- Named and Numbered ACLs (standard/extended).
- Named ACLs can be edited and modified, a numbered ACL has to be deleted completely and re-written for any modifications in it.
- Since IOS devices are not stateful (by default), return traffic needs to be allowed if there is an ACL in the path of the returning traffic. The ‘Established’ keyword in an ACE can be used allow the return traffic. The beauty of this keyword is that it doesn’t allow any originating traffic. The ACE with the established keyword has to be included in the ACL that is applied on the interface where the returning traffic is expected.
- ACL applied to an interface filters – any traffic that is destined to the router and any traffic that traverses the router.
- ACL applied to an interface does not filter – traffic originating from the router.
- When creating new ACLs, make sure to include routing protocol traffic.
access-list 101 permit eigrp any any access-list 101 permit tcp any any established access-list 101 permit tcp any host 10.1.1.10 eq www access-list 101 permit icmp any host 10.1.1.10 echo access-list 101 deny ip any any log ! interface fa0/0 ip access-group 101 in
object-group service WEBSERVER_services tcp eq www icmp echo ! ip access-list extended inside_in permit eigrp any any permit object-group WEBSERVER_services any host 10.1.1.10 deny ip any any log ! interface fa0/0 ip access-group inside_in in
- Time-Based ACLs are just like normal ACLs except that they are active only when the specified time-range kicks in.
- The end time stays valid until beginning of next minute. Eg If you want the ACL to be active from 10:00 pm to 2:00 am you will define the time as follows > 22:00 to 01:59
- Time-based ACLs are nested within Named or Numbered ACLs. You can have multiple time-based ACEs in an ACL.
time-range UPDATE periodic daily 22:00 to 01:59 ! ip access-list extended dmz_in permit ip any host 184.108.40.206 time-range UPDATE
- Also known as Lock-and-Key Security.
- It creates temporary ACEs in the ACL applied in the path of the originating traffic for it to be allowed for a particular user for a specific time limit and then discard the entry after the idle/absolute timeout value has expired.
- You can only have one dynamic entry per ACL that is applied to an interface.
- The users must pass a user authentication process (telnet) before they are permitted access to their designated hosts.
- Telneting to the interface has to be allowed in the ACL applied to the inbound interface. It should not be a part of the dynamic ACL.
- VTY lines have to be configured for either local/TACACS authentication.
- In case of local authentication username with password has to be created.
- absolute timer – specified in the ACL
- idle timer – specified in the autocommand access-enable timeout command
- Idle timer should be less than the absolute timeout value.
- access-list dynamic-extended extends the timeout value by 6 minutes.
access-list 101 permit eigrp any any access-list 101 permit tcp any host 220.127.116.11 eq telnet access-list 101 dynamic dynacl timeout 2 permit ip any host 10.0.0.100 access-list dynamic-extended ! interface fa0/1 ip address 18.104.22.168 255.255.255.0 ip access-group 101 in ! username user1 password cisco ! line vty 0 4 login local autocommand access-enable timeout 1
- Also known as IP session filtering.
- Can be defined with extended named IP access lists only
- Makes the IOS device work somewhat in a stateful manner for the ACL configured.
- Unlike the ‘established’ which works only for TCP traffic, Reflexive ACLs work for TCP, UDP, ICMP and IGMP.
- For TCP, session ending is determined by the TCP flags or the timeout value. For UDP, the timeout value specifies when to end a session and do not allow the return traffic back in.
- Two ACLs to be created which will work in conjunction. One for outbound (originating) and one for inbound (returning).
- Outbound ACL will have the ‘reflect’ keyword. It is the ACL that matches the originating traffic.
- Inbound ACL will have the ‘evaluate’ keyword. It is the ACL that matches the returning traffic.
- Make sure to include any routing protocol traffic wherever required, to avoid breaking any neighbor adjacency in the topology.
ip access-list extended outboundacl permit tcp any any reflect TCP timeout 300 permit tcp any any reflect UDP timeout 60 ! ip access-list extended inboundacl permit eigrp any any evaluate TCP evaluate UDP ! interface fa0/0 ip access-group outboundacl in interface fa0/1 ip access-group inboundacl in
interface fa0/1 ip access-group outboundacl out ip access-group inboundacl in