Managing Ip Traffic With Access List

8/14/2019 Managing Ip Traffic With Access List

1/39

2002, Cisco Systems, Inc. All rights reserved. 1

Managing IP Traffic with

Access ListsModule 6


2/39

2002, Cisco Systems, Inc. All rights reserved. ICND v2.06-2

2002, Cisco Systems, Inc. All rights reserved. 2

Access Lists and Their

Applications


3/39


Manage IP traffic as network access grows

Filter packets as they pass through the router

Why Use Access Lists?


4/39


Permit or deny packets moving through the router.

Permit or deny vty access to or from the router.

Without access lists, all packets could be transmitted onto allparts of your network.

Access List Applications


5/39


Special handling for traffic based on packet tests

Other Access List Uses


6/39


Standard

Checks source address

Generally permits or denies entire protocol suite Extended

Checks source and destination address

Generally permits or denies specific protocols

Types of Access Lists


7/39 2002, Cisco Systems, Inc. All rights reserved. ICND v2.06-7

How to Identify Access Lists

Standard IP lists (1-99) test conditions of all IP packets fromsource addresses.

Extended IP lists (100-199) test conditions of source and destinationaddresses, specific TCP/IP protocols, and destination ports.

Standard IP lists (1300-1999) (expanded range).

Extended IP lists (2000-2699) (expanded range).

Other access list number ranges test conditions for other

networking protocols.



Testing Packets withStandard Access Lists



Testing Packets withExtended Access Lists



Outbound ACL Operation

If no access list statement matches, then discard the packet.



A List of Tests: Deny or Permit



0 means check value of corresponding address bit.

1 means ignore value of corresponding address bit.

Wildcard Bits: How to Check theCorresponding Address Bits



For example, 172.30.16.29 0.0.0.0 checks all theaddress bits.

Abbreviate this wildcard mask using the IP addresspreceded by the keyword host (host 172.30.16.29).

Check all the address bits (match all).

Verify an IP host address, for example:

Wildcard Bits to Match a Specific IPHost Address



Accept any address: any

Abbreviate the expression using thekeyword any.

Test conditions: Ignore all the address bits (match any).

An IP host address, for example:

Wildcard Bits to Match Any IP Address



Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24. Address and wildcard mask:

172.30.16.0 0.0.15.255

Wildcard Bits to Match IP Subnets



Summary

Access lists offer a powerful tool for network control.These lists add the flexibility to filter the packet flow intoor out of router interfaces. Such control can help limitnetwork traffic and restrict network use by certain users ordevices.

An IP access list is a sequential list of permit and denyconditions that apply to IP addresses or upper-layer IPprotocols. Access lists filter traffic going through therouter, but they do not filter traffic originated from the

router. Access lists are optional mechanisms in Cisco IOS

software that you can configure to filter or test packets todetermine whether to forward them to their destination ordiscard them.



Summary (Cont.)

Inbound access lists process incoming packets beforethey are routed to an outbound interface, whileoutbound access lists process packets to an outbound

interface. The Cisco IOS software executes access list statements

in sequential order, so the first statement is processed,then the next, and so on.

Address filtering occurs using access list addresswildcard masking to identify how to check or ignorecorresponding IP address bits.


18/39 2002, Cisco Systems, Inc. All rights reserved. ICND v2.06-18 2002, Cisco Systems, Inc. All rights reserved. 18

Configuring IP Access Lists



Access List Configuration Guidelines

Access list numbers indicate which protocol is filtered.

One access list per interface, per protocol, per directionis allowed.

The order of access list statements controls testing. Place the most restrictive statements at the top of list.

There is an implicit deny any statement as the last accesslist test. Every list needs at least one permit statement.

Create access lists before applying them to interfaces. Access lists filter traffic going through the router; they do

not apply to traffic originating from the router.



Step 1: Set parameters for this access list teststatement (which can be one of several statements).

Step 2: Enable an interface to use the specifiedaccess list.

Router(config-if)#{protocol} access-groupaccess-list-number{in | out}

Access List Command Overview

Standard IP lists (1-99)

Extended IP lists (100-199)

Standard IP lists (1300-1999) (expanded range)

Extended IP lists (2000-2699) (expanded range)

Router(config)#access-list access-list-number

{permit | deny} {test conditions}


21/39


Activates the list on an interface

Sets inbound or outbound testing

Default = outbound

no ip access-group access-list-number removes access list from

the interface

Router(config-if)#ip access-groupaccess-list-number {in | out}

Sets parameters for this list entry

IP standard access lists use 1 to 99

Default wildcard mask = 0.0.0.0

no access-list access-list-number removes entire access list

remark option lets you add a description for the access list

Router(config)#access-list access-list-number

{permit | deny | remark} source [mask]

Standard IP Access List Configuration


22/39


Permit my network only.

