Standard IP access lists


Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access list numbers 1–99.

Here is an example of the access list numbers that you can use to filter your network. The different protocols that you can use with access lists depend on your IOS version.

RouterA(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list

By using the access list numbers between 1–99, you tell the router that you want to create a standard IP access list.

RouterA(config)# access-list 10 ?

deny Specify packets to reject
permit Specify packets to forward

After you choose the access list number, you need to decide if you are creating a permit or deny list. For this example, you will create a deny statement:

RouterA(config)# access-list 10 deny ?

Hostname or A.B.C.D   Address to match
any                   Any source
host                  A single host address

The next step requires a more detailed explanation. There are three options available. You can use the any command to permit or deny any host or network, you can use an IP address to specify or match a specific network or IP host, or you can use the host command to specify a specific host only.

Here is an example of using the host command:

RouterA(config)# access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default command is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.

However, there is another way to specify a specific host: you can use wildcards. In fact, to specify a network or a subnet, you have no option but to use wildcards in the access list.

Wildcards

Wildcards are used with access lists to specify a host, network, or part of a network. To understand wildcards, you need to understand block sizes.

Block sizes are used to specify a range of addresses. The following list shows some of the different block sizes available. When you need to specify a range of addresses, you choose the closest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify two networks, then a block size of 4 would work.

Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example, here is how a full subnet is specified with a wildcard:
172.16.30.0 0.0.0.255

This tells the router to match up the first three octets exactly, but the fourth octet can be any value.

Block sizes: 64, 32, 16, 8, 4

Now, that was the easy part. What if you want to specify only a small range of subnets? This is where the block sizes come in. You have to specify the range of values in a block size. In other words, you can’t choose to specify 20 networks. You can only specify the exact amount as the block size value. For example, the range would either have to be 16 or 32, but not 20. Let’s say that you want to block access to part of a network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0.

It is actually easier than it looks. I could certainly go through the binary math for you, but actually all you have to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15.

We’ll go through some examples to help you really understand it. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything.

RouterA(config)# access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value.

RouterA(config)# access-list 10 deny 172.16.0.0 0.0.255.255

Try to figure out this next line:

RouterA(config)# access-list 10 deny 172.16.16.0 0.0.3.255

The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.

The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0.

RouterA(config)# access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0.

RouterA(config)# access-list 10 deny 172.16.32.0 0.0.31.255

The last example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.

RouterA(config)# access-list 10 deny 172.16.64.0 0.0.63.255

Here are two more things to keep in mind when working with block sizes and wildcards:

Each block size must start at 0. For example, you can’t say that you want a block size of 8 and start at 12. You must use 0–7, 8–15, 16–23, etc. For a block size of 32, the ranges are 0–31, 32–63, 64–95, etc.

The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.

Standard IP Access List Example

In this section, you’ll learn how to use a standard IP access list to stop certain users from gaining access to the finance-department LAN. In Figure 9.1, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department. The Marketing LAN needs to access the Finance LAN for application services.

On the Acme router, the following standard IP access list is applied:

Acme# config t
Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Acme(config)#access-list 10 permit any

It is very important to understand that the any command is the same thing as saying this:

Acme(config)#access-list 10 permit 0.0.0.0 255.255.255.255

At this point, the access list is denying the Sales LAN and allowing everyone else. But where should this access list be placed? If you place it as an incoming access list on E2, you might as well shut down the Ethernet interface, because all of the Sales LAN devices are denied access to every network attached to the router. The best place to put this access list is the E0 interface as an outbound list.

Acme(config)#int e0
Acme(config-if)#ip access-group 10 out

This completely stops network 172.16.40.0 from getting out Ethernet 0, but it can still access the Marketing LAN and the Internet.

Controlling VTY (Telnet) Access

You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves.

To perform this function:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

2. Apply the access list to the VTY line with the access-class command.

Here is an example of allowing only host 172.16.10.3 to telnet into a router:

RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3.
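To check what a network/wildcard pair really covers, and how a standard list decides on a given source address, here is an added Python model of the matching rules described above (it is not code from the book or from IOS; the function names and the ACL_10 and ACL_50 tables are this example's own). It serves the wildcard and block-size discussion, the Acme list 10 example, and the VTY list 50 example, and it flags a block that does not start on a boundary, which the "must start at 0" rule warns about.

```python
import ipaddress

def _i(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def matches(src, network, wildcard):
    """Standard-ACL test: every bit where the wildcard bit is 0 must equal the network bit."""
    w = _i(wildcard)
    return (_i(src) & ~w) == (_i(network) & ~w)

def block_range(network, wildcard):
    """Return (first, last, aligned): the addresses the pair actually covers and whether
    the network sits on a block boundary. Because only the non-wildcard bits are compared,
    an unaligned start such as 172.16.12.0 0.0.7.255 still covers all of 172.16.8.0-172.16.15.255."""
    n, w = _i(network), _i(wildcard)
    first = n & ~w
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | w)),
            (n & w) == 0)

def wildcard_for_networks(count):
    """Smallest power-of-two block size holding `count` /24 networks, and the matching
    third-octet wildcard (block size minus one, as the text describes)."""
    size = 1 << (count - 1).bit_length()
    return size, "0.0.%d.255" % (size - 1)

def evaluate(acl, src):
    """Walk entries top-down; the first match wins; implicit deny any at the end."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"

# Constructed from the page's examples: Acme's list 10 and the VTY list 50.
ACL_10 = [("deny", "172.16.40.0", "0.0.0.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]   # same as "permit any"
ACL_50 = [("permit", "172.16.10.3", "0.0.0.0")]      # same as "permit host 172.16.10.3"

if __name__ == "__main__":
    print(block_range("172.16.8.0", "0.0.7.255"))    # ('172.16.8.0', '172.16.15.255', True)
    print(block_range("172.16.12.0", "0.0.7.255"))   # ('172.16.8.0', '172.16.15.255', False)
    print(wildcard_for_networks(34))                  # (64, '0.0.63.255')
    print(evaluate(ACL_10, "172.16.40.7"), evaluate(ACL_10, "172.16.10.3"))  # deny permit
    print(evaluate(ACL_50, "172.16.10.3"), evaluate(ACL_50, "172.16.10.4"))  # permit deny
```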