Extended Access Lists

Extended access lists use the numbers 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with IOS Release 12.0 or later. As mentioned earlier in this chapter, extended access lists can filter on both source and destination addresses, as well as on protocol type and port number. The following examples show the syntax used to filter several different types of traffic.

For Internet Control Message Protocol (ICMP), use the syntax shown in Example 4-35.

Example 4-35 Access List Syntax for ICMP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), use the syntax shown in Example 4-36.

Example 4-36 Access List Syntax for IGMP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, use the syntax shown in Example 4-37.

Example 4-37 Access List Syntax for TCP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), use the syntax shown in Example 4-38.

Example 4-38 Access List Syntax for UDP Traffic

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

As you can see, extended access lists have a range of options to suit any requirement. The most often used extended access list options are as follows:

• access-list-number—Provides a number ranging from 100 through 199, or from 2000 through 2699, that identifies an extended access list.

• deny—Denies access if the conditions are matched.

• permit—Permits access if the conditions are matched.

• protocol—Specifies the protocol you are filtering. Some common options include eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, and udp.

• source—Specifies the source address.

• source-wildcard—Specifies the wildcard mask applied to the source address (a 1 bit in the mask means that bit of the address is ignored).

• destination—Identifies the destination network.

• destination-wildcard—Specifies the wildcard mask applied to the destination address.

You are expected to demonstrate your understanding of standard and extended access lists. You are not expected to memorize the available options in an extended access list. The options are provided in this chapter for your reference only. When constructing access lists, the built-in help feature (?) is extremely useful.

Here are a few more complex examples of access lists.

Example 4-39 permits Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), ICMP echo and echo-reply, OSPF, and BGP packets. (BGP runs over TCP using port 179, which IOS also accepts as the keyword bgp.)

Example 4-39 Extended Access List Example

access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
! Permits DNS queries
access-list 100 permit icmp any any echo
! Permits ICMP ping requests
access-list 100 permit icmp any any echo-reply
! Permits ICMP replies
access-list 100 permit ospf any any
! Permits OSPF packets
access-list 100 permit tcp any any eq bgp
! Permits BGP to any device

In Example 4-39, access list 100 does not filter on specific hosts or networks at all: every entry uses any for both source and destination, so each decision rests purely on the protocol, the destination port, or the ICMP message type.

The any keyword is shorthand for the address and wildcard pair 0.0.0.0 255.255.255.255. Because every bit of the wildcard mask is set, every bit of the address is ignored and any address matches. Every access list also ends with an implicit deny ip any any. Once the list is applied to an interface, an IP packet that matches none of the configured entries is dropped, so anything you intend to allow must be permitted explicitly.
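The following is an added example, written for this page in Python rather than IOS, that simulates how the router evaluates an extended access list. It parses the entries of Example 4-39 (and a second, constructed list whose addresses are illustrative and not from the page), resolves the port keywords smtp, domain, bgp and www, applies the wildcard-mask rule described above, and returns the first matching entry or the implicit deny. Only the subset of the syntax used on this page is supported; the dynamic, precedence, tos, established and log options are not parsed.

```python
"""Added example (illustrative Python, not Cisco IOS code): first-match
evaluation of a Cisco-style extended access list.

Supported subset: 'access-list N {permit|deny} proto src [eq port] dst
[eq port] [icmp-message]', where an address spec is 'any', 'host A.B.C.D'
or 'A.B.C.D wildcard'. Rules applied are the ones IOS applies: entries are
tested top to bottom, the first match decides, and a packet matching no
entry falls through to the implicit 'deny ip any any'.
"""
import ipaddress

# Port keywords IOS accepts in place of numbers (only those used here).
PORT_NAMES = {"smtp": 25, "domain": 53, "bgp": 179, "www": 80}
# ICMP message keywords used on this page, mapped to ICMP type numbers.
ICMP_MESSAGES = {"echo": 8, "echo-reply": 0}


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(t, i):
    """Consume an address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":                 # any == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":                # host A.B.C.D == A.B.C.D 0.0.0.0
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq <port>' operator; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_entry(line):
    """Parse one access-list line into a dict of match fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    e = {"number": int(t[1]), "action": t[2], "proto": t[3], "icmp_type": None}
    e["src"], e["src_wc"], i = _parse_addr(t, 4)
    e["sport"], i = _parse_port(t, i)
    e["dst"], e["dst_wc"], i = _parse_addr(t, i)
    e["dport"], i = _parse_port(t, i)
    if e["proto"] == "icmp" and i < len(t):
        e["icmp_type"] = ICMP_MESSAGES[t[i]]
    return e


def _addr_match(addr, wildcard, candidate):
    """Wildcard-mask rule: bits that are 0 in the mask must match; 1 bits are ignored."""
    return ((addr ^ candidate) & ~wildcard & 0xFFFFFFFF) == 0


def entry_matches(e, pkt):
    """True if packet dict pkt (proto, src, dst, sport, dport, icmp_type) matches e."""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not _addr_match(e["src"], e["src_wc"], _ip(pkt["src"])):
        return False
    if not _addr_match(e["dst"], e["dst_wc"], _ip(pkt["dst"])):
        return False
    for key in ("sport", "dport", "icmp_type"):
        if e[key] is not None and e[key] != pkt.get(key):
            return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching line); the implicit deny is reported explicitly."""
    for line in acl_lines:
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e["action"], line
    return "deny", "implicit deny ip any any"


# Example 4-39 from the page, as the router would store it.
ACL_100 = [
    "access-list 100 permit tcp any any eq smtp",
    "access-list 100 permit udp any any eq domain",
    "access-list 100 permit icmp any any echo",
    "access-list 100 permit icmp any any echo-reply",
    "access-list 100 permit ospf any any",
    "access-list 100 permit tcp any any eq bgp",
]

# Constructed list (addresses are illustrative, not from the page) showing a
# wildcard mask and why order matters: one host in 10.1.1.0/24 is denied
# before the network-wide permit, and everyone else hits the implicit deny.
ACL_101 = [
    "access-list 101 deny tcp host 10.1.1.99 host 192.0.2.1 eq www",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.1 eq www",
]

if __name__ == "__main__":
    bgp = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1",
           "sport": 40000, "dport": 179}
    ssh = dict(bgp, dport=22)   # nothing in Example 4-39 permits port 22
    for pkt in (bgp, ssh):
        print("dport", pkt["dport"], "->", evaluate(ACL_100, pkt))
```

Running the script shows the BGP packet matched by the last entry of access list 100 and the SSH packet dropped by the implicit deny, which is the behaviour the paragraph above describes.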

The Cisco CD documentation provides additional quality examples of access lists. You should take some time to study Cisco's examples available on the CD and at www.cisco.com under the technical documents link.

Numbered access lists are difficult to manage because you cannot delete a specific line: you must remove the entire access list and re-enter the new list with the entries in the correct order. For a large access list that might contain over 1000 lines, edits are therefore made in a text file on a TFTP server and the whole list is copied back to the router's configuration. I have worked with some access lists that were 2500 lines in length and took over 5 minutes to load on Cisco routers. Named access lists, on the other hand, allow you to remove a single entry with the no form of the command and to determine where in the list a new line is placed. For more detail on named access lists, see www.cisco.com/en/US/customer/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9817.html.

This is a likely scenario for the CCIE Security lab exam, so ensure that you are fully comfortable with both named and numbered access lists.
