
10 Access Control Lists



Cisco IOS offers Access Control Lists (ACLs) for both IPv4 and IPv6; they provide a simple filter for incoming and outgoing packets. The following types of IPv6 access lists exist:

Standard ACL:
Permit or deny on incoming or outgoing interfaces based on the source or destination address (or on prefix lists).
Extended ACL:
Additionally supports filtering on the IPv6 option (extension) headers and on higher-layer protocols. Further features: logging and time-dependent lists.

The Cisco presentation Cisco IOS IPv6 Access Control Lists (10) gives an overview of the possibilities and the configuration of ACLs.

In this chapter the various access restrictions are demonstrated using a few simple examples.

1 Preparation

The two Fast Ethernet interfaces are prepared as follows:

R5(config)#interface f0/0
R5(config-if)#ipv6 enable
R5(config-if)#ipv6 address FEC2::/64 eui-64
R5(config-if)#ipv6 nd prefix FEC2::/64
R5(config-if)#ipv6 nd ra-interval 10
R5(config)#interface f0/1
R5(config-if)#ipv6 enable
R5(config-if)#ipv6 address FEC1::/64 eui-64
R5(config-if)#ipv6 nd prefix FEC1::/64
R5(config-if)#ipv6 nd ra-interval 10

2 Defining the access list

To allow access only from subnet A, the access list is created in global configuration mode and bound to interface f0/0 in the inbound direction. As a result only traffic from that subnet is allowed in on this interface; everything else is dropped by the implicit deny at the end of the list (IOS IPv6 ACLs implicitly permit Neighbor Discovery before that deny).

R5(config)#ipv6 access-list list0
R5(config-ipv6-acl)#permit ipv6 FEC2::/64 any log
R5(config-ipv6-acl)#exit
R5(config)#int f0/0
R5(config-if)#ipv6 traffic-filter list0 in

With the second access list, port 80 (HTTP) is blocked on weekdays during working hours. This ACL is activated in the outbound direction on the second interface f0/1.

R5(config)#ipv6 access-list list1
R5(config-ipv6-acl)#deny tcp any any eq 80 time-range morning log
R5(config-ipv6-acl)#deny tcp any any eq 80 time-range afternoon log
R5(config-ipv6-acl)#permit tcp any any eq 80 log
R5(config-ipv6-acl)#exit
R5(config)#int f0/1
R5(config-if)#ipv6 traffic-filter list1 out

The two time ranges referenced in that list by the time-range keyword still have to be defined.

R5(config)#time-range morning
R5(config-time-range)#periodic weekdays 07:00 to 12:00
R5(config-time-range)#exit
R5(config)#time-range afternoon
R5(config-time-range)#periodic weekdays 13:00 to 17:30
R5(config-time-range)#exit

The complete configuration is given in Appendix C.2.7.

The log option behind the rules causes the router to record every packet that matches the rule. This log can be shown directly on the console so that the rules can be tested. The output looks something like this:

Oct 10 10:34:16.406: %IPV6-6-ACCESSLOGP: list list1/10 denied tcp FEC2::201:2FF:FE87:17A5(33960) -> FEC1::201:2FF:FE87:179C(80), 1 packet
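When the rules are tested this way, it is more reliable to parse the logged lines than to read them by eye. The following Python parser is an added example, not part of the original chapter: it turns %IPV6-6-ACCESSLOGP lines of the format shown above into records and sums the packet counts per rule and destination, which is the kind of check a defender runs to confirm a deny rule is actually hitting. The sample lines are constructed for this example (only the first one is taken from the chapter); the ACCESSLOGNP mnemonic on the port-less line and the leading asterisk that IOS puts in front of a non-authoritative timestamp are assumptions about the log format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Line 1 is the line from the chapter; the others are
# made up in the same format. A leading "*" (non-authoritative clock) is tolerated.
SAMPLE_LOG = """\
Oct 10 10:34:16.406: %IPV6-6-ACCESSLOGP: list list1/10 denied tcp FEC2::201:2FF:FE87:17A5(33960) -> FEC1::201:2FF:FE87:179C(80), 1 packet
*Oct 10 10:35:02.118: %IPV6-6-ACCESSLOGP: list list1/10 denied tcp FEC2::201:2FF:FE87:17A5(33961) -> FEC1::201:2FF:FE87:179C(80), 3 packets
Oct 10 10:36:40.900: %IPV6-6-ACCESSLOGNP: list list0/10 permitted ipv6 FEC2::201:2FF:FE87:17A5 -> FEC1::201:2FF:FE87:179C, 12 packets
Oct 10 12:05:11.002: %IPV6-6-ACCESSLOGP: list list1/30 permitted tcp FEC2::201:2FF:FE87:17A5(33970) -> FEC1::201:2FF:FE87:179C(80), 1 packet
Oct 10 12:06:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# One regex for the whole line: timestamp, mnemonic, "list <name>/<seq>", action,
# protocol, source[(port)] -> destination[(port)], packet count.
LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%IPV6-6-(?P<mnemonic>ACCESSLOG\w*):\s+"
    r"list\s+(?P<acl>\S+)/(?P<seq>\d+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9A-Fa-f:.]+)(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f:.]+)(?:\((?P<dport>\d+)\))?,\s+"
    r"(?P<count>\d+)\s+packets?\s*$"
)


@dataclass(frozen=True)
class AclLogEntry:
    timestamp: str
    acl: str
    seq: int
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None for protocols without ports (e.g. "ipv6")
    dst: str
    dport: Optional[int]
    packets: int


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; return None for lines that are not ACL log messages."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return AclLogEntry(
        timestamp=g["ts"], acl=g["acl"], seq=int(g["seq"]), action=g["action"],
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"],
        dport=int(g["dport"]) if g["dport"] else None,
        packets=int(g["count"]),
    )


def parse_acl_log(text: str) -> List[AclLogEntry]:
    """Parse a whole log buffer, silently skipping unrelated messages."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries: List[AclLogEntry], action: str = "denied") -> Counter:
    """Total packets per (acl, sequence, destination, destination port) for one action.

    Reading the "denied" summary next to "show access-lists" tells you which rule
    matched which traffic, not just that something matched.
    """
    totals: Counter = Counter()
    for e in entries:
        if e.action == action:
            totals[(e.acl, e.seq, e.dst, e.dport)] += e.packets
    return totals


if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE_LOG)
    for key, n in summarize(parsed).items():
        print("denied", key, n, "packets")
    for key, n in summarize(parsed, "permitted").items():
        print("permitted", key, n, "packets")
```

Lines that do not match the pattern (the %SYS-5-CONFIG_I line in the sample) are dropped rather than raising, so the parser can be fed a whole console log; a production version would also want to record how many lines were skipped.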

To check the effectiveness of the ACLs, they can be displayed with the show access-lists command. It shows the number of matches and whether a filter is active at all. With list1, for example, the first two filters can never be active at the same time because the time ranges do not overlap.

R5#show access-lists
IPv6 access list list0
    permit ipv6 FEC2::/64 any log (29 matches) sequence 10
IPv6 access list list1
    deny tcp any any eq www log time-range morning (active) sequence 10
    deny tcp any any eq www log time-range afternoon (inactive) sequence 20
    permit tcp any any eq www log (22 matches) sequence 30

If the time-range option is used, it must first be checked that the time and date are set correctly at all. On smaller Cisco routers in particular the clock is not battery-backed and must therefore be set again every time the router is powered on.

R5#clock set 10:34:00 10 oct 2003

Packets dropped by the access lists are signaled to the sender with an ICMPv6 Destination Unreachable message (line 2). The ICMP code is 1, which stands for Administratively prohibited (line 3). The ICMPv6 types and codes are defined in RFC 2463 (3).

Internet Control Message Protocol v6
    Type: 1 (Unreachable)
    Code: 1 (Administratively prohibited)
    Checksum: 0x554b (correct)
    Internet Protocol Version 6
        Version: 6
        Traffic class: 0x00
        Flowlabel: 0x00000
        Payload length: 40
        Next header: TCP (0x06)
        Hop limit: 63
        Source address: fec2::201:2ff:fe87:17a5 (fec2::201:2ff:fe87:17a5)
        Destination address: fec1::201:2ff:fe87:179c (fec1::201:2ff:fe87:179c)
    Transmission Control Protocol, Src Port: 34095, Dst Port: 22, Seq: 156188826, Ack: 0, Len: 0
        Source port: 34095 (34095)
        Destination port: ssh (22)
        Sequence number: 156188826
        Header length: 40 bytes
        Flags: 0x0002 (SYN)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgment: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
            .... ...0 = Fin: Not set
        Window size: 5760
        Checksum: 0xd73c (correct)
        Options: (20 bytes)
            Maximum segment size: 1440 bytes
            SACK permitted
            Time stamp: tsval 9918147, tsecr 0
            NOP
            Window scale: 0 bytes

Beat Graf / Daniel Werner