ACLs for IPv4 Configuration
Upon completion of this chapter, you will be able to answer the following questions:
How do you configure standard IPv4 ACLs to filter traffic to meet networking requirements?
How do you use sequence numbers to edit existing standard IPv4 ACLs?
How do you configure a standard ACL to secure vty access?
How do you configure extended IPv4 ACLs to filter traffic according to networking requirements?
This chapter uses the following key term. You can find the definition in the Glossary.
In the gated community where your grandparents live, there are rules for who can enter and leave the premises. The guard will not raise the gate to let you into the community until someone confirms that you are on an approved visitor list. Much like the guard in the gated community, an access control list (ACL) may be configured to permit and deny network traffic passing through an interface. How do you configure ACLs? How do you modify them if they are not working correctly or if they require other changes? How do ACLs provide secure remote administrative access? Get started with this chapter to learn more!
In this section, you will learn how to configure standard IPv4 ACLs.
In Chapter 4, “ACL Concepts,” you learned what an ACL does and why it is important. In this section, you will learn about creating ACLs.
All ACLs must be planned, but planning is especially important for ACLs that require multiple access control entries (ACEs).
When configuring a complex ACL, it is suggested that you
Use a text editor to write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Thoroughly test each ACL to ensure that it correctly applies the desired policy.
These recommendations enable you to create an ACL thoughtfully and without impacting the traffic on the network.
To create a numbered standard ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.
Table 5-1 provides a detailed explanation of the syntax used in creating a standard ACL.
Table 5-1 Syntax for Numbered Standard IPv4 ACLs
Parameter |
Description |
access-list-number |
|
deny |
|
permit |
|
remark text |
|
source |
|
source-wildcard |
|
log |
|
Naming an ACL makes it easier to understand its function. To create a named standard ACL, use the following global configuration command:
Router(config)# ip access-list standard access-list-name
This command enters the named standard configuration mode where you configure the ACL ACEs.
ACL names are alphanumeric and case sensitive, and they must be unique. Capitalizing ACL names is not required but makes them stand out when viewing the running configuration output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.
Note
Use the no ip access-list standard access-list-name global configuration command to remove a named standard IPv4 ACL.
Example 5-1 shows the creation of a named standard IPv4 ACL called NO-ACCESS.
Example 5-1 Options for Creating a Named Standard ACL
R1(config)# ip access-list standard NO-ACCESS R1(config-std-nacl)# ? Standard Access List configuration commands: <1-2147483647> Sequence Number default Set a command to its defaults deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward remark Access list entry comment R1(config-std-nacl)#
Notice that the prompt changes to named standard ACL configuration mode. ACE statements are entered in the named standard ACL subconfiguration mode. Use the help facility to view all the named standard ACL ACE options.
The three highlighted options in Example 5-1 are configured similarly to the numbered standard ACL. Unlike with the numbered ACL method, however, there is no need to repeat the initial ip access-list command for each ACE.
After a standard IPv4 ACL is configured, it must be linked to an interface or a feature. The following interface configuration command can be used to bind a numbered or named standard IPv4 ACL to an interface:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group interface configuration command. At this point, the ACL will still be configured on the router. To remove the ACL from the router, use the no access-list or no ip access-list global configuration command.
The topology in Figure 5-1 is used in this section to demonstrate configuring and applying numbered and named standard IPv4 ACLs to an interface. This first example shows a numbered standard IPv4 ACL implementation.
Figure 5-1 Numbered and Named Standard ACL Reference Topology
Say that only PC1 is allowed out to the internet. To enable this policy, a standard ACL ACE could be applied outbound on S0/1/0, as shown in Example 5-2.
Example 5-2 ACE to Permit PC1
R1(config)# access-list 10 remark ACE permits ONLY host 192.168.10.10 to the internet
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)#
R1(config)# do show access-lists
Standard IP access list 10
10 permit 192.168.10.10
R1(config)#
Notice that the output of the show access-lists command does not display the remark statements. ACL remarks are displayed in the running configuration file. Although the remark command is not required to enable the ACL, it is strongly suggested for documentation purposes.
Now say that a new network policy states that hosts in LAN 2 should also be permitted to the internet. To enable this policy, a second standard ACL ACE could be added to ACL 10, as shown in Example 5-3.
Example 5-3 Adding Another ACE to the ACL
R1(config)# access-list 10 remark ACE permits all host in LAN 2
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)#
R1(config)# do show access-lists
Standard IP access list 10
10 permit 192.168.10.10
20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1(config)#
Apply ACL 10 outbound on the Serial 0/1/0 interface, as shown in Example 5-4.
Example 5-4 Applying the ACL
R1(config)# interface Serial 0/1/0 R1(config-if)# ip access-group 10 out R1(config-if)# end R1#
ACL 10 permits only host 192.168.10.10 and all hosts from LAN 2 to exit the Serial 0/1/0 interface. All other hosts in the 192.168.10.0 network are not permitted to the internet.
Use the show running-config command to review the ACL in the configuration, as shown in Example 5-5. Notice that the remarks statements are displayed in this case.
Example 5-5 Verifying the ACL in the Running Configuration
R1# show run | section access-list access-list 10 remark ACE permits host 192.168.10.10 access-list 10 permit 192.168.10.10 access-list 10 remark ACE permits all host in LAN 2 access-list 10 permit 192.168.20.0 0.0.0.255 R1#
Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In Example 5-6, the output is specifically looking at the Serial 0/1/0 interface for lines that include access list.
