Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
An access list is essentially a list of conditions that categorize packets. They can be really helpful
when you need to exercise control over network traffic. An access list would be your tool of
choice for decision making in these situations.
One of the most common and easiest to understand uses of access lists is filtering
unwanted packets when implementing security policies. For example, you can set them up
to make very specific decisions about regulating traffic patterns so that they’ll allow only
certain hosts to access web resources on the Internet while restricting others. With the right
combination of access lists, network managers arm themselves with the power to enforce
nearly any security policy they can invent.
Access lists can even be used in situations that don’t necessarily involve blocking packets.
For example, you can use them to control which networks will or won’t be advertised by
dynamic routing protocols. How you configure the access list is the same. The difference here
is simply how you apply it—to a routing protocol instead of an interface. When you apply an
access list in this way, it’s called a distribute list, and it doesn’t stop routing advertisements,
it just controls their content. You can also use access lists to categorize packets for queuing or
QoS-type services and for controlling which types of traffic can activate an ISDN link.
Creating access lists is really a lot like programming a series of if-then statements—if a
given condition is met, then a given action is taken. If the specific condition isn’t met, nothing
happens and the next statement is evaluated. Access-list statements are basically packet filters
that packets are compared against, categorized by, and acted upon accordingly. Once the lists
are built, they can be applied to either inbound or outbound traffic on any interface. Applying
an access list causes the router to analyze every packet crossing that interface in the specified
direction and take the appropriate action.
There are a few important rules that a packet follows when it’s being compared with an
access list:
It’s always compared with each line of the access list in sequential order—that is, it’ll
always start with the first line of the access list, then go to line 2, then line 3, and so on.
It’s compared with lines of the access list only until a match is made. Once the packet
matches the condition on a line of the access list, the packet is acted upon and no further
comparisons take place.
There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t
match the condition on any of the lines in the access list, the packet will be discarded.
Each of these rules has some powerful implications when filtering IP packets with access
lists, so keep in mind that creating effective access lists truly takes some practice.
There are two main types of access lists:
Standard access lists
These use only the source IP address in an IP packet as the condition
test. All decisions are made based on the source IP address. This means that standard access
lists basically permit or deny an entire suite of protocols. They don’t distinguish among any
of the many types of IP traffic such as web, Telnet, UDP, and so on.
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3
and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the
protocol field in the Network layer header, and the port number at the Transport layer header.
This gives extended access lists the ability to make much more granular decisions when controlling
traffic.
Named access lists
Hey, wait a minute—I said there were two types of access lists but listed
three! Well, technically there really are only two since named access lists are either standard or
extended and not actually a new type. I’m just distinguishing them because they’re created and
referred to differently than standard and extended access lists, but they’re functionally the same.
Once you create an access list, it’s not really going to do anything until you apply it. Yes,
they’re there on the router, but they’re inactive until you tell that router what to do with them.
To use an access list as a packet filter, you need to apply it to an interface on the router where
you want the traffic filtered. And you’ve got to specify which direction of traffic you want the
access list applied to. There’s a good reason for this—you may want different controls in place
for traffic leaving your enterprise destined for the Internet than you’d want for traffic coming
into your enterprise from the Internet. So, by specifying the direction of traffic, you can—and
frequently you’ll need to—use different access lists for inbound and outbound traffic on a
single interface:
Inbound access lists
When an access list is applied to inbound packets on an interface, those
packets are processed through the access list before being routed to the outbound interface.
Any packets that are denied won’t be routed because they’re discarded before the routing process
is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface,
those packets are routed to the outbound interface and then processed through the access list
before being queued.
There are some general access-list guidelines that should be followed when you’re creating
and implementing access lists on a router:
You can assign only one access list per interface per protocol per direction. This means
that when creating IP access lists, you can have only one inbound access list and one outbound
access list per interface.
When you consider the implications of the implicit deny at the end of any
access list, it makes sense that you can’t have multiple access lists applied
on the same interface in the same direction for the same protocol. That’s
because any packets that don’t match some condition in the first access list
would be denied, and there wouldn’t be any packets left over to compare
against a second access list.
Organize your access lists so that the more specific tests are at the top of the access list.
Anytime a new entry is added to the access list, it will be placed at the bottom of the list.
Using a text editor for access lists is highly suggested.
You cannot remove one line from an access list. If you try to do this, you will remove the
entire list. It is best to copy the access list to a text editor before trying to edit the list. The
only exception is when using named access lists.
Unless your access list ends with a permit any command, all packets will be discarded
if they do not meet any of the list’s tests. Every list should have at least one permit statement
or it will deny all traffic.
Create access lists and then apply them to an interface. An interface that references an
access list that has not yet been created will not filter traffic.
Access lists are designed to filter traffic going through the router. They will not filter traffic
that has originated from the router.
Place IP standard access lists as close to the destination as possible. This is the reason we
don’t really want to use standard access lists in our networks. You cannot put a standard
access list close to the source host or network because you can only filter based on source
address and nothing would be forwarded.
Place IP extended access lists as close to the source as possible. Since extended access lists
can filter on very specific addresses and protocols, you don’t want your traffic to traverse
the entire network and then be denied. By placing this list as close to the source address
as possible, you can filter traffic before it uses up your precious bandwidth.
Exam Objectives
Remember the standard and extended IP access-list number ranges. The numbered ranges
you can use to configure a standard IP access list are 1–99 and 1300–1999. The numbered
ranges for an extended IP access list are 100–199 and 2000–2699.
Understand the term “implicit deny.” At the end of every access list is an implicit deny.
What this means is that if a packet does not match any of the lines in the access list, then it will
be discarded. Also, if you have nothing but deny statements in your list, then the list will not
permit any packets.
Understand the standard IP access-list configuration command. To configure a standard
IP access list, use the access-list numbers 1–99 or 1300–1999 in global configuration mode.
Choose permit or deny, then choose the source IP address you want to filter on using one of
the three techniques covered earlier.
Understand the extended IP access-list configuration command. To configure an extended
IP access list, use the access-list numbers 100–199 or 2000–2699 in global configuration
mode. Choose permit or deny, the Network layer protocol field, the source IP address you
want to filter on, the destination address you want to filter on, and finally the Transport layer
port number (if selected).
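The matching rules, number ranges and statement syntax described above, worked through as an added example in Python (this is not code from the original text or from Cisco): a hypothetical parse_acl/evaluate pair reads numbered access-list lines in IOS syntax and returns the first-match decision for a packet, falling back to the implicit deny when no line matches.

```python
import ipaddress

# Constructed example (not IOS code): an evaluator for Cisco-style numbered access-list
# lines. Standard lists (1-99, 1300-1999) test the source address only; extended lists
# (100-199, 2000-2699) also test protocol, destination and a numeric destination port ("eq N").
ANY = (0, 0xFFFFFFFF)  # base 0.0.0.0 with an all-ones wildcard matches every address

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (no wildcard means 0.0.0.0)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return _ip(tokens.pop(0)), 0
    wildcard = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return _ip(first), _ip(wildcard)

def _matches(addr, spec):
    # A 1 bit in a Cisco wildcard mask means "don't care", so only the 0 bits are compared.
    base, wildcard = spec
    return (_ip(addr) | wildcard) == (base | wildcard)

def parse_acl(lines):
    """Return (action, protocol, src_spec, dst_spec, dst_port) tuples in the order given."""
    entries = []
    for line in lines:
        tok = line.split()  # e.g. access-list 110 deny tcp any host 172.16.30.5 eq 23
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            entries.append((action, "ip", _parse_addr(rest), ANY, None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:
            proto = rest.pop(0)
            src, dst = _parse_addr(rest), _parse_addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append((action, proto, src, dst, port))
        else:
            raise ValueError("not an IP access-list number: %d" % number)
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None):
    """Compare a packet top to bottom: the first matching line decides, else implicit deny."""
    for line_no, (action, p, s, d, port) in enumerate(entries, 1):
        proto_ok = p == "ip" or p == proto
        port_ok = port is None or port == dport
        if proto_ok and port_ok and _matches(src, s) and _matches(dst, d):
            return action, line_no
    return "deny", None  # nothing matched: the implicit deny at the end of every list
```

Reversing the two lines of an extended list that starts with a specific deny and ends with permit ip any any shows why the more specific tests belong at the top: the permit line matches first and the deny is never reached.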