ccie.nyquist.eu
ACLs 101

An ACL contains one or more ACEs (Access Control Entries) that permit or deny traffic. ACEs are evaluated in order and the first match wins; every ACL has an implicit deny any at the end.

Numbered ACLs

Standard ACLs

R(config)# access-list ACL-NUMBER {permit|deny} {IP-ADDRESS [WILDCARD] | any} [log]
! ACL-NUMBER: 1-99, 1300-1999
! when the wildcard is missing, a default of 0.0.0.0 is used (exact host match)
! any <=> 0.0.0.0 255.255.255.255
! log = adds an entry in the log (one entry every 5 minutes)
R(config)# access-list ACL-NUMBER remark COMMENT

You cannot edit one individual entry in a numbered ACL. The ACL must be deleted and re-created.

Extended ACLs

R(config)# access-list ACL-NUMBER {permit|deny} PROTOCOL {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} [OPTIONS] [log|log-input]
! ACL-NUMBER: 100-199, 2000-2699
! PROTOCOL = ip, tcp, udp, icmp, a protocol number, etc.
! any <=> 0.0.0.0 255.255.255.255
! host IP <=> IP 0.0.0.0
! log = adds an entry in the log (one entry every 5 minutes)
! log-input = adds additional info to the log (input interface, source MAC)
! OPTIONS: dscp, precedence, tos, IP options, fragments, ttl, ports (eq, range...), TCP flags...
R(config)# access-list ACL-NUMBER remark COMMENT

Established

One option for TCP traffic is to allow only packets that belong to an already established connection. Packets that are part of an established TCP connection have the ACK or RST bit set. By adding the established keyword at the end of a TCP extended ACE, you match only these packets:

R(config-ext-acl)# {permit|deny} tcp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} established

This is useful when you don’t want one side to initiate the connection, but you need it to be able to respond to connections initiated from the other side.

Matching Tips

Here are some tips for matching traffic with extended ACLs:

! Match RIP
R(config-ext-acl)# {permit|deny} udp {any|SRC-IP SRC-WILDCARD} any eq {520|rip}
! Match EIGRP
R(config-ext-acl)# {permit|deny} eigrp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD}
! Match OSPF
R(config-ext-acl)# {permit|deny} ospf {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD}
! Match BGP
R(config-ext-acl)# {permit|deny} tcp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} eq {179|bgp}
! Match LDP (TCP 646 for the session, UDP 646 for hellos)
R(config-ext-acl)# {permit|deny} tcp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} eq 646
R(config-ext-acl)# {permit|deny} udp {any|SRC-IP SRC-WILDCARD} any eq 646
! Match TDP (TCP 711 for the session, UDP 711 for hellos)
R(config-ext-acl)# {permit|deny} tcp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} eq 711
R(config-ext-acl)# {permit|deny} udp {any|SRC-IP SRC-WILDCARD} any eq 711
! Match FTP (control 21, active-mode data 20)
R(config-ext-acl)# {permit|deny} tcp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} range 20 21
! Match ping
R(config-ext-acl)# {permit|deny} icmp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} echo
R(config-ext-acl)# {permit|deny} icmp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} echo-reply
! Match traceroute (UDP probes and the ICMP replies they trigger)
R(config-ext-acl)# {permit|deny} icmp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} time-exceeded
R(config-ext-acl)# {permit|deny} icmp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} port-unreachable
R(config-ext-acl)# {permit|deny} udp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} range 33434 33464
! Match Path MTU Discovery
R(config-ext-acl)# {permit|deny} icmp {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} packet-too-big

To see a list of the most used well-known ports, use:

R# show ip port-map

Named ACLs

Standard ACLs

R(config)# ip access-list standard ACL-NAME
R(config-std-nacl)# {permit|deny} {IP-ADDRESS [WILDCARD] | any} [log]
R(config-std-nacl)# remark COMMENT

Extended ACLs

R(config)# ip access-list extended ACL-NAME
R(config-ext-nacl)# [seq-number] {permit|deny} PROTOCOL {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} [OPTIONS] [log|log-input]
! seq-number can be used to edit an ACL entry or to insert one entry into an existing ACL
! if seq-number is missing, the ACE is appended with a seq-number of max-seq-number+10
R(config-ext-nacl)# remark COMMENT

Since ACEs can have a custom seq-number, an ACL can be re-sequenced to make room for further insertions:

R(config)# ip access-list resequence ACL-NAME SEQ-START INCREMENT
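The sequence-number rules above (append at max+10, insert at an explicit number, renumber with resequence), modelled in Python as an added example that is not part of the original page or of IOS. The class and its method names are assumptions; editing an existing entry is modelled as removing it and re-adding under the same number, since a duplicate sequence number is rejected.

```python
class NamedAcl:
    """Model of IOS named-ACL sequencing (constructed example, not an IOS API)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}           # seq-number -> ACE text; sorted whenever read

    def add(self, ace, seq=None):
        """Append with max-seq+10 (10 when empty), or insert at an explicit seq."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:     # a duplicate sequence number is refused
            raise ValueError(f"duplicate sequence number {seq}")
        self.entries[seq] = ace
        return seq

    def remove(self, seq):
        """`no SEQ` inside the ACL; edit = remove, then add under the same seq."""
        del self.entries[seq]

    def resequence(self, start, increment):
        """ip access-list resequence NAME START INCREMENT: renumber, keep order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: ace for i, ace in enumerate(ordered)}

    def show(self):
        """Entries in the order `show ip access-lists` would print them."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]
```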

Using ACLs

Filter traffic on an interface

R(config-if)# ip access-group ACL {in|out}

Limit CLI access

R(config-line)# access-class ACL {in|out}
! ACL - can only be a standard ACL
! in - ACL applies to inbound connections to the line; matches the source address
! out - ACL applies to outbound connections opened from the line (e.g. telnet from the CLI); matches the destination address

Fragments

By default, an ACL without the fragments keyword works in the following manner:

  • If the ACL contains only Layer 3 information (SRC-IP, DEST-IP) the entry is applied to nonfragmented packets, initial fragments and non-initial fragments

  • If the ACL contains both Layer 3 and Layer 4 information (SRC-IP, DEST-IP, Layer 4 protocol):

    • The entry is applied to nonfragmented packets and initial fragments

    • If the entry is a permit, it is also applied to non-initial fragments, but since the Layer 4 information is missing from them it matches on Layer 3 information only and ignores the Layer 4 conditions.

    • If the entry is a deny, it will be ignored for non-initial fragments, and the next ACE is processed

When using the fragments keyword, the entry is applied only to non-initial fragments. Non-fragmented packets and initial fragments are not matched. This keyword cannot be used on entries that use Layer 4 information.
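The matching rules on this page (wildcard masks, the established keyword, the implicit deny, and the fragment behaviour just described), worked through in Python as an added example that is not part of the original page or of IOS. The ACE and packet dictionaries, the constructed sample ACL and the function names are all assumptions; the protocol field lives in the IP header, so it is treated as Layer 3 information here.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def l3_match(ace, pkt):
    """Fields in the IP header, present in every fragment: protocol, src, dst."""
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"])
            and wildcard_match(pkt["dst"], *ace["dst"]))

def l4_match(ace, pkt):
    """Port / TCP-flag conditions; established = ACK or RST bit set."""
    if ace.get("dport") is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace.get("established") and not ({"ACK", "RST"} & pkt.get("flags", set())):
        return False
    return True

def evaluate(acl, pkt):
    """First matching ACE wins; implicit deny at the end of the list."""
    non_initial = pkt.get("frag") == "non-initial"
    for ace in acl:
        if ace.get("fragments"):        # keyword: non-initial fragments only, L3 only
            if non_initial and l3_match(ace, pkt):
                return ace["action"]
            continue
        if not l3_match(ace, pkt):
            continue
        if ace.get("dport") is None and not ace.get("established"):
            return ace["action"]        # pure L3 entry applies to every packet
        if non_initial:                 # L4 data is absent in this fragment
            if ace["action"] == "permit":
                return "permit"         # permit matches on L3 alone
            continue                    # deny is skipped, next ACE is tried
        if l4_match(ace, pkt):
            return ace["action"]
    return "deny"                       # implicit deny any

# Constructed sample ACL (not from the page): deny telnet to one host, permit established
# TCP into 10.1.1.0/24, drop other non-initial fragments to it, permit 10.1.0.0/16 sources
ANY = ("0.0.0.0", "255.255.255.255")
SAMPLE_ACL = [
    dict(action="deny", proto="tcp", src=ANY, dst=("10.1.1.1", "0.0.0.0"), dport=23),
    dict(action="permit", proto="tcp", src=ANY, dst=("10.1.1.0", "0.0.0.255"), established=True),
    dict(action="deny", proto="ip", src=ANY, dst=("10.1.1.0", "0.0.0.255"), fragments=True),
    dict(action="permit", proto="ip", src=("10.1.0.0", "0.0.255.255"), dst=ANY),
]
```

Note that a non-initial TCP fragment to 10.1.1.1 is permitted by the established entry on its Layer 3 fields alone, before the fragments entry is ever reached; that is the behaviour the rules above describe.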

Logging ACLs

You must use the log keyword at the end of an ACE to enable generation of syslog messages when the ACE is hit. Matches are summarised into one message every 5 minutes. You can also set the number of hits that will trigger a log entry using:

R(config)# ip access-list log-update threshold HITS

For extended ACLs, you can use the log-input keyword to add more information to the log (input interface, source MAC). You can add custom tags to the logs by using the log keyword followed by the tag, or you can generate automatic hashtags for each ACE by setting:

R(config)# ip access-list logging hash-generation

These hashtags will identify the ACE that generated them in the log output.
