Filters source IP addresses or IP network numbers – not destination. In this way, a router can deny a connected host access to specific destination addresses, or ranges of addresses. Access lists are managed in config mode.
Use the “deny” and “permit” options to configure access lists. When you deny access to a specific IP address, all attached devices are denied access to that address. Therefore, you must then issue “permit” commands to allow certain devices access, while keeping others denied.
Access lists are simply that – “access” lists. They have no entries that deny; they consist of entries of acceptance. A packet’s destination address must exist in the list or it is denied (discarded).
When an access list is created, it typically will have multiple “deny” entries (lines of text). The router will inspect the destination address of every incoming packet (except packets coming from the direction of the denied IP address). When a packet arrives:
- it is compared with each line in the access list, sequentially, line by line
- once a single line is found that matches that packet’s destination address, it is accepted and the processing stops – no more lines are inspected in the list for that packet
- by default, the packet must match a “permit” entry in the list or it will be discarded. This is why lists are comprised of one or more deny statements and one “permit any” statement. The trick is to have all packets permitted with the “permit any”, and then selectively deny packets
Here we cover the basics of 2 types of access lists:
Standard IP access lists - use only the source IP address for filtering. IPX standard lists use both source and destination.
Extended IP access lists - check source and destination address in the network layer, and the protocol and the port type (number, such as 23 for tcp) in the transport layer. IPX extended lists use source, dest, network layer protocol fields, and transport layer socket numbers
New entries are placed at the bottom of the list
Unless you use “named” access lists, you cannot remove just one line – the whole list will be removed. Therefore it is best to edit the list in a text editor.
*** at the end of every list there is an invisible, implicit “deny all”. By default, if a packet does not match any entries in the list it will be discarded. Therefore you need at least one permit entry per list – preferably at the bottom.
Once a list is created, you then issue a command to apply it to an interface as being either inbound or outbound – then the list is established as either an “inbound” or “outbound” list.
Inbound list – incoming packets (from the inbound interface) are processed through the list before being routed to the outbound interface
Outbound list – outgoing packets (packets that have been routed to the outbound interface) are processed through the list before actually being sent
NOTE: you can only have two access lists per interface per protocol – one inbound and one outbound. So, for a single interface, you could have 4 lists – two IP lists and two IPX lists.
Standard IP access lists 1-99
Extended IP access lists 100-199
config t
access-list # [permit/deny] source_address 0.0.0.0 - add entry to access list number #
int e0
ip access-group # out - MUST BE IN int MODE!! - assign access list to an interface
access-list 10 permit any - allow all traffic to pass, except for any deny entries in the list
NOTE1: the command to create and add lines to an access list does not need “ip” as the first parameter, because the number of the list that you select tells the router that it is an ip list. However, when assigning the list to an interface, there are no numbers and so you must type in the protocol at the beginning of the command (ip access-group # out)
NOTE2: the “any” command is the same as typing the range: 0.0.0.0 255.255.255.255
So the above permit command could also be typed as:
access-list 10 permit 0.0.0.0 255.255.255.255
To remove access list: no access-list 10
To add entries to the standard IP access list, using list 10 (the IP access lists are numbered from 1 to 99):
access-list 10 deny 172.16.50.2 0.0.0.0 - denies traffic from host 172.16.50.2
access-list 10 permit any - this allows all other IP addresses
int e0
ip access-group 10 out - assign list 10 to e0
Wildcards - the 0.0.0.0 in the access-list command is 4 flags, one for each octet. The value of “0” tells the router that the octet must be an exact match. If you want to allow a packet to be considered a match with wildcards (i.e. for a given octet, it can be anything) use 255 for that octet. For example, 0.0.0.255 tells the router to match exactly the first three octets, but the fourth octet can be any value (so that entire Class C range is included).
Wildcards with “block sizes” – you may need to allow any for a portion of an octet – not the entire octet. To do this you need two access-list commands with wildcards. For blocks of size “n”, they are defined oddly with “n-1” in the 3rd octet, and 255 in the fourth octet. For example, if you want to deny all users from 172.16.16.0 through 172.16.19.0, you can see that you need to include a block size = 4 in the third octet. So instead of simply using 4 in the third octet you would use 3 (which is 4-1) and then 255 in the fourth, as follows:
access-list 10 deny 172.16.16.0 0.0.3.255
Extended IP access lists - check source and destination address in the network layer, and the port number in the transport layer. IP extended access lists are numbered from 100 to 199.
access-list # [deny/permit] protocol source_addr dest_addr eq port_type
*** the addresses are shown as either: any or host address
and the word “any” is shorthand for the range: 0.0.0.0 255.255.255.255
*** remember, Standard lists only use one IP interface, the source - Extended lists use two IP interfaces, the source and the destination, in that order
*** extended lists are also much more flexible, and therefore require extra input on the command line. For example, you now have to tell the router if a source/dest address is either “any” address, or a “host” address (just one address). The word “any” must be used by itself, or the word “host” must precede the address. The descriptor of the port type goes “after” the address, such as “eq 23” (equal to port 23 – which is telnet)
- deny a telnet from host 172.16.11.2 to host 172.16.20.2
access-list 110 permit ip any 0.0.0.0 255.255.255.255 (same as “any any” )
with standard IP access lists we do not need “ip” or the numbers. For extended IP access lists,
int s0
ip access-group 110 in - since we are stopping incoming telnet packets from 172.16.11.2 from being routed, we are acting on the “inbound” interface, hence the “in” option. SAME FORMAT AS STANDARD LISTS
Example 2 – deny a range of IP addresses from using FTP from:
210.93.105.0 to 223.8.151.0
access-list deny tcp 210.93.105.0 0.0.0.255 223.8.151.0 0.0.0.255 eq ftp
- we used wildcards to follow the addresses – this tells the router that these are not simply source and dest addresses, but are instead defining a range
Since extended lists cause the Transport layer protocol and port number to be checked, you must include the layer 4 protocol, tcp. In this example we included the port type (telnet) instead of the number (23), but either could be used. eq means “equals”.
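As an added example (not part of the original notes), the following Python simulator ties together the first-match rule, the invisible “deny all”, the wildcard block sizes and the extended-list syntax described above: it parses access-list lines in the form used in these notes and evaluates packets against them. The telnet deny line, the list number for the FTP example and the port-name table are constructed from the description in the text, not copied from the page.

```python
import ipaddress

# Port names used in the notes; this mapping is assumed, not from the page.
PORT_NAMES = {"telnet": 23, "ftp": 21}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def parse_addr(tokens):
    """Consume 'any', 'host A', or 'A [WILDCARD]' (wildcard defaults to 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, (tokens.pop(0) if tokens and tokens[0] != "eq" else "0.0.0.0")

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line; 1-99 standard, 100-199 extended."""
    t = line.split()
    num, action, rest = int(t[1]), t[2], t[3:]
    entry = {"list": num, "action": action, "proto": None, "dst": None, "port": None}
    if 100 <= num <= 199:                       # extended: proto, src, dst [, eq port]
        entry["proto"] = rest.pop(0)
        entry["src"] = parse_addr(rest)
        entry["dst"] = parse_addr(rest)
        if rest[:1] == ["eq"]:
            entry["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    else:                                       # standard: source address only
        entry["src"] = parse_addr(rest)
    return entry

def evaluate(entries, src, dst=None, proto="ip", dport=None):
    """Return 'permit' or 'deny': lines are tried in order, the first match
    decides, and a packet matching no line falls into the implicit deny."""
    for e in entries:
        if not wildcard_match(src, *e["src"]):
            continue
        if e["dst"] is not None:                # extended-list checks
            if not wildcard_match(dst, *e["dst"]):
                continue
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if e["port"] is not None and e["port"] != dport:
                continue
        return e["action"]
    return "deny"                               # the invisible "deny all"
```

Ordering matters exactly as the notes say: putting “permit any” above a deny line makes that deny unreachable, which the simulator reproduces.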
- Standard IPX access lists are numbered from 800-899
- Extended IPX access lists are 900-999
- IPX SAP access lists are 1000-1099 (they cut down on SAP broadcasts)
access-list # [permit/deny] source_addr dest_addr (where “addr” is the
For example:
access-list 810 deny 50 10 - stop all network 50 IPX packets from reaching network 10
int e0
ipx access-group 810 out
access-list 810 permit -1 -1
NOTE: the address used in the example is just the 4-byte IPX “network” (0050 and 0010, with zeros dropped), not an interface. If you are adding an IPX interface to the access list, it will be the full IPX address which includes the MAC address:

for example, the IPX address: 0000.7C80.0000.8609.33E9