ADVANCED Access Lists (ACL) Configuration

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router


It's enough to configure the extended ACL, and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about.

One of the awesome features is playing with the ESTABLISHED attribute, which means - allow back the traffic from the hosts TCP session has already been established with. In this example we're allowing back in the TELNET and HTTP traffic to HOST 10.187.12.1:
(config-ext-nacl)#permit tcp any range 80 23  host 10.187.12.1 established



TIME-BASED ACL
STEP 1: define the time range using the "time-range TIMERANGE" command in the global configuration mode
*be sure the Clock is correct using the "show clock", and if not - set it using the "clock set", or with NTP server

STEP 2: attach the time-range to the ACL:
(Config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE

DYNAMIC ACL (aka Lock and key ACL)
Special Feature used for AUTHENTICATION of other devices
Like the time-range, but instead of the time we permit or deny ACLs actions based on Authentication.
The ACL is defined using "access-list 102 dynamic..."

STEP 1: Create and EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any


STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:
(config)#access-list 100 dynamic DYN_ACL permit ip any any


STEP 3: Apply the ACL on the interface:
(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC, it doesnt appear when "?" is pressed
**AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005


REFLEXIVE ACL - For Session Filtering
Applied on the outbound interface of the router, we're taking care of the outgoing traffic, and then
we CHECK THE RETURNING TRAFFIC, meaning - we are making sure that the returning traffic is opposite of what went out.
When configuring, you need 2 ACLs:

STEP 1 - OUTBOUND ACL, For the outbound within the extended ACL configure:
(config)#ip access-list extended OUT_ACL
(config-ext-nacl)#permit tcp host any any eq www reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq telnet reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq https reflect REFLECT_ACL
(config-ext-nacl)#permit ospf any any

STEP 2: And on the inbound ACL within the extended ACL configuration:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any
(config-ext-nacl)#evaluate REFLECT_ACL

STEP 3: Then apply the first one outbound, and the second one inbound on the same interface.
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the entries expire. it can be modified using the command "ip reflexive-list timeout X":
(config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)

No comments:

Post a Comment

Most Popular Posts