Extended IP Access Lists Example

Figure 8-7 shows the network for another example of extended IP access lists. The filtering criteria for this extended access list example are more complicated:

• The Web server (Daffy) is available to all users.

• UDP-based clients and servers on Bugs are unavailable to hosts whose IP addresses are in the upper half of the valid IP addresses in each subnet. (The subnet mask used is 255.255.255.0.)

• Packets between hosts on the Yosemite Ethernet and the Seville Ethernet are allowed only if the packets are routed across the direct serial link.

• Clients Porky and Petunia can connect to all hosts except Red.

• Any other connections are permitted.

Figure 8-7 Network Diagram for Extended Access List Example 3

[Figure: network diagram showing the routers Yosemite and Seville and the hosts Porky 10.1.1.130, Daffy 10.1.1.2, Petunia 10.1.1.28, and Elmer 10.1.3.1]

Examples 8-9, 8-10, and 8-11 show one solution for this third extended access list example.

Example 8-9 Yosemite Configuration for Extended Access List Example 3

interface serial 0
 ip access-group 110
!
interface serial 1
 ip access-group 111
!
! Criterion 1 met with next statement
access-list 110 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 110 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 3 met with next statement
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
! Criterion 5 met with next statement
access-list 110 permit ip any any
!
! Criterion 1 met with next statement
access-list 111 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 111 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 5 met with next statement
access-list 111 permit ip any any

Example 8-10 Seville Configuration for Extended Access List Example 3

interface serial 0
 ip access-group 110
!
interface serial 1
 ip access-group 111
!
! Criterion 1 met with next statement
access-list 110 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 110 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 3 met with next statement
access-list 110 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! Criterion 5 met with next statement
access-list 110 permit ip any any
!
! Criterion 1 met with next statement
access-list 111 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 111 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 5 met with next statement
access-list 111 permit ip any any

Example 8-11 Albuquerque Configuration for Extended Access List Example 3

interface serial 0
 ip access-group 112
!
interface serial 1
 ip access-group 112
!
! Criterion 4 met with next four statements
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
access-list 112 permit ip host 10.1.1.130 any
access-list 112 permit ip host 10.1.1.28 any
! Criterion 5 met with next statement
access-list 112 permit ip any any

The access lists on Yosemite and Seville are almost identical; each is focused on the first three criteria. List 110 is applied as an outbound access list on the Yosemite and Seville serial links connected to Albuquerque. The first three statements in list 110 in each router satisfy the first three criteria for this example; the only difference is in the source and destination addresses used in the third statement, which checks for the respective subnet numbers at each site.

Both Yosemite and Seville have a list 111 that is used on the link between the two. Each list 111 on Yosemite and Seville is identical to list 110, except that list 111 is missing one statement. This missing statement (relative to list 110) is the one that meets criterion 3, which says not to filter this traffic when it goes across the direct serial link. Because list 111 is used on that link, there is no need for the extra statement. The final statement in lists 110 and 111 in Seville and Yosemite covers the fifth criterion for this example, allowing all other packets to flow.

The second access-list statement in lists 110 and 111 on Seville and Yosemite is trickier than you will see on the CCNA exam. This example is representative of the types of nuances you might see on the CCNP and CCIE exams. The mask has only one binary 0 in it, in bit 25 (the first bit in the last byte). The corresponding bit in the address has value 1; in decimal, the address and mask imply addresses whose fourth byte is between 128 and 255, inclusive. Regardless of subnet number, hosts in the upper half of the assignable addresses in each subnet are matched with this combination. (Because the subnet mask is 255.255.255.0, all host addresses in the upper half of the address range are between 128 and 254 in the last octet.)
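To check that a wildcard mask and a whole list really match the packets the criteria describe, here is an added Python simulator (not code from the book) that applies Yosemite's list 110 from Example 8-9 with first-match semantics and the implicit deny at the end. The named-port table and the sample packets (10.1.2.x hosts on the Yosemite Ethernet) are my own construction.

```python
import ipaddress

# Constructed copy of Yosemite's list 110 from Example 8-9 (serial 0, outbound).
YOSEMITE_110 = [
    "access-list 110 permit tcp any host 10.1.1.2 eq www",
    "access-list 110 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1",
    "access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255",
    "access-list 110 permit ip any any",
]
PORTS = {"www": 80}  # the only named port this list uses (assumed table)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (base, wildcard)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one numbered extended access-list statement into a dict."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching statement wins; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Feeding the same packets through list 111 (the list without the criterion 3 statement) is a quick way to confirm that only the Yosemite-to-Seville subnet traffic changes verdict.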

Two major problems exist when you use extensive, detailed criteria for access lists. First, the criteria are open to interpretation, and many people tend to create the lists to match the order in which each point of the criteria is written, with no attempt at optimization. Second, it is easy to create the lists in such a way that the criteria are not actually met, as in extended IP access list Example 2.

Example 8-12 shows an alternative solution to the extended access list Example 3 solution that was shown in Examples 8-9, 8-10, and 8-11. All access lists have been removed from Seville and Yosemite, as compared to that earlier solution.

Example 8-12 Albuquerque Configuration for Extended Access List Example 3: Second Solution

interface serial 0
 ip access-group 112
!
interface serial 1
 ip access-group 112
!
! Next statement meets criterion 1
access-list 112 permit tcp host 10.1.1.2 eq www any
! Next statement meets criterion 2
access-list 112 deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
! Next statements meet criterion 3
access-list 112 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 112 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
! Next statements meet criterion 4
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
! Next statement meets criterion 5
access-list 112 permit ip any any

Several differences exist between the first solution, in Examples 8-9, 8-10, and 8-11, and the second solution, in Example 8-12. First, all the filtering is performed in Albuquerque. Criterion 4 is met more concisely, because the final permit-all statement lets Porky and Petunia talk to hosts other than Red. Second, packets sent by Yosemite and Seville toward Albuquerque hosts, as well as packets sent back from servers in Albuquerque, reach the Albuquerque router before being filtered. However, the number of these packets will be small, because the filter prevents the client from sending more than the first packet used to connect to the service.
