Chapter 15: Access Control Lists—Managing Network Traffic and Resources

In the last chapters, we've looked at techniques for configuring routers to provide connectivity and access within our Internetwork. Probably as important is how we secure this same Internetwork and control access of individuals and networks that have no business being there or that present a risk to the network. Network operating systems provide a level of control and security with user-level security and passwords on devices; of course, physically securing key components to the extent possible is still our first responsibility.
Routers provide another tool that allows data filtering and allows or denies access based on a predefined list of criteria. At the heart of this filtering is a router feature called access control lists (ACLs) or often just access lists. Access lists can block a single host's access to a resource, or they can selectively provide filtering to a variety of IP resources. Access lists are a starting point for adding security and traffic management to your network, but they cannot protect your network by themselves. Devices like firewalls and proxy servers, as well as password management, physical security, and solid administrative policies, should be used to augment them.
ACLs are powerful tools but are understood fully by few people; take the time necessary to master the skills involved. Proficiency in building and debugging access lists is one of the skills that can distinguish you from the masses.
NOTE: ACLs use a feature called wildcard masks that will be considerably easier to understand if you have mastered IP addressing and subnet masks. If you are not comfortable with subnet masks, you might want to review this topic first—or at least review it if you get stuck.
Access Control Lists (ACLs)

ACLs are a series of sequentially processed permit or deny statements that can be used to filter data traffic for many purposes. Each ACL statement includes a criterion definition that is used to determine whether the permit or deny statement is implemented. This criterion could be as simple as a source address for the packet, or it could be an elaborate combination based on data frame segments such as the source address, destination address, protocol used by the source and/or destination, and/or the TCP/UDP port number used. Since version 12.0, such criteria can also be time and date sensitive.
With skill, planning, and practice we should be able to define very specific limited criteria. For example, we can block all access to a network by a host or group of hosts based exclusively on their source address. Or, we could choose to limit Web browsing to selected servers during certain hours while still allowing unlimited FTP and e-mail access.
We have examples of similar processes in our noncomputer lives. Filing income taxes in the United States is one example. If you look at the "Who must file?" information on the cover of any of the tax-form instructions, you will see a list of conditions. If you meet any one of the conditions, you must file a report. Each condition is very specific; if you match one or more criteria, you are in. In Washington State, a jury summons has a short access list that asks four questions. If you answer no to any one, you are excluded from the pool. Your desire or interest in participating is not one of the questions.
Why Use ACLs

We will start by looking at ACLs from the perspective of limiting access to an interface and therefore resources beyond that interface. This is probably the most common type of ACL and is often where users are first introduced to the concepts and technology. As you continue in the field, you will discover that some form of access list is used for many other things. Some of the uses for ACLs include:
- Managing routing traffic: ACLs can be used to filter routing updates. They can block entire protocols from updating over an interface, or they can selectively filter the contents of a routing update, limiting information about certain networks.
- Adjusting the routing metric: ACLs can be used to adjust the routing metric for particular routes, thereby changing the likelihood that a route will be used.
- Determining "interesting" traffic: In Dial on Demand Routing (DDR), ACLs are used to determine what is "interesting" traffic that will cause a modem or ISDN device to open a connection with another device. This interesting traffic could be defined by an ACL as a protocol, like IP, or it could be a specific application, such as e-mail. The designated interesting traffic will cause the link to open and remain open as long as interesting traffic is present. This can greatly reduce the use and cost of metered services.
- Defining traffic: ACLs can be used to define the traffic that another command will use. For example, the debug ip packet command monitors all IP traffic on the device. If a reference to an ACL is added, then the ACL can specify which IP traffic to monitor.
- Priority queuing: ACLs can be used to create priority queuing for processing packets, thereby giving preference to certain types of traffic based on protocol or application.
- Limiting access: ACLs can provide the base-level security for network resources by limiting access to parts of the network. This security aspect could apply to keeping outside hosts out of the network entirely or preventing certain network hosts from accessing specific network segments. An ACL applied to the interface connecting the network to the Internet might block all access into the network that does not originate from within the network. This allows local users to browse the Internet but does not allow outsiders to initiate a connection into your network.
Keep in mind that, like all good things, access lists can be overused, and they can be used incorrectly, causing more harm to the network's performance than you might imagine. Since ACLs have to be processed by the CPU on every packet, good minimalist design is essential to accomplish the goal while preserving router resources. A poorly designed access list can hurt network performance and still fail to meet the original objective.
Note that devices like the Catalyst 6500 process ACLs in hardware, and therefore, the device incurs no loss of performance whatsoever.
ACLs and Network Protocols

ACLs are network-protocol specific. Each upper-level protocol (IP, IPX, AppleTalk) has its own access list structures and options, but if you understand one, you should not have a difficult time with another. Just as running multiple protocols requires more resources, such as memory and CPU usage, multiple access lists will affect those same resources. Some protocols, like IPX, refer to ACLs as filters, particularly in output displays such as show ipx interface.
ACLs are numbered or named. If numbered, the number indicates the protocol used; if named, the ACL explicitly identifies the protocol supported. It is possible to have multiple ACLs per protocol on a particular router, each with its own unique number or name. In the case of IP and IPX ACLs, it is possible to apply up to two ACLs on a particular interface: one inbound and one outbound. With other protocols, you apply only one ACL to an interface, which filters both inbound and outbound packets.
For the CCNA exam, you will need to be familiar with the basics of IP access lists, so we will concentrate on those. But in the initial discussions of general topics, such as naming and numbering access lists, we will discuss IP and IPX together. As we develop our skills, we will concentrate on IP features.
Access List Basics

There are two types of access lists: standard and extended. Standard access lists are the simpler of the two and use only the source addresses as the criteria to make decisions about whether a packet will be permitted or denied access. Extended access lists do exactly what the name implies: They extend the capabilities of the access list by using several criteria in the decision process.
We will start our coverage by looking at some access list basics that apply to both standard and extended lists. We will then look at the specifics of the standard access list and move on to the more complex extended lists. Much of the basic "why" and "how" of access lists will be covered in this section or in the next section, where we expand on the standard list. Subsequent sections will cover extended lists.
Access List Numbering

Initially, access lists were numbered to allow multiple lines to be grouped together even if they were entered at different times. The number also created a short and specific reference to the list that could be used when the list was implemented. Each access list must have a unique number, and all lines within the access list must use that same number. Figure 15-1 shows our test lab from Chapters 12-14 with a host added to the Ethernet LAN of router A. The next few paragraphs describe a simple standard access list to prevent that host from reaching the Ethernet LAN on router X, 192.168.5.0.
The following lines show a simple two-line standard access list that prevents a particular host, 192.168.1.10, from accessing any devices on the 192.168.5.0 network. Both lines were created in global configuration mode and are the appropriate lines from the show run output....
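The sequential, first-match evaluation described under "Access Control Lists (ACLs)" and the lab scenario just above, modelled as an added Python example; this is not the book's configuration, and the show run lines the text refers to are not reproduced here. It assumes the standard list consists of a deny for host 192.168.1.10 followed by a permit for any source, that a standard ACL matches on the source address only (so the 192.168.5.0 restriction comes from where the list is applied), and it relies on the IOS behaviour that every list ends with an implicit deny, a fact of the platform rather than something this excerpt states.

```python
import ipaddress

# Constructed model of how IOS evaluates a standard IP ACL: statements are
# tested top-down, the first match decides, and a packet matching no
# statement hits the implicit "deny any" at the end of the list.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: 0 bits must match,
    1 bits are ignored. So 192.168.1.0 0.0.0.255 matches 192.168.1.x and
    0.0.0.0 255.255.255.255 matches any address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits the mask says we must compare
    return (a & care) == (b & care)

def evaluate_standard_acl(acl: list[tuple[str, str, str]], source: str) -> str:
    """acl: ordered (action, address, wildcard) tuples, i.e. the lines of one
    numbered standard list. Returns the action of the first matching line,
    or 'deny' (implicit) when nothing matches."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"  # implicit deny any at the end of every IOS ACL

# Constructed list for the chapter's lab: block host 192.168.1.10, permit
# everything else. Applied outbound on router X's 192.168.5.0 interface it
# keeps that one host off 192.168.5.0 only, because a standard ACL never
# looks at the destination; placement supplies that part of the policy.
ACL_10 = [
    ("deny", "192.168.1.10", "0.0.0.0"),       # host 192.168.1.10
    ("permit", "0.0.0.0", "255.255.255.255"),  # any
]

# Same two lines in the wrong order: the permit matches first, the deny is
# never reached, and the host gets through. Order is part of the policy.
ACL_10_MISORDERED = list(reversed(ACL_10))

# Subnet-wide variant using a wildcard mask: deny all of 192.168.1.0/24.
ACL_11 = [
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.11", "192.168.2.10"):
        print(src, evaluate_standard_acl(ACL_10, src),
              evaluate_standard_acl(ACL_10_MISORDERED, src),
              evaluate_standard_acl(ACL_11, src))
```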