ICND1 (#6) Access Control Lists

How are access lists processed?

Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not applied to any more access list statements. Because of this, the order of the statements within an access list is significant.

What is at the end of each access list?

An implicit deny any statement is at the end of each access list. An implicit deny statement denies any packet that is not matched in the access list.

What are dynamic access lists?

Dynamic access lists (lock-and-key) dynamically create access list entries on the router to allow a user who has authenticated to the router through Telnet to access resources that are blocked behind the router. Dynamic access lists depend on the user authenticating to the router and on extended access lists. Considered lock-and-key, the configuration starts with an extended ACL that blocks traffic through the router. A user who wants to traverse through the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. After the user is authenticated, the Telnet connection is dropped, and a single-entry dynamic ACL entry is added to the extended ACL to permit the user to traverse through the router.

What criteria do extended IP access lists use to filter packets?

Extended IP access lists use any combination the source address, destination address, and protocols to filter packets. If the protocols specified in the extended access lists are TCP or UDP, port numbers can be included in the criteria. If ICMP is the protocol specified, specific ICMP message types can be filtered.

You have a router that has its Gigabit Ethernet interface G0/0 connected to the network 192.168.1.0/24. As the network administrator, you want to block all Telnet traffic originating from the network 192.168.1.0/24 while permitting all other IP traffic. You create the following access list and apply it to Gigabit interface 0/0: access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23 After you apply the access list, hosts connected to the router's Gigabit interface cannot communicate to remote networks. Why might this be?

Hosts attached to network 192.168.1.0/24 cannot communicate with remote networks because the access list is denying all IP traffic. At the end of each access list is a deny all statement. Thus access list 101 is not only denying Telnet traffic but is also denying all IP traffic as well. To resolve the problem, the access list needs to be configured as follows: access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23 access-list 101 permit ip any any

In what two ways can IP access lists be applied to an interface?

IP access lists can be applied inbound or outbound. Inbound access lists process packets as they enter a router's interface and before they are routed. Outbound access lists process packets as they exit a router's interface and after they are routed.

How any access lists can be applied to an interface on a Cisco router?

Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for different protocols or applied in different directions.

What are reflexive access lists?

Reflexive access lists allow IP packets to be filtered based on upper-layer session information. They allow outbound traffic and limit inbound traffic in response to sessions that originate from a network inside the router. Reflexive ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. Reflective ACLs are not applied directly to an interface, but are "nested" within an extended named IP ACL that is applied to an interface.

What criteria do standard IP access lists use to filter packets?

Standard IP access lists filter packets by the source IP address. This results in the packets being permitted or denied for the entire protocol suite based on the source network, subnet, or host IP address.

What does the following access list do? Click here to view code image access-list 110 deny ip host 172.16.0.2 any access-list 110 permit ip any any

The access list denies any traffic from the host 172.16.0.2 and permits all other traffic.

What is the IOS command syntax that creates a standard IP access list?

The command syntax that creates a standard IP access list is as follows: Click here to view code image access-list access-list-number {permit | deny} source-address [wildcard-mask] In this syntax, access-list-number is a number from 1 to 99 or 1300 to 1999. For example: RouterA(config)# access-list 10 deny 192.168.0.0 0.0.0.255 This command creates access list number 10, which denies any IP address between 192.168.0.0 and 192.168.0.255.

What are six common types of IP access lists that can be configured on a Cisco router?

The following are common types of IP access lists: numbered (including standard and extended), named, dynamic, reflexive, and time-based access lists.

What are the number ranges that define standard and extended IP access lists?

The number ranges that define standard and extended IP access lists are as follows: Image Standard IP access lists: 1 to 99 and 1300 to 1999 (expanded range) Image Extended IP access lists: 100 to 199 and 2000 to 2699 (expanded range)

What things should one should consider when configuring access lists?

