Cisco Hands On Training Podcast - IOS Access Control Lists

IOS Access Control Lists

03/14/10

Cisco Hands On Training Podcast
In this video demonstration, we show an example of writing IOS Access Control Lists (ACLs) on a home router. We use the revision control system (RCS) to maintain the master ACL file and push the ACLs to the router via TFTP. This is similar to many production networks, where maintaining comments and old revisions of ACLs is a requirement. We also show examples explaining the "don't care bit" format of IOS ACLs. Many network engineers mistakenly refer to the format as inverse-netmask, but that is incorrect.
PIXes, FWSMs, and ASAs use a netmask format for ACLs. It is vitally important not to make the mistake of accidentally pushing a netmask format ACL line to an IOS device. That sort of error could result in an unplanned hole in your firewall and a serious security incident.
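
As an added illustration (not code from the episode), the Python sketch below models how IOS evaluates a "don't care bit" mask and flags address/mask pairs in a master ACL file whose mask has netmask shape, so they can be reviewed before the file is pushed. The sample ACL lines and all function names are constructed for this example; the check is a heuristic and its findings are meant for human review.

```python
import ipaddress

def u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def is_quad(tok):
    try:
        u32(tok)
        return True
    except ValueError:
        return False

def wildcard_match(addr, base, wildcard):
    # IOS semantics: a 1 bit in the mask is a "don't care" bit, a 0 bit must match.
    care = ~u32(wildcard) & 0xFFFFFFFF
    return (u32(addr) & care) == (u32(base) & care)

def looks_like_netmask(mask):
    # Netmask shape: contiguous 1s from the left, then 0s. 0.0.0.0 and
    # 255.255.255.255 are skipped because they are valid in either format.
    m = u32(mask)
    inv = ~m & 0xFFFFFFFF
    return m not in (0, 0xFFFFFFFF) and (inv & (inv + 1)) == 0

def lint_ios_acl(text):
    # Return (line number, address, mask) for each pair whose mask has netmask shape.
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0].startswith("!"):  # "!" starts an IOS comment line
            continue
        i = 0
        while i < len(tok) - 1:
            if is_quad(tok[i]) and is_quad(tok[i + 1]):
                if looks_like_netmask(tok[i + 1]):
                    findings.append((n, tok[i], tok[i + 1]))
                i += 2
            else:
                i += 1
    return findings

# Constructed sample ACL file (not from the episode).
SAMPLE = """\
! master ACL file, constructed sample
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 255.255.255.0 any
access-list 101 permit ip 192.168.1.1 0.0.0.254 any
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    for n, addr, mask in lint_ios_acl(SAMPLE):
        print(f"line {n}: {addr} {mask} looks like a netmask, not a don't-care mask")
```

Read as a don't-care mask, `192.168.1.0 255.255.255.0` matches any source whose last octet is 0 (for example 8.8.8.0) and no longer matches 192.168.1.5. The `0.0.0.254` line matches only odd-numbered hosts in 192.168.1.x, a non-contiguous mask that no inverted netmask can express.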

Previous Episode

IOS DHCP and NAT

IOS routers can act as DHCP clients and DHCP servers. They can also function as Network Address Translation (NAT) devices. In this video we show a demonstration using a 2621 as a DHCP client, server, and NAT translation device for my home network.

It's important to understand that most IOS routers have relatively slow CPUs. An IOS router is fine as a DHCP server for a few dozen clients. But if you try to serve thousands of DHCP clients you are likely to fail and suffer an outage.
IOS routers can also work as network address translation devices. IOS NAT is "ok" but for real high capacity NAT (thousands of users) you want to use a device designed to handle high capacity NAT. PIXes, FWSMs, and ASAs are excellent NAT devices.

Next Episode

IOS Version Selection Tactics

The linked video provides guidance for optimal IOS version selection.

The large number of IOS versions makes choosing the best version for your router or switch difficult. You must pick the most reliable version which includes the features you need. Different IOS "packages" have different features. For example, the "LAN base" package includes basic switching code. "IP base" adds access-layer routing features (RIP and EIGRP-stub). "IP services" adds most layer-3 routing protocols (OSPF, EIGRP, BGP). "Advanced IP services" adds IS-IS and MPLS.
Picking a version also means picking one with recently introduced features you need. For example, 16-port 10-gigabit ethernet card support was added to the 6500 line in 12.2(33)SXH code. If you require that card, you cannot pick an older version, such as 12.2(18)SXF. The release notes include details on recently added features.
Finally, of all the versions that have the features you require, you want to pick the most stable version. That means picking a version that has been "rebuilt" with many bugfix-only releases. Picking 12.4(2)T, where 60 new features were just introduced, would be a bad idea. On the other hand, 12.4(23) (the lack of a letter means it is a mainline release) would be a good choice because that release has undergone dozens of releases since significant numbers of features were introduced.
