Access lists are used to filter unwanted packets when implementing security policies. They can permit or deny packets moving through the router, and they can permit or deny Telnet access to or from the router itself.
An access list does not have to stop traffic outright: referenced from a routing protocol as a distribute list, it controls the content of the routing advertisements rather than blocking them. Once lists are built, they can be applied to either inbound or outbound traffic on any interface.
There are a few important rules a packet follows when it is compared with an access list:
1. It is always compared with each line of the access list in sequential order, i.e. it always starts with the first line of the access list, then goes to line 2, then line 3, and so on.
2. It is compared only until a match is made. Once a line matches, the packet is permitted or denied by that line and no further lines are checked.
3. There is an implicit deny at the end of every access list, so a packet that matches no line is dropped. A list that contains only deny statements therefore blocks all traffic unless a permit line (for example permit any) is added.
Access-list number ranges:
Type          Range
IP Standard   1-99 and 1300-1999 (expanded range)
IP Extended   100-199 and 2000-2699 (expanded range)
Placement of ACLs
1. Standard ACLs should be placed as close to the destination devices as possible. A standard ACL filters on source address only, so placing it near the source would block that source's traffic to every destination, not just the one you intend.
2. Extended ACLs should be placed as close to the source devices as possible. Because they can match on source, destination, protocol and port, they can drop the unwanted traffic before it crosses the network.
There are some general access-lists guidelines:
1. We can assign only one access list per interface, per protocol, per direction. This means that
when creating IP access lists, we can only have one inbound access list and one outbound access
list per interface.
2. Organize your access lists so that the more specific tests are at the top of the access list.
3. Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a
text editor for access lists is highly suggested.
4. You cannot remove one line from a numbered access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is a named access list, which allows individual lines to be removed.
Host, any and wildcard masks
The source address, the next part of the command, requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny every host or network. You can use an IP address together with a wildcard mask to specify either a single host or a range of them. Or you can use the host command to specify a specific host only.
The wildcard mask is written after the address. To match a single host, every octet must match, so the wildcard is
0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value 255 is used. As an example, here is how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match the first three octets exactly, but the fourth octet can be any value.
Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size: the network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight networks to 172.16.15.0.
The block size must always be a power of two (2, 4, 8, 16, ...) and the starting network must be a multiple of that block size; a range such as 172.16.8.0 through 172.16.12.0 cannot be written as one wildcard and needs more than one line.
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255
This example tells the router to match the first three octets exactly, but the fourth octet can be anything.
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255
This example tells the router to match the first two octets and that the last two octets can be any value.
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This example tells the router to start at 172.16.16.0 and go up a block size of four networks, i.e. 172.16.16.0 through 172.16.19.255.
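As an added example (my own code, not part of the original notes or of Cisco IOS), the Python below computes the wildcards the text derives by hand and checks which addresses each of the three access-list 10 entries above would match. The function names are my own; the check in block_to_wildcard refuses a range that a single access-list line cannot express, which is the mistake the block-size rule guards against.

```python
import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the subnet mask with every bit inverted."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def block_to_wildcard(first: str, last: str) -> tuple[str, str]:
    """Express the inclusive range first..last as one network/wildcard pair.

    A single access-list line can only describe a block whose size is a power
    of two and which starts on a multiple of that size (172.16.8.0-172.16.15.255
    is 8 x 256 addresses starting on a multiple of 2048, hence 0.0.7.255).
    Any other range needs several lines, so refuse instead of silently
    widening the match to a bigger block.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("last address precedes first address")
    size = hi - lo + 1
    if size & (size - 1):
        raise ValueError(f"{size} addresses is not a power-of-two block")
    if lo % size:
        raise ValueError(f"range does not start on a multiple of its block size ({size})")
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """The router's comparison: every bit that is 0 in the wildcard must be
    identical in the address and the network; 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & (~w & 0xFFFFFFFF)) == 0


if __name__ == "__main__":
    # the /24 example and the block-of-eight example from the text
    print(wildcard_for_prefix(24))                              # 0.0.0.255
    print(block_to_wildcard("172.16.8.0", "172.16.15.255"))     # ('172.16.8.0', '0.0.7.255')
    # the three access-list 10 entries, tested against a few constructed source addresses
    probes = ("172.16.10.7", "172.16.17.9", "172.16.20.1", "10.1.1.1")
    for entry in (("172.16.10.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255"), ("172.16.16.0", "0.0.3.255")):
        print(entry, "matches", [ip for ip in probes if matches(ip, *entry)])
    try:
        block_to_wildcard("172.16.8.0", "172.16.12.255")        # five /24s: not one line
    except ValueError as err:
        print("cannot express as one line:", err)
```

Running the script shows the second entry (0.0.255.255) matching every 172.16.x.x probe, the third matching only 172.16.17.9, and the five-network range being rejected because no single wildcard covers exactly 172.16.8.0 through 172.16.12.255.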
Named ACLs
One disadvantage of numbered IP standard and IP extended ACLs is that you reference them by number, which says nothing about what the list is for. With a named ACL this is not the case, because you can give the list a descriptive name. An ACL named DenyMike is a lot more meaningful than one simply numbered 1. There are both IP standard and IP extended named ACLs.
Another advantage of named ACLs is that they let you remove individual lines from the list. With numbered ACLs you cannot delete individual statements; instead you have to delete the existing access list and re-create the entire list.
Named access lists are just another way to create standard and extended lists.
Router(config)#ip access-list ?
Notice that I started with ip access-list, not access-list. This is what lets me enter a named access list.
Router(config)#ip access-list standard BlockSales
I have specified a standard access list and then given it a name, BlockSales (a name cannot contain spaces). Notice that I could have used a number for a standard access list, but instead I chose a descriptive name. The prompt changes to the named-ACL sub-mode, where each permit or deny line is entered without the access-list prefix:
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#int e1
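The following added example (my own code, not from the original notes or from Cisco) ties the named list above to the matching rules given at the start of these notes. It parses IOS-style standard ACL text, including the BlockSales list, tests a source address against each entry top to bottom, stops at the first match and falls through to the implicit deny, and flags entries that an earlier, broader entry makes unreachable (the ordering problem guideline 2 warns about). The sample configuration string is constructed for the example and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (not from the page): the page's numbered list,
# the BlockSales list built above, and two lists that show common mistakes.
SAMPLE_CONFIG = """
access-list 10 deny 172.16.10.0 0.0.0.255
access-list 10 permit any
!
ip access-list standard BlockSales
 deny 172.16.40.0 0.0.0.255
 permit any
!
! The /24 permit on line 1 covers the host on line 2, so the deny is never reached.
ip access-list standard Shadowed
 permit 172.16.40.0 0.0.0.255
 deny host 172.16.40.7
 permit any
!
! Deny-only list: nothing is permitted, so the implicit deny drops everything.
ip access-list standard DenyOnly
 deny host 10.0.0.5
"""


@dataclass
class Entry:
    seq: int        # position in the list; 1 is tested first
    action: str     # "permit" or "deny"
    network: int    # source network as a 32-bit integer
    wildcard: int   # wildcard as a 32-bit integer; a 0 bit means "must match"


def _parse_source(tokens: list[str]) -> tuple[int, int]:
    """Decode any | host A.B.C.D | A.B.C.D W.W.W.W (a bare address means wildcard 0.0.0.0)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    network = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return network, wildcard


def parse_standard_acls(config: str) -> dict[str, list[Entry]]:
    """Collect standard ACLs from IOS-style text: numbered 'access-list N ...' lines and
    named 'ip access-list standard NAME' blocks. Entries keep the order they appear in."""
    acls: dict[str, list[Entry]] = {}
    current = None                          # named block we are inside, if any
    for raw in config.splitlines():
        tokens = raw.split("!")[0].split()  # '!' starts a comment in IOS
        if not tokens or "remark" in tokens[:3]:
            continue
        if tokens[:3] == ["ip", "access-list", "standard"]:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if tokens[0] == "exit":
            current = None
            continue
        if tokens[0] == "access-list":
            number = int(tokens[1])
            if not (1 <= number <= 99 or 1300 <= number <= 1999):
                continue                    # not in the standard-list number ranges
            name, action, source = tokens[1], tokens[2], tokens[3:]
        elif tokens[0] in ("permit", "deny") and current is not None:
            name, action, source = current, tokens[0], tokens[1:]
        else:
            continue
        entries = acls.setdefault(name, [])
        network, wildcard = _parse_source(source)
        entries.append(Entry(len(entries) + 1, action, network, wildcard))
    return acls


def evaluate(entries: list[Entry], src: str) -> tuple[str, str]:
    """Router rules: test top to bottom, stop at the first match, else implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for entry in entries:
        if ((addr ^ entry.network) & (~entry.wildcard & 0xFFFFFFFF)) == 0:
            return entry.action, f"entry {entry.seq}"
    return "deny", "implicit deny"


def shadowed_entries(entries: list[Entry]) -> list[int]:
    """Positions of entries that can never match because an earlier entry already
    covers every address they describe (a later entry is covered when all of its
    don't-care bits are don't-care in the earlier one and the fixed bits agree)."""
    dead = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            covers_bits = (later.wildcard & ~earlier.wildcard) == 0
            same_fixed = ((earlier.network ^ later.network) & ~earlier.wildcard & 0xFFFFFFFF) == 0
            if covers_bits and same_fixed:
                dead.append(later.seq)
                break
    return dead
```

For example, evaluate(acls["BlockSales"], "172.16.40.9") returns ("deny", "entry 1") while 172.16.50.1 is permitted by entry 2; the DenyOnly list returns ("deny", "implicit deny") for every address that is not 10.0.0.5, which is the trap rule 3 describes; and shadowed_entries(acls["Shadowed"]) reports entry 2, because the host deny sits below the /24 permit that already covers it.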