Managing Traffic with Access Lists - PowerPoint PPT Presentation

Slides: 22
Provided by: JJC79

Transcript and Presenter's Notes

1
  • Managing Traffic with Access Lists

2
Topics
  • Designing access lists to meet user
    specifications
  • Implementing access lists
  • Troubleshooting access lists
  • Evaluate rules for packet control

3
Access Lists
  • Permit or deny packets to move through a router
  • Permit or deny Telnet (VTY) access to or from a
    router
  • Define the interesting traffic that triggers
    Dial-on-Demand Routing (DDR) to dial a remote
    location

4
Important Rules
  • Packets are compared to each line of the access
    list in sequential order, from the top
  • Packets are compared with lines of the access
    list only until a match is made
  • no further comparisons take place afterward
  • An implicit deny ends each access list
  • If no line matches, the packet is discarded

5
Types of Access Lists
  • Standard Access List
  • Filter by source IP addresses only
  • Extended Access List
  • Filter by Source IP, Destination IP, Protocol
    Field, Port Number
  • Named Access List
  • Functionally the same as standard and extended
    access lists
  • Referenced by a name instead of a number

6
Application of Access Lists
  • Inbound Access Lists
  • Packets are processed before being routed to the
    outbound interface
  • Outbound Access Lists
  • Packets are routed to the outbound interface and
    then processed by the access list

7
ACL Guidelines
  • One Access Control List (ACL) per interface, per
    protocol, per direction
  • More specific tests at the top of the ACL
  • New lines are appended to the bottom of the ACL
  • Individual lines cannot be removed from a numbered
    ACL (delete and re-create the list; a named ACL
    allows removing a single line)
  • End ACLs with a permit any command when the intent
    is to block specific traffic and allow the rest;
    otherwise the implicit deny discards everything
    not explicitly permitted
  • Create ACLs then apply them to an interface
  • ACLs do not filter traffic originated by the
    router itself
  • Put Standard ACLs close to the destination
  • Put Extended ACLs close to the source

8
Standard IP Access Lists
  • Filter traffic by packet source IP address
  • Use access-list numbers between 1-99 and
    1300-1999
  • permit or deny options forward or reject packets
  • The source is given as a hostname or IP address
    (optionally followed by a wildcard), the keyword
    any, or host followed by one address

9
Standard ACL Examples
  • access-list 10 deny host 172.16.30.2
  • access-list 1320 permit any
  • access-list 98 deny Marketing

10
Wildcards
  • Are used with access lists to specify a host,
    network, or part of a network to filter
  • Block sizes must be considered when specifying a
    range of IP addresses that will have restricted
    access to a router
  • Common block sizes are 4, 8, 16, 32, and 64

11
Wildcard Rules
  • Each block must start at 0 or at a multiple of its
    block size (8, 16, 24, ... for a block size of 8)
  • A 0 in a wildcard means that that octet must
    match exactly
  • A 255 in a wildcard means that that octet can
    be any value
  • The keyword any is the same thing as writing out
    0.0.0.0 255.255.255.255, and host x.x.x.x is the
    same as x.x.x.x 0.0.0.0
  • When specifying a range of addresses, choose the
    smallest block size that still covers the range

12
Specifying a Range of Subnets using Block Sizes
  • Restrict access from 172.16.8.0 through
    172.16.15.0 (eight consecutive /24 subnets)
  • A block size of 8 in the third octet is appropriate
  • Network number 172.16.8.0
  • Wildcard 0.0.7.255
  • since the wildcard is always one less than the
    block size
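The block-size rules of slides 10 to 12, written out as code. This is an added example, not code from the original slides: the function names and the sample ranges are this example's own. `wildcard_for_block` accepts only a range that one access-list line can express exactly, `covering_block` applies the "closest but larger block size" rule when the requested range is not aligned, and `extra_addresses` reports how many addresses that rounding lets through beyond what was asked for, which is the figure a reviewer wants before approving the line.

```python
"""Block-size and wildcard helpers for IOS-style access lists.

Added example, not code from the original slides. It encodes the rules
from slides 10-12: a block is a power of two, it must start on a multiple
of its size, and the wildcard is the block size minus one. Function names
and sample ranges are this example's own.
"""
from ipaddress import IPv4Address


def _ip(text):
    return int(IPv4Address(text))


def _dotted(value):
    return str(IPv4Address(value))


def wildcard_for_block(first, last):
    """Network and wildcard for the exact block first..last (inclusive).

    Raises ValueError when one access-list line cannot express the range,
    i.e. it is not a power-of-two block starting on a multiple of its size.
    """
    lo, hi = _ip(first), _ip(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    size = hi - lo + 1
    if size & (size - 1):
        raise ValueError(f"{size} addresses is not a power-of-two block")
    if lo % size:
        raise ValueError(f"a block of {size} must start on a multiple of {size}")
    return _dotted(lo), _dotted(size - 1)       # wildcard = block size - 1


def expressible(first, last):
    """True if first..last is a single aligned block (one ACL line)."""
    try:
        wildcard_for_block(first, last)
        return True
    except ValueError:
        return False


def covering_block(first, last):
    """Smallest aligned block containing first..last: slide 11's 'closest
    but larger block size'. It may cover addresses outside the range."""
    lo, hi = _ip(first), _ip(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    size = 1
    while size < hi - lo + 1:
        size *= 2
    start = lo - lo % size                      # align start to the block size
    while start + size - 1 < hi:                # grow until the block reaches hi
        size *= 2
        start = lo - lo % size
    return _dotted(start), _dotted(size - 1)


def extra_addresses(first, last):
    """Addresses the covering block includes beyond the requested range;
    non-zero means the resulting ACL line is broader than the requirement."""
    _, wild = covering_block(first, last)
    return (_ip(wild) + 1) - (_ip(last) - _ip(first) + 1)


def matches(address, network, wildcard):
    """True if address is inside network/wildcard (a 0 bit must match)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) ^ _ip(network)) & care == 0


if __name__ == "__main__":
    print(wildcard_for_block("172.16.8.0", "172.16.15.255"))   # slide 12's case
    print(covering_block("172.16.10.0", "172.16.13.255"))      # unaligned start
    print(extra_addresses("172.16.10.0", "172.16.13.255"))     # how much leaks in
```

Running the module shows slide 12's range mapping to 172.16.8.0 0.0.7.255 as expected, and a range of four subnets starting at 172.16.10.0 being rounded up to the same 8-subnet block, with 1024 addresses covered that were never requested; a single address rounds to a 0.0.0.0 wildcard, which is what the host keyword expands to.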

13
Controlling Telnet Access
  • Why?
  • Without an ACL any host that can reach the router
    can attempt to Telnet in; only the VTY password
    stands in the way
  • Controlling access
  • Create a standard IP access list
  • Permitting only the host/hosts authorized to
    Telnet into the router
  • Apply the ACL to the VTY lines with the
    access-class command (not ip access-group)

14
Example Denying Telnet Access
  • Lab_A(config)#access-list 50 permit 172.16.10.3
  • Lab_A(config)#line vty 0 4
  • Lab_A(config-line)#access-class 50 in
  • (every other source address hits the implied deny)

15
Extended IP Access Lists
  • Allows you to choose...
  • IP Source Address
  • IP Destination Address
  • Protocol
  • Port number

16
Extended IP ACLs
  • Router(config)#access-list ?
  • <1-99> IP standard access list
  • <100-199> IP extended access list
  • <1000-1099> IPX SAP access list
  • <1100-1199> Extended 48-bit MAC address access
    list
  • <1200-1299> IPX summary address access list
  • <200-299> Protocol type-code access list
  • <300-399> DECnet access list
  • <600-699> Appletalk access list
  • <700-799> 48-bit MAC address access list
  • <800-899> IPX standard access list
  • <900-999> IPX extended access list
  • Router(config)#access-list 110 ?
  • deny Specify packets to reject
  • dynamic Specify a DYNAMIC list of PERMITs or
    DENYs
  • permit Specify packets to forward

17
Extended IP ACLs
  • Router(config)#access-list 110 deny ?
  • <0-255> An IP protocol number
  • ahp Authentication Header Protocol
  • eigrp Cisco's EIGRP routing protocol
  • esp Encapsulation Security Payload
  • gre Cisco's GRE tunneling
  • icmp Internet Control Message Protocol
  • igmp Internet Gateway Message Protocol
  • igrp Cisco's IGRP routing protocol
  • ip Any Internet Protocol
  • ipinip IP in IP tunneling
  • nos KA9Q NOS compatible IP over IP
    tunneling
  • ospf OSPF routing protocol
  • pcp Payload Compression Protocol
  • tcp Transmission Control Protocol
  • udp User Datagram Protocol
  • Router(config)#access-list 110 deny tcp ?
  • A.B.C.D Source address

18
Creating an Extended ACL
  • 1 Create the access list (all steps in router
    config mode)
  • access-list 110
  • 2 Decide on deny or permit
  • access-list 110 deny
  • 3 Choose the protocol type
  • access-list 110 deny tcp
  • 4 Choose source IP address of the host or
    network
  • access-list 110 deny tcp any
  • 5 Choose destination IP address
  • access-list 110 deny tcp any host 172.16.30.2
  • 6 Choose the port (eq 23 is Telnet) and, optionally,
    logging of matches
  • access-list 110 deny tcp any host 172.16.30.2 eq
    23 log

19
Implementation Steps
  • To block Telnet on a specific host and log access
    attempts
  • access-list 110 deny tcp any host 172.16.30.2 eq
    23 log
  • To permit everything else (otherwise the implicit
    deny discards all remaining traffic)
  • access-list 110 permit ip any 0.0.0.0
    255.255.255.255
  • To apply the access list to an interface, in
    interface configuration mode
  • Router(config-if)#ip access-group 110 in
  • or
  • Router(config-if)#ip access-group 110 out
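A small evaluator that applies the slide 4 rules to the lists built on slides 9, 14, 18 and 19, so the effect of line order and of the implicit deny can be checked before a list is applied to a live interface. This is an added example and not code from the original slides: it parses only the keywords the slides use (any, host, address plus wildcard, eq port, log), the Packet type is this example's own, and all sample traffic is constructed.

```python
"""Evaluator for IOS-style numbered IP access lists.

Added example, not code from the original slides. It implements the slide 4
rules (compare top-down, first match wins, implicit deny at the end) and
parses the standard and extended syntax used on slides 9, 14, 18 and 19:
any, host, address plus wildcard, eq <port>, log. The Packet type and all
sample traffic are constructed for this example.
"""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any IP protocol
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))


@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False
    hits: int = 0          # the "(N matches)" counter shown by show access-lists


def _ip(text):
    return int(IPv4Address(text))


def _is_dotted(tok):
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()


def _addr_spec(toks, i):
    """Consume one address spec at toks[i]; return (addr, wildcard, next i)."""
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if toks[i] == "host":
        return _ip(toks[i + 1]), 0, i + 2
    if i + 1 < len(toks) and _is_dotted(toks[i + 1]):
        return _ip(toks[i]), _ip(toks[i + 1]), i + 2
    return _ip(toks[i]), 0, i + 1      # bare address in a standard list = one host


def _port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return None, i


def parse_line(line):
    """Parse 'access-list <number> permit|deny ...' into (number, Entry)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"cannot parse: {line}")
    number, action, i = int(toks[1]), toks[2], 3
    if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard: source only
        proto, sport, dport, dst, dst_wild = None, None, None, 0, 0xFFFFFFFF
        src, src_wild, i = _addr_spec(toks, i)
    elif 100 <= number <= 199 or 2000 <= number <= 2699:     # extended (2000-2699: IOS expanded range)
        proto = int(toks[i]) if toks[i].isdigit() else PROTOCOLS[toks[i]]
        src, src_wild, i = _addr_spec(toks, i + 1)
        sport, i = _port(toks, i)
        dst, dst_wild, i = _addr_spec(toks, i)
        dport, i = _port(toks, i)
    else:
        raise ValueError(f"{number} is not an IP access-list number")
    return number, Entry(action, proto, src, src_wild, dst, dst_wild,
                         sport, dport, log="log" in toks[i:])


def _in_block(addr, net, wild):
    """A 0 bit in the wildcard must match exactly; a 1 bit is don't-care."""
    return (addr ^ net) & (~wild & 0xFFFFFFFF) == 0


class AccessList:
    def __init__(self, lines):
        self.number, self.entries = None, []
        for line in lines:
            number, entry = parse_line(line)
            if self.number not in (None, number):
                raise ValueError("all lines must belong to the same list")
            self.number = number
            self.entries.append(entry)          # new lines always go to the bottom

    def evaluate(self, pkt):
        """Return (action, entry); entry is None when the implicit deny fires."""
        src, dst = _ip(pkt.src), _ip(pkt.dst)
        for e in self.entries:                                   # top to bottom
            if e.proto is not None and e.proto != pkt.proto:
                continue
            if not (_in_block(src, e.src, e.src_wild) and _in_block(dst, e.dst, e.dst_wild)):
                continue
            if e.sport is not None and e.sport != pkt.sport:
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
            e.hits += 1
            return e.action, e                                   # first match wins
        return "deny", None                                      # implicit deny
```

Feeding slide 19's two lines to `AccessList` and evaluating a Telnet packet to 172.16.30.2 returns deny from the first (logging) line, while HTTP to the same host, Telnet to any other host and ICMP all fall through to the permit ip any line. Dropping that last line makes the implicit deny fire for everything that is not Telnet to 172.16.30.2, which is the mistake the "permit any" guideline on slide 7 warns about.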

20
Named Access Lists
  • Another way to create standard and extended
    access lists.
  • Allows the use of descriptive names to ease
    network management.
  • Syntax changes
  • ip access-list standard BlockSales
  • deny 172.16.40.0 0.0.0.255
  • permit any
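The same policy in named form, as an added configuration example that is not from the original slides: the extended list built on slides 18 and 19 applied inbound on an interface, and the VTY restriction of slide 14 as a named standard list. The list names and the interface name FastEthernet0/0 are assumptions for illustration.

```cisco
! Named version of access-list 110 from slides 18-19 (added example)
ip access-list extended BLOCK-TELNET-30-2
 remark Deny Telnet to 172.16.30.2 and log attempts; allow everything else
 deny   tcp any host 172.16.30.2 eq 23 log
 permit ip any any
!
! Apply inbound on the interface facing the sources (assumed interface name)
interface FastEthernet0/0
 ip access-group BLOCK-TELNET-30-2 in
!
! Named version of access-list 50 from slide 14; only 172.16.10.3 may Telnet in
ip access-list standard VTY-ADMIN
 permit host 172.16.10.3
!
line vty 0 4
 access-class VTY-ADMIN in
!
! Verify the lists and where they are applied (slide 21)
show ip access-lists
show ip interface FastEthernet0/0 | include access list
```

Unlike the numbered form, a single line of a named list can be removed later by entering the list again and prefixing the line with no (for example `no deny tcp any host 172.16.30.2 eq 23 log`), so a correction does not require deleting and re-creating the whole list.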

21
Monitoring IP Access Lists
  • Display all access lists and their parameters,
    including the match counter per line
  • show access-lists
  • Show only the parameters for access list 110
  • show access-lists 110
  • Shows only the IP access lists configured
  • show ip access-lists
  • Shows which interfaces have access lists set
  • show ip interface
  • Shows the access lists and the interfaces they
    are applied to
  • show running-config