When setting up an access list on a brand new Cisco router, here are a few key points to remember:
- Implicit deny at the end of every access list; you must permit your administrative traffic or you will lock yourself out of the router
- Order matters: place the most restrictive (most specific) rules first, or a broader rule above them will match first and the more restrictive rules will never get a hit
- Issue one access list per direction per interface
- Standard access lists are placed closest to the destination
- Extended access lists are placed closest to the source, so undesirable traffic is dropped before it crosses the network
IMPORTANT: Create the ACL before applying to an interface. An empty ACL applied will permit all traffic.
Access lists match permit or deny rules on source address, destination address, protocol, and port numbers. Inbound lists process packets before the routing decision; outbound lists process them after routing, on the way out.
Special handling required to identify
- type of traffic to be encrypted on VPN
- identify a router
- route filtering, which route to include in updates
- policy based routing
- NAT
Standard Access List
Checks only the source address, for the entire protocol suite.
Standard IP ACL numbers: 1 to 99 & 1300 to 1999
Here is an example from Cisco Tests:
access-list 10 deny 172.16.3.10 0.0.0.0
access-list 10 permit any
access-list 10 remark Stop all traffic whose source IP is Bob
Extended Access List
Checks both source and destination address, protocols and port numbers.
Extended IP ACL numbers: 100 to 199 & 2000 to 2699
access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server
access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 110 permit ip any any
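To see the "order matters" and "implicit deny" points in action against the ACL 110 above, here is an added example (my code, not from the original notes or from Cisco) that simulates how an IOS extended ACL is evaluated: top-down first match, Cisco wildcard masks, implicit deny at the end. The Ace class and evaluate() are my own names; the sample packets are constructed.

```python
# Added example: minimal simulator of Cisco extended-ACL matching.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything, else "tcp"/"udp"
    src: str                    # "A.B.C.D W.X.Y.Z" (wildcard), "host A.B.C.D", or "any"
    dst: str
    port: Optional[int] = None  # destination port for "eq"; None matches any port


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":                       # same as 0.0.0.0 255.255.255.255
        return True
    if spec.startswith("host "):            # same as A.B.C.D 0.0.0.0
        return ipaddress.IPv4Address(spec.split()[1]) == ipaddress.IPv4Address(addr)
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    if not acl:
        return "permit"   # IOS: applying an ACL with no entries permits all traffic
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    return "deny"         # implicit deny at the end of every access list


# ACL 110 from the notes: Bob (172.16.3.10) blocked from FTP on 172.16.1.0/24,
# Larry (172.16.2.10) blocked from WWW on 172.16.1.100, everything else permitted.
ACL_110 = [
    Ace("deny", "tcp", "host 172.16.3.10", "172.16.1.0 0.0.0.255", 21),
    Ace("deny", "tcp", "host 172.16.2.10", "host 172.16.1.100", 80),
    Ace("permit", "ip", "any", "any"),
]

# Same three lines with the permit placed first: the two denies never get a hit.
ACL_110_BAD_ORDER = [ACL_110[2], ACL_110[0], ACL_110[1]]
```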
Dynamic ACL - the user first authenticates to the router over telnet, which then opens the entry for them
Reflexive ACL - allows outbound sessions and only lets the matching return traffic back in. These are defined inside an extended named IP ACL, not a numbered one like the standard.
Time based ACL - can be used with standard and extended ACL
usage:
ip access-list standard TROUBLEMAKER
permit ....
deny ....
remark .... a good idea to explain what the rule is for!
HOW TO Apply the IP Access List to an Interface
int eth 0
ip access-group TROUBLEMAKER out
show access-lists (verify the list and its match counts)
no ip access-list extended <name> (removes the whole named extended list)
ip access-list resequence <name> <start> <increment> (renumbers the entries)
Removing the Access List
conf t
int eth 0
no ip access-group # in
exit
no access-list #
In a lab setup, you'll have to really trust your neighbors not to lock you out.
Use the host keyword when you are specifying a single machine.
host 172.16.10.2 means the same as 172.16.10.2 0.0.0.0
Use the any keyword to specify the 0.0.0.0 255.255.255.255 wildcard mask.
Use it when you don't care about the source or destination address because you are filtering on other parameters.
me: access-list 1 permit host 10.10.10.8 (need to permit own workstation)
buddy1: access-list 1 permit host 10.0.0.101
buddy2: access-list 1 permit host 10.0.0.106
buddy1: access-list 1 permit 30.3.3.0 0.0.0.255
buddy2: access-list 1 permit host 80.8.8.0 255.255.255.255
How to apply the access-list on a vty interface
usage: access-class 1 in
How to create an IP named standard access-list?
usage: ip access-list standard name
syntax:
access-list [number] [permit or deny] [protocol] [source] [destination] [port]
Nice Article! Thanks for sharing with us.