Lab_ACL
Access Control Lists (ACL)

Introduction
Access Control Lists (ACLs) for IP enable a router to discard certain packets according to
pre-defined criteria. The purpose of these lists, also known as filters, is to protect the network
from unwanted traffic. They can be used for a variety of purposes:

• Filter network traffic according to addresses and higher layer protocols (allow e-mail
traffic, block telnet traffic, etc.);
• Control traffic flow by preventing routing update information from a particular
network from propagating anywhere;
• Provide a basic level of network access security.

An access list is processed in two steps: matching and action. In the first step, each packet
is examined against the entries of the list, in order, to determine whether it corresponds to one
of them. At the first match, one of two actions is applied: the packet is permitted or denied.
The comparison criteria specified in ACLs can be based on IP, TCP and UDP header fields.
There are two main categories of access control lists for IP: standard and extended. Extended
ACLs can examine source and destination IP addresses, as well as source and destination port
numbers, and several other fields. Standard ACLs can only examine the source IP address.
Cisco uses generic masks (wildcard masks) to specify which part of an IP address to examine.
Such a mask is paired with an IP address in each access-list entry (see appendix). A generic
mask looks like a subnet mask but works differently: a bit set to 0 tells the router to compare
the bit at the corresponding position in the packet's address, and a bit set to 1 tells it to
ignore that bit.
When a router applies an ACL to traffic, it binds the ACL to an interface in one direction,
inbound or outbound.

Objectives
Consider scenarios 1, 2 and 3 to be implemented on the figure given below, with access
restriction rules for each scenario. In each case, configure the appropriate access lists to meet
the requirements specified in each scenario. Place the access lists in the router that filters the
packets to be discarded (rejected) as quickly as possible.

Scenario 1 - The filtering criteria are:

1. PC3 must be able to access machines on the LAN3.
2. All other machines on LAN1 are not authorized to access the LAN3.
3. All other accesses are authorized.

Scenario 2 - The filtering criteria are:
1. Machines on the LAN2 are not allowed to communicate with machines on the LAN1.
2. PC3 and PC4 machines are not authorized to access machines on the LAN3.
3. Other accesses between machines on the LAN1 and LAN3 are authorized.
4. All other accesses are authorized.

Scenario 3 - The filtering criteria are:

1. PC3 and PC4 machines have the right to connect to any Web server on LAN3.
2. PC3 and PC4 machines are not allowed to connect to other servers on LAN3 using TCP.
3. PC1 can only access Web services (and not other services) on the LAN3.
4. Machines on LAN1 can access machines on LAN3 unless otherwise specified.
5. Web clients on LAN2 are not allowed to connect to the Web server on LAN3 unless
mentioned elsewhere in these criteria.
6. All other unspecified communication should be prohibited.

Appendix: Definition and use of access control lists

A. Standard ACLs:
A standard access list permits or denies all traffic coming from a particular host or network.
It can only compare the source IP address, using a bit pattern called a generic mask; it cannot
look at the destination address or at the protocol.
1) ACL configuration:
• List definition:
Router(config)# access-list <list-number, between 1 and 99> {permit|deny} <source IP address> <generic mask>
Router(config)# access-list <list-number, between 1 and 99> remark <text> : defines a comment
to remind you of the effect of the access list.
Once the access control list has been created, it must be assigned to an interface (to activate it)
as follows:
• Assigning the list to an interface:
Router(config-if)# ip access-group <list-number> [in|out]
- in|out indicates whether the list is applied to inbound or outbound traffic on that interface.

• Show access list contents:
The show access-lists command displays the contents of all access lists. To view a
particular list, specify its list number (<list-number>).

• Generic mask bits:
Access control lists use the generic mask to specify which part of an IP address to
examine (for the purpose of granting or denying access) as follows:
- 32-bit mask divided into 4 bytes
➢ 0 means "check the value of the corresponding bit".
➢ 1 means "ignore the value of the corresponding bit".
- Example: Router(config)# access-list 1 permit 5.6.0.0 0.0.255.255
Only the first 16 bits are checked: any source address of the form 5.6.x.x matches this entry.

• Keyword « any »:
This keyword specifies any address (equivalent to 0.0.0.0 255.255.255.255):
- Example: Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Equivalent to:
- Router(config)# access-list 1 permit any

• Keyword « host »:
This keyword specifies a single address (generic mask 0.0.0.0, every bit checked):
- Example: Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Equivalent to:
- Router(config)# access-list 1 permit host 172.30.16.29

B. Extended ACLs:
Extended ACLs filter packets at the transport layer of the OSI model (checking the protocol
carried over IP and the source and destination port numbers), in addition to the source and
destination IP addresses and other parameters.
1) Configuring ACLs:
The procedure is the same as for a standard access list, with the following syntax:
• Syntax:
Router(config)# access-list <list-number> {permit|deny} <protocol over IP>
<source IP address> <generic mask> [<operator> [<port>]] <destination IP address> <generic mask>
[<operator> [<port>]] [established] [log]

Parameter         Description
list-number       from 100 to 199
protocol over IP  identifies the protocol concerned: IP, TCP, UDP, ICMP, IGRP, OSPF, EIGRP
operator          conditional function: eq, lt, gt, ne, range
port              port number (can be replaced by its name)
established       allows TCP traffic to pass only if the packet belongs to an already established connection
log               specifies whether matches for this entry should be logged

Note: Only protocols that use IP directly are taken into account. For example, RIP does not
appear because it uses UDP.
• Example:
Router(config)# access-list 101 deny tcp any host 172.16.4.1 range 20 23
Router(config)# access-list 101 permit tcp any host 172.16.4.1 eq smtp
This blocks the TCP services on ports 20 to 23 toward 172.16.4.1 and permits only the mail
service (SMTP) to this same machine; any other packet examined by list 101 is dropped by the
implicit deny at the end of every access list.
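As an added example (not part of the lab handout), the following Python model shows how a router evaluates these lists: the generic-mask comparison from section A, the port operators from the table above, first-match semantics and the implicit deny at the end of the list. It reproduces ACL 101 from the example above; the packet representation (a dict with proto/src/dst/dport) is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco generic (wildcard) mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF              # positions the router actually compares
    return (a & care) == (b & care)

def port_ok(cond: Optional[tuple], port: int) -> bool:
    """Port operator from the extended-ACL syntax: eq, ne, lt, gt, range."""
    if cond is None:                    # no operator given: any port matches
        return True
    op, *args = cond
    return {"eq": port == args[0], "ne": port != args[0], "lt": port < args[0],
            "gt": port > args[0], "range": args[0] <= port <= args[-1]}[op]

@dataclass
class Entry:
    """One access-list line; defaults reproduce 'any' (0.0.0.0 255.255.255.255)."""
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches anything carried over IP
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[tuple] = None       # e.g. ("range", 20, 23) or ("eq", 25)

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and port_ok(self.dport, pkt.get("dport", 0)))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry decides; every Cisco ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Constructed model of ACL 101 from the example above ("host" = generic mask 0.0.0.0):
#   access-list 101 deny   tcp any host 172.16.4.1 range 20 23
#   access-list 101 permit tcp any host 172.16.4.1 eq smtp
ACL_101 = [
    Entry("deny", "tcp", dst="172.16.4.1", dst_wc="0.0.0.0", dport=("range", 20, 23)),
    Entry("permit", "tcp", dst="172.16.4.1", dst_wc="0.0.0.0", dport=("eq", 25)),
]
```

Running evaluate(ACL_101, ...) for TCP port 23, 25 and 80 toward 172.16.4.1 returns deny, permit and deny, the last one coming from the implicit deny rather than from any written entry.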

2) IP Accounting:
IP accounting is a debugging tool for checking whether an extended ACL behaves as intended.
It records the source and destination addresses of the packets that match the access list, as
well as of those that violate it.
IP accounting thus lets you check which packets are authorized and which are blocked.

• Syntax (interface configuration mode):
Router(config-if)# ip accounting output-packets
Router(config-if)# ip accounting access-violations

• Display trace content:
Router# show ip accounting
Router# show ip accounting access-violations

3) Logging:
This is another technique (the log keyword) for checking whether an extended ACL is correct.
It lets you specify that matches for an access-list entry should be recorded in the router's
log buffer.

Access to router logs is via the show logging command.
• Example:
Router(config)# access-list 101 deny tcp any host 172.16.4.1 range 20 23 log

C. Controlling routing updates with ACLs:

Access lists can also be used to filter routing information. To do this, proceed as follows:

1. Create the standard or extended access list as described above.
2. In router configuration mode, apply the defined list to the interface given as an argument
with the command:
distribute-list <list-number> [in|out] <interface>
The keywords in (input) and out (output) determine the direction of the filter.
