An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations.
One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies.
A packet is compared with the lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
Each of these rules has some powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists truly takes some practice.
Introduction to Access Lists
Once you create an access list, it’s not really going to do anything until you apply it. Yes, they’re there on the router, but they’re inactive until you tell that router what to do with them.
To use an access list as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you’ve got to specify which direction of traffic you want the access list applied to. There’s a good reason for this—you may want different controls in place for traffic leaving your enterprise destined for the Internet than you’d want for traffic coming into your enterprise from the Internet. So, by specifying the direction of traffic, you can—and frequently you’ll need to—use different access lists for inbound and outbound traffic on a single interface:
Inbound access lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface.
Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.
There are some general access-list guidelines that should be followed when you’re creating and implementing access lists on a router:
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
Extended Access Lists
An extended access list will hook you up. That’s because extended access lists allow you to specify source and destination address as well as the protocol and port number that identify the upper layer protocol or application. By using extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing specific hosts—or even specific services on those hosts.
Extended IP access lists filter network traffic by examining the source and destination IP address in a packet.
You create an extended IP access list by using the access-list numbers 100–199 or 2000–2699 (expanded range). Access-list types are generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 100–199 or 2000–2699, you’re telling the router that you want to create an extended IP access list.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it’s used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify 2 networks, then a block size of 4 would work. Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:
We create the access list on Router 2:
! Deny the single host-to-host flow, then permit everything else;
! without the permit, the implicit deny would drop all remaining traffic.
(config)# access-list 101 deny ip host 126.96.36.199 host 188.8.131.52
(config)# access-list 101 permit ip any any
(config)# interface fastethernet 1/0
(config-if)# ip access-group 101 out
For Telnet, we create the access list on Router 2:
! "eq 23" restricts the deny to Telnet; with no port qualifier the line
! would deny all TCP traffic to the host, not just Telnet.
(config)# access-list 102 deny tcp any host 10.1.23.3 eq 23
(config)# access-list 102 permit tcp any any
(config)# interface fastethernet 1/0
(config-if)# ip access-group 102 out
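As an added illustration (not code from the page or from Cisco), here is a small Python model of how a router walks a numbered extended access list: Cisco wildcard-mask matching, first-match-wins, and the implicit deny at the end. The sample list is constructed from the page's list 102 with an assumed `eq 23` qualifier so it matches only Telnet; the source address 10.1.12.1 used when exercising it is also assumed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _addr(t, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at token i; return (base, wildcard)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t, i):
    """Parse an optional numeric 'eq PORT' qualifier at token i."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse one entry: access-list N action proto src [eq p] dst [eq p]."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    ace = {"number": int(t[1]), "action": t[2], "proto": t[3]}
    ace["src"], i = _addr(t, 4)
    ace["sport"], i = _port(t, i)
    ace["dst"], i = _addr(t, i)
    ace["dport"], i = _port(t, i)
    return ace

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Walk the list top-down; first match decides, no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):          # 'ip' covers any protocol
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"

# Constructed sample: the page's list 102, restricted to Telnet with "eq 23".
ACL_102 = [parse_ace(line) for line in (
    "access-list 102 deny tcp any host 10.1.23.3 eq 23",
    "access-list 102 permit tcp any any",
)]
```

Calling `evaluate(ACL_102, "udp", "10.1.12.1", "10.1.23.3", dport=53)` returns "deny" even though no line names UDP, which is the implicit deny in action.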