Showing posts with label access list. Show all posts

Thursday, 31 July 2025

Extended ACLs

An Extended Access Control List (ACL) allows you to filter traffic based on source IP, destination IP, protocol type (TCP, UDP, ICMP) and source/destination port numbers.

+ Numbered Extended ACL ranges - 100–199 and 2000–2699


+ We can also use named ACLs


+ Placed close to the source - Since extended ACLs can filter on source IP, destination IP, protocol and port number, placing them near the source drops unwanted traffic before it crosses the network and gives precise control over who can access what and how.




Let's block port 80 (HTTP) of server 20.1.1.1 for laptop 10.1.1.100


Source IP - 10.1.1.100

Destination IP - 20.1.1.1

Destination port number - 80



Step 1 - Create the Extended ACL


access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq 80

access-list 100 permit ip any any


Router#show ip access-lists

Extended IP access list 100

10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www

20 permit ip any any


Step 2 - Apply the Extended ACL 


We need to apply it close to the source, which means on the laptop-facing interface in the inbound (in) direction.


interface GigabitEthernet0/0/0

ip access-group 100 in



Let's try to access port 80 and port 443 of server 20.1.1.100 from the laptop.




Port 80 is not accessible 

Port 443 is accessible 


Now check the hit counters on the ACL entries.

Router#show ip access-lists

Extended IP access list 100

10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www (36 match(es))

20 permit ip any any


============================================


Complete Router configuration -


Router#show run

Building configuration...


Current configuration : 854 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0/0

ip address 10.1.1.1 255.255.255.0

ip access-group 100 in

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 20.1.1.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/2

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www

access-list 100 permit ip any any

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end


Happy Learning !!


Network Engineer Stuff



Standard ACL

A Standard Access Control List (ACL) is a type of ACL used on Cisco devices to filter network traffic based only on the source IP address.


> Matches only the source IP (SIP) and cannot filter by destination IP (DIP), ports or protocols.


> Uses numbered ACLs (1-99 and 1300-1999) or named ACLs.


> Applied as close to the destination as possible, because it matches on source only and placed near the source it would block that source's traffic to every destination.




Configuration on Router 


Step 1 - Configure the Standard ACL


access-list 10 deny host 10.1.1.100

access-list 10 permit any


Router#show ip access-lists

Standard IP access list 10

10 deny host 10.1.1.100

20 permit any


Step 2 - Apply the ACL on the interface close to the destination


interface GigabitEthernet0/0/1

ip access-group 10 out



Now let's access server 20.1.1.100 from the laptop.



We can see that the laptop is not able to access the server.


On the Router we can see the hits as well.


Router#show ip access-lists

Standard IP access list 10

10 deny host 10.1.1.100 (4 match(es))

20 permit any
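To make the matching rules behind both posts concrete, here is a small evaluator added for this page (it is not IOS code and not part of the original posts). It models what `show ip access-lists` is counting: entries are tried top-down, the first match decides, an ACL with no matching entry denies the packet (the implicit deny), and a wildcard mask bit of 0 means "must match" while 1 means "don't care". It replays the extended ACL 100 and the standard ACL 10 against the laptop (10.1.1.100) talking to the server (20.1.1.100) on ports 80 and 443; the host addresses, protocol names and the `host` helper are my assumptions for the model.

```python
"""
Model of Cisco IOS standard/extended ACL matching (added example, not IOS code).
First match wins, implicit deny at the end, wildcard bit 0 = must match.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is network 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def host(ip: str) -> tuple:
    """The 'host x.x.x.x' keyword is shorthand for wildcard 0.0.0.0 (exact match)."""
    return (ip, "0.0.0.0")


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every protocol; else "tcp"/"udp"/"icmp"
    src: tuple = ANY                 # (network, wildcard)
    dst: tuple = ANY                 # standard ACLs leave this as ANY
    dst_port: Optional[int] = None   # "eq <port>" on the destination, if given


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def matches(entry: Entry, pkt: Packet) -> bool:
    """Every field of the entry must agree with the packet for it to match."""
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *entry.src):
        return False
    if not wildcard_match(pkt.dst, *entry.dst):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, index of the matching entry); index None is the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, pkt):
            return e.action, i
    return "deny", None


# Extended ACL 100 from the first post, with the intended hosts written as
# 'host' matches (assumed addresses: laptop 10.1.1.100, server 20.1.1.100).
ACL_100 = [
    Entry("deny", "tcp", host("10.1.1.100"), host("20.1.1.100"), dst_port=80),
    Entry("permit", "ip"),
]

# Standard ACL 10 from the second post: source address only.
ACL_10 = [
    Entry("deny", "ip", host("10.1.1.100")),
    Entry("permit", "ip"),
]

# The first post's entry exactly as typed: network 10.1.1.0 / 20.1.1.0 with wildcard 0.0.0.0.
LITERAL_ENTRY = Entry("deny", "tcp", ("10.1.1.0", "0.0.0.0"), ("20.1.1.0", "0.0.0.0"), dst_port=80)


def demo() -> dict:
    """Constructed flows from the laptop to the server, as in the two posts."""
    http = Packet("10.1.1.100", "20.1.1.100", "tcp", 80)
    https = Packet("10.1.1.100", "20.1.1.100", "tcp", 443)
    return {
        "acl100_http": evaluate(ACL_100, http)[0],        # deny: port 80 blocked
        "acl100_https": evaluate(ACL_100, https)[0],      # permit: falls through to entry 2
        "acl10_http": evaluate(ACL_10, http)[0],          # deny: source-only match
        "acl10_https": evaluate(ACL_10, https)[0],        # deny: port is irrelevant
        "literal_matches_laptop": matches(LITERAL_ENTRY, http),  # False under the wildcard rule
        "empty_acl": evaluate([], http)[0],               # deny: implicit deny
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things the output shows that the posts only imply: the standard ACL denies both port 80 and port 443 because it never looks at ports, which is exactly why it has to sit near the destination; and under the documented wildcard rule `10.1.1.0 0.0.0.0` describes the single address 10.1.1.0, so the evaluator reports that the first post's literal entry does not match a packet from 10.1.1.100. `host 10.1.1.100` is the unambiguous way to write a host match, and checking the hit counters in `show ip access-lists` after a test, as both posts do, is how you confirm an entry matches what you meant.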


Complete Router Configuration 


Router#show run

Building configuration...


Current configuration : 750 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0/0

ip address 10.1.1.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 20.1.1.1 255.255.255.0

ip access-group 10 out

duplex auto

speed auto

!

interface GigabitEthernet0/0/2

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

access-list 10 deny host 10.1.1.100

access-list 10 permit any

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end


Happy Learning !!



Wednesday, 25 March 2020

Add , Remove & Resequence entries in ACL

Today in this post we will see how to add, remove and resequence entries in an ACL.

We have an existing ACL named techstuff.


Let's check this ACL.


R1#sh ip access-lists techstuff

Extended IP access list techstuff

    10 permit ip 10.0.0.0 0.0.0.255 any

    20 permit ip 20.0.0.0 0.0.0.255 any

    30 permit ip 30.0.0.0 0.0.0.255 any

    40 permit ip 40.0.0.0 0.0.0.255 any

    50 permit ip 50.0.0.0 0.0.0.255 any


Now we need to deny host 20.1.1.1 in the ACL.

Since entry 20 permits 20.0.0.0/24, which includes 20.1.1.1, and the first matching entry wins, the deny has to be added before the entry with sequence number 20.


R1(config)#ip access-list extended techstuff

R1(config-ext-nacl)#15 deny ip host 20.1.1.1 any

R1(config-ext-nacl)#do sh ip access-list techstuff

Extended IP access list techstuff

    10 permit ip 10.0.0.0 0.0.0.255 any

    15 deny ip host 20.1.1.1 any <--------------- New entry

    20 permit ip 20.0.0.0 0.0.0.255 any

    30 permit ip 30.0.0.0 0.0.0.255 any

    40 permit ip 40.0.0.0 0.0.0.255 any

    50 permit ip 50.0.0.0 0.0.0.255 any


Now let's see how to remove an entry.


R1(config)#ip access-list extended techstuff

R1(config-ext-nacl)#no 40

R1(config-ext-nacl)#do sh ip access-list techstuff

Extended IP access list techstuff

    10 permit ip 10.0.0.0 0.0.0.255 any

    15 deny ip host 20.1.1.1 any

    20 permit ip 20.0.0.0 0.0.0.255 any

    30 permit ip 30.0.0.0 0.0.0.255 any

    50 permit ip 50.0.0.0 0.0.0.255 any


Here we can see the starting sequence number is still 10, but the intervals between the entries are no longer even.


Let's make the interval 10.


R1(config)#ip access-list ?

  extended    Extended Access List

  log-update  Control access list log updates

  logging     Control access list logging

  resequence  Resequence Access List

  standard    Standard Access List


R1(config)#ip access-list reseque

R1(config)#ip access-list resequence ?

  <1-99>       Standard IP access-list number

  <100-199>    Extended IP access-list number

  <1300-1999>  Standard IP access-list number (expanded range)

  <2000-2699>  Extended IP access list number (expanded range)

  WORD         Access-list name


R1(config)#ip access-list resequence techstuff ?

  <1-2147483647>  Starting Sequence Number


R1(config)#ip access-list resequence techstuff 10 ?

  <1-2147483647>  Step to increment the sequence number


R1(config)#ip access-list resequence techstuff 10 10

R1(config)#^Z



R1#sh ip access-list techstuff

Extended IP access list techstuff

    10 permit ip 10.0.0.0 0.0.0.255 any

    20 deny ip host 20.1.1.1 any

    30 permit ip 20.0.0.0 0.0.0.255 any

    40 permit ip 30.0.0.0 0.0.0.255 any

    50 permit ip 50.0.0.0 0.0.0.255 any



Hope you guys find this blog informative and useful!!!

Thanks!!!!

Tuesday, 24 March 2020

Adding Remarks to Entries in Active ACL

In this blog I will show you how to add remarks to entries in an active ACL.

Remarks are logically associated with entries in an ACL.


They are nothing but comments attached to entries in an ACL, which help the network administrator understand the purpose of a particular entry.


Now let's check an existing ACL named "techstuff" configured on Router R1.

R1#sh ip access-lists techstuff

Extended IP access list techstuff
    10 permit ip 10.0.0.0 0.0.0.255 any
    20 deny ip host 20.1.1.1 any
    30 permit ip 20.0.0.0 0.0.0.255 any
    40 permit ip 30.0.0.0 0.0.0.255 any
    50 permit ip 40.0.0.0 0.0.0.255 any


Always remember, guys!!! sh ip access-list won't show you any remarks.


To view remarks you need to check the running configuration (show run) of the router.

R1#sh run | begin techstuff

ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Here you can see there is no remark configured yet for this ACL.

Let's add one for the entry with sequence no. 20, which denies host 20.1.1.1 to any destination.


R1(config)#ip access-list ex techstuff

R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#20 deny ip host 20.1.1.1 any

R1#show run | begin techstuff

ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Now let's deny another host, 40.1.1.1, along with a remark.

R1(config)#ip access-list ex techstuff
R1(config-ext-nacl)#remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#45 deny ip host 40.1.1.1 any

R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 40.1.1.1 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Let's also perform a resequence.

R1(config)#ip access-list resequence techstuff ?
  <1-2147483647>  Starting Sequence Number

R1(config)#ip access-list resequence techstuff 10 ?
  <1-2147483647>  Step to increment the sequence number

R1(config)#ip access-list resequence techstuff 10 10
R1(config)#^Z
R1#
R1#sh ip access-lists
Extended IP access list techstuff
    10 permit ip 10.0.0.0 0.0.0.255 any
    20 deny ip host 20.1.1.1 any
    30 permit ip 20.0.0.0 0.0.0.255 any
    40 permit ip 30.0.0.0 0.0.0.255 any
    50 deny ip host 40.1.1.1 any
    60 permit ip 40.0.0.0 0.0.0.255 any
R1#

Now, if you delete an entry, the remark associated with it will also get deleted.

R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 40.1.1.1 any
 permit ip 40.0.0.0 0.0.0.255 any

R1(config)#ip access-list extended techstuff
R1(config-ext-nacl)#no 50
R1(config-ext-nacl)#^Z

R1#show run | begin techstuff
*Mar  1 00:44:54.479: %SYS-5-CONFIG_I: Configured from console by console
R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!
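The two posts above (add/remove/resequence, and remarks) describe one editing model for a named ACL. The Python class below is an added example written for this page, not IOS code: it models the behaviour the show outputs demonstrate, namely that an entry added with a sequence number lands between its neighbours, `no <seq>` removes exactly one entry, resequence renumbers in order from a start value with a fixed step, `show ip access-lists` prints sequence numbers but no remarks, `show run` prints remarks but no sequence numbers, and a remark attaches to the next entry added and is deleted with it. The rejection of a duplicate sequence number is my assumption about how such a model should behave, and the walkthrough replays the edits from the resequence post and then adds and deletes a remarked entry in the style of the remarks post.

```python
"""
Model of editing a named IOS ACL by sequence number (added example, not IOS code).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    seq: int
    text: str                      # e.g. "permit ip 10.0.0.0 0.0.0.255 any"
    remark: Optional[str] = None   # shown before this entry in show run


class NamedAcl:
    def __init__(self, name: str, entries: list):
        self.name = name
        self.aces = sorted((Ace(s, t) for s, t in entries), key=lambda a: a.seq)
        self._pending_remark: Optional[str] = None

    def remark(self, text: str) -> None:
        """'remark ...' in config-ext-nacl mode: attaches to the next entry added."""
        self._pending_remark = text

    def add(self, seq: int, text: str) -> None:
        """'<seq> permit|deny ...': insert in order (duplicate sequence rejected, assumed)."""
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        self.aces.append(Ace(seq, text, self._pending_remark))
        self._pending_remark = None
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq: int) -> None:
        """'no <seq>': drop the entry together with the remark attached to it."""
        kept = [a for a in self.aces if a.seq != seq]
        if len(kept) == len(self.aces):
            raise ValueError(f"no entry with sequence {seq}")
        self.aces = kept

    def resequence(self, start: int, step: int) -> None:
        """'ip access-list resequence <name> <start> <step>': order and remarks preserved."""
        for i, a in enumerate(self.aces):
            a.seq = start + i * step

    def show_access_list(self) -> list:
        """'show ip access-lists': sequence numbers, no remarks."""
        return [f"{a.seq} {a.text}" for a in self.aces]

    def show_run(self) -> list:
        """'show run | begin <name>': remarks, no sequence numbers."""
        lines = [f"ip access-list extended {self.name}"]
        for a in self.aces:
            if a.remark:
                lines.append(f" remark {a.remark}")
            lines.append(f" {a.text}")
        return lines


def walkthrough() -> dict:
    """Replays the techstuff edits from the posts and returns snapshots of each state."""
    acl = NamedAcl("techstuff", [(s, f"permit ip {s}.0.0.0 0.0.0.255 any")
                                 for s in (10, 20, 30, 40, 50)])
    acl.add(15, "deny ip host 20.1.1.1 any")     # lands before entry 20
    acl.remove(40)                               # no 40
    after_remove = acl.show_access_list()        # 10, 15, 20, 30, 50: uneven gaps
    acl.resequence(10, 10)                       # 10, 20, 30, 40, 50 again
    after_reseq = acl.show_access_list()
    acl.remark("** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **")
    acl.add(45, "deny ip host 40.1.1.1 any")     # the remark attaches to this entry
    with_remark_run = acl.show_run()
    with_remark_list = acl.show_access_list()    # remark is invisible here
    acl.remove(45)                               # deleting the entry deletes its remark
    return {
        "after_remove": after_remove,
        "after_reseq": after_reseq,
        "with_remark_run": with_remark_run,
        "with_remark_list": with_remark_list,
        "after_delete": acl.show_run(),
    }


if __name__ == "__main__":
    for label, lines in walkthrough().items():
        print(f"--- {label}")
        print("\n".join(lines))
```

The point worth taking from the model is operational rather than syntactic: because `show ip access-lists` hides remarks and `show run` hides sequence numbers, you need both views when auditing an ACL, and because a remark travels with its entry, removing an entry by sequence number silently removes the documentation for it as well.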


Hope you all find this post informative and useful.

Thanks for reading