08.ACLs and Route Summarization

7/22/2019 08.ACLs and Route Summarization

1/29

The Ultimate CCNA Study Package - ICND 2

Chris Bryant, CCIE #12933 - www.thebryantadvantage.com

Back To Index

ACLs And Route SummarizationOverview

Introduction To ACLs

ACL Logic And The Implicit Deny

ACL Numeric Ranges

The Wildcard Mask

Standard ACLs

Adding Remarks To Your ACL

Using "host" and "any"

The Order Of The ACL Lines

Extended ACLs

Named ACLs

Using An ACL To Block Telnet Access

Where To Place An ACL

How And When To Block Pings

Dynamic And Time-Based ACLs

Common Port Numbers To Block And Deny

Sequence Numbers

Intro To Route Summarization

Route Summarization And RIP

Route Summarization And EIGRP

VLSM And CIDR


2/29

Introduction To Access Control Lists

The basic purpose of Access Control Lists (ACLs) is to allow a router topermit or deny packets based on a variety of criteria. The ACL isconfigured in global mode, but is applied at the interface level. An ACLdoes not take effect until it is expressly applied to an interface with the ipaccess-groupcommand. Packets can be filtered as they enter or exit aninterface.

Throughout your Cisco studies, you're going to find more and more usesfor ACLs. Actually, you're going to find quite a few right here! We'll blocktraffic from entering an interface, exiting an interface, prevent Telnetaccess, allow Telnet access.... the list of uses for ACLs goes on and on.This is one skill you must master in order to work with today's Ciscodevices... and I can guarantee ACL usage will come up more than once onyour CCNA exam!

We'll start our ACL discussion with the most common usage - to deny orallow traffic from entering or exiting an interface. There are some basicrules you must keep in mind in order to master ACLs, and I'll make specialnote of those as we go through some examples. I may get repetitive on

some of this, but trust me - you'll be glad I did when these rules becomesecond nature and help you to earn your CCNA.

ACL Logic And The Implicit Deny

When a packet enters or exits an interface with an ACL applied, thepacket is compared against the criteria of the ACL. If the packet matchesthe first line of the ACL, the appropriate permit or deny action is taken.If there is no match, the second lines criteria is examined. Again, if thereis a match, the appropriate action is taken; if there is no match, the thirdline of the ACL is compared to the packet.

This process continues until a match is found, at which time the ACL stopsrunning. If no match is found, a implicit denyis applied to the packet. If apacket is not expressly permitted by a line in the ACL, it will be subject tothe implicit deny. Take special note of the implicit deny feature. Forgettingabout this deny is the #1 reason for ACLs not giving you the desiredresults.

The behavior described above concerning the line-by-line ACL matchingprocess, along with the implicit deny, are default behaviors of all ACLtypes discussed in this section.

Comparing Standard And Extended ACLs

A standard ACL is concerned with only one factor, the source IP address

Using Summarization With ACLs

"Hot Spots And Gotchas"


3/29

of the packet. The destination IP address is not considered.

Extended ACLs consider both the source and destination IP address ofthe packet, and can consider the port number as well. You'll see some ofthose options later in this section.

Standard and extended ACLs do not use the same numeric ranges, andyou must watch out for these on the exam and in the real world. Standard

ACLs use the ranges 1-99 and 1300-1999, extended lists use 100-199and 2000 to 2699. On that subject, let's use IOS Help to view all of thenumeric ranges for ACLs.

R1(config)#access-list ? IP standard access list IP extended access list Extended 48-bit MAC address access list IP standard access list (expanded range) Protocol type-code access list IP extended access list (expanded range)

48-bit MAC address access list dynamic-extended Extend the dynamic ACL abolute timer rate-limit Simple rate-limit specific access list

The obvious question is "Why are the standard and extended list rangesbroken up? Why aren't they just one big range?" Besides giving ussomething else to have to remember for the exam, there's a very goodreason.

When ACLs were first introduced, it was accepted that we'd never needmore than 100 ACLs of any type on a single router.

We also used to think we'd never need a home data storage device biggerthan a floppy disk, and thatcertainly changed! As the number of differentuses for ACLs expanded, the range of available ACLs on many routersbegan to shrink. That's when Cisco came up with the expanded ranges,and I'm sure you noticed that the expanded ranges are much larger inscope than the originals!

You don't really need to know which ranges were original and which areexpanded, but I'd know both of those ranges like the back of my handbefore taking the CCNA exam. Also remember that any ACL using anumber from the 1 - 99 and 1300 - 1399 ranges is a standard ACL, andstandard ACLs match only on the source IP address.

On that topic, you also need to remember that ACLs use wildcardmasks,not network or subnet masks. We can also use the words hostoranyinplace of those masks. Let's take a look at how to write a wildcard maskand how to use hostand anyin an ACL.

The Wildcard Mask

ACLs use wildcard masks to determine what part of a network numbershould and should not be examined for matches against the ACL.

Wildcard masks are written in binary, and then converted to dotteddecimal for router configuration. Zeroes indicate to the router that thisparticular bit must match, and ones are used as I dont care bits the


4/29

ACL does not care if there is a match or not.

In the following example, all packets that have a source IP address on the196.17.100.0 /24 network should be allowed to enter the router'sEthernet0 interface. No other packets should be allowed to do so.

We need to write an ACL that allows packets in if the first 24 bits match196.17.100.0 exactly, and does not allow any other packets regardless ofsource IP address.

Use this binary math chart to convert from binary to dotted decimal:

Converted to dotted decimal, the wildcard mask is 0.0.0.255. Watch thaton your exam - don't choose a network mask of 255.0.0.0 for an ACLwhen you mean to have a wildcard mask of 0.0.0.255.

Wildcard masks are also used with routing protocols OSPF and EIGRP.Consider a router with the following interfaces:

serial0: 172.12.12.12 /28 (or in dotted decimal, 255.255.255.240)serial1: 172.12.12.17 /28

The two interfaces are on different subnetworks. Serial0 is on the172.12.12.0 /28 subnet, where Serial1 is on the 172.12.12.16 /28subnet. If we wanted to run OSPF on serial0 but not serial1, using awildcard mask makes this possible.

The wildcard mask will require the first 28 bits to match 172.12.12.0; themask doesnt care what the last 4 bits are.

1stOctet All bits must match. 00000000

2ndOctet All bits must match. 00000000

3rdOctet All bits must match. 00000000

4thOctet I dont care 11111111

Resulting Wildcard Mask: 00000000 00000000 00000000 11111111

128 64 32 16 8 4 2 11stOctet: 0 0 0 0 0 0 0 0

2ndOctet: 0 0 0 0 0 0 0 0

3rdOctet: 0 0 0 0 0 0 0 0

4thOctet: 1 1 1 1 1 1 1 1


5/29

Use this binary math chart to convert from binary to dotted decimal:

Converted to dotted decimal, the wildcard mask is 0.0.0.15.

Configuring Standard Access Lists

Let's go over the ACL theory we learned earlier in this section. I can'tstress this enough - you've got to have this theory down cold.

Standard ACLs consideronlythe source IP address for matches.

The ACL lines are run from top to bottom. If there is no match on thefirst line, the second is run; if no match on the second, the third is run,and so on until there is a match, or the end of the ACL is reached.This top-to-bottom process places special importance on the order ofthe lines. This theory is true of all ACLs.

There is an implicit deny at the end of every ACL. If packets are notexpressly permitted, they are implicitly denied.

If Router 3s Ethernet interface should only accept packets with a sourcenetwork of 172.12.12.0, the ACL will be configured like this:

R3(config)#access-list 5 permit 172.12.12.0 0.0.0.255

That's actually all we need. The implicit deny will deny all packets notmatching the first line.

The ACL is then applied to the Ethernet0 interface with the ip access-group command. I'll use IOS Help to show you one more important option.

R1(config)#interface e0R1(config-if)#ip access-group 5 ? in inbound packets out outbound packetsR1(config-if)#ip access-group 5 in

Overall, using an ACL to deny or permit traffic at the interface level is atwo-step process:

1stOctet: All bits must match. 00000000

2ndOctet: All bits must match. 00000000

3rdOctet: All bits must match. 00000000

4thOctet: First four bits must

match.

00001111

Resulting Wildcard Mask: 00000000 00000000 0000000000001111

128 64 32 16 8 4 2 11stOctet: 0 0 0 0 0 0 0 0

2ndOctet: 0 0 0 0 0 0 0 0

3rdOctet: 0 0 0 0 0 0 0 0

4thOctet: 0 0 0 0 1 1 1 1


6/29

Write the ACL with the access-listcommand Apply the ACL with the ip access-group command. You must

specify the direction of the packets to which the ACL will be applied -either in(bound) or out(bound).

Using the ACL we just wrote, traffic sourced from the 172.12.12.0 /24network is accepted by the first and only line of the ACL. All other trafficis stopped by the implicit deny.

A great rule of thumb when determining the effect of an ACL:

"If traffic isn't explicitly permitted, it's implicitly denied."

Adding Remarks

Access lists can become quite large and intricate. If one admin writes anACL and another admin comes in six months later to troubleshoot anissue, that second admin may have no idea what the ACL was trying to

accomplish. Believe me, when you see a convoluted 70-line ACL that justdoesn't make sense to you, you'll wish there was some kind of basicexplanation!

Its professional courtesy to add a remarkline or two to describe what anACL was written for. To do so, use the remarkACL command:

R1(config)#access-list 5 ? deny Specify packets to reject permit Specify packets to forward remark Access list entry comment

R3#conf tR3(config)#access-list 5 permit 172.12.12.0 0.0.0.255R3(config)#access-list 5 remark Permit network 172.12.12.0 only.

Using Host and Any for Wildcard Masks

It is acceptable to configure a wildcard mask of all ones or all zeroes. Awildcard mask of 0.0.0.0 means the address specified in the ACL linemust be matched exactly; a wildcard mask of 255.255.255.255 means thatall addresses will match the line.

Wildcard masks have the option of using the word host to represent awildcard mask of 0.0.0.0. Consider a configuration where only packets


7/29

from IP source 10.1.1.1 should be allowed and all other packets denied.The following ACLs both do that.

R3#conf tR3(config)#access-list 6 permit 10.1.1.1 0.0.0.0R3(config)#conf tR3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of255.255.255.255. Both of the following lines permit all traffic.

R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255

There's no "right" or "wrong" decision to make when you're configuringACLs in the real world. For your exam, though, I'd be very familiar withthe proper use ofhostand any.

The Order Of The ACL Lines Is Vital

There's definitely a "right" or "wrong" decision to make when it comes tothe order of the ACL lines, though! Getting just two lines in the wrongorder can wreck everything you're trying to do with the ACL. Here's aexample of a short ACL where the intent is to deny traffic from172.18.18.0 /24, but allow traffic sourced from any other subnet.

Pop quiz! Which of the following ACLs should we use?

R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255R3(config)#access-list 15 permit anyR3(config)#access-list 15 permit anyR3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

R3(config)#access-list 15 deny 172.18.18.0 255.0.0.0R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit anyR3(config)#access-list 15 deny 172.18.18.0 255.0.0.0

We can eliminate the bottom two choices, because they have wildcardmasks of 255.0.0.0. That would match only on the 2nd, 3rd, and 4th


8/29

octets, which isn't what we need. We're matching on the 1st, 2nd, and 3rdoctets of 172.18.18.0, so the proper wildcard mask is 0.0.0.255.

Here are the two remaining possibilities:

R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit anyR3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

One of the basic ACL rules is that the ACL is matched against packetsone line at a time, top to bottom. The top choice will deny all packetssourced from 172.18.18.0 first. Traffic that does not match that line dropsto the second line, which permits all traffic. That's what we're trying to do!

