Friday 5 March 2010

Create a Named Extended ACL

In this post I'll be creating a named Access-List which will block ICMP from R0 to R3. I'll also perform a little troubleshooting and I'll update the ACL. I'll be using the network shown in the diagram below.





I start off by checking I can currently Ping R3 from R0.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms


On R1 I create the ACL and apply it to the interface nearest to the source.


R1

R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#deny icmp host 192.168.1.49 192.168.1.58 0.0.0.0 log
R1(config-ext-nacl)#permit ip any any log
R1(config-ext-nacl)#exit

R1(config)#int ethernet 0/0
R1(config-if)#ip access-group block_ping in
R1(config-if)#end

R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log
20 permit ip any any log


Now I test ping again.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms


What went wrong? Let's look at the interface I applied the rule to.


R1#sh ip interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Internet address is 192.168.1.50/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is block_ping
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled


Ah, a typo. I applied a named access-list to the interface, but the name was block_ping, not ping_block. I'll remove it and enter the correct ACL name.


R1(config)#interface ethernet 0/0
R1(config-if)#no ip access-group block_ping in
R1(config-if)#ip access-group ping_block in
R1(config-if)#end


Now I'll test the ping again.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)


Great, no response. Can I ping R1 and R2?


R0#ping r1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/36 ms


R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms


Brilliant. And on R1 I see the packets hitting the statement and being logged to the screen.


R1

*Mar 1 00:29:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 1 packet
R1#
*Mar 1 00:31:07.123: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.50 (0/0), 1 packet
R1#
*Mar 1 00:31:12.175: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.54 (0/0), 1 packet
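The log keyword on each statement is what produces the %SEC-6-IPACCESSLOGDP messages above. The following Python is an added example, not part of the original post: it parses messages in that format into fields and totals permitted and denied packets per source/destination pair, which is how you would turn the console output into something you can review. The sample lines are the three from this post plus two constructed ones (a multi-packet summary and an unrelated message); the regex is written against the format as shown here and is an assumption about the exact spacing.

```python
import re
from collections import Counter

# Pattern for the IPACCESSLOGDP line as printed above. The parenthesised
# field is the ICMP type/code for icmp entries; the trailing count grows
# when IOS summarises repeated hits into one message. (Assumed format.)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample input: the three lines from the post plus two made up here.
SAMPLE_LOG = """\
*Mar 1 00:29:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 1 packet
*Mar 1 00:31:07.123: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.50 (0/0), 1 packet
*Mar 1 00:31:12.175: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.54 (0/0), 1 packet
*Mar 1 00:36:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 4 packets
*Mar 1 00:37:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGDP message, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("type", "code", "count"):
        fields[key] = int(fields[key])
    return fields


def summarize(text):
    """Total packets per (acl, action, proto, src, dst) across all ACL log lines.

    Returns (totals, unparsed) where unparsed holds lines that were not ACL log
    messages, so nothing is silently dropped from the review.
    """
    totals = Counter()
    unparsed = []
    for line in text.splitlines():
        fields = parse_acl_log(line)
        if fields is None:
            unparsed.append(line)
            continue
        key = (fields["acl"], fields["action"], fields["proto"], fields["src"], fields["dst"])
        totals[key] += fields["count"]
    return totals, unparsed


def denied_flows(text):
    """Convenience view: {(src, dst): packets} for denied traffic only."""
    totals, _ = summarize(text)
    return {(src, dst): n for (acl, action, proto, src, dst), n in totals.items()
            if action == "denied"}


if __name__ == "__main__":
    totals, unparsed = summarize(SAMPLE_LOG)
    for key, n in sorted(totals.items()):
        print(f"{n:4d} packets  {' '.join(key)}")
    print(f"{len(unparsed)} non-ACL line(s) skipped")
```

Because IOS folds repeated hits into "N packets" summaries, summing the count field rather than counting lines is what gives the true total.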


The benefit of using a named ACL is that I can modify the access-list on the fly. Here I can see that each statement is numbered.


R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
20 permit ip any any log (35 matches)


Now I'll update the ACL to include a statement to block R0 from pinging R2.


R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#15 deny icmp host 192.168.1.49 host 192.168.1.54 log


R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
15 deny icmp host 192.168.1.49 host 192.168.1.54 log
20 permit ip any any log (51 matches)
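To make the mechanics of the whole procedure concrete, here is an added Python model of a named extended ACL; it is example code written for this post, not anything from IOS or the original. It implements the pieces the session above relies on: wildcard masks (so "192.168.1.58 0.0.0.0" and "host 192.168.1.58" match the same address, which is why the show output prints the host form back), first-match evaluation in sequence order with the implicit deny at the end, appending in steps of 10, inserting an entry with an explicit sequence number such as 15 between 10 and 20, and an interface whose access-group name matches no configured ACL, which filters nothing, as the block_ping typo showed. The ACL name, addresses and sequence numbers are taken from the post; the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass

ANY_MASK = "255.255.255.255"


class AddrMatch:
    """One source or destination spec. IOS wildcard bits: 0 = must match, 1 = don't care."""

    def __init__(self, addr: str, wildcard: str):
        self.addr = int(ipaddress.IPv4Address(addr))
        self.care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.care) == (self.addr & self.care)

    def __str__(self) -> str:
        if self.care == 0:
            return "any"
        if self.care == 0xFFFFFFFF:          # wildcard 0.0.0.0 is shown as 'host', like IOS does
            return f"host {ipaddress.IPv4Address(self.addr)}"
        return f"{ipaddress.IPv4Address(self.addr)} {ipaddress.IPv4Address(~self.care & 0xFFFFFFFF)}"


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "icmp", "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: AddrMatch
    dst: AddrMatch
    log: bool
    hits: int = 0


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (AddrMatch, next index)."""
    if tokens[i] == "any":
        return AddrMatch("0.0.0.0", ANY_MASK), i + 1
    if tokens[i] == "host":
        return AddrMatch(tokens[i + 1], "0.0.0.0"), i + 2
    return AddrMatch(tokens[i], tokens[i + 1]), i + 2


class NamedExtendedAcl:
    def __init__(self, name: str):
        self.name = name
        self.entries: dict[int, Ace] = {}

    def add(self, line: str) -> Ace:
        """Add an ACE in IOS syntax; a leading number is its sequence, else append at last + 10."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (max(self.entries) + 10 if self.entries else 10)
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        ace = Ace(seq, action, proto, src, dst, "log" in tokens[i:])
        self.entries[seq] = ace
        return ace

    def evaluate(self, proto: str, src: str, dst: str):
        """First matching entry in sequence order wins; no match means the implicit deny."""
        for seq in sorted(self.entries):
            ace = self.entries[seq]
            if ace.proto in ("ip", proto) and ace.src.matches(src) and ace.dst.matches(dst):
                ace.hits += 1
                return ace.action, seq
        return "deny", None

    def show(self) -> str:
        out = [f"Extended IP access list {self.name}"]
        for seq in sorted(self.entries):
            a = self.entries[seq]
            hits = f" ({a.hits} matches)" if a.hits else ""
            out.append(f"{seq} {a.action} {a.proto} {a.src} {a.dst}{' log' if a.log else ''}{hits}")
        return "\n".join(out)


def inbound_decision(acls: dict, applied_name, proto, src, dst) -> str:
    """Result for a packet entering an interface with 'ip access-group <applied_name> in'.
    A name with no matching configured ACL filters nothing, which is what the
    session above observed while block_ping was applied instead of ping_block."""
    if applied_name is None or applied_name not in acls:
        return "permit"
    return acls[applied_name].evaluate(proto, src, dst)[0]


def demo():
    acl = NamedExtendedAcl("ping_block")
    acl.add("deny icmp host 192.168.1.49 192.168.1.58 0.0.0.0 log")
    acl.add("permit ip any any log")
    acls = {acl.name: acl}
    typo = inbound_decision(acls, "block_ping", "icmp", "192.168.1.49", "192.168.1.58")
    fixed = inbound_decision(acls, "ping_block", "icmp", "192.168.1.49", "192.168.1.58")
    r2_before = inbound_decision(acls, "ping_block", "icmp", "192.168.1.49", "192.168.1.54")
    acl.add("15 deny icmp host 192.168.1.49 host 192.168.1.54 log")   # slots between 10 and 20
    r2_after = inbound_decision(acls, "ping_block", "icmp", "192.168.1.49", "192.168.1.54")
    return typo, fixed, r2_before, r2_after, acl.show()


if __name__ == "__main__":
    *decisions, listing = demo()
    print(decisions)
    print(listing)
```

The model leaves out things a real ACL has (port matching, established, object groups), but it is enough to check ordering questions before typing them into a router: a permit ip any any placed at sequence 5 would shadow every deny below it, and evaluate() shows that immediately.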



Now I test the updated ACL.


R0

R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Brilliant.