CCNA: ACLs

2 minute read

Description:

Standard ACLs = close to the destination as possible
Extended ACLs = close to the source as possible

Standard ACL created and applied to interface:

Router(config)#access-list 1 permit 172.16.1.1 # only permit or deny based on source IP
Router(config)#access-list 1 permit 172.16.2.1
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#end

To add an ACL for a line interface

Router(config)#line vty 0 15
Router(config-line)#access-class 101 in

Matching subnet 192.200.1.0 255.255.255.192 would require the following:

Router(config)#access-list 1 permit 192.200.1.0 0.0.0.63 # remember that this would drop all packets not in this network!

Take off the active interface:

Router(config)#int FastEthernet0/0
Router(config-if)#no ip access-group 1 in
Router(config-if)#end

To modify one:

  1. View the access list
Router#show ip access-list
  1. Copy and paste to notepad. Make sure to put an “!” in between each line to tell the router to do a carriage return.
    ex:
access-list 1 permit host 172.16.1.1
!
access-list 1 permit host 172.16.2.2

change to:
access-list 1 deny host 172.16.1.1
!
access-list 1 permit host 172.16.2.2
  1. Take it off the interface
Router#config t
Router(config)#int fa0/0
Router(config-if)#no ip access-group 1 in
Router(config-if)#end
  1. Modify it
Router(config)# # this will over-ride whatever is current
Router(config)#end
  1. Re-apply to interface
Router#config t
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#end

To create a named Standard ACL

Router(config)#ip access-list standard test
Router(config-std-nacl)#15 permit 172.20.1.1
Router(config-std-nacl)#end

To Add to an ACL

Router(config)#ip access-list standard test
Router(config-std-nacl)#15 permit 172.20.1.1
Router(config-std-nacl)#do show ip access-lists
Standard IP access list test
30 permit 10.1.1.1
20 permit 192.168.1.1
15 permit 172.20.1.1
10 permit 172.16.1.1

To Remove an ACL line: no (acl sequence number)

Router(config)#ip access-list standard test
Router(config-std-nacl)#no 15
Router(config-std-nacl)#do show ip access-lists
Standard IP access list test
30 permit 10.1.1.1
20 permit 192.168.1.1
10 permit 172.16.1.1

To resequence an ACL: ip access-list resequence (acl_name, starting_seq_number, step_to_increment)

Router(config)#ip access-list resequence test 100 20
Router(config)#do show ip access-lists
Standard IP access list test
100 permit 10.1.1.1
120 permit 172.20.1.1
140 permit 172.16.1.1
# The resequence command created new sequence numbers, starting from 100, and incremented them by 20 for each new ACL line.
Router(config)#ip access-list extended test
Router(config)#no 10
Router(config)#10 deny tcp any any eq 80 log
# When a packet hits that matches the rule, this is what you will see
%SEC-6-IPACCESSLOGP: list test denied tcp 10.10.10.2(24667) -> 10.10.10.1(80), 1 packet
# For even more information, replace "log" with "log-input" which includes the incoming interface and the source MAC address.
%SEC-6-IPACCESSLOGP: list test denied tcp 10.10.10.2(14013) (FastEthernet0/0 00aa.aabb.ccdd) -> 10.10.10.1(80), 1 packet

To configure an extended ACL:

access list [100-199] [permit/deny] [service/protocol] [source network/IP] [destination network/IP] [port#]
# can filter on source, destination, or port. Preferred.
For example:
Router(config)#access-list 101 deny tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq telnet
Router(config)#access-list 100 permit tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq ftp
Router(config)#access-list 100 permit icmp any any

To make sure a connection is established first:

access-list 102 permit tcp any host 172.30.1.1 eq ftp established
# The "established" keyword tells the router to permit the traffic only if it was originated by hosts on the inside.
# I'm not going into too many examples here because there are so many combinations!!

Show commands (all ACLs):

show access-lists
show ip acces-list interface [in/out] # more details

 

Tags:

Categories:

Updated: