•Instructor Materials Chapter 7: Access Control Lists CCNA Routing and Switching Routing and Switching Essentials v6.0 Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 7: Access Control Lists ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §This PowerPoint deck is divided in two parts: §Instructor Planning Guide •Information to help you become familiar with the chapter •Teaching aids §Instructor Class Presentation •Optional slides that you can use in the classroom •Begins on slide # 12 § §Note: Remove the Planning Guide from this presentation before sharing with anyone. Instructor Materials – Chapter 7 Planning Guide ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Chapter 7: Access Control Lists Routing and Switching Essentials 6.0 Planning Guide Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 7: Access Control Lists ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential •What activities are associated with this chapter? • • • Chapter 7: Activities Page # Activity Type Activity Name Optional? 7.1.1.4 Packet Tracer ACL Demonstration Recommended 7.1.2.6 Interactive Activity Determine the Correct Wildcard Mask Recommended 7.1.2.7 Interactive Activity Determine the Permit or Deny Recommended 7.1.3.3 Interactive Activity ACL Operation Recommended 7.2.1.5 Interactive Activity Configuring Standard IPv4 ACLs Recommended 7.2.1.6 Packet Tracer Configuring Numbered Standard IPv4 ACLs Recommended 7.2.1.7 Packet Tracer Configuring Named Standard IPv4 ACLs Recommended 7.2.2.6 Lab Configuring and Modifying Standard IPv4 ACLs Optional 7.2.3.1 Syntax Checker Secure VTY Lines with a Standard IPv4 ACL Recommended 7.2.3.3 Packet Tracer Configuring an IPv4 ACL on VTY Lines Recommended ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential •What activities are associated with this chapter? • • • Chapter 7: Activities (Cont.) Page # Activity Type Activity Name Optional? 7.2.3.4 Lab Configuring and Verifying VTY Restrictions Optional 7.3.2.4 Packet Tracer Troubleshooting Standard IPv4 ACLs Recommended 7.4.1.1 Activity FTP Denied Optional 7.4.1.2 Packet Tracer Skills Integration Challenge Recommended ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §Students should complete Chapter 7, “Assessment” after completing Chapter 7. §Quizzes, labs, Packet Tracers and other activities can be used to informally assess student progress. Chapter 7: Assessment ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential •Prior to teaching Chapter 7, the instructor should: §Complete Chapter 7, “Assessment.” §The objectives of this chapter are: •Explain how ACLs filter traffic. •Explain how ACLs use wildcard masks. •Explain how to create ACLs. •Explain how to place ACLs. •Configure standard IPv4 ACLs to filter traffic to meet networking requirements. •Use sequence numbers to edit existing standard IPv4 ACLs. •Configure a standard ACL to secure VTY access. •Explain how a router processes packets when an ACL is applied. •Troubleshoot common standard IPv4 ACL errors using CLI commands. • § § Chapter 7: Best Practices ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §The best way to learn access lists are to configure them and troubleshoot. Make this chapter as hands-on as possible. §Provide lots of examples and ask students to determine what will happen based on how the access-lists are configured. For example: •What are each of these access-lists doing? •Are they configured in the direction and on the right interface? •Which devices are affected? §It is important to mention to students that routers do not apply ACLs on themselves, therefore, any traffic that originates on the router will not apply the ACLs on that traffic. §7.1.1.2 •Standard ACLs only filter at Layer 3. Extended ACLs filter at Layers 3 and Layer 4. •Extended ACLs are beyond the scope of this course. § § Chapter 7: Best Practices (Cont.) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §7.1.2.2 •Work through lots of examples of ACL wildcard masking. §7.2.2.1 •Mention to students that when using the no access-list command, different IOS software releases behave differently. •If the ACL that has been deleted is still applied to an interface, some IOS versions act as if no ACL is protecting your network while others deny all traffic. •It is good practice to remove the reference to the access list from the interface before modifying the access list. •If there is an error in the new list, disable it and troubleshoot the problem so you can correct the issue without the ACL configured. §7.2.2.3 •Discuss best practices for numbering ACLs and leaving room for edits/additions • Chapter 7: Best Practices (Cont.) