ACL

Access lists (ACLs) are used to categorize and filter packets based on defined conditions, functioning similarly to if-then programming statements. They can be classified into standard and extended types, with standard ACLs focusing on source IP addresses and extended ACLs evaluating multiple packet fields including destination IP and port numbers. Wildcard masks are utilized to specify which parts of an address must match exactly and which can vary, allowing for flexible traffic management in network security.

Introduction to Access Lists

• An access list is essentially a list of conditions that categorize packets.
• Access lists are used to filter unwanted packets when implementing security policies.
• Creating access lists is really a lot like programming a series of if-then statements: if a given condition is met, then a given action is taken. If the specific condition isn't met, nothing happens and the next statement is evaluated.
• Access control lists (ACLs) can be used for two purposes:
  - To filter traffic
  - To identify traffic
• Access lists are a set of rules, organized in a rule table.
• Each rule or line in an access list provides a condition, either permit or deny:
  - When using an access list to filter traffic, a permit statement is used to "allow" traffic, while a deny statement is used to "block" traffic.
  - Filtering traffic is the primary use of access lists.
• When filtering traffic, access lists are applied on interfaces.
• As a packet passes through a router, the top line of the rule list is checked first, and the router continues to go down the list until a match is made.
• Once a match is made, the packet is either permitted or denied.
• There is an implicit "deny all" at the end of all access lists. You don't create it, and you can't delete it. Thus, access lists that contain only deny statements will prevent all traffic.
• Access lists are applied either inbound (packets received on an interface, before routing) or outbound (packets leaving an interface, after routing).
• Only one access list per interface, per protocol, per direction is allowed.
• Once the lists are built, they can be applied to either inbound or outbound traffic on any interface.
• Applying an access list causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.
• You can use an ACL when you need to filter traffic, denying and allowing packets based on specific features.
• There are three important rules that a packet follows when it is being compared with an access list.

Rules

1. The packet is always compared with each line of the access list in sequential order; it will always start with the first line of the access list.
2. The packet is compared with lines of the access list only until a match is made.
3. There is an implicit "deny" at the end of each access list, i.e. if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.
Types of ACL

• There are two categories of access lists: numbered and named.
• Numbered access lists are broken down into several ranges, each dedicated to a specific protocol:

  1–99        IP standard access list
  100–199     IP extended access list
  200–299     Protocol type-code access list
  1300–1999   IP standard access list (expanded range)
  2000–2699   IP extended access list (expanded range)

• Remember, individual lines cannot be removed from a numbered access list. The entire access list must be deleted and recreated.
• All new entries to a numbered access list are added to the bottom.
• Named access lists provide a bit more flexibility:
  - Descriptive names can be used to identify your access lists.
  - Additionally, individual lines can be removed from a named access list.
  - However, like numbered lists, all new entries are still added to the bottom of the access list.
Wild Card Mask

IP access lists use wildcard masks to determine two things:

1. Which part of an address must match exactly
2. Which part of an address can match any number

• This is as opposed to a subnet mask, which tells us what part of an address is the network (subnet) and what part of an address is the host.
• Wildcard masks look like inverted subnet masks.

Consider the following address and wildcard mask:

Address:        172.16.0.0
Wild Card Mask: 0.0.255.255

• The above would match any address that begins "172.16." The last two octets could be anything.

Rules of wildcard masks:

1. If a bit is set to 0 in a wildcard mask, the corresponding bit in the address must be matched exactly.
2. If a bit is set to 1 in a wildcard mask, the corresponding bit in the address can match any number.

• To see why, we convert both the address and the wildcard mask into binary:

Address:        10101100.00010000.00000000.00000000
Wild Card Mask: 00000000.00000000.11111111.11111111

• Any 0 bits in the wildcard mask indicate that the corresponding bits in the address must be matched exactly.
• Thus, looking at the above example, we must exactly match the following in the first two octets:

  10101100.00010000 = 172.16

• Any 1 bits in the wildcard mask indicate that the corresponding bits can be anything. Thus, the last two octets can be any number, and the address will still match this access-list entry.
• If we want to match a specific address with a wildcard mask, we have to use 0.0.0.0 as the wildcard mask.
• A 0 indicates it must match exactly, a 1 indicates it can match anything. A wildcard mask of 0.0.0.0 has all bits set to 0, which means we must match all four octets exactly.

Example:

Address:        172.16.1.1
Wild Card Mask: 0.0.0.0

Written out in binary, that looks like:

Address:        10101100.00010000.00000001.00000001
Wild Card Mask: 00000000.00000000.00000000.00000000

• There are actually two ways we can match a host:
  1. Using a wildcard mask with all bits set to 0: 172.16.1.1 0.0.0.0
  2. Using the keyword "host": host 172.16.1.1

How would we match all addresses with a wildcard mask?

Address:        0.0.0.0
Wild Card Mask: 255.255.255.255

• There are actually two ways we can match all addresses:
  1. Using a wildcard mask with all bits set to 1: 0.0.0.0 255.255.255.255
  2. Using the keyword "any": any
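The bit-level rules above, and the host/any shorthands, worked in code. This is an added example written for this page, not part of the original slides; the function names are its own, and wildcard_to_subnet_mask goes one step beyond the slides by checking whether a given wildcard mask really is an inverted subnet mask.

```python
# Added example (not from the original slides): wildcard-mask matching done
# bit by bit, exactly as the rules above describe it. The helper names here
# are this example's own choices.
import ipaddress
from typing import Optional


def to_binary(dotted: str) -> str:
    """Render a dotted-quad address as four 8-bit groups, as the slides do."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def wildcard_match(address: str, entry: str, wildcard: str) -> bool:
    """True if `address` matches ACL entry `entry` under `wildcard`.

    XOR marks the bits that differ; AND with the inverted wildcard keeps only
    the differing bits that had to match exactly (wildcard bit 0). Any such
    bit left over means no match.
    """
    a = int(ipaddress.IPv4Address(address))
    e = int(ipaddress.IPv4Address(entry))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ e) & ~w & 0xFFFFFFFF == 0


def wildcard_to_subnet_mask(wildcard: str) -> Optional[str]:
    """Invert a wildcard mask into the subnet mask it mirrors.

    Returns None for a non-contiguous wildcard such as 0.0.0.254: an ACL
    accepts it (each bit is judged independently), but it is the inverse of
    no valid subnet mask, so "inverted subnet mask" is only a rule of thumb.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    subnet = ~w & 0xFFFFFFFF
    # A subnet mask is a run of 1 bits followed by a run of 0 bits.
    if subnet and (subnet | (subnet - 1)) != 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(subnet))
```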
1. Standard access lists

• These ACLs use only the source IP address in an IP packet as the condition test.
• All decisions are made based on the source IP address.
• They don't distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.
• Standard access lists should be placed closest to the destination network.
• You create a standard IP access list by using the access-list numbers 1–99.
• Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered.

Syntax:

access-list [1-99] [permit | deny] [source address] [wildcard mask]
Router(config)# access-list acl-number {permit | deny} source-address wildcard-mask

Example:

Router1(config)# access-list 11 deny 192.168.10.0 0.0.0.255
Router1(config)# access-list 11 permit any

• The first line tells the list to deny any packets from network 192.168.10.0.

Task 1: All traffic from the student network going to the staff network should be blocked

• In order to block network 192.168.10.0 (Network 1, which is the student network) from accessing the 192.168.12.0 network (Network 3, which is the staff network), we would create the following access list on Router 1:

access-list [1-99] [permit | deny] [source address] [wildcard mask]
Router1(config)# access-list 11 deny 192.168.10.0 0.0.0.255
Router1(config)# access-list 11 permit any

• Notice the wildcard mask of 0.0.0.255 on the first line. This will match (deny) all hosts on the 192.168.10.x network.
• The second line uses the keyword any, which will match (permit) any other address.
How to apply an ACL on an interface

• To apply this access list, we would configure the following on Router 1:

Router1(config)# interface [interface-name]
Router1(config-if)# ip access-group [acl-number] [in | out]

Router1(config)# interface s0/0/0
Router1(config-if)# ip access-group 11 in

• To view all IP access lists configured on the router:

Router1# show ip access-list

• To view which interface an access list is applied on:

Router1# show ip interface
Router1# show running-config
2. Extended access lists

• Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet.
• They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number in the Transport layer header.

Syntax:

access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator [port]]

• Extended IP access lists block based upon the source IP address, destination IP address, and TCP or UDP port number.
• Extended access lists should be placed closest to the source network.

Task 1:

• There is a web server on the 192.168.12.x network with an IP address of 192.168.12.12.
• The goal is to block network 192.168.10.0 from accessing anything on the 192.168.12.0 network, EXCEPT for the HTTP port on the web server.

To create the extended ACL:

Router2(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 192.168.12.12 eq 80
Router2(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
Router2(config)# access-list 101 permit ip any any

1. The first line allows the 192.168.10.x network access only to port 80 on the web server.
2. The second line blocks 192.168.10.0 from accessing anything else on the 192.168.12.0 network.
3. The third line allows 192.168.10.0 access to anything else.

• We could have identified the web server in one of two ways:

Router2(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 192.168.12.12 eq 80

OR

Router2(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 192.168.12.12 0.0.0.0 eq 80

• To apply this access list, we would configure the following on Router 2:

Router2(config)# interface s0/0/0
Router2(config-if)# ip access-group 101 out

• We can use several other operators for port numbers:

  eq      Matches a specific port
  gt      Matches all ports greater than the port specified
  lt      Matches all ports less than the port specified
  neq     Matches all ports except for the port specified
  range   Matches a specific inclusive range of ports
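As an added example (not from the slides, and not how IOS is implemented internally), this Python evaluator walks a packet through the extended entries of access-list 101 by the three rules from the Rules section: top to bottom, stop at the first match, implicit deny if nothing matches. It parses only extended entries in the syntax shown above (standard entries have no protocol field); the packet parameters and helper names are this example's own assumptions.

```python
# Added example (not from the slides): first-match evaluation of an extended
# access list. Helper and parameter names are this example's own choices.
import ipaddress

# Port operators from the table above; each gets the packet's port and the
# operator's numeric arguments (one value, or two for "range").
_PORT_OPS = {"eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
             "gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0],
             "range": lambda p, a: a[0] <= p <= a[1]}

def _match_addr(address, entry, wildcard):
    """Wildcard-mask comparison: only bits where the wildcard is 0 must match."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (address, entry, wildcard))
    return (a ^ e) & ~w & 0xFFFFFFFF == 0

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def evaluate(acl_lines, proto, src, dst, dport=0):
    """Return 'permit' or 'deny' for one packet under the given entries."""
    for line in acl_lines:
        # Drop the CLI prompt and the 'access-list 101' prefix, keep the entry.
        tokens = line.split("#")[-1].split()[2:]
        action, entry_proto, rest = tokens[0], tokens[1], tokens[2:]
        (src_e, src_wc), rest = _parse_addr(rest)
        (dst_e, dst_wc), rest = _parse_addr(rest)
        if entry_proto not in ("ip", proto):
            continue                      # e.g. a tcp entry never matches icmp
        if not (_match_addr(src, src_e, src_wc) and _match_addr(dst, dst_e, dst_wc)):
            continue
        if rest and not _PORT_OPS[rest[0]](dport, [int(t) for t in rest[1:]]):
            continue
        return action                     # first match wins; later lines are ignored
    return "deny"                         # the implicit deny at the end of every ACL

# The three lines of access-list 101 exactly as typed on Router 2 above.
ACL_101 = [
    "Router2(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 192.168.12.12 eq 80",
    "Router2(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255",
    "Router2(config)# access-list 101 permit ip any any",
]
```

Running evaluate(ACL_101, "tcp", "192.168.10.5", "192.168.12.12", 443) returns "deny" because the first line only covers port 80 and the second line then matches, which is the behaviour the three numbered explanations above describe.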
Named Access Lists

• Named access lists provide us with two advantages over numbered access lists:
  1. We can apply an identifiable name to an access list, for documentation purposes.
  2. We can remove individual lines in a named access list, which is not possible with numbered access lists.

Task: All traffic from the student network going to the staff network should be blocked

Standard Named Access List

• To create a standard named access list, the syntax would be as follows:

Router0(config)# ip access-list standard acl1
Router0(config-std-nacl)# deny 192.168.10.0 0.0.0.255
Router0(config-std-nacl)# permit any

Apply it to the appropriate interface:

Router0(config)# interface s0/0/0
Router0(config-if)# ip access-group acl1 in

To remove the standard named ACL:

Router0(config)# no ip access-list standard acl1

Extended Named ACL

Task 1: Block the student network (192.168.10.0) from accessing anything on the staff network (192.168.12.0), EXCEPT for the HTTP port on the web server.

Extended Named Access List

• To create an extended named access list, the syntax would be as follows:

Router1(config)# ip access-list extended Ext1
Router1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.12.12 eq 80
Router1(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
Router1(config-ext-nacl)# permit ip any any

Apply it to the appropriate interface:

Router1(config)# interface s0/0/0
Router1(config-if)# ip access-group Ext1 out

To remove the extended named ACL:

Router1(config)# no ip access-list extended Ext1
