6.3 Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

IPv4 ACLs

6.3.a Standard

[Topology screenshot]

Using the above topology, we will use standard ACLs (numbered 1-99) to filter traffic. Relying on the implicit "deny" at the end of every ACL reduces the number of entries needed.

On R1:

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 1 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 2 out
 negotiation auto
!
access-list 1 permit 192.168.122.0 0.0.0.255 log
access-list 2 permit 10.0.2.0 0.0.0.255 log
!

To verify, use pings and extended pings:

BANKING> ping 10.0.0.2   
*10.0.1.1 icmp_seq=1 ttl=255 time=9.955 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=2 ttl=255 time=3.232 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=3 ttl=255 time=2.574 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=4 ttl=255 time=2.354 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=5 ttl=255 time=1.745 ms (ICMP type:3, code:13, Communication administratively prohibited)

DEVOPS> ping 10.0.0.2 
*10.0.2.1 icmp_seq=1 ttl=255 time=9.813 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=2 ttl=255 time=2.622 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=3 ttl=255 time=11.419 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=4 ttl=255 time=10.533 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=5 ttl=255 time=2.351 ms (ICMP type:3, code:13, Communication administratively prohibited)

router#ping
Protocol [ip]: 
Target IP address: 10.0.0.2
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: GigabitEthernet0/0
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.180 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/266/1040 ms
router#

6.3.b Extended

Extended access lists are in the range <100-199>.

Extended ACLs allow us to match on the destination address as well as the protocol:

  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 negotiation auto
!
access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log
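To make the first-match and implicit-deny behaviour of both ACL types concrete, here is an added Python model (written for these notes; it is not from the original post and not Cisco code) that parses the exact access-list lines from 6.3.a and 6.3.b and evaluates packets against them with IOS wildcard-mask semantics. The host addresses 10.0.1.2 for BANKING and 10.0.2.x for DEVOPS are assumptions read off the ACL 101 and ACL 2 entries; the page does not state them. The model also encodes one IOS rule worth knowing when troubleshooting: an `ip access-group` that points at an ACL with no entries permits everything.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed model of IOS numbered ACLs (standard 1-99/1300-1999, extended
# 100-199/2000-2699). The access-list lines below are the page's own; the
# function and class names are mine.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means "don't care",
    so only the bits the wildcard leaves as 0 have to agree."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    src: tuple                           # (network, wildcard)
    protocol: str = "ip"                 # "ip" matches any protocol
    dst: Optional[tuple] = None          # None: standard ACL, destination not checked
    log: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "icmp"

def parse_addr(tok, i):
    """Consume one address spec at tok[i]: "any", "host X", "X W" or a bare host."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1] != "log":
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1            # standard-ACL shorthand for one host

def parse_acl(config_lines):
    """Parse "access-list <n> permit|deny ..." lines into {number: [Entry, ...]}."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        standard = number <= 99 or 1300 <= number <= 1999
        i, protocol, dst = 3, "ip", None
        if not standard:
            protocol, i = tok[i], i + 1          # extended ACLs name the protocol first
        src, i = parse_addr(tok, i)
        if not standard:
            dst, i = parse_addr(tok, i)
        log = i < len(tok) and tok[i] == "log"
        acls.setdefault(number, []).append(Entry(action, src, protocol, dst, log))
    return acls

def evaluate(entries, pkt):
    """Top-down, first match wins; returns (action, matching entry index or None).
    No match means the implicit "deny any" at the end of every ACL. An ACL with
    no entries at all is treated by IOS as non-existent and permits everything."""
    if not entries:
        return "permit", None
    for n, e in enumerate(entries, start=1):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if not wildcard_match(pkt.src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(pkt.dst, *e.dst):
            continue
        return e.action, n
    return "deny", None

PAGE_ACLS = parse_acl([
    "access-list 1 permit 192.168.122.0 0.0.0.255 log",
    "access-list 2 permit 10.0.2.0 0.0.0.255 log",
    "access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log",
    "access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log",
])

def check(acl_number, src, dst, protocol="icmp"):
    """Action the given numbered ACL takes on a packet from src to dst."""
    return evaluate(PAGE_ACLS[acl_number], Packet(src, dst, protocol))[0]

if __name__ == "__main__":
    # Gi1/0 out carries ACL 1: BANKING (assumed 10.0.1.2) to 10.0.0.2 is denied,
    # the router's extended ping sourced from 192.168.122.180 is permitted.
    print(check(1, "10.0.1.2", "10.0.0.2"), check(1, "192.168.122.180", "10.0.0.2"))
```

Running it reproduces the verification output above: the BANKING and DEVOPS pings to 10.0.0.2 leave R1 on Gi1/0, hit ACL 1, match nothing and fall through to the implicit deny, while the extended ping sourced from 192.168.122.180 is permitted. Comparing `check(1, ...)` with `check(100, ...)` for a destination other than 10.0.0.2 shows the practical difference: the standard list never looks at the destination, the extended list does.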

6.3.c Named

Using named ACLs is the same as the above, except that individual sequence numbers can be entered:

  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

router(config)#ip access-list extended RULE1
router(config-ext-nacl)#1 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log

router(config)#ip access-list extended RULE2
router(config-ext-nacl)#1 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log

Then you can delete individual sequence numbers:

router(config)#ip access-list extended RULE1
router(config-ext-nacl)#no ?
  <1-2147483647>  Sequence Number
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  permit          Specify packets to forward
  remark          Access list entry comment

router(config-ext-nacl)#no 1

IPv6 ACLs

According to Cisco: “With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.”

Here is the topology:

[Topology screenshot]

Here are the ACLs:

interface GigabitEthernet0/0
 ip address dhcp
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 ipv6 address 2001:DB8:4::/48 eui-64
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:1::/48 eui-64
 ipv6 traffic-filter RULE1 out
!
interface GigabitEthernet2/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:2::/48 eui-64
 ipv6 traffic-filter RULE2 out
!
interface GigabitEthernet3/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:3::/48 eui-64
!
ipv6 access-list RULE1
 permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log
!
ipv6 access-list RULE2
 permit ipv6 2001:DB8:3::/48 2001:DB8:2::/48 log
!
control-plane
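The sequence-number handling from 6.3.c and the IPv6 lists above share one idea: an ordered set of entries keyed by sequence number, followed by entries IOS appends implicitly. The following Python model is an added example (mine, not from the post and not Cisco code). It assumes IOS's default numbering step of 10 when no sequence is typed, which is why the log line in the verification output reads RULE2/10, and it assumes the implicit tail of an IOS IPv6 ACL: permit ICMPv6 neighbor advertisement and neighbor solicitation, then deny ipv6 any any. The prefixes and rule names are the page's own; the class and function names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Constructed model of an IOS named IPv6 ACL with sequence numbers.

PROTO_ALIAS = {"icmp": "icmpv6"}   # IPv6 ACL syntax says "icmp"; the log says icmpv6

@dataclass(frozen=True)
class V6Entry:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ipv6" matches any protocol, else e.g. "icmpv6"
    src: IPv6Network
    dst: IPv6Network
    icmp_type: Optional[str] = None    # e.g. "nd-ns"; None matches any ICMPv6 type
    log: bool = False

def parse_prefix(tok, i):
    """Consume one IPv6 address spec at tok[i]: "any", "host X" or "X/len"."""
    if tok[i] == "any":
        return IPv6Network("::/0"), i + 1
    if tok[i] == "host":
        return IPv6Network(tok[i + 1] + "/128"), i + 2
    return IPv6Network(tok[i], strict=False), i + 1

# Entries IOS appends to every IPv6 ACL. The ND permits keep neighbor discovery
# working; an explicit "deny ipv6 any any" typed before them shadows them.
IMPLICIT_TAIL = (
    V6Entry("permit", "icmpv6", IPv6Network("::/0"), IPv6Network("::/0"), "nd-na"),
    V6Entry("permit", "icmpv6", IPv6Network("::/0"), IPv6Network("::/0"), "nd-ns"),
    V6Entry("deny", "ipv6", IPv6Network("::/0"), IPv6Network("::/0")),
)

class NamedAcl:
    def __init__(self, name):
        self.name = name
        self.entries = {}              # sequence number -> V6Entry

    def add(self, line, seq=None):
        """Add one entry, e.g. "permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log".
        Without an explicit sequence, IOS numbers entries 10, 20, 30, ..."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + 10
        tok = line.split()
        action, proto = tok[0], PROTO_ALIAS.get(tok[1], tok[1])
        src, i = parse_prefix(tok, 2)
        dst, i = parse_prefix(tok, i)
        icmp_type = None
        if proto == "icmpv6" and i < len(tok) and tok[i] != "log":
            icmp_type, i = tok[i], i + 1
        log = i < len(tok) and tok[i] == "log"
        self.entries[seq] = V6Entry(action, proto, src, dst, icmp_type, log)
        return seq

    def delete(self, seq):
        """Equivalent of "no <seq>" in access-list configuration mode."""
        del self.entries[seq]

    def evaluate(self, src, dst, protocol="icmpv6", icmp_type=None):
        """First match wins. Returns (action, seq); seq is None for an implicit entry."""
        s, d = IPv6Address(src), IPv6Address(dst)
        candidates = [(seq, e) for seq, e in sorted(self.entries.items())]
        candidates += [(None, e) for e in IMPLICIT_TAIL]
        for seq, e in candidates:
            if e.protocol not in ("ipv6", protocol):
                continue
            if e.icmp_type is not None and e.icmp_type != icmp_type:
                continue
            if s in e.src and d in e.dst:
                return e.action, seq
        raise AssertionError("unreachable: the implicit deny matches everything")

def build_page_acls():
    """RULE1 and RULE2 exactly as configured on the page."""
    rule1 = NamedAcl("RULE1")
    rule1.add("permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log")
    rule2 = NamedAcl("RULE2")
    rule2.add("permit ipv6 2001:DB8:3::/48 2001:DB8:2::/48 log")
    return {"RULE1": rule1, "RULE2": rule2}

if __name__ == "__main__":
    acls = build_page_acls()
    # DEVOPS (2001:DB8:3::/48) to 2001:db8:1::1 leaves Gi1/0 and hits RULE1: denied
    print(acls["RULE1"].evaluate("2001:db8:3:0:c801:12ff:fe77:54", "2001:db8:1::1"))
    # the same host to 2001:DB8:2::1 leaves Gi2/0 and hits RULE2: permitted at seq 10
    print(acls["RULE2"].evaluate("2001:DB8:3::1", "2001:DB8:2::1"))
```

Adding `deny ipv6 any any log` at sequence 20 to RULE1 (the usual way to get denies logged, since the implicit deny does not log) shows the ordering gotcha: the explicit deny now sits before the implicit ND permits, so neighbor solicitations are dropped until `permit icmp any any nd-ns` and `permit icmp any any nd-na` are inserted at a lower sequence number, such as 15 and 16. `delete(20)` is the model's `no 20`.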

The steps to verify are as above. Adding the log keyword helps by showing when the ACL is triggered:

router#
*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet
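These log lines are the quickest way to see which entry a packet hit and how often. As an added example (mine, not from the original post), here is a small Python parser for %IPV6_ACL-6-ACCESSLOGDP messages that turns them into records and summarises hits per entry and denied packets per source. The sample input embeds the page's own line and adds constructed lines in the same format; the denied lines assume an explicit `deny ipv6 any any log` entry at sequence 20 in RULE1, because the implicit deny never produces a log message. The leading asterisk on the timestamp means the router's clock is not authoritative, which matters when correlating these events with other logs, so the parser records that too. ICMPv6 type 128 is echo request.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the page's own message; lines 2-3 are made up in
# the same format (they presuppose an explicit "deny ipv6 any any log" at seq 20);
# line 4 is an unrelated IOS message the parser must ignore.
SAMPLE_LOG = """\
*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet
*Dec 9 09:30:01.500: %IPV6_ACL-6-ACCESSLOGDP: list RULE1/20 denied icmpv6 2001:DB8:3::1 -> 2001:DB8:1::1 (128/0), 5 packets
*Dec 9 09:31:07.120: %IPV6_ACL-6-ACCESSLOGDP: list RULE1/20 denied icmpv6 2001:DB8:3::2 -> 2001:DB8:1::1 (128/0), 3 packets
*Dec 9 09:32:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# "DP" messages carry ICMP type/code in parentheses; "(128/0)" is echo request.
LOG_RE = re.compile(
    r"^(?P<ts>\*?\w{3} +\d+ [\d:.]+): %IPV6_ACL-6-ACCESSLOGDP: "
    r"list (?P<acl>\S+)/(?P<seq>\d+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def parse_line(line):
    """One log line -> dict of fields, or None if it is not an ACL log message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "icmp_type", "icmp_code", "count"):
        rec[key] = int(rec[key])
    # IOS prefixes the timestamp with "*" when the clock is not authoritative.
    rec["clock_authoritative"] = not rec["ts"].startswith("*")
    rec["ts"] = rec["ts"].lstrip("*")
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def hits_per_entry(records):
    """Packets counted per (acl, sequence, action), i.e. which entry is doing the work."""
    c = Counter()
    for r in records:
        c[(r["acl"], r["seq"], r["action"])] += r["count"]
    return dict(c)

def denied_sources(records):
    """Denied packets per source address, busiest first."""
    c = Counter()
    for r in records:
        if r["action"] == "denied":
            c[r["src"]] += r["count"]
    return c.most_common()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(hits_per_entry(recs))
    print(denied_sources(recs))
```

`hits_per_entry` is the same information `show ipv6 access-list` gives as match counters, but taken from syslog it survives a counter clear and can be graphed over time; `denied_sources` is what you would look at first when a host on a restricted subnet keeps reporting "administratively prohibited".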

Ping commands will also return “prohibited” when attempting to reach ACL restricted subnets:

DEVOPS> ping 2001:db8:1::1

*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=1 ttl=64 time=18.509 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=2 ttl=64 time=9.367 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=3 ttl=64 time=9.834 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=4 ttl=64 time=9.151 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=5 ttl=64 time=9.522 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
