ACL (Access Control List) can be used for:
- Packet security / filtering
- Defining "interesting" traffic for dial-on-demand routing (DDR): the dial-up line is brought up only when "interesting" traffic appears
- QoS (not in CCNA, but in CCVP, CCIP and CCNP)
- NAT
- Controlling routing advertisements, by filtering routing updates
Creation - types of ACLs
- Standard IP ACLs
- Match on the source IP address only
- Predefined ranges: 1-99, 1300-1999
rt# configure terminal
rt(config)# access-list <acl#> permit|deny <source> [<wildcard>]
rt(config)# access-list 10 deny 172.16.0.15
rt(config)# access-list 10 permit any
rt(config)# access-list 20 deny 10.0.0.55 0.0.0.0
rt(config)# access-list 20 permit 10.0.0.0 0.255.255.255
Extended IP ACLs
- Can filter on source host, destination host, protocol, source port, destination port, and the ICMP message type when the protocol is ICMP
- Predefined ranges: 100-199, 2000-2699
rt# configure terminal
rt(config)# access-list <acl#> permit|deny {ip|tcp|udp|icmp}
            {host <source> | <source> <wildcard> | any}
            {host <destination> | <destination> <wildcard> | any}
            [eq|gt|lt|range <port>] [<icmp-message-type>]
The following two statements are the same (specify host, or the address with an all-zeros wildcard):
rt(config)# access-list 100 deny tcp host 172.16.0.15 host 172.16.0.1
rt(config)# access-list 100 deny tcp 172.16.0.15 0.0.0.0 172.16.0.1 0.0.0.0
Forbids telnet from host 172.16.0.1 to any host in the network 172.17.0.0/16 (telnet is TCP port 23, and the number must be in an extended range):
rt(config)# access-list 101 deny tcp host 172.16.0.1 172.17.0.0 0.0.255.255 eq 23
Named ACLs
- Use names instead of numbers - more clarity
rt(config)# ip access-list extended magnolia
rt(config-ext-nacl)# deny tcp host 172.16.0.15 host 172.16.0.1
rt(config-ext-nacl)# permit ip any any
Apply ACLs on interfaces or lines
In the case of interfaces:
Router(config-if)# ip access-group <acl#> [in|out]
Examples:
Router(config)# interface e1
Router(config-if)# ip access-group 1 (apply ACL 1; without a direction, out is assumed)
Router(config-if)# ip access-group 1 out
Router(config-if)# no ip access-group 1 (remove the ACL)
Router(config-if)# ip access-group magnolia in (named ACL)
In the case of terminal (vty) lines:
Router(config-line)# access-class <acl#> [in|out]
On vty lines, ACLs should always be applied inbound, or strange things can happen.
Examples:
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in (apply ACL 1 to the vty lines)
Wildcard masks
- They define how much of an address needs to be looked at for there to be a match: a 0 bit must match, a 1 bit is ignored.
- Not a netmask.
rt(config)# access-list 3 deny 10.0.0.55 0.0.0.0 (matches the host exactly)
rt(config)# access-list 3 deny 10.0.0.0 0.255.255.255 (matches the whole 10.0.0.0/8 network)
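To make the wildcard arithmetic concrete, here is an added Python model of Cisco wildcard matching; it is not part of the original notes. It implements the rule that 0 bits in the wildcard must match and 1 bits are ignored, derives the wildcard for a contiguous prefix (the inverted netmask, which is why a wildcard is not a netmask), and shows that a wildcard does not have to be contiguous. The sample addresses are the ones from the statements above plus constructed test addresses.

```python
from ipaddress import IPv4Address, IPv4Network

HOST_WILDCARD = "0.0.0.0"          # "host A" is shorthand for "A 0.0.0.0"
ANY_WILDCARD = "255.255.255.255"   # "any" is shorthand for "0.0.0.0 255.255.255.255"


def _as_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: where the wildcard bit is 0 the packet bit must
    equal the ACL bit; where it is 1 the bit is not looked at."""
    care_bits = ~_as_int(wildcard) & 0xFFFFFFFF
    return ((_as_int(packet_addr) ^ _as_int(acl_addr)) & care_bits) == 0


def wildcard_for_prefix(cidr: str) -> str:
    """Wildcard that matches one contiguous prefix: the inverted netmask
    (10.0.0.0/8 -> 0.255.255.255, 172.17.0.0/16 -> 0.0.255.255)."""
    net = IPv4Network(cidr, strict=False)
    return str(net.hostmask)


def addresses_covered(wildcard: str) -> int:
    """How many addresses one statement with this wildcard covers: 2 ** (1 bits)."""
    return 1 << bin(_as_int(wildcard)).count("1")


if __name__ == "__main__":
    # The two statements from the notes above
    print(wildcard_match("10.0.0.55", "10.0.0.55", HOST_WILDCARD))    # True
    print(wildcard_match("10.0.0.56", "10.0.0.55", HOST_WILDCARD))    # False
    print(wildcard_match("10.200.3.4", "10.0.0.0", "0.255.255.255"))  # True
    # A wildcard need not be contiguous: 0.0.1.255 on 10.0.0.0 covers
    # 10.0.0.0/24 and 10.0.1.0/24 (constructed example)
    print(wildcard_match("10.0.1.77", "10.0.0.0", "0.0.1.255"))       # True
    print(wildcard_for_prefix("172.17.0.0/16"))                       # 0.0.255.255
```

`addresses_covered` is a quick sanity check when reviewing a list: a wildcard with many 1 bits covers far more than the author may have intended.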
Rules of thumb in creating / applying ACLs
- Standard ACLs should be placed as close as possible to the destination (since they can only specify the source)
- Extended ACLs should be placed as close as possible to the source
- Write the ACL in a text editor, then paste it into the router
- Only named ACLs allow removal of a specific statement
Troubleshooting
- show ip interface - tells whether an ACL is applied to that interface, and in which direction (in/out)
- show access-lists - shows all ACLs configured on the router
- show ip access-lists - shows only the IP ACLs on the router
- show access-list - same as above
- With ACLs, order is important: the order of the statements is the order in which the router processes them, and the first match wins
- Always look for a permit any at the end; by default an ACL ends with an implicit deny all if nothing else is specified
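The two troubleshooting points above (first match wins, implicit deny at the end) and the creation syntax earlier are easiest to see with a small evaluator. The following Python is an added, simplified model written for these notes, not router code: it parses the numbered-ACL statements used above, walks the list top to bottom like the router does, reports the implicit deny as a miss, and flags statements that are unreachable because an earlier `ip any any` catch-all shadows them. It only models the destination port operator and ignores features such as `established` or source-port matching; the sample lists are constructed from the statements in the notes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" == 0.0.0.0 with an all-ones wildcard
STANDARD = [(1, 99), (1300, 1999)]     # numbered ranges from the notes
EXTENDED = [(100, 199), (2000, 2699)]


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_op: Optional[str] = None  # eq | gt | lt | range, applied to the destination port
    ports: Tuple[int, ...] = ()


def _match(pkt: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 0 must match; bits set to 1 are not looked at."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((int(IPv4Address(pkt)) ^ int(IPv4Address(base))) & care) == 0


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def _in(number: int, ranges) -> bool:
    return any(lo <= number <= hi for lo, hi in ranges)


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' statement (syntax as in the notes)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if _in(number, STANDARD):                    # standard: source only, any destination
        if len(rest) == 1 and rest[0] != "any":  # bare address means that host
            rest.append("0.0.0.0")
        src, src_wc = _parse_addr(rest)
        return Entry(action, "ip", src, src_wc, *ANY)
    if not _in(number, EXTENDED):
        raise ValueError("%d is not a standard or extended IP ACL number" % number)
    proto = rest.pop(0)
    src, src_wc = _parse_addr(rest)
    dst, dst_wc = _parse_addr(rest)
    port_op, ports = None, ()
    if rest:                                     # e.g. "eq 23" or "range 20 21"
        port_op, ports = rest[0], tuple(int(p) for p in rest[1:])
    return Entry(action, proto, src, src_wc, dst, dst_wc, port_op, ports)


def _port_ok(e: Entry, dport: int) -> bool:
    if e.port_op is None:
        return True
    ops = {"eq": dport == e.ports[0], "gt": dport > e.ports[0],
           "lt": dport < e.ports[0], "range": e.ports[0] <= dport <= e.ports[-1]}
    return ops[e.port_op]


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: int = 0) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match decides. Falling off the end is the implicit
    deny, reported with index None so the caller can tell it from an explicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(src, e.src, e.src_wc) and _match(dst, e.dst, e.dst_wc)):
            continue
        if _port_ok(e, dport):
            return e.action, i
    return "deny", None


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of statements that can never be reached because an earlier
    'ip any any' catch-all (permit or deny) already matches every packet."""
    for i, e in enumerate(acl):
        if e.proto == "ip" and (e.src, e.src_wc) == ANY and (e.dst, e.dst_wc) == ANY \
                and e.port_op is None:
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample lists built from the statements in the notes above
ACL_20 = [parse_entry(s) for s in (
    "access-list 20 deny 10.0.0.55 0.0.0.0",
    "access-list 20 permit 10.0.0.0 0.255.255.255",
)]
ACL_101 = [parse_entry(s) for s in (
    "access-list 101 deny tcp host 172.16.0.1 172.17.0.0 0.0.255.255 eq 23",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "172.16.0.1", "172.17.5.9", 23))  # ('deny', 0)
    print(evaluate(ACL_101, "tcp", "172.16.0.1", "172.17.5.9", 22))  # ('permit', 1)
    print(evaluate(ACL_20, "ip", "192.0.2.1", "10.1.1.1"))           # ('deny', None): implicit deny
    print(shadowed_entries(list(reversed(ACL_101))))                  # [1]: deny placed after permit any
```

Running `shadowed_entries` over a list before pasting it into the router catches the classic mistake of putting `permit ip any any` first; the router accepts such a list without complaint and the deny statements simply never fire.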