
Access Control Lists

(Beyond Standard and Extended)

www.ine.com

Course Prerequisites and Assumptions

Prerequisite = CCNA ACL Videos


ACLs are used as a classification tool by many different features; this course will concentrate on using ACLs purely for packet filtering.

Copyright www.INE.com

Agenda

Using L4/ L5 Extensions in Access-Lists


Reflexive Access-Lists
Dynamic Access-Lists
Using Object-Groups with ACLs
Time-Based Access-Lists
Access-List Logging Options

Review Quiz #1

Shown below are the first few tokens of several IOS commands that configure access-lists. Which of these, if completed, will only allow matching on the source IP address of a packet?

A. access-list 85 permit ...
B. access-list 100 permit ...
C. access-list 156 permit ...
D. access-list 1450 permit ...
E. access-list 2420 permit ...

Review Quiz #2

Given the following access-list and topology, which of the statements are true?

access-list 1 permit 150.75.1.0 255.255.254.254
interface FastEthernet0/0
 ip access-group 1 in

[Topology not reproduced: PC-A, PC-B and PC-C sit behind FastEthernet0/0 and try to reach a server]

A. None of these PCs will be able to reach the server.
B. All of these PCs will be able to reach the server.
C. Only PC-A and PC-B will be able to reach the server.
D. Only PC-A and PC-C will be able to reach the server.
E. Only PC-B will be able to reach the server.

Review Quiz #3

The three IP addresses below share some common bits. Create a named, standard access-list called INE that contains only a single ACE which will permit any packet from these source addresses and from any other address matching only these common bits:

21.45.0.242
88.243.0.138
178.101.0.135
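Worked check for Quiz #2 and Quiz #3 (added example; this is not INE's material and IOS does none of this arithmetic for you). `wildcard_match` applies the IOS wildcard rule that Quiz #2 turns on, `common_bits_ace` derives the one-ACE answer to Quiz #3, and `addresses_covered` shows how many sources such an ACE admits. The host addresses used for the Quiz #2 check are constructed, since the PC addresses are not on the slide.

```python
"""Wildcard-mask arithmetic behind Review Quiz #2 and #3.

Added example, not from the INE slides: it checks what an IOS standard ACE
actually matches (quiz #2) and derives the single common-bits ACE that
quiz #3 asks for. Host addresses used below are constructed test values.
"""
from __future__ import annotations

from ipaddress import IPv4Address


def _i(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(packet_src: str, ace_addr: str, ace_wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit means
    'must equal the ACE address'. Only the bits the mask cares about are compared."""
    care = ~_i(ace_wildcard) & 0xFFFFFFFF
    return (_i(packet_src) & care) == (_i(ace_addr) & care)


def common_bits_ace(addresses: list[str]) -> tuple[str, str]:
    """Return (address, wildcard) for the ACE that matches every address sharing
    the bits these inputs have in common. A bit is 'common' when it is identical
    in all inputs; every other bit position becomes a wildcard 1."""
    and_all, or_all = 0xFFFFFFFF, 0
    for a in addresses:
        and_all &= _i(a)
        or_all |= _i(a)
    wildcard = and_all ^ or_all      # 1 wherever the inputs disagree
    address = and_all                # common 1-bits; disagreeing bits are already 0
    return str(IPv4Address(address)), str(IPv4Address(wildcard))


def addresses_covered(wildcard: str) -> int:
    """How many source addresses a wildcard admits: 2 ** (number of 1 bits)."""
    return 1 << bin(_i(wildcard)).count("1")


def standard_acl(name: str, addresses: list[str]) -> str:
    """Render the quiz #3 answer as IOS configuration text."""
    addr, wild = common_bits_ace(addresses)
    return f"ip access-list standard {name}\n permit {addr} {wild}"


if __name__ == "__main__":
    quiz3 = ["21.45.0.242", "88.243.0.138", "178.101.0.135"]
    print(standard_acl("INE", quiz3))
    _, wild = common_bits_ace(quiz3)
    print(f"that single ACE admits {addresses_covered(wild)} source addresses")
    # quiz #2: 150.75.1.0 255.255.254.254 cares about two bits only
    for src in ("150.75.3.4", "150.75.2.4", "150.75.3.5", "10.1.3.4"):
        print(src, wildcard_match(src, "150.75.1.0", "255.255.254.254"))
```

For the three Quiz #3 addresses the common bits give `permit 16.33.0.130 239.222.0.125`; that one ACE also admits 2^19 other sources, which is why "match only the common bits" is a wildcard-mask exercise rather than a security control. For Quiz #2, the wildcard 255.255.254.254 cares about exactly two bits (third octet odd, fourth octet even), so the first two octets of the ACE address are irrelevant and a 10.x.x.x source matches as readily as a 150.75.x.x one.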

Using L4/L5 Extensions in ACLs

Accessing Layer-4/5 ACL Options

Extended ACLs provide the ability to match on Layer-4 and/or Layer-5 information. To reach those options you must supply TCP or UDP as the top-level protocol keyword:
- With ip as the protocol, only L3 options are available.
- With tcp or udp as the protocol, L3-L5 options are available.

Matching on TCP/UDP Port Numbers

TCP and UDP port numbers may be matched in a variety of ways:
- eq 23 (matches an exact port number equal to the supplied value)
- lt 1000 (matches any value less than the supplied value)
- gt 500 (matches any value greater than the supplied value)
- neq 20 (matches any value not equal to the supplied value)
- range 100 200 (matches any value in the supplied range, inclusive; the two values are separated by a space, not a hyphen)

How would you do this?

Network Engineers within the Corporate Intranet should be able to open TCP sessions to devices within the Testing Lab.
Deny any devices from within the lab from initiating outbound TCP sessions to the Corporate Intranet.

[Topology: RouterA's Fast0/0 (200.1.199.1/30) faces the Testing Lab; the Corporate Intranet is 200.1.x.x/16]

How would you do this?

When TCP segments are received on Fast0/0 as responses to sessions initiated from within the Corporate Intranet, what will they all have in common?

[Diagram: Intranet -> Lab: SYN; Lab -> Intranet: SYN+ACK; Intranet -> Lab: ACK; all subsequent permitted traffic carries ACK; a refused or aborted session answers with RST. Every segment the lab sends back in response therefore has ACK (or RST) set.]

Solution #1

RouterA(config)#access-list 101 permit tcp any any ack
RouterA(config)#access-list 101 permit tcp any any rst
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in

Applied inbound on Fast0/0 (the lab side), this permits only segments with ACK or RST set, i.e. replies to sessions the intranet opened; a lone SYN from the lab hits the implicit deny at the end of the list.

Solution #2

RouterA(config)#access-list 101 permit tcp any any established
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in

The established keyword is shorthand for the same test: a TCP segment matches when its ACK or RST flag is set. It keeps no session state, so it cannot tell a genuine reply from a segment the lab fabricates with ACK set.
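To make the flag logic concrete, here is a small evaluator for the ACE syntax used on these slides (added example; not INE's code and not IOS; the packets are constructed). It implements first-match with the implicit deny, the port operators from the earlier slide and `established`, and it exercises the case the diagram omits: because `established` only inspects flags, a segment the lab sends with ACK set and no session behind it passes exactly as a genuine reply does. That stateless gap is what the reflexive ACLs of the next section close.

```python
"""Stateless evaluation of IOS extended ACEs: wildcard addresses, the port
operators eq/neq/lt/gt/range and the 'established' keyword.

Added example, not from the INE slides and not IOS code. It reproduces the
first-match / implicit-deny logic so that Solution #2 can be tested against
constructed packets.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_op: tuple | None = None      # ("eq", 23), ("range", 100, 200), ...
    dst_op: tuple | None = None
    established: bool = False


def _addr_match(ip: str, addr: str, wildcard: str) -> bool:
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(addr)) & care)


def _port_match(port: int, op: tuple | None) -> bool:
    if op is None:
        return True
    kind, *v = op
    return {"eq": port == v[0], "neq": port != v[0], "lt": port < v[0],
            "gt": port > v[0], "range": v[0] <= port <= v[1]}[kind]


def parse_ace(line: str) -> Ace:
    """Parse the subset of 'access-list <n> ...' syntax used on these slides."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                          # drop 'access-list <number>'
    action, proto, i = tok[0], tok[1], 2

    def take_addr() -> tuple[str, str]:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2
        return tok[i - 2], tok[i - 1]

    def take_op() -> tuple | None:
        nonlocal i
        if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
            i += 2
            return tok[i - 2], int(tok[i - 1])
        if i < len(tok) and tok[i] == "range":
            i += 3
            return "range", int(tok[i - 2]), int(tok[i - 1])
        return None

    src, src_wc = take_addr()
    src_op = take_op()
    dst, dst_wc = take_addr()
    dst_op = take_op()
    return Ace(action, proto, src, src_wc, dst, dst_wc, src_op, dst_op,
               established="established" in tok[i:])


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching ACE decides; an ACL always ends in an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, ace.src, ace.src_wc)
                and _addr_match(pkt.dst, ace.dst, ace.dst_wc)):
            continue
        if not (_port_match(pkt.sport, ace.src_op) and _port_match(pkt.dport, ace.dst_op)):
            continue
        # 'established' keeps no state: it is satisfied by ACK or RST being set.
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"


# Solution #2 from the slide, applied inbound on Fast0/0 (lab side).
ACL_101 = [parse_ace("access-list 101 permit tcp any any established")]


def lab_to_intranet(flags: set[str], dport: int = 40000) -> str:
    """A TCP segment from a lab host (200.1.199.2) towards an intranet host."""
    pkt = Packet("tcp", "200.1.199.2", "200.1.10.10", sport=23, dport=dport,
                 flags=frozenset(flags))
    return evaluate(ACL_101, pkt)
```

`lab_to_intranet({"SYN"})` is denied and `lab_to_intranet({"SYN", "ACK"})` is permitted, which is the behaviour the slide wants; `lab_to_intranet({"ACK"}, dport=22)` is also permitted, which is the behaviour it does not mention.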

Reflexive Access-Lists
(IP Session Filtering)


How would you do this?

Network Engineers within the Corporate Intranet should be able to transmit any type of data to devices within the Testing Lab.
If the Testing Lab is compromised, deny any devices from within the lab from initiating outbound sessions to the Corporate Intranet.

The Solution: Reflexive Access-Lists

Reflexive ACLs monitor permitted outgoing data of any type.
Reflexive ACLs create a mirror image of each transmitted flow (source and destination addresses, and ports where present, swapped) which will be permitted upon return.
Reflexive entries expire after a configurable timeout value.

[Diagram: (1) an ICMP Echo-Request from 200.2.1.1 to 200.1.1.1 (IP protocol 1) leaves through Fast0/0 and creates the temporary entry "permit from 200.1.1.1 to 200.2.1.1 (IP protocol 1)"; (2) the Echo-Reply from 200.1.1.1 to 200.2.1.1 matches that entry and is permitted back in. Fast0/0 is 200.1.199.1/30; 200.1.1.1/30 sits on the Testing Lab side.]

Reflexive ACL Configuration (1)

Create a named, extended ACL for monitoring egress traffic from trusted sources. The ACL can have any name.

RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror

Reflexive ACL Configuration (2)

Create a named, extended ACL for monitoring ingress traffic from untrusted sources. The ACL can have any name, but the name after evaluate must match the name previously supplied after the reflect keyword.

RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror

Reflexive ACL Configuration (3)

Apply both ACLs to the interface facing the untrusted network.

RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group EGRESS out
RouterA(config-if)#ip access-group INGRESS in

Reflexive ACL Timeout Values

Reflexive ACLs have timeout values:
A. Graceful TCP close (two segments seen with the FIN flag): timeout = 5 seconds
B. TCP reset: timeout = immediate
C. TCP packets no longer seen: timeout = 300 seconds
D. UDP, ICMP and all others: timeout = 300 seconds after the last packet seen

Changing the timeout value:
- The values for A and B above cannot be changed.
- The values for C and D above can be changed per ACE or globally.
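The mechanism above as a small state machine (added example; not INE's material and not IOS code). Timeouts follow the slide's values, and hosts and ports are constructed. It shows the mirror entry being created by outbound traffic, a lab-initiated SYN and a crafted ACK-only probe both being dropped because no mirrored 5-tuple exists for them, the idle expiry, and the FIN/RST teardown rules. One limitation the slides do not mention: the mirror is a strict 5-tuple swap, so protocols that open a second connection on other ports (active FTP's data channel, for instance) need additional handling.

```python
"""Reflexive ACL (IP session filtering) as a small state machine.

Added example: not INE's material and not IOS code. Models 'permit ip any any
reflect Mirror' outbound and 'evaluate Mirror' inbound on the untrusted-facing
interface, with the slide's lifetimes: 300 s idle (what the global
'ip reflexive-list timeout' or a per-ACE 'timeout' would change), 5 s after
both FINs, immediate on RST. Hosts and ports are constructed test values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self) -> Flow:
        """Return direction: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Entry:
    flow: Flow                 # the inbound flow this temporary entry permits
    expires_at: float
    fins_seen: int = 0
    closing: bool = False      # once set, traffic no longer refreshes the timer


class ReflexiveAcl:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.entries: dict[Flow, Entry] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[key]

    def _track_tcp_close(self, e: Entry, flags: frozenset, now: float) -> None:
        if e.flow.proto != "tcp":
            return
        if "RST" in flags:                       # reset: torn down at once
            e.closing, e.expires_at = True, now
        elif "FIN" in flags:
            e.fins_seen += 1
            if e.fins_seen >= 2:                 # graceful close seen both ways
                e.closing, e.expires_at = True, now + 5.0

    def outbound(self, flow: Flow, now: float, flags: frozenset = frozenset()) -> str:
        """Trusted -> untrusted: permitted, and the mirror image of the flow is
        installed (or refreshed) as a temporary inbound permit."""
        self._expire(now)
        key = flow.mirror()
        e = self.entries.setdefault(key, Entry(key, now + self.timeout))
        if not e.closing:
            e.expires_at = now + self.timeout
        self._track_tcp_close(e, flags, now)
        return "permit"

    def inbound(self, flow: Flow, now: float, flags: frozenset = frozenset()) -> str:
        """Untrusted -> trusted: only a live mirrored entry lets a packet in;
        anything the lab initiates itself meets the implicit deny."""
        self._expire(now)
        e = self.entries.get(flow)
        if e is None:
            return "deny"
        if not e.closing:
            e.expires_at = now + self.timeout    # session traffic refreshes the idle timer
        self._track_tcp_close(e, flags, now)
        return "permit"


def session_demo() -> dict[str, str]:
    """Telnet and ping from an intranet host into the lab, plus lab-side probes."""
    acl = ReflexiveAcl()
    telnet = Flow("tcp", "200.1.10.10", 40000, "200.1.199.2", 23)
    probe = Flow("tcp", "200.1.199.2", 5555, "200.1.10.10", 22)
    ping = Flow("icmp", "200.1.10.10", 0, "200.1.199.2", 0)
    return {
        "syn_out": acl.outbound(telnet, 0, frozenset({"SYN"})),
        "synack_back": acl.inbound(telnet.mirror(), 1, frozenset({"SYN", "ACK"})),
        "lab_initiated_syn": acl.inbound(probe, 2, frozenset({"SYN"})),
        "lab_crafted_ack": acl.inbound(probe, 3, frozenset({"ACK"})),  # no mirrored 5-tuple
        "echo_request_out": acl.outbound(ping, 4),
        "echo_reply_back": acl.inbound(ping.mirror(), 5),
        "telnet_after_idle": acl.inbound(telnet.mirror(), 400, frozenset({"ACK"})),
    }


def close_demo(with_rst: bool) -> tuple[str, str]:
    """Decision for a lab->intranet segment just after the close, and again
    after the 5 s grace period has passed."""
    acl = ReflexiveAcl()
    f = Flow("tcp", "200.1.10.10", 40001, "200.1.199.2", 23)
    acl.outbound(f, 0, frozenset({"SYN"}))
    acl.inbound(f.mirror(), 1, frozenset({"SYN", "ACK"}))
    if with_rst:
        acl.inbound(f.mirror(), 3, frozenset({"RST"}))
    else:
        acl.outbound(f, 2, frozenset({"FIN", "ACK"}))
        acl.inbound(f.mirror(), 3, frozenset({"FIN", "ACK"}))
    return (acl.inbound(f.mirror(), 4, frozenset({"ACK"})),
            acl.inbound(f.mirror(), 10, frozenset({"ACK"})))
```

`session_demo()` returns "deny" for both lab-side probes and for the telnet reply after 400 s of silence; `close_demo(True)` denies immediately after the RST, while `close_demo(False)` still permits 1 s after the second FIN and denies once the 5 s grace period is over.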

Configuring Timeout Values

Modifying the global reflexive ACL timeout value:

Modifying the reflexive timeout within ACE entries:

Monitoring Reflexive ACLs

Before the dynamic entry is created by the reflexive ACL:

After the reflexive ACL entry is created:

Dynamic Access Lists


Lock and Key


The Objective

You've hired a contractor for the next 3 months to work on Project-X.
This project requires that the contractor be allowed access to certain devices/subnets, but not others.
Access should be denied after 5 minutes of inactivity, or after an absolute timeout of 15 minutes.

[Topology: the Project-X temporary contractor connects from the Internet through Fast0/0 to the Corporate Intranet]

Solution #1

Every authentication request is offloaded to a central authentication database.
This might require manual configuration of each device.

[Topology: contractor on the Internet, Fast0/0, Corporate Intranet with an Authentication Server]

Solution #2: Dynamic ACLs

1. The user must first telnet to the router.
2. After successful authentication, the Telnet session is closed and a dynamic ACL entry is created on the interface.
3. The dynamic ACL entry is removed from the interface after the configurable absolute-timeout (or idle-timeout) value.

[Diagram callouts: at step 2, "I'll allow that user to access those resources for 5 minutes!"; at step 3, "15 minutes are up! User is no longer allowed!"]

Dynamic ACL Configuration (1)

username bob password 0 projX
username bob autocommand access-enable timeout 5

Or:

line vty 0 4
 autocommand access-enable timeout 5

Dynamic ACL Configuration (2)

access-list 101 dynamic Project timeout 15 permit ip any 2.4.0.0 0.0.0.255
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
line vty 0 4
 login local

The dynamic ACE is the template that is activated after authentication; the second ACE lets the contractor reach the router's own Telnet service (1.1.1.1 is the Fast0/0 address) in order to authenticate in the first place.
Named ACLs can also be used.

Dynamic ACL Configuration (3)

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 1.2.1.1 255.255.255.252
!

Monitoring Dynamic ACLs

Before the dynamic ACL is applied:

After successful authentication:

Clearing Dynamic ACL Entries

If you ever need to manually delete a dynamic ACL entry:

Extending Dynamic ACL Entries

An IOS command allows users to extend the life of their dynamic ACE by an additional 6 minutes:

Dynamic ACL Rules

- Cannot be used to provide different access rights to different users.
- Dynamic ACLs may use either an idle-timeout or an absolute-timeout value.
- autocommand access-enable may be configured either at the username level or within the VTY line.
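The lifetime rules above, modelled in code (added example; not INE's material and not IOS code; addresses and times are constructed). `idle_expiry` and `absolute_expiry` show the 5-minute idle timer from `access-enable timeout 5` and the 15-minute absolute timer from `access-list 101 dynamic Project timeout 15` each ending access on their own. `other_host_allowed` covers a detail the configuration slides leave implicit: `access-enable` without the `host` keyword installs the template's source as written, which is `any` here, so any host that can reach the interface rides on the contractor's authentication; `access-enable host timeout 5` narrows the temporary entry to the authenticating address.

```python
"""Lock-and-key (dynamic ACL) entry lifetime.

Added example, not from the INE slides and not IOS code. Models the two
timers on the slides (idle timeout from 'autocommand access-enable timeout 5',
absolute timeout from 'access-list 101 dynamic Project timeout 15') and the
effect of the optional 'host' keyword of access-enable on which sources the
temporary entry admits. Addresses and times are constructed test values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TemporaryEntry:
    source: str        # "any", or the authenticating host when 'host' was given
    created: float
    last_hit: float
    idle: float        # seconds
    absolute: float    # seconds

    def alive(self, now: float) -> bool:
        return now < self.created + self.absolute and now < self.last_hit + self.idle


class LockAndKey:
    """One dynamic ACE template: everyone who authenticates gets the same access
    (the slide's rule that dynamic ACLs cannot give users different rights)."""

    def __init__(self, idle_minutes: int = 5, absolute_minutes: int = 15,
                 host_keyword: bool = False):
        self.idle = idle_minutes * 60
        self.absolute = absolute_minutes * 60
        self.host_keyword = host_keyword
        self.entry: TemporaryEntry | None = None

    def telnet_login(self, src_ip: str, now: float, authenticated: bool) -> bool:
        """A successful Telnet login runs the autocommand, which installs the
        entry; the Telnet session itself is then closed."""
        if not authenticated:
            return False
        source = src_ip if self.host_keyword else "any"   # template source is 'any'
        self.entry = TemporaryEntry(source, now, now, self.idle, self.absolute)
        return True

    def permits(self, src_ip: str, now: float) -> bool:
        """Would a packet from src_ip towards the protected subnet pass right now?"""
        e = self.entry
        if e is None or not e.alive(now):
            self.entry = None                 # expired: removed from the interface
            return False
        if e.source != "any" and e.source != src_ip:
            return False
        e.last_hit = now                      # matching traffic resets the idle timer
        return True


def idle_expiry() -> tuple[bool, bool]:
    """Contractor logs in, uses the access, then goes quiet for six minutes."""
    lk = LockAndKey()
    lk.telnet_login("203.0.113.5", now=0, authenticated=True)
    busy = lk.permits("203.0.113.5", now=240)              # 4 min in: still alive
    quiet = lk.permits("203.0.113.5", now=240 + 6 * 60)    # 6 min idle: gone
    return busy, quiet


def absolute_expiry() -> tuple[bool, bool]:
    """Traffic every minute cannot outlive the 15-minute absolute timeout."""
    lk = LockAndKey()
    lk.telnet_login("203.0.113.5", now=0, authenticated=True)
    before = all(lk.permits("203.0.113.5", now=t) for t in range(60, 15 * 60, 60))
    at_15 = lk.permits("203.0.113.5", now=15 * 60)
    return before, at_15


def other_host_allowed(host_keyword: bool) -> bool:
    """Without 'host', the temporary entry keeps the template's 'any' source."""
    lk = LockAndKey(host_keyword=host_keyword)
    lk.telnet_login("203.0.113.5", now=0, authenticated=True)
    return lk.permits("203.0.113.9", now=30)
```

`other_host_allowed(False)` is True with the configuration as shown on the slides; `other_host_allowed(True)` is False.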

Object Groups in IOS

Object Groups

Originally designed for Cisco ASA Firewalls.
Command syntax is slightly different on IOS Routers than on ASA Firewalls.
Object Groups simplify ACL management by grouping similar objects together, e.g. a Public_Web_Servers group.
This allows for more modular changes: a change to an Object Group dynamically affects all ACEs referencing that group.

Types of Object Groups in Routers

Cisco routers provide two types of Object Groups:
- Network Group: for defining IP address-related objects
- Service Group: for defining protocols and ports

Simplification with Object Groups (1) and (2)

[Diagram, "from this" to "this": the same policy, first as individual ACEs and then using object groups (configuration images omitted). Sources 200.0.0.1, 200.0.0.2 and other hosts (x.x.x.x) reach servers 10.0.0.100 and 10.0.0.101; some flows are permitted (OK!!) and others denied (NO!!).]
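To see what "a change to the group affects every referencing ACE" means on the wire, here is an expander that turns object-group ACEs into the flat ACEs the router effectively enforces (added example; not INE's material and not IOS code). The configuration text is constructed and the group names are placeholders; it follows the IOS syntax in which a service group replaces the protocol token of the ACE and network groups take `host` or network/mask members. Ports in service-group members are treated as destination ports here.

```python
"""Expand object-group ACEs into the flat ACEs they stand for.

Added example, not from the INE slides and not IOS code. CONFIG is constructed
for the example: network groups take 'host A.B.C.D' or 'A.B.C.D MASK' members,
service groups take 'tcp|udp <op> <port>' members, and a service group replaces
the protocol token of the ACE. Service-group ports are taken as destination ports.
"""
from __future__ import annotations

CONFIG = """\
object-group network Public_Web_Servers
 host 10.0.0.100
 host 10.0.0.101
object-group network Admin_Hosts
 host 200.0.0.1
 host 200.0.0.2
object-group service Web_Ports
 tcp eq 80
 tcp eq 443
ip access-list extended WEB_IN
 permit object-group Web_Ports object-group Admin_Hosts object-group Public_Web_Servers
 deny ip any any log
"""


def parse(config: str) -> tuple[dict, list[str]]:
    """Return ({'network': {...}, 'service': {...}}, [ACE lines of the ACL])."""
    groups: dict = {"network": {}, "service": {}}
    aces: list[str] = []
    kind, target = None, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):                   # a new top-level block
            tok = line.split()
            if tok[0] == "object-group":
                kind, target = tok[1], groups[tok[1]].setdefault(tok[2], [])
            elif tok[:2] == ["ip", "access-list"]:
                kind, target = "acl", aces
            else:
                kind, target = None, None
            continue
        if target is None:
            continue
        member = line.strip()
        if kind == "network" and not member.startswith("host "):
            net, mask = member.split()                 # 'A.B.C.D MASK' -> wildcard form
            member = net + " " + ".".join(str(255 - int(o)) for o in mask.split("."))
        target.append(member)
    return groups, aces


def _addr_alternatives(tok: list[str], i: int, groups: dict) -> tuple[list[str], int]:
    if tok[i] == "object-group":
        return list(groups["network"][tok[i + 1]]), i + 2
    if tok[i] == "any":
        return ["any"], i + 1
    if tok[i] == "host":
        return [f"host {tok[i + 1]}"], i + 2
    return [f"{tok[i]} {tok[i + 1]}"], i + 2


def expand(groups: dict, aces: list[str]) -> list[str]:
    """One flat ACE per (service member x source x destination) combination,
    in the original order, i.e. what the router effectively enforces."""
    flat: list[str] = []
    for ace in aces:
        tok = ace.split()
        action, i = tok[0], 1
        if tok[i] == "object-group":
            services, i = list(groups["service"][tok[i + 1]]), i + 2
        else:
            services, i = [tok[i]], i + 1
        sources, i = _addr_alternatives(tok, i, groups)
        dests, i = _addr_alternatives(tok, i, groups)
        tail = tok[i:]                                 # e.g. ['log'] or ['established']
        for svc in services:
            proto, *port = svc.split()
            for s in sources:
                for d in dests:
                    flat.append(" ".join([action, proto, s, d, *port, *tail]))
    return flat
```

Expanding CONFIG gives 2 x 2 x 2 = 8 permit ACEs plus the final deny; appending one more host to Public_Web_Servers and expanding again gives 12 plus the deny, without touching the ACL itself.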

Time-Based Access-Lists


The Objective

Employees should NOT be allowed to surf the Internet during work hours.

[Topology: Corporate Intranet 2.2.x.x/16 behind Fast0/0, towards the Internet]

The Solution: Time-Based ACLs

Time-Based ACLs activate ACEs only during times you define.
Times are defined within a global time-range, which may be periodic or absolute.

Time-Based ACL Configuration (1)

Ensure your router/switch has an accurate clock:

Create a global time-range:

Time-Based ACL Configuration (2)

Decide on either absolute or periodic:

Time-Based ACL Configuration (3)

Complete the command by defining the time interval(s).
Apply the time-range to your ACL.
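A checker for the time-range syntax these steps refer to (added example; not INE's material and not IOS code; the time-range text is constructed). It parses `periodic` and `absolute` lines, decides whether the range is active for a given clock reading, and applies the result to the ACE from the objective (deny HTTP from 2.2.x.x during work hours, permit otherwise). The router evaluates all of this against its own clock, which is why step (1) is an accurate clock: a router whose clock was never set or synchronised is comparing your ranges against the wrong date and time, so an absolute range can silently never (or always) apply.

```python
"""Evaluate IOS 'time-range' definitions against a clock.

Added example, not from the INE slides and not IOS code. The time-range text is
constructed and follows the IOS 'periodic <days> hh:mm to hh:mm' and
'absolute [start hh:mm d month yyyy] [end hh:mm d month yyyy]' syntax
(periodic entries ending on a different day than they start are not handled).
"""
from __future__ import annotations

from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_KEYWORDS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _hhmm(s: str) -> time:
    h, m = s.split(":")
    return time(int(h), int(m))


def parse_time_range(text: str) -> dict:
    rng: dict = {"periodic": [], "absolute": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "time-range":
            continue
        if tok[0] == "periodic":
            days: set[int] = set()
            j = 1
            while ":" not in tok[j]:                 # day names or a day keyword
                d = tok[j].lower()
                days |= DAY_KEYWORDS.get(d) or {DAYS.index(d)}
                j += 1
            rng["periodic"].append((days, _hhmm(tok[j]), _hhmm(tok[j + 2])))
        elif tok[0] == "absolute":
            j = 1
            while j < len(tok):                      # 'start'/'end' + 'hh:mm d month yyyy'
                stamp = " ".join(tok[j + 1:j + 5])
                rng["absolute"][tok[j]] = datetime.strptime(stamp, "%H:%M %d %B %Y")
                j += 5
    return rng


def time_range_active(rng: dict, now: datetime) -> bool:
    """The absolute window (if any) must contain 'now', and if periodic entries
    exist at least one must match the weekday and time of day."""
    start, end = rng["absolute"].get("start"), rng["absolute"].get("end")
    if (start and now < start) or (end and now > end):
        return False
    if not rng["periodic"]:
        return bool(rng["absolute"])
    return any(now.weekday() in days and t0 <= now.time() <= t1
               for days, t0, t1 in rng["periodic"])


WORK_HOURS = parse_time_range("""\
time-range WORK_HOURS
 periodic weekdays 8:00 to 17:00
""")

# ACL applied inbound on the intranet-facing interface. Both ACEs match an HTTP
# request from 2.2.x.x; the deny is only consulted while WORK_HOURS is active.
ACL = [("deny", "tcp 2.2.0.0 0.0.255.255 any eq 80", WORK_HOURS),
       ("permit", "ip any any", None)]


def web_from_intranet(now: datetime) -> str:
    """Decision for an HTTP request from 2.2.x.x at the given clock reading."""
    for action, _match, rng in ACL:
        if rng is not None and not time_range_active(rng, now):
            continue                                 # an inactive ACE is skipped
        return action
    return "deny"
```

With the constructed range, `web_from_intranet` returns "deny" on a Tuesday at 10:00 and "permit" at 19:00 or on a Saturday.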

Monitoring Time-Based ACLs

Access-List Logging


Logging

ACE entries can be appended with logging-related keywords:
access-list x ... log
access-list x ... log-input

Logging allows syslogs to be displayed providing hit counts and evidence of ACL activity.
Logging forces packets matching logged ACE entries to be process-switched, which increases CPU load.

Log and Log-Input

access-list 101 permit icmp any host 22.22.22.22 log
access-list 101 permit icmp any host 22.22.22.22 log-input

log-input additionally records the ingress interface and the source MAC address of the matching packet. An optional cookie (a user-defined word) can follow either keyword and is echoed in the syslog message:

access-list 101 xxxxxxxxxxx log-input EmailServer

How often is logging displayed? (1)

Individual ACEs can carry the log or log-input keywords.
When an ACL is applied to an interface, syslogs are generated as follows:
- The first packet matching a logged ACE generates a syslog immediately; after that, further matches of that ACE are counted and reported once every 5 minutes.
- If any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported.

How often is logging displayed? (2)

[Timeline diagram: the initial ACE#1 match produces "Syslog for ACE#1" at once; ACE#2 and ACE#3 matches within the following second are held; ACE#1 matches #2, #3 and #4 during the next 5 minutes are counted; at the end of the 5-minute interval a syslog for ACE#1 reports the accumulated count, followed by syslogs for ACE#2 and ACE#3.]

Decreasing the Log Interval

If you want logs for ACEs to be displayed MORE frequently than every 5 minutes, it can be done.
Use caution: this INCREASES the CPU load.

Save my CPU!!!

Even though logs for individual ACEs are only displayed every 5 minutes, EVERY packet that matches the ACE must be process-switched.
This can result in heavy CPU load. How to reduce this?

Filtering on log output (1)

ACL syslogs have different identifiers depending on the type of traffic that triggered the log.

Filtering on log output (2)

When sending ACL syslogs to the logging buffer, one can filter on these identifiers.

Filtering on log output (3)

From this (yuck!!):

Filtering on log output (4)

To this (YAY!!):
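A parser for the syslog messages this section filters on (added example; not INE's material; the log lines are constructed to follow the `%SEC-6-IPACCESSLOG*` formats). The mnemonic after `%SEC-6-` is the identifier the slides refer to, and it tells you what produced the message: IPACCESSLOGP for TCP/UDP (ports included), IPACCESSLOGDP for ICMP (type/code included), IPACCESSLOGNP for other IP protocols, IPACCESSLOGS for a standard ACL, and IPACCESSLOGRL when the router rate-limited logging and missed packets. The parser also sums the packet counts carried by the 5-minute summary messages and surfaces the missed-packet notices, two things a detection rule built on these logs has to account for.

```python
"""Parse and filter IOS ACL syslog messages.

Added example, not from the INE slides. SAMPLE_LOGS is constructed for the
example and follows the %SEC-6-IPACCESSLOG* message formats; the mnemonic
identifies the kind of traffic that produced the message.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_LOGS = """\
*Mar  1 00:12:03.211: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.199.2(5555) (FastEthernet0/0 0011.2233.4455) -> 200.1.10.10(22), 1 packet
*Mar  1 00:12:10.004: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.1.1.1 -> 22.22.22.22 (8/0), 1 packet
*Mar  1 00:12:11.900: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.1.1.1 -> 22.22.22.22, 1 packet
*Mar  1 00:12:12.000: %SEC-6-IPACCESSLOGS: list 1 denied 150.75.2.4 1 packet
*Mar  1 00:12:13.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
*Mar  1 00:17:03.215: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.199.2(5555) (FastEthernet0/0 0011.2233.4455) -> 200.1.10.10(22), 37 packets
"""

# Extended-ACL messages; with log-input the '(interface mac)' pair follows the source.
EXT_RE = re.compile(
    r"%SEC-6-(?P<mnemonic>IPACCESSLOG(?:P|DP|NP)): list (?P<list>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
STD_RE = re.compile(
    r"%SEC-6-(?P<mnemonic>IPACCESSLOGS): list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<src>[\d.]+) (?P<count>\d+) packets?"
)
RL_RE = re.compile(r"%SEC-6-(?P<mnemonic>IPACCESSLOGRL): .*?(?P<count>\d+) packets?")
INT_FIELDS = ("sport", "dport", "itype", "icode", "count")


def parse_line(line: str) -> dict | None:
    for rx in (EXT_RE, STD_RE, RL_RE):
        m = rx.search(line)
        if m:
            ev = {k: v for k, v in m.groupdict().items() if v is not None}
            for k in INT_FIELDS:
                if k in ev:
                    ev[k] = int(ev[k])
            return ev
    return None


def parse_logs(text: str) -> list[dict]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def denied_packets_by_source(events: list[dict]) -> Counter:
    """Sum the per-message packet counts (5-minute summaries carry more than
    one) so a scan from one host shows its real volume."""
    c: Counter = Counter()
    for ev in events:
        if ev.get("action") == "denied" and "src" in ev:
            c[ev["src"]] += ev["count"]
    return c


def missed_packets(events: list[dict]) -> int:
    """Packets the router admits it never logged: a gap a detection must expect."""
    return sum(ev["count"] for ev in events if ev["mnemonic"] == "IPACCESSLOGRL")


def by_mnemonic(events: list[dict], mnemonic: str) -> list[dict]:
    """Select one message type, the same kind of filtering the slides do on the box."""
    return [ev for ev in events if ev["mnemonic"] == mnemonic]
```

On the sample, the two IPACCESSLOGP messages for 200.1.199.2 add up to 38 denied packets (1 immediate plus the 37 reported by the 5-minute summary), and the IPACCESSLOGRL line reports 12 more that were never logged at all.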

Q&A

Copyright INE Inc. All rights reserved.
