Monday, May 25, 2015

Configure Cisco Named Extended Access Control List

In this article will demonstrate on extended named access control List (Extended Named ACL).
Access control list is used for filtering unwanted traffic, there are two types of acl :numbered and named acl. numbered access lists are either standard or extended. Also, named access lists are either standard or extended. So, there are four access lists
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

 In this article will cover Named Extended Access List. Extended means it will filter the packet based on the source ip address, destination ip address, protocol, and port. Named  means that the access list is identified by name not by number and has a feature of editing (adding and removing specific lines capability).

Access Control List Rules
1- If you use Numbered (Standard and Extended) and Named (Standard and Extended) Access Lists, the packet is always compared with each line of the access list in sequential order, means If the source packet ip address matches the first line(entry) of the acl, the router will not check  all other entries in the access list. If the source ip address doesn't match the first line of the acl, the router will check the second line and so on. The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, no further comparisons take place.
2- There is an implicit deny at the end of each access list—this means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.
3- The access list is applied on an interface in a specific direction -Inbound or Outbound. Inbound: The packets will be processed through the acl before routed to the outbound interfaces. Outbound: The packets are routed to the outbound interface, and then processed through the acl.
4- Standard (numbered and named) access control lists filter network traffic by examining the source ip address in a packet (filtering traffic based on the source ip address).
5- The Named Access Lists (Standard and Extended) are editable, means you can insert a line in between the lines or at the top of the entries. Also you can delete specific line. So, there is a capability of modifying the access list(adding a line or deleting specific line).
6- Standard Access Control List is placed as close to destination as possible.
7- Extended Access Control List is placed as close to source as possible.

Extended Named Access Lists
Named Extended Access Control Lists use the following syntax
R(config)# ip access-list extended <access-list-name>
R(config-ext-nacl)<permit/deny> <protocol> < source address> <wildcard mask> <destination address> <wildcard mask><operator> <port>
[protocol]
PROTOCOL
DESCRIPTION
ahp
Authentication Header Protocol
eigrp
Cisco’s EIGRP routing protocol
esp
Encapsulation Security Payload
gre
Cisco’s GRE tunneling
icmp
Internet Control Message Protocol
ip
Any Internet Protocol
ospf
OSPF routing protocol
tcp
Transmission Control Protocol
udp
User Datagram Protocol
[operator]
OPERATOR
DESCRIPTION
dscp
Match packets with given dscp value
eq
Match only packets on a given port number
established
established
gt
Match only packets with a greater port number
lt
Match only packets with a lower port number
neq
Match only packets not on a given port number
precedence
Match packets with given precedence value
range
Match only packets in the range of port numbers
[port]
PORT
DESCRIPTION
Port number
ftp
File Transfer Protocol (21)
pop3
Post Office Protocol v3 (110)
smtp
Simple Mail Transport Protocol (25)
telnet
Telnet (23)
www
World Wide Web (HTTP, 80)


Configuring cisco named extended access control list


Looking at the above diagram, we want preventing network 192.168.10.0/24 from accessing network 192.168.30.0/24 using icmp-echo (ping) and ftp only, and everything else is permitted.
The extended access list is applied as close to source network, and we want preventing network 192.168.10.0/24 (Source) from accessing network 192.168.30.0/24(Destination) using icmp-echo and ftp. That's why i will write the configuration on Router0.

Configuration Steps:
1- Create an access list
1-Router0(config)#ip access-list extended tariq
2-Router0(config-ext-nacl)# deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 echo
3-Router0(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
4-Router0(config-ext-nacl)# permit ip any any
Line 1:creating extended named access list, and tariq is the name of the access-list Line2:denying echo(ping) from the source network 192.168.10.0/24 to the destination network 192.168.30.0/24, echo is an application of the icmp protocol
Line3:denying ftp from the source network 192.168.10.0/24 to the destination network 192.168.30.0/24, ftp uses tcp.
Line4:permitting any protocol (ip means any protocol) from any source network to destination network, this means permitting everything.

2- The access list is applied on an interface in a specific direction: no action (permit or deny)  will be taken until the access list is applied on an interface in a specific direction.
In this example we will apply the acl on the interface f0/0 in inbound direction, means the router interface g0/0 will receive the icmp-echo and ftp packets from network 192.168.10.0/24 that are going to network 192.168.30.0/24 and prevent these packets from being routed to the other interfaces such as s0/0/0. So it blocks network 192.168.10.0/24 from reaching network 192.168.30.0/24 using the icmp-echo(ping) and ftp.
before writing the commands below, host 192.168.10.2 can ping to 192.168.30.2
Router0(config)#int f0/0
Router0(config-if)#ip access-group tariq in
After writing the above commands (applying the acl on the interface), host 192.168.10.2 can't ping to 192.168.30.2

To edit this named access list https://youtu.be/RToV6h2rGeM
To view the configured access list
Router#sh access-lists
Extended IP access list tariq
10 deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 echo (4 match(es))
20 deny tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq ftp
30 permit ip any any (4 match(es))




For more details, watch this simple and short video on youtube
http://adf.ly/1Hmo2r
https://youtu.be/Tj6H8pg06f0
To get automatic updates on your facebook, join a facebook group
https://www.facebook.com/groups/netsyshorizon/


No comments:

Post a Comment