10-1
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Identify the key functions and special processing of IP access lists Configure standard IP access lists Control virtual terminal access with access class Configure extended IP access lists Verify and monitor IP access lists
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-2
Token Ring
FDDI
www.cisco.com
ICND v1.0a10-3
Token Ring
FDDI
Internet
172.17.0.0
Manage IP traffic as network access grows Filter packets as they pass through the router
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-4
Permit or deny vty access to or from the router Without access lists all packets could be transmitted onto all parts of your network
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-5
www.cisco.com
ICND v1.0a10-6
Dial-on-demand routing
www.cisco.com
ICND v1.0a10-7
Dial-on-demand routing
Route filtering
Routing Table
www.cisco.com
ICND v1.0a10-8
Outgoing Packet
S0
Standard Checks Source address Generally permits or denies entire protocol suite
www.cisco.com
ICND v1.0a10-9
Outgoing Packet
S0
Standard Checks Source address Generally permits or denies entire protocol suite
Extended
Checks Source and Destination address Generally permits or denies specific protocols
www.cisco.com
ICND v1.0a10-10
Outgoing Packet
S0
Standard Checks Source address Generally permits or denies entire protocol suite
Extended
Checks Source and Destination address Generally permits or denies specific protocols Inbound or Outbound
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-11
Choose Interface
S0 Outbound Interfaces
?
N
Access N List ?
Y
www.cisco.com
ICND v1.0a10-12
Choose Interface
Test Access List Statements Access N List ?
Y
?
N
Permit ?
www.cisco.com
ICND v1.0a10-13
Choose Interface
Test Access List Statements Access N List ?
Y N
?
N
Permit ?
Discard Packet Notify Sender Packet Discard Bucket If no access list statement matches then discard the packet
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-14
Deny
Deny
www.cisco.com
ICND v1.0a10-15
Deny Deny
Y Match Next Test(s) ? Y
Deny
www.cisco.com
ICND v1.0a10-16
Deny Deny
Y Match Next Test(s) ? N Match Last Test ? Y
Deny
Permit
Deny
www.cisco.com
ICND v1.0a10-17
Deny Deny
Y Match Next Test(s) ? N Y
Deny
Permit
Deny
www.cisco.com
One access list per interface, per protocol, per direction The order of access list statements controls testing Most restrictive statements should be at the top of list There is an implicit deny any as the last access list test every list should have at least one permit statement Create access lists before applying them to interfaces Access list, filter traffic going through the router; they do not apply to traffic originated from the router
www.cisco.com
ICND v1.0a10-19
www.cisco.com
ICND v1.0a10-20
www.cisco.com
ICND v1.0a10-21
Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
www.cisco.com
ICND v1.0a10-22
Standard IP lists (1 to 99) test conditions of all IP packets from source addresses Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
www.cisco.com
ICND v1.0a10-23
IPX
Standard IP lists (1 to 99) test conditions of all IP packets from source addresses Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports Other access list number ranges test conditions for other networking protocols
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-24
Source Address
www.cisco.com
ICND v1.0a10-25
Permit
www.cisco.com
ICND v1.0a10-26
0 0 0 1 1
0 0 0 1 1
0 1 0 1 1
0 1 0 1 1
0 1 1 1 1
0 1 1 1 1
0 1 1 0 1
0 1 1 0
= = = = =
0 means check corresponding address bit value 1 means ignore value of corresponding address bit
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-27
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)
www.cisco.com
ICND v1.0a10-28
Accept any address: 0.0.0.0 255.255.255.255 Abbreviate the expression using the keyword any
www.cisco.com
ICND v1.0a10-29
172.30.16.0 0.0.15.255
Network .host 172.30.16.0
0
Wildcard mask:
0 0 0 0
0
0 0
0
0
1 1
1
0
0 0
0
0
0 0
0
0
0 0
0
1
0 1
0
1 1
= =
1
16 17
0
0
2000, Cisco Systems, Inc.
0
0
0
0
1
1
0
1
0
: 1
1
1
0
1
=
=
ICND v1.0a10-30
18
31
www.cisco.com
www.cisco.com
10-31
www.cisco.com
ICND v1.0a10-32
Router(config-if)#
ip access-group access-list-number
Activates the list on an interface Sets inbound or outbound testing Default = Outbound no ip access-group access-list-number removes access-list from the interface
2000, Cisco Systems, Inc.
