More Access Control Lists: Eumed - Grnet
EUMED - GRNET
ACL Types
Wildcard masks are 32 bits long:
– Mask bits of 0 imply that the same bit positions must be compared (the address bit must match).
– Mask bits of 1 imply that the same bit positions are considered to match (the address bit is ignored).
Extended ACL (100-199)
– One nice feature in the Cisco IOS is the ability to name ACLs. This is especially helpful if you need more than 99 standard ACLs on the same router.
– Once you name an ACL, the prompt changes and you no longer have to enter the access-list and access-list-number parameters.
– In the example below, the ACL is named over_and as a hint to how it should be placed on the interface: out.
Show commands:
– show access-lists
  shows all access lists configured on the router
– show access-lists {name | number}
  shows the identified access list
– show ip interface
  shows the access lists applied to the interface, both inbound and outbound
– show running-config
  shows all access lists and the interfaces they are applied to
Enhanced Access Lists
Logging
– (config-ext-nacl)# permit tcp any any log-input
  (config-ext-nacl)# permit ip any any log
Time based
– (config)# time-range bar
  (config-time-range)# periodic daily 10:00 to 13:00
  (config)# ip access-list extended tin
  (config-ext-nacl)# deny tcp any any eq www time-range bar
  (config-ext-nacl)# permit ip any any
IOS ACL Reflexive
Reflect
– A reflexive ACL entry is created dynamically when traffic matches a permit entry containing the reflect keyword.
– The reflexive entry mirrors the permit entry (addresses and ports swapped) and times out (by default after 3 minutes) unless further traffic matches the entry (or a FIN is detected for TCP traffic).
– The timeout keyword allows setting a higher or lower timeout value.
– Reflexive ACLs can be applied to TCP, UDP, SCTP and ICMPv6.
Evaluate
– Apply the packet against a reflexive ACL.
– Multiple evaluate statements are allowed per ACL.
– The implicit deny any any rule does not apply at the end of a reflexive ACL; if nothing in the reflexive ACL matches, matching continues with the entries after the evaluate statement.
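To make the wildcard-mask rule from the ACL Types slide and the reflect/evaluate behaviour above concrete, here is a small Python model of how IOS walks an ACL. It is an added illustration, not IOS code or part of this deck; the class and function names (Ace, Evaluate, Packet, apply_acl) and the 180 s default are assumptions, and the mirrored entry tracks only the destination port for brevity.

```python
# Toy model of IOS ACL evaluation: wildcard masks, first-match with implicit deny,
# and the reflect/evaluate pair with its timeout. Added illustration, not IOS code.
from dataclasses import dataclass
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Mask bit 0: position must match; mask bit 1: position is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

@dataclass
class Ace:                   # one access-list entry
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: tuple               # (address, wildcard mask)
    dst: tuple
    dport: int = None        # None = any destination port
    reflect: str = None      # reflexive list populated when this permit matches
    timeout: int = 180       # mirrored entry lifetime in seconds (IOS default 3 min)

@dataclass
class Evaluate: name: str    # an "evaluate <name>" line

@dataclass
class Packet:
    proto: str; src: str; dst: str; sport: int; dport: int

def matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and ace.dport in (None, pkt.dport))

def apply_acl(acl, pkt, reflex, now):  # reflex: name -> [[mirror Ace, expiry], ...]
    for e in acl:
        if isinstance(e, Evaluate):
            live = [r for r in reflex.get(e.name, []) if r[1] > now]
            reflex[e.name] = live          # expired mirrors are dropped
            for r in live:
                if matches(r[0], pkt):
                    r[1] = now + r[0].timeout  # matching traffic refreshes the timer
                    return "permit"
            continue                       # no implicit deny at an evaluate
        if matches(e, pkt):
            if e.action == "permit" and e.reflect:
                mirror = Ace("permit", pkt.proto, (pkt.dst, "0.0.0.0"),
                             (pkt.src, "0.0.0.0"), dport=pkt.sport, timeout=e.timeout)
                reflex.setdefault(e.reflect, []).append([mirror, now + e.timeout])
            return e.action
    return "deny"                          # implicit deny any any
```

Run an outbound packet through an ACL with a reflect entry, then the return packet through an ACL with the matching evaluate, and watch the mirror appear, refresh, and expire.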