Access List


An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations. One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they’ll allow only certain hosts to access web resources on the Internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce nearly any security policy they can invent.

There are a few important rules that a packet follows when it’s being compared with an access list:

It’s always compared with each line of the access list in sequential order—that is, it’ll always start with the first line of the access list, then go to line 2, then line 3, and so on.

It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place. There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.

Each of these rules has some powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists truly takes some practice.

These are the main types of access lists:

  • Standard access lists

    These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and so on.

    Standard IP access lists filter network traffic by examining the source IP address in a packet.

    You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (expanded range). Access-list types are generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.

    The following is an example of the many access-list number ranges that you can use to filter traffic on your network (the protocols for which you can specify access lists depend on your IOS version):

    Corp(config)#access-list ?
      <1-99>            IP standard access list
      <100-199>         IP extended access list
      <1100-1199>       Extended 48-bit MAC address access list
      <1300-1999>       IP standard access list (expanded range)
      <200-299>         Protocol type-code access list
      <2000-2699>       IP extended access list (expanded range)
      <700-799>         48-bit MAC address access list
      compiled          Enable IP access-list compilation
      dynamic-extended  Extend the dynamic ACL absolute timer
      rate-limit        Simple rate-limit specific access list
    


    Corp(config)#access-list 10 ?
    deny    Specify packets to reject
    permit  Specify packets to forward
    remark  Access list entry comment
    


    Corp(config)#access-list 10 deny ?
      Hostname or A.B.C.D  Address to match
      any                  Any source host
      host                 A single host address

    Corp(config)#access-list 10 deny host ?
      Hostname or A.B.C.D  Host address
    Corp(config)#access-list 10 deny host 172.16.30.2

    This tells the list to deny any packets from host 172.16.30.2. The default parameter is host; in other words, if you type access-list 10 deny 172.16.30.2 with no wildcard mask, the router treats it as that single host.

    Wildcard Masking

    Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it’s used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify 2 networks, then a block size of 4 would work. Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:

    172.16.30.5 0.0.0.0

    The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example, here’s how a /24 subnet is specified with a wildcard:

    172.16.30.0 0.0.0.255

    This tells the router to match up the first three octets exactly, but the fourth octet can be any value.

    Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255

    This denies every source address in the 172.16.10.0/24 network.

    Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255

    This denies every source address in 172.16.0.0/16: the last two octets can be any value.

    Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

    This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be networks 172.16.16.0 through 172.16.19.0, that is, hosts 172.16.16.0 through 172.16.19.255.

    The following example shows an access list starting at 172.16.16.0 and going up a block size of 8, to network 172.16.23.0 (hosts 172.16.16.0 through 172.16.23.255):

    Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255
    Here are two more things to keep in mind when working with block sizes and wildcards: Each block size must start at 0 or a multiple of the block size. For example, you can’t say that you want a block size of 8 and then start at 12. You must use 0–7, 8–15, 16–23, etc.

    For a block size of 32, the ranges are 0–31, 32–63, 64–95, etc.

    The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.

    Wildcard masking is a crucial skill to master when creating IP access lists.

    It’s used identically when creating standard and extended IP access lists.
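The block-size and alignment rules above, as an added example (this is not code from the original page): a small Python helper that computes the wildcard for a given block size, shows the address range a network/wildcard pair really covers, flags a block that does not start on a multiple of its size, and tests whether an address matches the pair. The addresses in the demo are the ones used on this page; the function names are my own, and the misaligned 172.16.12.0 example is constructed to show the failure mode.

```python
"""Wildcard-mask helper (added example, not code from the original page).

Standard library only.  Works out the wildcard for a block size, the
address range a "network wildcard" pair covers, whether the block is
aligned (starts at 0 or a multiple of its size), and whether a given
address matches the pair.
"""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_for_block(block_size: int, octet: int = 3) -> str:
    """Wildcard covering `block_size` consecutive values in `octet` (1-4)
    and every value in the octets to its right.

    wildcard_for_block(4)     -> 0.0.3.255   (four /24 networks)
    wildcard_for_block(32, 4) -> 0.0.0.31    (32 hosts)
    wildcard_for_block(1, 4)  -> 0.0.0.0     (a single host)
    """
    if not 1 <= block_size <= 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two from 1 to 256")
    if not 1 <= octet <= 4:
        raise ValueError("octet must be 1..4")
    octets = [0, 0, 0, 0]
    octets[octet - 1] = block_size - 1      # bits allowed to vary in this octet
    for i in range(octet, 4):               # everything to the right varies
        octets[i] = 255
    return ".".join(str(o) for o in octets)


def is_aligned(network: str, wildcard: str) -> bool:
    """True when the block starts at 0 or a multiple of its size, i.e. no
    bit that the wildcard lets vary is set in the network address."""
    return _to_int(network) & _to_int(wildcard) == 0


def covered_range(network: str, wildcard: str) -> tuple:
    """First and last address the pair actually matches.  For a misaligned
    pair this is the block that really gets filtered, which is not the
    block the operator typed."""
    n, w = _to_int(network), _to_int(wildcard)
    return _to_str(n & ~w), _to_str(n | w)


def matches(address: str, network: str, wildcard: str) -> bool:
    """An address matches when every bit the wildcard marks 0 (must-match)
    is identical in the address and the network."""
    a, n, w = _to_int(address), _to_int(network), _to_int(wildcard)
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    for net, wc in [("172.16.16.0", "0.0.3.255"),
                    ("172.16.16.0", "0.0.7.255"),
                    ("172.16.12.0", "0.0.7.255")]:    # constructed: misaligned
        lo, hi = covered_range(net, wc)
        flag = "" if is_aligned(net, wc) else "   <-- misaligned: 12 is not a multiple of 8"
        print(f"{net} {wc}: covers {lo} - {hi}{flag}")
    print(matches("172.16.19.7", "172.16.16.0", "0.0.3.255"))   # True
```

Run it before pasting a wildcard into a router: the misaligned case shows that 172.16.12.0 0.0.7.255 really covers 172.16.8.0 through 172.16.15.255, not the block starting at .12 that the operator probably intended.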

    Standard Access List Example

    Figure: IP access list example with three LANs and a WAN connection. On the router in that figure, the following standard IP access list is configured:
     
    Lab_A#config t
    Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
    Lab_A(config)#access-list 10 permit any

    It’s very important to know that the any command is the same thing as saying the following using wildcard masking:

    Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255
    Lab_A(config)#int e1
    Lab_A(config-if)#ip access-group 10 out
    


    This completely stops traffic from 172.16.40.0 from getting out Ethernet 1. Any packet trying to exit out E1 will have to go through the access list first. If there were an inbound list placed on E0, then any packet trying to enter interface E0 would have to go through the access list before being routed to an exit interface.

    Controlling VTY (Telnet) Access

    Use a standard IP access list to control access to the VTY lines themselves. When you apply an access list to the VTY lines, you don’t need to specify the Telnet protocol, since access to the VTY implies terminal access (the same control covers SSH sessions, which also terminate on the VTY lines). You also don’t need to specify a destination address, since it doesn’t matter which interface address the user targeted for the Telnet session. You only need to control where the user is coming from: their source IP address.

    To perform this function, follow these steps:
    1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the router.
    2. Apply the access list to the VTY lines with the access-class command.

    Here is an example of allowing only host 172.16.10.3 to telnet into a router:

    Lab_A(config)#access-list 50 permit 172.16.10.3
    Lab_A(config)#line vty 0 4
    Lab_A(config-line)#access-class 50 in

    The implicit deny at the end of list 50 rejects every other source. Note that line vty 0 4 covers only five VTY lines; on platforms that provide more (for example vty 0 15), apply the access-class to all of them, or the remaining lines stay unrestricted.
  • Extended access lists

    Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

    When you need that kind of granularity, extended access lists are the answer. That’s because extended access lists allow you to specify source and destination address as well as the protocol and port number that identify the upper-layer protocol or application. By using extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing specific hosts, or even specific services on those hosts.

    Here’s an example of an extended IP access list:

    Corp(config)#access-list 110 ?
      deny     Specify packets to reject
      dynamic  Specify a DYNAMIC list of PERMITs or DENYs
      permit   Specify packets to forward
      remark   Access list entry comment
    


    Once you choose the access-list type, you then need to select a protocol field entry.

    Corp(config)#access-list 110 deny ?
      <0-255>  An IP protocol number
      ahp      Authentication Header Protocol
      eigrp    Cisco's EIGRP routing protocol
      esp      Encapsulation Security Payload
      gre      Cisco's GRE tunneling
      icmp     Internet Control Message Protocol
      igmp     Internet Gateway Message Protocol
      ip       Any Internet Protocol
      ipinip   IP in IP tunneling
      nos      KA9Q NOS compatible IP over IP tunneling
      ospf     OSPF routing protocol
      pcp      Payload Compression Protocol
      pim      Protocol Independent Multicast
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol
    


    If you want to filter by Application layer protocol, you have to choose the appropriate layer 4 transport protocol after the permit or deny statement. For example, to filter Telnet or FTP, you choose TCP since both Telnet and FTP use TCP at the Transport layer. If you were to choose IP, you wouldn’t be allowed to specify a specific application protocol later.

    Here, you’ll choose to filter an Application layer protocol that uses TCP by selecting TCP as the protocol. You’ll specify the specific TCP port later. Next, you will be prompted for the source IP address of the host or network (you can choose the any command to allow any source address):

    Corp(config)#access-list 110 deny tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host

    After the source address is selected, the destination address is chosen:

    Corp(config)#access-list 110 deny tcp any ?
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers

    In the following example, TCP traffic from any source IP address to the destination host 172.16.30.2 is being denied; the ? shows the options that can still be added to the entry:
    


    Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
      ack          Match on the ACK bit
      dscp         Match packets with given dscp value
      eq           Match only packets on a given port number
      established  Match established connections
      fin          Match on the FIN bit
      fragments    Check non-initial fragments
      gt           Match only packets with a greater port number
      log          Log matches against this entry
      log-input    Log matches against this entry, including input interface
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      psh          Match on the PSH bit
      range        Match only packets in the range of port numbers
      rst          Match on the RST bit
      syn          Match on the SYN bit
      time-range   Specify a time-range
      tos          Match packets with given TOS value
      urg          Match on the URG bit
      <cr>
    


    The following help screen shows you the available options. You can choose a port number or use the application or protocol name:

    Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
      <0-65535>    Port number
      bgp          Border Gateway Protocol (179)
      chargen      Character generator (19)
      cmd          Remote commands (rcmd, 514)
      daytime      Daytime (13)
      discard      Discard (9)
      domain       Domain Name Service (53)
      drip         Dynamic Routing Information Protocol (3949)
      echo         Echo (7)
      exec         Exec (rsh, 512)
      finger       Finger (79)
      ftp          File Transfer Protocol (21)
      ftp-data     FTP data connections (20)
      gopher       Gopher (70)
      hostname     NIC hostname server (101)
      ident        Ident Protocol (113)
      irc          Internet Relay Chat (194)
      klogin       Kerberos login (543)
      kshell       Kerberos shell (544)
      login        Login (rlogin, 513)
      lpd          Printer service (515)
      nntp         Network News Transport Protocol (119)
      pim-auto-rp  PIM Auto-RP (496)
      pop2         Post Office Protocol v2 (109)
      pop3         Post Office Protocol v3 (110)
      smtp         Simple Mail Transport Protocol (25)
      sunrpc       Sun Remote Procedure Call (111)
      syslog       Syslog (514)
      tacacs       TAC Access Control System (49)
      talk         Talk (517)
      telnet       Telnet (23)
      time         Time (37)
      uucp         Unix-to-Unix Copy Program (540)
      whois        Nicname (43)
      www          World Wide Web (HTTP, 80)
    


    Let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, fine; that’s allowed. The log keyword makes the router log a message when the entry is hit.

    This can be an extremely useful way to monitor inappropriate access attempts, with one caveat: the router logs the first matching packet and then periodic summaries with a hit count, so the log is an alarm, not a packet-by-packet audit trail. Here is how to do this:

    Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
    Corp(config)#access-list 110 permit ip any any

    Remember, 0.0.0.0 255.255.255.255 is the same thing as any, so the second line could also be written like this:

    Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    The list then has to be applied to an interface, either inbound:

    Corp(config-if)#ip access-group 110 in

    Or outbound:

    Corp(config-if)#ip access-group 110 out

    The permit ip any any line is what keeps everything else flowing; without it, the implicit deny at the end of the list would drop all traffic through that interface, not just Telnet.
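The first-match and implicit-deny rules from the start of the page, together with the extended-list example just above, as an added example (not code from the original page or from Cisco): a Python evaluator that parses the permit/deny lines shown on this page, walks them top-down, and reports which entry decided each packet. Only the keywords used here are supported (host / any / "A.B.C.D wildcard", the protocols ip, tcp, udp and icmp, eq on the destination port, remark and log). ACL_BAD, the 10.0.0.1 address and the packet parameters are constructed for the demo; everything else uses the page's own addresses and lines.

```python
"""Offline evaluator for Cisco-style IP access lists.

Added example, not code from the original page or from Cisco.  Parses the
permit/deny syntax used on the page, applies entries top-down with
first-match semantics and the implicit deny at the end, and returns which
entry matched so a misordered list is easy to spot.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80,
              "smtp": 25, "domain": 53}
ANY = (0, 0xFFFFFFFF)        # network 0.0.0.0, wildcard 255.255.255.255


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _in(address: str, spec) -> bool:
    """Wildcard match: bits the wildcard marks 0 must be identical."""
    network, wildcard = spec
    return ((_ip(address) ^ network) & ~wildcard & 0xFFFFFFFF) == 0


def _parse_addr(tokens):
    """Consume one address spec (any | host X | X W | X) from the front of
    tokens.  A bare address with no wildcard means a single host."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol
    src: tuple             # (network, wildcard)
    dst: tuple
    dport: Optional[int]   # None = any destination port
    log: bool
    text: str

    def matches(self, src, dst, proto, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return _in(src, self.src) and _in(dst, self.dst)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse 'access-list N permit ...' or a named-list 'permit ...' line;
    remark lines return None."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    if tokens[0] == "remark":
        return None
    action, rest = tokens[0], tokens[1:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):     # extended: proto src dst
        proto, rest = rest[0], rest[1:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
    else:                                           # standard: source only
        proto, dst = "ip", ANY
        src, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    return Entry(action, proto, src, dst, dport, "log" in rest, line)


def load(lines):
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def evaluate(acl, src, dst, proto="ip", dport=None):
    """Top-down, first match wins.  Returns (action, entry_number);
    entry_number None means the implicit deny at the end fired."""
    for number, entry in enumerate(acl, 1):
        if entry.matches(src, dst, proto, dport):
            return entry.action, number
    return "deny", None


ACL_110 = load(["access-list 110 deny tcp any host 172.16.30.2 eq 23 log",
                "access-list 110 permit ip any any"])
ACL_BAD = load(["access-list 111 permit ip any any",          # constructed:
                "access-list 111 deny tcp any host 172.16.30.2 eq 23 log"])  # shadowed
ACL_10 = load(["access-list 10 deny 172.16.40.0 0.0.0.255",
               "access-list 10 permit any"])

if __name__ == "__main__":
    print(evaluate(ACL_110, "172.16.10.3", "172.16.30.2", "tcp", 23))  # ('deny', 1)
    print(evaluate(ACL_110, "172.16.10.3", "172.16.30.2", "tcp", 21))  # ('permit', 2)
    print(evaluate(ACL_BAD, "172.16.10.3", "172.16.30.2", "tcp", 23))  # ('permit', 1)
    print(evaluate(ACL_10, "172.16.40.9", "10.0.0.1"))                 # ('deny', 1)
    print(evaluate(ACL_10[:1], "172.16.10.3", "10.0.0.1"))             # ('deny', None)
```

ACL_BAD is the same two entries as ACL 110 in the wrong order: the broad permit is hit first, so the Telnet deny never fires, which is exactly why the guidelines later on say to put the more specific tests at the top. The last call shows the implicit deny: with only a deny line and no permit, even a source the list never mentions is dropped.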
     
  • Named access lists

    Named access lists are either standard or extended and not actually a new type. I’m just distinguishing them because they’re created and referred to differently than standard and extended access lists, but they’re functionally the same.

    Named access lists allow you to use names to both create and apply either standard or extended access lists.

    Lab_A(config)#ip access-list ?
      extended  Extended Access List
      logging   Control access list logging
      standard  Standard Access List
    


    Notice that the command is ip access-list, not access-list. This allows me to enter a named access list. Next, I’ll need to specify that it’s to be a standard access list:

    Lab_A(config)#ip access-list standard ?
      <1-99>  Standard IP access-list number
      WORD    Access-list name

    Lab_A(config)#ip access-list standard BlockSales
    Lab_A(config-std-nacl)#?
    Standard Access List configuration commands:
      default  Set a command to its defaults
      deny     Specify packets to reject
      exit     Exit from access-list configuration mode
      no       Negate a command or set its defaults
      permit   Specify packets to forward


    Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
    Lab_A(config-std-nacl)#permit any
    Lab_A(config-std-nacl)#exit
    Lab_A(config)#^Z
    Lab_A#show running-config
    !
    ip access-list standard BlockSales
     deny 172.16.40.0 0.0.0.255
     permit any
    !
    Lab_A#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Lab_A(config)#int e1
    Lab_A(config-if)#ip access-group BlockSales out
    Lab_A(config-if)#^Z

Once you create an access list, it’s not really going to do anything until you apply it. Yes,they’re there on the router, but they’re inactive until you tell that router what to do with them.

To use an access list as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you’ve got to specify which direction of traffic you want the access list applied to. There’s a good reason for this—you may want different controls in place for traffic leaving your enterprise destined for the Internet than you’d want for traffic coming into your enterprise from the Internet. So, by specifying the direction of traffic, you can—and frequently you’ll need to—use different access lists for inbound and outbound traffic on a single interface:

  • Inbound access lists

    When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.
  • Outbound access lists

    When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.

There are some general access-list guidelines that should be followed when you’re creating and implementing access lists on a router:

You can assign only one access list per interface per protocol per direction. This means that when creating IP access lists, you can have only one inbound access list and one outbound access list per interface. When you consider the implications of the implicit deny at the end of any access list, it makes sense that you can’t have multiple access lists applied on the same interface in the same direction for the same protocol. That’s because any packets that don’t match some condition in the first access list would be denied and there wouldn’t be any packets left over to compare against a second access list. Organize your access lists so that the more specific tests are at the top of the access list.

Any time a new entry is added to the access list, it will be placed at the bottom of the list.

Using a text editor for access lists is highly suggested.

You cannot remove one line from a numbered access list. If you try to do this (no access-list 10 ...), you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The exception is named access lists, where individual entries can be removed. Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list’s tests. Every list should have at least one permit statement or it will deny all traffic.

Create access lists and then apply them to an interface. Applying an access-group that refers to an access list which does not exist yet filters nothing: all traffic passes until the list is created. Access lists are designed to filter traffic going through the router; they will not filter traffic that originated from the router itself.

Place IP standard access lists as close to the destination as possible. This is the reason we don’t really want to use standard access lists in our networks. You cannot put a standard access list close to the source host or network, because it filters on source address only: placed near the source, it would block that source from reaching every destination, not just the one you meant to protect.

Place IP extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don’t want your traffic to traverse the entire network and then be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up your precious bandwidth.
