Anilnet


Transcript of Anilnet

Page 1: Anilnet

Named access list

Submitted To: Mr. Parvesh Mor
Submitted by: Anil Sharma, Reg: 11107936

Introduction:

An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations. One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they will allow only certain hosts to access web resources on the internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce any security policy they can invent.

Some important points about access lists:

• Powerful tools that control access both to and from network segments
• Can filter unwanted packets
• Can be used to implement security
• Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
• Available for IP, IPX, AppleTalk, and many other protocols

Access List Usage:

• You can create a standard access list that examines a packet for the packet's source header information
• deny any statement
  – Implicitly blocks all packets that do not meet the requirements of the access list

Page 2: Anilnet

  – Exists even though it is not shown as part of the access list
• With careful planning, you can create access lists that control which traffic crosses particular links and which segments of your network will have access to others

Problems with Access Lists:

• Lack of planning is one of the most common problems associated with access lists
• The need to enter the list sequentially into the router also presents problems
  – You cannot move individual statements once they are entered
  – When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands
• Access lists begin working the second they are applied to an interface

Access List Rules:

• Example of the structure of a standard IP access list:

  RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
  RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
  RouterA(config)#access-list 1 permit any

• Router applies each line in the order in which you type it into the access list
• The no access-list [list #] command is used to remove an access list
• As a general rule, the lines with the most potential matches should be first in the list

Page 3: Anilnet

  – So that packets will not undergo unnecessary processing
• You should avoid unnecessarily long access lists
• After you create access lists, you must apply them to interfaces so they can begin filtering traffic
  – You apply a list as either an outgoing or an incoming filter
• In summary, all access lists follow these rules:
  – Routers apply lists sequentially in the order in which you type them into the router
  – Routers apply lists to packets sequentially, from the top down, one line at a time
  – Packets are processed only until a match is made
  – Lists always end with an implicit deny
  – Access lists must be applied to an interface as either inbound or outbound traffic filters
  – Only one list, per protocol, per direction can be applied to an interface
  – Access lists are effective as soon as they are applied

Standard IP Access Lists:

• Standard IP access lists
  – Filter network traffic based on the source IP address only
  – Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
• Configure standard IP access lists:
  – access-list [list #] [permit|deny] [source address] [source wildcard mask]
• Routers use wildcards to determine which bits in an address will be significant

Wildcard mask example:

Page 4: Anilnet

Wildcard masking example matching a single host:
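The following Python simulator is an added example and is not part of the original slides or of Cisco IOS. It applies the rules summarised on the previous page to a standard IP access list: the wildcard mask selects the bits that must match (0.0.0.0 pins a single host, 0.0.0.255 covers a /24), entries are tested from the top until the first match, and a source address that matches no entry falls through to the implicit deny. The parser accepts list 1 from the slides and list 13 from the VTY section later in the deck; the `host` shorthand, the stripping of the `RouterA(config)#` prompt, list 2 and the sample addresses are assumptions of the example.

```python
# Added example, not the slides' own code: a simulator for Cisco standard IP
# access lists that shows the wildcard mask selecting the bits that must match,
# top-down evaluation stopping at the first match, and the implicit deny.
from collections import namedtuple
from ipaddress import IPv4Address

Entry = namedtuple("Entry", "action source wildcard")


def wildcard_match(addr, base, wildcard):
    """True if `addr` agrees with `base` on every bit where the wildcard bit is 0.

    Wildcard 0 = bit must match, 1 = bit is ignored (the inverse of a subnet mask),
    so 0.0.0.0 pins a single host and 0.0.0.255 matches a /24.
    """
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0          # differing bits are only allowed where w is 1


def parse_standard_acl(config, number):
    """Collect the entries of `access-list <number> ...` lines in the order typed.

    Handles the forms on the slides (`deny 172.22.5.2 0.0.0.0`, `permit any`) plus
    the `host A.B.C.D` shorthand and a missing wildcard (IOS treats it as 0.0.0.0).
    """
    entries = []
    for raw in config.splitlines():
        toks = raw.split("#", 1)[-1].split()      # drop a RouterX(config)# prompt if present
        if toks[:2] != ["access-list", str(number)]:
            continue
        action, rest = toks[2], toks[3:]
        if rest == ["any"]:
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            entries.append(Entry(action, rest[1], "0.0.0.0"))
        else:
            entries.append(Entry(action, rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"))
    return entries


def evaluate(entries, source_ip):
    """Return (decision, index of the matching entry) for a packet's source address.

    Entries are tested from the top, one at a time, and processing stops at the
    first match; no match means the unseen `deny any` at the end applies (index None).
    """
    for idx, e in enumerate(entries):
        if wildcard_match(source_ip, e.source, e.wildcard):
            return e.action, idx
    return "deny", None


# Constructed configuration: list 1 from the slides, list 13 from the VTY section,
# and an assumed list 2 written in the "wrong" order to show that order decides.
CONFIG = """
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
RouterA(config)#access-list 2 permit any
RouterA(config)#access-list 2 deny host 172.22.5.2
"""
ACL1 = parse_standard_acl(CONFIG, 1)
ACL2 = parse_standard_acl(CONFIG, 2)    # the deny can never be reached
ACL13 = parse_standard_acl(CONFIG, 13)

if __name__ == "__main__":
    for ip in ("172.22.5.2", "172.22.5.3", "172.22.5.4"):
        print("list 1", ip, evaluate(ACL1, ip), "   list 2", evaluate(ACL2, ip))
    for ip in ("192.168.12.12", "192.168.13.12"):
        print("list 13", ip, evaluate(ACL13, ip))
```

Running the block shows list 2, which puts `permit any` first, never reaching its `deny`; that is why the slides insist that order and placement matter and that statements cannot be moved once entered. The returned index also makes visible how many lines a packet had to pass before matching, which is the cost behind the advice to put the lines with the most potential matches first.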

Standard IP Access List Examples:

• Standard IP access lists permit or deny packets based only on the source address
  – Addresses can be a single host address, a subnet address, or a full network address
• Correct placement of a list is imperative
• To view the access lists defined on your router, use the show access-lists command
  – For IP access lists you could also use the show ip access-lists command
• If you decide that an access list needs to be removed from an interface
  – You can remove it with the no ip access-group [list #] command
• Application of the list as an outbound filter on FastEthernet0/0
  – See Figure 10-15
• Use the show access-lists or show ip access-lists command followed by the show ip interface command
  – To verify that the list has been entered and applied correctly

Page 5: Anilnet

Monitoring Standard IP Access Lists:

• Three main commands are available for monitoring access lists on your router
  – show access-lists
  – show ip access-lists
  – show interfaces or show ip interface
• Use the no access-list [list #] command to remove the list
• Use the no ip access-group [list #] [direction] command to remove the application of the list

Extended IP Access Lists:

• Extended IP access lists
  – Can filter by source IP address, destination IP address, protocol type, and application port number
  – This granularity allows you to design extended IP access lists that:
    • Permit or deny a single type of IP protocol
    • Filter by a particular port of a particular protocol
• To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax
  – access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

Using Named Lists:

• Named access lists
  – In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
• To name a standard IP access list, use the following syntax:

  RouterC(config)#ip access-list standard [name]

• To name an extended IP access list, use the following syntax:

  RouterC(config)#ip access-list extended [name]

• Once the list is named, the permit or deny statements are entered
• The commands follow the same syntax as unnamed lists
  – The beginning part of the command is not included
• To apply a standard IP named list to an interface, the syntax is:

  RouterC(config-if)#ip access-group [name] [in | out]

Page 6: Anilnet

Advantages:

  – Allows you to maintain security by using an easily identifiable access list
  – Removes the limit of 100 lists per filter type
  – With named access lists, lines can be selectively deleted in the ACL
  – Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed

Controlling VTY Line Access:

• Access lists are used for both traffic flow and security
• One useful security feature of access lists is restricting access to telnet on your router
  – By controlling VTY line access
• You must first create a standard IP access list that permits the management workstation

  RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0

• Then, it must be applied to the VTY lines: access-class [acl #] in | out
• To apply access list 12 to the VTY lines, use the following command:

  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 12 in

• The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are:

  RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 13 in

Using Security Device Manager to Create Access Control Lists:

• Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI interface
• SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)

Page 7: Anilnet

Topology:

Router1: E0: 10.0.0.1, E1: 11.0.0.1
Router2: E0: 11.0.0.2, E1: 12.0.0.1
Router3: E0: 12.0.0.2, E1: 13.0.0.1
Router4: E0: 13.0.0.2, E1: 14.0.0.1
Router5: E0/0: 14.0.0.2, E0/1: 14.0.0.1, E0/2: 16.0.0.1
Router6: E0: 15.0.0.2, E1: 16.0.0.2
Router7: E0: 17.0.0.1, E1: 18.0.0.1
Router8: E0: 18.0.0.2, E1: 19.0.0.1
PC1: E0: 10.0.0.2
PC2: E0: 10.0.0.3
PC3: E0: 15.0.0.2
PC4: E0: 19.0.0.2
PC5: E0: 19.0.0.3
Switch1: F/E 0/1
Switch2: F/E 0/1 15.0.0.2