Cisco Extended ACL’s —
I used to be mystified by Access Lists on Cisco devices.. but I’m feeling pretty comfy with them now.
Essentially an Access Lists is a Matching Filter List. It’s got two options, Permit and Deny.
Here is my Lab. It’s actually similar to something I’m already working on but the names have been changed to protect the innocent.
I have 3 VLANS, 85, 86 and 87. The vlans I do not want talking to each other, except for a single Server on 85 I want 86 to see.
Access lists are actually really easy to set up. First you configure, then you apply to an interface, and you specify in what directions you want to match your traffic to the ACL, either in or out.
Lets start with our configuration with VLAN 86.
I’ve made interfaces on the router for each vlan, and while i could have made a trunk and some sub interfaces I didn’t bother here, since it’s a lab.
ROUTER#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.85.1 YES manual up up
GigabitEthernet0/1 192.168.86.1 YES manual up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset up down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up down
Vlan1 unassigned YES unset administratively down down
Vlan85 unassigned YES unset down down
Vlan87 192.168.87.1 YES manual up up
I’ve made some vlans on the switch and have applied static IPs to the various workstations and a single server.
The goal is to not allow traffic from any vlan to any other vlan, except for a single server.
ACL’s are processed from the top down, and once packets meet any criteria as they are processed thru the list they are sent along according to the rule they matched. So as an example. If sequence 5 tells the router to allow packets from 192.168.1.20 to reach network 192.168.20.0/24 then those are allowed if the next sequence tells it to deny 192.168.1.0/24 from 192.168.20.0/24 which would match up with the rest of the source IPs on that subnet. Also.. if you had those sequences switched this rule would be ignored.
To create an access list first you configure and then you apply.
Lets start with VLAN 87.
We simply want to block any IP from 192.168.87.0/24 from reaching any 192.168.86.0 address or 192.168.89.0 address.
on our cli we need to start with giving the acl a name, and specifying that it’s an extended list.
Router(config)#ip access-list extended VLAN87
Router(config-ext-nacl)#
Note, if you start putting in rules with no sequence number, you will simply start at 10 and then increment to the next 10, so 10, 20, so on.
However, if you specify the sequence number first, you can choose where your entry lands on your list. I personally like separating them to give me room for later changes.
The command is simple, it’s
Sequence# – the numbers are always observed as 10, 20, 30 and so one in increments of 10, but if you put one in as 31 then it will become 40 and 40 will move down.
deny or allow
protocol, ip means everything.. otherwise port number or name if it’s recognized.
Source IP network or host or any
Destination network or host or any
It’s also work noting that the item that looks like a subnet there is actually wildcard bits, which.. is a curve, but you will learn fast, essentially if it changes how many bits can change.
Router(config-ext-nacl)#10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
Router(config-ext-nacl)#20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
Router(config-ext-nacl)#30 permit ip any any
Note that I’ve placed an “any any” at the end. If your access list is only made of denials, it will simply deny everything because of the explicit and hidden “deny deny” that is at the end. If you only need to allow certain address then please of course do that.
Once completed we can see it and my two other ACL’s I’ve created:
Router(config)#do sho ip access-lists
Extended IP access list VLAN86
10 permit ip 192.168.86.0 0.0.0.255 host 192.168.85.5
20 deny ip 192.168.86.0 0.0.0.255 192.168.85.0 0.0.0.255
30 deny ip 192.168.86.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any
Extended IP access list VLAN87
10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
30 permit ip any any
Extended IP access list VLAN85
10 permit ip host 192.168.85.5 any
20 deny ip 192.168.85.0 0.0.0.255 192.168.86.0 0.0.0.255
30 deny ip 192.168.85.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any
Now we need to apply the ACL’s to our interfaces. You have to specify whether or not this filter should be applied on an interface on traffic that the router is sending to (out) or receiving from (in) other devices.
This is how we apply the VLAN86 acl to int gi0/1
Router(config)#int gi 0/1
Router(config-if)#ip access-group VLAN86 in
Router(config-if)#
We repeat as necessary for our other ACL’s