branch#show access-lists 150 Extended IP access list deny tcp host any eq telnet 20 permit ip any any Branch#show running-config interface Serial 0/0/0 interface Serial0/0/0 ip address ip access-group 150 in <output omitted> 2013 Cisco Systems, Inc. ICND1 3-54

Host 10.10.1.1 can use Telnet to connect into the Branch router IP address, but this connection should not be allowed.

20 Host can use Telnet to connect into the Branch router IP address, but this connection should not be allowed. Branch#show access-lists 160 Extended IP access list deny tcp any host eq telnet 20 permit ip any any 2013 Cisco Systems, Inc. ICND1 3-55

21 ACLs that are used for traffic filtering can operate in the inbound or outbound direction. One ACL per protocol, per direction, per interface is supported. Extended ACLs are used to filter traffic based on source and destination IP addresses, protocol, and port numbers. Numbered, extended ACLs use numbers from 100 to 199 and from 2000 to Cisco Systems, Inc. ICND1 3-56

22 Access-list configuration mode allows adding, modifying, and deleting individual statements from an ACL. Place more specific statements at the top of an ACL and more general ones at the bottom. Use the show access-lists verification command to troubleshoot common ACL configuration errors Cisco Systems, Inc. ICND1 3-57

23 2013 Cisco Systems, Inc. ICND1 3-58

2002, Cisco Systems, Inc. All rights reserved.

2002, Cisco Systems, Inc. All rights reserved. Configuring IP Access Lists 2002, Cisco Systems, Inc. All All rights reserved. ICND v2.0 6-2 2 Objectives Upon completing this lesson, you will be able to: