IOS ACLs, Time-Based ACLs, Dynamic ACLs and Reflexive ACLs (CCIE Notes)


IOS ACLs:

  • Named and numbered ACLs, each available as standard (source only) or extended (source, destination, protocol, ports).
  • Named ACLs can be edited in place: individual ACEs can be added or removed (with sequence numbers on newer IOS). In the classic `access-list <number>` syntax there is no per-line editing; the whole numbered ACL has to be removed and re-entered for any change. (Newer IOS also lets you open a numbered ACL in named-ACL mode, `ip access-list extended 101`, and edit it the same way.)
  • IOS interface ACLs are not stateful by default, so return traffic has to be permitted explicitly by whatever ACL sits in its path. The `established` keyword on a TCP ACE permits segments with the ACK or RST bit set, i.e. segments that look like part of an already-open connection, while not permitting the initial SYN. The caveat is that this is a flag check, not session tracking: it works only for TCP, and an outside host can send a segment with ACK set to get past it, so the ACE should still be restricted by destination and port wherever possible. The `established` ACE belongs in the ACL applied on the interface where the returning traffic arrives.
  • An inbound ACL filters everything entering the interface: traffic destined to the router itself as well as transit traffic.
  • An outbound ACL filters transit traffic leaving the interface, but never traffic the router itself generates (its own routing updates, pings, syslog, etc.).
  • When creating new ACLs, remember to permit the routing protocol traffic (EIGRP, OSPF, BGP, ...) or the neighbour adjacencies will drop as soon as the ACL is applied.

Cisco Doc Link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-create-ip-apply.html

Configuration:

Numbered:

access-list 101 permit eigrp any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 10.1.1.10 eq www
access-list 101 permit icmp any host 10.1.1.10 echo
access-list 101 deny ip any any log
!
interface fa0/0
 ip access-group 101 in

Named:

object-group service WEBSERVER_services
 tcp eq www
 icmp echo
!
ip access-list extended inside_in
 permit eigrp any any
 permit object-group WEBSERVER_services any host 10.1.1.10
 deny ip any any log
!
interface fa0/0
 ip access-group inside_in in

Time-based ACLs

  • Time-based ACLs are ordinary ACEs with a `time-range` attached: the ACE is active only while the referenced time range is in effect and is skipped otherwise (the packet falls through to the next ACE or the implicit deny). Because the decision is made against the router's clock, keep the clock accurate, e.g. via NTP.
  • The end time is inclusive: it stays valid until the beginning of the next minute. E.g. if you want the ACL to be active from 10:00 pm to 2:00 am, define the range as 22:00 to 01:59 (active through 01:59:59).
  • Time ranges are referenced from ACEs within named or numbered ACLs. An ACL can contain multiple time-based ACEs, using the same or different time ranges.

Cisco Doc Link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-refine-ip-al.html

Configuration:

time-range UPDATE
 periodic daily 22:00 to 01:59
!
ip access-list extended dmz_in
 permit ip any host 2.2.2.2 time-range UPDATE
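The inclusive end minute is easy to get wrong when reasoning about a policy, so here is an added Python model (not IOS code and not from the original post) of how the `dmz_in` ACL above behaves around the edges of the UPDATE range. The parsing of `periodic daily`, the midnight-wrap handling and the sample timestamps are assumptions made for the illustration; the implicit deny at the end of the ACL is IOS behaviour.

```python
from datetime import datetime, time
from typing import Union


def parse_periodic_daily(spec: str) -> tuple:
    """Parse an IOS 'periodic daily HH:MM to HH:MM' line into (start, end)."""
    parts = spec.split()
    if len(parts) != 5 or parts[:2] != ["periodic", "daily"] or parts[3] != "to":
        raise ValueError(f"unsupported time-range syntax: {spec!r}")
    return time.fromisoformat(parts[2]), time.fromisoformat(parts[4])


def time_range_active(spec: str, now: Union[datetime, str]) -> bool:
    """Model of when the time range is in effect at 'now' (datetime or ISO string).

    The end time is inclusive: 'to 01:59' stays active until 01:59:59, so the
    comparison is done on the current minute, not the exact second.  A range
    whose end is earlier than its start is treated as wrapping past midnight
    (assumption made for the page's 22:00-to-01:59 example).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    start, end = parse_periodic_daily(spec)
    cur = now.time().replace(second=0, microsecond=0)
    if start <= end:
        return start <= cur <= end
    return cur >= start or cur <= end


# Constructed model of the page's dmz_in list, plus the implicit deny at the end.
TIME_RANGES = {"UPDATE": "periodic daily 22:00 to 01:59"}
DMZ_IN = [
    {"action": "permit", "dst": "2.2.2.2", "time_range": "UPDATE"},
    {"action": "deny", "dst": "any", "time_range": None},  # implicit deny ip any any
]


def acl_decision(acl: list, dst: str, now: Union[datetime, str]) -> str:
    """First-match evaluation; a time-ranged ACE outside its window is skipped."""
    for ace in acl:
        tr = ace["time_range"]
        if tr is not None and not time_range_active(TIME_RANGES[tr], now):
            continue
        if ace["dst"] in ("any", dst):
            return ace["action"]
    return "deny"


def dmz_decision_at(stamp: str, dst: str = "2.2.2.2") -> str:
    """Convenience wrapper: decision of dmz_in for traffic to dst at an ISO timestamp."""
    return acl_decision(DMZ_IN, dst, stamp)


if __name__ == "__main__":
    for stamp in ("2024-03-01 01:59:59", "2024-03-01 02:00:00", "2024-03-01 22:00:00"):
        print(stamp, dmz_decision_at(stamp))
```

At 01:59:59 the ACE still permits, one second later the packet falls through to the deny; that one-minute boundary is the reason the range is written as 01:59 rather than 02:00.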

Dynamic ACLs

  • Also known as Lock-and-Key Security.
  • Once a user has authenticated, Lock-and-Key adds a temporary ACE to the ACL applied in the path of the originating traffic. The entry permits the user's traffic for a limited time and is removed when either the idle or the absolute timeout expires.
  • Only one dynamic entry is allowed per ACL applied to an interface.
  • Users must pass an authentication step (a Telnet login to the router) before access to their designated hosts is enabled.
  • Telnet to the router's interface address has to be permitted by a normal (static) ACE in the ACL applied inbound on that interface; it is not part of the dynamic entry.
  • The VTY lines have to be configured for local or TACACS+/AAA authentication.
  • For local authentication a username and password have to be created (prefer `username ... secret`, which stores a hash, over `password`).
  • Absolute timer: the `timeout` value (minutes) on the dynamic ACE.
  • Idle timer: the `timeout` value (minutes) on `autocommand access-enable timeout`.
  • The idle timer should be shorter than the absolute timeout.
  • `access-list dynamic-extended` extends the absolute timeout by 6 minutes.
  • Caveat: without the `host` keyword (`autocommand access-enable host timeout 1`) the temporary entry is created exactly as written in the dynamic ACE, so with a source of `any` every host whose traffic hits that ACL can use it as soon as one user has authenticated. With `host`, the source is replaced by the address the authenticated user telnetted from.

Cisco Doc Link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-lock-key-secrty.html

Configuration:

access-list 101 permit eigrp any any
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic dynacl timeout 2 permit ip any host 10.0.0.100
access-list dynamic-extended
!
interface fa0/1
 ip address 1.1.1.1 255.255.255.0
 ip access-group 101 in
!
username user1 password cisco
!
line vty 0 4
 login local
 autocommand access-enable timeout 1
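To make the idle/absolute timeout interaction and the `host` keyword caveat concrete, the following Python model (an added example, not the page's configuration or Cisco code) replays the configuration above: `timeout 2` on the dynamic ACE as the absolute timer, `access-enable timeout 1` as the idle timer, a login from 1.1.1.50 and a second host at 1.1.1.99 trying to reach 10.0.0.100. The addresses, the timings and the `LockAndKey` class are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TempEntry:
    """A temporary ACE created by 'access-enable' after a successful login."""
    src: str              # "any" or the authenticated host's address
    dst: str
    created: float        # seconds
    last_hit: float
    absolute_sec: float
    idle_sec: float

    def expired(self, now: float) -> bool:
        return (now - self.created) >= self.absolute_sec or (now - self.last_hit) >= self.idle_sec


@dataclass
class LockAndKey:
    """Model of one dynamic ACE and the temporary entries it spawns.

    Mirrors the page's configuration: 'dynamic dynacl timeout 2 permit ip any
    host 10.0.0.100' (absolute timeout, minutes) and 'autocommand access-enable
    timeout 1' (idle timeout, minutes).  Whether 'host' is present on the
    autocommand decides if the source stays 'any' or becomes the login source.
    """
    dst: str = "10.0.0.100"
    absolute_min: int = 2
    idle_min: int = 1
    host_keyword: bool = False
    dynamic_extended: bool = False   # 'access-list dynamic-extended' adds 6 minutes
    entries: list = field(default_factory=list)

    def authenticate(self, src_ip: str, now: float) -> TempEntry:
        """Successful VTY login from src_ip: the autocommand creates the entry."""
        absolute = (self.absolute_min + (6 if self.dynamic_extended else 0)) * 60
        entry = TempEntry(
            src=src_ip if self.host_keyword else "any",
            dst=self.dst, created=now, last_hit=now,
            absolute_sec=absolute, idle_sec=self.idle_min * 60,
        )
        self.entries.append(entry)
        return entry

    def permits(self, src_ip: str, dst_ip: str, now: float) -> bool:
        """Does the dynamic part of the ACL permit src_ip -> dst_ip at time now?"""
        self.entries = [e for e in self.entries if not e.expired(now)]
        for e in self.entries:
            if e.dst == dst_ip and e.src in ("any", src_ip):
                e.last_hit = now        # matching traffic resets the idle timer
                return True
        return False


def scenario_without_host() -> bool:
    """user1 logs in from 1.1.1.50; a different host then tries the server."""
    lk = LockAndKey(host_keyword=False)
    lk.authenticate("1.1.1.50", now=0)
    return lk.permits("1.1.1.99", "10.0.0.100", now=10)   # True: anyone gets in


def scenario_with_host() -> tuple:
    """Same login with 'access-enable host': only 1.1.1.50 is permitted."""
    lk = LockAndKey(host_keyword=True)
    lk.authenticate("1.1.1.50", now=0)
    return (lk.permits("1.1.1.50", "10.0.0.100", now=10),
            lk.permits("1.1.1.99", "10.0.0.100", now=10))


def scenario_idle_timeout() -> bool:
    """One packet at t=10, then silence: the 1-minute idle timer removes the entry."""
    lk = LockAndKey(host_keyword=True)
    lk.authenticate("1.1.1.50", now=0)
    lk.permits("1.1.1.50", "10.0.0.100", now=10)
    return lk.permits("1.1.1.50", "10.0.0.100", now=71)   # False: idle 61 s >= 60 s


def scenario_absolute_timeout() -> tuple:
    """Steady traffic keeps the idle timer fresh, but the 2-minute absolute timer still wins."""
    lk = LockAndKey(host_keyword=True)
    lk.authenticate("1.1.1.50", now=0)
    for t in (30, 60, 90):
        lk.permits("1.1.1.50", "10.0.0.100", now=t)
    return (lk.permits("1.1.1.50", "10.0.0.100", now=119),
            lk.permits("1.1.1.50", "10.0.0.100", now=120))
```

The first scenario is the one to remember: with the configuration exactly as written on the page (no `host` keyword), a single successful login from 1.1.1.50 opens 10.0.0.100 to 1.1.1.99 as well for the next two minutes.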

Reflexive ACLs

  • Also known as IP session filtering.
  • Can be defined within extended named IP access lists only.
  • Makes the IOS device behave in a (limited) stateful manner for the traffic the ACL covers: return traffic is permitted only for sessions the router has seen initiated from the trusted side.
  • Unlike `established`, which works only for TCP, reflexive ACLs work for TCP, UDP, ICMP and IGMP. They do not handle protocols that negotiate a second channel on a different port (e.g. active FTP), because the reflected entry mirrors only the original flow.
  • For TCP, the temporary entry is removed when the session ends (FIN/RST seen) or when the timeout expires. UDP and the other protocols have no end-of-session indication, so only the timeout ends the session, after which return traffic is no longer permitted.
  • Two ACLs are created and work in conjunction: one for the outbound (originating) traffic and one for the inbound (returning) traffic.
  • The outbound ACL carries the `reflect` keyword and matches the originating traffic; each match creates a mirrored temporary entry in the named reflexive list.
  • The inbound ACL carries the `evaluate` keyword, which inserts that reflexive list at that point in the ACL so the returning traffic is matched against the temporary entries.
  • Make sure to permit any routing protocol traffic where required, so that applying the ACLs does not break neighbour adjacencies in the topology.

Cisco Doc Link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-cfg-ip-filter.html

Configuration:

ip access-list extended outboundacl
 permit tcp any any reflect TCP timeout 300
 permit udp any any reflect UDP timeout 60
!
ip access-list extended inboundacl
 permit eigrp any any
 evaluate TCP
 evaluate UDP
!
interface fa0/0
 ip access-group outboundacl in
interface fa0/1
 ip access-group inboundacl in

OR

interface fa0/1
 ip access-group outboundacl out
 ip access-group inboundacl in
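The difference between the `established` keyword from the IOS ACLs section and a reflect/evaluate pair is easiest to see by running both against the same packets. The following Python model is an added example, not code from the post or from IOS: it treats `established` as the ACK/RST flag check it is, models the reflexive list as mirrored 5-tuples with the 300 s TCP and 60 s UDP timeouts from the configuration above, and feeds it constructed traffic (a legitimate web session, a DNS exchange, and a crafted inbound segment with ACK set). Addresses, ports and the simplified FIN/RST close handling are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags: "SYN", "ACK", "FIN", "RST"


def established_permits(pkt: Packet) -> bool:
    """'permit tcp any any established': a TCP segment with ACK or RST set matches.

    This is a bit test on the segment, not a check that the connection was
    ever opened from the inside, and non-TCP traffic can never match.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveFilter:
    """Model of a reflect/evaluate pair with a per-protocol timeout (seconds)."""

    def __init__(self, timeouts: dict):
        self.timeouts = timeouts
        self.sessions = {}   # mirrored 5-tuple -> expiry time

    def outbound(self, pkt: Packet, now: float) -> None:
        """'reflect' side: the originating packet creates the mirrored entry."""
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[mirror] = now + self.timeouts[pkt.proto]

    def inbound(self, pkt: Packet, now: float) -> bool:
        """'evaluate' side: permit only if the mirrored entry exists and is live."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.sessions.get(key)
        if expiry is None or now >= expiry:
            self.sessions.pop(key, None)
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            # Simplified close handling (assumption): IOS drops the entry shortly
            # after the TCP session ends; UDP has no close, only the timeout.
            del self.sessions[key]
        else:
            self.sessions[key] = now + self.timeouts[pkt.proto]
        return True


INSIDE, OUTSIDE, ATTACKER = "10.1.1.10", "198.51.100.7", "203.0.113.9"


def compare(pkt_out: Optional[Packet], pkt_in: Packet, gap: float = 1.0) -> tuple:
    """Return (established_decision, reflexive_decision) for one exchange.

    pkt_out is the inside-originated packet (None if nothing was sent); pkt_in
    is the packet arriving from outside 'gap' seconds later.
    """
    rf = ReflexiveFilter({"tcp": 300, "udp": 60})
    if pkt_out is not None:
        rf.outbound(pkt_out, now=0.0)
    return established_permits(pkt_in), rf.inbound(pkt_in, now=gap)


# Constructed sample traffic.
LEGIT_SYN = Packet("tcp", INSIDE, 40000, OUTSIDE, 80, frozenset({"SYN"}))
LEGIT_SYNACK = Packet("tcp", OUTSIDE, 80, INSIDE, 40000, frozenset({"SYN", "ACK"}))
CRAFTED_ACK = Packet("tcp", ATTACKER, 40000, INSIDE, 445, frozenset({"ACK"}))  # no session
DNS_QUERY = Packet("udp", INSIDE, 53000, OUTSIDE, 53)
DNS_REPLY = Packet("udp", OUTSIDE, 53, INSIDE, 53000)

if __name__ == "__main__":
    print("legit web reply   ", compare(LEGIT_SYN, LEGIT_SYNACK))
    print("crafted ACK probe ", compare(None, CRAFTED_ACK))
    print("DNS reply, 1 s    ", compare(DNS_QUERY, DNS_REPLY))
    print("DNS reply, 60 s   ", compare(DNS_QUERY, DNS_REPLY, gap=60))
```

`compare(None, CRAFTED_ACK)` returns `(True, False)`: the stateless `established` check accepts the crafted segment because the ACK bit is set, while the reflexive filter rejects it because no inside host ever opened that session. The DNS case shows the other half of the story: `established` can never permit UDP replies, and the reflexive entry stops permitting them once the 60 s timeout has elapsed.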

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/CCIE

