IPX SAP Access Lists

You might recall from Chapter 8 that the ipx routing command also initiates the broadcasting of IPX SAP updates between routers. The information contained in SAP updates can be filtered using IPX SAP access lists, which use the numerical range 1000-1099. By properly implementing these access lists you can control the extent to which certain SAP broadcasts are propagated through an IPX network. Unlike standard access lists (which are normally placed close to the destination), IPX SAP access lists should usually be implemented close to the source of the SAP updates, so that unwanted service advertisements are dropped before they consume bandwidth and SAP table space across the rest of the network.

IPX SAP access lists are implemented using the access-list command. They specify the source network from which the broadcasts originate, the type of SAP broadcast we want to filter, and optionally, the name of the server whose broadcasts we wish to filter. Let’s walk through an example step-by-step to see how these access lists are implemented. The figure below outlines a network that includes three IPX networks – 101A, 101B, and 101C. Our goal is to stop print server updates from ServerB from being added to the SAP table on RouterA.

Figure: An inbound IPX SAP access list will ultimately deny ServerB’s print services broadcasts from being added to the router’s SAP table.

RouterA(config)#access-list 1099 deny ?
-1 Any IPX net
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
RouterA(config)#access-list 1099 deny 101B ?
<0-FFFF> Service type-code (0 matches all services)
N.H.H.H Source net.host mask

The command above specifies that we wish to deny IPX SAP traffic from network 101B. If we had pressed enter here, all IPX SAP broadcast traffic from network 101B would be denied. Instead, we’ll carry on to specify the service type code that we wish to deny. Recall from previous chapters that the type code associated with print servers is 7.

RouterA(config)#access-list 1099 deny 101B 7 ?
WORD A SAP server name
RouterA(config)#access-list 1099 deny 101B 7 ServerB

By specifying ServerB, we only deny SAP updates announcing print services from that particular server, as opposed to all servers on network 101B. After the command is issued, remember that the access list still ends in an implicit “deny all” statement, and still needs to be applied to an interface.

We’ll add a permit statement that allows all other IPX SAP traffic. This statement is fairly simple, as shown below.

RouterA(config)#access-list 1099 permit -1

The -1 in the permit entry is the equivalent of saying "allow all IPX SAP traffic from any network".

The syntax to apply an IPX SAP filter to an interface is different than the access-group command that we used previously. Two different statements can be used to apply an IPX SAP access list to an interface, each with different results.

  • ipx input-sap-filter. This command will apply an IPX SAP access list to an interface, and stops incoming SAP updates from being added to a router’s SAP table.
  • ipx output-sap-filter. This command also applies an IPX SAP access list to an interface, but stops filtered entries from being broadcast from that interface.

In this case, since we only have a single router and don't want the information about ServerB's print services added to the router's SAP table, we'll use an input filter on interface E1. If we had wanted the SAP broadcasts about print services on ServerB to be denied to only network 101A, an output filter on interface E0 would have been more appropriate.

RouterA(config-if)#ipx input-sap-filter 1099

To view the IPX SAP access lists associated with an interface, use the show ipx interface command, as shown below. The output has been truncated to show only relevant information.

RouterA#sh ipx int e1
Ethernet1 is up, line protocol is up
IPX address is 101B.0060.5cc4.f41b, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 60 seconds
IPX type 20 propagation packet forwarding is disabled
Incoming access list is 900
Outgoing access list is 850
IPX helper access list is not set
SAP GNS processing enabled, delay 0 ms, output filter list is not set
SAP Input filter list is 1099
SAP Output filter list is not set
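To make the difference between the two filter types concrete, here is an added Python model of a router's SAP table with per-interface input and output filters. It is not code from the page or from Cisco. It assumes a third interface, E2, connected to network 101C, and uses a SAP type code of 4 for file servers in its constructed sample updates; the -1 (any network) and 0 (all service types) wildcards follow the access-list syntax shown above.

```python
from typing import Dict, List, Optional, Set, Tuple

# One SAP access-list entry: action, source network ("-1" = any network),
# service type (0 = all services), server name (None = any server).
SapEntry = Tuple[str, str, int, Optional[str]]
# One SAP update as the router sees it: source network, service type, server name.
SapUpdate = Tuple[str, int, str]

PRINT_SERVER = 7   # SAP type code for print servers, as used in the text
FILE_SERVER = 4    # SAP type code for file servers (assumed, for the sample data only)


def sap_permitted(acl: List[SapEntry], update: SapUpdate) -> bool:
    """First-match evaluation of a SAP access list, with the implicit deny at the end."""
    net, stype, name = update
    for action, e_net, e_type, e_name in acl:
        if e_net != "-1" and e_net.upper() != net.upper():
            continue
        if e_type != 0 and e_type != stype:
            continue
        if e_name is not None and e_name != name:
            continue
        return action == "permit"
    return False


class IpxRouter:
    """Toy model of a router's SAP table with ipx input-sap-filter / ipx output-sap-filter."""

    def __init__(self) -> None:
        self.sap_table: Set[SapUpdate] = set()
        self.input_filters: Dict[str, List[SapEntry]] = {}    # interface -> ipx input-sap-filter
        self.output_filters: Dict[str, List[SapEntry]] = {}   # interface -> ipx output-sap-filter

    def receive(self, iface: str, updates: List[SapUpdate]) -> None:
        """An input filter decides what gets into the SAP table at all."""
        acl = self.input_filters.get(iface)
        for upd in updates:
            if acl is None or sap_permitted(acl, upd):
                self.sap_table.add(upd)

    def advertise(self, iface: str) -> Set[SapUpdate]:
        """An output filter only decides what is broadcast out of that one interface."""
        acl = self.output_filters.get(iface)
        return {u for u in self.sap_table if acl is None or sap_permitted(acl, u)}


# access-list 1099 from the text: deny ServerB's print service, permit everything else.
ACL_1099: List[SapEntry] = [
    ("deny", "101B", PRINT_SERVER, "ServerB"),
    ("permit", "-1", 0, None),
]

# Constructed SAP updates arriving on E1 from network 101B (not from the page).
UPDATES_ON_E1: List[SapUpdate] = [
    ("101B", PRINT_SERVER, "ServerB"),
    ("101B", FILE_SERVER, "ServerB"),
    ("101B", PRINT_SERVER, "ServerC"),
]
SERVERB_PRINT: SapUpdate = ("101B", PRINT_SERVER, "ServerB")


def with_input_filter() -> IpxRouter:
    """The page's choice: ipx input-sap-filter 1099 on E1."""
    r = IpxRouter()
    r.input_filters["E1"] = ACL_1099
    r.receive("E1", UPDATES_ON_E1)
    return r


def with_output_filter() -> IpxRouter:
    """The alternative: ipx output-sap-filter 1099 on E0 (towards 101A) only."""
    r = IpxRouter()
    r.output_filters["E0"] = ACL_1099
    r.receive("E1", UPDATES_ON_E1)
    return r


if __name__ == "__main__":
    for label, r in (("input filter on E1", with_input_filter()),
                     ("output filter on E0", with_output_filter())):
        # E2 is an assumed third interface towards network 101C.
        print(f"{label}: in SAP table={SERVERB_PRINT in r.sap_table}, "
              f"advertised out E0={SERVERB_PRINT in r.advertise('E0')}, "
              f"advertised out E2={SERVERB_PRINT in r.advertise('E2')}")
```

With the input filter, ServerB's print service never enters the SAP table, so no interface can advertise it (and no client behind this router can find it); with the output filter on E0, the entry is in the table and is still advertised out of every other interface, which is the behaviour to pick when only one network should be shielded.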

Extended IPX Access Lists

In the same way that extended IP access lists give you a more granular level of control over IP traffic, extended IPX access lists allow you a finer level of control over IPX traffic. Extended IPX access lists not only allow you to filter traffic based on source and destination IPX addresses, but also IPX protocols and socket numbers. A variety of different IPX protocols and sockets exist, many of which were looked at in Chapter 4. The following example shows an extended IPX access list that denies all standard IPX ping traffic from moving from network 101A to network 101B. Recall that extended IPX access lists use the numerical range 900-999.

RouterA(config)#access-list 900 deny ?
<0-255> Protocol type number (DECIMAL)
any Any IPX protocol type
ncp NetWare Core Protocol
netbios IPX NetBIOS
rip IPX Routing Information Protocol
sap Service Advertising Protocol
spx Sequenced Packet Exchange

After the deny statement, an extended IPX access list expects an IPX protocol type to be entered. For the purpose of illustration, I have chosen the entry for any, which would be similar to choosing ip in an extended IP access list.

RouterA(config)#access-list 900 deny any ?
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
any Any IPX net
log Log matches against this entry
RouterA(config)#access-list 900 deny any 101A ?
<0-FFFFFFFF> Source Socket HEXIDECIMAL
all All sockets
cping Cisco ipx ping
diagnostic Diagnostic packet
eigrp IPX Enhanced Interior Gateway Routing Protocol
log Log matches against this entry
ncp NetWare Core Protocol
netbios IPX NetBIOS
nlsp NetWare Link State Protocol
nping Standard IPX ping
rip IPX Routing Information Protocol
sap Service Advertising Protocol
trace Trace Route packet

After the source address has been entered, the access list expects a source socket to be specified. An IPX socket is similar to a TCP or UDP port. In this case, I want to deny standard IPX pings from network 101A to network 101B, so I chose nping (which is socket number 9086, incidentally), as shown below.

RouterA(config)#access-list 900 deny any 101A nping ?
<0-FFFFFFFF> Destination net
N.H.H.H Destination net.host address
any Any IPX net
log Log matches against this entry

The destination network is specified next, followed by the destination socket number.

RouterA(config)#access-list 900 deny any 101A nping 101B ?
<0-FFFFFFFF> Destination Socket HEXIDECIMAL
all All sockets
cping Cisco ipx ping
diagnostic IPX Diagnostic packet
eigrp IPX Enhanced Interior Gateway Routing Protocol
log Log matches against this entry
ncp NetWare Core Protocol
netbios IPX NetBIOS
nlsp NetWare Link State Protocol
nping Standard IPX ping
rip IPX Routing Information Protocol
sap Service Advertising Protocol
trace IPX Trace Route packet
RouterA(config)#access-list 900 deny any 101A nping 101B nping

After the command has been entered, this access list consists of one deny statement. Recall that we’ll still need some type of permit statement to allow all other traffic to pass. The statement below will allow all other traffic to pass through the access list.

RouterA(config)#access-list 900 permit any any all any all

If you take a look at the previous example, the meaning of the statement above should become clearer. The first two any statements represent protocols and source networks. The first all statement represents all sockets. The final any all statement is equivalent to saying “any destination network, all sockets”. Don’t forget to apply the access list to an interface – in this case, we’ll apply it close to the source network (that’s how extended access lists are usually applied), as an inbound access list on interface E0.

RouterA(config-if)#ipx access-group 900 in

To view all of the ipx access lists defined on the router, use the show ipx access-list command.

RouterA#show ipx access-list
IPX standard access list 850
deny 101A 101B
permit FFFFFFFF FFFFFFFF
IPX extended access list 900
deny any 101A 9086 101B 9086
permit any any all any all

For the most part, you probably shouldn’t concentrate on memorizing the syntax of extended IPX access lists. However, you should be familiar with the ways in which they are capable of filtering traffic (source address, destination address, protocol, and socket numbers) and the numeric range (900-999) that they are identified by.

Standard IPX Access Lists

In the same way that access lists can be used to permit or deny IP-based traffic from passing through a router, IPX access lists control the flow of IPX traffic. A standard IPX access list is a little different than a standard IP access list. The standard IPX variety allows traffic to be filtered based on both source and destination addresses, rather than just source addresses alone.

To define a standard IPX access list, you can also use the access-list command from global configuration mode. Recall that the numeric range of standard IPX access lists is 800-899. While IPX access lists can also define individual hosts (or ranges of hosts with wildcard masks), they are more commonly implemented by specifying source and destination network numbers. Consider the figure below. The small network depicted consists of one router connecting three networks – 101A, 101B, and 101C. Our goal is to deny traffic originating from network 101A from reaching network 101B, while allowing all other traffic to pass. Our access list number for this example will be 850.

Figure: An outbound standard IPX access list applied to the router’s E1 interface denies traffic from network 101A from reaching network 101B.

RouterA(config)#access-list 850 deny 101A 101B

That was certainly simple enough. The statement above identifies the access list entry as belonging to standard IPX access list 850, which denies traffic from source network 101A from reaching the destination network (101B). Our next step involves permitting all other traffic, which is imperative since all access lists end with the implicit “deny all” statement. I have used the help function to demonstrate how the syntax of an IPX access list differs when you wish to specify that “any” traffic should be allowed to pass.

RouterA(config)#access-list 850 permit ?
-1 Any IPX net
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
RouterA(config)#access-list 850 permit -1 -1

Notice that standard IPX access lists don't use the any keyword to reference all hosts. Instead, -1 is used to represent any IPX network, so the statement above is the same as saying "permit traffic from any network to any network". Again, this access list does nothing until applied to an interface. The command is ipx access-group rather than the ip access-group command used earlier, since it is an IPX access list that we're dealing with.

RouterA(config)#int e1
RouterA(config-if)#ipx access-group 850 out

To view all IPX access lists defined on a router, use the show ipx access-list command. To view only a specific access list, follow the command with the access list number in question.

RouterA#sh ipx access-list
IPX standard access list 850
deny 101A 101B
permit FFFFFFFF FFFFFFFF

The IPX access lists associated with a given interface can be viewed using both show run and show ipx int followed by the interface number. I’ve truncated the output below to show only the relevant information.

RouterA#show ipx int e1
Ethernet1 is up, line protocol is up
IPX address is 101B.0060.5cc4.f41b, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 60 seconds
IPX type 20 propagation packet forwarding is disabled
Incoming access list is not set
Outgoing access list is 850

Remember that any given interface may have only one incoming and one outgoing access list assigned per protocol.

Extended IP Access Lists

Unlike standard IP access lists (which only allow you to filter packets based on their source IP address), extended IP access lists allow a much more granular level of control. Extended IP access lists allow filtering not only on source addresses, but also on destination addresses, protocols, and even applications, based on their port number. For example, you might choose to permit or deny a group of hosts from accessing a particular server, limit access to a telnet server to only a single host, or similar. Recall that extended IP access lists are identified through their use of the 100-199 numerical range.

The syntax of an extended IP access list is similar to that of a standard IP access list, though obviously a little longer, based on the additional filtering options available.

access-list access-list-number {deny | permit} {ip | tcp | udp | icmp} source [source-wildcard] destination [destination-wildcard] [{lt | gt | eq | neq | range} port] [log]

Although the command looks quite complex, you won’t be required to remember every option. The syntax of the command is actually the same as the syntax of a standard IP access list up until the permit or deny statement. That statement is followed by the protocol type you wish to specify, and then the source and destination addresses. The end of the statement allows you to specify the port number(s) for which the rule applies.

For example, let’s say that we want to deny all hosts on network 192.168.20.0/24 from accessing ServerA via telnet, as shown in the figure below. The command to add this entry to access list 102 is shown below, using help to walk through the command step-by-step.

Figure: An inbound extended IP access list on RouterA interface E0 denies hosts on network 192.168.20.0/24 from accessing ServerA via telnet.

RouterA(config)#access-list 102 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol

The help function lists the different protocols on which packets can be filtered. Because telnet functions over TCP port 23, we’ll choose tcp as our protocol.

RouterA(config)#access-list 102 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host

The next step is specifying the source host address, followed by a wildcard mask. In this case, we want our list to apply to all hosts on network 192.168.20.0/24, so our wildcard mask is 0.0.0.255.

RouterA(config)#access-list 102 deny tcp 192.168.20.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
RouterA(config)#access-list 102 deny tcp 192.168.20.0 0.0.0.255 192.168.99.1 ?
A.B.C.D Destination wildcard bits

The next step is specifying our destination host address. I chose to enter the destination IP address followed by the wildcard mask of 0.0.0.0. Recall that the host keyword can also be used when specifying a single host.

RouterA(config)#$ 102 deny tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 ?
ack Match on the ACK bit
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
tos Match packets with given TOS value
urg Match on the URG bit

Notice the $ sign that appears at the start of the prompt line above. It indicates that the command is too long to fit on a single line, so the IOS has scrolled the beginning of the line off to the left; the characters you typed are still part of the command.

One additional caveat at this point – if we had pressed enter after entering the destination wildcard mask, our access list entry would be accepted. However, it would also deny all TCP traffic from network 192.168.20.0/24 to host 192.168.99.1. The last step in configuring our extended access list is specifying the TCP port number (or protocol name) that we wish to deny – in this case port 23. By using the eq (equal to) operator, we can specify that this access list entry applies to port 23 only. You can also specify certain protocols by name, as shown below.

RouterA(config)#$t tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
RouterA(config)#$tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 eq 23

After issuing the completed command, our extended IP access list now includes a single entry, which denies hosts on network 192.168.20.0/24 from sending telnet traffic destined for host 192.168.99.1 through the router. Remember, however, that the access list doesn’t actually filter traffic until applied to an interface. Also recall that all access lists end with the implicit deny statement. As such, we should add an entry that allows all other traffic to be forwarded by the router, and apply the list to an interface. To allow all other traffic to pass, we will need to add another entry to access list 102.

RouterA(config)#access-list 102 permit ip any any

Notice the syntax of the command. It adds an entry to extended IP access list 102, telling it to permit all IP traffic from any source to any destination. This is a common statement, and will meet our needs. To view access list 102, use the show ip access-list 102 command.

RouterA#show ip access-list 102
Extended IP access list 102
deny tcp 192.168.20.0 0.0.0.255 host 192.168.99.1 eq telnet
permit ip any any

Even though we didn’t specify a protocol name in our original access list entry, the router still recognizes TCP port 23 as being a telnet port.

Our final step is applying this access list to an interface, and specifying whether it will be applied inbound or outbound. Extended IP access lists should generally be applied close to the source network rather than the destination. This helps to ensure that unnecessary traffic does not traverse a large portion of the network before being blocked. In this case, we'll apply access list 102 as an inbound access list on interface Ethernet0, using the ip access-group command from interface configuration mode.

RouterA(config-if)#ip access-group 102 in

The show ip access-list command will show us all IP access lists defined on the router, including how many times each condition listed has been matched.

RouterA#sh ip access-list
Extended IP access list 102
deny tcp 192.168.20.0 0.0.0.255 host 192.168.99.1 eq telnet
permit ip any any (404 matches)

Access List Wildcard Masks

In the standard IP access list that we looked at in the previous example, you learned how to define a rule that would permit or deny access to a single host. In reality, you will probably wish to permit or deny access to a range of hosts rather than just one. Perhaps you’ll want to control access for all of the hosts on a subnet, or maybe just a subset of hosts. Either way, the ability to control access for a group of hosts is accomplished using what is known as a wildcard mask.

A wildcard mask is different than a subnet mask. Defining a wildcard mask is really no more difficult, but the approach is somewhat different. The purpose of the wildcard mask is to specify which group of addresses an access list entry should apply to. For example, imagine that we wanted to create a standard IP access list that would deny inbound access on interface E0 to all hosts on network 192.168.20.0/24. The access list entry would be:
RouterA(config)#access-list 40 deny 192.168.20.0 0.0.0.255

I know that the wildcard mask looks a little confusing. In this case, the wildcard mask is 0.0.0.255. The binary 0s in the mask tell the router that the associated bits in the source address must match exactly. Since the first 3 octets in the wildcard mask are set to binary 0, the router knows that the first three octets must match 192.168.20. The binary 1s in the mask tell the router to match any possible value. Since the last octet in the wildcard mask is all binary 1s, the router knows that any value in the last octet is a match. So, any source address beginning with 192.168.20 would match the access list, and in this case, be denied.

In the same way, consider the example below. It tells the router to deny traffic from any source address that starts with 10.10. Since the last two octets are masked, every address from 10.10.0.0 through 10.10.255.255 is a match (a wildcard mask is a pure bit-by-bit test, so the network and broadcast addresses match as well), and in this case all of those hosts would be denied.

RouterA(config)#access-list 40 deny 10.10.0.0 0.0.255.255

Recall that a single host can be specified in an access list using either the host command, or a wildcard mask of all 0s. The wildcard mask of all 0s means “match all octets exactly”. In the example below, only host 192.168.1.100 would be denied access.

RouterA(config)#access-list 40 deny 192.168.1.100 0.0.0.0

Things get a bit trickier when you want to block only a certain range of hosts, but not necessarily an entire network or subnet. Before looking at the masking, there is an important rule to remember. When you wish to block only a certain group of hosts with a single entry, the size of the group must be a power of 2, and the group must start on a multiple of that size. For example, you can block 2, 4, 8, 16, 32, 64, or 128 hosts, but not, for example, 26. If you think back, this is similar to the rules associated with subnetting.

Defining a custom wildcard mask is different from subnetting, in that the binary ones move in the opposite direction: the 1s in a subnet mask mark the bits that identify the network, while the 1s in a wildcard mask mark the bits the router should ignore (the 0s are the bits that must match). For example, imagine if we wanted to deny access to a group of 4 addresses starting with 192.168.1.4. In effect, that means that we want to deny access for addresses between 192.168.1.4 and 192.168.1.7, or 4 addresses total. In this case, the wildcard mask would be 0.0.0.3. At this point, I agree that number looks confusing. A quick look at things in binary will help to make things clearer.

Remember that we want to start at 192.168.1.4 and include 4 addresses. The 0s in the wildcard mask mark the bits that must match the address in the entry exactly, and the 1s mark the bits the router does not care about when deciding which hosts to permit or deny. In this case, the mask is 0.0.0.3, which is the equivalent of the following in binary:

00000000 00000000 00000000 00000011

Notice that only the last two bits are set to 1. What this means is "start at 192.168.1.4, and accept any values for those last two bits". The figure below outlines all of the possible values for those last two bits.

Figure: Matching address values for when a source address of 192.168.1.4 is specified with a wildcard mask of 0.0.0.3

The only possible addresses that apply are 192.168.1.4, 192.168.1.5, 192.168.1.6, and 192.168.1.7. In other words, our wildcard mask tells the router that starting with address 192.168.1.4, allow the last two address bits to be set to any value, and use this as the range to permit or deny traffic.

If you're looking for an easier way to remember wildcard mask values, you're in luck. Recall what I said earlier. When grouping ranges of addresses, the group size must be a valid power of 2. The associated wildcard mask number will always be one less than the size of the group. So, if you want to group 128 addresses together, the associated wildcard mask value would be 127. To group 64 addresses, the wildcard mask value would be 63, and so forth. These values are outlined in the table below:

Address Grouping    Wildcard Mask
128                 127
64                  63
32                  31
16                  15
8                   7
4                   3
2                   1
1                   0

Let’s take a closer look at the table. Notice that for a single address, the wildcard mask value is 0. This is consistent with our example of creating a wildcard mask for a single host of 0.0.0.0.

Let's say that we want to group together 8 addresses starting at 192.168.20.17. Unfortunately we can't. Why? Because the range must begin on a multiple of its size, and 17 is not a multiple of 8 (the router would simply ignore the masked low-order bits and match .16 through .23 instead of the range you intended). So, let's start at 192.168.20.16 instead; since 16 is also a multiple of 16, we can just as easily cover a group of 16 addresses. If we want to deny access to a group of 16 addresses, then the wildcard mask will be one less: 15. In this case, the mask would be 0.0.0.15. This would deny access to all hosts between 192.168.20.16 and 192.168.20.31. If we wanted to add this entry to a standard IP access list, the command would be:

RouterA(config)#access-list 40 deny 192.168.20.16 0.0.0.15

The table above can also be used to block bigger ranges. For example, imagine if we wanted to permit access for 32 subnets, those from 192.168.32.0 up to 192.168.63.0. In this case, the wildcard mask must begin in the third octet. Because of this, the wildcard mask becomes 0.0.31.255. Notice that the third octet value is one less than the grouping, and that the last octet is 255. This tells the router that this access list entry applies to hosts with any value between 32 and 63 in the third octet, and any value in the fourth octet. The access list entry would be:

RouterA(config)#access-list 40 permit 192.168.32.0 0.0.31.255
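The rules in this section (group size a power of two, start on a group boundary, mask value one less than the size, 1 bits are don't-care bits) can all be checked mechanically before an entry goes onto a router. The Python helpers below are an added example, not part of the original text, and use only the standard library ipaddress module; the addresses and masks are the ones from the examples above. entry_range also shows what a mis-aligned start address such as 192.168.20.17 with mask 0.0.0.7 actually covers.

```python
import ipaddress
from typing import Tuple


def _int(addr: str) -> int:
    """Dotted quad to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _dq(value: int) -> str:
    """32-bit integer back to a dotted quad."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_mask_for_block(size: int) -> str:
    """Wildcard mask covering `size` consecutive addresses.

    The mask is size - 1 written as a dotted quad, which only produces a
    clean run of 1 bits when size is a power of two (the page's rule).
    """
    if size < 1 or size & (size - 1):
        raise ValueError(f"block size {size} is not a power of two")
    return _dq(size - 1)


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the corresponding subnet mask."""
    return _dq(_int(subnet_mask) ^ 0xFFFFFFFF)


def is_aligned(start: str, size: int) -> bool:
    """True if `start` sits on a multiple of `size`, i.e. a legal block boundary."""
    wildcard_mask_for_block(size)          # reuse the power-of-two check
    return _int(start) % size == 0


def entry_range(address: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest source address an (address, wildcard) entry matches.

    Bits where the wildcard is 1 are don't-care bits: clearing them all gives
    the lowest matching address, setting them all gives the highest. Any 1s the
    configured address has in don't-care positions are ignored, which is also
    what the router does when it stores the entry.
    """
    a, w = _int(address), _int(wildcard)
    return _dq(a & ~w), _dq(a | w)


def matches(source: str, address: str, wildcard: str) -> bool:
    """The standard-access-list test: every bit where the wildcard is 0 must agree."""
    return (_int(source) ^ _int(address)) & ~_int(wildcard) & 0xFFFFFFFF == 0


if __name__ == "__main__":
    print("16 hosts  ->", wildcard_mask_for_block(16))          # 0.0.0.15
    print("32 /24s   ->", wildcard_mask_for_block(32 * 256))    # 0.0.31.255
    print("/24       ->", subnet_mask_to_wildcard("255.255.255.0"))
    print("aligned?  ->", is_aligned("192.168.20.17", 8), is_aligned("192.168.20.48", 16))
    print("covers    ->", entry_range("192.168.20.17", "0.0.0.7"))   # .16 to .23, not .17 to .24
    print("covers    ->", entry_range("192.168.32.0", "0.0.31.255"))
```

Note that 192.168.20.48 is a perfectly good start for a block of 16 even though 48 is not a power of two; the boundary rule is about multiples of the block size, which is what is_aligned checks.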

As you’ll see shortly, wildcard masks can be used in both standard and extended IP access lists.

Standard IP Access Lists

As mentioned earlier, a standard IP access list provides basic packet filtering abilities, based on the source IP address of a packet only. As a general rule, apply standard IP access lists close to the destination network to which you wish to permit or deny access.

Consider the figure below – in this simple network, we wish to deny hosts on network 10.1.10.0/24 from accessing network 10.1.30.0/24. If an outbound access list were placed on RouterA interface E1, this would stop hosts on network 10.1.10.0/24 from accessing both networks 10.1.20.0 and 10.1.30.0. By placing the outbound standard access list on RouterB interface E1 instead, hosts on network 10.1.10.0/24 are only denied access to network 10.1.30.0.

Figure: The outbound access list applied to RouterB interface E1 denies access to hosts from network 10.1.10.0/24.

Recall that standard IP access lists fall into the numerical range 1-99. Implementing a standard access list involves two major steps. The first step involves adding rules to an access list. The second involves applying the access list to an interface.
IP standard access lists are created from global configuration mode, using the access-list command. The syntax of an access list can be a little confusing, so we’ll walk through our examples using the help feature of the Cisco IOS. The complete syntax for an IP standard access list is:

access-list access-list-number {deny | permit} source [source-wildcard] [log]

The access-list command is used to specify the creation of a new access list entry. The access-list-number is the number of the access list to which this rule will be added. It's worth noting that if an access list with this number doesn't exist, it will be created; if it does exist, the command appends another rule to the bottom of that access list. The deny or permit keyword does what its name suggests: it specifies the action to be carried out when the criteria in the rule are met. A permitted packet is allowed to pass, while a denied packet is dropped. The source section allows you to specify the source address of the host to which the rule applies. This might be a single host, or a group of hosts if a customized source-wildcard mask is specified (wildcard masking will be looked at in the next section). The log keyword is optional. If specified, the router generates a log message (to the console by default, or to a syslog server if logging has been configured) when the entry is matched; the IOS rate-limits these messages, so you'll see the first match and then periodic summaries rather than one line per packet. While it may be interesting to see, I generally suggest leaving it turned off on a busy production router, since logging adds CPU load; turn it on selectively when you need a record of which entry is matching.

The best way to begin is by creating an access list based on a scenario. In the figure below, our network consists of two subnets. Our goal is to deny traffic from host 192.168.1.100 from reaching network 192.168.2.0. All other traffic should be allowed to pass.

Figure: An outbound access list will be applied outbound on interface E1.

We’ll give the access list a number of 50, which I chose randomly. Remember that access lists are defined from global configuration mode.

RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list

By using help, we know that the access-list command expects an access list number next. We’re using the number 50. Requesting help again yields the following:

RouterA(config)#access-list 50 ?
deny Specify packets to reject
permit Specify packets to forward

The next step is specifying whether this rule permits or denies traffic. The goal of our first rule is to deny access to host 192.168.1.100, so we’ll choose deny.

RouterA(config)#access-list 50 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address

After specifying our deny statement, we are prompted to identify the host (or hosts) for which we wish to deny access. Notice that possible entries include a hostname (this would require a configured hosts table or DNS lookup), the IP address of the host, or use of the any keyword. Choosing any would deny access to all hosts in this case. Denying access to a single host can be accomplished in two different ways. The first method is by using the host keyword, as shown below.

RouterA(config)#access-list 50 deny host 192.168.1.100

Another way to accomplish the same thing is to specify what is known as a wildcard mask. For a single host, the wildcard mask is all 0s, as shown below. We’ll look at how to specify wildcard masks for groups of hosts shortly.

RouterA(config)#access-list 50 deny 192.168.1.100 0.0.0.0
RouterA(config)#

Pressing Enter completes the command (though the log keyword could have also been added). This adds a single rule to standard IP access list 50. We still need to add a second rule, specifying that all other traffic is permitted. This command is very straightforward:

RouterA(config)#access-list 50 permit any

The second rule simply specifies that all traffic is allowed to pass. It’s important to remember that this is the second rule on the list – rules are sequentially added to an access list, in the order they are specified. If we were to add another rule, it would be the third on the list, and so forth. There is no way to change the order of rules in the Cisco IOS. However, one popular way to edit the order of access lists is to save your configuration to a TFTP server, and then edit the saved configuration file in a text editor.

It’s also important that you think very carefully about the order in which you add access list entries. You want to make sure that the entries permit or deny traffic as per your intentions. For that reason, it is extremely important that more specific entries always be added towards the beginning of an access list. If not, a packet that you intended to deny may in fact be permitted by a more “generous” preceding entry. Remember – access lists are only evaluated until a match is found. If we had created our access list in the reverse order (with the access-list 50 permit any rule added first), the second rule would never be evaluated – all traffic would match the first rule.
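To make the first-match rule concrete, here is an added Python simulation (not from the original text or from Cisco IOS) of how a standard IP access list is evaluated: rules are tried in order, an omitted wildcard mask means a single host, and a packet that matches nothing hits the implicit deny. It goes a little beyond the page by also parsing a wildcard mask that covers a whole /24; every sample list below is constructed here, not captured from a router.

```python
import ipaddress

def parse_rule(line):
    """Parse one 'access-list N permit|deny <source>' line into
    (list_number, action, address_as_int, wildcard_as_int)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a standard access-list entry: " + line)
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if rest[-1] == "log":        # optional trailing keyword; not needed for matching
        rest = rest[:-1]
    if rest[0] == "any":         # same as 0.0.0.0 255.255.255.255
        return number, action, 0, 0xFFFFFFFF
    if rest[0] == "host":        # 'host A.B.C.D' is A.B.C.D 0.0.0.0
        return number, action, int(ipaddress.IPv4Address(rest[1])), 0
    addr = int(ipaddress.IPv4Address(rest[0]))
    # An omitted wildcard mask means a single host (0.0.0.0), as on the page.
    wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return number, action, addr, wildcard

def matches(src, addr, wildcard):
    """Wildcard-mask comparison: a 1 bit in the mask means 'don't care'."""
    return (int(ipaddress.IPv4Address(src)) | wildcard) == (addr | wildcard)

def evaluate(rules, src):
    """First matching rule decides; a packet matching nothing hits the
    implicit deny at the end of every access list."""
    for _, action, addr, wildcard in rules:
        if matches(src, addr, wildcard):
            return action
    return "deny (implicit)"

# Constructed sample lists (not captured from a router): the page's list 50
# as intended, the same two rules reversed, and a whole-subnet wildcard.
INTENDED = [parse_rule(l) for l in (
    "access-list 50 deny 192.168.1.100 0.0.0.0",
    "access-list 50 permit any")]
REVERSED = list(reversed(INTENDED))
GROUP = [parse_rule(l) for l in (
    "access-list 51 deny 192.168.1.0 0.0.0.255",
    "access-list 51 permit any")]

if __name__ == "__main__":
    hosts = ("192.168.1.100", "192.168.1.101", "10.0.0.5")
    for name, rules in (("intended", INTENDED), ("reversed", REVERSED), ("group", GROUP)):
        print(name, {h: evaluate(rules, h) for h in hosts})
```

Running it shows the reversed list permitting 192.168.1.100, because the permit any entry is matched first and the deny is never reached.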

To view the access lists that have been defined on a router, use the show run command. Though I’ve truncated the output below, access list entries appear towards the bottom of the configuration file.

RouterA#sh run
Building configuration...
Current configuration:
!
access-list 50 deny 192.168.1.100
access-list 50 permit any

With our simple standard IP access list defined, the next step is applying it to an interface. The command to apply a standard IP access list to an interface is ip access-group, followed by the number of the access list and a direction (inbound or outbound). Access lists are applied to an interface from interface configuration mode, as shown below.

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int e1
RouterA(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name

RouterA(config-if)#ip access-group 50 ?
in inbound packets
out outbound packets
RouterA(config-if)#ip access-group 50 out

Recall our original scenario. Our goal was to deny host 192.168.1.100 access to network 192.168.2.0/24. By configuring the access-list as outbound on the router’s E1 interface, only traffic from host 192.168.1.100 is denied the ability to exit interface E1. You might wonder why we didn’t just apply the access list as inbound on interface E0. If we had, it would have denied host 192.168.1.100 access to all networks, and not just network 192.168.2.0/24.

To view the IP access lists applied to an interface, use the show ip interface or show running-config commands. The show ip int e1 command is shown below, truncated to only include relevant output.

RouterA#sh ip int e1
Ethernet1 is up, line protocol is up
Internet address is 192.168.2.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 50
Inbound access list is not set

To view all access lists applied to a router, use the show access-lists command. To view a particular IP access list, use the show ip access-list command, followed by the access list number. Examples of both are outlined below.

RouterA#show access-list
Standard IP access list 50
deny 192.168.1.100
permit any
RouterA#show ip access-list 50
Standard IP access list 50
deny 192.168.1.100
permit any

Because we only have one access list defined at this point, the output of both commands looks the same. However, the first command will ultimately list all access lists on the router (IP, IPX, or otherwise), while the second shows only the contents of a specific IP access list.

To remove an access list from an interface, use the “no” version of the ip access-group command from interface configuration mode.

RouterA(config-if)#no ip access-group 50 out

To remove an access list from the router entirely, use the no access-list command from global configuration mode, followed by the number of the access list you wish to delete.

RouterA(config)#no access-list 50