An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of a network. ACLs can be configured for all routed network protocols.
IP ACL Operation
When configured, ACLs perform the following tasks:
- Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
- Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
- Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
- Filter traffic based on traffic type. For example, an ACL can permit email traffic but block all Telnet traffic.
- Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to services such as FTP or HTTP.
To evaluate network traffic, the ACL extracts the following information from the Layer 3 packet header:
- Source IP address
- Destination IP address
- ICMP message type
The ACL can also extract upper-layer information from the Layer 4 header, including:
- TCP/UDP source port
- TCP/UDP destination port
Types of ACLs
Standard ACL
Standard ACLs match packets by examining the source IP address field in the IP header of that packet.
Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]
ACL Number: 1-99 or 1300-1999
Operation: permit or deny
Source IP address
Source-wildcard mask
Extended ACL
Extended ACLs filter IP packets based on several attributes, including the following:
- Source and destination IP address
- Source and destination TCP and UDP ports
- Protocol type/protocol number (IP, ICMP, UDP, TCP, etc.)
Router(config)# access-list {100-199} {permit | deny} protocol source-addr
[source-wildcard] [operator operand] destination-addr [destination-wildcard]
[operator operand] [established]
ACL Number: 100-199 or 2000-2699
Operation: permit or deny
Protocol type: IP, ICMP, TCP, UDP
Source IP address and source-wildcard mask: determine where the traffic originates
Destination IP address and destination-wildcard mask: indicate the final destination of the network traffic
Operator: eq, gt, lt,
Once the standard or extended numbered IP ACL is created, the administrator must apply it to the appropriate interface.
Router(config-if)# ip access-group access-list-number {in | out}
This is the command to apply the ACL to a vty line:
Router(config-line)# access-class access-list-number {in | out}
Named ACL
It is possible to create a named ACL instead of a numbered ACL. Named ACLs must be specified as either standard or extended.
Router(config)# ip access-list [standard | extended] name_of_ACL
Executing this command places a user into sub-configuration mode where permit and deny commands are entered. The permit and deny commands have the same basic syntax as those in the numbered IP ACL commands.
A standard named ACL can use deny and permit statements.
Router(config-std-nacl)# deny {source [source-wildcard] | any}
Router(config-std-nacl)# permit {source [source-wildcard] | any}
An extended named ACL offers additional parameters.
Router(config-ext-nacl)# {permit | deny} protocol source-addr [source-wildcard]
[operator operand] destination-addr [destination-wildcard] [operator operand]
[established]
One advantage of named ACLs is that an administrator can delete a specific entry by entering ACL sub-configuration mode and prefacing the command with the no parameter.
At the end of an ACL statement, the administrator has the option to configure the log parameter.
R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0
0.0.0.255 eq 22 log
When this parameter is configured and the Cisco IOS software matches a packet against the statement, the router logs the match to any enabled logging facility, such as the console, the internal buffer of the router, or a syslog server. Several pieces of information are logged:
■ Action - permit or deny
■ Protocol - TCP, UDP, or ICMP
■ Source and destination addresses
■ For TCP and UDP - source and destination port numbers
■ For ICMP - message types
Log messages are generated on the first packet match and then at five minute intervals after that first packet match.
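Because the first match and each later five-minute interval produce a separate message, a defender collecting these logs usually wants to parse them into fields and sum the per-interval counts per flow. The following is an added example, not code from the original page or from Cisco: a small Python parser over constructed sample lines whose shape is assumed to follow the IOS IPACCESSLOGP (TCP/UDP) and IPACCESSLOGDP (ICMP) messages; the ACL number, addresses, ports and counts in the samples are made up.

```python
"""Parse ACL log messages and total denied packets per flow (added example)."""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample lines (not captured from a real router). Their layout is
# assumed to follow the IOS IPACCESSLOGP / IPACCESSLOGDP messages: the first
# message for a flow reports 1 packet, later ones report the packets matched
# during the preceding five-minute interval.
SAMPLE_LOG = """\
*Mar  1 00:12:31.005: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(41234) -> 192.168.2.5(22), 1 packet
*Mar  1 00:12:44.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(51000) -> 192.168.2.5(23), 1 packet
*Mar  1 00:17:44.130: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(51000) -> 192.168.2.5(23), 37 packets
*Mar  1 00:18:02.777: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.9.9.9 -> 192.168.2.5 (8/0), 4 packets
"""

# Fields the page lists: action, protocol, addresses, TCP/UDP ports, ICMP type.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the logged fields of one message, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "icmp_type": int(d["itype"]) if d["itype"] else None,
        "count": int(d["count"]),
    }


def denied_totals(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Sum denied packet counts per (source, destination, service).

    Each interval message carries only the packets seen since the previous
    message for that flow, so adding the counts gives the flow total.
    """
    totals: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        # Service key: destination port for TCP/UDP, message type for ICMP.
        service = rec["dport"] if rec["dport"] is not None else rec["icmp_type"]
        key = (rec["src"], rec["dst"], f"{rec['proto']}/{service}")
        totals[key] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for flow, packets in denied_totals(SAMPLE_LOG).items():
        print(flow, packets)
```

A regex that does not match returns None rather than raising, so lines from other facilities on the same syslog collector are skipped instead of aborting the run.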
Several caveats should be considered when working with ACLs:
- Implicit deny all - All Cisco ACLs end with an implicit "deny all" statement. Even if this statement is not apparent in an ACL, it is there.
- Standard ACL packet filtering - Standard ACLs are limited to packet filtering based on source addresses only. Extended ACLs might need to be created to fully implement a security policy.
- Order of statements - ACLs have a policy of first match. When a statement is matched, the list is no longer examined. Certain ACL statements are more specific than others and, therefore, must be placed higher in the ACL. For example, blocking all UDP traffic at the top of the list negates a statement lower in the list that allows SNMP packets, which use UDP. An administrator must ensure that statements at the top of the ACL do not negate any statements found lower.
- Directional filtering - Cisco ACLs have a directional filter that determines whether inbound packets (toward the interface) or outbound packets (away from the interface) are examined. An administrator should double-check the direction of data that an ACL is filtering.
- Modifying ACLs - When a router compares a packet to an ACL, the ACL entries are examined from the top down. When a router locates a statement with matching criteria, the ACL processing stops and the packet is either permitted or denied based on the ACL entry. When new entries are added to an ACL, they are always added to the bottom. This can render new entries unusable if a previous entry is more general. For example, if an ACL has an entry that denies network 172.16.1.0/24 access to a server in one line, but the next line down permits a single host, host 172.16.1.5, access to that same server, that host will still be denied. This is because the router matches packets from 172.16.1.5 to the 172.16.1.0/24 network and denies the traffic without reading the next line. When a new statement renders the ACL unusable, a new ACL must be created with the correct statement ordering. The old ACL should be deleted, and the new ACL assigned to the router interface. If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that a new statement is being added to the ACL in the correct location. The ACL is processed top-down based on the sequence numbers of the statements (lowest to highest).
- Special packets - Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
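The extended ACL syntax above and the ordering and sequence-number caveats in this list are easiest to check by simulating the match logic. The following is an added example, not Cisco code or anything from the original page: a Python model of wildcard-mask matching, top-down first match, the implicit deny, and sequence-numbered insertion. It replays the page's 172.16.1.0/24 versus host 172.16.1.5 case and the permit tcp ... eq 22 statement; the server address 10.1.1.100 and the sample packets are constructed, and the model handles only the eq/gt/lt operators on the destination port.

```python
"""Model of Cisco-style ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS keyword "any" is address 0.0.0.0 with wildcard 255.255.255.255.
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    """IOS keyword "host A.B.C.D" equals A.B.C.D with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    op: Optional[str] = None    # "eq", "gt" or "lt" on the destination port
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.op is None:
            return True
        if p.dport is None:
            return False
        return {"eq": p.dport == self.port,
                "gt": p.dport > self.port,
                "lt": p.dport < self.port}[self.op]


class Acl:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, action: str, proto: str, src: Tuple[str, str], dst: Tuple[str, str],
            op: Optional[str] = None, port: Optional[int] = None,
            seq: Optional[int] = None) -> None:
        """Without a sequence number the entry goes to the bottom (next multiple of 10,
        as IOS does); with one it is placed in sequence order."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(seq, action, proto, src, dst, op, port))
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Top-down first match; falling off the end is the implicit deny (seq None)."""
        for e in self.entries:
            if e.matches(p):
                return e.action, e.seq
        return "deny", None


def ordering_caveat():
    """The page's example: a /24 deny added first shadows a later host permit."""
    acl = Acl()
    acl.add("deny", "ip", ("172.16.1.0", "0.0.0.255"), host("10.1.1.100"))   # seq 10
    acl.add("permit", "ip", host("172.16.1.5"), host("10.1.1.100"))           # seq 20
    pkt = Packet("172.16.1.5", "10.1.1.100", "tcp", 443)
    shadowed = acl.evaluate(pkt)
    # Fix: give the host permit a sequence number lower than the deny.
    acl.add("permit", "ip", host("172.16.1.5"), host("10.1.1.100"), seq=5)
    fixed = acl.evaluate(pkt)
    implicit = acl.evaluate(Packet("192.168.9.9", "10.1.1.100", "tcp", 443))
    return shadowed, fixed, implicit


def extended_example():
    """access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22"""
    acl = Acl()
    acl.add("permit", "tcp", ("192.168.1.0", "0.0.0.255"),
            ("192.168.2.0", "0.0.0.255"), "eq", 22)
    ssh = acl.evaluate(Packet("192.168.1.10", "192.168.2.5", "tcp", 22))
    telnet = acl.evaluate(Packet("192.168.1.10", "192.168.2.5", "tcp", 23))
    return ssh, telnet


if __name__ == "__main__":
    print(ordering_caveat())
    print(extended_example())
```

The evaluator returns the sequence number of the matching entry, which is the value to inspect when a new statement appears to have no effect: a hit on an earlier, more general entry is the shadowing case the page describes, and a None means the packet fell through to the implicit deny.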