1 / 36

Access Control Lists and W ildcard Masks

Access Control Lists and W ildcard Masks. Cisco Semester 2. Access Lists. Lists of conditions that control access both to and from network segments Can cause the router to analyze every packet crossing an interface in the specified direction and take action accordingly.

lael
Download Presentation

Access Control Lists and W ildcard Masks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Access Control Listsand Wildcard Masks Cisco Semester 2

  2. Access Lists • Lists of conditions that control access both to and from network segments • Can cause the router to analyze every packet crossing an interface in the specified direction and take action accordingly

  3. Rules a packet follows when it’s being compared with an ACL • Always compared with each line of the ACL in sequential order (line 1, 2, 3…) • Compared only till a match is made • There is an implicit “deny” at the end of each ACL • If a packet does not match up to any lines in the ACL, it’ll be discarded

  4. Standard ACLs • Use only the source IP address in an IP packet • Permits or denies an entire suit of protocols • You create a standard IP ACL by using the access list numbers 1-99 • Example: • RouterA(config)# access-list 10 deny host 172.16.30.2 Or • RouterA(config)# access-list 10 deny 172.16.30.2

  5. ACL guidelines • You can only assign one ACL per interface, per protocol, or per direction • (only one inbound ACL and one outbound ACL per interface) • Organize your access lists so that the more specific tests are at the top of the access list • Anytime a new list is added to the ACL, it will be placed at the bottom of the list • You cannot remove one line from an ACL. • If you try it, it will remove the entire list. The only exception is when using named ACLs

  6. ACL guidelines (cont.) • Unless your ACL ends with a permit any command, all packets will be discarded if they do not meet any of the lists’ tests • Every list should have at least one permit statement, or you might as well shut the interface down. • Create access lists and then apply them to an interface.

  7. ACL guidelines (cont.) • Access lists are designed to filter traffic going through the router. • They will not filter traffic originated from the router • Place IP standard access lists as close to the destination as possible • Place IP extended access lists as close to the source as possible

  8. Wildcards Masks • Wildcards are used with the host or network address to tell the router a range of available address to filter • To specify a host – 172.16.30.5 0.0.0.0 (the four zeros represent each octet of the address). Whenever a zero is present, it means that octet in the address must match exactly.

  9. Wildcards Masks • To specify that an octet can be any value, the value of 255 is used • 172.16.30.0 0.0.0.255 • This tells the router to match up the first 3 octets exactly, but the 4th octet can be any value

  10. The “Wildcard Mask” Explained • The “wildcard mask” has no functional relationship with the subnet mask. • However, in many cases the subnet mask can be used to derive the wildcard mask. • For example, you want to filter traffic from all hosts on the 192.168.1.0/24 subnet. • The subnet mask is 255.255.255.0 • To find the wildcard mask, take the inverse of the subnet mask. • The wildcard mask is 0.0.0.255.

  11. In our example, we use all “1s” in the last octet of the wildcard mask for each source-prefix. The subnet mask for each LAN has all “0s” in the last octet. A “1” means ignore this bit position in the packet’s source IP address. Example of source-wildcard

  12. The “Wildcard Mask” at the Bit Level • The router reads the source IP address of a packet. • For each bit position, the router checks the wildcard mask. • If “0”, the router checks the bit value of the Source IP address with the bit value of the Source Prefix for a “Match”. • If “1”, the router ignores that bit position.

  13. The last statement in all ACLs is an implied “deny any”. If a packet does not match any statements in the ACL, it is denied. The Last ACL Statement: “Deny Any”

  14. Apply the ACL • An ACL cannot filter traffic until it has been applied to an interface. • This is a security feature of the IOS. • You can safely write ACL statements without having the statements take an immediate affect on traffic. • The command syntax is the same for both Standard and Extended IP ACLs.

  15. Syntax for Applying IP ACLs router(config-if)#ip access-group {access-list-number|name} {in|out} • ACLs are applied to an interface. • The access-list-numberargument refers to the ACL written in global configuration. • Use the name argument to apply a named ACL. • The {in|out} argument specifies what direction the ACL should be applied. • Specifying in means “filter inbound packets”. • Specifying out means “filter outbound packets”.

  16. A common error is to forget the ip portion of the ip access-group command. Remember: routers are capable of routing multiple routed protocols. Don’t Forget the ip Part of the Command!

  17. Standard ACLs do not have a destination argument. Therefore, you place standard ACLs as close to the destination as possible. To see why, ask yourself what would happen to all IP traffic from RTA’s LAN if the ACL was applied as shown? Incorrect Placement of a Standard ACL

  18. In our example, we want to permit all LANs access to the Internet. Therefore, we will apply the ACL to RTA’s E1 interface and specify “out” as the direction. Correct Placement of a Standard ACL

  19. Remember: The last statement the router will apply is a implicit “deny any”. What if you want to write an ACL meant to deny specific types of traffic and permit everything else? Example: Deny RTB and RTC LANs access to RTA’s LAN, but allow all other traffic. Overriding the Implied “Deny Any”

  20. First, deny traffic from the two LANs. Second, permit all other traffic. 0.0.0.0 means “any source address”. 255.255.255.255 means “ignore all bit positions”. Third, apply the ACL to filter traffic going “out” E0. Writing a “permit any” Statement

  21. Instead of typing… permit 0.0.0.0 255.255.255.255 Type… permit any Substituting 0.0.0.0 255.255.255.255

  22. Filtering Traffic From a Single Host • What if a particular user is abusing Internet privileges? • How would you deny that host’s IP address, yet still permit everyone else? • Remember: A wildcard mask tells the router what bits to check.

