ENSA_Module_5_ACL_IPv4_Conf.pdf

Full Transcript

17/08/2022

Module 5: ACLs for IPv4
Configuration
Enterprise Networking, Security,
and Automation v7.0 (ENSA)

1

OFFICIAL

Module Objectives
Module Title: ACLs for IPv4 Configuration

Module Objective: Implement IPv4 ACLs to filter traffic and secure administrative access.

Topic Title Topic Objective
Configure Standard IPv4 ACLs Configure standard IPv4 ACLs to filter traffic to meet
networking requirements.
Modify IPv4 ACLs Use sequence numbers to edit existing standard IPv4
ACLs.
Secure VTY Ports with a Standard IPv4 ACL Configure a standard ACL to secure VTY access.

Configure Extended IPv4 ACLs Configure extended IPv4 ACLs to filter traffic
according to networking requirements.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

OFFICIAL

2

1
 17/08/2022

5.1 Configure Standard IPv4
ACLs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

3

OFFICIAL
Configure Standard IPv4 ACLs
Create an ACL
All access control lists (ACLs) must be planned. When configuring a complex ACL, it is
suggested that you:
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

OFFICIAL

4

2
 17/08/2022

OFFICIAL
Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the access-list command.

Parameter Description
access-list-number Number range is 1 to 99 or 1300 to 1999
deny Denies access if the condition is matched
permit Permits access if the condition is matched
remark text (Optional) text entry for documentation purposes
source Identifies the source network or host address to filter
source-wildcard (Optional) 32-bit wildcard mask that is applied to the source
log (Optional) Generates and sends an informational message when the ACE is matched

Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

OFFICIAL

5

OFFICIAL
Configure Standard IPv4 ACLs
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the ip access-list standard command.
ACL names are alphanumeric, case sensitive, and must be unique.
Capitalizing ACL names is not required but makes them stand out when viewing the
running-config output.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

OFFICIAL

6

3
 17/08/2022

OFFICIAL
Configure Standard IPv4 ACLs
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
The ip access-group command is used to bind a numbered or named standard IPv4
ACL to an interface.
To remove an ACL from an interface, first enter the no ip access-group interface
configuration command.

the interfaces cant have 2 inbound or outbound, it could be one inbound or one outbound. Also they
can have 2 interfacs to each access

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

OFFICIAL

7

OFFICIAL
Configure Standard IPv4 ACLs
Numbered Standard ACL Example
The example ACL
permits traffic
from host
192.168.10.10
and all hosts on
the
192.168.20.0/24
network out
interface serial
0/1/0 on router
R1.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

OFFICIAL

8

4
 17/08/2022

OFFICIAL
Configure Standard IPv4 ACLs
Numbered Standard ACL Example (Cont.)
Use the show running-config command to review the ACL in the configuration.
Use the show ip interface command to verify the ACL is applied to the interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

OFFICIAL

9

OFFICIAL
Configure Standard IPv4 ACLs
Named Standard ACL Example
The example ACL permits traffic
from host 192.168.10.10 and all
hosts on the 192.168.20.0/24
network out interface serial 0/1/0 on
router R1.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

OFFICIAL

10

5
 17/08/2022

OFFICIAL
Configure Standard IPv4 ACLs
Named Standard ACL Example (Cont.)
Use the show access-list
command to review the ACL
in the configuration.
Use the show ip interface
command to verify the ACL is
applied to the interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

OFFICIAL

11

OFFICIAL
Configure Standard IPv4 ACLs
Packet Tracer – Configure Numbered Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
Plan an ACL Implementation.
Configure, Apply, and Verify a Standard ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

OFFICIAL

12

6
 17/08/2022

OFFICIAL
Configure Standard IPv4 ACLs
Packet Tracer – Configure Named Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
Configure and Apply a Named Standard ACL.
Verify the ACL Implementation.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

