Access-list
 

[Diagram: access-list-example]

There are two types of access-list, plus a named form:

  1. Standard
  2. Extended
  3. Named (not a new type; think of it as the editable version of a standard or extended list)

Facts about access-lists

  • An access-list is a sequence of permit or deny statements; each statement is one line.
  • Each line has a sequence number, by default 10, 20, 30 and so on.
  • Each line you add takes the next sequence number and goes to the end of the list.
  • Matching starts at line 1, then line 2, line 3 and so on.
  • It works like an if/else chain: if the first line matches, apply its action; else go to the next line.
  • On the first match the action is applied and evaluation stops; the lines after it are never consulted.
  • There is an implicit deny at the end of every access-list, so a list containing only deny statements blocks everything.
  • Named mode lets you insert statements in the middle of a list.
  • Tip: put the most specific statements at the top.
  • An interface access-list filters traffic passing through the router; traffic the router itself originates is not filtered by it.
  • A list has no effect until you apply it.
  • Use ip access-group to apply a list to an interface, access-class to apply it to the VTY lines (Telnet/SSH sessions to the router).

You can apply only one access-list inbound and one outbound per interface (per protocol).

Inbound means traffic entering the interface, outbound means traffic leaving it.


Standard access-list

 

  • Matches only on the source address.
  • Number range: 1-99, or the expanded range 1300-1999.
  • Cannot be edited in place in classic numbered mode: you can append a line, but to remove one you have to delete the whole access-list and enter it again (keep a copy in a text editor). Named mode, below, removes this limitation.
  • Applied as close as possible to the destination:
    • Look at the diagram and imagine you put a standard access-list on R1 to stop a computer in Accounting from reaching Sales. Since the list only sees the source address, you end up blocking that IP from going anywhere.
    • To avoid that, put it on R2 f0/0 outbound.

declaration

R1(config)#access-list 20 permit any (permit any source IP)
R1(config)#access-list 20 permit 0.0.0.0 255.255.255.255 (permit any source IP)
Both mean the same thing.
R1(config)#access-list 20 deny host 172.16.0.2 (deny the source IP 172.16.0.2)
R1(config)#access-list 20 deny 172.16.0.2 (deny the source IP 172.16.0.2)
R1(config)#access-list 20 deny 172.16.0.2 0.0.0.0 (deny the source IP 172.16.0.2)
All three mean the same thing.
R1(config)#access-list 20 permit 172.16.0.2 0.0.0.255 (permit the network 172.16.0.0/24: the bits covered by the wildcard are ignored, so the host part of 172.16.0.2 does not matter)

applying

R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 20 out (or in)


Extended access-list

 

  • Matches on
    • the protocol (ip, tcp, udp, ...)
    • source IP address
    • destination IP address, plus port numbers for TCP and UDP
  • Number range: 100-199, or the expanded range 2000-2699.
  • Editing has the same limitation as the standard type.
  • Applied as close as possible to the source
    • because the list can match on the destination as well, there is no reason to let traffic cross the whole network only to be dropped at the far end; that would waste bandwidth.

declaration

R10(config)#access-list 110 permit ip any any
R10(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Both are the same, and both appear in the running config as permit ip any any:
permit any IP traffic from any source to any destination.
R10(config)#access-list 110 deny ip 172.16.64.0 0.0.31.255 172.16.96.0 0.0.31.255
this blocks the 172.16.64.0/19 network (Sales) from reaching 172.16.96.0/19 (Accounting).
R10(config)#access-list 110 deny tcp any host 172.16.50.5 eq 80
deny any TCP traffic to port 80 (HTTP) on host 172.16.50.5 (the web server).

applying

R10(config)#interface fastethernet 0/1
R10(config-if)#ip access-group 110 out (or in)

Named ACL

 

Well, as you can see: 110 and 20. Imagine a company with a lot of access-lists; that becomes a nightmare: what was 110 for? That's where named access-lists come in.

  • It's the same as before, but instead of a number you give the access-list a name (a number is also a valid name).
  • To use this mode, put ip in front of access-list.
  • A named list can be edited: you can remove a single line or insert a line between existing ones.
  • You can also open an existing numbered access-list in this mode, so a numbered ACL can be edited like a named one:
    • example: for standard list 19, R1(config)#ip access-list standard 19 ... then add and remove what you like.
    • in the running config it will still appear as access-list, not ip access-list.

R10(config)#ip access-list standard BlockSales
R10(config-std-nacl)#

and when applying

R10(config-if)#ip access-group BlockSales out (or in)

Very easy to understand what this ACL does from its name.


approaches with access-lists

  1. Permit what should be permitted and deny everything else.
    • (Much better, but harder, since you have to know every range you are going to use.)
  2. Deny what should be denied and permit everything else.
  3. In between are the edits, such as permitting one host on a denied network by inserting the permit before the deny.

 


Working with sequence numbers

  • Access-lists don't keep their sequence numbers across a reload the way prefix-lists do.
  • When you reboot the router the order of the lines stays the same, but the sequence numbers are reset to the default (10, 20, 30, ...).
  • You can change the starting number and the increment (in case the nine free slots between two lines are not enough).

example :

R10(config)#ip access-list standard Block-all
R10(config-std-nacl)#permit any (this gets seq 10; we are going to remove it below)
R10(config-std-nacl)#deny 172.16.64.0 0.0.31.255   (Sales) seq 20
R10(config-std-nacl)#deny 172.16.96.0 0.0.31.255   (Accounting) seq 30
R10(config-std-nacl)#no 10 (remove the line with seq 10)

R10(config)#do show ip access
Standard IP access list Block-all
 20 deny 172.16.64.0, wildcard bits 0.0.31.255
 30 deny 172.16.96.0, wildcard bits 0.0.31.255

Now, a week later, we want to add lines between the existing ones.

R10(config-std-nacl)#21 permit 172.16.96.1 0.0.0.0 (permit this host from Accounting)
R10(config-std-nacl)#22 deny 172.16.32.0 0.0.31.255 (Security)
R10(config-std-nacl)#permit 172.16.64.1 (permit this host from Sales; no number given, so it takes seq 40)

R10(config-std-nacl)#do show ip access-list
Standard IP access list Block-all
 21 permit 172.16.96.1 (wrong place ?)
 40 permit 172.16.64.1 (wrong place ?)
 20 deny 172.16.64.0, wildcard bits 0.0.31.255
 22 deny 172.16.32.0, wildcard bits 0.0.31.255
 30 deny 172.16.96.0, wildcard bits 0.0.31.255

About the "wrong" placement: IOS automatically moves host entries to the top of a standard access-list (standard lists only). Don't depend on that; use sequence numbers. Seq 22 went to the expected place because it is a network entry.

Reboot :

R10#show ip access-lists
Standard IP access list Block-all
 10 permit 172.16.96.1
 20 permit 172.16.64.1
 30 deny 172.16.64.0, wildcard bits 0.0.31.255
 40 deny 172.16.32.0, wildcard bits 0.0.31.255
 50 deny 172.16.96.0, wildcard bits 0.0.31.255

New sequence numbers, but the list is still in the same order.

Now, what if you can't reboot the router and you need more room between two lines than the default numbering leaves?

R10(config)#ip access-list resequence Block-all 30 20 (start at 30, increment by 20)
R10#show ip access-list 
Standard IP access list Block-all
 30 permit 172.16.96.1
 50 permit 172.16.64.1
 70 deny 172.16.64.0, wildcard bits 0.0.31.255
 90 deny 172.16.32.0, wildcard bits 0.0.31.255
 110 deny 172.16.96.0, wildcard bits 0.0.31.255

Even if you resequence with the same start and increment, it simply renumbers the lines, and you can start inserting what you want without rebooting.


Using the log option

R10(config-std-nacl)#deny any log
logs every packet that matches this line. Because the implicit deny is invisible (it has no line and no match counter in show ip access-lists), an explicit deny any log at the end of a list is the usual way to see what is being dropped.

Using remarks

  • Remarks are descriptions attached to the list with the remark keyword; they show up in the configuration but are never matched against traffic.

Goals implementation

Here is the diagram again so you don't have to scroll up.

[Diagram: access-list-example]

You can achieve this in many ways; I'll just go with what came to mind.

Let's use an extended access-list and put it close to the source, on f0/0. Create one access-list per router for the flow between VLANs and another for Telnet access.

R2(config)#ip access-list extended FlowRules
R2(config-ext-nacl)#deny ip any 172.16.64.0 0.0.31.255
R2(config-ext-nacl)#deny ip any 172.16.32.0 0.0.31.255
R2(config-ext-nacl)#deny tcp any any eq 80 443
R2(config-ext-nacl)#permit ip any any (without this the implicit deny would block everything else; it shows up as seq 40 in the overview)

telnetting list

R2(config)#ip access-list extended PreventTelnetting
R2(config-ext-nacl)#deny tcp 172.16.64.0 0.0.63.255 any eq 23
I denied both networks in one statement: the wildcard 0.0.63.255 covers 172.16.64.0 to 172.16.127.255, which is exactly Sales and Accounting together. The destination is any, so the statement is broader than a single target. Two things to keep in mind: applied with access-class, this list only governs Telnet sessions to R2's own VTY lines, not Telnet passing through the router; and since the list has no permit statement, the implicit deny refuses every other VTY connection as well, including the administrator's, unless a permit is added.

applying them

R2(config)#interface fastethernet 0/0
R2(config-if)#ip access-group FlowRules in

R2(config)#line vty 0 15
R2(config-line)#access-class PreventTelnetting in

overview

R2#show ip access-list
Extended IP access list FlowRules
 10 deny ip any 172.16.64.0 0.0.31.255
 20 deny ip any 172.16.32.0 0.0.31.255
 30 deny tcp any any eq www 443
 40 permit ip any any
Extended IP access list PreventTelnetting
 10 deny tcp 172.16.64.0 0.0.63.255 any eq telnet
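To see these rules actually decide something, here is an added example (my own Python, not code from the original page or from Cisco) that models how IOS walks an access-list: wildcard-mask matching, top-down first match, and the implicit deny at the end. It replays the Block-all, FlowRules and PreventTelnetting lists from this page against constructed packets whose addresses I picked inside the page's ranges, and shows why the permit for 172.16.96.1 has to sit above the deny for 172.16.96.0/19 (the "wrong place?" question in the sequence-number section) and that PreventTelnetting as written refuses every VTY connection. The parser accepts only the subset of IOS syntax used on this page.

```python
"""Model of how IOS walks an access-list: wildcard-mask matching, top-down
first match, and the implicit deny at the end of every list.  Added example,
not Cisco code; it parses only the subset of IOS ACL syntax used on this page
(addresses are 'any', 'host X', 'X W' or, in standard lists, a bare 'X')."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")        # 'any' == 0.0.0.0 255.255.255.255

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must agree."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) ^ _ip(base)) & care == 0

def _take_addr(toks):
    """Consume one address spec from the front of the token list."""
    t = toks.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return toks.pop(0), "0.0.0.0"
    if toks and toks[0].count(".") == 3:     # next token is a dotted quad: 'X W'
        return t, toks.pop(0)
    return t, "0.0.0.0"                      # bare 'X' == host X

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                        # "ip", "tcp" or "udp"
    dport: int = 0                           # 0 == no port (not TCP/UDP)

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: tuple
    dst: tuple
    dports: frozenset                        # empty == any destination port

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        return not self.dports or p.dport in self.dports

def parse_ace(seq, line, kind):
    """kind: 'standard' (source only) or 'extended' (proto src dst [eq ports])."""
    toks = [t for t in line.split() if t != "log"]   # 'log' never affects the match
    action = toks.pop(0)
    if kind == "standard":
        proto, src, dst = "ip", _take_addr(toks), ANY
    else:
        proto = toks.pop(0)
        src, dst = _take_addr(toks), _take_addr(toks)
    ports = frozenset()
    if toks[:1] == ["eq"]:                   # 'eq www 443': destination ports
        ports = frozenset(PORT_NAMES[t] if t in PORT_NAMES else int(t) for t in toks[1:])
    return Ace(seq, action, proto, src, dst, ports)

class AccessList:
    def __init__(self, name, kind, lines):
        self.name, self.kind = name, kind
        self.aces = sorted((parse_ace(s, l, kind) for s, l in lines), key=lambda a: a.seq)

    def evaluate(self, p):
        """Top-down, first match wins -> (action, seq); seq None is the implicit deny."""
        for ace in self.aces:
            if ace.matches(p):
                return ace.action, ace.seq
        return "deny", None

# The page's lists: Block-all as shown after the reload, the two extended lists as in
# the overview.  Packet addresses used below are constructed inside the page's ranges
# (Sales 172.16.64.0/19, Accounting 172.16.96.0/19, Security 172.16.32.0/19).
BLOCK_ALL = AccessList("Block-all", "standard", [
    (10, "permit 172.16.96.1"), (20, "permit 172.16.64.1"),
    (30, "deny 172.16.64.0 0.0.31.255"), (40, "deny 172.16.32.0 0.0.31.255"),
    (50, "deny 172.16.96.0 0.0.31.255")])
# Same host permit, but appended after the network deny instead of inserted above it.
BLOCK_ALL_APPENDED = AccessList("Block-all", "standard", [
    (50, "deny 172.16.96.0 0.0.31.255"), (60, "permit 172.16.96.1")])
FLOW_RULES = AccessList("FlowRules", "extended", [
    (10, "deny ip any 172.16.64.0 0.0.31.255"), (20, "deny ip any 172.16.32.0 0.0.31.255"),
    (30, "deny tcp any any eq www 443"), (40, "permit ip any any")])
PREVENT_TELNETTING = AccessList("PreventTelnetting", "extended", [
    (10, "deny tcp 172.16.64.0 0.0.63.255 any eq telnet")])

if __name__ == "__main__":
    print(BLOCK_ALL.evaluate(Packet("172.16.96.1", "172.16.64.5")))           # ('permit', 10)
    print(BLOCK_ALL_APPENDED.evaluate(Packet("172.16.96.1", "172.16.64.5")))  # ('deny', 50): seq 60 never reached
    print(FLOW_RULES.evaluate(Packet("172.16.96.5", "172.16.5.80", "tcp", 443)))          # ('deny', 30)
    print(PREVENT_TELNETTING.evaluate(Packet("172.16.40.2", "172.16.1.1", "tcp", 23)))   # ('deny', None): implicit deny
```

Compare the seq the model reports with the numbers in the show ip access-lists output above; a seq of None is the implicit deny, which has no line and no counter in the real show output, which is why an explicit deny any log at the end of a list is worth having.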