ACL (Access Control Lists)
Manage IP traffic as network access grows
Filter packets as they pass through the router
ACLs
Telnet access to the router itself is restricted with a separate access list applied to the vty lines, not with an interface ACL.
When configuring ISDN dial-on-demand you also need an access list, to define the "interesting" traffic that brings up the link.
There is an implicit deny at the bottom of every list.
Put the most specific (restrictive) statements first: the list is evaluated top-down and the first matching statement wins.
There are two types of IP access list: Standard and Extended.
[Figure: sample topology with networks N1-N6 (192.168.12.0, 192.168.34.0, 192.168.56.0) and hosts 192.168.12.2 and 192.168.12.3.]
Standard: checks the source address only; permits or denies the entire IP protocol suite.
Extended: checks source and destination address; generally permits or denies specific protocols and ports.

Standard IP lists (1-99) test conditions of all IP packets based on source address.
Extended IP lists (100-199) test conditions of source and destination address, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999): expanded range.
Extended IP lists (2000-2699): expanded range.
Standard ACLs
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard]
The no form of this command is used to remove a standard ACL:
Router(config)#no access-list access-list-number
Wildcard Mask
access-list 99 permit 192.168.1.1 wildcard-mask
All 32 bits of an IP address can be filtered. The wildcard mask is an inverse mask: 0 = bit must match, 1 = bit is ignored.

Wildcard mask (applied to 192.168.1.1)   Matching IP addresses
0.0.0.0 (host)                           192.168.1.1 only
0.0.0.255                                192.168.1.0-255
0.0.255.255                              192.168.0-255.0-255
0.255.255.255                            192.0-255.0-255.0-255
255.255.255.255 (any)                    0-255.0-255.0-255.0-255
Reading an ACL
1. First hit or best fit? An ACL is first hit: statements are tested top-down and the first one that matches decides; nothing after it is examined. The keyword forms are shorthand for wildcard masks:
   access-list 99 deny 192.168.1.1 0.0.0.0           (same as: deny host 192.168.1.1)
   access-list 99 permit 0.0.0.0 255.255.255.255     (same as: permit any)

2. Order matters because of first hit:
   access-list 99 permit 192.168.1.0 0.0.0.255
   access-list 99 deny host 192.168.1.1
   access-list 99 permit any
   The deny on line 2 is never reached: 192.168.1.1 already matches the permit for 192.168.1.0/24 on line 1.

3. Implicit deny at the end of every ACL:
   access-list 99 deny host 192.168.1.1
   With no permit statement, this list denies 192.168.1.1 explicitly and every other source implicitly, so no traffic passes.
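To make the wildcard-mask and first-hit rules concrete, here is a small evaluator for standard ACLs. It is an added example, not code from the original slides: the statement format it parses and the three sample lists are taken from the examples above, while the function names and the use of Python's ipaddress module are this example's own choices.

```python
"""Minimal evaluator for Cisco-style standard IP ACLs (added example, not
from the original slides). Shows wildcard-mask matching, first-hit
evaluation and the implicit deny at the end of every list."""
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored.
    The mask is bitwise, not a prefix length, so 0.0.0.254 is legal and
    matches every address whose last octet has the same lowest bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF        # bits that must match
    return (to_int(packet_src) & care) == (to_int(acl_addr) & care)


def parse_standard_entry(line: str):
    """'access-list N {permit|deny} <source>' -> (action, address, wildcard).
    Accepts 'host A', 'any', 'A W', and a bare 'A' (treated as a host)."""
    parts = line.split()
    action, rest = parts[2], parts[3:]
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if len(rest) == 1:
        return action, rest[0], "0.0.0.0"
    return action, rest[0], rest[1]


def evaluate(acl_lines, packet_src: str):
    """Return (action, index of the statement that matched).
    First hit wins; if nothing matches, the implicit deny applies and the
    index is None."""
    for i, line in enumerate(acl_lines):
        action, addr, wildcard = parse_standard_entry(line)
        if wildcard_match(packet_src, addr, wildcard):
            return action, i
    return "deny", None


# The three lists from "Reading an ACL" above (constructed input).
ACL_ONE = [
    "access-list 99 deny 192.168.1.1 0.0.0.0",
    "access-list 99 permit 0.0.0.0 255.255.255.255",
]
ACL_TWO = [
    "access-list 99 permit 192.168.1.0 0.0.0.255",
    "access-list 99 deny host 192.168.1.1",
    "access-list 99 permit any",
]
ACL_THREE = [
    "access-list 99 deny host 192.168.1.1",
]

if __name__ == "__main__":
    for name, acl in (("one", ACL_ONE), ("two", ACL_TWO), ("three", ACL_THREE)):
        for src in ("192.168.1.1", "192.168.1.2", "10.0.0.1"):
            print(name, src, evaluate(acl, src))
```

In list two the host deny is reported as dead: 192.168.1.1 returns a permit from statement 0, so the deny on statement 1 can never fire. List three returns `("deny", None)` for every source except 192.168.1.1, which is the implicit deny at work.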
Creating ACLs
ACLs are created in global configuration mode. There are many different types of ACLs, including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the range of numbers that is valid for that type of list. Since IP is by far the most popular routed protocol, additional ACL numbers have been added in newer IOS releases: Standard IP 1300-1999, Extended IP 2000-2699.
An ACL only takes effect once it is applied to an interface in one direction:
Router(config-if)#ip access-group access-list-number { in | out }

[Figure: two-router topology used in the examples. Host A 192.168.0.18/29 sits on the LAN behind router interface E0 192.168.0.17/29; host B 192.168.0.34/28 sits on the LAN behind router interface E0 192.168.0.33/28; the routers are joined by serial links 192.168.0.6/30 (S0) and 192.168.0.10/30 (S1/S0).]
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination addresses of the packet and can also check the protocol and port numbers. At the end of an extended ACL statement, additional precision is gained from an optional field that specifies a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. Logical operators such as equal (eq), not equal (neq), greater than (gt), and less than (lt) can be applied to that port for TCP and UDP entries. Extended ACLs use an access-list-number in the range 100 to 199 (also 2000 to 2699 in recent IOS).
Configuration
Router(config)#access-list acl# {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port]
Protocol: ip, tcp, udp, icmp, ospf, eigrp (ip matches the whole IP suite)
Operator (TCP/UDP only): eq, gt, lt, neq
[Figure: topology for the two examples below. Router B has Fa0/1 200.0.0.17/28 facing 200.0.0.18/28; host 192.168.0.18/29 is behind router interface E0 192.168.0.17/29 (router A side); host 192.168.0.34/28 is behind router interface E0 192.168.0.33/28; serial links 192.168.0.6/30 (S0) and 192.168.0.10/30 (S1/S0) connect the routers.]
Example 1: 192.168.0.34 should be denied FTP to 192.168.0.18. On router R1:
Router(config)#access-list 100 deny tcp 192.168.0.34 0.0.0.0 192.168.0.18 0.0.0.0 eq 21
Router(config)#access-list 100 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 100 in
(192.168.0.34 0.0.0.0 is the same as host 192.168.0.34. Only the FTP control connection to port 21 from that one source is dropped; the permit ip any any that follows is needed because of the implicit deny.)

Example 2: 192.168.0.18 should be denied web access to 192.168.0.34. On router R3:
Router(config)#access-list 100 deny tcp 192.168.0.18 0.0.0.0 192.168.0.34 0.0.0.0 eq 80
Router(config)#access-list 100 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 100 in
Deny FTP for everyone
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or, using the port keyword instead of the number:
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any
Note that eq 21 matches only the FTP control connection. The data connection (port 20 in active mode, or a high port in passive mode) is not matched by this statement and is still permitted by the permit ip any any.
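The following evaluator for extended ACL statements is an added example, not code from the original slides. It parses the protocol, source, destination and optional operator/port fields in the syntax shown above and checks constructed packets against ACL 100 and ACL 101, so you can see which traffic the FTP deny actually catches. The Packet class, the small port-name table and the function names are this example's own assumptions, not IOS behaviour beyond what the slides describe.

```python
"""Evaluator for Cisco-style extended IP ACL statements (added example,
not from the original slides): protocol, source, destination and an
optional port operator, evaluated first-hit with an implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the IOS port keywords (assumed for this example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

OPERATORS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
}


@dataclass
class Packet:
    """Constructed packet summary: protocol name, addresses, destination port."""
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(acl_addr) & care)


def take_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A W').
    Returns (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_extended_entry(line: str) -> dict:
    """'access-list N {permit|deny} proto src dst [op port]' -> dict."""
    t = line.lower().split()
    entry = {"action": t[2], "proto": t[3], "op": None}
    entry["src"], entry["src_wc"], rest = take_address(t[4:])
    entry["dst"], entry["dst_wc"], rest = take_address(rest)
    if rest:                                   # destination port operator
        port = rest[1]
        number = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        entry["op"] = (rest[0], number)
    return entry


def entry_matches(entry: dict, pkt: Packet) -> bool:
    """Protocol, source, destination and (if present) port must all match.
    Protocol 'ip' matches the whole suite; an operator needs a TCP/UDP port."""
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, entry["src"], entry["src_wc"]):
        return False
    if not wildcard_match(pkt.dst, entry["dst"], entry["dst_wc"]):
        return False
    if entry["op"] is not None:
        op, number = entry["op"]
        if pkt.dport is None or not OPERATORS[op](pkt.dport, number):
            return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """First hit wins; (action, statement index) or ('deny', None) for
    the implicit deny at the end of the list."""
    for i, line in enumerate(acl_lines):
        if entry_matches(parse_extended_entry(line), pkt):
            return parse_extended_entry(line)["action"], i
    return "deny", None


# The two lists from the FTP examples above (constructed input).
ACL_100 = [
    "access-list 100 deny tcp 192.168.0.34 0.0.0.0 192.168.0.18 0.0.0.0 eq 21",
    "access-list 100 permit ip any any",
]
ACL_101 = [
    "access-list 101 deny tcp any any eq ftp",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ACL_100, Packet("tcp", "192.168.0.34", "192.168.0.18", 21)))
    print(evaluate(ACL_100, Packet("tcp", "192.168.0.18", "192.168.0.34", 21)))
    print(evaluate(ACL_101, Packet("tcp", "10.0.0.1", "10.0.0.2", 20)))
```

Two results are worth noticing. ACL 100 does not stop 192.168.0.18 from opening FTP to 192.168.0.34, because the source and destination in the statement are fixed and only one direction is described. ACL 101 permits a TCP packet to port 20 and a UDP packet to port 21: the deny names tcp and eq 21, so the FTP data channel and other protocols fall through to the permit.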
Rules
Apply an extended access list as close to the source as possible: it identifies both source and destination, so unwanted traffic can be dropped before it crosses the network.
Apply a standard access list as close to the destination as possible: it filters on source only, so placing it near the source would also block that source's traffic to every other destination.
Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2, and the same name may not be used for more than one ACL.
Named ACLs
A numbered access list gives no hint of what it filters; a name can. Named ACLs support both standard (basic) and extended (advanced) filtering. Naming rules: the name cannot start with a digit or "!", cannot contain a space, must not contain the "?" character anywhere, and is case sensitive.