Types of IPv4 ACLs (4.4)This section compares IPv4 standard and extended ACLs. Show Standard and Extended ACLs (4.4.1)The previous sections describe the purpose of ACLs as well as guidelines for ACL creation. This section covers standard and extended ACLs and named and numbered ACLs, and it provides examples of placement of these ACLs. There are two types of IPv4 ACLs:
For example, Example 4-3 shows how to create a standard ACL. In this example, ACL 10 permits hosts on the source network 192.168.10.0/24. Because of the implied “deny any” at the end, all traffic except for traffic coming from the 192.168.10.0/24 network is blocked with this ACL. Example 4-3 Standard ACL ExampleR1(config)# access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)#In Example 4-4, the extended ACL 100 permits traffic originating from any host on the 192.168.10.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). Example 4-4 Extended ACL ExampleR1(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www R1(config)#Notice that the standard ACL 10 is only capable of filtering by source address, while the extended ACL 100 is filtering on the source and destination Layer 3 and Layer 4 protocol (for example, TCP) information. NOTE Full IPv4 ACL configuration is discussed in Chapter 5, “ACLs for IPv4 Configuration.” Numbered and Named ACLs (4.4.2)For IPv4, there are both numbered and named ACLs. Numbered ACLsACLs 1 to 99 and 1300 to 1999 are standard ACLs, while ACLs 100 to 199 and 2000 to 2699 are extended ACLs, as shown in Example 4-5. Example 4-5 Available ACL NumbersR1(config)# access-list ? <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <700-799> 48-bit MAC address access list rate-limit Simple rate-limit specific access list template Enable IP template acls Router(config)# access-listNamed ACLsUsing named ACLs is the preferred method when configuring ACLs. You can name standard and extended ACLs to provide information about the purpose of each ACL. For example, the extended ACL name FTP-FILTER is far easier to identify than the ACL number 100. The ip access-list global configuration command is used to create a named ACL, as shown in Example 4-6. NOTE Numbered ACLs are created using the access-list global configuration command. Example 4-6 Example of a Named ACLR1(config)# ip access-list extended FTP-FILTER R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data R1(config-ext-nacl)#The following are the general rules to follow for named ACLs:
Where to Place ACLs (4.4.3)Every ACL should be placed where it has the greatest impact on efficiency. Figure 4-5 illustrates where standard and extended ACLs should be located in an enterprise network. Say that the objective is to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network, without crossing the network infrastructure. Figure 4-5 Example of Where to Place ACLs Standard ACLs should be located as close to the destination as possible. If a standard ACL were placed at the source of the traffic, the “permit” or “deny” would occur based on the given source address, regardless of the traffic destination. Placement of an ACL and, therefore, the type of ACL used, may also depend on a variety of factors, as listed in Table 4-11. Table 4-11 ACL Placement Factors
Standard ACL Placement Example (4.4.4)Following the guidelines for ACL placement, standard ACLs should be located as close to the destination as possible. In Figure 4-6, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. Figure 4-6 Standard ACL Example Topology Following the basic placement guidelines, the administrator would place a standard ACL on router R3. There are two possible interfaces on R3 to which to apply the standard ACL:
Extended ACL Placement Example (4.4.5)Extended ACLs should be located as close to the source as possible to prevent unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination. However, an organization can only place ACLs on devices that it controls. Therefore, the extended ACL placement must be determined in the context of where organizational control extends. In Figure 4-7, for example, Company A wants to deny Telnet and FTP traffic to Company B’s 192.168.30.0/24 network from its 192.168.11.0/24 network while permitting all other traffic. Figure 4-7 Extended ACL Example Topology There are several ways to accomplish these goals. An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition, this solution would allow unwanted traffic to cross the entire network, only to be blocked at the destination, which would affect overall network efficiency. The solution is to place on R1 an extended ACL that specifies both source and destination addresses. There are two possible interfaces on R1 to apply the extended ACL:
CHECK YOUR UNDERSTANDING—GUIDELINES FOR ACL PLACEMENT (4.4.6) Refer to the online course to complete this activity. 8. Summary (4.5) | Next Section Previous Section Standard Access-List
Prerequisite – Access-lists (ACL) Standard Access-list – Features –
Note – Standard Access-list are less used as compared to extended access-list as the entire IP protocol suite will be allowed or denied for the traffic as it can’t distinguish between the different IP protocol traffic. Configuration – Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.40.0/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, want to deny connection from the sales department to the finance department and allow others to reach that network. Now, first configuring numbered standard access – list for denying any IP connection from sales to finance department. Here, like extended access-list, you cannot specify the particular IP traffic to be permitted or denied. Also, note that wildcard mask has been used (0.0.0.255 which means Subnet mask 255.255.255.0). 10 is used from the number standard access-list range. Now, as you already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of the access list then the traffic will be dropped. Now, you have to apply the access list on the interface of the router: As you remember that the standard access-list is generally applied to the destination and here also if you apply access-list close to the destination, it will satisfy our need, therefore, outbound to interface fa0/1 has been applied. Named standard Access-list example – Now, considering the same topology, you will make a named standard access list. By using this command you have made an access-list named blockacl. And then the same configuration you have done in numbered access-list. Standard access-list for Telnet example – Here, in the given figure, you want to deny telnet to the Finance department from any network. Configuring for the same: Article Tags : Computer Networks Practice Tags : Computer Networks Extended Access-List
Prerequisite – Access-lists (ACL), Standard Access-list Extended Access-list – Features –
Configuration – Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.10.40/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, we want to deny the FTP connection from the sales department to finance department and deny telnet to the Finance department from both the sales and marketing departments. Now, first configuring numbered extended access – list for denying FTP connection from sales to finance department. Here, we first create a numbered Access-list in which we use 110 (used from extended access-list range) and deny the sales network (172.16.40.0) to make an FTP connection to the finance network (172.16.50.0). Note – Here, as FTP uses TCP and port number 21. Therefore, we have to specify the permit or deny the condition according to the need. Also, after eq, we have to use the port number for the specified application layer protocol. Now, we have to deny telnet connection to finance department from both sales and Marketing department which means no one should telnet to finance department. Configuring for the same. Here, we have used the keyword any which means 0.0.0.0 0.0.0.0 i.e any IP address from any subnet mask. As telnet uses port number 23 therefore, we have to specify the port number 23 after eq. Now, this is the most important part. As we already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of Access-list then the traffic will be dropped. By specifying any any means that source having any IP address traffic will reach finance department except the traffic which it matches the above rules that we have made. Now, we have to apply the access-list on the interface of the router: As we remember, we have to apply the extended access-list as close as possible to source but here we have applied it to close to the destination because we have to block the traffic from both sales and marketing department, therefore, we have to apply it close to the destination here otherwise we have to make separate access-list for fa0/0 and fa1/0 inbound. Named access-list example – Now, considering the same topology, we will make a named extended access list. By using this command we have made an access-list named blockacl. And then the same configuration we have done in numbered access-list. Article Tags : Computer Networks Practice Tags : Computer Networks |