5. ACLs for IPv4 Configuration - Coggle Diagram
5.2 Modifying ACLs for IPv4
5.2.1 Two Methods for Modifying an ACL
After configuring an ACL (Access Control List), it may need to be modified. ACLs with multiple ACEs (Access Control Entries) can be complex to configure. Sometimes, the configured ACE does not produce the expected behaviors. For these reasons, ACLs may initially require some trial and error to achieve the desired filtering result.
The two methods that can be used to modify an ACL:
Using a text editor
Using sequence numbers
5.2.2 Text Editor Method
ACLs with multiple ACEs should be created in a text editor, then pasted onto the device.
R1# show run | section access-list
access-list 1 deny
access-list 1 permit
5.2.3 Sequence Numbers Method
An ACE (Access Control Entry) in an ACL (Access Control List) can also be added or removed using ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered.
R1# show access-lists
ip access-list standard
5.2.4 Modify a Named ACL Example
Named ACLs can also use sequence numbers to add and remove ACEs.
R1# show access-lists
R1(config)# ip access-list standard NO-ACCESS
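An added illustration (not code from the course page) of the sequence-number method: a small Python model of a named standard ACL in which IOS numbers each ACE, an entry can be inserted at an explicit sequence number or removed with no <seq>, and lookups are evaluated top-down with first match winning and the implicit deny last. The NO-ACCESS entries and addresses are constructed samples, and auto-numbering as "last sequence + 10" is an assumption of the model.

```python
import ipaddress

# Added example, not from the course page: a model of how IOS assigns sequence
# numbers to ACEs in a named standard ACL, how 'no <seq>' removes one, and how
# the ACL is evaluated top-down, first match wins, ending in the implicit deny.
# Auto-numbering is modelled as last sequence + 10 (assumption).

class StandardAcl:
    def __init__(self, name):
        self.name = name
        self.aces = {}   # sequence number -> (action, network int, wildcard int)

    def add(self, action, source, wildcard="0.0.0.0", seq=None):
        """Add an ACE; an explicit 'seq' places it between existing entries."""
        if seq is None:
            seq = max(self.aces, default=0) + 10
        if seq in self.aces:
            raise ValueError(f"sequence {seq} already in use")
        self.aces[seq] = (action, int(ipaddress.IPv4Address(source)),
                          int(ipaddress.IPv4Address(wildcard)))
        return seq

    def remove(self, seq):
        """Equivalent of 'no <seq>' in named ACL configuration mode."""
        del self.aces[seq]

    def lookup(self, src):
        """Return (action, seq) of the first ACE matching the source address,
        or ('deny', None) for the implicit deny any at the end of every ACL."""
        addr = int(ipaddress.IPv4Address(src))
        for seq in sorted(self.aces):
            action, net, wild = self.aces[seq]
            care = 0xFFFFFFFF ^ wild   # wildcard bit 0 = must match, 1 = ignore
            if (addr & care) == (net & care):
                return action, seq
        return "deny", None

def demo():
    """Constructed NO-ACCESS ACL: insert a deny at 15 ahead of the permit at 20."""
    acl = StandardAcl("NO-ACCESS")
    acl.add("deny", "192.168.10.10")                 # seq 10: deny one host
    acl.add("permit", "192.168.10.0", "0.0.0.255")   # seq 20: permit the LAN
    before = acl.lookup("192.168.10.5")              # permitted by seq 20
    acl.add("deny", "192.168.10.5", seq=15)          # 15 deny host 192.168.10.5
    after = acl.lookup("192.168.10.5")               # now denied by seq 15
    acl.remove(15)                                   # no 15
    return before, after, sorted(acl.aces), acl.lookup("10.1.1.1")
```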
5.2.6 Syntax Checker - Modify IPv4 ACLs
To track how many packets the implicit deny has matched, you must manually configure
clear access-list counters
Configure Extended IPv4 ACLs
Numbered Extended ACL
Created using the access-list access-list-number global configuration command.
Syntax
The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4 ACLs.
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
TCP Established Extended ACL
An extended ACL can also perform basic stateful firewall services using the TCP established keyword. The keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network. Because established matches only TCP segments with the ACK or RST flag set, it filters on flags rather than on tracked connection state.
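An added example (not from the course page) of how an extended ACL with the established keyword behaves: a first-match evaluator in which an ACE marked established matches only TCP segments carrying ACK or RST, so the reply to a connection opened from inside is permitted while an unsolicited connection attempt from outside falls through to the implicit deny. The ACL, the 192.168.10.0/24 inside network, the web server and the packets are constructed samples for an ACL applied inbound on an outside interface.

```python
import ipaddress

# Added example, not from the course page: a model of an extended ACL that uses
# the TCP 'established' keyword. 'established' does not track sessions; it
# matches only TCP segments whose ACK or RST flag is set, which is what the
# reply half of a connection opened from inside looks like. The ACL, network
# and packets below are constructed samples for an inbound outside interface.

def _matches(addr, spec):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (contiguous only)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    # ipaddress accepts a hostmask (wildcard) in place of a prefix length
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{wild}", strict=False)

def evaluate(acl, pkt):
    """First-match evaluation; returns (action, ACE index) or ('deny', None)
    for the implicit deny that closes every ACL."""
    for i, ace in enumerate(acl):
        if ace["proto"] != pkt["proto"]:
            continue
        if not (_matches(pkt["src"], ace["src"]) and _matches(pkt["dst"], ace["dst"])):
            continue
        if "dport" in ace and ace["dport"] != pkt["dport"]:
            continue
        if ace.get("established") and not (pkt["flags"] & {"ACK", "RST"}):
            continue   # a bare SYN is a new connection attempt, not a reply
        return ace["action"], i
    return "deny", None

# constructed ACL, applied with 'ip access-group ... in' on the outside interface
OUTSIDE_IN = [
    {"action": "permit", "proto": "tcp", "src": "any",
     "dst": "192.168.10.0 0.0.0.255", "established": True},
    {"action": "permit", "proto": "tcp", "src": "any",
     "dst": "host 192.168.10.10", "dport": 80},
]

def demo():
    reply = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.11",
             "dport": 51000, "flags": {"SYN", "ACK"}}  # answer to an inside client
    unsolicited = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.11",
                   "dport": 22, "flags": {"SYN"}}      # new connection from outside
    web = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.10",
           "dport": 80, "flags": {"SYN"}}              # allowed by the explicit ACE
    return evaluate(OUTSIDE_IN, reply), evaluate(OUTSIDE_IN, unsolicited), evaluate(OUTSIDE_IN, web)
```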
Named Extended ACL
Created using the ip access-list extended access-list-name global configuration command.
Syntax
To create a named extended ACL, use the following global configuration command:
Router(config)# ip access-list extended access-list-name
This command enters the named extended configuration mode. Recall that ACL names are alphanumeric, case sensitive, and must be unique.
In the example, a named extended ACL called NO-FTP-ACCESS is created and the prompt changes to named extended ACL configuration mode. ACE statements are entered in the named extended ACL subconfiguration mode.
R1(config)# ip access-list extended NO-FTP-ACCESS
R1(config-ext-nacl)#
Verify Extended ACLs
show ip interface
The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied, as shown in the output.
show access-lists
can be used to confirm that the ACLs work as expected. The command displays statistic counters that increase whenever an ACE is matched.
show running-config
can be used to validate what was configured. The command also displays configured remarks.
The output can be filtered to display only pertinent information (for example, show running-config | section access-list).
5.3 Secure VTY Ports with a Standard IPv4 ACL
5.3.1 The access-class Command
ACLs typically filter incoming or outgoing traffic on an interface. However, an ACL can also be used to secure remote administrative access to a device using the vty lines.
Use the following two steps to secure remote administrative access to the vty lines:
Create an ACL to identify which administrative hosts should be allowed remote access.
Apply the ACL to incoming traffic on the vty lines.
5.3.2 Secure VTY Access Example
To further secure access, a username and password will be created, and the login local authentication method will be used on the vty lines. The command in the example creates a local database entry for a user ADMIN and password class.
A named standard ACL called ADMIN-HOST is created and identifies PC1. Notice that the deny any has been configured to track the number of times access has been denied. The vty lines are configured to use the local database for authentication, permit Telnet traffic, and use the ADMIN-HOST ACL to restrict traffic.
5.3.3 Verify the VTY Port is Secured
After the ACL to restrict access to the vty lines is configured, it is important to verify that it is working as expected.
To verify the ACL statistics, issue the show access-lists command. Notice the informational message displayed on the console regarding the admin user. An informational console message is also generated when a user exits the vty line.
5.1 Configure Standard IPv4 ACLs
Create an ACL
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature. The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the following global configuration command:
Router(config)# ip access-list standard access-list-name
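An added example (not the course's own tooling) of the "Create an ACL" steps in 5.1 and the two steps in 5.3: write the policy out in a text editor, then generate the exact numbered standard ACL commands, with remarks and an explicit counted deny, plus the ip access-group and access-class lines to paste onto the router. The policy, interface name and addresses are constructed samples.

```python
import ipaddress

# Added example, not the course's own tooling: turn a written policy into the
# IOS commands for a numbered standard ACL (5.1) and the commands that bind it
# to an interface or to the vty lines (5.3). Policy and names are constructed.

def wildcard(prefix):
    """(network, wildcard) for a CIDR prefix; the wildcard is the inverted mask."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)

def standard_acl(number, policy):
    """policy: ordered list of (action, prefix, remark). An explicit
    'deny any log' is appended so that denied packets are counted, which
    the implicit deny at the end of the ACL does not do."""
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("standard ACL numbers are 1-99 or 1300-1999")
    lines = []
    for action, prefix, remark in policy:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        net, wild = wildcard(prefix)
        lines.append(f"access-list {number} remark {remark}")
        if wild == "0.0.0.0":
            lines.append(f"access-list {number} {action} host {net}")
        else:
            lines.append(f"access-list {number} {action} {net} {wild}")
    lines.append(f"access-list {number} remark count everything else that is dropped")
    lines.append(f"access-list {number} deny any log")
    return lines

def apply_to_interface(number, interface, direction):
    """Bind the ACL to an interface with ip access-group."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return [f"interface {interface}", f" ip access-group {number} {direction}"]

def apply_to_vty(number):
    """Restrict remote administrative access on the vty lines with access-class."""
    return ["line vty 0 4", " login local", f" access-class {number} in"]

POLICY = [  # constructed policy: block one lab PC, allow the rest of LAN 10
    ("deny", "192.168.10.10/32", "block the lab PC"),
    ("permit", "192.168.10.0/24", "allow the rest of LAN 10"),
]

def demo():
    return standard_acl(10, POLICY) + apply_to_interface(10, "GigabitEthernet0/0/0", "out")
```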