Access List And Route Map Review Notes

2. access-lists 101-199 (extended access-lists) extend this functionality allowing you to permit/deny with more granularity, for example, specifying both source and destination address, Layer 4 protocols and port number (i.e. TCP/UDP), and Layer 3 protocols other than IP (i.e. ICMP).The syntax for standard access-lists is as follows:"My intent is to permit all IP traffic from host [host-ip-address]""My intent is to permit all traffic from [subnet] [wildcard-mask]" "My intent is to deny all IP traffic from host [host-ip-address]""My intent is to deny all traffic from [subnet] [wildcard-mask]"An example is you want to allow all IP traffic from 192.168.1.0/24. The access-list is simple:access-list [1-99] permit 192.168.1.0 0.0.0.255The syntax for extended access-lists is slightly different:"My intent is to [permit/deny] [type-of-traffic] going from [source-address] [source-wildcard-mask] to [destination-address] [destination-wildcard-mask] [optional port-number]"Let's say you would like to permit all Telnet traffic going from 192.168.1.0/24 to a device at 192.168.2.1.Telnet uses TCP port 23 and here is how you would write the extended access-list:"access-list [101-199] permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23"In English, this access-list permits TCP from 192.168.1.0/24 to the host whose address is 192.168.2.1 where the TCP port number is 23.How to apply access-lists to route-mapsBelieve me there is nothing tricky about doing this. A route-map is a way of influencing the routing decision made by a routing device. The basic syntax of a route-map is as follows:

4. Host at 192.168.1.1 tries to Telnet to 192.168.2.1 and the packet is received on fa0/0 of our router.

5. Knock….Knock on door at fa0/0

6. Who’s there?

7. Route-map

8. Route-map Who?

9. MYMAP

10. To check the match criteria. The example above tells the router to check access-list 101.

11. The packet received matches access-list 101 so the router returns to the route-map

12. And set command tells it to forward this traffic out of Serial0/0What if there is no match found?If there is no match then the router will route the packet based on the contents of the routing table.

13. If a host at 192.168.3.1 tried to Telnet to 192.168.2.1 and the packet is received through fa0/0 of our router, the router will look into MYMAP, then at access-list 101, realise that access-list 101 does not match 192.168.3.1 as a source address and will return to the route-map looking for the next highest sequence number. In our example there is not another sequence number so the router will simply forward the traffic based upon the contents of its routing table (i.e. what it would do if there was no route-map applied to the fa0/0 interface).

14. How could we use route-maps to drop traffic?

15. If no match is found then the packet will be forwarded by the contents of the routing table so how can I influence that?Generally, you would drop traffic on an interface using an access-list applied directly to the interface, however, it can be done using a route-map. <br />Let's say you want to have control over all traffic coming in on fa0/0 of our router and want to drop anything that doesn't match our defined criteria. Let's say I have created access-lists 101-105 which specifies my criteria. My route-map would look as follows:route-map MYMAP permit 10match ip address 101 <---this line refers to access-list 101set interface Serial0/0route-map MYMAP permit 20match ip address 102 <---this line refers to access-list 102set interface Serial0/1route-map MYMAP permit 30match ip address 103 <---this line refers to access-list 103set interface Serial0/2route-map MYMAP permit 40match ip address 104 <---this line refers to access-list 104set interface Serial0/3route-map MYMAP permit 50match ip address 105 <---this line refers to access-list 105set interface Serial0/4Now I want to deny everything else. <br />Remember the Null0 interface, what I like to call Packet Garbage Disposal (as that is where packets that need to be dropped/get chopped up and sent down the drain)? <br />Examine this route-map statement out:route-map MYMAP permit 60 set interface Null0What happened there? Where has the match statement gone?<br />You don't need it. <br />