Acl

Bolton07 Member Posts: 87
Why do packet tracer exercises require the 'deny ip any any' command manually entered to the end of an ACL? I thought it was automatically entered to the end.


Also in my book it says DNS uses both UDP and TCP. So how would I know which to use in the ACL exercise below or any other time?

Create an ACL numbered 110 which permits the HTTP and DNS protocols for any host, but denies all other IP traffic to the Web Server and DNS Server.

Web Server IP Address: 10.10.10.254
DNS Server IP Address: 10.10.10.250


Note: Create the ACL to filter traffic using protocols instead of port numbers.

Apply the ACL outbound on Fast Ethernet 0/1.

Comments

  • toshinden5 Member Posts: 24
    Bolton07 wrote: »
    Why do packet tracer exercises require the 'deny ip any any' command manually entered to the end of an ACL? I thought it was automatically entered to the end.


    Also in my book it says DNS uses both UDP and TCP. So how would I know which to use in the ACL exercise below or any other time?

    Create an ACL numbered 110 which permits the HTTP and DNS protocols for any host, but denies all other IP traffic to the Web Server and DNS Server.

    Web Server IP Address: 10.10.10.254
    DNS Server IP Address: 10.10.10.250


    Note: Create the ACL to filter traffic using protocols instead of port numbers.

    Apply the ACL outbound on Fast Ethernet 0/1.

    Well, DNS uses TCP and UDP, but uses the same port. So you can use the deny tcp command.
  • Bolton07 Member Posts: 87
    This activity says that you have to use protocols instead of port numbers though.

    And UDP seems to be the only one it accepts when using DNS in the ACL. Why does it only accept UDP and not TCP?
  • onesaint Member Posts: 801
    Packet tracer ACL activities can be real finicky. With that in mind PT wants you to add "deny IP any any" so that you can track the ACL filtering better. Also, the deny rule is at the end of the ACL, hidden. As for the DNS, although DNS uses both TCP and UDP, it's UDP that does most of the work with TCP showing up when the DNS answer information is over 512 bytes. Using "eq DNS" for the protocol in your extended ACL should cover DNS for the activity.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • Bolton07 Member Posts: 87
    I think for DNS it is 'eq domain' in ACLs

    Not 'eq DNS'

    Am I right?
  • hiddenknight821 Member Posts: 1,209
    Bolton07 wrote: »
    I think for DNS it is 'eq domain' in ACLs

    Not 'eq DNS'

    Am I right?

    Correct. You should use the ? command or [TAB] to help you fill in the blank.
  • onesaint Member Posts: 801
    Bolton07 wrote: »
    I think for DNS it is 'eq domain' in ACLs

    Not 'eq DNS'

    Am I right?

    Too right. I guess that's what I get for posting at 2am!

    Still, I like the theory that I can be woken up in the middle of the night and still know what I'm talking about. *Note to self, work on equals in ACLs.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • hiddenknight821 Member Posts: 1,209
    onesaint wrote: »
    Too right. I guess that's what I get for posting at 2am!

    Still, I like the theory that I can be woken up in the middle of the night and still know what I'm talking about. *Note to self, work on equals in ACLs.

    Another note you should also keep in mind is to practice the well-known ports by their numbers, so that you can always remember the port numbers for other applications that do not have the same convenience as the ACL commands. For example, if you work with firewalls, you may wonder what the port number for DNS is, but you are unable to type in "DNS" since the firewalls may not know what that is.
  • hiddenknight821 Member Posts: 1,209
    I forgot to add that the "eq" (equal) command is not the only available option. Keep in mind you have neq (not equal to), lt (less than), gt (greater than), and range command to play around with. I should also try practicing using range command since most of the materials I worked with used two lines for FTP. I dunno why.
  • onesaint Member Posts: 801
    Another note you should also keep in mind is to practice the well-known ports by their numbers, so that you can always remember the port numbers for other applications that do not have the same convenience as the ACL commands.

    Thanks for the pointer. I usually try to shoot for the lowest common denominator for KISS purposes and troubleshooting. In this case, that would be port numbers. However, with the Packet Tracer ACL activities, I know they are super finicky and require exact syntax (of their choice) and number of rules per ACL.

    I forgot to add that the "eq" (equal) command is not the only available option. Keep in mind you have neq (not equal to), lt (less than), gt (greater than), and range command to play around with. I should also try practicing using range command since most of the materials I worked with used two lines for FTP. I dunno why.

    Thanks! I didn't realize (or possibly forgot) there were options other than "range," "neq," and "eq." I'll have to play with greater than and less than.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • Ltat42a Member Posts: 587
    Doesn't statement 2 negate statement 1 in this question???

    How many access lists can be applied to an interface on a Cisco router?

    Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.
  • hiddenknight821 Member Posts: 1,209
    Ltat42a wrote: »
    Doesn't statement 2 negate statement 1 in this question???

    How many access lists can be applied to an interface on a Cisco router?

    Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.

    Sounds legit to me. You can have many access-lists on a single interface. What the statement meant is that you cannot have more than one access-list that has the same rule for that specific protocol, since that could lead to overlapping issues and you can end up becoming more confused and frustrated. Let me give you an example.

    Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
    ip access-list extended BlockFromBadGuy1
    deny tcp host 22.33.44.55 192.168.1.0 0.0.0.255 eq www
    permit ip any any

    Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
    ip access-list extended BlockFromBadGuy2
    deny tcp host 66.77.88.99 192.168.1.0 0.0.0.255 eq www
    permit ip any any

    Wouldn't it make sense to put these rules in the same ACL? I think whatever material you are trying to read is trying to prepare you, and they believe this is the standard we should conform to when writing our ACL rules to avoid unnecessary headaches. By the way, if you are concerned about the "IP" protocol, don't worry about it, since it encompasses the whole suite of protocols, so it won't be counted against the rule if used properly, like using (permit ip any any) on every ACL when using deny statements.
  • instant000 Member Posts: 1,745
    Bolton07 wrote: »
    Why do packet tracer exercises require the 'deny ip any any' command manually entered to the end of an ACL? I thought it was automatically entered to the end.


    Also in my book it says DNS uses both UDP and TCP. So how would I know which to use in the ACL exercise below or any other time?

    Create an ACL numbered 110 which permits the HTTP and DNS protocols for any host, but denies all other IP traffic to the Web Server and DNS Server.

    Web Server IP Address: 10.10.10.254
    DNS Server IP Address: 10.10.10.250


    Note: Create the ACL to filter traffic using protocols instead of port numbers.

    Apply the ACL outbound on Fast Ethernet 0/1.

    1. I don't use Packet Tracer, no idea why, maybe it's meant as a learning aid? Yes, the deny any any is implicitly present for all ACLs.
    2. In real life, you would know, because the application owner would request the ports they needed. Usually, people just use UDP 53, but depending on the size (as another poster alluded to), TCP 53 will be necessary. As a safe practice, I would use both in a question such as this, as you have no idea what they mean.


    access-list 110 permit tcp any host 10.10.10.254 eq www
    access-list 110 permit udp any host 10.10.10.250 eq domain
    access-list 110 permit tcp any host 10.10.10.250 eq domain

    int f0/1
    ip access-group 110 out

    Ltat42a wrote: »
    Doesn't statement 2 negate statement 1 in this question???

    How many access lists can be applied to an interface on a Cisco router?

    Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.

    No, it does not.

    Ok, Tech eXams, a picture says a thousand words:
    r1(config)#do sh run | b 0/0
    interface FastEthernet0/0
     ip address 10.0.1.2 255.255.255.252
     ip access-group 112 in
     ip access-group 113 out
     duplex auto
     speed auto
     appletalk address 1.2
     appletalk access-group 600 out
     appletalk access-group 602 in
     ipx access-group 802 in
     ipx access-group 800 out
     ipx network 1
    !
    
    one access-list, per protocol, per direction
    protocol is speaking of stuff like appletalk, ipx, ip, etc.

    meaning i can have one ip access list inbound or outbound
    i can have one appletalk list inbound or outbound
    i can have one ipx list inbound or outbound, etc.

    And, appletalk is a chatty protocol.

    However, this demonstration should show you what you need to know.

    Hope this helps!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
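To make the two points in this thread concrete (the implicit deny that Packet Tracer still wants written out, and the "eq domain" lines for both UDP and TCP that instant000 used for ACL 110, plus the neq/lt/gt/range operators hiddenknight821 mentioned), here is an added worked example that is not from the thread or from Cisco: a small Python evaluator for extended-ACL lines, run against constructed packets. It assumes a hand-written subset of the IOS port-name table (www, domain, ftp, ...), contiguous wildcard masks only, and first-match semantics with an implicit deny when no line matches; keywords such as established or log are not modelled.

```python
"""Added example: simplified evaluator for Cisco-style extended ACL lines.
Models first-match-wins and the implicit 'deny ip any any' at the end.
Not the vendor's implementation; port-name table and packets are constructed."""
import ipaddress

# Subset of the IOS port names accepted after eq/neq/lt/gt/range (assumed sufficient here)
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25}
OPS = {"eq", "neq", "lt", "gt", "range"}


def _port(tok):
    """Accept a numeric port or one of the well-known names above."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D WILDCARD' to a network; only contiguous wildcards (0.0.0.255) are supported."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported in this example")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_addr(tokens):
    """Consume 'any' | 'host X' | 'X WILDCARD' plus an optional port operator.
    Returns (network, port_test, remaining_tokens)."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        net, rest = _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    port_test = None
    if rest and rest[0] in OPS:
        op = rest[0]
        if op == "range":
            port_test, rest = (op, _port(rest[1]), _port(rest[2])), rest[3:]
        else:
            port_test, rest = (op, _port(rest[1])), rest[2:]
    return net, port_test, rest


def _port_matches(test, port):
    """Apply eq/neq/lt/gt/range to a port; no operator means any port."""
    if test is None:
        return True
    op = test[0]
    if op == "eq":
        return port == test[1]
    if op == "neq":
        return port != test[1]
    if op == "lt":
        return port < test[1]
    if op == "gt":
        return port > test[1]
    return test[1] <= port <= test[2]  # range low high


def parse_acl(lines):
    """Parse numbered ('access-list 110 permit ...') or named-style ('permit ...') lines."""
    entries = []
    for line in lines:
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]  # drop 'access-list <number>'
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, sport, rest = _parse_addr(rest)
        dst, dport, rest = _parse_addr(rest)
        entries.append((action, proto, src, sport, dst, dport, line))
    return entries


def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """Return (action, matching_line). matching_line is None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, stest, dnet, dtest, line in entries:
        if p != "ip" and p != proto:          # 'ip' matches every protocol in the suite
            continue
        if s not in snet or d not in dnet:
            continue
        if not _port_matches(stest, sport) or not _port_matches(dtest, dport):
            continue
        return action, line                   # first match wins
    return "deny", None                       # implicit deny ip any any


# The ACL from the exercise, as instant000 wrote it (both DNS transports)
ACL_110 = [
    "access-list 110 permit tcp any host 10.10.10.254 eq www",
    "access-list 110 permit udp any host 10.10.10.250 eq domain",
    "access-list 110 permit tcp any host 10.10.10.250 eq domain",
]

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    # Constructed packets: (proto, src, dst, dport)
    for pkt in [("tcp", "192.168.1.10", "10.10.10.254", 80),
                ("udp", "192.168.1.10", "10.10.10.250", 53),
                ("tcp", "192.168.1.10", "10.10.10.250", 53),
                ("tcp", "192.168.1.10", "10.10.10.254", 443)]:
        print(pkt, "->", evaluate(acl, pkt[0], pkt[1], pkt[2], dport=pkt[3]))
```

Running it shows HTTP and both DNS transports permitted and HTTPS to the web server falling through to `("deny", None)`, i.e. the hidden implicit deny. Appending an explicit `access-list 110 deny ip any any` line changes only the second element of that result (the explicit line is now the match), which is the practical reason for writing it out: the explicit entry gets its own hit counter, so you can see what the ACL is dropping.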
  • instant000 Member Posts: 1,745
    Sounds legit to me. You can have many access-lists on a single interface. What the statement meant is that you cannot have more than one access-list that has the same rule for that specific protocol, since that could lead to overlapping issues and you can end up becoming more confused and frustrated. Let me give you an example.

    Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
    ip access-list extended BlockFromBadGuy1
    deny tcp host 22.33.44.55 192.168.1.0 0.0.0.255 eq www
    permit ip any any

    Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
    ip access-list extended BlockFromBadGuy2
    deny tcp host 66.77.88.99 192.168.1.0 0.0.0.255 eq www
    permit ip any any

    Wouldn't it make sense to put these rules in the same ACL? I think whatever material you are trying to read is trying to prepare you, and they believe this is the standard we should conform to when writing our ACL rules to avoid unnecessary headaches. By the way, if you are concerned about the "IP" protocol, don't worry about it, since it encompasses the whole suite of protocols, so it won't be counted against the rule if used properly, like using (permit ip any any) on every ACL when using deny statements.

    Huh? Please review my explanation above.

    Thanks!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • onesaint Member Posts: 801
    Ltat42a wrote: »
    Doesn't statement 2 negate statement 1 in this question???

    How many access lists can be applied to an interface on a Cisco router?

    Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.

    From IP Routing Frequently Asked Questions - Cisco Systems:

    "Q. Can an interface have more than one ip access-group statement in its configuration?

    A. In Cisco IOS versions 10.0 and later, you can have two ip access-group commands per interface (one for each direction):
    interface ethernet 0
    ip access-group 1 in
    ip access-group 2 out
    One access-group is used for inbound traffic and one for outbound traffic. Refer to Configuring Commonly Used IP ACLs and Configuring IP Access Lists for more information on ACLs.

    A better explanation comes from the 2948 config guide:

    "ACLs, which are sometimes called filters, allow you to restrict network use by certain users or devices. ACLs are created for each protocol and applied on the interface either for inbound or outbound traffic. They can be configured for all routed network protocols (IP or IPX) to filter packets for the protocol as they pass through a router. Only one ACL filter can be applied per direction, per protocol per (sub)interface."
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • hiddenknight821 Member Posts: 1,209
    instant000 wrote: »
    Huh? Please review my explanation above.

    Thanks!

    I'm stumped. I could have sworn the LabSim threw me off there a bit when I was taking the practice exam in that domain lately. I'm gonna check to see where I went wrong here. I didn't know they were talking about "Routed" protocols. Thanks anyway. OneSaint helped clear up everything by pointing to the authority of Cisco

    EDIT: I just identified my problem which caught me off guard.
    Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.
    Instead, it should have explicitly stated routed or routable protocol. I need to do some cautious reading before I take the author's interpretation the way he worded it. Reading has never been so easy for me.
  • instant000 Member Posts: 1,745
    Just for full disclosure, it caught me off guard initially, too. I had to do additional reading (and configuration attempts) before I could fully understand this. Also, it really doesn't help much to identify the "per protocol" portion when the only things they (training materials/trainers) show you are IP stuff.

    So, hopefully my demonstrated config above, showing in and out ACL's applied for several protocols will help in the long run.

    Also, OneSaint posted fantastic documentation, that explains it better than I did.

    Helping each other figure this stuff out is what this forum is designed for :D
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)