Standard IP Access ListExample 1


23/39


Deny a specific host.



24/39


Deny a specific subnet.



25/39


Router(config-if)#ip access-group access-list-number {in | out}

Extended IP Access List Configuration

Activates the extended list on an interface

Sets parameters for this list entry

Router(config)#access-list access-list-number{permit | deny}protocol source source-wildcard[operatorport] destination destination-wildcard[operator port][established] [log]


26/39


Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.

Permit all other traffic.

Extended Access ListExample 1


27/39


Deny only Telnet from subnet 172.16.4.0 out of E0.

Permit all other traffic.

Extended Access ListExample 2


28/39


Router(config)#ip access-list {standard | extended} name

Router(config {std- | ext-}nacl)#{permit | deny}

{ip access list test conditions}{permit | deny} {ip access list test conditions}no {permit | deny} {ip access list test conditions}

outer(config-if)#ip access-group name {in | out}

Using Named IP Access Lists

Alphanumeric name string must be unique.

Permit or deny statements have no prepended number.

no removes the specific test from the named access list.

Activates the IP named access list on an interface.


29/39


Five virtual terminal lines (0 through 4).

Filter addresses that can access into the routers

vty ports.

Filter vty access out from the router.

Filtering vty Access to a Router


30/39


How to Control vty Access

Set up an IP address filter with a standard access list

statement.

Use line configuration mode to filter access with the

access-class command.

Set identical restrictions on every vty.


31/39


Enters configuration mode for a vty or vty range

Restricts incoming or outgoing vty connections for

address in the access list

Router(config-line)#access-class access-list-number{in | out}

Router(config)#line vty {vty#| vty-range}

vty Commands


32/39


Permits only hosts in network 192.168.1.0 0.0.0.255 toconnect to the router vty

access-list 12 permit 192.168.1.0 0.0.0.255

(implicit deny all)!line vty 0 4access-class 12 in

Controlling Inbound Access

vty Access Example


33/39


Access List Configuration Principles

The order of access list statements is crucial.

Recommended: Use a text editor on a PC to create theaccess-list statements, then cut and paste them into therouter.

Top-down processing is important.

Place the more specific test statements first.

No reordering or removal of statements.

Use the no access-list number command to remove theentire access list.

Exception: Named access lists permit removal of individualstatements.

Implicit deny all will be applied to any packets that do notmatch any access-list statement.

Unless the access list ends with an explicit permit any

statement.


34/39


Place extended access lists close to the source.

Place standard access lists close to the destination.

Where to Place IP Access Lists


35/39


wg_ro_a#show ip interfaces e0Ethernet0 is up, line protocol is upInternet address is 10.1.1.11/24Broadcast address is 255.255.255.255Address determined by setup commandMTU is 1500 bytesHelper address is not set

Directed broadcast forwarding is disabled Outgoing access list is not setInbound access list is 1Proxy ARP is enabledSecurity level is defaultSplit horizon is enabledICMP redirects are always sentICMP unreachables are always sentICMP mask replies are never sentIP fast switching is enabledIP fast switching on the same interface is disabledIP Feature Fast switching turbo vectorIP multicast fast switching is enabledIP multicast distributed fast switching is disabled

Verifying Access Lists


36/39


Monitoring Access List Statements

wg_ro_a#show access-listsStandard IP access list 1

permit 10.2.2.1permit 10.3.3.1permit 10.4.4.1permit 10.5.5.1

Extended IP access list 101permit tcp host 10.22.22.1 any eq telnetpermit tcp host 10.33.33.1 any eq ftppermit tcp host 10.44.44.1 any eq ftp-data

wg_ro_a#show {protocol} access-list {access-list number}

wg_ro_a#show access-lists {access-list number}


37/39


Summary

Well-designed and implemented access lists will addan important security component to your network.

To configure standard IP access lists on a Ciscorouter, you will create a standard IP access list and

activate an access list on an interface.

Similarly, to configure extended IP access lists on aCisco router, you will create an extended IP accesslist range and activate an access list on an interface.

The named access list feature allows you to identifyIP standard and extended access lists with analphanumeric string (name) instead of the currentnumeric (1 to 199 and 1300 to 2699) representations.


38/39


Summary (Cont.)

For security purposes, you can deny Telnet accessto the router, or you can permit Telnet access to therouter but deny access to destinations from that

router. Restricting Telnet access is primarily atechnique for increasing network security.

Access lists are used to control traffic by filteringand eliminating unwanted packets. Proper placementof an access list statement can reduce unnecessarytraffic.

When you finish the access list configuration, youcan verify it using the show commands.


39/39

Documents

Managing Ip Traffic With Access List