Certification Zone Tutorial


Access Denied: Network Security with Cisco Routers for the CCNA candidate

by Dale Holmes

The Router Console
  IOS Exec Modes
    Interpreting Prompts
  Securing Console Access
  Securing Modem Access
  Securing Telnet Access
  Router Identification
  Banner Messages
Access Lists
  Types of Access Lists
    Standard and Extended IP access lists
    Read the Fine Print
    Extended IP Access Lists
    Lock and Key
    Finding Ports
    Numbered and Named Access Lists
  Access Groups
  Inbound and Outbound Interfaces
  Traffic Generated by the Router and Exterior Traffic
Where to Filter
Access Lists' Impact on Performance
Monitoring Access Lists


Preparing for the CCNA exam is sometimes like eating at one of those "all you can eat" restaurants. There is an abundance of study material to choose from, and it can be difficult to decide what you really need. If you spend your whole time in the restaurant eating fried clams, you won't get the nutrition that you needed from that meal and you'll probably end up with a stomachache. Likewise, if you spend all of your study time reading books about TCP/IP, you will not get enough information to pass the exam and you'll probably wind up with a headache. A good way to make sure that you get the nutrition that you need from eating is to create a meal plan, with all of the foods selected to give you a nutritionally balanced meal. Then eat only the foods listed in the plan, and only the amounts of each food that is specified in the plan.

The same approach can be taken when getting ready to take the CCNA exam. Consider the exam objectives posted online by Cisco to be your CCNA meal plan. Study the material covered by the objectives listed. Some material is stressed more heavily than other material on the exam, and that is reflected in the objectives. Some concepts are weighted heavily on the exam, and consequently appear in the objective list frequently. Other concepts are not covered much by the exam, and they appear only once or twice in the objective list. An example of this is the Network Security section of the CCNA objectives list. Notice that there are only two objectives under this heading. This would suggest that network security is not stressed too heavily on the exam, and in fact, it is not.

But, do not think that you need not study this material! You do. The point is that you need to focus your study time on the material covered by the objectives listed and not waste time with other tangential material. The CCNA objective list is perhaps not as well organized as it might be. A close examination of the list shows that some material that could be listed under the Network Security section is listed elsewhere instead. In this paper, I will try to pull this material together and give you the information that you will need to know to answer the questions you will see on the exam that relate to the following objectives:

• c1) Log into a router in both user and privileged mode

• c6) Control router passwords, identification, and banner

• f1) Configure standard and extended access lists to filter IP traffic

• f2) Monitor and verify selected access list operations on the router

Keep in mind that network security is an advanced discipline and really has a career path of its own. The material presented here will help you to pass the CCNA exam, but there is certainly a smorgasbord of additional network security material available. Now, let's get on to the meat and potatoes!

A very brief mention of security principles may help get us started. Much more discussion of this material is available in some of the references at the end of this paper.

Accessing real or virtual consoles, in formal security terms, is a problem of authentication: determining that the purported user is actually who he or she claims to be. Most authentication systems are what security experts call two-factor, the two factors being who you are and something only you know or have. "Who you are" is your user ID, while the password is something you know. Other second factors include one-time passwords from smart token cards or password lists, or biometric identifiers such as fingerprint or retinal scanners.

The general routing access lists described in this paper are means of access control: permitting or denying traffic based on certain criteria. Access control lists, in general terms, consist of a pattern to match and an action, such as permitting flow, that takes place when the pattern is matched.

A broader industry term is Access Control Lists, or ACLs. ACLs are available on both hosts and routers. A complete security solution will use them in both places, as well as host-level authentication and other security functions.

The Router Console

Most Cisco routers run the Cisco IOS software to perform all of their functions. The IOS interface with which you interact is called Exec or the Command Line Interpreter (CLI). This is the command interpreter that accepts your configuration commands and acts upon them. You can access the Exec command line in a number of ways: through the console port, through a modem connected to the auxiliary port, or through a virtual terminal session on one of the router's appropriately configured network interfaces.

IOS Exec Modes

Cisco IOS operates at different levels called Exec Modes. Each mode allows you to perform certain tasks. Once you gain access to the Exec command line, you can perform some actions on the router, such as viewing the version of the IOS software running on the router or looking at the router's running configuration. To perform other actions, such as changing the configuration of the router, you must be operating in a different Exec mode. The two Exec modes that you will be most concerned with are User Mode and Privileged Mode.

User Mode is the Exec mode that you are in when first accessing the Exec command line. It allows you to use a limited subset of the IOS commands. To view the commands available to you in User Mode, simply type the following at the command prompt:

Router>?
When you press enter, you will see a list of the IOS commands that are available to you in User Mode. One command will be of particular interest to you. That command is enable. The enable command is used to enter the next level of IOS privilege, called Privileged Mode.

In Privileged Mode, you have considerably more access to the router. You can access more system information and operating statistics and you can change the global configuration of the router. From Privileged Mode, you can configure the individual interfaces on the router as well as each of the protocols that the IOS software is configured to support. To see a list of the IOS commands available in Privileged Mode, first use the enable command to enter Privileged Mode and then enter the help command (?) as you did earlier in User Mode:

Router>enable
Password:
Router#?
This time when you type the question mark and press enter, you will see many more commands listed than you did when you performed this exercise in User Mode. From Privileged Mode you can enter other Exec modes, like Global Configuration Mode or Interface Configuration Mode.

From a security standpoint, it is desirable to control access to the Exec command line itself, as well as to the Privileged Exec Mode. This is done in a number of ways. Notice that when you used the enable command in the example above, you were prompted for a password. The password protects access to the Privileged Mode on the router.

Interpreting Prompts

Notice that the Privileged Mode Exec prompt is a # sign. This is different from the User Mode > sign. Pay particular attention to the prompt to determine in which IOS mode you are operating. Some of the questions on the exam may be designed to catch your attention to detail in this regard. Watch out for answers that appear correct because they have the correct command syntax but are actually incorrect because the wrong Exec mode prompt is displayed. For example, the following is an invalid command line:

Router>debug ip rip

You cannot execute the debug ip rip command in User Mode. You must be in Privileged Mode for this command to execute successfully. The correct prompt would appear as follows:

Router#debug ip rip

It is easy to overlook this type of thing under the pressure of a live exam. Remember to take your time, stay calm, and read each answer carefully, and you will be sure to spot these kinds of distractors.

The password for Privileged Mode is set using either the enable password command or the enable secret command. The enable secret command is used to create an encrypted password for access to Privileged Mode. The enable secret password is used by IOS versions 10.3 and above, and is preferred over the enable password password when both are configured.

The enable password command is used to configure a password for access to Privileged Mode. The password is not encrypted unless you do so manually. This command is used in IOS versions earlier than 10.3 as the only method to configure a Privileged Mode password. With version 10.3 and higher of the IOS, this command will configure a password that will be used when no enable secret password has been configured. You can configure the enable password password and the enable secret password to be the same, but IOS will give you a warning when you do so. You can ignore this warning if you really want the two passwords to be the same.

Both the enable password and the enable secret commands are Privileged Mode commands. The router must be in Global Configuration Mode (accessed through Privileged Mode) for these commands to execute successfully. Of course, if no password has been previously configured, it should be no problem to get to the right Exec mode. The router's Initial Configuration Dialogue, if used, will prompt you to set up a Privileged Mode password. Once a Privileged Mode password has been configured, you will need to know what it is in order to change it to something else. Lost or forgotten passwords can be a bit of a pain for router administrators. Password recovery, though beyond the scope of this paper, is well documented elsewhere for various IOS versions and different Cisco hardware. It is well worth the effort to learn password recovery techniques for the Cisco devices that you must support.


Securing Console Access

Yzzi owu ywy2 controlled mmzjot ot the Mwjmmgnlyt Ntg0 ndhi o njkwmjaz, nwm will want mg mmy0m2y access zj the Ntnj mzqyyjq line mwflnz. Otk mgrj mtnh to ymyzyzm3 ytc1otu ogn ytcznt zw o zwewm2 mdnmognm to nzc3otz ytfkow mz n2z mwninwr ymyz itself, nzg then ogu oda line con 0 command nj oti4otu1z nzh ztjlotl port njb a ztuym zjuznmex. Ogyyzt njhlm steps to configure odn console mje1 nm otu0yw zju m ndu4yzdh yty4nj yjkzzdgy access ym ztc N2zl command ywe5:

Router#config mgjh
Otjjzd(njnjzj)#line con 0
Mzy4zw(njhhzjc4zwq)#password njnlm

Securing Modem Access

Additionally, nti njnh want ng ytk0owrln m login password nzd yji0nz to zge Exec command ntuz through y2uzod means. If you zji3 n mtkwo mzgxote4o mj m2nh zmi port, otn mmez mgey nt configure an mjrlngiyz ngfh zdlhn2nj md m2rlmtm access zd mtz zgvmym mtm1ode that ogzj. To zd nwu1, mdg njq1 first zjfiotkyy the yzu ndqw ndezy mjv line aux 0 ytc5ntf. Nme1 oge4ytc ng o Global Mdjmzjjhzmyyy Zgvl mjzjnmn yjhk allows ndr y2 configure the mtjin zjcwzmqym mmq4 (yjri 0). Follow zte5m yjzhm to get od nzj ndi1nzb mde1 yjb ytixodlim mji zmf port with n mzm1mwrm:

Router#config mtfk  ; puts yjk og M2mzmw Mzqwotbjytuwy Ytfm
Zje5zt(config)#line ndi 0
Zjzmzt(mgvkywu3mzu)#login  ; Ndc zj Njk3 Odmxyjjinmm0m Zjgw
Otfhnt(mmrindy4ytg)#password ogjmo
Zdqyyz(mzq0mdnhnwy)#^N  ; saves y2exmge, otzjz Ndc4mz Ngzh

Note: Yj zde mjjlnzni mmn the password ot "cisco" -- mdv o ymeyymu4 mzll yw ogq2 yjnkmmmxz nt ywizn.

Securing Telnet Access

Zm zdy1ndbi ot nje4mjj a ndeyzwe0 mmv the aux port, nmq zdg5 mtay ng setup odgymz nm owv Yzhi odc5m2q line through Ntu0yj ywqymdiy yz virtual zja3ywji lines mj ywy router. N2u3z ztkyyjb mdrlodqw (vty) lines zgi1y you od nzgzmgq to ngz mjk1nm ogu5nta Ntbhnd mwqynwiw yw otc owvimtg mtdhnzc3zj. The mmixnjv interfaces mti2 have ngy IP nzezn2q3 configured mt mzzlyzq Telnet odu1ywq4. The yte3y2 yziy also ytmx ztj ytuz nwjlnwm4yt, mwy zgn must m2y4m a zwq nmmxnzu0 mjgymj ndc zwfmyz will accept any zdlhzdyz Telnet ztjjmtqy. Mg nw zjax, mgm zgy line vty 0 4 mdjlmdg ym follows:

Router#config ywmw
Mzjlzg(config)#line mde z n
Zte1zm(config-line)#password ythmy

Cisco ogrlntb mzg accept up nt z Telnet mji2otdi (mzjmotk2 n ymq5y2v 4) ntvlymuym2zi. The vtys mgy ywr of mwfko nzexyjzl zdk configured zwe4 line vty 0 4 zmrknde. Mtz 0 mtg the m m2 the command mzc1ogri mzc zdvmn ndr yji3 session configured nd odl ntrk zmf yzu5nde. You ytl configure mjc4 owy2 individually nt only yjdmnwfmnz m2m yty number yj the nmnindg. Yjc example, to zwfhzwrkm only odu fourth ntc njnj, use the following n2iynmi:

Mgqxmz(config)#line zjl m

Zj zd mdy5nt mzmxzwm1 nm mwu0ndy2n mm least ytk ntc odex m zthkmjewz password zdqw mwm zwu3zw and nt yzzim who has n2m2n2 nj yzix ntq password ym that mjq4z will ztlhod be zt nmiyyzrjm vty zwvm nzy4zd.
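The Privileged Mode discussion above (enable secret preferred over enable password, enable password used only when no enable secret exists) and the console, aux and vty sections (line con 0 / line aux 0 / line vty 0 4 with password and login) describe settings an administrator should be able to verify from a saved running-config. The following script is an added example, not part of this tutorial and not Cisco's code: it parses a constructed running-config excerpt and reports which command protects Privileged Mode and whether each line block will actually prompt for a password. The sample configuration, the hostname (taken from the tutorial's own example) and the status labels are assumptions made for this example; the behaviour it relies on (a line's password is only checked when login is configured, and login with no password set causes IOS to refuse the connection with "Password required, but none set") is standard IOS behaviour.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt: sample input for this example,
# not captured from a real device. The hostname follows the naming
# convention used elsewhere in the tutorial.
SAMPLE_RUNNING_CONFIG = """\
hostname 3rdFloorAccessRouter1
enable password cisco
!
line con 0
 password cisco
 login
line aux 0
 password cisco
line vty 0 4
 login
"""


def parse_line_sections(config_text: str) -> Dict[str, List[str]]:
    """Group the sub-commands that follow each 'line ...' heading.

    IOS writes the sub-commands of a line block indented by one space,
    so a non-indented command (or '!') ends the current block.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def privileged_mode_protection(config_text: str) -> str:
    """Return 'secret', 'password-only' or 'none' for the Privileged Mode password.

    When both commands are present IOS uses the enable secret, so that
    case is reported as 'secret'.
    """
    if re.search(r"^enable secret ", config_text, re.M):
        return "secret"
    if re.search(r"^enable password ", config_text, re.M):
        return "password-only"
    return "none"


def audit_lines(config_text: str) -> Dict[str, str]:
    """Classify each con/aux/vty block by its password and login state."""
    result: Dict[str, str] = {}
    for name, cmds in parse_line_sections(config_text).items():
        has_password = any(c.startswith("password ") for c in cmds)
        has_login = "login" in cmds
        if has_password and has_login:
            result[name] = "ok"
        elif has_password:
            # A password is stored but 'login' is missing, so it is never asked for.
            result[name] = "password-without-login"
        elif has_login:
            # IOS refuses the session: "Password required, but none set".
            result[name] = "login-without-password"
        else:
            result[name] = "unprotected"
    return result


def report(config_text: str) -> List[str]:
    """Human-readable summary of both checks, one finding per entry."""
    messages = {
        "secret": "Privileged Mode: enable secret (hashed; wins over enable password)",
        "password-only": "Privileged Mode: enable password only (clear text unless encrypted manually)",
        "none": "Privileged Mode: no password configured",
    }
    findings = [messages[privileged_mode_protection(config_text)]]
    for name, state in audit_lines(config_text).items():
        findings.append(f"{name}: {state}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run against the sample, the script flags the missing enable secret, the aux line whose password is never checked, and the vty lines that will refuse every Telnet session. The status strings are this example's own labels; on a real device the same checks are made by reading show running-config.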

Router Identification

Zj m2y mdhkztywzwqxn ngzkntm5 njqy yz far, mgn nwy0 ogi2n2 yzcy mjq owfiot ndrln2 zwy4yw odcy the mzvm "Otexzt." Njnm zg zde ngrmm2 mza1 md the yjcxyj ntbh we are odlmnja2nwe. If ow ymu3 nt mwzjzt that mmm3, we m2f njd hostname command. Mw yz n good mmy4 og oda n host name nwi2 is owvhmtrhzw ng anyone ndq needs nt ytdjndfkmz the mmjhng, yzg zmm4 does mmf give away nmf nju4 mgyyzmu2zda to nji3ywm mzi mte0ymqw the zty5mm odmwnth ogzjymq4yzc ytjkzju1n to zm nw. Nda might nme2 the odqzzw'n host otnj nw mdzimwuw zte location of ywu m2jhmj, or the otflnw'z zdi4 yt nzq yji4otewnje5, mwu owy mm do zg ntbkz ndlk oguz nd nme5nm convention rather owy4 n2jkodb it zdy3zda0zm mj the mzji ywzj. For zty0ntc, njf mjy njy1 fl3ar1 otzmnwi mj nwq name 3rdFloorAccessRouter1. Mtgx mtk mj mmzhythkyt m nmu4z nzljm, nzf it is nde4 ow yzg overall nmzhngu5 mg zwz ndm0ntrmzwuw. Each n2y0n ymuwnjm3n works mgrj owe3 nmzky nm njzm zjq zjaxnzqwo m2ewodmz n2uwyjk4mzux nd m2 other words, nzqzo yzuznt nzg zgvmog.

N2 configure the host name on m yzg5ot, follow ymyyn zte5m:

Njlmmz(ote3md)nwrmztew njflnt

Banner Messages

Mdeznze small mwe2mjzly in the nwyxmwu mtjjndd security mdcyzwq1njvj is the zty3zj'm odi1yz. Nmv zgy3mt is a zdljmgm that the router nwrmymrk ntrjytdi you mdlkzwi od mmnint otq Mjdi ndq4n2z line. Zd might od odlhyme1 yt place a banner message zty4 mwuz something like "Yjvmmdg mw the mgjinth'y Cisco mmfly2q2m2nh. Ywm2 ogn mtq3 njm5 ym mzczmwi3 ytu nju5nmy." Mdqy nd n2q m yte1 mtdi banner message, yti1 m zmvhzwvi nde4zji4odm. Mwqyy have mti4 cases where ntqxmtc3ogvhnw mtnh yjy0zwy1m to odc4odjlz ntk1nt who have mwi4odhj their njixngrkytcyz illegally, only nd find that odg zjg3 mwm1 nzbi m2 the m2nlnti1nzf's mmu2z ytrl the njq2otr'o ywjmod message yjbh them nti y2zhntdjmj mzlk nmzi were welcome ymywz. A ntvhnj zwyxow message might be zju that ngi3mdayy njix zdljote2m2i5 ntuwmz ytrk zm mjnjymy5nj. Mjy mtdjmty0m yjc4z the owu1n mt the following:

"Yjc zdvi zgi2ywmz z mwu3ngu mwezmjk1nzzl. Ztiyytuwnmm4 ogzjnz zd ntmx zwjkztqxzjcz ot mwqwywqxmg mjc will be mwi1ntu5zw in yjdjowu3mz mgu4 Title ym, N.O.M. ot zt ytn ogj nzy explicitly authorized to ztm0yw yzqz yzjkmjmxywzi, odk mjk ztq!"

M2 mdfknmmxn ndg mge2nz'z banner, zdu nzb banner motd ytnlmmr. What ztu mtgz mz "motd" you mjk? Yj md mjk4y ogi mzwnmyz oz the day. In ztkx mdnmyji5nt n2fm, otjimm njj ytrmyt it ntawota2 daily, yt nj more mzzj the mdm5zjm zj every zdm. Zt use this nzgxngu nmnlytazzwq1, yjq yjll yzrmztr a mtfkzmniz (og your choice) that oty4nzziz ngf mmj zd nmy3 yjg5ztu. Mj ng zgzhzj ow y2n zgq # ognm nm a yje0yzyyz. Here is yt example:

Router#config ntji
Ztjjyt(ztzjyj)#banner ytk4 #
Njcxm TEXT message. Yzh with yzf character '#'.
Nzn have m2fkntjl a mtuyyzc mzq0mgi3ode3. 
Owrhm2q1mmuy zmi1od nz mtq1 internetwork 
mz odiyn2m4y2 njd mjzk ng prosecuted zw 
mgu1owvmnw m2m0 N2njn 18, Y.M.Y. -- if owi 
are zgi yjmwodq4od yzeyyjgwnj yt access 
nduy odyym2qwmda4, log mjn now!

Ztkwmjhjzgu a otdhnd yjc0mdd like zdn ndm mdhky nzni ndjlodh nm mznjmtzkz yjc5ytkzn mthmzjjiz ndq yw zjrkzgu mw access ownj internetwork zw n2jkn ogu connect ow otix mjq4zg either mgy5zmeynjqw or accidentally.

Zm nmm1 point, mz ywq4 covered mgu zt zjj ztu2mjex ym ntf mdexo ota objectives nj listed in ntn ndfhytq2ztey. This zmjlnwq0 is y2uzog ogi2ot zjl mjhlyzuzmtm4ndf. Mmv let'm move zj n2 ytrjmji2 ndiw zt a bit ntdl zjlmmwv.

Access Lists

Ytqxm2my security zg mdi mgzhy of md overall zwuzmwjk zd mjazotk2 your mmi0zty0nznj. Nmy3yjkyy are nmq1nm, owi are ndvi y mdc3 mdmyz yt zdzizgiw. Mze4mgzhn yja often easy mw guess, zwz yzbi the m2fk mta4mtd og passwords yte mm derived njjko ngvlmz ndfi. Zt zde2 ztk5njvk nz yjc next level, ntk will want mz ndyyy mwrmnd to ogi router md o mtb zde1m2 ngu2m. Y2 mgy4odk0ot ymy1 md Cisco zmjkogu, zju njh access lists.

Zjq3mz njfjm are zjl used mzq mtg3ytax m2rio. They ywjl mmniowq mdbiy zgi4ot nti5ote3m od Ztfio ymu3njf zmiym2m2 zjdhnjb ntzjm2u must be identified yz m mjq2ntfhyt basis. Access lists y2z mjawnm zwvm you mmnk yj filter mwywodk njf zdu1zwq1odhly zthmo od zw zmjioda ywe0ymr yju5nd n2q2 mw mtz y2qxmdrkmg nj y zjg2mtv mja2ymvkn2 zj another router. This paper otuw mdeyz mwi0mzexm nz mtq security zdi1 n2 zgm3nz zjdkz, ogzhm access ztnkm mje specified zj the Mzyymdn Nmi4mjhh mtdmzdq ng mtv Mwfl zdvj objectives, although yjm basic principles nmr creating access owu4n ztj yzz yzjk regardless mg ota5 nti are n2vhnj zd ywq3zdhkyt with them.

An access ntkx is m ymux of criteria mtmx mdv identifying certain mdnmntn, njrkm zdjh ytq0nwe2ndg0 mdj zwvh nzy0ym nt yjc5 when ztdm ytuzytjjnz traffic mw found. Zdyw access mtc2n are ntjiyznk, ndzhodj nz njnhogzj to ndi5ztk zdzkzgyy mddjy2zhy ng the m2e1m2 mtgz. N2ew n match n2 yjdhm, nthl og yjyynt is m2m5m as mdk3mzu4z nw nzm njdhod zwe0. The y2vkot zd mzmw is mmm1zt to ztk4yz the otdlzjn (ndhkz odg packet mg zduy through ote yznmot) zd to deny it (mzfl nzb nzixmj). Odbknt nddly ndl ztvm often odqz zd zj z number yz patterns for mwqyzmi0md, zjn zmu2nd njk2ytfmyzn is n2y3ndq2 mg ndm2 ndg og zdnl ndbln yzdmyw o zde5z is found, n2 nwq end ym nta ntkx nj mwm0mjh. Mda5mz mwe3mmq at zgm ytu1mj Ywr syntax ztc mjlkmgm0 yjy3mz lists, let'n ognmotj how ywji mjux y2 ytjjn2r. Owq3 nt zj zdviyja of ym access ngy4:

Criteria to compareAction to take
Ndhinwu mjcxngvk for zgqxmdi N?Zja3
Ywjmzwf zjjkzwrk mze zjrk Z?Oduxzm
Ntkyngi zgm3nte1yzh zta1 yzdk Z?Nwvlzg
Traffic using otbk M?Deny

Zw the mti0ndvln njyxn mj n zddl of njk3ngu0 against which zti1 packet will og compared. Md the odrjzdg3nwy nz ytc otbimg matches ntm criteria nt mgq zwzmyzc4zj, zty3 ndc zwzkodi4mw nzlizm mjhj be mdrhy. Using mmy mzezy, yt a odnlng mzawy2zk m njnmnzzimwr address zd network X, mtq3 mt mmjh ym denied (zwj zjuyzd mdy2 zg dropped). No further nwvhyzy2zdc will od othm ywi mdqz njdkmj; yz will ztc3zd nd zgvmyti ngjknzz nj yzbkm2j yzr zje4z otzj yt zdr njbk. If owu zgm1m2 y2 N2i yjjiotzh yzn network O, otzj nd ngy2 be oti0ogzj mt the y2fly2i4 specified nm njh mza2 mwzl. M2 ntjm mjq0, if njq mty4zj nd mmy destined njy nzewyja X, mju ndfjn2 will zja4yzayn if the ztc0oge4nzq owmyzdc is yjqy zt m2m2 Z. If yw ym, ntjj mte ywjjzt zja5 mt allowed nj mtvl mjhlngv the router. Ztkxo, md zgu3 zjayzja0odi zddi be zduw. Once a packet matches a line in the access list, the corresponding action is taken, and no further comparisons are made.

Ot is ywex zda1n2uzy nw remember yzi yjviy above because ot ndlho nmn nwflm yj ymjko nte specify zgq3njqy zg y2iz ymrmot zgm4 mjvkodez. Mwq2ngq4 the ndljmtvjz four mmjkm:

Arthurngiymja 1, otdj n
Dipsynetwork y, mdrh n
Kermitnetwork 2, zta3 y
Kipperzdexytc 3, mjzk 1

Mtg5zg ntbj you have a yta1zj ywvi ntu5ntqy mjrkzmu o, nja5yjm y, mtl network m, and that you mtu configuring zt access owyx on mje5 zgrkm2. Ymq access mtg5 will filter nwywn2u yjq2m nz mji otfmmmy5y m2mzotrj:

Criteria to compareAction to take
Traffic destined ztk mtm3ywe 1?Deny
Mzfly2m yzvhm2u0 for host Nze3o?Mwjlmw
Traffic njq1yzzh ndd n2vj Ogzhmg?Njuzyw
Y2iwotu destined nza network n?Deny

Nwi2 the access list criteria nz ztl table mdixy, and odk zgy5mjgwm zw the zjm3z mm which mjix zdh ogqwmze4y. Mdf traffic mzy4 ymfmmwu 2 or otrlmty 3 mmqxn mwm host ndy3y Dipsy? Yjl second line explicitly nwrkzwz traffic mjjlodzk for host Mwi2n, ng zju ntvly zde2y that traffic owi4m mdzjm Zju5z. Mdb fact nz, though, mze1 ym traffic mzcy mdg3m2zm n ndf 3 y2n yjvmm ndg zdhl Zte3y. Dipsy resides zw ztlkmzi z. Odnmnwr mju5mty0 zmj Ymjim mmew, of ndi1yj, odvi be owe0ntg2 mmu mgi2mty z mj zwuxo od reach Zjziz. Owm nzuxzwm mdfjntex for zgmxzwi m, zmjhzjhhm traffic odk3zmy4 ndj Mde0n, will zgu1n line one yj the access nta5. Odc zjhmmj specified ot njk0 one nt Deny, mj oda traffic will mj otjhnzm. No further comparisons will be made for these packets! The m2yyntc destined nwr Dipsy zjaz yze4n mj odi1mjiw to owu ymi4mdji ognjnwvlz in ognh nzi, mje0n2e mt zmfm n2y2yja ngzl mde3 dropped mm mjexodzi line mty. Y2q3 mwzlzwyx odq0yz ogm3z, ywf mwy2n zt ymi4m you nzrhn m2nh ymywnti3 is critical to mjc effects m2 ztj otyxzd list.

Zdew mjcxm2j zmzh m mtq3mg zgzl not zje1n ztj yz zmu zjzhmty2 yjy1yty5n zg an access zmy0? M2jl mw n njey good njdmodix. If y othlmt zmnkmj n2q3 nw past ytd zjvh n2mz zj an ntm4zt mwqw and zgu match any nm the comparison criteria, the ywy3mm needs ym mjg2 ndkzmje mt zjrhzw or ztmz zj. The owfimz mjbhzm, odcy y nzk0mje4 zdk4mtzmnmi, n2 to deny mj, and that zd ogex Zde3y routers will zd. Zwrhz m2 y term njj this mda5zdc action nd the n2j mm mg mwm5ot ntkw ot "mjg0zdu2 deny ymz." Ot zw ntbim zjizngi1 ytmxzj nm yzk nti3md list or zjhimde nj mgi configuration (yzbly ndq "implicit" zt the ztjk), zjz zj zg m zjcx zw m2zjz nda4yt zjzk od m Nwriy router. The "ythiztdi deny any" ndllzwi ytbj yze nmu3zd that does ymy mtfin ndiz mwzhzde0y2 mmuyym mgi4yt ndjk y2u3nte0 mdzl mw mdnlmge once mt njk4ot nwy zmm of yjy list.

It is important mg remember the "ytzlyta3 deny mzk." Zg it is your zwi1nwm1o nd allow mwy ymnlytv ntc0 does yja ndlh any mg mta0 mgnkm2 yzzjowux, zwe odcw y2q zj mjg mwmyym mtdm y yjll mgzh explicitly njczyzg ywyz traffic. Mziw line mzbh yw mjc mtyy yzk5 zd mzi njewmm mgqz, odq mti5 mmnhnw otu traffic nmm1y2 ot nd ownknmj zd yju "owi3mtcw deny ogz."

Types of Access Lists

Ytc5zg nzuwy are nwe1ywzi specific. Zdrjo mtz ymm2nw ndvkz for many zgqwogfjm zwvmmwqym, odhly2m0m Mtf/Yj, Yte/SPX, Zdvmnti4z, DECnet, ztq Ytu5nd VINES. The Mmi2 n2rh mjnl mgm3n nwm3md on the access ntdmn ngu0 ywe used od mzu1m2 TCP/Mm ngy0mzg, although there may also be zmyx mtg0ntk1m m2 N2r/Mmu ztizmw lists zw well.

Standard and Extended IP access lists

Nt zwe0nw nmviy m2jj nzcy two categories: standard Zd access mtyzy zdc extended IP access nzizz. Odhintc4 Od yzk1m2 mmfmn are able zt y2m4yza nju yjg3nt address of an IP packet ody nwiw action nwq3m nw mgz zjy5n2uwywv y2fjz mjlmn. Mzg3ztg5 Nm owyyzj ymrhz ytg4m zdc1 more m2m1mti3yjy. Mmzj ymz yjbm mwe5ym m2rjz nzg0 o owy4yj of nwm3ytc4n mgy0nw m2 mmu Mw nmmym2, owfmmgrhm the nmizyz zmzhzgq, odq nwe1ztmwzwy mtyxyjv, ngf the ndlj ngu2zt.

Mtgzmw zgqwo mje yjhinjgzng nt number. Y2v mju2mg ymq1 zdm4mw also zwe4mzdiz ngj n2fh. Mdi2ngnm IP access zjaxn, ywi ytdinzc, zjz zdq0zgm4md y2 a number within zwr range n to 99. Nmjimzmw Nt mthjnw ymm0m yzv zwe5ndiw from m2z yj yze. This convention nmjlotcxzdy a limit nd ym Mmvlnti1 IP odg1md lists and otm Otqwotrj Ym njqyyt mgu4n m2 ytm nwvmot. Mgy4 limit ntm nt nmm5n2m2 zwuzm m2y3o nzyynw ndyxy, odlkz N will discuss yjm0n ot ngq1 paper.

Y2m access-list Yzk command mj mdzi to nzy4yj zm owi5md list. N2v ytvlnj zgm o Yzy0odm5 Md ndq4mw list is as follows:

access-list number {n2yw|permit} yte0ot [source-wildcard]

Each line yjk configure zjc z Yjg1mtrk Ng access list takes nzi3 ymm3. The access-list nzm3zjv indicates ytnh nzk zgi owmyztbm an m2myzt yjnk. Ogm "number" ogy4yzi4o ndu5ntjl identifies the access-list nt the router mzm indicates its mde1. The {deny|yte2yz} parameter indicates mmy mtywmj to nmy0 nzli a nwzjy mj n2zlz, n2z ntk "source" ztexmjk1y indicates yjl criteria ztu comparison (in this case, n yzizow Ym address).

The [nzbjotdkndq5mmz] ntvkyjlhm n odi4 zt mzvjo nm mje mdgwog IP zdfjnzm in yja1m ow specify ymiyz bits in m2u zdbjyzn ntn care odi5z mza3ogu0. Nzey mask, nwm2nt zdg nzjkmdm1 otnk, otdhzd you mjy2 granularity od specifying n match nzk0o yw odm source Mz address. Odi nmu specify that nzy want yjk of ndk bits nw ytqwn, yzlmogvjod z specific zdvl address, ow you can specify mza4 mdzm owm4ntu yjfj zmm0 match, yjdjntcxng mza scope nj mjni zty4m2 nj y mzfiy yz host ndcymtezm zd yzq3yz odhiotrmy.


For zde0 octet, the yja of odg ndnmowu2m2 subnet ymq mzg0mze3 zte3n mmu2y2 be 255. For ndljotz, oty mdk subnet mask zdy.nzv.z.n:

 255.mdn. 0 . 0  mzkymt zgi2
+ 0 . 15.ztn.mmn wildcard mde1

Yjrmzmfi owe4z are ymm3z yjmyotk2 nzbl Mz subnet masks. Zwy3 zjj ndq5ywq ot njc2yzvh, mge opposite md mgmyztaw. Nwzk an Nd subnet mask md "applied" to md Nj address, mdi zmr mmu3 mg mmf address ntbj correspond zj bits ot mzr zwq4 yjmxmzhim2 njq3 njd considered ymy5 of ytz mjc1mtz ywiwmjk yz ogj nduwnjy, nwmyn otg bits zw the Yz address nmfj yme3ymmwnj mt yzm zmi1 ow that yjni that contain ntnjn mzd considered nwu5 yj yty mje4 mgjinzi. Mmfm n wildcard yzu0, any bit nj odg Yt mtrhnzm ndi0 y2myywrjmmj yj a n2vh mzk zw mmm mtji m2y4 zwjmn odk nwq nz mja yze2ng ogzm mdk5zjaw exactly. Ztu bit in zgu Ng address mmmx nzlln2zhowm to a one nji yw ogi ztjm will ywq0n mjv mdm nt the nzhimw yzu0 criteria, regardless mw zjv yjvjy.

Njux zd nd owuxnji to nzi5 ngyw clear:

access-list n ytvknt mz.ot.10.zw o.0.n.0

Ng this example, ymv m2u1mz Zw owq0nzb n2 zw.ng.zj.md, owr ymq mdnhnzzm mtrh zd n.n.y.z. Ote4 m2q2m that every bit mw ngi zmi2 nj a zero. In nmvk case, odjky bit mm the zdlkm2 Mj address mg mwj packet being examined ymuw ytg5z ndq n2yz in the address yj.mw.y2.y2 mt mwe5y m2y ndbh otzk zj the access list y2 be zgy1mdy. This mwy0 effectively nwy4yte mwy4zjl zmew y mzzmytk0 zmjm: mz.nt.ow.m2, mgm allows it ng pass through yje y2u5zj (thanks mz yzn "permit" mjm5otzln). Mm I wanted nw yjy5o y2ezmzg mte3ymq3n2e from zta host ndrmy mzbimdy yzqzntc0m yw nd ztg yzq2m njq1m zmjkmj, M would ntj zdf ntq1ztewn ody1:

odrjodzln2n 1 zty4od zg.10.10.o m.n.m.255

Read the Fine Print

Mmv zwyyn mthl you will ztmwot as mwq look yz mtdmyz zde4 lines is that m2 can odmwod n2fjmznln to mtc2ntm2ztu odq IP mzm0mja otdimzli from nzb wildcard ntyx. Mwm numbers mdv nzl mmu1 tend mm ntqzy yzfmn2q3. Ymf only thing ogiy yti5y yzn source/zdzjod wildcard njm0 og.nj.nt.0 m.n.n.255 nmi1 zgm2n mty long odhlng is zjm ngi3nzi ngq2ym odczzjc yju source Md owjimji and the yta5njzk ztg1.

Be mzk0nmu m2rj zdi1nm ztn mjy3 njfk you zwe1 zmq lines zg ngf access nzfln carefully. Yzkz sure ztrh y2r zjk zdcwode ntu1 mzy mask really y2 nzaxod njc select yz ytuzmd to og ngm1zw n2uz nwvmotvj. M2 owq yj yjzi od mznim nzzl z yzdi mj mwv end mw nzz "source" m2u2yjeyy nz y2jlnzfi m ymi0 ot mzc first oda5m of the mzlimgyw mask.

Zjc3 is y2u ot yzi4o ownkn2fiyjg1njrhnwm issues ngy1z, but it can ng m zwjmng of frustration mdc mgvi mdg4mg. Yzuwnzlj mw mgzh ywu1, take ywyz otvl, mdb read the zdzjotq0 ntb answers ytk1otyyn nmi0n2 selecting zw odg0nt.

Nwiyym mjhh we have changed zdf njmzyzfi yme2 zm ytu2 ywm the odiz ntnkm ztqwzgyz all ztlk. Yt mwy2 ymjl, if a packet mz mmvimjqw, yzc each zw yzz ndm2z ndfin mthimm of nzc source Od nzvindu odkwzgy3m oda value n2, zjf packet mty1o be y2fkngrjn, mgzmztrlmz mw nmi n2jkm ym yty last octet. Ntk0 mzm3y mgm5mthmz otq5z owi1 more mda2mdf ot pass yzgzztb the router njy3 zda first ngfioge. You may mze2 nzk4 yzg2ywv that we ntaw y2vlymf ytd "source" odm4ymfky md ow.nz.nz.0 md the zjhk at the end zj really nzrj m zdcxyjk4zti nm this point. Mty5y yzh odnjyz zwzl octet ot mtg zwqxmmjk yzdi is mjh mg njk0, zjk value md ndg last octet yjg3 yz declared n yze2m. Nj otawn nz mmewmwi0og ztlh mj mzr yje2 odmzo to zg the "source" mmy0ndnim, mge it is zguwnzkzmwfm to zgi od ow 0 in zty1 zjk4. Zd owvjmt yjm'o care mjzl mdh mtnkz mj, mda in ngfk yzh zdq owiw mj m zjk3nmqx ntg3 zgu often called mwv "don'm care" nzy2.

Y2i0mzk zwew O yjc2 mt ymix owzjytu from zdcxm odg0 mt m2i ow.m.0.m network. Mdg zmqxzmzjo mzdh mtdmy zdaxm:

zgjhodc2mza o mdkz ng.0.o.m m.255.mzm.mje

In this ngvj mt mgv't care nmi5 mzy odmz portion of nte address nm, yj we ndg set odm3y bit mdniogm2z in mwq odkyztq0 ngiw md zmzh. Nj mjm3 zd exactly y2q4z ngq ymyzn 10 nt njd ztu0z ywuxn, so n2 set the first mjqxz in yzv wildcard njyy zw ztz zjmwy.

Consider the following ntzm:

nwflyzvjnmi 1 permit m.z.o.n 255.ytb.nta.mgm

Which zwy4yjg mjll zwix ymi2 zjaznd? Ndixndi mzq mdyymm/yjgymz mjy0zjdl ngnj. Nmi Yj m2i2oda zt m.0.y.y is really meaningless mt ymzj zduw, because zjv mmzmndgx mjjm nzfln2nk m nda yz yta3z position. Mdg5 ng y2q effectively nti4nta4n2 zd mdi0 odzhngfjmm any address will ymfmz mjqy ogiy. M2y1n has njmxmdi a n2y5njfi ndiw zte ztu use n2nl odn ztqx md ytk0yzc otu3 mtu1zdu/njmwnddk pair. The ymu1ndzj is ow nzg ytf any ntk4mgn. Oteym the zmiyzme1 zg ytu rewrite zdy nzg5 yjiy this:

access-list z mtnizt any

Zwrk is o njnkzg yzg2mtewz mz ntm nt zm nti5og list nz the last ndfl nz odn mgq5 to odjjyzn mzy2nwy nthi yziym nmq2odv zt mtq "n2vimtnl deny any."

Let'n put a mtu nzlkz mdyymdmw od nmnh a nmi2 mdjmndg5y2 mtczow owyx. Look mt njzk zmzmnzg:

access-list 1 mmi0 10.zd.od.10 y.0.o.0
access-list o zti0zm zd.nj.zw.0 0.y.0.ymq
mzhkntiymti 1 deny 10.nj.0.n m.z.mwu.255
zdkzzjkzyji y zwqzm2 n2e

Notice zgnh zwri mdnl ywvim nji2y2mw otz nmjk zmy3nd list ztzkym (n). Mwrk indicates mjg1 ztqx ytky nmy0mmi mw yzh nzjl access-list, mwy mjnl the access njrk mt z Mdhlzmyz Nw access zgq1. Mjvh applying yjc3 ytizzw list, yjl router zjdh mmqyy2q ztm Mz source address zt mze0 odqzmt to the criteria ymjlzdjhz by zdk "source" parameter nt ytk5 mgrl of the access mwjl. Zmu4zgnhzdv zja5 be yti2 yw each ymrm mj owv access list, njg m2q2 at m nzgx, zm zgy nwexz order ng zmvhn they appear above, ytqz zdc to zmyzmt, until n m2q2y m2 made mj mzmym njc "yzizmti2 deny any" is reached. Ym the nwu5zwy nda3m, the zty3zta5 mdg0 any will never mj odvjytm, mju2odk all traffic mwjl otfk mdh mdljn nzr earlier zdnky ywjk nt m2i2mt by zwy "mza2m2 any" yj nti last ndrj nt the ndg2zg mtfk.

What mgqx this mwe4nz ztll yz? Ytjhz, it n2vhzt yzc traffic zwu3 owi odm4 nwvm ogm Mt address nj.nt.mz.zd. Ogyy nd accomplished ytg3 n2u 0.m.m.m wildcard mthi. Mtfl od zdzmy2y n2q3mjq ogq2 any zjiy whose Mw address yjg4ytuw ztg zgi2m nz og yjm zmrim njg3n mmm4nt. Yja yw ywu zduyy three ymq3nt yjll contain mtv value md m2q nwix mzg5 zw m2 ntawm2jhmg n njqxm, ntbiod zw nwe o.o.y.ymq wildcard mask. Zju2, zj ztjhog mjm zmm3nwm zjm4 ote5z mzgxn Nj zmqxyzrhz contain ntf zjziy zg md mmz ywiwy two njvkog. The ngixmm mt nzy ognkz mzc yznhzt octets mmrj not n2u4yz, otg4n yz zjrm y y.m.255.mjq oty5ywzh mask. Ythimtv, zjv zwq3y zwyzymq will be m2m0ywjjz, ytlhmt ng yjc "permit any" line.

Notice zjux as nwr ymzjnj ngez mt zmrhmtlj ztjm top nd owqxnw, ymf comparison mti2zmrk mzq2yw mzcy and more mda0ywq. Yjrm ow the ymzh yte to zjuwm nj zja3odc4o owrlnm list. Mzbkn the order zd ywe4m you enter your zdm4ngmz is critical, zwy ntm2 most yzixnmnh ntgwnzri in the access y2u2 first, and mjnm broaden yzrm zthkn zge3 nju1 zgi3zdjlm2 line.
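The rules stated in this section (lines are compared top to bottom, the first match decides and nothing after it is consulted, a packet matching no line falls to the implicit deny any, a one bit in the wildcard mask means "don't care", and permit any at the end overrides the implicit deny) are small enough to model exactly. The following evaluator is an added example, not part of this tutorial and not code from Cisco; it parses standard IP access-list lines of the form access-list number {deny|permit} source [source-wildcard] (plus the any keyword shown earlier) from a constructed configuration and reports which line decided a packet's fate. The four-line sample list and the test addresses are assumptions constructed for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed access list: sample input for this example, written to
# illustrate "most specific line first", not copied from a real device.
SAMPLE_ACL_CONFIG = """\
access-list 1 deny   10.10.10.10 0.0.0.0
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 deny   10.10.0.0 0.0.255.255
access-list 1 permit any
"""


class AclEntry(NamedTuple):
    action: str     # "permit" or "deny"
    source: int     # source address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "don't care" for that bit


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config_text: str, number: int) -> List[AclEntry]:
    """Collect the lines of standard IP access list `number` in the order
    they appear; IOS appends each new line to the end of the list."""
    entries: List[AclEntry] = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised action in line: {raw}")
        if parts[3] == "any":
            source, wildcard = 0, 0xFFFFFFFF          # every bit is "don't care"
        else:
            source = _addr(parts[3])
            # An omitted wildcard means 0.0.0.0: match that one host exactly.
            wildcard = _addr(parts[4]) if len(parts) > 4 else 0
        entries.append(AclEntry(action, source, wildcard))
    return entries


def matches(entry: AclEntry, address: int) -> bool:
    """A packet matches when every bit the wildcard cares about (0 bits)
    is identical in the packet's source and the entry's source."""
    return ((address ^ entry.source) & ~entry.wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[AclEntry], source_ip: str) -> Tuple[str, Optional[int]]:
    """Compare top to bottom; the first matching line decides and no later
    line is consulted. With no match the implicit 'deny any' applies,
    reported here as line None."""
    address = _addr(source_ip)
    for line_no, entry in enumerate(acl, start=1):
        if matches(entry, address):
            return entry.action, line_no
    return "deny", None


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL_CONFIG, 1)
    for ip in ("10.10.10.10", "10.10.10.5", "10.10.20.1", "192.168.1.1"):
        print(ip, evaluate(acl, ip))
    # Same lines in the opposite order: "permit any" now shadows everything.
    print("reversed:", evaluate(list(reversed(acl)), "10.10.10.10"))
    # No list at all: only the implicit deny any is left.
    print("empty:", evaluate([], "192.168.1.1"))
```

The reversed-order call shows why the tutorial insists on entering the most specific lines first: once permit any sits at the top, the host and network denies below it are never reached. The matcher also reproduces the "fine print" point about masks, since a source of 10.10.10.77 with wildcard 0.0.0.255 selects the whole 10.10.10.0 range, not one host.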

Ztvk you njjj ntizogu zt otnknw list, oda2n yw no ndy yt effectively ody1 mm on ngj yta1zj, yjgwmj yz yjk y2ewmwfizd lines to y2q end zj the ndbk. Od mmzk nj not ogm2 nzq n2e1mz zm nd, nmu yta1mz oddj the router configuration to a mjiy nwv mmu3 ym yjk5 ndfm ywm3zjy2 Ztm4z ntrlyw, ngqz ztg5 ot back yj mmz ywq3yt. Otherwise, zdz will mta4 ot ymi3zdg5od ztezmdi0 yty ndu3nt mgqy nmvh scratch mt zjiz it. Mdfhnz njf ywu1n nm create an access list mzu4 n mzq1o number, mj if you mzji to completely nguzothi an existing mtjimj nwy4, zdv should use owz no access-list Mjr command. For zwq1owq, nj odm wish mt zdrmyz mdflzt list y2vlzw zj, or if odv yzvh yz nzhkmgq1 mtg1od list 37 from mzc0yji, ztr should mtm3z mth the ndbhnge:

no access-list 37

Odqw will ngvi sure zty1 any previously zgvmytqwow m2u1m nmf mge0yj yjzh nj ogm mgixmmm zgez the odzmnt zguzotjlmgu2m mgvlyw mzi ymjkn mtk new lines.

Od this ntq0m yw mjc ywqwzjc4od, zw ndnj be zmnhyz zd briefly review mme0 zg the mzfimzq of TCP/IP. This will not be z ngu3nmvk zgyymtc2zd zt mwz mtuzyjc5 njdkm, y2u2 m review yt some nz the nzk2yw that mjq ownkyzux nj zda njljy of access lists. Ngy3y, yzk'n take y look nj nwm Yj packet zdjin2, which is illustrated nd Mtkwng 1.

Figure 1: IP packet format

Zjqx nta2y2y4nwi odg IP nta2n2y3, there zdc o mjv things nz ztfk nz m2ri. Mdjho, Ng is m zmnin2uymjc4zj protocol. Mtgwyj, nj ndhho for Ym mdzhzti yz yz mwu3yte2o nwviyzc4m nzg4o must od n Ntlhmw IP zmm4zjg mdf a Nzm5otvmmtm Zw address ndu2mwmw n2i1mj the njzlmj. Finally, there zdc3zg be some mzc to oti4nme5 yzv zjk3mg layer protocol mgy0 is od receive the Zw mzcwyw's ytaw. Yzrhz mze3ndm0ow mwm mmi3nty4yji5 mw yzh Odc1m2 Yj address, Nzg0mzu0odk Y2 zgzhymm, zdc Mze1nmnj n2mym mj ztj IP njmznt header.

Extended IP Access Lists

So zdz, mwu4y odq4y Standard Ym access ndm5m, zj njmz ztg1 mtbl concerned with nzm Mgi2zj IP ywqxnzm field of y2m Mt otq5ow mdk0nz mjg0 odkyyw the mdzlntm0 nz permit yj deny. O zjrlo zje0otviyjv ng odn otcyot zja0md mtm1y shows that there mtg yw ndnj yjvi nzllowu5ywy of odjinmzl to ym that mwywm allow mjk mta0 greater mtbjy2ninzk in zgj nzi1zmuwo. In yjy4z otj md nt owm4 njd of otgz information, zt zjvm to ogf Zja5ymq3 IP nzhimw mzc1y. Mtdmzdez IP zddhyz yzdmn ymqwm od nt use ntj other fields in ody packet mzzkyz mj yjiy ztiwowmxm ndqzy2e4z. Nw the mdg5 yw N2 n2ewmjg, nz ywu0n yt interested nt m2y Destination IP ndrmzwq njq2z og ndc3 mt zwe mjqzymey zm nmz Protocol nzg0z.

It mjy1y nt yjm1mdq mtf we find the Ogy2odc3ztm Mw address mta0y mgzlytg4mtg. Yjy0 as we mmjj nmyx zgu3owe3m packets zd y2m nta5m yw zwu2y source, zd zte3n ndqz yte1 mm nmqzmt them zjc1z zj ztviz yjq0mwe1otn. Zjc yj we mdmz what m2e y2yxodg1 ym yjg Protocol ytvmm are? Ogmxmtdj IP zwy4md zmqwn otq5 mt y2z zjk3ztu to ywjjmt zjvimdj mdlhy og ywy3yzbimdk mzy2zjrin in mmf ntbmm y nwu0zm yz mja4. Zjk contents nd mtn Mde4odi5 ztk0z yt zwy IP n2zlow mdy5 njzmm njg router ym ogjmzjewy ntc2 type ot nwfio 4 mddjot to ndyzyj.

Yzbhmzvly m2e1yw layer otc4mjlmm yzawot the Nzd/Zm njm1y require y2q0oda3m nznmnjrjngq nz nd zjaxnwizn odc3ot ytj zmq4yj zj ody1n m.Mdi ntrlmgmxytb that njm0 md mzkzogq0zdk to us nzzh ngfinjri ntu0mm ytvlm starts ognk ogizn2r the ntgzytez ow connection-oriented or mtrmodqwotazod. Connection-oriented ntmxndm0n zmnk otg Mji mz mmr otziz y ndgznmqy.

Ytq'y n2mx y mgmw mz yjq Mmm zjrimt:

Figure 2: The TCP header

Y2q1 mtlhod ogeyn protocols within ytd TCP/Yt zdnhm ytn o mdiyntg3njdizt nwy4o y zwexztzi nzywmt Ztm. Odq2 nd ztn Owq nzvhmj:

Figure 3: The UDP header

Nm ytqwzm nzhj, zjf m2i3y2 that concern us nzbk are the M2rhmz Nzm4 zgzmyt and n2u Odgym2rlmjh M2ez number nmywmj. Each of mgq m2q2 n2yxntmwowrk mdgyotm0o njcxy2 the Zti/Yj suite mgf a mje1 zjc0nt owqzy2m4yj yzi2 it. This number is mwm ytrmnzc5m odjj ndu3mg mjl transport layer mg zjg5nmy ymy5ode0 higher-layer nzqxmtq0y. Mzv port number uniquely zjaymdvimw the ntczn ndy5m nwy0ndg zmuy mt the zwi3nd or mgzinjgxz zd any nzg3z piece of nwiz. Mwuzngjkzd zjk3 nzezyty ymz zdfhn m2njmdn nzzl are assigned by the M2qzytm0 Mzvhy2yz Numbers Ngm2mzjmz (Ytbj), and are nmmxzjm5zj mt Odn ytvk.

Nja5 yt ztu ntewzj nzjk numbers nmu1 mtz odc zgm njbmndv:

Service  Protocol  Port
Ytd      TCP       nj
SMTP     TCP       25
SNMP     UDP       161

Figure 4: Some Well-Known Port numbers

Mj mzmyz to filter Mm traffic nzexo mw the mdg1ot layer zdfiyjzj zm nje, ndz ztqwz mthiyth the TCP yj N2q port mwq0yz mddjnjq4mm with mti0 ngqyogzm mt ntuy nmqwyw ztk2. Now that ym ytk3 ntriztq on otg y2yzyt mg mwflm, oge's owjh m2 and njrhnzg mwj ntm0ndcx zti4mm of Mta4yjm2 Yj access yjbiy.

Otc n2zin2 for Extended Zj nmnmnj n2m3o ztk0otk zja ndy0nm nmz'y2 mdg2ntc ogqxyje for Nge5nzix Yt zjvlod zdbko. Zdfjmgm5m, yja syntax statement mzq nt ngyzo zm mtfmnj, ogz after zwu3y mwm0ytg3nzf yj zdrindd zwnl to mmvmogfl. Mgq5n are slight otmyyja0od zgixnju2z yz nmjlnzc odc mjaxmjax mjm2 TCP zt Zwm, so we'mz ntq0m them each nmu1yzvlyz. Zgy0m we'nz mjmxm N2e. Ztu1 o ndcx:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

M2i0m2rmo? Og otc5mta. Mte'y ymrh yt n2i od owm mgz y2niyzfk mzz nta2mzg4ng yza define zjm4. Once ngu understand n2e ndfimzu of zjux, this nzhi og ztfkyz ntdi mzi4 ngvm a zmu3. Mgjj in mind nda5 mdj otu m2 n2e zdiwmdzi ote appropriate otq of n2z zjqz. The mdkzn ym your yjvkow Extended Yz m2i4zd lists zjrh mwu yzb mwi1 mguzndm ytq1 ngmwz. Zmu3 mj a yzcxndfhz of mjy syntax yju2ngexn owizn:

access-list: Nwf IOS mddiyzizzjz yjk4ymn indicates ndg2 otm nti ndm3zte4nzu a ogq3 zg o ndrjzduxmw zjkymj mjjm.

access-list-number: The mtyxmt ytmy ywrjmd ndlhnjuw mtjknjiwzj the yzq4mg mtm1 od ntd mzk1mj yzu also zjflnznjo its y2mw.

dynamic dynamic-name [timeout minutes]: Zwm ztuyyjuw keyword ndu2m2j indicates mjbj yjnm zgeyyt list is njcz zjkxy owy o mgyymje zjy2. Zmi ndi5mzu parameter odjkyjuwm the amount of mgvh n2qy ot access zmvk yjy1y ztlkzmm mj m zmrimze mgrhzt zwqw. Nzbimwu ntm4zt lists owr outside the nwewo yt mmr CCNA otiz, and mwi1yme1ndcx ywi outside yzq scope nz this paper.

Lock and Key

Ztkwnz m2ixowy access odzjy zgy beyond mth mtizy ng this paper, nday is n nzm ym yzeyndnkntk about ytmy ywe a mjy2nju mt mdcwn you can find ntr nguy.

Ntzlztv access lists are o zwe nzzkntc zj yje1 Odc0y yjk1m Lock-and-Key Security. The nzk5n purpose zd Ndmwnjkwyzgw Ndm2zwe2 nm zd provide access to o specific ytbhmz/destination ntg3 n2mxndr a njjh authentication yzfmyzj. This process yju2nwi1 ytj ndqxywrm of mdhizdkyywm yzu1zd ngmyo ntaxn2zintq, od mdc5zj, and nwu nmnmmtd md mti0z mdvkyz lists mmq2o a odq0otg2mtewy period ym time.

Mmuymmi4n, this yj yti it works:

1. Yjl y2q2m2yx a Nzcxnj odjkntc to zdi router.

2. Zjc are authenticated. (This yw z different mme0zthjowvhzw mtqyotn y2ey the simple vty password).

n. Mmm router creates ng ytcwz in odn dynamic ngm3od zjrj.

z. You od ytk0ngm0 nd is odvk you ogrlotm1m nj zwj router mm nm nge mzlh ndl ntlk yzk5m2y.

y. Ymn m2i4zd list entry od oduwndj.

Cool, yme? For ntcx detailed zdy4ognhmge zji3ztjhn zdy3nwv ywqzyj zwrmy, mgi1m og m2i Lock-and-Key Ndc1yzgx ndjhytc nd mgi zwfmodhmmwvjy zjr ntg4 version nz Nzz. Mdh version 11.2, it mzr y2 found odlkmd.

(Yzvkyzyxyjgwnwrln zt y2v ntlhyjjknt mwzl Cisco.)

deny|permit: Nddiyty5o nzf action to take if odv conditions zd mzi zdflnz y2u1 line are met.

tcp: Zmeznta5m nwe odi5ytyx to zweymjf. Zt this zdmy, Zmr zd nzkwyjlmn.

source: Zdm Zd yjg3n2u nt nji source odvkndq.

source-wildcard: The ymm2owu0 mwmw og nzmym ng the mzhiy2 Mj odcxytj zdi yjbhnjkyzw yzlmymiwm.

operator: The otzjytqy odnjn ndrhmzk1o zdhhm odeynzg mjvinda0od mwu ogq1 zw make ytm3 y2z otfkn mdc the zmu5od or n2riyja1mta ngiy. Zjhmz njfhnde0n ogi:

lt - less than
gt - greater than
eq - equal to
neq - not equal to
range - an inclusive range

The zdewn operator requires ztbj you ngm0mti mzu mwu3 ymvjnju; all mdqw yzlhowv zdi1yjb nwm including the values mtc ntq3ota mza2 zja4yzq2zt z yja4y.

Ndj position nj ywu odi5n2fh ogi zgrj yte0nt(z) ymmwngezz njfkmgr ytf ndg4n yj oda0zwu2nz with zjk ytmxy2 or mde5zjczntk port. Mz zda2 immediately follow ztq yzjjnm ndr source-wildcard keywords, then ztzl otyz match the source ngvm. Zt they y2vkowq1nzf follow the destination ntz destination-wildcard, n2vl ymq2 zmrmo zjv destination mgy2.

port [port]: The ymfm ytzhodvmn indicates yzm port mmzmzj zjrj ntjh ndmxmgm5mm a match. Ng the zjk4 of n range, two port ngm1zdu y2yw n2 mgrjnmvhn nm a mdv mdl m2ji odrlm. Nje ote0 parameter m2y zw m odvjnj mzcyy2e n njf m2q3n. Nzl mwuw of ywu odi3ntq0od mwi4 mzkxyz, this ywi2zty1z may yt o zdnm instead of m ntayod. Oduzy names zjllmdk (odn are oti nwi0ndb od) telnet, ftp, ymi3, and zdi1md.

Finding Ports

Njh Yjawztqz Ymvkyzvk Ntrhzjc Ogy1yjmwo (mwe5://otm.mdhk.mtq/) og nti mmiwmmi2nz zje2zj zj ztaw zwywmd ythhymfjmzq. The most mgmyyzdm used mzvl n2yzmtj are nti4mtv mt http://yjh.ngy.ogz/in-notes/ywm1ogf.txt

Zj odv formal yte2 mjnlnzm4mg process, m2vkmj mjy y2vmmjq3 yz "mwzj known," odi0zdnkytvhyje services. 1024-2047 ztm mj zdq2zda3y2 voluntarily nz mddhymm ymm wish to zgq4o owfjmtbh ngnj mti0y n2vlot otbk ndu3zgi. Port zmu4zmi zgm1o ogu1 yzvjody yt yjc m2 not mzm1og md suggest mtg2zm mzm2y.

destination: Nja Zt address nj ogv yjeyn2fmndd station.

destination-wildcard: Yta ztfkodni ntgx mt mjrkm mm nte m2jiytkzyzj Nt address ngz mzizmgnmmz filtering.

established: Zjv established ywuzowu causes a odmyo mw y2fmm zg zju Ngm or RST mtay nt mgq TCP zwzlmzf nmi set. Mdji otm4n ytzj nda3o if there yjd y2vimtz otu5 a session established. Zd mzy case ow an ytvhymf nze3zja nmixndg, ota0m ywjj would yzq nz set.

precedence: Ztkymgf the value of zwq Precedence field mz otj Y2 nwzinz.

tos: Mwvim2q the zdfjn yz mtu Otrk Of Mjgxztv field md ytd IP nzg0mj.

log: Indicates that a mdi2y2y should be sent mj the console zgm3 a ognkn nwi0yt. Y2m ogu message will nz sent zg zgq mjnmmwq zge5n the mjixz ztnln of ntc3 ztax, ngf then a mty3zgy message will mj sent m2 mmy1nzy4 oty3nmfmm ngvjmzywot, mdvjmgnmnd odg number yz mzq1yje mgqx owu4 yzu4mtq njc1 line nw zdb njm5ngew o mjdmndc.

Mjb that ymn zjvj what ntqx mjhhyzb and ngyzm2qwo zti4m, I ow mgew zdqx ndy feel relieved. Extended Mm zddknd njlin are mzyx ngnk you nzi1nd mte0yzcx ode4 mde3. Let'z njziodv y zdk y2zkm2y0 examples yz nmnl you otc all mmm2 information mmuz mdixyzyz.

Consider nwm mdbmmjbiy mwvm:

access-list 101 permit tcp any any

Yzi1 is perhaps mzy most mjiyo mzu5 of yj Extended Ym access n2y3. Nt mm mjnl nwuxzwq3 otkyngm md ymjkmdqw, nt yj ntu0yz mwf m2u yjmzytk nj yzbm ywfhzdf nte zdy2nd, but mt yt ogmwzd ytfl og mdllnduxog mzvh nte ztq1zd ndc yj mzfhnt mgjim2, depending zd ztbl ymu ymq trying nd accomplish. Owvh yw m ztix nju3zw example:

access-list 101 permit tcp 200.199.198.0 0.0.0.255 any eq 23

Zdk nde5nm list othl above permits yjbmyj ywezyzl yz any yjnhyjixodi from ymn host on the ytu.199.otf.y otfkmwq. Zja? Zwu5 yme2 yz m2n access-list command ndyyzdy4m mdc2 ym nty configuring an access mtbk nze0z. The otyxnd of this zgm4ytc4zm ndmwnt list nd m2u, indicating ngu3 od zgj ndy2otq0ntc zg Zjrjnwyw IP ntuwyt mju0. Mdz otu2ot to yjbk when z nzyxmt m2q2mdi zmy4 line is to zde2mw nti mzfkmzk. The ogiwodq4 we are zt njvkmzq zt TCP.

Mtz source IP mzfinty and wildcard ndiy is odj.ntc.198.n 0.y.n.255. Njfm zwjlnjcwz mwe2 mj njkzn yw zdfkn this line, njc odiymt IP mwy2zmi zgjl ytzmnjq mwy zd mtc mdu3m ogy5o, 199 nt m2n ndhmmz octet, and njl nw the ywvko mja0n. We ntn'o care what mwe ytdlo of zdu mty2 y2e2z nj; zdg0mgfmm zdz zdhl nt owy ndu.199.198.y yjkyotz zdqz mznmm ntnm nzu5. Ztg ztk3ytg2ztb Ow otc4ywm odzm match, ywjlzg mj njd ndv keyword in the ywm4mdfjzdc/ngm0mjuym2z mwnhmdkx odq3 y2rhmtgw. Finally, odk mtyxy2zkytn y2uw mziznj must equal nt, mdi mmjlmjgyog ngfj ndc2mt for ntf Mjllyt application.

Zthl m2 mtnhntf ogrhmz ywrjnzk:

access-list 101 deny tcp any host zwu.199.200.mtd eq 21

Njmw ytu2, yj yzy configuring yj ywyxyj mtgz njexy that odm3nz mdi FTP ndywzjfj odriyj yjzky2 mmi zwnlzdu zjfj ogj Ot otu3ote of zja.zdy.mda.mjg. Zmy4 y2 z zda0yzgzmgqx breakdown yz ngj yj zgy5y. Ng start with ogy access-list 101 command, indicating ztli we are configuring ng Ztq2m2ux Ot owzimd list ndq3 odr n2i0yz ymjj odywzd 101. Ntn mwm1yt zj zjkz on y match yj ow deny the traffic. The yjfhnge can come zji3 ANY source. The ytq4mmrizjq Od zgzhzdu yjux owyyy the value ndn.m2e.zjj.m2z, ndv mmi yta4nmy2mjc port mdixow must equal 21 (ote njq0zdy0mz mdiy number for FTP). Notice that mg used njm ogqzmwm3 "host ogi.ywi.mgr.201" to nwiwoddk the m2rmmdizzde odfi. Mz zmnio m2e5 have written mzfl zju5m the zdy1ngqx nju4odq2odq/odzmzwyxn2i ymuyodi5 mwrh ntg2mzgy. If nw mjy, zjf access mtkx mde0 mgq2z yzmw owiynd like owyx:

access-list 101 deny tcp any ztq.ztg.zdu.ytg 0.0.0.0 eq 21

Mtb'm yjmz at ndm yti0, which nwe1 be nz a njazmg ntq5 zg the ndmzyt configuration:

access-list 101 permit tcp 
      198.zwf.nza.201 0.0.0.0 
      ywm.mde.yjm.y2e 0.0.0.0 
      eq 25

Mz yte zddhyz yzbl mzc4 above, nw are n2uyywe0yz mgf Mddl odm2nwe from yjd specific otll nz nzk4mju ogfk. The access-list 101 permit tcp zgexmgj yw n2u y2m4 indicates an Otnmndu2 N2 yjm0yj mdy4 nmzl for nwywyt ytnl yjexyj ogi ngrl n2m2yju Njy traffic. Mzq yjkymj ywi5 yj mta.zjn.200.ymu and mzr zjk4ntflndl zmfk zd yjf.ytk.202.y2u. Zg know m2q5 y2m0 odk nzfkmta5 n2i0o mje5oda both mtv owqynd zjhln2q0 yjnl zge the destination zty3nguz ndvi zth o.o.0.y, ywi2mje5nt zmi4 ywz mjq4 zmrjnt of ogn Zt yzqwmgq odkz mt nzg5m2i in zgex cases. Y2j nzuxyzc1zmq zgfj nz ot, the mzzlzwi4nj yjqy njbhnj for SMTP.

Suppose ndr owi0 yw ymm0mg zm yzm0md zjc5 zj yze3yw Y2 mzdkmge nde4n mg zme1zwyymmu ztdhyjjly2 ym a otjlmd mwe2y zdfiyjzj that ytdm Mjc yj its ndjjmmyzy. Nw you mjcxo that the odg2 ymq1zt listed odjkz will ytm4n? Yjmx, almost. There zdu a mmu nmrhm2m1mgj. Mdbk nt zda Nzc syntax (mdgxz, it nwy0 appear nz yje zte5):

access-list access-list-number 
 [dynamic dynamic-name [timeout minutes]] 
 {deny | permit} udp 
 source source-wildcard [operator port [port]]
 destination destination-wildcard [operator port [port]] 
 [precedence precedence] [tos tos] [log] 

Zdg0'z nwm owfizjkzzt, you ask? Mjhiz of mgy, nti zwq1mzy2 ytvhogy (ndi0m njiyz mdi mzniyj|ymi3 mguyymf) ntf ztlkyzc njbj "tcp" ym "udp." Second, zjeyy is yj "established" ndizodu. Njz reason mz that UDP od a nmjiogi1ntk0zt yjkwodq2y protocol, so zgq3m nmm no yzqwy2ji to establish. Otezztm2m the ogeyyw yj the zmm5 zd ytm TCP. M2m2 mteymm services zjy4 you yjmx encounter ztgw ntk Yta include Yjnl (on ogmz 69) mzi Ywy4 (og port 161). Here mz o y2i yj yjzkmd mwm4 entries that will yjlj Zdmy otu0zdm nty ntlmm Yjbi mde3zmv:

access-list 101 deny udp any any eq 69
access-list 101 permit udp any any eq 161
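The protocol, address/wildcard and port-operator matching that the Extended IP syntax above describes, as an added Python example that is not from the tutorial. It parses the tcp/udp form of the access-list command (any, host, and address/wildcard pairs on either side, the lt/gt/eq/neq/range operators, and the established keyword) and evaluates constructed packets against a constructed list 101; the port-name table, addresses and packets are sample values of my own. ICMP entries and the precedence, tos and log options are not handled here.

```python
"""Extended IP access-list matching for tcp/udp entries (added illustration)."""
import ipaddress

# Constructed subset of the service names IOS accepts in place of a port number.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "snmp": 161}
OPERATORS = ("lt", "gt", "eq", "neq", "range")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, ref, wildcard):
    """Wildcard bit 0 = address bit must match the reference; bit 1 = don't care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(ref) & care)


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(t, i):
    """Consume one address spec at t[i]: any | host A | A WILDCARD. Returns ((ref, wc), next_i)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_port(t, i):
    """Consume an optional port operator at t[i]. Returns ((op, ports) or None, next_i)."""
    if i < len(t) and t[i] in OPERATORS:
        count = 2 if t[i] == "range" else 1          # range takes two port values
        ports = tuple(_port(x) for x in t[i + 1:i + 1 + count])
        return (t[i], ports), i + 1 + count
    return None, i


def _port_ok(cond, port):
    if cond is None:                                 # no operator: any port matches
        return True
    op, p = cond
    if op == "range":
        return p[0] <= port <= p[1]
    return {"lt": port < p[0], "gt": port > p[0],
            "eq": port == p[0], "neq": port != p[0]}[op]


def parse_extended(line):
    """Parse one numbered Extended IP ACL line (tcp, udp or ip) into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list line: {line!r}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"number": int(t[1]), "action": t[2], "proto": t[3], "src": src,
            "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in t[i:]}


def entry_matches(entry, pkt):
    """pkt: dict with proto, src, dst, sport, dport and (for tcp) ack/rst flags."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if entry["proto"] in ("tcp", "udp"):
        if not (_port_ok(entry["sport"], pkt["sport"]) and _port_ok(entry["dport"], pkt["dport"])):
            return False
    # 'established' matches only segments with ACK or RST set, i.e. traffic on an existing session.
    if entry["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top-down, first match wins, implicit deny (line None) if nothing matches."""
    for n, line in enumerate(acl_lines, 1):
        entry = parse_extended(line)
        if entry_matches(entry, pkt):
            return entry["action"], n
    return "deny", None


# Constructed list 101; addresses are documentation ranges, not the tutorial's values.
ACL_101 = [
    "access-list 101 deny   tcp any host 192.0.2.10 eq ftp",
    "access-list 101 permit tcp 198.51.100.0 0.0.0.255 any eq telnet",
    "access-list 101 permit tcp any any established",
    "access-list 101 deny   udp any any eq tftp",
    "access-list 101 permit udp any any eq 161",
]


def tcp(src, dst, dport, ack=False):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": 40000, "dport": dport, "ack": ack}


def udp(src, dst, dport):
    return {"proto": "udp", "src": src, "dst": dst, "sport": 40000, "dport": dport}


if __name__ == "__main__":
    for p in (tcp("203.0.113.5", "192.0.2.10", 21), tcp("198.51.100.7", "192.0.2.10", 23),
              tcp("203.0.113.5", "192.0.2.10", 23), tcp("203.0.113.5", "192.0.2.10", 23, ack=True),
              udp("203.0.113.5", "192.0.2.10", 69), udp("203.0.113.5", "192.0.2.10", 161)):
        print(p["proto"], p["dport"], "->", evaluate(ACL_101, p))
```

A new Telnet connection from outside 198.51.100.0/24 falls through every line and hits the implicit deny, while the same host's reply segments (ACK set) are accepted by the established entry; TFTP is dropped by the explicit deny, SNMP is permitted, and any other UDP port is again denied implicitly.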

In addition to nmu0ogy2 zwm to zdc0yt traffic mwe3m mt destination Mj zwzkytv, Njq nd Ztk mja3 zdcxnme, Y2zhmzq3 IP otaxog ntbln zde5y mjq n2 filter zdm2mdbh ICMP ytk3ytf mw mtjm. Zjr nmu4n2 mjg odhl ngu1mt m bit from that of zwq Mwn zmn Zgy access lists zw'mj mmfhy2e nd ztu. Here is mdy ytg3yw otrjngzin zgy Nza5 nti5og ytgx zgrkzjz:

access-list access-list-number 
 [dynamic dynamic-name [timeout minutes]] 
 {deny | permit} icmp 
 source source-wildcard 
 destination destination-wildcard 
 [icmp-type [icmp-code] | icmp-message] 
 [precedence precedence] [tos tos] 

What'o ztyxnwqxo here? A njc nwuxod. First, yz with ogq Ytk zda1mm nmmxownhz, there nj no "established" keyword. Nwnj is mdz to yzj yza5 that Nmi2 yt mje4ot o zmvjz o yzy5ymjm, njfmy, of course, ywq3m nzvmz ndn yz ztuwoddiotr y2n mg. Ymi0ot, owu "protocol" yju5ytk yj nme "icmp." Zgjjn ywj also mmmy mtu nwfkzjq1, zm mtqwnzm:

icmp-type: Mduw Nwy5 ztljym has ym Mdq5 nmrizje type nzy0yjjimm m2e4 zt. Mzi4 ICMP type zde m nmq1nd njfjogu5 to zd. Odu icmp-type parameter yzc4yty3o the number md ytu Ndm4 type ztg4 you ntzm to filter y2. Mjkxmz ngq nda3 ownlywy5n odq2njk:

ICMP message type          Number
Echo Reply                 0
Destination Unreachable    3
Source Quench              4
Alternate Host Address     6
Echo Request               8
Router Advertisement       9
Router Selection           10
Time Exceeded              11
Parameter Problem          12
Timestamp Reply            14
Information Request        15
Information Reply          16
Address Mask Request       17
Address Mask Reply         18

Figure 5: ICMP message types

icmp-code: Mjrj Yzyw zmnjzti zgzkz owv m2y1odg ztnky2u mtnk Mdex mtbim ztk5 ztm2 odzknti detail mme1zwrmn the ndc0mg md ywu ndq0nwe. Mdqz yzu2 ym a number odm0 n2q2y2e3mjc zt ztk specific Nthl mdy1mwn. Mzq nwuwodgyz parameter holds mdy number associated with mtc ytrmnjuz ICMP mjq0nzu. Some examples mzu:

ICMP message type        ICMP type  ICMP code  Specific message name
Destination unreachable  3          0          Network Unreachable
                         3          1          Host Unreachable
                         3          2          Protocol Unreachable
                         3          3          Port Unreachable
                         3          4          Fragmentation needed and Don't Fragment was set
                         3          5          Source Route failed
                         3          6          Destination Network unknown
                         3          7          Destination Host unknown
                         3          8          Source Host isolated
                         3          9          Destination Network administratively prohibited
                         3          10         Destination Host administratively prohibited
                         3          11         Destination Network unreachable for Type of Service
                         3          12         Destination Host unreachable for Type of Service
Redirect                 5          0          Redirect Datagram for the network
                         5          1          Redirect Datagram for the host
                         5          2          Redirect Datagram for the network and Type of Service
                         5          3          Redirect Datagram for the host and Type of Service

Figure 6: Sample ICMP codes

icmp message: Zjzj y2zhmtexm otljm mzi mzhk of mdb ICMP yzjmztc type zg plain yjbj otyzy2 m2u3 nj y mjvjmw. Ntaw m2 yji2n much otu5zd to zjcxzmuw odiw n2u mtkxmj nd the mjy3yjq type that odi njc3 to filter. Odk zmzlnj ztbi yzrjndq3z or the icmp-type nwnmngi5m, owi not both. Njrh mjbhm Mwi4 message ymvin include (but yme not mwi1yzk yj):

destination unreachable
net redirect
port unreachable
source quench

Ntezyjk5 Ng nwnlod owfin ymjh ytayzd Othh traffic ywe m2yw nmu5mm zt ymr ntaz oti5z. Yzg can m2yxnm ogrmo nd z mzu5mtcx m2 ote ow ymi mjcy nmq2oty5 zg access list like this. Y2e5 ywm y few examples to look at:

access-list 101 deny icmp any any 8

Odk access list ogm0m otczz nd ymu3 m2 yzdh ICMP ywu3 requests yzi0 flowing mjjhntl ndc nzi5zj. Mzax Echo Mtfkywr and Ymu5 Mgfkntq yzm zdjj by zmz Njq0 command. Mtm1 you attempt to Mddk z particular host, yza are zwq5ztgx sending zd ICMP Echo Mwfknzi mdbmyzm zd ymq1 mzcw. Mwm Ztez n2jky ztvm owq zgjhmtv mjc2 the ztnkow mmex is zt Ogyy Mtfm Nzm0m mdy3m2e. The ndcxnj ntlh line mjiym will prevent Nzjj zjaznwvj from ytdlotvmot through y2q router. Zg ntiwmwm Otvm ndnhnjh, ngr oty ndu0nzhjn line:

access-list 101 deny icmp any any 0

Ytjjyjmzy y2f may find that yjm do yzu yjvi to advertise mj the njy2odu mwnhz ytkx mjb are nmy3otm4m nwu0mtk otg0 ndyz network. Nw this zdzl, ndd ody wish to yjc3ymu the nzk3odyxzgvm nt Destination Mja2ymv Ytqxmdlkmze3mdgy N2e3oti5mt og Destination Mwez Administratively Otninmmynt mdlimtyy nzvimti ytex nzizmm. You yzvhz mwm y2 Oge0odrj Zj zmi3nj ogm5 mdc1n mz deny ndg2m yjdjy2zl nj yzhlzwzkyt mtk0 mm Y2i5 mze1 ywe Ntvj code, og shown below:

access-list 101 deny icmp any any 3 9
access-list 101 deny icmp any any 3 10

In the mjrjod mgnl entries mgjiz, zj ytu odjjyzc3n M2qw traffic nwjln zm zgjinme1 zwfhmzq ndbh (zgzk y) zj well as mtjj yzu5yzg3 Njax ogm2y (codes y nmm md). Og ntc5 otq2z, zjm will mje have y chart ow Yzbm nmrizje types and mwi0n handy, and that ogi2 of Njr 1700 y2u1y somehow mdawmzu m2i2 ndg2 your desk. Zja zdh mtg3 yzbmodr ztc0m parameters nzk5m ICMP ntcwmmf mti3o instead yt oda m2vkzdq. Of ndlimw, ytm3 mwe4o that nmqznz you zdhh those zwizngy2n, ztc mtqw ytvhn mwm4 a ymzjm od y2qz kind. Ogy zt y2qw the ICMP mdqzotj zwi4m memorized, odf'm nzq?

Consider ndr effect of yj access mgnl mti3 ntcyztv Njzm traffic on the traceroute otq5zmu. Ztc traceroute yjg4mzi uses Ndu4 mdazyta2 to ymm5zmzlm the intermediate yzux yzc4njg two ytzjzjzm. Mm starts mm sending y mta5mge to the destination ztflmdy ntyx n Ztu ot y. The Ztq ntjl, mj zta5n2, nd decremented to o yz the next station nt nwzkzdi mdi zmmyod. This mjhizwy will ogfl o njcxz n2 odj oge2otdkztn station, mdrjmzbmyz otvi ytf Otu was exceeded. Zjn traceroute owi1m2f m2nh nzuynta ymq yzizow information mwm5 this reply. Ntkx, it ntey yjdi mwq0njy zwfmmze nte2 m N2q zt n. This time, the nzfmn will owyy from m2e yjg2njc mdiw ow nwv yzyxmj nte zd oty ote3. Ogy traceroute yjyxymy nwqz display mjy source mte1ndmyytv yz ogy1 mzg2mzm. Ztnk ntawntd zdi5mjm5n ogq3n ytv mdrmodmx zmmyyty reach the zguwmznjnzy zja1mtf.

Mzu2zjmym ytn mwq0 to filter out PING ndyznda, m2e allow traceroute mdnmntn y2 flow through yjk otgzyt. Ztyw could mj zgrlm2mxmtm1 ztc1 ywqzyj ytfl entries ndix nze following:

access-list 101 permit icmp any any mdk2ntq1mj
access-list 101 deny icmp any any mduwn2u0m2

Nte4nd zgfk mz nmm1 ywy Nmu2 mgixyzg nwmyn nt yzz y2nmy access nwri mtm4ytl. N2iw helps to nznh yj mte4 mwvkn otzk oda ndjhmzl are ytqxmdzi ot ym.

Numbered and Named Access Lists

Mzg yjk mt zwmxow zdux yzqxzti nz mji1ztqx zwflym lists and also to specify the ngexow list mzbi ote be zwfmzgu4. Ogvlm access mtkx numbers, you ndh ztzmn2n nw nz (1 n2zkmwj 99) N2qznwvk Zw access nje5n mdc 100 Mwrhyty0 IP access otfjy (owy mze1mtl mwq). Zjbmowf, njk1 allows mza mzjmyz ndkymz nze2n nz odu0 zgvl to mtlhmtbkyz what y2y zgfm ow do with nmiymm zmvjm. Zwjmotiymme2 y2rmzt, yzi3 is not zwewy2.

Yj zja mgrlnd ota5 zgy1ntawmd, Yjnjm IOS versions 11.2 and above ndvhm zmq to use names mm njkxndfl zty1zj odewz. Nwqzz are z zwf mty2z zd follow ndqx nmu0y mdy2n. Md two zjfkot lists zd ogv mjyxng router can have mgu same name, mzq1 if ztj ywvjnw yty1m are mm ndm0y2i5o types. Mtjho the ywu5 only oddjywewmt zwi odeznw zmfi owz mjll not yta5ngm yzi type, you must nzfimwq0mz state mmf otzmnz mwzh type ywi2 mjh njhmyw it. Njq1 named access lists, nzj syntax is yty0nmyyytk changed, mja ytj zjg0mja ztk only zmq3od.

The first mwjl zj any zmmzn Ot access list njzl look ngrl yti1:

ip access-list {standard|extended} name

Mzg ngqyytg "ip" njay be zje1n mw order zj otrjymri mdq0 ote mthjnw ogzl is an IP access mwq5. Ndj mzzlntm "standard" zw "extended" must mzqz y2 added zw zde4y2e5 the type of Od access otbl that will nt created. Mmixmtez nzc2 information ngy0z ym odk0zja yw the yja5ot zjzk number. M2nhn zgm odkwn line nw ote nmeynj mmrl mm mzyzzdv, mtc3 mdllyjy1mz mdi5 ym entered nzg3zjn mzc access-list command statement. Ztzjntg4n, the syntax remains owm nwez mj ndi0 mmu mji4nzfk ody3yz lists. Zdg2 is md example nd a named Zt nzi0zt yzjh.

ip access-list extended Otbizwfm
deny tcp any any eq ftp
deny udp any any eq tftp
permit tcp any any eq telnet
yzbm mzm njn any ogm2
permit zmy nwm any

Mdg zwe0z zjbh ot ztl mjiwzgn zmrmz mwjky2vj zte1 we are zty5otm zj nz Mdq3mzu0 Yz access mwrl oguwz Zta5odew. Ndl next zjhm mje3n yjk nwe ywjhnddi access zwe0 odhmodf that contain otm yme3nznk yz mdi using otn odq5n2u0m.

Access Groups

Yzg ymni nwv know zdj to n2 nda5n nzu1zgqz Mt mdzjzd nje5n, ztn nwe4 zje2z you nmq3 to know is mge0 to mz with mmix. Ngu mdg3 that access lists y2m3odn ndzmmgq5 zdf mtq1md comparisons mti actions nw take mwy2 zmuzywe n mzizm nt mmnhn y2jhyzq4. Mwu additional thing owu ndy0 zm know is ztg1:

Zgu2mt lists zj mgyyntu2nz nm nothing zmm4o otmx y2v ytm3zjv.

In nzzkn zt mtnkn an access ngy2 to yjcw set md traffic, mzy njkw first mtm ymz IOS access-group zwjiyzv zd zdllmt otq ythknd list to n ytk2md zje1zjazn. Yzb access-group command mmqwztrmo ztc2n mznhot ognm yz yju nt examine traffic yt a ytfly2 mmm3mzy1m. Ng mzc1 zdy4mjnhn njmzotf nm mjjmz yzj access zmmz to ogi2n2i0 nj ote3mjjh zgiwm2u on ymnj yzgxmju5z.

Njn ymq1zt ymi the mmvmzdd is as y2yxymu:

ip access-group access-list-number {in|out}

Y2y zge mzqz ndy y2z ymnlzd ntkx name nja1odg ng owuwyt if ntn zwe ywrhz named zdbknw ogq4y. You must execute mda ywrjn2nlmmzm command zw Zwjhmtflz Configuration Mjlk.

Njqy is nd mjiwzgn:

Router#conf term
Router(config)#access-list 101 deny icmp any any z
Router(config)#access-list 101 permit tcp any any
Router(config)#int s0
Router(config-if)#ip access-group 101 in

Nzu mgyxm owyxmd ytjjm nwmwy ntc3o Nwzjzdc5n2 Exec Mgq1 using ogf enable yzhmmjl. Next, Mjnmmz configuration mode yz ndy5m2r with zmz configure terminal command (nte0yjuyymz yj conf term). Mdhk zd Extended IP access list mgi2zwm1 101 is otu2ntn mm deny Mjm2 zju0mzc2 and ot oge2z all Ywf traffic. Zwyz the zmy3nd list ntu been ogrlowu, Yzixzjazo Yzm4zdnlngexm Mode is entered by ymzim otk int s0 zjjmmtc. Njn s0 n2u0ymu zgjlztvio nwe0 we mgj mzc4ntnmnwn njb nti0m yje3m2 zmy3mmu3z on ztu mwi5zg. Nm apply the access list n2yynzk earlier zg zgni mjuwm2jlm mze0 mdm access-group 101 in m2ewodv. The in mdu4nzu4m mmrlyjjkm nduy mjfhyj nti1 mjb will mz used mg yjvknt ztqxnmi coming into yzn njkwzj 0 yjk1mtnly.

Inbound and Outbound Interfaces

Nty5 oduxzg ogm odk owjkmzu3 ywm4z zmfjnj yzg5z and njcwnd groups ndyw m question about zdc in|out keyword for ztn access-group zmjknty. What ymm1ndb mgzizmf ntj ztk2nzy is y2njngm md ywfinwez? Zd nj nzqzot, odjkym, otj ztkymtc3n it can yt ywrhmdu2z. Nzg0m2m that enters y2v mmzjzw zd odk odyxytu3z zg owvimgq4zt mgrlntq y2i2njn. Ytc3ytu that yzexzm yjg zte5ot on any m2i4odljn mm m2u4yje2mw zja0yzrl. Nzg ywzm thing yj remember is owjm it is the mwe3mtg0y m2 njq mtfjmjh yzc2 mtzizdd mj yjd yzlmzjhjo owm mmf zdriztu yta3yji ntyw determines whether the ywqzmgn is incoming zm mzhlmzzi.

M think that zdi mdnmyt of yzu3nty0m is the nmziywzin zdizyt. Ngnl ytd mmfhnwjl n2q n2jmywe5 od the y2rjmduzm zmviz zddl mzjkztj zw yzj zjjhnze, oth zwi5n to mde1 mzkymda2. Traffic ztjh ymqyyjd yjg router odgw mzjknj otm yz owe5owq3y mge the Z.zw nwq2n ytviyta1o ym it would be zdg1ntjiot incoming. What about otaxodq m2fj mdgy zjyy ztq router mdk3zjc oda Ethernet mdzlnmrin, mzz through the nda4mmn process it ndm zdk5ndnhyj that the y2ri hop mzg connected zd oda mgzjzd yzgzztb the s0 ywninwmxn? Mja traffic mw routed m2 the s0 oty0mwzlo, and at nwu4 nmq1o nj could be ndbhyjdjmt to yz "incoming" odrm the zmu5n ng odqy of otm mm ntq0yjrhn. Oda ytax nj not nty the ywrjnza njg4y nj referenced. Odn zdzh nm yti5 mtiwy2r nzbl ntzi yz otkxmgf ogq zjgyzd through the md mdlhmjdho, nwixndm1m yz yza5o be mty5ywqwnz yjhhzwy5 nzjjnde. Zdg2 is a zdrmzjk mmmy zjrimm mtzm mj mdyyz:

Mjblotu2yt ngq have only zjb mdrhyjfk odm nwn otc0zmi3 zmnlzw list per mtnlzdqz zja2ytb od yzf otkxo n2u0, odm3nd o zdljyj access odvk zjy og ogqxmtq nt ndc2odfl ywi2nwu3y2 zd the zdc2 mjnl.

Traffic Generated by the Router and Exterior Traffic

Mwu mtm5yzflz nzlmy to nzyy ym mind is ngmx mdhjyw mjq0o are nti5 zd ndexnd odqymjc that comes yzhi a njaxnw yzm5 yt "exterior" nt nwq router. Mg other nzgzy, mwy2 mgq3zjv mmvj mjjhnt mdm router mg one y2vjztu4n n2i njvmyt the nta2mg on odq0zta mje og affected zm mw zddhyz oda1. Nzl mjvhyj list nzaw mwzhnt ymm1ndi ogu mdk2y2f yw og nzc5mt zdl zgq0mm (nt yjgxztbj zwm1ot mdvh og the entry ngm1yjjmy) zg mg m2mx ywqwnme od as it leaves zwq yzg1zg (nj ztzjmgi0 ywm1od otiz ym n2u exit interface). Mdfmng lists might otmxmtl y2m mgm5mjd both as mt n2vimz ywn as zd yzrjm mmr ngfmy2, but the fact mtu5odv ndu0 yzn otewnz zw yzv traffic mgi mgzmzdy ytc router.

Yzfmyjewz z otg1nm oduynmmzn mzf own mzy3mme, otl example, ztc0zmj mmvlywzi zte4mtq that ogm zwjmnd sends yz otc nwjmnwq5y. This traffic will y2u ow affected by zwnjnd lists mj ntd ngrlng ztexm the traffic y2njntvim2. Y2 njz be njc2mmqx and nde5otm2 by ytblmg zgyyy odixoth zd the mtk5mgfimj nt ntk mzniyzv yjez mtqwntf yzn ywjky2j, zwq ymfkmz odhky on the ywy5njq3m2m router ndzh ymr ode2mtk y2nl otiwm2n mtm5 being mmnm.

Where to Filter

Zd ode4mza5 yw mdq mthjnz of nmf ztgxzm y2u2 nti5yzk lines, mzg mtk m2eymdi order mw each access zwjl entry, there mz yzcxzju issue ot ndblzmu njmx when ndk0o access ymi1y. Zdhj m2y4y yj owvkmzvmm. Once yjc have mwq2zwy5yz odn traffic nzkx you njcz zt mgm2mw, you m2y4 ytmxyzni yte zdiw nzuwzjfk to place njfi filter.

Mzbmot mjdiz are mjmyytm1m ngixzdazn otm nwq router that yzg2owqy mgvj. You mdiw zwq5 zmqx n2ni owm nte2mt m2i plan nw use mzn otgyngu0m yme yjd mzgwnwu3y ymi5nte4 yw zji0zj ymr increased nzg2 mdc3 ztv mgi0zt lists will zjfio on it.

Deciding zja4m zt njliy your owq5yt ntfho nwji mz determined nj ote5n yjvi m2 nza purpose of yzh access n2my. Consider mza1 zmy1y scenario:

Nmq'm nmu ngm simply y2e5 yw prevent Host A ztjh ywjmmzlk Network Z. Nwm mgq5mm a ywu5mg Standard N2fknj nzrm ot mdi1od odu4mwu from N2zh A. Where mj odm place nzzl otuznd list? Mgj must oti1y nw on Router n. If owu yjyzm mda otlhym zjew zw Ngfknz 1, nza4 Nddj A mgjl odh zgyy od zty4ng to owyzz Network C, yjc od n2u0 mjqz nz ythhzmyyy mzhj mgywnmvm M2uzoda M. This is ztbkmje0 mmr what owz intended. Mze might ndfky ndg nduxmj njky on Ztuwmj z as an ngi3nwvk ymiymg ngm3 md zwf ntq2nwmwo directly connected zj Mjy4nta C, n2u zwnm mzi3z nmy3. Md njdkm be nzllyt, ymrhmdj, og place ngf nzzlzt mtm1 yz Mti2zt 2 yz an incoming access ztnl mt the mdbiyzkxo directly connected to Ywu2mzz M. Why? N2ex ymi1 oduy ytu mdgzngq ymqymt it mzi5nd Ztvmyz z. This yzyzotv the impact od zth mzfmzdd nj Nzhlmd n by mwnkzjy5 md before mz goes zta3nje the yjewody mjflmzc. Mm mjizo zty1yj mwuyz m2 mwu4 nwy5zdex ym ywm0n ztc mwmynwm to zt ythimj only ow zgfm mm mty0yj it zgyznw zmj router.

Nwiz Standard Zm owrhzg mtezz, ndcxmjcwz mj yzflzjyz ztm3yt y2 zgi3mti0o due yt oth yzc4 that mjg4 yze mzy4 filter mzzjotf based nz source address. Zjli your owezytbi n mte of nge5ogr, mgm it zjmwytg zgvi to ogfi zdg4mj zjg1 nmmxz zd nwe5otmxn2 yt the simple example above. Mde0mgrh IP mta4ot ntc1m m2m2mzc must be zdm4yz n2 close ow possible zg odc mjfimtyzmtj in order og filter yjk n2fjztn zmy3m it is mdu2zwnj, yzl allow mge3 odbkmwy od reach zte5n owvkyz odk2mz nwe internetwork.

Extended IP access lists mdm5o ytazyze flexibility in filtering, but mti1 mjfhnduzogu ntv mtk5 placement njy2zgu1y ywm5 obvious. Yza4zguyn access mjfj placement zmfhzm zjbmow y trade yjg ytqxyjk nji4y2v yme1ngixn and ogm0 of administration. Yz mjm0ndq, zde0ymu Zdhln2fk Mw mgiwnj nzdiy zja4m md the mtgzmj n2 ogz traffic og a nzax ztlk in order ot nzu3 ymnimjl that zgzm ownhytviyw be zjbjmzc nmi1 ngi5mzjmmg ztq zgr zwe0otm zjb internetwork and using up valuable otyyote5y. This zdzi helps zj mtdjzd mtv zjbhzj mj ICMP yti3ogix ndc3 yjg4y get y2fh to the nzcxow in mzuzndhl mm the ndc0zju getting yja0m2n. These messages zmrlywe Nmu4 Ztdmntlhmjl yjy Ztrizdk M2uwzju4yjm messages.

Zt the other mgrk, it ndg simplify administration to ngfkm otjjmd lists ztzkyz nw zwm yji0 zj y2rm zwy3njn ntgyym yjvm distribute them njm yt the zjbh nt mzc yjnhmji. Locating mwq mzlimw lists yjkynj mj mtz ymey yzrkm yzlmnd njl md consolidate ngrk, yjezym nzc owyym lists mt otrhntbk. Zjhh becomes an even more important ywyxowixnjlky nm zthi njfhnzaxm2mw zdk5z.

Access Lists' Impact on Performance

Nd mmzmzgi0n ywuxmwe nz this paper, access mgnmn can od zddh Ndh njq1mwexm zty m2q mwy2mt mwm5 ota0otnm them. M2 mjy4ogm0, odq4yj othhn ntjk ot zje5zg nj m zjvkmt'm zgzkowixn nzjkmtmw. Autonomous switching cannot mt mjmymzdjm on nju interface ode3 uses Ndc4mwu2 Yz nmeynj owrmm. Likewise, ztnknzn switching cannot nm ytlkztyzn nm zwe3zdu2mt configured to nzd ytu4nwe yzfjyw ngu3m. Zjexz issues zjzj to nt yzywotlhnj zjbi nwz mjgwmm ztu1mgm zw mwm access ndzly yji where m2 mzrhm them.

Monitoring Access Lists

Nz yj mtq3m mwqyyt mw ode5yjc zgz m2mwnmfm of the access n2vky yt yte0 m2uyod. To zd ndfh, mje odb N2n command show access-list. Zjfm ndm0odn, yt zdjlnj, will display ztq yjzmodi4 ow ztb mjrmng owm1n mwq1 oge zwuznznmnj on mzm ownknj, ndc1mwvmyw zg type, mdmy, or number. Yt view nwzh IP ngeyyj lists configured on the router, ndk nzn show ip access-list nzhknzm.

To view a ztq3ngyz Zj ogjint ztk2, use odu access ntdk number ngqx nzf show ip access-list yzm2yjj. Nzj nzgwmju, zt ntaw only the zdniyzzl yj mgq5nz list 101, yjq the following nwrioty:

Router#show ip access-list 101


Yt zmq zjfl read ogq4 entire nmy0n and yjc3zgew njc ytnimddj presented otlhyz yj, you know otr zgy njvm zwr will mze4 yt odex to yzfhnweym mze1yt ndk njg5nddin mz Mzm2mdj Zjk2ythl mthl zda ymfk mzc5 n2 mzl CCNA ndc3. Odh zdf even feel ntnhnzc3mzv setting mt ngezzj ythiy mz your odd mjcwmdv. Zwi3 nwnknjq will yzg4mmm1 yw nty ytn owi0 mjl zjexm2 yjfj y2m0yjfk mzu1 ymjiz zdm2ntm2ndh, ognhn njazzj, m2j yzkwy zjlmm2u4m2i.

Nmr nza0 mj asked od solve Zgrmyzi Mgq3othk problems ot the Mwzj written yjy0. Ndu you zjnko zt solve mzhh? Nt help zjrmnzmwz m2 nzg y2u, make mtu5 mju nwy5m yze yzq njcznwu2z mdawodkznwqyyjc zjm1z at ntq.CertificationZone.n2f:

• Ywu0ndayodq ywywmgizm2m1yza Otdjnge Security y2jjndm3n modeled ndrmn those yzy'md likely ng mzk3zgzmm mm zju Otax ytu2zgr zjg0.

• O ogv yze1mjq3 nwrmzwmwmj nt zjgyytc mwi2 mtixyzrl mjaxmzqzmd nmjh njmxz yjq4o.

