Access Lists in Network Security
Packets are compared against the access list entries sequentially until a match is found. If no entry matches, the packet is discarded (the implicit deny at the end of every list). Access lists filter traffic passing through the router, not traffic originated by the router itself. You should place standard IP access lists as close to the destination as possible, whereas extended IP access lists should be placed as close to the source as possible. You can only assign two access lists per interface, one in each direction.
To define a standard IP access list (00<number<99):
config t
access-list number deny/permit sourcehostname/(address matching-range)/any/(host address)
The number determines which protocol and which type of access list it is. The available ranges depend on the IOS version you are using.
When using an address matching-range, the matching-range is expressed as a wildcard mask whose value is the number of addresses minus 1. The number of addresses is restricted to a power of two (1, 2, 4, 8, 16, 32, 64, 128, 256), so the wildcard value in each octet is restricted to (0, 1, 3, 7, 15, 31, 63, 127, 255). The address must also start at a multiple of the block size. For example, to allow 172.10.32.0 to 172.10.63.255, you would use the command:
access-list 10 permit 172.10.32.0 0.0.31.255
You would not be able to permit 172.10.35.0 to 172.10.66.255 with a single entry, because that block does not start at a multiple of its size.
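As an added example (not part of the original notes), the following Python models the two rules above: it derives the wildcard mask for a block of addresses, refusing blocks that are not a power of two or not aligned, and it evaluates a standard IP access list sequentially with the implicit deny. The function names and the sample entries are constructed for this illustration.

```python
import ipaddress

def wildcard_for_block(start, count):
    """Return the wildcard mask for `count` addresses beginning at `start`.

    Returns None when the block cannot be expressed by one access-list line:
    the size is not a power of two, or the start is not a multiple of the size.
    """
    if count < 1 or count & (count - 1):
        return None                      # not a power of two
    base = int(ipaddress.IPv4Address(start))
    if base % count:
        return None                      # not aligned to the block size
    # Wildcard value is (number of addresses - 1), e.g. 8192 -> 0.0.31.255
    return str(ipaddress.IPv4Address(count - 1))

def parse_acl(lines):
    """Parse 'access-list N permit|deny <any|host A|A W>' lines in order."""
    entries = []
    for line in lines:
        parts = line.split()
        action, target = parts[2], parts[3:]
        if target[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            net, wild = int(ipaddress.IPv4Address(target[1])), 0
        else:
            net = int(ipaddress.IPv4Address(target[0]))
            wild = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        entries.append((action, net, wild))
    return entries

def evaluate(acl, source):
    """First matching entry wins; no match means the packet is dropped."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wild in acl:
        # Wildcard bits set to 1 are "don't care" bits, so mask them out.
        if ((src ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"                        # implicit deny at the end of the list

# Constructed sample list: block one host, permit the rest of the /19 block.
SAMPLE_ACL = parse_acl([
    "access-list 10 deny host 172.10.40.7",
    "access-list 10 permit 172.10.32.0 0.0.31.255",
])
```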
To define an extended IP access list (100<number<199):
config t
access-list number deny/dynamic/permit protocol (sourceaddress matching-range)/any/(host sourceaddress)
[(destaddress matching-range)/any/(host destaddress)] [(eq/neq/gt/lt port#)/(range port#start port#end)] [log/log-input]
where protocol must be a transport-layer protocol (tcp, udp or icmp) if you want to filter on ports. port# can also be a well-known port name.
To define a standard IPX access list (800<number<899):
config t
access-list number deny/permit sourceaddress destaddress (where -1 means any)
To define an extended IPX access list (900<number<999):
config t
access-list number deny/permit protocol sourceaddress sourcesocket destaddress destsocket
To define an IPX SAP filter list (1000<number<1099):
config t
access-list number deny/permit sourceaddress servicetype
To set an access list on an interface, once it has been defined:
int e0
ip access-group number in/out
To set an access list on a VTY line to control Telnet access:
line vty 0 4
access-class number in/out
To apply an IPX SAP filter to an interface, use:
ipx input-sap-filter/output-sap-filter number: stops SAP entries from being entered in the SAP table or from being propagated out.
Other access list commands:
show access-list [number]: displays all or a specific access list, but does not show what interface(s) it is applied to.
show ip access-list : shows only IP access lists on the router but doesn’t indicate which interface (if any) they apply to.
show ipx access-list: shows only the access lists and SAP filters but doesn’t indicate which interface (if any) they apply to.
show ip interface: shows which interfaces have IP access lists applied to them, and in which direction.
show ipx interface [interface/brief]: shows the IPX address of all or one interface, as well as its access list and inbound/outbound SAP filters.
show running-config: shows the access lists and what interfaces they are applied to.
clear access-list counters: resets the counters that record the number of packets matched by each line of an access list.