more than one ACL for one interface 1

Status
Not open for further replies.

jablko

Technical User
Feb 16, 2003
5
PL
Hello everybody.

I use a Cisco 2600 router, but I haven't got much experience in using routers, so I would like to ask about ACLs.
As far as I know, there is a 'deny' condition at the end of each access list. I constructed access lists like these:

access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 21 log
access-list 102 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 80 log
access-list 103 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 23 log

and I added all of them to interface Ethernet0/0. It works! My access lists permit only www, telnet and ftp packets.
Could you explain how it works? In my opinion, the 'deny' condition in ACL 101 should drop packets and not allow ACLs 102 and 103 to check packets.
I will be grateful to you for helping me.
 
First I'll start with the definition of an ACL. An ACL is a group of statements that define how packets enter inbound interfaces, relay through the router, and exit outbound interfaces. The order in which you place ACL statements is important. When the router is deciding whether to forward or block a packet, the Cisco Internetwork Operating System (IOS) software tests the packet against each condition statement, in the order in which the statements were created. By matching the first test, a packet is denied access to the destination. It is discarded and dropped, and it is not exposed to any ACL tests that follow. If the packet does not match conditions of the first test, it drops to the next statement in the ACL.


Travis McGuire
CCNA, Network+, A+
 
Also, you can only have one access list per direction (in/out) per port. You can have one inbound and one outbound at the same time, but not more than one in the same direction. You will need to consolidate your 102 and 103 lines into ACL 101.

Like this:
access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 21 log
access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 80 log
access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 23 log

The implied 'deny all' will block the rest.
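The first-match rule and the one-list-per-direction rule described in the two replies above, as an added example that is not part of the original thread: a small Python model of how IOS evaluates a numbered extended ACL. It parses the three separate lists from the question and the consolidated list 101 from the reply, applies them to a modelled interface, and shows that applying 101, 102 and 103 in turn leaves only the last one in effect (the model replaces the previous list when a second `ip access-group` is entered for the same direction, which is what IOS does), while the consolidated list permits ports 21, 80 and 23 and drops everything else through the implicit deny. The host addresses are taken from the thread; port 25 and the out-of-range source are constructed for the demonstration, and the matcher covers only protocol, wildcard-masked source/destination and `eq <port>`.

```python
"""Model of Cisco IOS extended ACL evaluation: statements are tested in order,
the first match decides, and a packet matching nothing hits the implicit deny.
Also models the 'one access-group per direction per interface' rule."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    dport: Optional[int]   # value of "eq N"; None matches any port
    log: bool


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard mask: 0 bits must match the network, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)


def parse_acl_lines(lines):
    """Parse 'access-list N permit|deny PROTO SRC WILD DST WILD [eq PORT] [log]'.
    Returns {list_number: [Entry, ...]} with statement order preserved."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list":
            raise ValueError(f"unsupported statement: {line!r}")
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        entry = Entry(tok[2], tok[3], tok[4], tok[5], tok[6], tok[7], dport, "log" in tok)
        acls.setdefault(int(tok[1]), []).append(entry)
    return acls


def evaluate(entries, pkt: Packet):
    """Return (action, matching Entry or None). The first matching statement
    decides; no match falls through to the implicit 'deny any'."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, e.src_net, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e
    return "deny", None


class Interface:
    """Holds at most one access list per direction, like 'ip access-group N in'."""
    def __init__(self):
        self.groups = {"in": None, "out": None}

    def access_group(self, num: int, direction: str):
        # A second access-group in the same direction replaces the first;
        # the lists are never chained.
        self.groups[direction] = num

    def filter(self, acls, pkt: Packet, direction: str = "in") -> str:
        num = self.groups[direction]
        if num is None:
            return "permit"          # no list applied: traffic is not filtered
        return evaluate(acls[num], pkt)[0]


SEPARATE = [  # the three one-statement lists from the question
    "access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 21 log",
    "access-list 102 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 80 log",
    "access-list 103 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 23 log",
]
CONSOLIDATED = [  # the single list suggested in the reply
    "access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 21 log",
    "access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 80 log",
    "access-list 101 permit tcp 131.108.140.0 0.0.0.255 131.108.110.0 0.0.0.255 eq 23 log",
]
PORTS = (21, 80, 23, 25)   # 25 is a constructed 'everything else' probe


def results_separate():
    """Apply 101, 102 and 103 inbound on e0/0 one after another."""
    acls = parse_acl_lines(SEPARATE)
    e0 = Interface()
    for num in (101, 102, 103):
        e0.access_group(num, "in")
    return {p: e0.filter(acls, Packet("tcp", "131.108.140.2", "131.108.110.2", p)) for p in PORTS}


def results_consolidated():
    """Apply the single consolidated list 101 inbound on e0/0."""
    acls = parse_acl_lines(CONSOLIDATED)
    e0 = Interface()
    e0.access_group(101, "in")
    return {p: e0.filter(acls, Packet("tcp", "131.108.140.2", "131.108.110.2", p)) for p in PORTS}


if __name__ == "__main__":
    print("three lists applied in turn:", results_separate())
    print("one consolidated list:      ", results_consolidated())
```

With the three lists applied in turn only 103 survives, so FTP and HTTP are dropped by the implicit deny; with the consolidated list all three services pass and port 25 is dropped.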


 
I use 'syslog' to report traffic on Ethernet0/0 only for ports 21, 23 and 80. What's more, I have to know which port is used by each packet. I recognize packets and ports by the number of the ACL (ACL 101 for port 21, ACL 102 for port 80, ACL 103 for port 23), so I can't consolidate my three access lists into one.
 
Syslog will still show packets and port differences when using one ACL.

Perhaps I don't understand your problem. But you can only have "one" ACL assigned to a port in a certain direction at one time. You can't assign all 3 ACLs to the port at the same time.

Maybe I'm not understanding what you are saying.
 
As I understood it, you think that I can't assign 3 ACLs to ONE port at the same time. But I assigned one ACL for port number 80, one ACL for port number 21 and one ACL for port number 23. So I use ONE ACL for one port at the same time. Syslog has returned something like this:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1052) -> 131.108.110.2(21), 14 packets
%SEC-6-IPACCESSLOGP: list 102 permitted tcp 131.108.140.2(1061) -> 131.108.110.2(80), 15 packets
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 131.108.140.2(1068) -> 131.108.110.2(23), 3 packets

But your solution (one ACL with three conditions) seems better. I suppose that I'll get something like this:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1052) -> 131.108.110.2(21), 14 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1061) -> 131.108.110.2(80), 15 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1068) -> 131.108.110.2(23), 3 packets

Please answer if I didn't understand you well.
 
What's confusing me is that I'm thinking you're saying that you're applying the 3 different lists to the same interface at the same time.

As in:

int e0/0
ip access-group 101 in
ip access-group 102 in
ip access-group 103 in

Which, according to Cisco, isn't permitted. Unless they've changed something in a recent IOS release that I'm not familiar with.

That's why I'm saying to combine them into one. Then it would look like this and cover everything at once.

int e0/0
ip access-group 101 in

Or, I may be misunderstanding, and you're actually only applying them one at a time as needed. In which case, they would work just fine.

It looks like you're getting the information you need though.
 
You can have a bunch of ACLs defined on your router at a time, but only ONE of them can be IN EFFECT on a given interface at any given time. If you combine your three ACLs into one, they'll all be logged, and you can query the syslog file for the three ports.

Hope I'm not confusing the issue more.
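As an added example (not from the thread) of what "query the syslog file for the three ports" looks like once the three statements share list 101: a Python parser for the `%SEC-6-IPACCESSLOGP` message that totals packets per list, action and destination port, so the port is recovered from the log line itself rather than from the list number. The sample lines are constructed for the example: they carry the timestamp, hostname and sequence number a syslog server prepends, include the `1 packet` form IOS uses when it first logs a flow before the later `N packets` summaries, and include a `denied` line that assumes an explicit `access-list 101 deny ip any any log` statement was added at the end of the list (the implicit deny never logs, so without such a statement no denied lines appear).

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP messages and total packets per port."""
import re
from collections import defaultdict

# The message sits after whatever prefix the syslog server adds, so search
# rather than match. The count is '1 packet' for a first hit or 'N packets'
# for the periodic summaries.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?\b"
)

SERVICES = {21: "ftp", 23: "telnet", 80: "www"}

# Constructed sample of a syslog server's file; not real router output.
# The 'denied' line assumes 'access-list 101 deny ip any any log' was added.
SAMPLE = """\
Feb 20 10:01:12 router1 12: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1052) -> 131.108.110.2(21), 14 packets
Feb 20 10:01:12 router1 13: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1061) -> 131.108.110.2(80), 15 packets
Feb 20 10:01:13 router1 14: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1068) -> 131.108.110.2(23), 3 packets
Feb 20 10:06:13 router1 15: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1070) -> 131.108.110.2(80), 1 packet
Feb 20 10:06:14 router1 16: %SEC-6-IPACCESSLOGP: list 101 denied tcp 131.108.140.9(2049) -> 131.108.110.2(25), 2 packets
Feb 20 10:06:15 router1 17: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line: str):
    """Return the fields of one IPACCESSLOGP line as a dict, or None for
    any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def packets_by_port(lines):
    """Total packets keyed by (list, action, destination port)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            totals[(rec["acl"], rec["action"], rec["dport"])] += rec["count"]
    return dict(totals)


def report(lines):
    """One human-readable row per (list, action, port)."""
    rows = []
    for (acl, action, dport), n in sorted(packets_by_port(lines).items()):
        name = SERVICES.get(dport, "other")
        rows.append(f"list {acl} {action} {name} ({dport}): {n} packets")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE.splitlines()):
        print(row)
```

Two things the aggregation handles that a plain `grep 'list 101'` does not: the first-packet and summary lines for the same flow are added together (port 80 totals 16 here), and lines that are not ACL messages are ignored.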
 
I'll try to combine my ACLs into one tomorrow or on Friday, and I'll write about my results.
 
I got:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1052) -> 131.108.110.2(21), 14 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1061) -> 131.108.110.2(80), 15 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 131.108.140.2(1068) -> 131.108.110.2(23), 3 packets

so, like I supposed.

I would like to ask about another thing... I notice that logs are displayed on the console with a big delay. Is it possible to receive them immediately? Is there any parameter to set so that logs are received without delay?
 
Send the logs to a syslog server instead of the console. The dumping of logs to the console adds a lot of overhead to the processing of packets. The router can hold a few of the results in memory, but it really helps just to use the syslog server.

You can download Kiwi from our download page and it's freeware for the basic functions. You pay a small amount for the more advanced functions.


MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 