ACL / Access Control Lists

• To see existing IP access lists: #show ip access-list
• To create new ACL:

• #ip access-list <name> //creates extended ACL
• #ip access-list standard <name> //creates standard ACL

• Standard ACL:

• Here, we cannot specify the destination IP address
• We can specify only the source IP address
• #ip access-list standard test1
• (test1)#permit 10.10.10.10 0.0.0.0  //ip and wildcard
• (test2)#deny any any
• //The sequence matters. If we had used deny first, then, the deny rule itself matches, so it won’t go to the permit. Note: deny is an implicit rule. SO, no need to configure that on any ACL

• To apply the IP address, we should use on the specific interface
• If we don’t even want the packet to enter the switch and not use that switch, use the ingress interface. This is recommended as we prefer to do so near the source
• If we have another path via the switch and want the packet to take that, then, use this ACL on the not-used interface
• #int et 2/1
• #ip access-group test in //ACL is configured for the packet and doesn’t allow the IP address ‘in’
• We can see it in the counters of ACL using #show ip access-list test2

• Extended ACL:

• #ip access-list test2
• (test2)#permit ? //we can even specify higher layer protocols like TCP, UDP, OSPF, IP, ICMP, etc…
• test1)#permit tcp 10.10.10.3/32 host 10.10.10.4 eq ssh

• //Source IP for which TCP ACL is being configured
• //host tells us that the ACL is for a single destination host
• //Next we give the destination IP
• //eq is for telling which port number. We can either use the port number itself or tell the name of protocol. Eg) ssh
• Note: deny is an implicit rule. So, no need to configure that on any ACL

• The above ACL will work if the protocol is TCP and the Source and destination IP are matching and blocks ssh
• Now, try to ssh from 1st switch to 3rd switch

• We configured ssh on 2nd switch’s  egress port using:

#int et 14/1

#ip access-group test2 out

• We can see that only ssh will work, ping and all won’t work.
• We can see it in the counters of ACL using #show ip access-list test2

• Resequence: We can go into an ACL and use resequence command to resequence the ACL options
• We should optimize ACLs as TCAMs are expensive

• For example, Requirements: All VLANs should be able to communicate with each other but not to gateway.
• 
• If we have 4 VLANs, then, if we give 4 ACLs; then, it is not optimal

• 10.10.0.X                 //vlan 10 IP
• 10.10.10.X                 //vlan 20 IP
• 10.10.20.X                 //vlan 30 IP
• 10.10.30.X                 //vlan 40 IP

• So, we can use IP address and wildcard masks carefully.

• #deny 10.10.10.254 10.10.(00011110)b.0  →
•  #deny ip any 10.10.10.254 10.10.30.0
• Also, we have implicit deny, so we need to give #permit ip any any

• Thus, ACL summarization is important

• Now, to deny all odd IP address only:

• #deny <ip address> 10.10.10.0 0.0.0.254  //this wildcard applies only to all odd IP addresses

• Now to match only 4,8,16,32,64,128 IP address:

• Wildcard is X.X.X.(1111 1100)b

• See this:

• http://www.computernetworkingnotes.com/ccna-study-guide/configure-standard-access-control-list-step-by-step-guide.html
• http://www.computernetworkingnotes.com/ccna-study-guide/configure-extended-access-control-list-step-by-step-guide.html