Introduction to access-lists part 1
Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC (context-based access control). Learning how to use access-lists properly is crucial to becoming a good network administrator. They are vital to securing your network, and as you progress with your studies you will find that access-lists are used quite extensively in routing, QoS, and other important things.
Access-lists are used to match traffic and can be applied in either the in or the out direction. It is important to note that the direction is from the perspective of the interface. For instance, on a switch port, IN is traffic coming into the switch (traffic being sent to the switch), whereas OUT is the traffic the switch sends to the device connected to the port. So think of it like this: OUT means traffic flowing out of the switch, while IN means traffic flowing into the switch. See, I knew you would get it, it’s very easy stuff.
There are two basic kinds of access-lists: standard and extended. Access-lists numbered 100 and above are extended access-lists, while access-lists numbered 99 and less are standard access-lists. Standard access-lists can only filter based on ip address, while extended access-lists can also filter based on the protocol carried in the packet, such as tcp, udp, gre, and others, and on tcp/udp port numbers. Let's take a look at some access-lists:
access-list 1 permit any
access-list 2 permit host 127.0.0.1
access-list 3 deny 10.0.0.0 0.0.0.255
access-list (1-99) (permit/deny) (source) (wildcard mask)
All of these are standard access-lists, so let's take them apart in detail. The first part is the command access-list followed by the list number. This is followed by either permit or deny. The next entry is the source, which can be any, an individual host (host x.x.x.x), or a network such as 192.168.1.0 0.0.0.255. The last part of a network entry is a wildcard mask, which is the inverse of a subnet mask: a 1 bit means "don't care", a 0 bit means "must match". Remember that standard access-lists can only filter based on the source address and nothing else. If you want to filter on more than the source you need an extended access-list. Extended access-lists can filter on much more and take a slightly different format.
access-list 101 permit tcp any any eq 443
access-list 101 deny udp any any eq 500
access-list 101 permit gre any any
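As an added example (not part of the original post), here is a small Python simulator of how a numbered access-list is evaluated: wildcard masks where a 1 bit means "don't care", entries checked top-down with the first match winning, and the implicit deny that sits at the end of every list. It parses only the syntax used on this page (any, host A, A WILDCARD, a protocol keyword for extended lists, and an optional eq PORT) and assumes all lines fed to it belong to one list.

```python
import ipaddress

def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask (1 bit = don't care)."""
    return ((_ip_int(addr) ^ _ip_int(base)) & ~_ip_int(wildcard)) == 0

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines (assumed: one list) into ordered rules."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        number, action, t = int(t[1]), t[2], t[3:]
        extended = number >= 100          # numbering rule used by the post
        rule = {"action": action, "proto": "ip", "dport": None,
                "dst": "0.0.0.0", "dwild": "255.255.255.255"}
        if extended:                      # extended lists name a protocol first ...
            rule["proto"], t = t[0], t[1:]
        rule["src"], rule["swild"], t = _parse_addr(t)
        if extended:                      # ... then a destination and an optional port
            rule["dst"], rule["dwild"], t = _parse_addr(t)
            if t[:1] == ["eq"]:
                rule["dport"] = int(t[1])
        rules.append(rule)
    return rules

def evaluate(rules, src, dst, proto="ip", dport=None):
    """Walk the list top-down; the first matching entry decides, otherwise implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if wildcard_match(src, r["src"], r["swild"]) and wildcard_match(dst, r["dst"], r["dwild"]):
            return r["action"]
    return "deny"   # the implicit deny at the end of every access-list
```

Feed it list 101 from above and a tcp packet to port 80 is denied even though no entry mentions port 80, which is the implicit deny in action.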
Let's have a look at some of the possible options that Cisco IOS gives you to match packets. If you don't understand all of the options or know how to use them at first, don't worry. These kinds of options look useless or seldom used at first; however, as you progress you will make use of most of them.
#access-list 102 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
!
#access-list 102 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
!
#access-list 102 permit tcp any any ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
!
#access-list 102 permit tcp any any eq 80 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
established Match established connections
fin Match on the FIN bit
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
!
This has been a brief intro to access-lists. In the next installment we will talk a little bit about named access-lists and how they can be used to construct reflexive access-lists. Reflexive access-lists create dynamic entries in an access-list based on some event or matching criteria, and can be a really important tool for securing a network. Named access-lists also make a large access-list much easier to manage, because you can change an entry or reorder the acl without removing and rewriting the entire access-list.
One last thing. Access-lists are applied to an interface, in one direction, by referencing the list number (or name) in the following command; list 101 from above is used here:
Router# configure terminal
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 101 in
Or
Router(config-if)# ip access-group 101 out