Friday, May 12, 2017

A Note on Access Control Lists & Access Group Command

Access Control Lists (ACLs) are used to identify and capture specific traffic, not to filter it by themselves. Access Group is the command we apply to an interface to filter the traffic captured by an ACL.. So the application of ACLs is not limited to controlling access; they can be used in many situations where we need to capture specific traffic from a flow..

[Network diagram referenced below]

In Cisco IOS you can create an ACL in 2 ways.. The result is the same..
- Globally in line
- NACL mode

There are 2 types of ACLs

(1) Standard ACLs
- Number can be 1-99 or 1300-1999, or it can be given a name instead
- Based only on the source IP
- Applied near to the destination

(2) Extended ACLs
- Number can be 100-199 or 2000-2699, or it can be given a name instead
- Based on source IP, destination IP, service (protocol) and port number
- Applied near to the source

Referring to the above diagram, in which routing is already configured correctly, let's configure ACLs..

Standard ACL

Let's assume that 10.1.10.0/24 must not access the server 10.1.30.30, but all other subnets must be able to..

Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <source IP address> <wild card mask>

NACL mode Syntax;
R(config)#ip access-list standard <number/name>
R(config-std-nacl)#<permit/deny> <source IP address> <wild card mask>

Here are some different ways to configure it..

Via Globally in line mode;
R2(config)#access-list 10 deny 10.1.10.0 0.0.0.255
R2(config)#access-list 10 permit any

Via NACL mode;
R2(config)#ip access-list standard 10
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any

You can configure it with a name in NACL mode too..
R2(config)#ip access-list standard TEST
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any

Note: There is an implicit deny (deny any) at the end of every ACL, which blocks everything that no earlier line matched.. So if you configure an ACL with a deny statement for specific traffic, you should permit all other traffic with the last line.

You should apply a Standard ACL near the destination because it only captures traffic based on the source IP. If it is applied near the source it will match all traffic coming from that source, whatever the destination, and block everything at the 1st hop..

Here let's apply it on the e0/1 interface of R2 for outbound traffic..

Syntax;
R(config)#int e0/1
R(config-if)#ip access-group <number> <in/out>

Here is the actual command;
R2(config)#int e0/1
R2(config-if)#ip access-group 10 out

Now the ACL is configured and the access group is applied.. The traffic will be filtered as intended..

Extended ACL

Let's assume that only http traffic from 10.1.20.0/24 must access the server 10.1.30.30 and all other traffic must be blocked..

Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>

NACL mode Syntax;
R(config)#ip access-list extended <number/name>
R(config-ext-nacl)#<permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>

Here are some different ways to configure it..

Via Globally in line mode;
R1(config)#access-list 100 permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

I have ignored the source port number as it is irrelevant (the client picks a random one), but put the destination port as 80 for http (web) traffic, and I have used host instead of a wildcard mask because I am restricting access to the exact IP (single host) of the server. All other traffic will be denied by the implicit deny at the end of the ACL. If you configure an Extended ACL with a deny statement and you want to allow all other traffic, you should type permit ip any any as the last line.

Via NACL mode;
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

You can configure it with a name in NACL mode too..
R1(config)#ip access-list extended TEST
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

You can apply an Extended ACL anywhere, but as a best practice it is better to apply it near to the source. It will reduce unnecessary packets flowing through the network.

Here let's apply it on the e0/2 interface of R1 for inbound traffic..
Syntax is same as in standard ACLs..

Syntax;
R(config)#int e0/2
R(config-if)#ip access-group <number> <in/out>

Here is the actual command;
R1(config)#int e0/2
R1(config-if)#ip access-group 100 in
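The first-match and implicit-deny behaviour described in the Standard ACL and Extended ACL sections above, as an added example in Python (it is not part of the original post and not Cisco IOS code): it parses ACL entries written in the NACL syntax used on this page and evaluates constructed sample packets against them. The packets, the evaluate function and the deny-first ACL with a trailing permit ip any any are my assumptions for illustration; the wildcard-mask rule (a 1 bit in the wildcard means "do not care") and the implicit deny at the end are the standard behaviour the post describes.

```python
"""Minimal Cisco-style ACL evaluator (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 0.0.0.0 with wildcard 255.255.255.255 is what the keyword 'any' expands to
ANY_NET, ANY_WILD = 0, 0xFFFFFFFF
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return ANY_NET, ANY_WILD, tokens[1:]
    if tokens[0] == "host":                       # host X is the same as X 0.0.0.0
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq N' qualifier."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """Wildcard-mask rule: bits set in the wildcard are ignored in the comparison."""
    return (addr ^ net) & ~wild == 0


@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    protocol: str               # 'ip' matches every protocol
    src_net: int
    src_wild: int
    src_port: Optional[int]
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]

    @staticmethod
    def parse(line: str) -> "Entry":
        """Parse one NACL-mode line: 'deny 10.1.10.0 0.0.0.255' (standard) or
        'permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80' (extended)."""
        action, *tokens = line.split()
        if tokens[0] in PROTOCOLS:                # extended entry
            proto, tokens = tokens[0], tokens[1:]
            src_net, src_wild, tokens = _take_addr(tokens)
            src_port, tokens = _take_port(tokens)
            dst_net, dst_wild, tokens = _take_addr(tokens)
            dst_port, tokens = _take_port(tokens)
            return Entry(action, proto, src_net, src_wild, src_port,
                         dst_net, dst_wild, dst_port)
        # standard entry: only a source is given, destination is implicitly 'any'
        src_net, src_wild, tokens = _take_addr(tokens)
        return Entry(action, "ip", src_net, src_wild, None, ANY_NET, ANY_WILD, None)

    def matches(self, proto: str, src: int, dst: int,
                sport: Optional[int], dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if self.src_port is not None and self.src_port != sport:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return (_wild_match(src, self.src_net, self.src_wild)
                and _wild_match(dst, self.dst_net, self.dst_wild))


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny (line None)."""
    s, d = _addr(src), _addr(dst)
    for lineno, entry in enumerate(acl, start=1):
        if entry.matches(proto, s, d, sport, dport):
            return entry.action, lineno
    return "deny", None


# The two ACLs from the post, plus a constructed deny-first ACL (assumption) that
# needs the trailing 'permit ip any any' the post mentions.
STANDARD_10 = [Entry.parse(l) for l in ("deny 10.1.10.0 0.0.0.255", "permit any")]
EXTENDED_100 = [Entry.parse("permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80")]
DENY_FIRST = [Entry.parse(l) for l in ("deny tcp any host 10.1.30.30 eq 23", "permit ip any any")]

if __name__ == "__main__":
    # constructed sample packets: (protocol, source, destination, sport, dport)
    packets = [("tcp", "10.1.10.7", "10.1.30.30", 40000, 80),
               ("tcp", "10.1.20.7", "10.1.30.30", 40000, 80),
               ("tcp", "10.1.20.7", "10.1.30.30", 40000, 443),
               ("udp", "10.1.20.7", "10.1.30.30", 40000, 80)]
    for name, acl in (("ACL 10", STANDARD_10), ("ACL 100", EXTENDED_100), ("deny-first", DENY_FIRST)):
        for pkt in packets:
            print(name, pkt, "->", evaluate(acl, *pkt))
```

Running the script shows why the placement advice matters: ACL 10 decides purely on the source, so the same 10.1.10.0/24 host is denied whatever it talks to, which is exactly what would happen at the first hop if it were applied near the source. ACL 100 has no permit any at the end, so the 443 and udp packets fall to the implicit deny with no matching line number.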


Note:
A Windows PC will say "Destination net unreachable" in the Ping / Tracert output when it hits an ACL..

Cisco IOS will say "!A" in the Traceroute output when it hits an ACL..

