Access Lists

Lists of conditions that control access

Access Lists
Powerful tools that control access both to and from network segments Can filter unwanted packets Can be used to implement security

Applying Access Lists

Once Access Lists are built, they can be applied to either inbound or outbound traffic on any interface Applying an access list will then cause the router to analyse every packet crossing that interface in the specified direction and take action accordingly

Rules a Packet follows

Rules a packet follows when its being compared to an access list: It is always compared with each line of the access list I sequential order, i.e., it will always start with line 1, hen go to line 2, then line 3, and so on It is compared with lines of the access list only until a match is made. Once the packet matches a line of a list, it is acted upon, and no further comparisons take place There is an implicit deny at the end of each access list this means that if a packet doesn't match up to any lines in the access list, itll be discarded

Access List Types

Two types
Standard Extended

Standard Access List these only use the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols Extended Access Lists these check for both source and destination IP address, protocol field in the network

Applying Access List

Access Lists applied to an interface with either an inbound or outbound list: Inbound Access Lists packets are processed through the access list before being routed to the outbound interface Outbound Access Lists packets are routed to the outbound interface and then processed through the access list

Access List Guidelines

Assign only one access list per interface, per protocol, or per direction i.e. one outbound and one inbound per interface Organise ACLs so that the more specific tests are at the top Anytime a new list is added to an ACL it is added to the bottom One line cannot be removed from an ACL the whole lot will need retyping ACLs should end with permit any, because all packets are discarded if they do not meet any of the criteria Every list should have at least one permit statement otherwise you might as well shut down the interface Create access lists and then apply them to an interface Access lists are designed to filter traffic going through a router. They will not filter traffic originating from the router Place IP standard access lists as close to the destination as possible Place IP extended lists as close to the source as possible

IP ACL example with 3 LANS and a WAN connection

Finance 172.16.10.0
Server 172.16.10.5

E0 E1 Marketing 172.16.30.0 E2 S0 Internet

Sales 172.16.40.0

Standard IP ACL (I)

Standard IP access lists filter the network by using the source IP address in an IP packet RouterA(config)#access-list ? <1-99> IP standard list <100-199> IP extented list

Using the numbers 1-99 tells the router that you want to create a standard IP access list. You then decide if you are creating a permit or deny statement.
RouterA(config)#access-list 10 ? Deny Specify packets to reject Permit Specify packets to forward

Standard ACL (II)

Next step:

Use any command to permit or deny any host or network Use an IP address to specify or match a specific network or IP host Use the host command to specify a specific host only
Example using the host command: RouterA(config)#access-list 10 deny host 172.16.30.2 This tells the list to deny any packets from host 172.16.30.2. The default Command is host Another way to specify a specific host is to use wild cards. There is no option if you wish to specify a network or subnet

Standard ACLs (III)

Wildcards are used with access list to specify a host, network, or part or a network To understand wildcards useful to work in block sizes:
64 32 16 8 4 When you specify a range of addresses, you choose the closest block size for your needs to specify 18 hosts need a block size of 32

The Wildcard Mask

A wildcard mask is written to tell the router what bits in the address to match and what bits to ignore. A 0 bit means means check this bit position. A 1 means ignore this bit position. This is completely different than the ANDing process we studied in Semester 1. Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:
11000000.00000101.00000101.00001010 (Source address) 00000000.00000000.00000000.00000000 (Wildcard mask)

The Wildcard Mask

This table from the curriculum may help:

Masking Practice
On the next several slides, we will practice making wildcard masks to fit specific guidelines. Dont worry if you dont get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to master. Write an ip mask and wildcard mask to check for all hosts on the network: 192.5.5.0 255.255.255.0 Answer: 192.5.5.0 0.0.0.255 Notice that this wildcard mask is a mirror image of the default subnet mask for a Class C address. WARNING: This is a helpful rule only when looking at whole networks or subnets.

Masking Practice
Write an ip mask and wildcard mask to check for all hosts in the subnet: 192.5.5.32 255.255.255.224 If you answered 192.5.5.32 0.0.0.31 YOURE RIGHT!! 0.0.0.31 is the mirror image of 255.255.255.224 Lets look at both in binary: 11111111.11111111.11111111.11100000 (255.255.255.224) 00000000.00000000.00000000.00011111 (0.0.0.31) To prove this wildcard mask will work, lets look at a host address within the .32 subnet--192.5.5.55 11000000.00000101.00000101.00110111 (192.5.5.55) host address 11000000.00000101.00000101.00100000 (192.5.5.32) ip mask 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask

Masking Practice
Notice in the previous example (repeated below), some bits were colored blue. These bits are the bits that must match. 11000000.00000101.00000101.00110111 (192.5.5.55) host address 11000000.00000101.00000101.00100000 (192.5.5.32) ip mask 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask Remember: a 0 bit in the wildcard mask means check the bit; a 1 bit in the wildcard mask means ignore. The 0s must match between the address of the packet (192.5.5.55) being filtered and the ip mask configured in the access list (192.5.5.32) Write an ip mask and wildcard mask for the subnet 192.5.5.64 with a subnet mask of 255.255.255.192? Answer: 192.5.5.64 0.0.0.63

Masking Practice
Write an ip mask and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0? Answer: 172.16.128.0 0.0.127.255 Write an ip mask and wildcard mask for the subnet 172.16.16.0 with a subnet mask of 255.255.252.0? Answer: 172.16.16.0 0.0.3.255 Write an ip mask and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0? Answer: 10.0.8.0 0.0.7.255 By now, you should have the hang of ip mask and wildcard masks when dealing with a subnet. If not, go back & review.

