
http://www.trainsignal.com/blog/access-control-list-implementation-on-cisco-routers

This article is the second part in a series centered on IT security and focused on access control lists, or ACLs. In my previous article on ACL concepts, we looked at the definition of an ACL, why we use them, when to use them, their general types and structure, and general router interface placement. In this article, we will look at the actual configuration of standard and extended IP ACLs and their placement on Cisco router interfaces. ACL configuration and deployment are an important part of Cisco and other router certifications.

ACLs and Protocols

Internet Protocol version 4 (IPv4) ACLs are the most common type of ACL in use in the networking world today, but Cisco routers support ACLs for several other protocols as well. Each numbered ACL is identified by a number taken from the range assigned to its protocol, as shown in Table 1.

Table 1: Protocols with Access Lists Specified by Numbers

Protocol                                  Range
IP                                        1 to 99
Extended IP                               100 to 199
Ethernet type code                        200 to 299
Ethernet address                          700 to 799
Transparent bridging (protocol type)      200 to 299
Transparent bridging (vendor code)        700 to 799
Extended transparent bridging             1100 to 1199
DECnet and extended DECnet                300 to 399
XNS                                       400 to 499
Extended XNS                              500 to 599
AppleTalk                                 600 to 699
Source-route bridging (protocol type)     200 to 299
Source-route bridging (vendor code)       700 to 799
IPX                                       800 to 899
Extended IPX                              900 to 999
IPX SAP                                   1000 to 1099
Standard VINES                            1 to 100
Extended VINES                            101 to 200
Simple VINES                              201 to 300

In addition, IPv6 ACLs are not restricted to numerical ranges and can use alphanumeric names for the list. Note that other routers, such as Juniper and Force10, allow alphanumeric names for most if not all ACLs; the numbered naming convention is a Cisco convention, not a standard applied to all network routers.

Configuration Commands for Creating ACLs

Basing ACL names on numeric ranges may seem confusing, but it helps to look at how ACLs are actually created at the router configuration prompt. ACLs are configured by protocol first. Some, but not all, protocols then take a standard or extended qualifier, and finally the number is assigned. Here are some examples:

IP access-lists

  • Router(config)# ip access-list standard 6
  • Router(config)# ip access-list extended 185

IPX access-lists

  • Router(config)# ipx access-list standard 810
  • Router(config)# ipx access-list extended 915

VINES access-lists

  • Router(config)# vines access-list 65 (a standard VINES list)
  • Router(config)# vines access-list 140 (an extended VINES list)

Configuring IP Standard ACLs on Cisco routers

Cisco IP Standard ACLs are used to filter traffic based on a single or range of source IP addresses in the IP packet header. Destination addresses are not considered in a standard ACL.

Let’s look at the format of an IP Standard ACL:

access-list [access-list-number] [deny/permit] [source ip address] [wildcard mask]

Looking at the format, you can see that the configuration statement begins with the access-list command and the ACL number; for IP Standard ACLs the number must fall in the range 1 to 99. You must then declare whether this ACL statement will deny or permit the IP addresses that follow. The final two parts of the statement are the source IP address and a wildcard mask, which together determine whether the statement matches a single host or a range of IP addresses (a 0 bit in the wildcard mask means the corresponding address bit must match exactly; a 1 bit means it is ignored). The following is an example of a valid IP Standard ACL:

access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any

In the first statement of this ACL, IP traffic from the single host 172.16.0.2 is denied. The second statement denies a range of IP addresses in the 172.16.1.0 network; the wildcard mask 0.0.0.255 covers all 256 addresses, 172.16.1.0 through 172.16.1.255. A shorter range is shown in the third statement, which permits 128 IP addresses from the 172.16.2.0 subnet (172.16.2.0 through 172.16.2.127). The final statement denies all remaining IP addresses; it makes explicit the deny-all that Cisco applies implicitly at the end of every ACL.

NOTE: ACL Statement flow

It is crucial to understand how an ACL is parsed when it is compared with an IP packet. Comparison always starts at the top of the list and works down. Once a statement matches, the traffic is permitted or denied by that statement and comparison stops; later statements are never consulted. You must therefore be careful about the order of the statements in your ACLs.

Configuring IP Extended ACLs on Cisco Routers

Cisco IP Extended ACLs are more complex than the Standard versions. The IP Extended ACL adds the ability to filter on destination IP address and includes some additional layer 3 and layer 4 protocol support, in particular TCP, UDP, and ICMP. This additional functionality makes IP Extended ACLs very powerful tools for IT security and network professionals. Let’s take a look at the format of the IP Extended ACL:

access-list [access-list-number] [deny/permit] [protocol] [source ip address] [wildcard mask] [source port] [destination ip address] [wildcard mask] [destination port] [statement flag]

As you can see from this format, IP Extended ACL statements can become rather long, but are very effective in filtering specific types of traffic based on address and ports. Below are a few examples of IP Extended ACL statements:

access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any

What do we see happening in this IP Extended ACL? The first statement denies IP traffic from the 172.16.1.0 subnet to the entire 172.16.5.0 destination subnet and logs any matches to the router log. The second statement is similar, but denies traffic from the 172.16.1.0 subnet to the single host 172.16.4.1. Note the difference in how IP Extended ACLs identify a single host compared with an IP Standard ACL: the Extended version uses the host keyword before the IP address, and no wildcard mask is required.

The next statements in the ACL show how TCP, UDP, and ICMP can be used in these ACLs. The third statement permits TCP traffic from the 172.16.3.0 subnet with a source port of 80 to any destination IP address and logs the matches. Continuing down the list, the next statement denies UDP traffic from the first 128 IP addresses of the 172.16.6.0 subnet (wildcard 0.0.0.127) to the first 32 IP addresses of the 172.16.5.0 subnet (wildcard 0.0.0.31) with a destination port of 53, and logs any matches.

These two statements use ports for both TCP and UDP as part of their match criteria. Cisco and other routers map well-known ports for these protocols to keyword names for readability. In the TCP statement, port 80 is associated with HTTP traffic; a Cisco ACL accepts either 80 or http as a valid port value. The UDP statement uses port 53, which is DNS. Most routers automatically translate such port numbers to their keyword names, and you will see the keywords rather than the numbers when you run show ip access-list or show running-config.

The next statement is slightly different. It permits ICMP traffic, the protocol used by ping. The statement allows ICMP traffic from any source to any destination, but adds the host-unreachable keyword, which restricts the match to ICMP host-unreachable messages, the reply returned when a pinged target host cannot be contacted. The final statement in the list denies all traffic not matched by a previous statement, making explicit the implicit deny that ends every ACL.
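To make the first-match rule and wildcard-mask matching concrete for both ACL 6 and ACL 165 above, here is an added Python simulator (example code written for this page, not part of the original article or of Cisco IOS). The packets and ACL entries are constructed here; ports are modelled only as eq matches, and the log flags and the icmp entry of ACL 165 are left out so that unmatched traffic visibly falls through to the implicit deny.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def entry_matches(entry, pkt):
    """One ACE as a dict; an absent proto/dst/port key behaves like 'any'."""
    if entry.get("proto", "ip") not in ("ip", pkt["proto"]):
        return False            # 'ip' covers every IP protocol, as in IOS
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if "dst" in entry and not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    for key in ("sport", "dport"):  # 'eq' port qualifiers
        if key in entry and entry[key] != pkt.get(key):
            return False
    return True

def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, index); index is None
    when nothing matched and the implicit deny at the end applied."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry["action"], i
    return "deny", None

def packet(src, dst, proto="ip", **ports):
    return {"src": src, "dst": dst, "proto": proto, **ports}

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = 0.0.0.0 with all-ones wildcard
def host(ip): return (ip, "0.0.0.0")   # 'host x' = x with all-zero wildcard

# access-list 6 from the article (standard: source address only)
ACL6 = [
    {"action": "deny",   "src": host("172.16.0.2")},
    {"action": "deny",   "src": ("172.16.1.0", "0.0.0.255")},
    {"action": "permit", "src": ("172.16.2.0", "0.0.0.127")},
    {"action": "deny",   "src": ANY},
]
# first four entries of access-list 165 (extended); 'log' and the icmp and
# final deny entries are omitted, so unmatched traffic hits the implicit deny
ACL165 = [
    {"action": "deny", "proto": "ip", "src": ("172.16.1.0", "0.0.0.255"), "dst": ("172.16.5.0", "0.0.0.255")},
    {"action": "deny", "proto": "ip", "src": ("172.16.1.0", "0.0.0.255"), "dst": host("172.16.4.1")},
    {"action": "permit", "proto": "tcp", "src": ("172.16.3.0", "0.0.0.255"), "sport": 80, "dst": ANY},
    {"action": "deny", "proto": "udp", "src": ("172.16.6.0", "0.0.0.127"), "dst": ("172.16.5.0", "0.0.0.31"), "dport": 53},
]
```

Running evaluate(ACL6, packet("172.16.2.200", "10.0.0.1")) returns ("deny", 3) because 200 lies outside the 0.0.0.127 wildcard range, while a source of 172.16.2.100 is permitted by the third entry.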

Implementation of ACLs on a router interface

Now that we have seen the structure of these ACLs, we need to be able to apply them to a router interface. To apply an ACL to an interface, you must enter that interface's configuration mode on the router. The command that associates an IP ACL with an interface has the following format:

ip access-group [access-list-number] [in/out]

Note the difference in the command: it is ip access-group, not access-list as in the ACL configuration. Let's look at a quick example of assigning an ACL to interface FastEthernet 0/0 on a Cisco router.

Router#config t
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 165 in

This example applies IP Extended ACL 165 to the interface on the ingress (inbound) side. To apply the ACL on the egress side instead, the final keyword would be changed to out.

What Have We Learned?

In this article, we covered the configuration of both IP Standard and Extended ACLs and how to assign them to a Cisco router interface. These topics are extremely important to understand for network security and for the Cisco network certification exams. This brief introduction to IP ACLs can start you on the journey to better understanding of this topic, but in-depth Cisco networking training can provide you with the tools you need to grasp these concepts and master them.

In future articles, we will look at ACL tips and best practices that will provide real world examples and valuable information for achieving your certification.


Views: 17622
Posted: 2013.08.02 11:03:07
Post URL: http://webs.co.kr/index.php?document_srl=23658