Access List

ACL IPv4

  1. Standard numbered ACL (1-99)
    1. access-list <acl #> {deny | permit} <source ip> [<source wild>] [log]
    2. access-list <acl #> remark <text>
    3. ip access-group <acl #> {in | out} (entered under the interface)
  2. Extended numbered ACL (100-199)
    1. access-list <acl #> {deny | permit} <protocol> <source> <source wild> <destination> <destination wild> [log]
      1. A source or destination may also be written as host <ip> (wildcard 0.0.0.0) or any (wildcard 255.255.255.255)
    2. access-list <acl #> {deny | permit} tcp <source> <source wild> [<operator> <port>] <destination> <destination wild> [<operator> <port>] [log]
      1. Operators: eq (equals), neq (not equal), gt (greater than), lt (less than), range <low> <high>; the same operators apply to udp
    3. access-list <acl #> remark <text>
    4. int s<x>
      1. ip access-group {number | name} {in | out}
    5. line vty 0 4
      1. access-class {number | name} {in | out}
    6. ip access-list {standard | extended} <name>
      1. {deny | permit} <source> <source wild> [log]
      2. {deny | permit} <protocol> <source> <source wild> <destination> <destination wild> [log]
      3. {deny | permit} tcp <source> <source wild> [<operator> <port>] <destination> <destination wild> [<operator> <port>] [log]
  3. Additional ACL numbers (1300-1999) standard, (2000-2699) extended
  4. Named ACLs
  5. Improved editing with sequence numbers (each entry carries a sequence number, so a single entry can be removed or inserted without retyping the ACL)
  6. Configure standard ACL (entries are tried top-down and the first match wins, so the host permit must precede the subnet deny)
    1. access-list 1 permit 10.1.1.1
    2. access-list 1 deny 10.1.1.0 0.0.0.255
    3. access-list 1 permit 10.0.0.0 0.255.255.255
    4. interface S0/0/1
      1. ip access-group 1 in
  7. Configure extended ACL
    1. numbered
      1. access-list 101 remark <text>
      2. access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
      3. access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
      4. access-list 101 permit ip any any (without this final permit the implicit deny drops all other traffic)
      5. int s0
        1. ip access-group 101 in
      6. int s1
        1. ip access-group 101 in
    2. Named
      1. ip access-list extended barney
        1. permit tcp host 10.1.1.2 eq www any
        2. deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
        3. deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
        4. deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
        5. no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 (removes entry 4 only; in named ACL mode a single entry is deleted by prefixing it with no)
        6. permit ip any any
      2. int s1
        1. ip access-group barney out
  8. Verify standard acl
    1. show ip access-lists [acl # | name]
      1. Shows the IPv4 ACLs with a match counter per entry
    2. show access-lists [acl # | name]
      1. Shows the configured ACLs for all protocols
    3. show ip interface s0/0/1
      1. Shows which ACL is applied to the interface inbound and which outbound
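The standard and extended ACLs configured above, run through a small evaluator written for these notes (an added example, not Cisco IOS code): it parses access-list lines as typed on the router, applies the wildcard masks and port operators, and reports which entry a packet hits or that it fell through to the implicit deny. The ACL text and the packets are constructed here, and the evaluator covers only the syntax used on this page (standard and extended numbered ACLs, host/any, eq/neq/gt/lt/range).

```python
"""Evaluator for IOS-style IPv4 ACL lines (added example, not Cisco code).
Handles standard entries (source [wildcard]) and extended entries
(ip|tcp|udp|icmp source [wild] [op port] dest [wild] [op port]) with host/any
shortcuts, port keywords and eq/neq/gt/lt/range. 'remark' lines and a trailing
'log' are ignored. Entries are tried top-down; an unmatched packet is denied."""
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
STANDARD_RANGES = ((1, 99), (1300, 1999))
ANY = (0, 0xFFFFFFFF)          # (address, wildcard): every bit is a don't-care

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _any_port(_):
    return True

def _parse_addr(tokens):
    """Consume 'any', 'host A', 'A W' or a bare 'A' (standard-ACL host shorthand)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    addr = _ip(tok)
    if tokens and tokens[0].count(".") == 3:   # next token is a wildcard mask
        return addr, _ip(tokens.pop(0))
    return addr, 0

def _parse_port(tokens):
    """Consume an optional operator clause and return a port predicate."""
    if not tokens or tokens[0] not in ("eq", "neq", "gt", "lt", "range"):
        return _any_port
    op, a = tokens.pop(0), _port(tokens.pop(0))
    if op == "range":
        b = _port(tokens.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "neq": lambda p: p != a,
            "gt": lambda p: p > a, "lt": lambda p: p < a}[op]

def parse_acl(text):
    """Parse the 'access-list N ...' lines of one ACL into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0].lower() != "access-list" or tok[2] == "remark":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
            rule = dict(proto="ip", src=_parse_addr(rest), sport=_any_port, dst=ANY, dport=_any_port)
        else:
            rule = dict(proto=rest.pop(0))
            rule["src"], rule["sport"] = _parse_addr(rest), _parse_port(rest)
            rule["dst"], rule["dport"] = _parse_addr(rest), _parse_port(rest)
        rules.append(dict(rule, action=action))
    return rules

def _wild_match(addr, rule_addr):
    base, wild = rule_addr             # bits set in the wildcard are ignored
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """Return (action, index); index None means the implicit deny matched."""
    for i, r in enumerate(rules):
        if r["proto"] not in ("ip", proto):
            continue
        if not (_wild_match(_ip(src), r["src"]) and _wild_match(_ip(dst), r["dst"])):
            continue
        if not (r["sport"](sport) and r["dport"](dport)):
            continue
        return r["action"], i
    return "deny", None

# Constructed input: the two ACLs from the notes above, as typed on the router.
ACL_1 = """
access-list 1 permit 10.1.1.1
access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
"""
ACL_101 = """
access-list 101 remark block FTP and web from two hosts
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    std, ext = parse_acl(ACL_1), parse_acl(ACL_101)
    for src in ("10.1.1.1", "10.1.1.50", "10.5.5.5", "192.168.1.1"):
        print("acl 1:", src, "->", evaluate(std, "ip", src, "0.0.0.0"))
    # Shadowing: with the subnet deny moved first, the host permit can never match.
    print("acl 1 reordered: 10.1.1.1 ->", evaluate([std[1], std[0], std[2]], "ip", "10.1.1.1", "0.0.0.0"))
    print("acl 101: ftp from 172.16.3.10 ->", evaluate(ext, "tcp", "172.16.3.10", "172.16.1.20", dport=21))
```

The reordered run is the check worth keeping: swapping the first two lines of ACL 1 makes the permit for 10.1.1.1 unreachable, and `show ip access-lists` on the router would show zero matches on it for the same reason.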

ACL IPv6

  1. Similarities
    1. Both match on the source address or the destination address in the protocol header.
    2. Both match individual host addresses or subnets/prefixes.
    3. Both can be applied directionally (inbound and outbound) to a router interface.
    4. Both can match on transport layer protocol information such as TCP or UDP source or destination port numbers.
    5. Both can match on specific ICMP message types and codes.
    6. Both have an implicit deny statement at the end of the ACL that matches all remaining packets.
    7. Both support time ranges for time-based ACLs.
  2. Differences
    1. IPv4 ACLs can only match IPv4 packets and IPv6 ACLs can only match IPv6 packets.
    2. IPv4 ACLs can be identified by number or name, while IPv6 ACLs are named only.
    3. IPv4 ACLs are declared as standard or extended; IPv6 ACLs have no such split, a single ipv6 access-list syntax covers both.
    4. IPv4 ACLs can match on values unique to the IPv4 header (e.g. options, precedence, ToS, TTL, fragments).
    5. IPv6 ACLs can match on values unique to the IPv6 header (flow label, DSCP in the traffic class) as well as extension and option header values.
    6. IPv6 ACLs have two implicit permit statements (permit icmp any any nd-na and permit icmp any any nd-ns) just before the implicit deny at the end, so Neighbor Discovery keeps working; IPv4 ACLs have no implicit permits. An explicit deny ipv6 any any typed at the end of the ACL is evaluated before those implicit permits and blocks NDP unless nd-ns and nd-na are permitted explicitly above it.
  3. Ipv6 can match
    1. Traffic class (DSCP, 0 to 63)
    2. Flow label (0 to 1048575)
    3. IPv6 Next Header field indicating the extension header type/number
    4. Source and destination 128-bit ipv6 addresses
    5. Upper-layer header details: TCP or UDP port numbers, TCP flags SYN, ACK, FIN, PSH, URG, RST
    6. ICMPv6 type and code
    7. Ipv6 extension header value and type (hop-by-hop headers, routing headers, fragmentation headers, Ipsec, destination options, among others)
  4. Config
    1. Standard ACL (IPv6 has no separate standard type; this is the address-only form of the same command)
      1. ipv6 access-list <name>
        1. {permit | deny} ipv6 {source-prefix/len | any | host source-ip} {destination-prefix/len | any | host destination-ip} [log]
      2. int gi0/2
        1. ipv6 traffic-filter <name> {in | out}
    2. Extended ACL
      1. ipv6 access-list <name>
        1. {permit | deny} <protocol> {source-prefix/len | any | host source-ip} [operator [port]] {destination-prefix/len | any | host destination-ip} [operator [port]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect <name> [timeout <value>]] [routing] [routing-type <routing-number>] [sequence value] [time-range <name>]
        2. {permit | deny} icmp {source-prefix/len | any | host source-ip} [operator [port]] {destination-prefix/len | any | host destination-ip} [operator [port]] [icmp-type [icmp-code] | icmp-message] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type <routing-number>] [sequence value] [time-range <name>] (the ICMP type or message keyword follows the destination, as in items 5 to 8 below)
        3. {permit | deny} tcp {source-prefix/len | any | host source-ip} [operator [port]] {destination-prefix/len | any | host destination-ip} [operator [port]] [ack] [dest-option-type [doh-number | doh-type]] [dscp value] [established] [fin] [flow-label value] [fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [psh] [range {port | protocol}] [reflect <name> [timeout <value>]] [routing] [routing-type <routing-number>] [rst] [sequence value] [time-range <name>] [urg]
        4. {permit | deny} udp {source-prefix/len | any | host source-ip} [operator [port]] {destination-prefix/len | any | host destination-ip} [operator [port]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [range {port | protocol}] [reflect <name> [timeout <value>]] [routing] [routing-type <routing-number>] [sequence value] [time-range <name>]
        5. permit icmp any any nd-na (permits NDP neighbor advertisements)
        6. permit icmp any any nd-ns (permits NDP neighbor solicitations)
        7. permit icmp any any router-solicitation
        8. permit icmp any any router-advertisement
      2. int gi0/1
        1. ipv6 traffic-filter <name> {in | out}
      3. line vty 0 4
        1. ipv6 access-class <name> {in | out}
      4. show ipv6 access-list
      5. show ipv6 interface | include line|list
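A model of the IPv6 ACL tail, added here as an example and not Cisco IOS code, to show why the explicit NDP permits in items 5 to 8 of the extended ACL section matter. IOS appends implicit permits for nd-na and nd-ns ahead of the implicit deny ipv6 any any, and an explicit deny ipv6 any any typed as the last entry is evaluated before those implicit permits. The rules are tuples rather than parsed CLI text, the packets and prefixes are constructed, and the helper ndp_broken is a hypothetical name for the check a practitioner would run before applying a filter with ipv6 traffic-filter.

```python
"""IPv6 ACL tail ordering and the implicit NDP permits (added example, not Cisco code).
Every IPv6 ACL ends with implicit 'permit icmp any any nd-na', 'permit icmp any any nd-ns'
and 'deny ipv6 any any'. An explicit catch-all deny typed by the operator comes before
those implicit permits in the evaluation order, so it silently drops Neighbor Discovery."""
import ipaddress

# Rule tuple: (action, protocol, source, destination, icmp-type); addresses are 'any' or prefix/len.
IMPLICIT_TAIL = [
    ("permit", "icmp", "any", "any", "nd-na"),
    ("permit", "icmp", "any", "any", "nd-ns"),
    ("deny", "ipv6", "any", "any", None),
]
NDP_PACKETS = {   # constructed samples: a solicitation to a solicited-node group and the reply
    "nd-ns": ("icmp", "fe80::1", "ff02::1:ff00:10", "nd-ns"),
    "nd-na": ("icmp", "2001:db8:1::10", "fe80::1", "nd-na"),
}

def _match(prefix, addr):
    return prefix == "any" or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)

def evaluate(acl, pkt):
    """pkt = (proto, src, dst, icmp_type or None).
    Returns (action, origin) with origin 'explicit', 'implicit-ndp' or 'implicit-deny'."""
    for i, (action, proto, src, dst, itype) in enumerate(acl + IMPLICIT_TAIL):
        if proto not in ("ipv6", pkt[0]):
            continue
        if not (_match(src, pkt[1]) and _match(dst, pkt[2])):
            continue
        if itype is not None and itype != pkt[3]:
            continue
        if i < len(acl):
            return action, "explicit"
        return action, ("implicit-deny" if action == "deny" else "implicit-ndp")
    raise RuntimeError("unreachable: the implicit deny matches everything")

def ndp_broken(acl):
    """Lint: True if either NDP message type would be dropped by this ACL."""
    return any(evaluate(acl, p)[0] == "deny" for p in NDP_PACKETS.values())

# Constructed ACLs. BUSINESS is the filter as first typed; LOGGING_DENY adds the usual
# explicit 'deny ipv6 any any' at the end; FIXED re-adds the NDP and RS/RA permits ahead
# of it, exactly as items 5 to 8 of the extended ACL notes above do.
BUSINESS = [("permit", "tcp", "2001:db8:1::/64", "2001:db8:2::10/128", None)]
LOGGING_DENY = BUSINESS + [("deny", "ipv6", "any", "any", None)]
FIXED = BUSINESS + [
    ("permit", "icmp", "any", "any", "nd-na"),
    ("permit", "icmp", "any", "any", "nd-ns"),
    ("permit", "icmp", "any", "any", "router-solicitation"),
    ("permit", "icmp", "any", "any", "router-advertisement"),
    ("deny", "ipv6", "any", "any", None),
]

if __name__ == "__main__":
    for name, acl in (("BUSINESS", BUSINESS), ("LOGGING_DENY", LOGGING_DENY), ("FIXED", FIXED)):
        print(name, "NS ->", evaluate(acl, NDP_PACKETS["nd-ns"]), "| breaks NDP:", ndp_broken(acl))
```

The middle case is the one that bites in practice: the business rules still work, every log line looks healthy, but hosts behind the interface stop resolving neighbors once their cache entries age out. On the router, `show ipv6 access-list` will show the matches landing on the explicit deny.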