Monday, 8 June 2015

CCENT ACL


ACL types:

Named, Numbered
Standard, Extended
 

Standard:
1 - 99
1300 - 1999

Extended:
100 - 199
2000 - 2699

Standard ACLs filter on the source address only.
Extended ACLs filter on source address, destination address,
protocol and port number.

ACL Rules:
1. Only one ACL per interface, per protocol, per direction.
   This means one inbound and one outbound IP ACL per interface.
2. More specific rules at the top: entries are checked top-down and the first match wins.
3. A new entry is placed at the bottom of the list.
4. Removing a single line from an ACL is only possible with a named ACL.
5. Implicit deny at the end, hence every ACL needs at least one permit statement.
6. An ACL with no statements applied to an interface has no effect (all traffic is permitted).
7. ACLs filter traffic going through the Router, not traffic originating
   from the Router.
8. Place IP standard ACLs as close to the destination as possible.
9. Place IP extended ACLs as close to the source as possible.


ACL configuration:

Standard ACL:

Router(config)#access-list 10 deny 192.168.3.3 0.0.0.0
Router(config)#int g0/0
Router(config-if)#ip access-group 10 out


Extended ACL:

Router(config)#access-list 100 deny tcp any host 192.168.10.200 eq 23
Router(config)#int g0/0
Router(config-if)#ip access-group 100 out

Note: a port can be given by number or by name: eq 23 or eq telnet, eq 80 or eq www, eq 21 or eq ftp.

Named ACL:

Router(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
Router(config)#ip access-list standard ?
<1-99> Standard IP access-list number
WORD Access-list name
Router(config)#ip access-list standard jedi
Router(config-std-nacl)#deny 192.168.4.4
Router(config-std-nacl)#exit
Router(config)#int g0/0
Router(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
Router(config-if)#ip access-group jedi ?
in inbound packets
out outbound packets
Router(config-if)#ip access-group jedi out ?
<cr>
Router(config-if)#ip access-group jedi out


Editing a Named ACL, removing specific lines:
Step 1 : Create the Named ACL
Router(config)#ip access-list extended FTP-FILTER
Router(config-ext-nacl)#?
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment

Router(config-ext-nacl)#1 deny tcp 192.168.1.2 0.0.0.0 host 192.168.3.3 range 20 21
Router(config-ext-nacl)#2 deny tcp 192.168.1.3 0.0.0.0 host 192.168.3.2 eq 80
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#end

[Note the sequence numbers (1 and 2) at the start of each entry; they are what you use to edit the list.]

Step 2: Delete the entry by its sequence number
Router(config)#ip access-list extended FTP-FILTER
Router(config-ext-nacl)#no 2
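To see rules 2, 3 and 5 above and the sequence-number edit actually happen, here is an added example (this is not Cisco IOS code, and not part of the original post): a small Python evaluator for the extended-ACL syntax used in this post. It processes entries top-down, stops at the first match, and falls through to the implicit deny when nothing matches. The function names (wildcard_match, parse_entry, evaluate, remove_sequence) are this example's own; the ACL lines are copied from the post, and the source hosts used in the checks are constructed test values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not IOS code. Port names that the post uses interchangeably with numbers.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 0 bit in the wildcard must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _parse_ports(t: List[str], i: int) -> Optional[Tuple[int, int]]:
    """Consume optional 'eq P' | 'range P Q' | 'gt P' | 'lt P'; return inclusive (lo, hi) or None."""
    if i >= len(t):
        return None
    op = t[i]
    if op == "eq":
        return _port(t[i + 1]), _port(t[i + 1])
    if op == "range":
        return _port(t[i + 1]), _port(t[i + 2])
    if op == "gt":
        return _port(t[i + 1]) + 1, 65535
    if op == "lt":
        return 0, _port(t[i + 1]) - 1
    raise ValueError(f"unsupported port operator: {op}")


def parse_entry(line: str) -> dict:
    """Parse one entry such as '2 deny tcp 192.168.1.3 0.0.0.0 host 192.168.3.2 eq 80'."""
    t = line.split()
    seq = None
    if t[0].isdigit():                      # optional leading sequence number (named ACLs)
        seq, t = int(t[0]), t[1:]
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    ports = _parse_ports(t, i) if proto in ("tcp", "udp") else None
    return {"seq": seq, "action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "dports": ports}


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip",
             dport: int = 0) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins; implicit deny (matched line None) if nothing matches."""
    for line in acl:
        e = parse_entry(line)
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["dports"] is not None and not (e["dports"][0] <= dport <= e["dports"][1]):
            continue
        return e["action"], line
    return "deny", None                     # the implicit deny at the end of every ACL


def remove_sequence(acl: List[str], seq: int) -> List[str]:
    """Equivalent of 'no <seq>' inside a named ACL: drop only the entry with that sequence number."""
    return [line for line in acl if parse_entry(line)["seq"] != seq]


# ACL lines copied from the post; the source hosts used below are constructed test values.
ACL_100 = ["deny tcp any host 192.168.10.200 eq 23"]            # a deny with no permit at all
FTP_FILTER = ["1 deny tcp 192.168.1.2 0.0.0.0 host 192.168.3.3 range 20 21",
              "2 deny tcp 192.168.1.3 0.0.0.0 host 192.168.3.2 eq 80",
              "permit ip any any"]

if __name__ == "__main__":
    # Rule 5: with only a deny line, even unrelated HTTP traffic hits the implicit deny.
    print(evaluate(ACL_100, "10.0.0.9", "192.168.10.200", "tcp", 80))
    print(evaluate(FTP_FILTER, "192.168.1.2", "192.168.3.3", "tcp", 21))
    # Step 2 above: after 'no 2', host .3 reaches the web server via the final permit.
    print(evaluate(remove_sequence(FTP_FILTER, 2), "192.168.1.3", "192.168.3.2", "tcp", 80))
```

The evaluator deliberately returns the matched line alongside the verdict: when troubleshooting an ACL, knowing which entry fired (or that none did) is the same information `show access-list` gives you through its per-entry match counters.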


Filtering Telnet/SSH Access:

Example 1:

access-list 1 permit host 10.0.0.55
line vty 0 4
access-class 1 in

Example 2: (giving some hosts SSH access and some Telnet)

access-list 100 permit tcp host 10.0.0.5 any eq 22
access-list 100 permit tcp host 10.0.0.5 any eq 23
line vty 0 4
access-class 100 in

Log option:

Remark:
Router(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Router(config)#access-list 10 remark ?
LINE Comment up to 100 characters
Router(config)#access-list 10 remark LINE ?
<cr>
Router(config)#access-list 10 remark LINE block IP
Router(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Router(config)#access-list 100 remark ?
LINE Comment up to 100 characters
Router(config)#access-list 100 remark BLOCK TELNET
Router(config)#access-list 10 remark block IP
Router(config)#

More ACL examples:

Wildcard Mask.
Example 1:

Router(config)#ip access-list extended jedi
Router(config-ext-nacl)#deny tcp 192.168.1.128 0.0.0.127 host 192.168.3.2 eq 80
[Note: this denies IPs from .128 upwards access to the web server on 192.168.3.2]


Example 2:
ip access-list extended light
deny tcp 192.168.1.128 0.0.0.63 host 192.168.3.2 eq ftp
permit ip any any

>>> range .128 to .192, hosts 129 to 190

This only prevents hosts within the .128 subnet of 64 addresses (wildcard 63),
that is, hosts from 129 to 191 are prevented.
Hosts below 128 and above 192 are allowed.
In my example I had 3 PCs with IPs .130 (blocked), .3 (allowed), .254 (allowed).


Example 3:
ip access-list extended range
deny tcp 192.168.1.0 0.0.0.63 host 192.168.3.2 range 0 79
permit ip any any

Other keywords: extended and named; eq, gt, lt, range etc.; log; log-option; established.



ACL Applied to InterVLAN subinterfaces:

Router(config)#int range g0/1.1 - g0/1.3
Router(config-if-range)# ip access-group icmp-block in

Running configuration:
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.5.1 255.255.255.0
 ip access-group icmp-block in
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group icmp-block in
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 20
 ip address 192.168.4.1 255.255.255.0
 ip access-group icmp-block in


router rip
 network 192.168.1.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
!
!
ip access-list extended icmp-block
 deny icmp 192.168.4.0 0.0.0.255 host 192.168.2.4
 deny icmp 192.168.5.0 0.0.0.255 host 192.168.2.4
 deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.4
 permit ip any any

Wildcard Masking: OSPF and ACL.

Wildcard masks are used to match specific IP subnets.
Wildcard masking is easy to understand if one knows
subnetting very well. In fact, do not look at wildcard
masks if you do not know subnetting.

Subnet mask number:    128 64 32 16 8 4 2 1
Wildcard mask number:  127 63 31 15 7 3 1 0
The wildcard mask number is one less than the
subnet mask number.


Example 1:

router ospf 10
network 192.168.1.0 0.0.0.255 area 0

This is a really simple example.

The network number is:  192.168.1.0
The wildcard mask is:   0.0.0.255

0 - indicates an exact match
255 - indicates the number can vary.

In our example 192 must match exactly,
as 0 is its wildcard mask.

The last 0 can vary, as the wildcard number is 255.
The last number can be 0 to 255,
though 0 is the network number and 255 the broadcast.

Example 2: a bit more complicated.

Router(config)#ip access-list extended jedi
Router(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.127 host 192.168.3.2 eq 80

I am using an ACL as the example.
IP: 192.168.1.0
(Note: rather than 0, any number from 0 to 127 can be used; the Router
 presumes it belongs to the .0 subnet. If 128 or above is used it belongs
 to the next subnet, .128; see below.)
Wildcard mask: 0.0.0.127

This ACL denies http traffic from hosts 192.168.1.1 to 192.168.1.126.
The web page will not open.
Keep in mind .0 is the network number and .127 is the broadcast number.


Note how the Router subnets internally.
I created this:
Router(config)#ip access-list extended red
Router(config-ext-nacl)#deny tcp 192.168.1.120 0.0.0.127 host 192.168.2.2
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#end

The Router IOS rewrites it to what is below: .120 becomes .0, the subnet address.

This is from sh run (show running-config):
ip access-list extended red
 deny tcp 192.168.1.0 0.0.0.127 host 192.168.2.2
 permit ip any any
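The rewrite the Router just performed, the subnet-mask/wildcard table above, and the address ranges discussed in the earlier "light" and "range" examples all come down to the same bit arithmetic. The following is an added example (not IOS code and not from the original post) that does that arithmetic in Python: it derives a wildcard from a subnet mask, normalizes a base address the way IOS stores it (192.168.1.120 with 0.0.0.127 becomes 192.168.1.0), and computes the first and last address a base/wildcard pair actually matches. The function names are this example's own.

```python
import ipaddress

# Added example, not IOS code. Wildcard-mask arithmetic for the cases in this post.


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask (each octet is 255 minus the mask octet,
    which is where the post's 'one less than the subnet mask number' table comes from)."""
    return _to_dotted(~_to_int(subnet_mask) & 0xFFFFFFFF)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 1s in the low bits, i.e. it describes one subnet.
    IOS accepts non-contiguous wildcards too, but they do not correspond to a subnet."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def normalize(base: str, wildcard: str) -> str:
    """What IOS stores: every 'don't care' bit of the base address is cleared."""
    return _to_dotted(_to_int(base) & ~_to_int(wildcard) & 0xFFFFFFFF)


def matched_range(base: str, wildcard: str):
    """(first address, last address, number of addresses) matched by base/wildcard."""
    w = _to_int(wildcard)
    first = _to_int(normalize(base, wildcard))
    count = 2 ** bin(w).count("1")          # one address per combination of 'don't care' bits
    return _to_dotted(first), _to_dotted(first | w), count


if __name__ == "__main__":
    # Cases taken from this post.
    print(wildcard_from_mask("255.255.255.192"))            # 0.0.0.63
    print(normalize("192.168.1.120", "0.0.0.127"))          # 192.168.1.0, as in the 'red' ACL
    print(matched_range("192.168.1.128", "0.0.0.63"))       # the 'light' ACL: .128 to .191, 64 addresses
    print(matched_range("192.168.1.0", "0.0.0.127"))        # the 'jedi' ACL: .0 to .127, 128 addresses
```

Running matched_range over an entry before applying it is a cheap way to catch the classic mistake the "red" ACL shows: a base address that is not the first address of its block gets silently widened to the whole block.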



Example 3:

ip access-list extended light
deny tcp 192.168.1.128 0.0.0.63 host 192.168.3.2 eq ftp
permit ip any any

>>> range .128 to .192, hosts 129 to 190

This only prevents hosts within the .128 subnet of 64 addresses (wildcard 63),
that is, hosts from 129 to 191 are prevented.
Hosts below 128 and above 192 are allowed.
In my example I had 3 PCs with IPs .130 (blocked), .3 (allowed), .254 (allowed).

Example 4:

ip access-list extended range
deny tcp 192.168.1.0 0.0.0.63 host 192.168.3.2 range 0 79
permit ip any any

Range here is the ports from 0 to 79.

Wildcard masks provide granular filtering, which can be very powerful.


Verification:

show access-list
show access-list 110
show ip access-list
show ip interface
show running-config
show ip interface fa0/1
