Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with Cisco IOS Release 12.0 or later. As mentioned earlier in this chapter, extended access lists can match on both source and destination addresses, as well as on the protocol type and port numbers. Following are some examples of extended access list syntax that allow you to filter several different types of traffic.

For Internet Control Message Protocol (ICMP) traffic, use the syntax shown in Example 3-35.

Example 3-35 Access List Syntax for ICMP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP) traffic, use the syntax shown in Example 3-36.

Example 3-36 Access List Syntax for IGMP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP traffic, use the syntax shown in Example 3-37.

Example 3-37 Access List Syntax for TCP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP) traffic, use the syntax shown in Example 3-38.

Example 3-38 Access List Syntax for UDP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

As you can see, extended access lists have a range of options to suit any requirement. The most often used extended access list options are as follows:

■ access-list-number—A number from 100 through 199, or from 2000 through 2699 (the expanded range), that identifies the list as an extended access list.

■ deny—Denies access if the conditions are matched.

■ permit—Permits access if the conditions are matched.

■ protocol—Specifies the protocol to filter. Common keywords include eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, and udp; the ip keyword matches any IP protocol. You can also specify the IP protocol number directly (an integer from 0 through 255).

■ source—Specifies the source address.

■ source-wildcard—Specifies the source wildcard mask.

■ destination—Specifies the destination address or network.

■ destination-wildcard—Identifies the destination wildcard mask.

You are expected to demonstrate your understanding of standard and extended access lists. You are not expected to memorize the available options in an extended access list. The options are provided in this chapter for your reference only. When constructing access lists, the built-in help feature (?) is extremely useful.

Here are a few more complex examples of access lists.

Example 3-39 Extended Access List Example

access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
! Permits DNS queries
access-list 100 permit icmp any any echo
! Permits ICMP ping requests
access-list 100 permit icmp any any echo-reply
! Permits ICMP replies
access-list 100 permit ospf any any
! Permits OSPF packets
access-list 100 permit tcp any any eq bgp
! Permits BGP to any device

In Example 3-39, access list 100 is not concerned with specific host addresses or networks; every entry uses any for both source and destination, so the list filters only on protocol and port.

The any keyword is shorthand for the address and wildcard pair 0.0.0.0 255.255.255.255. A wildcard bit of 1 means the corresponding address bit is ignored, so an all-ones wildcard matches every address. Entries are evaluated from the top down and the first match wins. Every access list ends with an implicit deny, so once the list is applied to an interface with the ip access-group command, any IP packet that matches none of the entries is dropped.
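The following configuration is an added example and is not part of Example 3-39 or the original text. It extends the Example 3-39 entries with a host-specific entry that uses a wildcard mask, permits return traffic with the established keyword, makes the implicit deny visible with an explicit logged deny, and binds the list to an interface. The interface name Serial0/0, the 10.1.1.0/24 management network, and the router address 192.0.2.1 are assumed for illustration.

```cisco
! Added example, not part of Example 3-39. Interface name, the 10.1.1.0/24
! management network and the router address 192.0.2.1 are assumed.
!
! Permit SSH to the router itself only from the assumed management network.
! Wildcard 0.0.0.255 means "ignore the last octet"; the host keyword is
! shorthand for a 0.0.0.0 wildcard (match every bit of the address).
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.1 eq 22
!
! The same service set as Example 3-39: SMTP, DNS, ping, OSPF and BGP.
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit ospf any any
access-list 101 permit tcp any any eq bgp
!
! Return traffic for TCP sessions opened from the inside: established
! matches only segments with the ACK or RST bit set, so a new inbound
! connection attempt (SYN only) does not match this entry.
access-list 101 permit tcp any any established
!
! Every access list ends with an implicit deny. Writing it explicitly with
! log makes dropped packets visible in the logging buffer and gives the
! entry a hit counter in show access-lists.
access-list 101 deny ip any any log
!
! Nothing is filtered until the list is bound to an interface.
interface Serial0/0
 ip access-group 101 in
!
! Verification commands (output omitted):
!   show access-lists 101
!   show logging
```

Order matters: because the first matching entry wins, the established entry is placed after the specific permits but before the deny, and the deny is last so that it never shadows a permit. Logging every denied packet costs CPU on a busy interface, so keep the log keyword on the deny only while you are verifying the list.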

The Cisco CD-ROM documentation provides additional quality examples of access lists. You should take some time to study the Cisco examples available on the CD-ROM and at Cisco.com under the Technical Documentation quick link.

Numbered access lists are difficult to manage because you cannot delete a single line: the no access-list form removes the entire list, so you must remove the list and re-enter every entry in the correct order. For a large access list that might contain over 1000 lines, edits are therefore made in a text file on a TFTP server and the file is copied into the router's configuration with the copy tftp command. I have worked with some access lists that were 2500 lines in length and took over 5 minutes to load on Cisco routers. Named access lists are easier to edit: an individual entry can be removed with the no form of that entry, although new entries are still appended to the end of the list. To insert a line in the middle of a named access list, you must first delete the entries from the insertion point onward and then re-add the ones you deleted after the new line. (Cisco IOS Release 12.3 and later assign a sequence number to every entry, which lets you insert an entry at a chosen position directly.) Search Cisco.com for the keywords "IP named access lists" for more configuration details on named access lists.
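The following configuration is an added example, not from the original text, showing the named access list editing workflow described above: removing a single entry, inserting an entry in the middle by deleting and re-adding the entries after the insertion point, and (on Cisco IOS Release 12.3 and later) inserting by sequence number instead. The list name EDGE-IN and the interface Serial0/0 are assumed for illustration.

```cisco
! Added example, not from the original text. The list name EDGE-IN and
! the interface Serial0/0 are assumed for illustration.
!
! Named extended access list; the 100-199 / 2000-2699 number ranges do
! not apply, and entries are typed without the access-list prefix.
ip access-list extended EDGE-IN
 permit tcp any any eq smtp
 permit udp any any eq domain
 permit tcp any any eq bgp
 deny ip any any log
!
! A single entry can be removed with the no form of that entry. With a
! numbered list, "no access-list 100 ..." removes the whole list instead.
ip access-list extended EDGE-IN
 no permit udp any any eq domain
!
! New entries are appended at the end, which would put them after the
! deny where they never match. To insert OSPF before the deny, remove
! the entries from the insertion point onward, then re-enter them in the
! required order:
ip access-list extended EDGE-IN
 no deny ip any any log
 permit ospf any any
 deny ip any any log
!
! Cisco IOS Release 12.3 and later number every entry (10, 20, 30, ...).
! Display the numbers, then insert directly between two existing entries
! without deleting anything:
!   show access-lists EDGE-IN
ip access-list extended EDGE-IN
 25 permit udp any any eq domain
!
! Bind the named list to the interface exactly as a numbered list.
interface Serial0/0
 ip access-group EDGE-IN in
```

Before and after each edit, check the list with show access-lists and confirm that the deny entry is still last; an entry appended after the deny is the most common mistake when editing a named list by hand.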

IP named access lists might be a likely scenario for the CCIE Security lab exam, so ensure that you are fully comfortable with both named and numbered access lists for the laboratory exam.

Now that you are familiar with some of the best practices used in securing Cisco IOS routers, the next section presents the best practices used in Layer 2 switched networks, in particular Cisco Catalyst switches.

NOTE As you may have noticed, the CCIE Security blueprint at times is a little difficult to understand. Having taken the CCIE Security examination a number of times has made me aware of exactly how the blueprint topics actually match up to examination content. It is the aim of the next few sections to ensure that you have the information you need to answer possible questions about security on switches. Having covered routing security, it is imperative to concentrate on the new content, namely securing Layer 2 devices in a Cisco-powered network.
