1 of 48

1

Access Control List

2 of 48

Agenda

Overview
Standard Access List
Extended Access List

2

3 of 48

Access Lists: Usage and Rules

Access lists are

“permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet”

3

s0

Block traffic from Network 3 to access Network 1

4 of 48

Access Lists: Usage and Rules

Step 1: Create the rules

“Block all traffic form Network 3”
(Implicit “Allow the others”)

Step 2: Assign the rule to an interface

Assign the rule to interface S0 of Router A

4

s0

Block traffic from Network 3 to access Network 1

5 of 48

Access List Command Overview

IP access lists are numbered 1-99 or 100-199.

5

Step 1: Set parameters for this access list test �statement (which can be one of several statements).

Step 2: Enable an interface to use the specified �access list.

Router(config-if)# {protocol} access-group �access-list-number {in | out}

Router(config)# access-list access-list-number �{permit | deny} {test conditions}

Layer 2 of 2

Emphasize: Layer 2—Adds the general form of the interface command. This links the previously specified interface to a group that will handle its packet for the protocol in the manner specified by the global access list statements.

It can help student understanding to learn a generalized command as a simplified template, common to most access list processes. However, the details for specific access lists vary widely.

As you present the global access list command material that follows in this chapter, return to the template term “test conditions” if it helps your students associate variations to the general elements of this model.

Emphasize that “test conditions” is an abstraction for this course. Use this abstraction as a generalization to assist teaching and learning. The words “test conditions” are not a Cisco IOS argument or parameter.

Cisco IOS software also offers many variations for the second interface command. As you present these variations, refer your students to the template term “access group” and emphasize how each variation performs a link of the access list test conditions met and the interfaces that packets can use as a result.

6 of 48

A List of Test: Permit

6

access-list 1 permit {test condition}

Packets to Interface(s)

of the assigned

the Access Group

Y

Match

First

Test

?

Permit

N

Packet �Discard

Bucket

Deny

Interface(s)

Destination

7 of 48

A List of Test: Deny

7

access-list 1 deny {test condition}

Packets to Interface(s)

of the assigned

the Access Group

Deny

Y

Match

First

Test

?

N

Packet �Discard

Bucket

Deny

8 of 48

A List of Tests: Deny or Permit

8

access-list 1 deny / permit {test condition}

Packets to Interface(s)

of the assigned

the Access Group

Y

Deny

Y

Match

First

Test

?

Permit

N

Packet �Discard

Bucket

Deny

Interface(s)

Destination

9 of 48

Access List Command Overview

Implicit deny any

(access-list 1 deny any)
Blocks all packets that do not meet requirements of the access list

9

Figure 10-1: Sample network

Block traffic from Network 3 to access Network 1

RouterA(config)# access-list 1 deny Network3

RouterA(config)# access-list 1 permit any

s0

10 of 48

A List of Tests: Deny or Permit

Router(config)# access-list access-list-number {permit | deny} {test conditions}

10

Router(config)# access-list 1 permit {test condition-1}

Router(config)# access-list 1 deny {test condition-2}

Router(config)# access-list 1 permit {test condition-3}

Router(config)# access-list 1 deny {test condition-4}

…

Router(config)# access-list 1 deny {test condition-n}

(Implicit Deny)

11 of 48

A List of Tests: Deny or Permit

11

Packets to Interface(s)

in the Access Group

Packet �Discard

Bucket

Y

Interface(s)

Destination

Deny

Y

Match

First

Test

?

Permit

N

Deny

Permit

Match

?

Deny

Match

Last

Test�?

Y

N

Y

Permit

Implicit

Deny

If No Match,

Deny All

(Implicit Deny)

Deny

N

12 of 48

Inbound and Outbound

Packet pass through 2 interfaces
Access List can be assigned to one of them.

12

Block traffic from Network 3 to access Network 1

RouterA(config)# access-list 1 deny Network3

RouterA(config)# access-list 1 permit any

Router(config-if)# {protocol} access-group �access-list-number {in | out}

s0

f0

13 of 48

Inbound and Outbound

Inbound -- in

Direction is into the router
Apply before looking up the routing table

13

Outbound -- out

Direction is out of the router
Apply after choosing the outgoing interface

Block traffic from Network 3 to access Network 1

RouterA(config)# access-list 1 deny Network3

RouterA(config)# access-list 1 permit any

in

out

Router(config-if)# {protocol} access-group �access-list-number {in | out}

14 of 48

Access List Command Overview

14

Figure 10-1: Sample network

Block traffic from Network 3 to access Network 1

RouterA(config)# access-list 1 deny Network3

RouterA(config)# access-list 1 permit any

Option 1

RouterA(config)# int s0

RouterA(config-if)# ip access-group 1 in

Option 2

RouterA(config)# int f0

RouterA(config-if)# ip access-group 1 out

s0

f0

Option 2

Option 1

15 of 48

Type of Access Lists

15

Two major types of test conditions for IP protocol suit

Standard Access List

Checks source host (network) address
Generally permits or denies entire protocol suite

Extended Access List

Checks source and destination host (network) address
Generally permits or denies specific protocols

Outgoing

Packet

E0

S0

Incoming

Packet

Access List Processes

Permit?

