Standard IP access lists filter network traffic by examining only the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1-99 or 1300-1999 (the expanded range). Access list types are differentiated by number: based on the number used when the list is created, the router knows which syntax to expect as the list is entered. By using a number from 1-99 or 1300-1999, you're telling the router that you want to create a standard IP access list, so the router will expect test lines that specify only a source IP address. Keep that limitation in mind: a standard list cannot look at the destination address, the protocol, or the port, and it trusts the source address as it appears in the packet.
The following shows the access-list number ranges you can use to filter traffic on your network (the protocols for which you can specify access lists depend on your IOS version):

Corp(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
Let’s take a look at the syntax used when creating a standard access list:
Corp(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

As we said, by using the access-list numbers 1-99 or 1300-1999, you're telling the router that you want to create a standard IP access list.
After you choose the access-list number, you need to decide whether you’re creating a permit or deny statement. For this example, you will create a deny statement.
Corp(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
The next step requires a more detailed explanation. There are three options available: you can use the any keyword to permit or deny every host or network, you can use an IP address (with a wildcard mask) to specify either a single host or a range of hosts, or you can use the host keyword to specify one specific host. The any keyword is pretty obvious: any source address matches the statement, so every packet compared against this line will match. The host keyword is just as simple. Here's an example using it:

Corp(config)#access-list 10 deny host ?
  Hostname or A.B.C.D  Host address
Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The host keyword is also the default: if you type access-list 10 deny 172.16.30.2 with no wildcard mask, the router assumes you mean host 172.16.30.2 and stores a wildcard of 0.0.0.0.
But there's another way to specify either a particular host or a range of hosts: wildcard masking. In fact, to specify any range of hosts, you have to use wildcard masking in the access list.
What's wildcard masking? You'll learn all about it in the following sections, using a standard access list example, and then see how to use the same mechanism to control access to a virtual terminal.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it’s used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8 and 4.
When you need to specify a range of addresses, you choose the next largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts you need a block size of 32. If you only specify 2 networks, then a block size of 4 would work.
Wildcards are used with the host or network address to tell the router the range of addresses to filter. To specify a single host, the address and wildcard would look like this (reusing the host from the earlier deny statement):

172.16.30.2 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value 255 is used. As an example, here's how a /24 subnet is specified with a wildcard:

172.16.30.0 0.0.0.255

This tells the router to match the first three octets exactly, but the fourth octet can be any value.
Now, that was the easy part. What if you want to specify only a small range of subnets? This is where the block size comes in: you have to specify the range of values as a block size. In other words, you can't choose to specify 20 networks. You can only specify exactly as many as a block size value allows, so the range would have to be either 16 or 32, but not 20.
Let's say that you want to block access to the part of the network that is in the range from 172.16.8.0 through 172.16.15.0. This is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight networks, ending at network 172.16.15.0.
Seriously, it really is easier than it looks! We could go through the binary math, but all you have to do is remember that the wildcard value is always one less than the block size. So, in our example, the wildcard octet is 7 because our block size is 8. If you used a block size of 16, the wildcard octet would be 15. Easy, huh?
But just in case, we’ll go through some examples to help you nail it. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything:
Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255
The next example tells the router to match the first two octets and that the last two octets can be any value:
Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Try to figure out this next line:
Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.
The following example shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0:
Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255
The next example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0:
Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255
The next example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0:
Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255
The last example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255:
Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255
Here are two more things to keep in mind when working with block sizes and wildcards:
- Each block must start at 0 or at a multiple of the block size. For example, you can't say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, and so on. For a block size of 32, the ranges are 0-31, 32-63, 64-95, and so on.
- The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
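The following Python block is an added example, not code from the original text. It applies the two rules above (the wildcard octet is the block size minus one, and a block must start at a multiple of its size) and the per-bit test the router actually performs, where a 0 bit in the wildcard means the address bit must match the network and a 1 bit means it is ignored. All addresses it is tested with are the ones used on this page; the function and variable names are this example's own.

```python
"""Wildcard-mask arithmetic for standard IP access lists.

Added example; this is not code from the original text. It checks the two
rules stated above (wildcard octet = block size - 1, and a block must start
at a multiple of its size) and implements the bitwise match a router applies.
"""
import ipaddress
from typing import Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_range(first: str, last: str) -> str:
    """Wildcard that matches exactly first..last, e.g. 172.16.8.0-172.16.15.255 -> 0.0.7.255.

    Raises ValueError when no single 'network wildcard' pair can express the
    range: the size is not a power of two (the text's "you can't specify 20
    networks"), or the start is not a multiple of the block size.
    """
    lo, hi = _ip(first), _ip(last)
    if hi < lo:
        raise ValueError("last address precedes first")
    size = hi - lo + 1
    if size & (size - 1):
        raise ValueError(f"{size} addresses is not a power of two; use two or more lines")
    if lo % size:
        raise ValueError(f"a block of {size} must start at a multiple of {size}")
    return _dotted(size - 1)          # block size minus one, across all octets


def acl_range(network: str, wildcard: str) -> Tuple[str, str, bool]:
    """(first, last, aligned) for a 'network wildcard' pair as typed in an ACL.

    The bitwise test ignores network bits that sit under a 1 in the wildcard,
    so an unaligned entry such as 172.16.12.0 0.0.7.255 behaves exactly like
    172.16.8.0 0.0.7.255; `aligned` is False in that case so a config review
    can flag the line as not meaning what the author probably intended.
    """
    net, wild = _ip(network), _ip(wildcard)
    first = net & ~wild
    return _dotted(first), _dotted(first | wild), (net & wild) == 0


def matches(address: str, network: str, wildcard: str) -> bool:
    """The per-bit test a router applies to one standard ACL line."""
    return ((_ip(address) ^ _ip(network)) & ~_ip(wildcard)) == 0


if __name__ == "__main__":
    print(wildcard_for_range("172.16.8.0", "172.16.15.255"))     # 0.0.7.255
    print(acl_range("172.16.12.0", "0.0.7.255"))                 # unaligned start
    print(matches("172.16.40.7", "172.16.40.0", "0.0.0.255"))    # True
```

The alignment flag is the check worth automating: the router will accept an unaligned start, and the list will then cover a different range from the one written in the change ticket.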
Standard Access List Example
Let’s see how to use a standard access list to stop specific users from gaining access to the Finance Department LAN.
In the following picture, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the Marketing department. The Marketing LAN needs to access the Finance LAN for application services.
On the router in the picture, the following standard IP access list is configured:
Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

It's very important to know that the any keyword is the same thing as saying the following using wildcard masking:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Since the wildcard mask says that none of the octets are to be evaluated, every address matches the test condition. So this is functionally the same as using the any keyword.
At this point, the access list is configured to deny source addresses from the Sales LAN access to the Finance LAN and allow everyone else. But remember, no action will be taken until the access list is applied on an interface in a specific direction. But where should this access list be placed? If you place it as an incoming access list on E0, you might as well shut down the Ethernet interface because all of the Sales LAN devices will be denied access to all networks attached to the router. The best place to apply this access list is on the E1 interface as an outbound list:
Lab_A(config)#int e1
Lab_A(config-if)#ip access-group 10 out

This completely stops traffic sourced from 172.16.40.0/24 from getting out Ethernet 1. It has no effect on hosts from the Sales LAN accessing the Marketing LAN and the Internet, since traffic to those destinations doesn't go through interface E1. Any packet trying to exit out E1 will have to go through the access list first. If there were an inbound list placed on E0 instead, any packet trying to enter interface E0 would have to go through the access list before being routed to an exit interface, so the Sales hosts would lose Marketing and Internet access too.
Let’s take a look at another example of a standard access list. The following picture shows an internetwork of two routers with three LANs and one serial WAN connection.
You want to stop the Accounting users from accessing the Human Resources server attached to the Lab_B router but will allow other users access to that LAN. What standard access list would you create and where would you place it?
The real answer is that you should use an extended access list and place it closest to the source, but the question specifies that you should use a standard access list. Standard access lists, by the rule of thumb, are placed closest to the destination: in this example, Ethernet 0 outbound on the Lab_B router. Here is the access list that should be placed on the Lab_B router:

Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out
Before we move on to restricting Telnet access on a router, let’s take a look at one more standard access list example, but it will require some thought. In the following picture, you have a router with four LAN connections and one WAN connection to the Internet.
You need to write an access list that will stop access from each of the four LANs shown in the picture to the Internet. Each of the LANs shows a single host’s IP address, and from that, you need to determine the subnet and use wildcards to configure the access list.
Here is an example of what your answer should look like (starting with the network on E0 and working through to E3):
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out

Okay, what would be the purpose of creating this list? If you actually applied this access list on the router, you'd effectively shut down access to the Internet, so what's the purpose of even having an Internet connection? We wrote this exercise so you can practice using block sizes with access lists, which is critical for your success when studying the CCNA objectives. Note that the permit any line still matters here: without it, the implied deny any at the end of the list would also drop the traffic the four deny lines don't match.
Controlling VTY (Telnet) Access
You'll probably have a difficult time trying to stop users from telnetting to a large router, because any active interface on a router is fair game for VTY access. You could try to create an extended IP access list that limits Telnet access to every IP address on the router. But if you did that, you'd have to apply it inbound on every interface, and that really wouldn't scale well to a large router with dozens, even hundreds, of interfaces, would it? Here's a much better solution: use a standard IP access list to control access to the VTY lines themselves.
Why does this work? Because when you apply an access list to the VTY lines, you don't need to specify the Telnet protocol, since access to the VTY implies terminal access. You also don't need to specify a destination address, since it doesn't matter which interface address the user used as a target for the Telnet session. You really only need to control where the user is coming from: their source IP address.
To perform this function, follow these steps:
- Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
- Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except host 172.16.10.3, regardless of which individual IP address on the router is used as a target. Two practical checks: apply the access-class to every VTY line the platform has (many IOS versions provide line vty 0 15, not just 0 4), because a VTY line without the access-class is still reachable from anywhere; and remember that SSH sessions terminate on the same VTY lines, so the access-class governs SSH as well as Telnet.
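To make the behaviour of both the interface examples (the Lab_A list applied with ip access-group 10 out) and the VTY example (access-list 50 with access-class 50 in) concrete, here is an added Python model; it is not code from the original text. It parses the page's own numbered standard ACL lines and evaluates a source address against them the way the router does: top-down, first match wins, and an implied deny any at the end. The Lab_A interface addressing is assumed except for the Sales subnet 172.16.40.0/24 on E0 and Finance on E1, which the text gives; the names forward, evaluate and parse_standard_acl are this example's own.

```python
"""Standard-ACL evaluation and placement: top-down, first match wins,
implied deny at the end.

Added example; this is not code from the original text. Interface addressing
for the Lab_A router is assumed except 172.16.40.0/24 (Sales, E0) and the
fact that Finance sits behind E1, both of which the text states.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, int, int]          # (action, network, wildcard) as integers

# Matches 'access-list <n> permit|deny <source ...>' even with a prompt in front.
_ENTRY = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config: str, number: int) -> List[Entry]:
    """Collect the entries of access-list `number` in the order they were typed.

    Prompts such as 'Lab_A(config)#' are ignored, as are remark lines and
    entries that belong to other lists.
    """
    entries: List[Entry] = []
    for line in config.splitlines():
        m = _ENTRY.search(line)
        if not m or int(m.group(1)) != number:
            continue
        action, source = m.group(2), m.group(3).split()
        if source == ["any"]:                      # any == 0.0.0.0 255.255.255.255
            net, wild = 0, 0xFFFFFFFF
        elif source[0] == "host":                  # host A.B.C.D
            net, wild = _ip(source[1]), 0
        elif len(source) == 1:                     # bare A.B.C.D: host is the default
            net, wild = _ip(source[0]), 0
        else:                                      # A.B.C.D wildcard
            net, wild = _ip(source[0]), _ip(source[1])
        entries.append((action, net, wild))
    return entries


def evaluate(acl: List[Entry], source: str) -> str:
    """First matching line decides; a list that nothing matches denies."""
    s = _ip(source)
    for action, net, wild in acl:
        if ((s ^ net) & ~wild) == 0:
            return action
    return "deny"        # implied 'deny any' at the end of every IOS access list


# Lab_A model: interface -> directly connected network; S0 is the Internet link.
# Assumed addressing except 172.16.40.0/24 (Sales on E0) and Finance on E1.
LAB_A_INTERFACES: Dict[str, Optional[ipaddress.IPv4Network]] = {
    "E0": ipaddress.ip_network("172.16.40.0/24"),   # Sales (from the text)
    "E1": ipaddress.ip_network("172.16.50.0/24"),   # Finance (address assumed)
    "E2": ipaddress.ip_network("172.16.60.0/24"),   # Marketing (address assumed)
    "S0": None,                                     # Internet, default route
}


def _interface_for(address: str) -> str:
    ip = ipaddress.ip_address(address)
    for name, net in LAB_A_INTERFACES.items():
        if net is not None and ip in net:
            return name
    return "S0"


def forward(acl: List[Entry], applied: Tuple[str, str], src: str, dst: str) -> str:
    """Route src->dst through Lab_A with `acl` applied as (interface, direction).

    An inbound list is checked on the ingress interface before routing; an
    outbound list on the egress interface after routing. Traffic that never
    crosses the interface the list is bound to is not filtered at all.
    """
    ingress, egress = _interface_for(src), _interface_for(dst)
    iface, direction = applied
    if (direction, iface) in (("in", ingress), ("out", egress)):
        return evaluate(acl, src)
    return "permit"


if __name__ == "__main__":
    cfg = ("Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255\n"
           "Lab_A(config)#access-list 10 permit any\n")
    acl10 = parse_standard_acl(cfg, 10)
    print(forward(acl10, ("E1", "out"), "172.16.40.10", "172.16.50.10"))  # deny
    print(forward(acl10, ("E1", "out"), "172.16.40.10", "172.16.60.10"))  # permit
    print(forward(acl10, ("E0", "in"), "172.16.40.10", "172.16.60.10"))   # deny
```

Running the same list as E0 inbound instead of E1 outbound shows why placement matters for a list that can only test the source address: the deny line fires before routing, and Sales loses Marketing and the Internet along with Finance.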