What about the second choice? The very first line is permit any,so it'simpossible for any traffic not to match that line, including the traffic we're

trying to block! The second line will never be run, since the first linematches all possible traffic. The permit any statement does negate theimplicit deny, but watch where you put it in the ACL!

If thepermit anystatement is at the top of any ACL, it doesn't matter howmany deny statements follow it. They'll never be read.

Extended Access Control Lists

Extended ACLs allow both the IP source and destination address to bematched. Actually, they requireit. Even if you don't want to use either ofthose two criteria for matching, you still have to put any for the one youdon't want to use.

The source port, destination port, and protocol type can also be matched.These are trulyoptional options - you don't have to specify a value for anyof those options if you're not using them to match traffic.

In the next example, packets sourced from network 172.50.50.0 /24should not be permitted if they are destined for network172.50.100.0 /24. All other packets should be allowed.

Extended ACLs give us quite a few options where standard ACLs reallydon't give us any. Let's use IOS Help to take a look at these options inthe access-listcommand.R1(config)#access-list 150 ? deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs

permit Specify packets to forward remark Access list entry comment


9/29

Along with the deny, permit,and remarkchoices we saw with the standardACLs, we've got a dynamicoption as well. We'll talk about that option laterin this section.R1(config)#access-list 150 deny ? An IP protocol number

ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol igrp Cisco's IGRP routing protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol

We can match by protocol name or by number. We'll keep it simple hereand select IP. If we planned to use port numbers for matching, we'd needto specify TCP or UDP here. Now you know why you need to know thosewell-known port numbers you learned in the Intro section!R1(config)#access-list 150 deny ip ? A.B.C.D Source address any Any source host host A single source host

We're going to specify the 172.50.50.0 /24 network as the source, but if we

wanted any source to match on this line, we could use the anyoption. Ifwe wanted to specify one and only one source IP address, we could usethehostoption followed by that one IP address.R1(config)#access-list 150 deny ip 172.50.50.0 ? A.B.C.D SourcewildcardbitsR1(config)#access-list 150 deny ip 172.50.50.0 0.0.0.255

Just a reminder --ACLs use wildcard bits!R1(config)#access-list 150 deny ip 172.50.50.0 0.0.0.255 ? A.B.C.D Destination address any Any destination host host A single destination host

Now we'll define the destination address. We have the same anyand hostoptions here, but we'll define the 172.50.100.0 /24 network.R1(config)#$150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255

Notice the dollar sign next to the pound sign prompt? That's what you seewhen your command runs too long to be shown in its entirety on thescreen! That does end the command, so I'll press Enter and go fromthere. The next and final line of the ACL will negate the implicit deny.Since this is an extended ACL, we have to enteranytwice - once for the

source and the second time for the destination. This line allows all traffic.R1(config)#access-list 150 permit ip any any


10/29

To verify your ACLs and the order of the lines, run show access-list.R1#show access-listExtended IP access list 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255 permit ip any any

Another rule of extended ACLs - both the source and destination mustmatch the line for the action to be carried out. In this case, a packetsourced from 172.50.50.0 /24 is only denied IF the destination is on the172.50.100.0 /24 subnet. If either the source or destination IP addressdoes not match the line, there is no match.

Finally, the ACL is applied to the interface with the ip access-groupcommand.R1(config)#int e0R1(config-if)#ip access-group 150% Incomplete command.R1(config-if)#ip access-group 150 in

And yes, you do still have to define whether the ACL should be applied toincoming or outgoing traffic!

Two rules regarding the direction of the ACL:

A single interface can have two ACLs applied to it for each protocol - onefor outbound traffic and the other for inbound traffic. To illustrate whathappens when you configure two ACLs in the same direction and for thesame protocol, I've created another extended ACL that matches any TCPtraffic, regardless of source or destination IP address, as long as thedestination port is port 80.R1(config)#access-list 160 deny tcp any any eq 80R1(config)#access-list 160 permit ip any any

I'll use the show ip interface command to verify that ACL 150 iscurrently configured on Ethernet0, both inbound and outbound.

R1#show ip interface eth0Ethernet0 is up, line protocol is up Internet address is 172.23.23.2/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 150 Inbound access list is 150

< output truncated for clarity >

Just to see what happens, I'll add ACL 160 to filter inbound traffic and see

what happens when we have two ACLs applied to the same interface andin the same direction filtering the same protocol


11/29

R1(config)#int e0R1(config-if)#ip access-group 160 in

No warning from the router -- what does show ip interfaceshow?R1#show ip interface ethernet0

Ethernet0 is up, line protocol is up Internet address is 172.23.23.2/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 150 Inbound access list is 160

The latest ACL to be configured for inbound traffic, ACL 160, is theeffective ACL for that interface. The running config also reflects this.interface Ethernet0ip address 172.23.23.2 255.255.255.0ip access-group 160 inip access-group 150 out

So now we know that we're limited to two ACLs per protocol on aninterface - one inbound and one outbound - and what happens when wetry to "bend" that rule!

I'm sure you'll be happy to know the second rule is much shorter. It's veryrare that you'd want to apply the same ACL to inbound and outboundtraffic, but you can do so, as shown here:R1(config)#int e0R1(config-if)#ip access-group 150 inR1(config-if)#ip access-group 150 out

Named Access Lists

Named ACLs are just that rather than using a number to identify them,names are used. Consider a router with 75 ACLs. If the routers are givenintuitive names, it can be much easier to see what the author of the listwas trying to do - especially if they don't leave remarks with theirnumbered ACLs!

The syntax of a named ACL is slightly different than the numbered type,but the operation is the same, as is the use ofhostand any.

A router with a Serial interface that should allow no traffic from network175.56.56.0 /24 to leave that interface regardless of destination, butshould allow all other traffic, would be configured as follows. Note that fornamed ACLs, the command is ip access-list, not access-list.

