
Friday, 5 March 2010

Create a Named Extended ACL

In this post I'll be creating a named access-list which will block ICMP from R0 to R3. I'll also perform a little troubleshooting and then update the ACL. I'll be using the network shown in the diagram below.





I start off by checking I can currently Ping R3 from R0.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms


On R1 I create the ACL and apply it to the interface nearest to the source.


R1

R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#deny icmp host 192.168.1.49 192.168.1.58 0.0.0.0 log
R1(config-ext-nacl)#permit ip any any log
R1(config-ext-nacl)#exit

R1(config)#int ethernet 0/0
R1(config-if)#ip access-group block_ping in
R1(config-if)#end

R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log
20 permit ip any any log


Now I test ping again.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms


What went wrong? Let's look at the interface I applied the rule to.


R1#sh ip interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Internet address is 192.168.1.50/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is block_ping
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled


Ah, a typo. I applied a named access-list to the interface, but the name I typed was block_ping, not ping_block. IOS accepts a reference to an ACL that does not exist, and an undefined (or empty) list permits everything, which is why the pings still succeeded. I'll remove it and enter the correct ACL name.


R1(config)#interface ethernet 0/0
R1(config-if)#no ip access-group block_ping in
R1(config-if)#ip access-group ping_block in
R1(config-if)#end


Now I'll test the ping again.


R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)


Great, no response. Can I ping R1 and R2?


R0#ping r1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/36 ms


R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms


Brilliant. And on R1 I see the packets hitting the statement and being logged to the screen.


R1

*Mar 1 00:29:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 1 packet
R1#
*Mar 1 00:31:07.123: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.50 (0/0), 1 packet
R1#
*Mar 1 00:31:12.175: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.54 (0/0), 1 packet


The benefit of using a named ACL is that I can modify the access-list on the fly. Here I can see that each statement is numbered.


R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
20 permit ip any any log (35 matches)


Now I'll update the ACL to include a statement blocking R0 from pinging R2.


R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#15 deny icmp host 192.168.1.49 host 192.168.1.54 log


R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
15 deny icmp host 192.168.1.49 host 192.168.1.54 log
20 permit ip any any log (51 matches)



Now I test the updated ACL.


R0

R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Brilliant.

Wednesday, 3 March 2010

Extended ACLs

In this post I will create an Extended ACL to block Telnet traffic from the 192.168.1.48/30 network reaching the R3 router. I'll be working with the network in the diagram below.



Unlike standard ACLs, which are placed as near to the destination as possible, extended ACLs are placed as near to the source as possible, so that unwanted traffic is dropped before it is forwarded; this reduces processing on the routers along the path.


R1


R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#deny tcp 192.168.1.48 0.0.0.3 192.168.1.58 0.0.0.0 eq 23 log
R1(config-ext-nacl)#permit ip any any log
R1(config-ext-nacl)#exit


I have created an access-list that blocks the whole 192.168.1.48/30 subnet from accessing R3 with Telnet.


R1(config)#interface ethernet 0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#end


I have applied the list inbound on interface ethernet 0/0 of R1.
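To make the matching rules behind both posts concrete, here is a small model of how an IOS extended ACL decides a packet's fate. This is added example code written for this page, not IOS and not the author's configuration; the entry names, the packet dictionaries and the `interface_decision` helper are my own constructions. It reproduces the named ping_block list from the first post (including the sequence-15 insertion and the block_ping typo) and list 100 from this post, and generalises to any wildcard mask, not just the host and /30 cases shown.

```python
"""Model of IOS extended-ACL evaluation: wildcard masks, first match wins,
implicit deny, sequence-number insertion, and the undefined-list case."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword 'any'


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # 'eq <port>' on the destination
    matches: int = 0                 # the "(n matches)" counter in show output

    def matches_packet(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class ExtendedACL:
    name: str
    entries: list = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        """Place the entry by sequence number, as 'ip access-list extended' does."""
        if any(e.seq == entry.seq for e in self.entries):
            raise ValueError(f"sequence {entry.seq} already exists in {self.name}")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, pkt: dict) -> tuple:
        """First matching entry wins; no match falls through to the implicit deny."""
        for e in self.entries:
            if e.matches_packet(pkt):
                e.matches += 1
                return e.action, e.seq
        return "deny", None

    def show(self) -> list:
        """Roughly what 'show ip access-lists' prints, one entry per element."""
        return [f"{e.seq} {e.action} {e.proto} ({e.matches} matches)" for e in self.entries]


def interface_decision(acls: dict, applied_name: str, pkt: dict) -> tuple:
    """What an interface with 'ip access-group <applied_name> in' does.
    IOS accepts a name that does not exist, and an undefined or empty list
    permits everything: that is the block_ping typo from the first post."""
    acl = acls.get(applied_name)
    if acl is None or not acl.entries:
        return "permit", None
    return acl.evaluate(pkt)


def build_ping_block() -> ExtendedACL:
    """The first post's ping_block list, including the later '15 deny' insertion."""
    acl = ExtendedACL("ping_block")
    acl.add(Entry(10, "deny", "icmp", "192.168.1.49", "0.0.0.0", "192.168.1.58", "0.0.0.0"))
    acl.add(Entry(20, "permit", "ip", *ANY, *ANY))
    acl.add(Entry(15, "deny", "icmp", "192.168.1.49", "0.0.0.0", "192.168.1.54", "0.0.0.0"))
    return acl


def build_acl_100() -> ExtendedACL:
    """This post's list 100: no Telnet from 192.168.1.48/30 to R3."""
    acl = ExtendedACL("100")
    acl.add(Entry(10, "deny", "tcp", "192.168.1.48", "0.0.0.3", "192.168.1.58", "0.0.0.0", dst_port=23))
    acl.add(Entry(20, "permit", "ip", *ANY, *ANY))
    return acl


if __name__ == "__main__":
    pb = build_ping_block()
    ping = {"proto": "icmp", "src": "192.168.1.49", "dst": "192.168.1.58"}
    print("typo applied  :", interface_decision({"ping_block": pb}, "block_ping", ping))
    print("correct applied:", interface_decision({"ping_block": pb}, "ping_block", ping))
    for dst in ("192.168.1.54", "192.168.1.50"):
        print("ping_block ->", dst, pb.evaluate({**ping, "dst": dst}))
    a100 = build_acl_100()
    print("100 telnet:", a100.evaluate({**ping, "proto": "tcp", "dport": 23}))
    print("100 ping  :", a100.evaluate(ping))
    print("\n".join(pb.show()))
```

Two details worth noticing when you run it: the entry added with sequence 15 sorts between 10 and 20 exactly as `show ip access-lists` displayed it in the first post, and a host outside 192.168.1.48/30 (for example 192.168.1.53) is not caught by the `0.0.0.3` wildcard, so it falls through to the `permit ip any any` entry.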


R1#sh ip inter ethernet 0/0
Ethernet0/0 is up, line protocol is up
Internet address is 192.168.1.50/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled


I test that I can telnet to R3 from R1.


R1#telnet 192.168.1.58
Trying 192.168.1.58 ... Open
User Access Verification
Password:
Last login: Wed Mar 3 21:06:01 on ttys001


Now on R0 I attempt to telnet to R3.


R0

R0#telnet 192.168.1.58
Trying 192.168.1.58 ...
% Destination unreachable; gateway or host down

R0#ping 192.168.1.58
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms


My telnet fails but ping works just fine. I check R1 to see the statement being hit.


R1

*Mar 1 00:10:52.315: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.49(22404) -> 192.168.1.58(23), 1 packet
R1#
*Mar 1 00:11:02.615: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.1.49 -> 192.168.1.58 (8/0), 1 packet
R1#
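The `log` keyword on each entry is what produced the %SEC-6-IPACCESSLOG lines seen on R1 in both posts. The following is an added example, not code from the posts, that parses those two message formats and totals denied packets per ACL entry; the sample input is the console output copied from the two posts, and the field names are my own.

```python
"""Parse IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP syslog lines and
summarise denied packets per (list, protocol, source, destination, port)."""
import re
from collections import Counter

# Constructed sample input: the R1 console lines shown in the two posts.
SAMPLE_LOG = """\
*Mar 1 00:29:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 1 packet
R1#
*Mar 1 00:31:07.123: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.50 (0/0), 1 packet
*Mar 1 00:31:12.175: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.54 (0/0), 1 packet
*Mar 1 00:10:52.315: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.49(22404) -> 192.168.1.58(23), 1 packet
*Mar 1 00:11:02.615: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.1.49 -> 192.168.1.58 (8/0), 1 packet
"""

# IPACCESSLOGP  : TCP/UDP, each address carries its port in parentheses.
# IPACCESSLOGDP : ICMP, a trailing (type/code) follows the destination.
# Other suffixes (NP, S, RL) are not handled by this example.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line: str):
    """Return a dict of fields for an ACL log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None                      # prompts, other syslog, noise
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarise_denies(records: list) -> Counter:
    """Packets denied, keyed by (acl, proto, src, dst, dport)."""
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["proto"], r["src"], r["dst"], r["dport"])] += r["count"]
    return totals


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for key, n in summarise_denies(records).items():
        acl, proto, src, dst, dport = key
        port = f":{dport}" if dport is not None else ""
        print(f"list {acl}: {n} {proto} packet(s) denied {src} -> {dst}{port}")
```

Two caveats when relying on these messages in production: IOS rate-limits ACL logging (the first matching packet is reported at once and later matches are summarised at intervals), so the `(n matches)` counters in `show ip access-lists` are the authoritative count, and `log-input` instead of `log` adds the ingress interface and source MAC, which is what you want when tracing a spoofed source. Logging on a `permit ip any any` entry, as in the posts, is fine in a lab but puts every packet through the logging path on a busy router.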