If a packet does not match any of the access control entries in an ACL then it matches an Implicit Deny ACE that is present at the bottom in all ACLs. The Implicit Deny ACE is a deny all statement that denies all packets. In case this behavior is not required and packets that do not match any ACE must be forwarded, an ACE must be specified at the bottom of ACL that permits all packets. This type of ACE is known as explicit permit.
A. Access Control List is a multipurpose tool that is typically used as filtering tool. ACLs can be used for
- Filtering traffic entering and existing an interface Controlling access to VTY lines
- Route update filtering
- As a traffic classification tool when used with QoS
- Dial-on-demand routing (DDR) with ISDN
- Restricting output of debug commands
Types of Access List
There are two types of IP Access Lists
1. Standard ACL
Traffic is filtered based on source address of the IP packet. Since only the source address is matched, therefore, standard ACLs are efficient in filtering traffic closet to the destination
2. Extended
Traffic can be filtered based on source address as well as destination address and other filed in IP header including source and destination protocol and port number, ToS and IP Precedence bits and TCP flags, TTL value
Numbered and Named ACLsC
An ACL can be identified as either named or numbered.
Numbered standard ACLs range 1-to-99 and 1300-to-1999 and extended ACL ranges from 100-to-199 and 2000-to-2699
ACL Rule
Only one ACL per interface, per protocol, per direction is allowed Inbound packets are always processed by an ACL (if applied) before being routed. Outbound packets are routed before processed by an ACL (if applied) ACLs are processed in sequential order, therefore most specific trafficmatch must occur in the beginning of the ACL
Wildcard Mask
Address filtering uses wildcard masking indicate whether to check or ignore corresponding IP address bit when comparing address bits in an ACL entry
Wildcard masks are sometimes referred as an inverted mask because 1 and 0 means the opposite of subnet mask.
Wildcard mask bit 0 means check the corresponding bit and 1 means ignore the corresponding bit
ACL Syntax
An ACL is implemented in two steps:define an ACL with “access-list” or “ip access-list” commandapply the ACL under specific interface in the required direction with “ip access-group” command
STEP-1: Define an ACLStandard ACL: Access-list acl-number {permit|deny} {host|source source-wildcard|any}
Extended ACL:access-list acl-number {permit|deny} protocol source wildcard [operator [port]] destination wildcard [operator [port]] [precedence precedence] [tos tos]
Named Standard ACL:ip access-list standard name {permit|deny} {source [source-wildcard] | any} [log
Named Extended ACL:ip access-list extended name {permit|deny} protocol source wildcard [operator [port]] destination wildcard [operator [port]] [precedence precedence] [tos tos]
STEP-2: Apply the ACLinterface <interface-id> ip access-group {number|name} {in|out}
Configuration Example: Standard ACL
Requirement: Web-Server 10.1.1.10 behind R2 should not be accessible by hosts 192.168.1.10 & 11
Router R2:
access-list 10 deny host 192.168.1.10
access-list 10 deny host 192.168.1.11
access-list 10 permit any
!
interface serial0/0
ip address 172.16.12.2 255.255.255.0
ip access-group 10 in
Configuration Example: Extended ACL
Requirement: Any access on port 80 should not be allowed from host 192.168.1.10 and 11 to web-server
10.1.1.10. Other hosts on the 192.168.1.0/24 network should be allowed access the web server only on
port 80
Router R1:
access-list 101 deny tcp host 192.168.1.10 host 10.1.1.10 eq 80
access-list 101 deny tcp host 192.168.1.11 host 10.1.1.10 eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq 80
!
interface fastethernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
Configuration Example: Named Extended ACL
Requirement: Only 192.168.1.10 should be allowed access to web-server 10.1.1.10 on port 80 and 3389.
Other hosts should be allowed access only on port 8080.
Router R1:
ip access-list extended web-server-acl
permit tcp host 192.168.1.10 host 10.1.1.1 eq 80
permit tcp host 192.168.1.10 host 10.1.1.1 eq 3389
permit tcp any host 10.1.1.10 eq 8080
!
interface fastethernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group web-server-acl in
Troubleshooting Command
1. show running-configuration | include access-list
2. show access-list [name | number]
No comments:
Post a Comment