9. Standard Access Control List
Let us perform the lab tasks with the ACL. What we want to do here is that we have this lab setter first of all and you can see the IP addresses like that. We have done the configuration over these interfaces. These IP addresses are there, all the devices including the loop back addresses, they are running EIGRP and all the networks are advertised. So now, if I go to R three and if I check these loop backs are reachable or not, it should be reachable. Then what is the task? First of all, we’ll block all the loop back. It should be loop back, say all the loop back, whatever loop back we have starting from 00:24 from R one to Reach to R three with the ACL and then we’ll go and play around with the odd and even methodology means even will allow and all the odd will block with a single ACL statement. All right, so let me quickly show you. If I go to r three, and if I do show IP route for EAGP, you can see that I have the network that I’m getting from R one.
And if I go and do the ping so here you can see that I’m able to ping two, one, and then three one, and then four one as well. So all the loop addresses are reachable. Okay, great. So now what I want to do that I want to create access list and again we have option, we can create number ACL. We can go and create named ACL as well. So here what I will do. First of all, I want to deny one of the loop back just to show you. So deny 10 and then we should give the wildcard bit and then I’ll go and permit rest. So we’ll go and do the permit for 1010, 200-0255 like that. And now they should be applied to the interface. If I go and apply this to interface, what will happen? So here you can see the problem IP access group ten and in the inward direction that in the receiving end I’m applying you’ll see that with this the EIGRP will also go down. Why? Because you’re applying this policy coming inside here and then you are blocking the EIGRP advertisements as well. So let’s go back and see.
Here you can see EIGRP is down, I don’t have the EIGRP neighbor. So what we can do here that first of all, let me show you the access list. We have these statements. So I can go and create one more access list set in. And I’ll do permit any at the moment, I’ll do permit any next time we’ll go and see this thing, how we can play around this with the extended ACL, because in extended ACL, we can go and give the permission and that’s highly tunable. So now you can see that I am getting the EIGRP never back and we are getting this 1011 as well. But if you go and ping basically we are looking for these loop back network. You can see this 1010 eleven that is coming from R. One is not reachable. But if I go and check 1010 two, three and four, those are reachable. So let me quickly do the ping.
Four, two one and three one. These are reachable. Now what we have to do here first of all, let me quickly show you the ACL. So this is the ACL. And if you want to convert this in the name based ACL, you should go and use IP access list standard. And then you can give the name say loop back router one. Then you can go and give the same thing like permit or deny whatever. So you can go and give deny this then permit rest of the network. Okay? So this is one of the way that you can use it. Although I’m not applying this. But you can see that you can go and use the named waste ACL as well. Not only that, but here you can see that we have a remark option as well. This is our one loop back. So what will happen with this that in future if you go and check this, you’ll find that okay, you have the remark as well. So let me show you this how we can check the remark. And they should become inside the ACL actually ACL. So here you can see that you can go and check the remarks as well.
10. Extended Access Control List
Now let us learn about the Extended ACL. So what I’ll do, I’ll go and create few loopbacks here, say 2021 dot zero slash 24 2022 dot zero slash 24 and we’ll create a rule that 1010 10 and will communicate only with 20210. Likewise, three and four will go and communicate only with 20220. That’s the rule. That means 10 will not communicate, 3420 will not communicate with one two. Like that, we can go and create the Extended ACL. Although we are going to give only the permission related to source IP destination IP, but we can go and use or we can go and give TCP UDP or certain application permissions as well. Okay, so let’s go to the R three and meanwhile I’ll go and create view of the loop back, say 2002 1125-525-52550 and then loop back to 2002 two 1255-255-2550.
Now, if I go ahead and check in R one show IP route, you should get this 20 network. So if I ping, say 2021 one with the source of ten dot one dot one one, it should work. And if I ping with two one, it should work. But after the policy three dot one and four one should not work. Okay, so this is the policy we want to apply. Now when we are talking with respect to R one, I can go and apply this policy here in the inward direction where I’m learning those network over the fast Ethernet zero. So let’s do it. And we can go and use the named based Extended ACL as well. So I can go here and I can use IP access extended say look back to look back what I want, I want to permit the IP and who is the source, who is the destination.
So for example, the traffic with the source, say 2021 one, this is the source and the destination is say 1021 one, this is permitted. Then two one is permitted. Okay, then permit IP host and we have options. We can use host or I can go and use Wild card as well. Say 21000 is nothing but the host again, I can go and use say 1010. Likewise, I can go and use four dot. So what this access list is telling that you have permission from this host to this 21 one can access with these two IP and two one can access with these IP. We know that we have implicit denied to all. So that means apart from that, if we have any other traffic which is coming related to these IPS, they are going to be blocked, correct?
All right, so what I will do, I’ll go and apply this policy to F inward direction. So let’s go here and fast Ethernet F zero zero IP Access group say loop back to loop back inward direction. All right? So once we apply this and let’s see, because apart from these statements, all other statements are denied or implicitly denied. So we can go and check show IP EIGRP neighbor, so you can see that neighbor is down. Why? Because we are not giving EIGRP related statement here. So what I can do here that I should go to this statement and again, you can check the access list. Now, at this point of time, you can learn how to edit as well.