Example 5-6 Verifying That the ACL Is Applied to the Interface
R1# show ip int Serial 0/1/0 | include access list
Outgoing Common access list is not set
Outgoing access list is 10
Inbound Common access list is not set
Inbound access list is not set
R1#
This section shows an example of a named standard IPv4 ACL implementation. This example uses the same topology as before, repeated in Figure 5-2 for your convenience.
Figure 5-2 Numbered and Named Standard ACL Reference Topology
Say that only PC1 is allowed out to the internet. To enable this policy, a named standard ACL called PERMIT-ACCESS could be applied outbound on S0/1/0.
Remove the previously configured named ACL 10 and create a named standard ACL called PERMIT-ACCESS, as shown in Example 5-7.
Example 5-7 Removing an ACL and Configuring It as a Named ACL
R1(config)# no access-list 10 R1(config)# ip access-list standard PERMIT-ACCESS R1(config-std-nacl)# remark ACE permits host 192.168.10.10 R1(config-std-nacl)# permit host 192.168.10.10 R1(config-std-nacl)#
Now add an ACE permitting only host 192.168.10.10 and another ACE permitting all LAN 2 hosts to the internet, as shown in Example 5-8.
Example 5-8 Adding an ACE to the Named ACL
R1(config-std-nacl)# remark ACE permits host 192.168.10.10 R1(config-std-nacl)# permit host 192.168.10.10 R1(config-std-nacl)# remark ACE permits all hosts in LAN 2 R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255 R1(config-std-nacl)# exit R1(config)#
Apply the new named ACL outbound to the Serial 0/1/0 interface, as shown in Example 5-9.
Example 5-9 Applying the Named ACL
R1(config)# interface Serial 0/1/0 R1(config-if)# ip access-group PERMIT-ACCESS out R1(config-if)# end R1#
Use the show access-lists and show running-config commands to review the ACL in the configuration, as shown in Example 5-10.
Example 5-10 Verifying the Named ACL Configuration
R1# show access-lists Standard IP access list PERMIT-ACCESS 10 permit 192.168.10.10 20 permit 192.168.20.0, wildcard bits 0.0.0.255 R1# R1# show run | section ip access-list ip access-list standard PERMIT-ACCESS remark ACE permits host 192.168.10.10 permit 192.168.10.10 remark ACE permits all hosts in LAN 2 permit 192.168.20.0 0.0.0.255 R1#
Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In Example 5-11, the output is specifically looking at the Serial 0/1/0 interface for lines that include access list.
Example 5-11 Verifying That the Named ACL Is Applied to the Interface
R1# show ip int Serial 0/1/0 | include access list Outgoing Common access list is not set Outgoing access list is PERMIT-ACCESS Inbound Common access list is not set Inbound access list is not set R1#
Syntax Check—Configure Standard IPv4 ACLs (5.1.7)
Refer to the online course to complete this activity.
Packet Tracer—Configure Numbered Standard IPv4 ACLs (5.1.8)
Standard ACLs are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation. The routers are already configured, including IPv4 addresses and EIGRP routing.
Packet Tracer—Configure Named Standard IPv4 ACLs (5.1.9)
The senior network administrator has asked you to create a named standard ACL to prevent access to a file server. All clients from one network and one specific workstation from a different network should be denied access.
ACLs can be very complex and long. What happens if you notice a mistake in one ACE? Do you delete the entire ACL and re-create it? Can you change one ACE only? In this section, you will learn how to modify an existing IPv4 ACL.
After an ACL is configured, it may need to be modified. Configuring ACLs with multiple ACEs can be complex. Sometimes the configured ACE does not yield the expected behaviors. Therefore, ACL configuration may initially require a bit of trial and error to achieve the desired filtering result.
This section discusses two methods to use when modifying an ACL:
Using a text editor
Using sequence numbers
ACLs with multiple ACEs should be created in a text editor. Using this method allows you to plan the required ACEs, create the ACL, and then paste it into the router interface. It also simplifies the tasks involved in editing and fixing an ACL.
For example, say that ACL 1 was entered incorrectly using 19 instead of 192 for the first octet, as shown in Example 5-12.
Example 5-12 Error in the First ACE
R1# show run | section access-list
access-list 1 deny 19.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
R1#
In this example, the first ACE should have been to deny the host at 192.168.10.10. However, the ACE was incorrectly entered.
To correct the error:
Step 1. Copy the ACL from the running configuration and paste it into the text editor.
Step 2. Make the necessary changes.
Step 3. Remove the previously configured ACL on the router; otherwise, pasting the edited ACL commands will only append (that is, add) to the existing ACL ACEs on the router.
Step 4. Copy and paste the edited ACL back to the router.
Say that ACL 1 has now been corrected. Therefore, the incorrect ACL must be deleted, and the corrected ACL 1 statements must be pasted in using global configuration mode, as shown in Example 5-13.
Example 5-13 Deleting the ACL Before Correctly Configuring the ACE
R1(config)# no access-list 1
R1(config)#
R1(config)# access-list 1 deny 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#
An ACL ACE can be deleted or added by using the ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered. To see these numbers listed, run the show access-lists command. The show running-config command output does not display sequence numbers.
The incorrect ACE for ACL 1 is using sequence number 10, as shown in the output of the show access-lists command in Example 5-14.
