create ACLs, it is a good idea to add the implicit deny at the end of ACLs to reinforce the dynamic presence of the command line.
11.1 Access Control List Fundamentals

11.1.3 Creating ACLs

ACLs are created in the global configuration mode. There are many different types of ACLs including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list. After the proper command mode is entered and the list type number is decided upon, the user enters the access list statements using the keyword access-list, followed by the proper parameters.

Creating the access list is the first half of using them on a router. The second half of the process is assigning them to the proper interface. ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic by using the access-group command. The access-group command is issued in the interface configuration mode. When assigning an ACL to an interface, inbound or outbound placement should be specified. The filter direction can be set to check packets that are traveling into or out of an interface. When determining if the ACL is addressing inbound or outbound traffic, the network administrator needs to look at the interfaces from inside the router. This is a very important concept. Traffic coming in from an interface is filtered by an inbound access list; traffic going out an interface is filtered by the outbound access list.

After creating a numbered ACL, it must be assigned to an interface. To alter an ACL containing numbered ACL statements, all the statements in the numbered ACL must be deleted by using the command no access-list list-number. These basic rules should be followed when creating and applying access lists:

- One access list per protocol per direction.
- Standard access lists should be applied closest to the destination.
- Extended access lists should be applied closest to the source.
- Use the inbound or outbound interface reference as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
- There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- The match condition is examined first. The permit or deny is examined ONLY if the match is true.
- Never work with an access list that is actively applied.
- Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.
- New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
- An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
- Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted.
- Outbound filters do not affect traffic originating from the local router.
11.1 Access Control List Fundamentals

11.1.4 The function of a wildcard mask

A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker.

Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules. Subnet masks start from the left side of an IP address and work towards the right to extend the network field by borrowing bits from the host field. Wildcard masks are designed to filter individual or groups of IP addresses, permitting or denying access to resources based on the address. Trying to figure out how wildcard masks work by relating them to subnet masking will only confuse the entire matter. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use ones and zeros for the mask. Another issue is that the ones and zeros mean something different in a wildcard mask as opposed to a subnet mask. In order to eliminate confusion, X’s will be substituted for the 1’s in the wildcard masks in the graphics. This mask would be written as 0.0.255.255. A zero means let the value through to be checked; the X’s (1’s) mean block the value from being compared.

In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is used to compare and see if a packet should be processed by this ACL statement, or sent to the next statement to be checked. The second part of the ACL process is that any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. The result of the IP address and the wildcard mask must equal the match value of the ACL. This process is illustrated in the animation.

There are two special keywords that are used in ACLs, the any and host options. Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against. The host option substitutes for the 0.0.0.0 mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.
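The wildcard-mask comparison and the top-down, implicit-deny processing from the rules in 11.1.3, as an added Python example that is not part of the Cisco curriculum: it parses constructed access-list statements written in IOS syntax and evaluates a packet's source address against them. The parse_acl, parse_source, wildcard_match and evaluate names are this example's own, not IOS commands.

```python
import ipaddress
import re

# Constructed sample in IOS access-list syntax (not taken from the page's labs).
SAMPLE_ACL = """
access-list 10 deny   host 172.16.4.13
access-list 10 permit 172.16.0.0 0.0.255.255
"""

_STMT = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_source(text: str):
    """Return (address, wildcard) as ints, expanding the any and host keywords."""
    parts = text.split()
    if parts[0] == "any":                 # any == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if parts[0] == "host":                # host == <address> 0.0.0.0
        return _to_int(parts[1]), 0
    if len(parts) == 1:                   # a bare address also implies a 0.0.0.0 mask
        return _to_int(parts[0]), 0
    return _to_int(parts[0]), _to_int(parts[1])

def parse_acl(config: str):
    """Parse access-list lines, in order, into (number, action, address, wildcard)."""
    entries = []
    for line in config.strip().splitlines():
        m = _STMT.match(line.strip())
        if m:
            address, wildcard = parse_source(m.group(3))
            entries.append((int(m.group(1)), m.group(2), address, wildcard))
    return entries

def wildcard_match(packet_ip: str, address: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard mask is compared; a 1 bit is ignored."""
    compared = ~wildcard & 0xFFFFFFFF
    return (_to_int(packet_ip) & compared) == (address & compared)

def evaluate(entries, packet_ip: str) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for _number, action, address, wildcard in entries:
        if wildcard_match(packet_ip, address, wildcard):
            return action
    return "deny"  # the implicit deny, which never appears in the configuration
```

Feeding sample addresses through evaluate() is the offline equivalent of the advice in 11.1.5 to test a list with sample traffic before trusting its placement.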
11.1 Access Control List Fundamentals

11.1.5 Verifying ACLs

There are many show commands that will verify the content and placement of ACLs on the router. The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also reveal the access lists on a router and the interface assignment information. These show commands will verify the list contents and placement. It is also a good practice to test the access lists with sample traffic to ensure that the access list logic is correct.
11.2 Access Control Lists (ACLs)

11.2.1 Standard ACLs

Standard ACLs check the source address of IP packets that are routed. The comparison will result in either permit or