Wednesday, February 22, 2012

ACCESS-LISTS


Access-Lists

  • The two core access-list types are standard and extended. A standard ACL matches only on source IP, while an extended ACL has more flexibility and can match on IP protocol number, source/destination address, TCP/UDP ports (eq, neq, lt, gt, range), ICMP type and code, TCP state (the established keyword), QoS packet markings (DSCP/IPP) and non-initial fragments (the fragments keyword).
  • We can use a named access-list to give it a relevant name that better describes its function.
  • An ACL can have a different meaning depending on where it is used: for example, in BGP filtering with a distribute-list the source part represents the network while the destination part represents the prefix mask.
  • In an IGP the source represents the source of the update and the destination represents the network address.
  • In the data plane the source is the source of the traffic and the destination is the destination of the traffic.
  • ACLs have many different functions; they can be used for data-plane traffic with the access-group command.
  • They can be used in a class-map for traffic classification (match access-group).
  • They can be used in route filtering with a distribute-list or route-map.
  • They can be used to limit access to devices, i.e. vty lines with access-class in/out.
Access Logging

  • An access-list can also be set to log, but bear in mind that in order to log, the router will process switch the matching traffic rather than CEF switch it, so it could potentially have a significant performance impact.
  • There are two main logging types, log vs log-input; the main difference is that log-input includes the incoming interface plus the layer 2 originating address.
  • We can rate limit the logging with ip access-list logging interval.
  • ip access-list log-update threshold "hits" - you can say, for example, update every 10 hits.
  • logging rate-limit - this will rate limit all logging, not just access-list logging.
  • We can also use access-list correlation tags; these are basically ways to add a string or value to make the log more recognisable, and they are used a lot when logging to a syslog server.
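Because the log and log-input messages end up on a syslog server, it is worth seeing how to parse them. The following is an added example written for this post, not code from the original or from Cisco: a parser for the %SEC-6-IPACCESSLOG* message format that the lab output later in the post shows, plus an aggregation of denied packets per flow. The sample lines are constructed here; the first three copy the shape of the messages in the post, the TCP lines (IPACCESSLOGP, the FastEthernet0/0 interface and the MAC address) are assumed from the same message family. The "N packets" field is summed rather than lines counted, because IOS batches matches into a single message once the log-update threshold or logging interval applies.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed regex for IOS %SEC-6-IPACCESSLOG{P,DP,SP,...} messages.
# The "(interface [mac])" group after the source only appears for entries
# configured with "log-input"; plain "log" omits it.
ACL_LOG_RE = re.compile(r"""
    %SEC-6-(?P<mnemonic>IPACCESSLOG[A-Z]+):\s+
    list\s+(?P<acl>\S+)\s+
    (?P<action>permitted|denied)\s+
    (?P<proto>\S+)\s+
    (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?
    (?:\s+\((?P<in_if>[^\s)]+)(?:\s+(?P<l2>[^\s)]+))?\s*\))?   # log-input only
    \s+->\s+
    (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?
    (?:\s+\((?P<type_code>[^)]*)\))?                           # icmp type/code, igmp type
    ,\s+(?P<count>\d+)\s+packets?
""", re.VERBOSE)

# Constructed sample log buffer. Lines 1-3 mirror the post's lab output
# (line 2 and 3 are from log-input entries, hence the interface);
# lines 4-6 are assumed TCP messages; line 7 is an unrelated syslog line.
SAMPLE_LOG: List[str] = [
    "*Feb 21 20:38:27.367: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 2.1.1.1 -> 155.0.58.2 (0/0), 1 packet",
    "*Feb 21 20:40:51.511: %SEC-6-IPACCESSLOGSP: list 101 denied igmp 155.0.0.1 (Serial0/0/0 ) -> 224.0.0.1 (0), 1 packet",
    "*Feb 21 20:41:05.715: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 2.1.1.1 (Serial0/0/0 ) -> 155.0.58.2 (0/0), 1 packet",
    "*Feb 21 20:45:10.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.1.1.1(11001) -> 155.0.58.2(23), 1 packet",
    "*Feb 21 20:45:40.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.1.1.1(11002) (FastEthernet0/0 0012.3456.789a) -> 155.0.58.2(23), 3 packets",
    "*Feb 21 20:46:02.300: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 2.1.1.1(23) -> 155.0.58.2(11003), 5 packets",
    "*Feb 21 20:46:30.000: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one IPACCESSLOG message, or None for other lines."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


FlowKey = Tuple[str, str, str, str]   # (acl, proto, src, dst)


def summarize_denies(lines: List[str]) -> Dict[FlowKey, int]:
    """Total denied packets per (acl, proto, src, dst).

    Sums the trailing "N packets" field instead of counting lines, because a
    single message can stand for many matches once log-update threshold or
    logging interval batches them.
    """
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for key, packets in sorted(summarize_denies(SAMPLE_LOG).items(),
                               key=lambda kv: -kv[1]):
        acl, proto, src, dst = key
        print(f"list {acl} denied {proto} {src} -> {dst}: {packets} packets")
```

Feeding the real log buffer in (for example the output of show log, or the syslog server's file) instead of SAMPLE_LOG gives a per-flow view of what the deny entry is dropping, which is what you want before deciding whether a deny is expected or a sign of something probing the WAN side.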

Commands
access-list 1-101 permit "source" "wildcard mask"
access-list 101-200 permit "protocol" "source" "wildcard mask" "destination" "wildcard mask" eq "port number"
ip access-list standard "name"
permit "source" "wildcard mask"

ip access-list extended "name"
permit "protocol" "source" "destination" eq "port number"

access-list 1-101 permit "source" "wildcard mask" log
access-list 1-101 permit "source" "wildcard mask" log-input

The same keywords can be applied to extended access-lists.
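To make the matching rules above concrete, here is an added example (written for this post, not Cisco code and not from the original) that models how IOS walks an access-list: entries in sequence-number order with first match winning, the implicit deny ip any any at the end, wildcard-mask matching where a 1 bit means "don't care", the duplicate-sequence-number rejection seen in the lab, and the established keyword, which only matches TCP segments carrying ACK or RST. The build_lab_acl function reproduces ACL 101 as the lab's final show access-list prints it; the Packet and Entry classes, the flag constants and the sample addresses in the usage are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not IOS code: a small model of IOS access-list evaluation.
# Logging is not modelled here; the "log" field is kept only so the lab's
# entries can be reproduced faithfully.

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: int = 0


@dataclass
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches every IP protocol
    src: str = "0.0.0.0"           # "any" is 0.0.0.0 with wildcard 255.255.255.255
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None    # models "eq <port>" on the destination
    established: bool = False
    log: bool = False
    matches: int = 0               # what "show access-list" reports as (N matches)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # the bits that must be equal
    return (a & care) == (b & care)


class AccessList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}

    def add(self, entry: Entry) -> None:
        # IOS refuses a reused sequence number, as the lab shows
        if entry.seq in self.entries:
            raise ValueError("% Duplicate sequence number")
        self.entries[entry.seq] = entry

    @staticmethod
    def _matches(e: Entry, pkt: Packet) -> bool:
        if e.proto != "ip" and e.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            return False
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            return False
        if e.dport is not None and pkt.dport != e.dport:
            return False
        # "established": only the reply half of a TCP session (ACK or RST set);
        # a bare SYN, i.e. a new session from outside, never matches
        if e.established and (pkt.proto != "tcp"
                              or not pkt.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
        return True

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, sequence) of the first matching entry.
        ("deny", None) means the implicit deny at the end of the list fired."""
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if self._matches(e, pkt):
                e.matches += 1
                return e.action, seq
        return "deny", None


def build_lab_acl() -> AccessList:
    """ACL 101 as it appears in the post's final "show access-list" output."""
    acl = AccessList("101")
    acl.add(Entry(2, "permit", "tcp", established=True))
    acl.add(Entry(10, "permit", "eigrp"))
    acl.add(Entry(19, "deny", "ip", log=True))
    acl.add(Entry(20, "deny", "ip"))
    return acl


if __name__ == "__main__":
    acl = build_lab_acl()
    # s1 (2.1.1.1) opening telnet towards s2 (155.0.58.2): a bare SYN is denied
    print(acl.evaluate(Packet("tcp", "2.1.1.1", "155.0.58.2", 11000, 23, TCP_SYN)))
    # s1's SYN-ACK reply to a session s2 opened: ACK is set, so entry 2 permits it
    print(acl.evaluate(Packet("tcp", "2.1.1.1", "155.0.58.2", 23, 11000, TCP_SYN | TCP_ACK)))
```

The model also explains why entry 20 in the lab never gains matches once entry 19 exists: both are deny ip any any, and first match wins, so everything falls on 19.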

LAB
----
OK, for the lab we will look at the established access-list and logging.
In this section sw4, sw2 and r5 are the inside of the network; r5's frame relay connection out is the WAN connection, or outside.

So for the established access-list lab we do not want to allow any traffic in to sw2 that is not a reply to traffic sw2 originated.
r5 will do the filtering.

r5(config)#int s0/0/0
r5(config)#access-list 101 permit eigrp any any
r5(config)#access-list 101 deny ip any any
r5(config-if)#ip access-group 101 in

OK, on r5 for the inbound access-list we deny all traffic except EIGRP, because we want to keep our EIGRP session up into r5; r5 is the transit to s2.
s2
---
OK, so on s2 we can not ping 2.1.1.1:
s2#ping 2.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
s2#

r5
---
OK, on r5 let's add logging to see what is happening:
r5(config)#ip access-list extended 101
r5(config-ext-nacl)#20 deny ip any any log
% Duplicate sequence number
r5(config-ext-nacl)#19  deny ip any any log

r5#sh access-list 101
Extended IP access list 101
    10 permit eigrp any any (186 matches)
    19 deny ip any any log (13 matches)
    20 deny ip any any (83 matches)
r5#

So I have just added a deny ip any any with the log keyword.

If we ping again from r2, on the r5 log we can see:

5#sh log
Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 55 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 2 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 59 message lines logged
Log Buffer (9999 bytes):
*Feb 21 20:38:27.367: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 2.1.1.1 -> 155.0.58.2 (0/0), 1 packet
r5#

Let's try log-input to see the difference:

config-ext-nacl)#18  deny ip any any log-input

*Feb 21 20:40:51.511: %SEC-6-IPACCESSLOGSP: list 101 denied igmp 155.0.0.1 (Serial0/0/0 ) -> 224.0.0.1 (0), 1 packet
*Feb 21 20:41:05.715: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 2.1.1.1 (Serial0/0/0 ) -> 155.0.58.2 (0/0), 1 packet

OK, back to the issue: our traffic is being denied from sw1 even though it is a reply to traffic from sw2, which represents our inside network.

s2
---
I can not even telnet:
s2#telnet 2.1.1.1
Trying 2.1.1.1 ...

r5
---
r5(config)#ip access-list extended 101
r5(config-ext-nacl)#2 permit tcp any any eq 23 established
r5(config-ext-nacl)#

s2
---
s2#telnet 2.1.1.1
Trying 2.1.1.1 ... Open

User Access Verification
Username: cisco
Password:
s1>

r5
---
r5#sh access-list
Extended IP access list 101
    2 permit tcp any any established (54 matches)
    10 permit eigrp any any (237 matches)
    19 deny ip any any log (172 matches)
    20 deny ip any any (33 matches)
Extended IP access list 102

We can see the hits on the established entry.

s1
---
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
s1#
I am denied.
So it is working: from inside I can telnet to s1 and receive back s1's packets, but s1 can not initiate a session with me.
