Demystifying Cisco Access Control Lists
|
By Peter Morrissey
Anyone who has managed a large network knows that control can be a wonderful thing. This is why routers are still so popular, in spite of the flat network craze. Routers can confine problems like excessive broadcasts, duplicate IP addresses, unauthorized DHCP servers and misbehaving Windows NT and Novell servers to a local network. In turn, fewer users are affected and the problems are easier to troubleshoot.
Sometimes, though, standard routing capabilities aren't enough. That's why Bay Networks, Cisco Systems and 3Com Corp. have added filtering capabilities, such as access control lists, to their routers. At Network Computing's lab at Syracuse University, we've been
using these capabilities in our Cisco routers for the past five years to help us control some of the more difficult problems with our IP, Novell and AppleTalk networks.
Although access lists won't turn your router into a full-fledged firewall, they can be a powerful means of controlling your IP network. We'll focus here on the IP version of Cisco's access control lists, also known as extended access lists. You can apply these basic concepts to your Bay and 3Com routers, and possibly even your firewall. We've gathered extended access list information from various Cisco manuals and thrown in some tips we've learned along the way. To verify the syntax presented here, we configured one of our routers to run Cisco Internetwork Operating System (IOS) version 10.3(10). You can count on the syntax to work with that version or later versions. The text notes any features that are available only in higher versions of the IOS.
What They're All About
The access list is a group of statements. Each statement d
efines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom--in the exact order that it was entered--for a pattern that matches the incoming packet. A permit or deny rule associated with the pattern determines that packet's fate. You also can use a mask, which is like a wild card, to determine how much of an IP source or destination address to apply to the pattern match. The pattern statement also can include a TCP or UDP (User Datagram Protocol) port number (see The "Anatomy of an Access List" graphic, in Acrobat format.)
Access list statements are entered one line at a time, and the list is scanned for a match in that same order. If you must make a change, you have to re-enter the entire list. Also, keep in mind that once you associate the list with an interface, any packet not processed by the list is dropped by default.
Once the access list is entered, you must associate it with the interface on the router where yo
u want to apply the filtering. You can apply the list to incoming packets, (an "in" access list) or outgoing packets (an "out" access list). In most cases, either list will work. For out access lists, you need to set up the filter only on the one outgoing interface rather than on the individual incoming interfaces. This improves performance because only the network you are protecting will force a lookup on the access list.
|
REPORTS
ANALYTICS
Follow 
