Chapter 10

Access Lists

Objectives

• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Develop standard IPX access lists
• Create extended IPX access lists
• Define IPX SAP filters
• Apply access lists to interfaces
• Monitor and verify access lists

Access Lists: Usage and Rules

• Network traffic flow and security influence the design and management of computer networks

• Access lists solve many of the problems associated with these two tasks

• Access lists are permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet

Access List Usage

• Implicit deny any
  – Blocks all packets that do not meet the requirements of the access list

Figure 10-1: Sample network

Problems with Access Lists

• One of the most common problems associated with access lists is a lack of planning

• Another troublesome area is the sequential nature in which you must enter the list into the router

• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list, because the list takes effect immediately and can cut off the very session they are working from

Access List Rules

Figure 10-2: No access-list command

Access List Rules

• Inbound
  – Direction parameter used when applying an access list
  – Direction is into the router
• Outbound
  – Direction parameter used when applying an access list
  – Direction is out of the router

Access List Rules

Figure 10-3: The man in the router

Access List Rules

• Routers apply lists sequentially in the order in which you type them into the router

• Routers apply lists to packets sequentially

• A packet is compared against the statements only until the first match is made; it is then acted upon according to the criteria in that access list statement

Access List Rules

• Lists always end with an implicit deny

• Access lists must be applied to an interface as either inbound or outbound traffic filters

• Only one list, per protocol, per direction can be applied to an interface

• Access lists are effective as soon as they are applied

Standard IP Access Lists

• Standard IP access lists
  – Filter network traffic based on the source IP address only
  – Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address
• Wildcard mask
  – Also called inverse mask
  – Applied to IP addresses to determine if an access list line will act upon a packet

Standard IP Access Lists

Table 10-1: Wildcard mask examples

Standard IP Access Lists

Figure 10-4: Wildcard masking example matching a single host

Standard IP Access Lists

Figure 10-5: Wildcard masking example matching a complete subnet

Standard IP Access Lists

• Partial masking
  – When an octet in a wildcard mask contains a mix of binary 1s and 0s

Figure 10-6: Wildcard masking example using partial masking
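To make the wildcard-mask, sequential-match and implicit-deny rules from the slides above concrete, here is an added example (not from the original chapter) that models how a standard IP access list is evaluated against a packet's source address. The addresses, list contents and list numbers are constructed for illustration.

```python
"""Added example (not from the original slides): a small model of how a
standard IP access list is evaluated. Addresses and list entries below
are constructed for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    source: str     # dotted-quad source address of the statement
    wildcard: str   # wildcard (inverse) mask: 0 bits must match, 1 bits are ignored


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: a 0 bit means 'this
    bit of the packet address must equal the statement address', a 1 bit
    means 'do not care'. The statement matches when every cared-about bit
    is identical. Partial masking (an octet mixing 1s and 0s) needs no
    special case because the comparison is done bit by bit."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (s & care)


def evaluate(acl: List[AclEntry], src_addr: str) -> str:
    """Statements are tested in the order they were entered; the first match
    decides, and a packet that matches nothing hits the implicit deny."""
    for entry in acl:
        if wildcard_match(src_addr, entry.source, entry.wildcard):
            return entry.action
    return "deny"   # implicit 'deny any' at the end of every list


# Constructed list: a single host, a whole /24, and a partially masked block.
ACL_1 = [
    AclEntry("deny",   "192.168.1.10", "0.0.0.0"),    # one host (same as 'host')
    AclEntry("permit", "192.168.1.0",  "0.0.0.255"),  # all of 192.168.1.0/24
    AclEntry("permit", "10.0.0.16",    "0.0.0.15"),   # partial mask: 10.0.0.16-31
]

# Same statements entered in a different order: the /24 permit now shadows
# the host deny, so 192.168.1.10 is never denied. Order is part of the policy.
ACL_1_REORDERED = [ACL_1[1], ACL_1[0], ACL_1[2]]

if __name__ == "__main__":
    for pkt in ["192.168.1.10", "192.168.1.77", "10.0.0.20", "10.0.0.40", "172.16.5.1"]:
        print(f"{pkt:>14} -> {evaluate(ACL_1, pkt)}")
```

Running the block shows 172.16.5.1 and 10.0.0.40 denied even though no statement names them, which is the implicit deny doing its work.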

Standard IP Access Lists

Figure 10-7: Wildcard masking example without match

Standard IP Access List Examples

Figure 10-8: Sample IP network

Standard IP Access List Examples

Figure 10-9: Creating a standard IP access list

Standard IP Access List Examples

Figure 10-10: Sample IP network with two Ethernet interfaces on RouterB

Standard IP Access List Examples

Figure 10-11: Show access-lists and show ip access-lists commands

Standard IP Access List Examples

Figure 10-12: Show ip interface command

Standard IP Access List Examples

Figure 10-13: Removing an ip access list from an interface

Standard IP Access List Examples

Figure 10-14: Show ip interface after removal of access list 1 from e0

Standard IP Access List Examples

Figure 10-15: Creation and application of standard IP access list

Standard IP Access List Examples

Figure 10-16: Show access-list and show ip interface commands

Standard IP Access List Examples

Figure 10-17: Access list that blocks multiple subnets

Monitoring Standard IP Access Lists

• Three main commands are available for monitoring access lists on your router:
  – show access-lists
  – show ip access-lists
  – show interfaces or show ip interfaces

• It is a good idea to run each of these commands after creating and applying access lists

Extended IP Access Lists

• IP access lists that filter traffic by:
  – Source IP address
  – Destination IP address
  – Protocol type
  – Port number

Extended IP Access List Examples

Figure 10-18: Sample IP network with a Web server

Extended IP Access List Examples

• Unlike standard IP access lists, extended access lists do not have a default wildcard mask of 0.0.0.0
  – You must specify the wildcard mask for the source IP address
• The host keyword is short for a wildcard mask of 0.0.0.0
  – The line will only be applied to packets that match the one source address specified with the host keyword

Extended IP Access List Examples

Figure 10-19: Extended IP access list example

Extended IP Access List Examples

Figure 10-19 (cont.): Extended IP access list example

Extended IP Access List Examples

Figure 10-20: Extended IP access list example continued

Extended IP Access List Examples

Figure 10-20 (cont.): Extended IP access list example continued

Extended IP Access List Examples

Figure 10-21: Applying an extended ip access list to an interface

Extended IP Access List Examples

Figure 10-22: Removing an extended ip access list from an interface

The "Established" Parameter

• Network administrators often want to block all TCP/IP traffic outside their network from coming into their network

• If you use deny statements to deny all traffic coming in, no one will be able to browse the Web, ping, or perform any other network activity that involves a response to a request

• The easiest way around this problem is to use an extended ip access list with an established parameter
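The slide describes the problem the established parameter solves; the added example below (not from the original chapter) models the decision it makes. On Cisco IOS, established matches a TCP segment whose ACK or RST bit is set, which is what replies to connections opened from inside look like; it keeps no connection state. The packets and the list contents are constructed for illustration.

```python
"""Added example (not from the original slides): how an extended IP access
list with the 'established' keyword treats inbound TCP segments. The TCP
flag constants are the standard bit values; packets and addresses are
constructed for illustration."""
from dataclasses import dataclass
from typing import List

SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    flags: int


@dataclass(frozen=True)
class ExtEntry:
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp" or "ip" (source/destination are 'any' in this model)
    established: bool = False   # only meaningful for tcp entries


def entry_matches(entry: ExtEntry, pkt: TcpPacket) -> bool:
    """'established' is a test on the TCP header only: the segment must
    carry ACK or RST. A bare SYN, the first packet of a connection coming
    from outside, does not match and falls through to the implicit deny."""
    if entry.protocol not in ("tcp", "ip"):
        return False
    if entry.established:
        return bool(pkt.flags & (ACK | RST))
    return True


def evaluate(acl: List[ExtEntry], pkt: TcpPacket) -> str:
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"   # implicit deny any


# Models 'access-list 101 permit tcp any any established' applied inbound on
# the outside interface. The list number and addresses are constructed.
INBOUND_ACL = [ExtEntry("permit", "tcp", established=True)]

if __name__ == "__main__":
    inside, outside = "192.168.1.20", "203.0.113.7"
    for name, flags in [("SYN", SYN), ("SYN/ACK", SYN | ACK), ("ACK", ACK), ("RST", RST)]:
        print(f"inbound {name:<7} -> {evaluate(INBOUND_ACL, TcpPacket(outside, inside, flags))}")
```

Because the test is stateless, an inbound segment with ACK set is permitted whether or not an inside host ever opened a connection; the keyword blocks new inbound sessions, not crafted packets, which is why stateful inspection is preferred where that distinction matters.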

Monitoring Extended IP Access Lists

Figure 10-23: Show ip access-lists command

Monitoring Extended IP Access Lists

Figure 10-24: Clear access-list counters command

Standard IPX Access Lists

• Very similar to their IP cousins
  – One distinct difference
• Can filter based on source and destination addresses
  – Standard IP access lists can only filter based on source addresses

• In all other aspects, they act just like standard IP access lists

Standard IPX Access List Examples

Figure 10-25: Sample IPX network

Standard IPX Access List Examples

Figure 10-26: Standard IPX access-list configuration

Monitoring Standard IPX Lists

Figure 10-27: Show access-list command

Extended IPX Access Lists

• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number

Figure 10-28: Configuring extended IPX access-lists

Extended IPX Access Lists

Figure 10-28 (cont.): Configuring extended IPX access-lists

Monitoring Extended IPX Access Lists

Figure 10-29: show access-lists command

IPX SAP Filters

• Limit SAP traffic in order to control what resources on the IPX network will be visible to IPX clients
  – Allows you to limit the "advertising" of particular servers and services to a particular IPX network segment
  – Since SAP advertisements are broadcast, limiting them reduces network traffic

• IPX input SAP filters reduce the number of SAP entries that are placed into a router’s SAP table

IPX SAP Filter Example

Figure 10-30: IPX SAP filter example

IPX SAP Filter Example

Figure 10-31: Applying an IPX SAP filter to an interface

Monitoring IPX SAP Filters

• Like all other access lists, the show access-lists command displays all lists including all SAP filters defined on the router

• To make sure the list was applied successfully to the interface, use the show ipx interface command

• To remove a SAP filter, use the no access-list [list #] command

• To remove the application of a SAP filter from an interface, use the no ipx input-sap-filter [list #] or no ipx output-sap-filter [list #] command

Using Named Lists

• In Cisco IOS versions 11.2 and above, you can use names instead of numbers to identify your lists
  – These are known as named access lists
• You cannot use the same name for multiple lists
  – Even different types of lists cannot have the same name

• The naming feature allows you to maintain security by using an easily identifiable access list

Chapter Summary

• Access lists are one of the most important IOS tools for controlling network traffic and security

• Access lists are created in a two-step process
• All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied

• Access lists, by default, always end in an implicit deny any

• Only one access list per direction per protocol can be applied to an interface

Chapter Summary

• Standard IP access lists filter traffic based on the source IP address of a packet

• Extended IP access lists filter traffic based on the source, destination, protocol type, and application type

• Standard IPX access lists are more complex than standard IP lists

• Extended IPX lists allow you to filter based on IPX protocol type and IPX parameters

• IPX SAP filters allow you to limit the amount of SAP traffic passed by your routers

Chapter Summary

• Each type of access list is identified by its own range of list numbers

Table 10-2: Access list number ranges