Sunday, 15 July 2018

ACL / Access Control Lists

  • To see existing IP access lists: #show ip access-list
  • To create new ACL:
  • #ip access-list <name> //creates extended ACL
  • #ip access-list standard <name> //creates standard ACL

  • Standard ACL:
  • Here, we cannot specify the destination IP address
  • We can specify only the source IP address
  • #ip access-list standard test1
  • (test1)#permit 10.10.10.10 0.0.0.0  //ip and wildcard
  • (test2)#deny any any
  • //The sequence matters. If we had used deny first, then, the deny rule itself matches, so it won’t go to the permit. Note: deny is an implicit rule. SO, no need to configure that on any ACL

  • To apply the IP address, we should use on the specific interface
  • If we don’t even want the packet to enter the switch and not use that switch, use the ingress interface. This is recommended as we prefer to do so near the source
  • If we have another path via the switch and want the packet to take that, then, use this ACL on the not-used interface
  • #int et 2/1
  • #ip access-group test in //ACL is configured for the packet and doesn’t allow the IP address ‘in’
  • We can see it in the counters of ACL using #show ip access-list test2

  • Extended ACL:
  • #ip access-list test2
  • (test2)#permit ? //we can even specify higher layer protocols like TCP, UDP, OSPF, IP, ICMP, etc…
  • test1)#permit tcp 10.10.10.3/32 host 10.10.10.4 eq ssh
  • //Source IP for which TCP ACL is being configured
  • //host tells us that the ACL is for a single destination host
  • //Next we give the destination IP
  • //eq is for telling which port number. We can either use the port number itself or tell the name of protocol. Eg) ssh
  • Note: deny is an implicit rule. So, no need to configure that on any ACL
  • The above ACL will work if the protocol is TCP and the Source and destination IP are matching and blocks ssh
  • Now, try to ssh from 1st switch to 3rd switch
  • We configured ssh on 2nd switch’s  egress port using:

#int et 14/1

#ip access-group test2 out

  • We can see that only ssh will work, ping and all won’t work.
  • We can see it in the counters of ACL using #show ip access-list test2

  • Resequence: We can go into an ACL and use resequence command to resequence the ACL options
  • We should optimize ACLs as TCAMs are expensive
  • For example, Requirements: All VLANs should be able to communicate with each other but not to gateway.
  • If we have 4 VLANs, then, if we give 4 ACLs; then, it is not optimal
  • 10.10.0.X                 //vlan 10 IP
  • 10.10.10.X                 //vlan 20 IP
  • 10.10.20.X                 //vlan 30 IP
  • 10.10.30.X                 //vlan 40 IP
  • So, we can use IP address and wildcard masks carefully.
  • #deny 10.10.10.254 10.10.(00011110)b.0  →
  •  #deny ip any 10.10.10.254 10.10.30.0
  • Also, we have implicit deny, so we need to give #permit ip any any
  • Thus, ACL summarization is important
  • Now, to deny all odd IP address only:
  • #deny <ip address> 10.10.10.0 0.0.0.254  //this wildcard applies only to all odd IP addresses
  • Now to match only 4,8,16,32,64,128 IP address:
  • Wildcard is X.X.X.(1111 1100)b
  • See this:

2 comments:

  1. I am glad that I came here and discovered lots of valuable data from your article. It is a beneficial and convenient article for us to increase knowledge.Arista Networks Houston Thanks for sharing an article like this.

    ReplyDelete
  2. Anyone looking for Experience Certificate Providers in Delhi, India with Complete Documents So Dreamsoft Consultancy is the Best Place.Further Details Here- 9599119376 or Visit Website- https://experiencecertificates.com/experience-certificate-provider-in-delhi.html

    ReplyDelete