Access Lists on the OS2400/L3

Introduction

Integral to the task of managing IP traffic is eliminating unwanted traffic while still allowing appropriate user access to necessary services. The OS2400/L3 provides mechanisms for reducing unwanted traffic and restricting network use to authorized users only.

IP Access Lists

An IP access list is a sequential collection of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists are not necessarily secure when used by themselves; however, they may be used as part of a network security strategy. Access lists can be applied to an IP interface or virtual terminal line; they can be used to control the transmission of packets on an interface or even to restrict the contents of routing rules.

Access List Processing

Once an access list is applied to an interface, the router tests each packet received on that interface against the conditions in the access list one by one. The first match determines whether the router accepts or rejects the packet. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet.

Wildcard Mask

IP access lists use a wildcard mask to specify IP address ranges and TCP/UDP port ranges. The wildcard mask is written as a prefix length, equal to the number of contiguous one-bits in the traditional mask. Address bits corresponding to wildcard mask bits set to 1 are used in comparisons; address bits corresponding to wildcard mask bits set to 0 are ignored in comparisons. This is the same sense as a subnet mask (not the inverted sense used by Cisco-style wildcard masks, where a 0 bit means "must match").

An alternative way to think of the wildcard mask is as follows: If a 1 bit appears in the mask, the corresponding bit location in the access list address (or TCP/UDP port) and the same location in the packet address (or TCP/UDP port) must match (either both 0 or both 1).
If a 0 bit appears in the mask, the bit location in the packet will match whether it is 0 or 1, and the bit location in the access list address (or TCP/UDP port) is ignored. For this reason, 0 bits in the mask are sometimes called "don't care" bits.

Here are some examples of IP address ranges:

Address/Mask        Matches
0.0.0.0             Any address
130.108.10.0/24     Subnet 130.108.10.0 (130.108.10.0 through 130.108.10.255)
194.90.140.100/32   Host 194.90.140.100
194.90.141.0/24     Network 194.90.141.0
194.90.142.16/30    Subnet 194.90.142.16 (194.90.142.16 through 194.90.142.19)

Here are some examples of port ranges:

Port/Mask   Matches
20/15       Ports 20-21
16/12       Ports 16-31
21/16       Port 21
0/7         Ports 0-511
16/8        Ports 0-255

Upstream and Downstream Traffic Filtering

For performance optimization and efficiency, the router should know whether an access list is applied to filter upstream traffic or downstream traffic. Upstream traffic consists of packets that originate from hosts on a local subnet and are bound for the internet or for hosts on a different local subnet; it is characterized by IP source addresses that belong to the local subnet. Downstream traffic consists of packets that originate from the internet and are bound for hosts on the local subnet; it is characterized by IP destination addresses that belong to the local subnet.

When creating access lists, it is highly recommended to separate the rules that filter upstream traffic from those that filter downstream traffic by placing them in different access lists, and then to apply each list according to its nature: 'up' for upstream traffic, 'down' for downstream traffic.

Configuration Principles for Access Lists

The following four general principles help ensure that the access lists you create have the intended results:

Top-down processing – Organize your access list so that more specific references to a network or subnet appear before more general ones. Place more frequently occurring conditions before less frequent conditions to optimize performance.
Implicit deny any – Unless you end your access list with an explicit permit any, it will deny by default all traffic that fails to match any of the access list lines.

New lines added to the end – Subsequent additions are always added to the end of the access list.

Undefined access list means permit any – If you apply an access list to an interface with the access-class command before any access list lines have been created, the result is permit any.

Access List Configuration Tasks

Whenever you create an access list, you need to complete the following tasks:

1. Create the access list in global configuration mode by specifying an access list name and access conditions.
2. Apply the access list in interface configuration mode to interfaces or terminal lines. After an access list is created, you can apply it to one or more interfaces.

Access List Commands

Use the access-list command to create an IP entry in a traffic filter list:

access-list name {permit | deny} {source/wildcard-mask | any} {destination/wildcard-mask | any}

Use the access-list tcp command to create a TCP entry in the traffic filter list:

access-list name {permit | deny} tcp {source/wildcard-mask | any} src-ports source-port/wildcard-mask {destination/wildcard-mask | any} dst-ports destination-port/wildcard-mask

The configuration for UDP is similar to TCP:

access-list name {permit | deny} udp {source/wildcard-mask | any} src-ports source-port/wildcard-mask {destination/wildcard-mask | any} dst-ports destination-port/wildcard-mask

Configuration of other protocols is also allowed:

access-list name {permit | deny} protocol {source/wildcard-mask | any} {destination/wildcard-mask | any}

You can also add a remark or comment to an access list:

access-list name remark line

The following table explains the parameters:

Parameter                        Description
name                             Access list identifier
permit | deny                    Whether this entry is used to allow or block the specified address(es)
protocol                         Protocol number in the range 0 through 255, or a protocol name (e.g. icmp, igmp, ospf)
source & destination             IP addresses
wildcard-mask                    Mask of the address or port bits that must match: 1s indicate bits that must match, 0s are "don't care"
any                              Any address
source-port & destination-port   TCP/UDP ports

Use the access-class command to link an existing access list to an interface. An interface can have only one access list active; however, a single access list may be applied to more than one interface at a time. When an access list is applied, the router checks the validity of all its rules and verifies that internal resources are available for that access list. If they are not, the command fails and all the access list rules are removed, so verify with show access-list after applying a list.

access-class access-list-name {up | down}

Parameter          Description
access-list-name   The access list to be linked to the interface
up                 Optimize for upstream traffic
down               Optimize for downstream traffic

All the above commands have a "no" form, like any other CLI configuration command.

Use the show access-list command to view previously configured access lists and verify the configuration:

show access-list [name]

Parameter   Description
name        (Optional) Shows a specific list. If this option is not specified, all IP access lists are displayed.
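The first-match processing, the prefix-length wildcard mask and the access-list syntax described above, as an added example that is not code from the OS2400/L3 or its vendor: it parses access-list lines in the page's syntax, evaluates packets with first-match semantics and the implicit deny, computes the ranges shown in the address and port tables, and flags rules that an earlier, broader rule makes unreachable (the ordering pitfall from the configuration principles; this check is an addition, not a device feature). It assumes that a port written 0/0 matches any port (extending the page's 0/7 = 0-511 scheme), that a bare 0.0.0.0 means any address as in the page's table, and that protocol keywords map to their IANA numbers. The sample list, hosts and addresses are constructed.

```python
# Added example, not OS2400/L3 vendor code; mask = prefix length, covered bits must match.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "ospf": 89}  # IANA protocol numbers
ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> int

def prefix_mask(plen: int, width: int) -> int:
    """`plen` leading one-bits in a `width`-bit field (32 for addresses, 16 for ports)."""
    return ((1 << width) - 1) ^ ((1 << (width - plen)) - 1)

@dataclass(frozen=True)
class Field:
    value: int   # address or port as written in the rule
    plen: int    # wildcard mask: number of high-order bits that must match
    width: int
    def matches(self, x: int | None) -> bool:
        return x is not None and (x ^ self.value) & prefix_mask(self.plen, self.width) == 0
    def covers(self, other: Field | None) -> bool:  # self matches everything `other` matches
        return other is not None and self.plen <= other.plen and self.matches(other.value)
    def range(self) -> tuple[int, int]:  # lowest and highest value matched
        low = self.value & prefix_mask(self.plen, self.width)
        return low, low + (1 << (self.width - self.plen)) - 1

def parse_field(tok: str, width: int) -> Field:
    if tok in ("any", "0.0.0.0"):  # the page's table lists a bare 0.0.0.0 as "any address"
        return Field(0, 0, width)
    val, plen = tok.split("/")
    return Field(ip(val) if width == 32 else int(val), int(plen), width)

@dataclass(frozen=True)
class Rule:
    action: str
    proto: int | None     # None = any IP protocol
    src: Field
    dst: Field
    sport: Field | None   # None = no port constraint
    dport: Field | None

def parse_rule(line: str) -> Rule | None:
    """Parse one 'access-list NAME ...' line in the page's syntax; remark lines give None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny", "remark"):
        raise ValueError(f"unrecognised line: {line!r}")
    if t[2] == "remark":
        return None
    rest, proto = t[3:], None
    if rest[0] not in ("any", "0.0.0.0") and "/" not in rest[0]:  # protocol keyword or number
        proto, rest = PROTO_NUMBERS.get(rest[0]) or int(rest[0]), rest[1:]
    src, i, sport, dport = parse_field(rest[0], 32), 1, None, None
    if rest[i:i + 1] == ["src-ports"]:
        sport, i = parse_field(rest[i + 1], 16), i + 2
    dst, i = parse_field(rest[i], 32), i + 1
    if rest[i:i + 1] == ["dst-ports"]:
        dport = parse_field(rest[i + 1], 16)
    return Rule(t[2], proto, src, dst, sport, dport)

def evaluate(rules: list[Rule], proto: int, src: int, dst: int,
             sport: int | None = None, dport: int | None = None) -> tuple[str, int | None]:
    """First matching rule decides; no match is the implicit deny (rule index None)."""
    for i, r in enumerate(rules):
        if ((r.proto is None or r.proto == proto) and r.src.matches(src) and r.dst.matches(dst)
                and (r.sport is None or r.sport.matches(sport))
                and (r.dport is None or r.dport.matches(dport))):
            return r.action, i
    return "deny", None

def shadowed_rules(rules: list[Rule]) -> list[tuple[int, int]]:
    """(i, j) pairs: rule i can never fire because earlier rule j matches everything it would."""
    out = []
    for i, ri in enumerate(rules):
        for j, rj in enumerate(rules[:i]):
            if ((rj.proto is None or rj.proto == ri.proto) and rj.src.covers(ri.src)
                    and rj.dst.covers(ri.dst) and (rj.sport is None or rj.sport.covers(ri.sport))
                    and (rj.dport is None or rj.dport.covers(ri.dport))):
                out.append((i, j))
                break
    return out

# Constructed list (not from the page): the telnet deny for one host sits after a subnet-wide permit.
CONSTRUCTED_ACL = """
access-list INBOUND remark downstream filter for 194.90.141.0/24 (constructed example)
access-list INBOUND permit tcp any src-ports 0/0 194.90.141.0/24 dst-ports 0/0
access-list INBOUND deny tcp any src-ports 0/0 194.90.141.10/32 dst-ports 23/16
access-list INBOUND permit udp any src-ports 0/0 194.90.141.0/24 dst-ports 53/16
"""

def demo() -> dict:
    rules = [r for r in map(parse_rule, CONSTRUCTED_ACL.strip().splitlines()) if r]
    fixed = [rules[1], rules[0], rules[2]]  # specific deny moved before the general permit
    telnet = (6, ip("203.0.113.5"), ip("194.90.141.10"), 40000, 23)
    return {"as_written": evaluate(rules, *telnet),    # ('permit', 0): the deny is shadowed
            "unreachable": shadowed_rules(rules),      # [(1, 0)]
            "reordered": evaluate(fixed, *telnet),     # ('deny', 0)
            "icmp": evaluate(fixed, 1, *telnet[1:3])}  # ('deny', None): implicit deny
```

Calling demo() shows the top-down principle in action: as written, the telnet packet to 194.90.141.10 is permitted by the first, broader rule and the deny below it is dead; shadowed_rules reports that pair, and moving the specific deny above the general permit gives the intended verdict. The ICMP packet matches nothing and falls to the implicit deny, which is why a list that is meant to allow ping needs an explicit icmp permit. Field(16, 8, 16).range() and Field(ip("194.90.142.16"), 30, 32).range() reproduce the 0-255 and .16-.19 entries of the tables above. On the device, the constructed list filters on destination addresses in the local subnet, so it would be linked with access-class INBOUND down.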