RouterGod Celebrity Lecture Series
Don King Explains IP Extended Access Lists
Here at RouterGod Online Magazine we are philosophically opposed to access lists. Access lists are a sneaky, underhanded way to grant some packets special rights while denying other packets those same rights. Sometimes packets are discriminated against because "they don't have the right address" or are from an undesirable subnet. Sometimes perfectly good packets are discriminated against because of the "wrong protocol or port" or they come from an undesirable interface. Packets that hit a repressive ACL are treated like garbage and dropped unceremoniously. This causes the network infrastructure to suffer from low self-esteem and poor morale. But the harsh reality is that Cisco continues this evil practice and it is our duty to point out injustice where we find it. So to lecture on the basics of IP Extended Access Lists we present world famous boxing promoter Don King:
"Only in America!"
Don King at Networkers.
"This is me on the David Letterman show, but I like Jay Leno better"
"Man I love Cisco!"
"Believe it or not, I cut my own hair!"
My, my, my...Just look at all of you. Bright, shiny faces filled with hope and enthusiasm, wanting to learn about access lists and how they work. Well I'm here to explain how access lists work, IP extended access lists in particular. What goes on inside of a Cisco router is not always pretty and some of you may want to leave the room during the lecture and that's OK. The inner machinations of a router can be most puzzling but I will not obfuscate, prevaricate or denigrate and you have my solemn word on that!
Think of a router as a boxing ring. A boxing ring into which 2 packets will enter, with only one to leave victorious. Imagine the pugilistic majesty as 2 noble packets do battle. Which packet will win? How long will this epic struggle take? Will the winning packet, even though victorious, suffer injury and not be able to continue his journey?
These brave packets enter the router knowing how important victory is. For it is their desire to move up to bigger and more impressive routers, until they reach the core router. Each packet has its own unique strengths: one packet might be bigger than his opponent, one packet might have an impressive source IP address. Thousands of other packets will observe this spectacle from the safety of the input and output buffers. Another night of wonderful entertainment is on hand and many have placed bets on the outcome. But there is something that the unwitting public is unaware of. The fight is fixed!
Yes, I too reel in horror at the very notion that things may not be on the "up and up"...Who would do such a thing? What vile, reprehensible, low down, no good villain would seek to alter the outcome of our noble sport? Well as God is my witness, the Network Administrator did it!
Why did he do such a dastardly, despicable deed? Who can say what goes on in the dark, depraved mind of a Network Administrator? Perhaps he likes to play God and control the destinies of these fine, upstanding packets? Perhaps he simply dislikes these innocent packets and wants to do them harm...I cannot attest to his ignominious, unscrupulous and disingenuous motivation but I can tell you how he did it. He committed this atrocity with an access list!
You see, every packet has unique attributes, such as where it is from and where it is going. It has other attributes such as its protocol, address and port. The router positions a big burly bouncer by the door and he remembers what interface the packet entered the router from. All of these attributes can be used to permit or deny the packet from enjoying liberty and freedom. I will show you how to configure the router to filter packets but I urge you not to take part in such nefarious shenanigans. In fact, whenever you find an access list in a router's configuration, please remove it. It's the decent thing to do.
An IP extended access list is a series of statements that are created in global mode. Each statement is a test that each packet is subjected to. Each statement contains the keyword permit or deny. When a packet is being tested by an access list statement 3 things can happen:
Here are some more horrific details to keep in mind: the access list is a series of statements, and the router starts from the top and works downward, testing the packet against each one. If the packet is really lucky, he hits a permit statement and goes on his merry way. If the packet does not match the arguments on one line, he is sent downward to the next line, and if he does not match those arguments either, he is sent down to be tested by the line after that. After the packet is subjected to 2 or 3 lines in an access list without a match, he starts to get worried. Just before the packet is sent to the final line in an access list something unusual happens to the packet: he starts to say his prayers...
The packet is saying his prayers because he knows he's doomed. If the last line in the access list does not match his attributes exactly and contain the word permit, the router will murder the packet and we will never hear from that packet again. This inhumane policy is what Cisco euphemistically calls the "Implied Deny Any" statement.
Say you're at your girlfriend's place and you and she are lying in bed watching TV. She lives in one of those tall buildings in New York City and suddenly her husband comes home. You grab your clothes and haul ass down the fire escape on the outside of the building. You are climbing down the ladder at the bottom of the fire escape to the alley below, one rung at a time, until you realize that you are on the last rung and the street is still 50 feet below you. Now you know how that packet must've felt!
If you put a statement at the end of your access list that permits any packet from anywhere going to anywhere, that will put an end to this senseless killing:
access-list 100 permit ip any any
Before we get down to the actual configuration, here are some things to remember. Access lists are created globally but applied at the actual interface you want to filter on. At the interface they can be applied to incoming packets or outgoing packets. Applying the access list to incoming packets causes a little more work for the router's processor. You can only apply 1 list per protocol per interface per direction. Access lists are often called by other IOS functions, and the extended access list is most effective when applied as near as possible to the source of the packets that you want to deny. Access lists can also take into account the time of day for increased functionality.
All access lists start out with the term access-list followed by the group number of the access list. IP extended access lists are numbered from 100 to 199. The next term in an access list is permit or deny. The next term is the protocol the access list statement deals with. Next is the source address and wildcard mask and destination address and wildcard mask. A wildcard mask is a backwards subnet mask where, when you convert the mask to binary, the "1" bits represent the bit positions in the address to ignore. Maybe I should show you an IP address with a wildcard mask:
The 255 in the last octet of the wildcard mask tells the access list to ignore the last 8 bits of the IP address. So this means that any value in the last octet would be accepted by the access list.
So here's a simple IP extended access list:
access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
The above line allows the 172.16 network to reach the 172.17 network using IP. If you want to be permissive and allow everybody you can substitute the word any for the IP address. Say we want to allow all clients to reach a certain network:
access-list 175 permit ip any 172.28.2.0 0.0.0.255
You can also specify a specific host in your list by using the word host. Access lists are processed from top down so be careful about the order in which your statements appear. When you are writing an access list for TCP you can append the port number or service on the end of your list by using the equal or eq keyword:
access-list 121 permit tcp any host 172.22.230.2 eq www
The above list allows anybody to access the web server at 172.22.230.2.
To apply your access list you go to the interface and use the ip access-group command and specify the direction you want the filtering to take place:
ip access-group 121 in
Remember the access-list and access-group commands must use the same number for it to work.
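The top-down walk, the wildcard mask and the "Implied Deny Any" described above can be watched in action with a small evaluator. The following Python program is an added example written for this lecture; it is not part of the original article and is not anything Cisco ships. It parses the two statements quoted above (renumbered into one list, 121, since a list is identified by its number), compares addresses bit by bit using the wildcard mask, and runs a few sample packets through the list with and without a trailing permit ip any any. The renumbering, the PORT_NAMES table, the Packet and Entry types and all sample traffic are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: the two statements quoted in the lecture,
# carried into one list (121). The evaluator walks these lines top-down.
ACL_TEXT = """
access-list 121 permit tcp any host 172.22.230.2 eq www
access-list 121 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
"""

# Assumed subset of the service names IOS accepts after "eq".
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, otherwise must equal the packet's
    src: Tuple[str, str]   # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int]   # destination port given with "eq", or None

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base in every bit the wildcard mask sets to 0.
    A 1 bit in the wildcard means "ignore this bit", the reverse of a subnet mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def parse_address(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1   # ignore all 32 bits
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2        # match all 32 bits
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text: str) -> Tuple[int, List[Entry]]:
    """Parse numbered extended-ACL lines in IOS syntax; returns (list number, entries)."""
    number, entries = None, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num = int(t[1])
        if not 100 <= num <= 199:
            raise ValueError(f"{num}: IP extended access lists are numbered 100-199")
        if number not in (None, num):
            raise ValueError("every statement of one list must carry the same number")
        number = num
        action, proto = t[2], t[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        src, i = parse_address(t, 4)
        dst, i = parse_address(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append(Entry(action, proto, src, dst, dport))
    return number, entries

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down: the first statement whose every argument matches decides.
    No match at all falls through to the 'Implied Deny Any', reported as line None."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None

if __name__ == "__main__":
    # Sample traffic constructed for this example.
    samples = [
        Packet("10.1.1.1", "172.22.230.2", "tcp", 80),   # web to the server: line 1 permits
        Packet("10.1.1.1", "172.22.230.2", "tcp", 23),   # telnet: no line matches
        Packet("172.16.5.5", "172.17.9.9", "icmp"),      # 172.16 -> 172.17: line 2 permits
        Packet("172.16.5.5", "10.0.0.1", "icmp"),        # falls off the end of the list
    ]
    for text, label in ((ACL_TEXT, "as written"),
                        (ACL_TEXT + "access-list 121 permit ip any any\n", "with permit ip any any")):
        _, entries = parse_acl(text)
        print(f"--- list 121 {label} ---")
        for pkt in samples:
            port = pkt.dport if pkt.dport is not None else ""
            print(f"{pkt.src:>12} -> {pkt.dst:<13} {pkt.proto:<4} {port!s:<3} => {evaluate(entries, pkt)}")
```

Run it with python3 and each sample packet is printed with the verdict and the line number that produced it; a line number of None is the packet that reached the last rung of the fire escape. The second pass shows that a final permit ip any any only changes the fate of packets that matched nothing above it: the telnet attempt is still caught by nothing specific, so it is now let through, which is exactly why that line deserves care.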
Copyright 2000 - 2005 RouterGod Online Magazine