This tutorial is the last part of our article Cisco IP ACL Configuration Guide. You can read other parts of this article here:-

Transcription

1 In this tutorial I will explain how to create Extended Access List, how to enable extended ACL in interface, how to edit extended ACL, how to delete extended ACL, how to update extended ACL and how to verify extended ACL implementation with show command in detail with examples. This tutorial is the last part of our article Cisco IP ACL Configuration Guide. You can read other parts of this article here:- This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs such as what is ACL and how it works including ACLs direction and locations. This tutorial is the second part of this article. In this part I explained Standard Access Control List configuration commands and its parameters in detail with examples. This tutorial is the third part of this article. In this part I provided a step by step configuration guide for Standard Access Control List. This tutorial is the fourth part of this article. In this part I explained Extended Access Control List configuration commands and its parameters in detail with examples. For demonstration purpose I will use packet tracer network simulator software. You can use it or can use any other network simulator software such as Boson, NetSim, GNS etc. Create a topology as illustrate in following figure.

2 For detail information about this topology please see the third part of this article. This is same network topology which I used to explain Standard ACL. For this article I assume that you have above network topology in your network simulator software with following essential configurations:- IP address is assigned on all end devices. IP addresses are configured on all used interfaces (in both routers). RIPv2 (or any other routing protocol) is configured In this network, at this moment all sections are connected with each other s. Users are able to access all resources from other sections as well as their own. You are hired to secure this network. If you are following this tutorial in packet tracer, you can download my practice topology with above essential configuration from our server. This network has following security requirements. Company has three servers. Assign one server for each section; Server0 for development section, Server1 for production section and Server2 for management section. Sections should be able to access only their own server. They are not allowed to access each other s server. Development section should be able to access production section. It should not be able to access management section. Production section should be able to access development section. It should not be able to access management section. Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server. One user (PC0) from development section should not be able to access anything except its own section. One user (PC2) is allowed to access only web server from server. One user (PC3) from production section should also be able to access management section. One user (laptop0) from management section should be able to access only Server section not the development section and production section. He is allowed to access only ftp and web service from server. ACL Locations For above requirements we need to secure three locations. For each location we need a separate ACL.

3 As you know we can create an extended ACL in three ways:- 1. Classic Numbered 2. Modern Numbered 3. Modern Named To get a better overview of these methods we will use all of them in our example. ACL Number / Name ACL Type ACL Direction Applied Interface 110 Classic Numbered Inbound R1 s Fa0/0 120 Modern Numbered Inbound R1 s Fa0/1 SecureManage Modern Numbered Inbound R2 s Fa0/0 Understanding ACL Location and requirements Unlike standard ACL where we are limited with source address, in extended ACL we have a lot more options to match the packet. Due to these options we should always place an extended ACL near to the source address. This way an unwanted packet will be filtered as soon as it enters in the network. As I explained in third part of this article, we should always create ACL conditions in paper before router. This way we can edit/update/reorder/delete ACL conditions without messing a live network. Once satisfied we can migrate them in router easily. ACL-110

4 This will be our first ACL. We will create this ACL in router R1 and enable it in interface Fa0/0. It will filter traffic in inward direction. This ACL will be used to fulfill following requirements:- Development section should be able to access production section. It should not be able to access management section. For this requirement we need two statements; one permit statement for production section and another deny statement for management section. permit ip deny ip Our statement starts with action (permit or deny). When a match found, what action should router take? It is defined by this keyword. With permit keyword we tell router that if match found, let the packet go. With deny keyword we tell router that when a match found, discard the packet immediately. After action we need to specify the level of filtering. Extended ACL allows us to filter a packet based on its address or application. In this requirement we are asked to filter all packets regardless what applications data they are carrying. For this requirement we have to use IP keyword. With IP keyword we are tells router that matches all IP packets no matter which IP applications is sending /receiving data. Later we need to provide source address and destination address with wildcard mask. To match a network range, we need to use network ID. In this requirement we are filtering traffic that is originated form development section (Network ID ) and going to production section (Network ID ) and management section (Network ID ). Along with network ID we need to provide wildcard mask. Wildcard mask controls the range of addresses which will be matched. Wildcard mask are explained in detail with example in second part of this article. Sections should be able to access only their own server. They are not allowed to access each other s server. We need two conditions for this requirement. First permit condition which allows development section to access its own server. Second deny condition which blocks it from accessing other servers from server section. permit ip host deny ip Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server. For this requirement we need to create a deny statement.

