Wouldn't it be nice if all of the information that flows through your network could be controlled? Wouldn't it be nice if you could look into the heart of the information flowing around your network and decide where that information was allowed to go? With Cisco routers you can, and this control is accomplished with access lists.
Access lists identify which traffic is allowed to pass through a router. Better yet, they can differentiate traffic not only by where it is coming from or going to, but also by the protocol and port being used.
What Is An Access List
An access list is similar to an old BASIC program for an early computer: it is a sequential list of statements that the router reads from top to bottom, each statement being an instruction to the router on how to process traffic entering or leaving a particular interface. In use, an access list can be thought of as a doorman who decides who can enter and leave the building.
Why Do You Need Access Lists
The control that access lists give you is all very well, but why would you want this control on your network? There are a variety of reasons:
· Managing traffic
· Maximising bandwidth potential
· Security
Managing Traffic
When the first networks were linked there was not a great deal of traffic between them; however, as networks grew in size and complexity they also began to generate more and more traffic. This growth is mirrored in many organisations today which start out with a single LAN and then, as the company expands, link these LANs together. Pretty soon the traffic between these sites becomes unmanageable. Access lists can be the first step in controlling the flow of data between sites and managing the variety of traffic between them.
Another way in which they manage traffic is on temporary links between sites, such as an ISDN router that is only used to provide DDR (Dial On Demand Routing) communication on an ad hoc basis. You can set up an access list so that only the traffic that is meant to cross the connection is deemed "interesting" enough to cause the router to dial up and establish the temporary link.
Maximising Bandwidth Potential
The cost of communication over a WAN is still relatively expensive, even for larger companies. This cost is directly related to the bandwidth used on those links, with many telecommunication companies charging a fairly heavy premium if a company exceeds its bandwidth quota. Access lists help you maximise your bandwidth potential by managing your traffic, thereby limiting unnecessary traffic on your WAN links and saving your company money.
Security
Although they are a stateless packet filter rather than a full firewall, access lists can also be used as a security measure. Imagine you have a sensitive research facility that needs to be able to communicate with other parts of the network that may not be so secure. With access lists you can prevent traffic going into the facility while still allowing traffic out, and with the established keyword you can even distinguish replies to TCP sessions that were initiated from within the sensitive area from new connections coming in.
Numbered IP Access List Types
There are two types of numbered IP access lists, standard and extended. They are distinguished by the fields they can use to identify traffic.
Standard IP Access Lists – (1 – 99)
Standard IP access lists permit or deny traffic based only on the source address. Because they look at nothing else, a standard entry permits or denies all IP traffic from the matching source range, whatever its destination, protocol or port. Although limited in function, standard access lists are still useful for situations requiring no granularity, such as restricting which hosts may reach the router's VTY lines. (IOS 12.0(1) and later also accept the expanded range 1300 – 1999 for standard lists.)
Standard IP Access List Command Format
Router(config)# access-list [number] [permit/deny] [source] [wildcard]
Parameters
· access-list – primary command
· [number] – specifies the standard access list number in the range 1-99
· [permit/deny] – specifies whether the entry permits or denies traffic matching the listed condition
· [source] – source IP address of the traffic
· [wildcard] – wildcard mask identifying which bits of the source address will be checked (0 = must match, 1 = ignore); if omitted it defaults to 0.0.0.0, i.e. that single host
Standard IP Access List Example:
The following example will only allow traffic from the subnet 192.168.7.0/24 out of interfaces S 0/0 and S 0/1; everything else is dropped by the implicit deny at the end of the list.
Birmingham(config)# access-list 10 permit 192.168.7.0 0.0.0.255
Birmingham(config)# interface s 0/0
Birmingham(config-if)# ip access-group 10 out
Birmingham(config-if)# interface s 0/1
Birmingham(config-if)# ip access-group 10 out
Extended IP Access Lists – (100 – 199)
Extended access lists can permit or deny traffic based not only on the source address but also on the destination address, the protocol type and the port number. This gives much greater control and granularity when specifying what traffic can pass through a router. Although more powerful than standard access lists, care should be taken when using them as it is very easy to find yourself blocking traffic that should otherwise be let through.
Wild Card Bits:
Being able to specify a single address is great for granularity and fine control over the traffic on your network, but it soon becomes tedious if you have to write a permit or deny statement for every single address on your network. This is where wildcard bits come in handy: they allow you to specify a range of addresses or even an entire subnet.
To understand wildcard bits you need to delve back into the realm of binary. Let's examine the following subnet ID:
192.168.7.0 = 11000000.10101000.00000111.00000000
A wildcard mask is the inverse of a subnet mask: a 0 bit means "this bit of the packet's address must match the configured address", a 1 bit means "ignore this bit". If we wanted to match traffic only from subnet 192.168.7.0/24 we would use the following wildcard mask:
IP Address      11000000.10101000.00000111.00000000
Wild Card Mask  00000000.00000000.00000000.11111111
                Must match Must match Must match Any combination
Wild Card Mask         0   .    0    .    0    .    255
The wildcard bits do not have to be contiguous, which is how a single entry can match, for example, only the even-numbered /24 subnets of a /16.
Keywords for wildcard masks:
any = 0.0.0.0 255.255.255.255 (ignore every bit, so any address matches)
host = when this precedes an IP address it indicates that all bits must be checked; for example, 172.30.16.29 0.0.0.0 can be replaced with host 172.30.16.29
Note* in an extended list the same address-and-wildcard syntax is used for the destination as for the source, so depending on where you put it you may be matching traffic to a range of IP addresses or traffic from a range.
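The wildcard arithmetic and the any/host keywords above, worked through in Python as an added example (this is not Cisco code; the function names are the example's own, and the addresses are the ones used on this page plus a constructed non-contiguous case):

```python
"""Wildcard-mask arithmetic, as an added Python example (not Cisco IOS code).

A wildcard bit of 0 means "this bit of the packet's address must match the
configured address"; a bit of 1 means "ignore this bit".  All function names
below are the example's own."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    """32-bit integer back to a dotted quad."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard that matches exactly one /prefixlen network, e.g. 24 -> 0.0.0.255."""
    return to_dotted(ALL_ONES >> prefixlen)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255 (the usual way to work one out)."""
    return to_dotted(ALL_ONES ^ to_int(subnet_mask))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr satisfies the entry 'base wildcard': every bit the wildcard
    marks as 0 must be equal in addr and base; bits marked 1 are ignored."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)


def bit_view(base: str, wildcard: str):
    """The three rows of the diagram above: the address in binary, the wildcard
    in binary, and M where the bit must match / - where any value is accepted."""
    rows = [format(to_int(base), "032b"), format(to_int(wildcard), "032b")]
    rows.append("".join("M" if bit == "0" else "-" for bit in rows[1]))
    return [".".join(row[i:i + 8] for i in range(0, 32, 8)) for row in rows]


if __name__ == "__main__":
    for row in bit_view("192.168.7.0", "0.0.0.255"):
        print(row)
    print(wildcard_for_prefix(24), wildcard_from_mask("255.255.255.0"))
    # 'any' and 'host' are just the two extreme wildcards
    print(matches("10.1.2.3", "0.0.0.0", "255.255.255.255"))    # any  -> True
    print(matches("172.30.16.30", "172.30.16.29", "0.0.0.0"))   # host -> False
    # Wildcard bits need not be contiguous (constructed case): 0.0.254.255 ignores
    # every bit of the third octet except its lowest, so this entry matches only
    # the even-numbered /24s inside 10.0.0.0/16.
    print(matches("10.0.6.1", "10.0.0.0", "0.0.254.255"),
          matches("10.0.7.1", "10.0.0.0", "0.0.254.255"))       # True False
```

The last case is worth remembering when reading someone else's configuration: a wildcard such as 0.0.254.255 is legal and does something specific, so never assume a wildcard is simply an inverted subnet mask.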
Extended IP Access List Command Format:
router(config)# access-list [number] [permit/deny] [protocol] [source] [source wildcard] [operator] [port] [destination] [destination wildcard] [operator] [port] [established] [log]
Parameters
· access-list – primary command
· [number] – specifies the extended access list number in the range 100 – 199 (IOS 12.0(1) and later also accept 2000 – 2699)
· [permit/deny] – specifies whether the entry permits or denies traffic matching the listed condition
· [protocol] – specifies the protocol to be permitted or denied, e.g. ip, tcp, udp or icmp; ip matches every IP protocol
· [source] – identifies the source IP address of the traffic
· [source wildcard] – specifies the wildcard bits to use against the source address
· [operator] – specifies a logical operator to be tested against a port number (see table); placed after the source it tests the source port, placed after the destination it tests the destination port, and it is only valid for tcp and udp
· [port] – specifies the port number (or a well-known name such as telnet)
· [destination] – identifies the destination IP address of the traffic
· [destination wildcard] – specifies the wildcard bits to use against the destination address
· [established] – (tcp only) matches only segments with the ACK or RST bit set, i.e. replies belonging to a session that is already established. Note that this checks a flag, not session state: it does not stop an attacker from sending packets with ACK set.
· [log] – logs each match of this entry to the console or syslog
Table Of Port Numbers and Operators Used With Extended Access Lists:
There are many port numbers; the ones listed here are commonly used ones, along with the operators that may be used in conjunction with them.
Port Number | Protocol      | Transport
20          | FTP – Data    | TCP
21          | FTP – Control | TCP
23          | Telnet        | TCP
25          | SMTP          | TCP
53          | DNS           | TCP/UDP
69          | TFTP          | UDP
80          | HTTP          | TCP

Operator | Meaning
lt       | Port numbers less than the specified port
gt       | Port numbers greater than the specified port
eq       | The specified port number only
neq      | Port numbers other than the specified port
Extended IP Access List Example:
The following access list will deny all Telnet traffic from network 192.168.7.0/24 leaving interface s 0/1 and permit everything else:
Router(config)# access-list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23
Router(config)# access-list 111 permit ip any any
Router(config)# interface s 0/1
Router(config-if)# ip access-group 111 out
Note* the any keyword is shorthand for 0.0.0.0 255.255.255.255, i.e. every address. The permit ip any any line is essential: without it the implicit deny would drop all other traffic as well.
Named Access Lists
If your router is using Cisco IOS 11.2 or later you can use named access lists. These allow you to associate a standard or extended access list with a name. This has the advantages of making your access lists easier to remember and allowing you to delete individual entries from an access list without having to re-enter the entire list.
Like numbered access lists, named access lists can be standard or extended and follow the same filtering rules as their numbered counterparts. There are no particular naming conventions attached to access lists, but you do have the option to choose either a name or a number. If you choose a number the same rules apply as for a named access list; you are just using the same number ranges you did with numbered access lists. Confusing!
The ip access-list command:
ip access-list [standard/extended] [number/name]
EX (a number is used here, but a name could be used instead):
R1(config)# ip access-list standard 35
R1(config-std-nacl)# permit 45.2.3.0 0.0.0.255
R1(config-std-nacl)# permit 45.2.4.0 0.0.0.255
Editing Access Lists:
It is possible to edit both numbered and named access lists, as long as you enter the sub-configuration mode with the "ip access-list" command rather than re-typing the "access-list" command, which can only append to the end of a list.
To edit or remove a statement in either a numbered or named access list, first display the list with the "show ip access-list" command; on IOS releases that support ACL sequence numbers each statement is shown with its number (10, 20, 30 and so on by default). Then you have a choice: to delete a statement, enter the access-list sub-configuration mode and type "no" followed by that statement's sequence number; to add a statement between two others, type it prefixed with a sequence number that falls between them (for example 15 to sit between 10 and 20). Entries cannot be changed in place, so "editing" a statement means deleting it and re-adding it with the same sequence number. If you run out of gaps, "ip access-list resequence" renumbers the list.
Inbound Or Outbound Mode
Access lists are no good unless they are applied to a
specific interface. When you apply an
access list you can apply it in one of two modes: inbound or outbound.
Inbound Access Lists
Inbound access lists apply to traffic coming into the
router. Inbound access lists are more
efficient because the traffic is tested against an access list before being
routed to an outbound interface.
Outbound Access Lists
Outbound
access lists apply to traffic leaving the router. Outbound Access Lists are less efficient
because they require the overhead of internally routing the traffic before it is
checked against an access list.
Applying An Access List:
For an access list to work you need to apply it to an interface as either an outbound or inbound access list. The command for doing this is as follows:
Router(config-if)# ip access-group [number/name] [in/out]
· ip – indicates an IP access list.
· access-group – indicates the group of statements sharing a common access list number or name.
· [number/name] – the access list to apply.
· [in/out] – indicates whether the access list is applied to inbound or outbound traffic.
Applying Access Lists to VTY Lines:
You can also use standard access lists to limit access to the VTY lines, i.e. who may Telnet or SSH to the router itself. For example, the following allows only 172.16.35.4 in; every other source is rejected by the implicit deny:
router(config)# access-list 4 permit 172.16.35.4
router(config)# line vty 0 4
router(config-line)# access-class 4 in
Access List Rules and Regulations:
· Access lists are parsed top to bottom and the first entry a packet matches decides its fate: the packet is permitted or denied by that entry and no further entries are examined. It is therefore imperative that a deny statement meant for a particular packet type is placed before any permit statement that would also match it. A good rule of thumb is to place specific entries before general ones.
· Every access list ends with an implicit deny all; this means that if a packet does not match any of the criteria you have set it will be discarded automatically. This can cause you serious problems if you place an access list denying traffic on a remote router only to find you have locked yourself out, so always finish with an explicit permit for the traffic you still need.
· Place the most frequently matched criteria at the top of your access list, subject to the ordering rule above; this saves on processing overhead and makes your list more efficient.
· Check your access list before entering it. A numbered list created with the access-list command cannot be edited in place: a new line is always appended to the end, and to change anything you must delete the whole list with no access-list and re-enter it. The exception is a named access list (or, on newer IOS releases, a numbered list edited through ip access-list), which allows you to delete or insert individual lines.
· When placing extended access lists, place them close to the source, so that unwanted traffic is dropped before it crosses the network.
· When placing standard access lists, place them close to the destination, because they can only match on source and would otherwise also block that source from reaching destinations it should be allowed to reach.
· Only one access list per protocol, per direction, per interface is allowed (so an interface can carry one inbound and one outbound IP list).
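To make the matching rules concrete, here is a small simulator, added as an example (it is not IOS code and its function names are its own). It parses only the subset of syntax used on this page and evaluates constructed packets exactly as the rules above describe: top to bottom, first match decides, implicit deny at the end. It re-uses the Telnet example from the extended access list section and adds three constructed lists: the same two entries in the wrong order, a deny-only list that locks everyone out, and an established entry.

```python
"""A small simulator of Cisco IOS numbered access-list semantics, added here as
an example; it is not IOS code and the function names are its own.  It parses
only the subset of syntax used on this page (standard lists 1-99, extended
lists 100-199, any / host / address-wildcard, one port operator after the
destination, established, log) and applies the rules above: entries are tested
top to bottom, the first match decides, and a packet that matches nothing hits
the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80}   # IOS accepts these names for numbers


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (a bare address, which IOS
    treats as wildcard 0.0.0.0) and return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return to_int(tokens[1]), 0, tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return to_int(tokens[0]), to_int(tokens[1]), tokens[2:]
    return to_int(tokens[0]), 0, tokens[1:]


@dataclass
class Entry:
    action: str                    # permit or deny
    proto: str                     # ip matches every protocol; else tcp/udp/icmp
    src: Tuple[int, int]           # (address, wildcard)
    dst: Tuple[int, int]
    op: Optional[str] = None       # eq/neq/lt/gt applied to the destination port
    port: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ack: bool = False              # ACK or RST set: a reply in an existing TCP session


def parse_entry(line: str) -> Entry:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99:                                   # standard: source only
        base, wc, rest = parse_addr(rest)
        entry = Entry(action, "ip", (base, wc), (0, ALL_ONES))
    elif 100 <= number <= 199:                              # extended
        proto, rest = rest[0], rest[1:]
        sb, sw, rest = parse_addr(rest)
        db, dw, rest = parse_addr(rest)
        entry = Entry(action, proto, (sb, sw), (db, dw))
    else:
        raise ValueError("unsupported list number in: " + line)
    while rest:                                             # trailing keywords
        word = rest.pop(0)
        if word in ("eq", "neq", "lt", "gt"):
            port = rest.pop(0)
            entry.op, entry.port = word, PORT_NAMES[port] if port in PORT_NAMES else int(port)
        elif word == "established":
            entry.established = True
        elif word == "log":
            pass                                            # logging never changes the verdict
        else:
            raise ValueError("unsupported keyword %r in: %s" % (word, line))
    return entry


def addr_match(addr: str, spec: Tuple[int, int]) -> bool:
    base, wildcard = spec
    care = ~wildcard & ALL_ONES                             # 0 bits in the wildcard must match
    return (to_int(addr) & care) == (base & care)


def entry_match(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_match(p.src, e.src) and addr_match(p.dst, e.dst)):
        return False
    if e.op is not None:
        tests = {"eq": p.dport == e.port, "neq": p.dport != e.port,
                 "lt": p.dport < e.port, "gt": p.dport > e.port}
        if not tests[e.op]:
            return False
    return not e.established or (p.proto == "tcp" and p.ack)


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; return (verdict, index of the deciding entry).
    An index of None means nothing matched and the implicit deny applied."""
    for i, e in enumerate(acl):
        if entry_match(e, p):
            return e.action, i
    return "deny", None


def build(*lines: str) -> List[Entry]:
    return [parse_entry(line) for line in lines]


# The extended example from this page: block Telnet from 192.168.7.0/24, allow the rest.
ACL_111 = build("access-list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23",
                "access-list 111 permit ip any any")
# Constructed: the same two entries in the wrong order; the permit matches first, so the deny is dead.
ACL_112 = build("access-list 112 permit ip any any",
                "access-list 112 deny tcp 192.168.7.0 0.0.0.255 any eq telnet")
# Constructed: a list that only denies; every other source falls through to the implicit deny.
ACL_10 = build("access-list 10 deny 192.168.7.0 0.0.0.255")
# Constructed: replies to sessions started from inside are allowed in, new connections are not.
ACL_120 = build("access-list 120 permit tcp any 192.168.7.0 0.0.0.255 established")

if __name__ == "__main__":
    print("111, telnet from inside:", evaluate(ACL_111, Packet("192.168.7.10", "10.0.0.5", dport=23)))
    print("112, telnet from inside:", evaluate(ACL_112, Packet("192.168.7.10", "10.0.0.5", dport=23)))
    print("10, other source:", evaluate(ACL_10, Packet("10.1.1.1", "10.0.0.5")))
    print("120, new SYN from outside:", evaluate(ACL_120, Packet("10.0.0.5", "192.168.7.10", dport=23)))
```

Running it shows the two mistakes the rules warn about: list 112 returns permit for the very traffic it was meant to block, and list 10 returns ("deny", None) for every address it does not name, which is the lock-out case. The established entry also makes the caveat from the parameter list visible: flip ack to True on the outside packet and it is permitted, whether or not a real session exists.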
Other IP Access List Commands:
To remove an IP access list you use the following command in global configuration mode:
no access-list [number]
Parameters:
· no – indicates the following is no longer required
· access-list – specifies an access list
· [number] – specifies the access list number
Note* remove the list from its interfaces first. Deleting a list leaves any ip access-group reference to it in place, and an interface whose referenced list does not exist permits all traffic.
To remove an IP access list from an interface use the
following command in interface configuration mode:
no ip access-group [number] [in/out]
To verify access list operations the following commands are
useful:
router# show ip interface
The output from this command will show what access lists are
configured against one or more interfaces.
router# show access-lists
The output from this command will list all access lists configured on the router, with a match counter per entry, or only the list specified if you add an access list number or name. The counters are the quickest way to confirm that an entry is actually being hit.
Access Lists and Debugging:
It is possible to combine an access list with the debug ip packet command. Why would you want to do this? Imagine a scenario where you want to examine packets flowing between two hosts: create an access list that matches only that flow and then issue the following command:
router# debug ip packet X [detail]
- X = the number of the access list you are referencing
- detail = keyword to provide detailed logging information
Caution: debug commands consume CPU and can bring a router to a halt, so be selective (always reference an access list) and turn debugging off as soon as you have what you need with undebug all. Note also that debug ip packet only shows packets that are process-switched; fast-switched or CEF-switched traffic will not appear in the output.