NET 224: Advanced Routers and Routing

Chapter 10: Managing Access Lists

Objectives:

This chapter introduces concepts about managing a Cisco environment:

  1. Developing access lists
  2. Implementing access lists
  3. Troubleshooting access lists
  4. Evaluating rules for access lists

Concepts:

Access lists provide a method to allow and deny access to resources on and off your network. The text offers an example: we can use access lists to manage who is allowed to use the Internet from our network, and who is not allowed to do so.

Access lists can be applied to traffic on ports, to traffic from a specific protocol, and to other filtering uses.

The text tells us that an access list is like a series of if-then statements. (It would be very unlike our author to actually give an example of what he means at this stage, so he does not.) If you understand this kind of programming, you may find it is more like an if-then-elseif structure.

An explanation of how an access list works is offered:

  • The access list is a series of rules
  • Packets are evaluated against each rule, from the top of the list to the bottom, until a rule matches the packet being evaluated
  • If a rule matches the packet, the action for that rule is taken, and the packet is not checked against any other rules in the list
  • If no rule matches the packet, the packet is discarded. This is called an implicit deny. The packet is denied (discarded) unless there is a rule for what to do with it.

Access lists come in two types: standard and extended. Both types include a variation called named access lists.

  • standard access lists - only evaluate packets based on their source IP address. In other words, we can allow or deny traffic based on the IP address of the sender/requester
  • extended access lists - can evaluate packets based on source address, destination address, port address, and protocol.

To make the subject more confusing, the text reveals that an access list can also be called inbound or outbound, based on which kind of packets it is applied to. Several key rules are stated:

  • You can have one access list for each protocol (but the CCNA test only cares about IP), on each interface, in each direction (inbound and outbound)
  • You should plan access list evaluation order: each rule you add to an access list is added to the bottom of it
  • You can't remove one rule from a list unless it is a named list
  • Lists can end with the command permit any, which will allow any packet that did not match a rule in the list
  • If lists do not end with permit any, then the implicit deny is applied to any packet that did not match a rule in the list
  • Access lists are not applied to packets sent by the router itself

The text discusses standard access lists:

  1. To create a standard access list, create a rule for it: enter configuration mode for an interface, and use the command access-list
  2. The access-list command is followed by a number. For a standard IP access list, the number must be in one of two ranges: 1-99 or 1300-1999.
  3. The second argument to the access-list command should be permit or deny, depending on what kind of rule you are making
  4. The next argument to the access-list command can be an IP address, a hostname, any (which means what it sounds like), or a complicated description of a range. For example:
    access-list 5 deny host 10.25.32.11
    This line would drop all IP packets from the host at the stated address. Note: the keyword host is optional; you do not have to use it.

access-list 5 permit 10.25.32.0 0.0.0.255
This command will allow IP packets to pass through if they are from the 10.25.32.0 subnet. The last series of numbers is called a wildcard mask. A wildcard mask is not a subnet mask. (Say it three times.) The wildcard mask shown means that the source IP address on packets compared to this rule must match the first three octets exactly (0.0.0) and may have any value in the fourth octet (255). To carry this idea forward, any bit turned on in a wildcard mask marks a wildcard position. Any bit turned off marks a position that must match the starting value (the address in the previous argument).

The confusing part involves ranges of subnets or hosts. (The Cisco article is different. Some of it is a bit clearer.)

You change the wildcard mask to include a number indicating how many subnets (or hosts) to apply the rule to. Unfortunately, you can't always use the exact number you want. You are restricted to specific numbers. Trying to explain this concept, the text redefines the phrase "block size". The number you use will represent a block size which must be one of these powers of two: 4, 8, 16, 32, or 64. The correct block size is the one that is either the same as your desired number, or the next block size larger than your desired number. (So, if you wanted to represent a range of 6 subnets, your block size would be 8. If you wanted to represent a range of 10 subnets, your block size would be 16.) Whichever block size is correct, the number you use is one less than that block size. Let's look at an example.

Consider the command above:
access-list 5 permit 10.25.32.0 0.0.0.255
What if we want to apply this command to a block of 8 networks/subnets? That would be 10.25.32.0 through 10.25.39.0. The text tells us that if we want to match a block of 8 subnets, we use 7 for the mask in the octet we are matching:
access-list 5 permit 10.25.32.0 0.0.7.255

The 7 in the third byte means to match the starting value for the leftmost five bits of that byte, but to allow any values in the rightmost three bit positions. Consider the binary version of the numbers 32 through 39, shown below. The leftmost 5 bits are all identical (left of the bar), but the rightmost 3 bits vary (right of the bar):

  32 = 0 0 1 0 0 | 0 0 0
  33 = 0 0 1 0 0 | 0 0 1
  34 = 0 0 1 0 0 | 0 1 0
  35 = 0 0 1 0 0 | 0 1 1
  36 = 0 0 1 0 0 | 1 0 0
  37 = 0 0 1 0 0 | 1 0 1
  38 = 0 0 1 0 0 | 1 1 0
  39 = 0 0 1 0 0 | 1 1 1

In this range of eight numbers, the bits vary only in the rightmost three positions. The given mask says to match any values in the rightmost three bits. This makes it clearer that 7 (111) marks a block size of 8: a range of 8 addresses. 15 (1111) would mark a block size of 16, a range of 16 addresses, and so on. This also makes it clearer why you can't have a block size that is not a power of 2. You have to mark off all the bits that vary. In other words, you turn on all the bits to the right of the block size. The block size is always a power of two, and the marker number is always one less than that power of two.
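As an added illustration (not from the course text, the textbook, or Cisco), here is a small Python model of the two ideas just covered: the wildcard-mask and block-size arithmetic, and the top-to-bottom first-match evaluation with implicit deny described earlier in the chapter. The function names (wildcard_match, block_size_to_wildcard, varying_bits, parse_standard_rule, evaluate_standard_acl) and the sample access list 5 are my own constructions; they mimic IOS behavior but are not IOS.

```python
import ipaddress
from typing import List, Tuple

# Added example, not part of the course notes: a model of a Cisco standard
# IP access list. Names and sample data are constructed for illustration.


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Compare `address` with `base` under a Cisco wildcard mask.

    A 0 bit in the wildcard means "this bit must equal the base";
    a 1 bit means "don't care" (a wildcard position).
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


def block_size_to_wildcard(wanted: int) -> Tuple[int, int]:
    """Round `wanted` up to the next power of two (the block size) and return
    (block_size, wildcard_octet). The wildcard octet is block_size - 1, i.e.
    every bit to the right of the block size turned on."""
    if not 1 <= wanted <= 256:
        raise ValueError("a single octet can cover at most 256 values")
    size = 1
    while size < wanted:
        size *= 2
    return size, size - 1


def varying_bits(low: int, high: int) -> int:
    """OR together the bits that differ between `low` and each value up to
    `high`. For 32..39 this is 0b111 = 7, the mask the table above shows."""
    mask = 0
    for value in range(low, high + 1):
        mask |= value ^ low
    return mask


Rule = Tuple[str, str, str]  # (action, base address, wildcard mask)


def parse_standard_rule(line: str) -> Tuple[int, Rule]:
    """Parse one 'access-list N permit|deny ...' line in the forms the text
    lists: 'host A', 'A W', a bare 'A' (host is optional), or 'any'."""
    parts = line.split()
    if len(parts) < 4 or parts[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number = int(parts[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not in a standard IP access-list range")
    action = parts[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    target = parts[3].lower()
    if target == "any":
        return number, (action, "0.0.0.0", "255.255.255.255")
    if target == "host":
        return number, (action, parts[4], "0.0.0.0")
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = one host
    return number, (action, parts[3], wildcard)


def load_acl(lines: List[str]) -> List[Rule]:
    """Rules keep the order they were entered: each new line goes to the bottom."""
    return [parse_standard_rule(line)[1] for line in lines]


def evaluate_standard_acl(rules: List[Rule], source: str) -> Tuple[str, int]:
    """Walk the list top to bottom; the first matching rule decides and nothing
    after it is consulted. Returns (action, index); index -1 means no rule
    matched and the implicit deny applied."""
    for index, (action, base, wildcard) in enumerate(rules):
        if wildcard_match(source, base, wildcard):
            return action, index
    return "deny", -1


# Constructed sample list: the host deny must sit above the block permit,
# because the first match wins and new lines are appended at the bottom.
SAMPLE_ACL_5 = [
    "access-list 5 deny host 10.25.32.11",
    "access-list 5 permit 10.25.32.0 0.0.7.255",
]

if __name__ == "__main__":
    rules = load_acl(SAMPLE_ACL_5)
    for src in ("10.25.32.11", "10.25.35.200", "10.25.39.255", "10.25.40.1"):
        print(src, evaluate_standard_acl(rules, src))
    print(block_size_to_wildcard(6), block_size_to_wildcard(10))
    print(varying_bits(32, 39))
```

Running it shows 10.25.32.11 stopped by the first line, 10.25.35.200 and 10.25.39.255 allowed by the second, and 10.25.40.1 dropped by the implicit deny because 40 has a different value in the leftmost five bits of the third octet. Note that if the two sample lines were entered in the other order, the host deny would never be reached.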

The access list must be linked to an interface to work. This is done with an access-group command. (Which the text does not explain.) Think of it this way: write all the lines you want in your access list, then select the interface you will apply the rules to, then use an access-group command to apply the list to inbound or outbound traffic. Example: assume we have used the commands above to write access list 5. We can continue like this:
int e1
ip access-group 5 out
This would apply the rules in access list 5 to the outbound traffic from port e1.

Telnet access to a router can be controlled by an access list applied to the VTY line, which is a logical connection regardless of what physical port is actually used. When you link the access list to the VTY line, you use the access-class command instead of the access-group command.

The text continues with a discussion of extended access lists. Remember that a standard IP access list can only filter on the source IP address, while an extended access list can evaluate packets based on source address, destination address, port address, and protocol.

Template:
access-list number permit/deny/dynamic protocol source destination service_type_number

  1. We can begin creating an extended access list by giving it a number from 100 through 199, or 2000 through 2699.
  2. The creation command continues with an option: permit, deny, or dynamic.
  3. We continue with the protocol to filter, the source address and wildcard information, the destination address and wildcard information, and the type of service we are permitting or denying.

The service type is specified by a port number. To make it more confusing, we can specify one port number, port numbers less than or greater than a reference number, a range of numbers, any number other than a reference number, and more.
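To make the template and the port operators concrete, here is an added Python model of an extended access list (my own construction, not code from the course text, the textbook, or Cisco). It parses lines in the form shown above, with source and destination given as any, host A, or A W, and an optional service clause on the destination port using the operators the text describes: eq (one port), neq (any port other than the reference), lt and gt (below or above the reference), and range. The names (port_matches, parse_extended_rule, evaluate_extended_acl) and the sample list 110 are assumptions for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not part of the course notes: a model of a Cisco extended
# IP access list with port operators. Names and sample data are constructed.


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base; a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def port_matches(operator: Optional[str], operands: Tuple[int, ...], port: int) -> bool:
    """The service-type operators: one port (eq), anything but one port (neq),
    below/above a reference (lt/gt), or an inclusive range."""
    if operator is None:
        return True  # no port clause: every port qualifies
    if operator == "eq":
        return port == operands[0]
    if operator == "neq":
        return port != operands[0]
    if operator == "lt":
        return port < operands[0]
    if operator == "gt":
        return port > operands[0]
    if operator == "range":
        return operands[0] <= port <= operands[1]
    raise ValueError(f"unknown port operator {operator!r}")


def _take_address(parts: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A', or 'A W' at parts[i]; return (base, wildcard, next_i)."""
    token = parts[i].lower()
    if token == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if token == "host":
        return parts[i + 1], "0.0.0.0", i + 2
    return parts[i], parts[i + 1], i + 2


def parse_extended_rule(line: str) -> Dict:
    """Parse 'access-list N permit|deny protocol source destination [op port ...]'
    (the port clause applies to the destination port in this model)."""
    parts = line.split()
    if len(parts) < 6 or parts[0].lower() != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    number = int(parts[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not in an extended IP access-list range")
    action, protocol = parts[2].lower(), parts[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    src, src_wc, i = _take_address(parts, 4)
    dst, dst_wc, i = _take_address(parts, i)
    operator: Optional[str] = None
    operands: Tuple[int, ...] = ()
    if i < len(parts):
        operator = parts[i].lower()
        operands = tuple(int(p) for p in parts[i + 1:])
        needed = 2 if operator == "range" else 1
        if len(operands) != needed:
            raise ValueError(f"bad port clause in {line!r}")
    return {"number": number, "action": action, "protocol": protocol,
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc,
            "op": operator, "operands": operands}


def evaluate_extended_acl(rules: List[Dict], packet: Dict) -> Tuple[str, int]:
    """First match wins; (action, -1) means the implicit deny applied.
    A rule whose protocol is 'ip' matches any IP protocol (tcp, udp, icmp ...)."""
    for index, rule in enumerate(rules):
        if rule["protocol"] not in ("ip", packet["protocol"]):
            continue
        if not wildcard_match(packet["src"], rule["src"], rule["src_wc"]):
            continue
        if not wildcard_match(packet["dst"], rule["dst"], rule["dst_wc"]):
            continue
        if not port_matches(rule["op"], rule["operands"], packet.get("dport", 0)):
            continue
        return rule["action"], index
    return "deny", -1


# Constructed sample list 110 (addresses from documentation ranges).
SAMPLE_ACL_110 = [
    "access-list 110 permit tcp 10.25.32.0 0.0.0.255 host 192.0.2.10 eq 80",
    "access-list 110 deny tcp any any range 20 21",
    "access-list 110 permit tcp any any gt 1023",
    "access-list 110 permit ip 10.25.32.0 0.0.0.255 any",
]

if __name__ == "__main__":
    rules = [parse_extended_rule(line) for line in SAMPLE_ACL_110]
    samples = [
        {"protocol": "tcp", "src": "10.25.32.5", "dst": "192.0.2.10", "dport": 80},
        {"protocol": "tcp", "src": "10.25.32.5", "dst": "192.0.2.10", "dport": 21},
        {"protocol": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 8080},
        {"protocol": "udp", "src": "10.25.32.5", "dst": "192.0.2.10", "dport": 53},
        {"protocol": "udp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 53},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate_extended_acl(rules, pkt))
```

The last two sample packets show why the protocol field matters when you read a list: the udp packet from the 10.25.32.0 subnet is passed by the permit ip line even though no tcp line matched it, while the same udp packet from an outside address falls through every line and meets the implicit deny.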

An alternative web discussion of this material that may clarify things for you is here. This paper was submitted by a student studying this material.

The concept of a named access list is just to give it a meaningful name. The execution of the concept took a left turn: they changed the syntax for named lists.

  1. Begin the command sequence with ip access-list instead of access-list.
  2. Continue the command with either standard or extended.
  3. Instead of a number, give the list a name.
  4. In the text, the example shows the creation of a standard named list. After typing the list's name, pressing enter will take you to a data entry interface. In other words, you are now entering command lines in the access list, and you enter the command exit to close the interface.

The text reviews several variations on the show command that let you review your access lists:

  • show access-list
    Shows all access lists currently on the router. Does not show which interfaces the access lists affect.
  • show access-list number
    Shows a specific access list. Does not show which interfaces the access lists affect.
  • show ip access-list
    Shows only access lists affecting IP traffic.
  • show ip interface
    Shows interfaces using IP, including which of them have access lists linked to them.
  • show running-config
    Shows the access lists, and which interfaces are linked to access lists (among other things).