Network Bulls
www.networkbulls.com
Understanding the uses of access control lists (ACL) enables you to determine how to
implement them on your Cisco network. ACLs can provide an important network security
feature and filter packets on inbound and outbound router interfaces.
This section describes some of the applications for ACLs on Cisco networks, identifies the
different types of ACLs that can be implemented, and explains how Cisco IOS Software
processes ACLs.
206 Chapter 6: Managing Traffic with Access Control Lists
Understanding ACLs
To be able to configure and implement ACLs, you need to understand the capacity in which they
are used. Cisco devices use ACLs in two primary functions: classification and filtering. The
following explains each of these functions:
■ Classification: Routers also use ACLs to identify particular traffic. After an ACL has
identified and classified traffic, you can configure the router with instructions on how to
handle that traffic. For example, you can use an ACL to identify the executive subnet as the
traffic source and then give that traffic priority over other types of traffic on a congested WAN
link.
■ Filtering: As the number of router connections to outside networks and the use of the Internet
increase, access control presents new challenges. Network administrators face
the dilemma of how to deny unwanted traffic while allowing appropriate access. For example,
you can use an ACL as a filter to keep the rest of your network from accessing sensitive data
on the finance subnet.
Through classification and filtering, ACLs provide a powerful toolset in Cisco IOS. Consider the
network diagram in Figure 6-1. Using ACLs, administrators have the tools to block traffic from
the Internet, provide controlled access to manage Cisco IOS devices, and provide address
translation for private addresses such as the 172.16.0.0 network.
Figure 6-1 ACLs Provide Control
[Figure 6-1 labels: Internet, 172.17.0.0, 172.16.0.0, Administrator Console]
Filtering is the function of ACLs that people identify most readily. ACLs offer an important tool
for controlling traffic on the network. Packet filtering helps control packet movement through the
network. Figure 6-2 shows an example of ACLs filtering traffic transmission in and out of a
physical interface or to the Telnet session of a Cisco IOS device.
Figure 6-2 ACL Filtering
Cisco provides ACLs to permit or deny the following:
■ The crossing of packets to or from specified router interfaces and traffic going through the
router
■ Telnet traffic into or out of the router vty ports for router administration
By default, all IP traffic is permitted in and out of all the router interfaces.
When the router discards packets, some protocols return a special packet to notify the sender that
the destination is unreachable. For the IP protocol, an ACL discard results in a “Destination
unreachable (U.U.U.)” response to a ping and an “Administratively prohibited (!A * !A)”
response to a traceroute.
IP ACLs can classify and differentiate traffic. Classification enables you to assign special handling
for traffic that is defined in an ACL, such as the following:
■ Identify the type of traffic to be encrypted across a virtual private network (VPN) connection.
■ Identify the routes that are to be redistributed from one routing protocol to another.
■ Use with route filtering to identify which routes are to be included in the routing updates
between routers.
■ Use with policy-based routing to identify the type of traffic that is to be routed across a
designated link.
■ Use with Network Address Translation (NAT) to identify which addresses are to be translated.
■ Use with quality of service (QoS) to identify which packets should be scheduled in a given
queue during times of congestion.
Figure 6-3 shows some examples of using ACLs for traffic classification, such as which traffic to
encrypt across the VPN, which routes should be redistributed between Open Shortest Path First
(OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP), and which addresses to
translate using NAT.
Figure 6-3 ACLs Identify Traffic
ACL Operation
ACLs express the set of rules that give added control for packets that enter inbound interfaces,
packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs
do not act on packets that originate from the router. Instead, ACLs are statements that specify
conditions of how the router handles the traffic flow through specified interfaces.
ACLs operate in two ways:
■ Inbound ACLs: Incoming packets are processed before they are routed to an outbound
interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the
packet will be discarded after it is denied by the filtering tests. If the packet is permitted by
the tests, it is processed for routing.
■ Outbound ACLs: Incoming packets are routed to the outbound interface and then processed
through the outbound ACL.
Figure 6-4 shows an example of an outbound ACL.
Figure 6-4 Outbound ACL Operation
When a packet enters an interface, the router checks the routing table to see if the packet is
routable. If the packet is not routable, it is dropped.
Next, the router checks to see whether the destination interface is grouped to an ACL. If the
destination interface is not grouped to an ACL, the packet can be sent to the output buffer.
Examples of outbound ACL operations are as follows:
■ If the outbound interface is S0, which has not been grouped to an outbound ACL, the packet
is sent to S0 directly.
■ If the outbound interface is S1, which has been grouped to an outbound ACL, the packet is
not sent out on S1 until it is tested by the combination of ACL statements that are associated
with that interface. Based on the ACL tests, the packet is permitted or denied.
For outbound lists, “to permit” means to send the packet to the output buffer, and “to deny” means
to discard the packet.
With an inbound ACL, when a packet enters an interface, the router checks to see whether the
source interface is grouped to an ACL. If the source interface is not grouped to an ACL, the router
checks the routing table to see if the packet is routable. If the packet is not routable, the router
drops the packet. Examples of inbound ACL operations are as follows:
■ If the inbound interface is S0, which has not been grouped to an inbound ACL, the packet is
processed normally, and the router checks to see whether the packet is routable.
■ If the inbound interface is S1, which has been grouped to an inbound ACL, the packet is not
processed, and the routing table is not consulted until it is tested by the combination of ACL
statements that are associated with that interface. Based on the ACL tests, the packet is
permitted or denied.
For inbound lists, “to permit” means to continue to process the packet after receiving it on an
inbound interface, and “to deny” means to discard the packet.
ACL statements operate in sequential, logical order. They evaluate packets from the top down, one
statement at a time. If a packet header and an ACL statement match, the rest of the statements in
the list are skipped, and the packet is permitted or denied as determined by the matched statement.
If a packet header does not match an ACL statement, the packet is tested against the next statement
in the list. This matching process continues until the end of the list is reached. Figure 6-5 shows
the logical flow of statement evaluation.
Figure 6-5 ACL Evaluation
[Figure 6-5 flowchart: the packet is tested against each statement in turn (Match? Y: Permit or Deny; N: Last Test?); if no statement matches, the implicit deny sends the packet to the discard bucket; permitted packets go on to their destination through the interface or interfaces in the access group.]
A final implied statement covers all packets for which conditions did not test true. This final test
condition matches all other packets and results in a “deny” instruction. Instead of proceeding into
or out of an interface, the router drops all of these remaining packets. This final statement is often
referred to as the “implicit deny any statement.” Because of this statement, an ACL should have at
least one permit statement in it; otherwise, the ACL blocks all traffic. This implicit deny all will
not show up in the router configuration. In many of the examples in this text, it will be added as a
reminder.
You can apply an ACL to multiple interfaces. However, only one ACL can exist per protocol, per
direction, and per interface.
Types of ACLs
IPv4 ACLs come in various types. These differing ACLs are used depending on the functionality
required. The types of ACLs can be classified as follows:
■ Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed.
The result either permits or denies the output for an entire protocol suite, based on the source
network, subnet, or host IP address.
■ Extended ACLs: Extended IP ACLs check both the source and destination packet addresses.
They can also check for specific protocols, port numbers, and other parameters, which allow
administrators more flexibility and control.
You can use two methods to identify standard and extended ACLs:
■ Numbered ACLs use a number for identification.
■ Named ACLs use a descriptive name or number for identification.
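The top-down, first-match evaluation with its implicit deny (ACL Operation above) and the standard versus extended distinction (Types of ACLs) as an added Python model; this is not code from the original text or from Cisco IOS. It parses numbered access-list lines in IOS syntax and assumes contiguous wildcard masks, only the 1-99 (standard) and 100-199 (extended) number ranges, and at most a destination "eq" port; the finance-subnet addresses are constructed.

```python
import ipaddress

def _net(addr, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    (assumes a contiguous wildcard, i.e. the inverse of a subnet mask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    network = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((network, bin(mask).count("1")))

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return _net(tok, tokens.pop(0))

def parse_acl(lines):
    """Parse numbered 'access-list' lines into (action, src, dst, proto, dport)
    tuples; numbers 1-99 are standard (source only), 100-199 are extended."""
    entries = []
    for line in lines:
        tok = line.split()
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:
            entries.append((action, _addr(rest), None, "ip", None))
        else:  # extended: proto, source, destination, optional "eq <dst port>"
            proto, src, dst = rest.pop(0), _addr(rest), _addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append((action, src, dst, proto, dport))
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None):
    """Top-down, first match wins; reaching the end of the list is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, (action, e_src, e_dst, e_proto, e_port) in enumerate(entries, 1):
        if (s in e_src and (e_dst is None or d in e_dst)
                and e_proto in ("ip", proto) and e_port in (None, dport)):
            return action, n      # the statement number that decided the packet
    return "deny", None           # implicit "deny any": no statement matched

# Constructed sample: only HTTPS from 172.16.0.0/16 may reach the finance host
# 172.17.1.10, anything else to 172.17.1.0/24 is dropped, all other traffic passes.
FINANCE_ACL = parse_acl([
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 172.17.1.10 eq 443",
    "access-list 101 deny ip any 172.17.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
])
```

A list containing only deny statements returns ("deny", None) for every packet, which is the "no permit statement means the ACL blocks all traffic" caveat from the text.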