Standard Access Lists

«« Previous
Next »»

Standard access lists are the oldest type of access lists, dating back as early as Cisco IOS Software Release 8.3. Standard access lists control traffic by comparing the source address of packets to the addresses configured in the access list.

In all software releases, the access list number for the standard IP access lists can be anything from 1 to 99. In Cisco IOS Software Release 12.0.1, standard IP access lists began using additional numbers from 1300 to 1999. These additional numbers are sometimes referred to as the expanded range. In addition to using numbers to identify access lists, Cisco IOS Software Release 11.2 and later added the ability to use names to define standard IP access lists. We will learn how to configure both numbered and named access lists as we proceed in this chapter.

Table 9-6 Access List Types and Corresponding Numbers

Access List Type Number Range 
IP Standard Access Lists  1-99 
IP Standard Access Lists (expanded range)  1300-1999 
IP Extended Access Lists  100-199 
IP Extended Access Lists (expanded range) 2000-2699 

You can differentiate between standard and extended access lists in the numbered format simply by looking at the access list number. Based on the number used when access list is created, the router also knows which type of syntax to expect as the list is entered. By using numbers 1 – 99 or 1300 – 1999, you are essentially telling the router that you want to create a standard IP access list.  Thus the router will expect the standard IP access list syntax specifying only the source IP address in access list entries.

Creating a Numbered Standard Access List

If you want to filter traffic using source IP address only, a standard access list is a simple and sufficient option. Probably the best way to show you how to configure a numbered standard access list is by showing you how to do it one step at a time:

R1(config)#access-list ?
<1-99>            IP standard access list
<100-199>         IP extended access list
<1100-1199>       Extended 48-bit MAC address access list
<1300-1999>       IP standard access list (expanded range)
<200-299>         Protocol type-code access list
<2000-2699>       IP extended access list (expanded range)
<700-799>         48-bit MAC address access list
dynamic-extended  Extend the dynamic ACL absolute timer
rate-limit        Simple rate-limit specific access list 

The command to create an access list, not surprisingly, is access-list entered in configuration mode. As we just discussed the number we use to identify an access list cannot be any arbitrary number. This number rather must belong to the range of numbers available for the type of access list you want to create. At the moment, we are interested in creating a standard numbered access list. So we can choose a number from the ranges 1-99 or 1300-1999.

R1(config)#access-list 1 ?
deny    Specify packets to reject
permit  Specify packets to forward
remark  Access list entry comment 

We chose to use 1 as our standard access list number and there are three keywords available now as you can see from above output. Let’s first add a user-friendly remark in order to make our access list more readable as we return to it at a later point in time. A remark of upto 100 characters can precede or follow an access control entry. We will add a remark before the entry though you can choose to add remarks following access list entries. You should be consistent throughout your configuration whether you choose to add remarks before or after access control entries.

R1(config)#access-list 1 remark Give access to Bob 

As you may have guessed from the remark, we are going to create an access control entry that would allow all traffic sourced from Bob’s IP address 172.16.23.3. We use the wildcard mask 0.0.0.0 in order to match all bits in the source IP address. If the source wildcard mask is omitted, a wildcard mask of 0.0.0.0 is assumed. So, in this case we may even have omitted the wildcard mask of 0.0.0.0 but it is good practice to always explicitly mention the wildcard mask to make configuration readily understandable. Keep in mind that good configuration is one that is easy to read and understand, not one that is cryptic and unnecessarily complex.

R1(config)#access-list 1 permit 172.16.23.3 0.0.0.0 

Exactly the same result can be achieved using the host keyword.

R1(config)#access-list 1 permit host 172.16.23.3 

We can use either of the two formats just described to have exactly the same effect. Let’s move on to create our next access control entry denying access to Max.

R1(config)#access-list 1 remark Don’t give access to Max and log any attempts 

Now that’s interesting as we intend to not only deny access to Max but also to log any access attempts made by him using the log keyword at the end of the statement.

