Access-List Refresher: Standard, Extended, and Named ACL’s – Very good refresher material, some of this material like best practices I had even forgotten

[Figure: OSPF_Base_Topology]

I was going to use just two routers for this example, since it was after work and I was tired and rushing, but I stopped and decided to be thorough rather than work only with loopbacks. Please ignore the Stub labels in the topology; those areas are not stubs, though the rest of the OSPF information is correct. Also missing is the Ethernet segment between R2 and R3, 172.12.23.0/24 in Area 23; once I get some time I will correct this topology.

(Topology corrected)

A couple of key points about ACLs that you might forget if you are rusty:

  • ACLs use a wildcard mask, not a subnet mask; an entry written with a subnet mask is simply wrong
  • An ACL must be applied to an interface to filter anything, and a direction of traffic flow MUST be chosen or the command will not go through

First, there is one subject that any CCNP candidate should refresh, and that is where to place the different types of ACLs, so I simply list the type, where to put it, and why.

Where to put ACLs and why:

The point of this discussion is that ACLs should be placed so that routers and other network devices do as little processing as possible on traffic traversing the network, so there are natural best places for the different types of ACLs:

Extended access-lists: In real life you should almost always configure these on the router closest to the source of the traffic, preferably applied “in” on the main LAN uplink port, which saves the local router resources compared with filtering “out” on the WAN port. Either way, best practice dictates that extended ACLs be placed closest to the source the traffic originates from.

Standard access-lists: You should configure these on the routers as close to the source as possible, because they only use the source address as the criterion for dropping packets.

First, let’s look at some access-list configuration output to get an idea of the ranges:

R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

R1(config)#access-list

As can be seen, there are a lot of ranges here, but only four of them matter for IP ACLs: the standard ranges and the extended ranges.

  • Standard ranges are 1-99 and 1300-1999
  • Extended ranges are 100-199 and 2000-2699

Named ACLs are really extended ACLs that use a name instead of a number, which I like: since practically nobody uses remark statements on ACLs, in the real world an intuitive name is sometimes the only documentation you get.

I used Loopback44 with IP address 44.44.44.1 as R4’s RID, since we will be blocking some traffic to 4.4.4.4, and just got the virtual link to form; that is almost as much work as the ACL configuration (if not more), and that is assuming everything goes smoothly.

SO LET’S GET TO WORK SO I CAN ENJOY THE REST OF MY NIGHT 😀

First, verify that R5 and R4 see each other’s loopbacks and can ping each other:

R4#sh ip route ospf

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:06:51, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
O IA     172.12.23.0/24 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
O        172.12.123.0/24 [110/65] via 172.12.34.3, 00:06:51, FastEthernet0/1
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#
ASR#5
[Resuming connection 5 to r5 … ]

R5(config-router)#^Z
R5#sh
*Mar 14 04:37:13.827: %SYS-5-CONFIG_I: Configured from console by console
R5#sh ip route ospf

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:13:05, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
O IA     4.4.4.4 [110/67] via 172.12.15.1, 00:07:03, FastEthernet0/1
      44.0.0.0/32 is subnetted, 1 subnets
O IA     44.44.44.1 [110/67] via 172.12.15.1, 00:02:46, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.23.0/24 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:14:53, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.15.1, 00:17:03, FastEthernet0/1
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R5#

Beautiful. The first example is a standard access-list blocking all traffic from reaching 4.4.4.4. This presents a fun opportunity, because R3 also has an interface in an Ethernet segment not yet shown in the topology, so I want to get this as close to the source address as I can by applying it outbound on the interface facing the destination network rather than “in” on the WAN interface where the packets arrive:

R3(config-router)#exit
R3(config)#access-list 15 deny 172.12.15.0 0.0.0.255
R3(config)#access-list 15 permit any
R3(config)#int fa0/1
R3(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

R3(config-if)#ip access-group 15

% Incomplete command.

R3(config-if)#ip access-group 15 ?
  in   inbound packets
  out  outbound packets

R3(config-if)#ip access-group 15 out
R3(config-if)#

I left that derp in there to underscore that you really must remember to choose a direction; in this instance it is outbound traffic toward R4, blocking network 172.12.15.0:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
R5#

Success, but we demand answers about that U.U.U. The explanation is that, as part of the router’s “security”, it doesn’t just want to silently drop pings and let a would-be intruder know an ACL is set, so it responds with the same reply you get when an upstream router has no return route to your network.

Also, I chose the Fa0/1 interface and the “out” direction so it only impacts that network, and not “in” on the WAN interface, where it could interfere with traffic destined for the 172.12.23.0/24 network.

So, on to extended ACLs!

This will be an R3 configuration again. This time I don’t want R4 to be able to ping 1.1.1.1 on R1, which will again go on R3’s Fa0/1 interface. We get to have one ACL in each direction on an interface, so no sweat:

R3(config-if)#exit
R3(config)#access-list 111 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

R3(config)#access-list 111 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R3(config)#access-list 111 deny ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R3(config)#access-list 111 deny ip any ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config)#access-list 111 deny ip any host 1.1.1.1 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

R3(config)#access-list 111 deny ip any host 1.1.1.1
R3(config)#int fa0/1
R3(config-if)#ip access-group 111 in
R3(config-if)#

As can be seen, you always have to state permit / deny / remark with ACLs; I like that this has never changed, that your first order of business is always permit or deny.

I completely screwed the pooch on this configuration, though. I am not sure if you (the one person maybe reading this post) caught it: I forgot the permit ip any any statement to allow all other traffic to flow without the implicit deny smacking it down.

In fact, it started impacting the network almost immediately, so let’s examine the output that showed me I had killed the OSPF adjacencies with no regard for OSPF life, and then correct the issue:

The adjacencies dying:

R3(config-if)#ip access-group 111 in
R3(config-if)#
*Mar  2 09:59:45.761: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R3(config-if)#
*Mar  2 09:59:51.266: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached

Fixing the adjacencies:

R3(config-if)#exit
R3(config)#access-list 111 permit ip any any
*Mar  2 10:04:55.661: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config)#
*Mar  2 10:05:10.690: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from LOADING to FULL, Loading Done

Now let’s test a ping to 1.1.1.1 from R4 and move right along:

[Resuming connection 4 to r4 … ]

R4(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R4(config)#

Note that the reply here is all dots rather than U.U.U; I found out why while working with the ACL below, so read on.

And finally, named ACLs!

Exactly the same as an extended ACL, except that it uses a name, making it a bit more intuitive. I just learned tonight (or probably re-learned) that you can also drop into ACL configuration mode with an extended ACL number to revise it line by line:

R3(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List

R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

R3(config)#ip access-list extended 111 ?
  <cr>

R3(config)#ip access-list extended 111
R3(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1  
    20 permit ip any any (118 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config)#
R4(config)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:11:43, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:11:43, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback4
      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:11:43, FastEthernet0/1
      44.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        44.44.44.0/24 is directly connected, Loopback44
L        44.44.44.1/32 is directly connected, Loopback44

(At this point I have no idea that 1.1.1.1 is not in the routing table; my tired mind has once again glossed over a major detail while looking for some other information.)

R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]

R3(config-ext-nacl)#15 ?
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  permit    Specify packets to forward

R3(config-ext-nacl)#15 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R3(config-ext-nacl)#15 deny ip 172.12.34.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config-ext-nacl)#15 deny ip host 172.12.34.4 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config-ext-nacl)#15 deny ip host 172.12.34.4 host 2.2.2.2
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2
    20 permit ip any any (134 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)
R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (144 matches)
R3(config-ext-nacl)#

I actually did this to fix it before realizing I hadn’t put 1.1.1.1 into OSPF to be advertised:

R3(config-ext-nacl)#no 10
R3(config-ext-nacl)#10 deny ip host 172.12.34.4 host 1.1.1.1
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (162 matches)
R3(config-ext-nacl)#

I really did want to post that just to show how easy it is. The reason we got ….. instead of U.U.U was that R4 had no route to 1.1.1.1; let’s check now:

R4(config)#do sh ip route ospf | i 1.1.1.1
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:02:41, FastEthernet0/1
R4(config)#

Minimal output, maximum effort, so let’s ping away and see some hits:

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (208 matches)
R3(config-ext-nacl)#

Notice that the permit ip any any entry keeps incrementing for the OSPF traffic. I am also sure the deny entries would have worked with “any” as the source, because only R4’s traffic arrives on that interface, so that is fine.
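To tie together the two lessons from this section, the forgotten permit ip any any line that killed the OSPF adjacencies and the entry inserted at sequence 15, here is an added example (my own code, not from this post or from IOS) that models IOS first-match ACL evaluation with wildcard masks and the implicit deny. The ACL entries are the ones shown above; R5’s address 172.12.15.5 is an assumption.

```python
import ipaddress
from typing import NamedTuple

# Added example, not code from the post: a minimal model of how IOS evaluates a
# numbered ACL top-down, first match wins, with the implicit deny at the end.

class Ace(NamedTuple):
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; anything else must match exactly
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str      # same forms; a standard ACL only looks at source, so dst is "any"

def wildcard_match(spec: str, addr: str) -> bool:
    """True if addr matches an IOS address spec written with a wildcard mask."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.ip_address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.ip_address(parts[1]))
    net, wild = (int(ipaddress.ip_address(p)) for p in parts)
    # wildcard 0 bit = "must match", 1 bit = "don't care" (inverse of a subnet mask)
    return ((a ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst):
    """Return (seq, action) of the first matching entry, else (None, 'deny')."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if (ace.proto in ("ip", proto) and wildcard_match(ace.src, src)
                and wildcard_match(ace.dst, dst)):
            return ace.seq, ace.action
    return None, "deny"   # the implicit deny that ends every IOS ACL

# Standard ACL 15 from the post, applied "out" on R3 fa0/1
ACL_15 = [Ace(10, "deny", "ip", "172.12.15.0 0.0.0.255", "any"),
          Ace(20, "permit", "ip", "any", "any")]

# Extended ACL 111 as first typed, with the permit ip any any line forgotten
ACL_111_BROKEN = [Ace(10, "deny", "ip", "any", "host 1.1.1.1")]

# ACL 111 after the fix, plus the entry inserted at sequence 15
ACL_111_FIXED = ACL_111_BROKEN + [
    Ace(15, "deny", "ip", "host 172.12.34.4", "host 2.2.2.2"),
    Ace(20, "permit", "ip", "any", "any")]

def demo():
    """Replay the post's tests; 172.12.15.5 as R5's address is an assumption."""
    r5_ping = evaluate(ACL_15, "icmp", "172.12.15.5", "4.4.4.4")
    # OSPF hello from R4 to AllSPFRouters (224.0.0.5), arriving "in" on R3 fa0/1
    ospf_broken = evaluate(ACL_111_BROKEN, "ospf", "172.12.34.4", "224.0.0.5")
    ospf_fixed = evaluate(ACL_111_FIXED, "ospf", "172.12.34.4", "224.0.0.5")
    r4_to_r2 = evaluate(ACL_111_FIXED, "icmp", "172.12.34.4", "2.2.2.2")
    return r5_ping, ospf_broken, ospf_fixed, r4_to_r2

if __name__ == "__main__":
    names = ("R5 -> 4.4.4.4 (ACL 15)", "OSPF hello, ACL 111 broken",
             "OSPF hello, ACL 111 fixed", "R4 -> 2.2.2.2 (ACL 111)")
    for name, result in zip(names, demo()):
        print(f"{name:28} {result}")
```

With the broken ACL 111 the OSPF hello falls off the end of the list and hits the implicit deny, which is exactly why the adjacency on Fa0/1 went down.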

I won’t go through a full named ACL configuration, since you’ve seen in the access-group on interfaces that you can use a word instead of a number, and you’ve also seen the ACL (or nacl) configuration mode and a bit of how it works, but I will show you this:

R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

R3(config)#ip access-list extended

Once you type a number from those ranges or a word, it puts you into nacl configuration mode to build your ACL.

The only real tricky part is typing “ip” first when configuring the access-list, to get into nacl configuration mode to remove and insert lines in extended lists; otherwise named ACLs work exactly the same as extended ones, they just swap numbers for names.

As much as I want this to be over, here are a couple of commands to quickly verify which ACLs are on your router or on a given interface:

R3#sh access-list
Standard IP access list 15
    10 deny   172.12.15.0, wildcard bits 0.0.0.255 (8 matches)
    20 permit any
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (243 matches)
R3#

It doesn’t show you which interfaces they are applied to (or what mechanism on the router is using them), but it shows they exist and their hit counts. Which ACL is applied to an interface is seen under ip access-group in sh run, but because we can’t count on that on lab day, you can also use “sh ip int …”:

R3#sh ip int fa0/1
FastEthernet0/1 is up, line protocol is up
  Internet address is 172.12.34.3/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is 15
  Inbound  access list is 111
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
R3#

Alright, that concludes my middle-of-the-night lab session on ACLs; see you next time with some time-based ACL configurations!
