Archive for the Access Control Lists Category

ACL or Access Control Lists – fun fun fun!

Posted in Access Control Lists on July 18, 2008 by itdaddy

Practice Your Placement of ACLs (Standard and Extended)

ACLs are used to control traffic by filtering packets and eliminating unwanted traffic on a network. Another important consideration when implementing ACLs is where the access list is placed. The ACL should be placed where it has the greatest impact on efficiency. The general rule is to put extended ACLs as close as possible to the source of the traffic that is denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.

Administrators can only place access lists on devices that they control.

A standard ACL should be placed close to the destination: first decide which router is closest to the destination, then which of its interfaces is closest. An ACL can be applied to any interface, but applying it to the wrong one either filters nothing or blocks traffic that should have been permitted. The extended ACL should be placed closest to the source: again decide which router is closest, then choose the correct interface. The in or out keyword on ip access-group also has to be correct or the ACL will not filter the intended traffic. Two common mistakes are forgetting to apply the ACL to an interface at all (a defined but unapplied ACL filters nothing) and applying it in the wrong direction.
Figure: where to place extended and standard ACLs
This page will explain where an ACL should be placed. The placement of ACLs is an important consideration.

Proper ACL placement will filter traffic and make the network more efficient. The ACL should be placed where it has the greatest impact on efficiency.

In the figure the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, all other traffic must be permitted. There are several ways to do this. The recommended solution is an extended ACL that specifies both source and destination addresses (and, for Telnet and FTP, the TCP ports). Place this extended ACL on Router A. Then the denied packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses, and other traffic between the same two LANs, will still be permitted.


Administrators can only place access lists on devices that they control. Therefore access list placement must be determined in the context of where the network administrator’s control extends.

Click on this link to practice your ACL placements; cool

——————————————
ACLs or Access Control Lists
——————————————

Topics covered:

-ACL logic and implicit deny
-Standard ACL and Remarks
-Extended ACL
-Named ACL
-Host and Any
-Order in the ACL lines
-Telnet Access (access-class) ACL
-Common port numbers Review
-Route Summarization (RIP, EIGRP)

————————
Types of ACLs are:
————————
– Standard  (1-99; 1300 – 1999)

– Extended (100-199; 2000 – 2699)

– named (standard or extended; identified by a name instead of a number, so no number range applies)

————————–
————————–

wild card example:

196.17.100.0 /24 = 196.17.100.0 0.0.0.255
access-list 5 permit 172.12.12.0 0.0.0.255
(config-if)#ip access-group 5 (in/out)
 

show access-list

access-list 5 remark block 172.12.12.0
Wild Cards in:

EIGRP
OSPF
Access-list

Subnet Mask in:
ip route
ip address
Examples of access-list with masks and wild card masks:
access-list 6 permit 10.1.1.1 0.0.0.0    host wild mask
access-list 6 permit host 10.1.1.1       same thing
access-list 15 permit any
access-list 15 permit 0.0.0.0 255.255.255.255 same thing as any
To get the wildcard mask, subtract the subnet mask from 255.255.255.255 (every bit is flipped):

  255.255.255.255
- 255.255.255.255   subnet mask of a single host (/32)
  ---------------
    0.  0.  0.  0   wildcard (same as "host")

Given:

  255.255.255.255
- 255.255.255.248   subnet mask (/29)
  ---------------
    0.  0.  0.  7   wildcard

———————–
standard access-list
———————–

access-list 15 deny 172.18.18.0 0.0.0.255
access-list 15 permit any

any    =  0.0.0.0    255.255.255.255

—————————————-
Extended Access-list
—————————————-

100-199
2000-2699
                        (source)                 (destination)
access-list 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255

—————————————-
Note: on an extended line both the source and the destination address (plus the protocol, and the port if one is given) must match for the line to apply to the packet. The protocol keyword is mandatory; the two lines below are the corrected form of the list above:
access-list 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255
access-list 150 permit ip any any
————–
2 rule list
————–

Only two IP ACLs can be applied to an interface:

– 1 for in
– 1 for out

only! (one ACL per interface, per direction, per protocol; applying a second one in the same direction replaces the first)

example:

interface (name)
ip access-group 150 in
ip access-group 150 out
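As an added worked example (Python written for these notes, not IOS output and not code from the original post), here is a small evaluator for numbered access-list lines in the syntax used above. It computes wildcard masks from subnet masks, matches addresses the way the wildcard bits say (0 = must match, 1 = don't care), treats host and any as their wildcard equivalents, processes lines top down with first match winning, and falls through to the implicit deny when nothing matches. The ACLs and packets at the bottom are constructed for the demonstration; access-list 150 uses the Telnet (23) and FTP (21) ports, and the wrong-order list shows why a permit ip any any placed first makes every line after it dead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is 0.0.0.0 255.255.255.255

def wildcard_from_mask(mask: str) -> str:
    """Wildcard = 255.255.255.255 minus the subnet mask, e.g. 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))

def wildcard_from_prefix(prefixlen: int) -> str:
    """/24 -> 0.0.0.255, /29 -> 0.0.0.7, /32 -> 0.0.0.0 (a single host)."""
    return wildcard_from_mask(str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask))

def wild_match(ip: str, addr: str, wild: str) -> bool:
    """A 0 bit in the wildcard must match addr; a 1 bit is 'don't care'."""
    ip_i, addr_i, wild_i = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wild))
    return ((ip_i ^ addr_i) & ~wild_i & 0xFFFFFFFF) == 0

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; tcp/udp/icmp must be equal
    src: tuple                   # (address, wildcard)
    dst: tuple                   # a standard ACL gets ANY here: it never looks at the destination
    dport: Optional[int] = None  # "eq N" after the destination, if present (source ports not modelled)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (wild_match(pkt["src"], *self.src) and wild_match(pkt["dst"], *self.dst)):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def _take_addr(tok: list) -> tuple:
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":                          # "host 10.1.1.1" == "10.1.1.1 0.0.0.0"
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))

def _take_port(tok: list) -> Optional[int]:
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(text: str) -> list:
    """Parse 'access-list N ...' lines in order; remark lines are comments, not rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, tok = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
            rules.append(Rule(action, "ip", _take_addr(tok), ANY))
        else:                                             # extended: proto src dst [eq port]
            proto = tok.pop(0)
            src, dst = _take_addr(tok), _take_addr(tok)   # evaluated left to right
            rules.append(Rule(action, proto, src, dst, _take_port(tok)))
    return rules

def evaluate(rules: list, pkt: dict) -> tuple:
    """Top-down, first matching line wins; no match hits the implicit 'deny any' (index None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return (rule.action, i)
    return ("deny", None)

# Constructed ACLs and packets for the demonstration (same style as access-list 15 / 150 above).
ACL_15 = """
access-list 15 remark block 172.18.18.0/24, allow everyone else
access-list 15 deny 172.18.18.0 0.0.0.255
access-list 15 permit any
"""
ACL_150 = """
access-list 150 deny tcp 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255 eq 23
access-list 150 deny tcp 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255 eq 21
access-list 150 permit ip any any
"""
ACL_150_WRONG_ORDER = """
access-list 150 permit ip any any
access-list 150 deny tcp 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255 eq 23
"""
ACL_ONLY_DENY = "access-list 16 deny 172.18.18.0 0.0.0.255"

TELNET = {"proto": "tcp", "src": "172.50.50.10", "dst": "172.50.100.20", "dport": 23}
HTTP = {"proto": "tcp", "src": "172.50.50.10", "dst": "172.50.100.20", "dport": 80}

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.248"))             # 0.0.0.7
    print(evaluate(parse_acl(ACL_150), TELNET))              # ('deny', 0)
    print(evaluate(parse_acl(ACL_150), HTTP))                # ('permit', 2)
    print(evaluate(parse_acl(ACL_150_WRONG_ORDER), TELNET))  # ('permit', 0): the deny line is dead
    print(evaluate(parse_acl(ACL_ONLY_DENY), HTTP))          # ('deny', None): implicit deny
```

The index returned by evaluate is the line that decided the packet's fate; a list in which the deciding line is always the same permit ip any any is the tell-tale of a mis-ordered ACL. ACL_ONLY_DENY shows the other classic mistake: a list with no permit line denies everything, including traffic you never mentioned.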

———————————-
show commands
———————————-
show ip interface serial 0 L2
show access-lists
show ip interface
———————————-

access-list 160 permit ip any any
show ip interface
———————————–

 

————————————–
Named access-list
————————————–
Named ACLs are not numbered: a named ACL is standard or extended by keyword (ip access-list standard NAME or ip access-list extended NAME), and the name is what you reference in ip access-group.

R1(config)#ip access-list extended (name)

R1(config)#ip access-list extended No_traffic_56
R1(config-ext-nacl)#deny ip 175.56.56.0 0.0.0.255 any
R1(config-ext-nacl)#permit ip any any
——————————————-
 Reason to place Extended and Standard ACL
——————————————-
Standard:
Place the ACL as close to the destination as possible
why?: a standard ACL matches on source address only. Placed near the source it would cut that source off from every destination, not just the one you mean to block; placed near the destination it affects only the intended path (the cost is that the unwanted packets cross the network before they are dropped).

Extended:
Place the ACL as close to the source as possible
why?: an extended ACL matches source, destination, protocol and port, so it identifies exactly the unwanted traffic. Dropping it at the first router saves the bandwidth of every link it would otherwise have crossed, and nothing else is affected.
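The placement rule, as an added simulation (Python written for these notes, not from the original post) of the figure described above: routers A, B, C and D in a line, the source LAN on Router A and the destination LAN on Router D Fa0/1. The extra LAN on Router B, the addresses and the packets are assumptions made for the demonstration, and the model applies an ACL to everything that crosses a router rather than to one interface in one direction. It shows the same standard ACL placed at the source and at the destination, and the extended ACL at the source, and reports where each packet is dropped and how many links it consumed first.

```python
import ipaddress

# Constructed topology after the figure described above: a LAN on Router A, serial links
# A - B - C - D, the destination LAN on Router D Fa0/1. The LAN on Router B is an assumption
# added so that collateral damage from a badly placed standard ACL shows up.
LANS = {
    "192.168.1.0/24": "A",   # source LAN (Router A)
    "192.168.2.0/24": "B",   # assumed extra LAN (Router B)
    "192.168.4.0/24": "D",   # destination LAN (Router D Fa0/1)
}
BACKBONE = ["A", "B", "C", "D"]
ANY = "0.0.0.0/0"

def router_of(ip: str) -> str:
    for net, router in LANS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return router
    raise ValueError(f"no LAN for {ip}")

def path(src_ip: str, dst_ip: str) -> list:
    """Routers a packet crosses, source router first."""
    i, j = BACKBONE.index(router_of(src_ip)), BACKBONE.index(router_of(dst_ip))
    seg = BACKBONE[min(i, j):max(i, j) + 1]
    return seg if i <= j else seg[::-1]

def rule_matches(rule: tuple, pkt: dict) -> bool:
    """rule = (action, proto, src_net, dst_net, dport); 'ip' and None mean 'any'."""
    _, proto, src, dst, dport = rule
    return ((proto == "ip" or proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and (dport is None or dport == pkt.get("dport")))

def acl_decision(rules: list, pkt: dict) -> str:
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"                      # implicit deny at the end of every ACL

def forward(placement: dict, pkt: dict) -> tuple:
    """placement maps router -> ACL applied to traffic crossing it (no entry = no ACL).
    Returns (outcome, number of backbone links used before delivery or drop)."""
    route = path(pkt["src"], pkt["dst"])
    for links, router in enumerate(route):
        if router in placement and acl_decision(placement[router], pkt) == "deny":
            return (f"dropped at {router}", links)
    return ("delivered", len(route) - 1)

# Standard ACL: the most it can say is "deny anything from 192.168.1.0/24".
STANDARD = [("deny", "ip", "192.168.1.0/24", ANY, None), ("permit", "ip", ANY, ANY, None)]
# Extended ACL: names the exact flows (Telnet 23, FTP 21) from the A LAN to the D LAN.
EXTENDED = [("deny", "tcp", "192.168.1.0/24", "192.168.4.0/24", 23),
            ("deny", "tcp", "192.168.1.0/24", "192.168.4.0/24", 21),
            ("permit", "ip", ANY, ANY, None)]

STANDARD_AT_SOURCE = {"A": STANDARD}   # wrong place for a standard ACL
STANDARD_AT_DEST = {"D": STANDARD}     # right place for a standard ACL
EXTENDED_AT_SOURCE = {"A": EXTENDED}   # right place for an extended ACL

TELNET_TO_D = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.4.10", "dport": 23}
HTTP_TO_D = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.4.10", "dport": 80}
TELNET_TO_B = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.10", "dport": 23}

if __name__ == "__main__":
    for name, placement in [("standard at source", STANDARD_AT_SOURCE),
                            ("standard at destination", STANDARD_AT_DEST),
                            ("extended at source", EXTENDED_AT_SOURCE)]:
        for pkt_name, pkt in [("telnet->D", TELNET_TO_D), ("http->D", HTTP_TO_D),
                              ("telnet->B", TELNET_TO_B)]:
            print(f"{name:24} {pkt_name:10} {forward(placement, pkt)}")
```

Run it and the three rows tell the story: the standard ACL at the source drops the Telnet packet for free but also kills HTTP to D and Telnet to B, because it cannot see anything beyond the source address; at the destination it spares the traffic to B but carries the unwanted packets over three links before dropping them (and still cannot separate Telnet from HTTP); the extended ACL at the source drops exactly the Telnet flow at zero links and lets everything else through.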

———————-
outbound – the ACL is checked after the routing decision, as the packet leaves the interface. An outbound ACL does not filter packets the router itself generates.

inbound  – the ACL is checked when the packet arrives on the interface, before the router makes its routing decision; packets it denies are dropped without ever being routed.