Monday 27 April 2015

Configure Access List

Configuring ACLs

Configuring ACLs on Layer 2 or Layer 3 management VLAN interfaces is the same as configuring ACLs on Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the "Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not supported on the Catalyst 2950 switch, see the "Unsupported Features" section.

Unsupported Features

The Catalyst 2950 switch does not support these IOS router ACL-related features:
Non-IP protocol ACLs 
Bridge-group ACLs.
IP accounting.
No ACL support on the outbound direction.
Inbound and outbound rate limiting (except with QoS ACLs).
IP packets with a header length of less than five are not be access-controlled.
Reflexive ACLs.
Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature).
ICMP-based filtering.
IGMP-based filtering.

Creating Standard and Extended IP ACLs

This section describes how to create switch IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.
Use these steps to use ACLs:
Step 1 Create an ACL by specifying an access list number or name and access conditions.
Step 2 Apply the ACL to interfaces or terminal lines.
The software supports these styles of ACLs or IP access lists:
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.
MAC extended access list use source and destination MAC addresses and optional protocol type information for matching operations.
The next sections describe access lists and the steps for using them.

ACL Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 23-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 23-2 Access List Numbers 
ACL Number
Type
Supported
1-99
IP standard access list
Yes
100-199
IP extended access list
Yes
200-299
Protocol type-code access list
No
300-399
DECnet access list
No
400-499
XNS standard access list
No
500-599
XNS extended access list
No
600-699
AppleTalk access list
No
700-799
48-bit MAC address access list
No
800-899
IPX standard access list
No
900-999
IPX extended access list
No
1000-1099
IPX SAP access list
No
1100-1199
Extended 48-bit MAC address access list
No
1200-1299
IPX summary address access list
No
1300-1999
IP standard access list (expanded range)
Yes
2000-2699
IP extended access list (expanded range)
Yes

Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
 
Command
Purpose
Step 1 
configure terminal
Enter global configuration mode.
Step 2 
access-list access-list-number {deny |permit | remark} {source source-wildcard | host source | any}
Define a standard IP ACL by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host from which the packet is being sent:
The 32-bit quantity in dotted-decimal format.
The keyword any as an abbreviation for source andsource-wildcard of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard.
The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.
(Optional) The source-wildcard applies wildcard bits to the source. (See first bullet item.)
Note The log option is not supported on Catalyst 2950 switches.
Step 3 
end
Return to privileged EXEC mode.
Step 4 
show access-lists [number | name]
Show the access list configuration.
Step 5 
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102



Switch (config)# access-list 2 permit any



Switch(config)# end 



Switch# show access-lists



Standard IP access list 2



    deny   171.69.198.102



    permit any

Creating a Numbered Extended ACL

Although standard ACLs use only source addresses for matching, you can use an extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of control. Some protocols also have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold): Internet Protocol (ip), Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
TCP
UDP
Table 23-3 lists the possible filtering parameters for ACEs for each protocol type.
Table 23-3 Filtering Parameter ACEs Supported by Different IP Protocols 
Filtering Parameter 1
TCP
UDP
Layer 3 Parameters:
  
 
IP ToS byte2
-
-
 
Differentiated Services Code Point (DSCP)
-
-
 
IP source address
X
X
 
IP destination address
X
X
 
Fragments
-
-
 
TCP or UDP
X
X
Layer 4 Parameters
  
 
Source port operator
X
X
 
Source port
X
X
 
Destination port operator
X
X
 
Destination port
X
X
 
TCP flag
-
-
For more details on the specific keywords relative to each protocol, refer to the Cisco IP and IP Routing Command Reference for IOS Release 12.1.
When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
 
Command
Purpose
Step 1 
configure terminal
Enter global configuration mode.
Step 2 
access-list access-list-number
{deny | permit | remark} protocol
{source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operatorport]
Define an extended IP access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
For protocol, enter the name or number of an IP protocol:iptcp, or udp. To match any Internet protocol (including TCP and UDP), use the keyword ip.
Note This step includes options for most IP protocols.
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
Define a destination or source port.
The operator can be only eq (equal).
If operator is after source source-wildcard, conditions match when the source port matches the defined port.
If operator is after destination destination-wildcard, conditions match when the destination port matches the defined port.
The port is a decimal number or name of a TCP or UDP port. The number can be from 0 to 65535.
Use TCP port names only for TCP traffic.
Use UDP port names only for UDP traffic.
The destination-wildcard applies wildcard bits to the destination.
Sourcesource-wildcarddestination, and destination-wildcard can be specified in three ways:
The 32-bit quantity in dotted-decimal format.
The keyword any as an abbreviation for source andsource-wildcard of 0.0.0.0 255.255.255.255 or any source host.
The keyword host, followed by the 32-bit quantity in dotted-decimal format, as an abbreviation for a single host with source and source-wildcard of source0.0.0.0.
Note Only the iptcp, and udp protocols are supported on Catalyst 2950 switches.
Step 3 
show access-lists [number | name]
Verify the access list configuration.
Step 4 
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others. (The eq keyword after the destination address means to test for the TCP destination port number equaling Telnet.)



Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq 







telnet



Switch(config)# access-list 102 permit tcp any any 



Switch(config)# end 



Switch# show access-lists



Extended IP access list 102



    deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet



    permit tcp any any
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL.
Consider these guidelines and limitations before configuring named ACLs:
A standard ACL and an extended ACL cannot have the same name.
Numbered ACLs are also available, as described in the "Creating Standard and Extended IP ACLs" section.
Beginning in privileged EXEC mode, follow these steps to create a standard access list using names:
 
Command
Purpose
Step 1 
configure terminal
Enter global configuration mode.
Step 2 
ip access-list standard{name | access-list-number}
Define a standard IP access list using a name, and enter access-list configuration mode.
Note The name can be a number from 1 to 99.
Step 3 
deny {source source-wildcard | host source |any}
or
permit {source source-wildcard | host source |any}
In access-list configuration mode, specify one or more conditions denied or permitted to determine if the packet is forwarded or dropped.
host source represents a source and source wildcard of source0.0.0.0.
any represents a source and source wildcard of 0.0.0.0 255.255.255.255.
Note The log option is not supported on Catalyst 2950 switches.
Step 4 
end
Return to privileged EXEC mode.
Step 5 
show access-lists [number | name]
Show the access list configuration.
Step 6 
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:
 
Command
Purpose
Step 1 
configure terminal
Enter global configuration mode.
Step 2 
ip access-list extended {name | access-list-number}
Define an extended IP access list by using a name, and enter access-list configuration mode.
Note The name can be a number from 100 to 199.
Step 3 
{deny | permit} protocol
{source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operatorport]
In access-list configuration mode, specify the conditions allowed or denied.

host source represents a source and source wildcard of source 0.0.0.0, and host destination represents a destination and destination wildcard of destination0.0.0.0.
any represents a source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.
Step 4 
end
Return to privileged EXEC mode.
Step 5 
show access-lists [number | name]
Show the access list configuration.
Step 6 
copy running-config startup-config
(Optional) Save your entries in the configuration file.
When making the standard and extended ACL, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs to a specific ACL. However, you can use no permit and no deny commands to remove ACEs from a named ACL. This example shows how you can delete individual ACEs from a named ACL:

Switch(config)# ip access-list extended border-list



Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.
After creating an ACL, you must apply it to a line or interface, 
Posted by at
Location: Patiala, Punjab, India

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)