Cisco® CCNP Route Exam Notes : Configure And Verify Router Security Features

5. Infrastructure Security

5.5 Configure and verify router security features

The access control list features enable to filter traffic depends on the information in an IP packet header. You can use the access control list on IPv4 as well as IPv6. You can configure the access list on the layer 3 switch or router to offer the basic security for the network. Suppose you did not configure the ACL, all the packets which flowing via the switch can be allowed in all parts of a network.

5.5.a IPv4 access control lists (standard, extended, time-based)

IP access lists are a sequential list of permit and deny conditions that apply to IP addresses or upper-layer protocols. Access Control Lists are used in routers to identify and control traffic.

There are three types of IP access lists:

1. Standard IP Access Lists:

This is the command syntax format of a standard ACL.

access-list <access-list-number> {permit|deny}{host|source source-wildcard|any}

Keep in mind that:

1. Place standard access lists as near the destination as possible and extended access lists as close to the source as possible.

2. Access lists have an implicit deny at the end of them automatically. Because of this, an access list should have at least one permit statement in it; otherwise the access list will block all remaining traffic.

3. Access lists applied to interfaces default to outbound if no direction is specified.

2. Extended IP Access Lists: Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.

In all software releases, the access-list-number can be 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. IP Named ACLsIP Extended Access lists have the format,

access-list {number} {permit or deny} {protocol} {source} {destination} {port}

With extended IP access lists, we can act on any of the following:

Source address 
Destination address 
IP protocol (TCP, ICMP, UDP, etc.) 
Port information (WWW, DNS, FTP, etc.)

As seen from the syntax, the source ip address precedes the destination. Extended access lists are applied close to source where as standard access lists are applied close to destination.

The permitted numbers for some important access-lists are:

  • 1-99 : IP standard access list
  • 100-199 :IP extended access list
  • 800-899 : IPX standard access list
  • 900-999 : IPX extended access list
  • 1000-1099 : IPX SAP access list
  • 1100-1199 : Extended 48-bit MAC address access list

Using a named access list just replaces the number used when applying the list to the router's interface

Wild card masking: Wild card masking is used to permit or deny a group of addresses. For example, if we have a source address and want all the hosts on the last octet to be considered, we use a wild card mask,

Special cases: Host is same as with a wild card mask of, considers only specified IP.

Any is equivalent to saying with a wild card mask of This means none of the bits really matter. All IP addresses need to be considered for meeting the criteria

We can use the statement access-list <access-list #> [permit/deny] [protocol] host <source-ip-address> <destination-ip-address> <destination-wildcard-mask>

To permit or deny a specific host from accessing a network.

Note: if we use "host" command, source wild card mask is not required.

Access lists are primarily used for two purposes:

1. Controlling traffic through a router, and

2. Controlling VTY access to a router's VTY ports

An example configuration for extended ACL is given below. Note that www is a TCP protocol.

access-list 100 deny tcp host host eq www
access-list 100 permit ip any any

interface fastEthernet 0/0
ip access-group 100 in

Observe that the command "ip access-group 100 in" applies the access list to the interface fastethernet 0/0

3. Named ACLs : The standard and extended ACLs to be given names instead of numbers.

Numbered Access List have a major disadvantage, which is the ability to edit specific lines in the access-list. Unfortunately the only way to do that is to edit the lines in a text editor and completely remove and re-add the ACL. Named ACL's also have a big advantage of being descriptive in the name such as an ACL named "Deny_Telnet" its quite obvious that that ACL would be for denying telnet access.

This is the command syntax format for IP named ACLs

ip access-list {extended|standard} <name>

The following commands can be used to view access lists:

sh ip access-list

Given below are the sequence of commands that are used for configuring named access lists:

1. enable

2. configure terminal

3. ip access-list extended <name> 

4. deny protocol [source source-wildcard] {any | host {address | name} {destination [destination-wildcard] {any | host {address | name} [log]

5. permit protocol [source source-wildcard] {any | host {address | name} {destination [destination-wildcard] {any | host {address | name} | object-group object-group-name} [log]

The necessary configuration steps for doing the same are as given below:

R1#configure terminal 
Enter into global configuration mode
R1(config)#ip access-list extended
R1(config-ext-acl)#deny icmp host 
R1(config-ext-acl)#permit ip any any 

Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an "deny all" command at the end of each ACL.

The following are the key similarities and differences between ipv4 and ipv6 ACLs:

1. IPv4 uses both numbered and named access lists whereas IPv6 uses named access lists only.

2. IPv4 ACLs are typically written as a sequence of permit statements that include an implicit deny clause as their last line. Although this implicit deny is also present on IOS IPv6 ACLs, note the following:

  • There are other implicit permit statements designed to allow two of the main Neighbor Discovery (ND) messages: permit icmp any any nd-na (which handles Neighbor Advertisement messages) and permit icmp any any nd-ns (which takes cares of Neighbor Solicitation messages).
  • If your environment requires Router Advertisement (RA) and Router Solicitation (RS) messages to be allowed, these lines will need to be configured explicitily (in the same way as the regular permits).
  • In the event you add an explicit deny as the last line of the ipv6 ACL, this statement will take precedence over the implicit permits earlier described (for nd-na and nd-ns).
  • Both ipv4 and IPv6 ACLs can match on specific values unique to ipv4 and ipv6 header respectively. Note that Ipv4 can not match values on IPv6 header and vice versa.
  • IPv4 ACLs can match only on IPv4 packets, and IPv6 ACLs can match only on Ipv6 packets.

Previous   Contents   Next

CCNP Route Cram Notes Contents
certexams ad

simulationexams ad