Chapter 11: Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists
Terms in this set (35)
The purpose of an access control list
Is to identify traffic based on different criteria such as source or destination IP address, source or destination port numbers, transport layer protocols, quality of service (QoS) markings, and so on.
How an ACL functions
Top down processing: An ACL is made up of various entries; these entries are processed from the top of the ACL to the bottom of the ACL in order.
Immediate execution upon a match: The very first entry that matches the values in the packet that are being compared will be the entry that is used. This may be a permit entry or a deny entry and will dictate how the packet is treated based on the ACL implementation. If there is another entry later in the ACL that matches, it does not matter. Only the first entry that matches matters.
Implicit deny any: If there is no matching entry for the packet, the packet is automatically denied based on the invisible implicit deny any entry at the end of an ACL.
Sample Standard Numbered ACL
Router#show access-lists
Standard IP access list 1
5 deny 10.1.1.5
10 permit 10.1.1.0, wildcard bits 0.0.0.63 (1 match)
20 deny 10.1.1.64, wildcard bits 0.0.0.63
30 permit 10.1.1.0, wildcard bits 0.0.0.255
The extended ACL can take
Source and destination addresses, source and destination port numbers, protocols, and other parameters that give you granular control over what you are trying to match. Also remember that standard and extended IPv4 ACLs can be named instead of numbered.
Sample Extended Numbered ACL
R1#show access-lists 100
Extended IP access list 100
10 deny tcp host 10.1.1.5 host 192.0.2.1 eq www
20 permit tcp 10.1.1.0 0.0.0.63 host 192.0.2.1 eq telnet
30 deny ip 10.1.1.64 0.0.0.63 host 192.0.2.1
40 permit ip 10.1.1.0 0.0.0.255 any
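The two sample ACLs above are easy to misread, because several entries overlap (10.1.1.5 is also inside 10.1.1.0 0.0.0.63 and inside 10.1.1.0 0.0.0.255). The evaluator below is an added example written for this page, not IOS code or output; it implements the three processing rules (top-down, first match wins, implicit deny any), decodes Cisco wildcard masks, and loads both sample lists so you can see which entry a given packet hits and which later entries would also have matched but are never reached. The Packet and Entry classes, the www=80 and telnet=23 port mapping, and the test packets are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol (what a standard ACL implies)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # default wildcard = any
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # standard ACLs never look at the destination
    dst_port: Optional[int] = None   # 'eq <port>' on the destination; None = any port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match -> the invisible 'deny any' (seq None)."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


def all_matching_seqs(acl: List[Entry], p: Packet) -> List[int]:
    """Every entry that would match this packet; only the first is ever used."""
    return [e.seq for e in acl if entry_matches(e, p)]


# "Standard IP access list 1" from the page, transcribed into Entry objects.
STANDARD_ACL_1 = [
    Entry(5, "deny", src="10.1.1.5", src_wc="0.0.0.0"),
    Entry(10, "permit", src="10.1.1.0", src_wc="0.0.0.63"),
    Entry(20, "deny", src="10.1.1.64", src_wc="0.0.0.63"),
    Entry(30, "permit", src="10.1.1.0", src_wc="0.0.0.255"),
]

# "Extended IP access list 100" from the page (assumed: www = 80, telnet = 23).
EXTENDED_ACL_100 = [
    Entry(10, "deny", "tcp", "10.1.1.5", "0.0.0.0", "192.0.2.1", "0.0.0.0", 80),
    Entry(20, "permit", "tcp", "10.1.1.0", "0.0.0.63", "192.0.2.1", "0.0.0.0", 23),
    Entry(30, "deny", "ip", "10.1.1.64", "0.0.0.63", "192.0.2.1", "0.0.0.0"),
    Entry(40, "permit", "ip", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    # Constructed test packets; 10.1.1.5 matches entries 5, 10 and 30 but only 5 counts.
    for src in ("10.1.1.5", "10.1.1.10", "10.1.1.70", "10.1.1.200", "10.1.2.1"):
        p = Packet(src, "192.0.2.1")
        print(src, evaluate(STANDARD_ACL_1, p), "would match:", all_matching_seqs(STANDARD_ACL_1, p))
    for p in (Packet("10.1.1.5", "192.0.2.1", "tcp", 80), Packet("10.1.1.5", "192.0.2.1", "tcp", 23),
              Packet("10.1.1.70", "192.0.2.1", "udp", 53), Packet("10.1.1.70", "198.51.100.9", "tcp", 443)):
        print(p, evaluate(EXTENDED_ACL_100, p))
```

Note that entry 20 in the extended list permits telnet from 10.1.1.5 even though entry 10 denies that host: entry 10 only covers TCP port 80, so the "deny the host" intent is not what the list actually enforces. The all_matching_seqs output is the quickest way to find shadowed entries like these when a counter on show access-lists never increments.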
Using an ACL for packet filtering requires you to
Apply the ACL to an interface
Verifying Access Lists Applied to Interfaces
show ip interface interface_type interface_number command (look for the "Inbound access list is" and "Outgoing access list is" lines).
By default, an ACL you apply is active
The entire time it is applied, unless an entry references a time-range; such an entry is active only while that time range is active.
Verifying a Time Range
show time-range AFTERHOURS displays the AFTERHOURS time range, including whether it is currently active or inactive and which ACL entries use it.
Viewing the Time on a Cisco Router
show clock. Time-based ACL entries follow the router's own clock, so verify it (and ideally synchronize it with NTP) before trusting a time range.
Verifying ACLs Configured on R1
R1#show ip access-lists
Reading an IPv6 ACL
Top-down processing: An ACL is made up of various entries; these entries are processed from the top of the ACL to the bottom of the ACL in order.
Immediate execution upon a match: The very first entry that matches the values in the packet that are being compared will be the entry that is used. This may be a permit entry or a deny entry and will dictate how the packet is treated based on the ACL implementation. If there is another entry later in the ACL that matches, it does not matter. Only the first entry that matches matters.
Implicit permit icmp nd: Two invisible entries, permit icmp any any nd-na and permit icmp any any nd-ns, sit just above the implicit deny so that IPv6 Neighbor Discovery (NS and NA messages) keeps working. They come after every configured entry, so an explicit deny ipv6 any any at the end of the list blocks Neighbor Discovery unless you also configure explicit permits for nd-na and nd-ns above it.
Implicit deny any: If there is no matching entry for the packet, the packet is automatically denied based on the invisible implicit deny any entry at the end of an ACL.
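The IPv6 processing rules above differ from IPv4 in one place that bites in practice: the implicit tail is three entries, not one, and an explicit deny ipv6 any any is evaluated before it. The simulation below is an added example written for this page, not IOS code; it appends the implicit tail to a constructed ACL and shows that the same list with an explicit deny-any added (a common change when someone wants to log denies) silently stops Neighbor Solicitation and Neighbor Advertisement. The V6Packet and V6Entry classes, the sample prefixes and the probe packets are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class V6Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None  # "nd-ns", "nd-na", "echo-request", ...


@dataclass
class V6Entry:
    action: str
    proto: str                       # "ipv6" matches any protocol
    src: str                         # prefix; "::/0" = any
    dst: str
    icmp_type: Optional[str] = None  # None = any ICMPv6 type
    implicit: bool = False           # True for the invisible entries IOS appends


# The three invisible entries at the end of every IPv6 ACL, in this order.
IMPLICIT_TAIL = [
    V6Entry("permit", "icmp", "::/0", "::/0", "nd-na", implicit=True),
    V6Entry("permit", "icmp", "::/0", "::/0", "nd-ns", implicit=True),
    V6Entry("deny", "ipv6", "::/0", "::/0", implicit=True),
]


def entry_matches(e: V6Entry, p: V6Packet) -> bool:
    if e.proto != "ipv6" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    return True


def evaluate(configured: List[V6Entry], p: V6Packet) -> V6Entry:
    """Top-down over the configured entries, then the implicit tail; first match wins."""
    for e in configured + IMPLICIT_TAIL:
        if entry_matches(e, p):
            return e
    raise AssertionError("unreachable: the implicit deny matches everything")


def neighbor_discovery_survives(configured: List[V6Entry]) -> bool:
    """Pre-apply sanity check: would NS and NA still be permitted by this ACL?"""
    probes = [V6Packet("fe80::1", "ff02::1:ff00:10", "icmp", "nd-ns"),
              V6Packet("fe80::1", "fe80::2", "icmp", "nd-na")]
    return all(evaluate(configured, p).action == "permit" for p in probes)


# Constructed ACL: block one source prefix, allow TCP into the LAN, rely on the implicit tail.
FILTER_OK = [
    V6Entry("deny", "ipv6", "2001:db8:bad::/48", "::/0"),
    V6Entry("permit", "tcp", "::/0", "2001:db8:1::/64"),
]
# Same ACL with an explicit 'deny ipv6 any any' appended: ND is now blocked.
FILTER_BROKEN = FILTER_OK + [V6Entry("deny", "ipv6", "::/0", "::/0")]
# Corrected: explicit ND permits placed above the explicit deny.
FILTER_FIXED = FILTER_OK + [
    V6Entry("permit", "icmp", "::/0", "::/0", "nd-na"),
    V6Entry("permit", "icmp", "::/0", "::/0", "nd-ns"),
    V6Entry("deny", "ipv6", "::/0", "::/0"),
]

if __name__ == "__main__":
    ns = V6Packet("fe80::1", "ff02::1:ff00:10", "icmp", "nd-ns")
    for name, acl in (("ok", FILTER_OK), ("broken", FILTER_BROKEN), ("fixed", FILTER_FIXED)):
        hit = evaluate(acl, ns)
        print(name, hit.action, "(implicit)" if hit.implicit else "(explicit)",
              "ND survives:", neighbor_discovery_survives(acl))
```

Run neighbor_discovery_survives against a transcribed ACL before applying it inbound on a LAN interface; the symptom of getting this wrong on a real router is hosts whose neighbor cache entries go INCMP or STALE and never recover while the ACL counters show hits on the explicit deny.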
Verifying IPv6 Access Lists Applied to Interfaces
R1#show ipv6 interface gigabitEthernet 0/0
Although an ACL can give you extremely granular control of the traffic you want to match, it lacks the ability to
Identify routes based on a subnet mask. An ACL entry only compares the network address, so the routes 10.1.1.0/24 and 10.1.1.0/25 look identical to it.
When matching routes for route filtering
ACLs do not give you granular control; prefix lists, which match on both the address and the prefix length, do.
Sample IPv4 Prefix List
There are two different ways to read a prefix list entry.
It depends on whether the entry ends with le (less than or equal to) or ge (greater than or equal to), or neither.
No ge or le
The prefix is treated as an address and a subnet mask: both the network address and the prefix length must match exactly. For example, permit 10.0.0.0/8 matches only the route 10.0.0.0/8, not 10.1.0.0/16.
There is a ge or le
The prefix is treated as an address and a wildcard mask: only the first length bits of the route are compared, and ge/le give the range of prefix lengths that match (ge alone means up to /32, le alone means from the entry's own length). For example, permit 10.0.0.0/8 ge 24 le 24 matches every /24 inside 10.0.0.0/8 (10.1.1.0/24, 10.2.2.0/24, and so on) but not 10.0.0.0/8 itself, and permit 0.0.0.0/0 le 32 matches every IPv4 route.
Prefix List Processing
Top-down processing
Immediate execution upon a match
Implicit deny any
Because there is an implicit deny any at the end of a prefix list
You need at least one permit statement in a prefix list or everything will be denied.
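The two ways of reading a prefix-list entry, together with the processing rules just listed, are easier to trust once you can run them. The evaluator below is an added example written for this page, not IOS code or output: an entry without ge/le is an exact address-and-length match, an entry with ge/le compares only the leading bits and checks the route's length against the [ge, le] window, and a list with no match falls through to the implicit deny. The PrefixEntry class, the sample list and the test routes are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str              # "permit" or "deny"
    prefix: str              # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(e: PrefixEntry, route: str) -> bool:
    net = ipaddress.ip_network(e.prefix)
    r = ipaddress.ip_network(route)
    if r.version != net.version:
        return False
    if e.ge is None and e.le is None:
        # No ge/le: address AND mask must both match exactly.
        return r == net
    # ge/le present: only the first <len> bits are compared (like a wildcard mask)
    # and the route's own length must fall inside [ge, le].
    lo = e.ge if e.ge is not None else net.prefixlen
    hi = e.le if e.le is not None else net.max_prefixlen
    return r.subnet_of(net) and lo <= r.prefixlen <= hi


def evaluate(plist: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match -> implicit deny (seq None)."""
    for e in plist:
        if entry_matches(e, route):
            return e.action, e.seq
    return "deny", None


def permitted(plist: List[PrefixEntry], routes: List[str]) -> List[str]:
    """What would survive this prefix list if it were applied as a route filter."""
    return [r for r in routes if evaluate(plist, r)[0] == "permit"]


# Constructed sample list exercising both reading rules.
SAMPLE = [
    PrefixEntry(5, "deny", "10.1.1.0/24"),                  # exact: only 10.1.1.0/24
    PrefixEntry(10, "permit", "10.0.0.0/8", ge=24, le=24),  # every /24 under 10/8
    PrefixEntry(15, "permit", "192.168.0.0/16", le=24),     # 192.168/16 and its /17../24 subnets
    PrefixEntry(20, "permit", "0.0.0.0/0"),                 # exact: the default route only
]

if __name__ == "__main__":
    routes = ["10.1.1.0/24", "10.2.2.0/24", "10.2.0.0/16", "192.168.0.0/16",
              "192.168.4.0/22", "192.168.4.0/25", "0.0.0.0/0", "172.16.0.0/12"]
    for r in routes:
        print(r, evaluate(SAMPLE, r))
    print("permitted:", permitted(SAMPLE, routes))
```

Compare the last two entries: permit 0.0.0.0/0 admits only the default route, whereas permit 0.0.0.0/0 le 32 would admit everything. Mixing those two up is the classic prefix-list mistake, and because of the implicit deny the wrong one produces an empty routing table rather than an error.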
Verifying Routes in R1's Routing Table
show ip route
Verifying Whether There Are Any Route Filters on R1
R1#show ip protocols
Reviewing the Prefix List on R1
R1#show ip prefix-list
Reviewing the Updated Prefix List on R1
R1#show ip prefix-list
Displays all the access lists configured on the device
show access-lists
Displays all the IPv4 access lists configured on the device
show ip access-lists
Displays all the IPv6 access lists configured on the device
show ipv6 access-list
Displays the inbound and outbound IPv4 access lists applied to an interface
show ip interface interface_type interface_ number
Displays the inbound and outbound IPv6 access lists applied to an interface
show ipv6 interface interface_type interface_number
Displays any time ranges that have been configured on the device
show time-range
Displays the date and time on the device
show clock
Displays the IPv4 prefix lists configured on the device
show ip prefix-list
Displays the IPv6 prefix lists configured on the device
show ipv6 prefix-list
Displays the IPv4 routing protocols running on the router/multilayer switch and can identify whether there are any filters (such as prefix lists) applied inbound or outbound
show ip protocols