8/14/2019 Managing Ip Traffic With Access List
1/39
2002, Cisco Systems, Inc. All rights reserved. 1
Module 6: Managing IP Traffic with Access Lists
Access Lists and Their Applications
Why Use Access Lists?
Manage IP traffic as network access grows
Filter packets as they pass through the router
Access List Applications
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without access lists, all packets could be transmitted onto all parts of your network.
Other Access List Uses
Special handling for traffic based on packet tests
Types of Access Lists
Standard
Checks source address
Generally permits or denies entire protocol suite
Extended
Checks source and destination address
Generally permits or denies specific protocols
How to Identify Access Lists
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range).
Extended IP lists (2000-2699) (expanded range).
Other access list number ranges test conditions for other networking protocols.
Testing Packets with Standard Access Lists
Testing Packets with Extended Access Lists
Outbound ACL Operation
If no access list statement matches, then discard the packet.
A List of Tests: Deny or Permit
Wildcard Bits: How to Check the Corresponding Address Bits
0 means check value of corresponding address bit.
1 means ignore value of corresponding address bit.
Wildcard Bits to Match a Specific IP Host Address
Verify an IP host address, for example:
Check all the address bits (match all).
For example, 172.30.16.29 0.0.0.0 checks all the address bits.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
Wildcard Bits to Match Any IP Address
An IP host address, for example:
Test conditions: Ignore all the address bits (match any).
Accept any address: any
Abbreviate the expression using the keyword any.
Wildcard Bits to Match IP Subnets
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24. Address and wildcard mask:
172.30.16.0 0.0.15.255
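The three wildcard slides above state the rule (a 0 bit means check the address bit, a 1 bit means ignore it) and its two shorthands, host and any. As an added example that is not part of the Cisco module, the following Python, using only the standard ipaddress library, implements that rule and goes one step further than the slides: covering_wildcard computes the address/wildcard pair for a run of contiguous subnets and reports whether the pair is exact, because a run that is not aligned to a power-of-two block cannot be written as one statement without also matching addresses outside it. The addresses come from the slides; the function names are my own.

```python
"""Wildcard-mask arithmetic as used by IOS access lists (added example, not Cisco code)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_spec(spec):
    """Turn 'host A.B.C.D', 'any', 'A.B.C.D W.X.Y.Z' or a bare address into (address, wildcard) ints."""
    parts = spec.split()
    if parts == ["any"]:                       # shorthand for 0.0.0.0 255.255.255.255
        return 0, ALL_ONES
    if parts[0] == "host":                     # shorthand for A.B.C.D 0.0.0.0
        return int(ipaddress.IPv4Address(parts[1])), 0
    addr = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0   # default wildcard 0.0.0.0
    return addr, wild

def wildcard_match(ip, spec):
    """A 0 wildcard bit means the packet bit must equal the address bit; a 1 bit is ignored."""
    addr, wild = parse_spec(spec)
    check = ~wild & ALL_ONES                   # the bits that are actually compared
    return (int(ipaddress.IPv4Address(ip)) & check) == (addr & check)

def wildcard_range(spec):
    """Lowest and highest address a contiguous address/wildcard pair covers."""
    addr, wild = parse_spec(spec)
    lo = addr & ~wild & ALL_ONES
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | wild))

def cidr_to_wildcard(cidr):
    """'172.30.16.0/20' -> ('172.30.16.0', '0.0.15.255'): the wildcard is the inverted subnet mask."""
    net = ipaddress.IPv4Network(cidr)
    return str(net.network_address), str(net.hostmask)

def covering_wildcard(first_cidr, last_cidr):
    """Smallest single address/wildcard pair covering every address from the first subnet
    through the last. exact is False when that pair also matches addresses outside the
    requested run, i.e. when one statement would over-match."""
    lo = int(ipaddress.IPv4Network(first_cidr).network_address)
    hi = int(ipaddress.IPv4Network(last_cidr).broadcast_address)
    wild = (1 << (lo ^ hi).bit_length()) - 1   # ignore every bit position that varies between lo and hi
    addr = lo & ~wild & ALL_ONES
    exact = addr == lo and (addr | wild) == hi
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(wild)), exact

if __name__ == "__main__":
    print(wildcard_match("172.30.16.29", "host 172.30.16.29"))       # True
    print(wildcard_range("172.30.16.0 0.0.15.255"))                  # ('172.30.16.0', '172.30.31.255')
    print(covering_wildcard("172.30.16.0/24", "172.30.31.0/24"))     # ('172.30.16.0', '0.0.15.255', True)
    print(covering_wildcard("172.30.16.0/24", "172.30.20.0/24"))     # ('172.30.16.0', '0.0.7.255', False)
```

The last call shows the caveat: the slides' 172.30.16.0 to 172.30.31.0 run is sixteen /24 networks starting on a /20 boundary, so 0.0.15.255 is exact; a run of only five /24 networks has no single exact wildcard, and the smallest covering statement would also admit 172.30.21.0 through 172.30.23.255.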
Summary
Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices.
An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated from the router. Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.
Summary (Cont.)
Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets to an outbound interface. The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on.
Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.
Configuring IP Access Lists
Access List Configuration Guidelines
Access list numbers indicate which protocol is filtered.
One access list per interface, per protocol, per direction is allowed.
The order of access list statements controls testing. Place the most restrictive statements at the top of the list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
Create access lists before applying them to interfaces. Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements).
Router(config)#access-list access-list-number {permit | deny} {test conditions}
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Step 2: Enable an interface to use the specified access list.
Router(config-if)#{protocol} access-group access-list-number {in | out}
Standard IP Access List Configuration
Router(config)#access-list access-list-number {permit | deny | remark} source [mask]
Sets parameters for this list entry
IP standard access lists use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes entire access list
remark option lets you add a description for the access list
Router(config-if)#ip access-group access-list-number {in | out}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes access list from the interface
Standard IP Access List Example 1
Permit my network only.
Standard IP Access List Example 2
Deny a specific host.
Standard IP Access List Example 3
Deny a specific subnet.
Extended IP Access List Configuration
Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets parameters for this list entry
Router(config-if)#ip access-group access-list-number {in | out}
Activates the extended list on an interface
Extended Access List Example 1
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.
Permit all other traffic.
Extended Access List Example 2
Deny only Telnet from subnet 172.16.4.0 out of E0.
Permit all other traffic.
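The two extended examples above, and the three standard examples before them, appear on the original slides as configuration screenshots that did not survive extraction. As an added example that is not Cisco's code, the following Python parses IOS-style numbered access-list statements and replays the test order the module describes: top-down, first match wins, implicit deny at the end, wildcard masks with the host and any shorthands, port operators, and the established keyword. The configuration lines and packets in it are constructed; the /24 wildcards for the 172.16.4.0 and 172.16.3.0 subnets and the list numbers 101 and 102 are assumptions. MISORDERED_ACL also shows what happens when permit ip any any is placed before the deny, which the configuration guidelines warn against.

```python
"""Parser and first-match evaluator for IOS-style numbered IP access lists.
Added example for this module, not Cisco code; every input below is constructed."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}  # subset of the IOS keywords

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "tcp", "udp", "icmp"; "ip" means the protocol is not examined
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set, i.e. reply traffic

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A W' | 'A' at t[i]; standard lists default W to 0.0.0.0."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and "." in t[i + 1]:   # a dotted token after the address is its wildcard
        return (_ip(t[i]), _ip(t[i + 1])), i + 2
    return (_ip(t[i]), 0), i + 1

_port = lambda tok: PORT_NAMES.get(tok) or int(tok)

def _port_op(t, i):
    """Consume an optional 'eq|neq|gt|lt PORT' or 'range LO HI' test at t[i]."""
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt"):
        return (t[i], _port(t[i + 1]), None), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

_PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
             "gt": lambda p, a, b: p > a, "lt": lambda p, a, b: p < a,
             "range": lambda p, a, b: a <= p <= b}

def _port_match(test, port):
    return test is None or _PORT_OPS[test[0]](port, test[1], test[2])

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' statement into a dict; a remark yields None."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if action == "remark":
        return None
    e = {"action": action, "text": line.strip(), "proto": "ip", "sport": None,
         "dport": None, "dst": (0, 0xFFFFFFFF), "established": False}
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard list: source address only
        e["src"], _ = _addr(t, 3)
        return e
    e["proto"] = t[3]                                   # extended list (100-199, 2000-2699)
    e["src"], i = _addr(t, 4)
    e["sport"], i = _port_op(t, i)
    e["dst"], i = _addr(t, i)
    e["dport"], i = _port_op(t, i)
    e["established"] = "established" in t[i:]
    return e

def _addr_match(ip, spec):
    addr, wild = spec           # wildcard bit 0 = check this bit, 1 = ignore it
    return (_ip(ip) & ~wild) == (addr & ~wild)

def entry_matches(e, p):
    if e["proto"] != "ip" and e["proto"] != p.proto:
        return False
    if not (_addr_match(p.src, e["src"]) and _addr_match(p.dst, e["dst"])):
        return False
    if not (_port_match(e["sport"], p.sport) and _port_match(e["dport"], p.dport)):
        return False
    return not e["established"] or (p.proto == "tcp" and p.established)

def evaluate(acl_lines, packet):
    """Top-down, first match wins; a packet matching no statement hits the implicit deny."""
    for e in (parse_entry(l) for l in acl_lines):
        if e is not None and entry_matches(e, packet):
            return e["action"], e["text"]
    return "deny", "(implicit deny any)"

# Reconstructions of the two extended examples the slides describe (their configuration is a
# screenshot on the original); the list numbers and the /24 wildcards are assumed.
DENY_FTP_ACL = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
DENY_TELNET_ACL = [
    "access-list 102 deny tcp 172.16.4.0 0.0.0.255 any eq telnet",
    "access-list 102 permit ip any any",
]
MISORDERED_ACL = list(reversed(DENY_TELNET_ACL))   # permit ip any any first: the deny is unreachable

if __name__ == "__main__":
    print(evaluate(DENY_FTP_ACL, Packet("172.16.4.10", "172.16.3.5", "tcp", 49152, 21)))
    print(evaluate(MISORDERED_ACL, Packet("172.16.4.10", "10.1.1.1", "tcp", 49152, 23)))
```

The evaluator only models what the slides cover; it does not model the inbound/outbound direction or the interface the list is applied to, so "out of E0" has to be read as "evaluate the packets that would leave E0".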
Using Named IP Access Lists
Router(config)#ip access-list {standard | extended} name
Alphanumeric name string must be unique.
Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
Permit or deny statements have no prepended number.
Router(config {std- | ext-}nacl)#no {permit | deny} {ip access list test conditions}
no removes the specific test from the named access list.
Router(config-if)#ip access-group name {in | out}
Activates the IP named access list on an interface.
Filtering vty Access to a Router
Five virtual terminal lines (0 through 4).
Filter addresses that can access the router's vty ports.
Filter vty access out from the router.
How to Control vty Access
Set up an IP address filter with a standard access list statement.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty.
vty Commands
Router(config)#line vty {vty# | vty-range}
Enters configuration mode for a vty or vty range
Router(config-line)#access-class access-list-number {in | out}
Restricts incoming or outgoing vty connections for addresses in the access list
vty Access Example
Controlling Inbound Access
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny all)
!
line vty 0 4
 access-class 12 in
Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty.
Access List Configuration Principles
The order of access list statements is crucial.
Recommended: Use a text editor on a PC to create the access-list statements, then cut and paste them into the router.
Top-down processing is important.
Place the more specific test statements first.
No reordering or removal of statements.
Use the no access-list number command to remove the entire access list.
Exception: Named access lists permit removal of individual statements.
Implicit deny all will be applied to any packets that do not match any access-list statement.
Unless the access list ends with an explicit permit any statement.
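The principles above (top-down processing, more specific tests first, no reordering of a numbered list once entered, implicit deny unless the list ends in permit any) are exactly the conditions under which a statement can become unreachable, and the slide's advice to prepare the list in a text editor is the moment to check for that. As an added example that is not Cisco code, the following Python checks a numbered standard IP access list for statements that an earlier statement already covers, before the list is pasted into the router. The list MISORDERED is constructed and the function names are my own. It compares source addresses only, as standard lists do, and reports shadowing by a single earlier statement, not by the union of several.

```python
"""Static check for numbered standard IP access lists: a statement whose addresses an earlier
statement already covers can never match (added example, not Cisco code)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_standard(line):
    """'access-list N permit|deny any | host A | A [W]' -> (action, address, wildcard, text)."""
    t = line.split()
    action, spec = t[2], t[3:]
    if spec == ["any"]:
        addr, wild = 0, ALL_ONES
    elif spec[0] == "host":
        addr, wild = int(ipaddress.IPv4Address(spec[1])), 0
    else:
        addr = int(ipaddress.IPv4Address(spec[0]))
        wild = int(ipaddress.IPv4Address(spec[1])) if len(spec) > 1 else 0   # default 0.0.0.0
    return action, addr & ~wild & ALL_ONES, wild, line.strip()    # address stored with ignored bits cleared

def covers(outer, inner):
    """True when every source address matched by inner is also matched by outer: outer must
    ignore every bit that inner ignores, and the two must agree on every bit outer checks."""
    _, oa, ow, _ = outer
    _, ia, iw, _ = inner
    return (iw & ~ow) == 0 and (oa & ~ow) == (ia & ~ow)

def shadowed_entries(lines):
    """List (index, statement, earlier statement, kind) for each permit/deny statement that cannot
    be reached because one earlier statement already covers all of its addresses. The index counts
    permit/deny statements only (remarks are skipped). kind is 'redundant' when both statements
    take the same action and 'conflicting' when the earlier, opposite action wins instead."""
    entries = [parse_standard(l) for l in lines if l.split()[2] != "remark"]
    findings = []
    for j, inner in enumerate(entries):
        for outer in entries[:j]:
            if covers(outer, inner):
                kind = "redundant" if outer[0] == inner[0] else "conflicting"
                findings.append((j, inner[3], outer[3], kind))
                break
    return findings

def ends_with_permit_any(lines):
    """Without an explicit permit any at the end, everything unmatched hits the implicit deny."""
    action, _, wild, _ = parse_standard(lines[-1])
    return action == "permit" and wild == ALL_ONES

# Constructed list: the host-specific deny sits after the broad permit that already covers it.
MISORDERED = [
    "access-list 10 permit 172.16.0.0 0.0.255.255",
    "access-list 10 deny host 172.16.4.13",
    "access-list 10 permit host 10.1.1.1",
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 permit any",
]
# The same statements with the more specific test first, as the principles above recommend.
REORDERED = [MISORDERED[1], MISORDERED[0]] + MISORDERED[2:]

if __name__ == "__main__":
    for finding in shadowed_entries(MISORDERED):
        print(finding)                     # (1, '...deny host 172.16.4.13', '...permit 172.16.0.0 0.0.255.255', 'conflicting')
    print(shadowed_entries(REORDERED))     # []
```

Because a numbered list cannot be reordered in place, a finding like the one above means removing the whole list with no access-list 10 and re-entering it in the corrected order; a named list would allow removing just the single statement.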
Where to Place IP Access Lists
Place extended access lists close to the source.
Place standard access lists close to the destination.
Verifying Access Lists
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
Monitoring Access List Statements
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data
Summary
Well-designed and implemented access lists will add an important security component to your network.
To configure standard IP access lists on a Cisco router, you will create a standard IP access list and activate an access list on an interface.
Similarly, to configure extended IP access lists on a Cisco router, you will create an extended IP access list range and activate an access list on an interface.
The named access list feature allows you to identify IP standard and extended access lists with an alphanumeric string (name) instead of the current numeric (1 to 199 and 1300 to 2699) representations.
Summary (Cont.)
For security purposes, you can deny Telnet access to the router, or you can permit Telnet access to the router but deny access to destinations from that router. Restricting Telnet access is primarily a technique for increasing network security.
Access lists are used to control traffic by filtering and eliminating unwanted packets. Proper placement of an access list statement can reduce unnecessary traffic.
When you finish the access list configuration, you can verify it using the show commands.