2.2 Extended acl  

Sunday, March 29, 2009

Standard ACLs allow all or nothing.

To do packet filtering at a finer level of granularity we need a way to extend the standard
ACL to include things like protocol, port number and destination IP.

Understanding TCP and UDP port numbers

> Understanding TCP and UDP port numbers is fundamental for using extended ACLs.

> With TCP a connection is set up; with UDP there is no connection set up.

> Ports are specified as 16-bit numbers.

telnet - 23
http - 80
dns - 53

> A set of four values:

source IP address
source port
destination IP
destination port

uniquely identifies a client/server relationship and enables clients and servers to talk to
each other without confusion.

> The port numbers below 1024 are called "well known ports", defined by IANA.

> Services can live on non-standard ports as long as both client and server processes agree
to use those ports.


policy set 101: http packets to host
policy set 101: ssl packets to host
no other packets

access-list 101 permit tcp eq 80
access-list 101 permit tcp eq 443
access-list 101 deny ip

> Extended ACLs begin with the "access-list" keyword, followed by a number between 100-199,
which is followed by permit/deny. This part is the same as for a standard ACL.

> Things differ after the permit/deny statement: an extended ACL entry specifies the IP
protocol to which the entry applies.

> Next we have two address/mask pairs [there was a single pair in a standard ACL]. The first
pair defines the source and the next pair defines the destination.

> The entry ends with another protocol specifier, the port number; "eq 80" allows
packets with destination port 80.

> To use the access-list once the policy set is defined, we must apply it to a router
interface.

int fa0/0
ip access-group 101 in/out (in or out depends on the condition and where you are applying it)

2.2.1 Some general properties of access-lists

> An extended ACL entry matches against two IP addresses, as opposed to one IP address for
a standard ACL.

> Masks are not optional for extended ACLs; the router assumes one if a standard ACL
leaves off the mask.

> Both have an implicit deny.

> IP address and wildcard mask matching and the implicit deny are common to all Cisco
access-list structures and are important concepts in understanding ACLs.

2.2.2 Matching IP protocols

Other IP protocols can be specified with an extended ACL:

access-list 102 permit 47

> IP protocol 47 is GRE (Generic Routing Encapsulation). This protocol is used to carry
non-IP protocols such as Novell IPX and AppleTalk over IP, and by PPTP, a VPN protocol.

2.2.3 More on matching protocols

We have created ACL entries that match on the destination port of a UDP/TCP packet. We
can also match on the source port. This is useful for keeping spoofed packets from entering.

ex: NTP uses both source and destination UDP port 123, so the ACL entry would look
like this:

access-list 102 permit udp eq 123 eq 123

> The source port is placed after the source IP address/mask.

> The 'eq' keyword forces matching packets to have a port equal to the specified value.

> With 'gt' a matching packet must have a port value greater than the specified value.

access-list 103 permit tcp gt 1023 eq 20

For a DNS server:

access-list 102 permit udp gt 1023 eq 53
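To make the matching rules from 2.2 (two address/mask pairs, first match wins, implicit deny) and from 2.2.3 (source-port tests with eq and gt) concrete, here is an added example, not code from the original notes, that models how a router walks a numbered extended ACL. The addresses (192.0.2.x, 203.0.113.x, 10.0.0.0/24), the wildcard masks and the packets are constructed sample values; the parser only understands the pieces of the syntax these notes use (any, host, address + wildcard, eq, gt, log).

```python
# Added example, not from the original notes: a small model of how IOS walks an
# extended ACL. Entries are tested top to bottom, the first match decides, and a
# packet that matches nothing falls through to the implicit deny at the end.
# All addresses, wildcard masks and packets here are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers accepted in the protocol field; "ip" matches any protocol.
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "gre": 47}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class PortOp:
    op: str      # "eq" or "gt", the two operators used in the notes
    value: int

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.value
        if self.op == "gt":
            return port > self.value
        raise ValueError("unsupported port operator: " + self.op)


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: Optional[int]      # None means "ip", i.e. any protocol
    src: Tuple[str, str]      # (address, wildcard) of the source pair
    sport: Optional[PortOp]   # source port test, placed after the source pair
    dst: Tuple[str, str]      # (address, wildcard) of the destination pair
    dport: Optional[PortOp]   # destination port test, placed after the destination pair
    log: bool                 # trailing "log" keyword present


@dataclass
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((address, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[PortOp], int]:
    """Consume an optional 'eq N' / 'gt N' clause."""
    if i < len(t) and t[i] in ("eq", "gt"):
        return PortOp(t[i], int(t[i + 1])), i + 2
    return None, i


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one numbered extended ACL line in the form used in the notes."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    listno = int(t[1])
    if not 100 <= listno <= 199:
        raise ValueError("extended ACL numbers are 100-199")
    proto = PROTO_NUMBERS[t[3]] if t[3] in PROTO_NUMBERS else int(t[3])
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    log = i < len(t) and t[i] == "log"
    return listno, Entry(t[2], proto, src, sport, dst, dport, log)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(ln)[1] for ln in text.strip().splitlines()]


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ('deny', None) is the implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.sport is not None and not e.sport.matches(pkt.sport):
            continue
        if e.dport is not None and not e.dport.matches(pkt.dport):
            continue
        return e.action, idx
    return "deny", None


# Policy set 101 from the notes, with a constructed web server address 192.0.2.10.
ACL_101 = parse_acl("""
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
""")

# Source-port matching from 2.2.3: NTP peers on 123/123, a DNS server that only accepts
# queries from source ports above 1023, and GRE (protocol 47) to a tunnel endpoint.
ACL_102 = parse_acl("""
access-list 102 permit udp host 192.0.2.20 eq 123 host 203.0.113.5 eq 123
access-list 102 permit udp 10.0.0.0 0.0.0.255 gt 1023 host 192.0.2.53 eq 53
access-list 102 permit gre any host 192.0.2.1
""")

if __name__ == "__main__":
    print(evaluate(ACL_101, Packet(6, "10.0.0.5", 40000, "192.0.2.10", 22)))   # explicit deny
    print(evaluate(ACL_102, Packet(17, "10.0.0.7", 53, "192.0.2.53", 53)))    # implicit deny
```

Running it shows the two outcomes the notes care about: a TCP packet to port 22 is stopped by the explicit "deny ip any any" entry of list 101, while a DNS query arriving with source port 53 matches no entry of list 102 and is dropped by the implicit deny, because the "gt 1023" source-port test fails.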

2.2.4 Text substitutes for commonly used ports and tasks

Certain configurations are so common that Cisco developed text substitutes to use instead
of port numbers or address/mask pairs.

The IP address/mask pair -> any or host

80 -> http
23 -> telnet
123 -> ntp
47 -> gre (IP protocol)

2.2.5 Generic format of an extended access-list

access-list [listno] [permit/deny] [protocol] [source addr/mask] [source port] [dest addr/mask] [dest port] [logging]

If the logging keyword is present, it turns on a log of all packet information every time
the access-list entry is applied.