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §For additional help with teaching strategies, including lesson plans, analogies for difficult concepts, and discussion topics, visit the CCNA Community at: https://www.netacad.com/group/communities/community-home §Best practices from around the world for teaching CCNA Routing and Switching. https://www.netacad.com/group/communities/ccna §If you have lesson plans or resources that you would like to share, upload them to the CCNA Community in order to help other instructors. §Students can enroll in Introduction to Packet Tracer (self-paced) Chapter 7: Additional Help Chapter 7: Access Control Lists CCNA Routing and Switching Routing and Switching Essentials v6.0 Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 7: Access Control Lists ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §7.1 ACL Operation •Explain the purpose and operation of ACLs in small to medium-sized business networks. •Explain how ACLs filter traffic. •Explain how ACLs use wildcard masks. •Explain how to create ACLs. •Explain how to place ACLs. §7.2 Standard IPv4 ACLs •Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business network. •Configure standard IPv4 ACLs to filter traffic to meet networking requirements. •Use sequence numbers to edit existing standard IPv4 ACLs. •Configure a standard ACL to secure VTY access. Chapter 7 - Sections & Objectives Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 7: Access Control Lists ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential §7.3 Troubleshoot ACLs •Troubleshoot IPv4 ACL issues. •Explain how a router processes packets when an ACL is applied. •Troubleshoot common standard IPv4 ACL errors using CLI commands. • Chapter 7 - Sections & Objectives (Cont.) Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 7: Access Control Lists ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7.1 ACL Operation 7- Access Control Lists 7.1 – IOS Bootcamp ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Purpose of ACLs What is an ACL? §An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header. ACLs are not configured by default on a router. §ACL's can perform the following tasks: •Limit network traffic to increase network performance. For example, video traffic could be blocked if it's not permitted. •Provide traffic flow control. ACLs can help verify routing updates are from a known source. •ACLs provide security for network access and can block a host or a network. •Filter traffic based on traffic type such as Telnet traffic. •Screen hosts to permit or deny access to network services such as FTP or HTTP. • • • • • • • • 7.1 – ACL Operation 7.1.1 – Purpose of ACLs 7.1.1.1 – What is an ACL? ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Purpose of ACLs Packet Filtering §An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). •ACEs are commonly called ACL statements. §When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This is referred to as packet filtering. §Packet Filtering: •Can analyze incoming and/or outgoing packets. •Can occur at Layer 3 or Layer 4. §The last statement of an ACL is always an implicit deny. This is automatically inserted at the end of each ACL and blocks all traffic. Because of this, all ACLs should have at least one permit statement. • § • • • • • • • • 7.1 – ACL Operation 7.1.1 – Purpose of ACLs 7.1.1.2 – Packet Filtering ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Purpose of ACLs ACL Operation §ACLs do not act on packets that originate from the router itself. •ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. §ACLs can be configured to apply to inbound traffic and outbound traffic: •Inbound ACLs – Incoming packets are processed before they are routed to the outbound interface. •Outbound ACLs – Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. § • § • • • • • • • • 7.1 – ACL Operation 7.1.1 – Purpose of ACLs 7.1.1.3 – ACL Operation ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Purpose of ACLs Packet Tracer – ACL Demonstration §In this Packet Tracer activity, you will observe how an ACL can be used to prevent a ping from reaching hosts on a network. §After removing the ACL from the configuration, the pings will be successful. § • § • • • • • • • • 7.1 – ACL Operation 7.1.1 – Purpose of ACLs 7.1.1.4 – Packet Tracer – ACL Demonstration ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Wildcard Masks in ACLs Introducing ACL Wildcard Masking §IPv4 ACEs require the use of wildcard masks. §A wildcard mask is a string of 32 binary digits (1s and 0s) used by the router to determine which bits of the address to examine for a match. §Wildcard masks are often referred to as an inverse mask since unlike a subnet mask where a binary 1 is a match, a binary 0 is a match with wildcard masks. For example: § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.2 – Wildcard Masks in ACLs 7.1.2.1 - Introducing ACL Wildcard Masking ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Wildcard Masks in ACLs Wildcard Mask Examples §Calculating the wildcard mask to match IPV4 subnets takes practice. In the first to the left: •Example 1: The wildcard mask stipulates that every bit in the IPv4 192.168.1.1 address must match exactly. •Example 2: The wildcard mask stipulates that anything will match. •Example 3: The wildcard mask stipulates that any host within the 192.168.1.0/24 network will match. • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.2 – Wildcard Masks in ACLs 7.1.2.2 - Wildcard Mask Examples ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Wildcard Masks in ACLs Calculating the Wildcard