# Module 14: Access Control Lists

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### 14.1 Introduction to Access Control Lists (ACLs)

---

#### **14.1.1 What is an ACL?**

**Definition:**
An ACL is a sequential list of permit or deny statements (Access Control Entries, or ACEs) that filters packets based on header information. Routers evaluate packets against ACLs to decide whether they should be forwarded or discarded.

**Key Features:**
- ACLs filter traffic by inspecting the packet header.
- ACLs are applied to router interfaces to control network traffic.
- Packet filtering compares the packet against the ACEs sequentially.

**Common Uses of ACLs:**
1. **Limit Network Traffic:** Block video traffic to reduce network load.
2. **Traffic Flow Control:** Restrict routing protocol traffic to specific links.
3. **Basic Security:** Limit access to sensitive networks (e.g., HR).
4. **Traffic Filtering:** Allow email but block Telnet traffic.
5. **Access to Services:** Control user access to FTP or HTTP services.
6. **Traffic Prioritization:** Use ACLs with QoS to prioritize voice traffic.

---

#### **14.1.2 Packet Filtering**

**Definition:**
Packet filtering allows or denies traffic based on Layer 3 (Network) and Layer 4 (Transport) header information.

![image](https://hackmd.io/_uploads/rJMP6KINJe.png)

**Types of ACLs:**
1. **Standard ACLs:**
   - Filter traffic based only on the **source IPv4 address**.
   - Operate at **Layer 3**.
2. **Extended ACLs:**
   - Filter traffic based on **source and/or destination IPv4 address**, **TCP/UDP ports**, and **protocol type**.
   - Operate at **Layers 3 and 4** for finer control.

---

#### **14.1.3 Numbered and Named ACLs**

**Numbered ACLs:**
- Standard ACLs: Numbers **1-99** and **1300-1999**.
- Extended ACLs: Numbers **100-199** and **2000-2699**.
**Named ACLs:**
- Allow meaningful names instead of numbers (e.g., **FTP-FILTER**).
- **Advantages:**
  - Easier to identify the ACL's purpose.
  - Entries can be added or removed dynamically.
- Names should be **capitalized**, alphanumeric, and contain no spaces or punctuation.

**Example of Named ACL Configuration:**
```plaintext
R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
```

---

#### **14.1.4 ACL Operation**

**Traffic Filtering Directions:**
1. **Inbound ACLs:**
   - Filter packets **before routing**.
   - Efficient for discarding unwanted traffic early.
   - Best for filtering packets from a specific source network.
2. **Outbound ACLs:**
   - Filter packets **after routing**.
   - Useful for applying the same filter to traffic that arrived on several inbound interfaces.

**Operating Procedure for Inbound Standard ACLs:**
1. Extract the **source IPv4 address** from the packet header.
2. Compare the address to each ACE in sequential order.
3. **Permit or deny** the packet based on the first match.
4. If no match is found, apply the **implicit deny** rule and discard the packet.

**Key Points:**
- **Implicit Deny:** Every ACL ends with a hidden **deny all traffic** rule.
- An ACL must have at least **one permit statement**, or all traffic will be denied.

>[!Warning]Recap
>An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. By default, a router does not have any ACLs configured. An ACL uses a sequential list of permit or deny statements, known as ACEs. The packet filtering process occurs when network traffic passes through an interface configured with an ACL, and the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. Packet filtering can occur at Layer 3 or Layer 4.
>Cisco routers support standard ACLs and extended ACLs. ACLs numbered 1 to 99 or 1300 to 1999 are standard ACLs, while ACLs numbered 100 to 199 or 2000 to 2699 are extended ACLs. Named ACLs are the preferred method to use when configuring ACLs, because the name provides information about the purpose of the ACL. ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.

### 14.2 Wildcard Masking

---

#### **14.2.1 Wildcard Mask Overview**

**Definition:**
A wildcard mask is a 32-bit number used in Access Control Lists (ACLs) to specify which bits of an IPv4 address must match. Its bits have the opposite meaning from those of a subnet mask:
- **Wildcard mask bit 0:** Match the corresponding bit in the address.
- **Wildcard mask bit 1:** Ignore the corresponding bit in the address.

**Key Features:**
- Used for traffic filtering and OSPF configurations.
- Works via an ANDing process but reverses the matching logic compared to subnet masks.

---

#### **14.2.2 Wildcard Mask Types**

**Examples of Wildcard Mask Usage in ACLs:**
1. **Wildcard Mask to Match a Host:**
   - Wildcard mask: `0.0.0.0`
   - Matches an exact IPv4 address.
   - Example:
   ```plaintext
   access-list 10 permit 192.168.1.1 0.0.0.0
   ```
2. **Wildcard Mask to Match a Subnet:**
   - Wildcard mask: `0.0.0.255`
   - Matches a subnet (e.g., a `/24`).
   - Example:
   ```plaintext
   access-list 10 permit 192.168.1.0 0.0.0.255
   ```
3. **Wildcard Mask to Match a Range of Addresses:**
   - Wildcard mask: `0.0.15.255`
   - Matches a range of subnets (e.g., `192.168.16.0/24` to `192.168.31.0/24`).
   - Example:
   ```plaintext
   access-list 10 permit 192.168.16.0 0.0.15.255
   ```

---

#### **14.2.3 Wildcard Mask Calculation**

**Shortcut:** Subtract the subnet mask from `255.255.255.255`.

**Examples:**
1. **Permit Subnet `192.168.3.0/24`:**
   - Subnet mask: `255.255.255.0`
   - Wildcard mask: `255.255.255.255 - 255.255.255.0 = 0.0.0.255`
   - ACE:
   ```plaintext
   access-list 10 permit 192.168.3.0 0.0.0.255
   ```
2. **Permit Subnet `192.168.3.32/28`:**
   - Subnet mask: `255.255.255.240`
   - Wildcard mask: `255.255.255.255 - 255.255.255.240 = 0.0.0.15`
   - ACE:
   ```plaintext
   access-list 10 permit 192.168.3.32 0.0.0.15
   ```
3. **Permit Range `192.168.10.0/23`:**
   - Subnet mask: `255.255.254.0`
   - Wildcard mask: `255.255.255.255 - 255.255.254.0 = 0.0.1.255`
   - ACE:
   ```plaintext
   access-list 10 permit 192.168.10.0 0.0.1.255
   ```

---

#### **14.2.4 Wildcard Mask Keywords**

To simplify configuration, use **keywords** instead of wildcard masks.
1. **`host`:** Matches a single host address (wildcard `0.0.0.0`). Example:
   ```plaintext
   access-list 10 permit host 192.168.10.10
   ```
2. **`any`:** Matches all addresses (wildcard `255.255.255.255`). Example:
   ```plaintext
   access-list 11 permit any
   ```

**Comparison:**
| **Wildcard Mask** | **Keyword** |
|---|---|
| `0.0.0.0` | `host` |
| `255.255.255.255` | `any` |

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/8-2-5-check-your-understanding-wildcard-masks-in-acls-answers.html).
:::

>[!Warning]Recap
>An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the OSPF routing protocol. A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true. One shortcut method to calculate wildcard masks is to subtract the subnet mask from 255.255.255.255.
>The Cisco IOS provides two keywords, host and any, to simplify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.

### 14.3 Configure ACLs

---

#### **14.3.1 Creating ACLs**

**Purpose**
An ACL filters traffic on routers by permitting or denying specific packets based on set conditions. Plan and document complex ACLs carefully to avoid network disruptions.

**Key Steps**
1. Draft the policy in a text editor.
2. Write the ACL commands using IOS syntax.
3. Add **remarks** for documentation (optional).
4. Copy and paste the commands onto the router.
5. Test the ACL thoroughly.

---

#### **14.3.2 Numbered Standard IPv4 ACL Syntax**

**Command Syntax**
`access-list <access-list-number> {deny | permit | remark text} <source> [source-wildcard] [log]`

**Description**
| Parameter | Description |
|---|---|
| **access-list-number** | Decimal ACL number. Range: 1–99 or 1300–1999. |
| **deny** | Blocks traffic matching the condition. |
| **permit** | Allows traffic matching the condition. |
| **remark text** | (Optional) Adds a comment for documentation. Limited to 100 characters. |
| **source** | IP address, `host` keyword, or `any`. Identifies the source to filter. |
| **source-wildcard** | (Optional) Wildcard mask for the source. Default: `0.0.0.0`. |
| **log** | (Optional) Logs information about matched packets. |

---

#### **14.3.3 Named Standard IPv4 ACL Syntax**

**Command Syntax**
`ip access-list standard <access-list-name>`

**Description** (the `deny`, `permit` and `remark` statements are entered in named ACL configuration mode)
| Parameter | Description |
|---|---|
| **access-list-name** | Alphanumeric name for the ACL. Names are case-sensitive and must be unique. Recommended: use ALL CAPS. |
| **deny** | Blocks traffic matching the condition. |
| **permit** | Allows traffic matching the condition. |
| **remark** | (Optional) Comments for documentation. |

---

#### **14.3.4 Numbered Extended IPv4 ACL Syntax**

**Command Syntax**
`access-list <access-list-number> {deny | permit | remark text} <protocol> <source> <source-wildcard> [operator {port}] <destination> <destination-wildcard> [operator {port}] [established] [log]`

**Description**
| Parameter | Description |
|---|---|
| **access-list-number** | Decimal ACL number. Range: 100–199 or 2000–2699. |
| **deny** | Blocks traffic matching the condition. |
| **permit** | Allows traffic matching the condition. |
| **remark text** | (Optional) Adds a comment for documentation. |
| **protocol** | Specifies the protocol (e.g., `ip`, `tcp`, `udp`, `icmp`). |
| **source** | IP address, `host` keyword, or `any`. Identifies the source to filter. |
| **source-wildcard** | (Optional) Wildcard mask for the source. Default: `0.0.0.0`. |
| **operator {port}** | (Optional) Compares source or destination ports. Operators: `eq`, `lt`, `gt`, `neq`. |
| **destination** | IP address, `host` keyword, or `any`. Identifies the destination to filter. |
| **destination-wildcard** | (Optional) Wildcard mask for the destination. |
| **established** | (Optional) Matches only TCP segments with the ACK or RST flag set, i.e., replies to sessions already opened from the inside. Used for basic stateful-style filtering. |
| **log** | (Optional) Logs information about matched packets. |

---

#### **14.3.5 Named Extended IPv4 ACL Syntax**

**Command Syntax**
`ip access-list extended <access-list-name>`

**Description** (the `deny`, `permit` and `remark` statements are entered in named ACL configuration mode)
| Parameter | Description |
|---|---|
| **access-list-name** | Alphanumeric name for the ACL. Names are case-sensitive and must be unique. Recommended: use ALL CAPS. |
| **deny** | Blocks traffic matching the condition. |
| **permit** | Allows traffic matching the condition. |
| **remark** | (Optional) Comments for documentation. |

---

#### **14.3.6 Protocols and Port Numbers**

**Supported Protocols**
| Protocol | Description |
|---|---|
| `ip` | Matches all IP protocols. |
| `tcp` | Transmission Control Protocol. |
| `udp` | User Datagram Protocol. |
| `icmp` | Internet Control Message Protocol. |

**Port Operators**
| Operator | Description |
|---|---|
| `eq` | Equal to. |
| `lt` | Less than. |
| `gt` | Greater than. |
| `neq` | Not equal to. |

**Example Ports**
| Port | Description |
|---|---|
| 22 | SSH |
| 80 | HTTP |
| 443 | HTTPS |

---

#### **14.3.7 Examples**

**Permit HTTP and HTTPS Traffic**
```plaintext
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
```

**Allow Specific Host Traffic**
```plaintext
access-list 10 permit host 192.168.1.1
```

**Block Subnet Traffic**
```plaintext
access-list 10 deny 192.168.1.0 0.0.0.255
```

---

#### **14.3.8 Verifying and Applying ACLs**

**Apply ACL to Interface**
```plaintext
ip access-group {access-list-number | access-list-name} {in | out}
```

**Show ACL Configuration and Statistics**
```plaintext
show access-lists
```

>[!Warning]Recap
>When configuring a complex ACL, it is suggested that you use a text editor and write out the specifics of the policy to be implemented, add the IOS configuration commands to accomplish those tasks, include remarks to document the ACL, and copy and paste the commands onto the device. Always thoroughly test an ACL to ensure that it correctly applies the desired policy. To create a numbered standard ACL, use the command `access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]`. To create a named standard ACL, use the command `ip access-list standard access-list-name`.
>ACL names are alphanumeric, case sensitive, and must be unique. The procedural steps for configuring extended ACLs are the same as for standard ACLs. The command to apply an extended IPv4 ACL to an interface is the same as the one used for standard IPv4 ACLs: `ip access-group {access-list-number | access-list-name} {in | out}`. Extended ACLs can filter on many different types of internet protocols and ports. TCP can also perform basic stateful firewall services using the TCP `established` keyword. The keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network.

### 14.4 Modify ACLs

---

#### **14.4.1 Two Methods to Modify an ACL**

**Overview**
After an ACL is configured, it may require modification to achieve the desired behavior. Modifications can be made using two methods:
1. **Text Editor Method**: Edit and reapply the ACL using an external text editor.
2. **Sequence Number Method**: Modify the ACL directly by deleting or inserting ACEs using sequence numbers.

---

#### **14.4.2 Text Editor Method**

**Steps**
1. Copy the ACL from the **running configuration** using the command:
   ```plaintext
   show run | section access-list
   ```
2. Paste the ACL into a text editor and make the corrections.
3. Remove the existing ACL from the router:
   ```plaintext
   no access-list <access-list-number>
   ```
4. Copy the corrected ACL from the text editor and paste it into the router in **global configuration mode**.

**Example**
Incorrect ACL (the host address in the first ACE is mistyped as `19.168.10.10`):
```plaintext
access-list 1 deny 19.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
```
Correction process:
```plaintext
R1(config)# no access-list 1
R1(config)# access-list 1 deny 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
```

---

#### **14.4.3 Sequence Number Method**

**Steps**
1. View the ACL and its sequence numbers with the command:
   ```plaintext
   show access-lists
   ```
   Example output:
   ```plaintext
   Standard IP access list 1
       10 deny   19.168.10.10
       20 permit 192.168.10.0, wildcard bits 0.0.0.255
   ```
2. Enter **named ACL configuration mode** for the numbered ACL:
   ```plaintext
   ip access-list standard <access-list-number>
   ```
3. Delete the incorrect ACE using its sequence number:
   ```plaintext
   no <sequence-number>
   ```
4. Add the corrected ACE with the desired sequence number:
   ```plaintext
   <sequence-number> deny host <IP-address>
   ```
5. Exit configuration mode and verify the changes:
   ```plaintext
   show access-lists
   ```

**Example**
Incorrect ACL:
```plaintext
Standard IP access list 1
    10 deny   19.168.10.10
    20 permit 192.168.10.0, wildcard bits 0.0.0.255
```
Correction process:
```plaintext
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1# show access-lists
Standard IP access list 1
    10 deny   192.168.10.10
    20 permit 192.168.10.0, wildcard bits 0.0.0.255
```

>[!Warning]Recap
>ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create the ACL, and then paste it into the router interface, and makes editing the ACL simpler. An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered. These numbers are listed in the `show access-lists` command.

### 14.5 Implement ACLs

---

#### 14.5.1 ACL Configuration Guidelines

Access Control Lists (ACLs) consist of Access Control Entries (ACEs) and follow specific guidelines for configuration and application. The key points are:
1. Create an ACL globally, then apply it to an interface or line.
2. Remember that every ACL ends with an implicit `deny any` (standard) or `deny ip any any` (extended) statement.
3. Statement order is critical: ACLs are processed top-down, and processing stops at the first match.
4. Filter traffic starting from the most specific criteria to the most general.
5. Only one ACL can be applied per interface, per protocol, and per direction.
6. Router-generated packets are not filtered by outbound ACLs.
7. Place **standard ACLs** close to the destination.
8. Place **extended ACLs** close to the source.

---

#### 14.5.2 Apply an ACL

Once created, ACLs can be applied to interfaces or vty lines using the following commands:
- **Interface-based ACL application**:
  ```plaintext
  Router(config-if)# ip access-group {acl-# | name} {in | out}
  ```
- **vty line ACL application** (the line-mode command is `access-class`, without the `ip` prefix):
  ```plaintext
  Router(config-line)# access-class {acl-# | name} {in | out}
  ```

##### Example: Named Standard ACL on an Interface
To block traffic from `192.168.11.10` and allow all other traffic:
```plaintext
R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# deny host 192.168.11.10
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group NO_ACCESS out
```

##### Example: Named Extended ACLs
To allow only HTTP and HTTPS traffic to leave the `192.168.10.0/24` network and permit only the returning traffic back in:
```plaintext
R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out
```

---

#### 14.5.3 Where to Place ACLs

Proper placement of ACLs improves efficiency:
1. **Standard ACLs**: Place close to the destination; because they match on source address only, placing them near the source would also block traffic to destinations that should remain reachable.
2. **Extended ACLs**: Place close to the source to prevent unnecessary traffic from traversing the network.
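The evaluation rules from 14.1.4 (sequential first match, implicit deny), the wildcard logic from 14.2 and the `established` keyword used by the BROWSING ACL above, modelled in Python as an added example that is not part of the course material or of Cisco's software. It parses the SURFING and BROWSING ACEs exactly as written above; the packets are constructed, with 203.0.113.9 (a documentation address) standing in for an internet web server.

```python
"""Cisco IOS IPv4 ACL evaluation model (added example; not the cheat sheet's or
Cisco's code): wildcard matching, sequential first match, the implicit deny and
the 'established' keyword, run against the SURFING/BROWSING ACLs of 14.5.2."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as network + wildcard

def wildcard_from_prefix(prefix_len: int) -> str:
    """Section 14.2.3 shortcut: 255.255.255.255 minus the subnet mask."""
    return str(IPv4Address(0xFFFFFFFF - int(IPv4Network(f"0.0.0.0/{prefix_len}").netmask)))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match the network, bit 1 = ignore it."""
    must_match = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) ^ int(IPv4Address(network))) & must_match == 0

@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # only the 'eq' operator is modelled
    established: bool = False       # match only TCP segments with ACK or RST set

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()

def _parse_addr(tokens: list[str]) -> tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_ace(line: str) -> ACE:
    """Parse an ACE as typed in IOS, e.g. 'permit tcp 192.168.10.0 0.0.0.255 any eq 80'."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):   # extended ACE
        protocol = tokens.pop(0)
        src, src_wc = _parse_addr(tokens)
        dst, dst_wc = _parse_addr(tokens)
    else:                                           # standard ACE: source only
        protocol, (src, src_wc), (dst, dst_wc) = "ip", _parse_addr(tokens), ANY
    port, established = None, False
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            name = tokens.pop(0)
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            established = True
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return ACE(action, protocol, src, src_wc, dst, dst_wc, port, established)

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol not in ("ip", pkt.protocol):
        return False
    if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return not ace.established or bool(pkt.tcp_flags & {"ACK", "RST"})

def evaluate(acl: list[ACE], pkt: Packet) -> tuple[str, Optional[int]]:
    """First match decides; returns (action, IOS sequence number), or (deny, None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, (index + 1) * 10
    return "deny", None

SURFING = [parse_ace(line) for line in (            # section 14.5.2, inbound on R1 G0/0
    "permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "permit tcp 192.168.10.0 0.0.0.255 any eq 443")]
BROWSING = [parse_ace("permit tcp any 192.168.10.0 0.0.0.255 established")]  # outbound

def demo() -> dict[str, tuple[str, Optional[int]]]:
    # constructed packets; 203.0.113.9 (documentation range) stands in for a web server
    lan, web = "192.168.10.5", "203.0.113.9"
    return {
        "https_out": evaluate(SURFING, Packet("tcp", lan, web, 443, frozenset({"SYN"}))),
        "ssh_out": evaluate(SURFING, Packet("tcp", lan, web, 22, frozenset({"SYN"}))),
        "reply_in": evaluate(BROWSING, Packet("tcp", web, lan, 51000, frozenset({"ACK"}))),
        "syn_in": evaluate(BROWSING, Packet("tcp", web, lan, 445, frozenset({"SYN"}))),
    }
```

`demo()` shows the two behaviours the text describes: an SSH attempt from the LAN hits no ACE and falls to the implicit deny, and an unsolicited SYN from outside is dropped by BROWSING because `established` matches only segments carrying ACK or RST.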
##### Factors Influencing ACL Placement:
| **Factor** | **Explanation** |
|---|---|
| **Organizational control** | ACL placement depends on whether the organization controls both the source and the destination networks. |
| **Bandwidth considerations** | Filtering traffic close to the source keeps unnecessary traffic from consuming bandwidth along the path. |
| **Ease of configuration** | An ACL at the destination is simpler (one ACL on one router) but lets unwanted traffic cross the network; filtering at the source may require ACLs on several routers. |

---

#### 14.5.4 Standard ACL Placement Example

**Scenario**: Block traffic from `192.168.10.0/24` to `192.168.30.0/24`.
- Apply the standard ACL on R3 at the **G0/0/0 (outbound)** interface so that only traffic to the `.30` network is blocked. This ensures `.10` traffic can still reach other networks via R3.

```plaintext
R3(config)# ip access-list standard BLOCK_30
R3(config-std-nacl)# deny 192.168.10.0 0.0.0.255
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
R3(config)# interface g0/0/0
R3(config-if)# ip access-group BLOCK_30 out
```

---

#### 14.5.7 Extended ACL Placement Example

**Scenario**: Block FTP and Telnet traffic from `192.168.11.0/24` to `192.168.30.0/24`.
- Apply the extended ACL on the R1 **G0/0/1 (inbound)** interface to filter traffic from `.11` before it leaves R1.
```plaintext
R1(config)# ip access-list extended BLOCK_FTP_TELNET
R1(config-ext-nacl)# deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
R1(config-ext-nacl)# deny tcp 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 23
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface g0/0/1
R1(config-if)# ip access-group BLOCK_FTP_TELNET in
```

:::danger
**Check Your Understanding #1** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/8-5-8-check-your-understanding-guidelines-for-acl-placement-answers.html).
:::

:::danger
**Check Your Understanding #2** :ball
ot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/4-5-9-check-your-understanding-configure-standard-acls.html).
:::

:::danger
**Check Your Understanding #3** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/4-5-10-check-your-understanding-create-an-extended-acl-statement.html).
:::

:::danger
**Check Your Understanding #4** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/4-5-11-check-your-understanding-evaluate-extended-acls.html).
:::

>[!Warning]Recap
>When configuring and applying an ACL, be aware of the guidelines summarized in this list:
>- Create an ACL globally and then apply it.
>- Ensure the last statement is an implicit deny any or deny ip any any.
>- Remember that statement order is important because ACLs are processed top-down.
>- As soon as a statement is matched the ACL is exited.
>- Always filter from the most specific to the most generic.
>- For example, deny a specific host and then permit all other hosts.
>- Remember that only one ACL is allowed per interface, per protocol, per direction.
>- Remember that new statements for an existing ACL are added to the bottom of the ACL by default.
>- Remember that router-generated packets are not filtered by outbound ACLs.
>- Place standard ACLs as close to the destination as possible.
>- Place extended ACLs as close to the source as possible.
>
>Every ACL should be placed where it is the most efficient. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. Standard ACLs should be located as close to the destination as possible. Factors influencing ACL placement include the extent of organizational control, bandwidth of the networks involved, and ease of configuration.

### 14.6 Mitigate Attacks with ACLs

---

#### 14.6.1 Mitigate Spoofing Attacks

ACLs can mitigate threats such as IP address spoofing and denial-of-service (DoS) attacks by blocking illegitimate packets. Attackers often spoof source IP addresses to hide their identity; a packet arriving from the internet whose source is a private, loopback, multicast, unspecified or broadcast address cannot be legitimate and should be dropped at the edge.

##### Example: Block Spoofed Source IP Ranges
For an internet-facing interface (S0/0/0), configure an ACL that denies packets with known invalid or private source addresses:
```plaintext
R1(config)# access-list 150 deny ip host 0.0.0.0 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any
```
These ACEs only deny; because every ACL ends with an implicit deny, ACL 150 must also contain permit statements for the legitimate inbound traffic before it is applied inbound on S0/0/0.

For an internal interface (G0/0), restrict inbound traffic to packets sourced from the internal network, so that spoofed packets cannot leave it:
```plaintext
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
```

---

#### 14.6.2 Permit Necessary Traffic through a Firewall

An effective firewall strategy explicitly allows only the traffic that is needed (for example DNS, SMTP, FTP and secure remote access) and blocks everything else.
##### Example: Permit Specific Services
For an internet-facing interface (S0/0/0), configure an ACL that allows only the required services:
```plaintext
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap
```
Everything else is dropped by the implicit deny at the end of ACL 180.

---

#### 14.6.3 Mitigate ICMP Attacks

Attackers use ICMP for network reconnaissance and DoS attacks. Block unnecessary ICMP messages while permitting the ones needed for proper network operation.

##### Example: Filter Inbound ICMP Messages
For the external interface (S0/0/0), permit the essential ICMP types and deny the rest:
```plaintext
R1(config)# access-list 112 permit icmp any any echo-reply
R1(config)# access-list 112 permit icmp any any source-quench
R1(config)# access-list 112 permit icmp any any unreachable
R1(config)# access-list 112 deny icmp any any
R1(config)# access-list 112 permit ip any any
```

##### Example: Filter Outbound ICMP Messages
For the internal network (G0/0), allow only the ICMP types that inside hosts need to send:
```plaintext
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
R1(config)# access-list 114 deny icmp any any
R1(config)# access-list 114 permit ip any any
```

---

#### 14.6.4 Mitigate SNMP Attacks

SNMP can be exploited if left unprotected. ACLs can restrict SNMP traffic to authorized sources, but the best practice is to disable SNMP entirely if it is not required.
##### Example: Disable SNMP
To remove the attack surface entirely, disable SNMP services on the router:
```plaintext
Router(config)# no snmp-server
```

>[!Warning]Recap
>ACLs can be used to mitigate many network threats, such as IP address spoofing and DoS attacks. An effective strategy for mitigating attacks is to explicitly permit only certain types of traffic through a firewall. Both ICMP echo and redirect messages should be blocked inbound by the router. If SNMP is necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets from non-authorized systems. Several ICMP messages are recommended for proper network operation and should be allowed into the internal network, including echo reply, source quench, and unreachable. Several ICMP messages should be allowed to exit the network, including echo, parameter problem, packet too big, and source quench. As a rule, block all other ICMP message types outbound.

### 14.7 IPv6 ACLs

---

#### 14.7.1 IPv6 ACL Overview

As IPv6 adoption increases, new security threats emerge. Threat actors can exploit weaknesses in dual-stack environments (IPv4 and IPv6). For instance, attackers use IPv4 to introduce rogue IPv6 configurations, such as sending malicious Neighbor Discovery Protocol (NDP) messages, which allow them to infiltrate and pivot within a network. Techniques such as IPv6 ACLs can mitigate these risks by filtering traffic at the network edge.

![image](https://hackmd.io/_uploads/HJvUgjLVJe.png)

---

#### 14.7.2 IPv6 ACL Syntax

IPv6 ACLs are similar to IPv4 extended ACLs, but all IPv6 ACLs must be named and there is no standard ACL equivalent. IPv6 ACLs support source and destination address filtering, protocol-based filtering, and finer control using upper-layer protocol type information.

To create an IPv6 ACL:
1. Enter IPv6 ACL configuration mode:
   ```plaintext
   Router(config)# ipv6 access-list <access-list-name>
   ```
2. Configure access list entries with the following syntax:
   ```plaintext
   Router(config-ipv6-acl)# {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
   ```
3. Apply the IPv6 ACL to an interface:
   ```plaintext
   Router(config-if)# ipv6 traffic-filter <access-list-name> {in | out}
   ```

##### Key Parameters in IPv6 ACLs
| **Parameter** | **Description** |
|---|---|
| **deny \| permit** | Specifies whether to deny or permit the packet. |
| **protocol** | Name or number of an IPv6 protocol. |
| **source-ipv6-prefix/prefix-length** | IPv6 source network or class of networks to filter. |
| **destination-ipv6-prefix/prefix-length** | IPv6 destination network or class of networks to filter. |
| **any** | Matches all IPv6 addresses (`::/0`). |
| **host** | Specifies a single IPv6 address as the source or destination. |
| **operator** | (Optional) Compares ports with `lt` (less than), `gt` (greater than), `eq` (equal), or `neq` (not equal). |
| **port-number** | (Optional) Port number for TCP or UDP. |
| **dscp value** | Matches a DSCP value (0–63). |
| **fragments** | Matches non-initial fragments. |
| **log \| log-input** | Logs information about the matching packet. |
| **sequence value** | Specifies the sequence number of the ACL statement (1–4294967295). |
| **time-range name** | Specifies a time range during which the ACL statement applies. |

---

#### 14.7.3 Configure IPv6 ACLs

IPv6 ACLs end with an **implicit `deny ipv6 any any` rule**, meaning any traffic not explicitly permitted is denied.
However, IPv6 ACLs also contain implicit permit rules for **Neighbor Discovery Protocol (NDP)** traffic, namely neighbor advertisements (NA) and neighbor solicitations (NS). These implicit NDP permits sit after every configured entry, just before the implicit deny, so an explicit `deny ipv6 any any` would match NDP packets first and break neighbor discovery on the interface; that is why the ACL below permits `nd-na` and `nd-ns` explicitly before its final deny.

##### Example: Restrict IPv6 Traffic
To configure an IPv6 ACL that permits only traffic from a specific network while denying all others, with explicit NDP rules:
1. Define the ACL:
   ```plaintext
   R1(config)# ipv6 access-list LAN_ONLY
   R1(config-ipv6-acl)# permit ipv6 2001:db8:1:1::/64 any
   R1(config-ipv6-acl)# permit icmp any any nd-na
   R1(config-ipv6-acl)# permit icmp any any nd-ns
   R1(config-ipv6-acl)# deny ipv6 any any
   ```
2. Verify the ACL:
   ```plaintext
   R1# show ipv6 access-list
   IPv6 access list LAN_ONLY
       permit ipv6 2001:DB8:1:1::/64 any sequence 10
       permit icmp any any nd-na sequence 20
       permit icmp any any nd-ns sequence 30
       deny ipv6 any any sequence 40
   ```

>[!Warning]Recap
>IPv6 has several features that meet modern-day network requirements: IPsec, Mobile IP, RSVP, and address scalability. Dual stack is an integration method in which a device has connectivity to both IPv4 and IPv6 networks. In a dual stack environment, devices operate with two IP protocol stacks. Attackers can accomplish stealth attacks that result in trust exploitation by using dual-stacked hosts, rogue NDP messages, and tunneling techniques. To mitigate attacks against IPv6 infrastructures and protocols, the strategy should include filtering at the edge using various techniques, such as IPv6 ACLs. The ACL functionality in IPv6 is similar to ACLs in IPv4. However, there is no equivalent to IPv4 standard ACLs. In addition, all IPv6 ACLs must be configured with a name. IPv6 ACLs allow filtering based on source and destination addresses that are traveling inbound and outbound to a specific interface. They also support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control, similar to extended ACLs in IPv4.
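The implicit IPv6 ACL entries and the reason the LAN_ONLY ACL in 14.7.3 lists `nd-na` and `nd-ns` before its explicit `deny ipv6 any any`, modelled in Python as an added example (not course material or Cisco's code). The neighbor solicitation packet and the hosts are constructed from the 2001:db8::/32 documentation prefix; only address, protocol and ICMPv6 type matching is modelled, not ports or the other options.

```python
"""Cisco IOS IPv6 ACL evaluation model (added example; not the cheat sheet's or
Cisco's code). Every IPv6 ACL ends with three implicit entries, evaluated after
the configured ones: permit icmp any any nd-na, permit icmp any any nd-ns,
deny ipv6 any any. An explicit 'deny ipv6 any any' therefore shadows the NDP
permits unless they are also configured explicitly, as LAN_ONLY does."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Union

ANY6 = IPv6Network("::/0")

@dataclass(frozen=True)
class ACE6:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ipv6" matches every protocol
    src: IPv6Network
    dst: IPv6Network
    icmp_type: Optional[str] = None  # e.g. "nd-na", "nd-ns"

@dataclass(frozen=True)
class Packet6:
    protocol: str
    src: IPv6Address
    dst: IPv6Address
    icmp_type: Optional[str] = None

IMPLICIT_TAIL = (
    ACE6("permit", "icmp", ANY6, ANY6, "nd-na"),
    ACE6("permit", "icmp", ANY6, ANY6, "nd-ns"),
    ACE6("deny", "ipv6", ANY6, ANY6),
)

def _parse_prefix6(tokens: list[str]) -> IPv6Network:
    """Consume 'any', 'host <address>' or '<prefix>/<length>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY6
    if tok == "host":
        return IPv6Network(tokens.pop(0) + "/128")
    return IPv6Network(tok, strict=False)

def parse_ace6(line: str) -> ACE6:
    """Parse e.g. 'permit icmp any any nd-ns'; ports and other options are not modelled."""
    tokens = line.split()
    action, protocol = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_prefix6(tokens), _parse_prefix6(tokens)
    return ACE6(action, protocol, src, dst, tokens.pop(0) if tokens else None)

def evaluate6(acl_lines: list[str], pkt: Packet6) -> tuple[str, Union[int, str]]:
    """First match wins. Returns (action, sequence number 10/20/...) for a configured
    entry, or (action, "implicit") when one of the implicit entries matched."""
    configured = [parse_ace6(line) for line in acl_lines]
    for index, ace in enumerate(configured + list(IMPLICIT_TAIL)):
        if ace.protocol not in ("ipv6", pkt.protocol):
            continue
        if pkt.src not in ace.src or pkt.dst not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, ((index + 1) * 10 if index < len(configured) else "implicit")
    raise AssertionError("unreachable: the implicit deny matches every packet")

# The LAN_ONLY ACL from section 14.7.3, and the same policy without explicit NDP permits.
LAN_ONLY = ["permit ipv6 2001:db8:1:1::/64 any", "permit icmp any any nd-na",
            "permit icmp any any nd-ns", "deny ipv6 any any"]
LAN_ONLY_NO_NDP = ["permit ipv6 2001:db8:1:1::/64 any", "deny ipv6 any any"]

# Constructed neighbor solicitation: link-local source to a solicited-node multicast group.
NS = Packet6("icmp", IPv6Address("fe80::1"), IPv6Address("ff02::1:ff00:1"), "nd-ns")

def demo() -> dict[str, tuple[str, Union[int, str]]]:
    # constructed hosts in the documentation prefix 2001:db8::/32
    lan_host = Packet6("tcp", IPv6Address("2001:db8:1:1::10"), IPv6Address("2001:db8:2::1"))
    other_host = Packet6("tcp", IPv6Address("2001:db8:9::10"), IPv6Address("2001:db8:2::1"))
    return {
        "lan_host": evaluate6(LAN_ONLY, lan_host),
        "other_host": evaluate6(LAN_ONLY, other_host),
        "ns_explicit_ndp": evaluate6(LAN_ONLY, NS),
        "ns_shadowed_ndp": evaluate6(LAN_ONLY_NO_NDP, NS),
        "ns_empty_acl": evaluate6([], NS),
    }
```

With LAN_ONLY_NO_NDP the neighbor solicitation is denied by the explicit `deny ipv6 any any` at sequence 20 before the implicit NDP permits are ever reached, which is the failure the explicit `nd-na`/`nd-ns` entries in LAN_ONLY prevent.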