http://www.trainsignal.com/blog/access-control-list-implementation-on-cisco-routers



This article is the second part in a series centered on IT security and focused on access control lists, or ACLs. In my previous article on ACL Concepts, we looked at the definition of an ACL, why we use them, when to use them, general types and structure, and general router interface placement. In this article, we will investigate the actual configuration of standard and extended IP ACLs and their placement on Cisco router interfaces. ACL configuration and deployment are an important part of Cisco and other router certifications.

ACLs and Protocols

Internet Protocol version 4 (IPv4) ACLs are the most common types of ACLs in use in the networking world today, but there are several different protocols supported on Cisco routers for ACLs. In addition, each ACL utilizes a name specified by a numeric range as shown in Table 1.

Table 1. Protocols with Access Lists Specified by Numbers

Protocol                                   Range
IP                                         1 to 99
Extended IP                                100 to 199
Ethernet type code                         200 to 299
Ethernet address                           700 to 799
Transparent bridging (protocol type)       200 to 299
Transparent bridging (vendor code)         700 to 799
Extended transparent bridging              1100 to 1199
DECnet and extended DECnet                 300 to 399
XNS                                        400 to 499
Extended XNS                               500 to 599
AppleTalk                                  600 to 699
Source-route bridging (protocol type)      200 to 299
Source-route bridging (vendor code)        700 to 799
IPX                                        800 to 899
Extended IPX                               900 to 999
IPX SAP                                    1000 to 1099
Standard VINES                             1 to 100
Extended VINES                             101 to 200
Simple VINES                               201 to 300

In addition, IPv6 ACLs are not restricted to numerical ranges; the name of the list can include alphanumeric characters as well. It is also worth noting that other routers, such as Juniper and Force10, allow alphanumeric names in most if not all ACLs, so the numeric naming convention is a Cisco convention, not a standard applied to all network routers.

Configuration Commands for Creating ACLs

Basing ACL names on a range of numbers may be confusing, so it is best to consider the way ACLs are created at the router configuration prompt. ACLs are configured by protocol first. Some, but not all, protocols take a standard or extended qualifier in the statement, and then the numeric name is assigned. Here are some examples:

IP access-lists

  • Router (config)# ip access-list standard 6
  • Router (config)# ip access-list extended 185

IPX access-lists

  • Router (config)# ipx access-list standard 810
  • Router (config)# ipx access-list extended 915

VINES access-lists

  • Router (config)# vines access-list 65 (a standard VINES list)
  • Router (config)# vines access-list 140 (an extended VINES list)

Configuring IP Standard ACLs on Cisco routers

Cisco IP Standard ACLs are used to filter traffic based on a single or range of source IP addresses in the IP packet header. Destination addresses are not considered in a standard ACL.

Let’s look at the format of an IP Standard ACL:

access-list [access-list-number] [deny/permit] [source ip address] [ wildcard mask]

Looking at the format, you can see that the configuration statement begins with the access-list command and the ACL number. In this case, the range for IP Standard ACLs is 1 to 99. You must then declare whether this ACL statement will deny or permit the IP addresses that follow. The final two parts of the statement are the source IP address and a wildcard mask; together they determine whether the statement matches a single host or a range of IP addresses (a wildcard bit of 0 means the corresponding address bit must match, a bit of 1 means it is ignored). The following is an example of a valid IP Standard ACL:

access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any

In the first statement of this ACL, IP traffic from the single host 172.16.0.2 is denied. The second statement denies a range of IP addresses in the 172.16.1.0 network; the range covers 256 IP addresses, 0 to 255, for that subnet. A shorter range is shown in the third statement, which permits 128 IP addresses from the 172.16.2.0 subnet (0 to 127). The final statement explicitly denies all remaining IP addresses, which mirrors the implicit deny that sits at the end of every ACL whether or not you write it.

NOTE: ACL Statement flow

It is crucial that you understand how ACLs are parsed for matches when compared with an IP packet. All comparisons start at the top of the list and work down. Once a match is made, the traffic is either permitted or denied and the comparison stops; no later statement is consulted. You must therefore be careful about the order of the statements within your ACLs.

Configuring IP Extended ACLs on Cisco Routers

Cisco IP Extended ACLs are more complex than the Standard versions. The IP Extended ACL adds the ability to filter on destination IP address and includes some additional layer 3 and layer 4 protocol support, in particular TCP, UDP, and ICMP. This additional functionality makes IP Extended ACLs very powerful tools for IT security and network professionals. Let’s take a look at the format of the IP Extended ACL:

access-list [access-list-number] [deny/permit] [protocol] [source ip address] [ wildcard mask] [source port] [destination ip address] [wildcard mask] [destination port] [statement flag]

As you can see from this format, IP Extended ACL statements can become rather long, but are very effective in filtering specific types of traffic based on address and ports. Below are a few examples of IP Extended ACL statements:

access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any

What do we see happening in this IP Extended ACL? The first statement denies IP traffic from the 172.16.1.0 subnet to the entire 172.16.5.0 destination subnet and logs any matches in the router log. The second statement is similar, but denies traffic from the 172.16.1.0 subnet to a single host 172.16.4.1. It is important to note the difference that IP Extended ACLs use for identifying a single host compared to an IP Standard ACL. Single hosts in the Extended version utilize the host identifier before the IP address and no wildcard mask is required.

The next statements in the ACL show how TCP, UDP, and ICMP can be utilized in these ACLs. The third statement permits TCP traffic from the 172.16.3.0 subnet with a source port of 80 to any destination IP and then logs the traffic matches. Continuing down the list, the next statement denies the UDP traffic from the first 128 IP addresses in the 172.16.6.0 subnet to the 32 IP addresses in the 172.16.5.0 subnet with a destination port of 53, and then logs any matches.

These two statements utilize ports for both TCP and UDP as part of their match criteria. Cisco and other routers can associate well-known ports for these protocols with keywords for familiarity. In the TCP statement, port 80 is associated with HTTP traffic, and a Cisco ACL accepts either 80 or www as a valid port in the ACL. The UDP statement uses port 53, which is for DNS. Most routers will automatically translate the port number to these keywords for you, and you can see them in the ACL when you run show ip access-lists or show running-config.

The next statement is slightly different. It permits ICMP traffic, the protocol used by network ping, from any source to any destination, but qualifies it with the message type host-unreachable. This keyword matches only the ICMP reply sent in response to a ping request when the target host cannot be contacted. The final statement in the list explicitly denies all traffic that was not matched by previous ACL statements, the same result the implicit deny would produce.
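The top-down, first-match behaviour described in the NOTE above, and the wildcard-mask arithmetic behind the 256- and 128-address ranges in the standard ACL, are easy to get wrong when reading a list by eye. The following Python model is an added example, not code from the original article: it parses the article's own ACL 6 and ACL 165 lines, evaluates constructed packets against them, and reports which statement matched (or that the packet fell through to the implicit deny). It supports only the keyword subset the article uses (host, any, eq, log and a single ICMP message keyword); the Packet fields and the small WELL_KNOWN_PORTS table are assumptions made for this illustration, not IOS internals.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Subset of the port keywords IOS accepts in place of numbers (assumed for this example).
WELL_KNOWN_PORTS = {"www": 80, "http": 80, "domain": 53, "telnet": 23, "ftp": 21}
ANY = ("0.0.0.0", "255.255.255.255")  # "any" = address 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bits: 0 = bit must match the base address, 1 = bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def wildcard_size(wildcard: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (count of 1 bits)."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")


@dataclass
class Packet:                        # constructed test input, not a real capture
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "echo-request", "host-unreachable"


@dataclass
class Entry:
    text: str                        # the original access-list line, for reporting
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":             # extended-ACL single host: no wildcard follows
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2   # address followed by its wildcard
    return (tok[i], "0.0.0.0"), i + 1        # bare address in a standard ACL = host


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else WELL_KNOWN_PORTS[p]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one `access-list <n> permit|deny ...` line; 1-99 standard, 100-199 extended."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:            # standard ACL: source address only
        src, _ = _parse_addr(tok, 3)
        return Entry(line, action, "ip", src, ANY)
    proto, i = tok[3], 4
    src, i = _parse_addr(tok, i)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    # Anything left is a trailing "log" and/or an ICMP message keyword.
    icmp_type = next((f for f in tok[i:] if f != "log"), None)
    return Entry(line, action, proto, src, dst, sport, dport, icmp_type)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return e.icmp_type is None or p.icmp_type == e.icmp_type


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; an unmatched packet falls into the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny (end of list)"


# The article's two ACLs, parsed verbatim.
ACL_6 = [parse_entry(l) for l in """\
access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any""".splitlines()]

ACL_165 = [parse_entry(l) for l in """\
access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any""".splitlines()]
```

Running evaluate(ACL_165[:-1], ...) against an ICMP echo-request packet shows the point of the NOTE: with the explicit deny ip any any removed, the packet still ends up denied, but the reported reason is the implicit deny rather than a visible statement, which is why administrators often write the final deny out so that it can carry a log keyword and a hit counter.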

Implementation of ACLs on a router interface

Now that we have seen the structure of these ACLs, we need to be able to apply them to a router interface; an ACL that is defined but not bound to an interface filters nothing. To apply the ACL to an interface, you must enter that interface's configuration mode on the router. The command to associate an IP ACL with an interface has the following format:

ip access-group [access-list-number] [in/out]

Note the difference in the statement as the command is ip access-group not access-list as in the ACL configuration. Let’s look at a quick example of assigning an ACL to interface FastEthernet 0/0 on a Cisco router.

Router#configure terminal
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 165 in

This example configures the IP Extended ACL 165 to the interface and places it in on the ingress side of the interface. To place the ACL on the egress side, the final flag at the end would be changed to out.
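Putting the pieces of this article together, the following IOS session is an added example (not taken from the original article) that builds ACL 165 in full, binds it inbound on FastEthernet0/0 as shown above, and then runs the two show commands a practitioner uses to confirm the result. The order matters: on IOS, an ip access-group that references an ACL with no statements filters nothing, so the list should be complete before it is applied.

```cisco
! Build the complete list first.
configure terminal
access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any
! Then bind it to the interface on the ingress side.
interface FastEthernet0/0
 ip access-group 165 in
end
! Verify: per-statement match counters show which lines traffic actually hits,
! and statements carrying the log keyword also generate router log messages.
show ip access-lists 165
! Confirm the list is bound on the intended interface and in the intended direction.
show ip interface FastEthernet0/0
```

A zero hit count on a statement you expected to match, or all matches landing on the final deny ip any any, usually means an earlier statement or the interface direction is not what you intended.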

What Have We Learned?

In this article, we covered the configuration of both IP Standard and Extended ACLs and how to assign them to a Cisco router interface. These topics are extremely important to understand for network security and for the Cisco network certification exams. This brief introduction to IP ACLs can start you on the journey to better understanding of this topic, but in-depth Cisco networking training can provide you with the tools you need to grasp these concepts and master them.

In future articles, we will look at ACL tips and best practices that will provide real world examples and valuable information for achieving your certification.

Views: 186930
Posted: 2013.08.02 11:03:07 (*.251.139.102)
Post URL: http://webs.co.kr/index.php?document_srl=23658