  23. Example: Deny 192.168.5.65. Source prefix is the source IP address. Wildcard mask is “all 0s”, meaning check every bit position. Why is the deny statement listed first? Writing a “host” Statement

  24. Instead of typing… deny 192.168.5.65 0.0.0.0 Type… deny host 192.168.5.65 Notice the host keyword comes before the source prefix. Substituting the Host Wildcard, 0.0.0.0

  25. Masking Practice • Write an ip mask and wildcard mask to check for all hosts on the network: 192.5.5.0 255.255.255.0 • Answer: 192.5.5.0 0.0.0.255 • Notice that this wildcard mask is a mirror image of the default subnet mask for a Class C address. • WARNING: This is a helpful rule only when looking at whole networks or subnets.

  26. Masking Practice • Write an ip mask and wildcard mask to check for all hosts in the subnet: 192.5.5.32 255.255.255.224 • ANSWER: 192.5.5.32 0.0.0.31 • 0.0.0.31 is the mirror image of 255.255.255.224 • Let’s look at both in binary: • 11111111.11111111.11111111.11100000 (255.255.255.224) • 00000000.00000000.00000000.00011111 (0.0.0.31) • To prove this wildcard mask will work, let’s look at a host address within the .32 subnet--192.5.5.55 • 11000000.00000101.00000101.00110111 (192.5.5.55) host address • 11000000.00000101.00000101.00100000 (192.5.5.32) network address • 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask

  27. Masking Practice • Notice in the previous example (repeated below), some bits were colored blue. These bits are the bits that must match. • 11000000.00000101.00000101.00110111 (192.5.5.55) host address • 11000000.00000101.00000101.00100000 (192.5.5.32) network “ • 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask • Remember: a “0” bit in the wildcard mask means check the bit; a “1” bit in the wildcard mask means ignore. • The “0”s must match between the address of the packet (192.5.5.55) being filtered and the ip mask configured in the access list (192.5.5.32) • Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192? • Answer: 192.5.5.64 0.0.0.63

  28. Masking Practice • Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0? • Answer: 172.16.128.0 0.0.127.255 • Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a subnet mask of 255.255.252.0? • Answer: 172.16.16.0 0.0.3.255 • Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0? • Answer: 10.0.8.0 0.0.7.255 • By now, you should have the hang of ip mask and wildcard masks when dealing with a subnet. If not, go back & review.

  29. Wildcards Masks and Ranges • Used with ACLS to specify a host, network, or part of a network. • It’s helpful to understand block sizes • Used to specify a range of addresses. • Some block sizes available • 4 • 8 • 16 • 32 • 64

  30. Wildcards Masks and Ranges • When you need to specify a range of addresses, you choose the closest block size for your needs. • if you need to specify 34 networks, you need a black size of 64 • If you need to specify 18 hosts, you need a block size of 32 • If you only specify two networks, then you can use a block size of 5

  31. Wildcards Masks and Ranges • What if you want to specify only a small range of subnets? - use a block size • Example: block access to part of a network from 172.16.8.0 thru. 172.16.15.0 • Use block size of 8 (0.0.7.255) • Notice that the wildcard is one number less than the block size.

  32. Masking a Host Range • You’ll need to be able to deny a portion of a subnet while permitting another. • To mask a range of host within a subnet, it is often necessary to work on the binary level. • For example, students use the range 192.5.5.0to192.5.5.127 and teachers use the range 192.5.5.128to192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0 • How do you write an ip mask and wildcard mask to deny one group, yet permit another?

  33. Masking a Host Range • Let’s write the masks for the students. • First, write on the first and last host address in binary. Since the first 3 octets are identical, we can skip those. All their bits must be “0” • First Host’s 4th octet: 00000000 • Last Host’s 4th octet: 01111111 • Second, look for the leading bits that are shared by both (in blue below) • 00000000 • 01111111 • These “bits in common” are to be checked just like the common bits in the 192.5.5 portion of the addresses. Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

  34. Masking a Host Range • Third, add up the decimal value of the “1” bits in the last host’s address (127) • Finally, determine the ip mask and wildcard mask • The ip mask can be any host address in the range, but convention says use the first one • The wildcard mask is all “0”s for the common bits • 192.5.5.0 0.0.0.127 • What about the teachers? What would be their ip mask and wildcard mask? • 192.5.5.128 (10000000) to 192.5.5.255 (11111111) • Answer: 192.5.5.128 0.0.0.127 • Notice anything? What stayed the same? changed? Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

  35. Time Savers: the any command • Since ACLs have an implicit “deny any” statement at the end, you must write statements to permit others through. • Using our previous example, if the students are denied access and all others are allowed, you would write two statements: • Lab-A(config)#access-list 1 deny 192.5.5.0 0.0.0.127 • Lab-A(config)#access-list 1 permit 0.0.0.0 255.255.255.255 • Since the last statement is commonly used to override the “deny any,” Cisco gives you an option--the anycommand: • Lab-A(config)#access-list 1 permit any

  36. Time Savers: |the host command • Many times, a network administrator will need to write an ACL to permit a particular host (or deny a host). The statement can be written in two ways. Either... • Lab-A(config)#access-list 1 permit 192.5.5.10 0.0.0.0 • or... • Lab-A(config)#access-list 1 permit host 192.5.5.10

More Related