Monday, March 23, 2009

IOS Access Control Lists

In this video demonstration, we show an example of writing IOS Access Control Lists (ACLs) on a home router. We use the Revision Control System (RCS) to maintain the master ACL file and push the ACLs to the router via TFTP. This is similar to many production networks, where maintaining comments and old revisions of ACLs is a requirement. We also show examples explaining the "don't care bit" format of IOS ACLs: a 1 bit in the mask means that bit of the address is ignored, a 0 bit means it must match. Many network engineers refer to this format as an inverse netmask, but that is incorrect.
PIXes, FWSMs, and ASAs use a netmask format for ACLs. It is vitally important not to make the mistake of accidentally pushing a netmask-format ACL line to an IOS device. IOS will accept the line and interpret the netmask as a wildcard, so that sort of error could result in an unplanned hole in your firewall and a serious security incident.
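As an added example (not code from the post), a small Python pre-push check: it converts a PIX/ASA netmask into the IOS wildcard, evaluates a wildcard match the way IOS does, and flags any permit/deny line whose mask is written in netmask form so it can be reviewed before the file goes to the router. The sample ACL is constructed from the sun-isp-in list in the comments, with one deliberately wrong line added.

```python
import ipaddress
import re

QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # one dotted-quad token
def wildcard_from_netmask(netmask: str) -> str:
    """Turn a PIX/ASA-style netmask (255.255.255.0) into the IOS wildcard (0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))
def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard is 'don't care'; a 0 bit must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)
def looks_like_netmask(mask: str) -> bool:
    """True for a netmask-shaped value (1 bits from the top, e.g. 255.255.255.0).
    0.0.0.0 and 255.255.255.255 are legal in either format and are not flagged."""
    m = int(ipaddress.IPv4Address(mask))
    if m in (0, 0xFFFFFFFF):
        return False
    inv = ~m & 0xFFFFFFFF          # a netmask 1..10..0 inverts to 0..01..1,
    return (inv & (inv + 1)) == 0  # i.e. one less than a power of two

def lint_ios_acl(text: str) -> list:
    """Return (line number, mask) for each address/mask pair written in netmask form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        i = 0
        while i < len(toks) - 1:
            pair = QUAD.match(toks[i]) and QUAD.match(toks[i + 1])
            if pair and (i == 0 or toks[i - 1] != "host"):  # 'host x.x.x.x' has no mask
                if looks_like_netmask(toks[i + 1]):
                    findings.append((lineno, toks[i + 1]))
                i += 2
            else:
                i += 1
    return findings

# Constructed sample: the sun-isp-in list from the comments plus one deliberately wrong
# line (4). In IOS its mask means "any destination ending in .0", not 10.0.1.0/24.
SAMPLE_ACL = """\
ip access-list extended sun-isp-in
 deny icmp any any echo log
 permit tcp any 10.0.1.0 0.0.0.255 established
 permit tcp any 10.0.1.0 255.255.255.0 eq 22
 permit udp any eq 53 10.0.1.0 0.0.0.255 gt 1023
 deny ip any any log
"""
```

Run `lint_ios_acl` over the master file in the aclvi workflow before the TFTP push; a non-empty result is reason to stop.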

7 Comments:

Blogger Darrell Root said...

aclvi script:

#!/bin/sh
# aclvi: edit an RCS-controlled ACL file, keeping every revision and its log message
# usage: aclvi <file>
co -l "$1"   # check out the working copy with a lock so nobody else edits it meanwhile
vi "$1"      # edit it
ci -u "$1"   # check in the new revision (RCS prompts for a log message), leave a read-only copy

sun-isp-acl file:

! Inbound list. Each list is removed and rebuilt so the pushed file is the complete definition.
no ip access-list extended sun-isp-in
ip access-list extended sun-isp-in
! drop and log inbound echo requests; other ICMP is permitted further down
deny icmp any any echo log
! return traffic for TCP sessions opened from the LAN (ACK or RST set)
permit tcp any 10.0.1.0 0.0.0.255 established
permit icmp any any
! DNS replies to LAN hosts' high ports; 0.0.0.255 is a don't-care-bit mask, not a netmask
permit udp any eq 53 10.0.1.0 0.0.0.255 gt 1023
deny ip any any log

! Outbound list: ICMP, DNS (UDP and TCP) and web only.
no ip access-list extended sun-isp-out
ip access-list extended sun-isp-out
permit icmp any any
permit udp 10.0.1.0 0.0.0.255 any eq 53
permit tcp 10.0.1.0 0.0.0.255 any eq 53
permit tcp 10.0.1.0 0.0.0.255 any eq 80
permit tcp 10.0.1.0 0.0.0.255 any eq 443
deny ip any any log
end

March 23, 2009 at 9:56 PM  
Blogger Michael said...

Darrell,

This series is a godsend for people like myself who are entering the Cisco world! I thank you and ask that you keep up the good work!!

April 3, 2009 at 2:30 PM  
Blogger Chris said...

Ditto!

June 1, 2009 at 3:36 PM  
Blogger Justin said...

Is it possible to get aclvi working on a Linux box? If so, how?

December 9, 2009 at 3:26 PM  
Blogger Darrell Root said...

I would not expect any difficulty getting aclvi working on any Unix system, including a Linux system. You just need vi, RCS, and the Bourne shell (your Linux system would probably have bash). You might need to specify the full path to the co, vi, and ci commands in the script.

March 20, 2010 at 10:28 PM  
Blogger Peter Bodde said...

Thanks for this templated configuration. I will jot them down for future use.
polycom ip 550

January 17, 2012 at 4:41 PM  
Blogger meghanasmiley03 said...

Nice post, I bookmark your blog because I found very good information on your blog, Thanks for sharing more information. Regards, aws jobs in hyderabad.

May 30, 2017 at 4:22 AM  