Example 5-14 Viewing the Sequence Number for Each ACE
R1# show access-lists
Standard IP access list 1
10 deny 19.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
R1#
Use the ip access-list standard command to edit an ACL. A statement cannot be overwritten using the same sequence number as an existing statement. Therefore, the current statement must be deleted first with the no 10 command. Then the correct ACE can be added, using sequence number 10. Verify the changes using the show access-lists command, as shown in Example 5-15.
Example 5-15 Configuring and Verifying a New ACE for Sequence Number 10
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1#
R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
R1#
With named ACLs you can use sequence numbers to delete and add ACEs. Refer to Example 5-16 for the ACL NO-ACCESS.
Example 5-16 Verifying the Sequence Numbers for an ACL
R1# show access-lists Standard IP access list NO-ACCESS 10 deny 192.168.10.10 20 permit 192.168.10.0, wildcard bits 0.0.0.255 R1#
Assume that host 192.168.10.5 from the 192.168.10.0/24 network should also have been denied. If you entered a new ACE, it would be appended to the end of the ACL, and the host would never be denied because ACE 20 permits all hosts from that network.
The solution is to add an ACE denying host 192.168.10.5 in between ACE 10 and ACE 20. Example 5-17 shows ACE 15 added. Notice that the new ACE was entered without using the host keyword; this keyword is optional when specifying a destination host.
Example 5-17 Using a Sequence Number to Insert an ACE
R1# configure terminal R1(config)# ip access-list standard NO-ACCESS R1(config-std-nacl)# 15 deny 192.168.10.5 R1(config-std-nacl)# end R1# R1# show access-lists Standard IP access list NO-ACCESS 15 deny 192.168.10.5 10 deny 192.168.10.10 20 permit 192.168.10.0, wildcard bits 0.0.0.255 R1#
The show access-lists command is used to verify that the ACL now has a new ACE 15 inserted appropriately before the permit statement.
Notice that sequence number 15 is displayed prior to sequence number 10. We might expect the order of the statements in the output to reflect the order in which they were entered. However, IOS orders host statements by using a special hashing function. The resulting order optimizes the ACL to search by host entries first, and then by network entries.
Note
The hashing function is only applied to host statements in an IPv4 standard access list. The details of the hashing function are beyond the scope of this book.
Notice in Example 5-18 that the show access-lists command shows statistics for each statement that has been matched. The deny ACE in the NO-ACCESS ACL has been matched 20 times, and the permit ACE has been matched 64 times.
Example 5-18 Verifying and Clearing ACL Matches
R1# show access-lists Standard IP access list NO-ACCESS 10 deny 192.168.10.10 (20 matches) 20 permit 192.168.10.0, wildcard bits 0.0.0.255 (64 matches) R1# R1# clear access-list counters NO-ACCESS R1# R1# show access-lists Standard IP access list NO-ACCESS 10 deny 192.168.10.10 20 permit 192.168.10.0, wildcard bits 0.0.0.255 R1#
Note that the implied deny any in the last statement does not display any statistics. To track how many implicit denied packets have been matched, you must manually configure the deny any command at the end of the ACL.
Use the clear access-list counters command to clear the ACL statistics. This command can be used alone or with the number or name of a specific ACL.
Syntax Checker—Modify IPv4 ACLs (5.2.6)
Refer to the online course to complete this activity.
Packet Tracer—Configure and Modify Standard IPv4 ACLs (5.2.7)
In this Packet Tracer activity, you will complete the following objectives:
Part 1: Configure devices and verify connectivity
Part 2: Configure and verify standard numbered and named ACLs
Part 3: Modify a standard ACL
In this section, you will learn how to use a standard ACL to secure vty access.
ACLs typically filter incoming or outgoing traffic on an interface. However, an ACL can also be used to secure remote administrative access to a device using the vty lines.
Use the following two steps to secure remote administrative access to the vty lines:
Step 1. Create an ACL to identify which administrative hosts should be allowed remote access.
Step 2. Apply the ACL to incoming traffic on the vty lines.
Use the following line configuration mode command to apply an ACL to the vty lines:
R1(config-line)# access-class {access-list-number | access-list-name} {in | out}
The in keyword is the most commonly used option to filter incoming vty traffic. The out parameter filters outgoing vty traffic and is rarely applied.
The following should be considered when configuring access lists on vty lines:
Both named and numbered access lists can be applied to vty lines.
Identical restrictions should be set on all the vty lines because a user can attempt to connect to any of them.
The topology in Figure 5-3 is used to demonstrate how to configure an ACL to filter vty traffic. In this example, only PC1 will be allowed to Telnet in to R1.
Note
Telnet is used here for demonstration purposes only. SSH should be used in a production environment.
To increase secure access, a username and password will be created, and the login local authentication method will be used on the vty lines. The command in Example 5-19 creates a local database entry for user ADMIN and password class.
Figure 5-3 Numbered and Named Standard ACL Reference Topology
Example 5-19 Configuring and Applying an ACL to vty Lines
R1(config)# username ADMIN secret class R1(config)# ip access-list standard ADMIN-HOST R1(config-std-nacl)# remark This ACL secures incoming vty lines R1(config-std-nacl)# permit 192.168.10.10 R1(config-std-nacl)# deny any R1(config-std-nacl)# exit R1(config)# R1(config)# line vty 0 4 R1(config-line)# login local R1(config-line)# transport input telnet R1(config-line)# access-class ADMIN-HOST in R1(config-line)# end R1#
A named standard ACL called ADMIN-HOST is created and identifies PC1. Notice that the deny any has been configured to track the number of times access has been denied.
The vty lines are configured to use the local database for authentication, permit Telnet traffic, and use the ADMIN-HOST ACL to restrict traffic.
In a production environment, you would set the vty lines to only allow SSH, as shown in Example 5-20.
Example 5-20 Configuring VYT Lines for SSH Access Only
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
R1#
After an ACL to restrict access to the vty lines is configured, it is important to verify that it is working as expected. As shown in Figure 5-4, when PC1 Telnets to R1, the host is prompted for a username and password before the user on PC1 can successfully access the command prompt.
Figure 5-4 Remote Access from PC1
The R1> prompt verifies that PC1 can access R1 for administrative purposes.
Next, test the connection from PC2. As shown in Figure 5-5, when PC2 attempts to Telnet, the connection is refused.
To verify the ACL statistics, issue the show access-lists command. Notice the informational message displayed on the console regarding the admin user, as shown in Example 5-21. An informational console message is also generated when a user exits the vty line.
Figure 5-5 Remote Access Attempt from PC2
Example 5-21 Logging Message for Failed Login Attempt
R1# Oct 9 15:11:19.544: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.10] [localport: 23] at 15:11:19 UTC Wed Oct 9 2019 R1# R1# show access-lists Standard IP access list ADMIN-HOST 10 permit 192.168.10.10 (2 matches) 20 deny any (2 matches) R1#
The matches in the permit line of the output result from the successful Telnet connection by PC1. The matches in the deny statement are due to the failed attempt to create a Telnet connection by PC2, a device on the 192.168.11.0/24 network.
Syntax Checker—Secure the VTY Ports (5.3.4)
Refer to the online course to complete this activity.
Extended ACLs enable more control of the filter. In this section, you configure numbered and named extended IPv4 ACLs.
In the previous sections, you learned how to configure and modify standard ACLs and how to secure vty ports with a standard IPv4 ACL. Standard ACLs only filter on source address. When more precise traffic-filtering control is required, extended IPv4 ACLs can be created.
Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. They can filter on source address, destination address, protocol (that is, IP, TCP, UDP, ICMP), and port number. This provides a greater range of criteria on which to base the ACL. For example, one extended ACL can allow email traffic from a network to a specific destination while denying file transfers and web browsing.
Like standard ACLs, extended ACLs can be created as either numbered or named:
Numbered extended ACL: Created using the access-list access-list-number global configuration command.
Named extended ACL: Created using the ip access-list extended access-list-name.
The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.
To create a numbered extended ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]
Use the no ip access-list extended access-list-name global configuration command to remove an extended ACL.
Although there are many keywords and parameters for extended ACLs, it is not necessary to use all of them when configuring an extended ACL. Table 5-2 provides a detailed explanation of the syntax for an extended ACL.
Table 5-2 Syntax for Numbered Extended IPv4 ACLs
Parameter |
Description |
access-list-number |
|
deny |
|
permit |
|
remark text |
|
protocol |
|
source |
|
source-wildcard |
|
destination |
|
destination-wildcard |
|
operator |
|
port |
|
established |
|
log |
|
The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4 ACLs:
Router(config-if)# ip access-group access-list-name {in | out}
To remove an ACL from an interface, first enter the no ip access-group interface configuration command. To remove the ACL from the router, use the no access-list global configuration command.
Note
The internal logic applied to the ordering of standard ACL statements does not apply to extended ACLs. The order in which the statements are entered during configuration is the order in which they are displayed and processed.
Extended ACLs can filter on many different types of internet protocols and ports. The following sections provide more information about the internet protocols and ports on which extended ACLs can filter.
The four highlighted protocols in Example 5-22 are the most popular options.
Note
Use the ? to get help when entering a complex ACE.
Note
If an internet protocol is not listed, then the IP protocol number could be specified. For instance, the ICMP protocol number is 1, TCP is 6, and UDP is 17.
Example 5-22 Extended ACL Protocol Options
R1(config)# access-list 100 permit ? <0-255> An IP protocol number ahp Authentication Header Protocol dvmrp dvmrp eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling object-group Service object group ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol R1(config)# access-list 100 permit
Selecting a protocol influences the port options. For instance, if you select
tcp as the protocol, you get TCP-related ports options
udp as the protocol, you get UDP-specific ports options
icmp as the protocol, you get ICMP-related ports (that is, message) options
Notice how many TCP port options are available in Example 5-23. The highlighted ports are popular options.
Example 5-23 Extended ACL Port Keywords
R1(config)# access-list 100 permit tcp any any eq ? <0-65535> Port number bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514) daytime Daytime (13) discard Discard (9) domain Domain Name Service (53) echo Echo (7) exec Exec (rsh, 512) finger Finger (79) ftp File Transfer Protocol (21) ftp-data FTP data connections (20) gopher Gopher (70) hostname NIC hostname server (101) ident Ident Protocol (113) irc Internet Relay Chat (194) klogin Kerberos login (543) kshell Kerberos shell (544) login Login (rlogin, 513) lpd Printer service (515) msrpc MS Remote Procedure Call (135) nntp Network News Transport Protocol (119) onep-plain Onep Cleartext (15001) onep-tls Onep TLS (15002) pim-auto-rp PIM Auto-RP (496) pop2 Post Office Protocol v2 (109) pop3 Post Office Protocol v3 (110) smtp Simple Mail Transport Protocol (25) sunrpc Sun Remote Procedure Call (111) syslog Syslog (514) tacacs TAC Access Control System (49) talk Talk (517) telnet Telnet (23) time Time (37) uucp Unix-to-Unix Copy Program (540) whois Nicname (43) www World Wide Web (HTTP, 80) R1(config)#
Port names or numbers can be specified. However, keep in mind that port names make it easier to understand the purpose of an ACE.
