Extended IP Access Lists

Extended IP access lists provide far more flexibility in the specification of what is to be filtered. The basic format of the extended IP access list line is

access-list access-list-number { deny permit } protocol source source-wildcard destination destination-wildcard [ precedence precedence ][ tos tos][ log ]

Some of the features here are familiar, and some are new.

• access-list-number , for extended IP access lists, is between 100 and 199.

• protocol is a new variable that looks for a match in the protocol field of the IP packet header. The keyword choices are eigrp , gre , icmp , igmp , igrp , ip , ipinip , nos , ospf , tcp , or udp . An integer in the range 0 to 255 representing an IP protocol number may also be used. ip is a generic keyword, which will match any and all IP protocols, in the same way inverse mask 255.255.255.255 will match all addresses.

• Notice that both the source and destination packet addresses are examined for matches; each has its own inverse mask.

• precedence and tos are optional variables that look for a match in the Precedence and Type of Service fields of the IP packet header. Precedence may be an integer from 0 to 7, and TOS may be an integer from 0 to 15, or either field may be described by one of several keywords. Refer to the Cisco documentation for a list of available keywords.

• log is an optional specification that turns on informational logging.

An example of an extended IP access list is:

 
 access-list101permitip172.22.30.60.0.0.010.0.0.00.255.255.255 
 access-list101permitip172.22.30.950.0.0.010.11.12.00.0.0.255 
 access-list101denyip172.22.30.00.0.0.255192.168.18.270.0.0.0 
 access-list101permitip172.22.0.00.0.31.255192.168.18.00.0.0.255 
 access-list101denyip172.22.0.00.0.255.255192.168.18.640.0.0.63 
 access-list101permitip0.0.0.0255.255.255.2550.0.0.0255.255.255.255 
 

Line 1: IP packets with a source address of 172.22.30.6 and with a destination address that belongs to network 10.0.0.0 are permitted.

Line 2: IP packets with a source address of 172.22.30.95 and with a destination address that belongs to subnet 10.11.12.0/24 are permitted.

Line 3: IP packets with a source address that belongs to subnet 172.22.30.0/24 and with a destination address of 192.168.18.27 are dropped.

Line 4: IP packets with source addresses between 172.22.0.0 and 172.22.31.255 and with a destination address that belongs to network 192.168.18.0 are permitted.

Line 5: IP packets with a source address that belongs to network 172.22.0.0 and with a destination address whose first 26 bits are 192.168.18.64 are dropped.

Line 6: IP packets from any source to any destination are permitted.

Figure B.7 shows two shortcuts that may be used when writing extended IP access lists. Recall that standard IP access lists have a default mask of 0.0.0.0. This default does not apply to extended access lists; there would be no way for the router to interpret it correctly. An alternative exists for extended lists, however. In Figure B.7(a), packets are permitted if their source is host 172.22.30.6 and their destination is host 10.20.30.40. Any time the mask in an extended IP access list is 0.0.0.0, it may be replaced by adding the keyword host before the address.

The example in Figure B.7(b) permits any IP packets from any source to any destination. Just as with standard access lists, the any keyword may be used in place of the 0.0.0.0 255.255.255.255 address/inverse mask combination for the source, the destination, or both.

Extended access lists may be more powerful than standard access lists because the former examine more than the packet's source address, but everything has a price. The price you pay with extended lists is increased processing (Figure B.8). Because each line of the access list is examining multiple fields within the packet, multiple CPU interrupts can occur. If the access list is very large or the router is very busy, this requirement may affect performance adversely.

Keeping access lists as small as possible reduces the processing burden on the router. Also notice that when a match occurs, the specified action is invoked and processing stops. Therefore, if you can write your lists so that most matches occur in the first few lines, performance will be improved. This approach isn't always feasible , but it is something to keep in mind when designing access lists.

As an exercise, try making the access list given as an example at the beginning of this section more elegant. That is, rewrite the list with as few lines as possible without losing any of its functionality. (Hint: A list with the same functionality can be written with only three lines.)

TCP Access Lists

The format for an extended access list line that examines a TCP segment is:

access-list access-list-number { deny permit } tcp source source-wildcard [ operator port [ port ]] destination destination-wildcard [ operator port [ port ]] [ established ][ precedence precedence ][ tos tos][ log ]

Notice that the protocol variable is tcp . Probably the most significant feature here is that the access list can examine the source and destination port numbers in the TCP segment header. As a result, you have the option of filtering packets not only to and from a particular address but also to and from a particular socket (an IP address/application port combination).

• Operator specifies a logical operand. The options are eq (equal to), neq (not equal to), gt (greater than), lt (less than), and range for specifying an inclusive range of ports. If the range operator is used, two port numbers are specified.

• Port specifies the application layer port to be matched. A few common port numbers are for Telnet (23), FTP (20 and 21), SMTP (25), and SNMP (169). A complete listing of TCP port numbers can be found in RFC 1700.

  What happens if you have implemented an access list to prevent TCP sessions from being established into your network, but you want to ensure that the access list passes the responses if your network establishes a TCP session? The established keyword allows this event by checking the ACK and RST flags in the TCP segment header. If one of these flags is set, a match occurs. If neither bit is set, the source is trying to establish a TCP connection to the destination and a match will not occur. The packet will be denied on a subsequent line of the access list.

An example of a TCP access list line is:

 
 access-list110permittcpany172.22.0.00.0.255.255established 
 access-list110permittcpanyhost172.22.15.83eq25 
 access-list110permittcp10.0.0.00.255.255.255172.22.114.00.0.0.255eq23 
 

Line 1: Permit TCP packets from any source to network 172.22.0.0 if the connection was established from that network.

Line 2: Permit TCP packets from any source if the destination is port 25 (SMTP) of host 172.22.15.83.

Line 3: Allow any TCP packet with a source address from network 10.0.0.0 to telnet (port 23) to any address on subnet 172.22.114.0/24.

All other packets will be dropped by the implicit deny any .

UDP Access Lists

The format for an extended access list line that examines a UDP segment is:

access-list access-list-number { deny permit } udp source source-wildcard [ operator port [ port ]] destination destination-wildcard [ operator port [ port ]] [ precedence precedence ][ tos tos][ log ]

This format is very similar to the TCP format, except that the protocol variable now is udp . The other difference is that there is no established keyword. The reason is that UDP is a connectionless transport service, and no connections are established between hosts .

In the following example, three lines have been added to the previous TCP example:

 
 access-list110permittcpany172.22.0.00.0.255.255established 
 access-list110permittcpanyhost172.22.15.83eq25 
 access-list110permittcp10.0.0.00.255.255.255172.22.114.00.0.0.255eq23 
 access-list110permitudp10.64.32.00.0.0.255host172.22.15.87eq69 
 access-list110permitudpanyhost172.22.15.85eq53 
 access-list110permitudpanyanyeq161 
 

Line 4: Permit UDP packets from subnet 10.64.32.0/24 to the TFTP port (69) on host 172.22.15.87.

Line 5: Permit UDP packets from any source to the Domain Name Server (port 53) on host 172.22.15.85.

Line 6: Permit all SNMP packets (port 161) from any source to any destination.

The implicit deny any still drops all packets not finding a match in the list.

ICMP Access Lists

The format for an extended access list line that examines an ICMP packet is:

access-list access-list-number { deny permit } icmp source source-wildcard destination destination-wildcard [ icmp-type [ icmp-code ]][ precedence precedence ][ tos tos][ log ]

icmp is now in the protocol field. Notice that there are no source or destination ports here; ICMP is a network layer protocol. This line can be used to filter all ICMP messages, or you can use the following options to filter specific ICMP messages:

• icmp-type is a number between 0 and 255. All ICMP type numbers can be found in RFC 1700 and in this book in Table 2.5.

• The granularity of filtering may be increased by specifying icmp-code . An ICMP code specifies a subset of ICMP packet types; the codes are a number between 0 and 255 and are also found in RFC 1700 or in Table 2.5.

An example of an ICMP access list is:

 
 access-list111denyicmp172.22.0.00.0.255.255any0 
 access-list111denyicmp172.22.0.00.0.255.255any39 
 access-list111denyicmp172.22.0.00.0.255.255any310 
 access-list111permitipanyany 
 

Line 1: Deny ICMP ping responses (Echo Reply, ICMP type 0) from network 172.22.0.0 to any destination.

Line 2: Deny ICMP destination unreachable packets (type 3) with a code number of 9 (Network Administratively Prohibited) from network 172.22.0.0 to any destination.

Line 3: Deny ICMP destination unreachable packets (type 3) with a code number of 10 (Host Administratively Prohibited) from network 172.22.0.0 to any destination.

Line 4: Permit all other IP packets.