Preface

Building and maintaining a network involves more than just making sure that packets can flow between devices on the network. As a network administrator, you also want to ensure that only the right people can access resources on your network, and that your network will continue to run even if parts of that network fail or are configured incorrectly. Your organization may have directives that you need to implement, like using cheaper network paths whenever possible. In short, while maintaining connectivity is important, you also need to implement security, robustness, and business policies with your network.

This book is about network policies and how to implement those policies using Cisco IOS access lists. I present a way to think about access lists and network policy, describe how access lists are built, and give examples of how to apply those access lists in different situations. Along the way, there are a number of sidebars and notes about concepts and information important to using access lists, and at the end of the book, there are appendixes with useful reference material.

A brief note about what I cover: the access lists in this book deal only with the Internet Protocol (IP), though you could probably use many of the same techniques with other network protocols as well. While all the examples involve Cisco IOS access lists, many of the concepts are generic and can be applied to other router vendors’ equipment. I’ve tried to make the examples in this book applicable to as many IOS versions as possible; most examples should work with Versions 10.* and above. If a feature is only available later or is known to fail with certain platforms and versions, I try to point that out. Please note, also, that the terms “access list” and “access control list” are used interchangeably throughout the book.

It is unfortunate that the general policy mechanism for Cisco routers is known as an access list. The term access connotes that access lists apply only to the area of security, while in fact access lists are used for a whole range of policies, not just for security concerns. I envision this book as a guide and reference for implementing network policies with access lists on Cisco routers.

Organization

Chapter 1 motivates our discussion of access lists by giving examples of why you need to implement network policies. It then describes a framework for thinking about access lists and provides an idea of how we use access lists and the tools for implementing policy.

Chapter 2 describes access list fundamentals: the format of the basic types, masking, and ways to maintain access lists. It also discusses some tricks and traps of access lists (like the difference between network masks and access list masks), some common mistakes, and ways to reduce the number of access list entries and access list changes you may need to make.
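The mask trap mentioned above is worth seeing concretely before Chapter 2. An IOS access list entry takes a wildcard mask, not a network mask: a 0 bit means "this address bit must match" and a 1 bit means "don't care", so the wildcard mask is the bitwise inverse of the corresponding network mask. The following is an added example written for this edition (it is not code from the book); it derives both masks from a prefix length, matches addresses against entries the way IOS does, including the implicit deny at the end of every list, and shows what happens when a network mask is pasted in where a wildcard mask belongs. The helper names and the sample entries are this example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_masks(prefix_len: int) -> tuple[str, str]:
    """Return (network mask, access-list wildcard mask) for a /prefix_len.

    The wildcard mask used in an access list entry is the bitwise inverse
    of the network mask: /24 -> 255.255.255.0 and 0.0.0.255.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    net_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    wildcard = net_mask ^ ALL_ONES
    return (str(ipaddress.IPv4Address(net_mask)),
            str(ipaddress.IPv4Address(wildcard)))


def ace_matches(address: str, ace_address: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit means the address bit must equal the entry's bit."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(ace_address))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (a & care) == (b & care)


def evaluate(acl: list[tuple[str, str, str]], address: str) -> str:
    """Walk the list top to bottom; first matching entry wins.
    Every IOS access list ends with an implicit 'deny any'."""
    for action, ace_address, wildcard in acl:
        if ace_matches(address, ace_address, wildcard):
            return action
    return "deny"


# Constructed sample list: what the operator intended
# (access-list 10 permit 10.1.0.0 0.0.255.255 / permit 192.168.5.0 0.0.0.255).
INTENDED = [
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("permit", "192.168.5.0", "0.0.0.255"),
]

# The common mistake: the same entries typed with network masks.
MISTAKEN = [
    ("permit", "10.1.0.0", "255.255.0.0"),
    ("permit", "192.168.5.0", "255.255.255.0"),
]


def compare_lists(address: str) -> tuple[str, str]:
    """Return (intended result, mistaken result) for one address."""
    return evaluate(INTENDED, address), evaluate(MISTAKEN, address)


if __name__ == "__main__":
    print(prefix_to_masks(24))                # ('255.255.255.0', '0.0.0.255')
    for addr in ("10.1.2.3", "10.2.2.3", "192.168.5.7", "172.16.0.0"):
        print(addr, compare_lists(addr))
```

With the network mask in the wildcard position, `10.1.2.3` (which the operator meant to permit) falls through to the implicit deny, while `172.16.0.0` (never intended) is permitted, because the mistaken entry says "ignore the first 16 bits, require the last 16 to be zero". This is exactly the kind of silently wrong list Chapter 2 teaches you to avoid.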

Chapter 3 shows how to use access lists to implement security policies. It has examples of access lists that control access to router resources and to hosts, and discusses the tradeoffs of different kinds of access lists. The chapter includes explanations of how certain protocols work and ends with a discussion of access list alternatives.

Chapter 4 describes using access lists to control routing. Network administrators typically use access lists for routing to make sure that their networks are robust and to implement business policy decisions; I include a number of examples demonstrating these tasks.

Chapter 5 is about (what else?) debugging access lists. It first goes over how to check that your access lists are correct, and then shows what to do if you discover that they are wrong.

Chapter 6 describes more advanced forms of access lists, including community lists, AS path access lists, and route maps. The chapter goes over policy routing and ends with a discussion of using access lists and routes with BGP, the Border Gateway Protocol.

Chapter 7 concludes the book with some case studies of how different types and applications of access lists are used together in a variety of scenarios. There are three cases: an example of routers that connect sites within an organization, a firewall example, and a BGP routing example.

Appendix A has a number of tables listing keywords and qualifiers for extended access lists.

Appendix B contains a decimal/binary conversion chart and a table of prefix lengths and their corresponding network masks, access list masks, and valid networks.

Appendix C contains a table of commonly used application ports.