Shared by: HC111123235418
posted: 11/23/2011
Security and Access Lists



For the CCNA exam you should be familiar with the concept of access lists and how to implement access lists on a Cisco router.

Access lists are similar to packet filtering on an NT server. They are lists of conditions set by the administrator to control access to a particular network segment by controlling access to a specific router interface. Access lists are used for controlling access to sensitive networks and for optimizing network traffic. Access lists can be used to control inbound or outbound traffic on the interface. It's important to understand that the direction (inbound or outbound) is relative to the router's interface. For example, if a server is connected to one of the router's interfaces, a packet addressed to that server is outbound traffic for that router interface.

Once the access list is applied to the interface, all packets are analyzed and compared with the entries in the access list. If one of the conditions in the access list matches the packet's information (which could be the IP address, network address, port number, or protocol type), the router acts according to the instructions in that access list.



- The packet is compared with each line in the access list, starting with line 1, then line 2, and so on.
- Once the packet matches the condition on one of the lines in the access list, the router acts upon that condition and no further comparisons take place.
- If the packet does not match any of the conditions in the access list, the packet is discarded. This is the same as having a "deny any" entry at the end of the access list. This is important to remember when creating the access list.



Access lists can be used to control IP and IPX traffic.

There are two types of access lists: standard and extended access lists. A standard access list can analyze the packet based only on the source IP address. The packet's source IP address can be used to either allow or deny access (either inbound or outbound) to the interface.

An extended access list can, in addition to the source IP address, also include entries for:



- Destination IP address
- Port number
- Protocol type



A router can have many different access lists, but only one access list is allowed per interface.

There are two steps in configuring an access list (either standard or extended):

1. Create the access list in global configuration mode.
2. Apply the access list to the interface in interface configuration mode.



Each access list must have a unique number. This number must be within a specific range, depending on the type of access list. For the CCNA exam you must know the following access list numbers:

Access list number   Access list type
1-99                 IP standard access list
100-199              IP extended access list
200-299              Protocol type-code access list
800-899              IPX standard access list
900-999              IPX extended access list
1000-1099            IPX SAP access list

Commands to configure access lists:

From global configuration mode type access-list [number] [permit or deny] [source address]

For example, access-list 10 deny 222.122.122.100 will create access list number 10 with the condition to deny packets with the source address 222.122.122.100.

It's important to remember that all access lists have an implicit deny as the last line. So, when we created our access list 10, it actually looks like this:

deny 222.122.122.100
deny any

This means that all traffic will be denied. This is not what we wanted to achieve. To correct this problem, and deny only packets with source address 222.122.122.100, we need to add another line to our access list. Once again, type access-list 10 permit any

Now our access list looks like this:

deny 222.122.122.100
permit any
deny any

The last line, deny any, will always be there because it is inserted automatically by the router, but it will never be reached: once a condition is met (either deny 222.122.122.100 or permit any), the router does not read any further lines in the access list.

When creating an access list with a deny directive, it's important to add another line that permits all or some traffic; otherwise every packet on the interface where the list is applied will be dropped.

When creating an access list that includes an entire network or subnet, you should use wildcard masking. A wildcard mask is somewhat similar to a subnet mask. Here is an example:

access-list 12 permit 222.122.122.0 0.0.0.255

In this example we created an access list that permits traffic from all hosts on the network 222.122.122.0. The wildcard mask of 0.0.0.255 tells the router that the first 3 octets must match exactly, and the last octet can be any number from 0 to 255.
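As an added worked example (not part of the original document, and not Cisco code), the following Python script models the matching rules described above for numbered standard access lists: top-down comparison, first match wins, implicit deny at the end, and wildcard-mask matching. The function names and the configuration strings are constructed for this illustration; only the standard library ipaddress module is used.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(config: str) -> dict:
    """Group 'access-list <n> permit|deny <source> [wildcard]' lines by list number."""
    acls = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an access-list entry; ignore
        number, action, source = int(parts[1]), parts[2], parts[3]
        if source == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"  # every bit is 'don't care'
        else:
            base = source
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = one host
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def evaluate(acl: list, src_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source address."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action  # first match wins; later lines are never read
    return "deny"  # the implicit 'deny any' at the end of every list


# Constructed configurations mirroring access list 10 (before and after the
# fix) and access list 12 from the text above.
BROKEN = "access-list 10 deny 222.122.122.100"
FIXED = BROKEN + "\naccess-list 10 permit any"
NETWORK = "access-list 12 permit 222.122.122.0 0.0.0.255"

if __name__ == "__main__":
    print(evaluate(parse_standard_acl(BROKEN)[10], "10.1.1.1"))        # deny
    print(evaluate(parse_standard_acl(FIXED)[10], "10.1.1.1"))         # permit
    print(evaluate(parse_standard_acl(FIXED)[10], "222.122.122.100"))  # deny
    print(evaluate(parse_standard_acl(NETWORK)[12], "222.122.122.77")) # permit
```

Running it shows why the one-line list 10 denies everything, including traffic from unrelated hosts, until the permit any line is added.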

You can have many access lists on a router, but they don't do anything until you apply an access list to an interface.

To apply an access list to an interface, you must first enter interface configuration mode. For example, from config mode type int e0. The router prompt will change to Router(config-if)#, indicating that all changes made here will only be applied to interface e0. To apply an access list, type

Router(config-if)#ip access-group 10 [in or out]

For example, to apply access list 10 to control outbound traffic, type ip access-group 10 out

To deactivate the access list, type no ip access-group 10 out

On a router with only 2 interfaces (one serial and one Ethernet), applying an access list to inbound traffic on the serial interface produces the same effect as applying the same access list to outbound traffic on the Ethernet interface. For a multiport router you have to decide whether to apply an access list to inbound or outbound traffic based on the needs of the network.





Extended access lists

Standard access lists are very simple to configure, but they can only filter traffic based on the source address. If you want to filter traffic based on the source and destination address, as well as port number, you need to use extended access lists. Extended access lists also have one more important function: logging.

Configuring extended access lists is similar to configuring standard access lists. You begin by creating the access list from global configuration mode. Use numbers 100-199 for an extended access list. If you enter access-list 101 ? you will see many more parameters available to configure. This is because the router knows, by looking at the access list number, that you are working with an extended access list.

Router(config)#access-list 101 permit tcp host 222.122.122.101 any eq 23

This access list will permit TCP traffic to port 23 (telnet) from IP address 222.122.122.101 to any IP address. The host keyword matches that single address, the same as giving the address with a 0.0.0.0 wildcard mask. Instead of using a port number, you can use the name of the TCP service, telnet for example, or it could be dns, echo, ftp, or another TCP service.

You can use wildcard masks with extended access lists just like with standard access lists.

To log events triggered by the access list, add the log parameter to the end of the access list entry, like this:

access-list 101 permit tcp host 222.122.122.101 any eq 23 log

The logging feature can be useful if you want to log the traffic going in or out of a particular interface. To log all traffic, just create an access list that permits all traffic and add the log parameter to it.





IPX access lists

IPX access lists are similar to IP access lists. There are standard and extended IPX access lists. Unlike an IP standard access list, a standard IPX access list can filter traffic based on both source and destination address.

The syntax for creating a standard IPX access list is:

access-list [number] [permit/deny] [source] [destination]

Just like an IP access list, an IPX access list is created from global configuration mode.

For example: access-list 801 permit 40 80

This access list will permit IPX traffic from network 40 to network 80. We use number 801 because an IPX standard access list number must be between 800 and 899.

To match any network in an IPX access list you use -1 (minus one).

For example, access-list 805 deny -1 -1 will deny IPX traffic from any network to any network.

Just like in an IP access list, there is an implicit deny at the end of an IPX access list.

To apply an IPX access list, first go to interface configuration mode, then type

Router(config-if)#ipx access-group [number] [in or out]

For example: Router(config-if)#ipx access-group 801 in





Extended IPX access lists

With extended IPX access lists you can filter traffic based on the source network/node address, the destination network/node address, the IPX protocol (such as SPX, SAP, NetBIOS, etc.), and the IPX socket (similar to a TCP port number).

The syntax for creating an IPX extended access list is:

access-list [number] [permit/deny] [protocol] [source] [socket] [destination] [socket]

The [number] must be between 900 and 999 to tell the router that it's reading an extended IPX access list.

Also, just like with an IP access list, you can add the log parameter to the end of an IPX extended access list entry to log events generated by the access list.

Example:

access-list 901 deny spx any sap any sap log

This access list will deny SAP traffic from any network to any network, and events will be logged.

Another example:

access-list 902 deny rip 300 rip 600 log

This access list will deny all IPX RIP (not the same as IP RIP) from entering from network 300 to network 600, and all events will be logged.

The procedure and syntax for applying an extended IPX access list to an interface are the same as for a standard IPX access list.





Monitoring access lists

There are several commands that you can use to view your access lists. From privileged mode, show access-list will display all access lists configured on the router, their numbers, and all the lines in them.

To view IP access lists, use show ip interface (or sh ip int). This will display the IP interface configurations, including the numbers of the outgoing and inbound access lists.

To view IPX access lists, use show ipx interface. This will show the interfaces that are configured with IPX, and the IPX access lists associated with them.

Another useful command to view access lists is show run, entered from privileged mode. This will show the running configuration, including the access groups applied to particular interfaces.

