450 Chapter 12: IP Access Control List Security
The logic that Cisco IOS software uses with a multiple-entry ACL can be summarized as follows:
1.The matching parameters of the access-list statement are compared to the packet.
2.If a match is made, the action defined in this access-list statement (permit or deny) is performed.
3.If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
4.If no match is made with an entry in the access list, the deny action is performed.
Table 12-9 summarizes the different fields that can be matched with an extended IP ACL, as compared with standard IP ACLs.
Table 12-9 |
Standard and Extended IP Access Lists: Matching |
|
|
|
|
|
Type of Access List |
What Can Be Matched |
|
|
|
|
Both Standard and Extended ACLs |
Source IP address |
|
|
|
|
|
Portions of the source IP address using a wildcard mask |
|
|
|
|
Only Extended ACLs |
Destination IP address |
|
|
|
|
|
Portions of the destination IP address using a wildcard |
|
|
mask |
|
|
|
|
|
Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and |
|
|
others) |
|
|
|
|
|
Source port |
|
|
|
|
|
Destination port |
|
|
|
|
|
All TCP flows except the first |
|
|
|
|
|
IP TOS |
|
|
|
|
|
IP precedence |
|
|
|
Foundation Summary 451
Table 12-10 lists several sample access-list commands, with several options configured and some explanations.
Table 12-10 Extended access-list Commands and Logic Explanations
access-list Statement |
What It Matches |
|
|
access-list 101 deny ip any host 10.1.1.1 |
Any IP packet, any source IP |
|
address, with a destination |
|
IP address of 10.1.1.1. |
|
|
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23 |
Packets with a TCP header, |
|
any source IP address, with a |
|
source port greater than (gt) |
|
1023. The packet must have a |
|
destination IP address of |
|
10.1.1.1 and a destination port |
|
of 23. |
|
|
access-list 101 deny tcp any host 10.1.1.1 eq 23 |
The same as the preceding |
|
example, but any source port |
|
matches, because that |
|
parameter is omitted in this |
|
case. |
|
|
access-list 101 deny tcp any host 10.1.1.1 eq telnet |
The same as the preceding |
|
example. The telnet keyword is |
|
used instead of port 23. |
|
|
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any |
A packet with a source in |
|
network 1.0.0.0, using UDP |
|
with a source port less than (lt) |
|
1023, with any destination IP |
|
address. |
|
|
Figure 12-8 and Example 12-11 demonstrate a sample configuration of a numbered extended IP ACL. In this case, Bob is denied access to all FTP servers on R1’s Ethernet, and Larry is denied access to Server1’s web server.
452 Chapter 12: IP Access Control List Security
Figure 12-8 Network Diagram for Extended Access List
Server1 |
|
|
|
|
|
|
|
|
|
Larry |
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
S0 R2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SW2 |
|
|
|
E0 |
SW12 |
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
S0 |
S1 |
|
172.16.2.10 |
|||||
|
|
|
|
|
|
|
|
||||||||
172.16.1.100 |
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
E0 R1 |
|
|
|
|
|
|
|
|
Server2 |
|
|
|
SW1 |
|
|
|
|
Bob |
||||||
|
|
|
|
S1 |
S1 |
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
S0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SW3 |
|
|
|
R3 |
E0 |
SW13 |
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
172.16.3.10 |
|||||
|
|
|
|
|
|
|
|
|
|
||||||
172.16.1.102
Jimmy Jerry
172.16.3.8 172.16.3.9
Example 12-11 R1’s Extended Access List
interface Serial0
ip address 172.16.12.1 255.255.255.0 ip access-group 101 in
interface Serial1
ip address 172.16.13.1 255.255.255.0 ip access-group 101 in
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq http access-list 101 permit ip any any
Cisco makes the following general recommendations, as mentioned in the ICND course:
■Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router.
■Place extended ACLs as close to the source of the packet as possible to discard the packets quickly.
■Place standard ACLs as close to the destination of the packet as possible, because standard ACLs often discard packets that you do not want discarded when placed close to the source.
■Place more-specific statements early in the ACL.
■Disable ACLs from their interfaces (using the no ip access-group command) before making changes to the ACL.
454 Chapter 12: IP Access Control List Security
Figure 12-9 Network Diagram for Questions 10 Through 12
Andy Opie
180.3.5.13180.3.5.14
|
Subnet 180.3.5.0/24 |
|
Mayberry |
s0 |
|
|
Frame Relay |
|
Full Mesh |
Subnet 180.3.6.0/24 |
|
s0 |
s0 |
Mount Pilot |
Raleigh |
Subnet 180.3.7.0/24 |
Subnet 144.155.3.0/24 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Beatrice |
|
Floyd |
Barney |
|
Governor |
||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
144.155.3.99 |
|||||
Example 12-12 Access List at Mayberry
access-list 44 permit 180.3.5.13 0.0.0.0
!
interface serial 0
ip access-group 44 out
9.Describe the types of packets that this filter discards, and specify at what point they are discarded.
10.Does the access list shown in Example 12-12 stop packets from getting to web server Governor? Why or why not?
Q&A 455
11.Referring to Figure 12-9, create and enable access lists so that access to web server Governor is allowed from hosts at any site and so that no other access to hosts in Raleigh is allowed.
12.Name all the items that a standard IP access list can examine to make a match.
13.Name all the items that an extended IP access list can examine to make a match.
14.True or false: When you use extended IP access lists to restrict vty access, the matching logic is a best match of the list rather than a first match in the list.
15.In a standard numbered IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?
16.In a standard named IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?
17.Name all the items that a named standard IP access list can examine to make a match.
18.Configure a named IP access list that stops packets from subnet 134.141.7.0 255.255.255.0 from exiting serial 0 on a router. Allow all other packets.
19.Configure a named IP access list that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0, to enter serial 0 on a router.
20.List the types of IP access lists (numbered standard, numbered extended, named standard, named extended) that can be enabled to prevent Telnet access into a router. What commands would be used to enable this function, assuming that access-list 2 was already configured to match the right packets?
21.What command lists the IP extended access lists enabled on serial 1 without showing other interfaces?
22.Name all the items that a named extended IP access list can examine to make a match.