Mask §Calculating wildcard mask examples: •Example 1: Assume you want to permit access to all users in the 192.168.3.0 network with the subnet mask of 255.255.255.0. Subtract the subnet from 255.255.255.255 and the result is: 0.0.0.255. •Example 2: Assume you want to permit network access for the 14 users in the subnet 192.168.3.32/28 with the subnet mask of 255.255.255.240. After subtracting the subnet maks from 255.255.255.255, the result is 0.0.0.15. •Example 3: Assume you want to match only networks 192.168.10.0 and 192.168.11.0 with the subnet mask of 255.255.254.0. After subtracting the subnet mask from 255.255.255.255, the result is 0.0.1.255. • • § • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.2 – Wildcard Masks in ACLs 7.1.2.3 - Calculating the Wildcard Mask ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Wildcard Masks in ACLs Wildcard Mask Keywords §To make wildcard masks easier to read, the keywords host and any can help identify the most common uses of wildcard masking. •host substitutes for the 0.0.0.0 mask •any substitutes for the 255.255.255.255 mask §If you would like to match the 192.169.10.10 address, you could use 192.168.10.10 0.0.0.0 or, you can use: host 192.168.10.10 §In Example 2, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself. • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.2 – Wildcard Masks in ACLs 7.1.2.4 - Wildcard Mask Keywords ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Wildcard Masks in ACLs Wildcard Mask Keyword Examples §Example 1 in the figure demonstrates how to use the any keyword to substitute the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255. §Example 2 demonstrates how to use the host keyword to substitute for the wildcard mask when identifying a single host. • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.2 – Wildcard Masks in ACLs 7.1.2.5 - Wildcard Mask Keyword Examples ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Guidelines for ACL Creation General Guidelines for Creating ACLs §Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. §Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network. §Configure ACLs on border routers such as those situated at the edge of your network. This will provide a basic buffer from the outside network that is less controlled. §Configure ACLs for each network protocol configured on the border router interfaces. • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.3 – Guidelines for ACL Creation 7.1.3.1 - General guidelines for Creating ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Guidelines for ACL Creation ACL Best Practices §Using ACLs requires significant attention to detail. Mistakes can be very costly in terms of downtime, troubleshooting efforts, and poor network performance. • § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.3 – Guidelines for ACL Creation 7.1.3.2 - ACL Best Practices ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Guidelines for ACL Creation General Guidelines for Creating ACLs §The proper placement of an ACL can make the network operate more efficiently. For example, and ACL can be placed to reduce unnecessary traffic. §Every ACL should be placed where it has the greatest impact on efficiency. •Extended ACLs – Configure extended ACLs as close as possible to the source of the traffic to be filtered. This will prevent undesirable traffic as close to the source without it crossing the network infrastructure. •Standard ACLs – Since standard ACLs do not specify destination addresses, they should be configured as close to the destination as possible. § § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.4 – Guidelines for ACL Placement 7.1.4.1 – Where to Place ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Guidelines for ACL Creation Standard ACL Placement §This example demonstrates the proper placement of the standard ACL that is configured to block traffic from the 192.168.10.0/24 network to the 192.168.30.0/24 network. §There are two possible places to configure the access-list on R3. §If the access-list is applied to the S0/0/1 interface, it will block traffic to the 192.168.30.0/24 network, but also, going to the 192.168.31.0/24 network. §The best place to apply the access list is on R3’s G0/0 interface. The access-list list should be applied to traffic exiting the G0/0 interface. Packets from 192.168.10.0/24 can still reach 192.168.31.0/24. § § § • § • • • • • • • • 7.1 – ACL Operation 7.1.4 – Guidelines for ACL Placement 7.1.4.2 – Standard ACL Placement ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7.2 Standard IPv4 ACLs 7- Access Control Lists 7.2 – Standard IPv4 ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Numbered Standard IPv4 ACL Syntax §The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99. §The full syntax of the standard ACL command is as follows: Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ] To remove the ACL, the global configuration no access-list command is used. Use the show access-list command to verify the removal of the ACL. • § • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.1 – Numbered Standard