Saturday, March 19, 2011

Lesson 48 - Standard ACL Examples

Pic. 1 - Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task 1
Configure an IP standard ACL that denies packets coming from 172.31.3.16/28 going towards 192.168.4.0/24. All other traffic should be allowed.

Task 2
Configure an IP standard ACL that denies packets coming from the host 172.31.123.3 going towards 192.168.5.0/24. Traffic from other sources should be allowed.

Let's get 'em tiger!

When it comes to configuring ACLs my work flow goes like this:
  1. Which ACL is going to accomplish my goal: Standard or Extended?
  2. Which router and interface should I apply the ACL on?
  3. Which direction should I use: in or out?
Dig this! 
Since as of this moment we talk about standard ACL, the answer to the first question is obvious: standard ACL must be used. In real life examples, the goals you try to accomplish will impose the criteria. If you must filter out some specific TCP traffic (e.g. going towards port 80), an extended ACL must be used as the standard one cannot filter on TCP (source IP only).

The guidelines specify that standard ACL must be placed as close to the destination as possible. Think about it. If I applied the ACL in Task 1 on R3 F1/0 out, the packet with the source 172.31.3.32/28 could not go anywhere out that interface. We're supposed to filter this source going towards Branch 1 (R4) and not anywhere else. R4 is going to be the router I'm going to apply the ACL on.

As for the last question about the direction, I could use R4's S0/2 inbound or F1/0 outbound. Since there are only two interfaces, I can apply this on s0/2 inbound and it won't make much difference except that the packet will be rejected on the inbound interface. This way, R4 won't have to do layer 3 lookup and waste it resources. If there were more interfaces I would use it on F1/0 interface outbound since the traffic should not be sent to the specific network (192.168.4.0).

Task 1
Configure an IP standard ACL that denies packets coming from 172.31.3.16/28 going towards 192.168.4.0/24. All other traffic should be allowed.

Pic. 2 - Communication Before Applying ACL.
Notice!
I pinged from the subnet in question (172.31.3.16/28).

R4 Configuration:
!
! Step 1 - Create an ACL statement in the global config
R4(config)#access-list 1 deny 172.31.3.16 0.0.0.15
R4(config)#access-list 1 permit any              
R4(config)#
!
! Step 2 - Apply the ACL on the interface
R4(config)#int s0/2
R4(config-if)#ip access-group 1 in
R4(config-if)#
!

Verification:
Pic. 3 - Communication After Applying ACL.
Notice!
Only packets sourced from the 172.31.3.16/24 are being blocked on R4. The packets from 172.31.3.0/28 are getting through.

Pic. 4 - R4's ACL counters.

I owe you an explanation here.
!
R4(config)#access-list 1 deny 172.31.3.16 0.0.0.15
!

access-list 1 - the number 1 implies the standard ACL (1-99)
deny - the packets meeting the criterion that follows will be denied (dropped)
172.31.3.16 - the source IP criterion
0.0.0.15 - the wildcard mask which is the subnet's inversed network mask

The subnet's network mask is: 255.255.255.240. In the binary it looks like:
11111111.11111111.11111111.11110000

If we inverse this network mask we get:
00000000.00000000.00000000.00001111

That, converted to decimal is: 0.0.0.15

Easy right?
!
R4(config)#access-list 1 permit any
!
permit any - this permits all other source IP. The word 'any' is the alias for:

0.0.0.0 255.255.255.255
Try to write an ACL according to the Task 2 description on your own. I will show you the solution in the next post.

In my next post: solution to the Task 2 and extended ACLs. 

Stop by and see what magic they can do! Meanwhile, happy studying!