The document discusses using access lists to filter IP traffic passing through a router. It describes the different types of access lists (standard and extended), how to configure them to allow or deny traffic based on source/destination addresses and protocols, and how to apply them to interfaces to filter incoming or outgoing traffic.

1. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Basic IP Traffic Management with Access Lists Chapter 10

6. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Other Access List Uses Priority and custom queuing Dial-on-demand routing Route filtering Routing table Queue List Special handling for traffic based on packet tests

8. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Outgoing Access Lists Inbound Interface Outbound Interfaces Packets Packet Discard Bucket Packet N Choose Interface N Y Y Routing Table Entry ? If no access list statement matches then discard the packet Access List ?

9. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Inbound Interface Outbound Interfaces Packets Packet Discard Bucket Packet Packet Y N Choose Interface N Y Y Routing Table Entry ? Outgoing Access Lists If no access list statement matches then discard the packet Test Access List Statements Permit ? Access List ?

10. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Outgoing Access Lists If no access list statement matches then discard the packet Discard Packet Inbound Interface Outbound Interfaces Packets Packet Discard Bucket Packet Packet Y N Choose Interface N Y Y N Notify Sender Routing Table Entry ? So Eo Test Access List Statements Permit ? Access List ?

11. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Y A List of Tests: Deny or Permit Match First Test ? Deny Deny Permit

12. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Y N Y Y A List of Tests: Deny or Permit Match First Test ? Deny Deny Permit Match Next Test(s) ? Permit Deny

13. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Y N Y Y Y N Y A List of Tests: Deny or Permit Match First Test ? Deny Deny Permit Match Next Test(s) ? Permit Deny Permit Deny Match Last Test ?

14. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Y N Y Y Y N Y N Implicit Deny A List of Tests: Deny or Permit Match First Test ? Deny Deny Permit Match Next Test(s) ? Permit Deny Permit Deny Match Last Test ?

16. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Step 1: Set parameters for this access list test statement (which can be one of several statements) Access List Command Overview access-list access-list-number { permit | deny } { test conditions } Router(config)#

21. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Testing Packets with Extended Access Lists Segment (for example, TCP header) Data Packet (IP header) Frame Header (for example, HDLC) Destination Address Source Address Protocol Port Number Use access list statements 1-99 or 100-199 to test the packet Deny Permit

25. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Wildcard Bits to Match IP Subnet Check for IP subnet 172.30.16.0/24 to 172.30.31.0/24 Address and wildcard mask: 172.30.16.0 0.0.15.255 Network host 172.30.16.0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 1 match Don’t care 0 0 0 1 0 0 0 0 = 16 0 0 0 1 0 0 0 1 = 17 0 0 0 1 0 0 1 0 = 18 0 0 0 1 1 1 1 1 = 31

34. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Virtual Terminal Access Example Controlling inbound Access Permits only hosts in network 192.89.55.0 to connect to the router’s vtys access-list 12 permit 192.89.55.0 0.0.0.255 ! line vty 0 4 access-class 12 in

35. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Standard Versus External Access List Extended Filters based on source and destination Filters based on source Standard Permit or deny entire TCP/IP protocol suite Specifies a specific IP protocol and port number Range is 1 through 99 Range is 100 through 199

45. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Verifying Access Lists Router# show ip interface Ethernet 0 is up, line protocol is up Internet address is 192.54.222.2, subnet mask is 255.255.255.0 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is 192.52.71.4 Secondary address 131.192.115.2, subnet mask 255.255.255.0 Outgoing access list 10 is set Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled Gateway Discovery is disabled IP accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Router#

46. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3 Monitoring Access List Statements Router> show access-lists Standard IP access list 19 permit 172.16.19.0 deny 0.0.0.0, wildcard bits 255.255.255.255 Standard IP access list 49 permit 172.16.31.0, wildcard bits 0.0.0.255 permit 172.16.194.0, wildcard bits 0.0.0.255 permit 172.16.195.0, wildcard bits 0.0.0.255 permit 172.16.196.0, wildcard bits 0.0.0.255 permit 172.16.197.0, wildcard bits 0.0.0.255 Extended IP access list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23 Type code access list 201 permit 0x6001 0x0000 Type code access list 202 permit 0x6004 0x0000 deny 0x0000 0xFFFF Router>

47. 2 Copyright © 1998, Cisco Systems, Inc. ICRC_revision_11.3