IPv4 ACL Examples ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Applying Standard IPv4 ACLs to Interfaces §After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode: Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out } §To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. • § • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.2 – Applying Standard IPv4 ACLs to Interfaces ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Numbered Standard IPv4 ACL Examples §The figure to the left shows an example of an ACL that permits traffic from a specific subnet but denies traffic from a specific host on that subnet. •The no access-list 1 command deletes the previous version of ACL 1. •The next ACL statement denies the host 192.168.10.10. •What is another way to write this command without using host? •All other hosts on the 192.168.10.0/24 network are then permitted. •There is an implicit deny statement that matches every other network. •Next, the ACL is reapplied to the interface in an outbound direction. • • • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.3 – Numbered Standard IPv4 ACL Examples ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Numbered Standard IPv4 ACL Examples (Cont.) §This next example demonstrates an ACL that denies a specific host but will permit all other traffic. •The first ACL statement deletes the previous version of ACL 1. •The next command, with the deny keyword, will deny traffic from the PC1 host that is located at 192.168.10.10. •The access-list 1 permit any statement will permit all other hosts. •This ACL is applied to interface G0/0 in the inbound direction since it only affects the 192.168.10.0/24 LAN. • § • • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.3 – Numbered Standard IPv4 ACL Examples ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Named Standard IPv4 ACL Syntax §Identifying an ACL with a name rather than with a number makes it easier to understand its function. §The example to the left shows how to configured a named standard access list. Notice how the commands are slightly different: •Use the ip access-list command to create a named ACL. Names are alphanumeric, case sensitive, and must be unique. •Use permit or deny statements as needed. You can also use the remark command to add comments. •Apply the ACL to an interface using the ip access-group name command. • • • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.4 – Named Standard IPv4 ACL Syntax ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Packet Tracer – Configuring Numbered Standard IPv4 ACLs §This Packet Tracer Activity will allow you to practice defining filtering criteria and configuring standard ACLs in a preconfigured network. §Verification of the configured and applied ACLs will also be required. § • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.6 – Packet Tracer – Configuring Numbered Standard IPv4 ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Standard IPv4 ACLs Packet Tracer – Configuring Named Standard IPv4 ACLs §This Packet Tracer activity will require you to configure a standard named ACL. §You will be required to test the ACL after applying it to the appropriate interface. § • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.1 – Configure Standard IPv4 ACLs 7.2.1.7 – Packet Tracer – Configuring Named Standard IPv4 ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs Method 1 – Use a Text Editor §It is sometimes easier to create and edit ACLs in a text editor such as Microsoft Notepad rather making changes directly on the router. §For an existing ACL, use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and then paste it back in to the router interface. §It is important to note that when using the no access-list command, different IOS software releases act differently. •If the ACL that has been deleted is still applied to the interface, some IOS versions act as if no ACL is protecting your network while others deny all traffic. • • • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.1 – Method 1 – Use a Text Editor ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs Method 2 – Use Sequence Numbers §The figure to the left demonstrates the steps used to make changes to a numbered ACL using sequence numbers. §Step 1 identifies the problem. The deny 192.168.10.99 statement is incorrect. The host to deny should be 192.168.10.10 §To make the edit, Step 2 shows how to go into standard access-list 1 and make the change. The misconfigured statement had to be deleted with the no command: no 10 §Once it was deleted, the new statement with the correct host was added: 10 deny host 192.168.10.10 • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.2 – Method 2 – Use Sequence Numbers ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs Editing Standard Named ACLs §By referring to statement sequence numbers, individual statements can be easily inserted or deleted. §The figure to the left shows an example of how to insert a line into a named ACL. §By numbering it 15, it will place the command in between statement 10 and 20. §Please notice that when the ACL was originally