
Permit or deny traffic

Identify traffic based on:
- Protocol
- Source address
- Destination address
- Port number

Conceptual syntax to block access from network 4 to network 1:

Access-list 1 deny network 4
Access-list 1 permit any
(Implicit deny any)

Lack of planning: What needs to be filtered? Where does it need to be filtered?

An Access Control List is a filter that:
- can have multiple lines of instruction
- has lines of instruction that are applied sequentially until a match is found

Access Control List changes

- Make changes in a text editor (Notepad.exe)
- Remove the entire Access Control List
- Copy and paste the entire new Access Control List

Accidental telnet block: reload command

reload in [hh:]mm [month day | month day]
RouterB# reload in 00:30

Routers apply lists sequentially as they are configured. All new lines are added to the end of the list. Packets are processed only until a match is made. Lists always end with an implicit deny.

As a general rule, the lines with the most potential matches should be first in the list, so that packets do not undergo unnecessary processing.

You should avoid unnecessarily long ACLs. After you create ACLs, you must apply them to interfaces so they can begin filtering traffic.

You apply a list as either an outgoing or an incoming filter.

Only one list, per protocol, per direction can be applied to an interface. Access Control Lists are effective as soon as they are applied to the interface.


Standard Access Control Lists filter network traffic based only on source address.

access-list [list #] [permit|deny] [source address] [source wildcard mask]

[list #]: Standard IP Access Control Lists are represented by a number in the range 1 to 99
[permit|deny]: Used to specify the action of the Access Control List line
[source address]: The IP address of the source
[source wildcard mask]: Determines which bits of the source address are significant


Wildcard Mask            Binary Version                         Description
0.0.0.0 (host)           00000000.00000000.00000000.00000000    The entire IP address must match
0.0.0.255                00000000.00000000.00000000.11111111    Just the first 24 bits must match
0.0.255.255              00000000.00000000.11111111.11111111    Just the first 16 bits must match
0.255.255.255            00000000.11111111.11111111.11111111    Just the first 8 bits must match
255.255.255.255 (any)    11111111.11111111.11111111.11111111    Don't even bother to compare; it's automatically considered to match (0 bits need to match)
0.0.15.255               00000000.00000000.00001111.11111111    Just the first 20 bits must match
0.0.3.255                00000000.00000000.00000011.11111111    Just the first 22 bits must match


Access Control List command examples

Single IP:
access-list 1 permit 192.168.10.1 0.0.0.0
access-list 1 permit 192.168.10.1
access-list 1 permit host 192.168.10.1

Network:
access-list 1 permit 192.168.10.0 0.0.0.255

All packets:
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 1 permit any
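The wildcard-mask table, the sequential first-match rule and the standard ACL forms above can be exercised with the following evaluator. It is an added example, not code from the slides; the list ACL_1 and the source addresses it is tested against are constructed for illustration.

```python
# Added example (not from the slides): a minimal evaluator for Cisco
# standard ACL lines showing wildcard-mask matching, sequential
# first-match processing and the implicit "deny any" at the end.
import ipaddress

def matches(addr, base, wildcard):
    """Wildcard mask: a 0 bit means 'must match', a 1 bit means 'ignore'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_standard(line):
    """Parse 'access-list <1-99> permit|deny <src> [wildcard] | host <src> | any'."""
    tok = line.split()
    if tok[0] != "access-list" or not 1 <= int(tok[1]) <= 99:
        raise ValueError("not a standard ACL line: " + line)
    action = tok[2]
    if tok[3] == "any":                       # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if tok[3] == "host":                      # host X == X 0.0.0.0
        return action, tok[4], "0.0.0.0"
    wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"   # omitted mask means host
    return action, tok[3], wildcard

def evaluate(acl_lines, source):
    """Return the action of the first line that matches; implicit deny if none."""
    for action, base, wildcard in map(parse_standard, acl_lines):
        if matches(source, base, wildcard):
            return action
    return "deny"   # implicit deny any

# Constructed list: block one host, then permit the rest of its /24.
ACL_1 = [
    "access-list 1 deny host 192.168.10.1",
    "access-list 1 permit 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("192.168.10.1", "192.168.10.77", "10.0.0.5"):
        print(src, "->", evaluate(ACL_1, src))
    # Order matters: swap the two lines and the host is permitted by line 1.
    print("reversed ->", evaluate(ACL_1[::-1], "192.168.10.1"))
```

The reversed run shows why line order is the first thing to check when an ACL does not behave as intended: the more specific deny must precede the broader permit.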


Outbound ACLs are generally more efficient than inbound. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface. With inbound ACLs, the router can filter packets and protect itself before damage is inflicted.


show access-list
show ip access-list
show interfaces
show ip interfaces


Extended Access Control Lists filter based on:
- Protocol type
- Source IP address
- Destination IP address
- Port number

ACL numbers 100 thru 199


access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

[list #]: Number in the range 100 to 199
[permit|deny]: Used to specify the nature of the Access Control List line
[protocol]: The IP protocol to be filtered; can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others
[source IP address]: The IP address of the source
[source wildcard mask]: Determines which bits of the source address are significant
[destination IP address]: The IP address of the destination
[destination wildcard mask]: Determines which bits of the destination address are significant
[operator]: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to)
[port]: Port number of the protocol to be filtered
[log]: Turns on logging of Access Control List activity


Permit TCP traffic to the 15.0.0.0 network as long as the session originated from the 15.0.0.0 network:

access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
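The extended ACL syntax above and the established line in particular can be worked through with the following evaluator. It is an added example, not code from the slides; the rule is the slide's line pre-parsed into a dict, and the two segments (REPLY and NEW_SYN) are constructed for illustration.

```python
# Added example (not from the slides): how 'established' on the line
#   access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
# separates replies to inside-opened sessions from new connections from outside.
import ipaddress

def wc_match(addr, base, wildcard):
    """Wildcard mask: 0 bit = must match, 1 bit = ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_match(operator, port, value):
    """Apply an [operator] [port] pair (eq, neq, lt, gt); no operator = any port."""
    if operator is None:
        return True
    return {"eq": value == port, "neq": value != port,
            "lt": value < port, "gt": value > port}[operator]

def extended_evaluate(rules, pkt):
    """First match wins; implicit deny if nothing matches. Rules are dicts;
    pkt keys: proto, src, dst, sport, dport, flags (set of TCP flag names)."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):   # 'ip' covers every protocol
            continue
        if not wc_match(pkt["src"], r["src"], r["src_wc"]):
            continue
        if not wc_match(pkt["dst"], r["dst"], r["dst_wc"]):
            continue
        if not port_match(r.get("dport_op"), r.get("dport"), pkt.get("dport")):
            continue
        # 'established' only inspects flags: any segment with ACK or RST set
        # counts as part of an existing session, whoever actually sent it.
        if r.get("established") and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return r["action"]
    return "deny"   # implicit deny any

# The slide's rule, parsed: any source, destination 15.0.0.0/8, established only.
ACL_100 = [{"action": "permit", "proto": "tcp", "src": "0.0.0.0",
            "src_wc": "255.255.255.255", "dst": "15.0.0.0",
            "dst_wc": "0.255.255.255", "established": True}]

# Constructed segments from outside: a reply to an inside-opened session (ACK set)
# and a fresh SYN trying to open a telnet session to an inside host.
REPLY = {"proto": "tcp", "src": "203.0.113.7", "dst": "15.1.2.3",
         "sport": 80, "dport": 40001, "flags": {"ACK"}}
NEW_SYN = {"proto": "tcp", "src": "203.0.113.7", "dst": "15.1.2.3",
           "sport": 40002, "dport": 23, "flags": {"SYN"}}

if __name__ == "__main__":
    print(extended_evaluate(ACL_100, REPLY), extended_evaluate(ACL_100, NEW_SYN))
```

Because established is a flag check rather than session tracking, the same evaluator shows why a per-port deny line placed before it is still needed for services that must never be reached from outside.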


Named ACL examples (Cisco IOS version 11.2 and above)

RouterC(config)# ip access-list standard [name]
RouterC(config)# ip access-list extended [name]
RouterC(config-std-nacl)# deny {source [source-wildcard] | any}
RouterC(config-std-nacl)# permit {source [source-wildcard] | any}
RouterC(config-if)# ip access-group [name] [in | out]


Restricting access to telnet: access control examples

Individual hosts:
RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
RouterA(config)# access-list 12 permit host 192.168.12.12

Network access:
RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255

Apply Access Control List to interface:
RouterA(config)# line vty 0 4
RouterA(config-line)# access-class 12 in