OFFICIAL

13

5.2 Modify IPv4 ACLs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

14

7
 17/08/2022

OFFICIAL
Modify IPv4 ACLs
Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be
complex to configure. Sometimes the configured ACE does not yield the expected
behaviors.
There are two methods to use when modifying an ACL:
Use a text editor.
Use sequence numbers.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

OFFICIAL

15

OFFICIAL
Modify IPv4 ACLs
Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also simplifies
the tasks to edit and fix an ACL.
To correct an error in an ACL:
Copy the ACL from the running configuration and paste it into the text editor.
Make the necessary edits or changes.
Remove the previously configured ACL on the router.
Copy and paste the edited ACL back to the router.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16

OFFICIAL

16

8
 17/08/2022

OFFICIAL
Modify IPv4 ACLs
Sequence Number Method
An ACL ACE can be deleted or added using
the ACL sequence numbers.
Use the ip access-list standard
command to edit an ACL.
Statements cannot be overwritten using
an existing sequence number. The
current statement must be deleted first
with the no 10 command. Then the
correct ACE can be added using
sequence number.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17

OFFICIAL

17

OFFICIAL
Modify IPv4 ACLs
Modify a Named ACL Example
Named ACLs can also use sequence numbers to delete and add ACEs. In the example
an ACE is added to deny hosts 192.168.10.11.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18

OFFICIAL

18

9
 17/08/2022

OFFICIAL
Modify IPv4 ACLs
ACL Statistics
The show access-lists command in the example shows statistics for each statement that
has been matched.
The deny ACE has been matched 20 times and the permit ACE has been matched 64 times.
Note that the implied deny any statement does not display any statistics. To track how many implicit
denied packets have been matched, you must manually configure the deny any command.
Use the clear access-list counters command to clear the ACL statistics.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19

OFFICIAL

19

OFFICIAL
Modify IPv4 ACLs
Packet Tracer – Configure and Modify Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
Configure Devices and Verify Connectivity.
Configure and Verify Standard Numbered and Named ACLs.
Modify a Standard ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20

OFFICIAL

20

10
 17/08/2022

5.3 Secure VTY Ports with a
Standard IPv4 ACL

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21

21

OFFICIAL
Secure VTY Ports with a Standard IPv4 ACL
The access-class Command
A standard ACL can secure remote administrative access to a device using the vty lines
by implementing the following two steps:
Create an ACL to identify which administrative hosts should be allowed remote access.
Apply the ACL to incoming traffic on the vty lines.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

OFFICIAL

22

11
 17/08/2022

OFFICIAL
Secure VTY Ports with a Standard IPv4 ACL
Secure VTY Access Example
This example demonstrates how to configure an ACL to filter vty traffic.
First, a local database entry for a user ADMIN and password class is configured.
The vty lines on R1 are configured to use the local database for authentication, permit
SSH traffic, and use the ADMIN-HOST ACL to restrict traffic.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23

OFFICIAL

23

OFFICIAL
Secure VTY Ports with a Standard IPv4 ACL
Verify the VTY Port is Secured
After an ACL to restrict access to the vty lines is configured, it is important to verify it
works as expected.

To verify the ACL statistics, issue the show access-lists command.
The match in the permit line of the output is a result of a successful SSH connection by
host with IP address 192.168.10.10.
The match in the deny statement is due to the failed attempt to create a SSH
connection from a device on another network.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24

OFFICIAL

24

12
 17/08/2022

5.4 Configure Extended IPv4
ACLs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25

25

OFFICIAL
Configure Extended IPv4 ACLs
Extended ACLs
Extended ACLs provide a greater degree of control. They can filter on source
address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port
number.

Extended ACLs can be created as:
Numbered Extended ACL - Created using the access-list access-list-number global
configuration command.
Named Extended ACL - Created using the ip access-list extended access-list-
name.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

OFFICIAL

26

13
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Protocols and Ports Protocol Options

Extended ACLs
can filter on
internet
protocols and
ports. Use the
? to get help
when entering
a complex
ACE. The four
highlighted
protocols are
the most
popular
options.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27

OFFICIAL

27

OFFICIAL
Configure Extended IPv4 ACLs
Protocols and Ports (Cont.)
Selecting a
protocol
influences port
options. Many
TCP port
options are
available, as
shown in the
output.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28

OFFICIAL

28

14
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options.

