
Access Control Lists Overview

Access lists allow Cisco routers to function as a packet filter. They are
supported for several protocols, some of which are listed in the following
table:

Protocol              Range
IP Standard           1 to 99 (and 1300 to 1999 in IOS 12.0 and higher)
IP Extended           100 to 199 (and 2000 to 2699 in IOS 12.0 and higher)
Ethernet type code    200 to 299
DECnet                300 to 399
XNS                   400 to 499
Extended XNS          500 to 599
AppleTalk             600 to 699
Ethernet address      700 to 799
IPX Standard          800 to 899
IPX Extended          900 to 999
IPX SAP               1000 to 1099

Access lists are ordered lists of rules that either permit or deny particular
inbound or outbound traffic, for example traffic from particular hosts. A list is
applied to one or more interfaces on the router. When the router forwards traffic
in or out of such an interface, the rules in the list are processed sequentially
from the top until one matches; the action of that first matching rule decides
whether the packet is forwarded or dropped, and no later rules are consulted.
When no rule matches, the packet is denied because of the implicit deny any at
the end of every access list. For example, if you deny Telnet traffic to host
172.16.22.139 using the rule:
access-list 110 deny tcp any host 172.16.22.139 eq telnet

and this is the only rule in the access list, you deny all IP traffic in the
direction (in or out) in which the list is bound to the interface, not just Telnet
to that host.

The implicit deny all confuses many people and is often forgotten in practice,
although it is very logical: if you want to protect a network using a packet
filter you typically start out by denying everything and from there permit
specific traffic or hosts to communicate. Besides protecting private networks
from external intruders, access lists are also commonly used to manage network
traffic. For example, if you do not want certain protocols or services available
in particular subnets you can block only those ports and permit all other traffic.
This is also an effective way to keep traffic such as ICMP messages and routing
updates from traveling over certain links.

Standard IP Access Lists


Standard IP access lists permit or deny traffic based on its source IP address
only; they cannot match the destination address, the protocol or the port.

Use the access-list command in global configuration mode to create access lists:

router(config)#access-list number deny|permit source|any [log]

Use the ip access-group command in interface configuration mode to bind the
access list to an interface:
router(config-if)#ip access-group number in|out

For example, to stop host C (192.168.23.11) from sending traffic to the WAN in
the network depicted in the diagram below, use the following commands.
router(config)#access-list 10 deny 192.168.23.11
router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in

When traffic arrives on the router's Ethernet interface the rules in access list 10
are processed; if the traffic was sent by host C the router drops the packets and
stops processing the rules. Because a standard list cannot look at the destination,
this drops everything host C sends through the router, not only WAN-bound traffic.
The rule access-list 10 permit any is included because of the implicit deny: there
must be at least one permit rule, otherwise all IP traffic in that direction is
blocked on the interface as soon as you bind the list.

Wildcard Masks/Inverse Masks


Instead of specifying a single IP address you can also permit or deny networks
or subnets, completely or in part, using wildcard masks, also known as inverse
masks. To understand this concept it helps a lot to have a basic understanding
of subnetting.

The first example is simple: to deny access to all hosts in the network
172.16.23.0 with subnet mask 255.255.255.0 you would use 172.16.23.0 0.0.0.255
as the source in the access-list command. When the router checks whether the
addressing information of an incoming packet matches the address specified in
the access list, it only compares the bits of the address whose corresponding
bits in the inverse mask are 0. The bits of the address whose corresponding bits
in the inverse mask are 1 can be anything (in this example the last octet, 0 to
255).

In other situations, where you want to specify a range of addresses whose
boundary between 0s and 1s does not fall exactly on an octet boundary, you may
need to convert everything to binary to determine the inverse mask. For example,
you want to specify the network 172.18.16.0 with the subnet mask 255.255.240.0.
In binary this mask has its first 20 bits set to 1:
11111111.11111111.11110000.00000000. The inverse mask flips every bit, so its
first 20 bits are 0 and the remaining 12 bits are 1:
00000000.00000000.00001111.11111111, which is 0.0.15.255 in decimal notation.
172.18.16.0 0.0.15.255 therefore specifies the address range 172.18.16.0 to
172.18.31.255.

If you want the source or destination to be any host on any network you could
use the address 0.0.0.0 with the inverse mask 255.255.255.255, but to save
keystrokes you can use the keyword any instead.

In extended access lists the keyword host can be used instead of the 0.0.0.0
inverse mask. Instead of specifying a single address as 192.168.23.11 0.0.0.0
you can write host 192.168.23.11.

Extended IP Access Lists


Extended IP access lists give more detailed control than standard lists, which
can only permit or deny traffic from a certain source. Extended lists allow you
to permit or deny particular TCP/IP traffic based on the transport protocol
being used (TCP or UDP), the service or application (e.g. SMTP, Telnet) and both
the source AND the destination addresses.

Use the access-list command in global configuration mode to create access
lists. This command supports numerous arguments, most of them beyond the scope
of the CCNA exam; Cisco explains the complete syntax on its web site.
Nevertheless, here is the most important part:
router(config)#access-list number deny|permit protocol source|any destination|any

When TCP or UDP is used as the protocol argument, two other important arguments
are operator and port. The port argument can be a TCP or UDP port number or name
(e.g. 21 or ftp, 23 or telnet, 123 or ntp); the operator is usually eq, which
means equal, and other options include lt (less than) and gt (greater than). In
the examples below the operator and port follow the destination address and
therefore match the destination port.
Use the ip access-group command in interface configuration mode to apply the
access list to an interface:
router(config-if)#ip access-group number in|out

Take a look at the diagram below for example:

You can prevent SMTP traffic originating from the WANs and destined for host
172.16.11.253 from traveling over link A by putting an outbound extended IP
access list on the Serial 0 interface of RouterX. Use the following commands on
RouterX:
router(config)#access-list 105 deny tcp any host 172.16.11.253 eq smtp
router(config)#access-list 105 permit ip any any
router(config)#interface serial 0
router(config-if)#ip access-group 105 out

Here is another example using the same diagram. It shows how you can use
extended access lists to control ICMP traffic (used by utilities such as ping
and trace). For example, to prevent the hosts in the Ethernet network
192.168.115.0/24 attached to RouterY from using ICMP to communicate with hosts
on the other side of the router, use the following commands on RouterY:
router(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any
router(config)#access-list 102 permit ip any any
router(config)#interface serial 1
router(config-if)#ip access-group 102 out
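The top-down, first-match evaluation with the implicit deny described in the overview, and the standard and extended examples on this page, as an added Python simulation that is not part of the original page (the class and function names, the Packet type and the short PORT_NAMES table are my own; only the access-list line forms shown on this page are parsed, and a trailing operator/port is taken as a destination port). It accepts the page's own access-list lines, evaluates constructed packets against them and keeps a per-rule hit counter like the match count that show access-lists reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "ntp": 123}  # names used on the page
ANY = ("0.0.0.0", "255.255.255.255")                                        # the "any" keyword


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wild_match(addr: str, network: str, wildcard: str) -> bool:
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(network)) & care == 0


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None    # destination port for tcp/udp


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every IP protocol
    src: tuple                     # (network, wildcard)
    dst: tuple
    port_op: Optional[str] = None  # eq/neq/lt/gt on the destination port
    port: Optional[int] = None
    hits: int = 0                  # what "show access-lists" reports as matches

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not (_wild_match(pkt.src, *self.src) and _wild_match(pkt.dst, *self.dst)):
            return False
        if self.port_op is None:
            return True
        if pkt.dport is None:
            return False
        return {"eq": pkt.dport == self.port, "neq": pkt.dport != self.port,
                "lt": pkt.dport < self.port, "gt": pkt.dport > self.port}[self.port_op]


def _parse_addr(tokens: list, standard: bool) -> tuple:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or, in a standard list, a bare address."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if standard and not (tokens and tokens[0][0].isdigit()):
        return (tok, "0.0.0.0")    # bare address in a standard list means that single host
    return (tok, tokens.pop(0))


def parse_rule(line: str) -> tuple:
    """Parse one 'access-list <number> permit|deny ...' line (the forms shown on the page)."""
    tokens = line.lower().split()  # IOS keywords are case-insensitive
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard list: source address only
        return number, Rule(action, "ip", _parse_addr(rest, True), ANY)
    protocol = rest.pop(0)                                  # extended list
    src, dst = _parse_addr(rest, False), _parse_addr(rest, False)
    op = port = None
    if rest and rest[0] in ("eq", "neq", "lt", "gt"):
        op, name = rest.pop(0), rest.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return number, Rule(action, protocol, src, dst, op, port)


class AccessList:
    """Top-down first-match evaluation with the implicit deny at the end of the list."""

    def __init__(self, number: int):
        self.number, self.rules = number, []

    def add(self, line: str) -> "AccessList":
        number, rule = parse_rule(line)
        if number != self.number:
            raise ValueError(f"line belongs to list {number}, not {self.number}")
        self.rules.append(rule)        # a new rule always lands at the bottom of the list
        return self

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1         # first match decides; later rules are not consulted
                return rule.action == "permit"
        return False                   # no rule matched: implicit deny any

    def show(self) -> list:
        """One line per rule with its hit counter, in the spirit of 'show access-lists'."""
        return [f"{r.action} {r.protocol} {r.src[0]} {r.src[1]} {r.dst[0]} {r.dst[1]}"
                + (f" {r.port_op} {r.port}" if r.port_op else "") + f" ({r.hits} matches)"
                for r in self.rules]


if __name__ == "__main__":
    # The page's first example: with a lone deny rule, nothing at all gets through.
    acl = AccessList(110).add("access-list 110 deny TCP any host 172.16.22.139 eq TELNET")
    web = Packet("10.1.1.1", "172.16.22.140", "tcp", 80)
    print("web permitted with only the deny rule:", acl.permits(web))            # False
    acl.add("access-list 110 permit ip any any")
    print("web permitted after permit ip any any:", acl.permits(web))           # True
    print("telnet to the host:", acl.permits(Packet("10.1.1.1", "172.16.22.139", "tcp", 23)))  # False
    print(*acl.show(), sep="\n")
```

Feeding the page's lists 10, 105 and 102 to the same class reproduces the behaviour described for each: host C is dropped regardless of destination, SMTP to 172.16.11.253 is dropped while SMTP to other hosts passes, and ICMP from 192.168.115.0/24 is dropped while TCP from the same hosts passes.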

Remove an access list from an interface:

router(config-if)#no ip access-group number|name in|out
For example:
router(config-if)#no ip access-group 102 out

Delete an access list from the configuration:

router(config)#no access-list number
router(config)#no ip access-list {standard | extended} name

For example:
router(config)#no access-list 102

Note that this deletes the whole list, not a single rule, and that rules added to
a numbered list are always appended at the bottom, so reordering a numbered list
means deleting it and re-entering all of its rules. Remove the list from its
interfaces first: on IOS an ip access-group that refers to an access list that
does not exist (or is empty) permits all traffic, so the interface is unfiltered
until the list is recreated.

Named Access Lists


If your router runs IOS 11.2 or higher, you can create named access lists.
Instead of choosing a number between 1 and 99 for a standard IP access list,
you can use a descriptive name, which also removes the limit on the number of
lists. The commands to create a named access list differ from those mentioned
above.

To create a list use the following command in global configuration mode:
router(config)#ip access-list {standard | extended} name

This command takes you into access-list configuration mode, where you define
the deny and permit rules. For example, to create a standard named access list
called wwwfilter that permits only traffic from the networks 192.168.132.0/24,
172.17.0.0/16 and 10.0.0.0/8 (everything else is dropped by the implicit deny),
use the following commands:
router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255

Use the exit command to exit access-list configuration mode.

A named list is applied to an interface in the same way as a numbered list:
router(config-if)#ip access-group wwwfilter out

VTY Lines
You can also use a standard access list to limit which hosts may open remote
sessions to the router's VTY lines. The list is bound with access-class in line
configuration mode rather than with ip access-group; for example, to allow
management sessions only from 192.168.23.8:
router(config)#access-list 5 permit 192.168.23.8
router(config)#line vty 0 4
router(config-line)#access-class 5 in

Because of the implicit deny, sessions from every other source address are
refused. The range 0 4 covers the five VTY lines of a traditional router; use the
range your platform actually has, because lines outside the range you configure
remain unprotected.

Monitoring and Verifying


The following commands, entered in privileged EXEC mode, are useful for
monitoring and verifying the operation of access lists.

The show ip interface command displays which access lists are applied to the
specified interface, for example:
router#show ip interface serial 1

The following command displays the contents of an access list and, if it is
applied to an interface, the number of matches per permit/deny rule:
router#show access-lists number|name

If you do not specify an access-list number or name, all current access lists are
displayed. You can also use the show ip access-lists command to display one or
all of the current IP access lists.