Notice that some common ports names (for example, SSH and HTTPS) are not listed. For these protocols, port numbers have to be specified.
Extended ACLs can filter on different port number and port name options. Example 5-24 shows the configuration of an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. The two ACEs achieve exactly the same result.
Example 5-24 Configuring a Port with a Keyword or Port Number
R1(config)# access-list 100 permit tcp any any eq www !or... R1(config)# access-list 100 permit tcp any any eq 80
Configuring the port number is required when there is not a specific protocol name listed, such as SSH (port number 22) or HTTPS (port number 443), as shown in Example 5-25.
Example 5-25 Some Protocols That Must Be Configured Using a Port Number
R1(config)# access-list 100 permit tcp any any eq 22 R1(config)# access-list 100 permit tcp any any eq 443 R1(config)#
The topology in Figure 5-6 is used in this section to demonstrate how to configure and apply numbered and named extended IPv4 ACLs to an interface. The first example shows a numbered extended IPv4 ACL implementation.
Figure 5-6 Numbered and Named Extended ACL Reference Topology
In Example 5-26, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination. Extended ACLs can be applied in various locations. However, they are commonly applied close to the source. Therefore, in Example 5-26, ACL 110 is applied inbound on the R1 G0/0/0 interface.
Example 5-26 Configuring and Applying a Numbered Extended ACL
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443 R1(config)# R1(config)# interface g0/0/0 R1(config-if)# ip access-group 110 in R1(config-if)# exit R1(config)#
You can have TCP perform basic stateful firewall services by using the TCP established keyword. The keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network, as shown in Figure 5-7.
Figure 5-7 TCP Traffic Example
However, TCP traffic generated by an outside host and attempting to communicate with an inside host is denied.
The established keyword can be used to permit only the return HTTP traffic from requested websites and deny all other traffic.
In Figure 5-8, ACL 110, which was previously configured, filters traffic from the inside private network. ACL 120, using the established keyword, filters traffic coming into the inside private network from the outside public network.
Figure 5-8 Topology Design for Inbound and Outbound Extended ACLs for Established TCP Sessions
In Example 5-27, ACL 120 is configured to only permit returning web traffic to the inside hosts. The new ACL is then applied outbound on the R1 G0/0/0 interface.
Example 5-27 Configuring an ACL to Check for a TCP-Established Session
R1(config)# access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established R1(config)# R1(config)# interface g0/0/0 R1(config-if)# ip access-group 120 out R1(config-if)# end R1# R1# show access-lists Extended IP access list 110 10 permit tcp 192.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (657 matches) Extended IP access list 120 10 permit tcp any 192.168.10.0 0.0.0.255 established (1166 matches) R1#
The show access-lists command displays both ACLs. Notice from the match statistics in Example 5-27 that inside hosts have been accessing the secure web resources from the internet. Also notice that the permit secure HTTPS counter (that is, eq 443) in ACL 110 and the return established counter in ACL 120 have increased.
The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network. Specifically, a match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set. This indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server but would not receive traffic returning from the web server.
Naming an ACL makes it easier to understand its function. To create a named extended ACL, use the following global configuration command:
Router(config)# ip access-list extended access-list-name
This command enters the named extended configuration mode. Recall that ACL names are alphanumeric and case sensitive, and they must be unique.
In Example 5-28, a named extended ACL called NO-FTP-ACCESS is created, and the prompt changes to named extended ACL configuration mode. ACE statements are entered in the named extended ACL subconfiguration mode
Example 5-28 Applying a Named Extended ACL
R1(config)# ip access-list extended NO-FTP-ACCESS R1(config-ext-nacl)#
Named extended ACLs are created in essentially the same way that named standard ACLs are created.
The topology in Figure 5-9 is used to demonstrate configuring and applying two named extended IPv4 ACLs to an interface:
SURFING: This ACL will permit inside HTTP and HTTPS traffic to exit to the internet.
BROWSING: This ACL will only permit returning web traffic to the inside hosts while implicitly denying all other traffic exiting the R1 G0/0/0 interface.
Figure 5-9 Topology Design for Named Extended ACLs
Example 5-29 shows the configuration for the inbound SURFING ACL and the outbound BROWSING ACL.
Example 5-29 Configuring Inbound and Outbound Named Extended ACLs
R1(config)# ip access-list extended SURFING R1(config-ext-nacl)# Remark Permits inside HTTP and HTTPS traffic R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80 R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443 R1(config-ext-nacl)# exit R1(config)# R1(config)# ip access-list extended BROWSING R1(config-ext-nacl)# Remark Only permit returning HTTP and HTTPS traffic R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established R1(config-ext-nacl)# exit R1(config)# R1(config)# interface g0/0/0 R1(config-if)# ip access-group SURFING in R1(config-if)# ip access-group BROWSING out R1(config-if)# end R1# R1# show access-lists Extended IP access list SURFING 10 permit tcp 192.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (124 matches) Extended IP access list BROWSING 10 permit tcp any 192.168.10.0 0.0.0.255 established (369 matches) R1#
The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1 interface connected to the internet. Web traffic returning from the internet is permitted back into the inside private network by the BROWSING ACL.
