There are 2 types of access-list
- Named (it’s not new type, think of it as the advanced version of Strandard named/Extended named)
Facts about access-lists
- contain a statements of permit or deny and each statement is 1 line.
- each line has a permit or deny statement.
- each line has a sequence number. starting from 10,20,30 .
- each line you add will take the next sequence number.
- the matching will start from line 1 then line 2 , line 3 and so on.
- Named mode enable you to squeeze statements on the middle.
- work the same as if/else programming statements, if : first line match then apply/ else : go next line.
- if a match found the access-list will upon that match and will not continue to the lines after that.
- there is an implicit deny at the end of any access-list.
- Tip : Better put the most-specific route on the top.
- traffic is filtered on passing though the router, not created on the router.
- it has no effect until you apply it.
- use access-group to apply on interface ,,, access-class to apply to VTY lines (telnet sessions ).
you can assign only one access-list inpound and one access-list outpound for an interface.
inpound is going into interface , outpount is going out of interface
- Matching only based on Source address .
- range number : (1-99) or the extended range (1300-1999).
- cannot be edited,of course you can add a line but if you want to remove a line you have to remove the whole access-list then apply it again. (you can use a note pad)
- applied as close as possible to the destination .
- look at the diagram and imagine that you set the standard access-list at R1 to prevent a computer on accounting to reach Sales. you will end up blocking this IP from going any where .
- so to avoid so set that on R2 f0/0 out
R1(config)#access-list 20 permit any (permit any IP) R1(config)#access-list 20 permit 0.0.0.0 255.255.255.255 (permit any IP) Both are the same meaning
R1(config)#access-list 20 deny host 172.16.0.2 (deny the source IP 172.16.0.2) R1(config)#access-list 20 deny 172.16.0.2 (deny the source IP 172.16.0.2) R1(config)#access-list 20 deny 172.16.0.2 0.0.0.0 (deny the source IP 172.16.0.2) all give the same meaningR1(config)#access-list 20 permit 172.16.0.2 0.0.0.255 (permit network 172.16.0.2/24)
R1(config)#interface fastethernet 0/1 R1(config-if)#ip access-group 20 out (or in)
- Matching based on
- source IP address
- destination IP address + destination Port numbers
- range number : ( 100 – 199) or the extended range ( 2000- 2699)
- editing is the same as standard type.
- applied as close as possible to the source
- because you don’t need the traffic to travel across the whole network, and it get blocked at the end, the will consume unnecessary bandwidth.
R10(config)#access-list 110 permit ip any any R10(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 Both are the same,and both will appear on the routing table as any any . permit any ip going to any ip.R10(config)#access-list 110 deny ip 172.16.64.0 0.0.31.255 172.16.96.0.0 0.0.31.255 this will block net 64 from reaching 96.R10(config)#access-list 110 deny tcp any host 172.16.50.5 eq 80 deny any TCP HTTP traffic going to host 172.16.50.5(the webserver).
R10(config)#interface fastethernet 0/1 R10(config-if)#ip access-group 20 out (or in)
well, as you can see 110 and 20 . imagine a company with a lot of access-lists , this will be a nightmare .
it’s like what was 110 for ? and that’s where the use of named access-list
- You can edit any existing normal access-lists using this mode (so existing numbered ACL can be treated as named ACL)
- example : standard 19 , R1(config)#ip access-list standard 19 … add and remove what you like.
- in the running config it will still appear as access-list not IP access-list
- it’s the same as before but instead of numbers we are going to give the access-list a name. (the name can be number)
- can be edited by removing a line or adding a line between the lines .
- to use this mode we just add IP before access-list.
- you can use a number as a name.
R10(config)#ip access-list standard BlockSales R10(config-std-nacl)#
and when applying
R10(config-if)#ip access-group BlockSales out (or in)
very easy to understand what this ACL do from it’s name.
approaches with access-lists
- permit what should be permitted and deny anything else.
- (Much better but harder since you have to be familiar with all the ranges you are going to use)
- Deny what should be denied and permit anything else.
- between those are editing, like applying a permit for a host on denied network and insert it before the deny.