Masking a Host Range

Masking will not be so easy during the Hands On final. Youll need to be able to deny a portion of a subnet while permitting another. To mask a range of host within a subnet, it is often necessary to work on the binary level. For example, students use the range 192.5.5.0 to 192.5.5.127 and teachers use the range 192.5.5.128 to 192.5.5.255. Both groups are on network 192.5.5.0 255.255.255.0 How do you write an ip mask and wildcard mask to deny one group, yet permit another?

Masking a Host Range

Lets write the masks for the students.
First, write on the first and last host address in binary. Since the first 3 octets are identical, we can skip those. All their bits must be 0
First Hosts 4th octet: 00000000 Last Hosts 4th octet: 01111111

Second, look for the leading bits that are shared by both (in blue below)
00000000 01111111 These bits in common are to be checked just like the common bits in the 192.5.5 portion of the addresses.
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

Masking a Host Range

Third, add up the decimal value of the 1 bits in the last hosts address (127) Finally, determine the ip mask and wildcard mask
The ip mask can be any host address in the range, but convention says use the first one The wildcard mask is all 0s for the common bits 192.5.5.0 0.0.0.127

What about the teachers? What would be their ip mask and wildcard mask?
192.5.5.128 (10000000) to 192.5.5.255 (11111111) Answer: 192.5.5.128 0.0.0.127 Notice anything? What stayed the same? changed?
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255

Specify a small range of subnets

If you wish to block access to part of a network that is in the range from 172.16.8.0 through 172.16.15.0 That is a block size of 8 The wildcard would be 0.0.7.255

Wildcard is one less than the block number

Access List Example (I)

RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255 This tells the router to match the first three octets and the last octet can be anything The next configuration tells the router to start at network 17.16.16.0 and use a block size of 4. The range would be 172.16.16.0 through 172.16.19.0 RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255

The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0
RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255

IP ACL example with 3 LANS and a WAN connection

Finance 172.16.10.0
Server 172.16.10.5

E0 E1 Marketing 172.16.30.0 E2 S0 Internet

Sales 172.16.40.0

Applying a standard ACL

The example has three LAN connections One WAN connection to the internet Users on sales LAN should not have access to the Finance LAN Should have access to the internet and marketing Marketing needs to access the Finance LAN for application service

IP ACL example with 3 LANS and a WAN connection

Finance 172.16.10.0
Server 172.16.10.5

E0 E1 Marketing 172.16.30.0 E2 S0 Internet

Sales 172.16.40.0

Router ACL Config

Acme router the following standard IP access list is applied: Acme# config t Acme(config) #access-list 10 deny 172.16.40.0 0.0.0.255 Acme(confg)# acecess-list 10 permit any (same as 0.0.0.0 255.255.255.255) At this point the access list is denying the SALES Lan and allowing everyone else Where should it be placed? If you place it as an incoming access list on E2 might as well shut down the ethernet interface The best place to put is the router E0 interface out bound

Acme(config)# int e0 Acme(config-if) ip access-group 10 out

Extended IP Access List

The example IP ACL had to block the whole subnet from getting to the finance department What if you wanted them to gain access to only a certain server on Finance LAN, but not to other nework service for security reasons Need extended ACL Extended IP ACL allow: Choice of source and destination IP address Protocol and Port number (identifies upper layer protocol or application) Using extended IP access list you can allow users access to the physical LAN and stop them using certain services

Extended IP Access List

Use extended range from 100 to 199
RouterA(config)#access-list 110 Specify permit or deny RouterA(config)#access-list 110 deny Then choose a network layer protocol field entry RouterA(config)#access-list 110 deny tcp Then choose the source and destination address RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

now going to match a given port number

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

Extended IP Access List

Keep in mind that the next line is an implicit deny any statement Therefore must place after: RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

Once access list has been created you must apply it to an interface. Use the same command as the IP standard list RouterA(config-if)ip access-group 110 in or

RouterA(config-if)ip access-group 110 outRouterA(config-if)ip access-group 11

IP ACL example with 3 LANS and a WAN connection

Finance 172.16.10.0
Server 172.16.10.5

E0 E1 Marketing 172.16.30.0 E2 S0 Internet

Sales 172.16.40.0

Extended IP Access List Example

Using the same example Deny access to a server on the finance department LAN for both Telenet and ftp services on server 172.16.10.5 All other services on the LAN are acceptable for the sales and marketing departments to access

Extended IP Access List example

Acme#config t Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21 Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21 Acme(config)#access-list 110 permit ip any any After the lists are created, they need to b applied to the Ethernet 0 port This is because the other three interfaces on the router need access to the LAN However, if this list were created to only block sales, then we would want to put this list closest to the source on ethernet 2 Acme(config-if)ip access-group 110 out