Extended ACL
Extended ACL example:
ip access-list extended VLAN_Access
remark - from VLAN100 to VLAN200 -
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark - from VLAN100 to VLAN300 -
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any
Resequencing
How to resequence ACL entries example:
do sh ip access-lists 100
Extended IP access list 100
10 deny ip 172.16.0.0 0.0.255.255 10.72.0.0 0.0.255.255
20 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (7838 matches)
27 permit tcp host 199.99.99.99 eq 443 host 172.16.16.16 eq 443
28 deny ip 199.99.99.0 0.0.0.255 any (34602 matches)
30 permit ip any any (298676 matches)
ip access-list resequence 100 10 10
// ip access-list resequence (ACL name or number) (starting sequence number) (increment between entries)
do sh ip access-lists 100
Extended IP access list 100
10 deny ip 172.16.0.0 0.0.255.255 10.72.0.0 0.0.255.255
20 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (7936 matches)
30 permit tcp host 199.99.99.99 eq 443 host 172.16.16.16 eq 443
40 deny ip 199.99.99.0 0.0.0.255 any (34904 matches)
50 permit ip any any (299146 matches)
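As an added example (not from the original page and not a Cisco tool), a small Python evaluator for the extended ACL entries shown above: it applies Cisco wildcard masks, walks the entries in sequence order so that the first match wins, and falls through to the implicit deny at the end. The sample lists are copied from the page's VLAN_Access ACL and ACL 100 output; the function names and test flows are constructed here, and only the `eq` port operator is handled.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)   # wildcard 1 bits are "don't care", 0 bits must match

def _addr(tokens):   # consume 'any', 'host A.B.C.D' or 'network wildcard'
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def _port(tokens):   # consume an optional 'eq <port>'; other operators not handled
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse one ACE from config or 'show ip access-lists' output; remarks give None."""
    tokens = line.split()
    if tokens[0].isdigit():          # leading sequence number in 'show' output
        tokens.pop(0)
    if tokens[0] == "remark":
        return None
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)   # trailing '(N matches)' is ignored
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl_lines, proto, src, dst, sport=None, dport=None):
    """Return (action, matched line); first match wins, otherwise the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"], line
    return "deny", "implicit deny"

# Constructed input, copied from the page's VLAN_Access ACL and the ACL 100 output.
VLAN_ACCESS = ["remark - from VLAN100 to VLAN200 -",
               "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
               "permit ip any any"]
ACL_100 = ["27 permit tcp host 199.99.99.99 eq 443 host 172.16.16.16 eq 443",
           "28 deny ip 199.99.99.0 0.0.0.255 any (34602 matches)",
           "30 permit ip any any (298676 matches)"]
```

Because entry 27 precedes entry 28, a TCP flow from 199.99.99.99 with source port 443 is permitted while the same host with any other source port is denied; swapping their order would change the result.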
Time based ACL
Configuration example:
time-range Work
periodic weekdays 9:00 to 18:00
ip access-list extended VLAN_Access
permit tcp any any eq 80 time-range Work
permit tcp any any eq 443 time-range Work
// Employees are allowed web surfing over HTTP and HTTPS from 9:00 to 18:00 on weekdays; outside the time range these entries are inactive.
Reflexive ACL
A reflexive ACL behaves much like CBAC, ZBFW or the ASA inside/outside model: outbound traffic creates temporary entries that permit only the matching return traffic. It works only on routers.
Take a look at the following diagram:
Configuration example:
interface VLAN50
description Untrusted
ip access-group INBOUND in
ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
permit tcp host 10.0.0.1 any reflect ADMINACCESS
permit udp host 10.0.0.1 any reflect ADMINACCESS
!
ip access-list extended INBOUND
evaluate ADMINACCESS
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
VACL vs PACL
Applying an ACL or policy to the VLAN interface (SVI) polices only the traffic that is routed through it, i.e. traffic leaving the subnet. To police traffic that stays within VLAN 10, for example (switched from one port to another), you need to apply the ACL to each port as a PACL.
By privilege15