Standard Access List

to create a statement of standard ACL, enter the following command at global configuration level
access-list access-list-number [deny|permit] [remark] source source-wildcard [log]

access-list-number: number of the access list, this can be 1-99 or 1300-1999 (standard ACL)
deny: drop the packet if the condition matches
permit: pass the packet if the condition matches
remark: this is used for documentation, this add a remark about entries in the access-list to make it easier to be read.
source: address of the network or host from which the packet is sent, two ways to specify the source
  • 32bit, four part dotted-decimal format
  • any, don't care about the source address. abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
source-wildcard: wildcard bits for the source address. two ways to specify source-wildcard
  • 32bit, four part dotted-decimal format
  • any, abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
log: logs information about packets that match the entry, logs are sent to the console (level of the details the messages shown in the console is controlled by the "logging console" command)


Removing an ACL
enter the following command at the global configuration level
no access-list access-list-number

access-list-number:number of the access list to be removed, this can be 1-99 or 1300-1999 (standard ACL)


Wildcard Mask
wildcard mask and subnet mask are both 32bits long, subnet mask is used to determine parts of the ip address to be the network id and the host id. wildcard mask is used to filter ip adresses to determine whether to permit or deny the pakcets. subnet mask uses binary 1s to make a match while 0s means not a match. wildcard mask uses binary 1s to ignore the corresponding ip address bit while 0s means that the corresponding bit should match.
example:
00000000 -> all address bit should match
00001111 -> matches first four bits, ignores four last bit
11110000 -> ignores first four bits, matches four last bit
11111111 -> ignore all bits in this octet

you can calculate a wildcard mask easily by subtracting the subnet mask from 255.255.255.255. example:
1. say that you want to filter the whole network of 192.168.1.0 because its subnet mask is 255.255.255.0, you can do
255.255.255.255
255.255.255.000 -
---------------
000.000.000.255 -> wildcard mask

2. you want to filter only the first 14 hosts of 192.168.1.0
255.255.255.255
255.255.255.240 -
---------------
000.000.000.015

3. you want to filter hosts from network 192.168.1.0 and 192.168.2.0, because bits of the network part that's the same between 192.168.1.0 and 192.168.2.0 is the first 22bits, you can do
255.255.255.255
255.255.252.000 -
---------------
000.000.003.255



you can avoid calculating the wildcard mask by using the host and any keyword:
  • host, is a substitute of the 0.0.0.0 means that all bits of the ip address should match. is used when you just want to filter a single host.
  • any, is a substitute of the 255.255.255.255 means to ignore all bits. used when you don't care from which the packet is sent.

example
access-list 1 permit any
access-list 1 permit host 192.168.10.10


Applying access-list to an interface
enter the following command at the interface configuration level
ip access-group [access-list-number | access-list-name] [in|out]

access-list-number: the number of the access-list that you want to apply
access-list-name: the name of the access-list that you want to apply
in : apply the access-list at inbound direction
out: apply the access-list at outbound direction

for example, let's say that you want to apply access-list 1 on interface Serial0/0 at outbound direction, you would enter the command
interface serial0/0/0
ip access-group 1 out


in addtion to restricting the remote connection through SSH only, you can also increase security by applying an access-list to the vty lines, the command is
access-class access-list-number [in [vrf-also] | out]

access-list-number: the number of the access-list that you want to apply
in : restricts incoming connection between a particular Cisco device and the addresses in the access-list.
out: restricts outgoing connections between a particular Cisco device and the addresses in the access list.

somethings to note about applying access-list on vty lines are:
  • apply the access-list to all of the lines. users can connect to any of it.
  • only numbered access-list can be applied at the vty lines.

example applying access-list 1 to incoming connection of vty 0-4.
line vty 0 4
login
password cisco
access-class 1 in


Editing Numbered Access-List
there's no built in editing feature to edit a change in an ACL. you cannot selectively insert or delete lines. to edit a numbered ACL, do the following:
  • step 1. show the ACL to be edited from the running-configuration with the command "show running-configuration | include access-list", the "include access-list" is used to only show access-list configuration.
  • step 2. select all the lines of the ACL that you want to be edited, copy it to a text editor. edit the ACL as required in the text editor.
  • step 3. back to the CLI. in global configuration mode, delete the ACL using "no access-list access-list-number" command. then paste the edited ACL from the text editor to the CLI.

Creating Named Access-List
first, you can create a named ACL with a command entered at the global configuration level, the syntax is:
ip access-list [standard | extended] name

name: the name of the access-list

then you will be in the access list configuration level. you can create statements for the ACL. to create a statement use the "permit" or "deny" command. you can also create a comment for each statment using the "remark" command. the syntax is:
[permit | deny | remark] {source [source-wildcard]} [log]

then you can apply the ACL to an interface by first enter the corresponding interface configuration level and enter the following command:
ip access-group name [in | out]

name: the name of the access-list


after you create an ACL (numbered or named) you can verify the ACL by using the command "show access-list" at the privileged EXEC mode.


Editing Named Access List
since Cisco IOS Software Realese 12.3, named ACLs are easier to be edited. you can edit individual entries in a named ACL. when you use the "show access-list" command, you can see that each entry in a named ACL, has a sequence number in front of it (the number usually starts from 10 and has an interval of 10 for the next entry). you can delete an entry or insert an entry without remaking the whole ACL.

let's say you want to insert an entry between the first entry and the second entry. you can enter the ACL configuration level using the command "ip access-list [standard | extended] name" command, and then enter the following
sequence-number [permit | deny] {source [source-wildcard]} [log]

sequence-number: a number that will determine the order of the statement in the list. if you want this entry to be between the first and the second entry, enter a number between 10 and 20.

0 comments:

top