Access list types

by Nideesh C on January 21, 2011

in Networking

There are three basic types of IP access lists: standard, extended, and dynamic extended. Standard access lists use source addressing for applying rules and provide very basic forms of filtering. Extended access lists use both source and destination addresses for filtering and even allow filtering by protocol type. This allows a more granular method of controlling data flow. Finally, dynamic extended access lists grant access to destinations on a per-user basis, through an authentication process.

The router uses a wildcard mask (sometimes known as an inverse mask), along with the source or destination IP address, to identify a range of addresses to match. Just as a subnet mask tells the router which bits of the IP address belong to the network number and which belong to the host address, the wildcard mask tells the router which bits of the IP address it needs to examine in order to make a matching determination (a 0 bit must match, a 1 bit is ignored). This address/mask pair allows us to specify a range of IP addresses with just two 32-bit numbers.

Standard type
So how do you use standard access lists? Easy! For example, suppose we want to create access list number 1, which will deny and log all requests from all addresses except 192.168.1.25. We’ll start out using the help feature by running the following at the configuration prompt:
core(config)#access-list 1 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment

core(config)#access-list 1 permit ?
Hostname or A.B.C.D Address to match
any     Any source host
host     A single host address

core(config)#access-list 1 permit 192.168.1.25 ?
A.B.C.D Wildcard bits
log  Log matches against this entry

And here we actually enter the commands to set up the access list:
core(config)#access-list 1 permit 192.168.1.25
core(config)#access-list 1 deny any log
core(config)#exit
core#show access-lists 1
Standard IP access list 1
permit 192.168.1.25
deny any log

After an access list is created, any additions to that list number are placed at the end, and entries are evaluated from the top down, with the first match deciding. Unfortunately, this means that you can’t selectively add or remove items. The only removal that can be done is to remove the entire access list, which can obviously be a nuisance if you have extensive lists.

Extended and dynamic extended type
Extended IP access lists allow you to control traffic at a more granular level. Extended IP uses both the source and destination addresses when it tries to match up packets to your list, and you can optionally use protocol type information for even finer control.

A lot of the rules you learned from standard IP access lists are the same for extended IP access lists, such as the rule that we cannot selectively add or remove entries from a list, and that at the end of the list there is an implicit deny-all statement (by default), so any packet not explicitly permitted is dropped. The syntax for adding extended IP access lists is a bit more complex, though it is similar to the standard one. From the configuration prompt, run:
core(config)#access-list 101 ?
deny  Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment

core(config)#access-list 101 permit ?
<0-255> An IP protocol number
ahp  Authentication Header Protocol
eigrp Cisco’s EIGRP routing protocol
esp  Encapsulation Security Payload
gre  Cisco’s GRE tunneling
icmp  Internet Control Message Protocol
igmp  Internet Gateway Message Protocol
igrp  Cisco’s IGRP routing protocol
ip  Any Internet Protocol
ipinip IP in IP tunneling
nos  KA9Q NOS compatible IP over IP tunneling
ospf  OSPF routing protocol
pcp  Payload Compression Protocol
pim  Protocol Independent Multicast
tcp  Transmission Control Protocol
udp  User Datagram Protocol

core(config)#access-list 101 permit ip ?
A.B.C.D Source address
any  Any source host
host  A single source host

Let’s say, for example, that we would like to block and log all TCP and UDP connections to port 12345, and everything else should be passed through. Here is how this would be accomplished:
core#configure terminal
core(config)#access-list 101 deny tcp any any eq 12345 log
core(config)#access-list 101 deny udp any any eq 12345 log
core(config)#access-list 101 permit ip any any
core(config)#exit
core#show access-lists 101
Extended IP access list 101
deny tcp any any eq 12345 log
deny udp any any eq 12345 log
permit ip any any
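As an added example (not part of the original article), here is a small Python simulator of the matching rules described above: a wildcard (inverse) mask bit of 0 must match and a bit of 1 is ignored, entries are evaluated top-down with the first match deciding, and anything that falls off the end hits the implicit deny. It encodes access lists 1 and 101 from this article as data; the dictionary layout and the wildcard_match/evaluate/host helper names are my own, not IOS syntax.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard (inverse) mask: a 0 bit must match the base address,
    a 1 bit is ignored. 'host X' is X 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Shorthands for the keywords used in the article's commands (constructed helpers).
ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

def evaluate(acl, packet):
    """Walk the entries top-down; the first matching entry decides.
    Returns (action, logged). A packet matching no entry hits the implicit
    'deny any' that ends every IOS access list, which is never logged."""
    for entry in acl:
        proto = entry.get("proto", "ip")      # standard lists match any IP protocol
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if "dst" in entry and not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if "dport" in entry and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"], entry.get("log", False)
    return "deny", False

# access-list 1 (standard, source only): permit 192.168.1.25 / deny any log
ACL_1 = [
    {"action": "permit", "src": host("192.168.1.25")},
    {"action": "deny", "src": ANY, "log": True},
]

# access-list 101 (extended): drop and log TCP/UDP to port 12345, pass the rest
ACL_101 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": ANY, "dport": 12345, "log": True},
    {"action": "deny", "proto": "udp", "src": ANY, "dst": ANY, "dport": 12345, "log": True},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    # Constructed sample packets; the last one falls off a list with no final permit.
    print(evaluate(ACL_1, {"proto": "tcp", "src": "192.168.1.25"}))   # ('permit', False)
    print(evaluate(ACL_1, {"proto": "udp", "src": "192.168.1.26"}))   # ('deny', True)
    print(evaluate(ACL_101, {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "dport": 12345}))  # ('deny', True)
    print(evaluate(ACL_101[:2], {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "dport": 80}))  # ('deny', False)
```

Dropping the final permit from ACL_101 shows why the implicit deny matters: traffic you never mentioned is silently discarded, and because the implicit entry has no log keyword, nothing tells you why.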

Named type
To finish, let’s turn to the named access list. It is new in IOS version 11.2, and it is not backward-compatible with older releases. With named lists, you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number. This allows you to exceed the previous limit of 99 numbered standard lists and 100 numbered extended lists. You should not, however, assume that all access lists that use a number can also use a name. If you choose to use this method, you should know that the mode and command syntax are a little different. Also, as of now, only packet and route filters can use a named list.
