Understanding Access Control Lists | Network Fundamentals Part 14

Captions
Sometimes we need to control or influence the traffic that flows through our network. Maybe we want to restrict access to some sensitive resources, or maybe we want to limit the amount of non-business traffic to conserve bandwidth. In either case we need to use access control lists, also known as ACLs. In this video we're going to see what ACLs do and how they're configured.

ACLs are a versatile tool which can be used for many different purposes, but while they have many uses, the most obvious function is as a packet filter, that is, to allow or deny traffic. Packet filters add security to the network. Perhaps we want to limit the workstations that are allowed to log on to routers, or maybe we want to allow only HTTP traffic to a server. We can use ACLs in both cases to allow some traffic but deny the rest.

An ACL is really a collection, or list, of rules. Each of these rules is called an access control entry, or ACE, and is used to permit or deny traffic. Each entry in the list is evaluated in order, from the top of the list to the bottom. Every entry contains some match criteria. This may include information like source address, destination address, protocols such as TCP and UDP, and port numbers. When a packet comes into a router, the router looks at this information in the packet header and compares it against each entry, in order, to see if it matches any of the rules. If the router finds that the packet matches one of these entries, it then looks at the action. The simplest actions are permit and deny. As you would expect, if the action is permit the traffic is allowed through; if the action is deny the router blocks the traffic.

It's important to understand that each rule is evaluated in order. See how there's a number next to each entry? That's the sequence number. This number determines the order the rules are evaluated in. As soon as an incoming packet matches one of these entries, the action is applied, and at that point the router stops evaluating further rules. The key point from this is that
the first match wins. So when you create ACLs it's important to consider the order of the rules, otherwise you may not get the results you want.

But what happens if none of our entries match the incoming traffic? There's an invisible rule at the end of the list called the implicit deny. When none of the entries we've configured match, the implicit deny entry drops the traffic. Is this a good thing? Yes, it is. We can't think of a rule to cover every possible scenario; aside from making our jobs too hard, it would make our ACLs far too complicated. So, for security, if we're not expecting the traffic, the router drops it.

If you're really observant you may have noticed that some of these masks look backwards. No, it's not a mistake, and this is not a subnet mask, although it does look similar. This is a wildcard mask. The subnet mask that you're used to uses binary ones and zeros to show which part of an IP address is the network and which part is the host (you can check out the "How IP Addressing Works" video if you'd like a refresher on this). A wildcard mask, on the other hand, is used to match addresses. The zero bits mark the parts of the address that need to match the address in our rule; the one bits mark the parts that don't need to match. So in the example above, the wildcard mask says that we're looking for any IP address that starts with 192.168.10, and that we don't care what the fourth octet of the IP address is. So the address 192.168.10.12 will match our rule; however, 192.168.22.1 will not match.

This probably raises a question in your mind: why do we bother using wildcard masks at all? Couldn't we just use a subnet mask? Well, a wildcard mask does have an obscure advantage. A subnet mask requires all the ones and all the zeros to be grouped together. A wildcard mask has no such restriction. This means that we can perform some advanced matching by mixing up the bits which are turned on or off. In the example here, the 192.168 part must match, as those bits in the
mask are set to zero. The .1 at the end needs to match as well, but the third octet can be anything at all, as this is where the wildcard bits are. So 192.168.10.1 will match, but 192.168.10.2 will not. Why would we ever want to do this? Granted, there are rare cases, but think of a case where we have several subnets and the router in each one uses the .1 address. An ACL like this could be used to allow management traffic to the routers but deny it to everything else. If you can think of a few examples like this, please share them in the comments below. This can be a bit tricky to understand, so if you're willing, try this quiz to test yourself.

Take a look at our original ACL again for a moment. This type of ACL is called an extended ACL. This is only one type of ACL; there are several others, each with different functionality, but as this video is an introduction to ACLs we're going to ignore most of them for now. We've seen the extended ACL already. The other main one is the standard ACL. This is the first one that Cisco created, and it is much simpler. The standard ACL can only match based on source address, and that's it: it can't look at the destination, the protocol or the ports used. I prefer extended ACLs myself, but you will see standard ACLs out there.

One way we can configure ACLs is to give them a number. We configure each entry individually, and any entries sharing the same number are part of the same ACL. This number also determines whether this is a standard or extended ACL, as you can see in this table (standard ACLs use 1-99 and 1300-1999, extended ACLs 100-199 and 2000-2699). If you're looking at doing an exam, I would try to remember these ranges if you can; it wouldn't surprise me if you got a question related to this. Aside from picking a number in the right range, no particular number is any better than any other; they simply act as labels to organize the entries into a list. The more modern alternative to numbered ACLs is named ACLs. In my opinion these are much better.
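Before moving on to named ACLs, here is the wildcard-mask matching from the discussion above as an added example (this is not code from the video or from Cisco IOS). It inverts a subnet mask into a wildcard, tests whether a wildcard is just an inverted subnet mask or uses the mixed-bits trick, and filters candidate addresses against a rule address and wildcard. The addresses and the 192.168.0.1 / 0.0.255.0 rule are constructed for illustration.

```python
# Wildcard-mask matching as Cisco ACLs do it.
# Added example for this page, not code from the video or from Cisco IOS;
# every address and mask below is constructed for illustration.
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a dotted subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(subnet_mask)))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is just an inverted subnet mask (all 1 bits grouped
    at the low end). False means it relies on the 'mixed bits' trick."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0          # 0b000...0111 + 1 is a power of two


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the rule address; a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(packet_ip) & care) == (_to_int(rule_ip) & care)


def filter_matching(rule_ip: str, wildcard: str, addresses):
    """Which of the given addresses does this rule address / wildcard pair match?"""
    return [a for a in addresses if wildcard_match(a, rule_ip, wildcard)]


if __name__ == "__main__":
    # The video's first example: 192.168.10.0 with 0.0.0.255 (fourth octet is don't-care).
    print(filter_matching("192.168.10.0", "0.0.0.255",
                          ["192.168.10.12", "192.168.22.1"]))            # ['192.168.10.12']
    # The "every subnet's .1" trick: 0.0.255.0 leaves only the third octet free, so the
    # rule matches the router address in each 192.168.x.0/24 subnet and nothing else.
    print(is_contiguous("0.0.255.0"))                                     # False
    print(filter_matching("192.168.0.1", "0.0.255.0",
                          ["192.168.10.1", "192.168.20.1", "192.168.10.2", "10.0.0.1"]))
```

`is_contiguous` is a useful sanity check when reviewing someone else's ACL: a non-contiguous wildcard is occasionally intentional, as in the management example, but more often it is a typo that matches far more than the author meant.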
Every list has a name and acts like a container, with the entries nested inside it. In addition, there are no ranges or numbers to worry about; during configuration we simply tell the router whether this is a standard or extended ACL. This will probably make more sense when we try it in the lab a bit later on.

We now have a pretty good idea about how ACLs are built and what they can do, but on its own an ACL does nothing. Nothing at all. Right now the router doesn't know how to use the ACL; after all, it doesn't know that we want to use it as a packet filter. So we need to apply the ACL to one or more of the router's interfaces. When we apply an ACL to an interface we also have to apply it in a direction. There are two directions, called ingress and egress. Ingress means traffic that is coming into the router; egress is traffic that is leaving the router. So when we apply an ACL, we apply it to an interface with a direction. Take note, though: there can only be one ACL per interface per direction.

Let's run through an example. When traffic enters this interface, that's the ingress direction, and the ACL will be evaluated. If the ACL allows the traffic, it continues through the router and eventually needs to exit from interface Gi0/2. That's the egress direction. We have no ACL applied there, so the traffic is automatically allowed. Now what happens if the traffic flows the other way? There's no ACL applied to Gi0/2 in the ingress direction, so the packet is allowed in. The packet then needs to leave from the Gi0/1 interface. There's no ACL there in the egress direction, so the packet is allowed to leave. You can probably see that it is important to understand the path that the packet takes when you're creating your ACLs. See how you go with these quiz questions.

It's time to see this in the lab. We're following on from where we left off in the last video, with the same topology. There are two VLANs, 10 and 20, which contain the workstations and the servers. Each VLAN uses a different subnet. There is a router
configured as router-on-a-stick to pass traffic between the two subnets. Right now all traffic is allowed between the subnets, but we want to restrict this a bit, so we're going to attempt two goals. Goal 1 is to block regular HTTP traffic to the servers but allow HTTPS traffic; any other traffic to the servers should be denied. Goal 2 is to allow the servers, but not the workstations, to manage the router with SSH; nothing should be allowed to manage the router with telnet, and no other IP traffic to the router should be blocked. The starting configuration has already been done, so we won't need to worry about that. As usual, the topology is downloadable from the website, and I'll put a link in the description.

Starting with goal number 1, we're going to create a rule to block HTTP traffic to the servers. If we use the access-list command we can configure a numbered ACL. Here you can see the different ranges we can use; for now only worry about standard and extended. If we were to configure access-list 1 we get the options for a standard ACL. If we try to deny HTTP traffic here you will see that we don't get many options to choose from; remember that standard ACLs only match on the source IP address. Instead, let's configure an ACL from the extended range. See how we now have many more options? Don't worry too much about all of these; just focus on ip, tcp and udp. We can use ip to allow or deny any traffic between certain IP addresses. tcp and udp can be used to block or allow specific ports between certain IP addresses. In our case we want to block HTTP, which uses the TCP protocol. The next step is to configure the source address, that is, where the traffic is coming from. We want to block all HTTP traffic, so the source can be anything. If we wanted to we could get more specific and only block traffic if it comes from a particular source port, but that's not important for our goal, so we'll move on to the destination IP address. So what destination should we use? Should we create a separate rule for each of our servers? Well, if you
look at the topology, you can see that we don't have to, as all our servers are in their own subnet. Can you see now how it's useful to separate our resources by VLAN and subnet? Now we need the dreaded wildcard mask. Don't worry, it's an easy one. We only need to match the first three octets of the server subnet; we don't care about the last octet, so our mask will be 0.0.0.255. We're at the last part now, which is the matching port number. There are a few options we could use here. The most common option is eq, which means equals; we use this when we want to match one specific port. Some other alternatives include range, for matching a range of ports, as well as gt and lt to match ports greater than or less than a particular number. We're going to keep it simple and match one single port. We could type in 80, as HTTP traffic uses TCP port 80, or we can make use of some of the well-known values that IOS has made available to us. At the very bottom of this list you can see that www is used for HTTP traffic. It really doesn't matter if you use this list or if you just type the number in; they both work. And our first entry is done.

We can check this with show access-lists. Remember to use the do keyword if you want to run this command from within configuration mode. We now have one access list, number 150, with a single entry. This is good, but our ACL is not done. We now need an entry to allow HTTPS, so we repeat the process, this time permitting HTTPS, which uses TCP port 443. And while we're at it we can add a remark to the ACL. A remark is just a comment that makes it easier for us to understand what we've configured later. Looking at the ACLs now, we can see that there are two entries; the new entry has been added to the bottom of the list. The final part of our goal is to block all other traffic to the servers. How do we handle this? It's actually simpler than you may think. Although it's not shown as an entry in our list, there is that implicit deny rule at the end. Any traffic that we haven't matched will
automatically be blocked. In fact we don't really even need a rule to block HTTP, although it can be handy, as you'll see soon. So are we done? Almost. We still need to apply the ACL to an interface, in this case Gi0/1.10. For this we need to enter interface configuration mode and enter the ip access-group command. We give it the ACL number and then a direction; these are the ingress and egress directions we were talking about earlier. If we want to verify this we can use show ip interface and look for the outgoing and inbound access list entries.

It's difficult to test the results of this in a lab, but we'll give it a try. Over on the workstation we can use the Linux command curl to try to retrieve a web page from the server. It immediately fails when using HTTP. If we try it again with HTTPS it still fails, but with a different message. This message means that traffic is reaching the server, but the server doesn't have a web page to give back. So the ACL is actually allowing HTTPS traffic, but because this is a lab it's hard to show that. And how about ping? This no longer works, as the traffic isn't getting past the packet filter. That's because of the implicit deny rule at the end of the ACL. I didn't originally intend to block ping, but I've done this accidentally. This should show that when working with ACLs it's easy to overlook things like this, so it's really important that you test your changes thoroughly.

Let's take another look at the ACL on the router. Do you see how each rule now has one match? This is from the traffic that we just generated, and it is another way to see that our lists are working. You'll notice, though, that there's no match counter for the implicit deny rule. This is one reason why it is sometimes useful to create explicit deny rules like we did for HTTP, even though we don't seem to need them. While we're looking at these rules, do you see how each rule starts with a number? In this case it's 10 and 20. These are the entries' sequence numbers. This shows the order
the rules are evaluated in. We can give rules sequence numbers if we want, but if we don't, IOS will automatically assign numbers, like it has done here.

Now to move on to goal number 2, where we only allow SSH from the servers and not the workstations. If we try SSH on the workstation you can see that part of our job is already done: the ACL we've already configured is already denying SSH to the router. That's the implicit deny rule once again. This will also be blocking ping and telnet. To block telnet and allow SSH from the servers we need to create a new ACL, which we will apply to interface Gi0/1.20 later. For some variety we'll configure this one as a named ACL. Named ACLs are configured with ip access-list, and there's no need to worry about number ranges here; we just use the extended keyword and then give it a name. We'll call this one "server ACL". This brings us to the named ACL sub-configuration mode; the nacl in the prompt means named ACL. This is quite different to when we configured the numbered ACL. Similar to before, we want to deny telnet traffic from any source; however, the destination IP address is just a single IP, the IP of the router. So to simplify things we can use the host keyword as the destination and enter our single IP address. This means we don't need to worry about a wildcard mask. The rest of the command is just like the one we saw earlier. But before we issue the command I would like to show you the optional log keyword that we can put at the end. This is used during troubleshooting: when we add this keyword, the router creates a log entry each time the rule is matched. I don't recommend turning this on unless you need it, as it decreases the router's performance, so I'm going to leave it turned off for this entry. Now we can put in a rule to allow SSH to the router from the servers. You might think we're done, but there's one more thing to think about. Our goal said that we need to allow any other IP traffic to the router. Right now the implicit deny rule is
blocking all other traffic, so we need to add a rule to allow all other traffic. This is a very simple rule that permits ip traffic from anywhere to anywhere. And finally we just need to apply this to an interface, like we did before. Have we finished now? So close. Our original ACL is also blocking all other traffic to the router. We can easily put in a rule at the end of that list to permit all of the traffic, but only to the router's IP. From this you can see that we can add more rules to an ACL at any time we want.

I recommend that you try all of this in a lab yourself, whether with the downloadable lab that I provide or with one that you build on your own. I would also like to challenge you with these four goals; see if you can work out how they're done on your own. And if the challenge isn't enough for you, test yourself with these.

We can't really talk about using ACLs for security without mentioning firewalls. If you haven't seen them before, I'm sure you've heard of them. As a quick summary, firewalls are special devices that are built just to filter traffic. They definitely do use ACLs to block and allow packets, just like we've done here. But if regular routers can filter packets, why would we need a firewall? Because firewalls do so much more than just filter packets. For one, they can do stateful packet filtering, which is different to what a plain ACL does, and they can look at the contents of a packet, not just the headers. Often which one you choose comes down to balance. Sometimes you'll want to use a firewall for heavy-duty protection, like on the edge of your network where your Internet is connected; sometimes a simple ACL on the router is more useful, like when we blocked SSH from many devices. If any of you are feeling adventurous, I do have a video on configuring ACLs on the Cisco ASA firewall. It is a bit more advanced, but it might help you to see the difference between a simple packet filter and a dedicated firewall. I'll put the link in the description so you can check it out if you want
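The whole lab, together with the interface-and-direction model from earlier in the video, as an added example (this is not code from the video, from Cisco, or from the downloadable lab): a small parser for the two IOS ACL syntaxes used above (numbered `access-list N ...` lines and an `ip access-list extended NAME` block), an evaluator that walks entries in sequence order, stops at the first match, keeps the per-entry hit counters that `show access-lists` displays, and falls through to an implicit deny that has no counter, plus a `forward` function that applies one ACL per interface per direction. Everything concrete is an assumption made for the example: the workstation and server addresses, the router's own addresses 192.168.10.1 on Gi0/1.10 and 192.168.20.1 on Gi0/1.20, and the name SERVER-ACL. Only the `eq` port operator is modelled. One deliberate addition: because the tutorial finishes by appending a permit for all traffic to the router's IP, that catch-all would also re-open SSH and telnet from the workstations, so the example precedes it with explicit denies for ports 22 and 23 to the router; without those two lines goal 2 is not met.

```python
"""IOS-style ACL parser and packet evaluator, added for this page (not code from the video or
from Cisco). Addresses, the ACL name SERVER-ACL and the router's own IPs are all assumptions."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}   # a few of the IOS port-name keywords
ANY = ("0.0.0.0", "255.255.255.255")                  # what the 'any' keyword expands to
Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))   # dport None for ICMP
Entry = namedtuple("Entry", "seq action proto src dst port")            # port None = no 'eq'

def wildcard_match(ip, rule_ip, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # 0 bit = must match, 1 = don't care
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(rule_ip)) & care)

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:        # 'ip' entries match every protocol
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    return e.port is None or e.port == p.dport        # ICMP (dport None) never matches 'eq 80'

def _addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i] -> ((address, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_entry(t, seq):
    """t starts at the action: ['deny', 'tcp', 'any', '192.168.20.0', '0.0.0.255', 'eq', 'www']."""
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":                   # only 'eq' is modelled; gt/lt/range are not
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(seq, t[0], t[1], src, dst, port)     # a trailing 'log' keyword is ignored

class ACL:
    def __init__(self, name):
        self.name, self.entries, self.hits = name, [], {}   # hits: what 'show access-lists' shows

    def add(self, t):
        # IOS assigns 10, 20, 30, ... unless the entry starts with its own sequence number
        seq = int(t.pop(0)) if t[0].isdigit() else (self.entries[-1].seq + 10 if self.entries else 10)
        self.entries.append(parse_entry(t, seq))
        self.entries.sort(key=lambda e: e.seq)
        self.hits[seq] = 0

    def evaluate(self, p):
        for e in self.entries:                        # top to bottom, in sequence order
            if matches(e, p):
                self.hits[e.seq] += 1
                return e.action, e.seq                # first match wins; nothing below is looked at
        return "deny", None                           # implicit deny: no entry, no counter, seq None

def parse_config(text):
    """Accept 'access-list N ...' lines and 'ip access-list extended NAME' blocks."""
    acls, current = {}, None
    for t in (line.split() for line in text.strip().splitlines()):
        if not t or "remark" in t[:3]:
            continue
        if t[:2] == ["ip", "access-list"]:
            current = acls.setdefault(t[3], ACL(t[3]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], ACL(t[1])).add(t[2:])
        else:
            current.add(t)
    return acls

def forward(bindings, p, in_if, out_if=None):
    """bindings: {(interface, 'in'|'out'): ACL}, one per key; out_if=None is traffic to the router."""
    for key in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and acl.evaluate(p)[0] == "deny":
            return "deny"
    return "permit"                                   # no ACL in a direction means allowed

LAB_CONFIG = """
access-list 150 remark Goal 1: workstations (VLAN 10) to the server subnet (VLAN 20)
access-list 150 deny tcp any 192.168.20.0 0.0.0.255 eq www
access-list 150 permit tcp any 192.168.20.0 0.0.0.255 eq 443
access-list 150 deny tcp any host 192.168.10.1 eq 22
access-list 150 deny tcp any host 192.168.10.1 eq telnet
access-list 150 permit ip any host 192.168.10.1
ip access-list extended SERVER-ACL
 deny tcp any host 192.168.20.1 eq telnet
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.20.1 eq 22
 permit ip any any
"""

def run_lab():
    acls = parse_config(LAB_CONFIG)
    b = {("Gi0/1.10", "in"): acls["150"], ("Gi0/1.20", "in"): acls["SERVER-ACL"]}
    ws, srv, r10, r20 = "192.168.10.50", "192.168.20.10", "192.168.10.1", "192.168.20.1"
    return acls, {"ws_http": forward(b, Packet(ws, srv, "tcp", 80), "Gi0/1.10", "Gi0/1.20"),
                  "ws_https": forward(b, Packet(ws, srv, "tcp", 443), "Gi0/1.10", "Gi0/1.20"),
                  "ws_ping_server": forward(b, Packet(ws, srv, "icmp"), "Gi0/1.10", "Gi0/1.20"),
                  "ws_ssh_router": forward(b, Packet(ws, r10, "tcp", 22), "Gi0/1.10"),
                  "srv_ssh_router": forward(b, Packet(srv, r20, "tcp", 22), "Gi0/1.20"),
                  "srv_telnet_router": forward(b, Packet(srv, r20, "tcp", 23), "Gi0/1.20")}
```

Call `run_lab()` to get the parsed ACLs and a verdict per test flow; `acls["150"].hits` then shows the same picture as `show access-lists` on the router, including the absence of any line for the implicit deny, which is why the workstation's ping to the server disappears without leaving a counter behind. Binding a second ACL to the same `(interface, direction)` key simply replaces the first, mirroring the one-ACL-per-interface-per-direction rule.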
to. When it comes to ACLs, the key is to practise them as much as you can; the best way to understand them is to use them. Try leaving some challenges for each other in the comments below, on the website, or on the Cisco Learning Network forums. I hope you've liked this video, and I look forward to seeing you in the next one.
Info
Channel: Network Direction
Views: 58,186
Rating: 4.940866 out of 5
Keywords: Access control list, access control list, Access control entry, access control, network direction, Network direction, Acl, Ace, Security, Firewall, Packet filter, Qos, Pbr, Wildcard mask, permit, Deny, Match, Ip access-group, Standard, Extended, Implicit deny, Numbered list, Named acl, Ingress, Egress, Stateful, stateless, free ccna, cisco router training, ccna fundamentals, networking tutorial for beginners, network fundamentals, networking fundamentals, networking basics
Id: FxlqSfORZm4
Length: 22min 38sec (1358 seconds)
Published: Tue Aug 06 2019