Access - List


K K Singh, DGM(DX), ALTTC 1

What is Access List ?


• Access lists are a building block of the security policy of any network.
• Access lists are filters that permit or deny packets entering, leaving, or passing through a router.
• Uses of access lists fall into three categories:
– Security filters
– Traffic filters
– Packet identification



Security Filters
• Security filters protect the integrity of the router and of the network to which it is passing traffic. Typically, a security filter permits the passage of a few well-understood kinds of packets and denies everything else.

(Figure: a stack of filters, Deny / Permit / Deny, that each packet drops through in order)



Traffic Filters
• Traffic filters prevent unnecessary packets from passing onto limited-bandwidth links. These filters look and behave much like security filters, but their logic is generally the inverse: a traffic filter denies the passage of a few unwanted packets and permits everything else.



Packet Identification
• Routers must be able to identify certain packets to function properly (for example TCP, UDP, ICMP or RIP packets, as the slide's figure shows). Access lists may be linked to routing, queueing and other router functions to provide this packet identification.



How Access List Works ?
• An access list is a sequential series of filters. Each filter comprises some matching criteria and an action. The action is always either permit or deny.
• The matching criteria may be:
– Source address
– Source and destination addresses
– Protocol type
– Source and destination ports (sockets)
– Certain flags, such as the TCP ACK bit



How Access List Works ?
• A packet is "dropped into" the top of the stack of filters. At each filter, the matching criteria are applied. If a match occurs, that filter's permit or deny action is executed and processing stops. If no match occurs, the packet "drops down" to the next filter in the stack, and the matching process is applied again.



How Access list works ?

(Figure: a packet dropping through the filter stack applied to interface E0)
  Packet
   -> HOST A      Deny
   -> Subnet 3    Permit  -> out interface E0
   -> Network 5   Permit  -> out interface E0
   -> Protocol X  Deny
  Denied packets go to the "bit bucket" (they are discarded).



Implicit Deny
• What happens if a packet drops through all the filters and a match never occurs?
• The router must know what to do with a packet in this situation; that is, there must be a default action.
• The default action could be permit or deny.
• Most routers use deny as the default action. On Cisco IOS every access list ends with an unwritten "deny everything" entry, called the implicit deny; a list that contains only deny statements therefore blocks all traffic, and a list that should let other traffic through must end with an explicit permit any.



Implicit Deny

(Figure: the same filter stack, without and with the implicit deny written out)
  HOST A       Deny        HOST A       Deny
  Subnet 3     Permit      Subnet 3     Permit
  Network 5    Permit      Network 5    Permit
  Protocol X   Deny        Protocol X   Deny
                           Everything   Deny   (implicit)
  Source: Host C, Subnet 4, Network 7, Protocol Y -> matches no filter, so it is denied.

Sequentiality
• Access lists are executed sequentially, from top down, and the first matching entry wins.
• A wrong sequence of filters makes the access list behave differently from what was intended.
• The most common cause of a malfunctioning access list is putting the individual filter lines in the wrong sequence: a general entry placed before a more specific one shadows the specific entry, which is then never reached.



Sequentiality

(Figure: a packet with source 10.23.147.0 dropping through two orderings of the same filters)
  Wrong sequence                    Correct sequence
  Network 10.0.0.0       Permit     Subnet 10.23.147.0     Deny
  Subnet 10.23.147.0     Deny       Network 10.0.0.0       Permit
  Everything             Deny       Everything             Deny

In the wrong sequence the packet matches the network entry first and is permitted; the subnet deny is never reached. In the correct sequence the more specific subnet entry comes first, and the packet goes to the "bit bucket".



Access List Types
• For the Internet Protocol, access lists can be of different types:
– Standard IP access list
– Extended IP access list
– Named standard IP access list
– Named extended IP access list



Standard IP Access Lists
• Standard access lists can match only by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared with the access list statements. Standard access lists are numbered 1-99 (IOS also accepts the expanded range 1300-1999).
• A wildcard mask defines the subset of the 32 bits in the IP address that must be matched.
• Mask bits of binary 0 mean that the corresponding bit position must match. Mask bits of binary 1 are wildcards: the corresponding bit positions in the address are considered to match regardless of their value. A wildcard mask is therefore the bitwise inverse of a subnet mask (a /24, 255.255.255.0, corresponds to 0.0.0.255), but unlike a subnet mask its bits need not be contiguous.



Standard IP Access Lists
• The format of a standard access list is:

access-list access-list-number {deny|permit} source [source-wildcard]

• An example of a standard access list is:

access-list 1 permit 172.22.30.6 0.0.0.0
access-list 1 permit 172.22.30.95 0.0.0.0
access-list 1 deny 172.22.30.0 0.0.0.255
access-list 1 permit 172.22.0.0 0.0.31.255
access-list 1 deny 172.22.0.0 0.0.255.255
access-list 1 permit 0.0.0.0 255.255.255.255
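The standard-list rules above (wildcard-mask matching, top-down first match, implicit deny) and the ordering pitfall from the Sequentiality slide, modelled in Python. This is an added example, not code from the slides: it evaluates access-list 1 from this slide and the two orderings of the 10.0.0.0 / 10.23.147.0 filters, and adds a small shadowing check of my own. Function and constant names are my own.

```python
"""Standard IP access-list semantics, modelled in Python (added example).

Implements the three rules from the slides: wildcard-mask matching
(mask bit 0 = must match, 1 = don't care), top-down first-match
evaluation, and the implicit deny when no entry matches.
"""
import ipaddress


def ip_int(addr: str) -> int:
    """Dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_src: str, entry_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """Compare only the bit positions where the wildcard mask is 0.

    The default mask 0.0.0.0 means every bit must match (a single host).
    """
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_src) & care) == (ip_int(entry_addr) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask equivalent to a /prefix_len subnet mask, e.g. 24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))


def evaluate(acl, packet_src: str):
    """Return (action, index) of the first entry that matches, top down.

    If the packet drops through the whole list, return ("deny", None):
    the implicit deny at the end of every list.
    """
    for index, (action, addr, wildcard) in enumerate(acl):
        if wildcard_match(packet_src, addr, wildcard):
            return action, index
    return "deny", None


# access-list 1 from the slide, as (action, source, source-wildcard) tuples
ACL_1 = [
    ("permit", "172.22.30.6",  "0.0.0.0"),
    ("permit", "172.22.30.95", "0.0.0.0"),
    ("deny",   "172.22.30.0",  "0.0.0.255"),        # rest of 172.22.30.0/24
    ("permit", "172.22.0.0",   "0.0.31.255"),       # 172.22.0.0/19
    ("deny",   "172.22.0.0",   "0.0.255.255"),      # rest of 172.22.0.0/16
    ("permit", "0.0.0.0",      "255.255.255.255"),  # any
]

# The two orderings from the Sequentiality slide. Neither ends in "permit any",
# so a source outside 10.0.0.0/8 falls through to the implicit deny.
WRONG_ORDER = [
    ("permit", "10.0.0.0",    "0.255.255.255"),
    ("deny",   "10.23.147.0", "0.0.0.255"),   # never reached: shadowed by the line above
]
CORRECT_ORDER = [
    ("deny",   "10.23.147.0", "0.0.0.255"),
    ("permit", "10.0.0.0",    "0.255.255.255"),
]


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry covers them.

    Sufficient check only (my own lint, not an IOS feature): entry j is
    shadowed by entry i < j when j's don't-care bits are a subset of i's
    and j's address itself matches entry i.
    """
    result = []
    for j, (_, addr_j, wc_j) in enumerate(acl):
        for i in range(j):
            _, addr_i, wc_i = acl[i]
            if (ip_int(wc_j) & ~ip_int(wc_i) & 0xFFFFFFFF) == 0 and wildcard_match(addr_j, addr_i, wc_i):
                result.append(j)
                break
    return result


if __name__ == "__main__":
    for src in ("172.22.30.6", "172.22.30.7", "172.22.17.4", "172.22.40.1", "192.168.1.1"):
        print(src, evaluate(ACL_1, src))
    print("wrong order:", evaluate(WRONG_ORDER, "10.23.147.5"), "shadowed:", shadowed_entries(WRONG_ORDER))
    print("correct order:", evaluate(CORRECT_ORDER, "10.23.147.5"), "shadowed:", shadowed_entries(CORRECT_ORDER))
```

Running it shows 172.22.30.7 stopped at the third entry while 172.22.17.4 reaches the /19 permit, and that in WRONG_ORDER the subnet deny is reported as shadowed and a 10.23.147.x source is permitted by the first line.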



Standard IP Access Lists
• Standard IP access lists can be written in different ways. The default wildcard mask for a standard IP access list is 0.0.0.0; if no mask is given, the address is treated as a single host. The keywords host and any are equivalent shorthand:

access-list 1 permit 172.22.30.6 0.0.0.0
access-list 1 permit 172.22.30.6
access-list 1 permit host 172.22.30.6

access-list 1 permit 0.0.0.0 255.255.255.255
access-list 1 permit any



Standard IP Access Lists

(Figure: three routers, Delhi, Pune and Bangalore, connected in a triangle)
  Delhi:     e0 on subnet 10.1.1.0 with hosts E and F; s0 and s1 to Pune and Bangalore
  Pune:      e0 on subnet 10.1.2.0 with hosts A (10.1.2.1) and B (10.1.2.2); s0 to Delhi, s1 to Bangalore
  Bangalore: e0 on subnet 10.1.3.0 with hosts C and D; s0 to Delhi, s1 to Pune
  The direct Pune-Bangalore serial link (s1 to s1) is subnet 10.1.129.0.

Access Criteria
• A is not allowed access to E and F.
• Hosts on the Bangalore Ethernet are not allowed access to hosts on the Pune Ethernet.
• All other combinations are allowed.


Standard IP Access Lists
Pune configuration:

interface serial 0
 ip access-group 3
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any

Bangalore configuration:

interface serial 1
 ip access-group 4
!
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any

Alternative configuration at Pune (criterion 2 is now enforced on Pune's own Ethernet interface, so Bangalore needs no list):

interface serial 0
 ip access-group 3
!
interface serial 1
 ip access-group 3
!
interface ethernet 0
 ip access-group 4
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any

(ip access-group with no direction keyword applies the list to outgoing packets.)

With the first configuration, if the link between Pune and Delhi fails, Pune learns a route to 10.1.1.0/24 from Bangalore, and packets from A to E and F leave Pune through the s1 link without being filtered. Similarly, a link failure between Bangalore and Pune lets Bangalore send traffic to Pune via Delhi, through s0, without being filtered. The alternative configuration filters on every path the packets can take, so it does not depend on the routing state.
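The link-failure bypass just described, as an added example that is not part of the slides: a minimal router model with a routing table, per-interface incoming and outgoing filters and a link that can fail. The Router class, the route metrics and the third placement (the same list applied inbound on e0) are my own assumptions; the first two placements are the slide's Pune configuration and its alternative. access-list 3 is written as a Python predicate (True = permit).

```python
"""Why an outgoing filter on one link is bypassed when routing changes (added example).

Models the Pune router from the slide above. Host A (10.1.2.1) must not
reach the Delhi Ethernet 10.1.1.0/24. Routes, links and packets are
constructed here; the Router class and its names are my own, not IOS.
"""
import ipaddress


def acl3(pkt: dict) -> bool:
    """access-list 3 deny host 10.1.2.1 / access-list 3 permit any"""
    return pkt["src"] != "10.1.2.1"


class Router:
    def __init__(self, name: str):
        self.name = name
        self.routes = []        # (network, egress interface, metric); lowest metric wins
        self.link_up = {}       # interface -> bool
        self.in_filters = {}    # interface -> predicate, applied before routing
        self.out_filters = {}   # interface -> predicate, applied after routing

    def select_egress(self, dst: str):
        """Pick the best usable route; a route over a failed link is ignored."""
        candidates = [
            (metric, ifc)
            for network, ifc, metric in self.routes
            if ipaddress.ip_address(dst) in ipaddress.ip_network(network)
            and self.link_up.get(ifc, True)
        ]
        return min(candidates)[1] if candidates else None

    def forward(self, pkt: dict, ingress: str):
        """Return (verdict, interface, direction) for one packet."""
        f_in = self.in_filters.get(ingress)
        if f_in and not f_in(pkt):
            return "dropped", ingress, "in"
        egress = self.select_egress(pkt["dst"])
        if egress is None:
            return "no route", None, None
        f_out = self.out_filters.get(egress)
        if f_out and not f_out(pkt):
            return "dropped", egress, "out"
        return "forwarded", egress, None


def build_pune(placement: str) -> Router:
    """placement: 's0-out' (slide's first config), 'both-serial-out'
    (slide's alternative) or 'e0-in' (inbound on the LAN side, my own variant)."""
    r = Router("Pune")
    r.routes = [
        ("10.1.1.0/24", "s0", 1),   # Delhi Ethernet over the direct link, preferred
        ("10.1.1.0/24", "s1", 2),   # same network, learned via Bangalore (assumed metric)
        ("10.1.3.0/24", "s1", 1),   # Bangalore Ethernet
    ]
    r.link_up = {"s0": True, "s1": True}
    if placement == "s0-out":
        r.out_filters["s0"] = acl3
    elif placement == "both-serial-out":
        r.out_filters["s0"] = acl3
        r.out_filters["s1"] = acl3
    elif placement == "e0-in":
        r.in_filters["e0"] = acl3
    else:
        raise ValueError(placement)
    return r


def scenario(placement: str, s0_up: bool, src: str = "10.1.2.1", dst: str = "10.1.1.5"):
    """Send one packet from the Pune LAN (ingress e0) with the Pune-Delhi link up or down."""
    router = build_pune(placement)
    router.link_up["s0"] = s0_up
    return router.forward({"src": src, "dst": dst}, "e0")


if __name__ == "__main__":
    for placement in ("s0-out", "both-serial-out", "e0-in"):
        for up in (True, False):
            state = "up  " if up else "down"
            print(f"{placement:16} s0 {state}: {scenario(placement, up)}")
```

With the list only on s0, taking s0 down reroutes A's packet over s1 and it is forwarded; with the list on both serial interfaces, or inbound on e0, the verdict is the same whatever the routing table says. The inbound placement also matches the later slide's advice that security filters are usually incoming filters.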
Extended IP Access Lists
• Extended IP access lists are almost identical to standard IP access lists in their use.
• As with standard lists, extended access lists are applied to packets entering or exiting an interface.
• Apart from the source address, an extended access list can match the destination IP address, the protocol, source and destination port numbers, and other fields (ICMP types, TCP flags, precedence and ToS).



Extended IP Access Lists
• Access list numbers for extended IP access lists are between 100 and 199 (IOS also accepts the expanded range 2000-2699).
• Extended IP access lists provide far more flexibility in specifying what is to be filtered. The basic format of an extended IP access list line is:

access-list access-list-number {deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]



Extended IP Access Lists
• An example of an extended IP access list
is:
access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 255.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255



Extended IP Access Lists
• The default mask 0.0.0.0 does not apply to extended access lists: every address must be followed by a wildcard mask, otherwise the router reads the next token on the line as the mask. The host and any keywords provide the shorthand instead:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.20.30.40 0.0.0.0
access-list 101 permit ip host 172.22.30.6 host 10.20.30.40

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip any any



Decision flow of Extended Access list

(Figure: for each access list statement in turn, the router examines one field after another; the first "no" sends the packet to the next statement, and a statement whose fields all match schedules its permit or deny action)
  Examine source address         -> match? no  -> go to next statement
                                            yes
  Examine destination address    -> match? no  -> go to next statement
                                            yes
  Examine protocol               -> match? no  -> go to next statement
                                            yes
  Examine port / other options   -> match? no  -> go to next statement
                                            yes
  Schedule specified action (permit or deny)



TCP Extended Access Lists
• The format for an extended access list line that examines a TCP segment is:

access-list access-list-number {deny|permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

– Operator specifies a logical operand. The options are eq (equal to), neq (not equal to), gt (greater than), lt (less than), and range for specifying an inclusive range of ports.
– Port specifies the application-layer port to be matched, for example Telnet (23), FTP (21 control, 20 data), SMTP (25) or HTTP (80). SNMP (161) runs over UDP, so it is matched with a udp line, not a tcp line.
– established matches TCP segments that have the ACK or RST bit set, that is, segments belonging to a connection that has already been opened. It inspects only the flag bits and keeps no connection state.



TCP Extended Access List
• An example of a TCP access list is:

access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23

• The first line admits return traffic for connections opened from inside 172.22.0.0/16, the second admits new SMTP connections to one mail host, and the third admits Telnet from 10.0.0.0/8 to one subnet; everything else is dropped by the implicit deny. Because established only looks at flag bits, an outside host can send ACK-only segments that pass the first line even though no inside host opened a session; it is not a substitute for a stateful firewall.
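The TCP list above evaluated in Python, as an added example that is not from the slides. It models established the way IOS defines it (any segment with ACK or RST set matches, no state kept), which is what makes the ACK-only probe in the last test case pass the first line. Packets are constructed here; the Entry class, tcp() helper and flag constants are my own names.

```python
"""Extended TCP access-list evaluation with the `established` keyword (added example).

Packets are small dicts constructed here; the list is access-list 110
from the slide. `established` matches any TCP segment with ACK or RST
set, with no connection state kept, exactly as IOS does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
ANY = ("0.0.0.0", "255.255.255.255")       # the IOS keyword `any`


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Mask bit 0 = must match, 1 = don't care (same rule as standard lists)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(entry_addr)) & care)


@dataclass
class Entry:
    """One `access-list N {permit|deny} tcp ...` line; `eq` on the destination port only."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # None = no port operator on the line
    established: bool = False


def entry_matches(e: Entry, pkt: dict) -> bool:
    """Check the fields in the order the decision-flow slide shows."""
    if pkt["proto"] != "tcp":
        return False
    if not wildcard_match(pkt["src"], e.src, e.src_wc):
        return False
    if not wildcard_match(pkt["dst"], e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and pkt["dport"] != e.dst_port:
        return False
    if e.established and not (pkt["flags"] & (ACK | RST)):
        return False   # a bare SYN is a new connection, not "established"
    return True


def evaluate(acl, pkt):
    """First match wins; ("deny", None) is the implicit deny."""
    for index, e in enumerate(acl):
        if entry_matches(e, pkt):
            return e.action, index
    return "deny", None


ACL_110 = [
    Entry("permit", *ANY, "172.22.0.0", "0.0.255.255", established=True),
    Entry("permit", *ANY, "172.22.15.83", "0.0.0.0", dst_port=25),
    Entry("permit", "10.0.0.0", "0.255.255.255", "172.22.114.0", "0.0.0.255", dst_port=23),
]


def tcp(src, dst, dport, flags, sport=40000):
    """Constructed packet; outside addresses are from documentation ranges."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


if __name__ == "__main__":
    cases = {
        "new SMTP from outside":       tcp("203.0.113.9", "172.22.15.83", 25, SYN),
        "new SSH from outside":        tcp("203.0.113.9", "172.22.1.1", 22, SYN),
        "reply to inside-opened conn": tcp("203.0.113.9", "172.22.1.1", 22, ACK),
        "telnet from 10/8":            tcp("10.3.4.5", "172.22.114.7", 23, SYN),
        "ACK-only probe, no session":  tcp("198.51.100.7", "172.22.1.1", 22, ACK),
    }
    for name, pkt in cases.items():
        print(f"{name:28} -> {evaluate(ACL_110, pkt)}")
```

The last case is the caveat from the text: the probe carries ACK and a destination inside 172.22.0.0/16, so the first line permits it although nothing inside opened the connection. Only a stateful inspection feature can tell a genuine reply from a crafted one.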



UDP Access Lists
• The format of an extended access list line that examines a UDP datagram is:

access-list access-list-number {deny|permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Example (TFTP to one server from one subnet, DNS to one server from anywhere, SNMP from anywhere to anywhere):

access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53
access-list 110 permit udp any any eq 161

• UDP has no flags, so there is no established equivalent; replies to queries sent out through the filter must be permitted explicitly. The last line above lets any source send SNMP to any destination, which is wider than a security filter would normally allow.



ICMP Access Lists
• The format for an extended access list line that examines an ICMP packet is:

access-list access-list-number {deny|permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code]] [precedence precedence] [tos tos] [log]

Example (type 0 is echo reply; type 3 codes 9 and 10 are "destination unreachable, communication administratively prohibited" for a network and for a host):

access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 0
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 9
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 10
access-list 111 permit ip any any

• This is a traffic-filter style list: a few ICMP messages leaving 172.22.0.0/16 are suppressed, so outsiders get no ping replies and no hints about which filters exist, and everything else is permitted.



Calling The Access List
• An access list does nothing until packets are sent to it by a calling command, which defines how the access list is to be used.
• For packet filtering the command is configured on an interface, to create security or traffic filters, and may be applied to incoming or outgoing traffic:

ip access-group access-list-number {in|out}

• Only one list per protocol and direction can be applied to an interface. If the direction keyword is omitted, IOS applies the list to outgoing traffic (out).



Calling the Access List

interface ethernet 0
 ip access-group 1 in
!
interface serial 3
 ip access-group 2 out



Calling the Access Lists

access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53
access-list 110 permit udp any any eq 161
!
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 0
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 9
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any 3 10
access-list 111 permit ip any any
!
interface ethernet 0
 ip access-group 110 in
!
interface serial 0
 ip access-group 111 out



Calling the Access Lists
• The access-class command regulates Telnet (and other vty) sessions to and from the router's virtual terminal lines; it is not packet filtering of traffic through the router. With in, the list is matched against the source address of hosts connecting to the vty; with out, against the destination of sessions started from the vty.

Example:

access-class access-list-number {in|out}

line vty 0 4
 access-class 3 in
 access-class 4 out



Extended IP Access List Example

(Figure: the same Delhi / Pune / Bangalore triangle with hosts)
  Delhi e0:     E 10.1.1.130, F 10.1.1.1 (NFS server), G 10.1.1.2 (web server), H 10.1.1.28
  Pune e0:      A 10.1.2.1, B 10.1.2.2
  Bangalore e0: C 10.1.3.1, D 10.1.3.2
  Delhi s0 and s1 connect to Pune s0 and Bangalore s0; Pune s1 - Bangalore s1 is the direct serial link

Filtering Criteria
1. The web server (G) is available to all.
2. UDP-based clients and servers on F are not available to hosts whose IP addresses are in the upper half of the valid addresses in each subnet.
3. Packets between hosts on the Pune Ethernet and the Bangalore Ethernet are allowed only if they are routed across the direct serial link.
4. Clients E and H can connect to all hosts except D.
5. Any other connections are permitted.



Extended IP Access List Example
Pune configuration (lists applied outgoing; s0 leads to Delhi, s1 is the direct link to Bangalore):

interface serial 0
 ip access-group 110
!
interface serial 1
 ip access-group 111
!
! Criterion 1 met with next statement
access-list 110 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement (0.0.0.128 255.255.255.127 = last octet 128-255)
access-list 110 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 3 met with next statement
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
! Criterion 5 met with next statement
access-list 110 permit ip any any
!
! Criterion 1 met with next statement
access-list 111 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 111 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 5 met with next statement
access-list 111 permit ip any any



Extended IP Access List Example
Bangalore configuration (lists applied outgoing; s0 leads to Delhi, s1 is the direct link to Pune):

interface serial 0
 ip access-group 110
!
interface serial 1
 ip access-group 111
!
! Criterion 1 met with next statement
access-list 110 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 110 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 3 met with next statement
access-list 110 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! Criterion 5 met with next statement
access-list 110 permit ip any any
!
! Criterion 1 met with next statement
access-list 111 permit tcp any host 10.1.1.2 eq www
! Criterion 2 met with next statement
access-list 111 deny udp 0.0.0.128 255.255.255.127 host 10.1.1.1
! Criterion 5 met with next statement
access-list 111 permit ip any any



Extended IP Access List Example
Delhi configuration (the same list applied outgoing on both serial interfaces):

interface serial 0
 ip access-group 112
!
interface serial 1
 ip access-group 112
!
! Criterion 4 met with next four statements
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
access-list 112 permit ip host 10.1.1.130 any
access-list 112 permit ip host 10.1.1.28 any
! Criterion 5 met with next statement
access-list 112 permit ip any any



Extended IP Access List Example
Delhi configuration (second solution: all access lists on Bangalore and Pune have been removed, and every criterion is enforced on Delhi's two serial interfaces in the outgoing direction):

interface serial 0
 ip access-group 112
!
interface serial 1
 ip access-group 112
!
! Next statement meets objective 1 (replies from the web server G leaving Delhi)
access-list 112 permit tcp host 10.1.1.2 eq www any
! Next statement meets objective 2 (F's UDP replies to upper-half addresses are dropped, so those hosts get no answer)
access-list 112 deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
! Next statements meet objective 3 (Pune-Bangalore traffic that transits Delhi)
access-list 112 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 112 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
! Next statements meet objective 4
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
! Next statement meets objective 5
access-list 112 permit ip any any

Named IP Access Lists
• Named IP access lists allow the same logic to be configured as with numbered standard and extended access lists. The key differences between named and numbered IP access lists are:
– Names are more intuitive reminders of the function of the list.
– Names allow more access lists than the 99 standard and 100 extended lists available in the basic numbered ranges.
– Named access lists allow individual statements to be deleted (and, in IOS releases with access list sequence numbers, inserted at a chosen position).
– The names used must be unique across all named lists of all protocols and types on an individual router.



Named IP Access Lists
• A named IP access list is created with a global command (ip access-list standard or ip access-list extended followed by the name) that moves the user into a named access list submode, in which the matching and permit/deny logic is configured.
• When a named matching statement is deleted, only that one statement is deleted. With numbered lists, the deletion of any statement in the list (no access-list number ...) deletes the complete access list, so a numbered list must be removed and re-entered to change it. Note that an interface whose referenced list does not exist passes all traffic, so while a numbered list is being rebuilt the interface is unfiltered; prepare the new list under a different number or name and swap it in.



Named Access List Configuration

Router#
Router# conf t
Router(config)#
Router(config)# ip access-list extended bsnl
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
Router(config-ext-nacl)# deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)# deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface serial 1
Router(config-if)# ip access-group bsnl out
Router(config-if)# end
Router#

(exit leaves the access list submode and returns to global configuration mode; ^Z or end returns straight to privileged EXEC, so it cannot be used to move from the submode to the interface.)



Filter Placement Considerations
• Security filters usually are incoming filters. Filtering unwanted or untrusted packets before they reach the routing process prevents spoofing attacks, in which a packet arriving on an outside interface carries a source address belonging to an inside network (or to the router itself) in order to fool the routing process and the hosts behind it into treating it as trusted. An inbound list on the outside interface that denies those source addresses stops such packets at the door.
• Traffic filters, on the other hand, usually are outgoing filters, so that unwanted traffic does not occupy bandwidth on outgoing links.



Filter Placement Considerations
• An incoming filter is invoked before the routing process, whereas an outgoing filter is invoked after it. If most packets passing through the routing process are to be denied by the access list, an incoming filter saves some processing cycles, since the denied packets are never routed.
• Access lists should be placed as close to the source as possible, to avoid wasting bandwidth and CPU transporting packets that will ultimately be discarded. On the other hand, the complexity of extended lists means more processing burden on the router that carries them. These trade-offs must be considered when deciding where on the network to place a filter.

Access-List Lab Session

(Figure: lab topology)
  Delhi:     e0 10.1.1.1 on subnet 10.1.1.0/24, hosts E 10.1.1.3 and F 10.1.1.2
             s0 10.1.129.10/30 to Pune s0 10.1.129.9/30
             s1 10.1.129.6/30 to Bangalore s0 10.1.129.5/30
  Pune:      e0 10.1.2.1 on subnet 10.1.2.0/24, hosts A 10.1.2.2 and B 10.1.2.3
             s1 10.1.129.1/30 to Bangalore s1
  Bangalore: e0 10.1.3.1 on subnet 10.1.3.0/24, hosts C 10.1.3.2 and D 10.1.3.3
             s1 on the Pune link (the slide prints 10.1.129.1/30 for both ends; the other usable address of that /30 is 10.1.129.2)



Access-List Lab Session
Filtering Criteria

1. No host on network 10.1.1.0/24 should be able to access network 10.1.3.0/24.
2. Host 10.1.3.3 should not be able to access host 10.1.1.3.
3. Host 10.1.2.2 should not be able to access host 10.1.3.3.
4. Deny FTP traffic from 10.1.1.2 to 10.1.2.3.
5. Deny Telnet to the Delhi router.