Things one should consider when configuring access lists are Image The ACL type (standard or extended) determines the criteria used for filtering. Image Only one ACL per interface, per protocol, per direction is allowed. Image Access-list ordering is important during configuration. Poor ordering can create undesired results; therefore, always ensure that specific references to a subnet or network appear before those that are generalized. Also, when possible, place more often matched statements toward the top of an ACL and less frequent ones to the bottom of the list, to help with router CPU processing. Image Every ACL needs at least one permit statement because of the implicit "deny any any" at the end of each ACL. Image When placing an ACL, place extended ACLs close to the source. Standard ACLs should be placed close to the destination. Image An ACL can filter traffic going through a router when the ACL is applied to an interface or traffic to and from the router when the ACL is applied to a VTY line. Image By default, all new statements added to an access list are appended to the bottom, before the implicit deny, of the ACL. Image When applying an ACL to an interface, consider applying the ACL in the inbound direction to save processing through the routing table.

What are time-based access lists?

Time-based ACLs are an enhancement to extended access lists that additionally consider the time of day when making a filtering decision.

What two things must one do to activate an access list?

To activate an access list, you must perform the following steps: 1. Create the access list. 2. Apply or reference the access list.

Create a named access lists that only blocks pings from networks 172.16.0.0/22 to host 192.168.0.101.

To create a named access list that only blocks pings from networks 172.16.0.0/22 to host 192.168.0.101, enter the following: ip access-list extended block-ping deny icmp 172.16.0.0 0.0.3.255 host 192.168.0.101 echo ip permit any any When you create a named access list, you use the ip access-list extended name global configuration command. Issuing this command places you in named extended IP access list subcommand mode, which then allows you to enter the access list statements.

What is the Cisco IOS command syntax that creates an extended access list?

To create an extended access list in IOS, use the following command: Click here to view code image access-list access-list-number {permit | deny} protocol source-address source-wildcard-bits [operator port] destination-address destination-wildcard-bits [operator port] In this syntax, protocol examples include IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and generic routing encapsulation (GRE). The operator port value can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to) and a TCP or UDP port number.

What IOS commands will create an extended access list that denies web traffic to network 192.168.10.0/24?

To create an extended access list that denies web traffic to network 192.168.10.0, enter the following: access-list 101 deny tcp any 192.168.10.0 0.0.0.255 eq www access-list 101 permit ip any any

What IOS command can you use to see whether an IP access list is applied to an interface?

To determine whether an IP access list is applied to an interface, enter the following command: show ip interface interface-type interface-number For example: RouterA# show ip interface s0 Serial0 is up, line protocol is up Internet address is 192.168.1.2/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set Inbound access list is 10 Proxy ARP is enabled Security level is default Split horizon is enabled --Text Omitted--

Which IOS command will display all the configured access lists on a Cisco router?

To display all access lists, enter the show running-config or the show access-list command, as follows: RouterA# show access-list Standard IP access list 10 deny 192.168.0.0, wildcard bits 0.0.0.255 Extended IP access list 101 permit tcp any any eq www permit udp any any eq domain permit udp any eq domain any permit icmp any any deny tcp 192.168.10.0 0.0.0.255 any eq www RouterA#

After you create a standard or extended IP access list, how do you apply it to an interface on a Cisco routers?

Use the ip access-group interface command, as follows: ip access-group access-list-number {in | out} For example: RouterA(config)# int g0/0/0 RouterA(config-if)# ip access-group 10 in This applies access list 10 to gigabit interface 0/0/0 as an inbound access list.

When implementing access lists, what are wildcard masks?

Wildcard masks define which of the 32 bits in the IP address must be matched. Wildcards are used with access lists to specify a host, network, or part of a network. In wildcard masks, when binary 0s are present, the corresponding bits in the IP address must match. Wildcard mask bits with a binary value of 1 do not require matching bits within the IP address. For example, if you have an IP address of 172.16.0.0 with a wildcard mask of 0.0.255.255, the first two octets of the IP address must match 172.16, but the last two octets can be in the range of 0 to 255.