So if I go to this particular access list, say IP access list extended loop back to loop, and instead of adding all the lines one by one, again, I can go to line number 50 and I can permit EIGRP again, if you know what exact IP, you can give that exact IP. But I will do permit EIGRP ne I can see the cigarette is back. All right, so that means that policy is done. And if I go and ping, they should be working. And they should be working, but as per our rule, they should not work. And four dot one should also not work. But this should be reachable with 2022 one. So if I go and change the destination, shipping is 2022 One, and the source is 1010 three one, this will work. And even four dot one will also work. Now, when we are talking about extended ACL, so here you can see that what are the other things you can match? So you can match EIGRP espgre ICMP IGMP IP and IP nos object group. We can create object group as well. We have these many options. And we know that TCP and UDP is huge, that TCP is huge because most of the applications they are using TCP. So if I go to TCP, and then if I give, say, for example, any, it will ask you that TCP, which port is it equal to? Greater than, less than, equal to, not equal to all these options we have. Now, suppose if I go and do equal to, then it will give me the option to 65,000 port numbers. And that’s the power and capability we have with the extended ACL, right? So this was the last related to a standard. And then we have done the extended SEO lab.
11. Control Plane Policy
Over the Cisco devices. We know that we have three different type of plane. We have the control plane, management plane and the data plane. Now how we are going to protect the control plane, that’s all about information about cop. So we are going to create a policy over the control plane and then we can apply that policy to protect the control plane. Related traffic means that we can limit the traffic because the end goal is that we should not break the control plane. So control plane we should limit that how much traffic is coming and heading to the control plane. Now you’ll find that you have one default policy already there in the controller. The name of that default control plane policy is policy default Autocop. Now this particular policy, if you go and check you’ll find that you have multiple class map and those are called inside policy map.
So what type of class map you have, we can see here, let me highlight a few of them. So I have class map match any and this is just the name. So class cop, ICMP redirect unreachable. So what I want, I want to limit the redirect IP redirect packets or ICMP redirect packets that is reaching towards control plan. Because these traffics are processed, are queried to the control plan and control plan should not be busy enough just to process or just to answer these packets. Apart from that you can see that you have the Glean receives option broadcast, multicast, ACL, SLB, MTU fail, TTL fail, app swooping. All these traffic that you are seeing here, that is termed inside the class map. And again these are just the name they are going to hit the control plane. And if they go and hit the control plane, so that means the process, the CPU cycle will increase and there are chances that the router will get crashed.
Now again you can see slide one, slide two slightly, they adjust the class map, but I have to call this class map inside the policy map and then I have to put the policy. So here you can see that I have one policy and again these are the default setting. So I have one policy called policy default Autocop inside that I am calling classmap with this and what I am doing, so I am telling that okay, pull this rate ten PPS burst for one packet, confirm action drop, exceed action drop. So what is happening say in terms of QS, in terms of quality of service, we know these terms that you have certain threshold. So you have B sub C, that is again you have B sub E, excessive burst and confirm burst. Now here you can see that you have confirmed burst and again you have the excessive action. So here you have options that you can transmit and again you have options that you can drop as well.
And if you transmit, then you can go and drop at the level of exclusion. So it’s up to us that at what level we want to process and we want to drop. If we want to give certain buffer in between B sub C and B sub A we can go and give. So here you can see that for different class map that we have for example cop multicast version six, the policy rate and the packets. Now it’s not necessary that although you have the class map and the policy map or the policy your router having these traffic, it’s not required. These classes are there. If those traffic are there, then they will get polished in the control plane. So my control plan will be protected. So maybe I’m not running IPV six but still I have IPV six related class map. If in case in future I will go and use IPV six then my control plane will be protected. So I have highlighted view of the class map and then you can see the burst action and the confirm action. Like that you have all the different classes that we have checked in earlier, three slides and their accessibility and the confirmed burst and what actions we have. This is here. So for example, let me go back if I can have the ICMP unreachable so here you can see that ICMP redirect unreachable for that transmit and then in x direction I am dropping. So I’m giving 100 PPS burst is ten packet and then it is transmitted but at the level of excessive it will go and get dropped.
Now how we can go and configure? I will show you in the lab that this is the default configuration. But if you know the system, if you know all these protocols and if you know all these class obviously in my system I know I can do the classification of traffic then I can go and do the configuration of Cop. How it can be, you can create the ACL. If you want to put those ACL inside the class map you can do it. Now, we already know that how we can go and create the ACL. So ACL estops we know from the previous section then I can go and create the class map and then I can match in the match option here you can see that I can go and match the IP precedence, I can go and match the access group that I have created on the top.
So these things you can match but again you can create the class map and then you can match the DSP. It’s up to us, that how we are going to create and apply the policy and the last thing is that you create the policy map and then you call the class and then you can go and apply the policy. So here you can see the policies and what is the exceed rate, what is the confirm action, the policy rate, et cetera. So once we create this policy, then we should go to the control plane. So from global config I can go to the control plane and then inside control plane I can go and use service policy input the service policy name that we have created. Now while we are doing this own customization, while we are creating the own control plane policy so we should now understand what important protocols that we are running.
So for example BGP then I can go and create BGP related control policies IGP here you can see the Eigrposp rep et cetera management protocols reporting protocols, monitoring options related to ICMP trace route critical application related control plane policies. Also we can create layer two protocols. Also we can go and add some undesirable traffic that we are getting or getting complained from somewhere that also we can put and then finally we have the default also so we can go and put the default control plane rate limit as well. Now, once we create the policy, then we have options that we can go and check the show policy map control plane, and then we can go and although this output is cut, but you can go and verify whatever. Classes class map you have. You can go and check the counters as well because we have done the setting for the policies, committed burst and excessive burst. So we can go and do that. All right, and then again if you want to see the drops so we have the show platform Qsip, we can go and check the ACL related to control plane SEO as well. All right, so this is the way that we can go and configure the cop policy. Let me stop here and in next section I will go log into the device and I’ll show you how you can build your own policy.