Creating and Applying an IP Standard Access List

The network shown in Figure 10.7 is used to illustrate IP standard access lists.

Figure 10.7. Configuring a standard access list.


In this example, suppose you want to permit the following devices to have access to network 172.16.4.0:

  • Any device on network 172.16.14.0

  • Any device on network 172.16.3.0 except 172.16.3.5

  • Only the device with the IP address of 172.16.12.4 on network 172.16.12.0

Applying an IP standard access list to a router interface involves two steps. The first step is to create the access list, which lists all the source addresses that are permitted or denied access. The second step is to apply the access list to the interface on which you are restricting either outbound or inbound traffic. By applying the access-group command to interface Ethernet 0, you can restrict access to network 172.16.4.0. The commands to create this access list are as follows:

 NFLD#configure terminal
 NFLD(config)#access-list 5 permit 172.16.14.0 0.0.0.255
 NFLD(config)#access-list 5 deny 172.16.3.5 0.0.0.0
 NFLD(config)#access-list 5 permit 172.16.3.0 0.0.0.255
 NFLD(config)#access-list 5 permit 172.16.12.4 0.0.0.0
 NFLD(config)#access-list 5 deny 0.0.0.0 255.255.255.255

These commands restrict and permit the traffic detailed in the requirements. The first access-list entry permits all users from network 172.16.14.0 to pass through the access list on Ethernet 0. Note that the source-wildcard of 0.0.0.255 indicates that every host ID in the last octet can be ignored, thus allowing all IP addresses between 172.16.14.0 and 172.16.14.255 access. The second access-list command prevents host 172.16.3.5 from passing through the access list. Note that the source-wildcard of 0.0.0.0 indicates that only the source address specified (172.16.3.5) is denied access. The third access-list command permits all users on network 172.16.3.0 to pass through the access list. Note that host 172.16.3.5 will still not be allowed to pass through the access list, because any traffic from this host was already dropped by the previous deny command. The order in which a permit or deny command is placed in an access list is extremely important.

When adding new entries to existing access lists, it is sometimes necessary to reorder the access list so that it will filter traffic correctly. Often, the best way to reorder the entries is to copy all the entries into a text file, add or remove the required entries, and reorder them in that text file. After you have them ordered correctly, add them all to the router configuration.

The fourth access-list entry permits only user 172.16.12.4 to pass through the access list. Finally, the last access-list command is implicit whenever an access list is created; therefore, any packet (other than one generated by the router holding the access list) that does not match one of the permit entries is dropped. You do not have to configure this deny entry.
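As an added illustration (this script is not from the book and is not Cisco IOS code), the following Python models how a router walks a standard access list top-down, stopping at the first matching entry and falling through to the implicit deny. It parses the access-list 5 lines from the example above, leaving out the explicit deny-all line because the evaluator supplies the implicit deny itself, and it also builds a deliberately misordered copy with the host deny placed after the network permit, which is the ordering mistake the text warns about. The wildcard arithmetic (XOR the addresses, mask off the ignored bits) is the standard interpretation of a Cisco wildcard, where a 1 bit means "do not care."

```python
# Added example: top-down evaluation of a Cisco-style IP standard access list.
# Constructed for illustration; not from the book or from Cisco IOS.
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask (1 bits are ignored)."""
    differing = _to_int(addr) ^ _to_int(base)
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (differing & care_bits) == 0


def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny SOURCE [SOURCE-WILDCARD]' lines
    into (action, base, wildcard) tuples, keeping the configured order."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, base = parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default: exact host
        entries.append((action, base, wildcard))
    return entries


def evaluate(entries, src):
    """Return 'permit' or 'deny' for a source address. First match wins;
    a packet that matches nothing hits the implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny all


# Access list 5 from the example (constructed input; the implicit deny is omitted).
ACL_5 = parse_standard_acl([
    "access-list 5 permit 172.16.14.0 0.0.0.255",
    "access-list 5 deny 172.16.3.5 0.0.0.0",
    "access-list 5 permit 172.16.3.0 0.0.0.255",
    "access-list 5 permit 172.16.12.4 0.0.0.0",
])

# Same entries with the host deny and the network permit swapped:
# the permit for 172.16.3.0/24 now matches first, so the deny is never reached.
ACL_5_MISORDERED = [ACL_5[0], ACL_5[2], ACL_5[1], ACL_5[3]]

if __name__ == "__main__":
    for src in ("172.16.14.77", "172.16.3.5", "172.16.3.6", "172.16.12.4", "172.16.12.5"):
        print(f"{src:14} correct order: {evaluate(ACL_5, src):6} "
              f"misordered: {evaluate(ACL_5_MISORDERED, src)}")
```

Running the script shows 172.16.3.5 denied under the configured order but permitted under the misordered copy, while 172.16.12.5 is dropped in both cases because nothing matches it before the implicit deny.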

Before these access list entries can filter traffic, they must be applied to the interface as an access group. The access lists are going to be applied to outbound packets on Ethernet 0. Therefore, any packet attempting to travel out interface Ethernet 0 must match one of the entries in access group 5. The steps to configure an outbound access list on Ethernet 0 are as follows:

 NFLD#config t
 Enter configuration commands, one per line. End with CNTL/Z.
 NFLD(config)#interface ethernet 0
 NFLD(config-if)#ip access-group 5 out

Here, access-group 5 has been applied to the outbound Ethernet 0 interface. Now, every packet that is sent out the Ethernet 0 interface will be checked to see if it matches.

More complicated scenarios for restricting access through an interface exist. Sometimes a network administrator wants to permit only a range of IP addresses through an access list. However, it is more complicated to permit access to a range of IP addresses that do not fall exactly on octet bit boundaries. A second example follows to illustrate this scenario.

Continue to use the network provided in Figure 10.7; however, in this case you want to permit only the devices with IP addresses between 172.16.3.32 and 172.16.3.39 to have access to network 172.16.4.0.

For this scenario, you must determine the proper source-wildcard mask to apply to allow access to devices in the IP address range 172.16.3.32 through 172.16.3.39. Start with the IP address 172.16.3.32 to create this access list.

Next, apply a source-wildcard mask that allows eight consecutive addresses in the fourth octet. Table 10.10 illustrates the proper source IP address and source wildcard in binary and decimal format for this example.

Table 10.10 illustrates that by applying the source-wildcard mask of 0.0.0.7, a range of IP addresses that do not fall on an octet boundary has been allowed.

Table 10.10a. Applying a Source-wildcard Mask to a Source IP Address in Binary Format

Source Address in Bits    Binary                                Decimal
Source address            10101100.00010000.00000011.00100000   172.16.3.32
Source-wildcard           00000000.00000000.00000000.00000111   0.0.0.7
Permitted address 1       10101100.00010000.00000011.00100000   172.16.3.32
Permitted address 2       10101100.00010000.00000011.00100001   172.16.3.33
Permitted address 3       10101100.00010000.00000011.00100010   172.16.3.34
Permitted address 4       10101100.00010000.00000011.00100011   172.16.3.35
Permitted address 5       10101100.00010000.00000011.00100100   172.16.3.36
Permitted address 6       10101100.00010000.00000011.00100101   172.16.3.37
Permitted address 7       10101100.00010000.00000011.00100110   172.16.3.38
Permitted address 8       10101100.00010000.00000011.00100111   172.16.3.39

Each permitted address is determined by taking the bits indicated as ignored bits by the source-wildcard mask and listing the possible permutations. Here are a few good rules to know:

  • When you're grouping IP addresses, the group size is always a power of 2 (2, 4, 8, 16, and so forth).

  • Any time IP addresses are grouped together, the first IP address in the group is divisible by the size of the group. For example, a group of eight IP addresses can start only on multiples of eight (8, 16, 24, and so forth).

  • The wildcard mask is always one less than the group size. For example, a group of eight has a wildcard mask of seven. A group of 64 has a wildcard mask of 63.
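The following Python script is an added example (not from the book or from Cisco IOS) that applies the three rules above mechanically: given the first and last address of a range, it checks that the group size is a power of two and that the first address is aligned to a multiple of that size, then returns the source address and wildcard mask for a single access-list entry. It also enumerates every address the entry covers, which reproduces the rows of Table 10.10a, and it generalizes beyond the fourth octet (a block of 256 or 512 addresses yields a mask such as 0.0.0.255 or 0.0.1.255). Ranges that break the rules, for example 172.16.3.33 through 172.16.3.40, are rejected rather than silently widened, because an overly wide wildcard would permit addresses the requirement never named.

```python
# Added example: derive a wildcard mask for an address range and list what it covers.
# Constructed for illustration; not from the book or from Cisco IOS.
import ipaddress


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_for_range(first, last):
    """Return (base, wildcard) covering exactly first..last as one access-list entry.
    Raises ValueError when the range cannot be expressed with a single entry."""
    lo, hi = _ip(first), _ip(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1):       # rule 1: group size is a power of 2
        raise ValueError(f"{size} addresses is not a power of 2")
    if lo % size:                            # rule 2: first address is a multiple of the size
        raise ValueError(f"{first} is not aligned to a block of {size}")
    wildcard = size - 1                      # rule 3: wildcard is one less than the group size
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(wildcard))


def permitted_addresses(base, wildcard):
    """Enumerate every address matched by base/wildcard by permuting the ignored bits."""
    b, w = _ip(base), _ip(wildcard)
    ignored_bits = [i for i in range(32) if (w >> i) & 1]
    fixed_part = b & ~w & 0xFFFFFFFF         # the bits the mask says must match
    addresses = []
    for n in range(1 << len(ignored_bits)):
        addr = fixed_part
        for k, bit in enumerate(ignored_bits):
            if (n >> k) & 1:
                addr |= 1 << bit
        addresses.append(str(ipaddress.IPv4Address(addr)))
    return sorted(addresses, key=_ip)


def to_binary(dotted):
    """Dotted decimal to dotted binary, the notation used in Table 10.10a."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


if __name__ == "__main__":
    base, wild = wildcard_for_range("172.16.3.32", "172.16.3.39")
    print(f"access-list 6 permit {base} {wild}")   # access list number 6 is a made-up example
    for addr in permitted_addresses(base, wild):
        print(to_binary(addr), addr)
    try:
        wildcard_for_range("172.16.3.33", "172.16.3.40")
    except ValueError as err:
        print("cannot express with one entry:", err)
```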

Although IP standard access lists provide a powerful set of tools for restricting access, they can only restrict access based on the source IP address. IP extended access lists increase the variables that can be used to restrict access through an interface.

IP Extended Access Lists

IP standard access lists filter traffic based on the source IP address only; therefore, administrators can use this tool to restrict access to specific users only. Because administrators wanted more control of the traffic that could travel through interfaces, Cisco responded with IP extended access lists, which perform the same basic function as standard access lists (permitting and denying IP packets through an interface) but extend the types of IP traffic that can be filtered. Consequently, IP extended access lists allow for more precise filtering of IP traffic. Whereas IP standard access lists allow only source IP address filtering, IP extended access lists provide source and destination IP address filtering. In addition, IP extended access lists filter on Layer 4 protocols, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP); look into the TCP or UDP header; and allow filtering on TCP/UDP port numbers.

In addition, IP extended access lists allow filtering based on the IP precedence field, TOS field, icmp-type, icmp-code, icmp-message, igmp-type, and TCP-established connections. This book covers only source and destination address, IP protocol, and TCP/UDP port numbers.

IP Extended Access List Commands

The steps taken to create and apply an IP extended access list are the same as those used for an IP standard access list. First, create the access list entries. Second, apply the access list group to the interface where you want to filter traffic.


It is important to enter IP extended access list entries in the correct order. Also, an implicit deny all traffic entry is at the end of every IP extended access list.


The command to create an IP extended access list is very similar to the command used to create an IP standard access list. However, the additional filtering capabilities require some additional fields in the command. The command to create an access list is as follows:

 access-list access-list-number {deny | permit} protocol source source-wildcard [operator port [port]] destination [destination-wildcard] [operator port [port]]

Because how to read the command list was covered in the IP standard access list section, only the additional fields are discussed here. The first noticeable difference is the addition of the protocol field. This field is typically filled with TCP or UDP (other possibilities exist, but these are beyond the scope of this book and the CCNA exam). The operator port [port] field is used to indicate the TCP/UDP port or range of ports for the source and source-wildcard fields. In addition, the destination and destination-wildcard fields are added with their corresponding operator port [port] field. Basically, the fields necessary to filter traffic on source and destination addresses, the IP protocol (TCP or UDP), and port numbers have been added. In addition, the access-list-number field must now be a number between 100 and 199, as indicated in Table 10.8. A complete list of all of the fields in the IP extended access list command is provided in Table 10.11.

Table 10.11. Access List Command Field Descriptions

Access List Command      Description
access-list-number       Identifies the access list to which the entry belongs
deny                     Denies access if the condition is matched
permit                   Permits access if the condition is matched
protocol                 Name or number of the IP protocol
source                   Number of the network or host from which the packet is being sent
source-wildcard          Wildcard bits to be applied to the source
destination              Number of the network or host to which the packet is being sent
destination-wildcard     Wildcard bits to be applied to the destination
precedence               Filter packets by precedence level
tos                      Filter packets by type of service
icmp-type                Filter packets by icmp-type
icmp-code                Filter packets by icmp-code
icmp-message             Filter packets by icmp-message
igmp-type                Filter packets by igmp-type
operator                 Compares source or destination ports
port                     Decimal value or name of a TCP or UDP port
established              Indicates an established connection
log                      Causes an informational logging entry

To apply an IP extended access list, use the same IP access group command that is used for standard access lists. Simply apply the access list to the interface where you want to filter traffic.

Creating and Applying an IP Extended Access List

To illustrate the use of the IP extended access list functionality, continue to use the network shown in Figure 10.7. In this example, you want to extend the types of traffic being filtered. Suppose you want to permit the following traffic to pass through your access list:

  • Any device on network 172.16.14.0 is permitted to communicate with any device on network 172.16.4.0 using IP, TCP, and port number 23 (Telnet).

  • Device 172.16.14.2 is permitted to communicate with device 172.16.4.4 using IP, UDP, and UDP port number 69 (TFTP).

  • Device 172.16.14.3 is permitted to communicate with any device on any network using IP and TCP for any port number.

The following commands create this access list:

 NFLD#configure terminal
 NFLD(config)#access-list 105 permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 0.0.0.255 eq 23
 NFLD(config)#access-list 105 permit udp host 172.16.14.2 host 172.16.4.4 eq 69
 NFLD(config)#access-list 105 permit tcp host 172.16.14.3 any any
 NFLD(config)#access-list 105 deny any any

Let's discuss these access list entries. The first entry performs the extended functionality by indicating that only TCP traffic from any device on network 172.16.14.0 (indicated by the source-wildcard mask of 0.0.0.255) is permitted to communicate with 172.16.4.0 (indicated by the destination-wildcard of 0.0.0.255) using the TCP port number (indicated by the operator eq and the port number 23). The operator eq stands for "equal to." A subset of the different possible operators is supplied in Table 10.12.

Table 10.12. Extended Access List Command Field Descriptions

Operator    Meaning
eq          Match only packets on a given port number
lt          Match only packets with a lower port number
gt          Match only packets with a greater port number
range       Match only packets in the range of port numbers

The second entry introduces the word "host" into the command; this is a short way of indicating the wildcard mask 0.0.0.0. However, the "host" keyword precedes the IP address, versus the traditional trailing wildcard mask. So, in this entry, only the device with the IP address 172.16.14.2 has been allowed to communicate with device 172.16.4.4 using UDP on port number 69 (TFTP).

The third entry introduces the word "any" into the command. Similar to the word "host" in the preceding condition, the "any" keyword is a short way of indicating any source or destination address with the wildcard mask 255.255.255.255. This mask indicates that all IP addresses are being described; therefore, it does not matter what source or destination IP address is specified. In this case, all destination addresses have been described. So, in this entry, the device with IP address 172.16.14.3 has been allowed to communicate with any device using TCP on any port number.

The last entry, deny any any, is the implicit deny all statement. It is not necessary to add this entry, because it is always there.
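To show how the extended entries are matched, here is an added Python model (not from the book and not Cisco IOS code) that parses the three access-list 105 lines exactly as written above, including the host and any shorthands and the eq operator, and evaluates constructed packets against them in order. The explicit deny line is left out of the parsed input because the evaluator supplies the implicit deny itself. The model goes a little beyond the text: it also accepts the lt, gt and range operators from Table 10.12 and treats a protocol of ip as matching any transport, which is how IOS behaves; every packet below is a made-up sample, not captured traffic.

```python
# Added example: parse and evaluate Cisco-style IP extended access-list entries.
# Constructed for illustration; not from the book or from Cisco IOS.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens, i):
    """Parse 'host A' | 'any' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # any == 0.0.0.0 255.255.255.255
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2  # host A == A 0.0.0.0
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq|lt|gt N' or 'range LO HI'; return (predicate, next_i)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        op, n = tokens[i], int(tokens[i + 1])
        preds = {"eq": lambda p: p == n, "lt": lambda p: p < n, "gt": lambda p: p > n}
        return preds[op], i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i                  # no operator: any port


def parse_extended_acl(config_lines):
    """Turn 'access-list N permit|deny PROTO SRC [op] DST [op]' lines into entries."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3].lower()
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _match(addr, spec):
    base, wildcard = spec
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, pkt):
    """First matching entry decides; nothing matching means the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if (_match(pkt.src, src) and sport(pkt.sport)
                and _match(pkt.dst, dst) and dport(pkt.dport)):
            return action
    return "deny"  # implicit deny all


# Access list 105 from the example (constructed input; the implicit deny is omitted).
ACL_105 = parse_extended_acl([
    "access-list 105 permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 0.0.0.255 eq 23",
    "access-list 105 permit udp host 172.16.14.2 host 172.16.4.4 eq 69",
    "access-list 105 permit tcp host 172.16.14.3 any any",
])

if __name__ == "__main__":
    samples = [                                     # made-up packets, not captured traffic
        Packet("tcp", "172.16.14.9", 40000, "172.16.4.20", 23),   # Telnet into 172.16.4.0
        Packet("tcp", "172.16.14.9", 40000, "172.16.4.20", 22),   # SSH: no entry allows it
        Packet("udp", "172.16.14.2", 5000, "172.16.4.4", 69),     # TFTP between the two hosts
        Packet("udp", "172.16.14.2", 5000, "172.16.4.5", 69),     # wrong destination host
        Packet("tcp", "172.16.14.3", 1234, "10.0.0.1", 443),      # 172.16.14.3 may use any TCP
        Packet("udp", "172.16.14.3", 1234, "10.0.0.1", 53),       # but not UDP
    ]
    for pkt in samples:
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {evaluate(ACL_105, pkt)}")
```

Note that the destination-port predicate in the first entry applies only to the packet's destination port, which is why the source-port column in the samples is irrelevant to the outcome; an operator placed after the source address would instead constrain the source port.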

The second step is applying the access list to the interface that you are restricting. Specify whether you are filtering outbound or inbound traffic by adding the keyword "out" or "in" to the end of the command. In this example, apply the access list to Ethernet 1 to illustrate the ability of IP extended access lists to filter traffic based on destination address as well as source address. The command to apply the access group to the interface is as follows:

 NFLD#config t
 Enter configuration commands, one per line. End with CNTL/Z.
 NFLD(config)#interface ethernet 1
 NFLD(config-if)#ip access-group 105 in


Notice that once you have entered configuration mode, you may only enter one command per line. Also notice that you leave configuration mode by pressing Cntl+Z. These two aspects of configuration mode have been favorite test questions.


In summary, extended access lists are used to increase the preciseness of your filtering. The steps performed to create and apply access lists do not change.



CCNA Exam Cram[tm] 2 (Exams 640-821, 640-811, 640-801)
ISBN: 789730197
EAN: N/A
Year: 2005
Pages: 155