R1(config)#access-list 1 deny 172.16.23.12 0.0.0.0 log

At this point, the access list has actually been created and the same can be verified. This access list would be visible in the running configuration of the router when you use the command show running-config using the include keyword to filter output showing only those lines in the running configuration that contain the access-list keyword.

R1#show running-config | include access-list
access-list 1 permit 172.16.23.0 0.0.0.255
access-list 1 remark Block all traffic from network 172.16.23.0/24

Another useful command to verify access lists is show access-lists:

R1#show access-lists 1
Standard IP access list 1
10 permit 172.16.23.0, wildcard bits 0.0.0.255 

Though the access list has been created now but it is sitting idle, doing nothing as it has actually not been applied to any interface. Let’s go ahead and apply it to interface Fa0/0 in the inbound direction as depicted in Figure 9-2.

Figure 9-2 Standard Numbered Access List Example


The command to apply an access list to an interface is ip access-group entered in interface configuration mode:

R1(config)#int Fa0/0
R1(config-if)#ip access-group 1 ?
in   inbound packets
out  outbound packets

R1(config-if)#ip access-group 1 in
R1(config-if)#

As you can see, there are two options available while applying an access list to an interface, those are, in and out. We have applied the access list in the inbound direction filtering packets coming into the interface from outside. The access list is now applied comparing all packets received on interface Fa0/0 against entries in access list 1 and taking appropriate action.

Let’s run a final check verifying if the access list has been successfuly applied to the router interface:

R1#show ip interface FastEthernet0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound  access list is 1
<Output omitted for brevity>
R1# 

Creating a Named Standard Access List

A standard named access list can be used if you need to filter on source address only. Ther is no difference between numbered and named access lists in terms of functionality, however each has its own syntax. We will define a standard named access list including one permit statement and one deny statement. The actual statements you use and their order would depend on your filtering requirements. You should define your permit and deny statments depending on what you want to allow or block.

Enter privileged exec mode using enable command, and move to the golbal configuration mode using configure terminal command. You can configure access lists from the global configuration mode just like any other configuration on Cisco devices.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z. 

The command used to define a named access list is ip access-list which has several options:

R1(config)#ip access-list ?
extended    Extended Access List
log-update  Control access list log updates
logging     Control access list logging
resequence  Resequence Access List
standard    Standard Access List 

We are specifically interested here in two of these options: standard and extended, used respectively to defined standard and extended access lists. We will proceed to define and standard access list named Corp.

R1(config)#ip access-list standard Corp 

Let’s now define access list statements preceded by remarks to make their meaning clear. The first access list entry denies the whole class B network 172.18.0.0 belonging to the Operations department and also logs any unsuccessful attempts using the log keyword.

R1(config-std-nacl)#remark deny Operations network
R1(config-std-nacl)#deny 172.18.0.0 0.0.255.255 log 

But the CEO has an IP address 172.16.3.24 and he still needs to have access, so we create a permit statement to do just the same.

R1(config-std-nacl)#remark Give access to CEO’s host
R1(config-std-nacl)#permit 172.16.3.24 0.0.0.0
R1(config-std-nacl)#end 

And that’s all! The access list has been created which can be verified using command show ip access-list.

R1#show ip access-list
Standard IP access list Corp
20 permit 172.18.3.24
10 deny   172.18.0.0, wildcard bits 0.0.255.255 log

Exam Concept – Use the show ip access-list command to verify an access list has been created, while use the show ip interface command to verify that the access list is applied to an interface.  Cisco now wants you to thoroughly understand how to use the show commands for troubleshooting on the CCNA 

And let’s have a look at the figure before applying the access list to an interface.

Figure 9-3 Standard, Named Access List Example


Let’s now finalize out configuration by applying the access list to router interface Fa0/1 in the inbound direction.

R1(config)#int fa0/1
R1(config-if)#ip access-group Corp in

You can now verify if access list has actually been applied to the interface Fa0/1 using command show ip interface.

R1#show ip interface FastEthernet0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound  access list is Corp
<Output omitted for brevity>
R1#

«« Previous
Next »»

0 comments:

Post a Comment