Extended ACL vs. Named ACL
Case 1:
We need to BLOCK the traffic from PC2 (192.168.2.100) to PC1 (192.168.1.100) and allow everything else.
Use an extended ACL (numbered, 100-199), applied inbound on the R2 interface facing PC2:
# access-list 100 deny ip host 192.168.2.100 host 192.168.1.100
# int f0/1 (R2 interface to SW2)
# ip access-group 100 in
Result: PC2 cannot ping PC1, which is what we wanted. But PC2 cannot ping R3 either, and a ping from PC2 to PC4 also fails.
That means the implicit deny at the end of every ACL is dropping all the traffic that our single deny entry does not match. An ACL with only deny entries blocks everything.
Add a permit entry to ACL 100:
R2(config)#access-list 100 permit ip any any
Now:
Ping from PC2 --> PC1 is denied by entry 10 (sequence 10).
Ping from PC2 --> anything else is allowed; it matches entry 20, permit ip any any.
Now the manager wants to disable ping from PC2 --> R3 (192.168.1.254).
Let's add a deny entry to access-list 100:
R2(config)#access-list 100 deny ip host 192.168.2.100 host 192.168.1.254
But this does not work. Why?
Ping from PC2 --> PC1 still fails (denied by entry 10), as before.
We expect the new deny entry to block the ping from PC2 to R3.
It does not, because entry 20, permit ip any any, matches first: it permits any source to any destination, and an ACL is evaluated top-down with first match wins.
Entry 30 is there, but once the packet has matched entry 20 the router stops; it never checks entry 30. In a numbered ACL a new entry is always appended at the bottom, below the permit any any, so it can never be reached.
Don't try to fix this by removing the any any entry with no access-list 100 ...: on a numbered ACL that command deletes the whole of ACL 100, not just that one entry.
Let's try creating a second ACL, 101, with a deny entry for R3, and applying it to the same interface.
NOW the ping from PC2 to R3 fails: the deny entry matches, and everything else hits the implicit deny at the end of ACL 101.
So we add a permit any any entry to ACL 101.
Now:
Ping from PC2 to R3: DENIED.
Ping from PC2 to the other devices: OK, including PC1, which means entry 10 of ACL 100 is no longer doing anything.
The reason is not that ACL 101 "skips" ACL 100. An interface accepts only one ACL per direction, so ip access-group 101 in replaced ACL 100 on f0/1; ACL 100 is still configured but no longer applied, and the permit any any in ACL 101 lets PC2 reach PC1.
So the problem is: once an ACL is in place, how do we block another IP?
Applying a second ACL to the same interface and direction replaces the first one, so its entries are no longer checked.
Putting the new entry into the same numbered ACL (100) appends it at the bottom, below the permit any any, where it can never match.
The BEST solution here is to use a NAMED ACL. In a named ACL you can choose the SEQUENCE number of each entry, so a new deny can be inserted above the permit any any.
The matching logic itself does not change: the first entry that matches is applied and the router does not go further down the sequence. The named ACL just lets us control where the new entry sits.
Let's implement this. The requirements are:
DENY PING from PC2 --> PC1
ALLOW PING from PC2 --> Other devices
BLOCK PING from PC2 --> R3
R2(config)#ip access-list extended BLOCK-PC1
R2(config-ext-nacl)#deny ip host 192.168.2.100 host 192.168.1.100
R2(config-ext-nacl)#permit ip any any
10 = deny PC2 to PC1 (note: deny ip blocks all IP traffic from PC2 to PC1, not only ping; use deny icmp ... echo if only ping should be blocked).
20 = allow everything else.
Apply the named ACL inbound on f0/1 in place of ACL 100, then add an entry to block R3 the usual way (with no sequence number).
The new entry gets sequence 30, and it does not work: a ping from PC2 to R3 matches entry 20 (permit ip any any) first and is allowed.
So we need the R3 deny to sit BETWEEN 10 and 20. Remove entry 30 and re-add it with sequence number 15:
R2(config)#ip access-list extended BLOCK-PC1
R2(config-ext-nacl)#no 30 deny ip host 192.168.2.100 host 192.168.1.254
R2(config-ext-nacl)#15 deny ip host 192.168.2.100 host 192.168.1.254
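To make the behaviour described above concrete, here is a small model of IOS extended-ACL matching, added as an example; it is not IOS code and not part of the original lab. It reproduces both lessons of this post: in the numbered ACL, the R3 deny appended as entry 30 sits below permit ip any any and can never match, while in the named ACL the same deny inserted at sequence 15 works, and everything not matched by any entry hits the implicit deny. Addresses for PC1, PC2 and R3 are the ones in the post; the PC4 address 192.168.4.100 is assumed (the post only says "the 4 network").

```python
"""Constructed model of Cisco IOS extended ACL evaluation (first match wins,
implicit deny at the end, entries ordered by sequence number).
Not IOS code; a simplified model written for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the post; PC4 is an assumption ("the 4 network").
PC1, PC2, R3 = "192.168.1.100", "192.168.2.100", "192.168.1.254"
PC4 = "192.168.4.100"  # assumed


@dataclass
class Entry:
    seq: int
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; otherwise e.g. "icmp"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []

    def add(self, action, proto, src, dst, seq=None):
        """Append like IOS does (next multiple of 10 above the highest entry)
        unless an explicit sequence number is given, as in a named ACL."""
        if seq is None:
            seq = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.entries.append(Entry(seq, action, proto, src, dst))
        self.entries.sort(key=lambda e: e.seq)  # evaluation order = sequence order
        return seq

    def remove(self, seq: int):
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, proto, src, dst):
        """Return (action, matching sequence); seq None means the implicit deny fired."""
        for e in self.entries:
            if e.proto in ("ip", proto) and _match_addr(e.src, src) and _match_addr(e.dst, dst):
                return e.action, e.seq
        return "deny", None

    def shadowed(self):
        """Sequence numbers that can never match because an 'ip any any'
        entry sits above them (the only kind of shadowing this model detects)."""
        out, covered = [], False
        for e in self.entries:
            if covered:
                out.append(e.seq)
            elif e.proto == "ip" and e.src == "any" and e.dst == "any":
                covered = True
        return out


def numbered_acl_lesson():
    """ACL 100 built exactly as in the post: deny, then permit any any, then deny R3."""
    acl = AccessList("100")
    acl.add("deny", "ip", f"host {PC2}", f"host {PC1}")        # seq 10
    before_permit = acl.evaluate("icmp", PC2, PC4)            # only a deny entry: implicit deny
    acl.add("permit", "ip", "any", "any")                     # seq 20
    acl.add("deny", "ip", f"host {PC2}", f"host {R3}")         # seq 30, appended below the permit
    return {
        "pc4_before_permit": before_permit,                   # ("deny", None)
        "pc1": acl.evaluate("icmp", PC2, PC1),                # ("deny", 10)
        "r3": acl.evaluate("icmp", PC2, R3),                  # ("permit", 20): entry 30 is never reached
        "shadowed": acl.shadowed(),                           # [30]
    }


def named_acl_lesson():
    """Named ACL BLOCK-PC1 with the R3 deny inserted at sequence 15."""
    acl = AccessList("BLOCK-PC1")
    acl.add("deny", "ip", f"host {PC2}", f"host {PC1}")        # 10
    acl.add("permit", "ip", "any", "any")                     # 20
    acl.add("deny", "ip", f"host {PC2}", f"host {R3}", seq=15)  # 15, between 10 and 20
    return {
        "pc1": acl.evaluate("icmp", PC2, PC1),                # ("deny", 10)
        "r3": acl.evaluate("icmp", PC2, R3),                  # ("deny", 15)
        "pc4": acl.evaluate("icmp", PC2, PC4),                # ("permit", 20)
        "shadowed": acl.shadowed(),                           # []
    }


if __name__ == "__main__":
    print("numbered:", numbered_acl_lesson())
    print("named:   ", named_acl_lesson())
```

The `shadowed()` check is the one to borrow for real configs: any entry placed after a `permit ip any any` (or `deny ip any any`) is dead, and in a numbered ACL every appended entry lands there.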
DONE DEAL..... LAB DONE!
PC2 cannot ping PC1 or R3 (entries 10 and 15).
But it can still ping the 192.168.4.0 network (entry 20).
Let's go further.
Let's block the 4 network from PC2 with a NEW named ACL, applied to the same interface.
OH NO! Everything is blocked. The new named ACL replaced BLOCK-PC1 on the interface, and its only entry is a deny, so the implicit deny at the end drops all other traffic.
Whatever ACL is applied last is the only one checked on that interface and direction.
The same thing happens with a new numbered ACL. If we create ACL 200 with a single entry permitting PC1 and apply it:
PC1 is reachable because we permitted it.
But the implicit deny at the end of ACL 200 blocks every other device.
TESTING! RESULT!
The NAMED ACL is better.
Because:
Ping from PC2 to PC1 is denied by the first entry.
A permit any any entry below it allows the other devices.
ALL OKAY.
Meanwhile, the manager asks to block R3.
Add an entry to block R3.
IT WILL NOT WORK.
WHY? Because the second entry is the ANY ANY permit; it matches first, and the router never checks the new R3 entry appended below it.
Solution:
Check show access-lists to see the sequence numbers.
Use the NAMED ACL that is already applied to the interface (do not create and apply a second ACL, which would replace it).
Re-add the R3 deny with a sequence number BETWEEN the first deny and the permit any any (15 in our lab).
DONE! CHEERS! ACL DONE!
Hello,
Do you know that it is possible to download official free Cisco IOS to do that lab?
Yes, that's correct. You can download the official free Cisco IOS. Please also note that the blog post lab has been tested in GNS3. All the Cisco commands were able to enter and the result was 100% accurate. Cheers!