Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 4-4 illustrates the steps taken if an access list is configured on a Cisco router.

Figure 4-4 Access List Decision Taken by a Cisco Router
[Figure: decision flowchart; the recoverable labels are "Drop Packet", "No", and "Process IP Packet"]

If an incoming IP packet is received on a router and no access list is defined, the packet is forwarded to the IP routing software. If an access list is defined and applied, the packet is checked against the access list, and the appropriate permit or deny action is taken. The default action taken by any access list is to act on the explicitly defined permit and deny statements and to implicitly deny everything else. You will not see this implicit deny statement when you issue show ip access-lists, because it is the default behavior.

NOTE If the keyword out or in is not applied by the administrator when defining an IP filter on an interface, the default action is to apply the filter on the outbound traffic. Standard IP access lists range from 1 through 99 and 1300 through 1999. Extended IP access lists range from 100 through 199 and 2000 through 2699.

Standard IP access lists filter on the source address only. The Cisco IOS syntax is as follows:

access-list access-list-number {deny | permit} [source-address] [source-wildcard]

Table 4-6 describes the purpose of each field.

Table 4-6 Standard IP access-list Command Syntax Description

Command Field: Description

access-list-number: A number from 1 through 99 that defines a standard access list number. Versions of IOS 12.0 or later also have standard access lists ranging from 1300 through 1999.

deny: IP packet is denied if a match is found.

permit: IP packet is permitted if it matches the criteria, as defined by the administrator.

source-address: Source IP address or network. Any source address can be applied by using the keyword any.

source-wildcard (optional): Wildcard mask that is to be applied to the source address. This is an inverse mask, which is further explained with a few examples later in this section. The default is 0.0.0.0, which specifies an exact match.

After creating the access list as described in Table 4-6, you must apply the access list to the required interface using the following command:

ip access-group {access-list-number | name} {in | out}

Table 4-7 describes the purpose of each field.

Table 4-7 ip access-group Command Syntax Description

Command Field: Description

access-list-number: A number in the range from 1 through 99 and 1300 through 1999 that defines a standard access list number.

name: If you are using named access lists, that name will be referenced here.

in: Keyword that designates the access list as an inbound packet filter.

out: Keyword that designates the access list as an outbound packet filter. This is the default action.

The wildcard mask mentioned earlier in the access-list command is applied to the source address. Where a wildcard bit is binary 0, the corresponding address bit must match; where it is binary 1, the router ignores that bit, treating it as insignificant. For example, the mask 0.0.255.255 means that the first two octets must match, but the last two octets need not; hence the commonly used phrases care bits (0s) and don't care bits (1s).

For further clarification, look at some examples of using access lists.

Suppose you have found a faulty NIC card with the address 141.108.1.99/24. You have been asked to stop packets from being sent out Serial 0 on your router but to permit everyone else. In this situation, you need to deny the host address 141.108.1.99 and permit all other host devices. Example 4-32 displays the access list that fulfills this requirement.

Example 4-32 Access List Configuration

access-list 1 deny 141.108.1.99 0.0.0.0
access-list 1 permit 141.108.1.0 0.0.0.255

Next, you would apply the access list to filter outbound (the keyword out is supplied) IP packets on the Serial 0 interface. Example 4-33 applies the access list number 1 to the Serial interface (outbound packets). You can be a little wiser and filter the incoming packets on the Ethernet interface. This ensures that the packet is immediately dropped before it is processed by the CPU for delivery over the serial interface. Both examples are displayed in Example 4-33.

Example 4-33 Applying the Access-list

interface Ethernet0
 ip access-group 1 in
interface Serial 0
 ip access-group 1 out
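The decision process of Figure 4-4 and the order-dependence of Example 4-32 can be checked offline. The following Python is an added example written for this section, not code from the book or from Cisco IOS: it parses standard access-list statements with the wildcard semantics described above (a 0 bit must match, a 1 bit is ignored; the any and host keywords are real IOS shorthand), evaluates a source address against the list in first-match order, and falls through to the implicit deny that show ip access-lists never displays. The sample statements are the two lines of Example 4-32; the test also reverses them to show that the faulty host would slip through if the permit line came first.

```python
import ipaddress

# Constructed input: the two statements of Example 4-32.
EXAMPLE_4_32 = [
    "access-list 1 deny 141.108.1.99 0.0.0.0",
    "access-list 1 permit 141.108.1.0 0.0.0.255",
]


def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is a 'don't care' bit. The default 0.0.0.0 is an exact match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def parse_standard_acl(lines):
    """Turn 'access-list N {permit|deny} source [wildcard]' lines into entries.
    'any' means 0.0.0.0 255.255.255.255 and 'host X' means X 0.0.0.0 (IOS shorthand)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue  # not a standard access-list statement; ignore it
        number, action, source = tokens[1], tokens[2], tokens[3]
        if source == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif source == "host" and len(tokens) > 4:
            base, wildcard = tokens[4], "0.0.0.0"
        else:
            base = source
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"  # default: exact match
        entries.append({"number": number, "action": action, "base": base, "wildcard": wildcard})
    return entries


def evaluate(entries, source_ip):
    """Return (action, index of the matching entry). The first match wins; if no
    entry matches, the result is the implicit deny, reported with index None."""
    for index, entry in enumerate(entries):
        if wildcard_match(source_ip, entry["base"], entry["wildcard"]):
            return entry["action"], index
    return "deny", None


if __name__ == "__main__":
    acl = parse_standard_acl(EXAMPLE_4_32)
    for src in ("141.108.1.99", "141.108.1.5", "141.108.2.5"):
        print(src, evaluate(acl, src))
```

The index returned alongside the action is the piece of information you want when auditing a list: an index of None means the packet was dropped by the implicit deny rather than by any statement the configuration shows.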

Now look at a more complex example of using a standard access list. Suppose you have 16 networks ranging from 141.108.1.0 to 141.108.16.0, as shown in Figure 4-5.

You have assigned even subnets (2, 4, 6, 8, 10, 12, 14, and 16) to the Accounting department and odd subnets (1, 3, 5, 7, 9, 11, 13, and 15) to the Sales department. You do not want the Sales department to access the Internet, as shown in Figure 4-5. To solve this issue, you configure a standard access list. Figure 4-5 displays a simple requirement to block all odd networks from accessing the Internet.

You could configure the router to deny all the odd networks, but that would require many configuration lines.

NOTE Access lists are CPU-process-intensive because the router has to go through every entry in the access list for each packet until a match is made. If you want to determine the actual effect an access list has on your router, compare the CPU processes before and after activating an access list. Remember to check on a regular basis to see the big picture.

Figure 4-5 Standard Access List Example
[Figure: Sales Department and Accounting Department subnets behind the router; the router entry shown in the figure is "access-list permit 141.108.2.0 0.0.254.255"]

Instead, permit only even networks (2, 4, 6, 8, 10, 12, 14, and 16) with one IOS configuration line. To accomplish this, convert all networks to binary to see if there is any pattern that you can use in the wildcard mask.

Table 4-8 displays numbers 1 through 16 in both decimal and binary format.

Table 4-8 Example Calculation of Numbers in Binary

Decimal  Binary
1        00000001
2        00000010
3        00000011
4        00000100
5        00000101
6        00000110
7        00000111
8        00001000
9        00001001
10       00001010
11       00001011
12       00001100
13       00001101
14       00001110
15       00001111
16       00010000

Notice that odd networks always end in the binary value of 1, and even networks end with 0. Therefore, you can write your access list to match the even networks and implicitly deny everything else. Even numbers will always end in binary 0. You do not care about the first seven bits, but you must have the last bit set to 0. The wildcard mask that applies this condition is 11111110 (1 is don't care and 0 is must match; the first 7 bits are set to 1, and the last bit is set to 0).

This converts to a decimal value of 254. The following access list will permit only even networks:

access-list 1 permit 141.108.2.0 0.0.254.255

The preceding access list will match networks 2, 4, 6, 8, 10, 12, 14, and 16 in the third octet. The default action is to deny everything else, so only even networks will be allowed, and odd networks are blocked by default. Next, you would apply the access list to the outbound interface. Example 4-34 describes the full configuration.

Example 4-34 Applying the Access List

hostname R1
interface Serial0/0
 ip access-group 1 out
access-list 1 permit 141.108.2.0 0.0.254.255
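The binary-pattern method above can be generalised: for any set of networks, the bits on which they differ (plus their host bits) are exactly the don't-care bits of a single wildcard entry. The Python below is an added example written for this section, not the book's or Cisco's code. It derives that single entry for the even subnets of Figure 4-5, then enumerates which third-octet values 141.108.N.0 a given entry actually matches. The point a practitioner should take from it is that the one-line mask 0.0.254.255 matches every even third octet from 0 through 254, not just the eight networks that exist, so an entry written this way permits address space that has not been assigned yet. The network list is constructed from the text of Figure 4-5.

```python
import ipaddress

# Constructed from Figure 4-5: the even subnets assigned to Accounting.
EVEN_NETWORKS = [f"141.108.{n}.0/24" for n in range(2, 17, 2)]

# The entry the text derives by hand (Example 4-34).
BOOK_ENTRY = ("141.108.2.0", "0.0.254.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def derive_wildcard(networks):
    """Return (base, wildcard) for the smallest single entry covering every network:
    a wildcard bit is 1 wherever two networks disagree, or where the bit is a host bit."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    first = int(nets[0].network_address)
    dont_care = 0
    for net in nets:
        dont_care |= first ^ int(net.network_address)  # bits that differ between networks
        dont_care |= int(net.hostmask)                   # host bits never need to match
    base = first & ~dont_care & 0xFFFFFFFF               # care bits only; don't-care bits cleared
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(dont_care))


def permitted_third_octets(base, wildcard, lo=0, hi=255):
    """List the values N in [lo, hi] for which 141.108.N.0 matches the entry."""
    return [n for n in range(lo, hi + 1) if wildcard_match(f"141.108.{n}.0", base, wildcard)]


if __name__ == "__main__":
    print("book entry permits (1-16):", permitted_third_octets(*BOOK_ENTRY, 1, 16))
    print("book entry permits, total over 0-255:", len(permitted_third_octets(*BOOK_ENTRY)))
    derived = derive_wildcard(EVEN_NETWORKS)
    print("derived entry:", derived)
    print("derived entry permits over 0-255:", permitted_third_octets(*derived))
```

The derived entry (base 141.108.0.0, wildcard 0.0.30.255) is tighter than the book's because only five bits of the third octet vary across subnets 2 through 16, but it still admits networks 0 and 18 through 30: a set of eight consecutive even values is not a pure bit pattern, so no single standard-list entry matches it exactly. Where that over-match matters, list the networks individually and accept the extra lines the text warns about.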