5 deny icmp host echo In this statement:- deny keyword specifies the action. icmp keyword tells router that we want to match a packet based on ICMP protocol is the network ID of development section (Source) is the wildcard mask of source address. host keyword tells router that we want to match a single host is the IP address of server (Destination). echo keyword is used to specify the type of message (ping) which we want match. One user (PC0) from development section should not be able to access anything except its own section. For this requirement we need following deny statement. deny ip host any In this statement deny is the action which say drop the packet that match with this criteria. ip is the base line for filter which say match all IP traffics regardless which IP application it carry host keyword is used to match a single host is the source IP address. any keyword is used to match all addresses. It says match all packets. We can also use wildcard mask instead of host and any keywords. For host keyword wildcard mask is used. For any keyword address and wildcard mask is used. With this approach above condition would be deny ip Both methods work exactly same. It s only a matter of choice which method you prefer. Okay let s have a quick look on our requirements and statement once again Development section ( ) should be able to access production section ( ). It ( ) should not be able to access management section ( ).

6 Development section ( ) should be able to access only its own server ( ). Development section ( ) is not allowed to access any other sever from server section ( ). Users from development section ( ) are not allowed to ping their server ( ). One user ( ) from development section should not be able to access anything except its own section. permit ip deny ip permit ip host deny ip deny icmp host echo deny ip host any Can we create statements in above order? Technically yes, router will accept statements in any order. It does not have a brain to understand our requirements. It will do what we will say it to do. So it s our responsibility to give it order in correct sequence. As we know ACL statements are matched from top to down without skipping any condition. Once a match is found, next condition will never be checked for that packet. If we create statements in above order, last two statements will never match any packet. Statement fifth says drop an icmp packet if it is originated from /25 network and going for host. While statement three says allow all IP packets if they are originated from network /25 and going for host Just like this, statement six says deny a packet if it is coming from host while statement one says allow packets if they are coming from /25 and going for /192. Thus statement fifth is overruled by statement three, while statement six is override by statement one. For more detail about how ACLs are processed please see the first part of this article which explains this process in detail with example. Okay let s arrange conditions in correct order deny ip host any permit ip deny ip deny icmp host echo permit ip host

7 deny ip ACL-120 ACL-20 will filter incoming traffic from production department in R1 s Fa0/1. Production department has following requirements:- Sections should be able to access only their own server. They are not allowed to access each other s server. For this requirement we need two statements. First statement will allow production department to access its server Server1. Second statement will block production section from accessing other resources from server section. permit ip host deny ip Production section should be able to access development section. It should not be able to access management section. This requirement needs two conditions. First condition allows production section to access development section. Second condition blocks production section to access management section. permit ip deny ip One user (PC2) is allowed to access only web server from server. For this requirement we need two statements. First statement allows host to access web server from Server. Second condition blocks this host from accessing anything from Sever. permit tcp host host eq 80 deny ip host host eq is the operator which stands for equal. 80 is the port number of web server. We can also use keyword www here instead of port number. Collectively eq 80 says match a packet which is going for web server. If you are asked to match secure web server, use port number 443. For more detail about port number and operator please check previous part of this article. One user (PC3) from production section should also be able to access management section. We need one permit condition for this requirement.

8 permit ip host Okay let s arrange above conditions in proper order. permit ip permit ip host deny ip permit tcp host host eq 80 deny ip host host permit ip host deny ip ACL-SecureManagement This ACL will filter incoming traffic from management section in router R2 s Fa0/0. Management section has following requirements Sections should be able to access only their own server. They are not allowed to access each other s server. permit ip host deny ip One user (laptop0) from management section should be able to access only Server section not the development section and production section. He is allowed to access only tftp and telnet service from server. For this requirement we need three statements. First statement allows user to access ftp service from server. Second statement allows user to access web service. Last statement blocks it from accessing server. permit tcp host host eq 21 permit udp host host eq 80 deny ip host host We need to add one more permit statement in this ACL for following requirement One user (PC3) from production section should also be able to access management section. permit ip host We have already allowed this user in ACL-20 then why we need above permit statement for this user in this ACL. Any guesses..

