Chapter 20 - Module 11

Access Control Lists

By
Denise Ross

What are ACLs

An ACL is a list of instructions that tells a router what type
of packets to permit or deny.
You must configure an ACL before a router will deny packets.
Otherwise, the router will accept and forward all packets as long as
the link is up.
You can permit or deny packets based upon such things as:
Source address
Destination address
Upper Layer protocols (e.g. TCP & UDP port numbers)

ACLs can be written for all supported routed protocols. However,

each routed protocol configured on an interface would need a
different ACL to filter traffic.

What are ACLs

To control traffic flow on an interface, an ACL must
be defined for each protocol enabled on the
interface.
ACLs control traffic in one direction at a time on an
interface.
A separate ACL would need to be created for each
direction, one for inbound and one for outbound
traffic.

The following are some of the

primary reasons to create ACLs:
Limit network traffic and increase network
performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or
blocked at the router interfaces.
Allow an administrator to control what areas a client
can access on a network.
Screen certain hosts to either allow or deny access to
part of a network.

How ACLs work

An ACL is a
group of
statements
that define
whether
packets are
accepted or
rejected at
inbound and
outbound
interfaces

Creating ACLs
There are many different types of ACLs including
standard, extended, IPX, AppleTalk, and others.
When configuring ACLs on a router, each ACL must
be uniquely identified by assigning a number to it.
This number identifies the type of access list created
and must fall within the specific range of numbers that
is valid for that type of list.

Creating ACLs
There are many different types of ACLs including
standard, extended, IPX, AppleTalk, and others.
When configuring ACLs on a router, each ACL must
be uniquely identified by assigning a number to it.
This number identifies the type of access list created
and must fall within the specific range of numbers that
is valid for that type of list.

TCP & UDP

These basic rules should be followed when creating and applying access lists:
One access list per protocol per direction.
Standard access lists should be applied closest to the destination.
Extended access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside
the router.
Statements are processed sequentially from the top of list to the bottom until a match
is found, if no match is found then the packet is denied.
There is an implicit deny at the end of all access lists. This will not appear in the
configuration listing.
Access list entries should filter in the order from specific to general. Specific hosts
should be denied first, and groups or general filters should come last.
The match condition is examined first. The permit or deny is examined ONLY if the
match is true.
Never work with an access list that is actively applied.
Use a text editor to create comments outlining the logic, then, fill in the statements
that perform the logic.
New lines are always added to the end of the access list. A no access-list x
command will remove the whole list. It is not possible to selectively add and remove
lines with numbered ACLs.
An IP access list will send an ICMP host unreachable message to the sender of the
rejected packet and will discard the packet in the bit bucket.
Care should be used when removing an access list. If the access list is applied to a
production interface and the access list is removed, depending on the version of the
IOS, there may be a default deny any applied to the interface, and all traffic will be
halted.
Outbound filters do not affect traffic originating from the local router.

The function of a wildcard mask

Use to match a specific address or range of
addresses
A wildcard mask is a 32-bit quantity that is divided
into four octets NOT A SUBNET MASK !
Basically an inverted subnet mask
A wildcard mask is written to tell the router what bits in
the address to match and what bits to ignore.
A 0 bit means means check this bit position. A 1
means ignore this bit position.

Default subnet masks types

0.0.0.0
255.255.255.255

Wildcard Masking Exercise

Write an ip mask and wildcard mask for the
subnet 172.16.128.0 with a subnet mask of
255.255.128.0?
Write an ip mask and wildcard mask for the
subnet 172.16.16.0 with a subnet mask of
255.255.252.0?
Write an ip mask and wildcard mask for the
subnet 10.0.8.0 with a subnet mask of
255.255.248.0?
By now, you should have the hang of ip mask
and wildcard masks when dealing with a
subnet.

Wildcard Challenge
What bits will be checked and what bits will
be ignored?

0.0.0.7

Verifying ACLs
The show ip interface command displays IP
interface information and indicates whether any
ACLs are set.
The show access-lists command displays the
contents of all ACLs on the router. To see a
specific list, add the ACL name or number as an
option for this command.
The show running-config command will also
reveal the access lists on a router and the
interface assignment information.

Standard ACLs (1-99)

Simple and easy to configure
Filters based only on the source IP address
Standard ACLs do not have a destination
parameter and should be place close to the
destination as possible
Router(config)#access-list access-list-number {deny | permit}
source [source-wildcard ] [log]
Router(config-if)#ip access-group access-list-number {in |
out}

Placing ACLs
At the end of the IP-access group command,
you must specify which ACL you are
activating and in which direction
In : traffic coming into the interface
Out : traffic leaving the interface

Standard ACL Example

Blocks host from

accessing the subnetwork

Example 2

Create a standard ACL that will deny traffic from 192.5.5.25 to

the 210.93.105.0 network but will allow traffic from all other
hosts.

Extended ACLs (100-199)

Much more flexible in what you can match than the
standard ACL but complicated
Extended ACLs can match on the following:
Source & destination IP addresses
IP protocol IP, TCP, UDP, ICMP and so on
Protocol information, such as port numbers for TCP
and UDP, or message types for ICMP
The general rule is to put the extended ACLs as close
as possible to the source of the traffic denied.

Extended ACLs (100-199)

Write the ACL statements sequentially in global
configuration mode.
Router(config)# access-list access-list-number
{permit|deny} {protocol|protocol-keyword}{source
source-wildcard} {destination destinationwildcard} [protocol-specific options] [log]
Lab-A(config)#access-list 101 deny tcp 192.5.5.0
0.0.0.255 210.93.105.0 0.0.0.255 eq telnet log

Extended ACL Example

Block host from accessing Web

services on server 172.22.2.2

Example 2

Create an access list that will prevent only the host 192.5.5.148 from
accessing a web site located at 210.93.105.50.

Firewalls
Architectural structure that exists between the user and
the outside world to protect the internal network from
intruders
ACLs should be used in firewall routers, which are often
positioned between the internal network and an external
network, such as the Internet.
The firewall router provides a point of isolation so that the
rest of the internal network structure is not affected.
ACLs can be used on a router positioned between the two
parts of the network
Control traffic entering or exiting a specific part of the
internal network.

Restricting virtual terminal

access
The purpose of restricted vty access is increased network
security.
The following should be considered when configuring access
lists on vty lines:
When controlling access to an interface, a name or number can be used.
Only numbered access lists can be applied to virtual lines.
Set identical restrictions on all the virtual terminal lines, because a user
can attempt to connect to any of them.

Named ACLs
One nice feature in the Cisco IOS (v 11.2 or higher) is the
ability to name ACLs. Eliminates limitations of 99 standard and 100
extended ACLs

Manageability
Identified as descriptions instead of numbers
Once you name an ACL, the prompt changes and you no
longer have to enter the access-list and access-listnumber parameters.
In the example below, the ACL is named over_and as a hint
to how it should be placed on the interface--out
Lab-A(config)# ip access-list standard over_and
Lab-A(config-std-nacl)#deny host 192.5.5.10
.........
Lab-A(config-if)#ip access-group over_and out