Access Lists

IP extended access lists range from 100-199. Any packet that does not match an access list rule is implicitly denied. The "any" keyword can be used instead of a source address and wildcard mask to match all source addresses. The "show ip interface" command can verify an access list is applied to an interface. The "show access-list" command allows viewing configured access lists.
© Attribution Non-Commercial (BY-NC)

Standard and Extended ACL

Access Lists
Access lists are a collection of permit and deny rules that are applied to an IP address. They are also known as filters.

STANDARD ACCESS LIST
Standard IP access lists check the source address of packets that could be routed and apply their rules to it. This provides the basic form of filtering. The result permits or denies the packet output for the entire protocol. The standard access list numbers are 1 through 99. Standard Access Lists are placed close to the destination.

EXTENDED ACCESS LIST
Extended IP access lists check both the source and the destination address of packets for filtering. They can also check for specific protocols, port numbers, and other parameters, which gives administrators more flexibility in describing the packets being referenced. This allows for a more granular method of controlling data flow. The extended access list numbers are 100 through 199. Extended Access Lists are placed close to the source.

DYNAMIC EXTENDED ACCESS LIST
Dynamic Extended Access Lists grant access to destinations on a per-user basis, through an authentication process.

INBOUND ACCESS LIST
Incoming packets are processed before being routed to an outbound interface.
PERMIT: Continue to process the packet after receiving it on the inbound interface.
DENY: Discard the packet.

OUTBOUND ACCESS LIST
Incoming packets are routed to the outbound interface and then processed through the outbound access list before transmission.
PERMIT: Send to buffer for processing.
DENY: Discard the packet. A special packet is sent to notify the sender that the destination is unreachable.

IMPLICIT DENY ANY
This is a statement at the end of every access list. Although this statement is not displayed in the router config, it is always active. Because of the implicit deny any, an access list should have at least one PERMIT statement in it; otherwise, the access list will block all traffic.

ACLs use a Wildcard mask to decide which bits of a network number are checked and which are disregarded. A wildcard bit of ZERO (0) means the corresponding bit of the octet is checked and must match. A wildcard bit of ONE (1) means the corresponding bit is disregarded. For example:


NETWORK        WILDCARD MASK   IDENTIFIES IPs BETWEEN
125.221.7.0    0.0.0.255       125.221.7.0 and 125.221.7.255
125.221.7.0    0.0.0.127       125.221.7.0 and 125.221.7.127
125.221.7.0    0.0.0.63        125.221.7.0 and 125.221.7.63
173.17.18.0    0.0.7.255       173.17.18.0 and 173.17.23.255

For 125.221.7.0 with wildcard 0.0.0.255, the zeros check the 125.221.7 network number and the ones (255) disregard all possible values of the 4th octet. The binary forms given for the rows are:
125.221.7.0 / 0.0.0.255:   01111101.11011101.00000111.00000000   01111101.11011101.00000111.00000000
125.221.7.0 / 0.0.0.127:   01111101.11011101.00000000.01111111
125.221.7.0 / 0.0.0.63:    01111101.11011101.00000000.00111111
173.17.18.0 / 0.0.7.255:   10101101.00010001.00010010.00000000   10101101.00010001.00010111.11111111
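The following Python script is an added example, not part of the original document, that computes the address range a network and wildcard mask pair identifies and renders the octets in binary so each row of the table above can be checked. The function names are the example's own. It also flags a wildcard that is not aligned with its network address: in the last row, 173.17.18.0 with 0.0.7.255 leaves the low three bits of the third octet unchecked, so the router treats the entry as 173.17.16.0 through 173.17.23.255, not a range starting at 173.17.18.0. An unaligned wildcard permits or denies more addresses than the entry appears to say, so it is worth checking before an ACL is applied.

```python
# Added example (not from the original document): work out which addresses a
# network/wildcard-mask pair identifies, and render the octets in binary so
# each row of the wildcard table can be checked by hand.
import ipaddress
from typing import Tuple


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def to_binary(ip: str) -> str:
    """Dotted-binary rendering, e.g. 125.221.7.0 -> 01111101.11011101.00000111.00000000"""
    return ".".join(format(int(octet), "08b") for octet in ip.split("."))


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form a single low-order run (0.0.7.255 yes, 0.255.0.255 no)."""
    w = ip_to_int(wildcard)
    return (w + 1) & w == 0


def is_aligned(network: str, wildcard: str) -> bool:
    """True when every 'don't care' bit of the network address is already 0."""
    return ip_to_int(network) & ip_to_int(wildcard) == 0


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the network; a 1 bit is disregarded."""
    w = ip_to_int(wildcard)
    return (ip_to_int(address) & ~w) == (ip_to_int(network) & ~w)


def wildcard_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address identified by network/wildcard.

    Only a contiguous wildcard describes a single range; anything else is
    rejected rather than silently reported as one block.
    """
    if not is_contiguous(wildcard):
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    net, w = ip_to_int(network), ip_to_int(wildcard)
    low = net & ~w   # clear the 'don't care' bits
    high = low | w   # set all of them
    return int_to_ip(low), int_to_ip(high)


if __name__ == "__main__":
    # Constructed input: the rows of the wildcard table on this page.
    rows = [("125.221.7.0", "0.0.0.255"), ("125.221.7.0", "0.0.0.127"),
            ("125.221.7.0", "0.0.0.63"), ("173.17.18.0", "0.0.7.255")]
    for network, wildcard in rows:
        low, high = wildcard_range(network, wildcard)
        print(f"{network:<13} {wildcard:<12} {low} to {high}")
        print(f"  {to_binary(low)}  {to_binary(high)}")
        if not is_aligned(network, wildcard):
            print(f"  note: {network} has 1 bits under the wildcard; the router matches from {low}")
```

Running the script prints each row with its computed range and binary octets; the alignment note appears only for the 173.17.18.0 row.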


Access list blocking traffic from an external network. The figure and example below show an ACL applied to the interfaces Ethernet 0 and Ethernet 1 to prevent traffic that did not originate from the 172.16.0.0 network from being passed out those interfaces.

Standard ACL to block non-172.16.0.0 traffic.

[Figure: Cisco 2503 router (IOS 11.0) with interface E0 on the 172.16.3.0 subnet (host 172.16.3.12) and interface E1 on the 172.16.4.0 subnet (host 172.16.4.13); traffic from non-172.16.0.0 networks arrives at the router.]

Outbound ACL

Router(config)#access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 1 out
Router(config)#interface ethernet 1
Router(config-if)#ip access-group 1 out

1 is the access list number, indicating a standard list.
permit indicates that traffic that matches the selected parameters will be forwarded.
172.16.0.0 is the IP address that will be used with the wildcard mask to identify the source network.
0.0.255.255 is the wildcard mask. 0s indicate positions that must match; 1s indicate "don't care" positions.
ip access-group 1 out links the access list to the interface as an outbound filter.


Standard ACL to Block Traffic from a single host.

[Figure: Cisco 2503 router (IOS 11.0) with interface E0 on the 172.16.3.0 subnet (host 172.16.3.12) and interface E1 on the 172.16.4.0 subnet (host 172.16.4.13); traffic from non-172.16.0.0 networks arrives at the router.]

Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out

1 = standard access list number
deny = traffic that matches the selected parameters will not be forwarded.
172.16.4.13 = IP address of the host to be denied
0.0.0.0 = mask required to match all bits
1 = standard access list number
permit = traffic that matches the selected parameters will be forwarded.
0.0.0.0 = IP address of the source host.
255.255.255.255 = wildcard mask for the "don't care" condition
ip access-group 1 out = links the access list to the interface as an outbound filter.


ACL blocking traffic from a single subnet. This list blocks the 172.16.4.0 subnet but allows all other subnets out Ethernet 0. Notice that because the list is not applied to Ethernet 0 or Serial 0, it does not affect traffic traveling on those interfaces.

Standard ACL to block traffic from a single subnet.

[Figure: Cisco 2503 router (IOS 11.0) with interface E0 on the 172.16.3.0 subnet (host 172.16.3.12) and interface E1 on the 172.16.4.0 subnet (host 172.16.4.13); traffic from non-172.16.0.0 networks arrives at the router.]

router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
router(config)# access-list 1 permit any
router(config)# interface ethernet 0
router(config-if)# ip access-group 1 out

1 = standard access list number
deny = traffic that matches the selected parameters will not be forwarded
172.16.4.0 = IP address of the source subnet to be denied
0.0.0.255 = wildcard mask with "don't care" conditions in the last octet
1 = standard access list number
permit = indicates that traffic that matches the selected parameters will be forwarded.
any = abbreviation for the source IP address and mask, and implies 0.0.0.0 255.255.255.255
ip access-group 1 out = links the access list to the interface as an outbound filter.

1. What is the number range for IP extended access lists?
2. What happens if a packet does not match any of the test conditions in an access list?
3. Instead of typing 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255, what keyword(s) can be used in an access list?
4. Which command is used to verify that a list was applied to an interface?
5. Which command allows you to view the access lists?


Extended ACL blocking FTP traffic from a specified subnet. To block FTP traffic from subnet 172.16.4.0 to 172.16.3.0 and permit all other traffic out interface Ethernet 0, you could create an ACL as shown below and apply it as an outbound filter on Ethernet 0.

Extended access list to deny FTP traffic from a specified subnet out a specific interface.
[Figure: Cisco 2503 router (IOS 11.0) with interface E0 on the 172.16.3.0 subnet (host 172.16.3.12) and interface E1 on the 172.16.4.0 subnet (host 172.16.4.13); FTP traffic from the 172.16.4.0 subnet is shown heading toward 172.16.3.0.]

Router(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Router(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
Router(config)#access-list 101 permit ip any any
Router(config)#interface ethernet 0
Router(config-if)#ip access-group 101 out

101 is the access list number, indicating that this is an extended IP access list.
deny indicates that traffic that matches the selected parameters will be blocked.
tcp indicates the TCP protocol in the protocol number field of the IP packet header. This is the transport protocol for FTP.
172.16.4.0 0.0.0.255 is the source IP address and wildcard mask.
172.16.3.0 0.0.0.255 is the destination IP address and wildcard mask.
eq 21 specifies the well-known port number for FTP control.
eq 20 specifies the well-known port number for FTP data.
ip access-group 101 out links access list 101 to interface E0 as an output filter.
The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit statement allows all other IP traffic out interface E0.
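The Python script below is an added example, not code from the original document or from Cisco, covering the standard access lists 1 shown earlier and the extended access list 101 above. It parses the numbered access-list lines used on this page into rules (supporting the "any" keyword, an explicit address and wildcard pair, and the IOS "host" shorthand, which the page itself does not use), then evaluates constructed packets against them with first-match semantics and the implicit deny any at the end of every list. The Packet and Rule types and all function names are the example's own; the packet fields are just enough to express source, destination, protocol and destination port.

```python
# Added example (not from the original document): parse the numbered
# access-list lines used on this page into rules, then evaluate constructed
# packets against them with first-match semantics and the implicit
# "deny any" at the end of every list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what the "any" keyword stands for


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the network; 1 bits are disregarded."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", ...; "ip" when unspecified
    dport: Optional[int] = None  # destination port, for tcp/udp


@dataclass
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]         # from "eq <port>", or None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def _take_addr(tokens: List[str]):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":      # IOS shorthand for "<addr> 0.0.0.0"
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl_line(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    if 1 <= number <= 99:        # standard list: source address only
        src, rest = _take_addr(rest)
        return Rule(number, action, "ip", src, ANY, None)
    if 100 <= number <= 199:     # extended list: protocol, source, destination, port
        proto, rest = rest[0], rest[1:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return Rule(number, action, proto, src, dst, dport)
    raise ValueError("unsupported access-list number: %d" % number)


def build_acl(lines: List[str]) -> List[Rule]:
    return [parse_acl_line(line) for line in lines]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """The first matching rule decides; no match means the implicit deny any."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed ACLs, copied from the configurations shown on this page.
ACL_1_SUBNET = build_acl([
    "access-list 1 deny 172.16.4.0 0.0.0.255",
    "access-list 1 permit any",
])
ACL_101_FTP = build_acl([
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
])

if __name__ == "__main__":
    ftp = Packet("172.16.4.13", "172.16.3.12", "tcp", 21)
    web = Packet("172.16.4.13", "172.16.3.12", "tcp", 80)
    print("ACL 1, host 172.16.4.13:", evaluate(ACL_1_SUBNET, ftp))   # deny
    print("ACL 101, FTP control:", evaluate(ACL_101_FTP, ftp))       # deny
    print("ACL 101, HTTP:", evaluate(ACL_101_FTP, web))              # permit
```

Two things the evaluator makes visible that the configuration listing alone does not: rule order matters, so putting "permit any" before the deny line shadows the deny completely, and a list that contains only deny lines drops every packet because of the implicit deny any. It also shows that access list 101 is directional: a TCP packet to port 21 travelling from 172.16.3.0 toward 172.16.4.0 is not matched by the deny lines and is permitted.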