R3#conf tR3#ip access-list extended NO_NETWORK56_OUTR3(config-ext-nacl)#deny ip 175.56.56.0 0.0.0.255 anyR3(config-ext-nacl)#permit ip any any

A few details to note from that configuration:


12/29

Use the ip access-listcommand to create named ACLs The named ACL has to be defined as standard or extended

I personally like to put underscores in the named ACL's name to make thename easier to read, but that's certainly optional.

All ACL rules we've discussed to this point apply to named ACLs as well.Named ACLs are also applied to an interface in the same fashion asnumbered ACLs - with the ip access-group command. As you'd expect,the direction of packets affected by the ACL must be defined as well.R3#conf tR3(config)#interface serial0R3(config-if)#ip access-group NO_NETWORK56_OUT out

Using An ACL To Limit Telnet Access

In another section of the course, you learned how to configure a passwordon a router or switch's VTY lines to control access only to those who knowthe password. That might not be enough, though, as you may want tocontrol Telnet access according to the IP address of the host attempting toconnect. We can do that with an ACL and the access-classcommand.

The ACL is used to indicate what host or hosts can telnet to a router. Thesyntax of the ACL is the same, but it is applied in a slightly differentmanner. The ACL is applied to the vty lines with the access-class

command.

Let's say that you want to restrict Telnet access to a host with the IPaddress 20.17.17.17, and that user must know that the password is ccna.Here's how we'd do that:

R3(config)#access-list 55 permit host 20.17.17.17R3(config)#R3(config)#line vty 0 4R3(config-line)#password ccnaR3(config-line)#loginR3(config-line)#access-class 55 in

Make sure to keep the access-class and ip access-group commandsstraight in your mind. access-class is used on the VTY lines, ip access-groupis used on interfaces.R1(config-line)#access-class ? IP access list IP expanded access list WORD Access-list name

Where Should An ACL Be Placed?

The #1 rule of ACLs in the real world is to prevent traffic from traveling

across a WAN when that traffic is going to be blocked from getting to itsfinal destination in the first place. Lets take a look at such an example.


13/29

If we want to prevent that PC from accessing the server on the other sideof the WAN, logic dictates that we'd use an extended ACL and place the

ACL as close to that PC as possible.

Using the extended ACL allows us to specify a source AND destination IPaddress, as opposed to a standard ACL, which only allows you to filter onthe source IP address.

Placing the ACL as close to the source of the traffic prevents unnecessarytraffic from going across the WAN in the first place. If the traffic is notgoing to be allowed to reach the email server, why let it go across theWAN to begin with? Using an extended ACL in this situation stops theunwanted traffic from crossing the WAN and unnecessarily using

bandwidth and the remote router's resources.

If you have to use a standard ACL, put it on the interface closest to thedestination. We can't put the standard ACL at the same point at which wecould apply an extended ACL, because that would block all traffic sourcedfrom that PC.

In the real world, theres no way you would ever use a standard ACL inthis case. If you were out of numbered extended ACLs, which doeshappen, youd simply write a named extended ACL. But keep in mindthat since you can only filter on source IP addresses with a standard list,youd need to put it as close to the destination as possible.

Placement can also be affected when you consider how inbound andoutbound ACLs handle traffic.


14/29

Outbound ACLs are applied afterpackets have already been sent tothe outbound interface by the routing engine, but before they're put inthe transmissions queue.

In contrast, inbound ACLs are applied before the routing enginehandles them.

All things being equal, the router's better off by blocking traffic with aninbound ACL as opposed to an outbound ACL. However, sometimes -like when you're stuck using a standard ACL to block traffic - the ACL hasto go on the outbound interface.

To Block Or Not To Block - Pings, That Is

Blocking pings is simple enough - just write an ACL that blocks ICMPecho packets and allows everything else. Here, we've got R2 and R3 onthe same Ethernet segment, and R2 has no problem pinging R3.

R2#ping 172.23.23.3

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

To block pings coming in on R3's ethernet interface, we simply write anextended ACL specifying ICMP as the protocol and specifying echoat theend of the line. If we wanted to block ping responses, we'd configureecho-replyat the end of this line.

R3(config)#access-list 101 deny icmp any any ?

ICMP message type administratively-prohibited Administratively prohibited alternate-address Alternate address conversion-error Datagram conversion dod-host-prohibited Host prohibited dod-net-prohibited Net prohibited dscp Match packets with given dscp value echo Echo (ping)

echo-reply Echo reply

< readout truncated for clarity >

After applying the ACL to R3, R2 can no longer successfully ping R3.

R3(config)#access-list 101 deny icmp any any echoR3(config)#access-list 101 permit ip any anyR3(config)#int e0R3(config-if)#ip access-group 101 in

R3#show access-listExtended IP access list 101 deny icmp any any echo permit ip any any

R3#show ip access-list 101Extended IP access list 101 deny icmp any any echo

permit ip any any

R2#ping 172.23.23.3


15/29

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:.....Success rate is 0 percent (0/5)

Interestingly enough, the show access-listand show ip access-listcommands willshow you how many matches each line of the ACL has had.

R3#show access-listExtended IP access list 101 deny icmp any any echo (5 matches) permit ip any anyR3#show ip access-listExtended IP access list 101 deny icmp any any echo (5 matches) permit ip any any

So why do we even worry about blocking or allowing pings? Manynetworks block pings and / or ping replies on their border router's outsideinterface to prevent network attacks.

As others have said before me, don't go wild blocking pings on the inside

of your network. As you've learned, pings are the first thing we use whennetwork connectivity is compromised, and if pings are blocked that canlead to "false negatives" - that is, we think a device is down when itdoesn't return pings, but it's actually up and the ACL is blocking the pings.

Advanced ACL Types

Standard and extended ACLs fit the bill perfectly in many situations, butwhen you come right down to it, they're hardcore when it comes topermitting and denying. Either you're permitted to do something or you'renot - there's no grey area with these ACL types.

