top of page
Search

Acess-List In Network Security

Jun 21, 20183 min read

Updated: Jan 22


Packets are compared to the access lists sequentially until a match is found. If no match is found, the packet is discarded.


Access lists filter content going through the router, not the traffic originated by the router. You should place standard IP access lists as close to the destination as possible, whereas extended IP access lists should be as close from the source as possible.


You can only assign two access lists per interface, one in each direction.


Custom alt text


1. Standard IP Access List (00<number<99)

A Standard IP ACL is used to permit or deny traffic based on source IP address only. You can define it as follows:


config t access-list <number> deny/permit <source-address> <wildcard-mask> [any | host <destination-address>]

Example:


config t access-list 10 permit 172.10.32.0 0.0.31.255

  • This command allows traffic from 172.10.32.0 to 172.10.63.255 (i.e., block size of 31.255 in the wildcard mask).

Wildcard Mask Explanation:

  • The wildcard mask defines a range for matching IP addresses. The number of addresses must be a power of two, such as 1, 2, 4, 8, 16, etc.

  • For example, if you want to match 172.10.32.0 to 172.10.63.255, you can use the wildcard 0.0.31.255.

2. Extended IP Access List (100<number<199)

An Extended IP ACL is used to filter traffic based on source and destination IP addresses, as well as protocol and port number (e.g., TCP, UDP, ICMP).

Syntax:


config t access-list <number> deny/permit <protocol> <source-address> <wildcard-mask> [any | host <destination-address>] [eq <port-number>]


Example:


config t access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80

  • This command permits TCP traffic from 192.168.1.0/24 to 10.10.10.0/24 on port 80 (HTTP).

Protocol Options:

  • You can use transport layer protocols such as tcp, udp, or icmp.

  • The eq option can be used to specify the port number or a well-known port name (e.g., http, ftp).

3. Standard IPX Access List (800<number<899)

An IPX Standard ACL is used to control traffic based on the source and destination IPX addresses.


config t access-list <number> deny/permit <source-address> <destination-address>

Example:


config t access-list 800 permit 0.0.0.0 0.0.0.0

  • This command allows traffic from any source IPX address to any destination IPX address.

4. Extended IPX Access List (900<number<999)

An Extended IPX ACL provides more control, allowing filtering based on both the source IPX address and source socket, as well as the destination IPX address and destination socket.



config t access-list <number> deny/permit <protocol> <source-address> <source-socket> <destination-address> <destination-socket>

Example:


config t access-list 900 permit ipx 0.0.0.0 0 0.0.0.0 0

  • This command allows all IPX traffic.

5. IPX SAP Filter List (1000<number<1099)

An IPX SAP Filter List is used to filter SAP (Service Advertisement Protocol) entries.


config t access-list <number> deny/permit <source-address> <service-type>

Example:


config t access-list 1000 permit 0.0.0.0 0

  • This command permits all SAP entries.

6. Applying ACLs to Interfaces

After defining an ACL, you can apply it to an interface to filter traffic either inbound or outbound.


int <interface> ip access-group <access-list-number> in/out

Example:


int e0 ip access-group 10 in

  • This applies access list 10 to incoming traffic on the Ethernet interface e0.

7. Applying ACLs to VTY Lines (Telnet Access)

To control Telnet access to the router, you can apply an ACL to the VTY lines.


line vty 0 4 access-class <access-list-number> in/out

Example:



line vty 0 4 access-class 10 in

  • This command restricts Telnet access based on access list 10.

8. IPX SAP Filter on Interfaces

To prevent SAP entries from being added or propagated via IPX, use the following commands:


ipx input-sap-filter <number> ipx output-sap-filter <number>

Example:


ipx input-sap-filter 1000 ipx output-sap-filter 1000

  • This prevents any SAP information from being entered into or propagated from the interface.

9. Common Access List Commands

  • Display Access Lists:

    • show access-list <number> – Displays a specific access list.

    • show ip access-list – Displays all IP access lists.

    • show ipx access-list – Displays IPX access lists.

  • Display Applied Interfaces:

    • show ip interface – Displays interfaces with applied IP ACLs.

    • show ipx interface <interface> – Displays IPX interface details.

  • Clear Access List Counters:

    • clear access-list counters – Resets the packet counters for all access lists.

  • Show Running Configuration:

    • show running-config – Displays the running configuration, including access lists and applied interfaces.

10. Troubleshooting and Optimization Tips

  • Always verify that your wildcard mask and network addresses are correctly configured.

  • Ensure you apply the ACL on the correct interface and direction (in or out).

  • Check logs and counters regularly using show access-list and clear access-list counters for troubleshooting.

  • Use verbose commands like show ip access-list or show ipx access-list to verify the ACL rules before applying them.

Tags:

2 views0 comments

Recent Posts

See All

WLC interview questions and answers

WLC interview questions and answers Wireless Interview Questions & Answers — Q1. What is Wi-Fi and what is WIMAX? Wi-Fi: Wireless...

0 comments

ospf scenario

ospf scenario Highest IP address ABR routes convert the type7 into type 5. Default route is not generated by default in area nssa unless...

0 comments

TAgs

Categorys

bottom of page