Controlling Network Security For The Corporate Network Using Standard And Extended Cisco Router Access List
In a large network organization, building a computer network infrastructure securely is a must. Management of information security is developed by implementing a suitable set of controls (policies, procedures, organizational structures, systems and functions) to ensure that the security objectives of the organization are met.
One of the items to consider when gathering the requirements for a secured network is endpoint security: securing the endpoint router with a strong access list policy. When people speak about network security, typing a user name and password to log in to the network is typically what comes to mind. That type of security is implemented in the upper OSI layers, above the network layer. Routers, by contrast, examine traffic and permit or deny services based on characteristics of the traffic such as address and protocol.
Controlling network security with access lists
Routers control network security by using access lists. An access list describes network traffic characteristics such as source and destination address and protocol. You control the type of traffic a router sends and receives by creating an access list and applying it to an interface. The access list describes the traffic types that the router will accept or forward.
Router access list
Routers use access lists to control incoming or outgoing traffic. Access lists have the following characteristics:
- Access lists describe the traffic type that will be controlled
- Access list entries describe the traffic characteristics
- Access list entries identify either permitted or denied traffic
- Access list entries can describe a specific traffic type, or allow or restrict all traffic
- When created, an access list contains an implicit “deny all” entry
- Each access list applies only to a specific protocol
- Each router interface can have up to two access lists per protocol: one for incoming traffic and one for outgoing traffic
- When an access list is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic
- Access lists exist globally on the router, but filter traffic only on the interfaces to which they have been applied
- Each access list can be applied to more than one interface (however, each interface can have only one incoming and one outgoing list per protocol)
- Basic (standard) access lists restrict traffic on the most common traffic characteristics (such as the specified protocol within the suite)
Note that when you create an access list, it automatically contains a “deny any” statement, although this statement does not appear in the list itself. For a list to allow any traffic, it must have at least one permit statement, either permitting a specific traffic type or permitting all traffic not specifically restricted.
Different access lists exist depending on the protocol type. Regardless of the protocol, use the following general steps to create and implement access lists.
- In global configuration mode, create the list and add access list entries with the “access-list” command
- In interface mode, apply a specific list to the interface (typically with the “access-group” command).
Access lists are identified by number, although they can be assigned a name as well. The number identifies not only the specific access list, but the following characteristics as well:
- Protocol suite
- Whether the list is a standard or an extended list
Number ranges have been established for each protocol type, both standard and extended.
Access list number ranges
You should remember the following number values for identifying and creating access lists:
| Number range | List type |
|---|---|
| 0-99 | Regular IP list |
| 100-199 | Extended IP list |
| 800-899 | Regular IPX list |
| 900-999 | Extended IPX list |
| 1000-1099 | SAP list |
For a list of all access list number ranges, type “access-list ?” at the router's global configuration prompt.
Configuring IP Access Lists
When creating an IP access list, you can create either a standard or an extended access list. The following compares the two list types.
Use a standard list to filter on the source hostname or host IP address.
Use an extended list to filter on:
- IP protocol (IP, TCP, UDP, etc.)
- Source hostname or host IP address
- Source or destination socket number
- Destination host name or host IP address
- Precedence or TOS values
Standard IP access lists
- Filter on source address
- Log events (optional)
Creating a standard IP access list
Create most access lists using the following process. Remember that standard IP access lists are numbered between 1 and 99.
The following commands create a standard IP access list that permits all outgoing traffic except the traffic from network 10.0.0.0, and apply it to the Ethernet0 interface (E0):
```
Router(config)# access-list 1 deny 10.0.0.0 0.255.255.255
Router(config)# access-list 1 permit any
Router(config)# int e0
Router(config-if)# ip access-group 1 out
```
The following commands create a standard IP access list that rejects all traffic except traffic from host 10.12.12.16, and apply the list to the Serial0 interface (S0):
```
Router(config)# access-list 2 permit 10.12.12.16
Router(config)# int s0
Router(config-if)# ip access-group 2 in
```
Extended IP access lists (standard capabilities plus)
- Filter on protocol
- Filter on destination address
- Filter on port number (both source and destination)
Remember that extended IP access lists are numbered between 100 and 199. Entries are evaluated top-down and the first match wins, so a specific deny must come before a general permit, otherwise the deny is never reached.
The following commands create an extended IP access list that rejects packets from host 10.1.1.1 sent to host 15.1.1.1, and apply the list to the second serial interface (S1):
```
Router(config)# access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0
Router(config)# access-list 101 permit ip any any
Router(config)# int s1
Router(config-if)# ip access-group 101 in
```
The following commands create an extended IP access list that does not forward TCP packets from any host on network 10.0.0.0 to network 11.12.0.0, and apply the list to the first serial interface (S0):
```
Router(config)# access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255
Router(config)# access-list 111 permit ip any any
Router(config)# int s0
Router(config-if)# ip access-group 111 in
```
Note that you can have only one incoming and one outgoing IP access list on each interface. Remember that each access list contains an implicit “deny any” entry. When created, the access list denies all traffic except traffic explicitly permitted by a permit statement in the list.
The following list summarizes the commands to use for viewing specific access list information on the router.
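To see how the router actually decides, here is an added Python model of numbered IP access-list evaluation (not IOS code and not from the original article): it applies wildcard masks, walks the entries top-down with first match winning, falls through to the implicit deny, and uses the constructed list ACL_101_SHADOWED to show why putting “permit ip any any” before a deny leaves that deny unreachable.

```python
import ipaddress
import re

# Added model of Cisco IOS numbered IP access-list evaluation (not IOS code):
# first match wins, wildcard bit 0 = "must match", unmatched = implicit deny.

def wildcard_match(addr, base, wildcard):
    """True if every bit that is 0 in the wildcard mask agrees between addr and base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tokens):
    """Consume 'any', 'host A' or 'A [WILDCARD]' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and re.fullmatch(r"\d+(\.\d+){3}", tokens[0]):
        return t, tokens.pop(0)
    return t, "0.0.0.0"            # bare address (standard list) = exact host

def parse_entry(line):
    """Parse 'access-list N permit|deny [proto] SRC [DST]' into a rule dict."""
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= num <= 99:             # standard IP list: source address only
        proto, (src, swc) = "ip", _addr(rest)
        dst, dwc = "0.0.0.0", "255.255.255.255"
    else:                          # extended IP list: protocol, source, destination
        proto, (src, swc), (dst, dwc) = rest.pop(0), _addr(rest), _addr(rest)
    return {"action": action, "proto": proto, "src": src, "swc": swc, "dst": dst, "dwc": dwc}

def evaluate(acl_lines, proto, src, dst):
    """Return 'permit' or 'deny' for one packet the way the router decides it."""
    for r in map(parse_entry, acl_lines):
        if r["proto"] != "ip" and r["proto"] != proto:
            continue               # a tcp entry never matches a udp packet
        if wildcard_match(src, r["src"], r["swc"]) and wildcard_match(dst, r["dst"], r["dwc"]):
            return r["action"]
    return "deny"                  # implicit "deny any" that ends every list

# Constructed sample lists; ACL_101_SHADOWED puts permit first, so its deny is dead
ACL_1 = ["access-list 1 deny 10.0.0.0 0.255.255.255", "access-list 1 permit any"]
ACL_101_SHADOWED = ["access-list 101 permit ip any any",
                    "access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0"]
ACL_101_FIXED = ACL_101_SHADOWED[::-1]
```

Feeding a packet from 10.1.1.1 to 15.1.1.1 through ACL_101_SHADOWED returns "permit", while ACL_101_FIXED returns "deny", which is the behaviour the article's example intends.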
| If you want to view | Use the command below |
|---|---|
| All access lists that exist on the router | `show run`, `show access-list` |
| All access lists applied to the interface | `show ip int`, `show run` |
| Rejected traffic information | `show log` |
| IP access lists configured on the router | `show run`, `show ip access-lists` |
| IPX access lists configured on the router | `show run`, `show ipx access-lists` |
Once we understand how access lists work, configuring the router based on the policy we have developed becomes easier and even fun. In addition to securing the corporate network with access lists, deploying corporate security software is also a recommended solution to help proactively protect the corporate network.