NET 224: Advanced Routers and Routing
Chapter 10: Managing Access Lists

Objectives:
       This chapter introduces concepts about managing a Cisco environment: 
       
        - Developing access lists 
        
 - Implementing access lists 
        
 - Troubleshooting access lists 
        
 -  Evaluating rules for access lists 
      
  
       Concepts: 
      Access lists provide a method to allow 
        and deny access to resources on and 
        off your network. The text offers an example: we can 
        use access lists to manage who is allowed to use the 
        Internet from our network, and who is not allowed to 
        do so. 
      Access lists can be applied to traffic on ports, to 
        traffic from a specific protocol, and to other filtering 
        uses. 
      The text tells us that an access list is like a series of if-then 
        statements. (It would be very unlike our author to actually give an example 
        of what he means at this stage, so he does not.) If you understand this 
        kind of programming, you may find it is more like an if-then-elseif 
        structure. 
      An explanation of how an access list works is offered: 
      
        - The access list is a series of rules
 
        - Packets are evaluated against each rule, from the 
          top of the list to the bottom, until a rule matches 
          the packet being evaluated
 
        - If a rule matches the packet, the action 
          for that rule is taken, and the packet is not checked against any other 
          rules in the list
 
        - If no rule matches the packet, the packet is discarded. 
          This is called an implicit deny. The packet is denied 
          (discarded) unless there is a rule for what to do with it. 
 
       
      Access lists come in two types: standard 
        and extended. Both types include a variation called named 
        access lists.  
      
        - standard access lists - only evaluate packets based 
          on their source IP address. In other words, we can 
          allow or deny traffic based on the IP address of the sender/requester
 
        - extended access lists - can evaluate packets based 
          on source address, destination address, 
          port address, and protocol. 
 
       
      To make the subject more confusing, the text reveals that an access list 
        can also be called inbound or outbound, based on which kind 
        of packets it is applied to. Several key rules are stated: 
      
        - You can have one access list for each protocol (the CCNA 
          test only cares about IP), on each interface, in each direction 
          (inbound and outbound)
 
        - You should plan access list evaluation order: each rule you 
          add to an access list is added to the bottom of it
 
        - You can't remove one rule from a list unless it is a named 
          list
 
        - Lists can end with the command permit any, which will allow 
          any packet that did not match a rule in the list
 
        - If lists do not end with permit any, then the implicit 
          deny is applied to any packet that did not match a rule in the list
 
        - Access lists are not applied to packets sent by the router 
          itself
 
       
      The text discusses standard access lists: 
      
        - To create a standard access list, create a rule for it: enter configuration 
            mode for an interface, and use the command access-list
 
        - The access-list command is followed by a number. For a standard 
            IP access list, the number must be in one of two ranges: 1-99 
          or 1300-1999.
 
        - The second argument to the access-list command should be permit or deny, depending on what kind of rule you are making
 
        - The next argument to the access-list command can be an IP address, 
          a hostname, any (which means what it sounds like), or a 
          complicated description of a range. For example:
 
          access-list 5 deny host 10.25.32.11 
          This line would drop all IP packets from the host at the 
          stated address. Note: the keyword host is optional; you do not have to 
          use it. 
             
      access-list 5 permit 10.25.32.0 0.0.0.255 
        This command will allow IP packets to pass through if they are 
        from the 10.25.32.0 subnet. The last series of numbers is called 
        a wildcard mask. A wildcard mask is not a subnet mask. (Say it three times.) The wildcard mask shown means that the source IP address on  
        packets compared to this rule must match the first three octets exactly (0.0.0) 
        and may have any value in the fourth octet (255). To carry 
        this idea forward, any bit turned on in a wildcard mask marks a wildcard position. 
        Any bit turned off marks a position that must match the starting value (the address in the previous argument). 
      The confusing part involves ranges of subnets or hosts. 
        (The Cisco 
        article is different. Some of it is a bit clearer.)  
      You change the wildcard mask to include a number indicating how 
        many subnets (or hosts) to apply the rule to. Unfortunately, you can't 
        always use the exact number you want. You are restricted to specific numbers. Trying to explain this concept, the text redefines 
        the phrase "block size". The number you use will represent 
        a block size which must be one of these powers of two: 4, 8, 
        16, 32, or 64. The correct block size is the 
        one that is either the same as your desired number, or the next 
        block size larger than your desired number. (So, if you wanted to represent a range of 6 subnets, your block size would be 8. If you wanted to represent a range of 10 subnets, your block size would be 16.) Whichever block size 
        is correct, the number you use is one less than that block size. Let's look at an example. 
      Consider the command above: 
        access-list 5 permit 10.25.32.0 0.0.0.255 
        What if we want to apply this command to a block of 8 networks/subnets? 
        That would be 10.25.32.0 through 10.25.39.0. The text tells us that if 
        we want to match a block of 8 subnets, we use 7 for the mask in 
        the octet we are matching: 
        access-list 5 permit 10.25.32.0 0.0.7.255 
      The 7 in the third byte means to match the starting value for the leftmost five 
        bits of that byte, but to allow any values in the rightmost 
        three bit positions. Consider the binary version of the numbers 
        32 through 39, shown below. The leftmost 5 bits are all identical (left of 
        the bar), but the rightmost 3 bits vary (right of the bar): 

          32 = 0 0 1 0 0 | 0 0 0
          33 = 0 0 1 0 0 | 0 0 1
          34 = 0 0 1 0 0 | 0 1 0
          35 = 0 0 1 0 0 | 0 1 1
          36 = 0 0 1 0 0 | 1 0 0
          37 = 0 0 1 0 0 | 1 0 1
          38 = 0 0 1 0 0 | 1 1 0
          39 = 0 0 1 0 0 | 1 1 1

      In this range of eight numbers, the bits vary only in the rightmost three 
        positions. The given mask says to match any values in the rightmost three 
        bits. This makes it clearer that 7 (111) marks a block size 
        of 8: a range of 8 addresses. 15 (1111) would mark a block size of 16, a range of 16 addresses, and so 
        on. This also makes it clearer why you can't have a block size that is not 
        a power of 2. You have to mark off all the bits that vary. In other words, 
        you turn on all the bits to the right of the block size. The block size is always a power of two, and the marker number is always one less than that power of two. 
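The matching rules above, as an added example that is not part of the course notes and not Cisco IOS code: a small Python model of a standard IP access list. It implements the wildcard-mask test (a 1 bit means "any value here", a 0 bit must match the rule's address), the block-size rule (6 subnets needs a block of 8 and a mask octet of 7; 10 subnets needs 16 and 15), and the top-to-bottom, first-match evaluation with implicit deny described earlier in the chapter. The contents of list 5 and the source addresses tested are constructed; the parser accepts only the standard-list forms these notes show (host, bare address, address plus wildcard, any).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(IPv4Address(addr))


def wildcard_match(packet_src: str, rule_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'any value here'; a 0 bit means the packet
    bit must equal the rule address bit.  (A wildcard mask is not a subnet mask.)"""
    must_match = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_src) & must_match) == (ip_to_int(rule_addr) & must_match)


def block_size_for(count: int) -> int:
    """Smallest power of two that is >= count: 6 -> 8, 10 -> 16, 8 -> 8."""
    size = 1
    while size < count:
        size *= 2
    return size


def wildcard_octet_for(count: int) -> int:
    """The number typed in the varying octet is one less than the block size."""
    return block_size_for(count) - 1


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"    # all-zero wildcard == exact host match


def parse_standard_rule(line: str) -> Rule:
    """Accepts the standard-list forms shown in the chapter:
         access-list N permit|deny host A.B.C.D
         access-list N permit|deny A.B.C.D [W.X.Y.Z]
         access-list N permit|deny any
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list line: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest == ["any"]:
        return Rule(action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        return Rule(action, rest[1])
    if len(rest) == 1:               # 'host' keyword omitted
        return Rule(action, rest[0])
    return Rule(action, rest[0], rest[1])


def evaluate(rules: list[Rule], packet_src: str) -> str:
    """Top to bottom, first match wins; no match at all is the implicit deny."""
    for rule in rules:
        if wildcard_match(packet_src, rule.address, rule.wildcard):
            return rule.action
    return "deny"


# Constructed access list 5, in the order the lines would be typed
# (each new line is appended to the bottom, so order matters).
ACL_5_LINES = [
    "access-list 5 deny host 10.25.32.11",
    "access-list 5 permit 10.25.32.0 0.0.7.255",
]
ACL_5 = [parse_standard_rule(line) for line in ACL_5_LINES]


def main() -> None:
    for src in ("10.25.32.11", "10.25.39.200", "10.25.40.1", "192.0.2.7"):
        print(f"{src:>13} -> {evaluate(ACL_5, src)}")
    # Same two lines typed in the other order: the denied host is now permitted.
    print("reversed list, 10.25.32.11 ->", evaluate(list(reversed(ACL_5)), "10.25.32.11"))
    for wanted in (6, 8, 10):
        print(f"{wanted} subnets -> block size {block_size_for(wanted)}, "
              f"wildcard octet {wildcard_octet_for(wanted)}")


if __name__ == "__main__":
    main()
```

Running it shows 10.25.39.200 permitted by the 0.0.7.255 line while 10.25.40.1 falls off the end of the list and hits the implicit deny, and that typing the same two lines in the opposite order lets the host 10.25.32.11 through, which is why the chapter tells you to plan the order of a list before you build it.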
      The access list must be linked to an interface to work. This is done with an access-group command. (Which the text does not explain.) Think of it this way: write all the lines you want in your access list, then select the interface you will apply the rules to, then use an access-group command to apply the list to inbound or outbound traffic. For example, assume we have used the command above to write access list 5. We can continue like this: 
        int e1 
        ip access-group 5 out 
        This would apply the rules in access list 5 to the outbound traffic from port e1.  
      Telnet access to a router can be controlled by an access list applied to the VTY line, which is a logical connection regardless of what physical port is actually used. When you link the access list to the VTY line, you use the access-class command instead of the access-group command.  
      The text continues with a discussion of extended access lists. Remember that a standard IP access list can only filter on the source IP address, while an extended access list can evaluate packets based 
      on source address, destination address, port address, and protocol. 
      Template: 
        access-list number permit/deny/dynamic protocol source destination service_type_number  
      
        - We can begin creating an extended access list by giving it a number from 100 through 199, or 2000 through 2699. 
 
        - The creation command continues with an option: permit, deny, or dynamic. 
 
        - We continue with the protocol to filter, the source address and wildcard information, the destination address and wildcard information, and the type of service we are permitting or denying. 
 
             
      The service type is specified by a port number. To make it more confusing, we can specify one port number, port numbers less than or greater than a reference number, a range of numbers, any number other than a reference number, and more.  
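As an added example that is not from the course notes or from Cisco, the same kind of model extended to the fields an extended list examines: protocol, source, destination and the service port operators this paragraph lists. The IOS keywords eq, lt, gt, neq and range are the real names of "one port number", "less than", "greater than", "any number other than" and "a range of numbers"; only a destination-port operator is modelled here (IOS also allows one after the source), and the contents of list 110 and the test packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = any value; bit 0 = must equal the rule's address bit."""
    must = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & must) == (int(IPv4Address(rule_addr)) & must)


def take_address(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' starting at tokens[i].
    Returns (address, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def port_predicate(tokens: list[str]) -> Callable[[int], bool]:
    """Turn the port-operator words into a test on the destination port:
    eq N (exactly N), lt N / gt N (below / above a reference), range A B
    (inclusive), neq N (anything except N).  No operator means any port."""
    if not tokens:
        return lambda port: True
    op, nums = tokens[0], [int(t) for t in tokens[1:]]
    if op == "eq":
        return lambda port: port == nums[0]
    if op == "lt":
        return lambda port: port < nums[0]
    if op == "gt":
        return lambda port: port > nums[0]
    if op == "neq":
        return lambda port: port != nums[0]
    if op == "range":
        return lambda port: nums[0] <= port <= nums[1]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Entry:
    action: str                     # permit or deny
    protocol: str                   # ip, tcp, udp, icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_ok: Callable[[int], bool]  # destination-port test


def parse_extended(line: str) -> Entry:
    """access-list N permit|deny PROTOCOL SRC DST [operator port ...]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list line: {line!r}")
    src, src_wc, i = take_address(t, 4)
    dst, dst_wc, i = take_address(t, i)
    return Entry(t[2], t[3], src, src_wc, dst, dst_wc, port_predicate(t[i:]))


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int = 0               # icmp carries no port; 0 is a placeholder


def matches(e: Entry, p: Packet) -> bool:
    """'ip' in an entry covers every IP protocol; otherwise protocols must agree."""
    proto_ok = e.protocol == "ip" or e.protocol == p.protocol
    return (proto_ok
            and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)
            and e.port_ok(p.dst_port))


def evaluate(entries: list[Entry], p: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed list 110 (a number in the 100-199 extended range the chapter gives).
ACL_110 = [parse_extended(line) for line in [
    "access-list 110 deny tcp 10.25.32.0 0.0.7.255 any eq 23",
    "access-list 110 permit tcp 10.25.32.0 0.0.7.255 any range 80 443",
    "access-list 110 permit udp any host 10.25.1.53 eq 53",
]]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.25.33.5", "192.0.2.10", 23),
                Packet("tcp", "10.25.33.5", "192.0.2.10", 443),
                Packet("tcp", "10.25.33.5", "192.0.2.10", 22),
                Packet("udp", "10.25.33.5", "10.25.1.53", 53),
                Packet("icmp", "10.25.33.5", "192.0.2.10")):
        print(f"{pkt.protocol:>4} {pkt.src} -> {pkt.dst}:{pkt.dst_port} = {evaluate(ACL_110, pkt)}")
```

The telnet packet (port 23) from the 10.25.32.0 block is stopped by the first entry, web traffic in the 80 to 443 range from the same block passes on the second, and anything the three entries do not describe, such as ssh on port 22 or any icmp, is dropped by the implicit deny at the end.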
      An alternative web discussion of this material that may clarify things for you is here. This paper was submitted by a student studying this material.  
      The concept of a named access list is just to give it a meaningful name. The execution of the concept took a left turn: they changed the syntax for named lists. 
      
        - Begin the command sequence with ip access-list instead of access-list. 
 
        - Continue the command with either standard or extended.
 
        - Instead of a number, give the list a name.
 
        -  In the text, the example shows the creation of a standard named list. After typing the list's name, pressing enter will take you to a data entry interface. In other words, you are now entering command lines in the access list, and you enter the command exit to close the interface.
 
             
      The text reviews several variations on the show command that let you review your access lists:  

        - show access-list 
          Shows all access lists currently on the router. Does not show which interfaces the access lists affect. 

        - show access-list number
          Shows a specific access list. Does not show which interfaces the access lists affect. 

        - show ip access-list
          Shows only access lists affecting IP traffic. 

        - show ip interface
          Shows interfaces using IP, including which of them have access lists linked to them. 

        - show running-config
          Shows the access lists, and which interfaces are linked to access lists (among other things). 