Access Lists - PowerPoint PPT Presentation
Provided by: busi210

Transcript and Presenter's Notes

1
Access Lists
2
Access List Processing
  • Each packet is compared with each line of the
    access list in the order in which the lines were
    entered
  • When a match is found the packet is either
    processed or dropped
  • No additional comparisons are made after the
    first match
  • More specific statements should be placed earlier
    in the list
  • There is an implicit deny all at the end of
    every access list
  • A packet that doesn't explicitly match any line
    in the list is dropped
  • Should usually include a permit any statement
    at the end of the list and include an explicit
    line for each condition you are concerned with

3
Types of IP Access Lists
  • Standard access lists
    • Only the source IP address is used to filter
      packets
    • List numbers between 1 and 99
  • Extended access lists
    • Filter on source and destination address,
      protocol and port number
    • List numbers between 100 and 199

4
Inbound and Outbound Lists
  • Inbound lists are compared with packets entering
    an interface
  • Outbound lists are compared with packets leaving
    an interface
  • Note that access lists do not filter packets that
    are created in the router such as router update
    packets or hello packets

5
Access Lists Rules
  • One list per protocol, per direction, per
    interface
  • Items added to a list are placed at the bottom of
    the list
  • Only way to insert an item is to delete the list
    and reenter the list
  • Can copy list to a text editor, edit it then
    paste it to the terminal program (only in some
    terminal programs)
  • Named access lists are easier to edit
  • Access lists must be applied to an interface
    before they become effective
  • Same list can be used on multiple interfaces or
    directions

6
IP Access Lists Commands
  access-list 1-99 permit|deny source-addr source-mask
  access-list 100-199 permit|deny protocol source-addr source-mask
      [operator operand] destination-addr destination-mask
      [operator operand] [established]
  ip access-group number in|out
7
Masks
  • Masks are used to construct wildcards for
    matching addresses
  • Work like OSPF network masks
  • Where a source mask bit is 0, the corresponding
    address bit must match exactly
  • Where a source mask bit is 1, the corresponding
    address bit is a wildcard (don't care)

8
Source Masks
9
Standard Access Lists
10
Standard Lists
  • Deny a specific host
    • access-list 10 deny host 12.130.32.2
  • Deny an entire network
    • access-list 10 deny 2.0.0.0 0.255.255.255

11
Standard Lists
  • Deny the 64 subnet with an interval of 32, i.e.
    12.64.0.0 through 12.95.255.255
    • access-list 10 deny 12.64.0.0 0.31.255.255
    • Mask has 1s in all host bits
    • Note that the subnet octet (second octet) in the
      mask is 1 less than the interval
  • Deny everything
    • access-list 10 deny any
    • access-list 10 deny 0.0.0.0 255.255.255.255
    • Equivalent to the implicit deny all at the end of
      every list
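
The first-match rule and the wildcard-mask arithmetic from the slides above, as an added Python example that is not part of the original presentation. `evaluate` walks a standard list built from the slide's own entries (assumed here to be one complete list 10) and falls through to the implicit deny, and `covered_range` shows why the 0.31.255.255 mask spans 12.64.0.0 through 12.95.255.255.

```python
import ipaddress

def ip(s):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask means the address bit
    must equal the base; a 1 bit is a don't-care."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return ip(addr) & care == ip(base) & care

def covered_range(base, wildcard):
    """Lowest and highest address a base/wildcard pair can match, e.g.
    12.64.0.0 0.31.255.255 -> ('12.64.0.0', '12.95.255.255')."""
    lo = ip(base) & (~ip(wildcard) & 0xFFFFFFFF)
    hi = lo | ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

def parse_standard(line):
    """Parse 'access-list 1-99 permit|deny <source>' into
    (action, base, wildcard); source is 'any', 'host A', 'A W' or 'A'."""
    tok = line.lower().split()
    assert tok[0] == "access-list" and 1 <= int(tok[1]) <= 99
    action, src = tok[2], tok[3:]
    if src[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if src[0] == "host":
        return action, src[1], "0.0.0.0"
    return action, src[0], (src[1] if len(src) > 1 else "0.0.0.0")

def evaluate(acl, source):
    """Compare the source address with each line in order and stop at the
    first match; a packet that matches no line hits the implicit deny."""
    for line in acl:
        action, base, wildcard = parse_standard(line)
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"

# Constructed list made of the entries shown on the slides above.
ACL_10 = [
    "access-list 10 deny host 12.130.32.2",
    "access-list 10 deny 2.0.0.0 0.255.255.255",
    "access-list 10 deny 12.64.0.0 0.31.255.255",
    "access-list 10 permit any",
]

if __name__ == "__main__":
    for src in ("12.130.32.2", "2.9.9.9", "12.95.0.1", "12.96.0.1"):
        print(src, evaluate(ACL_10, src))
    print(covered_range("12.64.0.0", "0.31.255.255"))
```

Dropping the final permit any (ACL_10[:3]) makes every unlisted source hit the implicit deny, which is the behaviour slide 2 warns about.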

12
Standard Lists
  • Standard access lists should be placed as close
    to the destination as possible since they are
    very restrictive
  • Standard access lists deny ALL traffic from
    indicated hosts

13
[Network diagram: routers A, B and C connected by serial links 10.1.128.0, 10.1.129.0 and 10.1.130.0 on interfaces s0/s1. LAN 10.1.1.0 (Bugs, Daffy) is behind router B, LAN 10.1.2.0 (Sam 10.1.2.1, Emma 10.1.2.2) behind router A, and LAN 10.1.3.0 (Elmer, Red) behind router C.]
14
Standard List Example
  • Sam is not allowed access to Bugs or Daffy
  • Hosts on 10.1.3.0 are not allowed access to hosts
    on 10.1.2.0
  • All other combinations are allowed

15
Router at A
  RouterA(config)# access-list 3 deny host 10.1.2.1
  RouterA(config)# access-list 3 permit any
  RouterA(config)# interface serial 0
  RouterA(config-if)# ip access-group 3 out
16
Router C
  RouterC(config)# access-list 4 deny 10.1.3.0 0.0.0.255
  RouterC(config)# access-list 4 permit any
  RouterC(config)# interface serial 1
  RouterC(config-if)# ip access-group 4 out
17
Alternate Solution
  RouterC(config)# access-list 3 deny host 10.1.2.1
  RouterC(config)# access-list 3 permit any
  RouterC(config)# interface e0
  RouterC(config-if)# ip access-group 3 out

  RouterA(config)# access-list 4 deny 10.1.3.0 0.0.0.255
  RouterA(config)# access-list 4 permit any
  RouterA(config)# interface e0
  RouterA(config-if)# ip access-group 4 out
18
Extended Access Lists
19
Extended Access Lists
  • Extended access lists are more versatile and are
    used
    • When you need to specify a destination
    • When you want to restrict traffic based on
      application
  • Require more processing time
  • Should be placed as close to the source as
    possible
    • Keeps unwanted traffic off the network

20
Extended Access Lists
  • access-list 101 deny tcp any host 10.1.1.1 eq 23
    • Packet with any source address to destination
      with address 10.1.1.1 and destination tcp port 23
  • access-list 101 deny tcp any host 10.1.1.1 eq
    telnet
    • Same thing: telnet is the keyword for port 23
  • access-list 101 deny tcp any eq telnet host
    10.1.1.1
    • Packet with any source address and source tcp
      port 23 destined to host 10.1.1.1 (the operator
      applies to whichever address it follows)

21
Extended Access Lists
  • access-list 101 deny udp 1.0.0.0 0.255.255.255 lt
    1023 any
    • Packet from any host on network 1.0.0.0/8 with a
      well-known source port (below 1023) destined
      anywhere
  • access-list 101 deny udp 1.0.0.0 0.255.255.255 lt
    1023 44.1.2.3 0.0.255.255
    • Packet from any host on network 1.0.0.0/8 with a
      well-known source port (below 1023) destined for
      any host on network 44.1.0.0/16

22
Extended Access Lists
  • access-list 101 deny ip 33.1.2.0 0.0.0.255
    44.1.2.3 0.0.255.255
    • All IP packets from hosts on network 33.1.2.0/24
      destined to hosts on network 44.1.0.0/16
    • Note the use of ip rather than tcp or udp: the
      entry matches every IP protocol
  • access-list 101 deny icmp 33.1.2.0 0.0.0.255
    44.1.2.3 0.0.255.255 echo
    • ICMP echo requests from hosts on 33.1.2.0/24 to
      hosts in 44.1.0.0/16

23
Extended Access Lists
  • access-list 101 permit tcp any any
  • This permits any TCP packet which is not the same
    as permitting any IP packet
  • Pay attention to the specific protocol you are
    trying to address
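
The extended entries on slides 20 through 23, run as an added Python example that is not part of the original presentation. It is a small parser for the access-list 100-199 syntax (the telnet port keyword mapping and the packet dictionaries are assumptions) that shows which address a port operator applies to, that ip covers every protocol while tcp does not, and that a UDP packet still falls through permit tcp any any to the implicit deny.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # IOS wildcard: a 0 mask bit means the address bit must equal the base, a 1 bit is don't-care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def take_addr(tok, i):
    # Consume 'any' | 'host A' | 'A W' starting at tok[i]; return ((base, wildcard), next index)
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def take_port(tok, i):
    # Consume an optional 'eq|lt|gt <port>' operator; return (port predicate, next index)
    if i < len(tok) and tok[i] in ("eq", "lt", "gt"):
        n = 23 if tok[i + 1] == "telnet" else int(tok[i + 1])  # 'telnet' is the keyword for port 23
        ops = {"eq": lambda p: p == n, "lt": lambda p: p < n, "gt": lambda p: p > n}
        return ops[tok[i]], i + 2
    return (lambda p: True), i

def parse_extended(line):
    # 'access-list 100-199 permit|deny proto src [op port] dst [op port]'
    tok = line.lower().split()
    action, proto = tok[2], tok[3]
    src, i = take_addr(tok, 4)
    sport, i = take_port(tok, i)  # an operator right after the source applies to the source port
    dst, i = take_addr(tok, i)
    dport, i = take_port(tok, i)  # one after the destination applies to the destination port

    def matches(pkt):
        proto_ok = proto == "ip" or pkt["proto"] == proto  # 'ip' covers every protocol, 'tcp' only TCP
        addr_ok = wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)
        port_ok = proto not in ("tcp", "udp") or (sport(pkt["sport"]) and dport(pkt["dport"]))
        return proto_ok and addr_ok and port_ok
    return action, matches

def evaluate(acl, pkt):
    # First match wins; a packet that matches no line falls to the implicit deny
    entries = [parse_extended(line) for line in acl]
    return next((action for action, m in entries if m(pkt)), "deny")

ACL_101 = [  # constructed from the entries shown on the slides
    "access-list 101 deny tcp any host 10.1.1.1 eq telnet",
    "access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any",
    "access-list 101 deny tcp any eq telnet host 10.1.1.1",
    "access-list 101 permit tcp any any",
]
```

A packet is a dictionary with proto, src, dst, sport and dport keys, so `evaluate(ACL_101, {"proto": "udp", "src": "1.2.3.4", "dst": "8.8.8.8", "sport": 2000, "dport": 53})` returns "deny" even though nothing in the list names that traffic.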

24
[Network diagram, same topology as slide 13: routers A, B and C connected by serial links 10.1.128.0, 10.1.129.0 and 10.1.130.0 on interfaces s0/s1. LAN 10.1.1.0 (Bugs, Daffy) is behind router B, LAN 10.1.2.0 (Sam 10.1.2.1, Emma 10.1.2.2) behind router A, and LAN 10.1.3.0 (Elmer, Red) behind router C.]
25
Extended List Example
  • Sam is not allowed access to Bugs or Daffy
  • Hosts on 10.1.3.0 are not allowed access to hosts
    on 10.1.2.0
  • All other combinations are allowed

26
Router at A
  RouterA(config)# access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
  RouterA(config)# access-list 110 permit ip any any
  RouterA(config)# interface ethernet 0
  RouterA(config-if)# ip access-group 110 in
27
Router C
  RouterC(config)# access-list 110 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
  RouterC(config)# access-list 110 permit ip any any
  RouterC(config)# interface ethernet 0
  RouterC(config-if)# ip access-group 110 in
28
Named Access Lists
29
Named Access Lists
  • Named access lists allow you to attach a name
    rather than a number to the list
  • These are more versatile
  • Names can be used to indicate the purpose of the
    access list so they are easy to debug/edit in the
    future
  • Can delete individual lines
  • No limit to the number of access lists

30
Named Access Lists
  ip access-list extended|standard name
  permit|deny protocol source-addr source-mask [operator operand]
      destination-addr destination-mask [operator operand] [established]
  ip access-group name in|out
31
Named Access Lists
  RouterA(config)# ip access-list extended MyList
  RouterA(config-ext-nacl)# deny tcp host 10.1.1.1 any eq 80
  RouterA(config-ext-nacl)# permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
  RouterA(config-ext-nacl)# permit ip any any
  RouterA(config-ext-nacl)# exit
  RouterA(config)# interface ethernet 0
  RouterA(config-if)# ip access-group MyList in
32
Controlling Telnet Access
33
Controlling Telnet Access
  • Blocking telnet access to the router can be done
    with conventional extended access lists
  • Increases processing load on the router because
    every packet must be processed against the list
  • Better to apply a list to the vty lines

34
Controlling Telnet Access
  RouterA(config)# access-list 50 deny host 10.1.0.1
  RouterA(config)# access-list 50 permit any
  RouterA(config)# line vty 0 4
  RouterA(config-line)# access-class 50 in
35
IOS Commands to Know
  • show interface
    • Shows access lists enabled on interfaces
  • show access-list
    • Very useful for debugging extended access-lists
      because it shows the number of hits on each item
  • show ip access-list
    • Same information, restricted to IP access lists,
      including the number of hits on each item
  • show ip interface
  • ip access-list
  • ip access-group
  • ip access-class