CCNP ENARSI 300-410 Exam Cram Notes

3.0 Infrastructure Security

3.2 Troubleshoot router security features

IPv4 access control lists (standard, extended, time-based)

The wildcard mask 0.0.0.255 specifies that the first three octets must match the given IP address (in this case 192.168.1) for the IP traffic to be permitted. The 255 in the last octet tells the router to ignore the last octet of the address being filtered.

If you apply an access list to an interface and it does not contain at least one permit statement, you effectively shut down the interface, because of the implicit deny any at the end of every list.

The following statements permit access to the VTYs (the router command prompt) from the 192.168.1.0/24 netblock while denying access from everywhere else:

RTA(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RTA(config)#line vty 0 4
RTA(config-line)#access-class 1 in

Standard ACLs: Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL.

This is the command syntax format of a standard ACL.

access-list access-list-number {permit|deny}
{host|source source-wildcard|any}

In all software releases, the access-list-number can be anything from 1 to 99. In Cisco IOS Software Release 12.0.1, standard ACLs begin to use additional numbers (1300 to 1999). These additional numbers are referred to as expanded IP ACLs. After the ACL is defined, it must be applied to the interface (inbound or outbound).

Extended ACLs: Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL. In all software releases, the access-list-number can be 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs.

An example configuration for an extended ACL is given below. Note that www is a TCP port keyword (port 80):

access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www
access-list 100 permit ip any any
interface fastEthernet 0/0
ip access-group 100 in

Observe that the command "ip access-group 100 in" applies the access list inbound on interface FastEthernet 0/0.

IP Named ACLs: Named ACLs allow standard and extended ACLs to be given names instead of numbers.

This is the command syntax format for IP named ACLs.

ip access-list {extended|standard} name

IPv6 traffic filter

Consider an IPv6 access list called "acltest" applied to incoming VTY connections on the router. The access list has just one entry, which allows only the single IPv6 address 2001:DB8:0:4::32 to connect, and only using SSH.

Wildcard masking: Wildcard masking is used to permit or deny a group of addresses. For example, if we have a source address 185.54.13.2 and want all the hosts on the last octet to be considered, we use a wildcard mask, 185.54.13.255.

Special cases: Host 185.54.13.2 is the same as 185.54.13.2 with a wildcard mask of 0.0.0.0; only the specified IP address is considered.

Any is equivalent to 0.0.0.0 with a wildcard mask of 255.255.255.255. This means none of the bits matter: every IP address meets the criteria.
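To make the wildcard-mask rules, the top-down first-match order and the implicit deny concrete, here is an added Python model of how IOS walks a numbered IPv4 ACL. It is my own illustration, not code from these notes and not Cisco's implementation: the Ace structure, the evaluate function and the pkt helper are constructions of this example, and the two lists encoded are access-list 1 and access-list 100 from the configurations above.

```python
# Added example: a small model of IOS numbered-ACL evaluation (not Cisco code).
# Shows wildcard-mask matching, top-down first-match ordering and the
# implicit 'deny any' at the end of every list.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask means 'this bit must match'; a 1 bit
    means 'ignore this bit'.  'host X' is X with wildcard 0.0.0.0, and
    'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Ace:
    """One access control entry (hypothetical structure, not an IOS object)."""
    action: str                          # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"                 # standard ACLs look at the source only
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"      # default: 'any' destination
    dst_port: Optional[int] = None       # 'eq <port>' on the destination


def evaluate(acl: list, packet: dict) -> str:
    """Walk the entries top-down; the first matching entry decides.
    A list with no match (including an empty list) ends in the implicit deny."""
    for ace in acl:
        if not wildcard_match(packet["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(packet["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.protocol != "ip" and ace.protocol != packet["proto"]:
            continue
        if ace.dst_port is not None and ace.dst_port != packet.get("dport"):
            continue
        return ace.action
    return "deny"   # implicit 'deny any' at the end of every access list


# access-list 1 permit 192.168.1.0 0.0.0.255   (the VTY access-class above)
ACL_1 = [Ace("permit", "192.168.1.0", "0.0.0.255")]

# access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www
# access-list 100 permit ip any any
ACL_100 = [
    Ace("deny", "10.0.0.2", "0.0.0.0", "tcp", "10.0.1.2", "0.0.0.0", 80),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]


def pkt(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> dict:
    """Constructed sample packet header: only the fields the ACL looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    print(evaluate(ACL_1, pkt("192.168.1.77", "10.0.0.1", "tcp", 22)))    # permit
    print(evaluate(ACL_1, pkt("192.168.2.77", "10.0.0.1", "tcp", 22)))    # deny (implicit)
    print(evaluate(ACL_100, pkt("10.0.0.2", "10.0.1.2", "tcp", 80)))      # deny (first entry)
    print(evaluate(ACL_100, pkt("10.0.0.2", "10.0.1.2", "tcp", 443)))     # permit
    print(evaluate([], pkt("192.168.1.1", "10.0.0.1")))                   # deny (empty list)
```

The same wildcard_match function covers the special cases: a host entry is a wildcard of 0.0.0.0 (every bit must match), and any is 0.0.0.0 with 255.255.255.255 (no bit is checked). Note that the empty list denies everything, which is the behaviour behind the warning about applying a list with no permit statement.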

The syntax for configuring an IPv6 ACL entry is as given below:

deny | permit <protocol>
{source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]

The entry "permit tcp any host 2001:DB8:10:10::100 eq 25" permits TCP traffic from any host to port 25 (SMTP) on the server 2001:DB8:10:10::100, which sits on the network 2001:DB8:10:10::/64.

Some of the widely used port numbers are given below:

Port Number   Description
21            FTP
22            SSH
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)

The following are the key similarities and differences between IPv4 and IPv6 ACLs:

1. IPv4 uses both numbered and named access lists, whereas IPv6 uses named access lists only.

2. IPv4 ACLs are typically written as a sequence of permit statements that include an implicit deny clause as their last line. Although this implicit deny is also present on IOS IPv6 ACLs, there are a couple of things to be aware of:

There are also implicit permit statements designed to allow two of the main Neighbor Discovery (ND) messages: permit icmp any any nd-na (which handles Neighbor Advertisement messages) and permit icmp any any nd-ns (which takes care of Neighbor Solicitation messages).

If your environment requires Router Advertisement (RA) and Router Solicitation (RS) messages to be allowed, these lines must be configured explicitly, in the same way as the regular permits.

If you add an explicit deny as the last line of the IPv6 ACL, that statement takes precedence over the implicit permits described above (for nd-na and nd-ns).

3. Both IPv4 and IPv6 ACLs can match on values specific to the IPv4 and IPv6 header respectively, but an IPv4 ACL cannot match on IPv6 header fields and vice versa: IPv4 ACLs match only IPv4 packets, and IPv6 ACLs match only IPv6 packets.

An IPv6 ACL configuration looks like this:

interface FastEthernet0/1
ipv6 traffic-filter Deny_Subnet_A_IPv6 out
ipv6 access-list Deny_Subnet_A_IPv6
deny ipv6 2001:DB8:0:100::/64 any
permit ipv6 any any

Unicast 6to4 addresses (2002::/16) are used to communicate between two IPv6/IPv4 nodes over the IPv4 Internet. A 6to4 address combines the prefix 2002::/16 with the 32 bits of the node's public IPv4 address to create a 48-bit prefix, 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of the public IPv4 address w.x.y.z.
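As an added example (my own Python, not from these notes), the following builds the 6to4 /48 prefix from an IPv4 address and extracts the IPv4 address embedded in any address under 2002::/16, which is what you need when a 6to4 source shows up in a log and you want to know which IPv4 endpoint it maps to. 192.0.2.4 is a constructed documentation address; the function names are this example's own.

```python
# Added example (not from these notes): deriving a 6to4 /48 prefix from an
# IPv4 address and recovering the IPv4 address embedded in a 6to4 address.
# The IPv4 addresses used with it are constructed samples.
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is w.x.y.z written in hex.
    The prefix is only meaningful for a public IPv4 address; this helper
    does not enforce that, so it can be tried with documentation ranges."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # bits 127..112 = 0x2002, bits 111..80 = the IPv4 address, rest zero
    prefix_int = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix_int)}/48")


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in bits 111..80 of a 6to4 address,
    or None if the address is not inside 2002::/16."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(to_6to4_prefix("192.0.2.4"))          # 2002:c000:204::/48
    print(embedded_ipv4("2002:c000:204::1"))    # 192.0.2.4
    print(embedded_ipv4("2001:db8::1"))         # None
```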


Another IPv6 ACL entry, "deny tcp any any eq telnet", stops any host from telnetting to any destination host.
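To see the implicit ND permits and the explicit-deny override in action, here is an added Python model of IPv6 ACL evaluation. It is my own illustration, not code from these notes and not Cisco's implementation: the Ace6 structure, the IMPLICIT_TAIL list and the sample packets are constructions of this example. The lists encoded are Deny_Subnet_A_IPv6 from the configuration above, the telnet deny, an SMTP list ending in an explicit deny, and an assumed reconstruction of the single-entry "acltest" described earlier (taken to be permit tcp host 2001:DB8:0:4::32 any eq 22, since the notes do not show its text).

```python
# Added example (not from these notes, not Cisco code): a model of IOS IPv6
# ACL evaluation with the implicit entries that follow every IPv6 list:
#   permit icmp any any nd-na
#   permit icmp any any nd-ns
#   deny ipv6 any any
# An explicit 'deny ipv6 any any' written by the operator is reached first
# and therefore overrides the two implicit ND permits.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace6:
    """One IPv6 access control entry (hypothetical structure)."""
    action: str                       # "permit" or "deny"
    protocol: str                     # "ipv6", "tcp", "udp" or "icmp"
    src: str                          # "any" or a prefix; 'host X' is X/128
    dst: str
    dst_port: Optional[int] = None    # 'eq <port>' on the destination
    icmp_type: Optional[str] = None   # e.g. "nd-na", "nd-ns"


IMPLICIT_TAIL = [
    Ace6("permit", "icmp", "any", "any", icmp_type="nd-na"),
    Ace6("permit", "icmp", "any", "any", icmp_type="nd-ns"),
    Ace6("deny", "ipv6", "any", "any"),
]


def prefix_match(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


def matches(ace: Ace6, pkt: dict) -> bool:
    if ace.protocol != "ipv6" and ace.protocol != pkt["proto"]:
        return False
    if not prefix_match(pkt["src"], ace.src) or not prefix_match(pkt["dst"], ace.dst):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.get("icmp_type"):
        return False
    return True


def evaluate6(acl: list, pkt: dict) -> str:
    """First match wins; the operator's entries are followed by IMPLICIT_TAIL."""
    for ace in list(acl) + IMPLICIT_TAIL:
        if matches(ace, pkt):
            return ace.action
    return "deny"   # not reached in practice: IMPLICIT_TAIL always matches


# ipv6 access-list Deny_Subnet_A_IPv6 (from the configuration above)
DENY_SUBNET_A = [
    Ace6("deny", "ipv6", "2001:DB8:0:100::/64", "any"),
    Ace6("permit", "ipv6", "any", "any"),
]
# Assumed reconstruction of the single-entry 'acltest' described earlier
ACLTEST = [Ace6("permit", "tcp", "2001:DB8:0:4::32/128", "any", dst_port=22)]
# deny tcp any any eq telnet, then permit everything else
TELNET_DENY = [
    Ace6("deny", "tcp", "any", "any", dst_port=23),
    Ace6("permit", "ipv6", "any", "any"),
]
# A list that ends with an explicit deny: the implicit ND permits never apply
EXPLICIT_DENY_TAIL = [
    Ace6("permit", "tcp", "any", "2001:DB8:10:10::100/128", dst_port=25),
    Ace6("deny", "ipv6", "any", "any"),
]

# Constructed sample packets: link-local ND traffic and an RA
ND_NA = {"src": "fe80::1", "dst": "ff02::1", "proto": "icmp", "icmp_type": "nd-na"}
RA = {"src": "fe80::1", "dst": "ff02::1", "proto": "icmp", "icmp_type": "router-advertisement"}

if __name__ == "__main__":
    print(evaluate6(ACLTEST, ND_NA))               # permit (implicit nd-na entry)
    print(evaluate6(ACLTEST, RA))                  # deny (RA needs an explicit permit)
    print(evaluate6(EXPLICIT_DENY_TAIL, ND_NA))    # deny (explicit deny wins)
```

The model makes the practical consequence visible: a list that is written with a trailing deny ipv6 any any silently breaks Neighbor Discovery on that interface unless nd-na and nd-ns are permitted explicitly above it, and Router Advertisements are dropped by every list that does not permit them explicitly.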

IP access lists are a sequential list of permit and deny conditions that apply to IP addresses or upper-layer protocols. Access Control Lists are used in routers to identify and control traffic.

There are two types of IP access lists:

1. Standard IP Access Lists: These have the format,

access-list [number] [permit or deny] [source_address]

Keep in mind that:

  • Place standard access lists as near the destination as possible and extended access lists as close to the source as possible.

  • Access lists have an implicit deny at the end of them automatically. Because of this, an access list should have at least one permit statement in it; otherwise the access list will block all remaining traffic.

  • Access lists applied to interfaces default to outbound if no direction is specified.

2. Extended IP Access Lists: Extended IP access lists have the format,

access-list {number} {permit or deny} {protocol} {source} {destination} {port}

With extended IP access lists, we can act on any of the following:

- Source address

- Destination address

- IP protocol (TCP, ICMP, UDP, etc.)

- Port information (WWW, DNS, FTP, etc.)

The number ranges for some important access-list types are:

1-99 : IP standard access list

100-199 : IP extended access list

800-899 : IPX standard access list

900-999 : IPX extended access list

1000-1099 : IPX SAP access list

1100-1199 : Extended 48-bit MAC address access list

Unicast reverse path forwarding (uRPF)

uRPF (Unicast Reverse Path Forwarding): uRPF is used to prevent common source-address spoofing attacks. The router relies on the CEF table to perform the reverse-path lookups. uRPF works in two modes: strict mode and loose mode.

Strict Mode: In this mode the router verifies that the IP packet arrived on the same interface the router would use to reach the packet's source address. Beware of asymmetric routing: legitimate packets that arrive on an interface other than the return path are dropped.

Loose Mode: In this mode the router only verifies that the source IP can be reached via the CEF table through any interface.

ip verify unicast source reachable-via rx configures uRPF in strict mode

ip verify unicast source reachable-via any configures uRPF in loose mode

The allow-default option may be used with either the rx or the any option to accept source addresses not specifically contained in the routing table (those matched only by the default route). The allow-self-ping option should not be used because it could create a denial of service condition. An access list (the list option in the syntax below) may also be configured to specifically permit or deny a list of addresses through Unicast RPF.

Ex:

interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
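As an added example (my own Python, not from these notes and not how IOS implements the feature), the following models the uRPF decision in strict (rx) and loose (any) mode against a small constructed FIB, and shows the effect of allow-default, of an asymmetric return path, and of a source whose route points to Null0. The FIB contents, interface names and function names are constructions of this example; treating a Null0 route as a failed check and requiring, in strict mode with allow-default, that the default route's interface be the ingress interface are the model's assumptions about the behaviour described above.

```python
# Added example (not from these notes, not Cisco code): the uRPF decision for
# strict (rx) and loose (any) mode against a small constructed FIB/CEF table,
# including allow-default and a route to Null0.
import ipaddress
from typing import Optional, Tuple

# Constructed FIB: prefix -> egress interface
FIB = {
    "10.1.0.0/16": "Gi0/0",
    "10.2.0.0/16": "Gi0/1",
    "192.168.50.0/24": "Gi0/2",
}
FIB_WITH_DEFAULT = {**FIB, "0.0.0.0/0": "Gi0/3"}
FIB_WITH_BLACKHOLE = {**FIB, "192.168.99.0/24": "Null0"}


def lookup(fib: dict, src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match for the source address, as CEF would do it."""
    addr = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: dict, src: str, ingress: str, mode: str = "rx",
               allow_default: bool = False) -> bool:
    """True if the packet passes uRPF, False if it should be dropped.

    rx  (strict): the best route back to src must leave via the ingress interface.
    any (loose):  any route back to src is enough.
    Without allow-default, a source matched only by 0.0.0.0/0 is treated as
    unreachable.  A route to Null0 is never a valid reverse path (assumption
    of this model, matching the usual loose-mode black-hole behaviour)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    hit = lookup(fib, src)
    if hit is None:
        return False                         # no route back to the source
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                         # only the default route matched
    if iface == "Null0":
        return False                         # black-holed source
    if mode == "any":
        return True
    return iface == ingress                  # strict: must be the same interface


if __name__ == "__main__":
    print(urpf_check(FIB, "10.1.5.5", "Gi0/0", "rx"))      # True
    print(urpf_check(FIB, "10.1.5.5", "Gi0/1", "rx"))      # False: asymmetric path
    print(urpf_check(FIB, "10.1.5.5", "Gi0/1", "any"))     # True: loose mode
    print(urpf_check(FIB, "172.16.0.1", "Gi0/0", "any"))   # False: no route at all
```

The asymmetric case is the one to remember for troubleshooting: a source that is perfectly routable fails strict mode simply because its packets enter on a different interface than the one the FIB would use to send replies, and the same packet passes once the interface is switched to loose mode.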
