- Nov 20, 1999
- 22,994
- 780
- 126
I remember someone here a week or so ago (I think it was here) who asked for some good info on how access lists worked:
"Access Lists
Access Lists are a method of implementing some level of security on your
network. They essentially work as filters, inspecting traffic as it enters or exits an
interface. You may, for instance, choose to inspect traffic originating from a
particular IP address and only allow the router to pass that traffic if it is destined for
a specific server. For the CCNA exam you need to be familiar with IP Access
Lists and IPX Access Lists. Though there are other types of access lists, this
document will only focus on these.
Access List Fundamentals
Each router can have many access lists. It can have numerous access lists of the
same type even. The access lists are not created for a specific interface. Rather
they are independent of the interfaces. After they have been created, however, you
assign an access list to a particular interface, thus placing the access list into
operation.
As mentioned, there are many types of access lists that can be created and you
can have many access lists of each type. The router keeps track of these access
lists by allowing each to be assigned a number. You get to pick the number, but
the number also defines the type of access list you create. So, to create a
particular type of access list, such as a standard IP access list, you simply assign
a number within a given range that the router has set aside for that particular type.
The table below lists each type of access list and the range you can use when
assigning a number.
Range        Type
1-99         Standard IP
100-199      Extended IP
200-299      Protocol type-code
300-399      DECnet
600-699      Appletalk
700-799      Standard 48-bit MAC Address
800-899      Standard IPX
900-999      Extended IPX
1000-1099    IPX SAP
1100-1199    Extended 48-bit MAC Address
1200-1299    IPX Summary Address
When an access list is assigned to an interface it is specified as either an inbound
filter or an outbound filter. This can often lead to confusion because it is easy to
think of the filters from the perspective of the interface (is the packet coming into
the interface or exiting the interface). This is the thinking, though, that causes the
confusion. To understand this correctly, you must think of access lists from the
perspective of the router (is the packet entering the router from the network, or is
the packet exiting the router to the network).
An inbound access list then is one that filters packets entering the router from the
network. Conversely, an outbound access list is one that filters packets as they
exit the router onto the network.
Looking at the figure above, consider that Mr. Router Cop is monitoring all traffic.
An access list assigned as an inbound filter on interface e0 would cause Mr.
Router Cop to inspect all traffic originating from segment A into the router. On the
other hand, an outbound filter assigned to e0 would cause Mr. Router Cop to
examine all traffic destined for Segment A as it leaves the router.
When you define an access list you tell Mr. Router Cop to either permit a packet to
pass the interface or deny a packet from passing an interface. Each access list
can have a variety of criteria that it examines. For instance, one access list may
filter for all traffic coming from Bob as well as for all traffic coming from Alice. Mr.
Router Cop compares the packet against each criterion, starting from the top of the
list and working down. As soon as a match is found, Mr. Router Cop either allows
the packet to pass or discards the packet, depending on the configuration of the
list. All access-lists have an implicit DENY at the end of the list. Therefore if a
packet isn't matched with any of the preceding criteria the packet will be
discarded.
So now that we understand what an access list is and how it gets applied to an
interface, let's look at how we actually create and implement access lists.
Standard IP Access Lists
We'll begin by first examining how you create a Standard IP Access List. All
access lists are created while in configuration mode. You'll then use the command
access-list to configure the list. The syntax for defining a Standard IP Access List
is as follows:
access-list {number from 1-99} {permit|deny} {source [mask]}
As you can see, the Standard Access List is pretty basic. It simply looks at the
source address of each packet and either allows it to pass the interface or
discards it. The mask is optional. We'll discuss that in a moment, for now though,
let's just ignore it.
Again using the graphic above, let's say you want traffic to enter Segment B
only if it is coming from your administrative workstation (let's give it the address of
10.1.0.50) located on Segment A. You might create an access list as follows:
access-list 1 permit 10.1.0.50
This is really all that is required in the access list. We have decided to PERMIT
traffic coming from your IP address, 10.1.0.50. We can leave it at that since we
want all other traffic blocked; the implicit DENY will take care of the rest.
Where might we assign this list though? What would happen if we assigned it as
an INBOUND filter on interface e0? This would cause Mr. Router Cop to look at all
packets coming from Segment A into the router. This wouldn't work for our access
list because it would result in blocking traffic going to segment C as well as
Segment B. In addition it would not inspect traffic originating from segment C
destined for segment B. Remember, we don't want any traffic to reach segment B
unless it comes from 10.1.0.50.
What we need to do is assign the list as an OUTBOUND filter on interface e1. This
will cause Mr. Router Cop to inspect all packets attempting to reach segment B,
regardless of origin.
Let's take a look at how we assign this access list to the interface. You'll first need
to enter configuration mode (e.g. config t) and then choose the appropriate
interface (e.g. int e1). You then use the following syntax to assign the access list:
ip access-group {access list number} {in|out}
So, for our access list we would do the following:
ip access-group 1 out
That's it. Your standard IP access list is now operational.
Now remember, we said we would discuss the mask portion of the syntax. I'm
going to make the assumption here that you already understand subnet masking
pretty well. This "mask" really doesn't have anything to do with subnets per se, but
it works in a similar manner. The mask is composed of a 32-bit binary number, but
like a subnet mask it is divided into 4 octets and written in decimal. Here the 1 bits
define insignificant bits. In other words, when Mr. Router Cop examines the source
address, he'll only look at those bits that correspond to zeros in the mask. If the
mask is omitted, it is assumed to be 0.0.0.0. In other words, all bits are significant
and a precise match will be required for the entry to be acted upon.
So, let's say that instead of allowing just your workstation at 10.1.0.50 through to
segment 2, you wanted to allow the entire subnet. In this case, you want everything
in the 10.1.0.0 subnet to be allowed. You could create an access list that permitted
each computer individually but that would be rather cumbersome and would mean
that you needed to update your access list each time a new computer was added
to the network. Instead, you use a mask. Consider the following example:
access-list 1 permit 10.1.0.0 0.0.255.255
This list will now allow any traffic to cross the interface as long as it begins with
10.1. Mr. Router Cop won't care what the last two octets are.
Now suppose you wanted to do just the opposite. You want to allow any access
except from 10.1.0.0. It's clear we want to deny 10.1.0.0, but how do we allow all
others? Remember, there is an implied deny at the end of the list. Fortunately
there is a special keyword "any" that is essentially like specifying a mask of
255.255.255.255. It is used in place of both the source address and the mask and
essentially means that none of the bits really matter. For instance:
access-list 1 deny 10.1.0.0 0.0.255.255
access-list 1 permit any
access-list 1 deny any
In this example, Mr. Router Cop will first check a packet against the first entry. If the
packet came from 10.1.x.x it will be discarded. Otherwise it will be checked
against the second entry. All remaining packets will match and will therefore be
passed. The third entry isn't really necessary; it is in effect the implicit deny that all
lists have. I included it here simply for illustrative purposes.
Extended IP Access Lists
Now that you understand Standard IP Access Lists, the other types should not be too
difficult to understand. An Extended IP Access list is simply a finer filter. The syntax is as
follows:
access-list {number from 100-199} {permit|deny} {protocol} {source [mask]} {destination [mask]} {match type} {port}
Here's an explanation of each component of the syntax:
As with standard access lists, a number to identify the list.
Permit or Deny, again, as in standard access lists.
Protocol refers to the IP protocol number. You can also specify some protocols by
name, for instance EIGRP, ICMP, IGMP, IGRP, IP (would be like specifying any IP
protocol), TCP, UDP. There are others; typing a "?" after permit or deny should
display the full list.
Source is pretty much the same as in a standard access list though you may see the
word "host" in front of the IP address indicating this is for a specific host. Basically the
same thing as a mask of 0.0.0.0. You may also see the keyword "any" which, like in a
standard access list, is the same as a mask of 255.255.255.255.
Destination refers to the destination IP address. It otherwise works just like the source,
allowing an optional mask or the keyword "any".
Match Type and Port work together and are both optional. If desired you can filter
traffic down to the port level. The Match Type refers to how the match will be made.
For instance, "eq" looks for matches equal to a specific port number, "lt" looks for
matches less than the port number, "gt" looks for matches greater than the port number,
"range" allows a range of port numbers to be specified, etc. The complete list can be
obtained by entering a "?" at this point and pressing [RETURN].
Port number is the port number that goes with the Match Type. It can be listed as any
specific port from 0 - 65535 or a range of ports. There are several well known ports
that can be entered by name, such as "domain" for DNS, "ftp", "gopher", "lpd", "nntp",
"pop3", "telnet", "www", etc. Again, use "?" for the full list.
Here's an example extended access list entry that allows only world wide web traffic to reach
a destination on segment C.
access-list 101 permit tcp any 10.3.0.25 eq www
Standard IPX Access Lists
A Standard IPX Access List filters on source and destination IPX addresses. The syntax is as
follows:
access-list {800-899} {permit|deny} {source} {destination}
By this point it hopefully isn't necessary to go into detail. However, it is worth noting that
masks aren't necessary with IPX. IPX addresses have a consistent division between network
and host addresses, so if you want to filter an entire network you simply enter the network
address. Also, the IPX access lists don't use the "any" keyword; instead you use a "-1" (don't
you sometimes wonder why IOS is often so inconsistent?). Consider the following example:
access-list 801 deny 23 43
access-list 801 permit -1 -1
This access list denies traffic from network 23 destined for network 43 but permits all other
traffic.
Extended IPX Access Lists
Extended IPX Access Lists are just like standard IPX access lists except they also allow you
to specify a specific IPX protocol and an IPX socket. The syntax is as follows:
access-list {900-999} {permit|deny} {source} {destination} {protocol} {socket}
Protocol Type would be NCP, RIP, SAP, SPX, NetBIOS, or "any". The socket number is
similar to a port in TCP or UDP. However, unlike TCP or UDP, sockets don't designate a
particular service so it isn't often used. One additional feature of extended IPX lists is their
ability to allow masks. This can't be done with standard access lists. The masks here look a
little different from IP masks simply because of the convention of writing IPX addresses in
HEX. Otherwise they work the same.
access-list 901 deny any 100 000000FF
This access list denies all traffic from any source destined for destination networks 100, 101,
110, and 111. This may be a bit clearer if the optional leading zeros are placed in the
source:
access-list 901 deny any 00000100 000000FF
Essentially, all networks beginning "000001" will match the filter. The "F" (all binary 1's in
HEX) tells Mr. Router Cop which digits to ignore, in this case the last two.
IPX SAP Access Lists
This brings us to the final portion of this document. I won't detail SAP here; you should
already be familiar with SAP and how and why it is used. I will simply point out that these
filters are used to control how SAP updates are distributed in your network and allow you to
specify which SAP services you will allow or disallow to be included in outgoing or incoming
SAP updates. Here is the basic syntax for entering a SAP filter:
access-list {number from 1000-1099} {permit|deny} {source} {service type}"
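The matching rules the quoted document describes (wildcard mask, "host"/"any", first match wins, the implicit deny, and inbound versus outbound placement) as an added Python model; this is example code written for this page, not part of the original post or of IOS itself. It assumes interface names e0/e1/e2 for segments A/B/C as in the post's figure, and the sample packets are constructed.

```python
# Added example (not from the original post): a Python model of how the post says
# a numbered IOS IP access list is evaluated: wildcard masks (1 bits are "don't
# care"), "host"/"any", first match wins, the implicit deny, and which packets a
# list applied "in" or "out" on an interface sees. Interface names are assumed.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "gopher": 70,   # the names
              "www": 80, "pop3": 110, "nntp": 119, "lpd": 515}       # the post lists

def wildcard_match(packet_ip, list_ip, wildcard):
    """Compare only the bits that are 0 in the wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == \
        (int(ipaddress.IPv4Address(list_ip)) & care)

def parse_address(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'. A following dotted
    quad is read as the wildcard; an omitted mask means 0.0.0.0 (exact match)."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    addr, rest, wildcard = toks[0], toks[1:], "0.0.0.0"
    if rest and rest[0].count(".") == 3 and rest[0].replace(".", "").isdigit():
        wildcard, rest = rest[0], rest[1:]
    return (addr, wildcard), rest

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    src: tuple             # (address, wildcard)
    protocol: str = None   # None for a standard list
    dst: tuple = None
    port_op: str = None    # eq / neq / lt / gt
    port: int = None

def parse_entry(line):
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(toks[1]), toks[2], toks[3:]
    if 1 <= number <= 99:                       # standard IP: source only
        return Entry(action, parse_address(rest)[0])
    if 100 <= number <= 199:                    # extended IP
        proto, rest = rest[0], rest[1:]
        src, rest = parse_address(rest)
        dst, rest = parse_address(rest)
        e = Entry(action, src, proto, dst)
        if rest:                                # e.g. "eq www"
            e.port_op, e.port = rest[0], PORT_NAMES.get(rest[1]) or int(rest[1])
        return e
    raise ValueError("only IP access lists (1-199) are modelled here")

def entry_matches(e, pkt):
    if not wildcard_match(pkt["src"], *e.src):
        return False
    if e.protocol is None:                      # standard list: source only
        return True
    ok = e.protocol in ("ip", pkt.get("proto")) and wildcard_match(pkt["dst"], *e.dst)
    if not ok or e.port_op is None:
        return ok
    p = pkt.get("dport")
    return p is not None and {"eq": p == e.port, "neq": p != e.port,
                              "lt": p < e.port, "gt": p > e.port}[e.port_op]

def evaluate(acl, pkt):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for i, line in enumerate(acl):
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e.action, i
    return "deny", None

def forward(pkt, ingress, egress, acls):
    """acls maps (interface, "in"|"out") to a list; a packet meets the inbound
    list where it enters the router and the outbound list where it leaves."""
    for key in ((ingress, "in"), (egress, "out")):
        if key in acls and evaluate(acls[key], pkt)[0] == "deny":
            return "dropped by %s %s" % key
    return "forwarded"
```

Running the post's `access-list 1` as `("e0", "in")` instead of `("e1", "out")` shows the misplacement the post warns about: A-to-C traffic is dropped and C-to-B traffic is never inspected.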
