ACL’s
Deny only 100.0.0.2, 100.0.0.4 and 100.0.0.6. Do not drop OSPF adjacencies.
access-list 1 deny 100.0.0.0 0.0.0.6
(this denies even routes 0, 2, 4, 6: wildcard 0.0.0.6 leaves bits 2 and 4 of the last octet as don't-care)
access-list 1 permit any
Permit web/ftp/ospf traffic for all users on the 10.1.1.0/24 network (there are web/ftp clients on the 10.1.1.0/24 network (destination)).
ip access-list extended test
remark permits web/ftp/ospf traffic for all users on the 10.1.1.0/24 network (there are web/ftp clients on the 10.1.1.0/24 network)
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq ftp
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
remark these three lines cover user generated traffic
permit tcp 10.1.1.0 0.0.0.255 eq www any
remark this line covers replies from the web servers on the inside
permit tcp 10.1.1.0 0.0.0.255 any established
remark this line is necessary for the FTP server responses since ports vary
permit ospf 10.1.1.0 0.0.0.255 any
remark permits ospf traffic
Timed ACL’s
I couldn’t find this one on the doc CD under router configuration. I did, however, find it under the switching section here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swacl.html
*** The time range relies on the switch system clock; therefore, you need a reliable clock source. Use Network Time Protocol (NTP).
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | time-range time-range-name | Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter. |
| Step 3 | absolute [start time date] [end time date] or periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm or periodic {weekdays \| weekend \| daily} hh:mm to hh:mm | Specify when the function it will be applied to is operational. See the example configurations. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show time-range | Verify the time-range configuration. |
| Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
Repeat the steps if you have multiple items that you want in effect at different times.
To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.
This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration.
time-range AFTERHOURS
periodic daily 0:00 to 6:59
!
time-range HOLIDAY
absolute start 00:00 4 July 2009 end 23:59 4 July 2009
!
time-range WEB
periodic weekdays 0:00 to 23:59
ip access-list extended AFTERHOURS
deny udp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq domain time-range AFTERHOURS
deny tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq domain time-range AFTERHOURS
deny tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq smtp time-range AFTERHOURS
deny tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq www time-range AFTERHOURS
permit ip any any
ip access-list extended FILTEROUT
deny tcp host 150.50.4.100 any eq www time-range WEB
deny ip 150.50.4.0 0.0.0.255 any time-range HOLIDAY
permit ip any any
=============================
Extended IP access list OSPFPIM1023
10 permit ospf host 150.50.7.5 any log
15 deny ospf any any
20 deny pim host 150.50.7.6 any
30 deny tcp 150.50.7.32 0.0.0.31 any gt 1023
40 permit ip any any
=================
r1 <> r2 <> r3
Restrict traffic from R1 to R2 and beyond
ip access-list extended Trusted
permit ip any any reflect TrustMe
remark this is all we need to establish a peer state.
ip access-list extended Untrusted
permit ospf any any
evaluate TrustMe
remark the name is case-sensitive and must match the reflect name exactly
deny ip any any log
remark this allows our monitoring of things that are not denied
Reflexive ACL in action after pinging/telnetting from R1 to R5 (untrusted) and a successful telnet from R5 to R1. Note the second, empty reflexive list named Trustme in the output: named ACL names are case-sensitive, so the evaluate statement must use exactly the same name as the reflect statement (TrustMe), otherwise it evaluates an empty list:
R2(config-if)#do sho access-list
Reflexive IP access list TrustMe
permit udp host 150.50.100.2 eq ntp host 200.0.0.8 eq ntp (13 matches) (time left 267)
permit icmp host 150.50.24.2 host 150.50.24.4 (7 matches) (time left 243)
permit udp host 150.50.17.1 eq ntp host 200.0.0.8 eq ntp (3 matches) (time left 121)
permit ospf host 150.50.100.2 host 150.50.100.5 (12 matches) (time left 277)
permit ospf host 224.0.0.5 host 150.50.9.5 (34 matches) (time left 297)
permit ospf host 150.50.100.2 host 150.50.100.6 (13 matches) (time left 295)
Extended IP access list Trusted
10 permit ip any any reflect TrustMe (88 matches)
Reflexive IP access list Trustme
Extended IP access list Untrusted
10 permit ospf any any (14 matches)
20 evaluate Trustme
30 deny ip any any log (8 matches)
——————————
HTTP / SNMP acl
snmp-server community ipexpert RO 2
snmp-server community IpExPeRt RW 3
access-list 2 permit 150.50.17.0 0.0.0.255
access-list 2 remark this is for http and snmp ro
access-list 3 permit 150.50.200.200
access-list 3 remark this is for SNMP rw
ip http access-class 2
———————
Prevent access from the following networks with the fewest lines of acl config:
97.150.81.0/24
129.150.17.0/24
129.150.81.0/24
161.150.17.0/24
161.150.81.0/24
193.150.17.0/24
193.150.81.0/24
97 = 01100001
129 = 10000001
161 = 10100001
193 = 11000001
^^^ differing bits / some options, see below
17 = 00010001
81 = 01010001
^ differing bit / so the acl wildcard will be X.X.64.255
2^x, where x is the number of 1 bits in the ACL wildcard mask, tells us the number of matches the mask will get.
97 = separate acl
129 and 161 have 1 common differing bit (32) – one acl here 32.0.64.255
129 and 193 have 1 common differing bit (64) – one acl here 64.0.64.255
So you have three choices. (The wider the wildcard, the more it sweeps in: the 96.0.64.255 entry in list 3 also denies 225.150.17.0/24 and 225.150.81.0/24, which are not in the list.)
Standard IP access list 1
10 deny 129.150.17.0, wildcard bits 32.0.64.255
20 deny 193.150.17.0, wildcard bits 0.0.64.255
30 deny 97.150.81.0, wildcard bits 0.0.0.255
40 permit any
or
Standard IP access list 2
10 deny 129.150.17.0, wildcard bits 64.0.64.255
20 deny 161.150.17.0, wildcard bits 0.0.64.255
30 deny 97.150.81.0, wildcard bits 0.0.0.255
40 permit any
or
Standard IP access list 3
10 deny 129.150.17.0, wildcard bits 96.0.64.255
20 deny 97.150.81.0, wildcard bits 0.0.0.255
30 permit any
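The wildcard arithmetic above, worked in Python as an added example (not part of the original notes): a Cisco wildcard matcher (which also checks the 0.0.0.6 trick from the first exercise), the "OR the differing bits" step that derives 96 for 129/161/193, and a check that each of the three candidate lists denies exactly the seven networks and what else it sweeps in. The network list and candidate entries are taken from the notes above; the helper names are mine.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard test: 1 bits are don't-care, 0 bits must equal the base."""
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(base) & ~w)

def wildcard_for(octets):
    """Wildcard octet covering a group: OR the bits on which values differ (the ^^^ step)."""
    w = 0
    for v in octets[1:]:
        w |= octets[0] ^ v
    return w

def covered_networks(base, wildcard):
    """All /24s a .255-host-octet entry matches: expand each don't-care bit above the host octet (2^k of them)."""
    w = to_int(wildcard) & 0xFFFFFF00
    free_bits = [1 << i for i in range(8, 32) if w & (1 << i)]
    nets = set()
    for combo in range(1 << len(free_bits)):
        val = to_int(base) & ~w & 0xFFFFFF00
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:
                val |= bit
        nets.add(f"{ipaddress.IPv4Address(val)}/24")
    return sorted(nets)

# Constructed from the exercise: the seven /24s to deny and the three candidate lists.
TARGETS = {"97.150.81.0/24", "129.150.17.0/24", "129.150.81.0/24", "161.150.17.0/24",
           "161.150.81.0/24", "193.150.17.0/24", "193.150.81.0/24"}
CANDIDATES = {
    "list 1": [("129.150.17.0", "32.0.64.255"), ("193.150.17.0", "0.0.64.255"), ("97.150.81.0", "0.0.0.255")],
    "list 2": [("129.150.17.0", "64.0.64.255"), ("161.150.17.0", "0.0.64.255"), ("97.150.81.0", "0.0.0.255")],
    "list 3": [("129.150.17.0", "96.0.64.255"), ("97.150.81.0", "0.0.0.255")],
}

def check_list(entries):
    """Return (targets the deny entries miss, extra /24s they also deny)."""
    denied = set()
    for base, wc in entries:
        denied.update(covered_networks(base, wc))
    return sorted(TARGETS - denied), sorted(denied - TARGETS)

if __name__ == "__main__":
    for name, entries in CANDIDATES.items():
        print(name, "missing / extra:", *check_list(entries))
```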
———-
**Traffic that is generated by the router is not subject to outbound acl’s.
access-list 166 permit ip any any precedence critical
access-list 166 deny ip any any
interface Ethernet0/0
ip access-group 166 out
testing acl
R2(config)#do trace 150.50.7.7
Type escape sequence to abort.
Tracing the route to 150.50.7.7
1 150.50.100.6 28 msec
150.50.100.5 32 msec
150.50.9.5 24 msec
2 150.50.100.6 !A
150.50.7.7 28 msec *
!A means administratively prohibited.
————-
- When you apply an ACL to an outbound interface, the ACL acts upon traffic flowing through the router. It does not act upon traffic that originates in the router.
- Every ACL must have at least one permit statement; otherwise the implicit deny at the end blocks all traffic.
- Use deny log to see how many times the acl was hit.
- Don’t forget to account for routing protocols when building ACL’s.
- When deciding whether to apply an ACL in or out, use the interface as the point of reference.
- A 1 bit in an ACL mask means you don’t care what the value of that bit is.
- A 0 bit in an ACL mask means the bit value must match exactly.