An ACL consists of sequential series of statements known as an Access Control Entry (ACE). Each ACE specifies a matching criteria and an action which can be either Permit or deny. The matching criteria can be various things such as source/destination address or protocol such as TCP or UDP. For an individual ACE all configured matching values must match in order for that ACE to be considered as match. For example if an ACE is configured to match source IP address of 10.1.1.1 and destination IP address 172.16.1.1 then a packet must match against both of these for the ACE to be considered as a match. When the first match occurs, Access-List processing stops and the specified action is taken.

 

 

As shown in the figure above, a packet with a source address 10.1.1.1 and destination address 172.16.1.1 enters Ethernet 0/0 interface. An access-list with an identification number 101 applied inbound on the interface so the packet must pass through the ACL; we will discuss the identification, direction and application of ACL later on. The processing of ACL occurs sequentially and the match criteria of first sequence are checked against the packet, since it does not match the next ACE (sequence 2) is considered. The match criterion of sequence 2 is matched and the specified action is taken which is to permit the packet.

Note that if a packet does not match any of the access control entries in an ACL then it matches an Implicit Deny ACE that is present at the bottom in all ACLs. The Implicit Deny ACE is a deny all statement that denies all packets. In case this behavior is not required and packets that do not match any ACE must be forward, an ACE must be specified at the bottom of ACL that permits all packets. This type of ACE is known as explicit permit.

Wildcard Masks

You must have noticed 0.0.0.0 after source and destination addresses in the ACL in the diagram shown above, these are 32-Bit numbers called Wildcard masks also known as inverse marks and are used to define a portion of IP address that should be examined. The 32 bits of wildcard mask are compared to 32 bits of IP Address, a wildcard bit of 0 means to match the corresponding bit value in IP address and wildcard bit of 1 means to ignore or not check the corresponding bit value in the IP address. The table below lists a few examples of wildcard masks and their meanings

0.0.0.0

match the entire IP Address

0.0.0.255

match the first 24 bits of IP Address

0.255.255.255

match the first 8 bits of IP Address

0.0.3.255

match the first 22 bits of IP Address

Cisco IOS allows a simple method of matching a single host or entire 32-bit IP address range by using keywords instead of wildcards. A wildcard mask 0.0.0.0 means to match an entire IP address, this can be replaced in an ACE with the keyword host, thus 10.1.1.1 0.0.0.0 can be written as host 10.1.1.1 in an ACE. Likewise a wildcard mask to match entire IP address range is specified by any keyword instead of 0.0.0.0 255.255.255.255 thus an ACE that matches a source address of 10.1.1.1 and any destination address will be as access-list 101 deny ip host 10.1.1.1 any

Types of ACLs

An ACL can be classified into two categories mentioned below

  • Standard ACLs: Standard IP ACLs follow a simple logic and can only filter traffic based on IP source address, network or subnet. The command syntax to define a Standard ACL is mentioned below

access-list access-list-number {deny | permit} source-address

[source-wildcard] [log]

The log keyword is used for informational purposes. When a packet is matched against an ACL a message is generated

In Cisco IOS the Standard ACLs can have numbers in range of 1-99 and 1300-1999

 

Tip – Standard ACLs should be applied close to the destination of the packets so that It does not
unintentionally discard packets that should not be discarded

 

  • Extended ACLs: Extended IP ACLs follow a more complex logic and can filter based on source/destination IP Addresses, specific protocols and port numbers.

 

access-list access-list-number {deny | permit} protocol source-address [source-wildcard] destination-address [destination-wildcard] [log | log-input]

Generic syntax of an Extended ACL for Protocol TCP is as follows

access-list access-list-number {deny | permit} tcp source [source-wildcard] [operator [port]] destination [destination- wildcard] [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input]

In Cisco IOS the Extended ACLs can have numbers in range of 100-199 and 2000-2699

Tip – Extended ACLs should be applied close to the source of the packets so that a packet is denied near the
source to save router resources and bandwidth rather then it being forwarded close to the destination and
eventually being denied

 

Identification of ACLs

Cisco IOS allows two methods to identify standard and extended ACLs

  • Numbered ACLs: Use a number for identification

 

Table below lists different ACL number ranges for different protocol

Protocol

Range

Standard IP

1-99 and 1300-1999

Extended IP

100-199 and 2000-2999

Ethernet Type Code

200-299

48-bit MAC ACL

700-799

 

  • Named ACLs: Use a name or number for identification

Named ACLs has several benefits over Numbered ACLs. Before the introduction of Named ACLs, editing access control entries was really headache for network administrators. Named ACL allows editing the order and removing individual access control entries.

Named ACLs have a more granular and flexible syntax mentioned as below

config)# ip access-list [standard | extended] name

config-ext-nacl)# sequence-number {deny | permit} protocol source-address [source-wildcard] destination-address [destination-wildcard] [log | log-input]

As shown in the example above Named ACL will have sub configuration mode for specifying access control entries with sequence number. With the use of sequence numbers different ACEs can be added, removed and edited.

Applying ACL to an Interface

After an ACL is configured it must be applied to an Interface for traffic filtering purpose. An ACL can be applied in an inbound direction or an outbound direction.

  • Inbound: Incoming packets are processed before they are routed to an outbound interface.

 

  • Outbound: Traffic that has already been processed through the router and exiting the interface are processed by the ACL.

Note – Outbound ACLs applied on the router interfaces do not filter traffic that originates from the router

To apply an ACL to an interface the following command syntax is used.

Config-if)# ip access-group {access-list-number | access-list-name} {in | out}