{ in | out }
www.cisco.com
ICND v1.0a10-33
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 permit 172.16.0.0 0.0.255.255 (implicit deny all - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)
www.cisco.com
ICND v1.0a10-34
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 permit 172.16.0.0 0.0.255.255 (implicit deny all - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out
www.cisco.com
ICND v1.0a10-35
172.16.4.0 172.16.4.13
S0 E0 E1
www.cisco.com
ICND v1.0a10-36
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255 (implicit deny all) (access-list 1 deny 0.0.0.0 255.255.255.255)
www.cisco.com
ICND v1.0a10-37
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255 (implicit deny all) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out
www.cisco.com
ICND v1.0a10-38
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 deny 172.16.4.0 0.0.0.255 access-list 1 permit any (implicit deny all) (access-list 1 deny 0.0.0.0 255.255.255.255)
www.cisco.com
ICND v1.0a10-39
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 1 deny 172.16.4.0 0.0.0.255 access-list 1 permit any (implicit deny all) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out
www.cisco.com
ICND v1.0a10-40
www.cisco.com
10-41
e0
0 1 2 34
Five virtual terminal lines (0 through 4) Filter addresses that can access into the routers vty ports Filter vty access out from the router
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-42
0 1 2 34
Physical port (e0) (Telnet)
Router#
Setup IP address filter with standard access list statement Use line configuration mode to filter access with the access-class command Set identical restrictions on all vtys
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-43
Restricts incoming or outgoing vty connections for address in the access list
www.cisco.com
ICND v1.0a10-44
www.cisco.com
ICND v1.0a10-45
www.cisco.com
10-46
Extended
Filters Based on Source and destination. Specifies a specific IP protocol and port number. Range is 100 through 199.
www.cisco.com
ICND v1.0a10-47
www.cisco.com
ICND v1.0a10-48
www.cisco.com
ICND v1.0a10-49
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-50
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-51
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-52
172.16.4.0 172.16.4.13
S0 E0 E1
0.0.0.255
any eq 23
Deny only Telnet from subnet 172.16.4.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-53
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 101 deny tcp 172.16.4.0 access-list 101 permit ip any any (implicit deny all)
0.0.0.255
any eq 23
Deny only Telnet from subnet 172.16.4.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-54
172.16.4.0 172.16.4.13
S0 E0 E1
access-list 101 deny tcp 172.16.4.0 access-list 101 permit ip any any (implicit deny all) interface ethernet 0 ip access-group 101 out
0.0.0.255
any eq 23
Deny only Telnet from subnet 172.16.4.0 out of E0 Permit all other traffic
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-55
www.cisco.com
ICND v1.0a10-56
{ permit | deny } { ip access list test conditions } { permit | deny } { ip access list test conditions } no { permit | deny } { ip access list test conditions }
Permit or deny statements have no prepended number "no" removes the specific test from the named access list
www.cisco.com
ICND v1.0a10-57
{ ip access list test conditions } { permit | deny } { ip access list test conditions } no { permit | deny } { ip access list test conditions }
Permit or deny statements have no prepended number "no" removes the specific test from the named access list
Router(config-if)# ip access-group name { in | out }
www.cisco.com
ICND v1.0a10-58
www.cisco.com
ICND v1.0a10-59
E0 E0
A
S0
S1 S1
C
E0
To0
Token Ring
E0
E1
Recommended:
Place extended access lists close to the source Place standard access lists close to the destination
2000, Cisco Systems, Inc.
www.cisco.com
ICND v1.0a10-60
www.cisco.com
ICND v1.0a10-61
www.cisco.com
ICND v1.0a10-62
Laboratory Exercise
www.cisco.com
10-63
Visual Objective
wg_pc_a 10.2.2.12 e0/1 e0/2 TFTP e0 10.2.2.3
wg_ro_a
wg_sw_a 10.2.2.11
s0 10.140.1.2
X
wg_pc_l 10.13.13.12 e0/1 TFTP Telnet e0/2 e0
X wg_ro_l s0
10.140.12.2
Pod A B C D E F G H I J K L
wg_ros s0 10.140.1.2 10.140.2.2 10.140.3.2 10.140.4.2 10.140.5.2 10.140.6.2 10.140.7.2 10.140.8.2 10.140.9.2 10.140.10.2 10.140.11.2 10.140.12.2
wg_ros e0 10.2.2.3 10.3.3.3 10.4.4.3 10.5.5.3 10.6.6.3 10.7.7.3 10.8.8.3 10.9.9.3 10.10.10.3 10.11.11.3 10.12.12.3 10.13.13.3
wg_sw 10.2.2.11 10.3.3.11 10.4.4.11 10.5.5.11 10.6.6.11 10.7.7.11 10.8.8.11 10.9.9.11 10.3.3.11 10.11.11.11 10.12.12.11 10.13.13.11
LL
X
fa0/24 fa0/23 core_sw_a 10.1.1.2
ICND v1.0a10-64
Summary
After completing this chapter, you should be able to perform the following tasks: Identify the key functions and processing of IP access lists Configure standard IP access lists Control vty access with an access class Configure extended IP access lists Verify and monitor IP access lists
www.cisco.com
ICND v1.0a10-65
Review Questions
1. What are the two types of IP access lists? 2. What is the last statement in all access lists?
www.cisco.com
ICND v1.0a10-66