This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses
the www port name. The second ACE uses the port number 80. Both ACEs achieve
exactly the same result.

Configuring the port number is required when there is not a specific protocol name listed
such as SSH (port number 22) or an HTTPS (port number 443), as shown in the next
example.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29

OFFICIAL

29

OFFICIAL
Configure Extended IPv4 ACLs
Apply a Numbered Extended IPv4 ACL
In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0
network to go to any destination.

Extended ACLs can be applied in various locations. However, they are commonly applied
close to the source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

OFFICIAL

30

15
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
TCP Established Extended ACL
automatic route to coming back
TCP can also perform basic stateful firewall services using the TCP established keyword.
The established keyword enables inside traffic to exit the inside private network and
permits the returning reply traffic to enter the inside private network.
TCP traffic generated by an outside host and attempting to communicate with an
inside host is denied.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31

OFFICIAL

31

OFFICIAL
Configure Extended IPv4 ACLs
TCP Established Extended ACL (Cont.)
ACL 120 is configured to only permit returning web traffic to the inside hosts. The ACL
is then applied outbound on the R1 G0/0/0 interface.
The show access-lists command shows that inside hosts are accessing the secure
web resources from the internet.
Note: A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set, indicating
that the packet belongs to an existing connection.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32

OFFICIAL

32

16
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named extended
ACL, use the ip access-list extended configuration command.

In the example, a named extended ACL called NO-FTP-ACCESS is created and the
prompt changed to named extended ACL configuration mode. ACE statements are
entered in the named extended ACL sub configuration mode.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33

OFFICIAL

33

OFFICIAL
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example
The topology below is used to demonstrate configuring and applying two named extended
IPv4 ACLs to an interface:
SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
BROWSING - This will only permit returning web traffic to the inside hosts while all other traffic
exiting the R1 G0/0/0 interface is implicitly denied.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34

OFFICIAL

34

17
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
The SURFING ACL permits
HTTP and HTTPS traffic
from inside users to exit the
G0/0/1 interface connected
to the internet. Web traffic
returning from the internet is
permitted back into the
inside private network by the
BROWSING ACL.
The SURFING ACL is
applied inbound and the
BROWSING ACL is applied
outbound on the R1 G0/0/0
interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35

OFFICIAL

35

OFFICIAL
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
The show access-lists command is used to verify the ACL statistics. Notice that the
permit secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return
established counters in the BROWSING ACL have increased.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36

OFFICIAL

36

18
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Edit Extended ACLs
An extended ACL can be edited using a text editor when many changes are required. Or,
if the edit applies to one or two ACEs, then sequence numbers can be used.

Example:
The ACE sequence number 10 in the SURFING ACL has an incorrect source IP
networks address.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37

OFFICIAL

37

do sh access-list

OFFICIAL
Configure Extended IPv4 ACLs
Edit Extended ACLs (Cont.)
To correct this error the original statement is removed with the no sequence_#
command and the corrected statement is added replacing the original statement.
The show access-lists command output verifies the configuration change.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38

OFFICIAL

38

19
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example
Two named extended ACLs will be created:
PERMIT-PC1 - This will only permit PC1 TCP access to the internet and deny all other hosts in the
private network.
REPLY-PC1 - This will only permit specified returning TCP traffic to PC1 implicitly deny all other
traffic.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39

OFFICIAL

39

OFFICIAL
Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example (Cont.)
The PERMIT-PC1 ACL
permits PC1 (192.168.10.10)
TCP access to the FTP, SSH,
Telnet, DNS , HTTP, and
HTTPS traffic.
The REPLY-PC1 ACL will
permit return traffic to PC1.
The PERMIT-PC1 ACL is
applied inbound and the
REPLY-PC1 ACL applied
outbound on the R1 G0/0/0
interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40

