Here you will learn how to create and apply access lists to control both traffic flow and network security. You will review the use and rules of access lists. You will be introduced to the creation of standard and extended IP access lists. After learning the proper techniques for creating access lists, you will review how to apply such lists to router interfaces. Finally, you will learn how to monitor and verify access lists.
Access lists are permit or deny statements that filter traffic based on the source address, destination address, and protocol type of a packet. (Another way to say this is that packets can be checked by the router based on IP address, port number, or packet type). This is all available for IP, IPX, AppleTalk, and many other protocols.
Sample Network
The basic structure of an access list to block access from Network 4 to Network 1:
Access-list 1 deny Network 4
Access-list permit any
All access list end with an implicit deny any, which block all packets that do not meet the requirements of the access list. Access-list 1, if applied to the interface of RouterA connected to Network 1, blocks only the traffic coming from Network 4 to Network 1. If you wanted to deny traffic from Network 3 and Network 4 the conceptual access list syntax would then become the following:
access-list 1 deny Network 3
access-list 1 deny Network 4
access-list 1 permit any
The final permit any statement is necessary because all access lists end with an implicit deny any. If you apply the access list to the interface of RouterA that is connected to Network 1, it blocks traffic from Networks 3 and 4, while allowing all other network traffic to access Network 1.
NOTE: The above access-list statements are not the exact Cisco IOS syntax for the access list command. Actual IOS syntax will be covered later in these notes.
PROBLEMS WITH ACCESS LISTSOne of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.
Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot move individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.
Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. Access list begin working the second they are applied to an interface. It is very possible that many new administrators will find themselves inadvertently blocked from the very router on which they are applying an access list.
ACCESS LIST RULESRegardless of the type of access list you create, standard or extended, you must follow certain rules. For instance, you must create and apply access lists sequentially. Also, as stated earlier, access lists end with an implicit deny.
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
The previous example is a standard IP access list that denies the hosts 172.22.5.2 and 172.22.5.3, while allowing all other traffic. The list is applied sequentially from the top down as the router checks the packets arriving at the interface where this access list is applied, in order to check if the packets match the permit and deny statements.
In the process of applying access lists, the router first checks an arriving packet to determine if it matches the deny 172.22.5.2 0.0.0.0 statement. If it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.22.5.3 0.0.0.0. If the packet matches the second statement, the router discards the packet. Once again, if the packet does not meet the rules of the first two lines, the router applies the final permit any statement, and the packet is forwarded through the interface.
If you wish to remove an access-list, you use the no access-list (list #) command. For example, to remove the above list, you enter global configuration mode and type the no access-list command. The information below shows the correct procedure for typing this command.
NoAccessList command
This command will remove the entire list. You cannot remove a particular line in an access list. As a general rule, you should place first in the lists the lines with the most potential matches so that packets will not undergo unnecessary processing. You should also avoid unnecessarily long access lists. A very long access list will consume large sums of CPU processing time and could cause your router to act as a bottleneck on your network.
After you create access list, you must apply them to interfaces so they can begin filtering traffic. You apply a list as either an outgoing or an incoming filter. To determine how to apply the list, you have to look through the eyes of "The Man in the Router." Traffic coming in to the man in the router, through any of the interfaces, is considered inbound and needs to be filtered using incoming traffic filters.
You would apply the access list to an interface as the below example shows:
RouterA>enable
RouterA#config t
RouterA(config)# int e0
RouterA(config-if)#ip access-group 1 in
Notice that the final step is to apply the access list to one or more interfaces. Once the traffic gets to the "The man in the router," he must push it out to one of the interfaces. Access list to block his outward delivery much be applied as outbound filters. You would use the command similar to the one below.
ip access-group 1 out
Outbound is the default, if the direction is not specified in the command. The final rule that access list must follow states that an interface cannot have more than one inbound or outbound list, per protocol, assigned to it. This means that a router can have no more than one inbound Internet Protocol (IP) access list and one outbound applied at the same time. Multiple lists are allowed only if the lists are different protocols.
In summary, all access lists follow these rules:
· Routers apply lists sequentially in the order in which you type them into the router.
· Routers apply lists to packets sequentially, from top down, one line at a time.
· Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in the access list statements.
· Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
· Access lists must be applied to an interface as either inbound or outbound traffic filters.
· Only one list, per protocol, per direction can be applied to an interface.
Standard IP Access Lists Standard IP access lists filter network traffic based on the source IP address. Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address. In order to configure standard IP access lists, you must create the list and then apply it to an interface using the syntax following this paragraph. A detailed explanation of each item is contained in the subsequent bulleted list. The parenthesis in each command syntax are not part of the command; they group items that are replaced within each specific entry.