created, the network administrator spaced each command by 10 which left room for edits and additions. § § § • • • §The no sequence-number named ACL command is used to delete individual statements. § § § § • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.3 – Editing Standard Named ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs Verifying ACLs §Use the show ip interface command to verify that the ACL is applied to the correct interface. §The output will display the name of the access list and the direction in which it was applied to the interface. §Use the show access-lists command to display the access-lists configured on the router. §Notice how the sequence is displayed out of order for the NO_ACCESS access list. This will be discussed later in this section. • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.4 – Verifying ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs ACL Statistics §The show access-lists command can be used to display matched statistics after an ACL has been applied to an interface and some testing has occurred. §When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. §Recall that every ACL has an implicit deny any as the last statement. The statistics for this implicit command will not be displayed. However, if this command is configured manually, the results will be displayed. §The clear access-list counters command can be used to clear the counters for testing purposes. • § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.5 – ACL Statistics ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Modify IPv4 ACLs Lab – Configuring and Modifying Standard IPv4 ACLs §This lab will require you to set up and configure devices to match the topology provided in the lab. §Configuration, modification, and testing of standard and named ACLs is also required. § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.2 – Modify IPv4 ACLs 7.2.2.6 – Lab – Configuring and Modifying Standard IPv4 ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Securing VTY ports with a Standard IPv4 ACL The access-class Command §Administrative VTY access to Cisco devices should be restricted to help improve security. §Restricting VTY access is a technique that allows you define which IP addresses are allowed remote access to the router EXEC process. §The access-class command configured in line configuration mode will restrict incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list. §Router(config-line)# access-class access-list-number {in [vrf-also ] | out } § § § • • • 7.2 – Standard IPv4 ACLs 7.2.3 – Securing VTY ports with a Standard IPv4 ACL 7.2.3.1 – The access-class Command ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Securing VTY ports with a Standard IPv4 ACL Verifying the VTY Port is Secured §Verification of the ACL configuration used to restrict VTY access is important. §The figure to the left shows two devices trying to ssh into two different devices. §The show access-lists command output shows the results after the SSH attempts by PC1 and PC2. §Notice the match results in the permit and the deny statements. § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.3 – Securing VTY ports with a Standard IPv4 ACL 7.2.3.2 – Verifying the VTY Port is Secured ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Securing VTY ports with a Standard IPv4 ACL Packet Tracer – Configuring an IPv4 ACL on VTY Lines §This Packet Tracer activity will require you to configure and apply an ACL that allows PC access to the Telnet lines on the router, but will deny all other source IP addresses. § § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.3 – Securing VTY ports with a Standard IPv4 ACL 7.2.3.3 – Packet Tracer – Configuring an IPv4 ACL on VTY Lines ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Securing VTY ports with a Standard IPv4 ACL Lab – Configuring and Verifying VTY Restrictions §This Lab will require the configuring and verification of VTY restrictions. §Only certain IP addresses will be allowed access to the vty lines on the router. §It is important to ensure that only administrator PCs have permission to telnet or SSH into the router. § § § § § • • • 7.2 – Standard IPv4 ACLs 7.2.3 – Securing VTY ports with a Standard IPv4 ACL 7.2.3.4 – Lab - Configuring and Verifying VTY Restrictions ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7.3 Troubleshoot ACLs 7- Access Control Lists 7.3 – Troubleshoot ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Processing Packets with ACLs The Implicit Deny Any §A single-entry ACL with only one deny entry has the effect of denying all traffic. §At least one permit ACE must be configured in an ACL or all traffic will be blocked. §Study the two ACLs in the figure to the left. •Will the results be the same or different? § § § § • • • 7.3 – Troubleshoot ACLs 7.3.1 – Processing Packets with ACLs 7.3.1.1 – The Implicit Deny Any ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Processing Packets with ACLs The Order of ACEs in an ACL §The order in which ACEs are configured are important since ACEs are processed sequentially. §The figure to the left demonstrates a