This is networking, and we're always going to need some kind ofexception to the rule. The following are more advanced ACLs than thestandard and extended ones we generally use, and even if you don't seethem on your CCNA exam, you'll definitely see them in productionnetworks.

And if you do see them on your CCNA exam, you'll be happy you knewabout them!

Commonly referred to as "lock-and-key", dynamic ACLsallow the creationof a dynamic extended access list. Certain Telnet users will be able

to authenticate as usual, but this access to their intended destination isstrictly temporary. Once their access time has elapsed, the access isterminated. It's just like giving someone a key to the lock on your front


16/29

door, and when they leave, you lock the door right behind them.

Here are the basic steps for lock-and-key:

The remote user telnets to the router, just as we've seen in earlier labs.

The router authenticates the user, and then creates an entry in thedynamic ACL that allows this particular host access to networks that we'vepreviously defined.

The natural question is "How long does the remote host have access tothe specified network?" That's up to us as the network admins, and thereare two different kinds of timeouts we can set:

an absolute timeout,where the remote host has "x" minutes ofaccess, and that's it

an idle timeout,where the connection is terminated once no data isexchanged for "x" minutes

Finally, you may want to prevent or allow certain types of traffic accordingto the time. Time-based ACLscan be set to deny or permit traffic - youguessed it - on the basis of time. To write a time-based ACL, you mustfirst define the times this ACL will be applied. You can do this on a per-day basis or choose daily, weekdays, orweekendas shown by IOS Help.

R1(config)#time-range NOTELNETR1(config-time-range)#periodic ? Friday Friday Monday Monday Saturday Saturday Sunday Sunday Thursday Thursday Tuesday Tuesday Wednesday Wednesday daily Every day of the week weekdays Monday thru Friday weekend Saturday and Sunday

We'll choose weekendand then define an hourly time range.

R1(config-time-range)#periodic weekend 8:00 to 19:00


17/29

Then when you write the ACL, you specify the protocol and port numberas you normally would, and then add the time-range option at the end ofthe command.

R1(config)#access-list 101 deny tcp any any eq telnet time-range NOTELNETR1(config)#access-list 101 permit ip any any

R1#show access-list 101Extended IP access list 101 10 deny tcp any any eq telnet time-range NOTELNET (inactive) 20 permit ip any any

R1(config)#int s0/0R1(config-if)#ip access-group 101 in

And you're all set! When the router's internal clock falls into the timerange we configured, you'll see (active)in that show access-listoutput.

Commonly Blocked And Allowed Port Numbers

You know that IOS Help will show you a list of TCP and UDP portnumbers, but the exam may not be as kind! It's a good idea for examroom and server room success to know the following port numbers. Wewent over these earlier in the course, but it never hurts to review!

Some Common TCP Ports:

FTP - File Transfer Protocol - Uses TCP ports 20 and 21. SSH - Secure Shell - Uses TCP port 22. Telnet uses TCP port 23. SMTP - Simple Mail Transfer Protocol - uses TCP port 25. HTTP - HyperText Transfer Protocol - uses TCP port 80. POP3 - Post Office Protocol 3 - uses TCP port 110. SSL - Secure Socket Layer - uses TCP port 443.

Some Common UDP Ports:

DHCP - Dynamic Host Control Protocol - uses UDP ports 67 and 68. TFTP - Trivial File Transfer Protocol - uses UDP port 69. SNMP - Simple Network Management Protocol - uses UDP port 161.

Protocols Using Both TCP And UDP Ports

DNS - Domain Name Service - uses UDP and TCP port 53. The port number 24 is reserved in both UDP and TCP for private

mail systems

We're going to step away from ACLs for a few minutes, and take a look atroute summarization. Summarization is a vital skill for both the CCNAexam and working with real-world networks. When you have a structuredapproach, you'll find that summarization is actually one of the easiestthings you'll ever do - but you must practice this skill to develop thatapproach!

The examples in the next section show you how to apply routesummarization to a network running OSPF, EIGRP, and RIP. While this is


18/29

a common way to apply your summarization skills, you'll also findsummarization handy when you're configuring ACLs.

ACL Sequence Numbers

I do recommend that when you're writing an ACL, you first write it out inNotepad or your favorite word processing software and then check out thetop-to-bottom logic. It's amazing how many headaches that can save you.

Sooner or later, though, you'll write an ACL on the router and then realizeyou forgot a line. Take the following for example:

R1(config)#access-list 45 deny 172.12.0.0 0.0.255.255R1(config)#access-list 45 deny 172.14.0.0 0.0.255.255R1(config)#access-list 45 deny 172.16.0.0 0.0.255.255R1(config)#access-list 45 permit any

After writing the ACL, you realize you meant to deny the 172.12.13.0 /24

network as well. In the good old days, you'd have to delete that ACL andtype it in all over again. The Cisco IOS now assigns each line in an ACL asequence number, and you can use those sequence numbers to youradvantage in this situation. Let's run show ip access-list 45.

R1#show ip access-list 45Standard IP access list 45 10 deny 172.12.0.0, wildcard bits 0.0.255.255 20 deny 172.14.0.0, wildcard bits 0.0.255.255 30 deny 172.16.0.0, wildcard bits 0.0.255.255 40 permit any

Note the sequence numbers at the far left. We didn't enter those, the

numbers were assigned to each statement by the IOS. Let's say we wantto enter a line into this ACL that denies 172.13.0 /24, and we want it to bethe very first line. We need to assign it a sequence number between 1and 9, so we'll take the middle ground and assign it a sequence number of5. We have to enter ACL config mode with the ip access-listcommand.

R1(config)#ip access-list standard 45R1(config-std-nacl)#?Standard Access List configuration commands: Sequence Number

default Set a command to its defaults deny Specify packets to reject exit Exit from access-list configuration mode

no Negate a command or set its defaults permit Specify packets to forward remark Access list entry comment

R1(config-std-nacl)#5 deny 172.13.0.0 0.0.255.255

The change is verified with show access-list 45.

R1#show access-list 45Standard IP access list 45 5 deny 172.13.0.0, wildcard bits 0.0.255.255 10 deny 172.12.0.0, wildcard bits 0.0.255.255 20 deny 172.14.0.0, wildcard bits 0.0.255.255 30 deny 172.16.0.0, wildcard bits 0.0.255.255

40 permit any

You can remove a line in this mode as well. If we decided not to block


19/29

access to 172.14.0.0 /16, we'd use the nooption to do so.

R1(config)#ip access-list standard 45R1(config-std-nacl)#no ? Sequence Number deny Specify packets to reject permit Specify packets to forward

R1(config-std-nacl)#no 20 ?

R1(config-std-nacl)#no 20

R1#show access-list 45Standard IP access list 45 5 deny 172.13.0.0, wildcard bits 0.0.255.255 10 deny 172.12.0.0, wildcard bits 0.0.255.255 30 deny 172.16.0.0, wildcard bits 0.0.255.255 40 permit any

That really beats rewriting an entire ACL! This feature was introduced

with IOS version 12.3, so there's a good chance you'll run into routers inthe field that do not allow this line-by-line addition or removal.

Route Summarization

Route summarization is a technique used to keep routing tables ascompact as possible while keeping an accurate picture of the networktopology. Your ability to summarize routes will be tested on the CCNAexam, and when you practice this skill, you will solve every questionregarding summarization that Cisco or anyone else asks you.

When the router looks for a given destination in the routing table, it willlook at all possible routes in search of the longest match for thedestination in question. The larger the table, the more time this takes.Large routing tables are also a drain on router memory.

RIP, EIGRP, and OSPF all use different commands to perform routesummarization, but the concept is the same. We'll look at the RIP- andEIGRP-specific commands for route summarization later in this section,but first let's go through the actual summarization process. (OSPF routesummarization techniques will be covered in your CCNP BSCI studies.)

In the following example, R2 is sending a routing update to R3 for the

networks 100.4.0.0 /16, 100.5.0.0 /16, 100.6.0.0 /16, and 100.7.0.0 /16.Without route summarization, R2 will send an update containing the fourindividual routes.

To configure a single route summary for these networks, write the networknumbers out in binary.


20/29

Moving left to right, determine what bits each network number have incommon.

Each of the network has the first 14 bits in common. The resulting

network number is the summary for the network. Here, the networksummary address is 100.4.0.0.

Simple, right? Right! But - we're not quite done!

The subnet mask for the summary must now be determined. The maskis determined by putting 1 in for each of the common bits of thesummary network number, and 0 for the dont care bits. In thisexample, the binary mask would be 11111111 11111100 0000000000000000, resulting in a mask of 255.252.0.0.

The final summary address is 100.4.0.0 255.252.0.0, or 100.4.0.0 /14.Watch that on both the exam and in network documentation - those twosummaries are the same.

Route summarization may include networks that dont exist (yet). Theprevious example is a clean route summarization; it includes only thefour specified networks and no others. What if the routes to besummarized were 100.1.0.0, 100.2.0.0, 100.3.0.0, and 100.4.0.0?

The four networks have their first 13 bits in common. The resulting

1stOctet 2ndOctet 3rdOctet 4thOctet100.4.0.0 01100100 00000100 00000000 00000000

100.5.0.0 01100100 00000101 00000000 00000000

100.6.0.0 01100100 00000110 00000000 00000000

100.7.0.0 01100100 00000111 00000000 00000000


100.5.0.0 01100100 00000101 00000000 00000000

100.6.0.0 01100100 00000110 00000000 00000000

100.7.0.0 01100100 00000111 00000000 00000000


100.2.0.0 0110100 00000010 00000000 00000000

100.3.0.0 0110100 00000011 00000000 00000000

100.4.0.0 0110100 00000100 00000000 00000000


21/29

network number is the summary for the network, 100.0.0.0. The subnetmask is determined by putting 1 in for each common bit and 0 for therest, resulting in a mask of 255.248.0.0. The final summary address is100.0.0.0 255.248.0.0.

This address and mask are accurate for the four networks given. A

routing issue could arise because this summary also includes networks100.5.0.0, 100.6.0.0, and 100.7.0.0:

This does not make the summary address wrong; it doesallow for routingproblems if these additional three networks were placed elsewhere on thenetwork. Once the summary address and mask have been determined,write out the next consecutive network number to see if the summaryaddress will also represent thataddress. If so, be aware of the potentialrouting issues of using that network number in another section of thenetwork.

Route Summarization With RIP

RIP uses the interface-level command ip summary-address rip toconfigure summary addresses.

In this example, R2 and R3 are running RIP version 2. R2 is advertisingthe following networks to R3: 172.16.8.0 /24, 172.16.9.0 /24,172.16.10.0 /24, and 172.16.11.0 /24.

To summarize these networks, convert them from dotted decimal tobinary, and determine the bits the networks have in common from left toright:


100.2.0.0 0110100 00000010 00000000 00000000

100.3.0.0 0110100 00000011 00000000 00000000

100.4.0.0 0110100 00000100 00000000 00000000

100.5.0.0 0110100 00000101 00000000 00000000

100.6.0.0 0110100 00000110 00000000 00000000

100.7.0.0 0110111 00000111 00000000 00000000

1stOctet 2ndOctet 3rdOctet 4thOctet172.16.8.0 10101100 00010000 00001000 00000000172.16.9.0 10101100 00010000 00001001 00000000


22/29

The networks have 22 bits in common. The resulting network number is

172.16.8.0.

Using 1s for the in-common bits and 0s for the rest, the resulting subnetmask is 11111111 11111111 11111100 00000000, which in dotteddecimal is 255.255.252.0.

The summary address is 172.16.8.0 255.255.252.0. With RIP, advertisethe summary address with the interface-level command ip summary-address rip.

Here's the original RIP configuration on R2.

R2(config-if)#router ripR2(config-router)#version 2R2(config-router)#no autoR2(config-router)#network 172.16.0.0

R3 has each individual route in its RIP routing table.R3#show ip route rip 172.16.0.0/24 is subnetted, 4 subnetsR 172.16.8.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0R 172.16.9.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0R 172.16.10.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0R 172.16.11.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0

The ip summary-address rip command is configured on ethernet0. That'sright - the summary address is configured on the interface that will beadvertising the route, not the RIP routing process itself.

R2#conf tR2(config)#int ethernet0R2(config-if)#ip summary-address rip 172.16.8.0 255.255.252.0

Instead of waiting for the next RIP update to see the changes on R3, I'llrun the command clear ip route *. That clears the routing table of all

dynamically learned routes, forcing the protocol to updateimmediately. R3 then has only one RIP route, and it's the summary routewe just configured!R3#clear ip route *R3#show ip route rip 172.16.0.0/22is subnetted, 1 subnetsR 172.16.8.0 [120/1] via 172.23.23.2, 00:01:24, Ethernet0

172.16.10.0 10101100 00010000 00001010 00000000

172.16.11.0 10101100 00010000 00001011 00000000


23/29

Route Summarization With EIGRP

EIGRP uses an interface-level command for route summarization as well.

R2 is advertising four routes to R3 via EIGRP: 100.0.0.0 /8, 101.0.0.0 /8,102.0.0.0 /8, and 103.0.0.0 /8.

To summarize the networks, convert them from dotted decimal to binary,and determine how many in-common bits exist from left to right.

The networks have six bits in common, resulting in the network number100.0.0.0. The summary mask is determined by placing 1s in the maskfor the in-common bits and 0s for the rest. The binary mask is 1111110000000000 00000000 00000000, which in dotted decimal is 252.0.0.0

The summary address and mask is 100.0.0.0 252.0.0.0. The interface-level command ip summary-address eigrpwill summarize the routes.

D 100.0.0.0/6[90/2297856] via 172.23.23.2, 00:02:33, Ethernet0

1stOctet 2ndOctet 3rdOctet 4thOctet

100.1.0.0 01100100 00000001 00000000 00000000

101.1.0.0 01100101 00000001 00000000 00000000

102.1.0.0 01100110 00000001 00000000 00000000

103.1.0.0 01100111 00000001 00000000 00000000

R2#conf tR2(config)#interface ethernet0R2(config-if)#ip summary-address eigrp 100 100.0.0.0 252.0.0.0

R3#show ip route eigrp


24/29

Determining and Configuring Variable-Length Subnet Masks

You are *not* going to have to do anything like the following on the CCNAexam. Obviously, this is a long exercise that takes a good deal of time. Itdoes give you some excellent practice of your subnetting skills, and I'vegotten quite a few emails from students who not only passed their CCNAexam, but could then go out and create VLSM schemes for theirnetworks.

Deciding on what VLSM scheme to use is simply a matter of determininghow many host bits will be needed for the required number of hosts, andcharting the VLSM configuration as this is done for each network.

Consider a network given the network 192.168.56.0. There will be foursubnets that require the following number of hosts:

While many production networks use subnet zero, some do not. For thisexample, we will assume that we have been asked by the networkmanagernotto use subnet zero.

The subnet number must have a zero in every bit that the subnet maskdoes. These are the host bits. When configuring VLSM, the question toask is, What is the smallest unused network number that can be createdwhen all host bits are 0?

The picture becomes much clearer when the subnet number and /30mask are converted to binary:

Only the last two bits of the subnet 192.168.56.0 have to be 0 in order tomatch the subnet mask. The question What is the smallest unusednetwork number that can be created when all host bits are 0? isanswered with the address 192.168.56.0.

Its good practice to keep a chart of VLSMs as they are created to ensureoverlapping does not take place.

Hosts RequiredNetwork A 2

Network B 15

Network C 30

Network D 48

1stOctet 2ndOctet 3rdOctet 4thOctetNetwork 192.168.56.0 11000000 10101000 00111000 00000000

/30 Subnet Mask 11111111 11111111 11111111 11111100

Subnet Network / Mask Network

Address

Valid

Hosts

Broadcast

Address< subnet zero,

not in use >

192.168.56.0 / 30 56.0 56.1, 56.2 56.3


25/29

Network A requires two hosts, so again two host bits will be needed. Thesame chart previously drawn is used again:

Again, only the last two bits of the network number have to be zero. Thequestion What is the smallest unused network number that can becreated while keeping the host bits at 0? has a different answer, though,since 192.168.56.0 has already been used.

By changing the last network bit (the 6th bit of the final octet) to1, ityields network number 192.168.56.4, and the last two bits of that networknumber are 0 as well:

This is the network number and subnet mask to use for Network A, and isadded to the VLSM table:

Network B requires 15 host addresses, which requires five host bits. (2 tothe 5th power is 32, yielding 30 host addresses. 2 to the 4th power is 16,but subtracting the network address and broadcast address only leaves14 valid host addresses.)

Convert the network number and a /27 mask to binary:

The question: What is the smallest unused network number that can becreated while leaving the host bits at 0?

The answer: The smallest value that can be created with the networkportion of the 4th octet (the first three bits) is 000, but that would yield

192.168.56.0, which has already been used. A binary value of 001 wouldyield 192.168.56.32, which has not yet been used. Use this network anda /27 subnet mask for Network B.


/30 Subnet Mask 11111111 11111111 11111111 11111100


/30 Subnet Mask 11111111 11111111 11111111 11111100

Subnet Network / Mask NetworkAddress

ValidHosts

BroadcastAddress

< subnet zero,

not in use >

192.168.56.0 / 30 56.0 56.1, 56.2 56.3

Network A 192.168.56.4 / 30 56.4 56.5, 56.6 56.7

1stOctet 2ndOctet 3rdOctet 4thOctetNetwork

192.168.56.0

11000000 10101000 00111000 00000000

/27 SubnetMask

11111111 11111111 11111111 11100000


26/29

Network C requires 30 host addresses; a mask of /27 will result in exactlythat many host addresses. Refer to the chart of the network number andthe /27 bit subnet mask:

The question What is the smallest unused network number that can becreated while leaving the host bits at 0? now has a different answer,since network 192.168.56.32 was just used. The next-smallest value thatcan be created with the network portion of the network number is 010 inbinary, or 64 in decimal, yielding the network number 192.168.56.64. Usethis network with a /27 bit mask for Network C.

Network D requires 48 host addresses; six host bits will be needed. (Twoto the sixth power is 64, leaving 62 valid host addresses.) Compare thenetwork number to a subnet mask of /26.

The question: What is the smallest unused network number that can becreated while leaving the host bits at zero? There are only two networkbits in the 4th octet, representing 128 and 64 from left to right. Thenetwork number 64 is used by Network C; the next smallest possible

value is 128. Use this network for Network D, along with a subnet maskof /26.


ValidHosts

BroadcastAddress

< subnet

zero,not in use >

192.168.56.0 / 30 56.0 56.1, 56.2 56.3

Network A 192.168.56.4 / 30 56.4 56.5, 56.6 56.7

Network B 192.168.56.32 /27

56.32 56.33 56.62

56.63

1stOctet 2ndOctet 3rdOctet 4thOctetNetwork

192.168.56.0

11000000 10101000 00111000 00000000

/27 Subnet

Mask

11111111 11111111 11111111 11100000


ValidHosts

BroadcastAddress

< subnet

zero,not in use >

192.168.56.0 / 30 56.0 56.1, 56.2 56.3

Network A 192.168.56.4 / 30 56.4 56.5, 56.6 56.7

Network B 192.168.56.32 /27

56.32 56.33 56.62

56.63

Network C 192.168.56.64 /27

56.64 56.65 56.94

56.95

1stOctet 2ndOctet 3rdOctet 4thOctetNetwork192.168.56.0

11000000 10101000 00111000 00000000

/26 SubnetMask

11111111 11111111 11111111 11000000


27/29

The VLSM configuration is complete, and the single network 192.168.56.0has been used to configure an entire networks IP addressing.

Classless InterDomain Routing

Classless InterDomain Routing (CIDR) is an IP address conservationmethodology used by Internet Service Providers (ISP). Frankly, CIDR issimply subnetting and summarization performed at the ISP level. If you're"configuring CIDR", all you're doing is - you guessed it - subnetting andsummarization.

Using Summarization In ACLs

Your summarization skills can really come in handy when you're writingACLs as well. Let's say you need to deny packets sourced from thefollowing four networks while permitting all other sources.

172.12.4.0 /24 172.12.5.0 /24 172.12.6.0 /24 172.12.7.0 /24

You could certainly write a five-line ACL, and there would be no problem:

access-list 23 deny 172.12.4.0 0.0.0.255access-list 23 deny 172.12.5.0 0.0.0.255access-list 23 deny 172.12.6.0 0.0.0.255access-list 23 deny 172.12.7.0 0.0.0.255access-list 23 permit any

But you can summarize that third octet and write this entire ACL with oneline:

172.12.4.0 10101100 00001100 00000100 00000000

172.12.5.0 10101100 00001100 00000101 00000000

172.12.6.0 10101100 00001100 00000110 00000000

172.12.7.0 10101100 00001100 00000111 00000000


ValidHosts

BroadcastAddress

< subnet

zero, not inuse >

192.168.56.0 / 30 56.0 56.1,

56.2

56.3

Network A 192.168.56.4 / 30 56.4 56.5,56.6

56.7

Network B 192.168.56.32 /

27

56.32 56.33

56.62

56.63

Network C 192.168.56.64 /27

56.64 56.65 56.94

56.95

Network D 192.168.56.128 /

26

56.128 56.129

56.190

56.191


28/29

Using the summarization skills you've developed, you'll quickly see thatthese four networks have their first 22 bits in common, resulting in asummary of 172.12.4.0. This is an ACL, so we need a wildcard mask.With the first 22 bits set to zero and the last ten set to one, we have awildcard mask of 0.0.3.255.

So while there's nothing technically wrong with the four-line ACL, we canwrite the following two-line ACL and it does the exact same thing - a littlefaster!

R1(config)#access-list 24 deny 172.12.4.0 0.0.3.255R1(config)#access-list 24 permit any

Not only does this skill impress your friends, it just might impress Cisco!

Hot Spots And Gotchas

Know your numeric ACL ranges and watch 'em on the exam!

R1(config)#access-list ? IP standard access list IP extended access list Extended 48-bit MAC address access list IP standard access list (expanded range) Protocol type-code access list IP extended access list (expanded range)

48-bit MAC address access list dynamic-extended Extend the dynamic ACL abolute timer rate-limit Simple rate-limit specific access list

Standard ACLs match on the source IP address only.

Outbound ACLs are applied after the packets have been routed and sentto the outbound interface, but before they're queued. In contrast, inbound

ACLs are applied before the packets get to the routing engine. If packetsaren't going to be allowed out any interfaces on the receiving router, goahead and block them with an inbound ACL.

The ip access-list command is used to create named ACLs. Standard andextended ACLs are created with the access-list command. Both areapplied to interfaces with the ip access-group command and to VTY lines

with the ip access-class command.

Know your common port numbers for blocking and allowing traffic withACLs.

Explicit deny statements do not override the implicit deny. If an ACLcontains only deny statements, that ACL is effectively denying all traffic.

Standard ACLs should be placed as closely to the destination aspossible. Extended ACLs should be placed as closely to the source aspossible, especially when WANs are involved.

To see all ACLs and the number of matches for each line, use showaccess-list. To view one specific list, follow that command with the ACL


29/29

Documents

08.ACLs and Route Summarization