9 To understand this statement we need to have a quick look on how data flows:- PC3 ( ) generates a packet with destination Laptop1 ( ). PC3 sends this packet to router R1. R1 receives this packet in interface FastEthernet 0/1. Interface FastEthernet 0/1 has an inbound ACL (Numbered ACL -120) in FastEthernet 0/1. ACL-120 will compare this packet and let it in as it has an allow statement for this situation. R1 will forward this packet from its Serial 0/0/0. R2 will receive this packet in its Serial 0/0/0. R2 will forward this packet from Fa0/0. This packet will be received by Laptop1 ( ). Laptop1 ( source ) will respond to PC3 (destination ). R2 will receive return packet in FastEthernet 0/0. This interface has an inbound ACL (Named ACL-SecureManagement). This ACL has not statement for this packet. Every ACL has a default implicit deny statement in its end. This statement uses any (source) any (destination) keyword in matching criteria which means it does not care from where packet is coming and where it is going. It will match every packet that is compared with it. If packet does not match with any condition in ACL then it will be matched with implicit deny statement. Since there is no defined condition for our packet, it will matched with default implicit deny statement. Our packet will be dropped as soon as it meets with implicit deny statement. This way source PC will never receive a response from destination PC. To allow return traffic from management section we need a permit statement for PC3.

10 Here I have question for you How ACLs are processed and what is implicit deny? If you know the answer, great keep going. If you don t know the answer, I would suggest you to take a pause here and go through the first part of this article. First part of this article covers essential features of ACL in detail such as Implicit deny, ACL types, how ACL statements are processed and data flow directions. Oaky lets arrange statements in proper order for ACL-SecureManagement permit tcp host host eq 21 permit udp host host eq 80 deny ip host host permit ip host deny ip permit ip host That s all paper work we need to do before creating real ACLs. Well you may be a little bit annoyed with all above preparation. But believe me friends; it will save a lot of time and effort in Cisco exams and as well as in job life. Create Extended ACL An extended ACL can be created in two ways:- 1. Classic numbered method 2. Modern numbered or named method Classic numbered method uses following global configuration mode command Router(config)# access-list ACL_Identifier_number permit deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log] Modern numbered or named method uses following global configuration mode commands Router(config)# ip access-list extended ACL_name_number Router(config-ext-acl)# permit deny IP_protocol source_ip_address wildcard_mask [protocol_information] destination_ip_address wildcard_mask [protocol_information] [log] I have already explained above commands and parameters in detail with examples in previous part of this article. For this part I assume that you are familiar with above commands. In our example we will create two ACLs (110 and 120) in Router1 and one ACL (SecureManagement) in Router2.

11 Okay let s create them one by one ACL-110 (Configuration style - Classical Numbered) Access CLI prompt of Router1 and enter in global configuration mode Enter following commands Router(config)#access-list 110 deny ip host any Router(config)#access-list 110 permit ip Router(config)#access-list 110 deny ip Router(config)#access-list 110 deny icmp host echo Router(config)#access-list 110 permit ip host Router(config)#access-list 110 deny ip Great job, we have just created our first ACL with classic numbered method. Now let s create our second ACL, but this time use modern numbered method. ACL-120 (Configuration style Modern Numbered) Router(config)#ip access-list extended 120 Router(config-ext-acl)# permit ip Router(config-ext-acl)# permit ip host Router(config-ext-acl)# deny ip Router(config-ext-acl)# permit tcp host host eq 80 Router(config-ext-acl)# deny ip host host Router(config-ext-acl)# permit ip host Router(config-ext-acl)# deny ip Router(config-ext-acl)#exit Router(config)#

12 Good going, we have finished our ACL creation task or router R1. Now access the global configuration mode of router R2 and enter following commands to create ACL- SecureManagement ACL- SecureManagement (Configuration style Modern Named) Router(config)#ip access-list extended SecureManagement Router(config-ext-acl)#permit tcp host host eq 21 Router(config-ext-acl)#permit tcp host host eq 80 Router(config-ext-acl)#deny ip host host Router(config-ext-acl)#permit ip host Router(config-ext-acl)#deny ip Router(config-ext-acl)#permit ip host Router(config-ext-acl)#exit Router(config)# Assign Extended ACLs in interfaces No matter how we have created ACLs, assigning them in interfaces are the same steps process:- Router(config)# interface type [slot_#] port_# Router(config-if)# ip access-group ACL_# in out Commands and parameters are explained in previous part of this article. In this part we will use these commands in assigning the ACLs. Let s assign our ACLs in their respective interfaces ACL-110 (R1 s Fa0/0 interface, Inbound direction) Router(config)#interface fastethernet 0/0 Router(config-if)#ip access-group 110 in Router(config-if)#exit Router(config)# ACL-120 ( R1 s Fa0/1, Inbound direction) Router(config)#interface fastethernet 0/1 Router(config-if)#ip access-group 120 in Router(config-if)#exit

13 Router(config)# ACL-SecureManagement (R2 s Fa0/0 interface, Inbound direction) Router(config)#interface Fa0/0 Router(config-if)#ip access-group SecureManagement in Router(config-if)#exit Router(config)# Testing Standard ACLs Packet Tracer includes several tools to verify our implementation such as ping command that can be used to test the connectivity. We can use FTP and Web Browser to test applications level filter. Let s test implementation from PC0. As per permission PC0 is allowed to access only its section. It is not allowed to access anything from outside.

