Extended IP Access Lists


Extended IP access lists provide far more flexibility in the specification of what is to be filtered. The basic syntax of the extended IP access list line follows:

  access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} protocol source source-wildcard
    destination destination-wildcard [precedence precedence] [tos tos]
    [log | log-input] [time-range time-range-name] [fragments]

You can configure extended access-lists using the global access-list configuration mode in the same way it is done with standard lists.

Sequence numbers can also be used with extended access lists. They are entered the same way as standard lists. Reflexive access lists can be configured only using the global access list configuration mode and can be configured only with named IP access lists. Reflexive access lists are discussed in a later section of this appendix.

Some of the features here are familiar, and some are new:

  • access-list-number, for extended IP access lists, is between 100 and 199, or 2000 and 2699.

  • dynamic identifies this list as a dynamic access list. Dynamic access lists are used by the "Lock-and-Key" security feature. A user Telnets to the router, is authenticated (locally or by an authentication server such as TACACS+ or RADIUS), and a temporary entry is then created that permits or denies traffic according to the source and destination information in the dynamic entry.

  • timeout defines the maximum amount of time, in minutes, a temporary entry can remain in a dynamic list. The default is no timeout: the entry remains until it is cleared.

  • protocol is a new variable that looks for a match in the protocol field of the IP packet header. The keyword choices are eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp. An integer in the range 0 to 255 representing an IP protocol number can also be used. ip is a generic keyword, which matches any and all IP protocols, in the same way inverse mask 255.255.255.255 matches all addresses.

  • Notice that both the source and destination packet addresses are examined for matches; each has its own inverse mask.

  • precedence and tos are optional variables that look for a match in the Precedence and Type of Service fields of the IP packet header. Precedence can be an integer from 0 to 7, and TOS can be an integer from 0 to 15, or either field can be described by one of several keywords. Refer to the Cisco documentation for a list of available keywords.

  • log is an optional specification that turns on informational logging. The router attempts to include the list number or name that logged the match, source and destination address, upper layer port number, and number of packets logged.

  • log-input adds the input interface and source MAC address or virtual circuit number to the log output.

  • time-range makes the entry time-dependent. The time-range parameter in the extended access list references a global time-range command, which defines the actual time interval; the entry is evaluated only during that interval and is ignored outside it.

  • fragments defines how the entry treats fragmented packets. The behavior depends on whether the entry carries only Layer 3 information (IP addresses and protocol) or Layer 3 and Layer 4 information (TCP or UDP port numbers in addition to IP addresses), and on whether the entry is a permit or a deny. The default behavior (no fragments keyword) for an entry that contains only Layer 3 information is to apply the entry to nonfragmented packets, initial fragments, and noninitial fragments alike. An entry that contains Layer 3 and Layer 4 information is applied to nonfragmented packets and initial fragments, which carry the Layer 4 header. A noninitial fragment carries no Layer 4 header, so only the Layer 3 portion of such an entry can be compared with it: if the addresses match and the entry is a permit statement, the fragment is permitted; if the entry is a deny statement, the fragment is not dropped and the next access-list entry is processed instead. If fragments is specified, the entry is applied only to noninitial fragments. The fragments keyword cannot be configured for entries that contain Layer 4 information, such as TCP or UDP port numbers. The security consequence is that a deny entry with port numbers never drops a noninitial fragment; if fragments should be dropped rather than evaluated against later address-only permit entries, place an explicit entry such as deny ip any any fragments near the top of the list.

A sample extended IP access list is displayed in Example B-12.

Example B-12. An extended IP access list permits and denies packets in various ways.
access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255 time-range morning
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
time-range morning
 periodic weekdays 08:00 to 11:59

The following is an explanation of the lines in Example B-12:

  • Line 1 IP packets with a source address of 172.22.30.6 and with a destination address that belongs to network 10.0.0.0 are permitted during a specific time range. The time range is defined in lines 7 and 8. During other times, the access-list entry is inactive. An inactive entry means that the entry is ignored as if it weren't in the list at all.

  • Line 2 IP packets with a source address of 172.22.30.95 and with a destination address that belongs to subnet 10.11.12.0/24 are permitted.

  • Line 3 IP packets with a source address that belongs to subnet 172.22.30.0/24 and with a destination address of 192.168.18.27 are dropped.

  • Line 4 IP packets with source addresses between 172.22.0.0 and 172.22.31.255 and with a destination address that belongs to network 192.168.18.0 are permitted.

  • Line 5 IP packets with a source address that belongs to network 172.22.0.0/16 and with a destination address in 192.168.18.64/26 (the first 26 bits match 192.168.18.64, that is, 192.168.18.64 through 192.168.18.127) are dropped.

  • Line 6 IP packets from any source to any destination are permitted.

  • Lines 7 and 8 The time range called "morning," which is referenced in line 1, is defined to be weekday mornings, from 08:00 to 11:59.

Figure B-7 shows two shortcuts that can be used when writing extended IP access lists. Recall that standard IP access lists have a default mask of 0.0.0.0. This default does not apply to extended access lists; there would be no way for the router to interpret it correctly. An alternative exists for extended lists, however. In Figure B-7(a), packets are permitted if their source is host 172.22.30.6 and their destination is host 10.20.30.40. Any time the mask in an extended IP access list is 0.0.0.0, it can be replaced by adding the keyword host before the address.

Figure B-7. Two shortcuts can be used when writing extended IP access lists.


The example in Figure B-7(b) permits any IP packets from any source to any destination. Just as with standard access lists, the any keyword can be used in place of the 0.0.0.0 255.255.255.255 address/inverse mask combination for the source, the destination, or both.

Extended access lists can be more powerful than standard access lists because the former examine more than the packet's source address, but everything has a price. The price you pay with extended lists is increased processing (Figure B-8). Because each line of the access list examines multiple fields within the packet, more work is done per packet. If the access list is large or the router is busy, this requirement can affect performance adversely.

Figure B-8. The decision flow of an extended IP access list.


Keeping access lists as small as possible reduces the processing burden on the router. Also notice that when a match occurs, the specified action is invoked and processing stops. Therefore, if you can write your lists so that most matches occur in the first few lines, performance will be improved. This approach isn't always feasible, but it is something to keep in mind when designing access lists.

Some router platforms support a function called "Turbo ACLs," which are compiled access lists. The configured access lists are compiled into a lookup table. The sequence of the entries is maintained, but the lookup time and CPU required for lookup is greatly reduced. Certain entries, such as time ranges, cannot be included in a compiled list. To configure the router to use turbo access lists, enter the command access-list compiled.

As an exercise, try making the access list given in Example B-12 more elegant. That is, rewrite the list with as few lines as possible without losing any of its functionality. (Hint: A list with the same functionality can be written with only four lines, not including the two time commands at the end.) An answer is given in the next paragraph. Try to rewrite the list before reading further.

Line 1 can be removed. Line 1 permits host 172.22.30.6 access to network 10.0.0.0/8 during weekday mornings. Without this line, access from this host to 10.0.0.0/8 is still permitted by line 6, which permits anything that is not previously denied; no deny entry between them matches that traffic.

Line 2 can also be removed. The host 172.22.30.95 is also permitted access to 10.11.12.0/24 in line 6.

You might be tempted to think that line 4 can also be removed, but notice that line 5 denies a larger range of addresses that includes those permitted in line 4. Therefore, line 4 is necessary to permit a small subset of addresses before the rest of the addresses specified in line 5 are dropped.

TCP Access Lists

The syntax for an extended access list line that examines a TCP segment follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} tcp source source-wildcard [operator [port]]
  destination destination-wildcard [operator [port]] [established]
  [precedence precedence] [tos tos] [log | log-input]
  [time-range time-range-name] [fragments]

Notice that the protocol variable is tcp. Probably the most significant feature here is that the access list can examine the source and destination port numbers in the TCP segment header. As a result, you have the option of filtering packets not only to and from a particular address, but also to and from a particular socket (an IP address/application port combination).

The features of the TCP access list that have not yet been explained are operator and port:

  • operator specifies a logical operand. The options are eq (equal to), neq (not equal to), gt (greater than), lt (less than), and range for specifying an inclusive range of ports. If the range operator is used, two port numbers are specified.

  • port specifies the application layer port to be matched. A few common TCP port numbers are Telnet (23), FTP (20 and 21), and SMTP (25); SNMP uses port 161, but over UDP rather than TCP. Well-known port numbers were originally listed in RFC 1700, which has since been replaced by the online IANA port-number registry.

What if you implement an access list to prevent TCP sessions from being established into your network, but want the list to pass the return traffic of sessions that your network initiates? The established keyword allows this by checking the ACK and RST flags in the TCP segment header. If either flag is set, the entry matches. If neither bit is set, the segment is the first packet of a connection attempt (a SYN) and the entry does not match; the packet then falls through to a subsequent line of the access list, or to the implicit deny at the end. Note that established keeps no connection state: it matches any segment with ACK or RST set, including a forged ACK that belongs to no session, so it blocks connection attempts but not ACK-scan probes or other crafted packets that set those flags. Reflexive access lists, discussed later in this appendix, are the stateful alternative.

A sample TCP access list is displayed in Example B-13.

Example B-13. This TCP access list permits established sessions and permits certain addresses access for SMTP and Telnet.
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23

The following is an explanation of the lines in Example B-13:

  • Line 1 Permit TCP packets from any source to network 172.22.0.0/16 if the ACK or RST flag is set, that is, if they appear to belong to a session that was established from that network.

  • Line 2 Permit TCP packets from any source if the destination is port 25 (SMTP) of host 172.22.15.83.

  • Line 3 Allow any TCP packet with a source address from network 10.0.0.0 to telnet (port 23) to any address on subnet 172.22.114.0/24.

All other packets will be dropped by the implicit deny any.
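The first-match rule, the implicit deny, the inverse masks, the time-range behavior and the stateless established test are easier to see when executed than when traced by hand. The following Python model is an added example, written for this page and not taken from the book or from Cisco; it implements only the syntax that Examples B-12 and B-13 use (ip/tcp/udp, host, any, eq, established, time-range). It runs the original six-line list 101 and the four-line answer to the exercise above over a set of constructed sample flows to confirm they give identical verdicts (and that dropping line 4 does not), and then sends a SYN, a bare ACK and a RST from a constructed outside host 203.0.113.9 through list 110 to a socket no entry permits explicitly. The host addresses and flows are assumptions chosen for the demonstration.

```python
"""Minimal model of IOS extended ACL evaluation (first match wins, implicit deny
at the end).  Added example, not Cisco code; syntax of Examples B-12/B-13 only."""
import ipaddress

def wildcard_match(addr, ref, wild):
    """IOS inverse-mask test: a 1 bit in the wildcard means 'do not care'."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wild))
    return (a | w) == (r | w)

def _addr(t):  # consume 'host X' | 'any' | 'X WILDCARD'; return (ref, wildcard, rest)
    if t[0] == "host":
        return t[1], "0.0.0.0", t[2:]
    if t[0] == "any":
        return "0.0.0.0", "255.255.255.255", t[1:]
    return t[0], t[1], t[2:]

def _port(t, proto):  # consume an optional 'eq N' (TCP and UDP entries only)
    if proto in ("tcp", "udp") and t and t[0] == "eq":
        return int(t[1]), t[2:]
    return None, t

def parse(line):
    """Turn one 'access-list N permit|deny ...' line into a rule dict."""
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny"), line
    rule = {"action": t[2], "proto": t[3], "established": False, "time_range": None}
    rule["src"], rule["swild"], rest = _addr(t[4:])
    rule["sport"], rest = _port(rest, t[3])
    rule["dst"], rule["dwild"], rest = _addr(rest)
    rule["dport"], rest = _port(rest, t[3])
    while rest:
        if rest[0] == "established":
            rule["established"], rest = True, rest[1:]
        elif rest[0] == "time-range":
            rule["time_range"], rest = rest[1], rest[2:]
        else:
            raise ValueError("unsupported keyword: " + rest[0])
    return rule

def evaluate(rules, pkt, active_ranges=frozenset()):
    """Return the action of the first matching entry, else 'deny' (implicit)."""
    for r in rules:
        if r["time_range"] and r["time_range"] not in active_ranges:
            continue  # entry outside its time range is treated as absent
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], r["src"], r["swild"])
                and wildcard_match(pkt["dst"], r["dst"], r["dwild"])):
            continue
        if any(r[k] is not None and pkt.get(k) != r[k] for k in ("sport", "dport")):
            continue
        # 'established' keeps no state: it only asks whether ACK or RST is set
        if r["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return r["action"]
    return "deny"

ORIGINAL_101 = [parse(l) for l in """
access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255 time-range morning
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""".strip().splitlines()]
REDUCED_101 = ORIGINAL_101[2:]  # the four-line answer to the exercise

# Constructed sample flows (src, dst), roughly one aimed at each line of B-12.
SAMPLE_FLOWS = [("172.22.30.6", "10.1.2.3"), ("172.22.30.95", "10.11.12.9"),
                ("172.22.30.7", "192.168.18.27"), ("172.22.16.1", "192.168.18.70"),
                ("172.22.40.1", "192.168.18.70"), ("172.22.40.1", "192.168.18.1"),
                ("192.0.2.1", "198.51.100.1")]

def lists_equivalent(a, b, flows=SAMPLE_FLOWS):
    """True if both lists give the same verdict for every sample flow, with the
    'morning' time range both inactive and active."""
    for src, dst in flows:
        for active in (frozenset(), frozenset({"morning"})):
            pkt = {"proto": "ip", "src": src, "dst": dst}
            if evaluate(a, pkt, active) != evaluate(b, pkt, active):
                return False
    return True

ACL_110 = [parse(l) for l in """
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
""".strip().splitlines()]

def established_verdicts():
    """Constructed outside host 203.0.113.9 probing inside socket 172.22.50.1:445:
    a SYN hits the implicit deny, but a bare ACK or a RST with no session
    behind it matches line 1, which is what an ACK scan relies on."""
    def pkt(dport, flags, dst="172.22.50.1"):
        return {"proto": "tcp", "src": "203.0.113.9", "sport": 40000,
                "dst": dst, "dport": dport, "flags": set(flags)}
    return {"syn": evaluate(ACL_110, pkt(445, {"SYN"})),
            "ack_only": evaluate(ACL_110, pkt(445, {"ACK"})),
            "rst": evaluate(ACL_110, pkt(445, {"RST"})),
            "smtp_syn": evaluate(ACL_110, pkt(25, {"SYN"}, "172.22.15.83"))}
```

lists_equivalent(ORIGINAL_101, REDUCED_101) is True, while the same call with a three-line list that also drops line 4 is False, because the flow 172.22.16.1 to 192.168.18.70 is permitted by the original and denied by line 5 once line 4 is gone. established_verdicts() returns deny for the SYN and permit for the bare ACK and the RST, which is the hole described above: the access list sees flags, not sessions.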

UDP Access Lists

The syntax for an extended access list line that examines a UDP segment follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} udp source source-wildcard [operator [port]]
  destination destination-wildcard [operator [port]]
  [precedence precedence] [tos tos] [log | log-input]
  [time-range time-range-name] [fragments]

This format is similar to the TCP format, except that the protocol variable now is udp. The other difference is that there is no established keyword. The reason is that UDP is a connectionless transport service, and no connections are established between hosts.

In Example B-14, three lines have been added to the previous TCP example.

Example B-14. This access list permits TCP and UDP packets.
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53
access-list 110 permit udp any any eq 161

The following is an explanation of the lines in Example B-14:

  • Line 4 Permit UDP packets from subnet 10.64.32.0/24 to the TFTP port (69) on host 172.22.15.87.

  • Line 5 Permit UDP packets from any source to the DNS server port (UDP port 53) on host 172.22.15.85.

  • Line 6 Permit all SNMP packets (UDP port 161) from any source to any destination.

The implicit deny any still drops all packets not finding a match in the list.

ICMP Access Lists

The syntax for an extended access list line that examines an ICMP packet follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} icmp source source-wildcard destination destination-wildcard
  [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos]
  [log | log-input] [time-range time-range-name] [fragments]

icmp is now in the protocol field. Notice that there are no source or destination ports here; ICMP is a network layer protocol. This line can be used to filter all ICMP messages, or you can use the following options to filter specific ICMP messages:

  • icmp-type is a number between 0 and 255. ICMP type numbers were originally listed in RFC 1700 and are now maintained in the IANA ICMP parameters registry.

  • The granularity of filtering can be increased by specifying icmp-code. An ICMP code identifies a subset of a given ICMP type; codes are a number between 0 and 255 and are found in the same registry.

  • Instead of an ICMP type and ICMP code, an ICMP message name can be entered.

A sample of an ICMP access list is displayed in Example B-15.

Example B-15. This ICMP access list denies specific packets and permits all others.
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 0
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 9
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 10
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any traceroute
access-list 111 permit ip any any

The following is an explanation of the lines in Example B-15:

  • Line 1 Deny ICMP ping responses (Echo Reply, ICMP type 0) from network 172.22.0.0 to any destination.

  • Line 2 Deny ICMP destination unreachable packets (type 3) with a code number of 9 (Network Administratively Prohibited) from network 172.22.0.0 to any destination.

  • Line 3 Deny ICMP destination unreachable packets (type 3) with a code number of 10 (Host Administratively Prohibited) from network 172.22.0.0 to any destination.

  • Line 4 Deny ICMP traceroute messages (the traceroute keyword, ICMP type 30) from network 172.22.0.0 to any destination.

  • Line 5 Permit all other IP packets.


Source: Jeff Doyle and Jennifer Carroll, Routing TCP/IP, Volume 1 (2nd Edition), CCIE Professional Development, Cisco Press, 2005, ISBN 1587052024.