An ACL consists of a sequential list of statements known as access control entries (ACEs). Each ACE specifies matching criteria and an action, either permit or deny. The matching criteria can be fields such as the source or destination address or the protocol (for example TCP or UDP). For an individual ACE, all of its configured matching values must match for that ACE to be considered a match: if an ACE is configured to match source IP address 10.1.1.1 and destination IP address 172.16.1.1, a packet must match both for the ACE to apply. Processing is sequential: at the first matching ACE, ACL processing stops and that ACE's action is taken. The order of the entries therefore matters, and an earlier, broader ACE silently shadows a later, more specific one.
As shown in the figure above, a packet with source address 10.1.1.1 and destination address 172.16.1.1 enters interface Ethernet 0/0. An access list numbered 101 is applied inbound on that interface, so the packet must be checked against the ACL (the identification, direction, and application of ACLs are discussed later). Processing is sequential: the match criteria of sequence 1 are checked against the packet first; since they do not match, the next ACE (sequence 2) is considered. Sequence 2 matches, and its action, permit, is taken.
Note that if a packet matches none of the access control entries in an ACL, it matches the implicit deny ACE that is present at the bottom of every ACL. The implicit deny is a deny-all statement that drops every packet reaching it, so an ACL containing only deny statements blocks all traffic. If this behavior is not wanted and packets that match no ACE must be forwarded, an ACE permitting all packets must be added at the bottom of the ACL. This type of ACE is known as an explicit permit. Because the implicit deny is neither logged nor counted in show access-lists output, administrators who want visibility of dropped traffic add an explicit deny ip any any log as the last entry instead.
Wildcard Masks
You must have noticed the 0.0.0.0 after the source and destination addresses in the ACL in the diagram above. These are 32-bit numbers called wildcard masks (also known as inverse masks) and define which portion of an IP address should be examined. The 32 bits of the wildcard mask are compared bit for bit with the 32 bits of the IP address: a wildcard bit of 0 means the corresponding bit in the address must match, and a wildcard bit of 1 means the corresponding bit is ignored. A wildcard mask is thus the inverse of a subnet mask (the wildcard for a /24 network is 0.0.0.255, not 255.255.255.0), and unlike a subnet mask its 1 bits do not have to be contiguous. The table below lists a few examples of wildcard masks and their meanings.
Wildcard mask | Meaning |
0.0.0.0 | match the entire IP address (all 32 bits) |
0.0.0.255 | match the first 24 bits of the IP address |
0.255.255.255 | match the first 8 bits of the IP address |
0.0.3.255 | match the first 22 bits of the IP address |
Cisco IOS offers a shorter way of matching a single host or every possible address by using keywords instead of wildcards. A wildcard mask of 0.0.0.0 means the entire address must match, so 10.1.1.1 0.0.0.0 can be written as host 10.1.1.1 in an ACE. Likewise, 0.0.0.0 255.255.255.255, which matches any address, is written with the keyword any. An ACE that denies IP traffic from source 10.1.1.1 to any destination is therefore written as access-list 101 deny ip host 10.1.1.1 any
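The bit rule above, worked through as an added Python example (this is not code from the original article): the functions implement the wildcard comparison, the host and any keyword equivalences, the prefix-length conversion behind the table entries, and a check for non-contiguous wildcards, which IOS accepts but which cannot be described as "match the first N bits". The addresses are constructed for the illustration; the normalize function mirrors the way IOS stores an entered address with its don't-care bits cleared.

```python
"""Wildcard (inverse) mask arithmetic for Cisco IOS ACLs.

Added example, not code from the original article: wildcard bit 0 means the
address bit must match, wildcard bit 1 means it is ignored. Addresses below
are constructed for the demonstration.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted quad (address or mask) to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches ace_addr under the wildcard mask.

    XOR leaves a 1 in every bit position where the two addresses differ;
    after clearing the don't-care positions (wildcard bit 1) nothing may remain.
    """
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(ace_addr) ^ to_int(packet_addr)) & care == 0


def normalize(ace_addr: str, wildcard: str) -> str:
    """Zero the don't-care bits, as IOS does when it stores an ACE:
    '10.1.1.5 0.0.0.255' is shown back as '10.1.1.0 0.0.0.255'."""
    return to_dotted(to_int(ace_addr) & ~to_int(wildcard))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: the bitwise inverse of its subnet mask."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(~netmask)


def wildcard_to_prefix(wildcard: str):
    """Inverse of prefix_to_wildcard; None when the wildcard is not contiguous.

    A contiguous wildcard is a run of 0s followed by a run of 1s, so adding 1
    carries through all the 1s and no bit is set in both wc and wc + 1.
    """
    wc = to_int(wildcard)
    if wc & (wc + 1):
        return None
    return 32 - wc.bit_length()


def keyword_form(ace_addr: str, wildcard: str) -> str:
    """Render an address/wildcard pair the way IOS displays it."""
    if wildcard == "0.0.0.0":
        return f"host {ace_addr}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{normalize(ace_addr, wildcard)} {wildcard}"


if __name__ == "__main__":
    for prefix in (32, 24, 22, 8, 0):
        print(f"/{prefix:<2} -> wildcard {prefix_to_wildcard(prefix)}")
    print(keyword_form("10.1.1.1", "0.0.0.0"), "|", keyword_form("0.0.0.0", "255.255.255.255"))
    # Non-contiguous wildcard: matches only the even-numbered /24s under 192.168.0.0/16.
    for pkt in ("192.168.4.7", "192.168.5.7"):
        print(pkt, "matches 192.168.0.0 0.0.254.255:",
              wildcard_matches("192.168.0.0", "0.0.254.255", pkt))
    print("0.0.254.255 as a prefix length:", wildcard_to_prefix("0.0.254.255"))
```

Run directly, the script prints the conversions for the table entries and shows that 192.168.0.0 0.0.254.255 matches 192.168.4.7 but not 192.168.5.7: a selection no subnet mask can express, and a reason to double-check any wildcard that is not a plain run of ones.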
Types of ACLs
ACLs fall into two categories:
- Standard ACLs: Standard IP ACLs follow a simple logic and can only filter traffic based on the source IP address, network or subnet. The command syntax to define a standard ACL is
access-list access-list-number {deny | permit} source-address [source-wildcard]
In Cisco IOS, standard ACLs use numbers in the ranges 1-99 and 1300-1999.
Tip – Standard ACLs should be applied close to the destination of the packets. Because a standard ACL matches on source address only, applying it near the source would discard that source's traffic to every destination, not just the one that should be blocked.
- Extended ACLs: Extended IP ACLs follow a more complex logic and can filter based on source and destination IP addresses, specific protocols, and port numbers. The generic syntax is
access-list access-list-number {deny | permit} protocol source-address [source-wildcard] destination-address [destination-wildcard] [log | log-input]
The generic syntax of an extended ACL for the TCP protocol is as follows
access-list access-list-number {deny | permit} tcp source [source-wildcard] [operator [port]] destination [destination-wildcard] [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input]
The operator is one of eq, neq, gt, lt or range. The established keyword matches only TCP segments with the ACK or RST bit set, which lets replies to sessions opened from the protected side through; it is not stateful inspection, since any segment carrying those bits matches regardless of whether a session exists.
In Cisco IOS, extended ACLs use numbers in the ranges 100-199 and 2000-2699.
Tip – Extended ACLs should be applied close to the source of the packets, so that a denied packet is dropped near its origin instead of consuming router resources and bandwidth across the network only to be denied close to the destination.
Identification of ACLs
Cisco IOS offers two methods of identifying standard and extended ACLs
- Numbered ACLs: identified by a number
The table below lists the number ranges for different protocols
Protocol | Range |
Standard IP | 1-99 and 1300-1999 |
Extended IP | 100-199 and 2000-2699 |
Ethernet type code | 200-299 |
48-bit MAC address | 700-799 |
- Named ACLs: identified by a name (a number from the appropriate range may also be used as the name)
Named ACLs have several benefits over numbered ACLs. Before named ACLs were introduced, editing access control entries was a real headache for network administrators: a new entry could only be appended to the end of a numbered ACL, and changing the order or removing a single entry meant deleting the whole list and re-entering it. Named ACLs allow individual entries to be inserted, reordered, and removed. (Current IOS releases also accept numbered ACLs in the same ip access-list sub-mode, so they can be edited the same way.)
Named ACLs have a more granular and flexible syntax:
(config)# ip access-list {standard | extended} name
(config-ext-nacl)# [sequence-number] {deny | permit} protocol source-address [source-wildcard] destination-address [destination-wildcard] [log | log-input]
As shown above, a named ACL has a sub-configuration mode in which access control entries are specified with an optional sequence number. Entries are evaluated in sequence-number order, so an entry can be inserted between two existing ones by giving it an intermediate number, and removed with no followed by its sequence number. An entry entered without a sequence number is appended 10 past the last one, and the list can be renumbered with ip access-list resequence. Changes take effect immediately on every interface where the ACL is applied, so the order in which entries are removed and added during an edit matters: removing a permit before its replacement is in place blocks that traffic until the edit is finished.
Applying ACL to an Interface
After an ACL is configured it must be applied to an interface before it filters anything; an ACL that is defined but not applied has no effect. An ACL can be applied in the inbound or the outbound direction, with at most one ACL per protocol per direction on an interface.
- Inbound: incoming packets are checked against the ACL before they are routed to an outbound interface, so a denied packet is discarded without a routing lookup.
- Outbound: packets that have already been routed through the router are checked against the ACL as they exit the interface.
Note – Outbound ACLs applied on router interfaces do not filter traffic that originates from the router itself, such as its own routing updates or management sessions; inbound ACLs do filter traffic destined to the router.
To apply an ACL to an interface, the following command is used in interface configuration mode. An empty ACL, or a reference to an ACL name that has not been defined, permits all traffic, so a typo in the access-group name silently removes the filter.
(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
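The following Python model is an added example, not code from the original article or from Cisco. It ties together the first-match and implicit-deny processing described at the top of the page, the named-ACL sub-mode with sequence numbers, and the in/out semantics of ip access-group, including the note that outbound ACLs do not filter router-originated traffic. It parses only a subset of the ACE syntax (ip/tcp/udp, any / host / address-wildcard, an optional eq port on the destination, and no sequence-number for deletion), ignores trailing keywords such as log, and the ACL name INSIDE_IN, its entries and the sample packets are constructed.

```python
"""Model of a Cisco IOS named extended ACL with sequence numbers, bound to an
interface with ip access-group. Added example, not the article's or Cisco's
code; it handles a subset of the (config-ext-nacl)# syntax shown above, ignores
trailing keywords such as log, and uses constructed entries and packets."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# One entry; proto "ip" matches every protocol, dst_port is set only by 'eq PORT'.
Ace = namedtuple("Ace", "seq action proto src src_wc dst dst_wc dst_port")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None
    from_router: bool = False  # True for traffic the router itself generates


def wildcard_matches(ace_addr, wildcard, packet_addr):
    """Compare only the address bits where the wildcard mask is 0."""
    a, wc, p = (int(ipaddress.IPv4Address(x)) for x in (ace_addr, wildcard, packet_addr))
    return (a ^ p) & ~wc & 0xFFFFFFFF == 0


def parse_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


class NamedAcl:
    def __init__(self, name):
        self.name = name
        self.aces = {}  # sequence number -> Ace

    def configure(self, line):
        """Apply one line typed in (config-ext-nacl)# mode."""
        tokens = line.split()
        if tokens[0] == "no":              # 'no 20' removes the entry with sequence 20
            del self.aces[int(tokens[1])]
            return
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:                              # unnumbered entries go 10 past the last one
            seq = max(self.aces, default=0) + 10
        action, proto = tokens.pop(0), tokens.pop(0)
        src, src_wc = parse_address(tokens)
        dst, dst_wc = parse_address(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        self.aces[seq] = Ace(seq, action, proto, src, src_wc, dst, dst_wc, port)

    def ordered(self):
        """Entries are evaluated in sequence-number order, not the order typed."""
        return [self.aces[s] for s in sorted(self.aces)]

    def evaluate(self, pkt):
        """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
        for ace in self.ordered():
            if ((ace.proto == "ip" or ace.proto == pkt.proto)
                    and wildcard_matches(ace.src, ace.src_wc, pkt.src)
                    and wildcard_matches(ace.dst, ace.dst_wc, pkt.dst)
                    and (ace.dst_port is None or ace.dst_port == pkt.dst_port)):
                return ace.action, ace.seq
        return "deny", None


def filter_on_interface(bindings, pkt, direction):
    """bindings maps 'in'/'out' to the ACL applied there with ip access-group, or None."""
    acl = bindings.get(direction)
    if acl is None:
        return "permit", None
    if direction == "out" and pkt.from_router:
        return "permit", None  # outbound ACLs do not see router-originated traffic
    return acl.evaluate(pkt)


def build_demo():
    """Constructed ACL: block one host's telnet, then permit the rest of 10.1.1.0/24."""
    acl = NamedAcl("INSIDE_IN")
    acl.configure("10 deny tcp host 10.1.1.1 host 172.16.1.1 eq 23")
    acl.configure("20 permit ip 10.1.1.0 0.0.0.255 any")
    acl.configure("deny ip any any log")                   # appended as sequence 30
    acl.configure("15 deny udp host 10.1.1.2 any eq 53")  # inserted between 10 and 20
    acl.configure("no 30")                                 # back to the implicit deny
    return acl, {"in": acl, "out": None}                   # ip access-group INSIDE_IN in


if __name__ == "__main__":
    acl, e0 = build_demo()
    print([a.seq for a in acl.ordered()], filter_on_interface(e0, Packet("10.1.1.1", "172.16.1.1", "tcp", 23), "in"))
```

build_demo follows the editing workflow the text describes: entry 15 typed after entry 20 is still evaluated before it, the unnumbered deny lands at sequence 30, and no 30 removes it so the list again relies on the implicit deny. Evaluating a packet in the out direction with nothing bound there returns permit, which is the same as having no filter at all.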