Access lists are essentially lists of conditions that control access. They're powerful tools that control access both to and from network segments. They can filter unwanted packets and be used to implement security policies. With the right combination of access lists, network managers are armed with the power to enforce nearly any access policy they can invent.
Implementation
Once you create an access list, you apply it to an interface as either an inbound or an outbound list.

Inbound access lists: Packets are processed through the access list before being routed to the outbound interface.

Outbound access lists: Packets are routed to the outbound interface and then processed through the access list.
Guidelines that should be followed when creating and implementing access lists:
- You can only assign one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can only have one inbound access list and one outbound access list per interface.
- Organize your access lists so that the more specific tests are at the top of the access list.
- Any time a new line is added to the access list, it will be placed at the bottom of the list.
- You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access lists.
- Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests.
- Every list should have at least one permit statement, or you might as well shut the interface down.
- Create access lists and then apply them to an interface. Applying a list number to an interface when no such access list exists will not filter traffic.
- Access lists are designed to filter traffic going through the router. They will not filter traffic originated from the router.
- Place IP standard access lists as close to the destination as possible.
- Place IP extended access lists as close to the source as possible.
RouterA(config)#access-list 110 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

In the example below, any source IP address that has a destination IP address of 172.16.30.2 has been denied.

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  eq           Match only packets on a given port number
  established  Match established connections
  fragments    Check fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  tos          Match packets with given TOS value

Now, you can press Enter here and leave the access list as is. However, you can be even more specific: once you have the host addresses in place, you can specify the type of service you are denying. The following help screen gives you the options. You can choose a port number or use the application or even the program name.

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  gopher     Gopher (70)
  hostname   NIC hostname server (101)
  ident      Ident Protocol (113)
  irc        Internet Relay Chat (194)
  klogin     Kerberos login (543)
  kshell     Kerberos shell (544)
  login      Login (rlogin, 513)
  lpd        Printer service (515)
  nntp       Network News Transport Protocol (119)
  pop2       Post Office Protocol v2 (109)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  sunrpc     Sun Remote Procedure Call (111)
  syslog     Syslog (514)
  tacacs     TAC Access Control System (49)
  talk       Talk (517)
  telnet     Telnet (23)
  time       Time (37)
  uucp       Unix-to-Unix Copy Program (540)
  whois      Nicname (43)
  www        World Wide Web (HTTP, 80)
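The processing rules from the guidelines above (top-down first match, implicit deny when no line matches, new lines appended at the bottom) and the extended-list syntax from these help screens, exercised in an added Python simulator that is not part of the original page or of Cisco IOS. It models only the destination-port operators shown in the help output; the entry lines, the 172.16.30.0/24 subnet and all other addresses are constructed sample values.

```python
"""Added example (not from the original page): a small simulator of the
extended IP access-list semantics described above. Only the destination
port operators eq/neq/gt/lt/range are modelled; sample values are constructed."""
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

OPS = {"eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
       "gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0],
       "range": lambda p, a: a[0] <= p <= a[1]}

def port_match(op, args, port):
    """Apply an IOS port operator; no operator means any destination port."""
    return True if op is None else OPS[op](port, args)

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [OP PORT [PORT]]'."""
    tok = line.split()
    def addr(i):                       # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
        if tok[i] == "any":  return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host": return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2
    src, i = addr(4)
    dst, i = addr(i)
    op, args = (tok[i], [int(p) for p in tok[i + 1:]]) if i < len(tok) else (None, [])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "op": op, "args": args}

def evaluate(acl, proto, src, dst, dport):
    """Top-down first match; returns (action, entry index). Falling off the
    end is the implicit 'deny any' the guidelines warn about: ('deny', None)."""
    for idx, e in enumerate(acl):
        if (e["proto"] in ("ip", proto) and wildcard_match(src, *e["src"])
                and wildcard_match(dst, *e["dst"]) and port_match(e["op"], e["args"], dport)):
            return e["action"], idx
    return "deny", None

# Constructed sample list: specific tests first, explicit 'permit ip any any' last.
ACL_110 = [parse_entry(l) for l in (
    "access-list 110 deny tcp any host 172.16.30.2 eq 23",
    "access-list 110 permit tcp 172.16.30.0 0.0.0.255 host 172.16.30.2 range 20 21",
    "access-list 110 permit ip any any",
)]
```

Evaluating ACL_110 without its last line (ACL_110[:2]) shows the implicit deny: any packet that is not telnet or FTP to 172.16.30.2 is dropped, which is why every list needs at least one permit statement.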
It is important to be able to verify the configuration on a router. The following commands can be used to verify the configuration:

- show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
- show access-list 110: Shows only the parameters for access list 110. This command does not show you the interface the list is set on.
- show ip access-list: Shows only the IP access lists configured on the router.
- show ip interface: Shows which interfaces have access lists set.
- show running-config: Shows the access lists and which interfaces have access lists set.