More Access Control Lists: Eumed - Grnet

Access control lists (ACLs) come in different types defined by ACL numbers and can permit or deny traffic based on conditions like source/destination addresses, protocols, and port numbers. Standard ACLs filter based on source IP while extended ACLs can also filter on destination IP, protocol, and port. ACLs should be applied close to the source for extended ACLs and close to the destination for standard ACLs.

Uploaded by Erwin Hidayat
Licence: Attribution Non-Commercial (BY-NC)
MORE ACCESS CONTROL LISTS

EUMED - GRNET
ACL Types

– ACLs come in many types. The access-list-number tells IOS which type an entry belongs to.
– The table below shows the common numbered ranges. AppleTalk and IPX are legacy protocols; the IP ranges are the ones that matter today, and IOS also accepts the expanded IP ranges 1300 to 1999 (standard) and 2000 to 2699 (extended).

  ACL Type        ACL Number
  IP Standard     1 to 99
  IP Extended     100 to 199
  AppleTalk       600 to 699
  IPX Standard    800 to 899
  IPX Extended    900 to 999
  IPX SAP         1000 to 1099

  Router(config)#access-list access-list-number {permit | deny} {test-conditions}
Standard ACL (1-99)

– access-list list# {permit | deny} source-IP [wildcard-mask]
– interface [router port]
– ip access-group list# {in | out} (out is the default if the direction is omitted)
– Entries are tested top to bottom. The first entry that matches decides: its action (permit or deny) is performed and later entries are not consulted.
– If no entry matches, the packet is dropped: every ACL ends with an implicit deny, so a list with no permit entry blocks everything.
– A standard ACL tests only the source address, so it should be placed close to the destination. Placed near the source it would also block that source's traffic to every other destination.
Wildcard Mask

– 32 bits long, written in dotted decimal like an address.
– A mask bit of 0 means the corresponding address bit must equal the bit in the entry's address.
– A mask bit of 1 means the corresponding address bit is ignored (it matches whatever its value).
– So 0.0.0.0 matches exactly one host and 255.255.255.255 matches every address. This is the inverse of a subnet mask, and unlike a subnet mask the 1 bits need not be contiguous.
Extended ACL (100-199)

– access-list list# {permit | deny} protocol source [source-wildcard] destination [destination-wildcard] [operator port]
– Should be placed close to the source.

Correct Placement of Extended ACLs

– Since an extended ACL carries destination information, it can filter precisely, so place it as close to the source as possible: unwanted traffic is dropped before it consumes bandwidth and router resources along the path.
– Place the extended ACL on the first router interface the packet enters and specify inbound (in) in the access-group command.
Correct Placement of Extended ACLs (example)

– In the slide's graphic (not reproduced here), we want to deny network 221.23.123.0 from accessing the server 198.150.13.34.
– Which router and interface should the access list be applied to?
  – Write the access list on Router C, apply it to interface E0, and specify in.
  – This keeps traffic from 221.23.123.0 destined for 198.150.13.34 off the network but still allows 221.23.123.0 access to the Internet, provided the list ends with a permit entry for everything else (otherwise the implicit deny blocks that too).
Example

– Configure an access list that blocks network 210.93.105.0 from exiting serial port s0 on some router. Allow all others to pass.

    access-list 4 deny 210.93.105.0 0.0.0.255
    access-list 4 permit any
    interface s0
    ip access-group 4 out

  (out is the default direction; it is written explicitly here.)

Example (continued)

– Same example, but block only the first half of the network's addresses (.0 to .127).

    access-list 4 deny 210.93.105.0 0.0.0.127
    access-list 4 permit any
    interface s0
    ip access-group 4 out

Example (continued)

– Same example, but block only the second half of the network's addresses (.128 to .255).

    access-list 4 deny 210.93.105.128 0.0.0.127
    access-list 4 permit any
    interface s0
    ip access-group 4 out

Example (continued)

– Same example, but block only the even-numbered addresses of the network. The wildcard 0.0.0.254 fixes the lowest bit of the last octet (at 0) and ignores the other seven.

    access-list 4 deny 210.93.105.0 0.0.0.254
    access-list 4 permit any
    interface s0
    ip access-group 4 out

Example (continued)

– Same example, but block only the odd-numbered addresses of the network (lowest bit fixed at 1).

    access-list 4 deny 210.93.105.1 0.0.0.254
    access-list 4 permit any
    interface s0
    ip access-group 4 out
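The matching rules described above (wildcard bits, top-down first match, the implicit deny, port operators and the established flag check) as a small Python model. This is an added example, not IOS code and not from the original slides; Packet, Ace and evaluate are names chosen for the model. The sample lists reproduce the deck's entries (the even/odd standard lists and the extended placement example denying 221.23.123.0 to 198.150.13.34); the packets fed to them are constructed.

```python
"""Model of Cisco IOS IPv4 ACL matching: top-down, first match wins, implicit deny.

Added example for this page; not IOS code and not from the original slides. The
Packet/Ace/evaluate names are this model's own. Sample ACLs reproduce the deck's
entries; the packets fed to them are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                      # (address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to


def host(a: str) -> Addr:
    """What the 'host' keyword expands to: wildcard 0.0.0.0, every bit must match."""
    return (a, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the entry's bit. Bit 1: don't care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(op: Optional[str], args: Tuple[int, ...], port: int) -> bool:
    """The extended-ACL port operators; no operator means any port."""
    if op is None:
        return True
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {op}")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"        # "tcp", "udp", "icmp", ...
    dport: int = 0
    ack: bool = False
    rst: bool = False


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    src: Addr                 # a standard ACL tests only this field
    proto: str = "ip"         # "ip" matches every IP protocol
    dst: Optional[Addr] = None
    dst_op: Optional[str] = None          # eq/neq/gt/lt/range on the destination port
    dst_args: Tuple[int, ...] = ()
    established: bool = False             # 'established': ACK or RST set (a flag check, not state)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(p.dst, *self.dst):
            return False
        if not port_match(self.dst_op, self.dst_args, p.dport):
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); index None means the implicit deny fired."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


# access-list 4 deny 210.93.105.0 0.0.0.254 / access-list 4 permit any  (even-numbered hosts)
ACL_EVEN = [Ace("deny", ("210.93.105.0", "0.0.0.254")), Ace("permit", ANY)]
# access-list 4 deny 210.93.105.1 0.0.0.254 / access-list 4 permit any  (odd-numbered hosts)
ACL_ODD = [Ace("deny", ("210.93.105.1", "0.0.0.254")), Ace("permit", ANY)]
# Extended list for the placement example: deny 221.23.123.0/24 to the server, permit everything else.
ACL_SERVER = [
    Ace("deny", ("221.23.123.0", "0.0.0.255"), dst=host("198.150.13.34")),
    Ace("permit", ANY, dst=ANY),
]
# Only return traffic of TCP sessions opened from inside; a bare SYN falls through to the implicit deny.
ACL_RETURN = [Ace("permit", ANY, proto="tcp", dst=ANY, established=True)]
# A list with no permit entry: anything not explicitly denied still hits the implicit deny.
ACL_NO_PERMIT = [Ace("deny", ("10.0.0.0", "0.255.255.255"))]

if __name__ == "__main__":
    for name, acl, pkt in [
        ("even host via ACL_EVEN", ACL_EVEN, Packet("210.93.105.4", "8.8.8.8")),
        ("odd host via ACL_EVEN", ACL_EVEN, Packet("210.93.105.5", "8.8.8.8")),
        ("blocked net to server", ACL_SERVER, Packet("221.23.123.7", "198.150.13.34")),
        ("blocked net to Internet", ACL_SERVER, Packet("221.23.123.7", "8.8.8.8")),
        ("new SYN to inside", ACL_RETURN, Packet("203.0.113.9", "10.0.0.5", dport=22)),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

The index returned by evaluate is the same thing the per-entry hit counters of show access-lists tell you on a real router: which line decided, or that nothing did and the implicit deny fired. Note that established only inspects flag bits, so a crafted packet with ACK set passes it; it is not session state.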
Ex. Masking a Host Range

– To mask a range of hosts within a subnet, it is often necessary to work at the binary level.
– For example, students use the range 192.5.5.0 to 192.5.5.127 and teachers use the range 192.5.5.128 to 192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0.
– How do you write an address and wildcard mask that denies one group yet permits the other?
Masking a Host Range

– Let's write the masks for the students.
  – First, write out the first and last host addresses in binary. Since the first 3 octets are identical, we can skip those: all their wildcard bits must be "0".
    – First host's 4th octet: 00000000
    – Last host's 4th octet:  01111111
  – Second, look for the leading bits shared by both (here only the leading 0).
    – 00000000
    – 01111111
  – These "bits in common" are to be checked, just like the common bits in the 192.5.5 portion of the addresses, so their wildcard bits are "0"; every bit that differs gets a wildcard bit of "1".
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255


Masking a Host Range

  – Third, add up the decimal value of the "1" wildcard bits, i.e. the seven low-order bits that differ: 64+32+16+8+4+2+1 = 127.
  – Finally, determine the address and wildcard mask:
    – The address (the slides call it the ip mask) can be any address in the range; convention says use the first one, and IOS stores the entry with the wildcarded bits cleared anyway.
    – The wildcard mask is all "0"s for the common bits and "1"s for the rest.
    – 192.5.5.0 0.0.0.127
  – What about the teachers? What would be their address and wildcard mask?
    – 192.5.5.128 (10000000) to 192.5.5.255 (11111111)
    – Answer: 192.5.5.128 0.0.0.127
  – Notice anything? The wildcard stayed the same (both ranges span 128 addresses) and only the address changed, because the single bit that separates the two groups is a common bit within each group.

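The common-leading-bits method above, carried through in Python for the general case. This is an added example, not from the original deck: range_to_wildcard implements the slide's procedure for a contiguous range and rejects ranges that are not a single block (192.5.5.1 to 192.5.5.127, the range in the slide caption, is one such case), split_range shows how such a range becomes several entries, and set_to_wildcard derives the non-contiguous masks used in the even/odd examples. The student and teacher ranges are the slides' values; the other inputs are constructed.

```python
"""Derive address/wildcard pairs from host ranges, following the common-leading-bits
method on the slides. Added example for this page, not from the original deck. The
student and teacher ranges are the slides' values; the other inputs are constructed.
"""
from ipaddress import IPv4Address, summarize_address_range
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]   # (address, wildcard mask)


def range_to_wildcard(first: str, last: str) -> Pair:
    """Single address/wildcard pair matching exactly [first, last].

    Every bit below and including the highest bit that differs between first and last
    becomes a wildcard 1; the shared leading bits stay 0. Raises ValueError when the
    range is not one block (e.g. 192.5.5.1-192.5.5.127, which needs several entries).
    """
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last")
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    # Exact only if the first host has all-zero and the last host all-one wildcard bits.
    if (lo & wildcard) != 0 or (hi & wildcard) != wildcard:
        raise ValueError(f"{first}-{last} is not a single wildcard block")
    return str(IPv4Address(lo)), str(IPv4Address(wildcard))


def split_range(first: str, last: str) -> List[Pair]:
    """General case: a contiguous range as the minimal list of pairs, one ACE each.

    A contiguous range that is a single block always has a contiguous wildcard, so CIDR
    summarisation gives the answer; each block's hostmask is its wildcard."""
    return [(str(n.network_address), str(n.hostmask))
            for n in summarize_address_range(IPv4Address(first), IPv4Address(last))]


def set_to_wildcard(addrs: Iterable[str]) -> Pair:
    """Single pair matching exactly a (possibly non-contiguous) set of hosts, e.g. the
    even hosts of a /24 give wildcard 0.0.0.254.

    Every bit that varies anywhere in the set must be a don't-care bit. The pair is exact
    only if the set fills all 2**popcount(wildcard) addresses the pair covers."""
    ints = sorted({int(IPv4Address(a)) for a in addrs})
    if not ints:
        raise ValueError("empty set")
    wildcard = 0
    for x in ints:
        wildcard |= ints[0] ^ x
    if len(ints) != 1 << bin(wildcard).count("1"):
        raise ValueError("set is not exactly one wildcard block")
    base = ints[0] & ~wildcard & 0xFFFFFFFF      # clear the don't-care bits, as IOS does
    return str(IPv4Address(base)), str(IPv4Address(wildcard))


def even_hosts(prefix: str) -> List[str]:
    """Constructed input: the even addresses of a /24 given as 'a.b.c'."""
    return [f"{prefix}.{i}" for i in range(0, 256, 2)]


if __name__ == "__main__":
    print(range_to_wildcard("192.5.5.0", "192.5.5.127"))     # students
    print(range_to_wildcard("192.5.5.128", "192.5.5.255"))   # teachers
    print(split_range("192.5.5.1", "192.5.5.127"))           # seven entries, not one
    print(set_to_wildcard(even_hosts("210.93.105")))         # the even-host example
```

The exactness check matters operationally: a pair that is merely "close" to the intended range either lets extra hosts through or blocks hosts it should not, and nothing on the router will warn you.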
Time Savers: the any command

– Since ACLs have an implicit "deny any" statement at the end, you must write statements to permit the traffic you do want through.
– Using our previous example, if the students are denied access and all others are allowed, you would write two statements:
    Lab-A(config)#access-list 1 deny 192.5.5.0 0.0.0.127
    Lab-A(config)#access-list 1 permit 0.0.0.0 255.255.255.255
– Since the last statement is commonly used to override the "deny any," Cisco gives you a shorthand, the any keyword:
    Lab-A(config)#access-list 1 permit any
Time Savers: the host command

– Many times a network administrator needs to write an ACL to permit (or deny) a single host. The statement can be written in two ways. Either...
    Lab-A(config)#access-list 1 permit 192.5.5.10 0.0.0.0
– or, using the host keyword in place of the all-zero wildcard...
    Lab-A(config)#access-list 1 permit host 192.5.5.10
Ext. ACL Misc

– Port and packet qualifiers. The options available after an extended entry can be listed with the IOS context help (?). For a UDP entry:
    access-list 106 permit udp any any ?
      eq          Match only packets on a given port number
      fragments   Check non-initial fragments
      gt          Match only packets with a greater port number
      log         Log matches against this entry
      log-input   Log matches against this entry, incl. input interface
      lt          Match only packets with a lower port number
      neq         Match only packets not on a given port number
      precedence  Match packets with given precedence value
      range       Match only packets in the range of port numbers
      tos         Match packets with given TOS value

Ext. ACL Misc. cnt.

– TCP header fields. A TCP entry offers the same options plus the TCP flag keywords:
    access-list 106 permit tcp any any ?
      ack          Match on the ACK bit
      eq           Match only packets on a given port number
      established  Match established connections
      fin          Match on the FIN bit
      fragments    Check non-initial fragments
      gt           Match only packets with a greater port number
      log          Log matches against this entry
      log-input    Log matches against this entry, incl. input interface
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      psh          Match on the PSH bit
      range        Match only packets in the range of port numbers
      rst          Match on the RST bit
      syn          Match on the SYN bit
      tos          Match packets with given TOS value
      urg          Match on the URG bit
– established matches any TCP segment with the ACK or RST bit set. It is a flag check, not connection tracking: a crafted segment with ACK set passes it, so it is not a substitute for a stateful firewall.
Naming ACLs

– One nice feature of Cisco IOS is the ability to name ACLs. A name is descriptive, and named lists are not limited by the classic numbered ranges (99 standard and 100 extended lists on the same router).
– Once you enter a named ACL, the prompt changes and you no longer have to repeat the access-list and access-list-number parameters on each line.
– In the example below, the ACL is named over_and as a hint to how it should be placed on the interface: out.

    Lab-A(config)# ip access-list standard over_and
    Lab-A(config-std-nacl)#deny host 192.5.5.10
    .........
    Lab-A(config-if)#ip access-group over_and out
Verifying ACLs

Show commands:
– show access-lists
  – shows all access lists configured on the router, with a per-entry match counter (the quickest way to confirm that an entry is actually being hit)
– show access-lists {name | number}
  – shows the identified access list
– show ip interface [type number]
  – shows the access lists applied to the interface, both inbound and outbound
– show running-config
  – shows all access lists and which interfaces they are applied on
– clear access-list counters [name | number]
  – resets the match counters, useful before generating test traffic
Enhanced Access Lists

Cisco routers support several enhanced types of access lists:
– Time-Based: access lists whose statements become active based on the time of day and/or day of the week.
– Reflexive: create dynamic openings on the untrusted side of a router based on sessions originating from the trusted side.
– Dynamic (Lock and Key): create dynamic entries after a user authenticates to the router.
– Context-Based Access Control (CBAC): allows secure handling of multi-channel connections based on upper-layer information.
Extended ACL

– Logging
    (config-ext-nacl)# permit tcp any any log-input
    (config-ext-nacl)# permit ip any any log
  log records matches (addresses, protocol, ports) to the console or syslog; log-input additionally records the input interface and source MAC address. Logging is rate-limited (the first match is logged, then periodic summaries) and costs CPU, so use it on specific entries rather than on a permit ip any any in production.
– Time based
    (config)# time-range bar
    (config-time-range)# periodic daily 10:00 to 13:00
    (config-time-range)# exit
    (config)# ip access-list extended tin
    (config-ext-nacl)# deny tcp any any eq www time-range bar
    (config-ext-nacl)# permit ip any any
  The deny entry is active only during the time range; the router clock decides whether it applies, so keep it NTP-synchronised.
IOS ACL Reflexive

– Reflect
  – A reflexive (temporary) entry is created dynamically when traffic matches a permit entry that carries the reflect keyword.
  – The temporary entry mirrors the matched packet (source and destination addresses and ports swapped), so only the return traffic of that session is admitted. It is removed when idle (the IOS default is 300 seconds) unless further traffic matches it; for TCP it is also removed once the session closes (FIN or RST seen).
  – The timeout keyword on the permit entry sets a higher or lower idle timeout for the entries that line creates.
  – Reflexive entries can be created for TCP, UDP, SCTP and ICMPv6 traffic.
– Evaluate
  – The evaluate entry tests the packet against the named reflexive list.
  – Multiple evaluate statements are allowed per ACL.
  – The implicit deny any any does not apply at an evaluate entry: if no temporary entry matches, matching continues with the entries that follow the evaluate.
– Caveat: reflexive ACLs track addresses and ports only and do not inspect payloads, so protocols that negotiate secondary channels (active FTP, for instance) need CBAC or a stateful firewall instead.
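The reflect/evaluate behaviour described above as a small Python model, added here as an example; it is not IOS code and not from the original slides. Flow, ReflexiveList, outbound and inbound are the model's own names, the flows and times are constructed, and time is passed in explicitly so the idle timeout is deterministic. One simplification: a single FIN removes the entry, where IOS waits for FINs in both directions.

```python
"""Model of IOS reflexive ACL behaviour (reflect / evaluate), written for this page.

Not IOS code and not from the original slides; flows, ports and times are constructed.
Simplification: a single FIN tears the entry down (IOS waits for FINs in both directions).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """The temporary entries created by 'permit ... reflect NAME'."""

    def __init__(self, timeout: int = 300):      # IOS default idle timeout: 300 seconds
        self.timeout = timeout
        self.entries: Dict[Flow, float] = {}     # mirrored flow -> expiry time

    def reflect(self, f: Flow, now: float) -> Flow:
        """Mirror a permitted outbound flow: swap addresses and ports, arm the idle timer."""
        mirrored = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
        self.entries[mirrored] = now + self.timeout
        return mirrored

    def evaluate(self, f: Flow, now: float, fin: bool = False) -> bool:
        """True if f matches a live temporary entry; refreshes the timer, or removes the
        entry when a TCP session is closing."""
        expiry = self.entries.get(f)
        if expiry is None:
            return False
        if expiry <= now:                        # idle too long: the entry has aged out
            del self.entries[f]
            return False
        if fin and f.proto == "tcp":
            del self.entries[f]
        else:
            self.entries[f] = now + self.timeout
        return True


# An inbound ACL is a list of entries: either an 'evaluate' (the reflexive list itself)
# or a static (action, predicate) pair.
Entry = Union[ReflexiveList, Tuple[str, Callable[[Flow], bool]]]


def outbound(refl: ReflexiveList, f: Flow, now: float) -> str:
    """Outbound ACL 'permit tcp any any reflect NAME': permit the flow and mirror it."""
    refl.reflect(f, now)
    return "permit"


def inbound(acl: List[Entry], f: Flow, now: float, fin: bool = False) -> str:
    for entry in acl:
        if isinstance(entry, ReflexiveList):
            if entry.evaluate(f, now, fin):
                return "permit"
            continue                             # no implicit deny at evaluate: keep matching
        action, pred = entry
        if pred(f):
            return action
    return "deny"                                # implicit deny at the real end of the list


def demo() -> Dict[str, object]:
    refl = ReflexiveList(timeout=300)
    # Inbound list: evaluate the reflexive entries, then statically allow inbound SMTP.
    acl: List[Entry] = [refl, ("permit", lambda f: f.proto == "tcp" and f.dport == 25)]
    client = Flow("tcp", "10.0.0.5", 40000, "203.0.113.9", 443)   # trusted host -> web server
    reply = Flow("tcp", "203.0.113.9", 443, "10.0.0.5", 40000)    # the server's answer
    results: Dict[str, object] = {}
    results["out"] = outbound(refl, client, now=0)
    results["reply"] = inbound(acl, reply, now=10)                                  # mirrored entry
    results["unsolicited"] = inbound(acl, Flow("tcp", "203.0.113.9", 443, "10.0.0.5", 40001), now=10)
    results["smtp"] = inbound(acl, Flow("tcp", "198.51.100.7", 5555, "10.0.0.25", 25), now=10)
    results["after_fin"] = (inbound(acl, reply, now=20, fin=True), inbound(acl, reply, now=21))
    outbound(refl, client, now=100)                                                 # new session
    results["timed_out"] = inbound(acl, reply, now=100 + 301)                       # idle > 300 s
    return results


if __name__ == "__main__":
    print(demo())
```

The "unsolicited" and "smtp" cases show why the implicit deny is suspended at the evaluate entry: a packet that matches no temporary entry still has to be compared against the static entries that follow, and only falls to the deny at the true end of the list.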
