ACL - Access Control List

Access Control Lists (ACLs) are used in networking to filter and classify traffic at the network and transport layers. There are two types of ACLs: standard, which only checks source IP addresses, and extended, which can check both source and destination IP addresses along with transport layer information. ACLs are processed in a top-down manner, and the last implicit rule is to deny any traffic that is not explicitly permitted.

Uploaded by

xyz873359
ACL - access control list

By default, all IP packets arriving at a router are routed; there are no restrictions.

- Access lists work at the network (L3) and transport (L4) layers and can be
used for two different things:
1. filtering 2. classification

1. filtering :- used to permit or deny traffic reaching a certain part of our
network.
Without filtering, traffic can go anywhere.

2. classification :- classification does not drop packets the way filtering does;
we use it to select traffic.

In the picture above we have a VPN that encrypts traffic between two routers. When we
create a VPN we can use an access list to select what traffic should be
encrypted, say I want traffic from network 10.1.1.0/24 to be encrypted but
traffic from 20.1.1.0/24 not. Using an access list to select traffic this way is
called classification.

[diagram: IP packets entering the router are inbound; packets leaving the router are outbound]

One example of what an access list looks like:


r1# show access-lists
Standard IP access list 1
10 permit 10.1.1.0, wildcard bits 0.0.0.255
20 permit 20.1.1.0, wildcard bits 0.0.0.255
30 permit 30.1.1.0, wildcard bits 0.0.0.255

In the above example there are three statements, numbered 10, 20 and 30.


The order of these statements is very important. Whenever a packet hits the access list,
this is what happens:

- Access lists are processed top down, so we first check whether the packet matches
statement 10.
- If it doesn't match statement 10 we check whether it matches statement 20.
- If it doesn't match statement 20 we check whether it matches statement 30.
- If it doesn't match statement 30, the packet is dropped.

* If a packet matches a certain statement there is an immediate action: the packet
is either permitted (forwarded) or denied (discarded).
For example, if a packet matches statement 10 the router will not
check whether it also matches statement 20.

At the bottom of every access list there is an implicit deny any,
which means that if you did not explicitly permit something it will be dropped anyway.
You don't see this deny statement, but it is there.
There are two types of access list we can use:
1. STANDARD ACCESS LIST = this access list is very basic since it can only check
the source IP; we cannot be more specific than that (numbers 1-99 or 1300-1999).
2. EXTENDED ACCESS LIST = it gives us many more options.
Not only can you check source and destination IP addresses, but you can also
match on transport layer information like TCP and UDP port numbers (numbers 100-199 or
2000-2699).

If you don't like numbers you can also use a named access list by choosing a name.
This works for both standard and extended access lists.

* Some important guidelines

1. First we create the access list globally and then we assign it to an interface.
2. You can only have a single ACL per interface per direction, so it is impossible to have 2 inbound
access lists on one interface.
3. Put the most specific statements at the top of your access list, because once a
packet matches a statement the router doesn't check whether it matches any other
statement.
4. Don't forget the last statement is the implicit deny any.

* Wildcard bits - these are just the inverse of the subnet mask (a 0 bit must match, a 1 bit is "don't care").

ex-  subnet mask      wildcard bits
     255.255.255.0    0.0.0.255

For example, our management wants:

1. 10.1.1.0/24 should not access the server 192.168.0.1
2. but 10.1.1.0/24 should be able to access the server 192.168.0.1/24
3. network 20.1.1.0/24 should be able to access both servers

Note - a standard access list should always be applied close to the destination.

* Configuration of an access list

1. First we have to make the access list globally. To make an access list we have two
methods: 1. numbered 2. named
a. numbered ACL - syntax: r2(config)#access-list 10 permit/deny a.b.c.d wildcard | host a.b.c.d | any
r2(config)#access-list 10 deny 10.1.1.0 0.0.0.255
r2(config)#access-list 10 permit any
2. Now we have to apply this ACL on an interface.
As we know a standard ACL must be applied close to the destination, so we do accordingly:
r2(config)#interface fa0/1
r2(config-if)#ip access-group 10 out

b. named access list -

r2(config)#ip access-list standard xyz
r2(config-std-nacl)#5 deny/permit a.b.c.d wildcard | host a.b.c.d | any
r2(config-std-nacl)#permit any
r2(config)#interface fa0/1
r2(config-if)#ip access-group xyz out

* NOTE - a named access list is easier to use because we can edit statements and their
sequence numbers in a named access list, while in a numbered ACL we cannot edit
individual statements.

2. EXTENDED ACL - now what our management wants:

a. both networks must not use the HTTP service of both servers
b. network 10.1.1.0/24 should not reach the HTTPS service of server 192.168.0.1
c. both networks should not be able to ping both servers

NOTE - an extended ACL should be applied close to the source.

- Now, according to our requirements, we will make an ACL with statements that fulfil
our conditions, and we will apply that ACL on interface fa0/0 for outbound traffic.

a. numbered extended list - syntax:

r1(config)#access-list 100 permit/deny tcp|udp|icmp|eigrp|ospf source-network wildcard
destination-network wildcard eq (port number)

* To fulfil our first requirement we can make one easy statement, for example
access-list 100 deny tcp any any eq 80 (this blocks HTTP to every destination, not only the two servers).
If we don't want such a broad statement, we have to make 4 specific statements of the form:

r1(config)#access-list 100 permit/deny tcp|udp source-network wildcard destination eq port-number

- To fulfil our second requirement:

r1(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.0.1 eq 443

- To fulfil our third requirement:

r1(config)#access-list 100 deny icmp 10.1.1.0 0.0.0.255 host 192.168.0.1 echo
r1(config)#access-list 100 deny icmp 10.1.1.0 0.0.0.255 host 192.168.1.1 echo
r1(config)#access-list 100 deny icmp 20.1.1.0 0.0.0.255 host 192.168.0.1 echo
r1(config)#access-list 100 deny icmp 20.1.1.0 0.0.0.255 host 192.168.1.1 echo
r1(config)#access-list 100 permit ip any any

r1(config)#interface fa0/0
r1(config-if)#ip access-group 100 out
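The following is an added example (not part of the notes) that models how a router walks an access list: wildcard-bit matching, top-down first-match evaluation, and the implicit deny at the bottom. It encodes standard ACL 10 and the ACL 100 statements for requirements b and c exactly as written above; the names Ace, evaluate and wildcard_match are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # the keyword 'any'
def host(ip: str) -> Tuple[str, str]:      # the keyword 'host a.b.c.d'
    return (ip, "0.0.0.0")

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bits: a 0 bit must match the network exactly, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

@dataclass
class Ace:
    """One access-list statement. A standard ACL only ever sets seq, action and src."""
    seq: int
    action: str                       # "permit" or "deny"
    src: Tuple[str, str] = ANY        # (network, wildcard bits)
    proto: str = "ip"                 # "ip" matches every protocol
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None       # 'eq <port>' on the destination (tcp/udp)
    icmp_type: Optional[str] = None   # e.g. "echo"

def evaluate(acl, src, dst, proto="ip", dport=None, icmp_type=None):
    """Top-down, first match wins; the implicit 'deny any' catches everything else.
    Returns (action, seq); seq is None when the implicit deny fired."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, ace.seq    # immediate action: later statements are never checked
    return "deny", None

# Standard ACL 10 and the ACL 100 statements for requirements b and c, copied from the notes.
ACL_10 = [Ace(10, "deny", ("10.1.1.0", "0.0.0.255")), Ace(20, "permit")]
ACL_100 = [
    Ace(10, "deny", ("10.1.1.0", "0.0.0.255"), "tcp", host("192.168.0.1"), dport=443),
    Ace(20, "deny", ("10.1.1.0", "0.0.0.255"), "icmp", host("192.168.0.1"), icmp_type="echo"),
    Ace(30, "deny", ("10.1.1.0", "0.0.0.255"), "icmp", host("192.168.1.1"), icmp_type="echo"),
    Ace(40, "deny", ("20.1.1.0", "0.0.0.255"), "icmp", host("192.168.0.1"), icmp_type="echo"),
    Ace(50, "deny", ("20.1.1.0", "0.0.0.255"), "icmp", host("192.168.1.1"), icmp_type="echo"),
    Ace(60, "permit"),                                   # permit ip any any
]
```

Evaluating ACL_100 without its final permit (ACL_100[:-1]) shows the implicit deny dropping every packet that no statement explicitly permits.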

* named extended list -

r1(config)#ip access-list extended abc
r1(config-ext-nacl)#<sequence> permit/deny tcp|udp|icmp|ospf source-network wildcard destination-network wildcard eq port-number
