Access Control Lists Overview
Access lists allow Cisco routers to function as a packet filter and are
supported for several protocols; some of them are listed in the following table:
Protocol              Range
IP Standard           1 to 99 (and 1300 to 1999 in IOS 12.0 and higher)
IP Extended           100-199 (and 2000 to 2699 in IOS 12.0 and higher)
Ethernet type code    200-299
DecNet                300-399
XNS                   400-499
Extended XNS          500-599
AppleTalk             600-699
Ethernet address      700-799
IPX Standard          800-899
IPX Extended          900-999
IPX SAP               1000-1099
Access lists are lists of rules that either permit or deny certain
inbound or outbound traffic from particular hosts. The list is applied to
one or more interfaces on the router. When the router routes traffic in
and out of these interfaces, the rules in the list are processed sequentially
until a rule matches the traffic. When there is no matching rule permitting
the traffic to pass, it is denied because of the implicit deny any at the end
of each access list. For example, if you deny telnet traffic to host
172.16.22.139 using the rule:
access-list 110 deny TCP any host 172.16.22.139 eq TELNET
and this were the only rule in the access list, you would deny all IP traffic
from entering or leaving the router's interface.
The implicit deny all confuses many people and is often forgotten in
practice, while in fact it is very logical: if you want to protect a
network using a packet filter you would typically start out by denying
everything and from there permit certain traffic or hosts to communicate.
However, besides protecting private networks from external intruders,
access lists are also commonly used to manage network traffic. For
example, if you do not want certain protocols or services available in
particular subnets you can block only those ports but permit all other
traffic. This is also an effective way to prevent traffic such as
ICMP messages and routing updates from traveling over certain links.
Standard IP Access Lists
Standard IP access lists are used to permit/deny traffic from or to one or more IP addresses.
Use the global configuration access-list command to create access lists:
router(config)#access-list number deny|permit source|any [log]
Use the interface configuration mode command to bind the access list to an interface:
router(config-if)#ip access-group number in|out
For example, to deny host C from sending traffic to the WAN in the network depicted in the diagram below, use the following commands.
router(config)#access-list 10 deny 192.168.23.11
router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in
When traffic is sent to the router's Ethernet interface, the rules in access
list 10 are processed; if the traffic was sent by host C, the router drops the packets
and stops processing the rules. The rule access-list 10 permit any
is included because of the implicit deny. There must be at least one "permit"
rule, otherwise the protocol is completely disabled for the interface as soon as you bind the list.
Wildcard Masks/Inverse Masks
Instead of specifying a single IP address, you can also permit or deny networks/subnets completely or partly
using wildcard masks, also known as inverse masks. To understand this concept it helps a
lot if you have some basic understanding of subnetting.
The first example is simple: if you want to deny access to all hosts in the network 172.16.23.0 with subnet
mask 255.255.255.0 you would use 172.16.23.0 0.0.0.255 as the source in the access-list command.
When the router checks whether the addressing information of an incoming packet matches the denied address specified in the access list,
it only cares about the part of the address where the corresponding bits in the inverse mask are 0.
The part of the address where the corresponding bits in the inverse mask are set to 1 can be anything (in this example 0 to 255).
In other situations, where you want to specify a range of addresses whose
boundary between 0s and 1s does not fall exactly between octets, you might need to
convert everything to binary to determine the inverse mask. For example, you want to
specify the network 172.18.16.0 with the subnet mask 255.255.240.0. Converting
this mask to binary shows that its first 20 bits are set to 1:
11111111.11111111.11110000.00000000, so the inverse mask has the first 20 bits
set to 0:
00000000.00000000.00001111.11111111, which is 0.0.15.255 in decimal notation.
This specifies the address range 172.18.16.0 to 172.18.31.255.
If you want the source or destination to be any host from any network you
could use the address 0.0.0.0 with the inverse mask 255.255.255.255, but to save you
from typing so many characters you can use the keyword any instead.
In extended access lists the keyword host can be used to replace the 0.0.0.0 inverse mask.
Instead of specifying a single address with 192.168.23.11 0.0.0.0 you can use host 192.168.23.11.
Extended IP Access Lists
Extended IP access lists give more detailed control compared to standard
lists, which only allow you to deny or permit traffic from a certain source. Extended
lists allow you to permit or deny particular TCP/IP traffic based on the transport
protocol being used (TCP or UDP) and the service or application (e.g. SMTP, Telnet),
matching on source addresses AND destination addresses.
Use the global configuration access-list command to create
access lists. This command supports numerous arguments, most of them beyond the
scope of the CCNA exam; Cisco documents the complete syntax on its website.
Nevertheless, here's the most important part:
router(config)#access-list number deny|permit protocol source|any destination|any
When TCP or UDP is used as the protocol argument, two other important arguments are
operator and port. The port argument can be a TCP or UDP port number or
name (e.g. 21 or FTP, 23 or TELNET, 123 or NTP); the operator is usually
eq, which means equal; other options include lt (less than) and gt (greater than).
Use the interface configuration mode access-group command to apply the access list to an interface:
router(config-if)#ip access-group number in|out
Take a look at the diagram below for example:
You can prevent SMTP traffic originating from the WANs from traveling over link A by applying an outbound
extended IP access list to the Serial 0 interface of RouterX. Use the following commands on RouterX:
router(config)#access-list 105 deny TCP any host 172.16.11.253 eq SMTP
router(config)#access-list 105 permit IP any any
router(config)#interface serial 0
router(config-if)#ip access-group 105 out
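To make the sequential first-match processing, the implicit deny and the wildcard-mask matching described above concrete, here is a small added Python model of how a router evaluates a list such as access-list 105; it is example code written for this page, not IOS code or anything from the original author, and the Rule/evaluate names and any addresses not taken from the page are constructed for the example.

```python
"""Added model of IOS access-list evaluation (not Cisco code): inverse-mask
matching plus first-match processing with the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # same meaning as the keyword "any"

def host(ip: str) -> Tuple[str, str]:
    """Keyword host: a single address, i.e. inverse mask 0.0.0.0."""
    return (ip, "0.0.0.0")

def wildcard_from_mask(subnet_mask: str) -> str:
    """The inverse mask is the bitwise complement of the subnet mask, e.g. 255.255.240.0 -> 0.0.15.255."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Only bits where the wildcard is 0 must equal the base address; wildcard-1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits that must match
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: Tuple[str, str]         # (address, inverse mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # destination port for "eq"; None means any port

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Rules are processed in order and the first match decides; falling off the end is the implicit deny any."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

# access-list 105 from the page: deny SMTP (TCP 25) to host 172.16.11.253, permit all other IP traffic
ACL_105 = [Rule("deny", "tcp", ANY, host("172.16.11.253"), 25),
           Rule("permit", "ip", ANY, ANY)]
# The same list without its permit line: every packet then hits the implicit deny
ACL_105_WITHOUT_PERMIT = ACL_105[:1]
```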
Here's another example using the same diagram. It shows how you can
use extended access lists to control ICMP traffic (used by utilities such as ping and
trace). For example, to prevent the hosts in the Ethernet network attached to RouterY from
using ICMP to communicate with hosts on the other side of the router, use the following
commands on RouterY:
router(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any
router(config)#access-list 102 permit IP any any
router(config)#interface serial 1
router(config-if)#ip access-group 102 out
Remove access list from interface:
router(config-if)#no ip access-group number|name in|out
For example:
router(config-if)#no ip access-group 102 out
Delete access-list from configuration:
router(config)#no access-list number|name
For example:
router(config)#no access-list 102
Named Access Lists
If your router is running IOS 11.2 or higher, you can create named
access lists. Instead of choosing a number between 1-99 for standard IP
access lists, you can use a custom name, which allows for more lists.
The commands to create a named access list are different from those mentioned above.
To create a list use the following command in global configuration mode:
router(config)#ip access-list {standard | extended} name
This command will take you into access-list configuration mode, where you
can define the deny and permit rules. For example, to create a named access list with
the name wwwfilter that permits only access from the networks 192.168.132.0,
172.17.0.0 and 10.0.0.0, use the following commands:
router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255
Use the exit command to exit access-list configuration mode.
A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out
VTY Lines
You can also use standard access lists to limit access to the VTY lines. The list is bound with the access-class command in line configuration mode. For example:
router(config)#access-list 5 permit 192.168.23.8
router(config)#line vty 0 4
router(config-line)#access-class 5 in
Monitoring and Verifying
The following commands are useful for monitoring and verifying the operation of access lists.
The show ip interface command, run in privileged exec mode, displays which
access lists are applied to the specified interface, for example:
router#show ip interface serial 1
The following command displays the contents of an access list and, if it is applied to an interface, the number of matches per permit/deny rule:
router#show access-lists number|name
If you don't specify an access-list number or name, all the current access
lists will be displayed. You can also use the show ip access-lists
command to display one or all of the current IP access lists.