The SURFING ACL is applied inbound, and the BROWSING ACL is applied outbound on the R1 G0/0/0 interface, as shown in the output.
Inside hosts have been accessing the secure web resources from the internet. The show access-lists command is used to verify the ACL statistics. Notice that the permit secure HTTPS counter (that is, eq 443) in the SURFING ACL and the return established counter in the BROWSING ACL have increased.
Like standard ACLs, an extended ACL can be edited using a text editor when many changes are required. Otherwise, if the edit applies to one or two ACEs, sequence numbers can be used.
In Example 5-30, say that you have just entered the SURFING and BROWSING ACLs and wish to verify their configuration by using the show access-lists command.
Example 5-30 Verifying the Extended ACL Configuration
R1# show access-lists Extended IP access list BROWSING 10 permit tcp any 192.168.10.0 0.0.0.255 established Extended IP access list SURFING 10 permit tcp 19.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 R1#
You notice that the ACE sequence number 10 in the SURFING ACL has an incorrect source IP network address.
To correct this error using sequence numbers, the original statement is removed with the no sequence_# command, and the corrected statement is added in place of the original statement, as shown in Example 5-31.
Example 5-31 Using a Sequence Number to Delete and Add an ACE to an Extended ACL
R1# configure terminal R1(config)# ip access-list extended SURFING R1(config-ext-nacl)# no 10 R1(config-ext-nacl)# 10 permit tcp 192.168.10.0 0.0.0.255 any eq www R1(config-ext-nacl)# end R1#
The output of the show access-lists command in Example 5-32 verifies the configuration change.
Example 5-32 Verifying the Edited ACL
R1# show access-lists Extended IP access list BROWSING 10 permit tcp any 192.168.10.0 0.0.0.255 established Extended IP access list SURFING 10 permit tcp 192.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 R1#
Figure 5-10 shows another scenario for implementing a named extended IPv4 ACL. Assume that PC1 in the inside private network is permitted FTP, SSH, Telnet, DNS, HTTP, and HTTPS traffic. However, all other users in the inside private network should be denied access.
Two named extended ACLs are created in this example:
PERMIT-PC1: This ACL permits only PC1 TCP access to the internet and denies all other hosts in the private network.
REPLY-PC1: This ACL permits only specified returning TCP traffic to PC1 and implicitly denies all other traffic.
Figure 5-10 Topology Design for Another Named Extended ACL
Example 5-33 shows the configuration for the inbound PERMIT-PC1 ACL and the outbound REPLY-PC1 ACL.
The PERMIT-PC1 ACL permits PC1 (that is, 192.168.10.10) TCP access to FTP (that is, ports 20 and 21), SSH (22), Telnet (23), DNS (53), HTTP (80), and HTTPS (443) traffic.
The REPLY-PC1 ACL permits return traffic to PC1.
There are many factors to consider when applying an ACL, including
The device to apply it on
The interface to apply it on
The direction to apply it
Careful consideration must be taken to avoid undesired filtering results. In this example, the PERMIT-PC1 ACL is applied inbound, and the REPLY-PC1 ACL is applied outbound on the R1 G0/0/0 interface.
Example 5-33 Configuring and Applying ACLs to Permit PC1 Based on the Policy
R1(config)# ip access-list extended PERMIT-PC1 R1(config-ext-nacl)# Remark Permit PC1 TCP access to internet R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 20 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 21 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 22 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 23 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 53 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 80 R1(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 443 R1(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any R1(config-ext-nacl)# exit R1(config)# R1(config)# ip access-list extended REPLY-PC1 R1(config-ext-nacl)# Remark Only permit returning traffic to PC1 R1(config-ext-nacl)# permit tcp any host 192.168.10.10 established R1(config-ext-nacl)# exit R1(config)# R1(config)# interface g0/0/0 R1(config-if)# ip access-group PERMIT-PC1 in R1(config-if)# ip access-group REPLY-PC1 out R1(config-if)# end R1#
After an ACL has been configured and applied to an interface, use Cisco IOS show commands to verify the configuration.
The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied, as shown in Example 5-34. The command generates quite a bit of output but notice how the capitalized ACL names stand out in the output. To reduce the command output, use filtering techniques, as shown in the second command in this example.
Example 5-34 The show ip interface Command
R1# show ip interface g0/0/0 GigabitEthernet0/0/0 is up, line protocol is up (connected) Internet address is 192.168.10.1/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is REPLY-PC1 Inbound access list is PERMIT-PC1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is disabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP Fast switching turbo vector IP multicast fast switching is disabled IP multicast distributed fast switching is disabled Router Discovery is disabled R1# R1# show ip interface g0/0/0 | include access list Outgoing access list is REPLY-PC1 Inbound access list is PERMIT-PC1 R1#
The show access-lists command can be used to confirm that the ACLs work as expected. This command displays statistic counters that increase whenever an ACE is matched.
Note
Traffic must be generated to verify the operation of the ACL.
