jskfan
asked on
Inbound/outbound ACL
Can someone explain:
1-How are packets processed with Inbound/Outbound ACL?
2-if I have to permit ip range from 192.168.1.34 to 192.168.1.37 do I still need to use:
access-list 1 permit 192.168.1.32 0.0.0.8
or
access-list 1 permit 192.168.1.34 0.0.0.3
3-what's the difference between static, default static route, default route and which letter shows up on the routing table for each of them?
4-do we use port name or number in ACL?
ex: Access list 115 deny TCP 10.0.1.0 0.0.0.255 eq 23
OR
Access list 115 deny TCP 10.0.1.0 0.0.0.255 eq telnet
thanks
agreed with memo .. to add here ...
1. Inbound and outbound access lists are applied at interfaces. At the interface you normally define whether the filtering has to be done for incoming traffic or outgoing traffic.
interface <interface>
ip access-group number {in|out}
The logic of filtering is defined in the access list for filtering packets.
The access list, when applied on an interface, will execute only the logic defined in the access list. So, preferably use a "permit all" at the end of the access list.
2. So basically, you want to block the numbers between 192.168.1.34 to 192.168.1.37 i.e. 4.
Now, 4 means a /30 subnet. That brings us to the wildcard mask of 255-252 (/30 last octet)=3.
So the access list can be... access-list 1 permit 192.168.1.34 0.0.0.3
3. STATIC ROUTES: defined to reach a particular interface/ip address reachable from the router.
e.g. ip route <ip address> <subnet mask> <next hop address/interface>
DEFAULT STATIC ROUTES: When in the above command the <ip address> and <subnet mask> fields are replaced by 0.0.0.0, this is termed a default static route.
e.g. ip route 0.0.0.0 0.0.0.0 <next hop address/interface>
for other stuff, better to refer to the following link: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml#ipgateway
4. There are 2 types of access lists: 1. Standard access list 2. Extended access list.
STANDARD ACCESS LIST:
Syntax
access-list access-list-number {permit|deny}
{host|source source-wildcard|any}
EXTENDED ACCESS LIST:
Syntax
access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name]
So the port number and name can be defined in case of extended lists and not in a standard list.
For details refer: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl
Hope this helps.
Thanks
Nishant
ASKER
1- I have seen ACL applied to the destination interface and you would think that they should use access-group in, but they use access-group out, so I got confused when to use in and out.
2-So access-list 1 permit 192.168.1.34 0.0.0.3 is correct?
3- default static route:
ip route <<this subnet>><<subnet mask>> <<next hop ip address>>
it should show an <S> in the show ip route output
default route:
ip route 0.0.0.0 0.0.0.0 <next hop ip address>
it should show <S*> in the show ip route output
Correct?
yes, that's right
but be advised that
access-list 1 permit 192.168.1.34 0.0.0.3 >>> will include also .33
so, you need to refer to my suggestion above!
BR
agreed with what memo_tnt commented ...
>>>> Problem 1: see .. in or out in the access list refers to the traffic being received or sent over the interface ...
if access-list refers to "in", it will match the incoming traffic to the logic applied in the access-list ...
if access-list refers to "out", it will match the outgoing traffic to the logic applied in the access-list ...
>>>>> Problem 2: about the access-list : access-list 1 permit 192.168.1.34 0.0.0.3
as I told earlier in my comment: 4 hosts means /30 mask .. so this access list includes the following:
192.168.1.32 to 192.168.1.35
but this doesn't include 192.168.1.36 to 192.168.1.37, which is your requirement, so create the access list as follows:
access-list 1 permit 192.168.1.34 0.0.0.1
access-list 1 permit 192.168.1.36 0.0.0.1
so, the above rule means:
For subnet: 192.168.1.36/31
Mask: 192.168.1.36/255.255.255.254
Range 192.168.1.36 - 192.168.1.37
For subnet : 192.168.1.34/31
Mask: 192.168.1.34/255.255.255.254
Range 192.168.1.34 - 192.168.1.35
This serves your hosts from 34 to 37 and you don't have to worry about any other subnets ... I think this will be the solution to your problem ... the other way described by memo_tnt is also good ...
>>>>> Problem 3: If you execute a "sh ip route" command in the router, you will get the below output:
router>show ip route
Codes: C - connected O - OSPF i - IS-IS
S - static UD - Up/Down bit 1 L1 - level-1
B - BGP E1 - external type 1 L2 - level-2
M - MPLS E2 - external type 2
* - candidate default
m - route's metric
d - administrative distance
S * 0.0.0.0/0 via 10.200.0.1 [d:1 m:0]
S 9.9.9.9/32 via 127.0.0.1 [d:1 m:0]
so, you can see "*" denotes a "candidate default" route, that is a 0.0.0.0/0 route (in the example above) denoted as "S*", and other routes will be normal static routes denoted as "S".
I hope this clarifies your doubt.
Thanks
Nishant
ASKER
<<if access-list refers to "out", it will match the outgoing traffic to the logic applied in the access-list >>>
I have seen an access-list that refers to "out" applied to an interface for incoming traffic. BUT if I remember, the router has 2 interfaces; one of them is really the first one facing the traffic, then the traffic goes to the second interface in the same router, so the OUT was applied to the second interface.
could that be correct?
1- inbound:
Packet hits inbound interface, router runs it against ACL. Allows what is specified, drops the rest. Continues to process only the allowed traffic.
outbound: Packet hits router, process it and moves it to the destination interface. That interface processes the packet again, then applies it against the outbound ACL. Allows what is specified, drops the rest.
***** For the second scenario, you've now processed traffic you don't want twice, wasting resources. In terms of a small home network, not a big deal. As you scale larger, can become a big problem.
2- access-list 1 permit 192.168.1.32 0.0.0.8 (wildcard .8) is not acceptable, so if you used .7 >>> this will include .33 and .38 also ...
access-list 1 permit 192.168.1.34 0.0.0.3 >>> this will include .33
so i prefer the following:
deny ip host 192.168.1.33 any
access-list 1 permit 192.168.1.32 0.0.0.3 any
or: include each of the 4 IPs and all others are blocked by the implicit deny all
permit ip host 192.168.1.34 any
permit ip host 192.168.1.35 any
permit ip host 192.168.1.36 any
permit ip host 192.168.1.37 any
3- The 'ip default-gateway' command is used to enter your router's default gateway, just as you would do on your normal Windows machine. This command does not differ from your everyday 'gateway' used in all devices required to access hosts outside the local network.
On the other side, the 'ip route' command is available to help us create 'static' routes. In other words, we can tell the router which 'gateway' it must use in order to reach specific networks.
The 'ip route' command can also be used to define a default gateway using the following command:
ip route 0.0.0.0 0.0.0.0 <next hop ip address>
But the main use of this command is to provide routes to other networks which cannot be reached via the 'default gateway'.
4- it's the same we can use both port number and port name ...
I hope this helps you
BR
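As an added example (not posted by anyone in this thread), the following Python checks which hosts each candidate entry from the discussion actually matches, using Cisco wildcard-mask semantics and first-match evaluation with the implicit deny at the end; it also computes the minimal set of entries for an arbitrary range, of which the two /31 entries for .34 to .37 are one instance. The host block and the candidate entries are constructed from the thread.

```python
# Added example, not from the thread: check which Cisco-style standard ACL
# entries match which hosts, using wildcard-mask semantics (wildcard bit
# 1 = don't care, 0 = must match) and first-match-wins with the implicit
# deny at the end of every access list.
import ipaddress


def matches(addr, base, wildcard):
    """True if `addr` matches the ACL entry `base wildcard`."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl, addr):
    """Walk entries in order; the first match decides, else implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"


def permitted_hosts(acl, network):
    """Every address in `network` that the ACL would permit (ascending)."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if evaluate(acl, str(h)) == "permit"]


def wildcard_cover(first, last):
    """Minimal list of (base, wildcard) entries covering first..last.

    summarize_address_range() yields the aligned prefixes; a prefix's
    hostmask is exactly its Cisco wildcard mask.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    # Constructed candidates from the discussion, tested against .32-.47.
    block = "192.168.1.32/28"
    candidates = {
        "34 wildcard 0.0.0.3": [("permit", "192.168.1.34", "0.0.0.3")],
        "32 wildcard 0.0.0.8": [("permit", "192.168.1.32", "0.0.0.8")],
        "two /31 entries": [("permit", b, w) for b, w in
                            wildcard_cover("192.168.1.34", "192.168.1.37")],
    }
    for name, acl in candidates.items():
        print(f"{name}: {permitted_hosts(acl, block)}")
```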