Source

and �(Destination)

Protocol

16 of 48

Standard IP Access List Configuration

Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
“no ip access-group access-list-number” removes access list from �the interface

16

Router(config-if)# ip access-group �access-list-number {in | out}

Sets parameters for this list entry
IP standard access lists use 1 to 99
Default wildcard mask = 0.0.0.0
“no access-list access-list-number” removes entire access list

Router(config)# access-list access-list-number �{permit | deny} source [mask]

Layer 2 of 2

Purpose: This layer shows the ip access-group command.

Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface, per direction, per protocol is allowed.

The ip access-group field descriptions are as follows:

list—Number of the access list to be linked to this interface.

direction—Default is outbound.

Note: Create the access list first before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access list may cause most traffic to be blocked on the interface.

To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of Cisco IOS, removing the access list without removing it from the interface can cause problems.

17 of 48

Standard IP Access Lists

Standard IP Access Lists

Filter network traffic based on the source IP address + wildcard mask only
Using IP address + wildcard mask, you can filter traffic by a host IP, subnet, or a network address

Wildcard mask

Also called inverse mask
Applied to IP addresses to determine if an access list line will act upon a packet

17

Router(config)# access-list access-list-number �{permit | deny} source [mask]

18 of 48

Wildcard Bits: How to Check the Corresponding Address Bits

0 means check value of corresponding address bit.
1 means ignore value of corresponding address bit.

18

Do Not Check Address �(Ignore Bits in Octet)

=

0

1

128

64

32

16

8

4

2

1

=

0

=

0

1

=

1

0

=

1

Octet Bit Position and

Address Value for Bit

Ignore Last 6 Address Bits

Check All Address Bits

(Match All)

Ignore Last 4 Address Bits

Check Last 2 Address Bits

Examples

Purpose: This graphic describes the binary wildcard masking process.

Emphasize: Introduce the wildcard bit process. Tell students that the wildcard bit matching process is different than the IP subnet addressing mask covered earlier.

Illustrate how wildcard masking works using the examples shown in the graphic table.

The term wildcard masking is a nickname for this access list mask-bit-matching process. This nickname comes from an analogy of a wildcard that matches any other card in a poker game.

Emphasize the contrast between wildcard masks and subnet masks, stated in the Student Guide note. The confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types.

Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask need to be contiguous.

Wildcard is like the DOS “*” character.

19 of 48

Standard IP Access Lists

19

Wildcard masking example matching a single host

20 of 48

Standard IP Access Lists

CSC488 Rangsit University

20

Wildcard masking example matching a network

21 of 48

Standard IP Access Lists

Partial masking

When an octet in a wildcard mask contains a mix of binary 1s and 0s

21

Figure 10-6: Wildcard masking example using partial masking

22 of 48

Standard IP Access Lists

22

Figure 10-7: Wildcard masking example without match

23 of 48

Standard IP Access List Examples

23

X

Create Access List to

Deny host 172.22.5.2 to access 172.22.2.2

?

Where ?

?

24 of 48

Standard IP Access List Examples

If we apply access list 1 to Router B’s S1 (e.g., inbound direction), traffic to E0 will be blocked too.
Apply Standard IP Access List as close to the destination as possible.

24

X

25 of 48

Standard IP Access List Examples

25

Sample IP network

X

Answer

as close to the destination as possible

26 of 48

Standard IP Access List Examples

26

Creating a standard IP access list

Use

access-list 1 permit 0.0.0.0 255.255.255.255

or

access-list 1 permit any

to permit others

27 of 48

Standard IP Access List Examples

27

Figure 10-15: Creation and application of standard IP access list

Blocked all traffic from all hosts in subnet 172.22.5.0/24

28 of 48

Standard IP Access List Examples

28

Figure 10-17: Access list that blocks multiple subnets

Blocked all traffic from all hosts in subnets 172.22.4.0/24 and 172.22.5.0/24.

29 of 48

Verify IP Access List

29

Figure 10-11: Show access-lists and show ip access-lists commands

30 of 48

Verify IP Access List

30

Figure 10-12: Show ip interface command

31 of 48

Standard IP Access List Examples

31

Figure 10-13: Removing an ip access list from an interface

32 of 48

Standard IP Access List Examples

32

Figure 10-14: Show ip interface after removal of access list 1 from e0

33 of 48

TCP / IP Majors Protocols

33

Network

Physical

Internet

Application

Transport

LLC / MAC

IP (Internet Protocol)

TCP

UDP

TELNET

FTP

SMTP

HTTP

TFTP

SNMP

ICMP

OSPF

34 of 48

Port Number

34

LLC/MAC

I P Protocol

TCP

telnet

FTP

WWW

(x1)

(x2)

(x3)

U data

SA

DA

H

SP

DP

Destination Port

When more than one application are running on the same machine. Special ID called “Port Number” is need to specify the application.

