Lack of planning: what needs to be filtered? Where does it need to be filtered? An Access Control List is a filter that can have multiple lines of instructions; the lines are applied sequentially until a match is found.
Editing an ACL with Notepad.exe: remove the entire Access Control List, then copy and paste the entire new Access Control List. Schedule a reload first so that a mistake that locks you out is undone when the router reloads:
reload in [hh:]mm [month day | month day]
RouterB# reload in 00:30
Routers apply lists sequentially as they are configured. All new lines are added to the end of the list. Packets are processed only until a match is made. Lists always end with an implicit deny.
As a general rule, the lines with the most potential matches should be first in the list.
You should avoid unnecessarily long ACLs. After you create ACLs, you must apply them to interfaces so they can begin filtering traffic.
Only one list, per protocol, per direction can be applied to an interface. Access Control Lists are effective as soon as they are applied to the interface.
Wildcard Mask            Binary Version                         Description
0.0.0.0 (host)           00000000.00000000.00000000.00000000    The entire IP address must match
0.0.0.255                00000000.00000000.00000000.11111111    Just the first 24 bits must match
0.0.255.255              00000000.00000000.11111111.11111111    Just the first 16 bits must match
0.255.255.255            00000000.11111111.11111111.11111111    Just the first 8 bits must match
255.255.255.255 (any)    11111111.11111111.11111111.11111111    Don't even bother to compare; it's automatically considered to match (0 bits need to match)
0.0.15.255               00000000.00000000.00001111.11111111    Just the first 20 bits must match
0.0.3.255                00000000.00000000.00000011.11111111    Just the first 22 bits must match
Single IP      access-list 1 permit 192.168.10.1 0.0.0.0
               access-list 1 permit 192.168.10.1
               access-list 1 permit host 192.168.10.1
Network        access-list 1 permit 192.168.10.0 0.0.0.255
All packets    wildcard mask 255.255.255.255 (any)
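To make the wildcard-mask table and the first-match, implicit-deny rules concrete, here is an added example that is not part of the original material: a small Python evaluator for standard numbered ACL lines (host, any, and address plus wildcard forms). The ACL lines and addresses are constructed for the demonstration, and significant_bits() assumes a contiguous wildcard like the ones in the table.

```python
import ipaddress

# Constructed sample ACL for the demonstration (not from any real router).
SAMPLE_ACL = [
    "access-list 12 permit host 192.168.12.12",
    "access-list 12 deny 192.168.12.0 0.0.0.255",
    "access-list 12 permit any",
]


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def significant_bits(wildcard: str) -> int:
    """Leading bits that must match for a contiguous wildcard (0.0.15.255 -> 20)."""
    return 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()


def parse_standard_line(line: str):
    """Return (action, source, wildcard) for one standard ACL line.
    Accepts 'host A', 'any', 'A' (wildcard defaults to 0.0.0.0) and 'A W'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, rest[0], wildcard


def evaluate(acl_lines, src_ip: str):
    """Walk the list top-down, stop at the first match, else implicit deny."""
    for line in acl_lines:
        action, base, wildcard = parse_standard_line(line)
        if wildcard_matches(src_ip, base, wildcard):
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    for ip in ("192.168.12.12", "192.168.12.50", "10.0.0.1"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
    # Order matters: move the host line below the network deny and it never fires.
    print(evaluate(SAMPLE_ACL[1:] + SAMPLE_ACL[:1], "192.168.12.12"))
```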
Outbound ACLs are generally more efficient than inbound. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface. With inbound ACLs, the router can filter packets and protect itself before damage is inflicted.
Extended Access Control Lists filter based on protocol, source, destination and port:

access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

[list #]: Number in the range 100 to 199
[permit|deny]: Used to specify the nature of the Access Control List line
[protocol]: The IP protocol to be filtered; can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others
[source IP address]: The IP address of the source
[source wildcard mask]: Determines which bits of the source address are significant
[destination IP address]: The IP address of the destination
[destination wildcard mask]: Determines which bits of the destination address are significant
[operator]: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to)
[port]: Port number of the protocol to be filtered
[log]: Turns on logging of Access Control List activity
Permit TCP traffic to the 15.0.0.0 network only if it belongs to a session that originated from the 15.0.0.0 network. Note that the established keyword simply matches TCP segments with the ACK or RST bit set; it does not track connection state.
access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
RouterC(config)# ip access-list standard [name]
RouterC(config)# ip access-list extended [name]
RouterC(config-std-nacl)# deny {source [source-wildcard] | any}
RouterC(config-std-nacl)# permit {source [source-wildcard] | any}
RouterC(config-if)# ip access-group [name] [in | out]
Individual hosts    RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
                    RouterA(config)# access-list 12 permit host 192.168.12.12
Network access      RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255