Class 17. Packet Filtering

ACLs (access control lists) are lists of permit and deny conditions that control whether a router permits or denies packets based on criteria like source/destination IP addresses, protocols, and ports. An ACL is made up of access control entries (ACEs) that can permit or deny traffic. ACLs can be standard, only filtering based on source IP addresses, or extended, filtering based on additional criteria. ACLs are created by defining statements and then applying the ACL to an interface to filter incoming or outgoing traffic on that interface.

SWITCHING AND ROUTING I

Topic 17. Packet Filtering with ACLs IPv4 & IPv6
Alberto Arellano A. Ing. Msc.
aarellano@espoch.edu.ec
CCNA – CCNP - CCSP
What are ACLs?

• An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).
• ACEs are also commonly called ACL statements.
• ACLs control whether a router permits or denies packets based on criteria in the header that identifies the:
  • Source IP address
  • Destination IP address
  • IP protocols (ICMP, TCP, UDP, EIGRP, …)
  • TCP/UDP source port
  • TCP/UDP destination port

Packet Filtering Example

• For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access."
• This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL.
Types of ACLs

• Standard ACLs
  • Can permit or deny traffic for source IP addresses … only!
• Extended ACLs
  • Can permit or deny traffic for:
    • Protocol type IP (IP, ICMP, EIGRP, OSPF, TCP, UDP, …)
    • Source IP address
    • Source TCP or UDP ports
    • Destination IP address
    • Destination TCP or UDP ports

Numbered and Named ACLs
Wildcard Mask

• Standard and Extended ACLs both use wildcard masks.
• Wildcard masks and subnet masks differ in the way they match binary 1s and 0s.
• Wildcard masks use the following rules to match binary 1s and 0s:
  • Wildcard mask bit 0 - Match the corresponding bit value in the address
  • Wildcard mask bit 1 - Ignore the corresponding bit value in the address
Calculating Wildcard Masks #1

• Calculating wildcard masks can be difficult, but you can do it easily by subtracting the subnet mask from 255.255.255.255.
• For example, assume you wanted to permit access to all users from the 192.168.3.0 /24.
• Subtract the subnet mask (255.255.255.0) from 255.255.255.255:

   255.255.255.255
  -255.255.255.  0
  ----------------
     0.  0.  0.255

access-list 1 permit 192.168.3.0 0.0.0.255

Calculating Wildcard Masks #2

• Assume you wanted to permit access to all users from the 192.168.3.32 /28.
• Subtract the subnet mask (255.255.255.240) from 255.255.255.255:

   255.255.255.255
  -255.255.255.240
  ----------------
     0.  0.  0. 15

access-list 1 permit 192.168.3.32 0.0.0.15


Host keyword

access-list 1 permit 192.168.1.1 0.0.0.0

                Decimal        Binary
IP Address      192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Mask   0.0.0.0        00000000.00000000.00000000.00000000
Result          192.168.1.1    11000000.10101000.00000001.00000001

• The host keyword can be used to substitute for the 0.0.0.0 wildcard mask.
• This mask states that all IPv4 address bits must match, so only one host is matched.

access-list 1 permit host 192.168.1.1

Note: The host keyword can also be used in IPv6 ACLs.

Any Keyword

access-list 1 permit 0.0.0.0 255.255.255.255

                Decimal            Binary
IP Address      0.0.0.0            00000000.00000000.00000000.00000000
Wildcard Mask   255.255.255.255    11111111.11111111.11111111.11111111
Result          0.0.0.0            00000000.00000000.00000000.00000000

• The any keyword substitutes for the 255.255.255.255 wildcard mask.
• This mask says to ignore the entire IPv4 address, i.e. to accept any address.

access-list 1 permit any
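To make the wildcard-mask rules concrete, here is an added Python example (not part of the original slides) that derives a wildcard mask from a subnet mask with the subtraction shown above, tests an address against an ACE the way the router does (wildcard bit 0 must match, bit 1 is ignored), and expands the host and any shorthands to the wildcard pairs they stand for. The function names and the sample addresses are my own.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask (the slides' subtraction method).
    Subtracting from all-ones never borrows, so this equals inverting every mask bit."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))


def wildcard_from_prefix(prefix_length: int) -> str:
    """Convenience for CIDR notation: /28 -> 255.255.255.240 -> 0.0.0.15."""
    network = ipaddress.IPv4Network(f"0.0.0.0/{prefix_length}")
    return wildcard_from_mask(str(network.netmask))


def matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the ACE bit; bit 1: the bit is ignored.
    XOR finds the differing bits; AND with the inverted wildcard keeps only differences in
    positions that had to match, so the address matches when nothing is left."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(ace_address))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def parse_address_spec(tokens: list) -> tuple:
    """Consume the address part of an ACE and return ((address, wildcard), remaining tokens).
    'any'    is shorthand for 0.0.0.0 255.255.255.255 (every bit ignored)
    'host A' is shorthand for A 0.0.0.0 (every bit must match)"""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def matching_addresses(wildcard: str) -> int:
    """How many addresses an ACE covers: 2 ** (number of 1-bits in the wildcard)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))                # 0.0.0.15
    print(matches("192.168.3.47", "192.168.3.32", "0.0.0.15"))  # True
    print(matches("192.168.3.48", "192.168.3.32", "0.0.0.15"))  # False
```

The bitwise test is the same one the router applies per ACE, which is why a wildcard does not have to be contiguous: 0.0.255.255 on 192.168.0.0 (used later in this deck) matches every 192.168.x.x address, and a constructed mask such as 0.0.254.255 would match only the even third octets.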
Traffic Filtering on a Router
ACL Placement

• Extended ACLs - Locate them as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
• Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
  • Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
ACL Placement

• Placement of the ACL and therefore the type of ACL used may also depend on:
  • The extent of the network administrator's control
  • Bandwidth of the networks involved
  • Ease of configuration
[Figure: standard ACL placement, "Why not here?" - a standard ACL can only permit/deny based on source address, so placed here it will deny traffic to all sites.]

OR

[Figure: extended ACL placement, "Why here?" - an extended ACL can permit/deny based on source, destination, protocol... and can block before wasting network bandwidth.]
How are ACLs Created?

1. Create an ACL definition.
   • Enter global configuration mode.
   • Define statements of what to filter.
2. Apply the ACL to an interface.
   • Enter interface configuration mode.
   • Identify the ACL and the direction to filter.
Create a Standard ACL

RTR(config)# access-list ACL# {permit|deny} { test-conditions }

access-list 5 permit 172.34.54.34 0.0.0.0

• ACL-# is a unique identifier.
  • The # range identifies the type of ACL.
• permit | deny are terms to specify how the packets which meet the condition will be handled.
  • permit: Implies the packet will not be filtered.
  • deny: Implies the packet will be filtered.
  • remark: Allows you to enter a description of the ACL.
Apply the ACL to an interface

RTR(config-if)# {protocol} access-group list-# {in|out}

ip access-group 5 out

• in | out identifies if the ACL is for incoming or outgoing traffic.
  • in means that packets are filtered as they enter the interface, before the routing decision.
  • out means that packets are filtered as they leave the interface, after the routing decision.
• "out" is the default.
  • Outbound ACLs are generally more efficient, and are preferred.
  • Inbound ACLs must check every packet.
Deny Any Implied

By default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry.

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255

SAME AS

R1(config)# access-list 2 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 2 deny any
Removing an ACL

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# exit
R1# show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# no access-list 10
R1(config)# exit
R1# show access-lists
R1#

Comments - remark

R1(config)# access-list 10 remark Permit hosts from the 192.168.10.0 LAN
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# exit
R1# show running-config | include access-list 10
access-list 10 remark Permit hosts from the 192.168.10.0 LAN
access-list 10 permit 192.168.10.0 0.0.0.255
R1#
Internal Logic - Order matters

Conflict with Statements

ACL 3: Host statement conflicts with previous range statement

R1(config)# access-list 3 deny 192.168.10.0 0.0.0.255
R1(config)# access-list 3 permit host 192.168.10.10
% Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num 10
R1(config)#

Host Statement Entered Before Range

ACL 4: Host statement can always be configured before range statements

R1(config)# access-list 4 permit host 192.168.10.10
R1(config)# access-list 4 deny 192.168.10.0 0.0.0.255
R1(config)#
Applying Standard ACLs to Interfaces

Step 1: Configure the ACL statements

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255

Step 2: Select the interface to apply the ACL

R1(config)# interface serial 0/0/0

Step 3: Apply the ACL to the interface using the ip access-group command

R1(config-if)# ip access-group 1 out

Permit a Specific Subnet

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out

Deny a Specific Host and Permit a Specific Subnet

[Figure: traffic from host 192.168.10.10 is marked X (blocked) while the rest of 192.168.10.0/24 passes]

R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out
Named ACL

Named ACLs

RTR(config)# ip access-list {standard|extended} { NAME }

ip access-list extended TELNET-FILTER

• Named ACLs allow standard and extended IP ACLs to be identified with a name.
  • Name cannot start with a number.
• Named ACLs help identify the function of the ACL.
• The actual names used must be unique across all named access lists of all protocols and types on an individual router.
  • Names can be duplicated on different routers.
• ACLs of different types cannot have the same name.
  • For example, it is illegal to specify a standard ACL named Filter_Web and an extended ACL with the same name.
Named ACLs Syntax

RTR(config)# ip access-list {standard|extended} { NAME }

ip access-list extended TELNET-FILTER

• Create the named ACL in global configuration mode.
• Notice that the access-list command has changed to: ip access-list
• Then enter named ACL configuration mode.
  • The sub config mode prompt varies between standard and extended ACLs.

R1(config)# ip access-list standard NAME-OF-THE-ACL
R1(config-std-nacl)# exit
R1(config)# ip access-list extended A-DIFFERENT-NAME-ACL
R1(config-ext-nacl)# exit

Named ACLs Syntax

• In ACL configuration mode, specify one or more conditions permitted or denied.
  • This determines whether the packet is passed or dropped.

RTR(config {std- | ext-}nacl)# deny {source [source wildcard] | any}
RTR(config {std- | ext-}nacl)# permit {source [source wildcard] | any}
RTR(config {std- | ext-}nacl)# remark [comment]
Named ACL Example

[Figure: traffic from host 192.168.11.10 is marked X (blocked)]

R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# deny host 192.168.11.10
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group NO_ACCESS out
Commenting ACLs
Example 1 – Commenting a numbered ACL
R1(config)# access-list 1 remark Do not allow Guest workstation through
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 remark Allow devices from all other 192.168.x.x subnets
R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out
R1(config-if)#

Example 2 – Commenting a named ACL

R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# remark Do not allow access from Lab workstation
R1(config-std-nacl)# deny host 192.168.11.10
R1(config-std-nacl)# remark Allow access from all other networks
R1(config-std-nacl)# permit any
R1(config-std-nacl)# interface G0/0
R1(config-if)# ip access-group NO_ACCESS out
R1(config-if)#
Editing Numbered ACLs Using Sequence Numbers

Configuration
R1(config)# access-list 1 deny host 192.168.10.99
R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255

Step 1
R1# show access-lists 1
Standard IP access list 1
10 deny 192.168.10.99
20 permit 192.168.0.0, wildcard bits 0.0.255.255
R1#

Step 2
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1#

Step 3
R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.0.0, wildcard bits 0.0.255.255
R1#

Editing Named ACLs – Adding a Line

R1# show access-lists
Standard IP access list NO_ACCESS
10 deny 192.168.11.10
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# 15 deny host 192.168.11.11
R1(config-std-nacl)# end
R1# show access-lists
Standard IP access list NO_ACCESS
10 deny 192.168.11.10
15 deny 192.168.11.11
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#

Note: The no sequence-number named-ACL command is used to delete individual statements.
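The implicit deny, the first-match order, the host-after-range conflict check (ACL 3 and ACL 4 above) and the sequence-number edits in this section can all be exercised in one place. The following Python model is an added example, not code from the slides or from Cisco IOS; the class StandardAcl, its method names and its 'show'-style output are my own assumptions that imitate the IOS output shown above.

```python
import ipaddress


def _wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignored (see the wildcard mask section)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, ace_address, wildcard))
    return ((a ^ b) & ~w) == 0


class StandardAcl:
    """Toy model of an IOS standard ACL: ACEs keyed by sequence number, evaluated in
    ascending order, first match wins, implicit 'deny any' when nothing matches."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}  # sequence number -> (action, address, wildcard)

    def add(self, action: str, address: str, wildcard: str = "0.0.0.0", seq: int = None) -> int:
        # Without an explicit sequence number IOS appends in steps of 10.
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} already in use")
        # IOS refuses a host ACE placed after a range ACE that already covers it (ACL 3 above).
        if wildcard == "0.0.0.0":
            for prior_seq, (_, prior_addr, prior_wc) in self.entries.items():
                if prior_seq < seq and prior_wc != "0.0.0.0" and _wildcard_match(address, prior_addr, prior_wc):
                    raise ValueError("Access rule can't be configured at higher sequence num "
                                     f"as it is part of the existing rule at sequence num {prior_seq}")
        self.entries[seq] = (action, address, wildcard)
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in named-ACL configuration mode."""
        del self.entries[seq]

    def show(self) -> list:
        """Lines in the style of 'show access-lists'."""
        lines = [f"Standard IP access list {self.name}"]
        for seq in sorted(self.entries):
            action, address, wildcard = self.entries[seq]
            suffix = "" if wildcard == "0.0.0.0" else f", wildcard bits {wildcard}"
            lines.append(f"{seq} {action} {address}{suffix}")
        return lines

    def evaluate(self, source_ip: str) -> tuple:
        """(action, sequence) of the first matching ACE, or ('deny', None) for the implicit deny."""
        for seq in sorted(self.entries):
            action, address, wildcard = self.entries[seq]
            if _wildcard_match(source_ip, address, wildcard):
                return action, seq
        return "deny", None


def edit_numbered_acl_demo() -> StandardAcl:
    """Replays the slides' edit: ACL 1 wrongly denies .99, seq 10 is deleted and re-added as .10."""
    acl = StandardAcl("1")
    acl.add("deny", "192.168.10.99")                  # 10 deny 192.168.10.99
    acl.add("permit", "192.168.0.0", "0.0.255.255")   # 20 permit 192.168.0.0, wildcard bits 0.0.255.255
    acl.remove(10)                                    # no 10
    acl.add("deny", "192.168.10.10", seq=10)          # 10 deny host 192.168.10.10
    return acl


if __name__ == "__main__":
    acl = edit_numbered_acl_demo()
    print("\n".join(acl.show()))
    print(acl.evaluate("192.168.10.10"))   # ('deny', 10)
    print(acl.evaluate("10.0.0.1"))        # ('deny', None): the implicit deny
```

The model keeps entries strictly in sequence order; it does not reproduce the way IOS displays host statements ahead of range statements (shown in the sequence-numbers slide later in this deck), only the first-match evaluation and the editing operations.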
Verifying ACLs
R1# show ip interface s0/0/0
Serial0/0/0 is up, line protocol is up
Internet address is 10.1.1.1/30
<output omitted>
Outgoing access list is 1
Inbound access list is not set
<output omitted>

R1# show ip interface g0/0
GigabitEthernet0/1 is up, line protocol is up
Internet address is 192.168.10.1/24
<output omitted>
Outgoing access list is NO_ACCESS
Inbound access list is not set
<output omitted>
R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
15 deny 192.168.11.11
10 deny 192.168.11.10
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
Viewing ACL Statistics
R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10 (4 match(es))
20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
15 deny 192.168.11.11
10 deny 192.168.11.10 (4 match(es))
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#

Output after pinging PC3 from PC1. Matches have been incremented:

R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10 (8 match(es))
20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
15 deny 192.168.11.11
10 deny 192.168.11.10 (4 match(es))
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
Clearing ACL Statistics

R1#show access-lists
Standard IP access list 1
10 deny 192.168.10.10 (8 match(es))
20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
15 deny 192.168.11.11
10 deny 192.168.11.10 (4 match(es))
20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
R1#clear access-list counters 1
R1#

Matches have been cleared:

R1#show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
15 deny 192.168.11.11
10 deny 192.168.11.10 (4 match(es))
20 permit 192.168.11.0, wildcard bits 0.0.0.255
Standard ACL Sequence Numbers and Internal Logic

Range (network) statements:
R1(config)#access-list 1 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 1 deny 192.168.20.0 0.0.0.255
R1(config)#access-list 1 deny 192.168.30.0 0.0.0.255
Host statements (no conflicts):
R1(config)#access-list 1 permit 10.0.0.1
R1(config)#access-list 1 permit 10.0.0.2
R1(config)#access-list 1 permit 10.0.0.3
R1(config)#access-list 1 permit 10.0.0.4
R1(config)#access-list 1 permit 10.0.0.5
R1(config)#end

R1#show running-config | include access-list 1
access-list 1 permit 10.0.0.2
access-list 1 permit 10.0.0.3
access-list 1 permit 10.0.0.1
access-list 1 permit 10.0.0.4
access-list 1 permit 10.0.0.5
access-list 1 deny 192.168.10.0 0.0.0.255
access-list 1 deny 192.168.20.0 0.0.0.255
access-list 1 deny 192.168.30.0 0.0.0.255
R1#

Host statements are listed first, in an order chosen by the IOS for efficient processing, keeping the original sequence numbers assigned by IOS. Range statements are listed after the host statements, in the order they were entered, also with their original sequence numbers:

R1#show access-lists 1
Standard IP access list 1
50 permit 10.0.0.2
60 permit 10.0.0.3
40 permit 10.0.0.1
70 permit 10.0.0.4
80 permit 10.0.0.5
10 deny 192.168.10.0, wildcard bits 0.0.0.255
20 deny 192.168.20.0, wildcard bits 0.0.0.255
30 deny 192.168.30.0, wildcard bits 0.0.0.255

After a reload the same order is kept (host statements first, then range statements), and the sequence numbers now follow that order:

R1#copy running-config startup-config
R1#reload
R1#show access-lists 1
Standard IP access list 1
10 permit 10.0.0.2
20 permit 10.0.0.3
30 permit 10.0.0.1
40 permit 10.0.0.4
50 permit 10.0.0.5
60 deny 192.168.10.0, wildcard bits 0.0.0.255
70 deny 192.168.20.0, wildcard bits 0.0.0.255
80 deny 192.168.30.0, wildcard bits 0.0.0.255
R1#
Extended ACL

Extended ACLs

• Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. Extended ACLs provide more precise traffic-filtering control.
  • Also referred to as "increased granular control".
• All extended ACLs filter on Source IP address AND Destination IP address.
• But what makes them really special is that they can also filter based on:
  • Upper layer protocols (e.g., IP, TCP, UDP, ICMP, EIGRP, …)
  • Source port
  • Destination port
Extended ACLs Syntax

Extended ACLs also filter on Protocol and Destination address. All extended ACLs follow this basic syntax; the choice of Protocol adds various other options.

access-list list-# {permit | deny | remark} Protocol Source-IP Source-Wildcard Destination-IP Destination-Wildcard [Operator Port]

  list-#                100-199, 2000 to 2699
  Protocol              IP, TCP, UDP, ICMP, EIGRP, OSPF, …
  Source / Destination  IP Wildcard | any | host
  Operator              LT, GT, EQ, NEQ
  Port                  20 (FTP-data), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 80 (HTTP)

These options change depending which Protocol is selected.
Port Names versus Port Number

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 23
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq telnet
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Port/protocol after destination address refers to the destination port.

• Note:
  • Not all protocols have a port name assigned.
  • Port numbers always work.
  • E.g., SSH and HTTPS do not have port names assigned and must therefore be assigned using their respective port numbers (22 and 443).

Use ? to list examples.
Extended IP ACLs
Examples

access-list 101 permit ip any any

Permit all packets

access-list 101 deny ip any host 10.1.1.1

Deny all packets from any source address going specifically to host 10.1.1.1.

access-list 101 deny ip host 10.1.1.1 any

Deny all packets from host 10.1.1.1 going to any destination address.
Extended TCP ACLs
Examples
access-list 101 deny tcp any any eq telnet

Deny packets from any source address telnetting to anywhere.

access-list 101 deny tcp any host 10.1.1.1 eq 23

Deny packets from any source address telnetting to 10.1.1.1.

access-list 101 deny tcp any host 10.1.1.1 eq telnet

Same function as last example; except it denies using the keyword telnet.
Extended TCP ACLs Examples

Port/protocol after destination address refers to the destination port.

access-list 101 permit tcp 192.168.32.0 0.0.31.255 any eq 20
access-list 101 permit tcp 192.168.32.0 0.0.31.255 any eq 21

Packets from subnets 192.168.32.0 to 192.168.63.0 are permitted FTP access to any destination.

FTP requires both ports to be permitted.
- Port 20 = ftp-data
- Port 21 = ftp (commands)
Configuring Extended ACLs

[Figure: IPv4 topology. R1 G0/0 192.168.10.0/24 (S1), R1 G0/1 192.168.11.0/24 (S2), R1 S0/0/0 10.1.1.1/30; R2 (S0/0/0, S0/0/1, S0/1/0) connects R1, R3 and the ISP]

R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established

The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network.
Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.
Applying Extended ACLs to Interfaces

[Figure: same IPv4 topology as above]

R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established

R1(config)#interface g0/0
R1(config-if)# ip access-group 103 in
R1(config-if)# ip access-group 104 out
Deny FTP and Permit Everything Else

[Figure: same IPv4 topology; FTP from 192.168.11.0/24 (S2) toward 192.168.10.0/24 is marked X (blocked)]

R1(config)# access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp
R1(config)# access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp-data
R1(config)# access-list 101 permit ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group 101 in
Deny SSH and Permit Everything Else

[Figure: same IPv4 topology; SSH toward 192.168.11.0/24 (S2) is marked X (blocked). The slide also carries the label "Extended ACL to Deny Telnet".]

R1(config)# access-list 102 deny tcp any 192.168.11.0 0.0.0.255 eq 22
R1(config)# access-list 102 permit ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group 102 out
Creating Named Extended ACLs

[Figure: same IPv4 topology as above]

R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out
Verifying Extended ACLs
R1#show access-lists
Extended IP access list BROWSING
10 permit tcp any 192.168.10.0 0.0.0.255 established
Extended IP access list SURFING
10 permit tcp 192.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1#
R1#show ip interface g0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.10.1/24
<output omitted for brevity>
Outgoing access list is BROWSING
Inbound access list is SURFING
<rest of output omitted for brevity>
Editing Extended ACLs

R1# show access-lists
Extended IP access list BROWSING
10 permit tcp any 192.168.10.0 0.0.0.255 established
Extended IP access list SURFING
10 permit tcp 192.168.11.0 0.0.0.255 any eq www        <-- should be 192.168.10.0
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1#
R1# configure terminal
R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# no 10
R1(config-ext-nacl)# 10 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config-ext-nacl)# exit
R1#
R1#show access-lists
Extended IP access list BROWSING
10 permit tcp any 192.168.10.0 0.0.0.255 established
Extended IP access list SURFING
10 permit tcp 192.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
Juniper Filters

1. Create filter

edit firewall
set filter controlwww term 1 from source-address 10.10.20.0/24
set filter controlwww term 1 from destination-address 10.10.12.10/32
set filter controlwww term 1 from protocol icmp
set filter controlwww term 1 then accept
set filter controlwww term 2 from source-address 10.10.20.0/24
set filter controlwww term 2 from destination-address 10.10.12.10/32
set filter controlwww term 2 from protocol tcp
set filter controlwww term 2 from destination-port http
set filter contro...
ACLs Homework

• WWW Access only PC-1 and


PC3
• ICMP permit only PC-1 with
PC4 and PC1-PC3
• ICMP deny all PCs to WWW
IPv6 ACL

IPv4 ACLs IPv6 ACLs


• Standard • Named only
• Numbered • Similar features to
• Named Extended ACLs
• Extended
• Numbered
• Named
Comparing IPv4 and IPv6
I know your IPv6
address but I
need your MAC
ACLs
address
ICMP Neighbor Solicitation message
1 I have the IPv6
address you are
looking for and
here is my MAC
address
ICMP Neighbor Advertisement message
2

Very similar, but there are three significant differences


 Applying an IPv6 ACL
 IPv4 - ip access-group
 IPv6 - ipv6 traffic-filter
 No Wildcard Masks - Instead, the prefix-length is used
 Additional Default Statements
 permit icmp any any nd-na
 permit icmp any any nd-ns
 These two statements allow the router to participate in the IPv6
equivalent of ARP for IPv4.
IPv6 Topology

2001:DB8:FEED:1::/64 S0/0/0 R2 S0/0/1


2001:DB8:FEED:2::/64
:2 :2

S0/0/0
S0/0/1
:1
:1

R1 R3
G0/0 G0/1
G0/0
:1 :1
:1
2001:DB8:CAFE:10::/64 2001:DB8:CAFE:11::/64 2001:DB8:CAFE:30::/64
S1 S2 S3

PC1 PC2
PC3

2001:DB8:CAFE:10::10 2001:DB8:CAFE:11::11 2001:DB8:CAFE:30::12/64


Configuring the IPv6
Topology
R1(config)#interface g0/0
R1(config-if)#ipv6 address 2001:db8:cafe:10::1/64
R1(config-if)#exit
R1(config)#interface s0/0/0
R1(config-if)#ipv6 address 2001:db8:feed:1::1/64
R1(config-if)#exit
R1(config)#interface g0/1
R1(config-if)#ipv6 address 2001:db8:cafe:11::1/64
R1(config-if)#end
R1#show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::FE99:47FF:FE75:C3E0
2001:DB8:CAFE:10::1
GigabitEthernet0/1 [up/up]
FE80::FE99:47FF:FE75:C3E1
2001:DB8:CAFE:11::1
Serial0/0/0 [up/up]
FE80::FE99:47FF:FE75:C3E0
2001:DB8:FEED:1::1
<some output omitted for brevity>
R1#
Configuring the IPv6
Topology
R2(config)#interface s0/0/0
R2(config-if)#ipv6 address 2001:db8:feed:1::2/64
R2(config-if)#exit
R2(config)#interface s0/0/1
R2(config-if)#ipv6 address 2001:db8:feed:2::2/64
R2(config-if)#end
R2#show ipv6 interface brief
Serial0/0/0 [up/up]
FE80::FE99:47FF:FE71:78A0
2001:DB8:FEED:1::2
Serial0/0/1 [up/up]
FE80::FE99:47FF:FE71:78A0
2001:DB8:FEED:2::2
<some output omitted for brevity>
R2#
Configuring the IPv6
Topology
R3(config)#interface s0/0/1
R3(config-if)#ipv6 address 2001:db8:feed:2::1/64
R3(config-if)#exit
R3(config)#interface g0/0
R3(config-if)#ipv6 address 2001:db8:cafe:30::1/64
R3(config-if)#end
R3#show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::FE99:47FF:FE71:7A20
2001:DB8:CAFE:30::1
Serial0/0/1 [up/up]
FE80::FE99:47FF:FE71:7A20
2001:DB8:FEED:2::1
R3#
Configuring IPv6 ACLs

R1(config-ipv6-acl)# deny | permit protocol {source-ipv6-prefix/prefix-length | any


| host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/
prefix-length | any | host destination-ipv6-address} [operator [port-number]]

Parameter Description

deny | permit Specifies whether to deny or permit the packet.

protocol Enter the name or number of an Internet protocol, or an integer representing an


IPv6 protocol number.
source-ipv6-prefix/prefix- The source or destination IPv6 network or class of networks for which to set deny or
length permit conditions

destination-ipv6-address
any Enter any as an abbreviation for the IPv6 prefix ::/0. This matches all addresses.

host For host source-ipv6-address or destination-ipv6-address, enter the source or


destination IPv6 host address for which to set deny or permit conditions
operator (Optional) An operand that compares the source or destination ports of the specified
protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal),
and range.
port-number (Optional) A decimal number or the name of a TCP or UDP port for filtering TCP or
UDP, respectively.
2001:DB8:FEED:1::/64
S0/0/0
:2
R2 S0/0/1
:2 2001:DB8:FEED:2::/64

S0/0/0
:1 S0/0/1
:1

R1 R3
G0/0 G0/1
:1 G0/0
:1 :1
2001:DB8:CAFE:10::/64 2001:DB8:CAFE:11::/64 2001:DB8:CAFE:30::/64

S1 S2 S3 X
PC1 PC2 PC3

2001:DB8:CAFE:10::10 2001:DB8:CAFE:11::11 2001:DB8:CAFE:30::12/64

R1(config)# ipv6 access-list NO-R3-LAN-ACCESS


R1(config-ipv6-acl)# deny ipv6 2001:db8:cafe:30::/64 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# end
R1#
R1(config)# interface s0/0/0
R1(config-if)# ipv6 traffic-filter NO-R3-LAN-ACCESS in
2001:DB8:FEED:1::/64 S0/0/0
:2
R2 S0/0/1
:2 2001:DB8:FEED:2::/64

S0/0/0
:1 S0/0/1
:1

R1 R3
G0/0 G0/1
:1 G0/0
:1 :1
2001:DB8:CAFE:10::/64 2001:DB8:CAFE:11::/64 2001:DB8:CAFE:30::/64

FTP X S1 S2 S3

PC1 PC2 PC3

2001:DB8:CAFE:10::10 2001:DB8:CAFE:11::11 2001:DB8:CAFE:30::12/64

R1(config)# ipv6 access-list NO-FTP-TO-11


R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp-data
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface g0/0
R1(config-if)# ipv6 traffic-filter NO-FTP-TO-11 in
2001:DB8:FEED:1::/64 S0/0/0
:2
R2 S0/0/1
:2 2001:DB8:FEED:2::/64

S0/0/0
:1 S0/0/1
:1

R1 R3
G0/1
HTTP/HTTPS G0/0
:1 :1 G0/0
:1
2001:DB8:CAFE:10::/64 2001:DB8:CAFE:11::/64 2001:DB8:CAFE:30::/64

X S1 S2 S3

Telnet
PC1 PC2 Telnet from

2001:DB8:CAFE:10::10
PC3
2001:DB8:CAFE:11::11
X PC3

2001:DB8:CAFE:30::12/64

• Permit access only HTTP and HTTPS to Network 10


• Deny all other traffic to PC1 – ::10
• Permit PC3 telnet access to PC2
• Deny telnet access to PC2 for all other devices
• Permit access to everything else
R3(config)# ipv6 access-list RETRICTED-ACCESS
R3(config-ipv6-acl)# remark Permit access only HTTP and HTTPS to Network 10
R3(config-ipv6-acl)# permit tcp any host 2001:db8:cafe:10::10 eq 80
R3(config-ipv6-acl)# permit tcp any host 2001:db8:cafe:10::10 eq 443

R3(config-ipv6-acl)# remark Deny all other traffic to Network 10


R3(config-ipv6-acl)# deny ipv6 any 2001:db8:cafe:10::/64

R3(config-ipv6-acl)# remark Permit PC3 telnet access to PC2


R3(config-ipv6-acl)# permit tcp host 2001:DB8:CAFE:30::12 host 2001:DB8:CAFE:11::11
eq 23

R3(config-ipv6-acl)# remark Deny telnet access to PC2 for all other devices
R3(config-ipv6-acl)# deny tcp any host 2001:db8:cafe:11::11 eq 23

R3(config-ipv6-acl)#remark Permit access to everything else


R3(config-ipv6-acl)#permit ipv6 any any
R3(config-ipv6-acl)#exit

R3(config)#interface g0/0
68
R3(config-if)#ipv6 traffic-filter RESTRICTED-ACCESS in
Verifying IPv6 ACLs

R3# show ipv6 interface g0/0


GigabitEthernet0/0 is up, line protocol is up
Global unicast address(es):
2001:DB8:CAFE:30::1, subnet is 2001:DB8:CAFE:30::/64
Input features: Access List
Inbound access list RESTRICTED-ACCESS
<some output omitted for brevity>

R3# show access-lists


IPv6 access list RESTRICTED-ACCESS
permit tcp any host 2001:DB8:CAFE:10::10 eq www sequence 20
permit tcp any host 2001:DB8:CAFE:10::10 eq 443 sequence 30
deny ipv6 any 2001:DB8:CAFE:10::/64 sequence 50
permit tcp host 2001:DB8:CAFE:30::12 host 2001:DB8:CAFE:11::11
eq telnet sequence 70
deny tcp any host 2001:DB8:CAFE:11::11 eq telnet sequence 90
permit ipv6 any any sequence 110
R3#
Verifying IPv6 ACLs

R3# show running-config


<some output omitted for brevity>
ipv6 access-list RESTRICTED-ACCESS
remark Permit access only HTTP and HTTPS to Network 10
permit tcp any host 2001:DB8:CAFE:10::10 eq www
permit tcp any host 2001:DB8:CAFE:10::10 eq 443
remark Deny all other traffic to Network 10
deny ipv6 any 2001:DB8:CAFE:10::/64
remark Permit PC3 telnet access to PC2
permit tcp host 2001:DB8:CAFE:30::12 host 2001:DB8:CAFE:11::11 eq telnet
remark Deny telnet access to PC2 for all other devices
deny tcp any host 2001:DB8:CAFE:11::11 eq telnet
remark Permit access to everything else
permit ipv6 any any

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy