IPv4 ACLs
6.3.a Standard
Using the above topology, we will use standard ACLs (numbered 1-99) to block traffic. Relying on the implicit “deny” at the end of each ACL reduces the number of entries needed.
On R1:
interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 1 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 2 out
 negotiation auto
!
access-list 1 permit 192.168.122.0 0.0.0.255 log
access-list 2 permit 10.0.2.0 0.0.0.255 log
!
To verify, use pings and extended pings:
BANKING> ping 10.0.0.2
*10.0.1.1 icmp_seq=1 ttl=255 time=9.955 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=2 ttl=255 time=3.232 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=3 ttl=255 time=2.574 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=4 ttl=255 time=2.354 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=5 ttl=255 time=1.745 ms (ICMP type:3, code:13, Communication administratively prohibited)

DEVOPS> ping 10.0.0.2
*10.0.2.1 icmp_seq=1 ttl=255 time=9.813 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=2 ttl=255 time=2.622 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=3 ttl=255 time=11.419 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=4 ttl=255 time=10.533 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=5 ttl=255 time=2.351 ms (ICMP type:3, code:13, Communication administratively prohibited)

router#ping
Protocol [ip]:
Target IP address: 10.0.0.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: GigabitEthernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.180
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/266/1040 ms
router#
6.3.b Extended
Extended access lists are numbered in the range <100-199>.
Extended ACLs also let us match on the destination address and on the protocol; the protocol keywords available are:
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol
interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 negotiation auto
!
access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log
6.3.c Named
Named ACLs work the same as the above, except that entries can be given individual sequence numbers:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
router(config)#ip access-list extended RULE1
router(config-ext-nacl)#1 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
router(config)#ip access-list extended RULE2
router(config-ext-nacl)#1 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log
Individual entries can then be deleted by sequence number:
router(config)#ip access-list extended RULE1
router(config-ext-nacl)#no ?
  <1-2147483647>  Sequence Number
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  permit          Specify packets to forward
  remark          Access list entry comment
router(config-ext-nacl)#no 1
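To make the evaluation rules behind the standard, extended and named sections concrete (first match wins, standard lists check only the source, the implicit deny catches everything else, and named entries can be inserted and removed by sequence number), here is a small Python model added as an example; it is not part of these notes and is not IOS code. It parses the access-list lines from the R1 configuration above and the RULE1 entry from the named-ACL section, then evaluates a few flows. The class and function names, the protocol keyword set and the 10/20/30 default sequence numbering are this example's own assumptions; the 10.0.2.10 and 10.0.0.3 addresses are constructed. It goes slightly beyond the page in that wildcard masks are compared bitwise, so non-contiguous masks such as 0.0.1.255 are handled as IOS handles them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Protocol keywords from the IOS "?" output above (numeric protocol numbers are accepted
# too). Assumption: enough to tell an extended entry ("permit ip SRC DST") from a standard one.
IP_PROTOCOLS = {"ip", "icmp", "tcp", "udp", "ahp", "eigrp", "esp", "gre",
                "igmp", "ipinip", "nos", "ospf", "pcp", "pim"}
AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit integers


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: int, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: a 1 bit means "don't care". Comparing bitwise rather
    than via a prefix length also handles non-contiguous masks such as 0.0.1.255."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_addr_spec(tokens, i) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: AddrSpec
    dst: Optional[AddrSpec]  # None for a standard (source-only) entry


class Acl:
    """Entries are tried in sequence order; the first match decides; nothing else passes."""

    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, AclEntry] = {}

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Parse 'permit|deny ...'; a leading 'access-list N' and a trailing 'log' are
        accepted. Without seq, append in steps of 10 (assumed IOS default numbering)."""
        tokens = text.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[-1] == "log":
            tokens = tokens[:-1]
        if tokens[1] in IP_PROTOCOLS or tokens[1].isdigit():  # extended form
            src, i = parse_addr_spec(tokens, 2)
            dst, _ = parse_addr_spec(tokens, i)
            entry = AclEntry(tokens[0], tokens[1], src, dst)
        else:                                                   # standard form
            src, _ = parse_addr_spec(tokens, 1)
            entry = AclEntry(tokens[0], "ip", src, None)
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        self.entries[seq] = entry
        return seq

    def remove(self, seq: int) -> None:
        self.entries.pop(seq, None)  # the 'no <seq>' command in named-ACL config mode

    def evaluate(self, src: str, dst: str, proto: str = "ip") -> Tuple[str, Optional[int]]:
        """First matching entry wins; ("deny", None) is the implicit deny."""
        s, d = ip_int(src), ip_int(dst)
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e.proto != "ip" and e.proto != proto:
                continue
            if not wildcard_match(s, e.src):
                continue
            if e.dst is not None and not wildcard_match(d, e.dst):
                continue
            return e.action, seq
        return "deny", None


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """ACL 1 and ACL 100 from R1 above (10.0.2.10 and 10.0.0.3 are constructed
    addresses), then RULE1 from the named-ACL section before and after 'no 1'."""
    acl1, acl100, rule1 = Acl("1"), Acl("100"), Acl("RULE1")
    acl1.add("access-list 1 permit 192.168.122.0 0.0.0.255 log")
    acl100.add("access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log")
    rule1.add("permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log", seq=1)
    before = rule1.evaluate("192.168.122.180", "10.0.0.2", "tcp")
    rule1.remove(1)
    return {
        # ACL 1 (outbound on Gi1/0) looks only at the source; ACL 100 also needs host 10.0.0.2.
        "acl1_from_mgmt": acl1.evaluate("192.168.122.180", "10.0.0.2", "icmp"),
        "acl1_from_devops": acl1.evaluate("10.0.2.10", "10.0.0.2", "icmp"),
        "acl100_to_host": acl100.evaluate("192.168.122.180", "10.0.0.2", "icmp"),
        "acl100_to_other": acl100.evaluate("192.168.122.180", "10.0.0.3", "icmp"),
        "rule1_before_no_1": before,
        "rule1_after_no_1": rule1.evaluate("192.168.122.180", "10.0.0.2", "tcp"),
    }
```

Running `demo()` shows the DEVOPS host being dropped by ACL 1's implicit deny (the "administratively prohibited" replies in the ping output), ACL 100 permitting only the exact destination host, and RULE1 going from permit to implicit deny once sequence 1 is removed. The same model can be pointed at a full `show running-config` dump to check a proposed change before it is applied.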
IPv6 ACLs
According to Cisco: “With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.”
Here is the topology:
Here are the ACLs:
interface GigabitEthernet0/0
 ip address dhcp
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 ipv6 address 2001:DB8:4::/48 eui-64
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:1::/48 eui-64
 ipv6 traffic-filter RULE1 out
!
interface GigabitEthernet2/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:2::/48 eui-64
 ipv6 traffic-filter RULE2 out
!
interface GigabitEthernet3/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:3::/48 eui-64
!
ipv6 access-list RULE1
 permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log
!
ipv6 access-list RULE2
 permit ipv6 2001:DB8:3::/48 2001:DB8:2::/48 log
!
control-plane
The verification steps are the same as above. Adding the log keyword helps by logging each time an ACL entry is matched:
router#
*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet
Pings will also return “prohibited” when attempting to reach ACL-restricted subnets:
DEVOPS> ping 2001:db8:1::1
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=1 ttl=64 time=18.509 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=2 ttl=64 time=9.367 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=3 ttl=64 time=9.834 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=4 ttl=64 time=9.151 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=5 ttl=64 time=9.522 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
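The log keyword is only useful if something reads the messages it produces. As an added example (not part of these notes), here is a Python parser for the ACL log message shape shown above; it extracts the list name, sequence number, verdict, protocol, addresses and ICMP type/code, and totals denied packets per source address, which is the kind of summary a monitoring job would alert on. The first sample line is the one from the page; the remaining lines are constructed. The denied lines assume an explicit `deny ... log` entry had been configured, because the implicit deny at the end of an ACL generates no log message, and the IPv4 `%SEC-6-IPACCESSLOGDP` line is assumed to follow the same shape as the IPv6 one. The regular expression and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the ACL log message shown above:
#   *Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 SRC -> DST (128/0), 1 packet
# The timestamp is optional (a collector may have stripped it), "/SEQ" appears for named lists,
# and "(type/code)" appears on the ICMP (DP) variants only.
ACL_LOG_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>\w*ACCESSLOG\w*):\s+"
    r"list\s+(?P<acl>\S+?)(?:/(?P<seq>\d+))?\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?,\s+"
    r"(?P<count>\d+)\s+packets?$"
)


@dataclass
class AclLogEvent:
    acl: str
    seq: Optional[int]
    action: str
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    count: int


def parse_acl_log(line: str) -> Optional[AclLogEvent]:
    """Return the parsed event, or None for lines that are not ACL log messages."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()

    def opt(value: Optional[str]) -> Optional[int]:
        return int(value) if value is not None else None

    return AclLogEvent(g["acl"], opt(g["seq"]), g["action"], g["proto"], g["src"], g["dst"],
                       opt(g["icmp_type"]), opt(g["icmp_code"]), int(g["count"]))


def denied_packets_by_source(lines: List[str]) -> Dict[str, int]:
    """Sum the 'N packets' counts of denied events per source address; other lines are skipped."""
    totals: Counter = Counter()
    for line in lines:
        ev = parse_acl_log(line)
        if ev is not None and ev.action == "denied":
            totals[ev.src] += ev.count
    return dict(totals)


SAMPLE_LOG = [
    # The message from the page:
    "*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet",
    # Constructed lines, not from the page. They assume an explicit "deny ... log" entry,
    # since the implicit deny at the end of an ACL does not log.
    "*Dec 9 09:26:01.200: %IPV6_ACL-6-ACCESSLOGDP: list RULE1/20 denied icmpv6 2001:DB8:3::1 -> 2001:DB8:1::1 (128/0), 5 packets",
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.0.2.10 -> 10.0.0.2 (8/0), 3 packets",
    # An unrelated syslog line, included to show it is ignored:
    "*Dec 9 09:26:09.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_acl_log(entry))
    print(denied_packets_by_source(SAMPLE_LOG))
```

Because a single log line carries an aggregated packet count rather than one packet, the totals use the count field instead of counting lines; a sudden rise in denied packets from one source is the signal worth watching for, and the sequence number tells you which entry fired.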