- Filtering traffic entering and exiting an interface
- Controlling access to VTY lines
- Route update filtering
- As a traffic classification tool when used with QoS
- Dial-on-demand routing (DDR) with ISDN
- Restricting output of debug commands
This tutorial, however, concentrates only on packet filtering using ACLs.
What is an ACL?
An ACL is a sequence of commands, each called an Access Control Entry (ACE), entered in a specific order. The order determines how the ACL behaves (entries are evaluated top-down and the first match wins), so it is recommended to place the most relevant ACEs at the beginning of the ACL.
When an ACL is used as a packet filter, these ACEs are called packet filtering rules or conditions. A condition looks for matches on the content of the packet, including:
- Source and destination address
- Layer-2 protocol information such as Ethernet frame type
- Layer-3 protocol, including IP, IPX, etc.
- Layer-3 protocol information such as ICMP, OSPF, EIGRP
- Layer-4 protocol and information, such as TCP or UDP and port numbers
Direction of ACL
An access list can be applied in one direction per interface. For example, say you have created an Internet filtering ACL to drop ICMP traffic. This ACL can only be applied to the Internet-facing interface in the inbound direction, not both. If bi-directional filtering is required, a separate ACL for the reverse direction can be configured.
The IMPLICIT DENY Condition
At the end of every ACL there exists an IMPLICIT DENY. It means that any traffic not explicitly permitted will be denied. We will look at this later when configuring an example of a standard ACL.
The Wildcard Mask
Also known as the reverse mask. The logic is based on a logical AND operation: if a wildcard bit is binary zero, the corresponding address bit is checked and must match; if it is binary one, the corresponding bit is ignored and need not match. Example: we have the network 192.168.1.0 with a subnet mask of 255.255.255.0 (or simply 192.168.1.0/24). The wildcard mask is created by subtracting the subnet mask from 255.255.255.255. In this case:
255.255.255.255 - 255.255.255.0 = 0.0.0.255
Decimal  | 192      | 168      | 1        | 0
Binary   | 11000000 | 10101000 | 00000001 | 00000000
Wildcard | 00000000 | 00000000 | 00000000 | 11111111
It means that for the ACE condition to match, the first three octets of the packet address must be 192, 168 and 1; the last octet can be anything. Consider Table-1 for more examples.
TABLE-1: Wildcard Mask (the address and wildcard columns of this table did not survive extraction; the one surviving row reads: "Matches any even-numbered network in the range of 10.1.2.0 to 10.1.254.0")
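To make the wildcard arithmetic above concrete, here is an added Python example (not part of the tutorial) that derives a wildcard from a prefix length, prints the per-octet table for the tutorial's 192.168.1.0/24 case, and tests candidate addresses against an address/wildcard pair; the 10.1.2.0 0.0.254.255 "even third octet" pair is a constructed illustration of a non-contiguous wildcard.

```python
import ipaddress

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for /prefix_len: 255.255.255.255 minus the subnet mask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - netmask))

def octet_table(address: str, wildcard: str):
    """Per-octet view like the tutorial's table: (decimal, address bits, wildcard bits)."""
    return [(int(a), f"{int(a):08b}", f"{int(w):08b}")
            for a, w in zip(address.split("."), wildcard.split("."))]

def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """A 0 bit in the wildcard must match the address bit; a 1 bit is ignored."""
    a, w, c = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, candidate))
    care = ~w & 0xFFFFFFFF          # the bits that must match
    return (a & care) == (c & care)

if __name__ == "__main__":
    # The tutorial's example: 192.168.1.0/24 -> wildcard 0.0.0.255
    print(wildcard_from_prefix(24))
    for row in octet_table("192.168.1.0", "0.0.0.255"):
        print(row)
    print(wildcard_match("192.168.1.0", "0.0.0.255", "192.168.1.200"))
    print(wildcard_match("192.168.1.0", "0.0.0.255", "192.168.2.1"))
    # Constructed non-contiguous wildcard: third octet must have bit 0 clear (even)
    print(wildcard_match("10.1.2.0", "0.0.254.255", "10.1.100.9"))
    print(wildcard_match("10.1.2.0", "0.0.254.255", "10.1.101.9"))
```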
Types of ACLs
There are two types of ACLs.
1. Standard Access List
A Standard Access List allows filtering based on the source address of an entity only. Since standard access lists test only source addresses, they are best placed close to the destination of the traffic being blocked. There are two exceptions where the address in a standard access list is not the source:
- On an outbound VTY access list, the address is the destination address rather than the source address.
- When route filtering, the address is the network being advertised to you rather than the source address.
A standard access list can be either named or numbered. Numbered standard ACLs use the ranges 1 to 99 and 1300 to 1999. Named ACLs allow an ACL to be created using a meaningful name rather than a number; humans are also better at remembering names than numbers.
Configuration
Numbered Standard ACL:
Step-1: configure terminal
Step-2: access-list <number> [permit|deny] <source> <wildcard>
Step-3: interface <interface>
Step-4: ip access-group <number> [in|out]

Named Standard ACL:
Step-1: configure terminal
Step-2: ip access-list standard <name>
Step-3: [permit|deny] <source> <wildcard>
Step-4: interface <interface>
Step-5: ip access-group <name> [in|out]

Verification: show access-list or show ip access-list

Warning: In the case of numbered ACLs (standard or extended), if reconfiguration is required, the entire ACL must be removed and re-entered. If "no access-list <number>" is issued, the whole ACL is lost. Therefore, it is advisable to back up the configuration before removing an ACE from a standard ACL.

NOTE: This document explains only the basic options for creating and using ACLs. Refer to the Configuration Guide and Command Reference for complete syntax details.

Example-1: Let us assume that traffic from ISP-1 and from host 192.168.1.1 must be dropped. ISP-1 uses the address range 172.16.1.0/22 (wildcard 0.0.3.255). A host address uses a subnet mask of 255.255.255.255 (wildcard 0.0.0.0).
Step-1: configure terminal
Step-2: access-list 1 deny 172.16.1.0 0.0.3.255
Step-3: access-list 1 deny 192.168.1.1 0.0.0.0
Step-4: access-list 1 permit 0.0.0.0 255.255.255.255 (note: to avoid the implicit deny condition, every other host except 192.168.1.1 and the ISP-1 range 172.16.1.0/22 is allowed)
Step-5: interface fa0/0
Step-6: ip access-group 1 in

Example-2: the above example using a named ACL
Step-1: configure terminal
Step-2: ip access-list standard ISP1-Traffic
Step-3: deny 172.16.1.0 0.0.3.255
Step-4: deny host 192.168.1.1
Step-5: permit any
Step-6: interface fa0/0
Step-7: ip access-group ISP1-Traffic in

2. Extended Access List
Extended ACLs can filter traffic anywhere, and they add filtering capabilities that standard ACLs do not support, including: IP options, TCP flags, source and destination IP addresses, upper-layer protocols (TCP/UDP) with source and destination port numbers, and type of service (ToS) bits. Extended ACLs can be either numbered (ranges 100 to 199 and 2000 to 2699) or named.
Configuration:
Numbered Extended ACL:
Step-1: configure terminal
Step-2: access-list <number> [permit|deny] <protocol> <source> <src-wildcard> <destination> <dst-wildcard>
Step-3: interface <interface>
Step-4: ip access-group <number> [in|out]

Named Extended ACL:
Step-1: configure terminal
Step-2: ip access-list extended <name>
Step-3: [permit|deny] <protocol> <source> <src-wildcard> <destination> <dst-wildcard>
Step-4: interface <interface>
Step-5: ip access-group <name> [in|out]

Example-1: Let us consider the example from the standard access list section. This time only ICMP traffic from ISP-1 should be blocked, and that ICMP traffic should be logged. The host 192.168.1.1 now hosts a secure web application. Local LAN users are only allowed to reach 192.168.1.1 using HTTP or HTTPS.
Step-1: configure terminal
Step-2: access-list 101 deny icmp 172.16.1.0 0.0.3.255 any log
Step-3: access-list 101 permit tcp 192.168.1.1 0.0.0.0 eq 80 any gt 1024
Step-4: access-list 101 permit tcp 192.168.1.1 0.0.0.0 eq 443 any gt 1024
Step-5: access-list 101 permit ip any any
Step-6: interface fa0/0
Step-7: ip access-group 101 in
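To see how first-match ordering and the implicit deny play out, here is an added Python evaluator (not from the tutorial) that replays ACL 1 and ACL 101 from the examples above over constructed sample packets; it assumes the /22 wildcard 0.0.3.255 for ISP-1 and the eq keyword for the source-port tests, and it models only the fields these examples use.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to

def wildcard_match(address, wildcard, candidate):
    """A 0 bit in the wildcard must match; a 1 bit is ignored."""
    a, w, c = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, candidate))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (c & care)

def port_match(cond, port):
    """cond is None (no port test), ("eq", n) or ("gt", n)."""
    if cond is None:
        return True
    op, value = cond
    return port is not None and (port == value if op == "eq" else port > value)

def evaluate(acl, pkt):
    """First-match evaluation. Returns (action, index); index None means the
    packet matched no ACE and was dropped by the implicit deny."""
    for idx, (action, proto, src, src_wc, sport, dst, dst_wc, dport) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(src, src_wc, pkt["src"]) and wildcard_match(dst, dst_wc, pkt["dst"])):
            continue
        if not (port_match(sport, pkt.get("sport")) and port_match(dport, pkt.get("dport"))):
            continue
        return action, idx
    return "deny", None

# ACE tuples: (action, proto, src, src_wc, src_port, dst, dst_wc, dst_port).
# Tutorial ACL 1 (standard Example-1) without its final "permit any" ...
ACL_1_NO_PERMIT = [
    ("deny", "ip", "172.16.1.0", "0.0.3.255", None, *ANY, None),
    ("deny", "ip", "192.168.1.1", "0.0.0.0", None, *ANY, None),
]
# ... and with it, as the tutorial configures it.
ACL_1 = ACL_1_NO_PERMIT + [("permit", "ip", *ANY, None, *ANY, None)]

# Tutorial ACL 101 (extended Example-1); "eq 80" / "eq 443" is the IOS syntax.
ACL_101 = [
    ("deny", "icmp", "172.16.1.0", "0.0.3.255", None, *ANY, None),
    ("permit", "tcp", "192.168.1.1", "0.0.0.0", ("eq", 80), *ANY, ("gt", 1024)),
    ("permit", "tcp", "192.168.1.1", "0.0.0.0", ("eq", 443), *ANY, ("gt", 1024)),
    ("permit", "ip", *ANY, None, *ANY, None),
]
# Constructed sample packets (not from the tutorial).
PKT_LAN = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "sport": 40000, "dport": 443}
PKT_ISP_PING = {"proto": "icmp", "src": "172.16.2.9", "dst": "10.0.0.5"}
PKT_WEB_REPLY = {"proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.5", "sport": 443, "dport": 40000}
```

Running evaluate(ACL_1_NO_PERMIT, PKT_LAN) returns ("deny", None), showing the implicit deny catching a LAN host once the trailing permit is omitted, while the same packet against ACL_101 is caught by the final permit ip any any rather than by the HTTP/HTTPS entries.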