Access Control List ACL’s 5/26/2016 1
What Is an ACL? An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols. Routers provide basic traffic filtering capabilities, such as blocking internet traffic, with access control lists (ACLs. ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. 5/26/2016 2
ACL’s Acceptance and denial can be based on certain specifications, such as source address, destination address, and port number. ACLs can be created for all routed network protocols, such as internet protocol (IP) and Internetwork packet exchange (IPX). Can be configured at the router to control access to a network or subnet. Must be defined on a per-protocol basis. 5/26/2016 3
Reasons to Create ACL’s Limit network traffic and increase network performance. Provide traffic flow control. ACLs can restrict or reduce the contents of routing updates. Provide a basic level of security for network access. Decide which types of traffic are forwarded or blocked at the router interfaces. 5/26/2016 4
Access Control Lists (ACLs) The order in which you place ACL statements is important. (IOS) software tests the packet against each condition statement, in the order in which the statements were created. After a match is found, no more condition statements are checked. Once created, if you need additional statements, in a standard or extended ACL you must delete the ACL and re-create it with the new condition statements. 5/26/2016 5
How ACL’s Work You can create an ACL for each protocol you want to filter for each router interface. 5/26/2016 6
How ACL’s Work An ACL is a group of statements that define how packets: enter inbound interfaces, relay through the router, exit outbound interfaces of the router. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. Now, the router checks whether the inbound interface has an ACL. If one exists, the packet is now tested against the conditions in the list. 5/26/2016 7
How ACL’s Work ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit "deny any" statement is imposed. This means that even though you will not see the "deny any" as the last line of an ACL, it is there. 5/26/2016 8
Creating ACLs You create ACLs by using the global configuration mode. Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL statements. Specifying an ACL number from 100 to 199 instructs the router to accept extended ACL statements. You must carefully select and logically order the ACL. 5/26/2016 9
Creating ACLs Two steps: 1. define the ACL Example, router(config)#access-list access list number permit/deny {test conditions} 2. Apply ACL to an interface (ex. E0, s0, s1) by using the access-group command. Router(config-if) protocol access-group access-list number in/out 5/26/
Deleting an ACL If you want to alter an ACL containing numbered ACL statements, you need to delete all the statements in the numbered ACL by using the command no access- list list-number. If you have already applied the access-group to an interface, use the command no access- group list-number in/out before the no access- list list-number command. 5/26/
Wildcard Masks A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value". A wildcard mask is paired with an IP address. 5/26/
Wildcard Masks The zero and one bits in an ACL wildcard mask cause the ACL to either check or ignore the corresponding bit in the IP address. Say you want to test an IP address for subnets that will be permitted or denied. You want to use IP wildcard mask bits to permit all packets from any host in the to subnets. Example will be done on board. 5/26/
Wildcard Any To indicate any IP address, you would enter ; Then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, ). Instead of typing , you can use the word any by itself as the keyword. 5/26/
The Host Command Say you want to specify that a specific IP host address will be permitted in an ACL test. To indicate a host IP address, you would enter the full address (for example, ); Then, to indicate that the ACL should check all the bits in the address. That is in wildcard mask form. You can use the abbreviation host to communicate this same test condition to Cisco IOS ACL software. 5/26/
Standard ACLs You use standard ACLs when you want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites. Standard ACLs check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network, subnet, and host addresses. 5/26/
Standard Access-list Example Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ] [log] Access-list 33 permit log (permits all traffic from ) Access-list 44 deny log (denies traffic from host ) Access-list 55 deny any log (denies all traffic from network ) 5/26/
How to Verify Access Lists You use the show access-lists EXEC command to display the contents of all ACLs. In addition, you use the show access- lists EXEC command followed by the name or number of an ACL to display the contents of one ACL. 5/26/
Standard Access-lists The ip access-group command groups an existing ACL to an interface. Remember that only one ACL per port per protocol per direction is allowed. Router(config-if)#ip access-group access-list-number {in | out}. 5/26/
Extended Access-list Provide a greater range of control than standard ACLs. Extended ACLs check for both source and destination packet addresses. They also can check for specific protocols, port numbers, and other parameters. 5/26/
Extended Access-list Packets can be permitted or denied output based on where the packet originated and based on its destination. Router(config)# access-list access-list- number {permit | deny} protocol source [source-mask destination destination- mask operator operand] [established] 5/26/
Extended Access-list For more precise traffic-filtering control, you use extended ACLs. Extended ACL statements check for source address and for destination address. In addition, at the end of the extended ACL statement, you gain additional precision from a field that specifies the optional TCP or user Datagram protocol (UDP) protocol port number.. Extended ACLs use a number in the range 100 to /26/
Extended Access-group The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. Router(config-if)# ip access-group access-list-number {in | out} 5/26/
Placing ACL’s The rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near the destination as possible. ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the internet. 5/26/
Placing ACL’s To provide the security benefits of ACLs, you should at a minimum configure ACLs on border routers, which are routers situated on the boundaries of the network. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. 5/26/