14 Let s do one more testing form PC2. As per permission PC2 is allowed to access development section and only web service from server. Now it s your turn to test remaining conditions. If you have followed all above steps then requirements should be fulfilled. If you are missing any requirement or not getting result as expected, use my practice topology for cross check. You can download my practice topology from our server. Verifying Extended Access List configuration Once created and activated ACLs, we can verify them with following privilege exec mode commands. To show which ACLs are activated on which interfaces in which direction, we can use show ip interface command

15 From output we can see that ACL-110 is applied in inbound direction on FastEthernet0/0. By default above command will list all interfaces. To view a single interface, we need to specify it in above command as command line option. For example, to view only serial interface use show ip interface FastEthernet 0/1 command. To view the conditions in ACL, we have two commands Router# show access-lists ACL_Number_or_Name (Optional, used to see the specific ACL)

16 Router# show ip access-list ACL_Number_or_Name (Optional, used to see the specific ACL) Have you notice any difference between outputs? Second command provides more detailed information about modern style ACLs. It lists the sequence number of each condition in ACL. Sequence numbers are used to edit or delete any condition from ACL. Sequence numbers are available only when you create ACL from modern style. Router keeps track of every match on every condition. To reset this counter, use clear command. We can also view all running configuration including ACLs from show running-config command.

17 Editing / Updating Extended ACLs We can edit or update an extended ACL only if it is created from modern configuration style. If it is created from classic configuration style then we cannot edit or update it, we can only append it. How will I know which ACL is created from which style? ACLs created from modern way have sequence numbers. We can use show ip access-list command to know whether a specific ACL is created from classic style or modern style. If output of this command show sequence numbers in front of conditions then that ACL is created from modern style. For example following figure illustrates the output of show ip access-list command from router R2. As we can see in output, ACL-SecureManagement has sequence numbers. So it is created from modern named style. Now suppose we want to allow host full permission on Server Okay let s update this ACL step by step.

18 Verify current status Router#show ip access-list SecureManagement Extended IP access list SecureManagement 10 permit tcp host host eq ftp 20 permit tcp host host eq www 30 deny ip host host permit ip host deny ip permit ip any host Currently host is allowed to access only FTP and Web Service from server. In order to grant it full permission we need to remove three statements 10, 20 and 30. As host belong to network which has full permission on server (statement 40), once deny statement is removed, host will get full permission automatically. Remove old permission Router(config)#ip access-list extended SecureManagement Router(config-ext-nacl)#no 10 Router(config-ext-nacl)#no 20 Router(config-ext-nacl)#no 30 Router(config-ext-nacl)#exit Router(config)#exit Router# Confirm removal Router#show ip access-list SecureManagement Extended IP access list SecureManagement 40 permit ip host deny ip permit ip any host Router# Insert new condition in extended ACL Now suppose we want to allow host to access only TFTP service from server. Currently this host has full permission on Server (See above output). For this requirement we need to allow TFTP service first and deny all services before full permission for network statement. Router(config)#ip access-list extended SecureManagement Router(config-ext-nacl)#10 permit udp host host eq 69 Router(config-ext-nacl)#20 deny ip host host

19 Router(config-ext-nacl)#exit Router(config)#exit Router# Verify update Router#show ip access-lists SecureManagement Extended IP access list SecureManagement 10 permit udp host host eq deny ip host host permit ip host deny ip permit ip any host Router# How to delete a Standard ACL We have two commands to delete an extended ACL. Router(config)#no access-list [ACL_Number] Router(config)#no ip access-list extended [ACL_Number_or_Name] First command is used to delete numbered ACL while second command is used to delete both numbered and named ACLs. Let s have an example of both commands. Delete both ACLs from router R1. Router(config)#no access-list 110 Router(config)#no ip access-list standard SecureManagement For more articles please visit our site ComputerNetworkingNotes.com