Pages From Qwe

This document discusses router access lists and provides an example network configuration. It explains that routers compare packet fields sequentially against access list entries, and either have a default of permit or deny. The example shows an access list being used to control access from the Internet to an internal Ethernet LAN connected to a router. It provides an example access list format and two sample entries, one permitting all traffic from a 198 network and the other denying HTTP (port 80) from any source.

Uploaded by iwc2008007

Copyright: © Attribution Non-Commercial (BY-NC)

10.1 ROUTERS 435

configuration of several access lists to meet different organizational requirements.

n inan access list

Although there are considerable differences between routers with respect to their use of access lists, most devices operate very similarly with respect to two key operations. First, they commonly compare packet fields sequentially against the contents of the access list. This means that the first match determines if a router will accept or reject a packet. Secondly, routers either have a default of permit or deny. This means that unless an access list has entries to override the default, the default condition will be applied to all non-listed situations. As the best way to become familiar with access lists is by example, let us do so. In doing so we will use a generic command format for illustrative purposes that may or may not be applicable to specific routers.

For our first example we will assume that a router's access list is applicable to incoming packets received on a WAN connection and that the router using the list has only one LAN port. Thus, the access list does not include a port specification. Figure 10.1 illustrates an example of the network configuration associated with the router. In this example we will use an access list to control access to computers on the internal Ethernet LAN shown connected to the Internet.
Based upon the preceding, let us assume the format of
the access list is as follows:

Access-list [permit|deny] source address, port

In the preceding access list format, the port represents the numeric associated with the TCP or UDP process and is also referred to as the well-known port. Table 10.1 lists ten examples of well-known TCP/UDP ports.

If we assume that the asterisk is used as a wildcard in IP address and port process value fields, two examples of access list entries follow:

access-list permit 198.*.*.*, *
access-list deny *.*.*.*, 80
436 NETWORK SECURITY

[Figure 10.1 (diagram): the Internet connected to a Router, with a Web Server and an FTP Server on the private Ethernet LAN behind it. Annotation: By programming access lists based upon source and destination address and well-known port, you can control access to computers on your internal private network.]

Figure 10.1 Using a router access list to control packet flow from the Internet onto a private Ethernet LAN

Table 10.1 Well-known TCP/UDP ports

Port number   Use
20            FTP (data)
21            FTP (control)
23            Telnet
25            SMTP
43            Whois
53            DNS
69            TFTP
70            Gopher
79            Finger
80            HTTP

In the first example any packet with a source address on a 198 network regardless of port value is permitted. In the second example, incoming HTTP (port 80) from any address is denied. Readers should note that the two access list entries placed together in an access list would have the unintended effect of allowing all packets from network 198, including HTTP packets, to be permitted to flow through the router. Thus, if you wish to deny HTTP from network 198 you could either move the second access list entry to the top of the access list, or prefix the two access list entries with the following entry:

Access-list deny 198.*.*.*, 80
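The following simulator is an added example, not code from the book: it implements the generic access-list format above (first match wins, asterisk wildcards, a router-wide default) and checks the ordering pitfall just described. The entry syntax, the `permit`/`deny` keywords and the packets fed to it are assumptions made for the demonstration.

```python
# Added example (not from the book): evaluator for the generic format
# "access-list permit|deny source, port", with "*" as a wildcard in any
# address octet or in the port field. Entries are compared sequentially
# and the first match decides; otherwise the router's default applies.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    source: str   # dotted quad, each octet a number or "*"
    port: str     # well-known port as a string, or "*"


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'access-list deny *.*.*.*, 80' (syntax assumed from the text)."""
    _, action, rest = line.strip().split(None, 2)
    source, port = (part.strip() for part in rest.split(","))
    return Entry(action.lower(), source, port)


def matches(entry: Entry, src_ip: str, dst_port: int) -> bool:
    """True when every octet pattern and the port pattern fit the packet."""
    octets = zip(entry.source.split("."), src_ip.split("."))
    if not all(pat in ("*", actual) for pat, actual in octets):
        return False
    return entry.port == "*" or int(entry.port) == dst_port


def evaluate(acl, src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Sequential, first-match evaluation; fall through to the default."""
    for entry in acl:
        if matches(entry, src_ip, dst_port):
            return entry.action
    return default


# The two entries exactly as the text lists them, in that order.
ACL_AS_WRITTEN = [parse_entry(line) for line in (
    "access-list permit 198.*.*.*, *",
    "access-list deny *.*.*.*, 80",
)]
# The fix the text suggests: prefix an explicit deny for HTTP from network 198.
ACL_FIXED = [parse_entry("access-list deny 198.*.*.*, 80")] + ACL_AS_WRITTEN

if __name__ == "__main__":
    # Constructed sample packet: HTTP from a host on the 198 network.
    print(evaluate(ACL_AS_WRITTEN, "198.1.2.3", 80))  # permit (the pitfall)
    print(evaluate(ACL_FIXED, "198.1.2.3", 80))       # deny
```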