In Example 5-35, the Cisco IOS command is used to display the contents of all ACLs. Notice that IOS is displaying the keyword even though port numbers were configured. Also notice that extended ACLs do not implement the same internal logic and hashing function as standard ACLs. The output and sequence numbers displayed in the show access-lists command output reflect the order in which the statements were entered. Host entries are not automatically listed prior to range entries.
Example 5-35 The show access-lists Command
R1# show access-lists Extended IP access list PERMIT-PC1 10 permit tcp host 192.168.10.10 any eq 20 20 permit tcp host 192.168.10.10 any eq ftp 30 permit tcp host 192.168.10.10 any eq 22 40 permit tcp host 192.168.10.10 any eq telnet 50 permit tcp host 192.168.10.10 any eq domain 60 permit tcp host 192.168.10.10 any eq www 70 permit tcp host 192.168.10.10 any eq 443 80 deny ip 192.168.10.0 0.0.0.255 any Extended IP access list REPLY-PC1 10 permit tcp any host 192.168.10.10 established R1#
The show running-config command can be used to validate a configuration. The command also displays configured remarks. The command can be filtered to display only pertinent information, as shown in Example 5-36.
Example 5-36 The show running-config Command Filtered for ACL Configuration
R1# show running-config | begin ip access-list ip access-list extended PERMIT-PC1 remark Permit PC1 TCP access to internet permit tcp host 192.168.10.10 any eq 20 permit tcp host 192.168.10.10 any eq ftp permit tcp host 192.168.10.10 any eq 22 permit tcp host 192.168.10.10 any eq telnet permit tcp host 192.168.10.10 any eq domain permit tcp host 192.168.10.10 any eq www permit tcp host 192.168.10.10 any eq 443 deny ip 192.168.10.0 0.0.0.255 any ip access-list extended REPLY-PC1 remark Only permit returning traffic to PC1 permit tcp any host 192.168.10.10 established ! (Output omitted) R1#
Packet Tracer—Configure Extended IPv4 ACLs—Scenario 1 (5.4.12)
In this Packet Tracer activity, you will complete the following objectives:
Part 1: Configure, apply, and verify an extended numbered IPv4 ACL
Part 2: Configure, apply, and verify an extended named IPv4 ACL
Packet Tracer—Configure Extended IPv4 ACLs—Scenario 2 (5.4.13)
In this Packet Tracer activity, you will complete the following objectives:
Part 1: Configure a named extended IPv4 ACL
Part 2: Apply and verify the extended IPv4 ACL
The following is a summary of the sections in this chapter.
All access control lists (ACLs) must be planned, especially for ACLs requiring multiple access control entries (ACEs). When configuring a complex ACL, it is suggested that you use a text editor and write out the specifics of the policy to be implemented, add the IOS configuration commands to accomplish those tasks, include remarks to document the ACL, copy and paste the commands on a lab device, and always thoroughly test an ACL to ensure that it correctly applies the desired policy. To create a numbered standard ACL, use the ip access-list standard access-list-name global configuration command. Use the no access-list access-list-number global configuration command to remove a numbered standard ACL. Use the show ip interface command to verify whether an interface has an ACL applied to it. In addition to standard numbered ACLs, there are named standard ACLs. ACL names are alphanumeric and case sensitive, and they must be unique. Capitalizing ACL names is not required but makes them stand out in the running configuration output. To create a named standard ACL, use the ip access-list standard access-list-name global configuration command. Use the no ip access-list standard access-list-name global configuration command to remove a named standard IPv4 ACL. After a standard IPv4 ACL is configured, it must be linked to an interface or feature. To bind a numbered or named standard IPv4 ACL to an interface, use the ip access-group {access-list-number | access-list-name} { in | out } global configuration command. To remove an ACL from an interface, first enter the no ip access-group interface configuration command. To remove the ACL from the router, use the no access-list global configuration command.
To modify an ACL, use a text editor or use sequence numbers. ACLs with multiple ACEs should be created in a text editor. Using a text editor allows you to plan the required ACEs, create the ACL, and then paste it into the router interface. An ACL ACE can also be deleted or added using the ACL sequence number. A sequence number is automatically assigned when an ACE is entered. These numbers are listed in the output of the show access-lists command. The show running-config command output does not display sequence numbers. Named ACLs can also use sequence numbers to delete and add ACEs. The show access-lists command shows statistics for each statement that has been matched. The clear access-list counters command clears the ACL statistics.
ACLs typically filter incoming or outgoing traffic on an interface. However, a standard ACL can also be used to secure remote administrative access to a device using the vty lines. The two steps to secure remote administrative access to the vty lines are to create an ACL to identify which administrative hosts should be allowed remote access and to apply the ACL to incoming traffic on the vty lines. The in keyword is the most commonly used option to filter incoming vty traffic. The out parameter filters outgoing vty traffic and is rarely applied. Both named and numbered access lists can be applied to vty lines. Identical restrictions should be set on all the vty lines because a user can attempt to connect to any of them. After the ACL to restrict access to the vty lines is configured, it is important to verify that it is working as expected. Use the show ip interface command to verify whether an interface has an ACL applied to it. To verify ACL statistics, issue the show access-lists command.
Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. They can filter on source address, destination address, protocol (that is, IP, TCP, UDP, ICMP), and port number. This provides a greater range of criteria on which to base the ACL. Like standard ACLs, extended ACLs can be created as numbered extended ACLs and named extended ACLs. Numbered extended ACLs are created using the same global configuration commands that are used for standard ACLs. The procedural steps for configuring extended ACLs are the same as for standard ACLs. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs. To create a numbered extended ACL, use the Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log] global configuration command. Extended ACLs can filter on many different types of internet protocols and ports. Selecting a protocol influences port options. For instance, selecting tcp would provide TCP-related ports options. Configuring the port number is required when there is not a specific protocol name listed, such as SSH (port number 22) or HTTPS (port number 443). TCP can also perform basic stateful firewall services with the TCP established keyword, which enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network. After an ACL has been configured and applied to an interface, use Cisco IOS show commands to verify the configuration. The show ip interface command is used to verify the ACL on the interface and the direction in which it is applied.
Packet Tracer—IPv4 ACL Implementation Challenge (5.5.1)
In this Packet Tracer challenge, you will configure extended, standard named, and extended named IPv4 ACLs to meet specified communication requirements.
Lab—Configure and Verify Extended IPv4 ACLs (5.5.2)
In this lab, you will complete the following objectives:
Part 1: Build the network and configure basic device settings
Part 2: Configure and verify extended IPv4 ACLs
The following activities provide practice with the topics introduced in this chapter. The lab is available in the companion Enterprise Networking, Security, and Automation Labs & Study Guide (CCNAv7) (ISBN 9780136634690). The Packet Tracer activity instructions are also in the Labs & Study Guide. The PKA files are found in the online course.
Lab
Lab 5.5.2: Configure and Verify Extended IPv4 ACLs
Packet Tracer Activities
Packet Tracer 5.1.8: Configure Numbered Standard IPv4 ACLs
Packet Tracer 5.1.9: Configure Named Standard IPv4 ACLs
Packet Tracer 5.2.7: Configure and Modify Standard IPv4 ACLs
Packet Tracer 5.4.12: Configure Extended IPv4 ACLs—Scenario 1
Packet Tracer 5.4.13: Configure Extended IPv4 ACLs—Scenario 2
Packet Tracer 5.5.1: IPv4 ACL Implementation Challenge
Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. The appendix “Answers to the ‘Check Your Understanding’ Questions” lists the answers.
1. What packets match access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22?
Any TCP traffic from any host to the 172.16.0.0 network
Any TCP traffic from the 172.16.0.0 network to any destination network
SSH traffic from any source network to the 172.16.0.0 network
SSH traffic from the 172.16.0.0 network to any destination network
2. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
all
any
gt
host
most
some
3. Which two packet filters could a network administrator use on an IPv4 extended ACL? (Choose two.)
Computer type
Destination MAC address
Destination UDP port number
ICMP message type
Source TCP hello address
4. In the second ACE shown in the following example, port 400 was incorrectly specified instead of port 443. What is the best way to correct this error?
R1# show access-lists Extended IP access list SURFING 10 permit tcp 192.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 400 R1#
Copy the ACL into a text editor, correct the ACE, and recopy the ACE to the router.
Create a new named ACL and apply it to the router interface.
Enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
Enter the no 20 keyword, and then enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
Remove the entire ACL and then re-create it with the correct ACE.
5. A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 10.1.1.10 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)
R1(config)# access-list 10 permit host 10.1.1.10
R1(config)# access-list 10 permit 10.1.1.10 255.255.255.0
R1(config)# access-list 10 permit 10.1.1.10 255.255.255.255
R1(config)# access-list 10 permit 10.1.1.10 0.0.0.0
R1(config)# access-list 10 permit 10.1.1.10 0.0.0.255
6. A network administrator is writing a standard ACL to deny any traffic from the 10.10.0.0/16 network but permit all other traffic. Which two commands should be used? (Choose two.)
R1(config)# access-list 55 deny any
R1(config)# access-list 55 permit any
R1(config)# access-list 55 host 10.10.0.0
R1(config)# access-list 55 deny 10.10.0.0 0.0.255.255
R1(config)# access-list 55 deny 10.10.0.0 255.255.0.0
R1(config)# access-list 55 10.10.0.0 255.255.255.255
7. In the following example, you forgot to enter an ACE to deny the user at IP address 192.168.10.10. Which command would correctly enter the ACE to filter this address?
R1# show access-lists Extended IP access list PERMIT-NET 10 permit ip 192.168.10.0 0.0.0.255 any 20 permit ip 192.168.11.0 0.0.0.255 any R1#
deny ip host 192.168.10.10
5 deny ip host 192.168.10.10
15 deny ip host 192.168.10.10
25 deny ip host 192.168.10.10
8. You create a standard ACL called PERMIT-VTY to permit only an administrative host vty access to the router. Which line configuration command would correctly apply this ACL to the vty lines?
access-class PERMIT-VTY in
access-class PERMIT-VTY out
ip access-group PERMIT-VTY in
ip access-group PERMIT-VTY out
9. What effect does the permit tcp 10.10.100 0.0.0.255 any eq www extended named ACE have when implemented inbound on a G0/0 interface?
All TCP traffic is permitted, and all other traffic is denied.
All traffic from 10.10.100/24 is permitted anywhere on any port.
The command is rejected by the router because it is incomplete.
Traffic originating from 10.10.100/24 is permitted to all TCP port 80 destinations.
10. What does the CLI prompt change to after you enter the command ip access-list extended AAA-FILTER in global configuration mode?
R1(config-ext-nacl)#
R1(config-if)#
R1(config-line)#
R1(config-router)#
R1(config-std-nacl)#
3.136.18.65