Friday, December 5, 2008
be refreshing!
I’ll get to IPv6 in the bottom of this, it might prove extremely useful to understand the concept at first.
What are Access Control Lists?
ACLs are simple rulesets, they can be used to filter network traffic, routing updates, matching packets and a lot of different uses. The most common and basic usage must be to restrict network traffic to your router by applying it on the vty lines.
The access control lists have numbers and can also have text as identifiers, each number or string represents a specific access control list.
There are several “classes” of Access Control Lists, the most common ones are
- IP Standard Access List
List numbers 1-99, can only define source or destination, not source and destination. - IP Extended Access List
List numbers 100-199, can define both source and destination as well as port and protocol numbers.
Okay, I understand…. but how do I configure it?
A IP standard access control list with two entries is configured like this
Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255
To apply this inbound on an interface, just use
Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in
The alternative way to define an access list number 5 with two entries is
Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#
To apply this one inbound on a line interface
Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in
Nice, now I have a lot of ACLs configured in my network for all the IPv4 traffic, mon ami! But IPv6 traffic still seems to keep flowing right through, thought you said you were supposed to make sense of all this in the end?
Yeah, I know I promised that and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need to understand basic IPv6 subnetting theory to be able to filter subnets (obviously), if anyone wants me to write an article about it, just comment about it and I will get on to it ASAP. When you learn that, you will see that IPv6 access control lists are pretty much the same as for IPv4.
Anyways, I take for granted you understand IPv6 subnetting by now so I will just get right on to the configuration, an example for an IPv6 access list in Cisco IOS follows
Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:100::/32 any
To verify the access-lists just look at this
Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20
Router#
To apply this IPv6 Access Control List to an interface, just do as follows
Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in
To apply this IPv6 access control list to a line
Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in
Labels: CISCO, Cisco configure, Cisco IOS, CISCO MARS, Cisco Network, Cisco Router, Cisco Switches