- Filtering traffic entering and exiting an interface
- Controlling access to VTY lines
- Route update filtering
- As a traffic classification tool when used with QoS
- Dial-on-demand routing (DDR) with ISDN
- Restricting output of debug commands
This tutorial, however, concentrates only on packet filtering with ACLs.
What is an ACL?
An ACL is an ordered list of statements called Access Control Entries (ACEs). The router evaluates the entries from the top down and stops at the first one that matches, so the order of the ACEs determines how the ACL behaves: put the most specific entries first (an exception must come before the general rule it is carved out of), and within that constraint place the entries that are hit most often near the top.
When an ACL is used as a packet filter, its ACEs are the filtering rules or conditions. Each condition is tested against the contents of the packet, including:
- Source and destination address
- Layer-2 protocol information such as Ethernet frame type
- Layer-3 protocol, for example IP or IPX
- Layer-3 protocol information such as ICMP, OSPF, EIGRP
- Layer-4 protocol and information such as TCP or UDP and port numbers
Direction of ACL
An interface accepts at most one IP access list per direction: one inbound and one outbound. For example, suppose you have created an ACL that drops ICMP traffic from the internet. Applying it inbound on the internet-facing interface checks only packets entering the router there; packets leaving the router through that interface are not examined by it. If bi-directional filtering is required, apply a second ACL (or the same one, if its rules make sense in both directions) in the outbound direction. Note that an inbound ACL is evaluated before the routing decision, and an outbound ACL does not filter packets that the router itself originates.
The IMPLICIT DENY Condition
Every ACL ends with an implicit deny: any traffic that is not explicitly permitted by some ACE is dropped. An ACL that contains only deny statements therefore blocks everything, which is why most lists end with an explicit permit. We will see this in the standard ACL example below.
The Wildcard Mask
Also known as the inverse mask. Matching is done bit by bit: where the wildcard bit is 0, the corresponding bit of the packet address must equal the bit in the ACE address; where the wildcard bit is 1, that bit is ignored and need not match. Example: we have the network 192.168.1.0 with a subnet mask of 255.255.255.0 (192.168.1.0/24). The wildcard mask is obtained by subtracting the subnet mask from 255.255.255.255, which is the same as inverting every bit of the subnet mask. In this case:
255.255.255.255 – 255.255.255.0 = 0.0.0.255.
Decimal | 192 | 168 | 1 | 0 |
Binary | 11000000 | 10101000 | 00000001 | 00000000 |
Wildcard | 00000000 | 00000000 | 00000000 | 11111111 |
It means that for a packet address to match this ACE, its first three octets must be 192, 168 and 1; the last octet is ignored, so every address in 192.168.1.0/24 matches. Consider Table-1 for more examples.
TABLE-1: Wildcard Mask
Address | Wildcard Mask | Match Results |
0.0.0.0 | 255.255.255.255 | All addresses will match the access list conditions. |
172.18.0.0/16 | 0.0.255.255 | Network 172.18.0.0 |
172.18.5.2 | 0.0.0.0 | Only host 172.18.5.2 matches (the keyword host produces this wildcard) |
172.18.8.0 | 0.0.0.7 | Only subnet 172.18.8.0/29 matches |
172.18.8.8 | 0.0.0.7 | Only subnet 172.18.8.8/29 matches |
172.18.8.15 | 0.0.0.3 | Subnet 172.18.8.12/30 (hosts .12 through .15) matches; IOS clears the ignored bits and stores the entry as 172.18.8.12 0.0.0.3 |
10.1.2.0 | 0.0.254.255 (noncontiguous bits in mask) | Matches every even-numbered /24 in 10.1.0.0/16, that is 10.1.0.0, 10.1.2.0, ... up to 10.1.254.0 |
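The following Python script is an added example and not part of the original tutorial. It implements the wildcard-mask rule described above and checks it against the rows of Table-1: computing the wildcard for a prefix length, testing whether a candidate address matches an address/wildcard pair, reproducing the normalization IOS applies to 172.18.8.15 0.0.0.3, and enumerating what the noncontiguous mask 0.0.254.255 actually matches. The function names are chosen for this example only.

```python
# Added example, not part of the original tutorial: wildcard-mask arithmetic
# and the bit-level match rule, checked against the rows of Table-1.
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the subnet mask with every bit
    inverted (the '255.255.255.255 minus the subnet mask' rule from the text)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard bit 0: candidate bit must equal the address bit; 1: ignored.
    Implemented as (address XOR candidate) AND NOT wildcard == 0."""
    a, w, c = _to_int(address), _to_int(wildcard), _to_int(candidate)
    return ((a ^ c) & ~w & 0xFFFFFFFF) == 0


def normalized_address(address: str, wildcard: str) -> str:
    """IOS clears every 'ignored' bit of the address when it stores the ACE,
    which is why 172.18.8.15 with wildcard 0.0.0.3 is stored as 172.18.8.12."""
    a, w = _to_int(address), _to_int(wildcard)
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))


def matched_third_octets(address: str, wildcard: str, first_two: str = "10.1") -> list:
    """Which 'first_two.x.0' networks the ACE matches, for x in 0..255; used to
    check the noncontiguous-mask row (0.0.254.255) of Table-1."""
    return [x for x in range(256)
            if wildcard_match(address, wildcard, f"{first_two}.{x}.0")]


if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                # 0.0.0.255
    print(wildcard_match("172.18.8.8", "0.0.0.7", "172.18.8.15"))  # True
    print(normalized_address("172.18.8.15", "0.0.0.3"))            # 172.18.8.12
    print(matched_third_octets("10.1.2.0", "0.0.254.255")[:4])     # [0, 2, 4, 6]
```

The XOR-then-mask formulation is exactly the check a router performs per ACE, so the same function can be reused to verify any address/wildcard pair before it goes into a production list; the normalization function shows why an entry you typed may look different in show access-lists.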
Types of ACLs
There are two basic types of IP ACLs: standard and extended.
- Standard Access List
Standard access lists filter on the source address only. Because they cannot distinguish destinations, applying one close to the source would cut that source off from everything beyond the filter; the usual guidance is therefore to apply a standard ACL as close to the destination as possible. There are two exceptions where the address in a standard access list is not the source:
- On an outbound VTY access list (access-class ... out), the address checked is the destination of the outgoing connection rather than its source.
- When the list is used for route filtering (a distribute-list), the address checked is the network being advertised to you rather than the source of the routing update.
A standard ACL can be either numbered or named. Numbered standard ACLs use the ranges 1 to 99 and 1300 to 1999. Named ACLs let you give the list a meaningful name instead of a number, which is easier to remember and makes the purpose of the list visible in the configuration.
Configuration
Numbered Standard ACL:
Step-1: configure terminal
Step-2: access-list {1-99 | 1300-1999} {permit | deny} {source source-wildcard | host source | any}
(repeat Step-2 once per ACE, in the order you want them evaluated)
Step-3: interface type number
Step-4: ip access-group access-list-number {in | out}
Named Standard ACL:
Step-1: configure terminal
Step-2: ip access-list standard name
Step-3: {permit | deny} {source source-wildcard | host source | any}
Step-4: interface type number
Step-5: ip access-group name {in | out}
Verification: show access-lists or show ip access-lists displays the lists and per-ACE match counters; show ip interface type number shows which list is applied to an interface and in which direction.
Warning: Numbered ACLs (standard or extended) entered with the access-list command cannot be edited entry by entry: issuing "no access-list number" removes the whole list, not a single ACE, and new entries are always appended at the end. To change one, copy the list out of the running configuration, edit it, remove the old list and re-enter the new one. Named ACLs let you remove a single ACE with "no permit ..." or "no deny ...", and on IOS releases that support ACL sequence numbers a numbered list can also be edited through "ip access-list standard number" (or "ip access-list extended number"). While a list is being rebuilt, an interface that references it filters with whatever entries have been entered so far (and an interface that references a list that does not exist permits everything), so remove the ip access-group from the interface first and re-apply it once the list is complete.
NOTE: This document explains only basic options for creating and using ACLs. Refer to Configuration Guide and Command Reference for complete syntax detail.
Example-1: Let us assume that all traffic from ISP-1 and from the host 192.168.1.1 must be dropped. ISP-1 uses the address block 172.16.0.0/22 (the /22 that contains 172.16.1.0, covering 172.16.0.0 through 172.16.3.255; its wildcard is 0.0.3.255). A single host has the subnet mask 255.255.255.255, i.e. the wildcard 0.0.0.0.
Step-1: configure terminal
Step-2: access-list 1 deny 172.16.0.0 0.0.3.255
Step-3: access-list 1 deny 192.168.1.1 0.0.0.0
Step-4: access-list 1 permit 0.0.0.0 255.255.255.255
Note on Step-4: this entry (equivalent to "permit any") is needed because of the implicit deny; without it the list would drop every packet, not only those from ISP-1 and 192.168.1.1. With it, every other source is allowed.
Step-5: interface fa0/0
Step-6: ip access-group 1 in
Example-2: the same list as a named ACL, using the host and any keywords instead of explicit wildcards
Step-1: configure terminal
Step-2: ip access-list standard ISP1-Traffic
Step-3: deny 172.16.0.0 0.0.3.255
Step-4: deny host 192.168.1.1
Step-5: permit any
Step-6: interface fa0/0
Step-7: ip access-group ISP1-Traffic in
- Extended Access List
Extended ACLs match on both the source and the destination, so they can be placed anywhere, and the usual guidance is to apply them as close to the source of the traffic as possible, dropping unwanted packets before they cross the network. They also offer filtering capabilities that standard ACLs lack: IP options, TCP flags (for example the established keyword), destination addresses, the upper-layer protocol (TCP, UDP, ICMP and others), source and destination port numbers, and the type of service (ToS) bits.
Extended ACLs can be numbered, using the ranges 100 to 199 and 2000 to 2699, or named.
Configuration:
Numbered:
Step-1: configure terminal
Step-2: access-list {100-199 | 2000-2699} {permit | deny} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [log]
(operator is eq, gt, lt, neq or range, and port operators apply only to tcp and udp; repeat Step-2 once per ACE)
Step-3: interface type number
Step-4: ip access-group access-list-number {in | out}
Named:
Step-1: configure terminal
Step-2: ip access-list extended name
Step-3: {permit | deny} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [log]
Step-4: interface type number
Step-5: ip access-group name {in | out}
Example-1: Let us consider the example from the standard access list section. This time only ICMP traffic from ISP-1 (172.16.0.0/22) should be blocked, and the blocked ICMP should be logged. The host 192.168.1.1 now hosts a secure web application, and local LAN users may reach 192.168.1.1 only over HTTP (TCP port 80) or HTTPS (TCP port 443). Because the list ends with "permit ip any any", the restriction on 192.168.1.1 is only effective if an explicit deny for all other traffic to that host is placed before the final permit (Step-5). The list is applied inbound on the interface through which the LAN users' requests enter the router, so the entries match the requests toward the server (destination port 80 or 443), not the server's replies.
Step-1: configure terminal
Step-2: access-list 101 deny icmp 172.16.0.0 0.0.3.255 any log
Step-3: access-list 101 permit tcp any host 192.168.1.1 eq 80
Step-4: access-list 101 permit tcp any host 192.168.1.1 eq 443
Step-5: access-list 101 deny ip any host 192.168.1.1
Step-6: access-list 101 permit ip any any
Step-7: interface fa0/0
Step-8: ip access-group 101 in
Note on the log keyword: each matching packet generates a syslog message (rate-limited by IOS) and is handled in the slower logging path, so use it for a few diagnostic entries rather than on every ACE of a busy interface.
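The following Python script is an added example and not part of the original tutorial. It is a small simulator of how IOS evaluates an IP access list (top-down, first match wins, implicit deny at the end), with a parser for the ACE syntax used in this page's standard and extended examples. It reproduces the standard list from Example-1 and the extended list 101 above, and the checks show three things the text describes: that the trailing permit is what saves non-ISP traffic from the implicit deny, that reversing the order of the entries changes the outcome, and that the deny for 192.168.1.1 is what makes "only HTTP/HTTPS to the server" effective. All packets and the function names are constructed for the example; the parser handles only the subset of the syntax the page uses (any, host, address/wildcard, eq/gt/lt, log).

```python
# Added example, not part of the original tutorial: a small simulator of how
# IOS evaluates an IP ACL (top-down, first match wins, implicit deny). It parses
# the page's own ACE syntax for standard and extended lists. The ACLs and the
# packets tested below are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255, i.e. the keyword any


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: list) -> Tuple[int, int]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


def _parse_port(tokens: list) -> Optional[Tuple[str, int]]:
    """Consume an optional port operator: eq N, gt N or lt N."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        return tokens.pop(0), int(tokens.pop(0))
    return None


@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    protocol: str                     # ip / tcp / udp / icmp
    src: Tuple[int, int]              # (address, wildcard)
    sport: Optional[Tuple[str, int]]  # (operator, port) or None
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int]]
    log: bool
    text: str                         # original line, kept for reporting


def parse_ace(line: str) -> ACE:
    """Parse one numbered ('access-list N ...') or named ('permit ...') ACE."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]           # drop 'access-list' and the list number
    action = tokens.pop(0)
    if tokens and tokens[0] in PROTOCOLS:           # extended ACE
        proto = tokens.pop(0)
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
    else:                                           # standard ACE: source only
        proto, src, sport, dst, dport = "ip", _parse_addr(tokens), None, ANY, None
    log = bool(tokens) and tokens[0] == "log"
    return ACE(action, proto, src, sport, dst, dport, log, line)


def _addr_ok(spec: Tuple[int, int], value: int) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore."""
    addr, wild = spec
    return ((addr ^ value) & ~wild & 0xFFFFFFFF) == 0


def _port_ok(spec: Optional[Tuple[str, int]], value: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": value == n, "gt": value > n, "lt": value < n}[op]


def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """Return (action, matching ACE or None). The first ACE that matches
    decides; a packet that matches nothing hits the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for ace in acl:
        if ace.protocol not in ("ip", proto):
            continue
        if not (_addr_ok(ace.src, s) and _addr_ok(ace.dst, d)):
            continue
        if not (_port_ok(ace.sport, sport) and _port_ok(ace.dport, dport)):
            continue
        return ace.action, ace
    return "deny", None


# The standard list from Example-1 and extended list 101, as constructed text.
STANDARD_1 = [parse_ace(l) for l in (
    "access-list 1 deny 172.16.0.0 0.0.3.255",
    "access-list 1 deny 192.168.1.1 0.0.0.0",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
)]
EXTENDED_101 = [parse_ace(l) for l in (
    "access-list 101 deny icmp 172.16.0.0 0.0.3.255 any log",
    "access-list 101 permit tcp any host 192.168.1.1 eq 80",
    "access-list 101 permit tcp any host 192.168.1.1 eq 443",
    "access-list 101 deny ip any host 192.168.1.1",   # makes "only 80/443" effective
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    for pkt in (("tcp", "172.16.2.9", "10.0.0.5", 40000, 80),
                ("tcp", "10.0.0.7", "192.168.1.1", 40000, 22)):
        print(pkt, "->", evaluate(EXTENDED_101, *pkt)[0])
```

Running the script prints the verdict for a packet from ISP-1 and for an SSH attempt at the web server. The simulator is deliberately stateless, like a plain IOS ACL: it has no notion of connections, which is why a list that permits requests to port 443 says nothing about whether the replies are allowed on the return path.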