Saturday, February 22, 2020

Standard access-list example on Cisco Router

Let’s configure some access-lists so I can demonstrate to you how this is done on Cisco IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:
[Topology diagram: standard access-list example, R1 and R2 connected back-to-back, each with a loopback interface]
Two routers and each router has a loopback interface. I will use two static routes so that the routers can reach each other’s loopback interface:
R1(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2
R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
If you choose to use a routing protocol to advertise networks, be careful that your access-list doesn’t block your RIP, EIGRP or OSPF traffic…
Now let’s start with a standard access-list! I’ll create something on R2 that only permits traffic from network 192.168.12.0 /24:
R2(config)#access-list 1 permit 192.168.12.0 0.0.0.255
This single permit entry will be enough. Keep in mind that every access-list ends with an implicit “deny any”. We don’t see it in the configuration, but it’s there. Let’s apply this access-list inbound on R2:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in
Use the ip access-group command to apply it to an interface. I applied it inbound with the in keyword.
R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.12.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 1
You can verify that the access-list has been applied with the show ip interface command. Above you see that access-list 1 has been applied inbound.
Now let’s generate some traffic…
R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Our ping is successful; let’s check the access-list:
R2#show access-lists 
Standard IP access list 1
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
As you can see the access-list shows the number of matches per statement. We can use this to verify our access-list. Let me show you something useful when you are playing with access-lists:
R1#ping 192.168.12.2 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
U.U.U
Success rate is 0 percent (0/5)
When you send a ping you can use the source keyword to select the source interface. The source IP address of this IP packet is now 1.1.1.1, and you can see these pings are failing because the access-list drops them.
R2#show access-lists 
Standard IP access list 1
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
You won’t see these dropped packets with the show access-lists command: the implicit “deny any” that drops them is not a statement in the list, so it has no match counter.
What if I wanted something different? Let’s say I want to deny traffic from network 192.168.12.0 /24 but permit all other networks? I can do something like this:
R2(config)#access-list 2 deny 192.168.12.0 0.0.0.255
R2(config)#access-list 2 permit any
I’ll create a new access-list and the first statement will deny network 192.168.12.0 /24. The second statement is a permit any. Because of this permit any, nothing will ever reach the invisible “deny any”; the only traffic that is dropped is 192.168.12.0 /24, which matches the first statement. Let’s apply the new access-list:
R2(config-if)#no ip access-group 1 in
R2(config-if)#ip access-group 2 in
Now it’s active, let’s give it a test run:
R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#show access-lists 2
Standard IP access list 2
    10 deny   192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
    20 permit any
These pings are hitting the first statement and are dropped…
R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2#show access-lists 2
Standard IP access list 2
    10 deny   192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
    20 permit any (15 matches)
And pings from the loopback0 interface of R1 are hitting the second statement and are allowed.
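The two experiments above (access-list 1 with only a permit, and access-list 2 with a deny followed by permit any) both come down to the same evaluation rule: a standard access-list looks only at the source address, walks its statements top to bottom, the first matching statement wins and counts a hit, and anything that matches nothing falls into the implicit “deny any”, which keeps no counter. The Python model below is an added example, not code from this lesson or from Cisco; it assumes a simplified IOS behaviour (sequence numbers in steps of 10, a single counter per statement, and the “show” layout seen above) and replays the page’s own pings from 192.168.12.1 and 1.1.1.1 against both access-lists.

```python
"""Model of Cisco IOS standard access-list evaluation (constructed example).

Assumed, not taken from the page: entries get sequence numbers in steps of
10, a standard ACL inspects only the source address, and the implicit
trailing "deny any" keeps no per-statement match counter.
"""
import ipaddress
from dataclasses import dataclass

ANY_WILDCARD = 0xFFFFFFFF


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask (inverse netmask) for a /prefix_len, e.g. 24 -> 0.0.0.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~netmask & 0xFFFFFFFF))


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    network: int     # network address as a 32-bit integer
    wildcard: int    # wildcard bits: 1 = don't care, 0 = must match
    matches: int = 0

    def covers(self, src: int) -> bool:
        """True when every 'care' bit of the source equals the entry's network."""
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.network & care)

    def render(self) -> str:
        """One line in the style of 'show access-lists' output."""
        if self.wildcard == ANY_WILDCARD:
            target = "any"
        elif self.wildcard == 0:
            target = str(ipaddress.IPv4Address(self.network))
        else:
            target = (f"{ipaddress.IPv4Address(self.network)}, "
                      f"wildcard bits {ipaddress.IPv4Address(self.wildcard)}")
        line = f"    {self.seq} {self.action:<6} {target}"
        if self.matches:
            line += f" ({self.matches} {'match' if self.matches == 1 else 'matches'})"
        return line


class StandardACL:
    def __init__(self, number: int):
        self.number = number
        self.entries: list = []
        self.implicit_denies = 0   # packets that fell through to the invisible deny any

    def add(self, action: str, network: str, wildcard: str = "0.0.0.0") -> "StandardACL":
        """Append an entry, mirroring 'access-list N permit|deny NETWORK WILDCARD' or '... any'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if network == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(seq, action,
                                  int(ipaddress.IPv4Address(network)),
                                  int(ipaddress.IPv4Address(wildcard))))
        return self

    def evaluate(self, src: str) -> str:
        """First matching statement wins; anything unmatched hits the implicit deny."""
        s = int(ipaddress.IPv4Address(src))
        for entry in self.entries:
            if entry.covers(s):
                entry.matches += 1
                return entry.action
        self.implicit_denies += 1
        return "deny"

    def show(self) -> list:
        """Lines like 'show access-lists'; the implicit deny never appears here."""
        return [f"Standard IP access list {self.number}"] + [e.render() for e in self.entries]


def ping(acl: StandardACL, src: str, count: int = 5) -> int:
    """Send `count` echo requests from `src` through the ACL; return how many are permitted."""
    return sum(1 for _ in range(count) if acl.evaluate(src) == "permit")


if __name__ == "__main__":
    # Replay of the page's tests: R1 pings from 192.168.12.1 and from loopback 1.1.1.1.
    acl1 = StandardACL(1).add("permit", "192.168.12.0", wildcard_for_prefix(24))
    for src in ("192.168.12.1", "1.1.1.1"):
        print(f"ACL 1, source {src}: {ping(acl1, src)}/5 echoes permitted")
    print("\n".join(acl1.show()))
    print(f"(implicit deny any dropped {acl1.implicit_denies} packets; not shown above)\n")

    acl2 = StandardACL(2).add("deny", "192.168.12.0", "0.0.0.255").add("permit", "any")
    for src in ("192.168.12.1", "1.1.1.1"):
        print(f"ACL 2, source {src}: {ping(acl2, src)}/5 echoes permitted")
    print("\n".join(acl2.show()))
```

Running it reproduces the pattern from the lesson: with access-list 1 the loopback-sourced pings are dropped and the only visible counter stays on the permit statement, while with access-list 2 the 192.168.12.0 /24 pings increment the deny statement and the loopback pings increment permit any, so nothing reaches the implicit deny. The wildcard_for_prefix helper is a handy check that 0.0.0.255 really is the wildcard for a /24 before typing it into a production router.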
If I want to remove a single statement from an access-list, a nice surprise awaits:
R2(config)#no access-list 2 deny 192.168.12.0 0.0.0.255
Let’s say I want to remove the statement above. I’ll type no access-list and this is what you’ll discover:
R2#show access-lists 2
The whole access-list is gone…ouch! You can’t use no access-list to remove a statement. Your router will just accept “no access-list 2” and remove the whole access-list. Fun to discover in a lab, not so much fun on a production network. I’ll show you how to deal with this in a bit.
Besides applying an access-list inbound or outbound you can also apply them to the VTY lines. This is useful if you want to secure telnet or SSH access to your router. Let’s configure R1 so telnet access is only allowed from network 192.168.12.0 /24:
R1(config)#access-list 3 permit 192.168.12.0 0.0.0.255
R1(config)#line vty 0 4
R1(config-line)#access-class 3 in
Above you can see that I created access-list 3 but I used the access-class command on the VTY lines. On interfaces we use the “access-group” command but on VTY lines you need to use “access-class” to apply them.
Let’s try to use telnet:
R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open

Password required, but none set

[Connection to 192.168.12.1 closed by foreign host]
It says “open” which means that it connects. The connection is closed because I didn’t configure a password for telnet but the access-list should work:
R1#show access-lists 
Standard IP access list 3
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (2 matches)
You can see that the packets have matched the statement in access-list 3.

Here is the final configuration of R1:
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
ip route 2.2.2.0 255.255.255.0 192.168.12.2
!
access-list 3 permit 192.168.12.0 0.0.0.255
!
line vty 0 4
 access-class 3 in
!
end

And the final configuration of R2:
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group 2 in
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
ip route 1.1.1.0 255.255.255.0 192.168.12.1
!
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 2 deny 192.168.12.0 0.0.0.255
access-list 2 permit any
!
end

That’s all for now. You have now learned how to configure standard access-lists and how to apply them to your interfaces or VTY line. I hope you learned something from this lesson, if you have any questions please leave a comment!