conflict between two statements since they are in the wrong order. •The first deny statement blocks everything in the 192.168.10.0/24 network. •However, the second permit statement is attempting to allow host 192.168.10.10 through. •This statement is rejected since it is a subset of the previous statement. •Reversing the order of these two statements will solve the problem. § § § • • • 7.3 – Troubleshoot ACLs 7.3.1 – Processing Packets with ACLs 7.3.1.2 – The Order of ACEs in an ACL ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Processing Packets with ACLs Cisco IOS Reorders Standard ACLs §Note the order in which the access-list statements were entered during configuration. §Notice how the order was changed when you enter the show running-config command. §The host statements are listed first, however, not in the order they were entered. §The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry. §The range statements are displayed in the order they were entered. The hashing function is applied to host statements. § § § § • • • 7.3 – Troubleshoot ACLs 7.3.1 – Processing Packets with ACLs 7.3.1.3 – Cisco IOS Reorders Standard ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Processing Packets with ACLs Routing Processes and ACLs §The figure shows the logic of routing and ACL processes. §When a packet arrives at a router interface, the router process is the same, whether ACLs are configured or not. §After the frame information is stripped off, the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements. §If the packet matches a statement, the packet is either permitted or denied. §If the packet is permitted, and after the router processes the packet, the outgoing interface will also be checked for an ACL. § § § § • • • 7.3 – Troubleshoot ACLs 7.3.1 – Processing Packets with ACLs 7.3.1.4 – Routing Processes and ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Common IPv4 Standard ACL Errors Troubleshooting Standard IPv4 ACLs – Example 1 §The most common errors involving ACLs: •Entering ACEs in the wrong order •Not specifying adequate ACL rules •Applying the ACL using the wrong direction, wrong interface, or wrong source address §In the figure to the left, PC2 should not be able to access the File Server. However, PC1 can not access it either. §The output of the show access-list command shows the one deny statement in the ACL. §The set of commands on the right shows the solution. The permit statement allows other devices to access since the implicit deny was blocking other traffic. § § § § § § • • • 7.3 – Troubleshoot ACLs 7.3.2 – Common IPv4 Standard ACL Errors 7.3.2.1 – Troubleshooting Standard IPv4 ACLs – Example 1 ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Common IPv4 Standard ACL Errors Troubleshooting Standard IPv4 ACLs – Example 2 §The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network. §PC2 cannot access PC1 as planned, however, it also cannot access the Internet through R2. §Problem: access-list 20 was applied to G0/1 on an inbound direction §Where should ACL 20 be applied and in which direction? §In order for PC2 to access the Internet, ACL 20 needs to be removed from the G0/1 interface and applied outbound on the G0/0 interface. § § § § • • • 7.3 – Troubleshoot ACLs 7.3.2 – Common IPv4 Standard ACL Errors 7.3.2.2 – Troubleshooting Standard IPv4 ACLs – Example 2 ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Common IPv4 Standard ACL Errors Troubleshooting Standard IPv4 ACLs – Example 3 §Only PC1 should be allowed to SSH to R1. §There is a problem with the config in the figure to the left since PC1 is unable to SSH to R1. §The ACL is permitting the 192.168.10.1 address which is the G0/0 interface. However, the address that should be permitted is the PC1 host address of 192.168.10.10. §The solution is provided below: § § § § § • • • 7.3 – Troubleshoot ACLs 7.3.2 – Common IPv4 Standard ACL Errors 7.3.2.3 – Troubleshooting Standard IPv4 ACLs – Example 3 ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Common IPv4 Standard ACL Errors Packet Tracer – Troubleshooting Standard IPv4 ACLs §This Packet Tracer activity will require the troubleshooting of various IPv4 ACL issues. § • • • 7.3 – Troubleshoot ACLs 7.3.2 – Common IPv4 Standard ACL Errors 7.3.2.4 – Packet Tracer - Troubleshooting Standard IPv4 ACLs ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7.4 Chapter Summary 7 – Access Control Lists 7.4 – Summary ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Securing VTY ports with a Standard IPv4 ACL Packet Tracer – Skills Integration Challenge §This Packet Tracer activity will require you to finish the IP addressing scheme, configure routing, and implement named access control lists. § § § § § • • • 7.4 – Summary 7.4.1 – Conclusion 7.4.1.2 – Packet Tracer – Skills Integration Challenge ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Chapter 7 New Terms and Commands •access control lists (ACLs) •firewalls •access control entries (ACEs) •packet filtering •Standard ACLs •Extended ACLs •implicit deny •Inbound ACLs •Outbound ACLs •wildcard masks •named ACLs •inverse mask • New Terms and Commands