Tuesday, 28 April 2015

Configure Access List (Cont.)

Including Comments About Entries in ACLs

You can use the remark command to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
For IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command to include a comment about an access list. To remove the remark, use the no form of this command.
In this example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through

Switch(config)# access-list 1 permit 171.69.2.88

Switch(config)# access-list 1 remark Do not allow Smith workstation through

Switch(config)# access-list 1 deny 171.69.3.13

For an entry in a named IP ACL, use the remark access-list configuration command (entered in standard or extended named ACL configuration mode). To remove the remark, use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet. The remark and the deny entry are shown on their own; a complete ACL must follow them with permit entries for the traffic that should pass, because a list that contains only deny entries drops everything through the implicit deny at its end:

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. On this switch, ACLs filter inbound traffic only; there is no outbound direction. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
When controlling access to a line, you must use a numbered IP ACL; the access-class command does not accept a name. MAC extended ACLs are applied to Layer 2 interfaces only (see "Creating MAC Access Groups").
When controlling access to an interface, you can use a name or number.
Set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them.
If you apply an ACL to a management interface, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or Web traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming connections between a virtual terminal line and the addresses in an ACL:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: line {console | vty} line-number [ending-line-number]
    Identify a specific line (or contiguous group of lines) for configuration, and enter line configuration mode. Enter console for the console terminal line (the console port is DCE) or vty for a virtual terminal used for remote console access. The line-number is the first line number in the contiguous group you want to configure; the range is from 0 to 16.

Step 3: access-class access-list-number in
    Restrict incoming connections on the selected virtual terminal lines to the source addresses that the numbered ACL permits. Sources that match no entry are refused by the implicit deny.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show running-config
    Display the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 or management interface:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: interface interface-id
    Identify a specific interface for configuration and enter interface configuration mode. The interface must be a Layer 2 interface, the management interface, or the management VLAN interface.

Step 3: ip access-group {access-list-number | name} in
    Apply the ACL to packets entering the specified interface.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show running-config
    Display the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
This example shows how to apply access list 2 on Gigabit Ethernet interface 0/3 to filter packets entering the interface:

Switch(config)# interface gigabitethernet0/3

Switch(config-if)# ip access-group 2 in

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.
When you apply an undefined ACL to an interface (a number or name for which no permit or deny entries exist), the switch acts as if no ACL had been applied and permits all packets. The binding therefore fails open rather than closed: a typo in the number or name, or an ACL that was deleted while still referenced, silently removes the filter. Verify with show access-lists that every ACL referenced by ip access-group, mac access-group, or access-class actually has entries.
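The fail-open behaviour just described, the vty guideline above (identical restrictions on every virtual terminal line), and the same caveat repeated later for MAC access groups are all things that can be checked mechanically from the text of show running-config. The following is an added example, not part of the Catalyst 2950 guide: a small checker that reads a running-config and reports ACL bindings whose ACL has no entries, vty line groups with no access-class, and bound ACLs that contain only deny entries (which drop everything once the implicit deny is counted). The configuration excerpt inside it is constructed for the example (the bindings to ACL 2 and mac2 are deliberately left undefined), and the parser understands only the statements used on this page.

```python
"""Check a Catalyst running-config for ACL bindings that silently do nothing.

Added example, not from the Catalyst 2950 guide. Handles only the statements
this page uses: access-list, ip access-list, mac access-list extended,
interface, ip/mac access-group, line vty, access-class.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed running-config excerpt. ACL 2 and mac2 are referenced but never
# defined; ACL 12 deliberately has only a deny entry; vty 5-15 has no access-class.
SAMPLE_CONFIG = """\
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
access-list 12 deny 1.3.3.2
access-list 106 deny tcp any any eq 80
access-list 106 permit ip any any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit ip any any
mac access-list extended mac1
 deny any any decnet-iv
 permit any any
!
interface FastEthernet0/5
 ip access-group 12 in
!
interface FastEthernet0/9
 mac access-group mac2 in
!
interface GigabitEthernet0/1
 ip access-group marketing_group in
!
interface GigabitEthernet0/2
 ip access-group 106 in
!
interface GigabitEthernet0/3
 ip access-group 2 in
!
line con 0
line vty 0 4
 access-class 1 in
line vty 5 15
!
"""


def check_config(config: str) -> Dict[str, List[str]]:
    ip_acls: Dict[str, List[str]] = {}        # ACL id -> actions of its ACEs
    mac_acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str, str]] = []  # (ip|mac, ACL id, where bound)
    vty: List[Dict[str, Optional[str]]] = []   # one entry per 'line vty' block
    ctx: Optional[Tuple[str, Any]] = None      # block the indented lines belong to
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "access-list":              # numbered IP ACL, one ACE per line
            ip_acls.setdefault(w[1], [])
            if len(w) > 2 and w[2] in ("permit", "deny"):
                ip_acls[w[1]].append(w[2])
            ctx = None
        elif w[:2] == ["ip", "access-list"]:   # named IP ACL header
            ip_acls.setdefault(w[3], [])
            ctx = ("ip", w[3])
        elif w[:2] == ["mac", "access-list"]:  # named MAC extended ACL header
            mac_acls.setdefault(w[3], [])
            ctx = ("mac", w[3])
        elif w[0] == "interface":
            ctx = ("if", " ".join(w[1:]))
        elif w[:2] == ["line", "vty"]:
            vty.append({"line": " ".join(w), "access_class": None})
            ctx = ("vty", len(vty) - 1)
        elif w[0] == "line":                   # console/aux lines: not checked here
            ctx = None
        elif ctx is None:
            continue
        elif ctx[0] in ("ip", "mac") and w[0] in ("permit", "deny"):
            (ip_acls if ctx[0] == "ip" else mac_acls)[ctx[1]].append(w[0])
        elif ctx[0] == "if" and len(w) >= 3 and w[1] == "access-group" and w[0] in ("ip", "mac"):
            bindings.append((w[0], w[2], ctx[1]))
        elif ctx[0] == "vty" and w[0] == "access-class":
            vty[ctx[1]]["access_class"] = w[1]
            bindings.append(("ip", w[1], vty[ctx[1]]["line"]))

    findings: List[str] = []
    for kind, acl, where in bindings:
        aces = (ip_acls if kind == "ip" else mac_acls).get(acl, [])
        if not aces:
            findings.append(f"{where}: {kind} ACL {acl} is bound but has no permit/deny "
                            "entries; the switch applies no filter and permits everything")
        elif "permit" not in aces:
            findings.append(f"{where}: ACL {acl} has only deny entries; with the implicit "
                            "deny it drops all traffic")
    for v in vty:
        if v["access_class"] is None:
            findings.append(f"{v['line']}: no access-class, remote logins on these lines are unrestricted")
    if len({v["access_class"] for v in vty if v["access_class"]}) > 1:
        findings.append("vty lines do not all use the same access-class")
    bound = {acl for _, acl, _ in bindings}
    unused = sorted(acl for acl in list(ip_acls) + list(mac_acls) if acl not in bound)
    return {"findings": findings, "unused": unused}


if __name__ == "__main__":
    for key, items in check_config(SAMPLE_CONFIG).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run it against a real switch by pasting the output of show running-config into the string; an empty findings list means every binding points at an ACL that exists, has at least one permit, and every vty group is covered.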

Displaying ACLs

You can display existing ACLs by using show commands.
Beginning in privileged EXEC mode, follow these steps to display access lists:

Step 1: show access-lists [number | name]
    Show information about all IP and MAC address access lists or about a specific access list (numbered or named).

Step 2: show ip access-lists [number | name]
    Show information about all IP address access lists or about a specific IP ACL (numbered or named).
This example displays all standard and extended ACLs:
Switch# show access-lists

Standard IP access list 1

    permit 172.20.10.10

Standard IP access list 10

    permit 12.12.12.12

Standard IP access list 12

    deny   1.3.3.2

Standard IP access list 32

    permit 172.20.20.20

Standard IP access list 34

    permit 10.24.35.56

    permit 23.45.56.34

Extended IP access list 120

Extended MAC access list mac1 

This example displays only IP standard and extended ACLs.

Switch# show ip access-lists

Standard IP access list 1

    permit 172.20.10.10

Standard IP access list 10

    permit 12.12.12.12

Standard IP access list 12

    deny   1.3.3.2

Standard IP access list 32

    permit 172.20.20.20

Standard IP access list 34

    permit 10.24.35.56

    permit 23.45.56.34

Extended IP access list 120

Displaying Access Groups

You use the ip access-group interface configuration command to apply ACLs to an interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics. If IP is not enabled on the interface, the access lists are not shown.
This example shows how to view the access groups configured for VLAN 1 and for Fast Ethernet interface 0/9:
Switch# show ip interface vlan 1

Vlan1 is up, line protocol is down

  Internet address is 10.20.30.1/16

  Broadcast address is 255.255.255.255

  Address determined by setup command

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is permit Any

  Inbound  access list is 13

<information truncated>
Switch# show ip interface fastethernet0/9

FastEthernet0/9 is down, line protocol is down

  Inbound  access list is ip1

The only way to ensure that you can view all configured access groups under all circumstances is to use the show running-config privileged EXEC command. To display the ACL configuration of a single interface, use the show running-config interface interface-id command.
This example shows how to display the ACL configuration of Gigabit Ethernet interface 0/1:

Switch# show running-config interface gigabitethernet0/1

Building configuration...

Current configuration :112 bytes

!

interface GigabitEthernet0/1

 ip access-group 11 in

 snmp trap link-status

 no cdp enable

end

Examples for Compiling ACLs

For detailed information about compiling ACLs, refer to the Security Configuration Guide and the "IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
Figure 23-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link.
Use switch ACLs to do these:
Create a standard ACL that permits traffic only from the Internet host with address 172.20.128.64.
Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access.
Figure 23-2 Using Switch ACLs to Control Traffic
This example uses a standard ACL to permit traffic only from the Internet host with address 172.20.128.64; packets from every other source are dropped by the implicit deny at the end of the list. The wildcard 0.0.0.0 matches that single address and is equivalent to writing host 172.20.128.64.

Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.0

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group 6 in

This example uses an extended ACL to deny TCP traffic destined to port 80 (HTTP), that is, connections to web servers, and permits all other types of traffic:
Switch(config)# access-list 106 deny tcp any any eq 80

Switch(config)# access-list 106 permit ip any any

Switch(config)# interface gigabitethernet0/2

Switch(config-if)# ip access-group 106 in

Numbered ACL Examples

This example shows that the switch accepts packets from sources on network 36.0.0.0 and denies all packets coming from 56.0.0.0. The deny entry is explicit for clarity; packets from any other source, 56.0.0.0 included, would be dropped by the implicit deny anyway. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255

Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group 2 in

Extended ACL Examples

In this example of using an extended ACL, the network 128.88.0.0/16 is connected to the Internet through Gigabit Ethernet interface 0/1, and you want hosts on the Internet to be able to open only TCP Telnet (port 23) and SMTP (port 25) connections to hosts on that network. Applied to inbound traffic on the Internet-facing port, the two permit entries pass those connections and the implicit deny drops everything else:

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group 102 in

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system behind the switch always accepts mail connections on port 25, the incoming services are controlled.

Named ACL Example

The marketing_group ACL permits TCP Telnet traffic to any destination in 171.69.0.0 with wildcard 0.0.255.255 and denies all other TCP traffic. It permits any other IP traffic. Order matters: the entries are evaluated top down and the first match decides, so the Telnet permit must precede the deny tcp any any entry.

Switch(config)# ip access-list extended marketing_group

Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet

Switch(config-ext-nacl)# deny tcp any any

Switch(config-ext-nacl)# permit ip any any 

The ACL is applied to Gigabit Ethernet port 0/1, which is configured as a Layer 2 port, so that the marketing_group ACL filters incoming traffic (ACL names are case sensitive, so the name must match exactly):

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group marketing_group in
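The extended and named examples above depend on three rules the switch applies to every inbound ACL: entries are checked top down and the first match decides, a packet that matches nothing is dropped by the implicit deny, and a wildcard bit of 1 means "don't care". The following added example (not code from the Catalyst 2950 guide) implements those rules in Python so that an ACL can be tested against sample packets before it is bound with ip access-group. It parses only the syntax used on this page (permit/deny, remark, any, host, address plus wildcard, protocols ip/tcp/udp, eq port); the port-name table and the sample packets are constructed for the example, and the ACLs are copied from the text above.

```python
"""First-match evaluation of Cisco IOS standard and extended IP ACLs.

Added example, not from the Catalyst 2950 guide. Models inbound ACL
behaviour: top-down first match, implicit deny, wildcard masks, 'eq' port
match, and an undefined or empty ACL filtering nothing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used on this page, plus 'domain' for the UDP sample (assumed table).
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "domain": 53}
ANY = (0, 0xFFFFFFFF)                       # address 0.0.0.0, wildcard 255.255.255.255


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                       # "tcp", "udp" or another IP protocol name
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches every IP protocol
    src: Tuple[int, int]                    # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]


def _is_quad(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _addr(w: List[str], i: int, wild_required: bool) -> Tuple[Tuple[int, int], int]:
    """Parse any | host A | A WILD at w[i]; extended ACEs always carry a wildcard."""
    if w[i] == "any":
        return ANY, i + 1
    if w[i] == "host":
        return (int(ipaddress.IPv4Address(w[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(w[i]))
    if wild_required or (i + 1 < len(w) and _is_quad(w[i + 1])):
        return (addr, int(ipaddress.IPv4Address(w[i + 1]))), i + 2
    return (addr, 0), i + 1                 # standard ACL: no wildcard means 0.0.0.0


def _port(w: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(w) and w[i] == "eq":
        p = w[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str, extended: bool) -> Optional[Ace]:
    w = line.split()
    if w[:1] == ["access-list"]:            # numbered form: drop 'access-list N'
        w = w[2:]
    if not w or w[0] == "remark":           # remarks never match traffic
        return None
    if extended:
        proto = w[1]
        src, i = _addr(w, 2, True)
        sport, i = _port(w, i)
        dst, i = _addr(w, i, True)
        dport, i = _port(w, i)
    else:                                   # standard ACL: source address only
        proto = "ip"
        src, i = _addr(w, 1, False)
        dst, sport, dport = ANY, None, None
    return Ace(w[0], proto, src, dst, sport, dport)


def parse_acl(lines: List[str], extended: bool) -> List[Ace]:
    return [a for a in (parse_ace(line, extended) for line in lines) if a]


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    addr, wild = spec
    mask = ~wild & 0xFFFFFFFF               # wildcard bit 1 = don't care
    return int(ipaddress.IPv4Address(ip)) & mask == addr & mask


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: Optional[List[Ace]], pkt: Packet) -> str:
    """Undefined/empty ACL filters nothing; otherwise first match wins, else implicit deny."""
    if not acl:
        return "permit"
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# ACLs copied from the examples on this page.
ACL_102 = ["access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23",
           "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25"]
MARKETING_GROUP = ["permit tcp any 171.69.0.0 0.0.255.255 eq telnet",
                   "deny tcp any any",
                   "permit ip any any"]
ACL_2 = ["access-list 2 permit 36.0.0.0 0.255.255.255",
         "access-list 2 deny 56.0.0.0 0.255.255.255"]
TELNETTING = ["remark Do not allow Jones subnet to telnet out",
              "deny tcp 171.69.0.0 0.0.255.255 any eq telnet"]

if __name__ == "__main__":
    acl = parse_acl(MARKETING_GROUP, extended=True)
    for pkt in (Packet("10.1.1.1", "171.69.5.5", "tcp", 40000, 23),
                Packet("10.1.1.1", "171.69.5.5", "tcp", 40000, 80),
                Packet("10.1.1.1", "8.8.8.8", "udp", 40000, 53)):
        print(pkt, "->", evaluate(acl, pkt))
```

Running the telnetting list through evaluate shows the caveat that goes with the remark examples: as written it contains only a deny entry, so not just Jones' Telnet but every other packet is dropped by the implicit deny; a real deployment needs permit entries after it.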

...

Commented IP ACL Entry Examples

In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through

Switch(config)# access-list 1 permit 171.69.2.88

Switch(config)# access-list 1 remark Do not allow Smith workstation through

Switch(config)# access-list 1 deny 171.69.3.13

In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the Web:

Switch(config)# access-list 100 remark Do not allow Winter to browse the web

Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www

Switch(config)# access-list 100 remark Do not allow Smith to browse the web

Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www

In this example of a named ACL, the Jones subnet is not allowed access:

Switch(config)# ip access-list standard prevention

Switch(config-std-nacl)# remark Do not allow Jones subnet through

Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255

In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named access lists.
For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: mac access-list extended name
    Define an extended MAC access list by using a name, and enter extended MAC access-list configuration mode.

Step 3: {deny | permit} {any | host source-MAC-address} {any | host destination-MAC-address} [aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
    In extended MAC access-list configuration mode, specify whether to permit or deny frames from any source MAC address or a specific host source MAC address, to any destination MAC address or a specific host destination MAC address.
    (Optional) Restrict the entry to one non-IP protocol by appending its keyword: aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show access-lists [number | name]
    Show the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Use the no mac access-list extended name global configuration command to delete the entire ACL. You can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.

Switch(config)# mac access-list extended mac1

Switch(config-ext-macl)# deny any any decnet-iv

Switch(config-ext-macl)# permit any any

Switch(config-ext-macl)# end

Switch# show access-lists

Extended MAC access list mac1

    deny   any any decnet-iv 

    permit any any 

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: interface interface-id
    Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface.

Step 3: mac access-group name in
    Apply the named MAC extended ACL to packets entering the specified interface.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show mac access-group
    Display the MAC ACLs applied to interfaces.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
This example shows how to apply the MAC ACL mac1 created above on Gigabit Ethernet interface 0/1 to filter packets entering the interface (MAC ACLs are named, so mac access-group takes a name, not a number):

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# mac access-group mac1 in

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet. The MAC ACL applies to both IP as well as non-IP packets.

When you apply an undefined MAC ACL to an interface (a name with no permit or deny entries), the switch acts as if no ACL had been applied and permits all packets. As with IP ACLs, the binding fails open, so check show access-lists or show mac access-group after configuring it rather than relying on the name alone.
