Access lists are essentially lists of conditions that control packet flow across router interfaces. They’re powerful tools that control access both to and from network segments. They can be used for many purposes, but the two most common (and perhaps powerful) are
Limit or control the amount of traffic on network segments by filtering unwanted or unnecessary packets.
Implement basic security by preventing packets disallowed by policy from being forwarded or received.
With the right combination of access lists, a network manager is armed with the power to enforce nearly any access policy he or she can invent.
All access lists work the same way: they are packet filters. Each packet is compared against the list, classified by the line it matches, and acted upon according to that line. Once a list is built, it can be applied to inbound or outbound traffic on any interface. Applying an access list causes the router to examine every packet crossing that interface in the specified direction and to take the configured action.
There are a few important rules that a packet follows when it’s being compared to an access list:
It is always compared to each line of the access list in sequential order; it starts with line 1, then line 2, then line 3, and so on.
It is compared to lines of the access list only until a match is made. Once the packet matches a line of the access list, it’s acted upon, and no further comparisons take place.
There is an implicit deny at the end of every access list. If a packet matches none of the lines, it is dropped. This implicit deny does not appear in the configuration and does not generate log messages, so a list consisting only of deny statements blocks all traffic, and if you want to see what the implicit deny is dropping you must add an explicit deny ip any any log as the last line.
Access lists can permit or deny packets based on a number of criteria. The most common reasons to allow or deny a packet are
Protocol type
Source address
Destination address
Upper layer protocol port or socket
Individual types of access lists can filter on further criteria specific to that type. For example, extended IP access lists can filter on any of the following IP protocols:
RouterA(config)#access-list 110 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
If you wish, you can permit all TCP traffic and deny all Internet Control Message Protocol (ICMP) traffic. To get even more granular in your control, you could permit or deny specific TCP ports, as follows:
RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (used infrequently, 20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
As you can see, access lists give you a great deal of control over IP traffic. Access lists for protocols other than IP offer similar features.
As mentioned earlier, access lists can be applied to either outbound or inbound traffic on any given interface, so you can have separate policies for packets leaving and entering your network. For example, consider an Ethernet network with both users and servers. On the router's Ethernet interface, an inbound access list can prevent your users from reaching web servers on the Internet, while an outbound access list on the same interface allows users on the Internet to reach your web servers on the Ethernet segment. Because access lists are stateless, the list in each direction must also account for the return half of every conversation you permit; for TCP, the established keyword matches the reply segments.
This outbound and inbound terminology can be confusing. Remember that the access list is applied to the router, not to the network, so inbound and outbound are from the router's point of view, not that of the hosts on the segment. To the router, outbound means packets leaving its interface and going out to the network; inbound means packets arriving at its interface from the network.
Access lists can be optimized by moving the most frequently used lines to the top of the access list. This means that fewer comparisons are necessary before a packet matches a specific line. This can save CPU cycles, but be careful when optimizing lists. It is possible to significantly change the function of an access list by simply changing the order of the statements.
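The three comparison rules above and the reordering warning are easiest to see by running them. The following is an added example, not code from the original text: a small first-match evaluator for Cisco-style numbered extended IP access lists. It understands only the subset of the syntax used on this page (access-list 100-199, permit or deny, ip/tcp/udp/icmp, source and destination given as any, host A.B.C.D or A.B.C.D WILDCARD, and an optional eq PORT on the destination). The two-line policy and the test packets are constructed for the demonstration; the point is that moving the busy permit line above the deny line, which looks like a harmless optimization, silently removes the Telnet block.

```python
"""Added example (not from the original text): first-match evaluation of a
Cisco-style extended IP access list, showing top-down matching, first match
wins, the implicit deny, and why line order changes the policy."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the IOS port keywords shown above; numeric ports are also accepted.
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "domain": 53, "ftp": 21}


@dataclass
class Entry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches every IP protocol
    src: int               # source address as a 32-bit integer
    src_wild: int          # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]   # destination port from 'eq', if given


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec starting at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("only numbered extended IP access lists are supported")
    action, proto = tok[2], tok[3]
    src, src_wild, i = _parse_addr(tok, 4)
    dst, dst_wild, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1])
        if dport is None:
            dport = int(tok[i + 1])
    return Entry(action, proto, src, src_wild, dst, dst_wild, dport)


def _addr_matches(pkt: int, addr: int, wild: int) -> bool:
    # Bits set in the wildcard mask are ignored; all other bits must be equal.
    return ((pkt ^ addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, line number of the matching entry).  Lines are tried
    top-down and the first match ends the search.  If nothing matches, the
    implicit deny applies and the line number is None."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for lineno, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _addr_matches(s, e.src, e.src_wild):
            continue
        if not _addr_matches(d, e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, lineno
    return "deny", None


# Constructed policy: block Telnet to one server, allow everything else from the LAN.
CORRECT_ORDER = [parse_entry(l) for l in (
    "access-list 110 deny tcp any host 172.16.10.2 eq telnet",
    "access-list 110 permit ip 172.16.50.0 0.0.0.255 any",
)]
# The same two lines "optimized" by moving the frequently hit permit line to the top.
SWAPPED_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("swapped", SWAPPED_ORDER)):
        print(name, "telnet:", evaluate(acl, "tcp", "172.16.50.2", "172.16.10.2", 23))
        print(name, "http:  ", evaluate(acl, "tcp", "172.16.50.2", "172.16.10.2", 80))
        print(name, "other: ", evaluate(acl, "udp", "10.0.0.5", "172.16.10.2", 53))
```

With the lines in the correct order, Telnet from 172.16.50.2 to 172.16.10.2 is denied by line 1 and HTTP is permitted by line 2; with the lines swapped, the same Telnet packet is permitted by line 1 and the deny line is never reached. A packet from 10.0.0.5 matches nothing in either list and falls to the implicit deny.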
It is also possible to enable the logging of individual lines in some access lists. This function is useful if you are using access lists for security purposes, because it provides a log of attempts to violate your security policy. These logs contain several pieces of useful information about the packet, including
Access list number
Time
Protocol
Source address
Source port
Destination address
Destination port
Number of packets
By default, these log messages go to the router console. They can also be sent to a syslog server and retained for security purposes. Note that the router logs the first packet matching a logged line immediately and then reports a summary for that flow at intervals (five minutes by default), so the packet count in a message is the number seen since the previous report, not a lifetime total.
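The fields listed above are exactly what an analyst extracts when these messages reach a syslog server. The following is an added example, not code from the original text: a parser for the IOS %SEC-6-IPACCESSLOGP (TCP/UDP, with ports) and %SEC-6-IPACCESSLOGDP (ICMP, with type/code) message formats, followed by two simple detections run over constructed log lines: total denied packets per source, and sources that were denied on several distinct destination ports, which is a common sign of a port scan. The timestamps, addresses and counts in the sample are made up for the demonstration.

```python
"""Added example (not from the original text): parse IOS access-list log
messages and run simple detections over them."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Body of a %SEC-6-IPACCESSLOGP (ports) or %SEC-6-IPACCESSLOGDP (ICMP type/code)
# message.  Whatever precedes it on the line (the timestamp) is kept separately.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


@dataclass
class AclLogEvent:
    timestamp: str
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[int]
    count: int               # packets since the previous report for this flow


def parse_line(line: str) -> Optional[AclLogEvent]:
    """Return the event on this line, or None if it is not an access-list log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    opt = lambda k: int(g[k]) if g[k] is not None else None
    return AclLogEvent(
        timestamp=line[:m.start()].rstrip(": "),
        acl=g["acl"], action=g["action"], proto=g["proto"],
        src=g["src"], sport=opt("sport"),
        dst=g["dst"], dport=opt("dport"),
        icmp_type=opt("itype"), count=int(g["count"]),
    )


def parse_log(lines: Iterable[str]) -> List[AclLogEvent]:
    return [e for e in map(parse_line, lines) if e is not None]


def denied_packets_by_source(events: Iterable[AclLogEvent]) -> Dict[str, int]:
    """Sum the reported packet counts of denied flows per source address."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "denied":
            totals[e.src] += e.count
    return dict(totals)


def probable_scanners(events: Iterable[AclLogEvent], min_ports: int = 3) -> List[str]:
    """Sources denied on at least min_ports distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.action == "denied" and e.dport is not None:
            ports[e.src].add(e.dport)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)


# Constructed sample, in the format of messages relayed from an IOS router to syslog.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.50.2(1030) -> 172.16.10.2(23), 1 packet",
    "*Mar  1 00:12:35.010: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.50.2(1031) -> 172.16.10.2(22), 1 packet",
    "*Mar  1 00:12:35.500: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.50.2(1032) -> 172.16.10.2(3389), 1 packet",
    "*Mar  1 00:13:01.200: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 172.16.50.9(40001) -> 172.16.10.2(80), 1 packet",
    "*Mar  1 00:14:00.000: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 172.16.50.7 -> 172.16.10.2 (8/0), 3 packets",
    "*Mar  1 00:17:34.567: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.50.2(1030) -> 172.16.10.2(23), 12 packets",
    "*Mar  1 00:17:40.000: %SYS-5-CONFIG_I: Configured from console by console",
]
EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("denied packets by source:", denied_packets_by_source(EVENTS))
    print("probable scanners:", probable_scanners(EVENTS))
```

The unrelated %SYS message is ignored, the ICMP message yields no ports but does carry the type/code, and the five-minute summary for the Telnet flow (12 packets) is added to the earlier count for the same source rather than replacing it. Thresholds such as min_ports are deliberately low here for the sample; tune them to your own baseline.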
There are many types of access lists available in Cisco’s IOS. In IOS versions 11.2 and later, you can use text names for IP access lists. In earlier IOS versions, and with other protocols, access lists are numbered, and the number of the access list indicates the protocol and type of the access list. Here is a list of access list numbers:
RouterA(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list