CCNA4 – Chapter 5
* Router and ACL
- By default, a router does not have any ACLs configured and therefore does not filter traffic.
–Traffic that enters the router is routed according to the routing table.
* ACL
- An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
–As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet.
•[Tony]: It stops when it finds a matching statement.
–The ACL applying a permit or deny rule to determine the fate of the packet.
•[Tony]: If ACL cannot find a matching statement from the list, the default action is denying the traffic.
–ACLs can be configured to control access to a network or subnet.
•[Tony]: It can control into and out of the network, or subnet, or, single host.
* Filter traffic
- ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.
- A final implied (IMPLICIT) statement covers all packets for which conditions did not test true.
* ACL: The Three Ps
–One ACL per protocol - An ACL must be defined for each protocol enabled on the interface.
–One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
–One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.
* 2 Types of Cisco ACLs: standard and extended
- Standard ACLs
–Standard ACLs allow you to permit or deny traffic from source IP addresses.
–The destination of the packet and the ports involved do not matter.
–The example allows all traffic from network 192.168.30.0/24 network.
•Because of the implied "deny any" at the end, all other traffic is blocked with this ACL.
- Extended ACLs
–Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
–In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP).
* Where to Place ACLs
- The basic rules are:
–Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
–Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
* ACL Wildcard Masking
- ACLs statements include wildcard masks.
–A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.
–The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.
- Wildcard mask bit 0 - Match the corresponding bit value in the address
- Wildcard mask bit 1 - Ignore the corresponding bit value in the address
* Configuring Standard ACLs
- You will not be asked to create ACL, but you need to be able to read the ACL that are created for the question and be able to answer that are the effect of the ACL.
- In the standard ACL statement, if there is no wildcard mask specified, default mask of 0.0.0.0 is used.
–Router(config)#access-list 1 permit 171.69.2.88
- Example: use an ACL to permit a single network.
–This ACL allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
* Configuring Extended ACLs
- You will not be asked to create ACL, but you need to be able to read the ACL that are created for the question and be able to answer that are the effect of the ACL.
- The procedural steps for configuring extended ACLs are the same as for standard ACLs
–first create the extended ACL
–then activate it on an interface.
* Extended ACLs: establishedoptions (use the same graphic listed above)
–ACL 104 applies to traffic coming into the network.
•ACL 104 blocking all incoming traffic, except for the established connections.
•HTTP establishes connections starting with the request and then exchange of ACK, FIN, and SYN messages.
•A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection.
•This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to return to s0/0/0.
* Named ACLs
- Naming an ACL makes it easier to understand.
–For example, an ACL to deny FTP could be called NO_FTP.
- You can use the remark keyword to include comments about entries in any ACL (standard, extended, named, …).
–The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
- Reflexive ACLs can be defined only with extended named IP ACLs.
–They cannot be defined with numbered or standard named ACLs or with other protocol ACLs.
- Starting with Cisco IOS 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.
- You can use sequence numbers to insert statements anywhere in the named ACL.
* Dynamic ACLs
–Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
–Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated.
–The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists.
–This permits traffic for a particular period; idle and absolute timeouts are possible.
* Reflexive ACLs
- Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.
* Time-based ACLs
- Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time.
–To implement time-based ACLs, you create a time range that defines specific times of the day and week.
–You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.