Chapter 10: Managing Traffic with Access Lists

Objectives

- Configure IP standard access lists
- Configure IP extended access lists
- Configure named access lists
- Monitor and verify access lists

Access Control Lists

ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Any traffic going through the interface is tested against certain conditions that are part of the ACL.

Access Lists: Purpose

- Used to permit or deny packets moving through the router
- Permit or deny Telnet (VTY) access to or from a router
- Other security tools lack the flexibility of basic traffic filtering
- Create dial-on-demand routing (DDR) "interesting traffic" that triggers dialing to a remote location

Reasons to Create ACLs

- Limit network traffic and increase network performance
- Provide traffic flow control
- Provide a basic level of security for network access
- Decide which types of traffic are forwarded or blocked at the router interfaces

Caution: adding complex access lists to an interface can increase latency.

Important Rules to Remember

- Packets are compared to each line of the access list in sequential order.
- Packets are compared with lines of the access list only until a match is made. Once a match is made and acted upon, no further comparisons take place.
- An implicit deny is at the end of each access list: if no matches have been made, the packet will be discarded.
- If you create a condition statement that permits all traffic, no statements added later will ever be checked.
- If you need additional statements in a standard or extended ACL, you must delete the ACL and re-create it with the new condition statements. This is why it's a good idea to edit a router's configuration on a PC using a text editor and then TFTP the configuration to the router, or use Notepad and cut and paste.

Packet and Upper-Layer Headers

You can create an ACL for each protocol you want to filter, for each router interface. There can be only one access list per protocol per interface. Cisco IOS ACLs check the packet and upper-layer headers.

Types of Access Lists

- Standard access list: filters by source IP address only.
- Extended access list: filters by source IP, destination IP, Layer 3 sub-protocols (ICMP, IGMP, etc.), Layer 4 (TCP/UDP port number) and the application layer.

Application of Access Lists

- Inbound access lists: packets are processed before being routed to the outbound interface.
- Outbound access lists: packets are routed to the outbound interface, then processed through the access list.

The "Man in the Router"

- Out: packets leaving the router's interface(s) and going to the network.
- In: packets arriving at the router's interface(s) from the network.

ACL Guidelines

- One access list per interface, per protocol, per direction
- End ACLs with a permit any command
- Create ACLs, then apply them to an interface
- ACLs do not filter traffic originated from the router
- More specific tests at the top of the ACL; new tests are placed at the bottom of the ACL
- Individual lines cannot be removed
- Put standard ACLs close to the destination
- Put extended ACLs close to the source

Standard IP Access Lists

    Router# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# access-list ?
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <1000-1099>  IPX SAP access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1200-1299>  IPX summary address access list
      <1300-1999>  IP standard access list (expanded range)
      <200-299>    Protocol type-code access list
      <2000-2699>  IP extended access list (expanded range)
      <300-399>    DECnet access list
      <600-699>    Appletalk access list
      <700-799>    48-bit MAC address access list
      <800-899>    IPX standard access list
      <900-999>    IPX extended access list

Creating a standard IP access list (permit or deny):

    Router(config)# access-list 10 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
    Router(config)# access-list 10 deny ?
      Hostname or A.B.C.D  Address to match
      any                  Any source host
      host                 A single host address

Using the host command:

    Router(config)# access-list 10 deny host 172.16.30.2

Classroom Example

Say you want to permit only Workstation 2 to access the 223.8.151.0 (yellow) network:

    access-list 20 permit host 192.5.5.12

The ip access-group command links an existing access list to an interface. Only one access list per interface, per protocol, per direction is allowed.

- access-list-number: indicates the number of the access list to be linked to this interface.
- in | out: selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default.

Step 1: Create the access list

    Lab-C# config t
    Lab-C(config)# access-list 10 permit 192.5.5.12 0.0.0.0

The implicit deny any does not need to be added; it behaves as if this line were present:

    access-list 10 deny 0.0.0.0 255.255.255.255

Step 2: Apply the access group to the interface(s)

    Lab-C(config)# interface e0
    Lab-C(config-if)# ip access-group 10

Step 3: Verify

    Lab-C# show ip interface      (allows you to view the placement of an access list)
    Lab-C# show access-lists      (displays the contents of all ACLs)

NOTE: To remove an access list, first enter the no ip access-group command (including the list number) for each interface where the list had been used, then enter the no access-list command with the list number.

Wildcards

What are they? They are used with access lists to specify a host, a network, or part of a network that the access list pertains to.

IP access lists use wildcard masking. Wildcard masking for IP address bits uses a 0 or 1 to identify how to treat the corresponding IP address bits:

- A wildcard mask bit of 0 means check the corresponding bit value.
- A wildcard mask bit of 1 means do not check (ignore) that corresponding bit value.

Example: 172.16.30.5 0.0.0.255. The 0s tell the router to match the first three octets exactly. The 255 tells the router the 4th octet can be any value. This shows how a full subnet (172.16.30.0) is specified.

An Online Wildcard Calculator

What if we wanted Router A to permit the entire Sales network and just the 172.16.50.2 station to get to the Administrative network?

Sample Network (Sybex Figure 10.1): Router A, Router B and Router C, each with an E0 interface; Administrative Network (172.16.10.2/24), Sales Network (172.16.30.2/24) and Engineering Network (172.16.50.2/24).

Using Wildcard Masks

    RouterA(config)# access-list 11 permit 172.16.30.0 0.0.0.255
    RouterA(config)# access-list 11 permit 172.16.50.2 0.0.0.0

Reading 172.16.30.0 0.0.0.255 octet by octet:

- 0: check, make sure the first octet is 172
- 0: check, make sure the second octet is 16
- 0: check, make sure the third octet is 30
- 255: don't check, permit any …
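The wildcard-mask matching, first-match evaluation and implicit deny described above, modelled in software for Router A's access-list 11. This is an added Python example, not code from the chapter or from Cisco IOS; it assumes a standard list (source address only) and represents "host X" as X 0.0.0.0 and "any" as 0.0.0.0 255.255.255.255, as IOS expands them.

```python
# Added example (not from the chapter): a small evaluator that applies the
# chapter's ACL rules: wildcard-mask matching, first-match evaluation in
# line order, and the implicit "deny any" at the end of every list.
import ipaddress
from typing import List, Tuple

# Each entry is (action, base address, wildcard mask), e.g. a "host X"
# line is (action, X, "0.0.0.0") and "any" is ("...", "0.0.0.0", "255.255.255.255").
AclEntry = Tuple[str, str, str]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True when addr matches base under a Cisco wildcard mask.

    A 0 bit in the wildcard means "check this bit", a 1 bit means "ignore
    it", so addr and base may only differ where the wildcard has 1 bits.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def evaluate_standard_acl(acl: List[AclEntry], src: str) -> Tuple[str, int]:
    """Compare src against each line in order and stop at the first match.

    Returns (action, line index). A line index of -1 means no line matched
    and the implicit deny at the end of the list discards the packet.
    """
    for idx, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src, base, wildcard):
            return action, idx
    return "deny", -1


def lines_never_checked(acl: List[AclEntry]) -> List[int]:
    """Indices of lines that can never be reached because an earlier line
    matches every source (wildcard 255.255.255.255), per the chapter's rule
    that nothing after a permit-all (or deny-all) statement is checked."""
    for idx, (_, _, wildcard) in enumerate(acl):
        if wildcard == "255.255.255.255":
            return list(range(idx + 1, len(acl)))
    return []


# Router A's access-list 11 from the chapter: the whole Sales network plus
# only the 172.16.50.2 station; everything else falls to the implicit deny.
ACL_11: List[AclEntry] = [
    ("permit", "172.16.30.0", "0.0.0.255"),
    ("permit", "172.16.50.2", "0.0.0.0"),
]
```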