5 ACLs

5.0 Introduction

5.0.1 Introduction

Page 1:
Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.

Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs.

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of your network. You can configure ACLs for all routed network protocols.

The most important reason to configure ACLs is to provide security for your network. This chapter explains how to use standard and extended ACLs as part of a security solution and teaches you how to configure them on a Cisco router. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.


5.0.1 - Chapter Introduction
The diagram depicts the chapter objectives:
- Explain how ACL's are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACL's, how ACL's are used to control access, and the types of Cisco ACL's.
- Configure standard ACL's in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACL's to filter traffic, and applying standard ACL's to router interfaces.
- Configure extended ACL's in a medium-size enterprise branch office network, including configuring extended ACL's and named ACL's, configuring filters, verifying and monitoring ACL's, and troubleshooting extended ACL issues.
- Describe complex ACL's in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACL's, verifying and troubleshooting complex ACL's, and explaining relevant caveats.


5.1 Using ACLs to Secure Networks

5.1.1 A TCP Conversation

Page 1:
ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses. However, ACLs can also be configured to control network traffic based on the TCP port being used. To understand how an ACL works with TCP, let us look at the dialogue that occurs during a TCP conversation when you download a webpage to your computer.

When you request data from a web server, IP takes care of the communication between the PC and the server. TCP takes care of the communication between your web browser (application) and the network server software. When you send an e-mail, look at a webpage, or download a file, TCP is responsible for breaking data down into packets for IP before they are sent, and for assembling the data from the packets when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another.

Recall that TCP provides a connection-oriented, reliable, byte stream service. The term connection-oriented means that the two applications using TCP must establish a TCP connection with each other before they can exchange data. TCP is a full-duplex protocol, meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow-control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion-control mechanism.

Click the play button in the figure to view the animation.

The animation shows how a TCP/IP conversation takes place. TCP packets are marked with flags that denote their purpose: a SYN starts (synchronizes) the session; an ACK is an acknowledgment that an expected packet was received, and a FIN finishes the session. A SYN/ACK acknowledges that the transfer is synchronized. TCP data segments include the higher level protocol needed to direct the application data to the correct application.

Click the TCP/UDP Port Numbers button in the figure.

The TCP data segment also identifies the port matching the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21. The figure shows examples of UDP and TCP ports.

Click the buttons in the figure to explore TCP/UDP ports.


5.1.1 - A TCP Conversation
The animation depicts a TCP conversation and TCP/UDP port number ranges.

A TCP conversation:
In the animation, a client PC initiates a TCP conversation with a server. As the animation progresses, arrows pass between the client and server illustrating the process.
A TCP SYN packet is initially sent from the client PC to the server. The conversation goes as follows:

Client PC: "Let's talk." - TCP SYN packet
Server: "Sure, let's talk." - TCP SYN/ACK packet
Client PC: "Great, we have a connection." - TCP ACK packet
Client PC: "I need you to send me some data." - TCP data segment
Server: "Thanks, I received your request." - TCP ACK packet
Server: "Here is the data you want." - TCP data segments
Client PC: "Thanks. I received my data." - TCP ACK packet
Server: "I am finished and have no more data to send." - TCP FIN/ACK packet
Client PC: "I am finished as well. Thanks." - TCP FIN/ACK packet

TCP/UDP Port Numbers:
Port Number Range: 0 to 1023
Port Group: Well Known (common) Ports
Well Known TCP Port examples:
- 21 - FTP
- 23 - Telnet
- 25 - SMTP
- 80 - HTTP
- 110 - POP3
- 194 - Internet Relay Chat (IRC)
- 443 - Secure HTTP (HTTPS)
Well Known UDP Port examples:
- 69 - TFTP
- 520 - RIP
Well Known TCP/UDP Common Port examples:
- 53 - DNS
- 161 - SNMP
- 531 - AOL Instant Messenger, IRC

Port Number Range: 1024 to 49151
Port Group: Registered Ports
Registered TCP Port examples:
- 1863 - MSN Messenger
- 8008 - Alternate HTTP
- 8080 - Alternate HTTP

Registered UDP Port examples:
- 1812 - RADIUS Authentication Protocol
- 2000 - Cisco SCCP (VoIP)
- 5004 - RTP (Voice and Video Transport Protocol)
- 5060 - SIP (VoIP)

Registered TCP/UDP Common Port examples:
- 1433 - MSSQL
- 2948 - WAP (MMS)

Port Number Range: 49152 to 65535
Port Group: Private and Dynamic Ports


5.1.2 Packet Filtering

Page 1:
Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.

Recall that an ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:

  • Source IP address
  • Destination IP address
  • ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:

  • TCP/UDP source port
  • TCP/UDP destination port

Click the buttons in the figure for an overview of how an ACL allows or denies a packet. Although the animations display packet filtering occurring at Layer 3, it should be noted that filtering could also occur at Layer 4.


5.1.2 - Packet Filtering
The animation depicts packet filtering and the Open Systems Interconnection (OSI) model. Packet filtering works at the Network Layer (Layer 3) of the OSI model or at the Internet Layer of TCP/IP.

The animation shows what happens to a packet when it is allowed and when it is denied.

Allowed:
As the animation progresses, an unknown packet comes from the Physical Layer and travels up through the Data Link Layer to the Network Layer. The packet passes the test and is allowed to travel from the Network Layer, down to the Data Link Layer, then to the Physical Layer and continues on its way.

Denied:
As the animation progresses, an unknown packet comes from the Physical Layer and travels up through the Data Link Layer to the Network Layer. The packet fails the test, so it is prevented from passing, and the packet is discarded.


Page 2:
Packet Filtering Example

To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list.

For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.

For this scenario, the packet filter looks at each packet as follows:

  • If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access is denied to those users.
  • If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access is permitted.

This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3.


5.1.2 - Packet Filtering
The diagram depicts a packet filtering example using a flowchart. A frame with an IP packet encapsulated inside is shown. The packet filter looks at each packet. If the packet is from network A using port 80, it is allowed to pass. All other access is denied to those users. If the packet is from network B using port 80, it is blocked. However, all other access is permitted.


5.1.3 What is an ACL?

Page 1:
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet.

By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

Here are some guidelines for using ACLs:

  • Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
  • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
  • Configure ACLs on border routers, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
  • Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

Click the ACLs on a Router button in the figure.

The Three Ps

A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface:

  • One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
  • One ACL per direction-ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
  • One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0.

Writing ACLs can be a challenging and complex task. Every interface can have multiple protocols and directions defined. The router in the example has two interfaces configured for IP, AppleTalk, and IPX. This router could possibly require 12 separate ACLs: one ACL for each protocol, times two for each direction, times two for the number of ports.

ACLs perform the following tasks:

  • Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
  • Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
  • Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
  • Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
  • Control which areas a client can access on a network.
  • Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers. In addition to either permitting or denying traffic, an ACL can classify traffic to enable priority processing down the line. This capability is similar to having a VIP pass at a concert or sporting event. The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as being able to enter a restricted area and be escorted to their box seats.


5.1.3 - What Is an ACL?
The diagram depicts ACL's in a network and an explanation of what an ACL is. Some characteristics and rules for applying ACL's on a router are provided.

What is an ACL?
Network Topology:
There are three LAN's with switches S1, S2, and S3. PC1, PC2, and PC3 are interconnected by routers R1, R2, and R3.
- PC1 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.
- PC3 is connected to switch S3, which is connected to router R3 on its FA0/0 interface.
- Router R1 S0/0/0 WAN interface is connected to router R2 S0/0/0.
- Router R3 S0/0/0 WAN interface is connected to router R2 S0/0/1.
- Router R2 S0/0/2 serial interface is connected to the Internet cloud.
- Router R3 S0/0/1 serial interface is connected to the HR subnet 172.17.0.0/20.

An ACL applied to R1 FA0/0 states: No video to S1, and no access to S2 for S1.
An ACL applied to R3 FA0/0 states: No updates, no FTP, and no Web.
An ACL applied to R3 S0/0/0 states: HR access.
An ACL applied to R2 S0/0/2 states: Allow e-mail and deny Telnet.

ACL's on a Router:
A router is shown, and an explanation of interfaces, protocols, and direction is presented. Protocols listed are IP, IPX, and AppleTalk, although IPX and AppleTalk are rarely used in today's enterprise networks. The diagram text states: With two interfaces and three protocols running, this router could have a total of 12 separate ACL's applied.

The three P's for using ACL's:
You can only have one ACL per protocol, per interface, and per direction.
One ACL per protocol (for example, IP or IPX).
One ACL per interface (for example, FastEthernet0/0).
One ACL per direction (for example, IN or OUT).


5.1.4 ACL Operation

Page 1:
How ACLs Work

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.

  • Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
  • Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.

The figure shows the logic for an inbound ACL. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.

A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

You can apply an ACL to multiple interfaces. However, there can be only one ACL per protocol, per direction, and per interface.

Click the Outbound ACLs button in the figure.

The figure shows the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. Examples of outbound ACL operation are as follows:

  • If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.
  • If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.


5.1.4 - ACL Operation
The diagram depicts flowcharts that illustrate how inbound and outbound ACL's work.

Inbound ACL's:
- A block labeled "Packets to interfaces in the access group" starts the flowchart.
- The packet then goes through a series of tests to see if it matches those tests.
- If the packet does not match the first test, it goes to the second test.
- If it fails to match any of the tests, it is implicitly denied and discarded.
- If it matches one of the tests, the next decision is whether it is to be permitted or denied.
- If permitted, the packet is allowed to pass to the destination interface.
- If denied, the packet is discarded.

Outbound ACL's:
- An arrow labeled "Inbound Interface Packets" starts the flowchart.
- A decision is made based on whether there is a routing table entry for the destination address.
- If there is an entry, the packet is forwarded to the outbound interface.
- If there is no entry, the packet is discarded.
- If there is no ACL on the outbound interface, the packet is sent to its destination.
- If there is an ACL on the outbound interface, the packet goes through a series of tests to see if it matches those tests.
- If it fails to match any of the tests, it is implicitly denied and discarded.
- If it matches one of the tests, the next decision is whether it is to be permitted or denied.
- If permitted, the packet is allowed to pass through the outbound interface.
- If denied, the packet is discarded.


Page 2:
ACL and Routing and ACL Processes on a Router

The figure shows the logic of routing and ACL processes on a router. When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its own or if the frame is a broadcast frame.

If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list.

If the packet matches a statement, the packet is either accepted or rejected. If the packet is accepted in the interface, it is then checked against routing table entries to determine the destination interface and switched to that interface.

Next, the router checks whether the destination interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.

If the packet matches a statement, it is either accepted or rejected.

If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

The Implied "Deny All Traffic" Criteria Statement

At the end of every access list is an implied "deny all traffic" criteria statement. It is also sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.

There is a key caveat associated with this "deny all" behavior: For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.


5.1.4 - ACL Operation
The diagram depicts a flowchart that merges the inbound and outbound flowcharts previously described and conveys similar information.


5.1.5 Types of Cisco ACLs

Page 1:
There are two types of Cisco ACLs, standard and extended.

Standard ACLs

Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. The example allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.

Click the Extended ACL button in the figure.

Extended ACLs

Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP). Extended ACLs are created in global configuration mode.

The commands for ACLs are explained in the next few topics.


5.1.5 - Types of Cisco ACL's
The diagram depicts information on the two types of Cisco ACL's, standard and extended.

Standard ACL's:
Standard ACL's filter IP packets based on the source address only.
Example: access-list 10 permit 192.168.30.0 0.0.0.255

Extended ACL's:
Extended ACL's filter IP packets based on several attributes, including the following:
- source and destination IP addresses
- source and destination TCP or UDP ports
- protocol type (IP, ICMP, UDP, TCP, or protocol number)
Example: access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
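The matching logic described in 5.1.2, 5.1.4 and 5.1.5 (top-down, first match wins, implied "deny all traffic" at the end, wildcard masks) as an added Python model; this is example code written for this page, not Cisco IOS code. It parses the page's own ACL 10 and ACL 103 statements plus a constructed ACL 110 for the network A / network B web-access example (addresses for A and B are assumed), and supports only numbered IP ACLs with `any`, `host`, wildcard pairs and `eq <port number>`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:                 # constructed packet header fields for the model
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    proto: str = "ip"         # "tcp", "udp", "icmp"; standard ACLs ignore this
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:                  # one parsed access-list statement
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every IP protocol
    src_net: int
    src_wild: int             # Cisco wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]      # only "eq <number>" is modelled here


STANDARD = ((1, 99), (1300, 1999))       # numbered ranges from 5.1.7
EXTENDED = ((100, 199), (2000, 2699))


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return (net, wildcard, next i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if i + 1 < len(t):
        return _ip(t[i]), _ip(t[i + 1]), i + 2
    return _ip(t[i]), 0, i + 1           # bare address in a standard ACL means one host


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> permit|deny ...' statement (numbered IP ACLs only)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL statement: {line!r}")
    number, action = int(t[1]), t[2]
    if any(lo <= number <= hi for lo, hi in STANDARD):   # standard: source only
        src, swild, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, swild, 0, 0xFFFFFFFF, None)
    if any(lo <= number <= hi for lo, hi in EXTENDED):   # extended: proto, src, dst, port
        src, swild, i = _parse_addr(t, 4)
        dst, dwild, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(action, t[3], src, swild, dst, dwild, dport)
    raise ValueError(f"ACL {number} is not an IP ACL number")


def _addr_match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF            # bits that must match exactly
    return (addr & care) == (net & care)


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(_ip(p.src), e.src_net, e.src_wild)
            and _addr_match(_ip(p.dst), e.dst_net, e.dst_wild)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[str], p: Packet) -> Tuple[str, Optional[int]]:
    """Test top-down; the first matching statement decides. A None index is the implicit deny."""
    for n, line in enumerate(acl):
        e = parse_entry(line)
        if matches(e, p):
            return e.action, n
    return "deny", None                  # the implied "deny all traffic" statement


# The page's own examples from 5.1.5.
ACL_10 = ["access-list 10 permit 192.168.30.0 0.0.0.255"]
ACL_103 = ["access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80"]

# The 5.1.2 policy: web only from network A; everything except web from network B.
NET_A, NET_B = "192.168.10.0 0.0.0.255", "192.168.11.0 0.0.0.255"   # assumed addresses
ACL_110 = [
    f"access-list 110 permit tcp {NET_A} any eq 80",
    f"access-list 110 deny tcp {NET_B} any eq 80",
    f"access-list 110 permit ip {NET_B} any",
]
# Same statements with the last two swapped: the deny is now unreachable (order is critical).
ACL_110_MISORDERED = [ACL_110[0], ACL_110[2], ACL_110[1]]


def routing_update_caveat() -> Tuple[str, str]:
    """Inbound ACL 103 drops a RIP update (UDP 520, see 5.1.1) until a permit for it is added."""
    rip = Packet("192.168.30.1", "224.0.0.9", "udp", 520)          # constructed RIP update
    before, _ = evaluate(ACL_103, rip)
    after, _ = evaluate(ACL_103 + ["access-list 103 permit udp any any eq 520"], rip)
    return before, after
```

Running `routing_update_caveat()` returns `('deny', 'permit')`, which is the 5.1.4 caveat: routing updates fall through to the implicit deny unless an explicit permit statement is present.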


5.1.6 How a Standard ACL Works

Page 1:
A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses. The destination of the packet and the ports involved are not covered.

The decision process is mapped in the figure. Cisco IOS software tests addresses against the conditions one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

The two main tasks involved in using ACLs are as follows:

Step 1. Create an access list by specifying an access list number or name and access conditions.

Step 2. Apply the ACL to interfaces or terminal lines.


5.1.6 - How a Standard ACL Works
The diagram depicts a flowchart that illustrates how a standard ACL works.

The decision points along the "YES" path of the flowchart are as follows:
- Is this an IP packet?
- Is there a standard ACL on this interface?
- Does the source address match the ACL list entry?
- If yes, permit or deny?
- If deny, discard packet.
- If permit, is the destination IP address in the routing table?
- If no, discard packet.
- If yes, send to outgoing interface.

If the answer to each of the decisions is "Yes" or "Permit," the packet is sent to the outgoing interface.


5.1.7 Numbering and Naming ACLs

Page 1:
Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

The figure summarizes the rule to designate numbered ACLs and named ACLs.

Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.


5.1.7 - Numbering and Naming ACL's
The diagram depicts information regarding numbered and named ACL's.

Numbered ACL:
You assign a number based on which protocol you want filtered:
- (1 to 99) and (1300 to 1999): Standard IP ACL
- (100 to 199) and (2000 to 2699): Extended IP ACL

Named ACL:
You assign a name by providing the name of the ACL:
- Names can contain alphanumeric characters.
- It is suggested that the name be written in capital letters.
- Names cannot contain spaces or punctuation and must begin with a letter.
- You can add or delete entries within the ACL.


5.1.8 Where to Place ACLs

Page 1:
The proper placement of an ACL to filter undesirable traffic makes the network operate more efficiently. ACLs can act as firewalls to filter packets and eliminate unwanted traffic. Where you place ACLs can reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not use network resources along the route to that destination.

Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:

  • Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
  • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Let us consider an example of where to place ACLs in our network. The interface and network location is based on what you want the ACL to do.

In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from getting to the 192.168.30.0/24 network. An ACL on the outbound interface of R1 denies R1 the ability to send traffic to other places as well. The solution is to place a standard ACL on the inbound interface of R3 to stop all traffic from the source address 192.168.10.0/24. A standard ACL meets the needs because it is only concerned with source IP addresses.

Click the Extended ACL button in the figure.

Consider that administrators can only place ACLs on devices that they control. Therefore, placement must be determined in the context of where the control of the network administrator extends. In this figure, the administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as Ten and Eleven, respectively, in this example) wants to deny Telnet and FTP traffic from Eleven to the 192.168.30.0/24 network (Thirty, in this example). At the same time, other traffic must be permitted to leave Ten.

There are several ways to do this. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the administrator does not control R3. That solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination. This affects overall network efficiency.

One solution is to use an outbound extended ACL that specifies both source and destination addresses (Eleven and Thirty, respectively), and says, "Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1.

A disadvantage of this solution is that traffic from Ten would also be subject to some processing by the ACL, even though Telnet and FTP traffic is allowed.

The better solution is to move closer to the source and place an extended ACL on the inbound Fa0/2 interface of R1. This ensures that packets from Eleven do not enter R1, and subsequently cannot cross over into Ten, or even enter R2 or R3. Traffic with other destination addresses and ports is still permitted through R1.


5.1.8 - Where to Place ACL's
The diagram depicts a network and the placement of standard and extended ACL's.

Network Topology:
There are three LAN's with switches S1, S2, and S3. PC1, PC2, and PC3 are interconnected by routers R1, R2, and R3. The R1 LAN is 192.168.10.0/24, and the R3 LAN is 192.168.30.0/24.
- PC1 is connected to switch S1, which is connected to router R1 on its FA0/1 interface.
- PC2 is connected to switch S2, which is connected to router R2 on its FA0/2 interface.
- PC3 is connected to switch S3, which is connected to router R3 on its FA0/1 interface.
- Router R1 S0/0/0 WAN interface is connected to router R2 S0/0/0.
- Router R3 S0/0/1 WAN interface is connected to router R2 S0/0/1.

Standard ACL:
A bubble points to R3 interface S0/0/1 that states: Standard ACL 99 to block any traffic from R1.

Extended ACL:
A bubble points to R1 interface FA0/2 that states: Extended ACL 102 to stop Telnet and FTP traffic from leaving this network.


5.1.9 General Guidelines for Creating ACLs

Page 1:
ACL Best Practices

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Before starting to configure an ACL, basic planning is required. The figure presents guidelines that form the basis of an ACL best practices list.


5.1.9 - General Guidelines for Creating ACL's
The diagram depicts ACL best practices with guidelines and benefits.

Guideline: Base your ACL's on the security policy of the organization.
Benefit: Ensures that you implement organizational security guidelines.

Guideline: Prepare a description of what you want your ACL's to do.
Benefit: Helps you avoid inadvertently creating potential access problems.

Guideline: Use a text editor to create, edit, and save ACL's.
Benefit: Helps you create a library of reusable ACL's.

Guideline: Test your ACL's on a development network before implementing them on a production network.
Benefit: Helps you avoid costly errors.


Page 2:


5.1.9 - General Guidelines for Creating ACL's
The diagram depicts multiple activities.

Activity One:
In this activity, you select the appropriate word or phrase to fill in the BLANK and complete the sentence. Not all words are used, and some words may be used more than once.

Sentences:
One. An Access Control List (ACL) is a router configuration script that controls whether a router will BLANK or BLANK packets based on criteria found in the packet header.

Two. ACL's are often used in BLANK routers that are positioned between your internal network and an external network.

Three. A router with three active interfaces and two network protocols (IP and IPX) can have as many as BLANK active ACL's.

Four. For inbound ACL's, incoming packets are processed BLANK they are routed to an outbound interface.

Five. For outbound ACL's, incoming packets are processed BLANK they are routed to an outbound interface.

Six. At the end of every access list is an implied BLANK all traffic criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be BLANK.

Words:
A.twelve
B.six
C.while
D.permit
E.before
F.blocked
G.allowed
H.deny
I.firewall
J.after
K.three

Activity Two:
In this activity, you indicate whether the statement applies to standard or extended ACL's or both.

Statements:
Can filter traffic based on the source IP address.
Can filter traffic based on the destination IP address.
Can filter traffic based on the protocol type.
Uses numbers 1 to 99.
Uses numbers 100 to 199.
Uses numbers 1300 to 1999.
Can use a name instead of a number.

Activity Three:
In this activity, you evaluate the network policies and diagram to determine the best placement for one standard ACL and one extended ACL.

Network Policies:
Policy 1: Use a standard ACL to stop the 192.168.10.0/24 network from accessing the Internet through the ISP.

Policy 2: Use an extended ACL to stop the 192.168.30.0/24 network from accessing the Web/TFTP server.

Network Topology:
There are three LAN's with switches S1, S2, and S3. PC1, PC2, and PC3 are interconnected by routers R1, R2, and R3.

- PC1 is connected to switch S1, which is connected to router R1 on its FA0/0 interface. This is local network 192.168.10.0/24.
- PC2 is connected to switch S2, which is connected to router R1 on its FA0/1 interface. This is local network 192.168.11.0/24.
- PC3 is connected to switch S3, which is connected to router R3 on its FA0/1 interface. This is local network 192.168.30.0/24.
- Router R1 S0/0/0 WAN interface is connected to router R2 S0/0/0.
- Router R3 S0/0/1 WAN interface is connected to router R2 S0/0/1.
- Router R2 S0/1/0 serial interface is connected to the ISP.
- Router R2 FA0/1 interface is connected to the Web/TFTP server.

Potential placement locations
Select only one location for each ACL (one for the standard ACL and one for the extended ACL).
- Router R1 interface FA0/0
- Router R1 interface S0/0/0
- Router R2 interface FA0/1
- Router R2 interface S0/1/0
- Router R3 interface FA0/1
- Router R3 interface S0/0/1


5.2 Configuring Standard ACLs

5.2.1 Entering Criteria Statements

Page 1:
Before beginning to configure a standard ACL, we will review important ACL concepts covered in Section 1.

Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur in the router. The router continues to process the ACL statements until it has a match. For this reason, you should have the most frequently used ACL entry at the top of the list. If no matches are found when the router reaches the end of the list, the traffic is denied because ACLs have an implied deny for all traffic not meeting any of the tested criteria. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

For example, the two ACLs (101 and 102) in the figure have the same effect. Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.


5.2.1 - Entering Criteria Statements
The diagram depicts entering criteria statements for extended ACL's.

Network Topology:
There are two LAN's with switches S1 and S2. PC1 and PC2 are interconnected by router R1. The S1 LAN is 192.168.10.0/24, and the S2 LAN is 192.168.11.0/24.
- PC1 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.

ACL 101:
Access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

ACL 102:
Access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Access-list 102 deny ip any any

In the above examples, the two ACL's (101 and 102) have the same effect. Network 192.168.10.0 is permitted to access network 192.168.30.0, and 192.168.11.0 is not allowed.


5.2.2 Configuring a Standard ACL

Page 1:
Standard ACL Logic

In the figure, packets that come in Fa0/0 are checked for their source addresses:

access-list 2 deny host 192.168.10.1

access-list 2 permit 192.168.10.0 0.0.0.255

access-list 2 deny 192.168.0.0 0.0.255.255

access-list 2 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped at the incoming interface.



The diagram depicts a specific standard ACL example and a flowchart indicating the logic that the ACL applies to incoming packets.

Packets that come in FA0/0 are checked for their source addresses using the following ACL statements:

Statement One: access-list 2 deny 192.168.10.1
Effect: If the source address is from host 192.168.10.1, deny the packet. Otherwise, go to the next test statement.

Statement Two: access-list 2 permit 192.168.10.0 0.0.0.255
Effect: If the source address is from network 192.168.10.0, permit the packet. Otherwise, go to the next test statement.

Statement Three: access-list 2 deny 192.168.0.0 0.0.255.255
Effect: If the source address is from network 192.168.0.0, deny the packet. Otherwise, go to the next test statement.

Statement Four: access-list 2 permit 192.0.0.0 0.255.255.255
Effect: If the source address is from network 192.0.0.0, permit the packet. Otherwise, deny the packet (implicit deny).
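The first-match logic described above, as an added example that is not part of the original curriculum: a small Python model of a numbered standard ACL that parses the four statements of ACL 2, tests a source address against them in order, and falls through to the implicit deny when nothing matches. The parser, function names and sample addresses are my own.

```python
"""Standard ACL first-match evaluator: an added example, not Cisco code.

Each packet's source address is tested against the entries in the order
they were entered; the first match decides, and a packet that matches no
entry is dropped by the implicit deny at the end of the list.
"""
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must equal base; bit 1 = ignore it."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny source [wildcard]' lines.

    Accepts the host and any keywords, a bare address (wildcard 0.0.0.0,
    as IOS assumes), and skips remark lines. Returns (action, base,
    wildcard) tuples in the order entered, which is the order tested.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        src = tokens[3:]
        if src[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wildcard = src[1], "0.0.0.0"
        else:
            base = src[0]
            wildcard = src[1] if len(src) > 1 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def evaluate(entries, source_addr: str):
    """Return (decision, index) for a packet with the given source address.

    index is the 0-based entry that matched, or None when the implicit
    deny at the end of the list was reached.
    """
    for i, (action, base, wildcard) in enumerate(entries):
        if wildcard_match(source_addr, base, wildcard):
            return action, i
    return "deny", None  # implicit deny all


# ACL 2 exactly as shown in the figure
ACL_2 = parse_standard_acl([
    "access-list 2 deny host 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
])

if __name__ == "__main__":
    # Constructed sample sources, one per branch of the flowchart
    for src in ("192.168.10.1", "192.168.10.50", "192.168.11.7",
                "192.1.2.3", "10.0.0.1"):
        print(src, "->", evaluate(ACL_2, src))
```

Note that an ACL consisting of a single deny entry denies every source, because the only explicit entry and the implicit deny both drop the packet.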


Page 2:
Configuring Standard ACLs

To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.

The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to provide a maximum of 799 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

The full syntax of the standard ACL command is as follows:

Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

The full syntax of the standard ACL command to filter a specific host is as follows:

Router(config)#access-list access-list-number [deny | permit] source [log]

The figure provides a detailed explanation of the syntax for a standard ACL.

For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0 /24, you would enter:

R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255

Click the Remove ACL button in the figure.

The no form of this command removes a standard ACL. In the figure, the output of the show access-list command displays the current ACLs configured on router R1.

To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.

Click the Remark button in the figure.

Typically, administrators create ACLs and fully understand the purpose of each statement within the ACL. However, when an ACL is revisited at a later time, that purpose may no longer be as obvious as it once was.

The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration, the remark is also displayed.

The next topic explains how to use wildcard masking to identify specific networks and hosts.


5.2.2 - Configuring a Standard ACL
The diagram depicts standard ACL access-list command syntax. Parameters are listed along with a description of what they do. The process of removing an ACL and using the remark command are also covered.

Standard ACL Command Syntax:

The full syntax of the standard ACL command is as follows:

Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

Parameter: access-list-number
Description: Number of an ACL. This is a decimal number from 1 to 99, or 1300 to 1999 for a standard ACL.

Parameter: deny
Description: Denies access if the conditions are matched.

Parameter: permit
Description: Permits access if the conditions are matched.

Parameter: remark
Description: Adds a remark about entries in an IP access list to make the list easier to understand and scan.

Parameter: source
Description: Number of the network or host from which the packet is being sent. There are two ways to specify the source:
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Parameter: source-wildcard
Description: (Optional) Wildcard bits to be applied to the source. There are two ways to specify the source-wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Parameter: log
Description: (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. The level of messages logged to the console is controlled by the logging console command.

The message includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.

Removing an ACL:
R1# show access-list
Standard IP access list 10
10 permit 192.168.10.0
R1#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 10
R1(config)#exit
R1#
*Oct 25 19:59:41.142: %SYS-5-CONFIG_I: Configured from console by console
R1#show access-list

R1#


Documenting an ACL using the remark command:
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 remark Permit hosts from the 192.168.10.0 LAN
R1(config)#access-list 10 permit 192.168.10.0
R1(config)#exit
R1#
*Oct 25 20:12:13.781: %SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...

output omitted

Access-list 10 remark Permit hosts from the 192.168.10.0 LAN
Access-list 10 permit 192.168.10.0
!
output omitted


5.2.3 ACL Wildcard Masking

Page 1:
Wildcard Masking

ACL statements include masks, also called wildcard masks. A wildcard mask is a string of binary digits telling the router which parts of the address to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function: the mask determines how much of an IP source or destination address to apply to the address match, and the 1s and 0s in the mask identify how to treat the corresponding IP address bits. However, wildcard masks and subnet masks are used for different purposes and follow different rules.

Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s. Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single IP address or several IP addresses.

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:

  • Wildcard mask bit 0 - Match the corresponding bit value in the address
  • Wildcard mask bit 1 - Ignore the corresponding bit value in the address

The figure explains how different wildcard masks filter IP addresses. As you look at the example, remember that binary 0 signifies a match, and that binary 1 signifies ignore.

Note: Wildcard masks are often referred to as an inverse mask. The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, the reverse is true.

Click the Wildcard Mask Example button in the figure.

Using a Wildcard Mask

The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address. Remember that a binary 0 indicates a value that is matched.


5.2.3 - ACL Wildcard Masking
The diagram depicts examples of wildcard masking for the bits in the fourth octet of an IP address.

Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

The following examples are shown:

Wildcard mask bits: 00000000
Result: Match all address bits (match all).

Wildcard mask bits: 00111111
Result: Match the first two address bits, and ignore the last six.

Wildcard mask bits: 00001111
Result: Match the first four address bits, and ignore the last four.

Wildcard mask bits: 11111100
Result: Ignore the first six address bits, and match the last two.

Wildcard mask bits: 11111111
Result: Do not check address bits. Ignore all eight bits in octet.


Page 2:
Wildcard Masks to Match IP Subnets

Calculating the wildcard mask can be a little confusing at first. The figure provides three examples of wildcard masks.

In the first example, the wildcard mask stipulates that every bit in the IP address 192.168.1.1 must match exactly. The wildcard mask is equivalent to the subnet mask 255.255.255.255.

In the second example, the wildcard mask stipulates that anything will match. The wildcard mask is equivalent to the subnet mask 0.0.0.0.

In the third example, the wildcard mask stipulates that it will match any host within the 192.168.1.0 /24 network. The wildcard mask is equivalent to the subnet mask 255.255.255.0.

These examples were fairly simple and straightforward. However, the calculation of wildcard masks can get a little trickier.

Click the Wildcard Mask 2 button in the figure.

The two examples in the figure are more complicated than the last three you viewed. In example 1, the first two octets and the first four bits of the third octet must match exactly. The last four bits in the third octet and the last octet can be any valid number. This results in a mask that checks for 192.168.16.0 to 192.168.31.0.

Example 2 shows a wildcard mask that matches the first two octets, and the least significant bit in the third octet. The last octet and the first seven bits in the third octet can be any valid number. The result is a mask that would permit or deny all hosts from odd subnets within the 192.168.0.0 major network.

Calculating wildcard masks can be difficult, but you can do it easily by subtracting the subnet mask from 255.255.255.255.

Click the Example 1 button in the figure.

For example, assume you wanted to permit access to all users in the 192.168.3.0 network. Subtract the subnet mask which is 255.255.255.0 from 255.255.255.255 as indicated in the figure. The solution produces the wildcard mask 0.0.0.255.

Click the Example 2 button in the figure.

Now assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32 /28. The subnet mask for the IP subnet is 255.255.255.240, so take 255.255.255.255 and subtract the subnet mask 255.255.255.240 from it. The solution this time produces the wildcard mask 0.0.0.15.

Click the Example 3 button in the figure.

In this third example, assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take the 255.255.255.255 and subtract the regular subnet mask which in this case would be 255.255.254.0. The result is 0.0.1.255.

Although you could accomplish the same result with two statements such as:

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255

It is far more efficient to configure the wildcard mask such as:

R1(config)# access-list 10 permit 192.168.10.0 0.0.1.255

That may not seem much more efficient, but consider what it would take to match networks 192.168.16.0 through 192.168.31.0 one network at a time:

R1(config)# access-list 10 permit 192.168.16.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.17.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.18.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.19.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.21.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.22.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.23.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.24.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.25.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.26.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.27.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.28.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.29.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.31.0 0.0.0.255


You can see that configuring the following wildcard mask makes it far more efficient:

R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
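The subtraction rule and the range examples above, worked in Python as an added example (not Cisco's code): it derives the wildcard from a subnet mask or prefix length, enumerates which 192.168.N.0 networks an address/wildcard pair actually matches, and checks whether a wildcard is contiguous, because the subtraction shortcut only ever produces contiguous masks such as 0.0.15.255 and cannot produce the odd-subnet mask 0.0.254.255. Function names are my own.

```python
"""Wildcard mask helpers: an added example, not Cisco code.

Implements the rule from the text (wildcard = 255.255.255.255 minus the
subnet mask) and shows which networks a base/wildcard pair really matches.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, e.g. 255.255.254.0 -> 0.0.1.255.

    Subtracting from all-ones never borrows between octets, so one 32-bit
    subtraction gives the same answer as the octet-by-octet subtraction
    shown in the text.
    """
    return to_str(ALL_ONES - to_int(mask))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len block, e.g. /28 -> 0.0.0.15."""
    return to_str(ALL_ONES >> prefix_len)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must equal base; bit 1 = ignore it."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by a run of 1s.

    Only these have a subnet-mask equivalent; 0.0.254.255 (odd subnets)
    does not, so the subtraction shortcut can never produce it.
    """
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def normalize_base(base: str, wildcard: str) -> str:
    """Clear the base-address bits that the wildcard ignores.

    192.168.16.77 0.0.15.255 and 192.168.16.0 0.0.15.255 match exactly the
    same addresses, because ignored bits never take part in the comparison.
    """
    return to_str(to_int(base) & ~to_int(wildcard) & ALL_ONES)


def third_octets_matched(base: str, wildcard: str) -> list:
    """Values of N for which the network address 192.168.N.0 matches."""
    return [n for n in range(256)
            if wildcard_match(f"192.168.{n}.0", base, wildcard)]


if __name__ == "__main__":
    # The three subtraction examples from the text
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0"):
        print(mask, "->", wildcard_from_subnet_mask(mask))
    # One 0.0.15.255 entry covers the same sixteen /24 networks
    print(third_octets_matched("192.168.16.0", "0.0.15.255"))
    # Odd subnets: a non-contiguous wildcard with no subnet-mask equivalent
    print(third_octets_matched("192.168.1.0", "0.0.254.255")[:5],
          is_contiguous_wildcard("0.0.254.255"))
```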


5.2.3 - ACL Wildcard Masking
The diagram depicts wildcard mask examples, explains how the mask is applied to an IP address, and how a wildcard mask can be determined from the subnet mask.

Wildcard Mask Group 1 Button:
IP address: 192.168.1.1, Binary 11000000.10101000.00000001.00000001
Wildcard Mask: 0.0.0.0, Binary 00000000.00000000.00000000.00000000
Result: 192.168.1.1, Binary 11000000.10101000.00000001.00000001

IP address: 192.168.1.1, Binary 11000000.10101000.00000001.00000001
Wildcard Mask: 255.255.255.255, Binary 11111111.11111111.11111111.11111111
Result: 0.0.0.0, Binary 00000000.00000000.00000000.00000000

IP address: 192.168.1.1, Binary 11000000.10101000.00000001.00000001
Wildcard Mask: 0.0.0.255, 00000000.00000000.00000000.11111111
Result: 192.168.1.0, Binary 11000000.10101000.00000001.00000000

Wildcard Mask Group 2 Button:
IP address: 192.168.16.0, Binary 11000000.10101000.00010000.00000000
Wildcard Mask: 0.0.15.255, Binary 00000000.00000000.00001111.11111111
Result Range: 192.168.16.0 to 192.168.31.0, Binary 11000000.10101000.00010000.00000000 To 11000000.10101000.00011111.00000000

IP address: 192.168.1.0, Binary 11000000.10101000.00000001.00000000
Wildcard Mask: 0.0.254.255, Binary 00000000.00000000.11111110.11111111
Result Range: 192.168.1.0, Binary 11000000.10101000.00000001.00000000
Matches all odd numbered subnets in the 192.168.0.0 major network.

Wildcard Mask Calculation:

Example One:
To permit access to all users in the 192.168.3.0 network with a subnet mask of 255.255.255.0, take the subnet mask 255.255.255.0 and subtract it from 255.255.255.255. The solution produces the wildcard mask 0.0.0.255.

Example Two:
The subnet mask for the IP subnet is 255.255.255.240. To permit network access for the 14 users in the subnet 192.168.3.32/28, take 255.255.255.255 and subtract the subnet mask 255.255.255.240. The solution produces the wildcard mask 0.0.0.15.

Example Three:
To match only networks 192.168.10.0 and 192.168.11.0, take 255.255.255.255 and subtract the regular subnet mask of 255.255.254.0. The resulting wildcard mask is 0.0.1.255.


Page 3:
Wildcard Bit Mask Keywords

Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or network. They also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria.

  • The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match, so only one host is matched.
  • The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IP address or to accept any addresses.

Example 1: Wildcard Masking Process with a Single IP Address

In the example, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.

Example 2: Wildcard Masking Process with a Match Any IP Address

In the example, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.


5.2.3 - ACL Wildcard Masking
The diagram depicts wildcard bit mask keyword abbreviations and examples.

Example 1: Wildcard Masking Process with a Single IP Address
Instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.
- 192.168.10.10 0.0.0.0 matches all the address bits.
- Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 192.168.10.10).

Example 2: Wildcard Masking Process with a Match Any IP Address
Instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.
- 0.0.0.0 255.255.255.255 ignores all address bits.
- Abbreviate expression with the keyword any.


Page 4:
The any and host Keywords

In this figure, we have two examples. Example 1 shows how the any keyword substitutes for the IP address 0.0.0.0 with a wildcard mask of 255.255.255.255.

Example 2 shows how the host keyword substitutes for the 0.0.0.0 wildcard mask.


5.2.3 - ACL Wildcard Masking
The diagram depicts examples of ACL commands using the any and host keywords. The following is the format of using optional keywords in an ACL statement.

Example 1:
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
R1(config)#access-list 1 permit any

Example 2:
R1(config)#access-list 1 permit 192.168.10.10 0.0.0.0
R1(config)#access-list 1 permit host 192.168.10.10


5.2.4 Applying Standard ACLs to Interfaces

Page 1:
Standard ACL Configuration Procedures

After a standard ACL is configured, it is linked to an interface using the ip access-group command:

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

The figure lists the steps and syntax to configure and apply a numbered standard ACL on a router.

Click the Example 1 button in the figure for an example of an ACL to permit a single network.

This ACL allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.

The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters. In this case, the IP address and wildcard mask identifying the source network is 192.168.10.0 0.0.0.255. Recall that there is an unseen implicit deny all statement that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255.

The ip access-group 1 out interface configuration command links and ties ACL 1 to the Serial 0/0/0 interface as an outbound filter.

Therefore, ACL 1 only permits hosts from the 192.168.10.0 /24 network to exit router R1. It denies any other network including the 192.168.11.0 network.

Click the Example 2 button in the figure for an example of an ACL that denies a specific host.

This ACL replaces the previous example, but also blocks traffic from a specific address. The first command deletes the previous version of ACL 1. The next ACL statement denies the PC1 host located at 192.168.10.10. Every other host on the 192.168.10.0 /24 network is permitted. Again, the implicit deny statement matches every other network.

The ACL is again reapplied to interface S0/0/0 in an outbound direction.

Click the Example 3 button in the figure for an example of an ACL that denies a specific host and permits a number of subnets.

This ACL replaces the previous example but still blocks traffic from the host PC1. It also permits all other LAN traffic to exit from router R1.

The first two commands are the same as the previous example. The first command deletes the previous version of ACL 1 and the next ACL statement denies the PC1 host located at 192.168.10.10.

The third line is new and permits all hosts from the 192.168.x.x /16 networks. This now means that all hosts from the 192.168.10.0 /24 network still match but now the hosts from the 192.168.11.0 network also match.

The ACL is again reapplied to interface S0/0/0 in an outbound direction. Therefore, both LANs attached to router R1 may exit the S0/0/0 interface with the exception of the PC1 host.


5.2.4 - Applying Standard ACL's to Interfaces
The diagram depicts standard ACL configuration procedures and topology examples where they are applied.

Syntax:
Step 1. Use the access-list global configuration command to create an entry in a standard IPv4 ACL.
R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255

Enter the global no access-list command to remove the entire ACL. The example statement matches any address that starts with 192.168.10.x. Use the remark option to add a description to your ACL.

Step 2. Use the interface configuration command to select an interface to which to apply the ACL.

R1(config)#interface FastEthernet 0/0

Step 3. Use the ip access-group interface configuration command to activate the existing ACL on an interface.

R1(config-if)#ip access-group 1 out

To remove an IP ACL from an interface, enter the no ip access-group command on the interface. The above example activates the standard IPv4 ACL 1 on the interface as an outbound filter.

Network Topology:
There are two LAN's with switches S1 and S2. PC1 and PC2 are interconnected by router R1. The S1 LAN is 192.168.10.0/24, and the S2 LAN is 192.168.11.0/24.
- PC1 with IP address 192.168.10.10/24 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 with IP address 192.168.10.10/24 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.
- R1 interface S0/0/0 is connected to network 10.1.1.0/30.

Example 1:
This ACL permits a single network. It allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.

R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#interface s0/0/0
R1(config-if)#ip access-group 1 out

Example 2:
This ACL permits a single network and denies a specific host.

R1(config)#no access-list 1
R1(config)#access-list 1 deny 192.168.10.10 0.0.0.0
R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#interface S0/0/0
R1(config-if)#ip access-group 1 out

Example 3:
This ACL denies a specific host, blocking traffic from PC1, and permits all other LAN traffic to exit from router R1.

R1(config)#no access-list 1
R1(config)#access-list 1 deny 192.168.10.10 0.0.0.0
R1(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R1(config)#interface S0/0/0
R1(config-if)#ip access-group 1 out


Page 2:
Using an ACL to Control VTY Access

Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS software image on your router does not support SSH, you can partially improve the security of administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. You can control which administrative workstation or network manages your router with an ACL and an access-class statement to your VTY lines. You can also use this technique with SSH to further improve administrative access security.

The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.

Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions, by default.

Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.

The command syntax of the access-class command is:

access-class access-list-number {in [vrf-also] | out}

The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list.

An example restricting access to VTYs 0 through 4 is shown in the figure. The ACL in the figure is configured to permit networks 192.168.10.0 and 192.168.11.0 access to VTYs 0 - 4. All other networks are denied access to the VTYs.

The following should be considered when configuring access lists on VTYs:

  • Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.


5.2.4 - Applying Standard ACL's to Interfaces
The diagram depicts using an ACL to control VTY access. A PC is connected to a cloud, which is connected to a router with physical port FastEthernet 0/0 and virtual ports (vty 0 to 4) labeled. The following commands are used to create an ACL and apply it to the VTY ports.

R1(config)#access-list 21 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 21 permit 192.168.11.0 0.0.0.255
R1(config)#access-list 21 deny any

R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password secret
R1(config-line)#access-class 21 in


5.2.5 Editing Numbered ACLs

Page 1:
Editing Numbered ACLs

When configuring an ACL, the statements are appended to the end of the ACL in the order that they are entered. However, there is no built-in editing feature that lets you change an individual line of a numbered ACL: you cannot selectively insert or delete lines.

It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it onto the router. For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it.

For example, assume that the host IP address in the figure was incorrectly entered. Instead of the 192.168.10.100 host, it should have been the 192.168.10.11 host. Here are the steps to edit and correct ACL 20:

Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACL statements.

Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. Once the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.

Step 3. In global configuration mode, disable the access list using the no access-list 20 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.

It should be mentioned that when using the no access-list command, no ACL is protecting your network. Also, be aware that if you make an error in the new list, you have to disable it and troubleshoot the problem. In that case, again, your network has no ACL during the correction process.


5.2.5 - Editing Numbered ACLs
The diagram depicts editing numbered ACLs by removing and recreating them.
Step 1.
R1#show running-config | include access-list
access-list 20 permit 192.168.10.100
access-list 20 deny 192.168.10.0 0.0.0.255

Step 2.
access-list 20 permit 192.168.10.11
access-list 20 deny 192.168.10.0 0.0.0.255

Step 3.
R1#config t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#no access-list 20
R1(config)#access-list 20 permit 192.168.10.11
R1(config)#access-list 20 deny 192.168.10.0 0.0.0.255


Page 2:
Commenting ACLs

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after.

To include a comment for IP numbered standard or extended ACLs, use the access-list access-list number remark remark global configuration command. To remove the remark, use the no form of this command.

In the first example, the standard ACL allows access to the workstation that belongs to Jones, and denies access to the workstation that belongs to Smith.

For an entry in a named ACL, use the remark configuration command. To remove the remark, use the no form of this command. The second example shows an extended named ACL. Recall from the earlier definition of extended ACLs that they are used to control specific port numbers or services. In the second example, the remark says that the workstation for Jones is not allowed to use outbound Telnet.


5.2.5 - Editing Numbered ACLs
The diagram depicts commenting ACLs using the remark command.

Example 1:
R1(config)#access-list 1 remark Permit only Jones workstation through
R1(config)#access-list 1 permit 192.168.10.13
R1(config)#access-list 1 remark Do not allow Smith through
R1(config)#access-list 1 deny 192.168.10.14

Example 2:
R1(config)#ip access-list extended TELNETTING
R1(config-ext-nacl)#remark Do not allow Jones workstation to Telnet
R1(config-ext-nacl)#deny tcp host 192.168.10.13 any eq telnet


5.2.6 Creating Standard Named ACLs

Page 1:
Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.

The figure shows the steps to create a standard named ACL.

Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number.

Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped.

Step 3. Return to privileged EXEC mode with the end command.

Click the Example button in the figure.

In the figure, the screen output shows the commands used to configure a standard named ACL on router R1, interface Fa0/0 that denies host 192.168.11.10 access to the 192.168.10.0 network.

Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output.


5.2.6 - Creating Standard Named ACLs
The diagram depicts standard ACL configuration procedures and topology examples.

Syntax:
Router(config)#ip access-list [standard | extended] name

- Alphanumeric name string must be unique and cannot begin with a number.

Router(config-std-nacl)#[permit | deny | remark] {source [source-wildcard]} [log]

- If not configured, sequence numbers are generated automatically, starting at 10 and incrementing by 10.
- The no form followed by a sequence number (no sequence-number) removes that specific test from the named ACL.

Router(config-if)#ip access-group name [in | out]

- Activates the named IP ACL on an interface.

Example:
Network Topology:
There are two LANs with switches S1 and S2. PC1 and PC2 are interconnected by router R1. The S1 LAN is 192.168.10.0/24, and the S2 LAN is 192.168.11.0/24.
- PC1 with IP address 192.168.10.10/24 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 with IP address 192.168.11.10/24 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.
- R1 interface S0/0/0 is connected to network 10.1.1.0/30.

Commands to configure and apply a standard named ACL:
R1(config)#ip access-list standard No_ACCESS
R1(config-std-nacl)#deny host 192.168.11.10
R1(config-std-nacl)#permit 192.168.11.0 0.0.0.255
R1(config-std-nacl)#interface FA0/0
R1(config-if)#ip access-group No_ACCESS out


5.2.7 Monitoring and Verifying ACLs

Page 1:
When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration. In the figure, the top example shows the Cisco IOS syntax to display the contents of all ACLs. The bottom example shows the result of issuing the show access-lists command on router R1. The capitalized ACL names, SALES and ENG, stand out in the screen output.

Recall why you started configuring ACLs in the first place; you wanted to implement your organization's security policies. Now that you have verified that the ACLs are configured as you intended, the next step is to confirm that the ACLs work as planned.

The guidelines discussed earlier in this section suggest that you configure ACLs on a test network and then implement the tested ACLs on the production network. Though a discussion of how to prepare an ACL test scenario is beyond the scope of this course, you need to know that confirming your ACLs work as planned can be a complex and time-consuming process.


5.2.7 - Monitoring and Verifying ACLs
The diagram depicts monitoring and verifying ACLs using the show access-lists command.

R1#show access-lists {access-list-number|name}

R1#show access-lists
Standard IP access list SALES
10 deny 10.1.1.0 0.0.0.255
20 permit 10.3.3.1
30 permit 10.4.4.1
40 permit 10.5.5.1
Extended IP access list ENG
10 permit tcp host 192.168.10.2 any eq telnet (25 matches)
20 permit tcp host 192.168.10.2 any eq ftp
30 permit tcp host 192.168.10.2 any eq ftp-data


5.2.8 Editing Named ACLs

Page 1:
Named ACLs have a big advantage over numbered ACLs in that they are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.

The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricted access to the web server. Looking at this example, you can see two things you have not yet seen in this course:

Click the Router Output button in the figure.

  • In the first show command output, you can see that the ACL named WEBSERVER has three numbered lines indicating access rules for the webserver.
  • To grant another workstation access in the list only requires inserting a numbered line. In the example, the workstation with the IP address 192.168.11.10 is being added.
  • The final show command output verifies that the new workstation is now allowed access.


5.2.8 - Editing Named ACLs
The diagram depicts the process of adding a line to a named ACL.

Network Topology:
There are two LANs with switches S1 and S2. PC1 and PC2 are interconnected by router R1. The S1 LAN is 192.168.10.0/24, and the S2 LAN is 192.168.11.0/24.
- PC1 with IP address 192.168.10.10/24 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 with IP address 192.168.11.10/24 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.
- R1 interface S0/0/0 is connected to network 10.1.1.0/30.

R1#show access-lists
Standard IP access list WEBSERVER
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 deny 192.168.11.0, wildcard bits 0.0.0.255
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list standard WEBSERVER
R1(config-std-nacl)#15 permit host 192.168.11.10
R1(config-std-nacl)#end
R1#
*Nov 1 19:20:57.591: %SYS-5-CONFIG_I: Configured from console by console
R1#show access-lists
Standard IP access list WEBSERVER
10 permit 192.168.10.10
15 permit 192.168.11.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 deny 192.168.11.0, wildcard bits 0.0.0.255
R1#
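The sequence-number editing shown in the figure, modeled as an added Python example (this is not course material or Cisco IOS code). It reproduces the WEBSERVER list, evaluates source addresses with first-match semantics and the implicit deny, and shows why appending the new permit (the only option for a numbered ACL) would never take effect while inserting it at 15 does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    """One permit/deny statement of a standard ACL (source address only)."""
    seq: int
    action: str                 # "permit" or "deny"
    network: str
    wildcard: str = "0.0.0.0"   # 0.0.0.0 means a single host

    def matches(self, src: str) -> bool:
        # Wildcard bit 1 = "don't care"; only the bits set to 0 are compared.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (
            int(ipaddress.IPv4Address(self.network)) & care)


class StandardNamedAcl:
    """Named standard ACL with IOS-style sequence numbers (10, 20, 30, ...)."""

    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []   # always kept sorted by seq

    def add(self, action, network, wildcard="0.0.0.0", seq=None):
        # Without an explicit number the entry is appended at last + 10.
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, action, network, wildcard))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        # Equivalent of "no <seq>" in named-ACL configuration mode.
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, src: str):
        # First match wins; an implicit deny follows the last entry.
        for e in self.entries:
            if e.matches(src):
                return e.action, e.seq
        return "deny", None

    def show(self) -> str:
        lines = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            suffix = "" if e.wildcard == "0.0.0.0" else f", wildcard bits {e.wildcard}"
            lines.append(f"{e.seq} {e.action} {e.network}{suffix}")
        return "\n".join(lines)


def build_webserver_acl() -> StandardNamedAcl:
    # The WEBSERVER list from the figure, entered without sequence numbers.
    acl = StandardNamedAcl("WEBSERVER")
    acl.add("permit", "192.168.10.10")
    acl.add("deny", "192.168.10.0", "0.0.0.255")
    acl.add("deny", "192.168.11.0", "0.0.0.255")
    return acl


def webserver_edit_demo() -> dict:
    """Show why the new workstation must be inserted at 15 rather than appended."""
    results = {}
    acl = build_webserver_acl()
    results["before"] = acl.evaluate("192.168.11.10")         # ("deny", 30)

    # Appending never takes effect: line 30 already denied all of
    # 192.168.11.0/24 before line 40 is reached.
    appended = build_webserver_acl()
    appended.add("permit", "192.168.11.10")                   # becomes seq 40
    results["appended"] = appended.evaluate("192.168.11.10")  # ("deny", 30)

    # Inserting at 15, as in the figure, places the permit ahead of the denies.
    acl.add("permit", "192.168.11.10", seq=15)
    results["inserted"] = acl.evaluate("192.168.11.10")       # ("permit", 15)
    results["other_host"] = acl.evaluate("192.168.11.20")     # ("deny", 30)
    results["unlisted"] = acl.evaluate("10.1.1.1")            # ("deny", None)
    results["show"] = acl.show()

    # "no 15" removes just that line; the rest of the list is untouched.
    acl.remove(15)
    results["after_remove"] = acl.evaluate("192.168.11.10")   # ("deny", 30)
    return results


if __name__ == "__main__":
    for key, value in webserver_edit_demo().items():
        print(key, value, sep=": ")
```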


Page 2:
Standard ACLs are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


5.2.8 - Editing Named ACLs
Link to Packet Tracer Exploration: Configuring Standard ACLs


5.3 Configuring Extended ACLs

5.3.1 Extended ACLs

Page 1:
Testing Packets with Extended ACLs

For more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 800 possible extended ACLs. Extended ACLs can also be named.

Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add to your security solution. Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.

The figure shows the logical decision path used by an extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision.

Recall that entries in ACLs are processed one after the other, so a 'No' decision does not necessarily equal a 'Deny'. As you go through the logical decision path, note that a 'No' means go to the next entry until all the entries have been tested. Only when all the entries have been processed is the 'Permit' or 'Deny' decision finalized.

The next page provides an example of an extended ACL.


5.3.1 - Extended ACLs
The diagram depicts a flowchart on testing packets with extended ACLs. The decision points along the "YES" path of the flowchart are as follows:
- Is there an ACL on this interface?
- If yes, does the source address match the ACL list entry?
- If yes, do the protocol and port match?
- If yes, does the destination address match the ACL entry?
- If yes, do the protocol and port match?
- If yes, permit or deny?
- If deny, discard packet.
- If permit, is the destination IP address in the routing table?
- If no, discard packet.
- If yes, send to outgoing interface.

If the answer to each of the decisions is "yes" or "permit," the packet is sent to the outgoing interface.


Page 2:
Testing for Ports and Services

The ability to filter on protocol and port number allows you to build very specific extended ACLs. Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port.

The figure shows some examples of how an administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement. Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).

Click the Ports button in the figure.

The figure shows how to generate a list of port numbers and keywords you can use while building an ACL using the R1(config)#access-list 101 permit tcp any eq ? command.


5.3.1 - Extended ACLs
The diagram depicts extended ACL examples that test for ports and services.

Examples:
Using port numbers:
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 23
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20

Using keywords:
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq telnet
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Ports:
A list of port numbers and alphabetic protocol abbreviations is displayed using the following command:

R1(config)#access-list 101 deny tcp any eq ?


5.3.2 Configuring Extended ACLs

Page 1:
The procedural steps for configuring extended ACLs are the same as for standard ACLs: you first create the extended ACL and then activate it on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.

The figure shows the common command syntax for extended ACLs. The scrolling field provides details for the keywords and parameters. As you work through this chapter, there are explanations and examples that will further your comprehension.

Click the Configuring Extended ACLs button in the figure.

The figure shows an example of how you might create an extended ACL specific to your network needs. In this example, the network administrator needs to restrict Internet access to allow only website browsing. ACL 103 applies to traffic leaving the 192.168.10.0 network, and ACL 104 to traffic coming into the network.

ACL 103 accomplishes the first part of the requirement. It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.

The nature of HTTP requires that traffic flow back into the network, but the network administrator wants to restrict that traffic to HTTP exchanges from requested websites. The security solution must deny any other traffic coming into the network. ACL 104 does that by blocking all incoming traffic, except for the established connections. HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages.

Notice that the example uses the established parameter.

This parameter allows responses to traffic that originates from the 192.168.10.0/24 network to return inbound on S0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection. With the established parameter, the router will allow only the established traffic to come back in and block all other traffic.


5.3.2 - Configuring Extended ACLs
The diagram depicts extended ACL access-list command syntax. Parameters are listed along with a description of what they do. An example of an extended ACL application is also shown.

Extended ACL Command Syntax:

The full syntax of the extended ACL command is as follows:

access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]

Parameter: access-list-number
Description: Identifies the access list using a number in the range of 100 to 199 for an extended IP ACL, and 2000 to 2699 for expanded IP ACLs.

Parameter: deny
Description: Denies access if the conditions are matched.

Parameter: permit
Description: Permits access if the conditions are matched.

Parameter: remark
Description: Indicates whether this entry allows or blocks the specified address. Could also be used to enter a remark.

Parameter: protocol
Description: Name or number of an Internet protocol. Common keywords include icmp, ip, tcp, or udp. To match any Internet protocol, including ICMP, TCP, and UDP, use the ip keyword.

Parameter: source
Description: Number of the network or host from which the packet is being sent.

Parameter: source-wildcard
Description: Wildcard bits to be applied to the source.

Parameter: destination
Description: Number of the network or host to which the packet is being sent.

Parameter: destination-wildcard
Description: Wildcard bits to be applied to the destination.

Parameter: operator
Description: (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

Parameter: port
Description: (Optional) The decimal number or name of a TCP or UDP port.

Parameter: established
Description: (Optional) For the TCP protocol only. Indicates an established connection.

Configuring Extended ACLs:

Network Topology:
Two LANs, 192.168.10.0/24 and 192.168.11.0/24, are attached to routers R1 and R3, respectively. R1 and R3 are interconnected by router R2.
Router R2 has a Lo0 interface simulating the ISP.

R1(config)#access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config)#access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)#access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established

ACL 103 allows requests to ports 80 and 443.
ACL 104 allows established HTTP and HTTPS replies.
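The port operators from 5.3.1 (eq, neq, gt, lt, range) and the established check from ACL 104, modeled as an added Python example (not course material or Cisco IOS code). It evaluates ACL 103 and ACL 104 against constructed packets; the web server address 203.0.113.5 is an assumed value from the documentation range, and the last case shows the caveat the text raises: established looks only at the ACK/RST bits, so an unsolicited packet carrying ACK still matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword


def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")           # the "host" keyword


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)


def port_match(cond: Optional[tuple], port: int) -> bool:
    """cond is None (no operator) or (operator, operand[, operand]) as in the IOS syntax."""
    if cond is None:
        return True
    op, *operand = cond
    if op == "eq":
        return port == operand[0]
    if op == "neq":
        return port != operand[0]
    if op == "gt":
        return port > operand[0]
    if op == "lt":
        return port < operand[0]
    if op == "range":
        return operand[0] <= port <= operand[1]
    raise ValueError(f"unknown operator {op}")


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry."""
    action: str
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (network, wildcard)
    dst: Tuple[str, str]
    sport: Optional[tuple] = None    # operator applied to the source port
    dport: Optional[tuple] = None    # operator applied to the destination port
    established: bool = False        # TCP only: ACK or RST bit must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if not (port_match(self.sport, p.sport) and port_match(self.dport, p.dport)):
            return False
        if self.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, p: Packet):
    """Sequential first-match evaluation with the implicit deny at the end."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(p):
            return ace.action, line
    return "deny", None


INSIDE = ("192.168.10.0", "0.0.0.255")
# ACL 103 (applied out on S0/0/0): only HTTP and HTTPS requests may leave.
ACL_103 = [
    Ace("permit", "tcp", INSIDE, ANY, dport=("eq", 80)),
    Ace("permit", "tcp", INSIDE, ANY, dport=("eq", 443)),
]
# ACL 104 (applied in on S0/0/0): only replies to existing TCP connections may enter.
ACL_104 = [Ace("permit", "tcp", ANY, INSIDE, established=True)]


def browsing_policy_demo() -> dict:
    web = "203.0.113.5"      # constructed web server address (documentation range)
    pc1 = "192.168.10.10"    # PC1 from the topology
    r = {}
    r["https_request"] = evaluate(ACL_103, Packet("tcp", pc1, web, 51000, 443, frozenset({"SYN"})))
    r["smtp_request"] = evaluate(ACL_103, Packet("tcp", pc1, web, 51001, 25, frozenset({"SYN"})))
    r["https_reply"] = evaluate(ACL_104, Packet("tcp", web, pc1, 443, 51000, frozenset({"ACK"})))
    r["inbound_syn"] = evaluate(ACL_104, Packet("tcp", web, pc1, 40000, 22, frozenset({"SYN"})))
    # Only the flag bits are checked: no session to port 22 exists, yet ACK alone matches.
    r["unsolicited_ack"] = evaluate(ACL_104, Packet("tcp", web, pc1, 40000, 22, frozenset({"ACK"})))
    r["inbound_udp"] = evaluate(ACL_104, Packet("udp", web, pc1, 53, 51002))
    return r


if __name__ == "__main__":
    for key, value in browsing_policy_demo().items():
        print(key, value, sep=": ")
```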


5.3.3 Applying Extended ACLs to Interfaces

Page 1:
Let us learn how to configure an extended access list by building on the previous example. Recall that we want to allow users to browse both insecure and secure websites. First consider whether the traffic you want to filter is going in or out. Trying to access websites on the Internet is traffic going out. Receiving e-mails from the Internet is traffic coming into the business. However, when considering how to apply an ACL to an interface, in and out take on different meanings depending on the point of view.

In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0. The Internet traffic coming in is going in the S0/0/0 interface, but is going out the Fa0/0 interface to reach PC1. The example applies the ACL to the serial interface in both directions.

Click the Deny FTP button in the figure.

This is an example of denying FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but permitting all other traffic. Note the use of wildcard masks. Remember that FTP requires ports 20 and 21; therefore, you need to specify both eq 20 and eq 21 to deny FTP.

With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name. In an earlier example of an extended ACL, the statements were written as follows:

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Note that for FTP, both ftp and ftp-data need to be mentioned.

Click the Deny Telnet button in the figure.

This example denies Telnet traffic from 192.168.11.0, but allows all other IP traffic from any other source to any destination inbound on Fa0/1. Note the use of the any keywords, meaning from anywhere going to anywhere.


5.3.3 - Applying Extended ACLs to Interfaces
The diagram depicts applying an extended ACL to an interface. Two example ACLs, one that denies FTP and one that denies Telnet, are shown.

Network Topology:
Two LANs, 192.168.10.0/24 and 192.168.11.0/24, are attached to routers R1 and R3, respectively. R1 and R3 are interconnected by router R2.

- Router R1 S0/0/0 WAN interface is connected to router R2 S0/0/0.
- Router R3 S0/0/1 WAN interface is connected to router R2 S0/0/1.
- Router R2 has a Lo0 interface simulating the ISP.

Applying an ACL:
R1(config)#interface S0/0/0
R1(config-if)#ip access-group 103 out
R1(config-if)#ip access-group 104 in

Deny FTP:
R1(config)#access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
R1(config)#access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
R1(config)#access-list 101 permit ip any any
R1(config)#interface FA0/1
R1(config-if)#ip access-group 101 in

Deny Telnet:
R1(config)#access-list 101 deny tcp 192.168.11.0 0.0.0.255 any eq 23
R1(config)#access-list 101 permit ip any any

R1(config)#interface FA0/1
R1(config-if)#ip access-group 101 in


5.3.4 Creating Named Extended ACLs

Page 1:
You can create named extended ACLs in essentially the same way you created named standard ACLs. The commands to create a named ACL are different for standard and extended ACLs.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names.

Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a named extended ACL.

Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.

Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name] command.

Step 4. As an optional but recommended step, save your entries in the configuration file with the copy running-config startup-config command.

To remove a named extended ACL, use the no ip access-list extended name global configuration command.

The figure shows the named version of the ACL you created earlier.


5.3.4 - Creating Named Extended ACLs
The diagram depicts an extended named ACL configuration.

Network Topology:
Two LANs are attached to router R1. The R1 interface S0/0/0 is connected to R2. R2 is connected to the Internet.

R1(config)#ip access-list extended SURFING
R1(config-ext-nacl)#permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)#permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)#ip access-list extended BROWSING
R1(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 established

NACL SURFING allows requests to ports 80 and 443.
NACL BROWSING allows established HTTP and HTTPS replies.


Page 2:
Extended ACLs are router configuration scripts that control whether a router permits or denies packets based on their source or destination address as well as protocols or ports. Extended ACLs provide more flexibility and granularity than standard ACLs. This activity focuses on defining filtering criteria, configuring extended ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


5.3.4 - Creating Named Extended ACLs
Link to Packet Tracer Exploration: Configuring Extended ACLs


5.4 Configure Complex ACLs

5.4.1 What are Complex ACLs?

Page 1:
Types of Complex ACLs

Standard and extended ACLs can become the basis for complex ACLs that provide additional functionality. The table in the figure summarizes the three categories of complex ACLs.


5.4.1 - What Are Complex ACLs
The diagram lists the types of complex ACLs.

Complex ACL: Dynamic ACL (lock-and-key)
Description: Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Complex ACL: Reflexive ACL
Description: Allows outbound traffic and limits inbound traffic in response to sessions that originate inside the router.

Complex ACL: Time-based ACL
Description: Allows for access control based on the time of day and week.


5.4.2 Dynamic ACLs

Page 1:
What are Dynamic ACLs?

Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.

Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible.

When to Use Dynamic ACLs

Some common reasons to use dynamic ACLs are as follows:

  • When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
  • When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through an AAA server, a TACACS+ server, or another security server before it allows their hosts to access the remote hosts.

Benefits of Dynamic ACLs

Dynamic ACLs have the following security benefits over standard and static extended ACLs:

  • Use of a challenge mechanism to authenticate individual users.
  • Simplified management in large internetworks.
  • In many cases, reduction of the amount of router processing that is required for ACLs.
  • Reduction of the opportunity for network break-ins by network hackers.
  • Creation of dynamic user access through a firewall, without compromising other configured security restrictions.

In the figure, the user at PC1 is an administrator who requires back-door access to the 192.168.30.0/24 network located on router R3. A dynamic ACL has been configured to allow FTP and HTTP access on router R3, but only for a limited time.


5.4.2 - Dynamic ACLs
The diagram depicts information about dynamic ACLs.

Network Topology:
Two LANs are attached to router R1. LAN 192.168.10.10 with PC1 and switch S1 connects to the R1 interface F0/0. PC2 and switch S2 connect to the R1 interface F0/1. The R1 interface S0/0/0 is connected to R2 via a WAN link. R2 is connected to a server. A third LAN, 192.168.30.10 with PC3 and switch S3, is connected to R3, which is also connected to R2 via a WAN link.

Text bubbles are pointing to R3 that state:
1. PC1 uses Telnet to connect R3 and authenticate.
2. Within a given time allowance, PC1 can use FTP or HTTP to connect to R3.


Page 2:
Dynamic ACL Examples

Consider a requirement for a network administrator on PC1 to gain periodic access to the network (192.168.30.0 /24) through router R3. To facilitate this requirement a dynamic ACL is configured on the serial interface S0/0/1 on router R3.

Although a detailed description of the configuration for a dynamic ACL is outside the scope of this course, it is useful to review the configuration steps.

Click the Config button in the figure to view an example of a dynamic ACL configuration.

Roll over each Step in the figure to review the dynamic ACL configuration steps.


5.4.2 - Dynamic ACLs
The diagram depicts examples of dynamic ACLs.

Network Topology: Same as 5.4.2 Diagram 1.

Configuration:
Step 1:
R3(config)#username Student password 0 cisco
Creates a login name and password for authentication.

Step 2:
R3(config)#access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)#access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Allows a user to open a Telnet connection to the router. The dynamic ACL entry is ignored until the lock-and-key is triggered. The window is opened for 15 minutes and then automatically closed, whether it is being used or not.

Step 3:
R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group 101 in
Applies ACL 101 to interface S0/0/1.

Step 4:
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#autocommand access-enable host timeout 5
After the user is authenticated using Telnet, the autocommand command executes, and the Telnet session terminates. The user can now access network 192.168.30.0. After 5 minutes of inactivity, the window closes.


5.4.3 Reflexive ACLs

Page 1:
What are Reflexive ACLs?

Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.

Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in. Reflexive ACLs contain only temporary entries. These entries are automatically created when a new IP session begins, for example, with an outbound packet, and the entries are automatically removed when the session ends.

Reflexive ACLs provide a truer form of session filtering than an extended ACL that uses the established parameter introduced earlier. Although similar in concept to the established parameter, reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits. The established option also does not work with applications that dynamically alter the source port for the session traffic. The permit established statement only checks ACK and RST bits, not source and destination address.

Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface.

Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.

Benefits of Reflexive ACLs

Reflexive ACLs have the following benefits:

  • Help secure your network against network hackers and can be included in a firewall defense.
  • Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
  • Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.


5.4.3 - Reflexive ACLs
The diagram depicts reflexive ACLs.

Network Topology:
Two LANs are attached to router R1. LAN 192.168.10.0/24 with switch S1 connects to the R1 interface F0/0. The R1 interface S0/0/0 is connected to R2 via a WAN link. R2 is connected to the ISP, which is connected to the Internet, an untrusted network. LAN 192.168.10.0/24 is labeled Secure Trusted Network.

A traffic arrow is shown going from the secure trusted network to the external untrusted network and then returning to the secure trusted network. This traffic is labeled "Initiated inside". Another traffic arrow is shown coming from the external untrusted network attempting to enter the secure trusted network. This traffic is labeled "Initiated outside".


Page 2:
Reflexive ACL Example

The figure shows an example for which the administrator needs a reflexive ACL that permits ICMP outbound and inbound traffic, while it permits only TCP traffic that has been initiated from inside the network. Assume that all other traffic will be denied. The reflexive ACL is applied to the outbound interface of R2.

Click the Config button in the figure.

Although the complete configuration for reflexive ACLs is outside the scope of this course, the figure shows an example of the steps that are required to configure a reflexive ACL.

Roll over each Step in the figure to review the reflexive ACL configuration steps.


5.4.3 - Reflexive ACL's
The diagram depicts examples of reflexive ACL's.

Network Topology: Same as 5.4.3 Diagram 1.

Configuration:
Step 1:
R2(config)#ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)#permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)#permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC
Causes the router to keep track of traffic that was initiated from inside.

Step 2:
R2(config)#ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)#evaluate TCPTRAFFIC
R2(config-ext-nacl)#evaluate ICMPTRAFFIC
Creates an inbound policy that requires the router to check incoming traffic to see if it was initiated from inside. It ties the reflexive ACL part of the OUTBOUNDFILTERS ACL, called TCPTRAFFIC, to the INBOUNDFILTERS ACL.

Step 3:
R2(config)#interface S0/1/0
R2(config-if)#ip access-group INBOUNDFILTERS in
R2(config-if)#ip access-group OUTBOUNDFILTERS out
Applies both an inbound and outbound ACL to the interface.
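The reflect/evaluate pairing from the three steps above, as an added Python model (not IOS code and not from the course): the outbound permit records the mirror image of each session it allows, the inbound evaluate permits only a packet that matches a recorded mirror, and for contrast a function applies the established check from the start of this section, which looks at the ACK/RST bit alone. The Packet class, the session_ended helper and the outside address 209.165.200.225 are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    sport: int = 0      # source port (0 for ICMP)
    dport: int = 0      # destination port (0 for ICMP)
    ack: bool = False   # TCP ACK or RST bit set, the only thing 'established' looks at

INSIDE = ("192.168.0.0", "0.0.255.255")     # the trusted networks behind R2

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard match: every 0 bit in the wildcard must equal the network bit."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care

def mirror(pkt):
    """The temporary entry 'reflect' creates: addresses and ports of the permitted packet swapped."""
    return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)

class ReflexiveFilter:
    """R2's OUTBOUNDFILTERS / INBOUNDFILTERS pair from the figure, as state plus two checks."""

    def __init__(self):
        # one table of temporary entries per reflexive ACL name
        self.sessions = {"TCPTRAFFIC": set(), "ICMPTRAFFIC": set()}

    def outbound(self, pkt):
        """OUTBOUNDFILTERS: permit tcp/icmp 192.168.0.0 0.0.255.255 any reflect ..., implicit deny."""
        if in_wildcard(pkt.src, *INSIDE):
            if pkt.proto == "tcp":
                self.sessions["TCPTRAFFIC"].add(mirror(pkt))
                return "permit"
            if pkt.proto == "icmp":
                self.sessions["ICMPTRAFFIC"].add(mirror(pkt))
                return "permit"
        return "deny"       # UDP, and anything not initiated inside, hits the implicit deny

    def inbound(self, pkt):
        """INBOUNDFILTERS: evaluate TCPTRAFFIC, evaluate ICMPTRAFFIC, implicit deny."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        for name in ("TCPTRAFFIC", "ICMPTRAFFIC"):
            if key in self.sessions[name]:
                return "permit"
        return "deny"

    def session_ended(self, pkt):
        """Temporary entries are removed when the session closes or times out."""
        for table in self.sessions.values():
            table.discard(mirror(pkt))

def established_inbound(pkt):
    """For contrast: 'permit tcp any 192.168.0.0 0.0.255.255 established' keeps no state and
    checks only the ACK/RST bit, so it cannot tell a real reply from any packet with ACK set."""
    if pkt.proto == "tcp" and pkt.ack and in_wildcard(pkt.dst, *INSIDE):
        return "permit"
    return "deny"

def demo():
    """Walk the 'initiated inside' and 'initiated outside' flows from the topology figure.
    Host and server addresses are constructed for the example."""
    fw = ReflexiveFilter()
    inside, outside = "192.168.10.10", "209.165.200.225"
    results = {}
    request = Packet("tcp", inside, outside, 51000, 80)          # initiated inside
    results["request_out"] = fw.outbound(request)
    reply = Packet("tcp", outside, inside, 80, 51000, ack=True)  # exact mirror of the request
    results["reply_in"] = fw.inbound(reply)
    probe = Packet("tcp", outside, inside, 4000, 23, ack=True)   # initiated outside, ACK bit set
    results["probe_reflexive"] = fw.inbound(probe)
    results["probe_established"] = established_inbound(probe)
    fw.session_ended(request)                                    # the session closes
    results["reply_after_close"] = fw.inbound(reply)
    return results
```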


5.4.4 Time-based ACLs

Page 1:
What are Time-based ACLs?

Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.

Time-based ACLs have many benefits, such as:

  • Offers the network administrator more control over permitting or denying access to resources.
  • Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.


5.4.4 - Time-based ACL's
The diagram depicts time-based ACL's.

Network Topology:
Two LAN's are attached to router R1. LAN 1 with PC1 and switch S1 connects to the R1 interface F0/0. PC2 and switch S2 connect to the R1 interface F0/1. The R1 interface S0/0/0 is connected to R2 via a WAN link. R2 is connected to a server. A third LAN, with PC3 and switch S3, is connected to R3, which is also connected to R2 via a WAN link.

A clock is shown with the time of 7:00 p.m. The connection from S1 to R1 has a red X on it indicating that access to R1 is not allowed at this time.

Time-based ACL's allow for access control based on the time of day and week.


Page 2:
Time Based ACL Example

Although the complete configuration details for time-based ACLs are outside the scope of this course, the following example shows the steps that are required. In the example, a Telnet connection is permitted from the inside network to the outside network on Monday, Wednesday, and Friday during business hours.

Click the Config button in the figure.

Step 1. Define the time range to implement the ACL and give it a name, EVERYOTHERDAY in this case.

Step 2. Apply the time range to the ACL.

Step 3. Apply the ACL to the interface.

The time range relies on the router system clock. The feature works best with Network Time Protocol (NTP) synchronization, but the router clock can be used.


5.4.4 - Time-based ACL's
The diagram depicts examples of time-based ACL's.

Network Topology:
Same as Diagram 1.

Configuration:
Step 1:
R1(config)#time-range EVERYOTHERDAY
R1(config-time-range)#periodic Monday Wednesday Friday 8:00 to 17:00
First, define the time range to implement the ACL and give it a name. This example uses EVERYOTHERDAY.

Step 2:
R1(config)#access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
Apply the time range to the ACL.

Step 3:
R1(config)#interface s0/0/0
R1(config-if)#ip access-group 101 out
Apply the ACL to the interface.
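The time-range and periodic statements above, as an added Python model (not IOS code and not from the course) that parses the periodic syntax, including the weekdays and daily keywords, and applies the entry of ACL 101 only while EVERYOTHERDAY is active, so that outside the window the packet falls through to the implicit deny. TimeRange, acl_101 and the inclusive treatment of the 17:00 end time are assumptions of this example.

```python
from datetime import datetime, time
from ipaddress import IPv4Address

DAY_SETS = {                      # datetime.weekday(): Monday is 0, Sunday is 6
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}

def _hhmm(text):
    """IOS accepts hours without a leading zero ('8:00'), so parse by hand."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

class TimeRange:
    """A named time-range made of 'periodic DAYS hh:mm to hh:mm' statements."""

    def __init__(self, name):
        self.name = name
        self.windows = []       # (set of weekdays, start, end)

    def add_periodic(self, stmt):
        """Parse e.g. 'periodic Monday Wednesday Friday 8:00 to 17:00' (same-day form)."""
        t = stmt.split()
        if t[0].lower() != "periodic" or len(t) < 5 or t[-2] != "to":
            raise ValueError("unsupported periodic statement: " + stmt)
        days = set()
        for word in t[1:-3]:
            days |= DAY_SETS[word.lower()]
        self.windows.append((days, _hhmm(t[-3]), _hhmm(t[-1])))
        return self

    def active(self, when):
        """True when 'when' falls inside any window (the end time is treated as inclusive)."""
        return any(when.weekday() in days and start <= when.time() <= end
                   for days, start, end in self.windows)

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard match: every 0 bit in the wildcard must equal the network bit."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care

EVERYOTHERDAY = TimeRange("EVERYOTHERDAY").add_periodic(
    "periodic Monday Wednesday Friday 8:00 to 17:00")

def acl_101(src, proto, dport, when):
    """access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
    followed by the implicit deny.  While the time range is inactive the entry is skipped
    as if it were not there, so every packet reaches the implicit deny."""
    if (proto == "tcp" and dport == 23
            and in_wildcard(src, "192.168.10.0", "0.0.0.255")
            and EVERYOTHERDAY.active(when)):
        return "permit"
    return "deny"
```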


5.4.5 Troubleshooting Common ACL Errors

Page 1:
Using the show commands described earlier reveals most of the more common ACL errors before they cause problems in your network. Hopefully, you are using a good test procedure to protect your network from errors during the development stage of your ACL implementation.

When you look at an ACL, check it against the rules you learned regarding how to build ACLs correctly. Most errors occur because these basic rules are ignored. In fact, the most common errors are entering ACL statements in the wrong order and not applying adequate criteria to your rules.

Let us look at a series of common problems and the solutions. Click each example as you read these explanations.

Click the Error # 1 button in the figure.

Host 192.168.10.10 has no connectivity with 192.168.30.12. Can you see the error in the output of the show access-lists command?

Solution - Look at the order of the ACL statements. Host 192.168.10.10 has no telnet connectivity with 192.168.30.12 because of the order of rule 10 in the access list. Because the router processes ACLs from the top down, statement 10 denies host 192.168.10.10, so statement 20 does not get processed. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, and so on).

Click the Error # 2 button in the figure.

The 192.168.10.0 /24 network cannot use TFTP to connect to the 192.168.30.0 /24 network. Can you see the error in the output of the show access-lists command?

Solution - The 192.168.10.0 /24 network cannot use TFTP to connect to the 192.168.30.0 /24 network because TFTP uses the transport protocol UDP. Statement 30 in access list 120 allows all other TCP traffic. Because TFTP uses UDP, it is implicitly denied. Statement 30 should be ip any any.

This ACL works whether it is applied to Fa0/0 of R1, S0/0/1 of R3, or S0/0/0 of R2 in the incoming direction. However, based on the rule about placing extended ACLs closest to the source, the best option is on Fa0/0 of R1 because it allows undesirable traffic to be filtered without crossing the network infrastructure.

Click the Error # 3 button in the figure.

The 192.168.10.0 /24 network can use Telnet to connect to 192.168.30.0 /24, but this connection should not be allowed. Analyze the output from the show access-lists command and see whether you can find a solution. Where would you apply this ACL?

Solution - The 192.168.10.0 /24 network can use Telnet to connect to the 192.168.30.0 /24 network, because the Telnet port number in statement 10 of access list 130 is listed in the wrong position. Statement 10 currently denies any source with a port number that is equal to Telnet trying to establish a connection to any IP address. If you want to deny Telnet traffic inbound on S0/0/1, you should deny the destination port number that is equal to Telnet, for example, deny tcp any any eq telnet.

Click the Error # 4 button in the figure.

Host 192.168.10.10 can use Telnet to connect to 192.168.30.12, but this connection should not be allowed. Analyze the output from the show access-lists command.

Solution - Host 192.168.10.10 can use Telnet to connect to 192.168.30.12 because there are no rules that deny host 192.168.10.10 or its network as the source. Statement 10 of access list 140 denies the router interface from which traffic would be departing. However, as these packets depart the router, they have a source address of 192.168.10.10 and not the address of the router interface.

As in the solution for Error 2, this ACL should be applied to Fa0/0 of R1 in the incoming direction.

Click the Error # 5 button in the figure.

Host 192.168.30.12 can use Telnet to connect to 192.168.10.10, but this connection should not be allowed. Look at the output from the show access-lists command and find the error.

Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.10.10 because the direction in which access list 150 is applied to an interface on R2 is incorrect. Statement 10 denies the source address of 192.168.30.12, but that address would only be the source if the traffic were outbound on S0/0/0, or inbound on S0/0/1.


5.4.5 - Troubleshooting Common ACL Errors
The diagram depicts troubleshooting common ACL errors.

Network Topology:
Two LAN's are attached to router R1. LAN 1 with PC1 (IP address 192.168.10.10) and switch S1 connects to the R1 interface F0/0. PC2 and switch S2 connect to the R1 interface F0/1. The R1 interface S0/0/0 is connected to the R2 interface S0/0/0 via a WAN link. R2 is connected to a server. A third LAN, with PC3 (IP address 192.168.10.10) and switch S3, is connected to R3. R3 S0/0/1 is connected to R2 S0/0/1 via a WAN link.

Error #1:
Host 192.168.10.10 has no connectivity with 192.168.30.12.

Commands for R3:
#show access-list 110
Extended IP access list 110
10 deny tcp 192.168.10.0 0.0.0.255 any
20 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
30 permit ip any any

Error #2:
The 192.168.10.0/24 network cannot use TFTP to connect to 192.168.30.0/24.

Commands for R1:
#show access-lists 120
Extended IP access list 120
10 deny tcp 192.168.10.0 0.0.255.255 any eq telnet
20 deny tcp 192.168.10.0 0.0.0.255 host 10.100.100.1 eq smtp
30 permit tcp any any

Error #3:
The 192.168.10.0/24 network can use Telnet to connect to 192.168.30.0/24, but this connection should not be allowed.

Commands for R1:
#show access-lists 130
Extended IP access list 130
10 deny tcp any eq telnet any
20 deny tcp 192.168.1.0 0.0.0.255 host 192.168.30.0 eq smtp
30 permit ip any any

Error #4:
Host 192.168.10.10 can use Telnet to connect to 192.168.30.12, but this connection should not be allowed.

Commands for R1:
#show access-lists 140
Extended IP access list 140
10 deny tcp host 192.168.10.1 any eq telnet
20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp
30 permit ip any any

Error #5:
Host 192.168.30.12 can use Telnet to connect to 192.168.10.10, but this connection should not be allowed.

Commands for R1:
#show access-lists 150
Extended IP access list 150
10 deny tcp host 192.168.30.12 any eq telnet
20 permit ip any any
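To see the first three errors mechanically, here is an added Python evaluator (not part of the course) that parses entries in the format printed by show access-lists, applies them top down with first match and the implicit deny, and runs lists 110, 120 and 130 from the figures, each beside the corrected version from the solutions, against a Telnet request and a TFTP request from 192.168.10.10 to 192.168.30.12. The parse_ace and evaluate names, the ephemeral port numbers and the packet tuples are assumptions; the parser supports only the address forms and the eq operator that these figures use.

```python
from ipaddress import IPv4Address

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")     # 'any' is network 0.0.0.0 with an all-ones wildcard

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard match: every 0 bit in the wildcard must equal the network bit."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care

def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq PORT' operator; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one entry as printed by show access-lists,
    e.g. '10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet'."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, t = _take_addr(t[3:])
    sport, t = _take_port(t)        # an 'eq' right after the source is a SOURCE port test
    dst, t = _take_addr(t)
    dport, t = _take_port(t)        # an 'eq' after the destination is a DESTINATION port test
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(ace, pkt):
    """pkt is (proto, src, dst, sport, dport); an 'ip' entry matches every protocol."""
    proto, src, dst, sport, dport = pkt
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if not in_wildcard(src, *ace["src"]) or not in_wildcard(dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    return ace["dport"] is None or ace["dport"] == dport

def evaluate(acl_text, pkt):
    """Top down, first match wins; no match is the implicit deny.
    Returns (action, sequence number), or ('deny', None) for the implicit deny."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():   # skip the 'Extended IP access list N' header
            continue
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None

# Lists 110, 120 and 130 as shown in the figures, each beside a corrected version.
ACL_110 = """Extended IP access list 110
10 deny tcp 192.168.10.0 0.0.0.255 any
20 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
30 permit ip any any"""
ACL_110_FIXED = """Extended IP access list 110
10 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
20 deny tcp 192.168.10.0 0.0.0.255 any
30 permit ip any any"""
ACL_120 = """Extended IP access list 120
10 deny tcp 192.168.10.0 0.0.255.255 any eq telnet
20 deny tcp 192.168.10.0 0.0.0.255 host 10.100.100.1 eq smtp
30 permit tcp any any"""
ACL_120_FIXED = ACL_120.replace("30 permit tcp any any", "30 permit ip any any")
ACL_130 = """Extended IP access list 130
10 deny tcp any eq telnet any
20 deny tcp 192.168.1.0 0.0.0.255 host 192.168.30.0 eq smtp
30 permit ip any any"""
ACL_130_FIXED = ACL_130.replace("10 deny tcp any eq telnet any", "10 deny tcp any any eq telnet")

# Constructed packets: a Telnet request (ephemeral source port, destination port 23),
# the server's reply to it, and a TFTP request (UDP, destination port 69).
TELNET_REQUEST = ("tcp", "192.168.10.10", "192.168.30.12", 40000, 23)
TELNET_REPLY = ("tcp", "192.168.30.12", "192.168.10.10", 23, 40000)
TFTP_REQUEST = ("udp", "192.168.10.10", "192.168.30.12", 40001, 69)
```

Running evaluate on these shows statement 10 of list 110 catching the Telnet request before statement 20, the TFTP request falling through list 120 to the implicit deny, and statement 10 of list 130 matching only the server's reply (source port 23) rather than the client's request.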


Page 2:


5.4.5 - Troubleshooting Common ACL Errors
The diagram depicts multiple activities.

Activity 1:

In this activity, you arrange the steps in the correct sequence for a dynamic ACL. A dynamic ACL is a Cisco IOS feature that allows users to open up a temporary hole in any existing ACL.

Network Topology:
The user at the PC with IP address 192.168.10.10/24 is connected to router R1. The R1 interface S0/0/0 (IP address 10.1.1.1/30) is connected to the R2 firewall interface S0/0/0 via a WAN link. R2 FA0/0 (IP address 192.168.20.20/24) is connected to a server at IP address 192.168.20.254/24.

- The user first telnets to the router and authenticates.
- If successful, the Telnet session ends, and the hole is created.
- When the hole is open, the user has access to services that are otherwise denied.
- An idle timeout or absolute timeout can be configured on the router.
- In this example, user Hannah opens a hole in the firewall on router R2. Arrange the following steps in the correct sequence.

Open Telnet session from 192.168.10.10
Username, Password please
User is Hannah, pass is it's a secret
Hannah is a valid user
Close Telnet session
Firewall Hole is Now Open!!
Permit 192.168.10.10 to any IP until timeout exceeded

Activity 2:
In this activity, you complete the following steps to allow Hannah access to the TFTP server through a dynamic ACL.

Note: You may wish to contact your instructor for assistance with this activity

Step 1: Configure a password for Hannah to use when telnetting to R2.

Step 2: Configure a dynamic ACL named LETMEIN to permit access for Hannah's IP address.

Step 3: Apply LETMEIN to interface S0/0/0.

Step 4: Configure the Telnet lines for login and auto-command timeout.

Arrange these command parts to fill in the blanks and complete the dynamic ACL configuration above.

R2(config)#BLANK BLANK
R2(config)#BLANK BLANK BLANK
R2(config)#BLANK BLANK BLANK
R2(config)#BLANK
R2(config-if)#BLANK
R2(config-if)#BLANK
R2(config-line)#BLANK
R2(config-line)#BLANK

Command Part Answers:
timeout 90
eq telnet
Permit ip
login local
access-list 101 dynamic LETMEIN
autocommand access-enable host timeout 2
host 192.168.10.10
host 192.168.20.254
Username Hannah password its a secret
ip access-group 101 in
interface s0/0/0
access-list 101 permit tcp
host 192.168.10.10
host 10.1.1.2
line vty 0 5


Activity 3:
In this activity, you complete the commands necessary to configure a reflexive ACL. Reflexive ACL's generate a new, temporary entry that permits traffic to enter your network if the traffic is part of a session initiated by an internal source.

The reflexive ACL method is much harder to spoof because more filter criteria must be matched before a packet is permitted through.

Reflexive ACL's can filter IP traffic regardless of whether that traffic uses TCP, UDP, or any other Internet protocol. Source addresses, destination addresses, and port numbers are checked.

Use the extended named ACL options reflect and evaluate to configure a reflexive ACL.

Use the following command parts to fill in the blanks and complete the reflexive ACL configuration above.

R2(config)#ip access-list extended FILTER_OUT
R2(config-ext-nacl)#BLANK
R2(config-ext-nacl)#exit
R2(config)#ip access-list extended FILTER_IN
R2(config-ext-nacl)#BLANK BLANK
R2(config-ext-nacl)#exit
R2(config)#interface s0/1/0
R2(config-if)#BLANK out
R2(config-if)#BLANK in

Command Part Answers:
ip access-group FILTER_IN
permit ip any any
Evaluate
ip access-group FILTER_OUT
Reflect GOODGUYS
GOODGUYS


Activity 4:
In this activity, you complete the commands necessary to configure a time-based ACL. Time-based ACL's are similar to extended ACL's in function, but they allow for access control based on time.

To implement time-based ACL's, you create a time range that defines specific times of the day and week.

You identify the time range with a name and then refer to it in a named ACL.

Configure R2 to block Web traffic out to the Internet during business hours from 7:00 AM to 6:00 PM (18:00) on weekdays.

Use the following command parts to fill in the blanks and complete the time-based ACL configuration above.

R2(config)#BLANK
R2(config-time-range)#BLANK
R2(config-ext-nacl)#BLANK
R2(config)#BLANK
R2(config-ext-nacl)#BLANK BLANK
R2(config-ext-nacl)#BLANK
R2(config-ext-nacl)#exit
R2(config)#interface s0/1/0
R2(config-if)#BLANK

Command Part Answers:
time-range NO_WEB
permit ip any any
Time-range NO_WEB
ip access-list extended WEB_ACCESS
Periodic weekdays 7:00 to 18:00
ip access-group WEB_ACCESS out
deny tcp any any eq 80


5.5 Chapter Labs

5.5.1 Basic Access Control Lists

Page 1:
An essential part of network security is being able to control what kind of traffic is being permitted to reach your network, and where that traffic is coming from. This lab will teach how to configure basic and extended access control lists to accomplish this goal.


5.5.1 - Basic Access Control Lists
Link to Hands-on Lab: Basic Access Control Lists


Page 2:
This activity is a variation of Lab 5.5.1. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


5.5.1 - Basic Access Control Lists
Link to Packet Tracer Exploration: Basic Access Control Lists


5.5.2 Access Control Lists Challenge

Page 1:
In the Basic Access Control List lab you configured for the first time basic and extended access control lists as a network security measure. In this lab try to set up as much network security as possible without referring back to the Basic lab. This will allow you to gauge how much you learned in the Basic lab. Where necessary check your work using either the Basic lab or the answer key provided by your instructor.


5.5.2 - Access Control Lists Challenge
Link to Hands-on Lab: Access Control Lists Challenge


Page 2:
This activity is a variation of Lab 5.5.2. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


5.5.2 - Access Control Lists Challenge
Link to Packet Tracer Exploration: Challenge Access Control Lists


5.5.3 Troubleshooting Access Control Lists

Page 1:
You work for a regional service provider that has recently experienced several security breaches. Your department has been asked to secure customer edge routers so that only the local management PCs are able to access VTY lines. To address this issue, you will configure ACLs on R2 so that networks directly connected to R3 cannot communicate to networks directly connected to R1, but still allow all other traffic.


5.5.3 - Troubleshooting Access Control Lists
Link to Hands-on Lab: Troubleshooting Access Control Lists


5.6 Chapter Summary

5.6.1 Summary

Page 1:
An ACL is a router configuration script that uses packet filtering to control whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. ACLs are among the most commonly used objects in Cisco IOS software.

There are different types of ACLs - standard, extended, named and numbered. In this chapter you learned the purpose of each of these ACL types and where they need to be placed in your network. You learned to configure ACLs on inbound and outbound interfaces. Special ACL types, dynamic, reflexive, and timed ACLs, were described. Guidelines and best practices for developing functional and effective ACLs were highlighted.

With the knowledge and skills you learned in this chapter you can now confidently, but with care, configure standard, extended, and complex ACLs, and verify and troubleshoot those configurations.


5.6.1 - Summary and Review
In this chapter, you have learned to:
- Explain how ACL's are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACL's, how ACL's are used to control access, and the types of Cisco ACL's.
- Configure standard ACL's in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACL's to filter traffic, and applying standard ACL's to router interfaces.
- Configure extended ACL's in a medium-size enterprise branch office network, including configuring extended ACL's and named ACL's, configuring filters, verifying and monitoring ACL's, and troubleshooting extended ACL issues.
- Describe complex ACL's in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACL's, verifying and troubleshooting complex ACL's, and explaining relevant caveats.


Page 2:


5.6.1 - Summary and Review
This is a review and is not a quiz. Questions and answers are provided.
Question One. List the three "P" rules associated with access control lists.
Answer:
One ACL per protocol
- To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction
- ACL's control traffic in one direction at a time on an interface. Two separate ACL's must be created to control inbound and outbound traffic.
One ACL per interface
- ACL's control traffic for an interface, for example, FastEthernet 0/0.


Question Two. List the two basic rules associated with the placement of standard and extended ACL's.
Answer:
Standard ACL's
- Because standard ACL's do not specify destination addresses, place them as close to the destination as possible.
Extended ACL's
- Locate extended ACL's as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.

Question Three. Refer to the topology description below to answer the question. ACL 10 configured on R1 is designed to block the host at 192.168.10.10 access to the 192.168.11.0 network, but all other hosts on the 192.168.10.0 network should be permitted access. However, the ACL does not accomplish this. Which changes would correct this problem?

Network Topology:
There are two LAN's with switches S1 and S2. PC1 and PC2 are interconnected by router R1. The S1 LAN is 192.168.10.0/24, and the S2 LAN is 192.168.11.0/24.
- PC1 with IP address 192.168.10.10/24 is connected to switch S1, which is connected to router R1 on its FA0/0 interface.
- PC2 with IP address 192.168.10.10/24 is connected to switch S2, which is connected to router R1 on its FA0/1 interface.
- Switch S1 IP address is 192.168.10.2/24.
- Switch S2 IP address is 192.168.11.2/24.
- R1 interface S0/0/0 is connected to network 10.1.1.0/30.

Commands used:
R1(config)#access-list 10 deny host 192.168.10.2
R1(config)#interface FA0/1
R1(config-if)#ip access-group 10 in

Answer:
On router R1
- The host address was incorrectly specified. It should have been specified as 192.168.10.10.
- Because of the implicit deny statement, the remainder of the subnet was not permitted through. The remainder of the subnet should have been permitted using the access-list 10 permit any command.
- ACL 10 should have been applied to be in an outbound direction on interface FA0/1.

Question Four. Refer to the topology description in question 3 to answer the question. The SURFING ACL should permit only hosts on the 192.168.10.0 network to have Web and secure Web access. The hosts on the 192.168.11.0 network should not be permitted any access. The BROWSING ACL should permit return access only to traffic that originated from the 192.168.10.0 network. However, the ACL's do not accomplish this. Which changes would correct this problem?

Commands used:
R1(config)#ip access-list extended SURFING
R1(config-ext-nacl)#permit tcp 192.168.10.0 0.0.0.255 any eq 23
R1(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended BROWSING
R1(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)#exit
R1(config)#interface FA0/1
R1(config-if)#ip access-group SURFING in
R1(config-if)#ip access-group BROWSING out

Answer:
On router R1
- The first permit statement of the SURFING ACL is allowing Telnet access (23). It should permit Web access (80).
- The BROWSING ACL requires the established keyword at the end.
- The ACL's have been applied to the wrong interface. They should have been applied to the serial 0/0/0 interface.
- The directions of the SURFING and BROWSING ACL's should have been reversed.

Question Five. Describe the three types of complex ACL's and their functions.
Answer:
Dynamic (Lock and Key):
- ACL's use an extended ACL to block users from traversing a router until they use Telnet or SSH to connect to the router and are authenticated.
- After being authenticated, specific dynamic ACL entries are activated on the ACL applied to the interface.
- These entries remain active for a specific period and then expire.
- This enables a user to authenticate and access resources that normally would be denied. Dynamic ACL's can be combined with other types of ACL's, such as extended ACL's.
Reflexive:
- Reflexive ACL's automatically create temporary entries based on upper layer session information.
- The entries are automatically deleted when the session ends.
Time-based:
- Time-based ACL's are similar to extended ACL's in function, but allow for access control based on time.
- A time range defines specific times of the day and week in which the ACL's are implemented.


Page 3:
In this activity, you will demonstrate your ability to configure ACLs that enforce five security policies. In addition, you will configure PPP and OSPF routing. The devices are already configured with IP addressing.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


5.6.1 - Summary and Review
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge


5.7 Chapter Quiz

5.7.1 Chapter Quiz

Page 1:


5.7.1 - Chapter Quiz
1. Which two statements correctly describe Cisco access control lists? (Choose two.)
A. Extended ACL's are created in interface configuration mode.
B. Extended ACL's filter traffic based on source and destination IP, port number, and protocol.
C. Standard IP ACL's are numbered 1 to 99, and extended IP ACL's are numbered 100 to 199.
D. Standard ACL's permit or deny traffic to specific IP addresses.
E. Standard ACL's do not permit the use of wildcard masks.

2. Which statement is correct regarding applying an access list to an interface?
A. Access lists are applied in global configuration mode.
B. Named access lists are applied using the ip access-name command.
C. Standard access lists should be applied to an interface as close as possible to the destination.
D. The command for applying access list 101 inbound is ip access-list 101.

3. Which statement is a guideline to be followed when designing access control lists?
A. Since ACL tests are executed in order, they should be organized from the most general condition to the most specific.
B. Since ACL tests are executed in order, they should be organized from the most specific condition to the most general.
C. Since all statements in an ACL are evaluated before they are executed, an explicit deny any statement must be written for an ACL to function properly.
D. Since all statements in an ACL are evaluated before they are executed, an explicit permit any statement must be written in order for an ACL to function properly.

4. Which two solutions can be implemented with ACL's? (Choose two.)
A. Segment the network to increase available bandwidth.
B. Create a firewall on a router to filter inbound traffic from an external network.
C. Control traffic entering or exiting different areas of a local network.
D. Distribute DHCP traffic to allow easier network availability.
E. Allow or deny traffic into the network based on the MAC address.

5. Match the following commands used with ACL's to their descriptions:
Commands:
ANY
show running-config
show access-list
HOST
show ip interface

Descriptions:
Substitutes for the 0.0.0.0 mask.
Indicates whether any ACL's are set on an interface.
Displays the contents of all ACL's on the router.
Represents an IP address and mask pair of 0.0.0.0 255.255.255.255.
Reveals the ACL's and interface assignments on a router.

6. Which IP address and wildcard mask will test for hosts from an entire subnet of network 192.168.12.0 using a 29-bit mask?
A. 192.168.12.56 0.0.0.15
B. 192.168.12.56 0.0.0.8
C. 192.168.12.56 0.0.0.31
D. 192.168.12.84 0.0.0.7
E. 192.168.12.84 0.0.0.3
F. 192.168.12.84 0.0.0.255

7. What kind of access list is created with the command ip access-list standard fastaccess?
A. Turbo ACL
B. Reflexive ACL
C. Named ACL
D. Dynamic ACL

8. Refer to the ACL 101 statements listed below to answer the question. This ACL already exists on the router.

ACL Statements:
Access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 8080
Access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 80
Access-list 101 deny icmp any 192.168.1.0 0.0.0.255
Access-list 101 deny icmp any 192.168.2.0 0.0.0.255
Access-list 101 permit ip any 192.168.1.0 0.0.0.255
Access-list 101 permit ip any 192.168.2.0 0.0.0.255

Question:
The network administrator wants to insert the command access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq ftp as the third line in the ACL shown. The network administrator enters the command in global configuration mode on the router. What effect does this have?
A. It inserts the line in the desired position in the ACL.
B. It inserts the line as the first statement in the ACL.
C. It inserts the line as the last statement in the ACL.
D. It deletes the entire list and replaces it with the new line only.

9. Refer to the topology description and ACL statements listed below to answer the question.

Topology Description:
There are two routers, Router1 and Router2.
Router1 is connected to Router2 with a WAN link using Router1's S0/0/0 interface.
Router1 has two LAN's, Networks 192.168.1.0/24 and 192.168.2.0/24 are connected to its Ethernet interfaces.
Router2 has one LAN. Network 192.168.3.0/24 is connected to its Ethernet interface.

ACL Statements:
Router1(config)#access-list 201 deny icmp any 192.168.1.0 0.0.0.255 any
Router1(config)#access-list 201 deny icmp any 192.168.2.0 0.0.0.255 any
Router1(config)#access-list 201 permit any any

Router1(config)#access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 8080
Router1(config)#access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 80
Router1(config)#access-list 101 deny icmp any 192.168.1.0 0.0.0.255
Router1(config)#access-list 101 deny icmp any 192.168.2.0 0.0.0.255
Router1(config)#access-list 101 permit ip any 192.168.1.0 0.0.0.255
Router1(config)#access-list 101 permit ip any 192.168.2.0 0.0.0.255

Router1(config)#int s0/0/0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#ip access-group 201 out

Question:
Which statement correctly describes how Router1 processes packets with the configuration shown?
A. Traffic exiting interface s0/0/0 is filtered by both ACL 101 and ACL 201.
B. If a packet entering interface s0/0/0 matches a condition in ACL 101, the router continues comparing the packet to the rest of the statements in ACL 101 to make sure that no other statements might also apply.
C. Router1 compares packets entering interface s0/0/0 first to all the ACL 101 statements for the IP protocol and then to all the ACL 101 statements for the ICMP protocol.
D. A packet entering interface s0/0/0 is compared to each statement in ACL 101 until one statement matches the packet. Then the router drops or forwards the packet without considering the remaining statements in ACL 101.

10. An administrator wants to implement lock-and-key access to a host within the company network for specific users who are connecting from outside the company network. What type of ACL would best suit the situation?
A. Dynamic
B. Reflexive
C. Extended
D. Time-based

11. What type of ACL should the network administrator implement to limit Internet traffic during peak hours of the day?
A. Dynamic
B. Policy-based
C. Reflexive
D. Time-based

12. Which statement correctly describes a reflexive access list?
A. An ACL that allows IP traffic for sessions originating from inside the network, while denying traffic for sessions originating from the outside.
B. An ACL that controls traffic based on the time.
C. An ACL that uses an extended list to block users from traversing a router until they are authenticated.
D. An ACL that only identifies the source of traffic.

13. Categorize the following descriptions with the appropriate ACL type.
Descriptions:
Only checks source address.
Access list numbers 100 to 199.
Checks protocol and port numbers.
Only permits or denies entire protocols based on the network address.
Access list numbers 1 to 99.
Checks source and destination addresses.

Categories:
Standard IP ACL
Extended IP ACL

14. Assuming the following ACL is correctly applied to a router interface, which two statements describe traffic on the network? (Choose two.)

access-list 199 deny tcp 178.15.0.0 0.0.255.255 any eq 23
access-list 199 permit ip any any

A. All FTP traffic from network 178.15.0.0 will be permitted.
B. All Telnet traffic destined for network 178.15.0.0 will be denied.
C. Telnet and FTP will be permitted from all hosts on network 178.15.0.0 to any destination.
D. Telnet will not be permitted from any hosts on network 178.15.0.0 to any destination.
E. Telnet will not be permitted to any host on network 178.15.0.0 from any destination.
