Are there any Access Lists and Extended access lists that I should be proficient at?
gbdavidx
Member Posts: 840
in CCNA & CCENT
What should I be able to do? For example, should I be able to block a single host and also be able to block an via a host port on an interface?
Comments
mikeybinec
Member Posts: 484
I took 640-802 a few years ago, and you needed to know your block size, i.e. 0.0.0.63 defines the /26.
Lammle's book says you need to know some of the switches, i.e. = telnet, or put a log on the end of the access list line to see how many times it has been brought into play.
Regards..
Cisco NetAcad Cuyamaca College
A.S. LAN Management 2010 Grossmont College
B.S. I.T. Management 2013 National University
Dieg0M
Member Posts: 861
Do you mean for the CCENT/CCNA or in the networking industry in general? For the CCENT/CCNA exam the restrictions will be given to you and it is really straightforward as long as you know your wildcard bits.
In the networking industry, you will also need to know your ACLs really well, but most importantly you will need to understand how the technologies work.
For example, let's say you have a customer that will pass to you multicast feeds and the RP is on their side. You need to establish a BGP interconnect with this customer and write an inbound ACL that will ONLY allow the BGP and those multicast feeds to pass through. How would you tackle this problem if you don't know how BGP or how PIM SM works?
Follow my CCDE journey at www.routingnull0.com
OfWolfAndMan
Member Posts: 923
Here are a few things to remember when it comes to ACLs (with command line examples):
1. With standard ACLs, the statement will go as close to the destination as possible. With extended ACLs, you want to put the statement as close to the source as possible.
2. There are many types of ACLs, but the two main ones you'll be focused on in CCNA are numbered and named access lists: 1-99 for normal standard ACLs and 100-199 for normal extended. There are more, but those will be the main numbers you'll focus on. Named access lists don't limit the number of ACLs you can write and they have special abilities numbered access lists don't.
3. What you're talking about is an extended access list specifying a certain protocol. Consider the example below:
Let's say 10.0.1.1 wants to reach 10.0.2.1 via ftp, but the destination only wants you to connect via port 21 (ftp). You would input the following command on the router:
#ip access-list extended 100
#permit tcp host 10.0.1.1 host 10.0.2.1 eq ftp OR permit tcp 10.0.1.1 0.0.0.0 10.0.2.1 0.0.0.0 eq ftp
You would put that on the f0 interface going in. Now, let's make it a bit more interesting and add a second computer on the left, 10.0.1.2 and say you want that guy to be able to access 10.0.2.1 normally EXCEPT not allowing http. You would add the following line:
#deny tcp host 10.0.1.2 host 10.0.2.1 eq www
#permit ip any any
Since we're assuming the two computers would be on separate interfaces of the router, the last command is necessary as it will allow normal communication between 10.0.1.1 and 10.0.1.2. Otherwise, that implicit deny would get ya.
Good luck in your studies!
Reading: Lab Books, Ansible Documentation, Python Cookbook 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
theodoxa
Member Posts: 1,340
Permit/Deny by Source IP
Permit/Deny by Destination IP
Permit/Deny by Source Port/Layer 4 Protocol (TCP/UDP)
Permit/Deny by Destination Port/Layer 4 Protocol (TCP/UDP)
Permit/Deny by Source and Destination IP
Permit/Deny by Source IP and/or Port/Layer 4 Protocol and Destination IP and/or Port/Layer 4 Protocol
The first (Source IP Only) is a standard ACL. Everything else would use an extended ACL and you might be asked about any or all of them. You might also be asked about the "log" option.
Example --
Permit HTTP traffic from the LAN1 subnet (192.168.1.0/24) to the Web Server (99.1.250.4):
permit tcp 192.168.1.0 0.0.0.255 host 99.1.250.4 eq www
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
gbdavidx
Member Posts: 840
Permit/Deny by Source IP
Permit/Deny by Destination IP
Permit/Deny by Source Port/Layer 4 Protocol (TCP/UDP)
Permit/Deny by Destination Port/Layer 4 Protocol (TCP/UDP)
Permit/Deny by Source and Destination IP
Permit/Deny by Source IP and/or Port/Layer 4 Protocol and Destination IP and/or Port/Layer 4 Protocol
The first (Source IP Only) is a standard ACL. Everything else would use an extended ACL and you might be asked about any or all of them. You might also be asked about the "log" option.
Example --
Permit HTTP traffic from the LAN1 subnet (192.168.1.0/24) to the Web Server (99.1.250.4):
permit tcp 192.168.1.0 0.0.0.255 host 99.1.250.4 eq www
You have all of this just memorized?
theodoxa
Member Posts: 1,340
You have all of this just memorized?
No. There is a basic pattern to ACLs.
Standard ACL --
permit SOURCE
deny SOURCE
Extended ACL --
permit L4_PROTOCOL SOURCE DESTINATION
deny L4_PROTOCOL SOURCE DESTINATION
For a Standard ACL, SOURCE is either a specific host ("host 99.1.250.4") or a range of IP Addresses ("192.168.1.0 0.0.0.255") specified using a Subnet ID and Wildcard Mask.
For an Extended ACL, L4_PROTOCOL represents the Layer 4 Protocol. Usually, this would be TCP or UDP, but could include protocols such as ICMP and others (though, I don't believe the CCNA covers anything but TCP/UDP/IP). IP is used to mean all Layer 4 Protocols (TCP, UDP, etc...). With an Extended ACL either source or destination [or - you'll never see it in the real world, but it could show up on a test - both] ports or port ranges can be specified in addition to the IP Address(es).
host IP_ADDRESS [OPERATOR PORT]
SUBNET_ID WILDCARD_MASK [OPERATOR PORT]
OPERATOR is a comparison. The most common is "eq" meaning a single matching port ("eq www" would match only port 80). But, there are others such as "lt" (less than), "gt" (greater than), etc...
PORT is the Layer 4 port number (HTTP = 80, HTTPS = 443, etc...). There are a few of these (Telnet - 23, FTP - 20/21, HTTP - 80, HTTPS - 443, SSH - 22, SMTP - 25, and DNS - 53 come to mind) that you might want to memorize. Cisco provides some names you can substitute for the most common ports ("www", "telnet", etc...).
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
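To make the permit/deny pattern in theodoxa's post and the two-host scenario in OfWolfAndMan's post concrete, here is an added Python example. It is not code from this thread and not Cisco's code; it is a toy evaluator that parses IOS-style standard and extended ACL lines (host/any/wildcard addresses, eq/lt/gt/neq/range port operators, the log keyword) and runs sample packets through them top-down with the implicit deny at the end. The ACL text, the packets and the PORT_NAMES table are constructed sample input, and PORT_NAMES is only a hand-picked subset of the IOS port keywords.

```python
"""Toy evaluator for Cisco IOS-style standard and extended ACLs.

Added example for this thread, not Cisco code. It implements only the rules
the posts describe: wildcard masks (a 0 bit must match, a 1 bit is ignored),
top-down first-match evaluation, and the implicit 'deny any' at the end.
"""
import ipaddress

# Subset of the IOS port keywords (assumed list; IOS has many more).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "https": 443}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_for_prefix(prefix_len):
    """/26 -> '0.0.0.63': the wildcard is the bitwise inverse of the netmask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def addr_matches(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _parse_port(tokens):
    """Optional 'eq|lt|gt|neq PORT' or 'range LO HI'; None means any port."""
    if not tokens or tokens[0] not in ("eq", "lt", "gt", "neq", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        lo, hi = _port(tokens.pop(0)), _port(tokens.pop(0))
        return lambda p: lo <= p <= hi
    n = _port(tokens.pop(0))
    return {"eq": lambda p: p == n, "lt": lambda p: p < n,
            "gt": lambda p: p > n, "neq": lambda p: p != n}[op]


def parse_acl(text):
    """One ACE per line, in the two shapes from the thread:
    standard:  permit|deny SOURCE
    extended:  permit|deny PROTO SOURCE [OP PORT] DEST [OP PORT] [log]
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()          # '!' starts an IOS comment
        if not tokens:
            continue
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):             # extended ACE
            proto = tokens.pop(0)
            src, sport = _parse_addr(tokens), _parse_port(tokens)
            dst, dport = _parse_addr(tokens), _parse_port(tokens)
        else:                                                      # standard ACE
            proto, src, sport, dst, dport = "ip", _parse_addr(tokens), None, ANY, None
        entries.append(dict(action=action, proto=proto, src=src, sport=sport,
                            dst=dst, dport=dport, log="log" in tokens))
    return entries


def evaluate(entries, pkt):
    """Return (action, ace_number) of the first matching ACE, or
    ('deny', None) when the packet falls through to the implicit deny."""
    for num, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not addr_matches(pkt["src"], *e["src"]):
            continue
        if not addr_matches(pkt["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and not e["sport"](pkt.get("sport", -1)):
            continue
        if e["dport"] is not None and not e["dport"](pkt.get("dport", -1)):
            continue
        return e["action"], num
    return "deny", None


# Constructed input: OfWolfAndMan's ACL 100, with and without the final permit.
ACL_100 = """
permit tcp host 10.0.1.1 host 10.0.2.1 eq ftp
deny tcp host 10.0.1.2 host 10.0.2.1 eq www
permit ip any any
"""
ACL_100_NO_PERMIT_ANY = "\n".join(ACL_100.strip().splitlines()[:2])


def tcp(src, dst, dport):
    return dict(proto="tcp", src=src, dst=dst, sport=40000, dport=dport)


def demo():
    """Evaluate a few constructed flows; returns {name: (action, ace_number)}."""
    full, short = parse_acl(ACL_100), parse_acl(ACL_100_NO_PERMIT_ANY)
    return {
        "host1_ftp": evaluate(full, tcp("10.0.1.1", "10.0.2.1", 21)),
        "host2_http": evaluate(full, tcp("10.0.1.2", "10.0.2.1", 80)),
        "host2_https": evaluate(full, tcp("10.0.1.2", "10.0.2.1", 443)),
        "host1_http_noany": evaluate(short, tcp("10.0.1.1", "10.0.2.1", 80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Running it shows the point of the thread's last line: with `permit ip any any` in place, host 10.0.1.2 reaching 10.0.2.1 on 443 is permitted by ACE 3, but the same ACL without that line returns ('deny', None) for 10.0.1.1's HTTP traffic, which is the implicit deny "getting ya". The evaluator is a model, not a substitute for testing on IOS: it ignores established/fragment matching, ICMP type keywords and the many other port names IOS accepts.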
theodoxa
Member Posts: 1,340
It might be a bit difficult to follow, but my notes for the Security portion of CCNA --
http://www.agredon.com/security.odt
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
Magic Johnson
Member Posts: 414
No. There is a basic pattern to ACLs.
Standard ACL --
permit SOURCE
deny SOURCE
Extended ACL --
permit L4_PROTOCOL SOURCE DESTINATION
deny L4_PROTOCOL SOURCE DESTINATION
For a Standard ACL, SOURCE is either a specific host ("host 99.1.250.4") or a range of IP Addresses ("192.168.1.0 0.0.0.255") specified using a Subnet ID and Wildcard Mask.
For an Extended ACL, L4_PROTOCOL represents the Layer 4 Protocol. Usually, this would be TCP or UDP, but could include protocols such as ICMP and others (though, I don't believe the CCNA covers anything but TCP/UDP/IP). IP is used to mean all Layer 4 Protocols (TCP, UDP, etc...). With an Extended ACL either source or destination [or - you'll never see it in the real world, but it could show up on a test - both] ports or port ranges can be specified in addition to the IP Address(es).
host IP_ADDRESS [OPERATOR PORT]
SUBNET_ID WILDCARD_MASK [OPERATOR PORT]
OPERATOR is a comparison. The most common is "eq" meaning a single matching port ("eq www" would match only port 80). But, there are others such as "lt" (less than), "gt" (greater than), etc...
PORT is the Layer 4 port number (HTTP = 80, HTTPS = 443, etc...). There are a few of these (Telnet - 23, FTP - 20/21, HTTP - 80, HTTPS - 443, SSH - 22, SMTP - 25, and DNS - 53 come to mind) that you might want to memorize. Cisco provides some names you can substitute for the most common ports ("www", "telnet", etc...).
What a great post. This, this and more this for CCENT anyway.
mikeybinec
Member Posts: 484
LOL. But they are the basic building blocks of a firewall.. Embrace them with gusto ;{D
Cisco NetAcad Cuyamaca College
A.S. LAN Management 2010 Grossmont College
B.S. I.T. Management 2013 National University
davenull
Member Posts: 173
I truly hate ACLs
I wouldn't. I found them useful for emulating an ISP router's behavior when a GNS3 lab called for an internet connection. Just block the private address ranges, set up an 8.8.8.8 and you have the 'internet'.
theodoxa
Member Posts: 1,340
I wouldn't. I found them useful for emulating an ISP router's behavior when a GNS3 lab called for an internet connection. Just block the private address ranges, set up an 8.8.8.8 and you have the 'internet'.
Not to mention, ACLs are used for countless things beyond simple packet filtering - QoS, Zone-Based Firewall, Policy Routing, Dynamic NAT, and many others. Basically, any time you need to identify traffic, you'll be using an ACL or a Class Map [which will also likely use one or more ACLs itself].
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]