In Cisco IOS you can create an ACL in two ways; the result is the same..
- Globally in line mode
- NACL mode
There are two types of ACLs
(1) Standard ACLs
- Number can be 1-99 or 1300-1999, or it can be given a name instead
- Match only on the source IP
- Applied near the destination
(2) Extended ACLs
- Number can be 100-199 or 2000-2699, or it can be given a name instead
- Match on source IP, destination IP, service (protocol) and port number
- Applied near the source
Referring to the diagram above, in which routing is already configured correctly, let's configure ACLs..
Standard ACL
Let's assume that 10.1.10.0/24 must not access the server 10.1.30.30, but all other subnets must be able to..
Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <source IP address> <wild card mask>
NACL mode Syntax;
R(config)#ip access-list <standard> <number/name>
R(config-std-nacl)#<permit/deny> <source IP address> <wild card mask>
Here are some different ways to configure it..
Via Globally in line mode;
R2(config)#access-list 10 deny 10.1.10.0 0.0.0.255
R2(config)#access-list 10 permit any
Via NACL mode;
R2(config)#ip access-list standard 10
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any
You can configure it with a name in NACL mode too..
R2(config)#ip access-list standard TEST
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any
Note:-
There is an implicit deny (deny any) at the end of every ACL that blocks everything not explicitly permitted.. So if you configure an ACL with a deny statement for specific traffic, you must permit all other traffic with the last line.
You should apply a Standard ACL near the destination because it matches only on the source IP. If it is applied near the source it will match all traffic coming from that source, to every destination, and block everything at the 1st hop..
Here let's apply it on the e0/1 interface of R2 for outbound traffic..
Syntax;
R(config)#int e0/1
R(config-if)#ip access-group <number> <in/out>
Here is the actual command;
R2(config)#int e0/1
R2(config-if)#ip access-group 10 out
Now the ACL is configured and the access-group is applied.. The traffic will be filtered as intended..
Extended ACL
Let's assume that only http traffic from 10.1.20.0/24 must access the server 10.1.30.30 and all other traffic must be blocked..
Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>
NACL mode Syntax;
R(config)#ip access-list <extended> <number/name>
R(config-ext-nacl)#<permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>
Here are some different ways to configure it..
Via Globally in line mode;
R1(config)#access-list 100 permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80
I have ignored the source port number as it is irrelevant here, but put the destination port as 80 for http (web) traffic, and I have used host instead of a wildcard mask because I am restricting access to the exact IP (single host) of the server. All other traffic will be denied by the implicit deny at the end of the ACL. If you configure an Extended ACL with a deny statement and you want to allow all other traffic, you should type permit ip any any as the last line.
Via NACL mode;
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80
You can configure it with a name in NACL mode too..
R1(config)#ip access-list extended TEST
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80
You can apply an Extended ACL anywhere, but as a best practice it is better to apply it near the source. It will reduce unnecessary packets flowing through the network.
Here let's apply it on the e0/2 interface of R1 for inbound traffic..
The syntax is the same as for standard ACLs..
Syntax;
R(config)#int e0/2
R(config-if)#ip access-group <number> <in/out>
Here is the actual command;
R(config)#int e0/2
R(config-if)#ip access-group 100 in
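To see why the wildcard masks, the top-down first-match order and the implicit deny behave as described for both ACL 10 and ACL 100 above, here is a small evaluator added as an example (it is not part of the original post and not Cisco code). The entry fields, the Entry class and the sample packets are assumptions constructed to mirror the two ACLs on this page.

```python
"""Minimal first-match ACL evaluator mirroring the Cisco IOS semantics above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    """One ACL line. Standard ACLs only use action/src/src_wc (constructed model)."""
    action: str                      # "permit" or "deny"
    src: str                         # source network or host address
    src_wc: str                      # source wildcard mask ("host X" == X 0.0.0.0)
    proto: str = "ip"                # "ip" matches every protocol
    dst: str = "0.0.0.0"             # destination (extended ACLs only)
    dst_wc: str = "255.255.255.255"  # "any" by default
    dst_port: Optional[int] = None   # "eq <port>" on the destination


def matches(e: Entry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if not wildcard_match(src, e.src, e.src_wc):
        return False
    if not wildcard_match(dst, e.dst, e.dst_wc):
        return False
    return e.dst_port is None or e.dst_port == dport


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Walk the ACL top-down; the first matching line wins; implicit 'deny any' at the end."""
    for e in acl:
        if matches(e, proto, src, dst, dport):
            return e.action
    return "deny"  # implicit deny: nothing matched


# The two ACLs from this page, as constructed sample data.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_10 = [Entry("deny", "10.1.10.0", "0.0.0.255"), Entry("permit", *ANY)]
ACL_100 = [Entry("permit", "10.1.20.0", "0.0.0.255", "tcp", "10.1.30.30", "0.0.0.0", 80)]

if __name__ == "__main__":
    print("ACL 10, 10.1.10.5 -> server:", evaluate(ACL_10, "icmp", "10.1.10.5", "10.1.30.30"))
    print("ACL 100, 10.1.20.5 -> server:443:", evaluate(ACL_100, "tcp", "10.1.20.5", "10.1.30.30", 443))
```

Note that with ACL 100 even port 443 from the permitted subnet is dropped, which is the implicit deny the post describes.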
Note:-
A Windows PC will say "Destination net unreachable" in Ping / Tracert output when it hits an ACL.. Cisco IOS will say "!A" in Traceroute output when it hits an ACL..
Note:-
ACLs do not filter traffic originated by the router itself. They only match traffic that is in transit through the router.. Also, in NACL mode you can insert new lines at a chosen position using sequence numbers..