
Example 10-7 Using an ACL to Provide RIPv2 Route Filtering

R1(config)# access-list 12 deny 12.2.2.0 0.0.0.255
R1(config)# access-list 12 permit any
R1(config)# router rip
R1(config-router)# distribute-list 12 out
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 12.0.0.0
R1(config-router)# end

Here a standard IP ACL is used as a route filter rather than a packet filter. When an ACL is referenced by distribute-list, each route in the RIP update is matched against the ACL by its network prefix, so access-list 12 blocks the 12.2.2.0/24 DMZ route and the permit any entry lets every other route through. Note that distribute-list 12 out with no interface argument, as written above, filters the updates R1 sends on every interface; to suppress the DMZ route only on e0/0, name the interface (distribute-list 12 out Ethernet0/0). The quickest check that the filter took effect is show ip protocols, which lists the outgoing update filter in force for RIP.

Grouping ACL Functions

To this point we have looked at a number of discrete ACLs, each written for a single function. Although that has served the discussion well, it is not how ACLs are typically deployed. Because an interface can carry only one ACL in each direction, it is far more common to fold many functions into two or three larger ACLs.

This section examines a possible configuration for a typical router. Example 10-8 shows a partial configuration file that contains several ACLs made up of most of the ACL features we have discussed. This is presented as an example of how to integrate multiple ACL policies into a few main router ACLs.

Example 10-8 Integrating Multiple ACL Policies

hostname R2
!
interface Ethernet0/0
 ip address 12.1.1.2 255.255.0.0
 ip access-group 126 in
!
interface Ethernet0/1
 ip address 12.2.1.1 255.255.255.0
 ip access-group 128 in
!
router ospf 44
 network 12.1.0.0 0.0.255.255 area 0
!
no access-list 80
access-list 80 permit host 12.2.1.2
access-list 80 permit host 12.2.1.3
!
snmp-server community snmp-host1 ro 80
!
no access-list 126
! comment - the entry below prevents any IP packets containing the
! source address of any internal hosts or networks, inbound to the
! private network.
access-list 126 deny ip 12.2.1.0 0.0.0.255 any log
!
! comment - the set of entries below prevent any IP packets
! containing an invalid source address such as the local loopback
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 12.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
access-list 126 deny ip any host 12.2.1.255 log
access-list 126 deny ip any host 12.2.1.0 log
access-list 126 permit tcp any 12.2.1.0 0.0.0.255 established
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 12.2.1.0 0.0.0.255
access-list 126 permit ospf 12.1.0.0 0.0.255.255 host 16.1.1.2
access-list 126 deny tcp any any range 6000 6063 log
access-list 126 deny tcp any any eq 6667 log
access-list 126 deny tcp any any range 12345 12346 log
access-list 126 deny tcp any any eq 31337 log
access-list 126 permit tcp any eq 20 12.2.1.0 0.0.0.255 gt 1023
access-list 126 deny udp any any eq 2049 log
access-list 126 deny udp any any eq 31337 log
access-list 126 deny udp any any range 33400 34400 log
access-list 126 permit udp any eq 53 12.2.1.0 0.0.0.255 gt 1023
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log
!
no access-list 128
access-list 128 permit icmp 12.2.1.0 0.0.0.255 any echo
access-list 128 permit icmp 12.2.1.0 0.0.0.255 any parameter-problem
access-list 128 permit icmp 12.2.1.0 0.0.0.255 any packet-too-big
access-list 128 permit icmp 12.2.1.0 0.0.0.255 any source-quench
access-list 128 deny tcp any any range 1 19 log
access-list 128 deny tcp any any eq 43 log
access-list 128 deny tcp any any eq 93 log
access-list 128 deny tcp any any range 135 139 log
access-list 128 deny tcp any any eq 445 log
access-list 128 deny tcp any any range 512 518 log
access-list 128 deny tcp any any eq 540 log
access-list 128 permit tcp 12.2.1.0 0.0.0.255 gt 1023 any lt 1024
access-list 128 permit udp 12.2.1.0 0.0.0.255 gt 1023 any eq 53
access-list 128 permit udp 12.2.1.0 0.0.0.255 any range 33400 34400 log
access-list 128 deny tcp any range 0 65535 any range 0 65535 log
access-list 128 deny udp any range 0 65535 any range 0 65535 log
access-list 128 deny ip any any log
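A combined ACL of this size is only as good as the order of its entries, and the quickest way to see what a long first-match list really does is to run packets through it. The following is an added example, not code from the book or from Cisco: a small Python evaluator for the numbered extended ACL syntax used in Example 10-8 (any, host and wildcard addresses; eq, gt, lt and range ports; established; ICMP type names; the trailing log keyword). It carries the access-list 126 entries verbatim and feeds them representative packets arriving on Ethernet0/0. The outside hosts 203.0.113.x, the inside client 12.2.1.20 and the port numbers are constructed for the demonstration and are not in the book. Two of the results follow directly from the listing and are worth checking before a list like this is deployed: any TCP segment to 12.2.1.0/24 with the ACK bit set is accepted by the established entry before the port-specific deny entries below it are consulted, so those entries stop connection attempts (SYN only), not ACK-flagged probes; and the permit ospf entry is unreachable, because OSPF packets sourced from the 12.1.0.0/16 neighbors are matched first by deny ip 12.0.0.0 0.255.255.255 any log (a hello's destination of 224.0.0.5 would in any case never equal host 16.1.1.2).

```python
import ipaddress

# Entries copied from Example 10-8: access-list 126, applied inbound on Ethernet0/0.
ACL_126 = """\
access-list 126 deny ip 12.2.1.0 0.0.0.255 any log
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 12.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
access-list 126 deny ip any host 12.2.1.255 log
access-list 126 deny ip any host 12.2.1.0 log
access-list 126 permit tcp any 12.2.1.0 0.0.0.255 established
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 12.2.1.0 0.0.0.255
access-list 126 permit ospf 12.1.0.0 0.0.255.255 host 16.1.1.2
access-list 126 deny tcp any any range 6000 6063 log
access-list 126 deny tcp any any eq 6667 log
access-list 126 deny tcp any any range 12345 12346 log
access-list 126 deny tcp any any eq 31337 log
access-list 126 permit tcp any eq 20 12.2.1.0 0.0.0.255 gt 1023
access-list 126 deny udp any any eq 2049 log
access-list 126 deny udp any any eq 31337 log
access-list 126 deny udp any any range 33400 34400 log
access-list 126 permit udp any eq 53 12.2.1.0 0.0.0.255 gt 1023
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log
"""

def _addr(tok, i):  # any | host A | A wildcard  ->  ((base, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):  # eq|gt|lt N | range LO HI  ->  ((op, lo, hi), next index) or (None, i)
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(tok[i + 1]), None), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse 'access-list N {permit|deny} proto src [port] dst [port] [opts]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":   # skips 'no access-list ...' and comments
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        opts = set(tok[i:]) - {"log"}                  # leaves 'established' or an ICMP type name
        entries.append(dict(text=line, action=tok[2], proto=tok[3], src=src, sport=sport,
                            dst=dst, dport=dport, established="established" in opts,
                            icmp_type=next(iter(opts - {"established"}), None)))
    return entries

def _addr_match(addr, spec):
    return (addr | spec[1]) == (spec[0] | spec[1])     # a set wildcard bit means "don't care"

def _port_match(port, spec):
    if spec is None or port is None:
        return spec is None       # no operator matches any packet; a port operator needs a port
    op, lo, hi = spec
    return lo <= port <= hi if op == "range" else {"eq": port == lo, "gt": port > lo, "lt": port < lo}[op]

def evaluate(entries, proto, src, dst, sport=None, dport=None, ack=False, icmp_type=None):
    """First match wins; 'ack' is the ACK/RST bit tested by 'established'. Returns (action, entry)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if (e["proto"] in ("ip", proto) and _addr_match(s, e["src"]) and _addr_match(d, e["dst"])
                and _port_match(sport, e["sport"]) and _port_match(dport, e["dport"])
                and (ack or not e["established"]) and e["icmp_type"] in (None, icmp_type)):
            return e["action"], e["text"]
    return "deny", "implicit deny at end of list"

def demo():
    """Representative packets arriving on Ethernet0/0 (the 203.0.113.x hosts are made up)."""
    acl = parse_acl(ACL_126)
    cases = {
        "spoofed inside src": evaluate(acl, "tcp", "12.2.1.50", "12.2.1.20", 1234, 80),
        "http reply, ACK set": evaluate(acl, "tcp", "203.0.113.10", "12.2.1.20", 80, 40000, ack=True),
        "irc syn": evaluate(acl, "tcp", "203.0.113.10", "12.2.1.20", 40000, 6667),
        "irc with ACK set": evaluate(acl, "tcp", "203.0.113.10", "12.2.1.20", 40000, 6667, ack=True),
        "dns reply": evaluate(acl, "udp", "203.0.113.53", "12.2.1.20", 53, 40000),
        "ospf hello": evaluate(acl, "ospf", "12.1.1.1", "224.0.0.5"),
        "ping in": evaluate(acl, "icmp", "203.0.113.10", "12.2.1.20", icmp_type="echo"),
    }
    print("\n".join(f"{n:20} {a:6} <- {t}" for n, (a, t) in cases.items()))
    return cases

if __name__ == "__main__":
    demo()
```

Running the file prints one line per case with the entry that decided it. parse_acl accepts the access-list 128 entries in the same way; an outbound TCP connection from 12.2.1.0/24 to port 8080 run through that list shows that permit tcp 12.2.1.0 0.0.0.255 gt 1023 any lt 1024 admits only destination ports below 1024, so the connection falls through to deny tcp any range 0 65535 any range 0 65535 log. If the OSPF adjacency on Ethernet0/0 is intended, the permit ospf entry has to move above the 12.0.0.0/8 deny and match the destinations OSPF actually uses (224.0.0.5, 224.0.0.6 and the router's own interface address); the evaluator lets that reordering be checked before it is pushed to the router.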
