Cisco Networking Academy
Internetworking Technologies

Instructor: Prabul, CCNA
 

6. Access Control Lists (ACLs)

Top 10 Graphics:

  1. What are Access Lists?
  2. How Access Lists Work
  3. A Lists of Tests: Deny or Permit
  4. Testing Packets with Access Lists
  5. Key Concepts for IP Access Lists
  6. Standard Access List - Example 1
  7. Standard Access List - Example 2
  8. Standard Access List - Example 3
  9. Extended Access List - Example 1
  10. Where to Place IP Access Lists

Access lists perform several functions within a Cisco router, including:

  • Implement security / access procedures
  • Act as a protocol "firewall"

Extended Access Lists allow filtering on address, protocol, and applications. Access lists are used to limit broadcast traffic.

Why use Access Lists:

  • Deny traffic you do not want based on packet tests
    (for example, addressing or traffic type)
  • Identify packets for priority or custom queuing
  • Restrict or reduce the contents of routing updates
  • Provide IP traffic dynamic access control with enhanced user authentication using the lock-and-key feature
  • Identify packets for encryption
  • Identify Telnet access allowed to the router virtual terminals
  • Specify packet traffic for dial-in remote sites using dial-on-demand routing (DDR)

Dial-on-demand routing (DDR) - technique whereby a Cisco router can automatically initiate and close a circuit-switched session as transmitting stations demand. The router spoofs keepalives so that end stations treat the session as active. DDR permits routing over ISDN or telephone lines using an external ISDN terminal adaptor or modem.

The two main types of access lists are:

  1. Standard access lists
    • Standard access lists for IP check the 'source address' of packets that could be routed.
    • The result permits or denies output for an 'entire protocol' suite, based on the network/subnet/host address.
  2. Extended access lists
    • Extended access lists check for both 'source' and 'destination' packet addresses. They also can check for 'specific protocols', 'port numbers', and other parameters.
    • Packets can be 'permitted' or 'denied' output based on where the packet originated and on its destination.
    • Generally permits or denies 'specific protocols'

Access lists express the set of rules that give added control over packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. Access lists do not act on packets that originate in the router itself.

Access list statements operate in sequential, logical order. They evaluate packets from the top down. If a packet header matches an access list statement, that statement's permit or deny action is applied to the packet and the rest of the statements are skipped. There can be only one access list per protocol per interface.

NOTE: For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement covers all packets for which no condition tested true. This final test condition matches all other packets and results in a deny. Instead of proceeding in or out of an interface, all these remaining packets are dropped.

Access List command overview

Step 1: Set parameters for this access list test statement (which can be one of several statements). The access list process contains global statements:

  • This global statement identifies the access list, usually an access list number. This number refers to the type of access list this will be. In Cisco IOS Release 11.2 or newer, access lists for IP may also use an access list name rather than a number.
  • The permit or deny term in the global access list statement indicates how packets that meet the test conditions will be handled by Cisco IOS. Permit usually means the packet will be allowed to use one or more interfaces that you will specify later.
  • The final term or terms specifies the test conditions used by this access list statement. The test can be as simple as checking for a single source address, but usually test conditions are extended to include several test conditions. Use several global access list statements with the same identifier to stack several test conditions into a logical sequence or list of tests.

Router(config)# access-list acl-number {permit|deny} {conditions}

Step 2: Enable an interface to become part of the group that uses the specific access list. The access list process uses an interface command. All the access list statements identified by the access-list number associate with one or more interfaces. Any packets that pass the access list test conditions can be permitted to use any interface in the access group of interfaces.

Router(config-if)# {protocol} access-group acl-number

Access lists are numbered (for IP, numbered or named)

How to identify Access Lists:

  * IP Standard          1 - 99
  * IP Extended          100 - 199
                         Named (Cisco IOS 11.2 and later)
  * IPX Standard         800 - 899
  * IPX SAP filters      1000 - 1099
  * AppleTalk            600 - 699

  * The number identifies the protocol and the type of list
  * Other number ranges exist for most protocols

For TCP/IP packet filters, Cisco IOS access lists check the packet and upper-layer headers for:

  • Source IP addresses using standard access lists; identify these with a number in the range 1 to 99.
  • Destination and source IP addresses or specific protocols using extended access lists; identify these with a number in the range 100 to 199.
  • Upper-level TCP or UDP port numbers in addition to the other tests in extended access lists; also identify these with a number in the range 100 to 199.
  • For all of these TCP/IP access lists, after a packet is checked for a match with the access list statement, it can be denied or permitted to use an interface in the access group.

Key Concepts for IP Access Lists:

  • Standard lists (1-99) test conditions of all IP packets from source address
  • Extended lists (100-199) can test conditions of:
    • Source and destination address
    • Specific TCP/IP-suite protocols
    • Destination ports
  • Wildcard bits indicate how to check the corresponding address bits (0=check, 1=ignore)

Wildcard mask - 32-bit quantity used in conjunction with an IP address to determine which bits in an IP address should be ignored when comparing that address with another IP address. A wildcard mask is specified when setting up access lists.

  • A wildcard mask bit 0 means "check the corresponding bit value."
  • A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value."

NOTE: Wildcard masking for access lists operates differently from an IP subnet mask. A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked; a one in a bit position of the access list mask indicates the corresponding bit in the address is not 'interesting' and can be ignored.

How to use wildcard mask bits:

  • Test condition: check for a range of IP subnets
    Check for IP subnets 172.30.16.0 to 172.30.31.0
    * address and wildcard mask: 172.30.16.0 0.0.15.255
  • Test condition: ignore all the address bits (match any)
    Accept any address: 0.0.0.0 255.255.255.255 (ignore all)
    * abbreviate the expression using the keyword "any"
  • Test condition: check all the address bits (match all)
    Check for an IP host: 172.30.16.29 0.0.0.0 (check all bits)
    * abbreviate the wildcard using the keyword "host" followed by the IP address
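The wildcard-mask rule above (0 = check the bit, 1 = ignore the bit) is easy to get backwards because it is the inverse of a subnet mask. The following Python script is an added example, not part of the course page: it implements the comparison bit-for-bit, handles the "any" and "host" shorthands, derives the wildcard for a CIDR prefix, and reports the lowest and highest address a condition can match. The function names and the sample addresses (taken from the page's 172.30.16.0 0.0.15.255 case) are the example's own.

```python
"""Wildcard-mask matching as used by Cisco IOS access lists (added example)."""
import ipaddress


def parse_condition(text: str) -> tuple[int, int]:
    """Turn an access-list address condition into (address, wildcard) integers.

    Accepts the forms the course describes:
      'any'                     -> 0.0.0.0 255.255.255.255 (ignore every bit)
      'host 172.30.16.29'       -> 172.30.16.29 0.0.0.0   (check every bit)
      '172.30.16.0 0.0.15.255'  -> address and explicit wildcard mask
      '172.30.16.29'            -> bare address; a missing mask is treated as 0.0.0.0
    """
    parts = text.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host" and len(parts) == 2:
        return int(ipaddress.IPv4Address(parts[1])), 0
    addr = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return addr, wild


def matches(packet_ip: str, condition: str) -> bool:
    """True if packet_ip satisfies the address/wildcard condition.

    Every bit where the wildcard is 0 must agree between the packet address
    and the configured address; bits where the wildcard is 1 are ignored.
    """
    addr, wild = parse_condition(condition)
    pkt = int(ipaddress.IPv4Address(packet_ip))
    check_bits = ~wild & 0xFFFFFFFF          # 1 wherever the wildcard says "check"
    return (pkt & check_bits) == (addr & check_bits)


def wildcard_for_prefix(prefix: str) -> str:
    """Wildcard mask equivalent to a CIDR prefix: the bitwise inverse of the subnet mask.

    172.30.16.0/20 has subnet mask 255.255.240.0, so the wildcard is 0.0.15.255.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(ipaddress.IPv4Address(int(net.hostmask)))


def match_range(condition: str) -> tuple[str, str]:
    """Lowest and highest address a condition matches (wildcard bits all 0, then all 1)."""
    addr, wild = parse_condition(condition)
    low = addr & ~wild & 0xFFFFFFFF
    high = low | wild
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    cond = "172.30.16.0 0.0.15.255"
    print(cond, "covers", match_range(cond))
    for ip in ("172.30.16.1", "172.30.31.254", "172.30.32.1"):
        print(ip, "matches" if matches(ip, cond) else "does not match")
    print("host form:", matches("172.30.16.29", "host 172.30.16.29"))
    print("any form:", matches("10.0.0.1", "any"))
    print("/20 wildcard:", wildcard_for_prefix("172.30.16.0/20"))
```

Because the comparison is per bit, the same code also handles wildcards that are not contiguous (for example 0.0.254.255 in the third octet matches only odd-numbered /24 subnets), which a subnet-mask mental model cannot express; that is the one place where wildcards go beyond what the page's examples show.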

Standard IP Access List configuration

Access list -

  1. List kept by Cisco routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
  2. Command that creates an entry in a standard traffic filter list.
  • Standard access lists filter based on a 'source address' and mask.
  • Standard access lists permit or deny the entire TCP/IP protocol suite.

Router(config)# access-list acl-number {permit|deny} source [mask]
  • Sets parameters for this list entry
  • IP standard access list 'acl-number' uses 1 - 99
  • permit|deny - does this entry allow or block the specified address
  • source - source IP addresses
  • mask - 0s = must match, 1s = don’t care positions

IP access-group - Command that links an existing access list to an outbound interface.

Router(config-if)# ip access-group acl-number {in|out}
  • Activates the list on an interface
  • acl-number - the number of the access list to be linked to this interface
  • in|out - Selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default

NOTE: To remove an access list, first enter the 'no ip access-group' command, including 'list number', for each interface where the list had been used, then enter the 'no access-list' command (with list number).

Standard Access List examples:

(1.) Allow only traffic from a specific source network


Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255

  (implicit deny any - not visible in the list)
  (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out
Router(config)# interface ethernet 1
Router(config-if)# ip access-group 1 out

(2.) Deny a specific host


Router(config)# access-list 1 deny host 172.16.4.13
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

  (implicit deny any - not visible in the list)
  (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1

(3.) Deny a specific subnet


Router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
Router(config)# access-list 1 permit any

  (implicit deny any - not visible in the list)
  (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1

Extended IP Access List configuration

Allow more precise filtering conditions:

  • Check source and destination IP address
  • Specify an optional IP (TCP or UDP) protocol port number
  • Use access list number range 100 - 199

Well-Known IP Protocol Port Numbers (Decimal):

20 - File Transfer Protocol (FTP) data
21 - FTP program
23 - Telnet
25 - Simple Mail Transport Protocol (SMTP)
69 - Trivial File Transfer Protocol (TFTP)
53 - Domain Name System (DNS)


Router(config)# access-list acl-number {permit|deny} protocol
                source source-mask destination destination-mask
                [operator operand] [established]
  • Sets parameters for this list entry
  • IP extended access list 'acl-number' uses 100 - 199
  • permit|deny - does this entry allow or block the specified address
  • protocol - IP, TCP, UDP, ICMP, GRE, IGRP
  • source and destination - source and destination IP addresses
  • masks - wildcard masks; 0s = must match, 1s = don't care positions
  • operator and operand - lt, gt, eq, neq (not equal), and a port number
  • established - allows TCP traffic to pass if the packet belongs to an established connection (for example, has the ACK bit set)

IP access-group - Command that links an existing access list to an outbound interface. Only one access list per port per protocol is allowed.


Router(config-if)# ip access-group acl-number {in|out}
  • Activates the extended list on an interface
  • acl-number - the number of the access list to be linked to this interface
  • in|out - Selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default

Extended Access List examples:

(1.) Deny FTP for E0


Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 
                172.16.3.0 0.0.0.255 eq 21
Router(config)# access-list 101 permit ip 172.16.4.0 0.0.0.255 
                0.0.0.0 255.255.255.255

  (implicit deny any - not visible in the list)
  (access-list 101 deny ip 0.0.0.0 255.255.255.255
                           0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101

(2.) Allow only SMTP for E0


Router(config)# access-list 101 permit tcp 172.16.4.0 0.0.0.255
                any eq 25

  (implicit deny any - not visible in the list)
  (access-list 101 deny ip 0.0.0.0 255.255.255.255
                           0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101
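The standard and extended examples above all rely on the same evaluation rules: statements are tested top down, the first match decides, and an implied deny catches everything else. The Python script below is an added example, not code from the course page or from Cisco IOS: it parses access-list lines in the syntax the page uses (standard lists 1-99 with a source condition only; extended lists 100-199 with protocol, source, destination, a destination-port operator and the established keyword) and evaluates constructed packets against them. The page's "Deny FTP for E0" list is entered verbatim as ACL_101; the Packet and Entry classes, the port-keyword table and the sample addresses are the example's own assumptions.

```python
"""Top-down evaluation of Cisco-style IP access lists (added example)."""
import ipaddress
from dataclasses import dataclass

# Port keywords drawn from the page's well-known port list (a subset, by assumption)
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69}

@dataclass
class Packet:
    proto: str              # 'tcp', 'udp', 'icmp', ...
    src: str
    dst: str
    dport: int = 0          # destination port, tcp/udp only
    ack: bool = False       # TCP ACK set: the reply half of an established connection

@dataclass
class Entry:
    action: str             # 'permit' or 'deny'
    proto: str              # 'ip' matches every IP protocol
    src: str                # address condition text, e.g. '172.16.4.0 0.0.0.255'
    dst: str
    op: str = ""            # eq, neq, lt, gt applied to the destination port
    port: int = 0
    established: bool = False

def _addr_match(packet_ip, condition):
    """Wildcard comparison: where a mask bit is 0 the packet bit must equal the configured bit."""
    p = condition.split()
    if p == ["any"]:
        return True
    addr, wild = (p[1], "0.0.0.0") if p[0] == "host" else (p[0], p[1])
    check = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & check) == (int(ipaddress.IPv4Address(addr)) & check)

def _take_condition(t, i):
    """Consume one address condition at t[i]: 'any', 'host A', 'A WILDCARD', or a bare 'A'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return f"{t[i]} {t[i + 1]}", i + 2
    return f"{t[i]} 0.0.0.0", i + 1           # a missing mask means check every bit

def parse_entry(line):
    """Parse one 'access-list N {permit|deny} ...' line into an Entry."""
    t = line.split()
    if t[0] == "access-list":
        t = t[1:]
    number, action = int(t[0]), t[1]
    if number <= 99:                          # standard list: source address only
        src, _ = _take_condition(t, 2)
        return Entry(action, "ip", src, "any")
    src, i = _take_condition(t, 3)            # t[2] is the protocol keyword
    dst, i = _take_condition(t, i)
    e = Entry(action, t[2], src, dst)
    while i < len(t):
        if t[i] in ("eq", "neq", "lt", "gt"):
            e.op, e.port = t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "established":
            e.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return e

def entry_matches(e, pkt):
    """Every field of the entry must hold for the packet; unset fields are wildcards."""
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, e.src) and _addr_match(pkt.dst, e.dst)):
        return False
    if e.op:
        ops = {"eq": pkt.dport == e.port, "neq": pkt.dport != e.port,
               "lt": pkt.dport < e.port, "gt": pkt.dport > e.port}
        if pkt.proto not in ("tcp", "udp") or not ops[e.op]:
            return False
    return not e.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl, pkt):
    """Return (action, line number); line None means the implicit deny at the end fired."""
    for n, e in enumerate(acl, 1):
        if entry_matches(e, pkt):
            return e.action, n
    return "deny", None

# The page's 'Deny FTP for E0' list, entered exactly as shown
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255",
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "172.16.4.13", "172.16.3.7", 21),   # FTP control: line 1 denies
                Packet("tcp", "172.16.4.13", "172.16.3.7", 80),   # web: line 2 permits
                Packet("udp", "172.16.4.13", "172.16.3.7", 21),   # not tcp, so line 1 is skipped
                Packet("tcp", "10.1.1.1", "172.16.3.7", 80)):     # other source: implicit deny
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Running it shows the two things that most often surprise people when they read a list: a deny written for tcp eq 21 does nothing to UDP on the same port, and a source outside 172.16.4.0/24 is dropped by the implicit deny even though no visible line mentions it. Reordering the two lines of ACL_101 makes the deny unreachable, which the line number in the result makes easy to spot.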

Using Named IP Access Lists

Named IP access lists, a feature of Cisco IOS Release 11.2 or newer, let you delete individual entries from a specific access list. This enables you to modify your access lists without deleting and then reconfiguring them. Use named IP access lists when:

  • You want to intuitively identify access lists using an alphanumeric name
  • You have more than 99 simple and 100 extended access control lists to be configured in a router for a given protocol.

NOTE: Most of the commonly used IP access list commands accept named IP access lists.


Router(config)# ip access-list {standard|extended} name
* Alphanumeric name string must be unique

Router(config-{std|ext}-nacl)# {permit|deny} {ip access list test conditions}
Router(config-{std|ext}-nacl)# {permit|deny} {ip access list test conditions}
Router(config-{std|ext}-nacl)# no {permit|deny} {ip access list test conditions}
* Permit or deny statements have no prepended number
* "no" removes the specified test from the named access list

Router(config-if)# ip access-group {name|1-199} {in|out}
* Activates the IP named access list on an interface

Where to 'place' IP Access Lists

An access list can act as a firewall. A firewall filters packets and eliminates unwanted traffic at a destination. Where the administrator places an access list statement can reduce unnecessary traffic: traffic that will be denied at a remote destination should not consume network resources along the route to that destination.

  • Place standard access lists close to the destination
  • Place extended access lists close to the source

Firewall - Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.


Router> show ip interface

* Displays IP interface information and indicates whether any
  access lists are set on each interface. (Monitor access lists)

Router> show access-lists

* Displays the contents of all access lists, with more detail
  about the individual access list statements. Enter an access
  list name or number as an option to this command to see a
  specific list. (Monitor access list statements)


Reserved TCP Port Numbers
--------------------------------------------------
Decimal   Keyword       Description
-------   -----------   --------------------------
0                       Reserved
1-4                     Unassigned
5         RJE           Remote Job Entry
7         ECHO          Echo
9         DISCARD       Discard
11        USERS         Active Users
13        DAYTIME       Daytime
15        NETSTAT       Who is Up or NETSTAT
17        QUOTE         Quote of the Day
19        CHARGEN       Character Generator
20        FTP-DATA      File Transfer Protocol (data)
21        FTP           File Transfer Protocol
23        TELNET        Terminal Connection
25        SMTP          Simple Mail Transfer Protocol
37        TIME          Time of Day
39        RLP           Resource Location Protocol
42        NAMESERVER    Host Name Server
43        NICNAME       Who Is
53        DOMAIN        Domain Name Server
67        BOOTPS        Bootstrap Protocol Server
68        BOOTPC        Bootstrap Protocol Client
69        TFTP          Trivial File Transfer Protocol
75                      Any Private Dial-out Service
77                      Any Private RJE Service
79        FINGER        Finger
95        SUPDUP        SUPDUP Protocol
101       HOSTNAME      NIC Host Name Server
102       ISO-TSAP      ISO-TSAP
113       AUTH          Authentication Service
117       UUCP-PATH     UUCP Path Service
123       NTP           Network Time Protocol
133-159                 Unassigned
160-223                 Reserved
224-241                 Unassigned
242-255                 Unassigned

Reserved UDP Port Numbers
--------------------------------------------------
Decimal   Keyword       Description
-------   -----------   --------------------------
0                       Reserved
1-4                     Unassigned
5         RJE           Remote Job Entry
7         ECHO          Echo
9         DISCARD       Discard
11        USERS         Active Users
13        DAYTIME       Daytime
15        NETSTAT       Who is Up or NETSTAT
17        QUOTE         Quote of the Day
19        CHARGEN       Character Generator
20        FTP-DATA      File Transfer Protocol (data)
21        FTP           File Transfer Protocol
23        TELNET        Terminal Connection
25        SMTP          Simple Mail Transfer Protocol
37        TIME          Time of Day
39        RLP           Resource Location Protocol
42        NAMESERVER    Host Name Server
43        NICNAME       Who Is
53        DOMAIN        Domain Name Server
67        BOOTPS        Bootstrap Protocol Server
68        BOOTPC        Bootstrap Protocol Client
69        TFTP          Trivial File Transfer Protocol
75                      Any Private Dial-out Service
77                      Any Private RJE Service
79        FINGER        Finger
123       NTP           Network Time Protocol
133-159                 Unassigned
160-223                 Reserved
224-241                 Unassigned
242-255                 Unassigned



    [E-mail] aprabul@yahoo.com
Copyright © 2003