Professional Documents
Culture Documents
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-2
Why Use Access Lists?
Token
Ring
FDDI
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-3
Why Use Access Lists?
172.16.0.0
Token Internet
Ring
FDDI
172.17.0.0
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-4
Access List Applications
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-5
Other Access List Uses
Queue
List
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-6
Other Access List Uses
Queue
List
Dial-on-demand routing
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-7
Other Access List Uses
Queue
List
Dial-on-demand routing
Route filtering
Routing
Table
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-8
What Are Access Lists ?
Standard
Checks Source address
Generally permits or denies entire protocol suite
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-9
What Are Access Lists ?
Standard
Checks Source address
Generally permits or denies entire protocol suite
Extended
Checks Source and Destination address
Generally permits or denies specific protocols
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-10
What Are Access Lists ?
Standard
Checks Source address
Generally permits or denies entire protocol suite
Extended
Checks Source and Destination address
Generally permits or denies specific protocols
Inbound or Outbound
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-11
Outbound Access Lists
Packet
Choose S0
Inbound Interface
Y
Interface Outbound
Packets Interfaces
Routing
Table
Entry
?
N Access N
List
?
Y
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-12
Outbound Access Lists
Packet
Choose S0
Inbound Interface
Y Outbound
Interface
Packets Test Interfaces
Routing
Access List
Table E0
Statements
Entry
? Packet
N Access N
List Y
? Permit
?
Y
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-13
Outbound Access Lists
Packet
Choose S0
Inbound Interface
Y Outbound
Interface
Packets Test Interfaces
Routing
Access List
Table E0
Statements
Entry
? Packet
N Access N
List Y
? Permit
?
Y
N
Discard Packet
Notify Sender
Packet Discard Bucket
Match
First
Packets to interfaces Test
in the access group Y ? Y
Deny Permit
Destination
Interface(s)
Packet
Discard Deny
Bucket
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-15
A List of Tests: Deny or Permit
Match
First
Packets to Interface(s) Test
in the Access Group Y ? Y
N
Deny Permit
Match
Y Y
Deny Next Permit
Test(s) Destination
?
Interface(s)
Packet
Discard Deny
Bucket
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-16
A List of Tests: Deny or Permit
Match
First
Packets to Interface(s) Test
in the Access Group Y ? Y
N
Deny Permit
Match
Y Y
Deny Next Permit
Test(s) Destination
?
N
Interface(s)
Y Match Y
Deny Last Permit
Test
?
Packet
Discard Deny
Bucket
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-17
A List of Tests: Deny or Permit
Match
First
Packets to Interface(s) Test
in the Access Group Y ? Y
N
Deny Permit
Match
Y Y
Deny Next Permit
Test(s) Destination
?
N
Interface(s)
Y Match Y
Deny Last Permit
Test
?
N Implicit
Deny
Packet
Discard Deny If no match
Bucket deny all
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-18
Access List Configuration Guidelines
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-19
Access List Command Overview
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-20
Access List Command Overview
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-21
How to Identify Access Lists
IP Standard 1-99
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-22
How to Identify Access Lists
IP Standard 1-99
Extended 100-199
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-23
How to Identify Access Lists
IP Standard 1-99
Extended 100-199, 1300-1999, 2000-2699
Named Name (Cisco IOS 11.2 and later)
Frame
Header Packet Segment
(IP header) (for example, Data
(for example,
HDLC) TCP header)
Source
Address Use
access
list statements
1-99
Deny Permit
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-25
Testing Packets with
Extended Access Lists
Port
Number
Protocol
Source Use
Address access
Destination list statements
Address 1-99 or 100-199 to
test the
Deny packet Permit
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-26
Wildcard Bits: How to Check the
Corresponding Address Bits
Octet bit position and
128 64 32 16 8 4 2 1 address value for bit
Examples
check all address bits
0 0 0 0 0 0 0 0 = (match all)
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-27
Wildcard Bits to Match a Specific IP
Host Address
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-28
Wildcard Bits to Match Any IP
Address
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-29
Wildcard Bits to Match IP Subnets
0 0 0 1 0 0 0 0
Wildcard mask: 0 0 0 0 1 1 1 1
|<---- match ---->|<----- don’t care ----->|
0 0 0 1 0 0 0 0 = 16
0 0 0 1 0 0 0 1 = 17
0 0 0 1 0 0 1 0 = 18
: :
0 0 0 1 1 1 1 1 = 31
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-30
Configuring Standard IP
Access Lists
Router(config)#
access-list access-list-number {permit|deny} source [mask]
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-32
Standard IP Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} source [mask]
Router(config-if)#
ip access-group access-list-number { in | out }
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-33
Standard IP Access List
Example 1
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-34
Standard IP Access List Example 1
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
interface ethernet 0
ip access-group 1 out
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.0.0 172.16.4.0
S0
172.16.4.13
E0 E1
interface ethernet 0
ip access-group 1 out
console e0
0 1 2 34
Console port (direct connect) Physical port e0 (Telnet)
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-42
How to Control vty Access
e0
0 1 2 34
Physical port (e0) (Telnet)
Router#
Virtual ports (vty 0 through 4)
Router(config)#
Router(config-line)#
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-44
Virtual Terminal Access Example
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-45
Configuring Extended IP
Access Lists
Standard Extended
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-47
Extended IP Access List
Configuration
Router(config)#
access-list access-list-number { permit | deny } protocol source
source-wildcard [operator port] destination destination-wildcard
[ operator port ] [ established ] [log]
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-48
Extended IP Access List
Configuration
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-49
Extended Access List
Example 1
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
interface ethernet 0
ip access-group 101 out
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
Non-
172.16.3.0 172.16.4.0
172.16.0.0
S0
172.16.4.13
E0 E1
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-56
Using Named IP Access Lists
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-57
Using Named IP Access Lists
S0
E0 B
S0
E0 S1
C
A S1 E0
To0 Token D E0
Ring
E1
Recommended:
• Place extended access lists close to the source
• Place standard access lists close to the destination
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-60
Verifying Access Lists
wg_ro_a#show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
<text ommitted>
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-61
Monitoring Access List Statements
wg_ro_a#show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-62
Summary
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-63
Review Questions
© 2003, cdaga tech, Inc. All rights reserved. Course acronym #-64