Access-list (list #) (permit deny) (source address) (source wildcard mask)
· (list #) - Standard IP access lists are represented by a number in the range of 1-99 (in IOS versions 11.2 and greater, they can also be represented by text names).
· (permit deny) - Used to specify the nature of the access list line. It is either a permit or a deny statement.
· (source address) - The IP address of the source.
· (source wildcard mask) - A wildcard mask applied to determine which bits of the source address are significant.
Wildcard mask bits are one of the most important concepts in IP access lists. Routers use them to determine which bits in an address will be significant. Unlike subnet masks, 0's are placed in bit positions deemed significant (they must match), and 1's are placed in positions that are not significant (ignore). Consider these addresses and wildcard mask bits:
172.22.5.2 0.0.0.0 - All bit positions must match exactly. Therefore, the access list line will only be applied to host 172.22.5.2
172.22.5.0 0.0.0.255 - Bit positions in the first three octets must match exactly, but the last octet can be any valid number. The access list line will apply to all hosts in the 172.22.5.0 subnet.
172.22.1.0 0.0.254.255 - The first two octets must match exactly, as must the least significant bit position in the third octet. The last octet can be any valid number. This mask would allow you to permit or deny odd subnets from the 172.22.0.0 major network. The example assumes a subnet mask of 255.255.255.0 for a Class B network.
These three examples are converted to binary below for a better explanation.
Wildcard masking example matching a single host
IP address:
Decimal 172.22.5.2
Binary 10101100.00010110.00000101.00000010
Wildcard Mask:
Decimal 0.0.0.0
Binary 00000000.00000000.00000000.00000000
All bit positions occupied by a 0 in the wildcard mask are significant and must match when a packet is examined by the router for access list criteria. Therefore, if you had an access list with a deny 172.22.5.2 0.0.0.0 (IP address and then wildcard mask), the router would deny all packets that matched the IP address 172.22.5.2.
Since 0's represent significant bits, you can see that in the above wildcard mask of 0.0.0.0 requires that the source address match exactly.
Wildcard masking example matching a complete subnet
IP Address
Decimal 172.22.5.0
Binary 10101100.00010110.00000101.00000000
Wildcard Mask
Decimal 0.0.0.255
Binary 00000000.00000000.00000000.11111111
All bit positions occupied by a 0 in the wildcard mask are significant and must match when a packet is examined by the router for access list criteria. This wildcard mask requires that the first three octets match exactly. Since the final octet is all 1's, the final octet is not significant. It can be any valid value from 1 to 254.
If you remember that 0's represent significant bits, you see that the first three octets must match. The final octet of the wildcard mask consists of 1s and signifies that the value of the fourth octet is not significant.
Third and more difficult example
This final example of wildcard masking is a bit tougher and requires examining two IP addresses to fully understand it. This first example illustrates an odd subnet.
IP address
Decimal 172.22.1.0
Binary 10101100.00010110.00000001.00000000
Wild card Mask
Decimal 0.0.254.255
Binary 00000000.00000000.11111110.11111111
This wildcard mask requires that the first two octets and the final bit position of the third octet match the IP address in the access list. The values in the last octet are not significant. Since the final bit positions in the third octet of the IP address in the access list are turned on (set to 1), all packets that the access list will permit or deny must have a 1 in the final bit position of the third octet.
In the above example, the first two octets must match exactly. Also, the final bit place in the third octet must match; it must be a 1! Therefore, an access list that states access-list 1 permit 172.22.1.0 0.0.254.255 will allow traffic from any odd-numbered subnet to pass. Even-numbered subnets are blocked because their last bit position in the third octet is a 0.
If you use a source of 172.22.1.0 and a wildcard mask of 0.0.254.255, any packet that the list will act upon must have a 1 in the least significant bit position of the third octet. If a packet with the IP address of 172.22.2.1 is examined by the access list in the previous paragraph, the router ignores it because the least significant bit of the third octet (see below) is a 0, not a 1. The next example shows why this is true.
Since the least significant bit positions do not match, any address within the subnet 172.22.2.0 is out of the required range of the access list and is thus discarded (or ignored, depending on the function of the access list).
IP Address
Decimal 172.22.2.1
Binary 10101100.00010110.00000010.00000001
Wildcard Mask
Binary 00000000.00000000.11111110.11111111
This wildcard mask requires that the first two octets and the final bit position of the third octet match the IP address in the access list. The values in the last octet are not significant. Since the final bit position in the third octet of the examined IP address and the IP address in the access list do not match (one is a 0 and the other is a 1), any line in an access list with a permit or deny 172.22.1.0 0.0.254.255 would not apply to the address 172.22.2.1. In fact, no even subnet could be affected because all even subnets would have a value of 0 in the last bit position of the third octet.
