
Access-Lists

Introduction to Cisco IOS Access-Lists

In a perfect world, where we can trust everyone and nobody makes a mistake, we would not need
security. In real life, however, bad things happen to our network, so we need to protect it.

This lesson is an introduction to access-lists and you’ll learn the difference between
standard and extended access-lists.

An access list is a sequential series of filters. Each filter comprises some sort of matching
criteria and an action. The action is always either permit or deny. The matching criteria
might be as simple as a source address; alternatively, they might be a more complex
combination of source and destination addresses, protocol types, ports or sockets, and
specifications of the state of certain flags, such as the TCP ACK bit.

A packet is "dropped into" the top of the stack of filters. (See Figure B-2.) At each filter, the
matching criteria are applied. If a match occurs, the specified permit or deny action is
executed. If a match does not occur, the packet "drops down" to the next filter in the stack,
and the matching process is applied again.

Figure B-2. An access list is a sequential list of filters, each of which defines a matching
criterion and an action.

In Figure B-2, a permit means that the packet will be allowed to exit on interface E0; a deny
means that the packet will be dropped. For instance, a packet with a source address of
HOST A will be dropped at the first filter. Suppose the packet's source address is Host D of
Subnet 2 of Network 5. The first filter specifies a match criteria of Host A, so the packet will
not match and will drop to the second layer.
The second filter specifies Subnet 3; again, no match. The packet drops to the third filter,
which specifies Network 5. This matches; the action at the third filter is permit, so the packet is
allowed to exit interface E0.

Implicit Deny Any

What happens if a packet drops through all the filters and a match never occurs? The router
must know what to do with a packet in this situation; that is, there must be a default action.
The default action can be either to permit all packets that don't match or to deny them.
Cisco chose to deny them: Any packet that is referred to an access list and does not find a
match is automatically dropped.

This default can be overridden by making the last line of the list an explicit permit any. The
implication here is that packets dropping through all the other filters will match the permit
any before they get to the default deny any.

Sequentiality

Access lists are executed sequentially, from the top down. This concept is important: perhaps
the most common cause of malfunctioning access lists is putting the individual filtering lines in
the wrong sequence. The first match encountered in the sequenced access list is always taken.
After the first match is made, the rest of the access list is ignored.

Subnet 10.23.147.0/24 should be denied and the rest of network 10.0.0.0 should be
permitted. The list on the left is out of sequence; network 10.0.0.0, including its subnet
10.23.147.0, will match the first line and will be permitted. Packets with the subnet to be
denied will never reach the second line.
The list on the right is correct. Subnet 10.23.147.0 matches the first line and is denied,
whereas all other subnets of 10.0.0.0 drop to the next line and are permitted.
Access-lists work on the network layer (layer 3) and the transport layer (layer 4) and can be used
for two different things:

* Filtering
* Classification

Filtering is used to permit or deny traffic reaching certain parts of our network. Without
filtering, traffic can go anywhere; if you look at the picture above, you probably don’t want IP
packets from the internet to freely enter your network. You can also use an access-list to
block IP packets from 3.3.3.0 /24 going to 1.1.1.0 /24, or something else.

Classification does not drop IP packets like filtering does but we use it to “select” traffic. 
Let’s take a look at an example:
In the picture above we have a VPN that encrypts traffic between the two routers.
Whenever we create a VPN we can use an access-list to “select” what traffic should be
encrypted. Perhaps I want traffic from network 192.168.2.0 /24 to be encrypted but traffic
from 172.16.2.0 /24 not. We can use an access-list to “select” traffic, this is called
classification.

Let’s take a closer look at filtering. After creating an access-list there are 3 spots where you
can place them:

You can put them inbound on the interface which means that all packets that reach your
router will hit the access-list and will have to be checked against the access-list.

Another option is to put the access-list outbound. In this case IP packets will go through
the router and once they are leaving the interface they will be checked against the access-list.
When you place an access-list outbound, this is what your router will do:

1. IP packets will enter your router.
2. Your router will check if it knows about the destination by looking in its routing table.
3. If there is no entry in the routing table the IP packet will be discarded.
4. If there is an entry in the routing table it will select the correct outgoing interface.
5. If there is no access-list the IP packet will be sent out of the interface.
6. If there is an access-list we’ll have to check our IP packet and compare it with the access-list.
7. If the IP packet is permitted it will be forwarded, otherwise it will be discarded and go to IP heaven.

Both inbound and outbound get the job done, they filter packets. It depends on the scenario
which one you might want to use. For example, let’s say you have a router with 4 interfaces:

* 1x WAN interface that connects to the Internet
* 3x LAN interfaces

Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach
the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list
OUTBOUND on your WAN interface. Both get the job done, the only difference is you
have to apply it once instead of on three interfaces.

You can also look at this from the other way around. Let’s say you want to restrict traffic
from the Internet to your LAN. You could create an access-list and attach it INBOUND on
your WAN interface, or you attach it OUTBOUND on all three LAN interfaces.

Both will get the job done, but adding it to the WAN interface INBOUND is probably easier
since you only have to attach it once. Also, it prevents the traffic from going anywhere else
since you filter it right away on where it enters the router.

The third option is applying it to the VTY line. We can use this to secure telnet and/or SSH
traffic.

Let me give you an example of what an access-list looks like:

Router#show access-lists

Standard IP access list 1

10 permit 192.168.1.0, wildcard bits 0.0.0.255

20 permit 192.168.2.0, wildcard bits 0.0.0.255

30 permit 172.16.0.0, wildcard bits 0.0.255.255

Access-lists work by using statements. In the output above you can see that access-list
number 1 has 3 statements, numbered 10, 20 and 30. Whenever a packet hits the access-list
this is what will happen:

* Access-lists are processed top-down so we first check if the packet matches statement 10.
* If it doesn’t match statement 10, we’ll check if it matches statement 20.
* If it doesn’t match statement 20, we’ll check if it matches statement 30.
* If it doesn’t match statement 30, the packet will be dropped.

If a packet does match a certain statement then there is immediate action. The packet will
either be permitted (forwarded) or denied (discarded). For example, if we have a packet that
matches statement 10 then the router will not check if it “also” matches statement 20.

At the bottom of every access-list there is a deny any which means if you didn’t explicitly
permit something it will be dropped anyway. You don’t see this deny any but it’s there!

Access-lists work in a similar way as if you are at the airport. If you are looking at the
departures sign you’ll check all the information for your flight number.

Once you have spotted your flight number you will take action by going to the correct gate
and you won’t look if you see your flight number somewhere else on the display.

Don’t forget about the deny any at the bottom of this access-list! It’s just like checking your
flight number on the departure sign, if you don’t see your flight you are going nowhere!

There are two types of access-lists we can use:

* Standard access-lists
* Extended access-lists

Let’s start with the standard access-list:

The standard access-list is very basic since it can only check for source IP addresses.
You can’t do anything more specific than that.

Our extended access-list gives us many more options. Not only can you check
for source and destination IP addresses but you can also match on transport layer (layer
4) information like TCP or UDP port numbers.
Does this mean that standard access-lists suck? Well, no, since sometimes source IP
addresses are all we care about. If you want an access-list to select which networks should
be translated with your VPN then a standard access-list will do the trick just fine.

How can we recognize the standard and extended access-list? Let me show you the table
below:

If you want a standard access-list you need to use a number between 1-99 or 1300-1999.
For the extended access-list you need to pick a number between 100-199 or 2000-2699.

If you don’t like numbers you can also use named access-lists by choosing a name, this
works for both standard and extended access-lists.

Before we continue let me give you some guidelines when setting up access-lists:

* First we create an access-list globally and then we assign it to an interface.
* You can only have a single ACL per direction, so it’s impossible to have 2 inbound
access-lists.
* Put the most specific statements at the top of your access-list because if a packet
matches a statement the router doesn’t check if it matches any other statements.
* Don’t forget the last statement is deny any. You don’t see it but it is there.

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

interface fa0/0
ip access-group 1 in
ip access-group 2 in

Once you apply access-list 2 on the interface, 1 will be removed. You can’t have two
inbound or two outbound access-lists.
The first thing you have to decide is whether you are creating a standard or extended
access-list. The next decision to make is whether you wanted to use an access-list number
or an access-list name. In the examples you gave, you chose to use named access-lists for
both (out_acsz_in). Also, in your example, we must be using extended access-lists
(because you specified the destination of the traffic you are permitting).

Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
Your first example is this:

(Config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in

(config-nacl)#permit ip any host 10.0.32.10

Here’s the difference between what you wrote, and what I wrote:

1. The keyword “ip” must be used before “access-list” if you are using a named access-list.
If you plan to use access-list numbers instead, this is not needed.
2. Named access-lists have to be told whether they are standard or extended, hence the
keyword “extended”.
3. Named access-lists require you to press ENTER after you give the name. The IOS then
takes you to a new submenu, (config-nacl)#, where you can type all of your permit or
deny lines one by one.
4. After the word “permit” or “deny” a protocol has to be specified for an extended access-list.
In this case, I chose “ip” which means any type of traffic, since you didn’t specify
a port at the end.
5. The keyword “host” tells the access list that the next address you type in is supposed
to be that specific IP. Think of “host” as a shortcut. Instead of typing 10.0.32.10
0.0.0.0, you can just type host 10.0.32.10. Both lines are acceptable and both do the
same thing.

Now, let’s compare the correct syntax for both of your examples and go over the difference:

Example 1

ip access-list extended out_acz_in
permit ip any host 10.0.32.10

Example 2

ip access-list extended out_acsz_in
permit udp any 10.0.32.10 eq h323

Example 2 allows only the UDP ports associated with the H.323 protocol from anywhere to
reach 10.0.32.10.
Example 1 allows ALL traffic from anywhere to 10.0.32.10.
As you can see, Example 2 is much more restrictive than Example 1. As to what is the
default type, there really isn’t a “default.” How you write the access-list determines its
behavior.

Why do standard ACLs need to be placed near the destination, and extended ACLs near the
source?

The standard access-list only allows you to filter source addresses. If you place it close to
the source, it’s possible that you filter too much (unwanted) traffic.

The extended access-list is very specific…you can filter source + destination address and
source + destination ports. Since it’s so specific, it’s best to place it as close to the source
as possible so you can drop unwanted traffic right away.

Functionally there is no difference between named and numbered ACLs; both work the same
way as you have learned in our lessons.

The only difference is that with named ACLs you can give a better description rather than just
a number. For example, if you want to deny HTTP traffic you can name the named ACL
something like:

ip access-list extended Deny_HTTP

This gives you, as an administrator, a better idea of what this ACL is doing.

Another point is that in old IOS versions it wasn’t possible to edit numbered ACLs, so if you
wanted to change an entry you had to remove the whole ACL and create it again, while
named ACLs could be edited. Nowadays both numbered and named ACLs can be edited
without having to recreate the whole configuration on the router.

The last point is that numbered ACLs are limited to a range of numbers for both standard and
extended, while named ACLs are not.

Wildcard Bits explained

Let’s take a look at an example access-list:

Router#show access-lists

Standard IP access list 1

10 permit 192.168.1.0, wildcard bits 0.0.0.255

20 permit 192.168.2.0, wildcard bits 0.0.0.255

30 permit 172.16.0.0, wildcard bits 0.0.255.255

Access-lists don’t use subnet masks but wildcard (inverse) masks. In binary, every “0” of the
subnet mask becomes a “1” in the wildcard and vice versa: a wildcard bit of 1 means “don’t care”.

Two easy methods to calculate the wildcard:

1. 255 - subnet mask = wildcard.
For example, netmask 255.255.255.128. The wildcard will be (255-255=) 0. (255-255=) 0.
(255-255=) 0. (255-128=) 127, so 0.0.0.127.
2. IP addresses in subnet - 1.
For example, netmask 255.255.255.192. This netmask has 64 IP addresses per subnet, so
the wildcard will be 0.0.0.(64-1=)63.
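The two wildcard methods above, the sequentiality rule and the implicit deny any can all be checked outside a router. The following is an added example, not code from the lesson: it derives wildcards both ways, matches addresses the way the wildcard bits do, and evaluates a standard access-list top-down, replaying the out-of-sequence 10.23.147.0/24 list and access-list 1 from this page. Entry and sequence numbering (10, 20, ...) is an assumption that mirrors what show access-lists displays.

```python
"""Added example (not from the original lesson): Cisco wildcard masks and
standard ACL evaluation, top-down with first match and implicit deny any."""
import ipaddress


def wildcard_from_netmask(netmask: str) -> str:
    """Method 1 from the lesson: subtract every octet of the netmask from 255."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def wildcard_from_host_count(addresses_in_subnet: int) -> str:
    """Method 2 from the lesson: addresses-in-subnet minus one, as dotted decimal."""
    return str(ipaddress.IPv4Address(addresses_in_subnet - 1))


def matches(address: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 is 'don't care'; only the bits where the wildcard is 0
    have to be identical between the address and the network."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def evaluate_standard_acl(entries, source: str):
    """entries: list of (action, network, wildcard) in configured order.
    Returns (action, sequence-number) of the first matching statement, or
    ("deny", None) when the packet falls through to the invisible deny any."""
    for index, (action, network, wildcard) in enumerate(entries, start=1):
        if matches(source, network, wildcard):
            return action, index * 10      # IOS numbers statements 10, 20, 30, ...
    return "deny", None                    # implicit deny any at the bottom


# Constructed lists that mirror the ones discussed in the lesson.
# Out of sequence: the /8 permit swallows the subnet that should be denied.
WRONG_ORDER = [("permit", "10.0.0.0", "0.255.255.255"),
               ("deny", "10.23.147.0", "0.0.0.255")]
# Correct: the most specific statement first, then the broader permit.
RIGHT_ORDER = [("deny", "10.23.147.0", "0.0.0.255"),
               ("permit", "10.0.0.0", "0.255.255.255")]
# R2's access-list 1: only 192.168.12.0/24 is permitted, everything else is dropped.
ACL_1 = [("permit", "192.168.12.0", "0.0.0.255")]

if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.128"), wildcard_from_host_count(64))
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "10.23.147.5 ->", evaluate_standard_acl(acl, "10.23.147.5"))
    print("ping from 1.1.1.1 against ACL 1 ->", evaluate_standard_acl(ACL_1, "1.1.1.1"))
```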

Standard access-list example on Cisco Router

There are two ways to enter access lists. One format of a standard access list line is

access-list access-list-number {deny | permit} source [source-wildcard]

The other way to configure the access list is to enter a global access-list command, which
takes you into access-list configuration mode. In the access-list configuration mode, packets
are permitted or denied, sequence numbers are specified and remarks are made:

ip access-list standard {access-list-number | name}

This puts you into the access-list configuration mode. Further configuration options for
standard IP access lists are

[sequence-number] {{{deny | permit} source [source-wildcard]} | {remark up-to-100-characters-of-a-remark}}

This command specifies the access list number, which according to Table B-1 is between 1
and 99, and between 1300 and 1999; the action (permit or deny); a source IP address; and
the wildcard (or inverse) mask.
Let’s configure some access-lists so I can demonstrate to you how this is done on Cisco
IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:

Two routers and each router has a loopback interface. I will use two static routes so that the
routers can reach each other’s loopback interface:

R1(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1

If you choose to use a routing protocol to advertise networks, be careful that your access-list
doesn’t block your RIP, EIGRP or OSPF traffic…

Now let’s start with a standard access-list! I’ll create something on R2 that only permits
traffic from network 192.168.12.0 /24:

R2(config)#access-list 1 permit 192.168.12.0 0.0.0.255

This single permit entry will be enough. Keep in mind at the bottom of the access-list is a
“deny any”. We don’t see it but it is there. Let’s apply this access-list inbound on R2:

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip access-group 1 in

Use the ip access-group command to apply it to an interface. I applied it inbound with
the in keyword.

R2#show ip interface fastEthernet 0/0

FastEthernet0/0 is up, line protocol is up

Internet address is 192.168.12.2/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is 1

You can verify that the access-list has been applied with the show ip interface command.
Above you see that access-list 1 has been applied inbound.

Now let’s generate some traffic…

R1#ping 192.168.12.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Our ping is successful; let’s check the access-list:

R2#show access-lists

Standard IP access list 1

10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

As you can see the access-list shows the number of matches per statement. We can use
this to verify our access-list. Let me show you something useful when you are playing with
access-lists:

R1#ping 192.168.12.2 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

U.U.U

Success rate is 0 percent (0/5)

When you send a ping you can use the source keyword to select the interface. The source
IP address of this IP packet is now 1.1.1.1 and you can see these pings are failing because
the access-list drops them.

R2#show access-lists

Standard IP access list 1

10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

You won’t see them with the show access-lists command because the invisible “deny any” is
dropping them, and the implicit deny does not count matches.

What if I wanted something different? Let’s say I want to deny traffic from network
192.168.12.0 /24 but permit all other networks? I can do something like this:

R2(config)#access-list 2 deny 192.168.12.0 0.0.0.255

R2(config)#access-list 2 permit any

Let’s say I want to remove the statement above.

R2(config)#no access-list 2 deny 192.168.12.0 0.0.0.255

I’ll type no access-list and this is what you’ll discover:

R2#show access-lists 2

The whole access-list is gone…ouch! You can’t use no access-list to remove a statement.
Your router will just accept “no access-list 2” and remove the whole access-list.

You can add or remove individual statements, but to do this you have to use the “ip access-list”
command instead of the “access-list” command. Here’s an example:

R1#show access-lists
Standard IP access list MY_ACL
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.2.0, wildcard bits 0.0.0.255
30 permit 192.168.4.0, wildcard bits 0.0.0.255

Let’s say I want to add an entry for 192.168.3.0 in between, I can do it like this:

R1(config)#ip access-list standard MY_ACL

R1(config-std-nacl)#21 permit 192.168.3.0 0.0.0.255

Here it is:

R1#show access-lists
Standard IP access list MY_ACL
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.2.0, wildcard bits 0.0.0.255
21 permit 192.168.3.0, wildcard bits 0.0.0.255
30 permit 192.168.4.0, wildcard bits 0.0.0.255

And you can delete statements too…let’s get rid of 10 + 20:

R1(config)#ip access-list standard MY_ACL

R1(config-std-nacl)#no 10
R1(config-std-nacl)#no 20

Now it looks like this:

R1#show access-lists
Standard IP access list MY_ACL
21 permit 192.168.3.0, wildcard bits 0.0.0.255
30 permit 192.168.4.0, wildcard bits 0.0.0.255

Access lists are configured for hosts and subnets; the inverse mask is what allows a whole
range of addresses to be specified with a single line.

access-list 1 permit 172.22.30.6 0.0.0.0

It permits only host 172.22.30.6.

access-list 1 permit 172.22.0.0 0.0.31.255

It permits all hosts with addresses in the range of 172.22.0.1 to 172.22.31.255.

Remarks can also be added to a standard IP access list for easy understanding:

access-list 1 remark permit the 2 management hosts


access-list 1 permit 172.22.30.6 0.0.0.0
access-list 1 permit 172.22.30.95 0.0.0.0
access-list 1 remark deny everyone else on the subnet
access-list 1 deny 172.22.30.0 0.0.0.255
access-list 1 permit 172.22.0.0 0.0.31.255

It can also be configured using the router's access-list configuration mode.

ip access-list standard 1
remark permit the 2 management hosts
10 permit 172.22.30.6 0.0.0.0
15 permit 172.22.30.95 0.0.0.0
remark deny everyone else on the subnet
20 deny 172.22.30.0 0.0.0.255
permit 172.22.0.0 0.0.31.255

Extended Access-List example on Cisco Router

Extended IP access lists provide far more flexibility in the specification of what is to be
filtered. The basic syntax of the extended IP access list line follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name] [fragments]

Some of the features here are familiar, and some are new:

* access-list-number, for extended IP access lists, is between 100 and 199, or 2000
and 2699.
* dynamic identifies this list as a dynamic access list. Dynamic access lists are used
by the "Lock-and-Key" security feature. A user uses Telnet to access the router,
gets authenticated by an authentication server such as TACACS+ or RADIUS, and
then is permitted or denied access based on the source and destination information
in the dynamic entry.
* timeout defines the maximum amount of time, in minutes, a temporary entry can
remain in a dynamic list. The default is not to time out the entry at all; it remains
forever.
* protocol is a new variable that looks for a match in the protocol field of the IP packet
header. The keyword choices are eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos,
ospf, tcp, or udp. An integer in the range 0 to 255 representing an IP protocol
number can also be used. ip is a generic keyword, which matches any and all IP
protocols, in the same way inverse mask 255.255.255.255 matches all addresses.
* Notice that both the source and destination packet addresses are examined for
matches; each has its own inverse mask.
* precedence and tos are optional variables that look for a match in the Precedence
and Type of Service fields of the IP packet header. Precedence can be an integer
from 0 to 7, and TOS can be an integer from 0 to 15, or either field can be described
by one of several keywords. Refer to the Cisco documentation for a list of available
keywords.
* log is an optional specification that turns on informational logging. The router
attempts to include the list number or name that logged the match, source and
destination address, upper layer port number, and number of packets logged.
* log-input adds the input interface and source MAC address or virtual circuit number
to the log output.
* time-range creates temporary access lists. Time-range defines the time interval that
the access-list entry is valid. The time-range parameter in the extended access list
references a global time-range command. The global time-range defines the actual
time parameters.
* fragments defines how fragmented packets are handled by the access-list
entry. Fragments are handled in different ways depending upon whether Layer 3 or Layer 3
and Layer 4 information is specified in the access-list entry, and depending upon whether
the entry is to permit or deny the packet. The default behavior (no fragments
keyword specified) for entries that contain Layer 3 (IP addresses, IP port numbers)
information is to apply the entry to all nonfragmented packets, initial fragments, and
noninitial fragments of packets. For entries that contain Layer 3 and 4 (TCP or UDP
port numbers in addition to IP addresses) information, the entry is applied to
nonfragments and initial fragments. The entry is also applied to noninitial fragments
in the following way: if the noninitial fragment's Layer 3 information matches the
Layer 3 information of the entry (the IP addresses, IP port number), and it is a permit
statement, the fragment is permitted. If the entry is a deny statement, the next
access-list entry is processed. If fragments is specified, the entry is applied only to
noninitial fragments. The fragments keyword cannot be configured for entries that
contain Layer 4 information, such as TCP or UDP port numbers.

The decision flow of an extended IP access list.

Now it’s time to take a look at the extended access-list. This is the topology we’ll use:

Besides applying an access-list inbound or outbound you can also apply them to the VTY
lines. This is useful if you want to secure telnet or SSH access to your router. Let’s
configure R1 so telnet access is only allowed from network 192.168.12.0 /24:

R1(config)#access-list 3 permit 192.168.12.0 0.0.0.255

R1(config)#line vty 0 4

R1(config-line)#access-class 3 in

Above you can see that I created access-list 3 but I used the access-class command on
the VTY lines. On interfaces we use the “access-group” command but on VTY lines you
need to use “access-class” to apply them.

Let’s try to use telnet:

R2#telnet 192.168.12.1

Trying 192.168.12.1 ... Open

Password required, but none set

[Connection to 192.168.12.1 closed by foreign host]

It says “open” which means that it connects. The connection is closed because I didn’t
configure a password for telnet but the access-list should work:

R1#show access-lists

Standard IP access list 3

10 permit 192.168.12.0, wildcard bits 0.0.0.255 (2 matches)

Using the extended access-list we can create far more complex statements. Let’s say we
have the following requirement:

* Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but
they are only allowed to connect to IP address 2.2.2.2.
* All other traffic has to be denied.

Now we need to translate this to an extended access-list statement. Basically they look like
this:

[Source] + [source port] to [destination] + [destination port]

Let’s walk through the configuration together:

R2(config)#access-list 100 ?

deny Specify packets to reject

dynamic Specify a DYNAMIC list of PERMITs or DENYs

permit Specify packets to forward

remark Access list entry comment

First of all we need to select a permit or deny. By the way you can also use a remark. You
can use this to add a comment to your access-list statements. I’ll select the permit…

R2(config)#access-list 100 permit ?

<0-255> An IP protocol number

ahp Authentication Header Protocol

eigrp Cisco's EIGRP routing protocol

esp Encapsulation Security Payload

gre Cisco's GRE tunneling

icmp Internet Control Message Protocol

igmp Internet Gateway Message Protocol

ip Any Internet Protocol

ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling

ospf OSPF routing protocol

pcp Payload Compression Protocol

pim Protocol Independent Multicast

tcp Transmission Control Protocol

udp User Datagram Protocol

Now we have a lot more options. Since I want something that permits HTTP traffic we’ll
have to select TCP. Let’s continue:

R2(config)#access-list 100 permit tcp ?

A.B.C.D Source address

any Any source host

host A single source host

Now we have to select a source. I can either type in a network address with a wildcard or I
can use the any or host keyword. These two keywords are “shortcuts”, let me explain:

* If you type “0.0.0.0 255.255.255.255” you have all networks. Instead of typing this we
can use the any keyword.
* If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address.
Instead of typing the “0.0.0.0” wildcard we can use the keyword host.

I want to select network 1.1.1.0 /24 as the source so this is what we will do:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?

A.B.C.D Destination address

any Any destination host

eq Match only packets on a given port number


gt Match only packets with a greater port number

host A single destination host

lt Match only packets with a lower port number

neq Match only packets not on a given port number

range Match only packets in the range of port numbers

Besides selecting the source we can also select the source port number. Keep in mind
that when I connect from R1 to R2’s HTTP server that my source port number will
be random so I’m not going to specify a source port number here.

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?

ack Match on the ACK bit

dscp Match packets with given dscp value

eq Match only packets on a given port number

established Match established connections

fin Match on the FIN bit

fragments Check non-initial fragments

gt Match only packets with a greater port number

log Log matches against this entry

log-input Log matches against this entry, including input interface

lt Match only packets with a lower port number

neq Match only packets not on a given port number

precedence Match packets with given precedence value

psh Match on the PSH bit


range Match only packets in the range of port numbers

rst Match on the RST bit

syn Match on the SYN bit

time-range Specify a time-range

tos Match packets with given TOS value

urg Match on the URG bit

<cr>

We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2
0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can
select a destination port number with the eq keyword:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80

This will be the end result. Before we apply it to the interface I will add one useful extra
statement:

R2(config)#access-list 100 deny ip any any log

Using the statement above I can make that invisible “deny any” visible. The log keyword will
output all denied packets to the console.

Now let’s apply it and give it a test run!

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip access-group 100 in

We’ll apply it to the interface inbound. Don’t forget to enable the HTTP server:

R2(config)#ip http server


Now let’s generate some traffic:

R1#telnet 2.2.2.2 80

Trying 2.2.2.2, 80 ...

% Destination unreachable; gateway or host down

I don’t need a web browser to test if the HTTP server is running. I can use telnet to connect
to TCP port 80. The traffic above is denied as you will see on the console of R2:

R2# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet

Or we can take a look at the matches on the access-list:

R2#show access-lists

Extended IP access list 100

10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www

20 deny ip any any log (1 match)

The packet was denied because the source IP address was 192.168.12.1. Let’s connect
from IP address 1.1.1.1:

R1#telnet 2.2.2.2 80 /source-interface loopback 0

Trying 2.2.2.2, 80 ... Open

There we go! It now says open which means that it connected. When we use telnet we can
select the source interface. The packet is now allowed because it matches the first
statement of the access-list.
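The walkthrough above (source, optional source port, destination, optional destination port, first match wins, explicit deny with log) can be replayed without a router. The following is an added example and not code from the lesson: a small parser for extended ACL statements in the syntax used on this page (any, host, network plus wildcard, eq port, log) and an evaluator that feeds it the two telnet attempts from the lesson. The per-entry match counters and the denied-packet log line are modelled on the show access-lists and %SEC-6-IPACCESSLOGP output shown above; the port-name table and the packet dictionaries are constructed for the example.

```python
"""Added example (not from the original lesson): parse and evaluate
Cisco-style extended ACL statements against constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, deliberately short table of the port names IOS substitutes
# for numbers (the lesson shows 'eq 80' being displayed as 'eq www').
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_address(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((net, wild), next)."""
    if tokens[i] == "any":                       # shortcut for 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                      # shortcut for A.B.C.D 0.0.0.0
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_port(tokens, i):
    """Consume an optional 'eq <port>' (number or known name); return (port, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


@dataclass
class Entry:
    action: str
    protocol: str
    src: Tuple[int, int]
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    log: bool
    matches: int = 0


def parse_entry(line: str) -> Entry:
    """'permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80' -> Entry."""
    t = line.split()
    action, protocol = t[0], t[1]
    src, i = parse_address(t, 2)
    sport, i = parse_port(t, i)
    dst, i = parse_address(t, i)
    dport, i = parse_port(t, i)
    return Entry(action, protocol, src, sport, dst, dport, log="log" in t[i:])


def in_range(value: int, net_wild: Tuple[int, int]) -> bool:
    net, wild = net_wild
    return (value ^ net) & ~wild & 0xFFFFFFFF == 0


def entry_matches(e: Entry, pkt: dict) -> bool:
    """'ip' matches every protocol; ports are only compared when the entry names one."""
    if e.protocol != "ip" and e.protocol != pkt["proto"]:
        return False
    if not in_range(_addr(pkt["src"]), e.src) or not in_range(_addr(pkt["dst"]), e.dst):
        return False
    if e.sport is not None and pkt.get("sport") != e.sport:
        return False
    if e.dport is not None and pkt.get("dport") != e.dport:
        return False
    return True


class ExtendedAcl:
    def __init__(self, name, lines):
        self.name = name
        self.entries = [parse_entry(line) for line in lines]
        self.log_lines = []

    def check(self, pkt: dict) -> str:
        """Top-down, first match wins; a packet matching nothing hits the implicit
        deny, which neither counts a match nor produces a log line."""
        for e in self.entries:
            if entry_matches(e, pkt):
                e.matches += 1
                if e.log:      # format follows the tcp line shown in the lesson
                    verb = "permitted" if e.action == "permit" else "denied"
                    self.log_lines.append(
                        f"%SEC-6-IPACCESSLOGP: list {self.name} {verb} {pkt['proto']} "
                        f"{pkt['src']}({pkt.get('sport', 0)}) -> "
                        f"{pkt['dst']}({pkt.get('dport', 0)}), 1 packet")
                return e.action
        return "deny"


# Access-list 100 from the lesson, as configured on R2.
ACL_100 = ExtendedAcl(100, ["permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80",
                            "deny ip any any log"])
# Constructed packets: the two telnet attempts from R1 (ephemeral ports made up).
FROM_FA00 = {"proto": "tcp", "src": "192.168.12.1", "sport": 55419, "dst": "2.2.2.2", "dport": 80}
FROM_LO0 = {"proto": "tcp", "src": "1.1.1.1", "sport": 40001, "dst": "2.2.2.2", "dport": 80}

if __name__ == "__main__":
    for pkt in (FROM_FA00, FROM_LO0):
        print(pkt["src"], "->", ACL_100.check(pkt))
    print("\n".join(ACL_100.log_lines))
```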

If I want to remove a single statement from my access-list I have two options:

• Copy your access-list to Notepad, edit it and paste it back to your router as a new
access-list.
• Use the access-list editor.

The access-list editor sounds easier right? This is how it works:

R2(config)#ip access-list extended 100

Use the ip access-list command to create a new access-list or modify an existing one. Your
console will look like this:

R2(config-ext-nacl)#

Now we can add or remove statements:

R2(config-ext-nacl)#?

Ext Access List configuration commands:

<1-2147483647> Sequence Number

default Set a command to its defaults

deny Specify packets to reject

dynamic Specify a DYNAMIC list of PERMITs or DENYs

evaluate Evaluate an access list

exit Exit from access-list configuration mode

no Negate a command or set its defaults

permit Specify packets to forward

remark Access list entry comment

Let’s remove statement 20 from access-list 100:

R2(config-ext-nacl)#do show access-list 100


Extended IP access list 100

10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)

20 deny ip any any log (1 match)

This is what it looks like now…

R2(config-ext-nacl)#no 20

Type no in front of the sequence number and it will be gone:

R2(config-ext-nacl)#do show access-list 100

Extended IP access list 100

10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)

Voila it’s now gone.

Last but not least we can also create a named access-list. Let’s create something that
denies ICMP traffic from R2 to R1’s loopback0 interface but allows everything else:

R1(config)#ip access-list extended DROPICMP

R1(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255

R1(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255

R1(config-ext-nacl)#permit ip any any

R1(config-ext-nacl)#exit

This is what the access-list will look like. I’ll call it “DROPICMP”. The first statement will drop
ICMP traffic from IP address 192.168.12.2 and the second line is for IP address 2.2.2.2. All
other traffic is permitted. Let’s apply it to the interface:

R1(config)#interface fastEthernet 0/0


R1(config-if)#ip access-group DROPICMP in

Now let’s test it:

R2#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#show access-lists

Extended IP access list DROPICMP

10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)

20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255

30 permit ip any any

The first ping is failing as it should…

R2#ping 1.1.1.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

.....

Success rate is 0 percent (0/5)


R1#show access-lists

Extended IP access list DROPICMP

10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)

20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (15 matches)

30 permit ip any any

And the second ping fails too…

Let’s do something crazy to get a match on the last statement:

R2#telnet 1.1.1.1

Trying 1.1.1.1 ...

R1#show access-lists

Extended IP access list DROPICMP

10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (27 matches)

20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (18 matches)

30 permit ip any any (12 matches)

I didn’t enable telnet on R1, so the connection itself fails, but the TCP packets still pass
through the access-list and hit the last statement on the way in. That’s all I wanted to show
you about extended access-lists. It will take some time to get used to reading and creating
these access-lists. Just make sure you practice a lot and it will become easy.

TCP Access Lists

The syntax for an extended access list line that examines a TCP segment follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Notice that the protocol variable is tcp. Probably the most significant feature here is that
the access list can examine the source and destination port numbers in the TCP
segment header. As a result, you have the option of filtering packets not only to and
from a particular address, but also to and from a particular socket (an IP
address/application port combination).

The features of the TCP access list that have not yet been explained are operator and
port:

• operator specifies a logical operand. The options are eq (equal to), neq (not
equal to), gt (greater than), lt (less than), and range for specifying an inclusive
range of ports. If the range operator is used, two port numbers are specified.
• port specifies the application layer port to be matched. A few common port
numbers are Telnet (23), FTP (20 and 21), SMTP (25), and SNMP (161, which normally
runs over UDP rather than TCP). IOS shows well-known ports by name in show
output, so eq 80 is displayed as eq www.
What happens if you implement an access list to prevent TCP sessions from being
established into your network, but you want to ensure that the access list passes the
responses when your network establishes a TCP session? The established keyword allows
this by checking the ACK and RST flags in the TCP segment header. If either of
these flags is set, a match occurs. If neither bit is set, the source is trying to establish a
TCP connection to the destination, a match does not occur, and the packet falls through
to the subsequent lines of the access list, where it is normally denied.

Note that this check is stateless: the router keeps no record of which sessions were
actually opened from inside, so any segment an outsider crafts with the ACK bit set (an
ACK scan, for example) matches the established line and is permitted. A reflexive access
list or a stateful firewall is needed if you want a real session check.

A sample TCP access list is displayed in Example B-13.

Example B-13. This TCP access list permits established sessions and
permits certain addresses access for SMTP and Telnet.
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23

The following is an explanation of the lines in Example B-13:

• Line 1 Permit TCP packets from any source to network 172.22.0.0 if the
connection was established from that network.
• Line 2 Permit TCP packets from any source if the destination is port 25 (SMTP)
of host 172.22.15.83.
• Line 3 Allow any TCP packet with a source address from network 10.0.0.0 to
telnet (port 23) to any address on subnet 172.22.114.0/24.

All other packets will be dropped by the implicit deny any.


UDP Access Lists
The syntax for an extended access list line that examines a UDP segment follows:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

This format is similar to the TCP format, except that the protocol variable now is udp.
The other difference is that there is no established keyword. The reason is that UDP is
a connectionless transport service, and no connections are established between hosts, so
a plain UDP access list cannot tell a reply to an inside query (a DNS answer, for
example) from unsolicited traffic; anything that needs that distinction requires a
stateful mechanism.

ICMP Access Lists

The syntax for an extended access list line that examines an ICMP packet follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

icmp is now in the protocol field. Notice that there are no source or destination ports
here; ICMP is a network layer protocol. This line can be used to filter all ICMP
messages, or you can use the following options to filter specific ICMP messages:

• icmp-type is a number between 0 and 255.
• The granularity of filtering can be increased by specifying icmp-code. An ICMP
code specifies a subset of ICMP packet types; the codes are a number between
0 and 255 and are also found in RFC 1700 (the current list is the IANA ICMP
parameters registry).
• Instead of an ICMP type and ICMP code, an ICMP message name can be
entered.

Example B-15. This ICMP access list denies specific packets and
permits all others.
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 0
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 9
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 10
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any traceroute
access-list 111 permit ip any any

The following is an explanation of the lines in Example B-15:


• Line 1 Deny ICMP ping responses (Echo Reply, ICMP type 0) from network 172.22.0.0
to any destination.
• Line 2 Deny ICMP destination unreachable packets (type 3) with a code number of 9
(Network Administratively Prohibited) from network 172.22.0.0 to any destination.
• Line 3 Deny ICMP destination unreachable packets (type 3) with a code number of 10
(Host Administratively Prohibited) from network 172.22.0.0 to any destination.
• Line 4 Deny ICMP traceroute from network 172.22.0.0 to any destination.
• Line 5 Permit all other IP packets.

Calling the Access List

An access list does nothing unless packets are sent to it by a calling command, which
defines how the access list is to be used. One such command is

ip access-group access-list-number {in | out}

This command is configured on an interface to create security or traffic filters and can
be applied to incoming or outgoing traffic. If neither the in nor the out keyword is
specified, the filter defaults to outgoing. The access list number, of course, is the access
list to which this command will send packets. Figure B-9 shows two configurations of
this command.

Figure B-9. The ip access-group command uses the specified access


list to create a filter on an interface for either incoming or outgoing
packets.

Access list 1 in Figure B-9 filters incoming IP packets on interface E0. It has no effect on
outgoing IP traffic and no effect on packets originated by other protocols, such as IPX.
Access list 2 filters IP packets going out interface S3. It has no effect on incoming IP
packets and no effect on packets originated by other protocols. Denying as much as
possible on the inbound access list instead of the outbound list alleviates the need for
the router to perform work on traffic that will be dropped.

Multiple interfaces can make calls to the same access list, but any one interface can
have only one incoming and one outgoing access list for each protocol.
In Figure B-10, the TCP and ICMP access lists shown in Examples B-13 and B-15 are
used as filters. Access list 110 has been applied to the Ethernet 0 interface to check
incoming traffic. Access list 111 is applied to the same interface to check outgoing
traffic. Analyze the two access lists carefully, including their interrelationship, and
consider the following:
 A ping response from 172.23.12.5 to 10.64.32.7 wants to exit interface Ethernet
0. Will it be allowed to pass?
 Someone on 172.22.67.4 wants to ping a device at 10.64.32.20, exiting Ethernet
0. Will the ping be successful?

Figure B-10. Access list 110 is used here to filter incoming packets on
the Ethernet interface. Access list 111 is used here to filter outgoing
packets on the same interface.

The ping response from 172.23.12.5 will be allowed to exit interface Ethernet 0. Ping
responses are denied for packets from 172.22.0.0/16, not 172.23.0.0/16. The ping from
172.22.67.4 to 10.64.32.20, exiting Ethernet 0, will not be successful. The ping request
will successfully exit the interface, but the response will be denied by the inbound
access list.
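To check the reasoning above mechanically, here is an added example (Python, not from the appendix and not Cisco code) that models how IOS evaluates an extended access-list: top-down first match, wildcard masks, TCP port operators, the stateless established check, ICMP type and code, and the implicit deny. Access-lists 110 and 111 are transcribed from Examples B-13 and B-15; the packets, including the addresses from the Figure B-10 questions and one constructed ACK-scan segment, are made up for the example. The mapping of the traceroute keyword to ICMP type 30 is IOS's own.

```python
"""Added example, not from the original appendix: a small model of IOS extended
access-list evaluation, so the behaviour described for Examples B-13 and B-15 and
for Figure B-10 can be checked mechanically. Lists 110 and 111 are transcribed
from the text; every packet below is constructed for this example."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names present, e.g. {"syn"}
    icmp_type: int = -1
    icmp_code: int = -1

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)

def port_match(op, port):
    """op is None (any port) or a tuple such as ("eq", 25) or ("range", 20, 21)."""
    if op is None:
        return True
    kind, *args = op
    return {"eq": port == args[0], "neq": port != args[0], "gt": port > args[0],
            "lt": port < args[0], "range": args[0] <= port <= args[-1]}[kind]

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: tuple            # (network, wildcard)
    dst: tuple
    sport: tuple = None
    dport: tuple = None
    established: bool = False
    icmp: tuple = None    # (type,) or (type, code)

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.proto in ("tcp", "udp") and not (
                port_match(self.sport, p.sport) and port_match(self.dport, p.dport)):
            return False
        # 'established' keeps no state: any segment carrying ACK or RST matches.
        if self.established and not (p.flags & {"ack", "rst"}):
            return False
        if self.icmp is not None and (p.icmp_type != self.icmp[0] or (
                len(self.icmp) == 2 and p.icmp_code != self.icmp[1])):
            return False
        return True

def evaluate(acl, p):
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
NET_172_22 = ("172.22.0.0", "0.0.255.255")

def host(a):
    return (a, "0.0.0.0")

ACL_110 = [  # Example B-13, applied inbound on Ethernet 0 in Figure B-10
    Entry("permit", "tcp", ANY, NET_172_22, established=True),
    Entry("permit", "tcp", ANY, host("172.22.15.83"), dport=("eq", 25)),
    Entry("permit", "tcp", ("10.0.0.0", "0.255.255.255"),
          ("172.22.114.0", "0.0.0.255"), dport=("eq", 23)),
]
ACL_111 = [  # Example B-15, applied outbound; IOS's 'traceroute' keyword is type 30
    Entry("deny", "icmp", NET_172_22, ANY, icmp=(0,)),
    Entry("deny", "icmp", NET_172_22, ANY, icmp=(3, 9)),
    Entry("deny", "icmp", NET_172_22, ANY, icmp=(3, 10)),
    Entry("deny", "icmp", NET_172_22, ANY, icmp=(30,)),
    Entry("permit", "ip", ANY, ANY),
]

def figure_b10():
    """The two Figure B-10 questions, plus a bare ACK that 'established' lets in."""
    reply_23 = Packet("icmp", "172.23.12.5", "10.64.32.7", icmp_type=0, icmp_code=0)
    request_22 = Packet("icmp", "172.22.67.4", "10.64.32.20", icmp_type=8, icmp_code=0)
    reply_back = Packet("icmp", "10.64.32.20", "172.22.67.4", icmp_type=0, icmp_code=0)
    # An ACK scan never completed a handshake, yet line 1 of list 110 permits it.
    ack_scan = Packet("tcp", "203.0.113.9", "172.22.50.1", 40000, 445, frozenset({"ack"}))
    return {"reply_from_172.23_out": evaluate(ACL_111, reply_23),      # permit
            "request_from_172.22_out": evaluate(ACL_111, request_22),  # permit
            "reply_to_172.22_in": evaluate(ACL_110, reply_back),       # deny
            "ack_scan_in": evaluate(ACL_110, ack_scan)}                # permit
```

Calling figure_b10() returns the four verdicts: the 172.23 echo reply and the outbound echo request pass list 111, the echo reply coming back is dropped by list 110's implicit deny (it has no ICMP line), and the bare ACK from 203.0.113.9 is permitted by the established line even though no session exists, which is the weakness noted under TCP Access Lists.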

Cisco IOS Time Based Access-List


Sometimes it might be useful to block certain traffic on specific days or during business
hours. For example, maybe you want to block all Facebook traffic from Monday to Friday
between 9:00 and 17:00.

We can achieve this by using time ranges in our access-lists. When you use these, the
statement in the access-list is only active during the time range that you specified. Let’s
take a look at an example!

Configuration

To demonstrate the time based access-list I will use the following topology:

We have three routers, imagine that R1 is a user on a computer and R3 is some webserver.
We want to prevent access from R1 to the webserver on R3 on business days between
9:00 – 17:00. We will configure the time based access-list on R2.

The time-range command relies on the router’s clock, so make sure the time and date are
correct:

R2#clock set 12:48:00 14 July 2015

Normally it would be better to use NTP, but for this example I’ll configure it manually. Keep
in mind that a time-based entry is only as trustworthy as the clock it reads: if the clock
drifts, is reset by a reload, or can be changed by whoever controls the NTP source, the
policy silently changes with it, so in production use authenticated NTP and monitor the
clock state.
we can configure a time range:

R2(config)#time-range WORK_HOURS

R2(config-time-range)#periodic ?

Friday Friday
Monday Monday

Saturday Saturday

Sunday Sunday

Thursday Thursday

Tuesday Tuesday

Wednesday Wednesday

daily Every day of the week

weekdays Monday thru Friday

weekend Saturday and Sunday

There are quite a few options: we can select a specific day or use ranges like weekdays,
weekend, etc. Let’s go for the weekdays:

R2(config-time-range)#periodic weekdays 09:00 to 17:00

We now have a time range called “WORK_HOURS” for business hours. Let’s create an
access-list:

R2(config)#ip access-list extended NO_FACEBOOK

R2(config-ext-nacl)#deny tcp any host 192.168.23.3 eq 80 time-range WORK_HOURS

R2(config-ext-nacl)#permit ip any any

The access-list above has a statement that blocks traffic to TCP port 80 on 192.168.23.3
but only for the time range that we specified. Let’s activate it on the interface:

R2(config)#interface FastEthernet 0/0

R2(config-if)#ip access-group NO_FACEBOOK in


Now we can try to connect to R3 from R1:

R1#telnet 192.168.23.3 80

Trying 192.168.23.3, 80 ...

% Destination unreachable; gateway or host down

We can’t connect to the webserver on R3. Is this because of our time range? Let’s find out:

R2#show access-lists

Extended IP access list NO_FACEBOOK

10 deny tcp any host 192.168.23.3 eq www time-range WORK_HOURS (active) (3 matches)

20 permit ip any any

Above you can see that the time range is currently active and that we have some matches
on the access-list. Just for fun, let’s change the clock so that we are operating outside of
business hours:

R2#clock set 21:00:00 14 July 2015

Now we can try to connect again:

R1#telnet 192.168.23.3 80

Trying 192.168.23.3, 80 ... Open

We are now able to connect to R3. Let’s check the access-list:

R2#show access-lists

Extended IP access list NO_FACEBOOK


10 deny tcp any host 192.168.23.3 eq www time-range WORK_HOURS (inactive) (3 matches)

20 permit ip any any (4 matches)

The time range is now inactive.

An incoming filter is invoked before the routing process, whereas an outgoing filter is
invoked after the routing process (Figure B-13). If most packets passing through the
routing process are to be denied by the access list, an incoming filter might save some
processing cycles.
IP Prefix Lists
IP prefix lists provide mechanisms to match two components of an IP route:

■ The route prefix (the subnet number)


■ The prefix length (the subnet mask)

The redistribute command cannot directly reference a prefix list, but a route map can
refer to a prefix list by using the match command. A prefix list itself has characteristics
similar to a route map. The list consists of one or more statements with the
same text name. Each statement has a sequence number to allow deletion of individual
commands, and insertion of commands into a particular sequence position. Each
command has a permit or deny action, but because a prefix list is used only for matching
routes, the permit or deny keyword just implies whether a route is matched (permit)
or not (deny).

The generic command syntax is as follows:

ip prefix-list list-name [ seq seq-value ] { deny network / length | permit network /


length }[ ge ge-value ] [ le le-value ]

The sometimes tricky and interesting part of working with prefix lists is that the meaning
of the network/length, ge-value, and le-value parameters changes depending on the
syntax. The network / length parameters define the values to use to match the route
prefix. For example, a network / length of 10.0.0.0/8 means “any route that begins with a
10 in the first octet and has a /8 mask.” The ge and le options are used for comparison
to the prefix length—in other words, to the number of binary 1s in the subnet mask. For
example, ge 20 le 22 matches only routes whose masks are /20, /21, or /22. So, prefix
list logic can be summarized into a two-step comparison process for each route:

1. The route’s prefix must be within the range of addresses implied by the prefix-list
command’s network / length parameters.
2. The route’s prefix length must match the range of prefixes implied by the prefix-list
command.

The potentially tricky part of the logic relates to knowing the range of prefix lengths
checked by this logic. The range is defined by the ge-value and le-value parameters,
which stand for greater-than-or-equal-to and less-than-or-equal-to. When neither keyword
is configured, the route’s prefix length must equal the configured length exactly; le alone
accepts lengths from the configured length through le-value; ge alone accepts lengths
from ge-value through 32; and both together accept lengths from ge-value through
le-value. IOS rejects a statement unless conf-length < ge-value <= le-value <= 32 holds
for whichever of the two keywords is present. Table 11-4 formalizes the logic, including
the default values for ge-value and le-value. In the table, note that conf-length refers to
the prefix length configured in the network / length (required) parameter, and
route-length refers to the prefix length of a route being examined by the prefix list.

Several examples can really help nail down prefix list logic. The following routes will be
examined by a variety of prefix lists, with the routes numbered for easier reference:

1. 10.0.0.0/8
2. 10.128.0.0/9
3. 10.1.1.0/24
4. 10.1.2.0/24
5. 10.128.10.4/30
6. 10.128.10.8/30

Next, Table 11-5 shows the results of seven different one-line prefix lists applied to
these six example routes. The table lists the matching parameters in the prefix-list
commands, omitting the first part of the commands. The table explains which of the six
routes would match the listed prefix list and why.
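Added example, not from the original text: the two-step comparison described above, written out in Python and run over the six sample routes. The ge/le defaults are the ones IOS applies (no keyword: exact length; le only: conf-length through le; ge only: ge through 32; both: ge through le), and invalid ranges are rejected the way IOS rejects them. The prefix-list statements used here are constructed for this example and are not the seven from Table 11-5.

```python
"""Added example, not from the original text: IOS prefix-list matching (step 1: the
route's first conf-length bits equal the configured network; step 2: the route's
prefix length lies in the ge/le range), run over the six sample routes. The
statements tested are constructed here and are not those of Table 11-5."""
import ipaddress

ROUTES = ["10.0.0.0/8", "10.128.0.0/9", "10.1.1.0/24",
          "10.1.2.0/24", "10.128.10.4/30", "10.128.10.8/30"]

def valid_range(conf_length, ge=None, le=None):
    """IOS's rule for the optional keywords: conf-length < ge <= le <= 32,
    with each bound checked only when it is configured."""
    if ge is not None and not conf_length < ge <= 32:
        return False
    if le is not None and not conf_length < le <= 32:
        return False
    return ge is None or le is None or ge <= le

def length_bounds(conf_length, ge=None, le=None):
    """Inclusive (low, high) range of route prefix lengths a statement accepts."""
    if not valid_range(conf_length, ge, le):
        raise ValueError(f"invalid ge/le for /{conf_length}: ge={ge} le={le}")
    low = conf_length if ge is None else ge
    high = (32 if ge is not None else conf_length) if le is None else le
    return low, high

def prefix_matches(route, statement, ge=None, le=None):
    """statement is 'network/length'; only its first 'length' bits are compared."""
    r = ipaddress.ip_network(route, strict=False)
    conf = ipaddress.ip_network(statement, strict=False)
    shift = 32 - conf.prefixlen
    if (int(r.network_address) >> shift) != (int(conf.network_address) >> shift):
        return False                       # step 1: prefix outside the configured block
    low, high = length_bounds(conf.prefixlen, ge, le)
    return low <= r.prefixlen <= high      # step 2: length inside the ge/le range

def apply_prefix_list(statements, route):
    """statements: list of (action, 'network/length', ge, le), checked top-down.
    A route that matches no statement is implicitly denied."""
    for action, net, ge, le in statements:
        if prefix_matches(route, net, ge, le):
            return action == "permit"
    return False

def matching_routes(statements, routes=ROUTES):
    return [r for r in routes if apply_prefix_list(statements, r)]

if __name__ == "__main__":
    for desc, stmts in [
        ("permit 10.0.0.0/8", [("permit", "10.0.0.0/8", None, None)]),
        ("permit 10.0.0.0/8 ge 9", [("permit", "10.0.0.0/8", 9, None)]),
        ("permit 10.0.0.0/8 ge 24 le 24", [("permit", "10.0.0.0/8", 24, 24)]),
        ("permit 10.128.0.0/9 le 30", [("permit", "10.128.0.0/9", None, 30)]),
        ("deny 10.128.0.0/9 ge 30; permit 0.0.0.0/0 le 32",
         [("deny", "10.128.0.0/9", 30, None), ("permit", "0.0.0.0/0", None, 32)]),
    ]:
        print(f"{desc:48} -> {matching_routes(stmts)}")
```

The last list in the script is the common "everything except the host-sized /30s" pattern: the deny statement removes routes 5 and 6, and permit 0.0.0.0/0 le 32 (which matches every IPv4 route) lets the rest through; without that final permit the implicit deny would leave nothing matched.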
Basic Differences between access-list, prefix-list, distribute-list, offset-list, route-map

An access-list is used to filter traffic when applied to an interface. It can also be used for
route filtering, but it cannot be applied directly to a routing protocol: it is used to match the
routes that are to be advertised or blocked, and the access-list then has to be called from a
distribute-list, route-map, etc. (see the detailed explanation below).

A prefix-list is used to filter routes, not user traffic, so it is used in routing protocols only.
The main difference between an access-list and a prefix-list is that an access-list only
matches the address bits selected by the wildcard mask, whereas a prefix-list also matches
the subnet mask, and can specify a range of subnet masks that a route must have to be
permitted or denied.

A distribute-list is used for route filtering, meaning it permits or blocks routes from being
advertised or accepted, but it does not care what metric those routes carry. (If we want to
modify the metric being advertised, we use an offset-list.) A distribute-list is not a
standalone list: it does not itself block or permit any route but calls an access-list or
prefix-list, and the action is taken based on whatever is specified there. So a distribute-list
controls incoming or outgoing routing updates, not user traffic.

An offset-list can modify the metric being advertised (incoming or outgoing) for all routes
or for selected routes. If you want to modify the metric for specific routes, select those
routes with an access-list and call that access-list in the offset-list. An offset-list does not
decide whether a route is advertised; it only modifies the metric (for the selected routes or
for all routes). The offset-list command is used with distance vector routing protocols (RIP
and EIGRP); it does not work with OSPF.

Detailed discussion with example:

(1) Access-list and Distribute-list

For example, if you want to block the traffic from PC1 to PC2, you can do it with an
access-list alone, as it can be applied directly to an interface. PC1 has IP 10.1.1.1 and
PC2 has IP 20.1.1.1, and you want to block all traffic from PC1 to PC2. You can create:

access-list 10 deny 10.1.1.1 0.0.0.0
access-list 10 permit any

Now this access-list can be applied on the incoming interface of R1 or on the outgoing
interface of R4 (or on any outgoing interface along the path selected by routing; where it
should be applied is a different discussion):

interface Fastethernet 1/1
ip access-group 10 in

But what if you want to filter routes from being exchanged between two routers? Say PC1
belongs to the 10.1.1.0/24 network and all routers are running EIGRP. You want 10.1.1.0/24
not to be advertised to R2, but it should be advertised to R3. Now you are not blocking the
traffic from PC1 to PC2; you just want that traffic to go via R3 instead of R2, and for that
you want PC1’s subnet not to be advertised to R2. This is not possible with just an
access-list: you cannot apply the same access-list to an interface, because that would block
the traffic, not the routes. So it has to be applied within the routing protocol, but there is no
option to apply it there directly; it has to be called from a distribute-list or a route-map (a
route-map is used mainly for BGP route filtering or during redistribution). For normal route
filtering in EIGRP, a distribute-list is used.

Create an access-list similar to the one above:

access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any

Now call it from a distribute-list or route-map:

router eigrp 1
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
distribute-list 10 out Serial 0/0

(10 is the number of the access-list that the routing update has to pass through before it is
sent.) So now, whenever EIGRP announces a routing update, it checks the distribute-list,
which points to an access-list to find out which routes are to be permitted or denied (just
routes, not traffic, because it is not applied to an interface).

(You can specify the incoming/outgoing direction as well as the interface. Don’t specify an
interface if you want to block/permit the route for all neighbors.)

So, as we saw above, an access-list can be used to filter traffic. It can also be used to filter
routes, but not directly; it has to be called from a distribute-list or route-map.

A distribute-list can call either an access-list or a prefix-list. For example:

distribute-list prefix 10 out Serial 0/0
or
distribute-list prefix xyz out Serial 0/0

You need to use the keyword prefix and then specify the name of the prefix-list (a
prefix-list name may be numeric, as with 10 above, but it is still a name rather than an
access-list number).

(2) Offset-list

In the above example, R1 receives routes from both R2 and R3. If you want one route to be
preferred over the other, you can increase the metric of the routes advertised from R2 or
from R3. Let’s say you want to increase the metric on all routes received on S0/1 from R2:

R1(config)#router eigrp 1
R1(config-router)#offset-list 0 in 100000 serial 0/1

In the configuration above, 0 is the access-list number given to the offset-list. Specifying 0
means the metric is modified for all incoming routes. As in the distribute-list example above,
we can select specific routes and modify the metric for only those: identify the routes with
an access-list and call that access-list in the offset-list command by its number. So, after
the offset-list keyword, use the actual access-list number, or 0 if there is no selection and
all routes should be affected.

access-list 10 deny 20.1.1.0 0.0.0.255
access-list 10 permit any

R1(config)#router eigrp 1
R1(config-router)#offset-list 10 in 100000 serial 0/1

So, offset-list 0 = all routes, and offset-list (number or name) = only the routes permitted
by that numbered or named access-list.

It is important to note that an offset-list neither blocks nor permits a route; it only modifies
the metric. Whatever value we specify in the offset-list command is added to the original
metric.
