1) Standard and extended access lists can both use a wildcard mask.
ex: access-list 101 permit ip 192.168.32.0 0.0.7.255
access-list 10 permit 192.168.146.0 0.0.1.255
You may have noticed that there is no "ip" keyword in access-list 10 (the standard ACL). Any idea why?
Because a standard ACL cannot do protocol-based filtering.
In an extended ACL we can use permit tcp, permit udp, permit ip, etc.
2) Examples of extended ACLs
Permit traffic from one network to another network:
# access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
Another one, this time from a specific host to another host:
# access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
Remember the protocol keywords:
tcp, udp, ip
and, after eq: telnet, domain (for DNS)
One sample that denies ICMP from anywhere to one destination:
# access-list 102 deny icmp any host 2.2.2.2
3) Apply the ACL close to the source.
4) Points on editing an ACL
Trick 1: don't edit like this:
no access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
This will remove the whole of access-list 101.
So use one of the methods below.
Method 1
Create the ACL as a named ip access-list from the start:
# ip access-list extended test
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
# permit tcp host 2.2.2.2 host 3.3.3.3
This will show up in
sh access-list
in exactly that order.
Then, to edit, simply type
# ip access-list extended test
and then use
# no permit tcp host 2.2.2.2 host 3.3.3.3
To add, simply add new rules (remember that those rules will be appended at the bottom of the existing rules).
Method 2
If we have already added an ACL like this:
# access-list 101 permit tcp any any
# access-list 101 permit udp any any
# access-list 101 permit icmp any any
then check sh access-list:
10 permit tcp any any
20 permit udp any any
30 permit icmp any any
The sequence numbers increase 10, 20, 30, which is the order in which the entries were added.
So, to edit:
# ip access-list extended 101
5 deny tcp any any eq telnet
Then check
sh access-list
5 deny tcp any any eq telnet
10
20
30
etc.
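The two rules the notes above rely on, wildcard-mask matching (point 1) and first match in sequence-number order (method 2), modelled as an added Python example that is not part of the original post. The Ace class, the function names and the sample packet addresses are my own; only the access-list 101 entries come from the notes.

```python
"""Model Cisco IOS ACL evaluation: wildcard masks, first match by sequence number."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY, ANY_WC = "0.0.0.0", "255.255.255.255"   # what the 'any' keyword expands to

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match; so 192.168.32.0 0.0.7.255
    covers 192.168.32.0 - 192.168.39.255, and 'host x' is x 0.0.0.0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    """One entry of an extended ACL (hypothetical model of the CLI syntax)."""
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches everything; else tcp/udp/icmp
    src: str = ANY
    src_wc: str = ANY_WC
    dst: str = ANY
    dst_wc: str = ANY_WC
    dst_port: Optional[int] = None   # 'eq <port>': 23 = telnet, 53 = domain

def evaluate(acl, proto, src, dst, dst_port=None) -> str:
    """Walk the ACL by sequence number (not the order typed) and stop at the
    first match; a packet matching no entry hits the implicit deny."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return f"{ace.action} (seq {ace.seq})"
    return "deny (implicit)"

# access-list 101 from method 2: 10/20/30 typed first, then "5 deny tcp any any eq telnet"
ACL_101 = [
    Ace(10, "permit", "tcp"),
    Ace(20, "permit", "udp"),
    Ace(30, "permit", "icmp"),
    Ace(5, "deny", "tcp", dst_port=23),
]

if __name__ == "__main__":          # constructed sample packets
    print(evaluate(ACL_101, "tcp", "10.1.1.5", "2.2.2.2", 23))  # deny (seq 5)
    print(evaluate(ACL_101, "tcp", "10.1.1.5", "2.2.2.2", 80))  # permit (seq 10)
```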
So what about a standard ACL?
See:
# access-list 2 permit 172.16.1.2
# access-list 2 permit 172.16.1.10
# access-list 2 permit 172.16.1.11
We know the order is based on entry order: the access list is checked against the first-entered rule first.
So sequence number 10 is for 172.16.1.2,
20 for 172.16.1.10,
30 for 172.16.1.11.
But sh access-list shows
30 172.16.1.11
20 172.16.1.10
10 172.16.1.2
which is in decreasing order of IP address.
Note
Cisco IOS orders the entries by decreasing IP address, not by sequence number.
We can check this by adding new entries:
# ip access-list standard 2
# 25 permit 172.16.1.7
# 15 permit 172.16.1.16
By sequence number, sh access-list should show
30
25
20
15
10
But it won't; it will be in decreasing order of IP address:
15 permit 172.16.1.16
30 permit 172.16.1.11
20 permit 172.16.1.10
Next case: see sh access-list
10 permit 192.168.100.0
15 permit 10.10.10.0, wildcard 0.0.0.255
19 permit 200.10.1.1, wildcard 0.0.0.255
Why?
Because fixed IPs are given priority over wildcard entries.
We can check this via
# ip access-list standard 2
18 permit 172.22.1.1
so
sh access-list
10 permit 192.168.100.0
18 permit 172.22.1.1
15 permit 10.10.10.0, wildcard 0.0.0.255
19 permit 200.10.1.1, wildcard 0.0.0.255
To remove an access list from an interface:
int f0/0
no ip access-group <acl> in | out