Академический Документы
Профессиональный Документы
Культура Документы
is course. However, one of the most important skills a network administrator nee
ds is mastery of access control lists (ACLs). Administrators use ACLs to stop tr
affic or permit only specified traffic while stopping all other traffic on their
networks. This chapter includes an opportunity to develop your mastery of ACLs
with a series of lessons, activities, and lab exercises.
Network designers use firewalls to protect networks from unauthorized use. Firew
alls are hardware or software solutions that enforce network security policies.
Consider a lock on a door to a room inside a building. The lock only allows auth
orized users with a key or access card to pass through the door. Similarly, a fi
rewall filters unauthorized or potentially dangerous packets from entering the n
etwork. On a Cisco router, you can configure a simple firewall that provides bas
ic traffic filtering capabilities using ACLs.
An ACL is a sequential list of permit or deny statements that apply to addresses
or upper-layer protocols. ACLs provide a powerful way to control traffic into a
nd out of your network. You can configure ACLs for all routed network protocols.
The most important reason to configure ACLs is to provide security for your netw
ork. This chapter explains how to use standard and extended ACLs as part of a se
curity solution and teaches you how to configure them on a Cisco router. Include
d are tips, considerations, recommendations, and general guidelines on how to us
e ACLs.
ACLs enable you to control traffic into and out of your network. This control ca
n be as simple as permitting or denying network hosts or addresses. However, ACL
s can also be configured to control network traffic based on the TCP port being
used. To understand how an ACL works with TCP, let us look at the dialogue that
occurs during a TCP conversation when you download a webpage to your computer.
When you request data from a web server, IP takes care of the communication betw
een the PC and the server. TCP takes care of the communication between your web
browser (application) and the network server software. When you send an e-mail,
look at a webpage, or download a file, TCP is responsible for breaking data down
into packets for IP before they are sent, and for assembling the data from the
packets when they arrive. The TCP process is very much like a conversation in wh
ich two nodes on a network agree to pass data between one another.
Recall that TCP provides a connection-oriented, reliable, byte stream service. T
he term connection-oriented means that the two applications using TCP must estab
lish a TCP connection with each other before they can exchange data. TCP is a fu
ll-duplex protocol, meaning that each TCP connection supports a pair of byte str
eams, each stream flowing in one direction. TCP includes a flow-control mechanis
m for each byte stream that allows the receiver to limit how much data the sende
r can transmit. TCP also implements a congestion-control mechanism.
The ACL can also extract upper layer information and test it against its rules.
Upper layer information includes:
TCP/UDP source port
TCP/UDP destination port
This is just a simple example. You can configure multiple rules to further permi
t or deny services to specific users. You can also filter packets at the port le
vel using an extended ACL, which is covered in Section 3.
The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the
three Ps. You can configure one ACL per protocol, per direction, per interface:
One ACL per protocol-To control traffic flow on an interface, an ACL must be def
ined for each protocol enabled on the interface.
One ACL per direction-ACLs control traffic in one direction at a time on an inte
rface. Two separate ACLs must be created to control inbound and outbound traffic
.
One ACL per interface-ACLs control traffic for an interface, for example, Fast E
thernet 0/0.
Writing ACLs can be a challenging and complex task. Every interface can have mul
tiple protocols and directions defined. The router in the example has two interf
aces configured for IP: AppleTalk and IPX. This router could possibly require 12
separate ACLs-one ACL for each protocol, times two for each direction, times tw
o for the number of ports.
ACLs perform the following tasks:
Limit network traffic to increase network performance. For example, if corporate
policy does not allow video traffic on the network, ACLs that block video traff
ic could be configured and applied. This would greatly reduce the network load a
nd increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates.
If updates are not required because of network conditions, bandwidth is preserv
ed.
Provide a basic level of security for network access. ACLs can allow one host to
access a part of the network and prevent another host from accessing the same a
rea. For example, access to the Human Resources network can be restricted to sel
ect users.
Decide which types of traffic to forward or block at the router interfaces. For
example, an ACL can permit e-mail traffic, but block all Telnet traffic.
Control which areas a client can access on a network.
Screen hosts to permit or deny access to network services. ACLs can permit or de
ny a user to access file types, such as FTP or HTTP.
ACLs inspect network packets based on criteria, such as source address, destinat
ion address, protocols, and port numbers. In addition to either permitting or de
nying traffic, an ACL can classify traffic to enable priority processing down th
e line. This capability is similar to having a VIP pass at a concert or sporting
event. The VIP pass gives selected guests privileges not offered to general adm
ission ticket holders, such as being able to enter a restricted area and be esco
rted to their box seats.
ACL statements operate in sequential order. They evaluate packets against the AC
L, from the top down, one statement at a time.
The figure shows the logic for an inbound ACL. If a packet header and an ACL sta
tement match, the rest of the statements in the list are skipped, and the packet
is permitted or denied as determined by the matched statement. If a packet head
er does not match an ACL statement, the packet is tested against the next statem
ent in the list. This matching process continues until the end of the list is re
ached.
A final implied statement covers all packets for which conditions did not test t
rue. This final test condition matches all other packets and results in a "deny"
instruction. Instead of proceeding into or out of an interface, the router drop
s all of these remaining packets. This final statement is often referred to as t
he "implicit deny any statement" or the "deny all traffic" statement. Because of
this statement, an ACL should have at least one permit statement in it; otherwi
se, the ACL blocks all traffic.
You can apply an ACL to multiple interfaces. However, there can be only one ACL
per protocol, per direction, and per interface.
The figure shows the logic for an oubound ACL. Before a packet is forwarded to a
n outbound interface, the router checks the routing table to see if the packet i
s routable. If the packet is not routable, it is dropped. Next, the router check
s to see whether the outbound interface is grouped to an ACL. If the outbound in
terface is not grouped to an ACL, the packet can be sent to the output buffer. E
xamples of outbound ACL operation are as follows:
If the outbound interface is not grouped to an outbound ACL, the packet is sent
directly to the outbound interface.
If the outbound interface is grouped to an outbound ACL, the packet is not sent
out on the outbound interface until it is tested by the combination of ACL state
ments that are associated with that interface. Based on the ACL tests, the packe
t is permitted or denied.
For outbound lists, "to permit" means to send the packet to the output buffer, a
nd "to deny" means to discard the packet.
Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example, protoc
ol type, source and IP address, destination IP address, source TCP or UDP ports,
destination TCP or UDP ports, and optional protocol type information for finer
granularity of control. In the figure, ACL 103 permits traffic originating from
any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP
). Extended ACLs are created in global configuration mode.
The commands for ACLs are explained in the next few topics.
A standard ACL is a sequential collection of permit and deny conditions that app
ly to IP addresses. The destination of the packet and the ports involved are not
covered.
The decision process is mapped in the figure. Cisco IOS software tests addresses
against the conditions one by one. The first match determines whether the softw
are accepts or rejects the address. Because the software stops testing condition
s after the first match, the order of the conditions is critical. If no conditio
ns match, the address is rejected.
The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and ac
cess conditions.
Step 2. Apply the ACL to interfaces or terminal lines.