OFFICIAL

40

20
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Verify Extended ACLs
The show ip interface command is used
to verify the ACL on the interface and the
direction in which it was applied.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41

OFFICIAL

41

OFFICIAL
Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show access-lists command can be used to confirm that the ACLs work as
expected. The command displays statistic counters that increase whenever an ACE is
matched.
Note: Traffic must be generated to verify the operation of the ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42

OFFICIAL

42

21
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show running-config command can be used to validate what was configured. The
command also displays configured remarks.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43

OFFICIAL

43

OFFICIAL
Configure Extended IPv4 ACLs
Packet Tracer – Configure Extended IPv4 ACLs - Scenario 1
In this Packet Tracer, you will complete the following objectives:
Configure, Apply, and Verify an Extended Numbered IPv4 ACL.
Configure, Apply, and Verify an Extended Named IPv4 ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44

OFFICIAL

44

22
 17/08/2022

OFFICIAL
Configure Extended IPv4 ACLs
Packet Tracer – Configure Extended IPv4 ACLs - Scenario 2
In this Packet Tracer, you will complete the following objectives:
Configure a Named Extended IPv4 ACL.
Apply and Verify the Extended IPv4 ACL.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45

OFFICIAL

45

5.5 Module Practice and
Quiz

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46

46

23
 17/08/2022

OFFICIAL
Module Practice and Quiz
Packet Tracer – IPv4 ACL Implementation Challenge
In this Packet Tracer, you will complete the following objectives:
Configure a router with standard named ACLs
Configure a router with extended named ACLs
Configure a router with extended ACLs to meet specific communication requirements
Configure an ACL to control access to network device terminal lines
Configure the appropriate router interfaces with ACLs in the appropriate direction
Verify the operation of the configured ACLs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47

OFFICIAL

47

OFFICIAL
Module Practice and Quiz
Lab – Configure and Verify Extended IPv4 ACLs
In this lab, you will complete the following objectives:

Build the Network and Configure Basic Device Settings
Configure and Verify Extended IPv4 ACLs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48

OFFICIAL

48

24
 17/08/2022

OFFICIAL
Module Practice and Quiz
What did I learn in this module?
To create a numbered standard ACL, use the use the ip access-list standard access-list-
name global configuration command.
Use the no access-list access-list-number global configuration command to remove a
numbered standard ACL.
Use the show ip interface command to verify if an interface has an ACL applied to it.
To create a named standard ACL, use the ip access-list standard access-list-name global
configuration command.
Use the no ip access-list standard access-list-name global configuration command to
remove a named standard IPv4 ACL.
To bind a numbered or named standard IPv4 ACL to an interface, use the ip access-group
{access-list-number | access-list-name} { in | out } global configuration command.
To remove an ACL from an interface, first enter the no ip access-group interface
configuration command.
To remove the ACL from the router, use the no access-list global configuration command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49

OFFICIAL

49

OFFICIAL
Module Practice and Quiz
What did I learn in this module?
Extended ACLs can filter on source address, destination address, protocol (i.e., IP, TCP, UDP,
ICMP), and port number.
To create a numbered extended ACL, use the Router(config)# access-list access-list-number
{deny | permit | remark text} protocol source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [established] [log] global configuration command.
ALCs can also perform basic stateful firewall services using the TCP established keyword.
The show ip interface command is used to verify the ACL on the interface and the direction
in which it was applied.
To modify an ACL, use a text editor or use sequence numbers.
An ACL ACE can also be deleted or added using the ACL sequence numbers.
Sequence numbers are automatically assigned when an ACE is entered.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50

OFFICIAL

50

25
 17/08/2022

Module 5: ACLs for IPv4 Configuration OFFICIAL

New Terms and Commands
numbered extended ACL
named extended ACL
numbered standard ACL
named standard ACL
ip access-list standard
no ip access-list standard
ip access-list extended
ip access-list
ip access-group
show access-lists
clear access-list counters
access-class
established

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51

OFFICIAL

51

52

26