Access Lists


• Network traffic flow and security influence the design and management of computer networks

• Access lists are permit or deny statements that filter traffic both to and from a network segment based on one or more of
  – the source address,
  – the destination address,
  – the protocol type,
  – and the port number of a packet
  (a standard list uses only the source address; an extended list can use all four)

Problems with Access Lists

• One of the most common problems associated with access lists is a lack of planning

• Another troublesome area is the sequential nature in which you must enter the list into the router: statements are evaluated in the order entered, so a misordered line can shadow every line after it

• Many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list, because the list takes effect immediately and can cut off the very session they are typing in

Access List Rules

• Access lists are first created, and then they are applied to interfaces

• Inbound: direction is into the router
• Outbound: direction is out of the router

Access List Rules

• Routers apply list entries sequentially, in the order in which you type them into the router

• Routers test each packet against the entries sequentially

• A packet is processed only until a match is made; it is then acted upon (permitted or denied) according to the criteria in the matching access list statement, and no later statement is consulted

• Implicit deny any: blocks all packets that do not match any statement in the list, unless a permit any statement is placed at the end of the list

Access List Rules

• Access lists must be applied to an interface as either inbound or outbound traffic filters

• Only one list, per protocol, per direction can be applied to an interface

• You cannot remove one line from a numbered access list: no access-list <number> deletes the whole list, so edit the list offline and re-enter it

• Access lists are effective as soon as they are applied

Standard IP Access Lists

• Standard IP access lists
  – Filter network traffic based on the source IP address only
  – Are numbered 1 to 99 (and 1300 to 1999 in the expanded range)
  – Using a standard IP access list, you can filter traffic by a host IP, a subnet, or a network address

• Wildcard mask
  – Also called inverse mask
  – Applied to IP addresses to determine if an access list line will act upon a packet

Wildcard mask

• Used to specify part of a network
• Block sizes are powers of two: 64, 32, 16, 8, 4; the wildcard octet is the block size minus 1
• Examples
  deny 172.16.10.0 0.0.0.255      (one /24 network: 172.16.10.0 to 172.16.10.255)
  deny 172.16.0.0 0.0.255.255     (the whole 172.16.0.0/16 network)
  deny 172.16.16.0 0.0.3.255      (block of 4: 172.16.16.0 to 172.16.19.255)
  deny 172.16.16.0 0.0.7.255      (block of 8: 172.16.16.0 to 172.16.23.255)
  deny 172.16.32.0 0.0.31.255     (block of 32: 172.16.32.0 to 172.16.63.255)
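The following Python example is added here to make the wildcard-mask rule concrete; it is not part of the original slides. It treats the mask bit by bit (a 0 bit must match, a 1 bit is ignored), works out the address range and block size each of the slide's deny statements covers, converts a subnet mask to its wildcard, and flags the non-contiguous masks that IOS accepts but for which the block-size shortcut does not hold. The five statements are the slide's own, reused as constructed input; the function names and the block_size convention (size in the leftmost octet the wildcard leaves open) are this example's own.

```python
import ipaddress

# Added example, not from the original slides: how a Cisco-style wildcard
# (inverse) mask selects addresses. A 0 bit in the mask means "this bit of the
# packet address must equal the access-list address"; a 1 bit means "ignore
# this bit". The slide's five deny statements are reused as constructed input;
# the function names and the block_size convention are this example's own.

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted quad -> 32-bit integer (raises ValueError on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """True when packet_ip matches acl_ip: only the bits that are 0 in the
    wildcard are compared."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)


def wildcard_range(acl_ip, wildcard):
    """Lowest and highest address selected by a contiguous wildcard."""
    w = to_int(wildcard)
    low = to_int(acl_ip) & ~w & ALL_ONES
    return to_dotted(low), to_dotted(low | w)


def is_contiguous(wildcard):
    """IOS accepts any bit pattern, but the block-size shortcut only holds when
    the 1 bits form a single run at the low end (0.0.3.255 yes, 0.0.254.0 no)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def block_size(wildcard):
    """Block size in the leftmost octet the wildcard leaves open, i.e. that
    octet's wildcard value + 1: 0.0.3.255 -> 4, 0.0.31.255 -> 32,
    0.0.0.255 -> 256 (a whole octet), 0.0.0.0 -> 1 (a single host)."""
    for octet in wildcard.split("."):
        if int(octet):
            return int(octet) + 1
    return 1


def mask_to_wildcard(subnet_mask):
    """The wildcard is the bitwise inverse of the subnet mask: 255.255.252.0 -> 0.0.3.255."""
    return to_dotted(~to_int(subnet_mask) & ALL_ONES)


# The deny statements from the slide, as (address, wildcard) pairs
SLIDE_EXAMPLES = [
    ("172.16.10.0", "0.0.0.255"),
    ("172.16.0.0", "0.0.255.255"),
    ("172.16.16.0", "0.0.3.255"),
    ("172.16.16.0", "0.0.7.255"),
    ("172.16.32.0", "0.0.31.255"),
]


def describe(acl_ip, wildcard):
    """One line per statement: block size and the address range it covers."""
    low, high = wildcard_range(acl_ip, wildcard)
    return f"deny {acl_ip} {wildcard}: block size {block_size(wildcard)}, {low} to {high}"


if __name__ == "__main__":
    for acl_ip, wc in SLIDE_EXAMPLES:
        print(describe(acl_ip, wc))
    # 172.16.20.1 is outside the block of 4 starting at .16 but inside the block of 8
    print(wildcard_match("172.16.20.1", "172.16.16.0", "0.0.3.255"))
    print(wildcard_match("172.16.20.1", "172.16.16.0", "0.0.7.255"))
```

Running the script prints the range behind each slide statement, which is the check to do before typing a wildcard into a router: a mask such as 0.0.3.255 on 172.16.16.0 covers .16 through .19 only, so a host in 172.16.20.0 slips past that line and is judged by the next statement or by the implicit deny.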

Standard IP Access List Examples

Monitoring Standard IP Access Lists

• Three main commands are available for monitoring access lists on your router:
  – show access-lists
  – show ip access-lists
  – show ip interface (reports the inbound and outbound lists applied to each interface; plain show interfaces does not display access lists)

• It is a good idea to run each of these commands after creating and applying access lists

Lab

Extended IP Access Lists

• IP access lists that filter traffic by:
  – Source IP address
  – Destination IP address
  – Protocol type
  – Port number

• Numbered 100 to 199 (and 2000 to 2699 in the expanded range)

• Build the statement one keyword at a time; the ? at each step shows the options accepted at that position:
• Type R(config)#access-list ?
• Type R(config)#access-list 110 ?
• Type R(config)#access-list 110 deny ?
• Type R(config)#access-list 110 deny tcp ?
• Type R(config)#access-list 110 deny tcp any ?
• Type R(config)#access-list 110 deny tcp any host 172.16.30.2 ?
• Type R(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?

Extended IP Access Lists

Interpret these commands

R(config)#access-list 110 deny tcp host 172.16.20.10 host 172.16.30.2 eq 80
  (deny TCP from the single host 172.16.20.10 to the single host 172.16.30.2 on destination port 80, HTTP)

R(config)#access-list 110 deny tcp host 172.16.20.10 any eq 80
  (deny TCP from host 172.16.20.10 to any destination on port 80)

R(config)#access-list 110 deny tcp any any eq 80
  (deny all TCP traffic to port 80, from any source to any destination)

Note that each list as written contains only a deny statement; without a permit at the end, the implicit deny drops all other traffic as well.

Extended IP Access List Examples

Acme# config terminal
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)# access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)# access-list 110 permit ip any any
Acme(config)# int e0
Acme(config-if)# ip access-group 110 out

The first two statements block FTP (TCP port 21) and Telnet (TCP port 23) to the server 172.16.10.5; permit ip any any lets everything else through instead of leaving it to the implicit deny; the list is then applied outbound on interface e0.
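To show how a router actually reads a list like the Acme example, here is an added Python evaluator (not part of the original slides, and not Cisco code): it parses the numbered extended-ACL syntax used on these slides, tests a packet against the entries top to bottom, stops at the first match, and falls back to the implicit deny when nothing matched. The ACL text is the slide's, and the sample packets, the Packet type and the function names are this example's own constructions. It also evaluates the same list with the closing permit ip any any left out, which is the mistake the "implicit deny" rule earlier warns about.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added example, not from the original slides: an evaluator for the numbered
# extended-ACL syntax the slides use. It parses each statement the way a router
# reads it, tests a packet against the entries top to bottom, stops at the first
# match and falls back to the implicit "deny any" when nothing matched.
# The ACL text and the packets below are constructed sample input.

ALL_ONES = 0xFFFFFFFF
# A few IOS port keywords, so that "eq telnet" and "eq 23" parse the same way
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


class Packet(NamedTuple):
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for icmp


def wildcard_match(ip, acl_ip, wildcard):
    """Compare only the address bits that are 0 in the wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(acl_ip)) & care)


def parse_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((ip, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line):
    """'access-list 110 deny tcp any host 172.16.10.5 eq 21' -> entry dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    # Extended IP lists are numbered 100-199 (expanded range 2000-2699)
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended IP list number: {line!r}")
    src, rest = parse_address(tokens[4:])
    dst, rest = parse_address(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = int(rest[1]) if rest[1].isdigit() else PORT_KEYWORDS[rest[1]]
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def entry_matches(entry, pkt):
    """Protocol 'ip' matches every IP protocol; the port test applies only
    when the entry carries an 'eq' clause."""
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *entry["src"]):
        return False
    if not wildcard_match(pkt.dst, *entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == pkt.dport


def evaluate(acl_text, pkt):
    """First matching entry decides. Returns (action, matched statement), or
    ('deny', None) when the packet falls through to the implicit deny."""
    for line in acl_text.strip().splitlines():
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line.strip()
    return "deny", None


# The Acme list from the slide, and the same list without its closing permit
ACME_110 = """
access-list 110 deny tcp any host 172.16.10.5 eq 21
access-list 110 deny tcp any host 172.16.10.5 eq 23
access-list 110 permit ip any any
"""
ACME_110_NO_PERMIT = "\n".join(ACME_110.strip().splitlines()[:2])

SAMPLE_PACKETS = {  # constructed traffic from a workstation toward the server
    "ftp": Packet("tcp", "172.16.20.10", "172.16.10.5", 21),
    "telnet": Packet("tcp", "172.16.20.10", "172.16.10.5", 23),
    "http": Packet("tcp", "172.16.20.10", "172.16.10.5", 80),
    "ping": Packet("icmp", "172.16.20.10", "172.16.10.5"),
}


def compare_lists():
    """Action for each sample packet under the slide's list and under the same
    list with 'permit ip any any' left out (everything else is then dropped)."""
    return {name: (evaluate(ACME_110, pkt)[0], evaluate(ACME_110_NO_PERMIT, pkt)[0])
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (with_permit, without_permit) in compare_lists().items():
        print(f"{name:7}with permit: {with_permit:7}without permit: {without_permit}")
```

With the slide's list, FTP and Telnet to the server are denied and HTTP and ping are permitted; drop the final permit ip any any and every packet is denied, the FTP and Telnet ones by their explicit statements and the rest by the implicit deny. Two IOS behaviours the simulator deliberately leaves out: the direction keyword on ip access-group decides which traffic the list ever sees, and an outbound list does not filter packets the router itself originates.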

Extended IP Access List Examples

Type the commands to block host 172.22.5.2 from accessing web services (TCP port 80) on server 172.22.2.2

Monitoring Extended IP Access Lists

Standard IPX Access Lists

• Very similar to their IP cousins, with one distinct difference
  – Standard IPX access lists can filter based on both source and destination addresses
  – Standard IP access lists can only filter based on source addresses

• In all other aspects, they act just like standard IP access lists

Standard IPX Access List Examples

Extended IPX Access Lists

• Allow you to filter based on source and destination network or node address, IPX protocol type, or IPX socket number

Extended IPX Access Lists

IPX SAP Filters

• Limit SAP traffic in order to control which resources on the IPX network will be visible to IPX clients
  – Allows you to limit the "advertising" of particular servers and services to a particular IPX network segment
  – Since SAP advertisements are broadcast, limiting them reduces network traffic

• IPX input SAP filters reduce the number of SAP entries that are placed into a router’s SAP table

IPX SAP Filter Example