
ACL Sequencing in PT 6.

Bogdan Doinea
Technical Manager Europe Central
&RCIS
bdoinea@cisco.com

Numbered ACLs

Standard: use only layer 3 source addresses

access-list 10 permit 192.168.146.0 0.0.1.255
Extended: can filter using layer 3/4 information and by source/destination addresses

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
Limitations?
When editing, we can only add statements to the end of the ACL

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Named ACLs have sequence numbers for each entry

ip access-list extended in_to_out
 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet log
 deny ip any any
All ACLs have an implicit, invisible deny statement at the end, but only if they contain at least one statement.

Recommendation: always write the deny ip any any rule explicitly, so that you can see whether packets matched it.


Router(config)#ip access-list extended sequence_x
Router(config-ext-nacl)#permit tcp any host 10.0.0.3 eq 23
Router(config-ext-nacl)#permit tcp any host 10.0.0.3 eq 22
Router(config-ext-nacl)#deny tcp any host 10.0.0.3
Router(config-ext-nacl)#permit udp any any
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#do sh access-l
Extended IP access list sequence_x
10 permit tcp any host 10.0.0.3 eq telnet
20 permit tcp any host 10.0.0.3 eq 22
30 deny tcp any host 10.0.0.3
40 permit udp any any
50 deny ip any any

The administrator forgot to permit TCP port 80 to host 10.0.0.3.

What to do?
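The following is an added example, not code from the deck or from Cisco: a small Python model of the two behaviours the slides describe, wildcard-mask matching for the standard ACL 10 and first-match evaluation in sequence-number order for the named ACL sequence_x, including the invisible deny that exists only once the list has a statement. It then shows why appending the missing HTTP rule does not help (it lands at 60, after the deny at 30) while giving it an explicit sequence number such as 15 places it before the deny, which is how IOS named-ACL configuration mode behaves. The source address 192.168.1.7 in the sample flow is constructed for the example.

```python
"""Toy first-match ACL evaluator (added example, not the deck's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' in IOS syntax


def host(addr: str) -> Tuple[str, str]:
    """'host X' in IOS syntax: exact match, wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol, like the keyword
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # None == no 'eq' clause

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)


class Acl:
    """Entries keyed by sequence number; evaluated in ascending order."""

    def __init__(self) -> None:
        self.entries: Dict[int, Ace] = {}

    def add(self, ace: Ace, seq: Optional[int] = None) -> int:
        # Without a sequence number IOS appends at last sequence + 10.
        if seq is None:
            seq = (max(self.entries) + 10) if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = ace
        return seq

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence); None means the invisible deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(p):
                return self.entries[seq].action, seq
        # The implicit deny exists only once the ACL has a statement;
        # an empty ACL permits everything.
        return ("deny", None) if self.entries else ("permit", None)


def build_sequence_x() -> Acl:
    """The 'sequence_x' ACL exactly as shown on the slide (10..50)."""
    acl = Acl()
    h = host("10.0.0.3")
    acl.add(Ace("permit", "tcp", ANY, h, 23))   # 10
    acl.add(Ace("permit", "tcp", ANY, h, 22))   # 20
    acl.add(Ace("deny", "tcp", ANY, h))         # 30
    acl.add(Ace("permit", "udp", ANY, ANY))     # 40
    acl.add(Ace("deny", "ip", ANY, ANY))        # 50
    return acl


HTTP = Packet("tcp", "192.168.1.7", "10.0.0.3", 80)   # constructed sample flow


def fix_by_appending() -> Tuple[str, Optional[int]]:
    """Appending the missing rule lands it at 60, after the deny at 30."""
    acl = build_sequence_x()
    acl.add(Ace("permit", "tcp", ANY, host("10.0.0.3"), 80))
    return acl.evaluate(HTTP)


def fix_by_sequence_number() -> Tuple[str, Optional[int]]:
    """An explicit sequence number of 15 places the rule before the deny."""
    acl = build_sequence_x()
    acl.add(Ace("permit", "tcp", ANY, host("10.0.0.3"), 80), seq=15)
    return acl.evaluate(HTTP)


if __name__ == "__main__":
    print("ACL 10 matches 192.168.147.9:",
          wildcard_match("192.168.147.9", "192.168.146.0", "0.0.1.255"))
    print("as on the slide:", build_sequence_x().evaluate(HTTP))
    print("appended at end:", fix_by_appending())
    print("inserted at 15:", fix_by_sequence_number())
```

Running it shows the HTTP flow hitting sequence 30 both before and after the rule is appended, and hitting the new sequence 15 once the rule is inserted ahead of the deny. The same evaluator also demonstrates why the slides recommend an explicit deny ip any any: a flow dropped by the invisible deny returns no sequence number at all, so there is nothing to count or log.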


http://lms.netacad.net/course/view.php?id=3101


Thank you.
