Geek.Like.Todd

Cisco Extended ACL’s —

I used to be mystified by Access Lists on Cisco devices.. but I’m feeling pretty comfy with them now.

Essentially an Access List is a matching filter list. It’s got two options, Permit and Deny.

Here is my Lab. It’s actually similar to something I’m already working on but the names have been changed to protect the innocent.

I have 3 VLANs, 85, 86 and 87. I do not want the VLANs talking to each other, except for a single server on 85 that I want 86 to see.

[Lab diagram: ACLEXTLAB]

Access lists are actually really easy to set up. First you configure the list, then you apply it to an interface, specifying in which direction you want traffic matched against the ACL, either in or out.

Let’s start with our configuration with VLAN 86.

I’ve made interfaces on the router for each VLAN, and while I could have made a trunk and some sub-interfaces I didn’t bother here, since it’s a lab.

ROUTER#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.85.1 YES manual up up
GigabitEthernet0/1 192.168.86.1 YES manual up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset up down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up down
Vlan1 unassigned YES unset administratively down down
Vlan85 unassigned YES unset down down
Vlan87 192.168.87.1 YES manual up up

I’ve made some VLANs on the switch and have applied static IPs to the various workstations and a single server.

The goal is to not allow traffic from any VLAN to any other VLAN, except for a single server.

ACLs are processed from the top down, and once a packet matches any entry as it is checked through the list, it is handled according to the rule it matched. As an example: if sequence 5 tells the router to permit packets from host 192.168.1.20 to network 192.168.20.0/24, those packets are allowed even if the next sequence denies 192.168.1.0/24 to 192.168.20.0/24, which would match the rest of the source IPs on that subnet. Also, if you had those sequences switched, the permit would never be reached, since the deny matches first.

To create an access list first you configure and then you apply.

Let’s start with VLAN 87.

We simply want to block any IP from 192.168.87.0/24 from reaching any 192.168.86.0 address or 192.168.89.0 address.

On our CLI we need to start by giving the ACL a name and specifying that it’s an extended list.

Router(config)#ip access-list extended VLAN87
Router(config-ext-nacl)#

Note: if you start putting in rules with no sequence number, they will simply start at 10 and increment by 10, so 10, 20, and so on.

However, if you specify the sequence number first, you can choose where your entry lands on your list. I personally like separating them to give me room for later changes.

The command is simple. Each entry is made of:
Sequence# – the numbers are always observed as 10, 20, 30 and so on in increments of 10, but if you put one in as 31 then it will become 40 and 40 will move down.
permit or deny
protocol – ip means everything; otherwise a protocol number or name if it’s recognized.
Source IP network or host or any
Destination network or host or any

It’s also worth noting that the item that looks like a subnet mask there is actually wildcard bits, which is a curve, but you will learn fast: a 1 bit in the wildcard means that bit of the address is free to change, and a 0 bit means it must match exactly, so 0.0.0.255 matches the whole /24.

Router(config-ext-nacl)#10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
Router(config-ext-nacl)#20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
Router(config-ext-nacl)#30 permit ip any any

Note that I’ve placed an “any any” permit at the end. If your access list is only made of denials, it will simply deny everything because of the implicit, hidden “deny any” that is at the end of every list. If you only need to allow certain addresses then please of course do that.

Once completed we can see it and my two other ACLs I’ve created:

Router(config)#do sho ip access-lists
Extended IP access list VLAN86
10 permit ip 192.168.86.0 0.0.0.255 host 192.168.85.5
20 deny ip 192.168.86.0 0.0.0.255 192.168.85.0 0.0.0.255
30 deny ip 192.168.86.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any
Extended IP access list VLAN87
10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
30 permit ip any any
Extended IP access list VLAN85
10 permit ip host 192.168.85.5 any
20 deny ip 192.168.85.0 0.0.0.255 192.168.86.0 0.0.0.255
30 deny ip 192.168.85.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any
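To make the top-down, first-match, wildcard-bit and implicit-deny behaviour concrete, here is an added Python example (not from this post and not Cisco code) that parses the VLAN86 and VLAN87 lists above as text and walks a packet’s source and destination through them the way the router does; the test cases also cover the “sequences switched” situation described earlier.

```python
import ipaddress

# Constructed copy of two of the ACLs from the "show ip access-lists" output above.
ACLS = {
    "VLAN86": [
        "10 permit ip 192.168.86.0 0.0.0.255 host 192.168.85.5",
        "20 deny ip 192.168.86.0 0.0.0.255 192.168.85.0 0.0.0.255",
        "30 deny ip 192.168.86.0 0.0.0.255 192.168.87.0 0.0.0.255",
        "40 permit ip any any",
    ],
    "VLAN87": [
        "10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255",
        "20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255",
        "30 permit ip any any",
    ],
}

def parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD.
    Returns ((base, care_mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # A 1 bit in the wildcard is "don't care"; invert it to get the bits that must match.
    return (base, 0xFFFFFFFF ^ wildcard), tokens[2:]

def parse_ace(line):
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, rest = parse_addr(tokens[3:])
    dst, _ = parse_addr(rest)
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst}

def matches(spec, addr):
    base, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """Walk entries in sequence order; the first match wins, else the implicit deny."""
    for ace in sorted((parse_ace(l) for l in acl_lines), key=lambda a: a["seq"]):
        if matches(ace["src"], src) and matches(ace["dst"], dst):
            return ace["action"], ace["seq"]
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    for s, d in [("192.168.86.10", "192.168.85.5"), ("192.168.86.10", "192.168.85.9")]:
        print(s, "->", d, evaluate(ACLS["VLAN86"], s, d))
```

The (seq None) result is the hidden deny: a list made only of denies never permits anything, which is why the post adds "permit ip any any" at the end.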

Now we need to apply the ACLs to our interfaces. You have to specify whether this filter should be applied to traffic that the router is sending out of the interface (out) or receiving on it (in).

This is how we apply the VLAN86 ACL to int gi0/1:

Router(config)#int gi 0/1
Router(config-if)#ip access-group VLAN86 in
Router(config-if)#

We repeat as necessary for our other ACLs.


Simple Cisco DHCP —

I’m doing a little labwork and wanted to post this really for nothing other than to assist with my remembering it, and hey.. maybe you might find it helpful. Typically whenever I need DHCP I turn to an OS to do that for me, if AD is involved, I’m using Windows, if it’s not I’ll use Linux.  But if you have neither, but do have a Cisco Router, never fear it can do that for you.  Here is our lab, consisting of a single router, a switch, and 3 workstations:

[Lab diagram: DHCPLAB]

Our IP address range for this lab is 192.168.1.0/24 and we want to reserve the range 192.168.1.1 – 192.168.1.49 but allow the rest to be available for our pool.

My fake PC clients are all set to DHCP.

Step one: Assign an interface on the router for the network.
dhcptest(config)#int fa 0/0
dhcptest(config-if)#description inside
dhcptest(config-if)#ip address 192.168.1.1 255.255.255.0
dhcptest(config-if)#no shut

Step two: Reserve your IP’s that you wish to exclude from your pool.

dhcptest(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.49

Step three: Create your pool. In our test we are naming our pool “inside”, but you may name yours whatever you want.

dhcptest(config)#ip dhcp pool inside
dhcptest(dhcp-config)#network 192.168.1.0 255.255.255.0
dhcptest(dhcp-config)#default-router 192.168.1.1
dhcptest(dhcp-config)#dns-server 8.8.8.8 8.8.4.4

Step four: Check your DHCP bindings.

dhcptest#sho ip dhcp binding
IP address Client-ID/ Lease expiration Type
Hardware address
192.168.1.50 0060.7098.9145 -- Automatic
192.168.1.51 00D0.BCA1.3A33 -- Automatic
192.168.1.52 0060.2F5A.3953 -- Automatic
192.168.1.53 000A.4143.6916 -- Automatic

Enjoy!
Here is a link to Cisco’s guide on DHCP, with cooler options than mine:
Cisco DHCP

Note, I used packet tracer, and in my version, I couldn’t set a second DNS server, but the documentation tells me I can set 8.  😀

Here is a Link to the Packet Tracer File I used:

DHCP LAB


MST3k!! #BringBackMST3K —

I’m a huge huge..  mystie.. I have been since maybe season 2?  I was young.. I don’t remember when I started watching.. but Comedy Central and SciFi were both young at the time..  anyhow.. I’m super excited to see that this might happen.. and I really really want another MST3k season. So much that I’m willing to support it.

Don’t know what MST3k is? Well.. I want to explain it.. but I don’t really.. nothing else ever came out at the time to challenge it.. and even though with Rifftrax and other post Mike / Joel / Other MST3k member products.. they didn’t have the magic of Mike, Joel and the bots. If you really want to see what it’s about.. On Turkey Day.. go here.. MST3k on Youtube

Anyhow… I’ve gotten my family sucked into it.. they have a favorite.. it’s The Final Sacrifice.. the worst thing to ever come out of Canada..