Configuring Access Lists
Contents:
Setting up standard and extended IP access lists
Applying the access list to the interface
Examples of the extended access list
Packet filtering helps control the movement of packets through the network. Such controls can limit network traffic and restrict network use by particular users or devices. To permit or discard packets on a designated interface, the router provides access lists. An access list can be used for:
- Controlling the transmission of packets on an interface
- Controlling access to the virtual terminal lines
- Limiting the contents of the routing updates sent by the router
An IP access list is an ordered collection of permit and deny conditions that apply to IP addresses. The router's ROS software tests an address against the rules of the access list one by one. The first match decides whether the software accepts or denies the address. Because the software stops testing rules after the first match, the order of the conditions is important. If no rule matches, the address is denied.
Two steps are needed to use an access list:
First, set up the access list by specifying its name and the access conditions.
Second, apply the access list to an interface.
Setting up standard and extended IP access lists
An IP access list is identified by a character string, its name.
Notice: A standard access list and an extended access list cannot use the same name.
To set up a standard access list, execute the following commands in global configuration mode:
Step | Command | Function
1 | ip access-list standard name | Defines a standard IP access list called name.
2 | deny {source [source-mask] | any} [log] or permit {source [source-mask] | any} [log] | In standard access list configuration mode, defines one or more permit and deny conditions, which decide whether a packet can pass.
3 | exit | Exits access list configuration mode.
To set up an extended access list, execute the following commands in global configuration mode:
Step | Command | Function
1 | ip access-list extended name | Defines an extended IP access list called name.
2 | {deny | permit} protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [established] [log] or {deny | permit} protocol any any | In extended access list configuration mode, defines one or more permit and deny conditions, which decide whether a packet can pass (precedence is the IP packet priority; TOS is the Type of Service).
3 | exit | Exits access list configuration mode.
After an access list has been set up, any entry added later (typed at the terminal) is appended to the end of the list. In other words, you cannot insert a rule at a chosen position in the designated access list. You can, however, use the commands "no permit" and "no deny" to delete entries from a named access list.
Notice: When setting up an access list, remember that an implicit "deny" statement is contained at the end of every access list by default. Moreover, in a standard access list, if the mask is omitted from a host IP address, the mask is assumed to be 255.255.255.255.
After the access list is set up, it must be applied to a line or interface, as described in the next section, "Applying the access list to the interface".
Applying the access list to the interface
After the access list is set up, it can be applied to one or more interfaces, in either of the two directions (inbound or outbound).
Use the following command in interface configuration mode:
Command | Function
ip access-group name {in | out} | Applies the access list to the interface.
An access list can be applied either to the outgoing side or to the incoming side of an interface. For a standard inbound access list, when the router receives a packet it checks the packet's source address against the access list. For an extended access list, the router also checks the destination address. If the access list accepts the address, the software continues to process the packet. If the access list does not accept the address, the software discards the packet and returns an ICMP "Host Unreachable" message.
For a standard outbound access list, after the router receives a packet and routes it to the interface, the software checks the packet's source address against the access list. For an extended access list, the router also checks the destination address. If the access list permits the address, the software transmits the packet. If the access list does not permit the address, the software discards the packet and returns an ICMP "Host Unreachable" message.
If the access list named on the interface does not exist, all packets are allowed to pass.
Examples of the extended access list
In the following example, the first line permits any incoming TCP connection to a destination port greater than 1023 on network 130.2.0.0. The second line permits incoming TCP connections to the SMTP port of host 130.2.1.2.
ip access-list extended aaa
permit tcp any 130.2.0.0 255.255.0.0 gt 1023
permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface ethernet 1/0
ip access-group aaa in
Here is another example of an extended access list. Suppose a network is connected to the Internet, and you want any host on the Ethernet to be able to establish a TCP connection to any host on the Internet. However, you do not want hosts on the Internet to establish TCP connections to hosts on the Ethernet, except for connections to the SMTP port of the mail server.
An SMTP connection uses TCP port 25 at one end and a random TCP port at the other end. The same two port numbers are used for the whole life of the connection. Mail packets arriving from the Internet have destination port 25; the outgoing packets have the port numbers reversed. Because the secure system behind the router always accepts mail connections on port 25, the incoming service and the outgoing service can be controlled independently. The access list can configure not only the outgoing service but the incoming service as well.
In the following example, the Ethernet is a class B network with the address 130.20.0.0, and the mail server's address is 130.20.1.2. The keyword "established" applies only to the TCP protocol and stands for an established connection: a match occurs if the TCP packet has the ACK or RST bit set, showing that the packet belongs to an existing connection.
ip access-list extended aaa
permit tcp any 130.20.0.0 255.255.0.0 established
permit tcp any 130.20.1.2 255.255.255.255 eq 25
interface ethernet 1/0
ip access-group aaa in
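The first-match and implicit-deny rules described at the start of this page, and the "established" example above, can be checked with a small evaluator for the page's access-list syntax. This is an added example written for this page, not the router's ROS software. It assumes the conventions the page uses: subnet-style masks such as 255.255.0.0, an omitted mask meaning a single host, the eq/gt destination-port tests seen in the examples, and "established" meaning the ACK or RST bit is set. The packets, the list name bbb and the outside address 198.51.100.7 are constructed for the demonstration.

```python
"""Toy evaluator for the named access-list syntax used on this page (added
example, not the router vendor's software). It models only what the text
states: rules are tested in order, the first match decides, an unmatched
packet meets the implicit "deny", a standard list tests the source only, and
an extended list also tests protocol, destination, an optional eq/gt
destination-port test and "established" (ACK or RST set).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "0.0.0.0")  # network/mask pair matched by every address

@dataclass
class Packet:  # constructed packet fields; no real traffic is involved
    src: str
    dst: str
    proto: str = "ip"
    dport: int = 0
    ack_or_rst: bool = False  # set on packets of an existing TCP connection

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str = "ip"  # "ip" matches every protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    port_op: Optional[str] = None  # "eq" or "gt" on the destination port
    port: int = 0
    established: bool = False

def _in_net(addr: str, net: str, mask: str) -> bool:
    """True if addr lies inside net/mask (mask written as a subnet mask)."""
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m

def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' or 'address [mask]' at t[i]; return the pair and next index."""
    if t[i] == "any":
        return ANY, i + 1
    if i + 1 < len(t) and t[i + 1][0].isdigit() and "." in t[i + 1]:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "255.255.255.255"), i + 1  # omitted mask: a single host

def parse_acl(text: str) -> List[Rule]:
    """Parse 'ip access-list standard|extended NAME' plus its rule lines."""
    lines = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    kind, rules = lines[0][2], []
    for t in lines[1:]:
        r = Rule(action=t[0])
        if kind == "standard":
            r.src, i = _parse_addr(t, 1)
        else:
            r.proto = t[1]
            r.src, i = _parse_addr(t, 2)
            r.dst, i = _parse_addr(t, i)
            while i < len(t):
                if t[i] in ("eq", "gt"):
                    r.port_op, r.port, i = t[i], int(t[i + 1]), i + 2
                elif t[i] == "established":
                    r.established, i = True, i + 1
                else:
                    i += 1  # log, precedence, tos: accepted but not modelled
        rules.append(r)
    return rules

def _matches(r: Rule, p: Packet) -> bool:
    return (
        r.proto in ("ip", p.proto)
        and _in_net(p.src, *r.src) and _in_net(p.dst, *r.dst)
        and (r.port_op != "eq" or p.dport == r.port)
        and (r.port_op != "gt" or p.dport > r.port)
        and (not r.established or p.ack_or_rst)
    )

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; an unmatched packet meets the implicit deny."""
    for r in rules:
        if _matches(r, p):
            return r.action
    return "deny"

def extended_demo() -> dict:
    """The page's second example, applied inbound, against constructed packets."""
    rules = parse_acl("""ip access-list extended aaa
        permit tcp any 130.20.0.0 255.255.0.0 established
        permit tcp any 130.20.1.2 255.255.255.255 eq 25""")
    outside = "198.51.100.7"  # constructed Internet address
    cases = {
        "reply to a connection opened from inside": Packet(outside, "130.20.5.9", "tcp", 40000, True),
        "new SMTP connection to the mail server": Packet(outside, "130.20.1.2", "tcp", 25),
        "new SMTP connection to another inside host": Packet(outside, "130.20.5.9", "tcp", 25),
        "new connection to port 80 on the mail server": Packet(outside, "130.20.1.2", "tcp", 80),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}

def ordering_demo() -> Tuple[str, str, str]:
    """Standard lists: swapping two rules changes the verdict for the host."""
    deny_first = "ip access-list standard bbb\ndeny 130.20.1.2\npermit 130.20.0.0 255.255.0.0"
    permit_first = "ip access-list standard bbb\npermit 130.20.0.0 255.255.0.0\ndeny 130.20.1.2"
    host, outsider = Packet("130.20.1.2", "10.0.0.1"), Packet("192.0.2.9", "10.0.0.1")
    r1, r2 = parse_acl(deny_first), parse_acl(permit_first)
    return evaluate(r1, host), evaluate(r2, host), evaluate(r1, outsider)
```

Calling extended_demo() shows that only the reply packet (ACK set) and the new connection to port 25 of the mail server are permitted; a new SMTP connection to any other inside host and a new connection to port 80 on the mail server fall through both rules to the implicit deny. ordering_demo() shows why rule order matters: with "deny 130.20.1.2" listed first, the host is denied even though the following line permits its whole network, and with the lines swapped the same host is permitted; an address outside 130.20.0.0 is denied in either case because nothing matches it.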