Access Control List

An ACL (Access Control List) is a set of rules that allow or deny traffic flowing through a router. There are two types: standard ACLs are placed on the router nearest the destination and filter on source IP only, while extended ACLs are placed on the router nearest the source and can also filter specific protocols, services and ports. ACLs are configured either as numbered ACLs, where the number ties the entries together and fixes the type, or as named ACLs, which allow entries to be inserted, removed and renumbered by sequence number.

Uploaded by

Vishesh Malik
Copyright: All Rights Reserved

ACL (Access Control List)

• These are the "rules" on the routers.
• A set of permits and denies (allow and deny).
• An ACL also acts as a packet-filtering firewall.
• It is used to block a website, subnet, traffic, network or hosts.
• A standard ACL is Layer-3 security: it permits or blocks by IP address only. An extended ACL can additionally match the Layer-4 protocol and ports.
• An ACL is a set of rules that allows or denies specific traffic moving through the router, and so controls the flow of traffic from one router to another.
• Every ACL ends with an implicit "deny any": traffic that matches no entry is dropped, so a list containing only deny statements blocks everything.

Types of ACL

1) Standard ACLs
  - Applied on the router nearest to the destination.
  - Can block a particular subnet, host or network.
  - All services from the matched source are blocked; there is no option to block a specific service.
  - Because it matches only on source address, a deny for a host stops every conversation that host has through that router.
  - The access-list number range is <1-99>.

2) Extended ACLs
  - Applied on the router nearest to the source.
  - Can also block a particular subnet, host or network.
  - Any specific service can be blocked, such as only Telnet, FTP or HTTP; only the selected service is blocked.
  - Only the matched traffic (one service, in the direction the list is applied) is stopped; everything else still flows.
  - The access-list number range is <100-199>.

[Topology figure not reproduced: the 192.168.1.0 network sits behind R1 and the server 192.168.3.3 on the 192.168.3.0 network sits behind R3.]

In this topology we want 192.168.1.2 to be unable to ping (ICMP) the server 192.168.3.3.
Here the source is the 192.168.1.0 network and the destination is the 192.168.3.0 network. Since a standard ACL is applied nearest to the destination, it goes on router R3. If we use an extended ACL instead, it is applied nearest to the source, so it goes on R1.

More About ACLs

The purpose of an access-list is to identify traffic. ACLs are sometimes referred to as "packet filters", but how an ACL is applied determines its effect.

Apply an ACL to
- Interface -> matched traffic is permitted through (or dropped, on a deny)
- NAT -> matched traffic is translated
- VPN -> matched traffic is encrypted and sent through the tunnel
- Route-map -> matched advertisements are accepted
- QoS -> matched traffic is prioritized (or de-prioritized)
- ... and many other applications

• Two types of access control lists:
  - Standard: matches on source IP
  - Extended: matches on source IP, destination IP, source port, destination port and protocol

A packet-filter ACL is applied:

• Per interface
  An actual interface of the router, such as FastEthernet, Ethernet, GigabitEthernet, Serial, etc.

• Per direction
  Inbound or outbound on that interface.
  In = packets arriving at the router through the interface.
  Out = packets leaving the router through the interface.
  Only one ACL per protocol, per interface, per direction can be bound.

• Per IP protocol
  IPv4 or IPv6; a single ACL never contains both.

There are two ways to configure ACLs:

• Numbered ACL
  - Syntax for a numbered standard ACL:
    access-list <ID#> <action> <source>
  - Syntax for a numbered extended ACL:
    access-list <ID#> <action> <protocol> <source> <destination>

access-list
  The command that configures a numbered ACL.

ID#
  The number that links multiple entries into the same access-list. It is how the ACL is referred to elsewhere in the configuration (for example when it is bound to an interface). The number chosen also fixes the type of list:
  Standard ACL = 1-99 or 1300-1999
  Extended ACL = 100-199 or 2000-2699

ACL Number   Entries
10           permit 10.10.10.1
10           deny 10.10.10.2
156          permit Telnet for 192.168.2.2
156          permit FTP for 192.168.2.3
156          deny FTP for 192.168.3.3

The two entries numbered 10 form one standard list and can only name a source address; the three entries numbered 156 form one extended list, which is the only kind that can name a service such as Telnet or FTP.

Each individual entry is referred to as an ACE (Access Control Entry); a series of ACEs makes up an ACL or access-list. Entries are checked top-down and the first match wins, so the order of ACEs matters.

action

This field is one of permit, deny or remark. What permit and deny actually do depends on how the ACL is applied (see the list above):
1) permit = accept the traffic (forward, translate, encrypt, ... depending on the use)
2) deny = reject the traffic
3) remark = comment, ignored in packet processing

R(config)# access-list 10 remark "String"

protocol

There is no protocol field in a standard ACL; it filters only on the IP source address. In an extended ACL the protocol field selects what is matched:
- ip: match all IPv4 traffic
- tcp: match TCP traffic (ports specified later in the entry)
- udp: match UDP traffic (ports specified later in the entry)
- icmp: match ICMP traffic (ping, traceroute, etc.)
- many more: gre, esp, ahp, etc.

source or destination

Either is written as <IP address spec> [port qualifier]:

- To match a subnet
  <Network ID> <Wildcard Mask>   (a 0 bit in the wildcard must match, a 1 bit is ignored)
- To match a single IP address
  host <#.#.#.#>
- To match all IP addresses
  any
- To match a specific port
  eq <#> (eq = equal)
- To match a range of ports
  range <#> <#>   (inclusive: both ends match)
- Other qualifiers
  gt <#>, lt <#>, neq <#>   (greater than, less than, not equal)

Port qualifiers only make sense on tcp and udp entries.

Numbered ACL Configuration Demonstration

R(config)# do show run | section access-list
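To make the numbered-ACL rules above concrete, here is an added example (a Python model written for this page, not Cisco code) that parses standard and extended access-list lines in the syntax just described and evaluates packets against them the way a router does: wildcard-mask matching, top-down first match, and the implicit deny at the end. The two configs R3_STANDARD and R1_EXTENDED are constructed for the topology example above (192.168.1.2 must not ping 192.168.3.3); the function names (acl_kind, wildcard_match, parse_ace, evaluate, demo) are this example's own.

```python
"""Model of how an IOS router evaluates a numbered IPv4 ACL: wildcard masks,
top-down first match, implicit deny.  Added example, not Cisco code."""
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is an all-ones wildcard
NO_PORT = lambda p: True  # entry carries no port qualifier: every port matches
ACE = namedtuple("ACE", "number action protocol src sport dst dport")
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))

def acl_kind(number: int) -> str:
    """The number chosen fixes the list type (standard = source address only)."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not an IPv4 numbered-ACL id")

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bits: 0 = must match, 1 = don't care (the inverse of a netmask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(t, i):
    """Consume 'any' | 'host A' | 'NET WILDCARD' at t[i]; return ((net, wild), next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_port(t, i):
    """Consume an optional eq/gt/lt/neq/range qualifier; return (predicate, next i)."""
    if i < len(t) and t[i] == "range":  # inclusive on both ends
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        n, op = int(t[i + 1]), t[i]
        preds = {"eq": lambda p: p == n, "gt": lambda p: p > n,
                 "lt": lambda p: p < n, "neq": lambda p: p != n}
        return preds[op], i + 2
    return NO_PORT, i

def parse_ace(line: str):
    t = line.split()
    if t[:1] != ["access-list"] or t[2] == "remark":  # remarks are never evaluated
        return None
    number, action = int(t[1]), t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if acl_kind(number) == "standard":  # source only; a bare address means one host
        if t[3] in ("any", "host"):
            src, _ = parse_addr(t, 3)
        else:
            src = (t[3], t[4] if len(t) > 4 else "0.0.0.0")
        return ACE(number, action, "ip", src, NO_PORT, ANY, NO_PORT)
    src, i = parse_addr(t, 4)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, _ = parse_port(t, i)
    return ACE(number, action, t[3], src, sport, dst, dport)

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.proto:
        return False
    return (wildcard_match(pkt.src, *ace.src) and ace.sport(pkt.sport)
            and wildcard_match(pkt.dst, *ace.dst) and ace.dport(pkt.dport))

def evaluate(config: str, number: int, pkt: Packet) -> str:
    """Top-down; the first matching ACE decides.  No match = implicit 'deny any'."""
    for line in config.strip().splitlines():
        ace = parse_ace(line)
        if ace and ace.number == number and matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed configs for the topology in the notes: 192.168.1.2 must not ping 192.168.3.3.
R3_STANDARD = """
access-list 10 remark standard list, placed on R3 nearest the destination
access-list 10 deny host 192.168.1.2
access-list 10 permit any
"""
R1_EXTENDED = """
access-list 100 remark extended list, placed on R1 nearest the source
access-list 100 deny icmp host 192.168.1.2 host 192.168.3.3
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any range 20 21
access-list 100 permit ip any any
"""

def demo() -> dict:
    ping = Packet("192.168.1.2", "192.168.3.3", "icmp")
    ssh = Packet("192.168.1.2", "192.168.3.3", "tcp", sport=40000, dport=22)
    return {
        "std_ping": evaluate(R3_STANDARD, 10, ping),   # deny
        "std_ssh": evaluate(R3_STANDARD, 10, ssh),     # deny too: a standard list cannot spare a service
        "ext_ping": evaluate(R1_EXTENDED, 100, ping),  # deny
        "ext_ssh": evaluate(R1_EXTENDED, 100, ssh),    # permit: only ICMP was singled out
    }
```

The std_ssh result is the practical difference between the two types: the standard list on R3 drops every packet from 192.168.1.2, not just the ping, while the extended list on R1 stops only ICMP. On a real router the list still has to be bound to an interface and direction, for example with ip access-group 100 in under the R1 interface facing the 192.168.1.0 network; the model only evaluates the list itself.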

• Named ACL

Named ACLs are defined as standard or extended. The order of entries in an ACL is significant (first match wins), and by default new entries are appended at the end, which is a limitation when an entry must go between two existing ones. Named ACLs provide additional features over numbered ACLs:

- Insert lines at a desired location (by sequence number)
- Remove individual lines without deleting the whole list
- Edit a numbered ACL the same way (ip access-list standard 10, for example)
- Renumber the ACL sequence numbers
- Configure IPv6 ACLs

ip access-list standard <ID# or name>
  [sequence#] <action> <source>

ip access-list extended <ID# or name>
  [sequence#] <action> <protocol> <source> <destination>

sequence#

This sets exactly where the new entry goes: the entry appears at whatever number is given. It is optional; if omitted, the entry is appended at the end (IOS numbers entries in steps of 10).

Configuration

R# configure terminal
R(config)# ip access-list extended <NAME>
R(config-ext-nacl)# remark My First ACL!!
R(config-ext-nacl)# permit ip host <IP> host <IP>
R(config-ext-nacl)# deny ip host <IP> host <IP>

R# show run | section access-list

To remove one entry, the whole ACL is not removed; repeat the statement with no in front:
R# configure terminal
R(config)# ip access-list extended <NAME>
R(config-ext-nacl)# no permit ip host <IP> host <IP>

We can also remove any entry by its sequence number alone.

R# show access-lists

Extended IP access list <Name>
    10 permit statement
    20 permit statement_2
    30 deny statement

To remove:

R(config)# ip access-list extended <Name>
R(config-ext-nacl)# no 20

After this command the statement with sequence number 20 is removed.

We can add an entry at any place by giving a sequence number.

R# configure terminal
R(config)# ip access-list extended <NAME>
R(config-ext-nacl)# <any number between 21 and 29> permit/deny statement

After this command the new entry sits after sequence 20 and before sequence 30.

Sequence numbers are assigned in steps of 10 by default; we can renumber them:

R(config)# ip access-list resequence <NAME> <Starting> <Increment>

R(config)# ip access-list resequence <NAME> 10 20

starts at 10 and increments by 20: 10, 30, 50, 70, ...
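The sequence-number editing just described (append at the end, insert between two entries, remove one line, resequence) as an added example: a small in-memory Python model written for this page, not IOS code. The class name NamedACL, its methods and the BLOCK_PING list are this example's own; the statements follow the notes' topology.

```python
"""Model of how an IOS named ACL is edited by sequence number.
Added example: an in-memory model, not Cisco code."""
from typing import Dict, List, Optional


class NamedACL:
    def __init__(self, name: str, kind: str = "extended"):
        self.name, self.kind = name, kind
        self.entries: Dict[int, str] = {}  # sequence number -> statement

    def add(self, statement: str, sequence: Optional[int] = None) -> int:
        """Without a sequence number IOS appends: last sequence + 10 (10 if empty)."""
        if sequence is None:
            sequence = max(self.entries) + 10 if self.entries else 10
        if sequence in self.entries:
            raise ValueError(f"sequence {sequence} is already used in {self.name}")
        self.entries[sequence] = statement
        return sequence

    def remove(self, sequence: int) -> None:
        """'no <sequence>' deletes just that line; the rest of the list survives."""
        del self.entries[sequence]

    def resequence(self, start: int = 10, increment: int = 10) -> None:
        """ip access-list resequence <name> <start> <increment>: renumber, same order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: s for i, s in enumerate(ordered)}

    def order(self) -> List[int]:
        """Sequence numbers in evaluation order."""
        return sorted(self.entries)

    def show(self) -> str:
        """Roughly what 'show access-lists' prints for a named list."""
        lines = [f"{self.kind.capitalize()} IP access list {self.name}"]
        lines += [f"    {seq} {stmt}" for seq, stmt in sorted(self.entries.items())]
        return "\n".join(lines)


def demo() -> NamedACL:
    # Constructed walk-through: insert between 20 and 30, drop 20, then resequence.
    acl = NamedACL("BLOCK_PING")
    acl.add("permit ip host 192.168.1.1 host 192.168.3.3")   # 10
    acl.add("permit ip host 192.168.1.5 host 192.168.3.3")   # 20
    acl.add("permit ip host 192.168.1.2 host 192.168.3.3")   # 30
    # The deny must sit before the permit at 30 or it never matches: order matters.
    acl.add("deny icmp host 192.168.1.2 host 192.168.3.3", sequence=25)
    acl.remove(20)           # now 10, 25, 30
    acl.resequence(10, 20)   # now 10, 30, 50
    return acl
```

The insert at 25 is the whole point of sequence numbers: appended at the end it would land after the permit at 30 and never be reached, so the host could still ping.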

IPv6 ACLs

R(config)# ipv6 access-list <Name>
R(config-ipv6-acl)# <action> <protocol> <source> <destination> [sequence <#>]
- All IPv6 ACLs are extended, and they are always named, never numbered.
- The sequence number is given with the sequence keyword at the end of the entry rather than in front of it.
- Besides the implicit deny at the end, an IPv6 ACL also carries implicit permits for neighbor discovery (nd-ns and nd-na) just before that deny; an explicit deny ipv6 any any at the end of the list would override them and break IPv6 on the link.

Configuration:

R# configure terminal
R(config)# ipv6 access-list <Name>
R(config-ipv6-acl)# remark My First IPv6 ACL !!
R(config-ipv6-acl)# permit ipv6 host 2001:1234::a host 2001:1254::a
R(config-ipv6-acl)# deny ipv6 host 2001:1546::1 host 2001:1523::b
R(config-ipv6-acl)# permit ipv6 2001:1234::/64 host 2001:1563::b
