Thursday, December 16, 2010

Domain 4 - Mitigate threats to Cisco routers and networks using ACLs ccie bootcamp training institute in new delhi

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Access Lists Types
Access Control Lists (ACLs) control the flow of traffic by filtering packets against a configured set of
match statements. Cisco IP ACLs are divided into two main groups:
Standard ACL – Filters on the source IP address only. Best practice is to apply it close to
the destination.
Extended ACL – Filters on source and destination addresses as well as specific services (TCP and
UDP ports). Best practice is to apply it close to the source.
Access List Configuration
An access-list must first be defined and then applied. A standard access-list is defined with the
following command:
router(config)#access-list access-list-number {permit | deny} source source-wildcard
The access-list-number of a standard access-list must be from 1 through 99 or 1300 through 1999. The
source parameter is a host address or the address of a network. The optional source-wildcard parameter
is a wildcard mask that selects which bits of source must match (a 0 bit must match, a 1 bit is ignored).
An extended access-list is defined with the following command:
router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard operator port
The access-list-number of an extended access-list must be from 100 through 199 or 2000 through 2699.
The protocol parameter specifies the protocol to match (for example ip, tcp, udp or icmp). The source and
destination parameters are each a host address or a network address, and source-wildcard and
destination-wildcard are the wildcard masks that select which bits of each address must match. The
optional operator and port parameters match on a port: the operator can be lt (less than), gt (greater
than), eq (equal), neq (not equal) or range (inclusive range), and port is either a port number or the
name of the service.
Access lists can also be configured as named ACLs. With this method the access list is configured
a little differently. The commands required to set up an access-list this way are as follows:
router(config)#ip access-list standard name
or
router(config)#ip access-list extended name
These first commands create the access-list itself and enter access-list configuration mode.
router(config-std-nacl)#permit source source-wildcard
router(config-std-nacl)#deny source source-wildcard
These two commands are used in standard access-list configuration mode and take the same parameters
as the numbered access-list commands.
router(config-ext-nacl)#permit protocol source source-wildcard destination destination-wildcard operator port
router(config-ext-nacl)#deny protocol source source-wildcard destination destination-wildcard operator port
These two commands are used in extended access-list configuration mode and take the same parameters
as the numbered access-list commands.
In order to display the current access-list configuration, the following command is used:
router#show access-list [access-list-number | access-list-name]
Another feature available on some routers is Turbo ACL. It compiles the configured ACLs into lookup
tables so that each packet is classified with a small, fixed number of lookups instead of a sequential
walk through every entry of the list.
Turbo ACL is enabled on a supported router with the following command:
router(config)#access-list compiled
Once the ACLs have been defined with the above commands they must be applied to a specific
interface or line, together with the direction in which the access-list is to be evaluated. The two
options are as follows:
Inbound (in) – All packets received on the interface or line are checked against the access-list.
Outbound (out) – All packets transmitted on the interface or line are checked against the access-list.
The configuration used to apply the access-list is as follows:
router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
or
router(config-subif)#ip access-group {access-list-number | access-list-name} {in | out}
or
router(config-line)#access-class {access-list-number | access-list-name} {in | out}
SDM Access-list Configuration
The other method of configuring ACLs is using the SDM interface. The following figures show the different
screens which are used to configure ACLs.
Figure 11 - Initial SDM Access-list Screen
Figure 12
Access List Caveats
As with all features, there are a number of caveats which must be considered when designing
ACLs. The specific access-list caveats are as follows:
Implicit deny: every ACL ends with an unwritten deny-all, so a packet that matches no statement is dropped.
Standard ACLs are limited to source address matching.
ACLs are evaluated in sequential order: the first matching statement decides, and later statements are
never consulted for that packet.
ACLs are applied directionally.
Modifying a numbered ACL is hard because new statements are automatically added to the end
of the list.
Preventing IP Spoofing
One of the main things an ACL can prevent is IP spoofing. This requires two main ACL statements:
Ensure internal IP addresses are not used as the source of traffic arriving on the outside interface.
Ensure external IP addresses are not used as the source of traffic arriving on the inside interface.
The following is a simple sample network diagram:
In this case you want to block any traffic with a source in the 192.168.1.0/24 network coming in the Fa0/1
interface, and block any traffic with a source outside the 192.168.1.0/24 network coming in the Fa0/0
interface. These can be represented as shown below and are applied inbound on the Fa0/1 interface:
