access list and route map review notes

Post on 22-May-2015


Page 1: Access List And Route Map Review Notes

October 9, 2011

Route Maps and Access-Lists

Access-lists contain very simple logic.

A) access-lists 1-99 (standard access-lists) will permit or deny all IP traffic from a particular source

B) access-lists 101-199 (extended access-lists) extend this functionality, allowing you to permit/deny with more granularity, for example by specifying both source and destination address, Layer 4 protocols and port numbers (e.g. TCP/UDP), and Layer 3 protocols other than plain IP (e.g. ICMP).

The syntax for standard access-lists is as follows:

"My intent is to permit all IP traffic from host [host-ip-address]"
"My intent is to permit all traffic from [subnet] [wildcard-mask]"
"My intent is to deny all IP traffic from host [host-ip-address]"
"My intent is to deny all traffic from [subnet] [wildcard-mask]"

For example, say you want to allow all IP traffic from 192.168.1.0/24. The access-list is simple:

access-list [1-99] permit 192.168.1.0 0.0.0.255

The syntax for extended access-lists is slightly different:

"My intent is to [permit/deny] [type-of-traffic] going from [source-address] [source-wildcard-mask] to [destination-address] [destination-wildcard-mask] [optional port-number]"

Let's say you would like to permit all Telnet traffic going from 192.168.1.0/24 to a device at 192.168.2.1.

Telnet uses TCP port 23 and here is how you would write the extended access-list:

access-list [101-199] permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23

In English, this access-list permits TCP from 192.168.1.0/24 to the host whose address is 192.168.2.1 where the TCP port number is 23.

How to apply access-lists to route-maps

Believe me, there is nothing tricky about doing this. A route-map is a way of influencing the routing decision made by a routing device. The basic syntax of a route-map is shown after the worked example below.


As you build up your route-map you simply increase the sequence number for each match you want to do. Once you have created your route-map you must then apply it to a router interface e.g.

int fa0/0
 ip policy route-map [route-map-name] <---the command takes no in/out keyword; policy routing always acts on packets arriving on the interface

Match criteria.

1) There are a number of things that we can match on, but what we will focus on is how we can influence traffic flows through a router, using the match ip address [access-list-number] command.

The extended access-list in my earlier example called for allowing Telnet traffic from 192.168.1.0/24 to be able to reach host 192.168.2.1.

Let's take that example a bit further and say that we want to make all Telnet traffic going from 192.168.1.0/24 to host 192.168.2.1 which has entered my router's fa0/0 interface to leave my router's Serial0/0 interface. We could use that access-list and apply it to our route-map (I've called it MYMAP):

access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23

route-map MYMAP permit 10
 match ip address 101 <---this line refers to access-list 101
 set interface Serial0/0

int fa0/0
 ip policy route-map MYMAP <---applies the MYMAP route-map to packets arriving on fa0/0 (the command takes no in/out keyword; policy routing only ever acts on inbound packets)

For reference, this is the basic route-map syntax referred to on page 1:

route-map [route-map-name] [permit/deny] [sequence-number]
 match [condition]
 set [what-you-want-to-do-with-the-packet-if-it-matches-the-match-criteria]


How does the router service the route-map?

Actually it is very logical.

A) Starts at the lowest sequence number until it finds a match. Let's take a tour.

 a. Host at 192.168.1.1 tries to Telnet to 192.168.2.1 and the packet is received on fa0/0 of our router.

 b. Knock... Knock on door at fa0/0
  i. Who's there?
   1. Route-map
  ii. Route-map who?
   1. MYMAP
    a. To check the match criteria. The example above tells the router to check access-list 101.
    b. The packet received matches access-list 101, so the router returns to the route-map.

B) And the set command tells it to forward this traffic out of Serial0/0.

What if there is no match found?

If there is no match then the router will route the packet based on the contents of the routing table.

a. If a host at 192.168.3.1 tried to Telnet to 192.168.2.1 and the packet is received through fa0/0 of our router, the router will look into MYMAP, then at access-list 101, realise that access-list 101 does not match 192.168.3.1 as a source address and will return to the route-map looking for the next highest sequence number. In our example there is not another sequence number so the router will simply forward the traffic based upon the contents of its routing table (i.e. what it would do if there was no route-map applied to the fa0/0 interface).


How could we use route-maps to drop traffic?

C) If no match is found then the packet will be forwarded according to the contents of the routing table, so how can I influence that?

Generally, you would drop traffic on an interface using an access-list applied directly to the interface; however, it can also be done using a route-map.

Let's say you want to have control over all traffic coming in on fa0/0 of our router and want to drop anything that doesn't match our defined criteria. Let's say I have created access-lists 101-105 which specify my criteria. My route-map would look as follows:

route-map MYMAP permit 10
 match ip address 101 <---this line refers to access-list 101
 set interface Serial0/0
route-map MYMAP permit 20
 match ip address 102 <---this line refers to access-list 102
 set interface Serial0/1
route-map MYMAP permit 30
 match ip address 103 <---this line refers to access-list 103
 set interface Serial0/2
route-map MYMAP permit 40
 match ip address 104 <---this line refers to access-list 104
 set interface Serial0/3
route-map MYMAP permit 50
 match ip address 105 <---this line refers to access-list 105
 set interface Serial0/4

Now I want to deny everything else.

Remember the Null0 interface, what I like to call the Packet Garbage Disposal (that is where packets that need to be dropped get chopped up and sent down the drain)?

Examine this route-map statement:

route-map MYMAP permit 60
 set interface Null0

What happened there? Where has the match statement gone?

You don't need it.
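To make the behaviour described in these notes concrete, here is an added example in Python (my own code, not from the notes and not an IOS implementation) that models the pieces the notes walk through: wildcard-mask matching for standard and extended access-lists including the implicit deny at the end of every list, servicing a route-map from the lowest sequence number, falling back to the routing table when no clause matches, and Null0 as the drop. The configuration it loads (MYMAP with access-list 101 at sequence 10 and a match-less Null0 clause at sequence 60) follows the notes' example; the routing table entries, the `forward` helper and the `Packet`/`AclEntry` names are constructed for the example.

```python
# Added example (not from the notes): a Python model of the IOS behaviour the notes describe.
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))
AclEntry = namedtuple("AclEntry", "action proto src dst dport")  # src/dst = (base, wildcard)

def entry_matches(e, p):
    """One access-list entry: protocol ('ip' = any), source, destination, optional 'eq' port."""
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst)
            and (e.dport is None or e.dport == p.dport))

def _addr(t):
    """Consume one address spec: 'host A', 'any', 'A WILDCARD' or a bare 'A' (single host)."""
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if len(t) < 2 or t[1] == "eq":
        return (t[0], "0.0.0.0"), t[1:]
    return (t[0], t[1]), t[2:]

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ...' into (N, AclEntry)."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:   # standard list: source only, all IP traffic, any destination
        return number, AclEntry(action, "ip", _addr(rest)[0], ("0.0.0.0", "255.255.255.255"), None)
    proto, rest = rest[0], rest[1:]   # extended: protocol, source, destination, optional port
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return number, AclEntry(action, proto, src, dst, dport)

def acl_permits(entries, p):
    """First matching entry decides; every access-list ends with an implicit deny."""
    for e in entries:
        if entry_matches(e, p):
            return e.action == "permit"
    return False

def parse_route_map(text):
    """Parse 'route-map NAME permit|deny SEQ' blocks and their match/set lines into {name: [clauses]}."""
    maps, cur = {}, None
    for t in (line.split() for line in text.splitlines()):
        if t and t[0] == "route-map":   # match_acl None = no match statement, so it matches everything
            cur = SimpleNamespace(seq=int(t[3]), action=t[2], match_acl=None, set_interface=None)
            maps.setdefault(t[1], []).append(cur)
        elif t[:3] == ["match", "ip", "address"]:
            cur.match_acl = int(t[3])
        elif t[:2] == ["set", "interface"]:
            cur.set_interface = t[2]
    for clauses in maps.values():
        clauses.sort(key=lambda c: c.seq)   # serviced from the lowest sequence number upwards
    return maps

def routing_table_lookup(table, dst):
    """Longest-prefix match over [(prefix, interface)]; None = no route."""
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in table
            if ipaddress.IPv4Address(dst) in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def policy_route(clauses, acls, table, p):
    """First clause whose access-list permits the packet (or that has no match) wins; a permit
    clause applies its set, a deny clause or a missing set falls back to the routing table.
    Returns the outgoing interface, or None when the packet is dropped (Null0 or no route)."""
    for c in clauses:
        if c.match_acl is not None and not acl_permits(acls.get(c.match_acl, []), p):
            continue            # no match here: try the next highest sequence number
        if c.action == "deny" or c.set_interface is None:
            break               # matched, but policy routing has nothing to set
        return None if c.set_interface == "Null0" else c.set_interface
    return routing_table_lookup(table, p.dst)

# Constructed configuration following the notes' example (MYMAP and access-list 101).
ACL_LINES = ["access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23"]
ROUTE_MAP = """
route-map MYMAP permit 10
 match ip address 101
 set interface Serial0/0
route-map MYMAP permit 60
 set interface Null0
"""
ROUTING_TABLE = [("192.168.2.0/24", "Serial0/1"), ("0.0.0.0/0", "Serial0/2")]  # constructed

def forward(p, with_null0_clause=True):
    """Policy-route one packet through MYMAP; with_null0_clause=False leaves out sequence 60."""
    acls = {}
    for line in ACL_LINES:
        n, e = parse_acl_line(line)
        acls.setdefault(n, []).append(e)
    clauses = [c for c in parse_route_map(ROUTE_MAP)["MYMAP"]
               if with_null0_clause or c.set_interface != "Null0"]
    return policy_route(clauses, acls, ROUTING_TABLE, p)
```

Calling `forward(Packet("192.168.1.1", "192.168.2.1", "tcp", 23))` returns "Serial0/0" (matched at sequence 10); the same Telnet packet from 192.168.3.1 returns "Serial0/1" from the routing table when sequence 60 is left out, and None (dropped on Null0) once the match-less sequence 60 is present. Note that any traffic the earlier sequences do not match, such as port 22 from 192.168.1.1, also ends up at Null0, which is exactly why the notes frame the match-less clause as "deny everything else".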