Access Lists - PowerPoint PPT Presentation

Provided by: arsivko
Slides: 21

Transcript and Presenter's Notes

Title: Access Lists

1
Access Lists
  • Used for traffic management
  • define the type of traffic that should be allowed
    or restricted from crossing a router
  • filter packet flow in or out router interfaces
  • security
  • reduced traffic

2
Access Lists
  • Also used for
  • Prioritisation (on the basis of protocol)
  • Restrict or reduce the contents of routing
    updates
  • Identify Telnet access allowed to router virtual
    terminals
  • Identify packets for encryption
  • Extra security on IP traffic

3
Access Lists
  • Two main types
  • Standard Access Lists
  • check source address of packets
  • permits/denies output for the entire IP protocol
    suite based on the network/subnet/host address
  • Extended Access Lists
  • check for both source and destination address of
    packets
  • permits/denies output based on source and
    destination addresses
  • can check protocols, port numbers

4
ACLs
  • ACL statements operate in sequential, logical
    order
  • They evaluate packets from top to bottom; the
    first matching statement decides
  • Implicit deny: packets matching none of the
    conditions are dropped

5
ACLs
  • Syntax
  • Router(config)# access-list access-list-number
    {permit | deny} {test conditions}
  • To activate ACLs on an interface
  • Router(config-if)# {protocol} access-group
    access-list-number

6
ACLs - Identifiers
  • IP Standard 1-99
  • IP Extended 100-199
  • Named (Cisco IOS 11.2)
  • AppleTalk 600-699
  • IPX Standard 800-899
  • IPX Extended 900-999
  • Named (Cisco IOS 11.2F)

7
TCP/IP Access-lists
  • Wildcard mask
  • 0 = check this bit of the address
  • 1 = ignore this bit of the address
  • e.g.
  • 00000000 - check all address bits
  • 11111111 - do not check any address bits
  • 00001111 - ignore the last four address bits
    (check the first four)

8
TCP/IP Access-lists
  • Wildcard mask 0.0.15.255 is
  • 00000000 check all address bits in octet 1
  • 00000000 check all address bits in octet 2
  • 00001111 check the first four bits in octet 3
  • 11111111 ignore all bits in octet 4

9
TCP/IP Access-lists
  • Example
  • You are using a class B address with a subnet
    mask 255.255.255.0. How would you check subnet
    addresses 172.30.16.0 to 172.30.31.0?

10
TCP/IP Access-lists
  • Answer
  • Check the first two octets - 0.0.?.?
  • Ignore the final octet - 0.0.?.255
  • Octet 3: check that the 16 bit is on and all
    higher bits are off; the lower bits do not
    matter - 0.0.15.255
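The derivation on slides 9 and 10 can be carried out mechanically. The following Python is an added example (not part of the presentation) that derives the wildcard mask for a block of addresses, shows its per-octet bit pattern as on slide 8, and performs the ACL match test; it assumes the slide's "172.30.16.0 to 172.30.31.0" subnets with mask 255.255.255.0 span the host range 172.30.16.0 to 172.30.31.255.

```python
# Added example (not from the slides): derive and check a Cisco-style
# wildcard mask for a block of addresses, e.g. slide 9's 172.30.16.0-172.30.31.0.
import ipaddress

def _int(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_for_range(first, last):
    """Return (address, wildcard) for a single ACL entry covering first..last,
    or None when the range is not one aligned power-of-two block."""
    lo, hi = _int(first), _int(last)
    wildcard = lo ^ hi                      # bits that vary across the range
    size = wildcard + 1
    if size & (size - 1) or lo & wildcard:  # not a power of two, or not aligned
        return None
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(wildcard))

def wildcard_bits(wildcard):
    """Per-octet bit pattern, as on slide 8: 0 = check the bit, 1 = ignore it."""
    return [format(int(o), "08b") for o in wildcard.split(".")]

def matches(addr, base, wildcard):
    """The ACL test: every checked (0) bit of addr must equal that bit of base."""
    return (_int(addr) ^ _int(base)) & ~_int(wildcard) == 0

if __name__ == "__main__":
    base, wc = wildcard_for_range("172.30.16.0", "172.30.31.255")
    print(base, wc, wildcard_bits(wc))
    for a in ("172.30.16.29", "172.30.31.200", "172.30.32.1", "172.30.15.255"):
        print(a, matches(a, base, wc))
```

A range that is not an aligned power-of-two block (for example 172.30.17.0 to 172.30.31.255) returns None, because no single address/wildcard pair can express it; such ranges need several entries.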

11
TCP/IP Access-lists
  • Using words
  • Matching any IP address
  • 0.0.0.0 255.255.255.255 or just any
  • Matching a specific host address
  • 172.30.16.29 0.0.0.0 or host 172.30.16.29

12
TCP/IP Access-lists
  • Standard access list configuration
  • Router(config)# access-list access-list-number
    {permit | deny} {test conditions}
  • Router(config)# interface e 0
  • Router(config-if)# ip access-group
    access-list-number {in | out}
  • (out is the default)

13
TCP/IP Standard Access-lists
  • Permit one network only
  • access-list 1 permit 172.16.0.0 0.0.255.255
  • (implicit deny all not visible in the list)
  • (access-list 1 deny 0.0.0.0 255.255.255.255)
  • int e 0
  • ip access-group 1 out
  • int e 1
  • ip access-group 1 out

14
TCP/IP Standard Access-lists
  • Deny a specific host
  • Block traffic from 172.20.8.15
  • access-list 1 deny 172.20.8.15 0.0.0.0
  • access-list 1 permit 0.0.0.0 255.255.255.255
  • int e 0
  • ip access-group 1 out

15
TCP/IP Standard Access-lists
  • Deny a specific subnet (172.20.8.0)
  • access-list 1 deny 172.20.8.0 0.0.0.255
  • access-list 1 permit any
  • int e 0
  • ip access-group 1 out

16
TCP/IP Extended Access-lists
  • Syntax
  • Router(config)# access-list access-list-number
    {permit | deny} protocol source source-mask
    destination destination-mask [operator operand]
    [established]
  • Router(config)# interface e 0
  • Router(config-if)# ip access-group
    access-list-number {in | out}

17
TCP/IP Extended Access-lists
  • Protocol - IP, TCP, UDP, ICMP, GRE, IGRP
  • operator - lt, gt, eq, neq; operand - the port
    number being compared (e.g. 21, 23)
  • Example
  • Deny FTP for E0

18
TCP/IP Extended Access-lists
  • Answer
  • access-list 101 deny tcp 172.20.4.0 0.0.0.255
    172.20.3.0 0.0.0.255 eq 21
  • access-list 101 deny tcp 172.20.4.0 0.0.0.255
    172.20.3.0 0.0.0.255 eq 20
  • access-list 101 permit ip 0.0.0.0 255.255.255.255
    172.20.3.0 0.0.0.255
  • (implicit deny all)

19
TCP/IP Extended Access-lists
  • int e 0
  • ip access-group 101 out
  • One access-list per port per protocol is allowed

20
TCP/IP Extended Access-lists
  • Deny only telnet out of e 0
  • access-list 101 deny tcp 172.20.4.0 0.0.0.255 any
    eq 23
  • access-list 101 permit ip any any
  • (implicit deny all)
  • int e 0
  • ip access-group 101 out
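To see how the rules on slide 4 (top-down evaluation, first match, implicit deny) play out against the lists on slides 13 to 15 and 18 to 20, here is an added Python simulator; it is not part of the presentation and not IOS code. It handles the standard form (source only), the extended form with `any`, `host` and address/wildcard pairs, and the `eq` operator used on the slides; `lt`, `gt`, `neq`, `established` and named lists are left out, and packets in the test are constructed.

```python
# Added example, not from the slides: simulate how IOS walks an access list
# (top-down, first match wins, implicit deny) for the list forms shown here.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")       # the slide's 0.0.0.0 255.255.255.255

def _addr_spec(t):
    # consume one address spec: 'any', 'host A', or 'A WILDCARD'
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def parse_acl(text):
    # each entry becomes (action, proto, src_spec, dst_spec, dst_port)
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action, rest = int(t[1]), t[2], t[3:]
        if num <= 99:                      # standard list: source address only
            src, rest = _addr_spec(rest)
            entries.append((action, "ip", src, ANY, None))
        else:                              # extended: proto src dst [eq port]
            src, rest = _addr_spec(rest[1:])
            dst, rest = _addr_spec(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append((action, t[3], src, dst, port))
    return entries

def match_addr(addr, spec):
    # a 0 bit in the wildcard is checked, a 1 bit is ignored (slide 7)
    a, base, wc = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a ^ base) & ~wc == 0

def evaluate(entries, proto, src, dst, dport=None):
    # top-down, first match wins; (deny, None) is the implicit deny (slide 4)
    for i, (action, p, s, d, port) in enumerate(entries):
        if (p in ("ip", proto) and match_addr(src, s) and match_addr(dst, d)
                and (port is None or port == dport)):
            return action, i
    return "deny", None

# list 101 from slide 18, in the text form the parser consumes
ACL_101 = """
access-list 101 deny tcp 172.20.4.0 0.0.0.255 172.20.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.20.4.0 0.0.0.255 172.20.3.0 0.0.0.255 eq 20
access-list 101 permit ip 0.0.0.0 255.255.255.255 172.20.3.0 0.0.0.255
"""
```

Running `evaluate(parse_acl(ACL_101), "tcp", "172.20.4.7", "172.20.5.9", 80)` returns the implicit deny, which shows why the final `permit ip ... 172.20.3.0 0.0.0.255` entry only rescues traffic to that one subnet.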