Application of CiscoIOS access list

Source: Internet
Author: User
Cisco IOS software runs on a wide range of Cisco routers. It provides QoS, VPN, security and management functions and is popular with network administrators; for small and medium-sized enterprises that connect their local networks to the Internet through a router it brings a great deal of convenience. In Cisco IOS, the access list (access-list) is an important function. An access list is an ordered set of statements. Based on the information carried in each packet, it determines whether the packet is allowed through an interface; access-list parameters also specify how a matched packet is handled.

Access List Function

---- When an access list processes a packet, its statements are evaluated sequentially from top to bottom until a matching condition is found; the remaining statements are not examined. For this reason the order of the statements in an access list is very important, as explained later in this article.

---- An access list by itself is only a string of statements stored in the router's memory. An access list is created for a router interface, and its statements act on the packets passing through that interface: they allow or block packets that meet certain conditions. In an access list the interface can also be a specific line or device. Interfaces are generally identified by number.

---- Another important issue in an access list is the interface direction: an access list can be applied inbound or outbound. The figure shows a router with one serial port and two Ethernet ports. On each port, the arrow pointing out of the router indicates the outbound direction and the arrow pointing into the router indicates the inbound direction. In the figure, S0, E0 and E1 represent serial port 0, Ethernet port 0 and Ethernet port 1 respectively. From this, we obtain access list rules 1 and 2.



Standard IP Access List

---- Cisco routers support two types of access lists: standard access lists and extended access lists. Like other network vendors, Cisco router products support multiple network protocols. Because IP is the protocol used in most networks, especially LANs, this article covers only IP access lists.

---- The function of a standard IP access list is limited, because it can only filter packets by their source address. If you need to filter by application (port), or by a combination of the items above, you must use an extended access list. Based on this classification, we can summarize access list rules 3 and 4.

---- (1) Standard IP access list format

---- The format of a standard IP access list statement is as follows:

---- access-list [list number] [permit | deny] [source address] [wildcard mask] [log]

---- The keywords and parameters of a standard IP access list are explained below. First, there must be a hyphen "-" between the two keywords "access" and "list". Second, the list number lies in the range 0 to 99, which tells Cisco IOS that the access-list statement is a standard IP access list statement. The list number parameter therefore has two functions: (1) it defines the type of the access list, and (2) it tells IOS to treat every access-list statement carrying the same list number as part of the same list. As discussed later in this article, extended IP access lists also use a list number, in the range 100 to 199. Therefore, when creating an access list you must also follow an important rule: select the list number parameter that matches the type of access list you are building.

---- (2) Allowing and denying packets

---- In a standard IP access list, a permit statement lets packets that match the statement pass through the interface, while a deny statement filters out packets that match the statement. The source address is the IP address of a host; by combining it with different wildcard masks you can specify a single host or a whole range of hosts.

---- Here is an example to better understand the roles of the IP address and the wildcard mask. Assume that a branch of your company has the class C network address 192.46.28.0, and that every branch must access the Internet through the headquarters router. To achieve this, you can use the wildcard mask 0.0.0.255: because the last octet of a class C address represents the host, setting all of its bits to 1 allows every host on the branch network to pass through the headquarters router. The access-list statement in your standard IP access list is therefore:

---- access-list 1 permit 192.46.28.0 0.0.0.255

---- Note that the wildcard mask is the complement of the subnet mask. Therefore, if you are a network expert, you can first determine the subnet mask and then convert it into the wildcard mask. Here we can add another rule, access list rule 5.

---- (3) Specifying a single host

---- To specify a single host, add the wildcard mask 0.0.0.0. For example, to allow packets from the IP address 192.46.27.7 to pass through, you can use the following statement:

---- access-list 1 permit 192.46.27.7 0.0.0.0

---- In a Cisco access list, in addition to using the wildcard mask 0.0.0.0 to specify a single host, you can also use the "host" keyword. For example, to allow packets from the IP address 192.46.27.7 to pass through, you can use the following statement:

---- access-list 1 permit host 192.46.27.7

---- The keyword "host" stands for the wildcard mask 0.0.0.0. The keyword "any" is an abbreviation for the source address 0.0.0.0 with the wildcard mask 255.255.255.255. For example, to reject packets from a site whose IP address is 192.46.27.8, you can add the following statements to the access list:

---- access-list 1 deny host 192.46.27.8

---- access-list 1 permit any

---- Note the order of the two statements above. The first statement filters out packets from the source address 192.46.27.8, and the second allows packets from any source address to pass through the interface to which the access list is applied. If you reverse the order of these statements, packets from 192.46.27.8 can no longer be blocked, because access list statements are executed in order from top to bottom. In that case, if the first statement is:

---- access-list 1 permit any

---- then packets from any source address pass through the interface and the deny statement is never reached. From this we get rule 6.

---- (4) The implicit deny

---- By default, unless explicitly specified otherwise, an access list blocks all packets; that is, at the end of every access list there is an implicit "deny any" statement. Take the standard IP access list above: from the router's point of view, the actual content of this list is as follows:

---- access-list 1 deny host 192.46.27.8

---- access-list 1 permit any

---- access-list 1 deny any

---- In the above example the second statement explicitly allows any packet to pass, so the implicit deny statement has no effect, but this is not always the case. For example, if you want packets from the source addresses 192.46.27.8 and 192.46.27.12 to pass through the router interface and all other packets to be blocked, the access list is as follows:

---- access-list 1 permit host 192.46.27.8

---- access-list 1 permit host 192.46.27.12

---- Note that because the implicit deny is automatically included at the end of every access list, no explicit deny statement is needed here. This gives rule 7.

---- By the way, we should also discuss the "log" parameter of the standard IP access list, which enables logging. Once an access list statement contains the keyword "log", packets matching that statement are recorded under both the "permit" and the "deny" condition. The first packet arriving on the interface that matches the statement generates a log message immediately; subsequent matching packets are logged according to the configured logging mode, and the logs can be displayed on the console or kept in memory. You can select the logging method with Cisco IOS console commands.

Extended IP Access List

---- An extended IP access list adds a great deal of function and flexibility to packet filtering. In addition to filtering by source and destination address, you can filter by protocol, source port and destination port, and even by various options that read and compare certain fields of the packet. The general format of an extended IP access list statement is as follows:

---- access-list [list number] [permit | deny]

---- [protocol | protocol keyword]

---- [source address source-wildcard mask] [source port]

---- [destination address destination-wildcard mask]

---- [destination port] [log options]

---- As with a standard IP access list, the "list number" identifies the access list; the numbers 100 to 199 identify 100 unique extended IP access lists. "Protocol" determines the protocol to be filtered, including IP, TCP, UDP and ICMP.

---- Reviewing how a packet is formed explains why the protocol affects packet filtering, and why this can sometimes cause side effects. The figure shows how a packet is formed. Note that application data is usually prefixed at the transport layer with a header, which can be a TCP or UDP header; this header identifies the application. As the data moves down the protocol stack, the network layer adds an IP header containing the address information.



---- Because the IP header carries TCP, UDP, routing protocol and ICMP traffic, in an access list the IP protocol level is broader than the other protocols: a statement that matches "ip" also matches the TCP, UDP and ICMP packets carried inside IP, whereas a statement for a specific protocol matches only that protocol. Therefore rule 8 must be added.

---- Two extended IP access list statements are shown below to better illustrate this rule. Suppose we want to block TCP traffic to the server whose IP address is 192.78.46.8 and allow traffic of other protocols to reach this server. Do the following access list statements meet this requirement?

---- access-list 101 permit ip any host 192.78.46.8

---- access-list 101 deny tcp any host 192.78.46.12

---- The answer is no. The first statement permits all IP traffic, which includes TCP traffic, to the specified host, so the second statement never takes effect. However, if you change the order of the preceding two statements
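As an added example that is not part of the original article, the following Python script models the matching rules described above: the wildcard mask as the complement of the subnet mask, first-match evaluation from top to bottom, the implicit deny at the end of every list, and the fact that an "ip" statement also matches the TCP, UDP and ICMP packets carried inside IP. The access lists and packet addresses in it are constructed for illustration; the extended example uses a single server address so that the ordering effect is directly visible.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # what the "any" keyword expands to

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard mask is the bitwise complement of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must equal the base address bit."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD' (wildcard defaults to 0.0.0.0)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0) if tokens else "0.0.0.0")

def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny ...' lines in order: 1-99 standard, 100-199 extended."""
    entries = []
    for line in text.strip().splitlines():
        tok = [t for t in line.split() if t != "log"]  # 'log' does not affect matching
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if num <= 99:  # standard list: source address only
            entries.append((action, "ip", _parse_addr(rest), ANY))
        else:          # extended list: protocol, source, destination
            proto = rest.pop(0)
            entries.append((action, proto, _parse_addr(rest), _parse_addr(rest)))
    return entries

def evaluate(entries: list, src: str, dst: str, proto: str = "ip") -> str:
    """First match wins, top to bottom; a packet matching nothing hits the implicit 'deny any'."""
    for action, eproto, (sb, sw), (db, dw) in entries:
        proto_ok = eproto == "ip" or eproto == proto  # an 'ip' entry also covers tcp/udp/icmp
        if proto_ok and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed sample lists (not from the article) showing both ordering pitfalls.
STANDARD_RIGHT = "access-list 1 deny host 192.46.27.8\naccess-list 1 permit any"
STANDARD_WRONG = "access-list 1 permit any\naccess-list 1 deny host 192.46.27.8"
EXTENDED_WRONG = "access-list 101 permit ip any host 192.78.46.8\naccess-list 101 deny tcp any host 192.78.46.8"
EXTENDED_RIGHT = "access-list 101 deny tcp any host 192.78.46.8\naccess-list 101 permit ip any host 192.78.46.8"
```

Calling `evaluate(parse_acl(EXTENDED_WRONG), "10.1.1.1", "192.78.46.8", "tcp")` returns "permit" while the same packet against `EXTENDED_RIGHT` returns "deny", which is the side effect the article describes.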