Friday 11 April 2014

Remembering Cisco Logging Levels:



Remembering lists can be dry and difficult; I like to use the journey method and take myself on a journey through the list. Once I have the headings down I can then "tag" on the additional knowledge; it's a bit like making a framework to build on.

Here is an example I used to remember the Cisco logging (syslog severity) levels. If you're studying for the troubleshooting exam this one should be burned into your head!

The severity levels (0 is the most severe, 7 the least):

0 – Emergencies  - There was an emergency
1 – Alerts – You alerted the police
2 – Critical Conditions – A man was in a critical condition
3 – Errors – This was an error he was fine
4 – Warnings – you got a warning for wasting police time
5 – Notification – They sent you a notification of it
6 – Information – It contained information
7 – Debug – the man was only suffering from debug that everyone else has.

This then simply becomes:

There was an Emergency, you Alerted the police! A man in Critical Condition, however this was an Error, you received a Warning from the police for wasting their time.  A Notification arrived that contained Information that he just had Debug that everyone else had.
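As an added example (my own Python, not from the original post), here is how those levels show up in practice. Every IOS system message is tagged %FACILITY-SEVERITY-MNEMONIC, and logging trap <level> forwards everything whose severity number is at or below the configured level, i.e. as severe or more severe, a direction people often get backwards. The sample lines below are constructed in IOS format, not captured from a device, and the mnemonic names used are real IOS ones; the helper names are my own.

```python
import re

# Cisco IOS syslog severities, lowest number = most severe.
SEVERITY = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Every IOS system message carries %FACILITY-SEVERITY-MNEMONIC: text,
# optionally preceded by a sequence number and/or timestamp.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Body of the messages produced by the 'log' keyword on an extended access list entry.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse(line):
    """Return (facility, severity, mnemonic, text), or None for lines without a message tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m["facility"], int(m["sev"]), m["mnemonic"], m["text"]


def at_trap_level(lines, level):
    """Select what 'logging trap <level>' would forward to a syslog server: every message
    whose severity number is <= level.  Raw debug output (no %TAG) is never forwarded."""
    selected = []
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] <= level:
            selected.append(parsed)
    return selected


def acl_denies(lines):
    """Pull (acl, proto, src, dst, dport) out of the 'denied' access-list log messages."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2].startswith("IPACCESSLOG"):
            m = ACL_LOG_RE.search(parsed[3])
            if m and m["action"] == "denied":
                hits.append((m["acl"], m["proto"], m["src"], m["dst"], int(m["dport"])))
    return hits


# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "*Mar  1 00:13:01.002: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.7.10(50123) -> 10.1.1.1(23), 1 packet",
    "*Mar  1 00:13:05.110: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down",
    "*Mar  1 00:13:07.000: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID from 10.1.123.1, Serial1/0",
    "IP: s=10.1.123.1 (Serial1/0), d=10.1.3.1, len 100, rcvd 2",   # debug output, no severity tag
]

if __name__ == "__main__":
    for fac, sev, mnem, text in at_trap_level(SAMPLE, 5):
        print(f"{SEVERITY[sev]:<14} {fac}-{sev}-{mnem}: {text}")
    print("ACL denies:", acl_denies(SAMPLE))
```

Run as written, a trap level of 5 (notifications) keeps the config, link-down and OSPF messages and drops the level-6 access-list hit; raise the trap level to 6 and the ACL denies reach the collector too, which is what you want before relying on the log keyword for detection.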

Having studied the art of "remembering" a little, there are some useful things you can do to help yourself: the more ridiculous or funny you make your journey, the more likely you are to remember it. Visualise the journey as if it were something you actually did; this reinforces the memory and helps your mind retain it.

Apparently this is related to the way our memories evolved from caveman days, when things were remembered in the form of a journey and drawn on cave walls; our minds are still wired to work that way!

The whole area of how we remember and the techniques used to improve memory can make for fascinating reading.   If you want to learn more google for "the link system".

Sunday 6 April 2014

OSPF Link Count and the Stub Network Issue:



This is a quick and dirty post on an issue I came across when discussing the relationship between the number of physical interfaces and OSPF link counts. I hope it's useful.

Understanding link counts is critical to OSPF troubleshooting. The Link count column counts link entries inside each Router LSA, not interfaces, so until you know how those entries are generated and how they relate to the physical links you cannot predict how many you should be seeing.

Examine the output below:


Core_3#show ip ospf database
Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        1767        0x80000005 0x006047 4
10.1.2.1        10.1.2.1        1001        0x80000008 0x002A9B 5
10.1.3.1        10.1.3.1        1766        0x80000005 0x00790A 3
10.1.4.1        10.1.4.1        1001        0x80000004 0x00DE64 3

Note that the Link count column adds up to 15 (4 + 5 + 3 + 3) across the four Router LSAs; we will look more closely at where those numbers come from.

Looking at the entry for 10.1.3.1 (Core_3) we can see a link count of 3, yet this router has only two OSPF-enabled interfaces, and only one of them is physical.

What's going on?

To understand this take a look at the interfaces on core_3:

Core_3#show ip ospf interface
Serial1/0 is up, line protocol is up
  Internet Address 10.1.123.3/24, Area 0
  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:25
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.1.1
  Suppress hello for 0 neighbor(s)
Loopback3 is up, line protocol is up
  Internet Address 10.1.3.1/24, Area 0
  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

We can see one point-to-multipoint interface (Serial1/0, with one fully adjacent neighbour) and one interface whose OSPF network type has been set to point-to-point (Loopback3; with that setting the whole /24 is advertised rather than the usual /32 host route). That accounts for the three links: the point-to-multipoint interface contributes a point-to-point link entry to neighbour 10.1.1.1 plus a stub entry for its own address 10.1.123.3/32, and Loopback3 contributes a single stub entry for 10.1.3.0/24.

Now let’s have a look at the interfaces on another router called Core_2

Examining the interfaces on Core_2 you will find three physical links, two point-to-point and one point-to-multipoint, yet this router reports a link count of 5. That is your first clue as to what is going on: remember that each link entry in the Router LSA describes one link, not one interface.

If you look closely at what is generated for a point-to-point link you will find that it is described by two link entries in the one Router LSA: one describes the connection to the other router (a point-to-point link) and another describes the subnet between the two routers as a stub network. We can see this by examining the router's self-originated LSA:

CORE_2#show ip ospf database router self-originate

            OSPF Router with ID (10.1.2.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 518
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 10.1.2.1
  Advertising Router: 10.1.2.1
  LS Seq Number: 80000006
  Checksum: 0x2E99
  Length: 84
  Number of Links: 5

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.1.4.1
     (Link Data) Router Interface address: 10.1.124.2
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.1.124.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

From the above you can see that the link to 10.1.4.1 produces two entries in Core_2's single Router LSA, one describing the link to the other router and one describing the 10.1.124.0/24 network itself as a stub network. (The Length of 84 bytes is consistent with this: 24 bytes of header plus 12 bytes for each of the 5 links.) One more point you may not be aware of: a Router LSA (type 1) can carry several different link types. Here is a handy reference table:

Link types carried in a Router LSA (LSA type 1):

Link type   Description                              Link ID field contains
1           Point-to-point link to another router    Neighbouring router's router ID
2           Link to a transit network                IP address of the DR's interface
3           Link to a stub network                   Network/subnet number
4           Virtual link                             Neighbouring router's router ID


I like to think of it this way: if the network has only this router on it, so there is no DR election and only one way in and out (a loopback, a point-to-point subnet, a segment with no neighbours), OSPF describes it as a stub network. If a DR election is held and at least two routers are adjacent on the shared subnet, so there are multiple exits, it is described as a transit network and gets its own Network LSA.

This is an important concept to grasp. Talking with others who are studying OSPF, they get really confused when their link counts don't tally up, so keep it in your head: a point-to-point link takes two link entries to describe, and the number of physical interfaces does not equal the link count in the Router LSA.
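To turn the rule above into something you can check against a database dump, here is an added example (my own Python, not the author's) that predicts the Router LSA link count from a list of OSPF interfaces using the per-network-type rules of RFC 2328 section 12.4.1, and checks the Length field the same way. The interface list for Core_3 is taken from the show ip ospf interface output above; the class and function names are my own, and the loopback rule assumes the IOS default of advertising loopbacks as /32 host routes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class OspfInterface:
    name: str
    net_type: str                  # "p2p", "p2mp", "broadcast", "loopback"
    address: str                   # interface IP address
    mask: str                      # dotted subnet mask
    full_neighbors: int = 0        # neighbours in FULL state on this interface
    adjacent_to_dr: bool = False   # broadcast only: FULL with the DR (or we are the DR with a FULL neighbour)


def subnet(iface):
    """Subnet of the interface, e.g. 10.1.3.0/24 for 10.1.3.1/255.255.255.0."""
    return str(ipaddress.IPv4Interface(f"{iface.address}/{iface.mask}").network)


def router_lsa_links(interfaces):
    """Predict the link entries of this router's Router LSA (RFC 2328 section 12.4.1).
    Returns (link_type, description) tuples; len() of the result is the 'Link count'
    column that 'show ip ospf database' prints."""
    links = []
    for i in interfaces:
        if i.net_type == "p2p":
            # one type-1 entry when the neighbour is FULL (a p2p link has at most one)...
            if i.full_neighbors:
                links.append((1, f"point-to-point to neighbour via {i.name}"))
            # ...plus a type-3 stub for the subnet, added regardless of neighbour state.
            # That is why an up p2p link counts twice and a neighbourless one counts once.
            links.append((3, f"stub {subnet(i)}"))
        elif i.net_type == "p2mp":
            # one type-1 entry per FULL neighbour, plus one /32 stub for our own address
            links += [(1, f"point-to-point to neighbour via {i.name}")] * i.full_neighbors
            links.append((3, f"stub {i.address}/32"))
        elif i.net_type == "broadcast":
            # transit entry only once we are adjacent with the DR; a segment still in
            # Waiting state, with no neighbours, or passive is advertised as a stub
            if i.adjacent_to_dr:
                links.append((2, f"transit network via DR on {i.name}"))
            else:
                links.append((3, f"stub {subnet(i)}"))
        elif i.net_type == "loopback":
            # IOS default for loopbacks: a /32 host route whatever mask is configured
            links.append((3, f"stub {i.address}/32"))
        else:
            raise ValueError(f"unknown network type {i.net_type!r} on {i.name}")
    return links


def router_lsa_length(link_count):
    """Length field of a Router LSA: 20-byte LSA header + 4 bytes flags/count + 12 bytes per link."""
    return 24 + 12 * link_count


# Core_3 as shown in the post's 'show ip ospf interface' output.
CORE_3 = [
    OspfInterface("Serial1/0", "p2mp", "10.1.123.3", "255.255.255.0", full_neighbors=1),
    OspfInterface("Loopback3", "p2p", "10.1.3.1", "255.255.255.0"),   # 'ip ospf network point-to-point'
]

if __name__ == "__main__":
    for link_type, description in router_lsa_links(CORE_3):
        print(f"type {link_type}: {description}")
    print("link count:", len(router_lsa_links(CORE_3)))   # 3, as in the database output
    print("length of a 5-link Router LSA:", router_lsa_length(5))   # 84, as in Core_2's LSA
```

When the predicted count and the Link count column disagree, the difference points you at an interface whose adjacency is not FULL, a broadcast segment stuck in Waiting, or a passive interface you forgot about.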

Access List Notes


                Wouldn’t it be nice if all of the information that flows through your network could be controlled? Wouldn’t it be nice if you could look into the heart of the information flowing around your network and decide where it is allowed to go? With Cisco routers you can, and this control is accomplished with access lists. Access lists identify which traffic may pass through a router, and they can differentiate traffic not only by where it is coming from or going to but also by the protocol and port being used.

What Is An Access List


                An access list is similar to an old BASIC program: it is a sequential list of statements that the router reads from top to bottom, each statement being an instruction on how to process traffic entering or leaving a particular interface. In use, an access list can be thought of as a doorman who decides who can enter and leave the building.

Why Do You Need Access Lists


                The control that access lists give you is all very well, but why would you want this control on your network?  Well there are a variety of reasons:
·         Managing traffic
·         Maximising Bandwidth Potential
·         Security

Managing Traffic


              When the first networks were linked there was not a great deal of traffic between them; as networks grew in size and complexity they began to generate more and more traffic. This growth is mirrored in many organisations today, which start out with a single LAN, expand, and link those LANs together. Pretty soon the traffic between sites becomes unmanageable. Access lists can be the first step in controlling the flow of data between sites and managing the variety of traffic between them. They also manage traffic on temporary links, such as an ISDN router that only provides DDR (Dial On Demand Routing) on an ad hoc basis: you can set up an access list so that only traffic that is meant to cross the connection is deemed "interesting" enough to cause the router to dial up and establish the temporary link.

Maximising Bandwidth Potential


                The cost of communication over a WAN is still relatively high, even for larger companies. This cost is directly related to the bandwidth used on those links, with many telecommunication companies charging a heavy premium if a company exceeds its bandwidth quota. Access lists help you maximise your bandwidth by managing your traffic, limiting unnecessary traffic on your WAN links and saving your company money.

Security


                Although traffic management was the original motivation, access lists are also a basic security control. Imagine you have a sensitive research facility that needs to communicate with other, less secure parts of the network. With access lists you can block traffic going into the facility while still allowing traffic out, and you can even distinguish return traffic for sessions that were initiated from inside the sensitive area (the established keyword). Bear in mind that this distinction rests on TCP flags rather than tracked connection state, so an access list is a packet filter, not a stateful firewall.



Numbered IP Access List Types


            There are two types of numbered IP access list, standard and extended. They differ in which fields of a packet they can examine.

Standard IP Access Lists – (1 – 99)


Standard IP access lists permit or deny traffic based only on the source address. Because they cannot look at the destination, protocol or port, a matching entry affects all IP traffic from that source range. Although limited in function, standard access lists are still useful where you need no finer granularity, for example restricting which hosts may reach the router's VTY lines.

Standard IP Access List Command Format


Router(config)# access-list [number] [permit|deny] [source] [source wildcard]

Parameters

·         access-list – primary command
·         [number] – standard access list number in the range 1-99
·         [permit|deny] – whether the entry permits or denies traffic matching the listed condition
·         [source] – source IP address of the traffic
·         [source wildcard] – identifies which bits of the source address will be checked (0 = must match, 1 = ignore)


Standard IP Access List Example:
The following example permits only traffic sourced from 192.168.0.0/16 out of S0/0 and S0/1: the wildcard 0.0.255.255 leaves the last two octets unchecked, so any 192.168.x.y source matches (IOS stores the entry as 192.168.0.0 0.0.255.255 whatever you type in the unchecked bits). Everything else leaving those interfaces is dropped by the implicit deny at the end of the list. Remember that a standard list checks only the source address, which can be spoofed, and that an outbound list does not filter traffic the router itself generates.



Birmingham(config)# access-list 10 permit 192.168.0.0 0.0.255.255
Birmingham(config)# interface s 0/0
Birmingham(config-if)# ip access-group 10 out
Birmingham(config-if)# interface s 0/1
Birmingham(config-if)# ip access-group 10 out


Extended IP Access Lists – (100 – 199)


Extended access lists permit or deny traffic based not only on the source address but also on the destination address, the protocol and the port number. This gives much greater control and granularity when specifying what traffic can pass through a router. Although more powerful than standard access lists, care should be taken when writing them, as it is very easy to block traffic that should have been let through (or, with an over-broad wildcard, to permit traffic that should not).

Wild Card Bits:


Being able to specify a single address is great for fine control over the traffic on your network, but it soon becomes tedious if you have to write a permit or deny statement for every address. This is where wildcard bits come in: they allow you to specify a range of addresses, or an entire subnet, in one statement.

To understand wildcard bits you need to delve back into the realm of binary. Let's examine the following subnet ID:

192.168.7.0 = 11000000.10101000.00000111.00000000

A wildcard bit of 0 means that bit of the address must match; a wildcard bit of 1 means the bit is ignored for matching purposes. If we wanted to match traffic only from subnet 192.168.7.0/24 we would use the following wildcard mask:

IP address       11000000.10101000.00000111.00000000   (192.168.7.0)
Wildcard mask    00000000.00000000.00000000.11111111   (0.0.0.255)
                 must match  must match  must match  any combination

Keywords for wildcard masks:
any = 0.0.0.0 255.255.255.255 (every bit is ignored, so every address matches)
host = shorthand for a wildcard of 0.0.0.0, meaning every bit must match; for example 172.30.16.29 0.0.0.0 can be written as host 172.30.16.29
Note: in an extended list a wildcard applies to whichever address it follows, so the same address and wildcard pair describes a range of sources or a range of destinations depending on where in the statement it appears.
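The matching rule is easy to get wrong by hand, so here is an added example (my own Python, not from the original notes) that implements it bit for bit: a match test, the subnet-mask to wildcard conversion, the normalisation IOS applies to "don't care" bits, and a count of how many addresses an entry covers. The function names are my own; the addresses come from the notes above.

```python
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def _str(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base/wildcard: every bit that is 0 in the wildcard must be
    identical in addr and base; bits that are 1 in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return ((_int(addr) ^ _int(base)) & care) == 0


def prefix_to_wildcard(prefix_len):
    """The wildcard is the inverted subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return _str(~mask)


def normalize(base, wildcard):
    """What IOS actually stores: every 'don't care' bit of the address is zeroed,
    so 192.168.7.0 0.0.255.255 becomes 192.168.0.0 0.0.255.255 (a /16, not a /24)."""
    return _str(_int(base) & ~_int(wildcard)), wildcard


def addresses_covered(wildcard):
    """Number of addresses an entry matches: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(_int(wildcard)).count("1")


# The two keywords are just fixed wildcards.
ANY = ("0.0.0.0", "255.255.255.255")    # ignore every bit: matches everything


def host(addr):
    return (addr, "0.0.0.0")            # check every bit: matches exactly one address


if __name__ == "__main__":
    print(wildcard_match("192.168.7.42", "192.168.7.0", "0.0.0.255"))      # True
    print(wildcard_match("192.168.200.9", "192.168.7.0", "0.0.255.255"))   # True: this entry is a /16
    print(normalize("192.168.7.0", "0.0.255.255"))                         # ('192.168.0.0', '0.0.255.255')
    print(addresses_covered("0.0.255.255"))                                # 65536
    # Wildcards need not be contiguous: 0.0.0.254 matches every odd host in 192.168.7.0/24,
    # which no subnet mask can express.
    print(wildcard_match("192.168.7.33", "192.168.7.1", "0.0.0.254"))      # True
    print(wildcard_match("192.168.7.34", "192.168.7.1", "0.0.0.254"))      # False
```

The addresses_covered figure is the quick sanity check to run on any permit entry: a wildcard with more 1 bits than you expected is how a "permit this subnet" line quietly becomes "permit a quarter of the Internet".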


Extended IP Access List Command Format:

router(config)# access-list [number] [permit|deny] [protocol] [source] [source wildcard] [operator] [port] [destination] [destination wildcard] [operator] [port] [established] [log]
Parameters

·         access-list – primary command
·         [number] – extended access list number in the range 100-199
·         [permit|deny] – whether the entry permits or denies traffic matching the listed condition
·         [protocol] – the protocol to be matched (ip, tcp, udp, icmp and so on; ip matches everything)
·         [source] – source IP address of the traffic
·         [source wildcard] – wildcard bits to apply to the source address
·         [operator] – logical operator to test against the port number (see table)
·         [port] – the port number; after the source it tests the source port, after the destination it tests the destination port
·         [destination] – destination IP address of the traffic
·         [destination wildcard] – wildcard bits to apply to the destination address
·         [established] – TCP only: the entry matches only segments with the ACK or RST bit set, that is, traffic belonging to a session that is already set up. It is a check on flags in the individual packet, not on connection state, so a crafted packet with ACK set also matches.
·         [log] – generates a syslog message (the %SEC-6-IPACCESSLOG* family, informational level) for packets matching the entry. IOS rate-limits these, logging the first match and then periodic summaries, so the packet counts in the messages are approximate.


Table Of Port Numbers and Operators Used With Extended Access Lists:


There are many port numbers; the ones listed here are commonly used ones, along with the operators that may be used in conjunction with them.

Port    Service        Transport
20      FTP data       TCP
21      FTP control    TCP
23      Telnet         TCP
25      SMTP           TCP
53      DNS            TCP/UDP
69      TFTP           UDP
80      HTTP           TCP

Operator   Meaning
lt         port numbers less than the specified port
gt         port numbers greater than the specified port
eq         exactly the specified port
neq        any port other than the specified port
range      ports between two specified values, inclusive



Extended IP Access List Example:


The following access list denies Telnet from network 192.168.7.0/24 leaving interface S0/1 and permits everything else:

Router(config)# access-list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23
Router(config)# access-list 111 permit ip any any
Router(config)# interface s 0/1
Router(config-if)# ip access-group 111 out

Note: the any keyword is shorthand for 0.0.0.0 255.255.255.255, that is, any address. The deny matches only TCP to destination port 23, so a Telnet server listening on a non-standard port is still reachable through the second line, and Telnet to the router itself is better controlled with access-class on the VTY lines (see below).

Named Access Lists

If your router is running Cisco IOS 11.2 or later you can use named access lists, which let you refer to a standard or extended list by a descriptive name instead of a number. A meaningful name is easier to remember, and named lists let you delete or insert individual entries without re-entering the whole list.
Like numbered lists, named lists are either standard or extended and follow the same filtering rules as their numbered counterparts. There is no particular naming convention to follow. The same ip access-list command also accepts a number in place of a name: you then get the editing benefits of a named list while keeping the familiar numbered ranges, which is where the confusion comes from!

The ip access-list command:
ip access-list {standard|extended} {number|name}

EX:
R1(config)# ip access-list standard 35        ! a number is used here; a name such as MGMT would work the same way
R1(config-std-nacl)# permit 45.2.3.0 0.0.0.255
R1(config-std-nacl)# permit 45.2.4.0 0.0.0.255


Editing Access Lists:


It is possible to edit both numbered and named access lists entry by entry, as long as you work on them through the ip access-list sub-configuration mode rather than the classic access-list command.

To edit or remove a single statement, first display the list with show ip access-lists, which prints each entry with its sequence number (by default 10, 20, 30 and so on). Then, in the access-list sub-configuration mode, remove an entry with no followed by its sequence number, or add a statement between two existing ones by giving it a sequence number that falls between theirs. IOS rejects a duplicate sequence number, so to change an existing entry remove it and re-add it; if you run out of room between numbers, ip access-list resequence spreads them out again.

Inbound Or Outbound Mode


An access list does nothing until it is applied to an interface (or, for management access, to a line). When you apply it to an interface you choose one of two directions: inbound or outbound.

Inbound Access Lists
           

Inbound access lists filter traffic as it arrives on the interface, before a routing decision is made. This makes them more efficient: a packet that is going to be dropped is never routed. An inbound list also filters packets addressed to the router itself, which is what you want for protecting the device.

Outbound Access Lists


                Outbound access lists filter traffic as it leaves the interface, after it has been routed. They are less efficient because of that routing overhead, and they do not filter traffic the router itself originates.

Applying An Access List:


For an access list to work you need to apply it to an interface as either an outbound or inbound access list.  The command for doing this is as follows:

Router(config-if)# ip access-group {number|name} {in|out}

·         ip – indicates an IP access list.
·         access-group – binds the list identified by the number or name to this interface.
·         {in|out} – indicates whether the access list is applied to inbound or outbound traffic.

Applying Access Lists to VTY Lines:


You can also use a standard access list to restrict which source addresses may open a management session on the VTY lines, which is one of the most valuable uses of a standard list. The access-class command applies it to the lines rather than to an interface, and the implicit deny refuses every source that is not listed, so make sure the station you are configuring from is permitted before you apply it. For example:

router(config)# access-list 4 permit 172.16.35.4
router(config)# line vty 0 4
router(config-line)# access-class 4 in

If the platform has more than five VTY lines (many switches have vty 0 15), apply the same access-class to the rest as well, otherwise the unfiltered lines remain reachable.

Access List Rules and Regulations:


·         Access lists are processed top to bottom and the first matching entry wins: its permit or deny is applied and no further entries are checked. Ordering therefore matters: a deny intended for a particular kind of traffic must appear before any permit that would also match it. Place specific entries before general ones rather than mechanically putting all of the denies first.
·         Every access list ends with an implicit deny any: a packet that matches no entry is discarded. This can cause you serious problems if you apply a list on a remote router only to find you have locked yourself out, so make sure the list permits your own management traffic (and any routing protocol the router depends on) before you apply it.
·         Place the entries that will match most often near the top; this saves processing and makes the list more efficient.
·         Check a classic numbered list before entering it: entries created with the access-list command cannot be edited individually, and no access-list followed by the number removes the entire list even if you type the rest of an entry after it. Named lists, and numbered lists opened with ip access-list, can be edited entry by entry using sequence numbers.
·         Place extended access lists close to the source, so unwanted traffic is dropped before it consumes bandwidth across the network.
·         Place standard access lists close to the destination: they match on source only, so placed near the source they would cut that source off from everything, not just from the destination you meant.
·         Only one access list per protocol, per interface, per direction is allowed (one inbound and one outbound IP list on the same interface is fine).
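Since first-match ordering, the implicit deny and the established keyword are exactly the things people get wrong, here is an added example (my own Python model, not the author's and not IOS code) that evaluates the page's access-list 111 and two other small lists against constructed packets. The Entry and Packet classes and the packets themselves are mine; the list contents follow the notes above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    return ((_int(addr) ^ _int(base)) & ~_int(wildcard) & 0xFFFFFFFF) == 0


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    return (addr, "0.0.0.0")


PORT_OPS = {
    "eq": lambda p, n: p == n,
    "neq": lambda p, n: p != n,
    "lt": lambda p, n: p < n,
    "gt": lambda p, n: p > n,
}


@dataclass
class Entry:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" matches everything; otherwise "tcp", "udp", "icmp"
    src: Tuple[str, str]                       # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]] = None    # (operator, port) tested against the destination port
    established: bool = False                  # TCP only: ACK or RST must be set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False


def entry_matches(entry, pkt):
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *entry.src) or not wildcard_match(pkt.dst, *entry.dst):
        return False
    if entry.dport and not PORT_OPS[entry.dport[0]](pkt.dport, entry.dport[1]):
        return False
    # 'established' only inspects the flags of this one packet and keeps no connection
    # state, so a forged segment with ACK set passes it just as well as a genuine reply.
    if entry.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins.  Returns (action, 1-based entry number); a packet that
    matches nothing falls off the end into the implicit deny and gets ('deny', None)."""
    for n, entry in enumerate(acl, 1):
        if entry_matches(entry, pkt):
            return entry.action, n
    return "deny", None


# access-list 111 from the notes: deny Telnet from 192.168.7.0/24, permit everything else.
ACL_111 = [
    Entry("deny", "tcp", ("192.168.7.0", "0.0.0.255"), ANY, dport=("eq", 23)),
    Entry("permit", "ip", ANY, ANY),
]
# A standard-style list with a single permitted source: every other source hits the implicit deny.
ACL_10 = [Entry("permit", "ip", ("192.168.0.0", "0.0.255.255"), ANY)]
# An inbound list that admits only replies to TCP sessions opened from inside 192.168.7.0/24.
ACL_ESTAB = [Entry("permit", "tcp", ANY, ("192.168.7.0", "0.0.0.255"), established=True)]

# Constructed packets (not from a capture).
TELNET = Packet("tcp", "192.168.7.10", "10.1.1.1", dport=23)
SSH = Packet("tcp", "192.168.7.10", "10.1.1.1", dport=22)
TELNET_OTHER_SRC = Packet("tcp", "192.168.8.10", "10.1.1.1", dport=23)
REPLY = Packet("tcp", "10.1.1.1", "192.168.7.10", dport=50123, ack=True)
NEW_SYN = Packet("tcp", "10.1.1.1", "192.168.7.10", dport=23)

if __name__ == "__main__":
    print("ACL 111:", evaluate(ACL_111, TELNET), evaluate(ACL_111, SSH), evaluate(ACL_111, TELNET_OTHER_SRC))
    # The same two entries in the wrong order: the permit shadows the deny and Telnet gets through.
    print("reversed:", evaluate(list(reversed(ACL_111)), TELNET))
    print("implicit deny:", evaluate(ACL_10, Packet("udp", "10.9.9.9", "10.1.1.1", dport=53)))
    print("established:", evaluate(ACL_ESTAB, REPLY), evaluate(ACL_ESTAB, NEW_SYN))
```

Reversing ACL_111 is the shadowing mistake the first rule warns about, and the last case shows why established is not a substitute for a stateful firewall: any inbound segment with ACK set is accepted, whether or not a session exists.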


Other IP Access List Commands:


To remove a numbered IP access list use the following command in global configuration mode. It removes the whole list. Be aware that an ip access-group left on an interface referencing a list that no longer exists permits all traffic, so if filtering must continue, unbind the list from the interface first.

[no] [access-list] [number]

Parameters:

·         [no] indicates the following is not required any longer
·         [access-list] specifies an access-list
·         [number] specifies the access-list number

To remove an IP access list from an interface, use the following command in interface configuration mode:

no ip access-group [number] [in/out]

To verify access list operation the following commands are useful:

router# show ip interface
The output shows which access lists are applied, inbound and outbound, on one or more interfaces.

router# show access-lists
The output lists every access list configured on the router, with per-entry match counters, or only the list specified if you add an access list number or name.
Access Lists and Debugging:

It is possible to combine an access list with a debug command. Why would you want to? Imagine you want to examine the packets flowing between two particular hosts: create an access list that matches only that flow and reference it from the debug, so that only matching packets are shown:

router# debug ip packet X [detail]
  • X = the access list number being referenced
  • detail = keyword that adds protocol and port information to each line

Caution: debug commands consume CPU, and an unfiltered debug ip packet on a busy router can bring it to a halt, so always be selective and turn debugging off (undebug all) as soon as you have what you need. Note also that debug ip packet shows only process-switched packets; traffic that is fast- or CEF-switched passes through without appearing in the output.