Access Lists


Access lists are essentially lists of conditions that control packet flow across router interfaces. They are powerful tools that control access both to and from network segments. They can be used for many purposes, but the two most common (and perhaps most powerful) are

  • Limit or control the amount of traffic on network segments by filtering unwanted or unnecessary packets.

  • Implement basic security by preventing packets disallowed by policy from being forwarded or received.

With the right combination of access lists, a network manager is armed with the power to enforce nearly any access policy he or she can invent.

All access lists work similarly: they are packet filters. Each packet is compared against the list, categorized by the line it matches, and acted upon according to that line. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router to analyze every packet crossing that interface in the specified direction and to take action accordingly.

There are a few important rules that a packet follows when it’s being compared to an access list:

  • It is always compared to each line of the access list in sequential order; it starts with line 1, then line 2, then line 3, and so on.

  • It is compared to lines of the access list only until a match is made. Once the packet matches a line of the access list, it’s acted upon, and no further comparisons take place.

  • There is an implicit deny at the end of each access list. This means that if a packet doesn’t match any line in the access list, it is denied. A consequence worth remembering is that an access list containing only deny statements blocks all traffic in the direction it is applied; any list that is meant to pass traffic needs at least one permit.

Access lists can permit or deny packets based on a number of criteria. The most common reasons to allow or deny a packet are

  • Protocol type

  • Source address

  • Destination address

  • Upper layer protocol port or socket

Individual types of access lists may have additional specific capabilities to filter on additional criteria. For example, extended IP access lists can filter any of the following IP protocols:

RouterA(config)#access-list 110 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

If you wish, you can permit all TCP traffic and deny all Internet Control Message Protocol (ICMP) traffic. To get even more granular in your control, you could permit or deny specific TCP ports, as follows:

RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (used infrequently, 20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

As you can see, access lists give you a great deal of control over IP traffic. Access lists for protocols other than IP offer similar features.

As mentioned earlier, access lists can apply to either outbound or inbound traffic on any given interface. This means that you can have separate policies for packets leaving and entering your network. For example, consider an Ethernet network with both users and servers. On the router’s Ethernet interface you can apply an access list that prevents your users from reaching web servers on the Internet (their packets arrive at that interface, so this is inbound traffic), while a separate list on the same interface allows users on the Internet to reach your web servers on the Ethernet network (those packets leave the interface toward the servers, so this is outbound traffic).

This outbound and inbound terminology can get a bit confusing. It helps to remember that the command is being applied to the router, not to the network, so the outbound and inbound designations refer to the router’s perspective, not that of the nodes on the network. To the router, outbound means packets leaving its interface(s) and going out to the network; inbound means packets arriving at its interface(s) from the network.

Access lists can be optimized by moving the most frequently matched lines to the top of the access list. This means that fewer comparisons are necessary before a packet matches a specific line. This can save CPU cycles, but be careful when optimizing lists. Because the first matching line decides the packet’s fate, it is possible to significantly change the function of an access list simply by changing the order of the statements: a broad permit moved above a specific deny makes that deny unreachable.
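To make the three comparison rules and the ordering caveat concrete, here is an added example (not code from the study guide, and not how IOS is implemented) that models extended IP access-list matching for a subset of the syntax shown above: permit/deny, a protocol keyword, source and destination given as any, host, or address plus wildcard mask, and an optional eq port. The access-list lines, the addresses and the packets are constructed for the example; the policy it encodes is assumed, not taken from the page.

```python
# Toy model of IOS extended IP access-list matching: sequential scan,
# first match wins, implicit deny when nothing matches.  Constructed
# example; it is not IOS code and models only a subset of the syntax.
import ipaddress

# Subset of the port keywords IOS accepts after "eq".
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "bgp": 179}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.

    Returns (network, mask); mask is the inverse of the IOS wildcard, and an
    address matches when (address & mask) == network.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    mask = ~_ip(tokens.pop(0)) & 0xFFFFFFFF   # invert the wildcard
    return _ip(tok) & mask, mask


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; gt/lt/range are not modelled here."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


class Entry:
    """One 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' line."""

    def __init__(self, line):
        self.text = line.strip()
        tokens = self.text.split()
        if tokens[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        self.number, self.action, self.proto = int(tokens[1]), tokens[2], tokens[3]
        rest = tokens[4:]
        self.src, self.src_mask = _parse_addr(rest)
        self.src_port = _parse_port(rest)
        self.dst, self.dst_mask = _parse_addr(rest)
        self.dst_port = _parse_port(rest)
        self.log = bool(rest) and rest[0] == "log"

    def matches(self, pkt):
        """pkt: dict with proto, src, dst and, for tcp/udp, sport and dport."""
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if _ip(pkt["src"]) & self.src_mask != self.src:
            return False
        if _ip(pkt["dst"]) & self.dst_mask != self.dst:
            return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def parse_acl(text):
    """Ordered list of entries from access-list lines; blank lines are skipped."""
    return [Entry(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, pkt):
    """Compare pkt to each entry in order; the first match decides.

    Returns (action, matched line text), or ("deny", "implicit deny").
    """
    for entry in acl:
        if entry.matches(pkt):
            return entry.action, entry.text
    return "deny", "implicit deny"


# Constructed policy: block Telnet to the server, allow web from the user
# LAN, let everything else through.
ACL_ORDERED = parse_acl("""
access-list 110 deny tcp any host 172.16.10.2 eq telnet log
access-list 110 permit tcp 172.16.50.0 0.0.0.255 host 172.16.10.2 eq www
access-list 110 permit ip any any
""")
# Same lines with the catch-all moved to the top: the deny is unreachable.
ACL_MISORDERED = parse_acl("""
access-list 110 permit ip any any
access-list 110 deny tcp any host 172.16.10.2 eq telnet log
access-list 110 permit tcp 172.16.50.0 0.0.0.255 host 172.16.10.2 eq www
""")
# Without "permit ip any any", everything else hits the implicit deny.
ACL_STRICT = ACL_ORDERED[:2]

TELNET = {"proto": "tcp", "src": "172.16.50.2", "dst": "172.16.10.2", "sport": 40001, "dport": 23}
WEB = {"proto": "tcp", "src": "172.16.50.2", "dst": "172.16.10.2", "sport": 40002, "dport": 80}
DNS = {"proto": "udp", "src": "172.16.50.2", "dst": "172.16.10.2", "sport": 40003, "dport": 53}

if __name__ == "__main__":
    for name, acl in (("ordered", ACL_ORDERED), ("misordered", ACL_MISORDERED), ("strict", ACL_STRICT)):
        for pkt in (TELNET, WEB, DNS):
            print(name, pkt["proto"], pkt["dport"], evaluate(acl, pkt))
```

Running it shows the Telnet packet denied by the first list, permitted by the reordered list (the catch-all matches first, so the deny is never consulted), and the DNS packet dropped by the implicit deny of the list that has no catch-all.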

It is also possible to enable logging for individual lines of some access lists by adding the log keyword to the entry. This function is useful if you are using access lists for security purposes, because it provides a record of attempts to violate your security policy. These log messages contain several pieces of useful information about the packet, including

  • Access list number

  • Time

  • Protocol

  • Source address

  • Source port

  • Destination address

  • Destination port

  • Number of packets

By default, these log messages are sent to the router console. However, the router can also be configured (with the logging command) to send them to a syslog server, where they can be stored and reviewed for security purposes.
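Once those messages reach a syslog server, the practical question is how to pull the fields listed above out of them and summarize who is being denied what. The following is an added example, not part of the study guide: a parser for the %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) message forms that IOS emits for logged entries, fed with constructed sample lines. It assumes the router’s own datetime msec timestamp precedes the message (as with service timestamps log datetime msec); any host or facility prefix a syslog server adds in front of that timestamp is ignored by the search.

```python
# Parse IOS access-list log messages and total the denied packets per
# source, destination and target port.  Sample lines are constructed for
# this example; the message layouts follow the IPACCESSLOGP/LOGDP forms.
import re
from collections import Counter

# Router timestamp (optionally preceded by '*' when the clock is not
# authoritative), then the message name and body.
LINE = re.compile(
    r"\*?(?P<time>\w{3}\s+\d+ \d+:\d+:\d+(?:\.\d+)?): "
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP): (?P<msg>.*)$")
# tcp/udp: list 110 denied tcp 10.1.1.5(43122) -> 172.16.10.2(23), 1 packet
LOGP = re.compile(
    r"list (?P<list>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
# icmp:    list 110 denied icmp 10.1.1.5 -> 172.16.10.2 (8/0), 3 packets
LOGDP = re.compile(
    r"list (?P<list>\S+) (?P<action>permitted|denied) (?P<proto>icmp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")


def parse_line(line):
    """Return a record dict for an access-list log line, or None otherwise."""
    head = LINE.search(line.strip())
    if not head:
        return None
    body_re = LOGP if head.group("kind") == "P" else LOGDP
    body = body_re.match(head.group("msg"))
    if not body:
        return None
    rec = body.groupdict()
    rec["time"] = head.group("time")
    for key in ("sport", "dport", "type", "code", "count"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """All access-list records in a block of log text, in order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_by_source(records):
    """Denied packet totals keyed by (source, destination, proto/port-or-type)."""
    totals = Counter()
    for r in records:
        if r["action"] != "denied":
            continue
        if r["proto"] in ("tcp", "udp"):
            target = "%s/%d" % (r["proto"], r["dport"])
        else:
            target = "%s/%d" % (r["proto"], r["type"])
        totals[(r["src"], r["dst"], target)] += r["count"]
    return totals


# Constructed sample: repeated Telnet and ping attempts from one outside
# host against the server, one permitted web hit, and an unrelated message.
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.7.9(51022) -> 172.16.10.2(23), 1 packet
*Mar  1 00:12:40.101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.7.9(51023) -> 172.16.10.2(23), 4 packets
*Mar  1 00:13:02.222: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 192.168.7.9 -> 172.16.10.2 (8/0), 3 packets
*Mar  1 00:13:15.003: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 172.16.50.2(40002) -> 172.16.10.2(80), 1 packet
*Mar  1 00:13:20.900: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (src, dst, target), count in denied_by_source(records).most_common():
        print("%-14s -> %-14s %-8s %d packet(s) denied" % (src, dst, target, count))
```

Note that IOS logs the first matching packet immediately and then summarizes further matches for the same flow at intervals, which is why a single message can report several packets; summing the count field, as above, rather than counting lines gives the real volume.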

There are many types of access lists available in Cisco’s IOS. In IOS versions 11.2 and later, you can use text names for IP access lists. In earlier IOS versions, and for other protocols, access lists are numbered, and the number range indicates the protocol and type of the access list. Here is the list of access list number ranges as the router reports them:

RouterA(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list




CCDA: Cisco Certified Design Associate Study Guide, 2nd Edition (640-861)
ISBN: 0782142001
Year: 2002
Pages: 201
