Introduction to access-lists part 1

Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC (context-based access control). Learning how to properly use access-lists is crucial to becoming a good network administrator. They are vital to securing your network, and as you progress with your studies you will find that access-lists are used quite extensively in routing, QoS, and many other places.

Access-lists are used to match traffic and can be applied in either the in or the out direction. It is important to note that the direction is from the perspective of the interface. For instance, on a switch port “IN” is traffic coming into the switch (traffic being sent to the switch), whereas “OUT” is the traffic the switch sends to the device connected to the port. So think of it like this: OUT means traffic flowing out of the switch, while IN means traffic flowing into the switch. See, I knew you would get it; it’s very easy stuff.

There are two basic kinds of access-lists: standard and extended. Access-lists numbered 100 and above are extended access-lists, while access-lists numbered 99 and below are standard access-lists. Standard access-lists can only filter based on IP address, while extended access-lists can also filter based on the IP protocol, such as tcp, udp, gre and others, and on tcp/udp port numbers. Let's take a look at an access-list:


access-list 1 permit any
access-list 2 permit host 127.0.0.1
access-list 3 deny 10.0.0.0 0.0.0.255
access-list <1-99> {permit|deny} <source> [wildcard-mask]

All of these are standard access-lists; let's take them apart in detail. The first part is the command “access-list” followed by the list number; next comes either “permit” or “deny”; the next entry is the source, which can be “any”, an individual IP address (“host x.x.x.x”), or a network followed by a wildcard mask (“192.168.1.0 0.0.0.255”). The wildcard mask is the opposite of a subnet mask: a 0 bit must match exactly, while a 1 bit is ignored. Remember that standard access-lists can only filter based on the source address and nothing else. If you want to filter on more than the source you can choose extended access-lists. Extended access-lists can filter on much more and take a slightly different format.

access-list 101 permit tcp any any eq 443
access-list 101 deny udp any any eq 500
access-list 101 permit gre any any
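To make the matching rules concrete, here is a small Python model of how a router evaluates the numbered entries shown above (for both the standard and the extended lists): a wildcard-mask compare on each address, first match wins, and an implicit deny at the end. This is example code added for this article, not IOS code; the packet dictionary layout, ACL_101 list and function names are my own assumptions.

```python
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # "any" = base 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, base, wildcard):
    """Wildcard mask = inverse of a subnet mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (base + wildcard)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one numbered entry: 1-99 = standard (source only), 100+ = extended."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number <= 99:
        src, _ = parse_addr(t[3:])
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "port": None}
    proto = t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # only 'eq' is modelled here
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, pkt):
    """Walk the list top to bottom; the first matching entry decides the packet."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"  # the implicit "deny any" at the end of every access-list

# Constructed sample input: the extended list from the article.
ACL_101 = [
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 deny udp any any eq 500",
    "access-list 101 permit gre any any",
]

if __name__ == "__main__":  # HTTP to port 80 matches no entry and hits the implicit deny
    print(evaluate(ACL_101, {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.1", "dport": 80}))
```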

Let's have a look at some of the possible options that Cisco IOS gives you to match packets. If you don't understand all of the options or know how to use them at first, don't worry; these kinds of things look useless or seldom used at first, but as you progress you will make use of most of them.

#access-list 102 ?

  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

!

#access-list 102 permit ?

  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

!


#access-list 102 permit tcp any any ?

  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  

!


#access-list 102 permit tcp any any eq 80 ?

  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  established  Match established connections
  fin          Match on the FIN bit
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  

!

This has been a brief intro to access-lists. In the next installment we will talk a little bit about named access-lists and how they can be used to construct reflexive access-lists. Reflexive access-lists create dynamic entries in an access-list based on some event or matching criteria, and can be a really important tool for securing a network. Named access-lists also let you manage a large access-list more easily, because you can change an entry or change the order of the ACL without removing and rewriting the entire access-list.

One last thing: access-lists are applied to an interface by using the following commands (the list number or name comes before the direction):

#configure terminal
(config)# interface fastethernet 0/1
(config-if)# ip access-group 101 in
or
(config-if)# ip access-group 101 out
