Chapter 10 Access Lists
IP Access Lists (Network Security): access lists configured on a router
For example, RouterA can use an access list to deny access from Network 4 to Network 1; both networks are shown in Fig. 10-1.
With the following conceptual syntax, you create the standard access list to block access from Network 4 to Network 1:
    access list 1 deny Network 4
    access list 1 permit any
If you wanted to deny traffic from Network 3 and Network 4, the access list conceptual syntax is:
    access list 1 deny Network 3
    access list 1 deny Network 4
    access list 1 permit any
IP access lists come in two types: IP standard access lists and IP extended access lists.
IP Standard Access Control Lists (ACL) Concepts
For example, we assume that Bob is not allowed to access Server1, but Larry is.
Filtering logic could be configured on any of the three routers and on any of their interfaces.
Here are some key features of Cisco access lists:
- Packets can be filtered as they enter an interface, before the routing decision.
- Packets can be filtered before they exit an interface, after the routing decision.
- Deny implies that the packets will be filtered. Permit implies that the packets will not be filtered.
- The filtering logic is configured in the access list.
- At the end of every access list is an implied "deny all traffic" statement.
Access lists have two major steps in their logic: matching and action. So the access list for preventing Bob's traffic to the server might go something like: look for packets with Bob's source IP address and Server1's destination IP address. When you see them, discard them. If you see any other packets, do not discard them.
IP standard access lists use list numbers 1~99.
Syntax to define an entry:
    access-list access-list-number {permit | deny} source [source-wildcard]
Syntax to apply the list to an interface:
    ip access-group access-list-number {in | out}
Source address and wildcard mask: a 0 bit in the wildcard mask means the corresponding bit of the source address must match; a 1 bit means "don't care". A wildcard mask of 0.0.0.0 therefore matches exactly one host address.
Source 203.66.47.1 with wildcard mask 0.0.0.255 matches the whole 203.66.47.0 network.
Source 203.66.47.50 with wildcard mask 0.0.0.0 matches only the single IP address 203.66.47.50.
Wildcard mask examples Consider the IP addresses and wildcard mask shown in Table 1.
Wildcard mask examples (cont.) An access list that states
    access-list 1 permit 172.22.1.0 0.0.254.255
will allow traffic from any odd-numbered subnet to pass.
Wildcard mask examples
Eg. 1: The following example tells the router to match the first three octets exactly, but the fourth octet can be anything.
    access-list 10 deny 172.16.10.0 0.0.0.255
Eg. 2: The following example tells the router to match the first two octets; the last two octets can be anything.
    access-list 10 deny 172.16.0.0 0.0.255.255
Eg. 3: The following example tells the router to start at network 172.16.16.0 and use a block size of 4. The blocking range would then be 172.16.16.0 through 172.16.19.0.
    access-list 10 deny 172.16.16.0 0.0.3.255
Eg. 4: The example shows an access list starting at network 172.16.16.0 and going up a block size of 8 to 172.16.23.0.
    access-list 10 deny 172.16.16.0 0.0.7.255
Eg. 5: The following example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0.
    access-list 10 deny 172.16.32.0 0.0.31.255
Eg. 6: The last example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.
    access-list 10 deny 172.16.64.0 0.0.63.255
Please keep in mind when working with block sizes and wildcards: each block must start at 0 or at a multiple of the block size.
For example, you can't say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc. For a block size of 32, the ranges are 0-31, 32-63,
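The wildcard rules above (0 bit = must match, 1 bit = don't care, blocks aligned to their size) worked through in code. This is an added example, not slide content; the function names are this example's own, and the addresses are the ones from the examples above.

```python
"""Wildcard mask arithmetic for the block-size rules above. Added example, not from the
slides: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_matches(addr, base, wildcard):
    """True if addr is covered by base/wildcard, e.g. 172.16.10.7 by 172.16.10.0 0.0.0.255."""
    return (_ip(addr) ^ _ip(base)) & (0xFFFFFFFF ^ _ip(wildcard)) == 0


def block_wildcard(start, end):
    """Wildcard for the block start..end. Enforces the slides' rule: the block size is a
    power of two and the block starts at 0 or at a multiple of its size."""
    s, e = _ip(start), _ip(end)
    size = e - s + 1
    if size & (size - 1) or s % size:
        raise ValueError(f"{start}-{end} is not an aligned power-of-two block")
    return str(ipaddress.IPv4Address(size - 1))


def block_range(base, wildcard):
    """First and last address covered by base/wildcard (contiguous wildcard assumed)."""
    b, w = _ip(base), _ip(wildcard)
    first = b & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


def matching_subnets(base, wildcard):
    """Third-octet values (one /24 each) matched by base/wildcard; shows why
    172.22.1.0 0.0.254.255 selects exactly the odd-numbered subnets."""
    o1, o2 = base.split(".")[:2]
    return [n for n in range(256) if wildcard_matches(f"{o1}.{o2}.{n}.1", base, wildcard)]


if __name__ == "__main__":
    print(block_wildcard("172.16.16.0", "172.16.19.255"))  # 0.0.3.255
    print(block_range("172.16.32.0", "0.0.31.255"))
    print(matching_subnets("172.22.1.0", "0.0.254.255")[:4])
```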
Standard IP Access List Examples: Standard IP access lists permit or deny packets based only on the source address. These addresses can be a single host address, a subnet address, or a full network address.
Using the sample network in Fig. 10-8, you can create a standard IP access list that blocks host 172.22.5.2 from accessing subnet 172.22.2.0.
Fig. 10-9 shows the commands you would enter on RouterB to accomplish this task.
Standard IP ACL Examples (cont.) Correct placement of a list is imperative. If the list were placed on RouterB's S1 interface as an inbound list, it would work with the sample network:
    access-list 1 deny 172.22.5.2
    access-list 1 permit any
    int s1
    ip access-group 1 in
However, if RouterB had another Ethernet interface, as shown in Fig. 10-10, placing the access list on S1 would inadvertently block traffic to the second Ethernet interface, E1.
You should apply a standard IP access list as close to the destination as possible. Otherwise, you will inadvertently block access to portions of your network.
To view the access lists defined on your routers, use the show access-lists and show ip access-lists commands.
To view which interfaces have IP access lists set, use the show ip interface command.
You can remove the access list from an interface with no ip access-group [list #].
Now assume that instead of blocking a single host from subnet 172.22.5.0, you want to block all traffic from this subnet to subnet 172.22.2.0.
Finally, assume that you want to block access to the 172.22.2.0 subnet from all hosts on subnets 172.22.4.0 and 172.22.5.0.
Monitoring Standard IP Access Lists: three main commands are available for monitoring access lists on your router: show access-lists, show ip access-lists, show ip interface.
Example requirements: Sam is not allowed access to Bugs or Daffy. Hosts on the Seville Ethernet are not allowed access to hosts on the Yosemite Ethernet. All other combinations are allowed.
IP extended access lists use list numbers 100~199.
(Figure: network 192.72.37.0 behind S0, network 192.72.36.0 on E0; the goal is to block FTP from 192.72.37.0 to 192.72.36.0.)
    access-list 105 deny tcp 192.72.37.0 0.0.0.255 192.72.36.0 0.0.0.255 eq 20
    access-list 105 deny tcp 192.72.37.0 0.0.0.255 192.72.36.0 0.0.0.255 eq 21
    access-list 105 permit ip 192.72.37.0 0.0.0.255 192.72.36.0 0.0.0.255
    interface e0
    ip access-group 105
Extended access lists can match a port by name or by number. Common TCP and UDP ports:
    Service   Protocol   Port
    FTP       TCP        21
    Telnet    TCP        23
    SMTP      TCP        25
    HTTP      TCP        80
    POP3      TCP        110
    NNTP      TCP        119
    PPTP      TCP        1723
    L2TP      UDP        1701
    TFTP      UDP        69
    BOOTPS    UDP        67
    BOOTPC    UDP        68
On Windows, the port names and numbers can be looked up in %systemroot%\system32\drivers\etc\services.
Extended IP ACL Examples: Using Fig. 10-18 as an example, this section discusses how to block host 172.22.5.2 from accessing Web services on server 172.22.2.2.
Standard and Extended IP Access Lists: Matching
Extended access-lists Commands
ACL Implementation Considerations:
- Create your ACLs using a text editor outside the router, and copy and paste the configuration into the router.
- Place standard ACLs as close to the packet's destination as possible.
- Place extended ACLs as close to the source of the packet as possible, to discard the packets quickly.
IP Access Lists: configuration examples (access-list and access-group)
Deny the single host 190.168.1.20, permit everyone else, and apply the list outbound on fa0/0:
    conf ter
    (conf) access-list 10 deny 190.168.1.20 0.0.0.0
    (conf) access-list 10 permit any
    (conf) int fa0/0
    (conf) ip access-group 10 out
Deny the whole 190.168.1.0 network (wildcard 0.0.0.255), permit everyone else, and apply the list outbound on fa0/0:
    conf ter
    (conf) access-list 11 deny 190.168.1.1 0.0.0.255
    (conf) access-list 11 permit any
    (conf) int fa0/0
    (conf) ip access-group 11 out
Check the interface with: show interface fa0/0
Deny Telnet from anywhere to the 190.168.1.0 network, permit all other IP traffic, and apply the list outbound on fa0/0:
    conf ter
    (conf) access-list 111 deny tcp any 190.168.1.0 0.0.0.255 eq telnet
    (conf) access-list 111 permit ip any any
    (conf) int fa0/0
    (conf) ip access-group 111 out
Check the list with: show ip access-list
Example requirements: Bob is denied access to all FTP servers on R1's Ethernet. Larry is denied access to Server1's Web server. All other combinations are allowed.
R1's Extended Access List:
    int s0
    ip addr 172.16.12.1 255.255.255.0
    ip access-group 101 in
    int s1
    ip addr 172.16.13.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
    access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http
    access-list 101 permit ip any any
Alternatively, filter closer to the source: Bob's FTP filter goes on R3, Larry's Web filter goes on R2.
R3's Extended Access List (stopping Bob from reaching the FTP servers):
    int e0
    ip addr 172.16.3.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
    access-list 101 permit ip any any
R2's Extended Access List (stopping Larry from accessing the Web server):
    int e0
    ip addr 172.16.2.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp host 172.16.2.10 172.16.1.100 0.0.0.0 eq http
    access-list 101 permit ip any any
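How R1's access list 101 above is evaluated, as an added example that is not Cisco code: entries are tried top to bottom, the first match decides, and the implied deny-all ends the list. The parser, the evaluate function and the packet fields are this example's own; PORT_NAMES holds only port names that appear on these slides.

```python
"""Evaluate a numbered IOS extended ACL: first match wins, implied deny at the end.
Added example, not Cisco code."""
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "www": 80}  # names on the slides

def _ip(s): return int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def _address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' (name or number); None means any port."""
    if tokens[:1] != ["eq"]:
        return None, tokens
    name = tokens[1]
    return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NUM {permit|deny} PROTO SRC [eq P] DST [eq P]' into a dict."""
    t = line.split()
    src, src_wc, rest = _address(t[4:])
    sport, rest = _port(rest)
    dst, dst_wc, rest = _address(rest)
    dport, _ = _port(rest)
    return {"action": t[2], "proto": t[3], "src": (src, src_wc), "sport": sport,
            "dst": (dst, dst_wc), "dport": dport}

def _covers(addr, base, wildcard):  # wildcard bit 0 = must match, bit 1 = don't care
    return (addr ^ base) & (0xFFFFFFFF ^ wildcard) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet using first-match logic."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        proto_ok = ace["proto"] in ("ip", proto)
        addr_ok = _covers(s, *ace["src"]) and _covers(d, *ace["dst"])
        port_ok = ace["sport"] in (None, sport) and ace["dport"] in (None, dport)
        if proto_ok and addr_ok and port_ok:
            return ace["action"]
    return "deny"  # the implied deny-all statement at the end of every access list

# R1's access list 101 from the slides, parsed by this example.
R1_ACL = [parse_ace(l) for l in (
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http",
    "access-list 101 permit ip any any")]
```

Dropping the final permit entry (R1_ACL[:2]) shows the implied deny: a UDP packet that matches neither deny entry is still discarded.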
ICMP example: deny ICMP echo replies from host 172.22.5.2 to host 172.22.2.2, permit everything else, and apply the list inbound on e0:
    access-list 101 deny icmp host 172.22.5.2 host 172.22.2.2 echo-reply
    access-list 101 permit ip any any
    (conf) int e0
    (conf) ip access-group 101 in
To block echo replies from the whole 172.22.5.0 subnet to the server 172.22.2.2 (so the server's pings to that subnet get no answer):
    access-list 101 deny icmp 172.22.5.0 0.0.0.255 host 172.22.2.2 echo-reply
    access-list 101 permit ip any any
If you want to remove a list from an interface, you can use the no ip access-group [list #] [in | out] command. (see Fig. 10-22)
Controlling VTY line access (Telnet): permit only host 192.168.1.1 to Telnet into the router.
    conf ter
    (conf) access-list 12 permit 192.168.1.1 0.0.0.0
    or
    (conf) access-list 12 permit host 192.168.1.1
    (conf) line vty 0 4
    (conf-line) access-class 12 in
Permit the whole 192.168.1.0 network to Telnet into the router:
    (conf) access-list 13 permit 192.168.1.0 0.0.0.255
    (conf) line vty 0 4
    (conf-line) access-class 13 in
Review questions
Q1. Which one of the following is the range of standard IP access list numbers? A. 0~99 B. 1~99 C. 100~199 D. 200~299 E. None of the above. Ans: B
Q2. Which one of the following commands assigns a number and condition for the list? A. access-list B. access-group C. access-number D. list-number E. None of the above. Ans: A
Q3. Which one of the following commands will you use to display the access lists set on an IP interface? A. show int ip B. show ip access-list C. show ip list D. show ip int E. None of the above. Ans: D
Q4. Which one of the following commands will you use to display all access lists on Serial 0? A. show all access-list B. show access-list ser0 C. show ip ser 0 access-list D. show ip int ser0 E. None of the above. Ans: D
Q5. Which one of the following commands will you use to permit all SNMP? A. access-list 123 permit tcp any any eq SNMP B. access-list 123 permit SNMP C. access-list 123 deny all D. access-list 123 deny SNMP all. Ans: A
Q6. What does any mean in an access-list command? A. 0.0.0.0 255.255.255.255 B. 1.1.1.1 255.255.255.255 C. 255.255.255.255 0.0.0.0 D. 0.0.0.0 255.255.255.0 E. 0.0.0.0 0.0.0.0. Ans: A
Q7. Which one of the following wildcard masks will you use to match the range 180.80.32.0~180.80.63.255? A. 0.0.0.0 B. 255.255.255.255 C. 0.0.31.255 D. 0.0.0.255 E. 0.0.255.255. Ans: C
Q8. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0? A. 0.0.0.31 B. 0.0.0.240 C. 0.0.0.255 D. 0.0.255.255
Q9. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0? A. 0.0.0.31 B. 0.0.0.240 C. 0.0.0.255 D. 0.0.15.255