Thursday, March 12, 2009

IPV4 and IPV6 Access Control Lists on Cisco IOS

ACLs are used to filter network traffic, routing updates, matching packets and a lot of different uses. Main usage is restrict network traffic to unwanted systems.

The access control lists have numbers and can also have text as identifiers, each number or string represents a specific access control list.

There are may types of Access Control Lists, the most common ones are;


IP Standard Access List
List numbers 1-99, can only define source or destination, not source and destination.
IP Extended Access List
List numbers 100-199, can define both source and destination as well as port and protocol numbers.

A IP standard access control list with two entries is configured like this

Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255

To apply this inbound on an interface, just use

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in

The alternative way to define an access list number 5 with two entries is

Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#

To apply this one inbound on a line interface

Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in

IPV6 usage of Access Lists

Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:100::/32 any

To verify the access-lists just look at this

Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20
Router#

To apply this IPv6 Access Control List to an interface, just do as follows

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in

No comments:

Post a Comment

 
span.fullpost {display:inline;}