ADVANCED Access Lists (ACL) Configuration

TIP: An ACL is applied directly to an interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to block the routing protocol traffic! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: "deny any any" doesn't affect the traffic generated locally on the router

It's enough to configure an extended ACL and hit a question mark when you want to define a PORT to realize that there is an entire world of ACL configuration options we never knew about.

One of the awesome features is the ESTABLISHED keyword, which means: allow back in the traffic of TCP sessions that the host has already established. In this example we're allowing back in the TELNET and HTTP return traffic to HOST 10.187.12.1:

**(config-ext-nacl)#permit tcp any eq 80 host 10.187.12.1 established**
**(config-ext-nacl)#permit tcp any eq 23 host 10.187.12.1 established**
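As an added illustration (not from the original post), here is a small Python model of how the two ESTABLISHED entries above evaluate a packet. The `Packet` class, the flag constants and the 203.0.113.0/24 documentation-range addresses are constructed for the example; 10.187.12.1 is the host from the page. The point it makes: `established` only looks at the ACK/RST flag bits and keeps no session table, so it stops new inbound connection attempts (SYN only), but a packet with ACK set arriving from a permitted source port still passes whether or not a session exists. That limitation is what the reflexive ACLs later in the post address.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header (constructed constants for the model)
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal packet model for ACL evaluation (hypothetical, not IOS code)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP flags; ignored for non-TCP protocols


def is_established(pkt: Packet) -> bool:
    """IOS 'established' keyword: matches when ACK or RST is set.

    It inspects flag bits only; there is no per-session state.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))


def acl_permits_return_traffic(pkt: Packet, host: str, ports=(80, 23)) -> bool:
    """Models the two ACEs from the page followed by the implicit deny:

        permit tcp any eq 80 host <host> established
        permit tcp any eq 23 host <host> established
        deny ip any any   (implicit)
    """
    if pkt.proto != "tcp":
        return False
    if pkt.dst != host or pkt.sport not in ports:
        return False
    return is_established(pkt)


if __name__ == "__main__":
    inside, web = "10.187.12.1", "203.0.113.10"
    # SYN/ACK reply to a session the inside host opened: permitted
    print(acl_permits_return_traffic(Packet("tcp", web, 80, inside, 54321, SYN | ACK), inside))
    # Inbound connection attempt (SYN only) to port 80 on the host: denied
    print(acl_permits_return_traffic(Packet("tcp", web, 44444, inside, 80, SYN), inside))
    # Unsolicited packet with ACK set from source port 23: still permitted (stateless)
    print(acl_permits_return_traffic(Packet("tcp", "203.0.113.99", 23, inside, 40000, ACK), inside))
```

The third case is the one to remember when choosing between `established` and a reflexive ACL: the keyword is a flag check, not connection tracking.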

TIME-BASED ACL
STEP 1: define the time range using the "time-range TIMERANGE" command in global configuration mode
*Be sure the clock is correct using "show clock"; if it isn't, set it with "clock set" or from an NTP server.

STEP 2: attach the time-range to the ACL:

**(config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE**

DYNAMIC ACL (aka Lock-and-Key ACL)
A special feature used for AUTHENTICATION of other devices.
Like the time-range, but instead of a time window, the permit/deny entries are activated by authentication.
The dynamic entry is defined using "access-list 102 dynamic…"

STEP 1: Create an EXTENDED ACL, but be sure to permit all the needed protocols before you apply it to the interface:

**(config)#access-list 100 permit eigrp any any**

**(config)#access-list 100 permit icmp any any**

**STEP 2:** Create a DYNAMIC entry in the defined ACL, which will create a dynamic ACL called DYN_ACL:

**(config)#access-list 100 dynamic DYN_ACL permit ip any any**

  
**STEP 3:** Apply the ACL on the interface:  
**(config-if)#ip access-group 100 in**  
  
**STEP 4**: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:  
**(config-line)#autocommand access-enable host**  
\*"access-enable" is an EXEC command; it doesn't appear in the output when "?" is pressed  
\*\*AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION  
\*The "rotary" command under the VTY line changes the telnet port for that line: "rotary 5" sets the port on that line to 3005  
  
  
**REFLEXIVE ACL** - For Session Filtering  
Applied on the outbound interface of the router: we take care of the outgoing traffic, and then  
we CHECK THE RETURNING TRAFFIC, making sure that the returning traffic is the mirror image of what went out (source and destination swapped).  
When configuring, you need 2 ACLs:  
  
**STEP 1** - OUTBOUND ACL. For the outbound direction, within the extended ACL configure:  
**(config)#ip access-list extended OUT_ACL**  
**(config-ext-nacl)#permit tcp any any eq www reflect REFLECT_ACL**  
**(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT_ACL**  
**(config-ext-nacl)#permit tcp any any eq https reflect REFLECT_ACL**  
**(config-ext-nacl)#permit ospf any any**  
  
**STEP 2**: And the inbound ACL, within the extended ACL configuration:  
**(config)#ip access-list extended IN_ACL**  
**(config-ext-nacl)#permit ospf any any**  
**(config-ext-nacl)#evaluate REFLECT_ACL**  
  
**STEP 3**: Then apply the first one outbound and the second one inbound on the same interface.  
**(config-subif)#ip access-group OUT_ACL out**  
**(config-subif)#ip access-group IN_ACL in**  
  
After 5 minutes of inactivity the reflected entries expire. This can be changed using the command "ip reflexive-list timeout X":  
**(config)#ip reflexive-list timeout 120** <- TIME A REFLEXIVE ENTRY EXISTS AFTER THE LAST MATCHING PACKET (default 300 seconds)
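As an added example (not the post's own configuration and not Cisco code), this Python model replays the three steps above: the outbound ACL permits and reflects the session, the inbound ACL evaluates the mirrored entry, and idle entries expire after the configured timeout (120 seconds here, matching the command above). `Packet`, `ReflexiveAcl` and the 203.0.113.0/24 address are constructed for the illustration; real IOS also removes a TCP entry shortly after FIN/RST is seen, which the model leaves out.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple packet model (hypothetical, not IOS code)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Key of a reflected entry, expressed as the RETURN flow: (proto, src, sport, dst, dport)
Key = Tuple[str, str, int, str, int]


class ReflexiveAcl:
    """Models OUT_ACL (reflect) + IN_ACL (evaluate) with an idle timeout."""

    def __init__(self, reflect_ports=(80, 23, 443), timeout: int = 300):
        self.reflect_ports = reflect_ports    # 'permit tcp any any eq <port> reflect REFLECT_ACL'
        self.timeout = timeout                # 'ip reflexive-list timeout <seconds>'
        self.entries: Dict[Key, float] = {}   # mirrored entry -> time it last matched

    def outbound(self, pkt: Packet, now: float) -> bool:
        """OUT_ACL applied 'out': permit and reflect matching TCP sessions, permit OSPF."""
        if pkt.proto == "tcp" and pkt.dport in self.reflect_ports:
            mirror: Key = ("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)  # swap src/dst
            self.entries[mirror] = now
            return True
        return pkt.proto == "ospf"            # 'permit ospf any any'; implicit deny otherwise

    def inbound(self, pkt: Packet, now: float) -> bool:
        """IN_ACL applied 'in': 'permit ospf any any', then 'evaluate REFLECT_ACL'."""
        if pkt.proto == "ospf":
            return True
        self._expire(now)
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = now           # matching return traffic refreshes the idle timer
            return True
        return False                          # implicit deny: no session went out first

    def _expire(self, now: float) -> None:
        """Drop entries that saw no packet for longer than the timeout."""
        for key in [k for k, t in self.entries.items() if now - t > self.timeout]:
            del self.entries[key]


if __name__ == "__main__":
    acl = ReflexiveAcl(timeout=120)
    inside, outside = "10.187.12.1", "203.0.113.10"
    print(acl.outbound(Packet("tcp", inside, 54321, outside, 80), now=0))    # True, entry created
    print(acl.inbound(Packet("tcp", outside, 80, inside, 54321), now=10))    # True, mirror matched
    print(acl.inbound(Packet("tcp", outside, 80, inside, 54322), now=10))    # False, no such session
    print(acl.inbound(Packet("tcp", outside, 80, inside, 54321), now=131))   # False, idle > 120 s
```

Contrast this with the `established` keyword earlier in the post: here the return packet is permitted only because the exact mirrored 5-tuple was recorded when the session went out, and the entry disappears once the session goes idle.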