Working with sequence numbers
- you have to know that access-lists don’t reserve their sequence numbers like prefix-lists.
- so when you reboot the router the list-order will remain the same but the sequence number will change to the default.
- you can adjust the default sequence start and the period between the sequences.(in case 10 edit’s is not enough)
R10(config)#ip access-list standard Block-all R10(config-std-nacl)#permit any (this seq 10 was there so we are going to remove it) R10(config-std-nacl)#deny 172.16.64.0 0.0.31.255 (Sales) seq 20 R10(config-std-nacl)#deny 172.16.96.0 0.0.31.255 (accounting)seq 30 R10(config-std-nacl)#no 10 R10(config)#do show ip access Standard IP access list Block-all 20 deny 172.16.64.0, wildcard bits 0.0.31.255 30 deny 172.16.96.0, wildcard bits 0.0.31.255
now a week later we want to add between the lines
R10(config-std-nacl)#21 permit 172.16.96.1 0.0.0.0 (Permit this IP from Accounting) R10(config-std-nacl)#22 deny 172.16.32.0 0.0.31.255 (security) R10(config-std-nacl)#permit 172.16.64.1 (permit this IP from Sales this will take seq 40) R10(config-std-nacl)#do show ip access-list Standard IP access list Block-all 21 permit 172.16.96.1 (wrong place ?) 40 permit 172.16.64.1 (wrong place ?) 20 deny 172.16.64.0, wildcard bits 0.0.31.255 22 deny 172.16.32.0, wildcard bits 0.0.31.255 30 deny 172.16.96.0, wildcard bits 0.0.31.255
well about the wrong placement , this an automatic feature of the IOS to put host routes on the TOP. ( only with standard access-lists) don’t depend on that and use srq numbers .. seq 22 went to the right place since it network IP
R10#show ip access-lists Standard IP access list Block-all 10 permit 172.16.96.1 20 permit 172.16.64.1 30 deny 172.16.64.0, wildcard bits 0.0.31.255 40 deny 172.16.32.0, wildcard bits 0.0.31.255 50 deny 172.16.96.0, wildcard bits 0.0.31.255
New sequence numbers but the list still in the same order.
now what if you can’t reboot your router, and you have to make more than 10 edit’s .
R10(config)#ip access-list resequence Block-all 30 20 (start from 30,period) R10#show ip access-list Standard IP access list Block-all 30 permit 172.16.96.1 50 permit 172.16.64.1 70 deny 172.16.64.0, wildcard bits 0.0.31.255 90 deny 172.16.32.0, wildcard bits 0.0.31.255 110 deny 172.16.96.0, wildcard bits 0.0.31.255
well,even if you applied the same range it will just re-arrange them, and start squeeze what you want, with out rebooting.
Using the log option
R10(config-std-nacl)#deny any log log any match to this line
Using the remarks
- remarks are like descriptions for each line on the list .
here is the diagram again so you don’t scroll up.
you can achieve this by many way’s. well, i will just go with what came into my mind.
let’s use extended access-list and i will put it close to the source on the f0/0
create an access list for each router for flow between vlans and another access-list for telnetting.
R2(config)#ip access-list extended FlowRules R2(config-ext-nacl)#deny ip any 172.16.64.0 0.0.31.255 R2(config-ext-nacl)#deny ip any 172.16.32.0 0.0.31.255 R2(config-ext-nacl)#deny tcp any any eq 80 443
R2(config)#ip access-list extended PreventTelnetting R2(config-ext-nacl)#deny tcp 172.16.64.0 0.0.63.255 any eq 23 i denied Both networks in one statement, but i over-exceed the target and they will not be able to telnet any where.
R2(config-if)#ip access-group FlowRules in R2(config)#line vty 0 15 R2(config-line)#access-class PreventTelnetting in
R2#show ip access-list Extended IP access list FlowRules 10 deny ip any 172.16.64.0 0.0.31.255 20 deny ip any 172.16.32.0 0.0.31.255 30 deny tcp any any eq www 443 40 permit ip any any Extended IP access list PreventTelnetting 10 deny tcp 172.16.64.0 0.0.63.255 any eq telnet