Configuring Extended IP Access Lists

20 Mar

Extended IP access lists match a packet on its source and destination addresses and, optionally, on protocol-type information, which gives finer control than a standard access list, which matches only on the source IP address. This allows for greater flexibility in the packet-matching characteristics used to decide whether or not to forward a packet.

Except for configuring the packet-matching features of the access list, the process used to configure an extended IP access list is the same process used to configure a standard IP access list. To configure an extended access list, follow these steps:

1. Use the following command to define the extended access list (the precedence, tos and log parameters are optional):

access-list <access-list-number> <deny | permit> <protocol> <source source-wildcard> <destination destination-wildcard> [precedence <precedence-value>] [tos <tos-value>] [log | log-input]

2. Use this command to select the interface on which the access list will be applied:

interface <interface-name> <interface-number>

3. Use the following command to apply the access list to the interface:

ip access-group <access-list-number> <in | out>

When applied inbound or outbound, the access list functions the same as it does in a standard access list configuration (see Step 3 in the section “Configuring Standard IP Access Lists”).

Note: An access list that is applied to an interface with ip access-group but for which no access-list entries have been defined is interpreted by the router as a permit for all traffic. This is sometimes called an undefined access list.

In Step 1, the access-list-number parameter is the identification number of the access list; the number range for an extended IP access list can be any number from 100 to 199. The protocol specifies either the name or number of an IP protocol that is carried in the header of the packet. The values that can be used for this field are listed in Table 7.2. The source and destination fields specify the number of the network or host in a 32-bit dotted-decimal format. The keywords any and host may be used to simplify the configuration. The source-wildcard and destination-wildcard fields specify which bits of the source or destination address are to be checked. The wildcard is written as a 32-bit dotted-decimal value in which a 1 bit means that bit position is ignored and a 0 bit means it must match the configured address. If the keyword any is used for the source or destination, a wildcard mask of all 1s is assumed. If the keyword host is used for the source or destination, a wildcard mask of all 0s is assumed.

Specification of the precedence value is optional and allows for filtering based on the configured precedence value of the packet. The precedence-value field may be populated by either a name or a number. The values that can be used to specify the precedence are listed in Table 7.3.

The optional log parameter generates an informational syslog message for each packet that matches the entry. Figure 7.5 displays a network in which packet filtering using extended access lists may be used. Raul should be configured to allow only connection requests to 192.168.50.50 from 192.168.30.30 and to allow only connection requests from 192.168.20.21 to 192.168.40.41. Listing 7.7 shows the configuration for Raul, and Listing 7.8 shows the configuration for Chris.

Figure 7.5: Two routers configured for extended access lists.
Listing 7.7: Extended access list configuration of Raul.

!
interface FastEthernet1/0
 ip address 192.168.10.2 255.255.255.0
 no ip directed-broadcast
 ip access-group 101 in
!
interface FastEthernet2/0
 ip address 192.168.40.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet3/0
 ip address 192.168.50.1 255.255.255.0
 no ip directed-broadcast
!
ip route 192.168.20.0 255.255.255.0 192.168.10.1
ip route 192.168.30.0 255.255.255.0 192.168.10.1
!
access-list 101 permit ip host 192.168.30.30 host 192.168.50.50 log
access-list 101 permit ip host 192.168.20.21 host 192.168.40.41 log
!

Listing 7.8: Extended access list configuration of Chris.

hostname Chris
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet1
 ip address 192.168.30.1 255.255.255.0
 no ip directed-broadcast
!
ip route 192.168.40.0 255.255.255.0 192.168.10.2
ip route 192.168.50.0 255.255.255.0 192.168.10.2
!

The configuration of Raul in Listing 7.7 makes use of the keyword host in the access list configuration. When the host parameter is used, there is no need to specify a wildcard mask because an all-0s mask is assumed by the router. To make sure the configuration is correct and that Raul is allowing only the connections the access list is configured for, you must do some testing. Running the debug ip packet command on Raul will help you to determine the effects of the access list. If you try to ping host 192.168.50.50 from the workstation with the IP address 192.168.30.31, the ping should fail. Listing 7.9 shows an attempt to ping from 192.168.30.31 to 192.168.50.50.

Listing 7.9: Ping attempt to 192.168.50.50 from 192.168.30.31.

C:\>ping 192.168.50.50
Pinging 192.168.50.50 with 32 bytes of data:
Reply from 192.168.10.2: Destination net unreachable
Reply from 192.168.10.2: Destination net unreachable
Reply from 192.168.10.2: Destination net unreachable
Reply from 192.168.10.2: Destination net unreachable

When you look at Raul, which has the debug ip packet command running, you will note that it is denying the ping request packets. In the output in Listing 7.10, you can see each ping packet being denied.

Listing 7.10: Output of the debug ip packet command on Raul.

ip: s=192.168.10.2, d=192.168.30.31, len 56, sending
ip: s=192.168.30.31, d=192.168.50.50, len 100, access denied
!
ip: s=192.168.10.2, d=192.168.30.31, len 56, sending
ip: s=192.168.30.31, d=192.168.50.50, len 100, access denied
!
ip: s=192.168.10.2, d=192.168.30.31, len 56, sending
ip: s=192.168.30.31, d=192.168.50.50, len 100, access denied
!
ip: s=192.168.10.2, d=192.168.30.31, len 56, sending
ip: s=192.168.30.31, d=192.168.50.50, len 100, access denied

The connection request to 192.168.50.50 was denied at Raul because no permit entry in the access list matches the packet's source address, so the packet fell through to the implicit deny at the end of the list. However, if you try to access 192.168.50.50 from 192.168.30.30 using the ping command, everything should work. Listing 7.11 displays the output of the ping command issued on 192.168.30.30.
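The evaluation that the two ping tests exercise, as an added Python example that is not part of the original page and not Cisco code: it parses the two access-list 101 entries of Listing 7.7 (plus a constructed list 102 that uses an explicit wildcard mask and a port clause), then applies the rules described earlier in the section: first match wins, an implicit deny at the end of every list, an all-0s mask for host, an all-1s mask for any, and permit-all for an undefined list as in the Note above. Port operators such as eq are skipped rather than matched, and the per-entry counter mimics the "(n matches)" column of show access-lists. All sample addresses other than those from Listing 7.7 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration: the two entries of access list 101 are the
# ones from Listing 7.7; access list 102 is made up to show an explicit
# wildcard mask and a port clause (the port itself is not evaluated here).
SAMPLE_CONFIG = """
!
ip access-group 101 in
!
access-list 101 permit ip host 192.168.30.30 host 192.168.50.50 log
access-list 101 permit ip host 192.168.20.21 host 192.168.40.41 log
access-list 102 permit tcp 192.168.20.0 0.0.0.255 host 192.168.40.41 eq 23
!
"""

ALL_ONES = 0xFFFFFFFF    # wildcard assumed for 'any': every bit ignored
ALL_ZEROS = 0x00000000   # wildcard assumed for 'host': every bit must match
_PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens to skip


@dataclass
class Ace:
    action: str       # "permit" or "deny"
    protocol: str     # "ip" matches any IP protocol; "tcp", "udp", ... match one
    src: int          # address as a 32-bit integer
    src_wild: int     # wildcard: a 1 bit means "do not check this bit"
    dst: int
    dst_wild: int
    log: bool = False
    matches: int = 0  # counter shown as "(n matches)" by show access-lists


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), ALL_ZEROS, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def _skip_port(tokens, i):
    """Skip an 'eq 23' / 'range 20 21' clause; ports are not matched here."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        return i + _PORT_OPS[tokens[i]]
    return i


def parse_access_lists(config_text):
    """Collect access-list lines into {number: [Ace, ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, src_wild, i = _parse_addr(tokens, 4)
        i = _skip_port(tokens, i)
        dst, dst_wild, i = _parse_addr(tokens, i)
        i = _skip_port(tokens, i)
        log = any(t in ("log", "log-input") for t in tokens[i:])
        acls.setdefault(number, []).append(
            Ace(action, proto, src, src_wild, dst, dst_wild, log))
    return acls


def _addr_matches(addr, entry_addr, wildcard):
    # Only the bit positions that are 0 in the wildcard are compared.
    care = ~wildcard & ALL_ONES
    return (addr & care) == (entry_addr & care)


def evaluate(acls, number, src, dst, protocol="ip"):
    """Return (action, matched Ace or None) for one packet; first match wins."""
    if number not in acls:
        return "permit", None          # undefined list: the router permits all
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acls[number]:
        if ace.protocol not in ("ip", protocol):
            continue
        if _addr_matches(s, ace.src, ace.src_wild) and \
                _addr_matches(d, ace.dst, ace.dst_wild):
            ace.matches += 1
            return ace.action, ace
    return "deny", None                # implicit deny at the end of every list


def _fmt_addr(addr, wild):
    if wild == ALL_ZEROS:
        return "host " + str(ipaddress.IPv4Address(addr))
    if wild == ALL_ONES:
        return "any"
    return f"{ipaddress.IPv4Address(addr)} {ipaddress.IPv4Address(wild)}"


def show_access_list(acls, number):
    """Render one list in the style of 'show access-lists', with match counts."""
    lines = [f"Extended IP access list {number}"]
    for ace in acls.get(number, []):
        entry = (f"    {ace.action} {ace.protocol} "
                 f"{_fmt_addr(ace.src, ace.src_wild)} {_fmt_addr(ace.dst, ace.dst_wild)}")
        entry += " log" if ace.log else ""
        entry += f" ({ace.matches} matches)" if ace.matches else ""
        lines.append(entry)
    return "\n".join(lines)


if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_CONFIG)
    # The two pings from the text: .30.31 is denied, .30.30 is permitted.
    for src in ("192.168.30.31", "192.168.30.30"):
        action, _ = evaluate(acls, 101, src, "192.168.50.50", "icmp")
        print(f"ip: s={src}, d=192.168.50.50 -> {action}")
    print(show_access_list(acls, 101))
```

Running it reproduces the two outcomes from Listings 7.10 and 7.12 (access denied for 192.168.30.31, permitted for 192.168.30.30) and then prints list 101 with a single match recorded against the first entry, the same shape of output as the show command at the end of this section.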

Listing 7.11: Ping attempt to 192.168.50.50 from 192.168.30.30.

C:\>ping 192.168.50.50
Pinging 192.168.50.50 with 32 bytes of data:
Reply from 192.168.50.50: bytes=32 time=126ms TTL=233
Reply from 192.168.50.50: bytes=32 time=117ms TTL=233
Reply from 192.168.50.50: bytes=32 time=117ms TTL=233
Reply from 192.168.50.50: bytes=32 time=116ms TTL=233

The ping request worked, so now you can look again at the debug output on Raul, as displayed in Listing 7.12.

Listing 7.12: Output of the debug ip packet command on Raul.

ip: s=192.168.30.30, d=192.168.50.50, len 100, rcvd 4
ip: s=192.168.50.50, d=192.168.30.30, len 100, sending
!
ip: s=192.168.30.30, d=192.168.50.50, len 100, rcvd 4
ip: s=192.168.50.50, d=192.168.30.30, len 100, sending
!
ip: s=192.168.30.30, d=192.168.50.50, len 100, rcvd 4
ip: s=192.168.50.50, d=192.168.30.30, len 100, sending
!
ip: s=192.168.30.30, d=192.168.50.50, len 100, rcvd 4
ip: s=192.168.50.50, d=192.168.30.30, len 100, sending

Another troubleshooting command to issue is the show ip access-lists command, which displays each access list configured on the router; if the optional log parameter is specified in the configuration of the access list, the show ip access-lists command will display the number of matches the access list has encountered. Issuing the show ip access-lists command on Raul displays the number of packets that have matched access list 101:

Raul#sh access-lists
Extended IP access list 101
    permit ip host 192.168.30.30 host 192.168.50.50 log (13222 matches)
    permit ip host 192.168.20.21 host 192.168.40.41 log