Source Port

35 of 48

Well-Known Port Number

35

Driver

IP

TCP

telnet server

FTP server

WWW server

(20)

(23)

(80)

U data

SA

DA

H

SP

DP

Servers are known by well-known ports number, e.g., FTP 20 + 21, TELNET 23, SMTP 25, HTTP 80

When more than one server are running on the same machine.

Client port numbers are dynamically assigned

(>1024).

36 of 48

Socket Number

36

IP

TCP

IP

TCP

telnet server

FTP server

WWW server

(20)

(23)

(80)

Any connection has a unique

socket number

(source IP, source Port Number

dest. IP, dest. Port Number)

telnet client

WWW client

(1050)

(1051)

IP

TCP

telnet client

(1050)

telnet client

240.148.240.105

(1051)

240.148.240.10

240.148.240.100

.

1.(240.148.240.100: 20, 240.148.240.105. 1050)

2.(240.148.240.100: 20, 240.148.240.105. 1051)

3.(240.148.240.100: 20, 240.148.240.10. 1050)

4.(240.148.240.100; 80, 240.148.240.10. 1051)

(1)

(2)

(3)

(4)

37 of 48

TCP Header

37

sequence number:32

acknowledgement number:32

window size:16

Options + padding

0 15 16 31

destination port:16

Offset:4

resv:6

flags:6

checksum :16

Urgent Pointer:16

source port:16

38 of 48

UDP header

38

0 15 16 31

destination port:16

length :16

checksum :16

source port:16

39 of 48

Extended IP Access Lists

An Example from a TCP/IP Packet

39

Destination

Address

Source

Address

Protocol (L3/L4)

Port

Number

Segment

(for Example, �TCP Header)

Data

Packet

(IP Header)

Frame

Header

(For Example, �HDLC)

Use

Access

List Statements

1-99 or 100-199 to �Test the

Packet

Deny

Permit

40 of 48

Extended IP Access List Configuration

40

Router(config-if)#ip access-group access-list-number {in | out}

Activates the extended list on an interface

Sets parameters for this list entry
The host keyword is short for a wildcard mask of 0.0.0.0

Router(config)#access-list access-list-number �{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

41 of 48

Extended Access List Example 1

Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0.

FTP 🡪 TCP protocol ports 20,21

Permit all other traffic.

41

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20

access-list 101 permit ip any any

(implicit deny all)

(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

interface ethernet 0

ip access-group 101 out

172.16.3.0

172.16.4.0

172.16.4.13

E0

S0

E1

Non-

172.16.0.0

42 of 48

Extended Access List Example 2

Deny only Telnet from subnet 172.16.4.0 out of E0.

telnet 🡪 TCP port 23

Permit all other traffic.

42

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23

access-list 101 permit ip any any

(implicit deny all)

interface ethernet 0

ip access-group 101 out

172.16.3.0

172.16.4.0

172.16.4.13

E0

S0

E1

Non-

172.16.0.0

43 of 48

Extended Access List Example 3

43

Figure 10-18: Sample IP network with a Web server

X

Web traffic

Protocol = tcp

Port = 80

as close to the source as possible

access-list 101 deny tcp 172.22.5.2 0.0.0.0 172.22.2.2 0.0.0.0 eq 80

44 of 48

Extended Access List Example 3

44

Sample IP network with a Web server

X

Web traffic

Protocol = tcp

Port = 80

as close to the source as possible

access-list 101 deny tcp host 172.22.5.2 host 172.22.2.2 eq www

45 of 48

Extended Access List Example 3

45

46 of 48

Standard Versus Extended Access List

46

Standard

Extended

Filters based on�source

Filters based on�source and destination

Permits or denies entire TCP/IP protocol suite

Specifies a specific IP protocol and port number

Range: 100 through 199

Range: 1 through 99

47 of 48

Problem

47

172.16.3.0

192.168.1.0

192.168.1.5

E0

S0

E1

128.16.1.0

What Standard Access List is use to block PC 192.168.1.5 to access network 172.16.3.0?
What interface on the router must be applied this access-list?

48 of 48

Answer

48

172.16.3.0

192.168.1.0

192.168.1.5

E0

S0

E1

128.16.1.0

What Standard Access List is use to block PC 192.168.1.5 to access network 172.16.3.0?

What interface on the router must be applied this access-list?

access-list 1 deny 192.168.1.5 0.0.0.0�access-list 1 permit any

E0