Standard IP Access List Example
Standard IP access lists permit or deny packets based only upon the source address. These addresses that the router checks to see if packets should be processed can be a single host address, a subnet address, or a full network address. Consider the following example.
AccessListExample
Using the example above you can create a standard IP access list that blocks host 172.22.5.2 from accessing subnet 172.22.2.0. The commands you need to do this are given below.
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#access-list 1 deny 172.22.5.2
RouterB(config)#access-list 1 permit 0.0.0.0 255.255.255.255
RouterB(config)#int e0
RouterB(config-if)#ip access-group 1 out
Monitoring Standard IP Access ListsThree main commands are available for monitoring access lists on your router. The first two, show access-lists and show ip access-lists, display the exact syntax of all access lists and IP access lists, respectively. The show interface or show ip interface command is used to verify that an access list has been successfully applied to an interface. Show ip interface will show you where access lists have been set. It is a good idea to run each of these commands after creating and applying access lists, to visually inspect and verify that statements were typed in correctly and that the lists will function as entered.
Extended IP Access ListsStandard IP access list are limited to filtering by source IP addresses only. Extended IP access lists, on the other hand, can filter by source IP address, destination IP address, protocol type, and application port number. This allows you to design extended IP access lists that permit or deny a single type of IP protocol, such as TCP, and then filter by a particular port of a particular protocol, port 21 or FTP, for example.
In order to configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax (a detailed explanation of each item is contained in the list below.
Access-list (list#) (permit deny) (source IP address) (source wildcard mask) (destination IP address) (destination wildcard mask) (operator) (port) (log)
· (list #) - Extended IP access lists are represented by a number in the range of 100-199 (in IOS versions 11.2 and greater, they can also be represented by text names).
· (permit deny) - Used to specify the nature of the access list line. It is either a permit or a deny statement.
· (protocol) - The IP protocol to be filtered can be IP (which includes all protocols in the TCP/IP suite) TCP, UDP, ICMP, or others.
· (source address) - The IP address of the source
· (source wildcard mask) - A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant
· (destination address) - The IP address of the destination
· (destination wildcard mask) - A wildcard mask, or inverse mask, applied to determine which bits of the destination address are significant
· (operator) - Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number.
· (port) - If necessary, the port number of the protocol to be filtered
· (log) - Turns on logging of access list activity
Extended IP Access List ExampleWith extended IP access lists, you should determine what the list will filter before you create the list itself. Using the sample below the paragraph will discuss how to block host 172.22.5.2 from accessing Web service on server 172.22.2.2. This extended IP access list example shows how to block WWW and how to apply a list that blocks WWW access.
Use the following steps to accomplish the blocking of WWW access.
RouterC>enable
Password:
RouterC#config t
RouterC(config)#access-list 100 deny tcp host 172.22.5.2 host 172.22.2.2 eq www
RouterC(config)#access-list 100 permit ip any any
RouterC(config)#int e0
RouterC(config-if)#ip access-group 100 in
Once an extended IP access list is created, it must be applied to an interface, just like a standard list. The difference is the placement of the list. Standard IP access lists examine the source address only. As a result, you must place them as close to the destination as possible to avoid blocking traffic bound for another interface/network. On the other hand, extended IP access list are able to filter based on source and destination. Therefore, they are placed as close to the source as possible.
In the above sample, the list is best placed as in inbound filter on the Ethernet0 interface of RouterC. Traffic from host 172.22.5.2 destined for the Web server at 172.22.2.2 will be blocked before it has a chance to even enter the network. Because of their placement, extended access lists create less traffic across the internetwork. The above sample displays the proper commands for adding the extended access list as an inbound list on interface Ethernet0.
Access Lists Short CutsThe following access lists do the same thing and it works for both standard and extended access lists.
access-list 1 deny 172.22.2.2 0.0.0.0
or
access-list 1 deny host 172.22.2.2
The word "host" is short for a wildcard mask of 0.0.0.0, but notice that when this is used the word "host" comes before the IP address.
access-list 1 permit 0.0.0.0 255.255.255.255
or
access-list 1 permit any
Instead of typing 0.0.0.0 255.255.255.255, the administrator can use the word any by itself as the keyword.
Monitoring Extended IP Access ListsThe same commands used to monitor standard IP access lists are used to monitor extended IP access lists. If you wish to view the access lists configured on your router, you use the show access-lists or show ip access-lists command.
Standard IPX Access ListsStandard IPX access lists are very similar to their IP cousins, but they have one distinct difference. While standard IP access lists only filter based on source addresses, standard IPX access lists can filter based on source and destination nodes or on networks. In all other respects, they act just like standard IP access lists. Standard IPX access lists are represented by a number in the range of 800-899.
