Configuring Access Lists

Contents

Filtering IP packets

Setting up standard and extended IP access lists

Applying an access list to an interface

Extended access list examples

Filtering IP packets

Packet filtering helps control the movement of packets through the network. Such controls can restrict network traffic and limit network use by particular users or devices. To permit or deny packets on a specified interface, our routers provide access lists. An access list can be used to:

- control the forwarding of packets on an interface

- control access to the virtual terminal lines

- restrict the contents of routing updates

This section summarizes how to set up IP access lists and how to apply them.

An IP access list is an ordered collection of permit and deny conditions that apply to IP addresses. The ROS software in our routers tests an address against the conditions in the access list one at a time, in order. The first match determines whether the address is accepted or rejected. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no condition matches, the address is rejected.

Using an access list takes two steps:

First    Create the access list by specifying its name and its permit/deny conditions.

Second   Apply the access list to an interface.

The following sections describe these two steps in detail.

 

Setting up standard and extended IP access lists

An IP access list is identified by a name (a character string).

Notice: A standard access list and an extended access list cannot share the same name.

To create a standard access list, execute the following commands in global configuration mode:

Step   Command                                       Function
1      ip access-list standard name                  Define a standard IP access list called name and
                                                     enter standard access-list configuration mode.
2      deny {source [source-mask] | any} [log]       In standard access-list configuration mode, define
       permit {source [source-mask] | any} [log]     one or more permit and deny conditions. These
                                                     conditions decide whether a packet is passed or
                                                     dropped.
3      exit                                          Leave access-list configuration mode.

 

To create an extended access list, execute the following commands in global configuration mode:

Step   Command                                                   Function
1      ip access-list extended name                              Define an extended IP access list called name
                                                                 and enter extended access-list configuration
                                                                 mode.
2      {deny | permit} protocol source source-mask               In extended access-list configuration mode,
         destination destination-mask [precedence precedence]    define one or more permit and deny conditions.
         [tos tos] [established] [log]                           These conditions decide whether a packet is
       {deny | permit} protocol any any                          passed or dropped. precedence is the IP
                                                                 precedence (priority) of the packet; tos is
                                                                 its Type of Service.
3      exit                                                      Leave access-list configuration mode.

After an access list has been created, any entry added later (typed at the terminal) is appended to the end of the list. In other words, you cannot insert an entry at a chosen position within a named access list. You can, however, delete individual entries from a named access list with the commands "no permit ..." and "no deny ...".

Notice: When creating an access list, remember that every access list ends with an implicit "deny" entry by default: a packet that matches no entry is dropped. In addition, for a standard access list, if the mask is omitted after a host IP address, the mask 255.255.255.255 (a single host) is assumed.

After the access list has been created, it must be applied to a line or an interface, as described in the next section, "Applying an access list to an interface".

 

Applying an access list to an interface

After an access list has been created, it can be applied to one or more interfaces, in either direction (inbound or outbound).

Use the following command in interface configuration mode:

Command                               Function
ip access-group name {in | out}       Apply the access list to the interface in the given direction.

An access list can be applied to an interface for outgoing packets or for incoming packets. For a standard inbound access list, when a packet is received on the interface the software compares the packet's source address with the access list. For an extended access list, the router also checks the destination address (and the other fields the extended entries specify). If the access list accepts the packet, the software continues to process it. If the access list does not accept it, the software discards the packet and returns an ICMP host-unreachable message.

For a standard outbound access list, when a packet has been routed to the interface the software compares the packet's source address with the access list. For an extended access list, the router also checks the destination address. If the access list accepts the packet, the software transmits it. If the access list does not accept it, the software discards the packet and returns an ICMP host-unreachable message.

If the access list named in ip access-group does not exist, all packets are permitted. Check that the name given to ip access-group exactly matches an existing list; a mistyped name silently disables filtering on that interface.

 

Extended access list examples

In the following example, the first entry permits any incoming TCP connection to the network 130.2.0.0/16 whose destination port is greater than 1023. The second entry permits incoming TCP connections to the SMTP port (25) of the host 130.2.1.2. Every other packet falls through to the implicit deny at the end of the list.

ip access-list extended aaa

  permit tcp any 130.2.0.0 255.255.0.0 gt 1023

  permit tcp any 130.2.1.2 255.255.255.255 eq 25

interface ethernet 1/0

  ip access-group aaa in

 

Here is another example of an extended access list. Suppose a network is connected to the Internet, and you want any host on the Ethernet to be able to open TCP connections to any host on the Internet. You do not, however, want hosts on the Internet to open TCP connections to hosts on the Ethernet, except for connections to the SMTP port of the mail server.

An SMTP connection uses TCP port 25 at one end and a random TCP port at the other end, and the same pair of port numbers is used for the whole life of the connection. Mail packets arriving from the Internet have destination port 25; the outgoing packets have the port numbers reversed. Because the mail server behind the router always accepts mail connections on port 25, the incoming and outgoing services can be controlled independently. An access list can restrict incoming service as well as outgoing service.

In the following example, the Ethernet is the class B network 130.20.0.0 and the mail server's address is 130.20.1.2. The keyword "established" applies only to TCP and stands for an established connection: a TCP packet matches if its ACK or RST bit is set, which indicates that the packet belongs to an existing connection. Note that this is a test of flag bits only, not of connection state; a packet that arrives with the ACK bit set matches "established" even if no connection exists, so it does not block probes that set ACK. The list is applied inbound on the interface that receives traffic from the Internet (ethernet 1/0 here).

ip access-list extended aaa

  permit tcp any 130.20.0.0 255.255.0.0 established

  permit tcp any 130.20.1.2 255.255.255.255 eq 25

interface ethernet 1/0

  ip access-group aaa in
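The following Python program is an added example, not code from the router documentation or from the router's ROS software. It simulates the access-list semantics described under "Filtering IP packets" (entries tested in order, first match wins, implicit deny at the end, an omitted standard-list mask meaning a single host) and replays the "established" mail-server list above against constructed packets, including an ACK-only probe that the flag test lets through. Assumptions not stated on the page: masks are subnet masks whose 1 bits must match, the only port operators are "eq" and "gt" as in the examples, and the TCP flag values and the sample addresses are constructed for illustration.

```python
# Added example (not the vendor's code): simulator for the page's access-list
# semantics. Assumptions: subnet masks with 1 bits that must match, port
# operators "eq" and "gt" only, and "established" = TCP with ACK or RST set.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP_ACK = 0x10   # TCP header flag bits (constructed constants for the demo)
TCP_RST = 0x04
TCP_SYN = 0x02


def addr_matches(addr: str, network: str, mask: Optional[str]) -> bool:
    """'any' matches everything; an omitted mask means 255.255.255.255 (one host)."""
    if network == "any":
        return True
    mask = mask or "255.255.255.255"
    a, n, m = (int(IPv4Address(x)) for x in (addr, network, mask))
    return (a & m) == (n & m)


def port_matches(port: Optional[int], op: Optional[str], value: Optional[int]) -> bool:
    """Destination-port test; no operator means the port is not inspected."""
    if op is None:
        return True
    if port is None:
        return False
    return {"eq": port == value, "gt": port > value}[op]


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # "ip" matches any protocol (standard lists)
    src: str = "any"
    src_mask: Optional[str] = None
    dst: str = "any"
    dst_mask: Optional[str] = None
    dst_op: Optional[str] = None      # "eq" or "gt" on the destination port
    dst_port: Optional[int] = None
    established: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not addr_matches(pkt["src"], self.src, self.src_mask):
            return False
        if not addr_matches(pkt["dst"], self.dst, self.dst_mask):
            return False
        if not port_matches(pkt.get("dport"), self.dst_op, self.dst_port):
            return False
        if self.established:
            # Flag test only, no connection state: ACK or RST set counts as
            # "belonging to an existing connection".
            return pkt["proto"] == "tcp" and bool(pkt.get("flags", 0) & (TCP_ACK | TCP_RST))
        return True


def evaluate(acl: list, pkt: dict):
    """First matching entry decides. Returns (action, index); index None means
    the packet matched nothing and hit the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def pkt(proto, src, dst, dport=None, flags=0):
    """Constructed packet summary holding only the fields the list inspects."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "flags": flags}


# The page's second extended list "aaa" (130.20.0.0/16 behind the router).
AAA = [
    Rule("permit", "tcp", dst="130.20.0.0", dst_mask="255.255.0.0", established=True),
    Rule("permit", "tcp", dst="130.20.1.2", dst_mask="255.255.255.255", dst_op="eq", dst_port=25),
]

# A standard list with constructed addresses: host entry with omitted mask
# placed before a network entry, to show that order decides the outcome.
STD = [
    Rule("deny", src="10.0.0.5"),
    Rule("permit", src="10.0.0.0", src_mask="255.0.0.0"),
]

if __name__ == "__main__":
    inbound = [
        ("new TCP SYN to web port", pkt("tcp", "198.51.100.7", "130.20.5.9", 80, TCP_SYN)),
        ("SYN/ACK reply to a client", pkt("tcp", "198.51.100.7", "130.20.5.9", 40001, TCP_SYN | TCP_ACK)),
        ("new SMTP connection", pkt("tcp", "198.51.100.7", "130.20.1.2", 25, TCP_SYN)),
        ("UDP to port 25", pkt("udp", "198.51.100.7", "130.20.1.2", 25)),
        ("ACK-only probe to ssh", pkt("tcp", "198.51.100.7", "130.20.5.9", 22, TCP_ACK)),
    ]
    for label, p in inbound:
        print(f"{label:28s} -> {evaluate(AAA, p)}")
    print("STD as written  ->", evaluate(STD, pkt("ip", "10.0.0.5", "10.1.1.1")))
    print("STD reversed    ->", evaluate(STD[::-1], pkt("ip", "10.0.0.5", "10.1.1.1")))
```

Running the script shows the new SYN to port 80 and the UDP packet hitting the implicit deny, the SYN/ACK and the SMTP SYN being permitted by the first and second entries respectively, and the ACK-only probe being permitted by the "established" entry, which is the flag-only limitation noted above. Reversing STD changes the verdict for 10.0.0.5 from deny to permit, which is why entry order must be planned before the list is typed, given that later entries can only be appended.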