I was going to use just two routers for this example, since I was tired and rushing after work, but I stopped and decided to be thorough rather than work only with loopbacks. So please ignore the "Stub" labels in the topology; those areas are not stubs, though the OSPF information is correct. Also missing is the Ethernet segment between R2 and R3, 172.12.23.0/24 in Area 23; once I get some time I’ll adjust this topology to be correct.
(Topology corrected)
A couple of key points about ACLs that you might forget if you are rusty:
- ACLs use a wildcard mask, so if you see a subnet mask in an ACL line, it is immediately invalid
- ACLs must be applied to an interface to do any filtering, and a direction of traffic flow MUST be chosen for the command to go through
First, there is one subject that is important for any CCNP candidate to refresh: where to place the different types of ACLs. So I just list here the type, where to put it, and why.
Where to put ACLs and why:
The point of this conversation is that ACLs should be placed so that the least possible processing is spent on routers and network devices while traffic traverses the network, so there are naturally going to be best places for the different types of ACLs:
Extended access-lists: In real life you should configure these on the router closest to the source of the traffic practically all the time, preferably applied "in" on the main LAN uplink port, to save the local router some resources rather than filtering packets going "out" the WAN port. Either way, best practice dictates that extended ACLs be placed closest to the source they are originating from.
Standard access-lists: You should configure these on the router as close to the source as possible, because they only use the source address as the criterion for dropping packets.
First, let’s look at some access-list configuration output to get an idea of the number ranges:
R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
R1(config)#access-list
As can be seen, we have a lot of ranges here, but only four of them matter for this post; they were highlighted in two colors in the original, blue for the standard ACL number ranges and red for the extended ranges.
- Standard ranges are 1-99 and 1300-1999
- Extended ranges are 100-199 and 2000-2699
Named ACLs are really extended ACLs, only they use names instead of numbers for the access-list, which I like: since almost nobody uses the remark statements on ACLs, people at least sometimes name them intuitively, which is nice (in the real world).
So I used Loopback44 with IP address 44.44.44.1 as R4’s RID, since we will be blocking some traffic to 4.4.4.4, and just got the virtual link to form. That is almost as much work as the ACL configuration (if not more), and that’s assuming everything goes smoothly.
SO LETS GET TO WORK SO I CAN ENJOY THE REST OF MY NIGHT 😀
First, verify that R5 and R4 see each other’s loopbacks and can ping each other:
R4#sh ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/67] via 172.12.34.3, 00:06:51, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.12.15.0/24 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
O IA 172.12.23.0/24 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
O 172.12.123.0/24 [110/65] via 172.12.34.3, 00:06:51, FastEthernet0/1
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#
ASR#5
[Resuming connection 5 to r5 … ]
R5(config-router)#^Z
R5#sh
*Mar 14 04:37:13.827: %SYS-5-CONFIG_I: Configured from console by console
R5#sh ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/66] via 172.12.15.1, 00:13:05, FastEthernet0/1
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/67] via 172.12.15.1, 00:07:03, FastEthernet0/1
44.0.0.0/32 is subnetted, 1 subnets
O IA 44.44.44.1 [110/67] via 172.12.15.1, 00:02:46, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.12.23.0/24 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
O IA 172.12.34.0/24 [110/66] via 172.12.15.1, 00:14:53, FastEthernet0/1
O IA 172.12.123.0/24 [110/65] via 172.12.15.1, 00:17:03, FastEthernet0/1
R5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R5#
Beautiful. Now, the first example is a standard access-list blocking traffic from reaching 4.4.4.4, but this presents a fun opportunity: R3 also has an interface in an Ethernet segment not yet in the topology, so I want to keep this as close to the source address as I can by applying it to the outbound interface facing the destination network rather than to incoming packets from the WAN:
R3(config-router)#exit
R3(config)#access-list 15 deny 172.12.15.0 0.0.0.255
R3(config)#access-list 15 permit any
R3(config)#int fa0/1
R3(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
R3(config-if)#ip access-group 15
% Incomplete command.
R3(config-if)#ip access-group 15 ?
in inbound packets
out outbound packets
R3(config-if)#ip access-group 15 out
R3(config-if)#
I left that derp in there to underscore that you really need to remember a direction MUST be chosen; in this instance it is outbound traffic toward R4, blocking network 172.12.15.0:
R5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#
Success, but we demand answers about that U.U.U. The explanation is that, as part of the "security" of the router, it doesn’t just silently drop the pings and let a would-be intruder know an ACL is set; it responds with the same reply you get when an upstream router doesn’t have a return route to your network.
Also, I picked the Fa0/1 interface and the "out" direction again so it only impacts that network, rather than applying it "in" on the WAN interface, which could interfere with traffic destined for the 172.12.23.0/24 network.
So on to extended ACLs!
This will be an R3 configuration again; this time I don’t want R4 to be able to ping 1.1.1.1 on R1, and the ACL will again go on R3’s Fa0/1 interface. We can have one ACL applied in each direction, so no sweat:
R3(config-if)#exit
R3(config)#access-list 111 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
R3(config)#access-list 111 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R3(config)#access-list 111 deny ip ?
A.B.C.D Source address
any Any source host
host A single source host
R3(config)#access-list 111 deny ip any ?
A.B.C.D Destination address
any Any destination host
host A single destination host
R3(config)#access-list 111 deny ip any host 1.1.1.1 ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
R3(config)#access-list 111 deny ip any host 1.1.1.1
R3(config)#int fa0/1
R3(config-if)#ip access-group 111 in
R3(config-if)#
As can be seen, you always have to state permit / deny / remark with ACLs. I like that this has never changed: your first order of business is always permit or deny.
I completely screwed the pooch on this configuration though, and I am not sure if you (the one person reading this post, maybe) caught it: I forgot the permit ip any any statement that allows all other traffic to flow, so the implicit deny smacks everything else down.
In fact, it impacted the network almost immediately, so let’s examine the output that showed me I had killed the OSPF adjacencies with no regard for OSPF life, and then correct the issue:
The adjacencies dying:
R3(config-if)#ip access-group 111 in
R3(config-if)#
*Mar 2 09:59:45.761: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R3(config-if)#
*Mar 2 09:59:51.266: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
Fixing the adjacencies:
R3(config-if)#exit
R3(config)#access-list 111 permit ip any any
*Mar 2 10:04:55.661: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config)#
*Mar 2 10:05:10.690: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from LOADING to FULL, Loading Done
Now let’s test a ping to 1.1.1.1 from R4 and move right along:
[Resuming connection 4 to r4 … ]
R4(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4(config)#
It is using all dots for the reply; I found out why when working with the ACL below, check it out.
And finally, named ACLs!
Exactly the same as an extended ACL, except it uses a name, making it a bit more intuitive. I just learned tonight (or probably re-learned) that you can actually drop into ACL configuration mode with an extended ACL number as well, to revise the list line by line:
R3(config)#ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name
R3(config)#ip access-list extended 111 ?
  <cr>
R3(config)#ip access-list extended 111
R3(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
10 deny ip any host 1.1.1.1
20 permit ip any any (118 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]
R4(config)#
R4(config)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/66] via 172.12.34.3, 00:11:43, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/2] via 172.12.34.3, 00:11:43, FastEthernet0/1
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback4
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/67] via 172.12.34.3, 00:11:43, FastEthernet0/1
44.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 44.44.44.0/24 is directly connected, Loopback44
L 44.44.44.1/32 is directly connected, Loopback44
(At this point I had no idea that 1.1.1.1 was not in the routing table; my tired mind had once again glossed over a major detail while looking for some other information.)
R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]
R3(config-ext-nacl)#15 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
permit Specify packets to forward
R3(config-ext-nacl)#15 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R3(config-ext-nacl)#15 deny ip 172.12.34.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
R3(config-ext-nacl)#15 deny ip host 172.12.34.4 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
R3(config-ext-nacl)#15 deny ip host 172.12.34.4 host 2.2.2.2
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
10 deny ip any host 1.1.1.1
15 deny ip host 172.12.34.4 host 2.2.2.2
20 permit ip any any (134 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]
R4(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
10 deny ip any host 1.1.1.1
15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
20 permit ip any any (144 matches)
R3(config-ext-nacl)#
I actually did this to fix it before realizing I hadn’t put 1.1.1.1 into OSPF to be advertised:
R3(config-ext-nacl)#no 10
R3(config-ext-nacl)#10 deny ip host 172.12.34.4 host 1.1.1.1
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
10 deny ip host 172.12.34.4 host 1.1.1.1
15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
20 permit ip any any (162 matches)
R3(config-ext-nacl)#
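The three behaviours this lab runs into are worth seeing outside the CLI: the wildcard mask being the inverse of a subnet mask (so a subnet mask typed in its place matches the wrong thing), the implicit deny at the end of ACL 111 dropping R4’s OSPF hellos until permit ip any any was added, and inserting or replacing lines by sequence number in nacl mode. The small Python evaluator below is an added example, not from this post or from IOS; the AccessList, Entry, host and matches names, and the sample packets (an OSPF hello from 172.12.34.4 to 224.0.0.5, pings from R4), are my own constructions following the addressing of this lab. It models the standard IOS rules: wildcard bits set to 1 are "don’t care", entries are evaluated in sequence order, the first match wins, and anything unmatched hits the implicit deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is don't-care


def host(ip):
    """IOS 'host X' keyword: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def matches(addr, base, wildcard):
    """Wildcard match: compare only the bits where the wildcard is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def subnet_mask_to_wildcard(mask):
    """An ACL wants the inverse of the subnet mask; this does the inversion."""
    return str(IPv4Address(~int(IPv4Address(mask)) & 0xFFFFFFFF))


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol, otherwise the exact name
    src: tuple       # (address, wildcard)
    dst: tuple
    hits: int = 0

    def match(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and matches(src, *self.src)
                and matches(dst, *self.dst))


class AccessList:
    """Sequenced entries, first match wins, implicit deny at the end (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}

    def add(self, seq, action, proto, src, dst=ANY):
        self.entries[seq] = Entry(seq, action, proto, src, dst)

    def remove(self, seq):          # the 'no <seq>' command in nacl mode
        del self.entries[seq]

    def evaluate(self, proto, src, dst):
        for seq in sorted(self.entries):
            entry = self.entries[seq]
            if entry.match(proto, src, dst):
                entry.hits += 1
                return entry.action
        return "deny"               # the implicit deny that killed OSPF

    def show(self):                 # like 'show access-list': seq, action, proto, hits
        return [(e.seq, e.action, e.proto, e.hits) for _, e in sorted(self.entries.items())]


def implicit_deny_demo():
    """ACL 111 as first typed on R3: one deny and no 'permit ip any any'."""
    acl = AccessList("111")
    acl.add(10, "deny", "ip", ANY, host("1.1.1.1"))
    # Constructed packet: an OSPF hello from R4 to the AllSPFRouters group.
    before = acl.evaluate("ospf", "172.12.34.4", "224.0.0.5")
    acl.add(20, "permit", "ip", ANY, ANY)      # the fix that brought the adjacency back
    after = acl.evaluate("ospf", "172.12.34.4", "224.0.0.5")
    return before, after


def sequence_edit_demo():
    """Insert 15 between 10 and 20, then replace 10, as done in nacl mode."""
    acl = AccessList("111")
    acl.add(10, "deny", "ip", ANY, host("1.1.1.1"))
    acl.add(20, "permit", "ip", ANY, ANY)
    acl.add(15, "deny", "ip", host("172.12.34.4"), host("2.2.2.2"))
    acl.remove(10)
    acl.add(10, "deny", "ip", host("172.12.34.4"), host("1.1.1.1"))
    results = {
        "r4_to_1.1.1.1": acl.evaluate("icmp", "172.12.34.4", "1.1.1.1"),
        "r4_to_2.2.2.2": acl.evaluate("icmp", "172.12.34.4", "2.2.2.2"),
        "r4_to_5.5.5.5": acl.evaluate("icmp", "172.12.34.4", "5.5.5.5"),
    }
    return results, acl.show()


def wildcard_typo_demo():
    """Standard ACL 15's source with the right wildcard versus a subnet mask typed in its place."""
    right = ("172.12.15.0", "0.0.0.255")
    typo = ("172.12.15.0", "255.255.255.0")    # only the last octet is compared now
    return {
        "r5_lan_host_right": matches("172.12.15.5", *right),
        "r5_lan_host_typo": matches("172.12.15.5", *typo),
        "unrelated_net_typo": matches("10.0.0.0", *typo),
    }


if __name__ == "__main__":
    print("OSPF hello before/after permit ip any any:", implicit_deny_demo())
    print("after sequence edits:", sequence_edit_demo())
    print("subnet mask in place of wildcard:", wildcard_typo_demo())
```

Run it directly and compare the listing it prints with the sh access-list output above: the hit counters climb on the same entries for the same reason, and the "unrelated_net_typo" result shows why a subnet mask in an ACL line silently matches any address ending in .0 instead of the LAN you meant.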
I really did want to post that just to show how easy it is. The reason we got ..... instead of U.U.U was that R4 didn’t have a route to 1.1.1.1; let’s check now:
R4(config)#do sh ip route ospf | i 1.1.1.1
O IA 1.1.1.1 [110/66] via 172.12.34.3, 00:02:41, FastEthernet0/1
R4(config)#
Minimal output, maximum effort. So let’s ping away and see some hits:
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
20 permit ip any any (208 matches)
R3(config-ext-nacl)#
You will notice that the permit ip any any entry keeps incrementing for OSPF traffic. I am sure the deny entries would have worked with "any" as the source as well, because only R4’s traffic comes in on that interface, so that is fine.
I won’t go into a full configuration of named ACLs; as you’ve seen, in the access-group command on interfaces you can use a WORD instead of a number, and you’ve also seen the ACL (nacl) configuration mode and a bit of how it works, but I will show you this:
R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name
R3(config)#ip access-list extended
Once you type a number from those ranges or a word, it puts you into nacl config mode to build your ACL.
The only real tricky part is typing "ip" first (ip access-list extended ...) to get into nacl config mode so you can remove and insert lines in extended lists; otherwise named ACLs work exactly the same as extended ones, they just swap numbers for names.
As much as I want this to be over, here are a couple of commands to quickly verify or check which ACLs are on your router or a given interface:
R3#sh access-list
Standard IP access list 15
10 deny 172.12.15.0, wildcard bits 0.0.0.255 (8 matches)
20 permit any
Extended IP access list 111
10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
20 permit ip any any (243 matches)
R3#
It doesn’t show you which interfaces they are applied to (or what mechanism on the router is using them), but it shows they exist and their hit counts. To see which ACL is applied to an interface, look under ip access-group in sh run, but because we can’t count on that on lab day you can also use "sh ip int …":
R3#sh ip int fa0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 172.12.34.3/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is 15
Inbound access list is 111
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
R3#
Alright, that concludes my middle-of-the-night lab session on ACLs; see you next time with some time-based ACL configurations!