  • Filtering traffic entering and exiting an interface
  • Controlling access to VTY lines
  • Route update filtering
  • As a traffic classification tool when used with QoS
  • Dial-on-demand routing (DDR) with ISDN
  • Restricting output of debug commands

This tutorial, however, concentrates only on packet filtering using ACLs.

What is an ACL?

An ACL is a sequence of commands, each called an Access Control Entry (ACE), entered in a specific order. The order determines how the ACL behaves, so it is recommended to place the most relevant ACEs at the beginning of the ACL.

When an ACL is used as a packet filter, these ACEs are called packet filtering rules or conditions. A condition looks for matches on the content of the packet, including:

  • Source and destination address
  • Layer-2 protocol information such as Ethernet frame type
  • Layer-3 protocol, including IP, IPX, etc.
  • Layer-3 protocol information such as ICMP, OSPF, EIGRP
  • Layer-4 protocol and information such TCP or UDP and port numbers

Direction of ACL

An access list can be applied in one direction per interface. For example, suppose you have created an Internet filtering ACL to drop ICMP traffic. This ACL can be applied on the Internet-facing interface in the inbound direction only, not in both directions. If bi-directional filtering is required, a separate ACL in the reverse direction can be configured.

The IMPLICIT DENY Condition

At the end of every ACL there is an IMPLICIT DENY: any traffic that is not explicitly permitted is denied. We will look at an example later when configuring a standard ACL.

The Wildcard Mask

Also known as the reverse (inverse) mask. The logic is based on a logical AND operation: if a wildcard bit is binary zero, the corresponding address bit is checked and must match; if it is binary one, the corresponding address bit is ignored and need not match. Example: we have the network 192.168.1.0 with a subnet mask of 255.255.255.0 (or simply 192.168.1.0/24). The wildcard mask is created by subtracting the subnet mask from 255.255.255.255. In this case:

255.255.255.255 – 255.255.255.0 = 0.0.0.255.

  Octet      1st        2nd        3rd        4th
  Decimal    192        168        1          0
  Binary     11000000   10101000   00000001   00000000
  Wildcard   00000000   00000000   00000000   11111111

It means that for the ACE condition to be true (a match), the first three octets must be 192, 168 and 1; the fourth octet is ignored. Consider Table-1 for more examples.

TABLE-1: Wildcard Mask

  Address          Wildcard Mask                                Match Results
  0.0.0.0          255.255.255.255                              All addresses match the access list conditions.
  172.18.0.0/16    0.0.255.255                                  Network 172.18.0.0
  172.18.5.2/16    0.0.0.0                                      Only host 172.18.5.2 matches
  172.18.8.0       0.0.0.7                                      Only subnet 172.18.8.0/29 matches
  172.18.8.8       0.0.0.7                                      Only subnet 172.18.8.8/29 matches
  172.18.8.15      0.0.0.3                                      Only subnet 172.18.8.15/30 matches
  10.1.2.0         0.0.254.255 (noncontiguous bits in mask)     Matches any even-numbered network in the range 10.1.2.0 to 10.1.254.0
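The arithmetic behind the wildcard mask section and Table-1, as an added Python example (not code from the original tutorial). It derives a wildcard from a prefix length with the page's subtraction rule, performs the match test the way the router does (AND both addresses with the inverted wildcard and compare), reports the address range a contiguous wildcard covers, and flags noncontiguous wildcards such as 0.0.254.255. Function names and the sample addresses are this example's own.

```python
# Added example (not part of the original tutorial): wildcard-mask arithmetic
# and the match test an ACE performs on an address.
import ipaddress

MAX32 = 0xFFFFFFFF


def to_int(dotted):
    """'a.b.c.d' -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> 'a.b.c.d'."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len):
    """The page's rule: 255.255.255.255 minus the subnet mask of a /prefix_len."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return to_dotted(MAX32 - int(netmask))


def is_contiguous(wildcard):
    """True when the wildcard is a run of trailing 1 bits (0.0.0.255, 0.0.3.255).
    0.0.254.255 from Table-1 is not: a 0 bit sits between 1 bits."""
    w = to_int(wildcard)
    return w & (w + 1) == 0


def wildcard_matches(addr, base, wildcard):
    """A 0 bit in the wildcard must match; a 1 bit is ignored (don't care).
    Same as the router: AND both addresses with the inverted wildcard, compare."""
    care = ~to_int(wildcard) & MAX32
    return (to_int(addr) & care) == (to_int(base) & care)


def matching_range(base, wildcard):
    """Lowest and highest address matched by base/wildcard (contiguous wildcard)."""
    w = to_int(wildcard)
    low = to_int(base) & ~w & MAX32
    return to_dotted(low), to_dotted(low | w)


if __name__ == "__main__":
    print("/24 ->", wildcard_from_prefix(24), " /22 ->", wildcard_from_prefix(22))
    print("172.18.8.15 0.0.0.3 covers", matching_range("172.18.8.15", "0.0.0.3"))
    for addr in ("10.1.2.0", "10.1.4.0", "10.1.3.0"):
        print(addr, "vs 10.1.2.0 0.0.254.255:",
              wildcard_matches(addr, "10.1.2.0", "0.0.254.255"))
    print("0.0.254.255 contiguous?", is_contiguous("0.0.254.255"))
```

Note that the router only compares the bits the wildcard marks as "care", so the base address 172.18.8.15 with wildcard 0.0.0.3 covers the whole block 172.18.8.12 to 172.18.8.15: the host bits you type are simply ignored.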

 

Types of ACLs

There are two types of ACLs.

1. Standard Access List

A Standard Access List allows filtering based on the source address of an entity. Since a standard access list tests only source addresses, it is most effective at blocking traffic when placed close to the destination. There are two exceptions where the address in a standard access list is not the source:

  • On an outbound VTY access list, the address is the destination address rather than the source address.
  • When route filtering, the address is the network being advertised to you rather than the source address.

A standard access list can be either named or numbered. Numbered standard ACLs use the ranges 1 to 99 and 1300 to 1999. Named ACLs allow an ACL to be created using a meaningful name rather than a number; humans are also better at remembering names than numbers.

Configuration

Numbered Standard ACL:

Step-1: configure terminal

Step-2: access-list <1-99 | 1300-1999> [permit|deny] <source> <wildcard>   (repeat for each ACE)

Step-3: interface <type> <number>

Step-4: ip access-group <acl-number> [in|out]

Named Standard ACL:

Step-1: configure terminal

Step-2: ip access-list standard <name>

Step-3: [permit|deny] <source> <wildcard>   (repeat for each ACE)

Step-4: interface <type> <number>

Step-5: ip access-group <name> [in|out]

Verification: show access-list or show ip access-list

Warning: In the case of numbered ACLs (standard or extended), if reconfiguration is required, the entire ACL must be removed and re-entered. If "no access-list <number>" is issued, the whole ACL is lost. Therefore, it is advisable to back up the configuration before removing an ACE from a standard ACL.

NOTE: This document explains only the basic options for creating and using ACLs. Refer to the Configuration Guide and Command Reference for complete syntax details.

Example-1: Let us assume that traffic from ISP-1 and from host 192.168.1.1 must be dropped. ISP-1 uses the address range 172.16.1.0/22. A host address uses a subnet mask of 255.255.255.255.

Step-1: configure terminal

Step-2: access-list 1 deny 172.16.1.0 0.0.3.255   <-- note: the /22 mask is 255.255.252.0, so 255.255.255.255 - 255.255.252.0 = 0.0.3.255; the host bits are ignored, so IOS stores this entry as 172.16.0.0 0.0.3.255.

Step-3: access-list 1 deny 192.168.1.1 0.0.0.0

Step-4: access-list 1 permit 0.0.0.0 255.255.255.255   <-- note: to avoid the implicit deny condition, every other host except 192.168.1.1 and the ISP-1 range 172.16.1.0/22 is allowed.

Step-5: interface fa0/0

Step-6: ip access-group 1 in

 

Example-2: the above example using a named ACL

Step-1: configure terminal

Step-2: ip access-list standard ISP1-Traffic

Step-3: deny 172.16.1.0 0.0.3.255

Step-4: deny host 192.168.1.1

Step-5: permit any

Step-6: interface fa0/0

Step-7: ip access-group ISP1-Traffic in

 

2. Extended Access List

Extended ACLs are good for filtering traffic anywhere. Moreover, they offer filtering capabilities that standard ACLs don't support, including filtering on IP options, TCP flags, source and destination IP addresses, upper-layer protocols (TCP/UDP) with source and destination port numbers, and type of service (ToS) bits.

Extended ACLs can be either numbered, using the ranges 100 to 199 and 2000 to 2699, or named.

Configuration:

Numbered:

Step-1: configure terminal

Step-2: access-list <100-199 | 2000-2699> [permit|deny] <protocol> <source> <wildcard> [operator port] <destination> <wildcard> [operator port] [log]   (repeat for each ACE)

Step-3: interface <type> <number>

Step-4: ip access-group <acl-number> [in|out]

Named:

Step-1: configure terminal

Step-2: ip access-list extended <name>

Step-3: [permit|deny] <protocol> <source> <wildcard> [operator port] <destination> <wildcard> [operator port] [log]   (repeat for each ACE)

Step-4: interface <type> <number>

Step-5: ip access-group <name> [in|out]

 

Example-1: Let us consider the example from the standard access list section. This time only ICMP traffic from ISP-1 should be blocked, and the blocked ICMP traffic should be logged. The host 192.168.1.1 now hosts a secure web application. Local LAN users are only allowed to access 192.168.1.1 using either HTTP or HTTPS.

Step-1: configure terminal

Step-2: access-list 101 deny icmp 172.16.1.0 0.0.3.255 any log

Step-3: access-list 101 permit tcp 192.168.1.1 0.0.0.0 eq 80 any gt 1024

Step-4: access-list 101 permit tcp 192.168.1.1 0.0.0.0 eq 443 any gt 1024

Step-5: access-list 101 permit ip any any

Step-6: interface fa0/0

Step-7: ip access-group 101 in
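How a router walks an ACL, as an added Python example (not code from the original tutorial): ACEs are tested in order, the first match decides, and a packet that matches nothing falls through to the implicit deny. The evaluator handles both standard ACEs (source only) and extended ACEs (protocol, destination, eq/gt/lt port operators, log flag), and is run over the tutorial's ACL 1 and ACL 101. The dict field names, the per-ACE counters (modelled on what show access-lists prints) and the sample packets are this example's own constructions; the /22 wildcard is 0.0.3.255, computed with the page's own subtraction rule.

```python
# Added example (not part of the original tutorial): a first-match ACL
# evaluator with the implicit deny, run over the tutorial's Example-1 ACLs.
# ACEs and packets are plain dicts; the field names are this example's own choice.
import ipaddress

MAX32 = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")   # "any" spelled out: address 0.0.0.0, wildcard all ones


def wildcard_matches(addr, base, wildcard):
    """0 bits of the wildcard must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & MAX32
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def port_matches(spec, port):
    """spec is None (any port) or (operator, value) using the IOS eq/gt/lt operators."""
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def ace_matches(ace, pkt):
    """Every field present in the ACE must match; a standard ACE carries only 'src'."""
    if ace.get("proto", "ip") not in ("ip", pkt.get("proto", "ip")):
        return False
    if not wildcard_matches(pkt["src"], *ace["src"]):
        return False
    if "dst" in ace and not wildcard_matches(pkt["dst"], *ace["dst"]):
        return False
    return (port_matches(ace.get("sport"), pkt.get("sport", 0))
            and port_matches(ace.get("dport"), pkt.get("dport", 0)))


def evaluate(acl, pkt):
    """Walk the ACEs in order: the first match decides. Falling off the end is
    the implicit deny. Returns (action, matched ACE index or None, log flag)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], index, ace.get("log", False)
    return "deny", None, False


def hit_counts(acl, packets):
    """Per-ACE match counters (like the '(n matches)' in show access-lists);
    the extra last slot counts packets that hit the implicit deny."""
    counts = [0] * (len(acl) + 1)
    for pkt in packets:
        _, index, _ = evaluate(acl, pkt)
        counts[len(acl) if index is None else index] += 1
    return counts


# Standard ACL 1 from Example-1 (wildcard 0.0.3.255 = 255.255.255.255 - 255.255.252.0).
ACL_1 = [
    {"action": "deny",   "src": ("172.16.1.0", "0.0.3.255")},
    {"action": "deny",   "src": ("192.168.1.1", "0.0.0.0")},
    {"action": "permit", "src": ANY},
]

# Extended ACL 101 from the extended Example-1.
ACL_101 = [
    {"action": "deny",   "proto": "icmp", "src": ("172.16.1.0", "0.0.3.255"), "dst": ANY, "log": True},
    {"action": "permit", "proto": "tcp",  "src": ("192.168.1.1", "0.0.0.0"), "sport": ("eq", 80),
     "dst": ANY, "dport": ("gt", 1024)},
    {"action": "permit", "proto": "tcp",  "src": ("192.168.1.1", "0.0.0.0"), "sport": ("eq", 443),
     "dst": ANY, "dport": ("gt", 1024)},
    {"action": "permit", "proto": "ip",   "src": ANY, "dst": ANY},
]

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "172.16.2.9",  "dst": "10.0.0.1"},                               # ping from ISP-1
    {"proto": "tcp",  "src": "192.168.1.1", "sport": 443, "dst": "10.0.0.7", "dport": 51000},  # HTTPS reply
    {"proto": "udp",  "src": "172.16.1.5",  "sport": 53,  "dst": "10.0.0.7", "dport": 40000},  # DNS from ISP-1
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt["src"], "->", evaluate(ACL_101, pkt))
    print("ACL 1 counters (last slot = implicit deny):", hit_counts(ACL_1, SAMPLE_PACKETS))
    # Without the final 'permit any', an unmatched host hits the implicit deny:
    print("ACL 1 minus 'permit any':", evaluate(ACL_1[:2], {"src": "10.0.0.5"}))
```

Two things the run makes visible: the ICMP packet from ISP-1 is the only one ACL 101 denies, because the closing permit ip any any catches everything the three entries above it did not match; and the same ACL 1 with its permit any removed denies a host from 10.0.0.0/8 that no ACE mentions, which is the implicit deny described earlier.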