14-1 IP Access Lists

  • Standard IP access lists can be used to match against a specific source address or range of source addresses.

  • Extended IP access lists can be used to match against source and destination addresses, protocols, source and destination port numbers, and Quality of Service parameters.

  • IP access lists can be defined by number or name. Numbered access lists cannot be edited and must be cleared and reentered if changes are needed. Named access lists can be edited by clearing specific lines.

  • Dynamic IP access lists can be used to maintain a dynamic or changing list of matching conditions.

  • Time range IP access lists can be used to apply matching conditions during a specified date and time period.

  • IP prefix lists can be used to match against a specific number or range of address bits, as the leftmost portion of the IP address.

Configuration

  1. Define a standard IP access list (source address only).

    1. Numbered access list:

       (global) access-list acc-list {permit | deny} source [source-mask] [log]

      -OR-

    2. Named access list:

       (global) ip access-list standard name
       (access-list) {permit | deny} source [source-mask] [log]

      IP access lists can be referenced by number or by name. The standard access list number acc-list is in the range of 1 to 99 or 1300 to 1999. For a named access list, a text string name is given. Only the source IP address source can be matched. The source-mask field is used to mask bits of the source address that do not need to be matched. A 1 bit in the mask indicates a don't-care address bit, and a 0 bit marks an address bit that must match exactly. (Think of the mask as the opposite of a subnet mask.) If all addresses are to be matched, you can replace the source and source-mask fields with the keyword any. If a specific host address is to be matched, you can replace the source and source-mask fields with the keyword host followed by its IP address.

      The log keyword can be used to cause the router to send messages to the console or other logging facilities. (See Section 1-5 for information about system logging configuration.) A log entry is made for the first packet that matches the access list command, whether it is permitted or denied. After that, the router sends log messages every 5 minutes with the total number of matching packets for that time interval.

      A text-string comment can be added to a numbered access list using the access-list acc-list remark remark command. It can be added to a named access list by using the remark remark command.
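      The wildcard-mask rule and the first-match evaluation described above can be checked with a small evaluator. The Python below is an added example, not code from the Cisco Field Manual or from Cisco IOS. It parses standard access list lines in the syntax shown above (numbered or named form, the any and host keywords, an optional trailing log) and applies them to a source address, ending with the implicit deny that closes every list. The sample list is constructed from the two entries of access list 10 in the Examples section, plus one deny entry that is shadowed by the permit above it.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the mask is 'don't care',
    a 0 bit means that bit of addr must equal the same bit of base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_standard_entry(line):
    """Parse one standard-ACL line (numbered or named form) into
    (action, base, wildcard); remark lines yield None."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    if tokens[0] == "remark":
        return None
    action = tokens[0]                      # 'permit' or 'deny'
    if tokens[1] == "any":                  # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if tokens[1] == "host":                 # host A == A 0.0.0.0
        return action, tokens[2], "0.0.0.0"
    base = tokens[1]
    # A missing mask means 0.0.0.0 (exact host match); 'log' may follow the mask.
    wildcard = tokens[2] if len(tokens) > 2 and tokens[2] != "log" else "0.0.0.0"
    return action, base, wildcard


def evaluate_standard_acl(lines, source):
    """Return (action, matched_line) for a source address. Entries are tested
    in order and the first match wins; a packet matching nothing hits the
    implicit 'deny any' at the end of every list (matched_line is None)."""
    for line in lines:
        entry = parse_standard_entry(line)
        if entry is None:
            continue
        action, base, wildcard = entry
        if wildcard_match(source, base, wildcard):
            return action, line
    return "deny", None


# Constructed sample: standard list 10 from the Examples section, followed by
# a deny that can never fire because the network permit above it matches first.
SAMPLE_ACL_10 = [
    "access-list 10 permit 192.168.204.0 0.0.0.255",
    "access-list 10 permit host 192.168.44.3",
    "access-list 10 deny host 192.168.204.5",   # shadowed: first match wins
]

if __name__ == "__main__":
    for src in ("192.168.204.5", "192.168.44.3", "192.168.44.4"):
        print(src, evaluate_standard_acl(SAMPLE_ACL_10, src))
```

      The shadowed third entry is the kind of ordering mistake worth checking for before applying a list: the router accepts it, but it never takes effect. Because the mask is bitwise, a non-contiguous wildcard such as 0.0.0.254 is also legal and matches only hosts whose last address bit agrees with the base address.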

  2. Define an extended IP access list (source and destination addresses and other parameters).

    1. Numbered access list:

       (global) access-list acc-list [dynamic dyn-name [timeout minutes]] {permit | deny} protocol source source-mask destination destination-mask [precedence precedence] [dscp dscp] [tos tos] [fragments] [log | log-input] [time-range time-range-name]

      -OR-

    2. Named access list:

       (global) ip access-list extended name
       (access-list) [dynamic dyn-name [timeout minutes]] {permit | deny} protocol source source-mask destination destination-mask [precedence precedence] [dscp dscp] [tos tos] [fragments] [reflect reflect-list [timeout seconds]] [log | log-input] [time-range time-range-name]

      IP access lists can be referenced by number or by name. The extended access list number acc-list is in the range of 100 to 199 or 2000 to 2699. For a named access list, a text string name is given. Both the source and destination IP addresses can be matched. The source-mask and destination-mask fields are used to mask bits of the address that do not need to be matched. A 1 bit in the mask indicates a don't-care address bit, and a 0 bit marks an address bit that must match exactly. (Think of the mask as the opposite of a subnet mask.) If all addresses are to be matched, you can replace the address and mask fields with the keyword any. If a specific host address is to be matched, you can replace the address and mask fields with the keyword host followed by its IP address.

      The dynamic and timeout keywords can be used to make this access list operate as a dynamic or Lock and Key access list. (See Section 13-4 for more information.) In a named access list, the reflect keyword and an optional timeout value can be used to create a reflexive access list. (See Section 13-5 for more information.)

      The protocol field specifies which IP protocol will be used to match. The protocol can be one of ip (any IP protocol), tcp, udp, eigrp (EIGRP routing protocol), gre (Generic Routing Encapsulation), icmp (Internet Control Message Protocol), igmp (Internet Group Management Protocol), igrp (IGRP routing protocol), ipinip (IP-in-IP tunnel), nos (KA9Q Network Operating System compatible IP over IP tunnel), ospf (OSPF routing protocol), or an IP protocol number (0 to 255).

      If the protocol is icmp, additional fields can be used for further filtering. One or more of icmp-type, icmp-type icmp-code, or icmp-message can be added to the command line. The icmp-type field is the ICMP message type (0 to 15), and the icmp-code is an optional ICMP message code (0 to 255). The icmp-message field is a text string name, chosen from the following: administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.

      If the protocol is igmp, an additional IGMP message type field can be added for further filtering, chosen from the following: dvmrp, host-query, host-report, pim, and trace.

      The precedence keyword can be used to match the IP precedence value, given as a number (0 to 7) or as a text string. Available values are critical (5), flash (3), flash-override (4), immediate (2), internet (6), network (7), priority (1), and routine (0).

      The dscp keyword can be used to match the Differentiated Services Code Point (DSCP) bits contained in the Differentiated Services (DS) byte of an IP packet. The dscp value can be given as a number (6 bits: 0 to 63) or as a text string name. Available names are default (000000), ef (101110), af11 (Assured Forwarding [AF], 001010), af12 (001100), af13 (001110), af21 (010010), af22 (010100), af23 (010110), af31 (011010), af32 (011100), af33 (011110), af41 (100010), af42 (100100), af43 (100110), cs1 (Class Selector [CS], precedence 1, 001000), cs2 (precedence 2, 010000), cs3 (precedence 3, 011000), cs4 (precedence 4, 100000), cs5 (precedence 5, 101000), cs6 (precedence 6, 110000), and cs7 (precedence 7, 111000).

      The tos keyword matches the type of service level (0 to 15). Available values are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.

      The fragments keyword can be used to match packets that are not initial fragments.

      For protocol types tcp and udp, the command syntax is changed slightly to allow the matching of TCP or UDP source and destination port numbers. The syntax becomes

       ... {permit | deny} {tcp | udp} source source-mask [operator [source-port]] destination destination-mask [operator [dest-port]] ...

      You can specify an operator to determine how the source and destination port numbers are to be matched. You can use the operators lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (within a range given by two port number values). The source and destination ports are given as a number (0 to 65535) or as a text string port name.

      Available TCP names are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www (actually HTTP, port 80). In addition, the established keyword can be used to match packets from established connections, or packets that have either the RST or ACK bits set.

      Available UDP names are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.

      A permit or deny statement in an extended IP access list can be applied during a time range using the time-range keyword. A time range must first be defined with a time-range-name using the following commands. The time-range-name must also be applied to the extended access list.

       (global) time-range time-range-name
       (time-range) periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
       (time-range) absolute [start time date] [end time date]

      Time ranges can be specified as one or more periodic definitions. The days-of-the-week field can be daily (Monday through Sunday), weekdays (Monday through Friday), weekend (Saturday and Sunday), Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday. The time hh:mm is given in 24-hour format. The router should be configured with NTP or have its clock and calendar set accurately.

      Time ranges can also be specified as one absolute definition, with optional start and end times. The time is specified in hh:mm 24-hour format. The date fields must be formatted as day month year, as in 1 April 1963.
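      The port operators, the established keyword, the dscp match and the time-range binding described above combine into one evaluation, which the Python below makes concrete. It is an added example, not code from the Cisco Field Manual or from Cisco IOS: it parses extended access list lines in the syntax shown above (numbered or named form, any/host/mask address forms, lt/gt/eq/neq/range port operators, and the trailing established, dscp and time-range keywords) and applies them to a packet. The packet is a constructed dictionary, PORT_NAMES is a constructed subset of the name tables given above, and active time ranges are passed in as a set of names rather than computed from the clock. Precedence, tos, fragments, ICMP/IGMP types, reflexive and dynamic lists are not modeled. The sample list is access list 105 from the Examples section.

```python
import ipaddress

# Constructed name-to-port table: only names used on this page. IOS knows the
# full TCP and UDP name lists given above; extend this table as needed.
PORT_NAMES = {"telnet": 23, "smtp": 25, "dns": 53, "domain": 53,
              "www": 80, "http": 80, "ntp": 123, "snmp": 161}

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """1 bit in the wildcard mask = don't care, 0 bit = must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def _parse_address(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i] -> ((base, wc), next)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_port_op(tokens, i):
    """Consume an optional 'lt|gt|eq|neq P' or 'range P1 P2' -> ((op, p1, p2) or None, next)."""
    if i < len(tokens) and tokens[i] in ("lt", "gt", "eq", "neq"):
        return (tokens[i], _port(tokens[i + 1]), None), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i

def port_matches(op, port):
    if op is None:                          # no operator: any port matches
        return True
    name, p1, p2 = op
    if name == "lt":
        return port < p1
    if name == "gt":
        return port > p1
    if name == "eq":
        return port == p1
    if name == "neq":
        return port != p1
    return p1 <= port <= p2                 # range, inclusive at both ends

def parse_extended_entry(line):
    """Parse one numbered or named extended-ACL line into a dict; remarks -> None."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    if tokens[0] == "remark":
        return None
    e = {"action": tokens[0], "protocol": tokens[1]}
    i = 2
    e["src"], i = _parse_address(tokens, i)
    e["sport"], i = _parse_port_op(tokens, i)
    e["dst"], i = _parse_address(tokens, i)
    e["dport"], i = _parse_port_op(tokens, i)
    rest = tokens[i:]                       # trailing keywords: established, dscp, time-range, log ...
    e["established"] = "established" in rest
    e["dscp"] = rest[rest.index("dscp") + 1] if "dscp" in rest else None
    e["time_range"] = rest[rest.index("time-range") + 1] if "time-range" in rest else None
    return e

def entry_matches(e, pkt, active_ranges):
    """pkt is a constructed dict: protocol, src, dst, sport, dport, optional dscp/ack/rst."""
    if e["time_range"] is not None and e["time_range"] not in active_ranges:
        return False                        # entry is inactive outside its time range
    if e["protocol"] != "ip" and e["protocol"] != pkt["protocol"]:
        return False
    if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
        return False
    if e["protocol"] in ("tcp", "udp") and not (
            port_matches(e["sport"], pkt["sport"]) and port_matches(e["dport"], pkt["dport"])):
        return False
    if e["dscp"] is not None and pkt.get("dscp") != e["dscp"]:
        return False
    if e["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False                        # 'established' requires ACK or RST set
    return True

def evaluate_extended_acl(lines, pkt, active_ranges=frozenset()):
    """First matching entry wins; the implicit deny all returns ('deny', None)."""
    for line in lines:
        e = parse_extended_entry(line)
        if e is not None and entry_matches(e, pkt, active_ranges):
            return e["action"], line
    return "deny", None

# Constructed sample: numbered list 105 from the Examples section of this page
ACL_105 = [
    "access-list 105 deny udp any any eq dns",
    "access-list 105 permit tcp host 192.168.14.4 172.17.66.0 0.0.0.255 eq telnet",
    "access-list 105 permit ip any any dscp ef",
    "access-list 105 permit udp any any",
    "access-list 105 deny tcp 192.168.111.0 0.0.0.255 any eq http time-range BlockHTTP",
]
```

      Two things the evaluator makes visible that the list alone does not: a packet marked dscp ef is permitted by the third entry whatever its ports, because the dscp match is the only condition on that line, and HTTP from 192.168.111.0 is denied both inside the time range (by the explicit entry) and outside it (by the implicit deny all), so the time range in list 105 changes which counter increments but not the outcome.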

  3. Define an IP prefix list (matches prefix address bits).

    1. Create an entry in a prefix list:

       (global) ip prefix-list list-name [seq seq-value] {deny | permit} network/length [ge ge-value] [le le-value]

      A match entry is added to the prefix list named list-name (text string). By default, prefix list entries are automatically numbered in increments of 5, beginning with the number 5. Match entries are evaluated in sequence, starting with the lowest sequence number. You can assign a specific sequence number to the entry by specifying the seq keyword, along with the seq-value (a positive number).

      The prefix list entry matches an IP address against the network (a valid IP network address) and length (the number of leftmost bits in the address) values. The ge (greater than or equal to a number of bits) and le (less than or equal to a number of bits) keywords can also be used to define a range of the number of prefix bits to match. A range can provide a more specific matching condition than the network/length values alone.

    2. Add a text description to a prefix list:

       (global) ip prefix-list list-name description text

      The string text is added as a description line in the prefix list named list-name.
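      The sequence numbering, the ge/le length range and the description entries described in this step can be exercised with the evaluator below. It is an added example, not code from the Cisco Field Manual or from Cisco IOS. It parses ip prefix-list lines in the syntax shown above, assigns sequence numbers in increments of 5 to entries given without seq, skips description lines, and evaluates routes in sequence order with an implicit deny at the end. The length-range rules it applies (no ge/le: exactly length; ge only: ge up to 32; le only: length up to le; both: ge up to le) follow IOS behavior as the author of this example understands it, and the sample list is MyNetworks from the Examples section with a constructed description line added.

```python
import ipaddress


def parse_prefix_list_entry(line):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} NET/LEN [ge G] [le L]'.
    Description lines return None."""
    tokens = line.split()
    if tokens[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list command: " + line)
    name, rest = tokens[2], tokens[3:]
    if rest[0] == "description":
        return None
    seq = None
    if rest[0] == "seq":
        seq, rest = int(rest[1]), rest[2:]
    entry = {"name": name, "seq": seq, "action": rest[0],
             "network": ipaddress.ip_network(rest[1], strict=False),
             "ge": None, "le": None}
    rest = rest[2:]
    while rest:                              # optional 'ge N' / 'le N' pairs
        entry[rest[0]] = int(rest[1])
        rest = rest[2:]
    return entry


def build_prefix_list(lines):
    """Assign IOS-style sequence numbers (next multiple of 5 above the highest
    number present when the entry is typed) and return entries in sequence order."""
    entries = [e for e in map(parse_prefix_list_entry, lines) if e is not None]
    highest = 0
    for e in entries:
        if e["seq"] is None:
            e["seq"] = (highest // 5 + 1) * 5
        highest = max(highest, e["seq"])
    return sorted(entries, key=lambda e: e["seq"])


def entry_matches(e, route):
    """The route must lie inside NET/LEN and its own length must fall in the
    range implied by ge/le: neither -> exactly LEN, ge only -> ge..32,
    le only -> LEN..le, both -> ge..le."""
    r = ipaddress.ip_network(route, strict=False)
    n = e["network"]
    if r.prefixlen < n.prefixlen or not r.subnet_of(n):
        return False
    lo = e["ge"] if e["ge"] is not None else n.prefixlen
    hi = e["le"] if e["le"] is not None else (32 if e["ge"] is not None else n.prefixlen)
    return lo <= r.prefixlen <= hi


def evaluate_prefix_list(entries, route):
    """First match in sequence order wins; ('deny', None) is the implicit deny."""
    for e in entries:
        if entry_matches(e, route):
            return e["action"], e["seq"]
    return "deny", None


# Constructed sample: the MyNetworks list from the Examples section plus a description
MYNETWORKS = build_prefix_list([
    "ip prefix-list MyNetworks description routes accepted from the peer",
    "ip prefix-list MyNetworks deny 192.168.0.0/16 ge 25",
    "ip prefix-list MyNetworks permit 192.168.0.0/16 le 24",
    "ip prefix-list MyNetworks permit 172.17.0.0/16 ge 24 le 24",
])

if __name__ == "__main__":
    for route in ("192.168.10.0/25", "192.168.10.0/24", "172.17.5.0/24", "172.17.0.0/16"):
        print(route, evaluate_prefix_list(MYNETWORKS, route))
```

      Note that 172.17.0.0/16 itself is not permitted by MyNetworks: the third entry requires exactly 24 bits, so the aggregate falls through to the implicit deny. Giving an entry an explicit seq lower than the existing ones moves it ahead in evaluation without retyping the list, which is the editing advantage sequence numbers provide.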

Examples

Standard IP access list 10 is used to permit traffic with a source address from any host on the 192.168.204.0 network. Traffic from the IP address 192.168.44.3 is also permitted.

The standard named IP access list list10 performs the same function as numbered access list 10. This is done to show the same function configured two different ways.

  access-list 10 permit 192.168.204.0 0.0.0.255
  access-list 10 permit host 192.168.44.3
  ip access-list standard list10
   remark This is the same as access-list 10 above
   permit 192.168.204.0 0.0.0.255
   permit host 192.168.44.3

Extended IP access list 105 is used to deny all DNS traffic. Telnet traffic between host 192.168.14.4 and any host on the 172.17.66.0 network is permitted. All IP packets with a DSCP value of ef (expedited forwarding) are permitted. All other UDP traffic is permitted (remember that DNS UDP traffic was denied earlier). Lastly, HTTP traffic from hosts on the 192.168.111.0 network to anywhere is blocked on weekdays from 8:00 a.m. to 5:00 p.m. through the use of a time range. Recall that every access list has an implicit deny all as a hidden command at the end of the list. Every permit or deny command you enter is placed above the deny all.

  access-list 105 deny udp any any eq dns
  access-list 105 permit tcp host 192.168.14.4 172.17.66.0 0.0.0.255 eq telnet
  access-list 105 permit ip any any dscp ef
  access-list 105 permit udp any any
  access-list 105 deny tcp 192.168.111.0 0.0.0.255 any eq http time-range BlockHTTP
  ip access-list extended List105
   remark This does the same function as access-list 105 above
   deny udp any any eq dns
   permit tcp host 192.168.14.4 172.17.66.0 0.0.0.255 eq telnet
   permit ip any any dscp ef
   permit udp any any
   deny tcp 192.168.111.0 0.0.0.255 any eq http time-range BlockHTTP
  time-range BlockHTTP
   periodic weekdays 8:00 to 17:00

IP prefix list MyNetworks is used to deny networks (or routes) of 192.168.0.0 containing 25 or more network bits in their masks. Routes are permitted for 192.168.0.0 if they contain from 16 to 24 network bits. Routes from 172.17.0.0 are permitted if they have exactly 24 network bits.

  ip prefix-list MyNetworks deny 192.168.0.0/16 ge 25
  ip prefix-list MyNetworks permit 192.168.0.0/16 le 24
  ip prefix-list MyNetworks permit 172.17.0.0/16 ge 24 le 24


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185