Title: Chapter 10: Access Lists
CCNA Guide to Cisco Networking
Objectives
- Describe the usage and rules of access lists
- Establish standard IP access lists
- Produce extended IP access lists
- Apply access lists to interfaces
- Monitor and verify access lists
Access Lists Usage and Rules
- Permit or deny traffic
- Identify traffic based on
  - Protocol
  - Source address
  - Destination address
  - Port number
Access Lists Usage
- Conceptual syntax to block access from network 4 to network 1
  - access-list 1 deny network 4
  - access-list 1 permit any
  - Implicit deny any
Problems With Access Lists
- Lack of planning
  - What needs to be filtered?
  - Where does it need to be filtered?
- Access lists are filters that
  - Can have multiple lines of instruction
  - Apply each line of instruction sequentially until a match is found
- Access list changes
  - Make the changes in a text editor (for example, Notepad.exe)
  - Remove the entire access list
  - Cut and paste the entire new access list
Problems With Access Lists (continued)
- Accidental telnet block
  - A list applied over a telnet session can lock you out of the router; schedule a reload before applying it so a mistake undoes itself, and cancel the reload once access is confirmed
  - reload command
  - reload in hh:mm [month day | day month]
  - RouterB#reload in 00:30
Access List Rules
- Create and apply ACLs sequentially
  - All new lines are added to the end of the list
- Apply the ACLs through the eyes of the man-in-the-router
  - ip access-group 1 in
  - ip access-group 1 out
- One ACL per direction, per protocol, per interface
Access List Rules (continued)
- Access lists have the following rules
  - Routers apply lists sequentially as they are configured
  - Routers apply lists to packets sequentially, from the top down, one line at a time
  - Packets are processed only until a match is made
  - Lists always end with an implicit deny
  - Access lists must be applied to an interface as either inbound or outbound traffic filters
Access List Rules (continued)
- Access lists have the following rules (continued)
  - ACL numbers 1 thru 99 (standard IP lists)
  - Only one list, per protocol, per direction can be applied to an interface
  - Access lists are effective as soon as they are applied to the interface
  - Place standard ACLs close to the destination
  - Place extended ACLs close to the source
Standard IP Access Lists
- Filter network traffic based only on source address
- access-list [list] permit|deny [source address] [source wildcard mask]
  - list: Standard IP access lists are represented by a number in the range of 1-99
  - permit|deny: Used to specify the action of the access list line
  - source address: The IP address of the source
  - source wildcard mask: Determines which bits of the source address are significant
Standard IP Access List Examples
- Access list command examples
  - Single IP (the three forms are equivalent)
    - access-list 1 permit 192.168.10.1 0.0.0.0
    - access-list 1 permit 192.168.10.1
    - access-list 1 permit host 192.168.10.1
  - Network
    - access-list 1 permit 192.168.10.0 0.0.0.255
  - All packets (the two forms are equivalent)
    - access-list 1 permit 0.0.0.0 255.255.255.255
    - access-list 1 permit any
Monitoring Standard IP Access Lists
- show access-list command
- show ip access-list command
- show interfaces command
- show ip interfaces command
Extended IP Access Lists
- Filter based on
  - Protocol type
  - Source IP address
  - Destination IP address
  - Port number
- ACL numbers 100 thru 199
Extended IP Access Lists (continued)
- access-list [list] permit|deny [protocol] [source IP address] [source wildcard mask] [operator port] [destination IP address] [destination wildcard mask] [operator port] [log]
  - list: Number in the range of 100-199
  - permit|deny: Used to specify the nature of the access list line
  - protocol: The IP protocol to be filtered; can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others
  - source IP address: The IP address of the source
  - source wildcard mask: Determines which bits of the source address are significant
Extended IP Access Lists (continued)
- Parameters of the access-list command (continued)
  - destination IP address: The IP address of the destination
  - destination wildcard mask: Determines which bits of the destination address are significant
  - operator: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to)
  - port: Port number of the protocol to be filtered
  - log: Turns on logging of access list activity
Extended IP Access List Examples
The Established Parameter
- Permit TCP traffic into the 15.0.0.0 network as long as the session was originated from the 15.0.0.0 network (established matches only segments with the ACK or RST bit set, so a fresh SYN from outside is not matched)
  - access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
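To make the matching rules above concrete (wildcard masks from the standard and extended syntax slides, top-down first match with the implicit deny, and the established keyword), here is an added Python model; it is example code written for this page, not part of the CCNA guide or of IOS. Rule lines follow the page's access-list syntax, and packets are constructed dicts with proto, src, dst, sport, dport and an ack flag standing in for the TCP ACK/RST bits.

```python
# Added example, not from the CCNA guide: a model of IOS numbered-ACL semantics
# (wildcard masks, top-down first match, implicit deny, 'established').
import ipaddress
OPS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
       "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}
def wildcard_match(addr, base, wildcard):
    # Wildcard mask is the inverse of a subnet mask: 0 bit = must match, 1 bit = don't care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def _addr(tok, standard):
    # 'any' | 'host A' | 'A W' | (standard lists only) bare 'A', meaning wildcard 0.0.0.0
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host" or (standard and not tok):
        return (tok.pop(0) if t == "host" else t), "0.0.0.0"
    return t, tok.pop(0)
def _port(tok):  # optional 'lt|gt|eq|neq N' following an address
    return (tok.pop(0), int(tok.pop(0))) if tok and tok[0] in OPS else None
def parse(line):
    # One 'access-list N permit|deny ...' line; 1-99 is standard, 100-199 is extended
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    rule = {"action": action, "proto": "ip", "sport": None, "dport": None,
            "dst": ("0.0.0.0", "255.255.255.255"), "established": False}
    if num <= 99:                           # standard: filters on source address only
        rule["src"] = _addr(rest, True)
    else:                                   # extended: protocol, src, dst, ports, flags
        rule["proto"] = rest.pop(0)
        rule["src"], rule["sport"] = _addr(rest, False), _port(rest)
        rule["dst"], rule["dport"] = _addr(rest, False), _port(rest)
        rule["established"] = "established" in rest
    return rule
def matches(rule, pkt):
    ok = (rule["proto"] in ("ip", pkt["proto"]) and wildcard_match(pkt["src"], *rule["src"])
          and wildcard_match(pkt["dst"], *rule["dst"]))
    for key in ("sport", "dport"):
        ok = ok and (not rule[key] or OPS[rule[key][0]](pkt.get(key, 0), rule[key][1]))
    # 'established' matches only TCP segments with ACK or RST set (replies), never a fresh SYN
    return ok and (not rule["established"] or (pkt["proto"] == "tcp" and pkt.get("ack", False)))
def evaluate(acl, pkt):
    # Top-down, first match decides; falling off the end is the implicit deny any
    return next((r["action"] for r in acl if matches(r, pkt)), "deny")

# Constructed sample list: the page's 'established' line plus a telnet permit for one subnet
ACL_100 = [parse(l) for l in (
    "access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established",
    "access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 15.1.1.1 eq 23")]
```

Note that established inspects only the flag bits of each segment and keeps no session state, so it is a coarse filter rather than a stateful one.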
Monitoring Extended IP Access Lists
- show access-list command
- show ip access-list command
- show interfaces command
- show ip interfaces command
Using Named Lists
- Cisco IOS version 11.2 and above
- Named ACL examples
  - RouterC(config)# ip access-list standard [name]
  - RouterC(config)# ip access-list extended [name]
  - RouterC(config-std-nacl)# deny {source [source-wildcard] | any}
  - RouterC(config-std-nacl)# permit {source [source-wildcard] | any}
  - RouterC(config-if)# ip access-group [name] in|out
Controlling VTY Line Access
- Restricting access to telnet
- Access control examples
  - Individual hosts (the two forms are equivalent)
    - RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
    - RouterA(config)# access-list 12 permit host 192.168.12.12
  - Network access
    - RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255
  - Apply the access list to the VTY lines (with access-class, not ip access-group)
    - RouterA(config)# line vty 0 4
    - RouterA(config-line)# access-class 12 in
Summary
- Access lists are one of the most important IOS tools for controlling network traffic and security
- Access lists are created in a two-step process
  - First, you create the list in global configuration mode, using the specific syntax of the type of list you want to create
  - Then, you apply the list to an interface in interface configuration mode to make it active
Summary (continued)
- All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
- By default, access lists always end in an implicit deny any, which will drop any packet that does not meet an access list criterion
- Only one access list per direction (inbound or outbound) per protocol can be applied to an interface
- Standard IP access lists allow you to filter traffic based on the source IP address of a packet
  - They should be applied to an interface as close to the destination as possible to avoid accidentally blocking valid traffic
Summary (continued)
- Extended IP access lists filter traffic based on source, destination, protocol type, and application type
  - They allow for more specific control over network traffic
  - They should be placed as close to the source as possible to keep unnecessary traffic from getting onto the internetwork
Summary (continued)
- Access lists can be used to restrict telnet by controlling VTY line access
  - This is usually done using a single permit access list line
  - The list is applied using the access-class command
  - The list is placed on the device to which telnet is being restricted