Topic5-Access Control Lists ACL

The document provides an overview of Access Control Lists (ACLs) in TCP/IP networking, detailing their advantages, types, and application methods. It explains the differences between standard and extended ACLs, including syntax, wildcard masks, and placement on router interfaces. Additionally, it covers the creation and management of named ACLs, emphasizing best practices for effective traffic control and security in network administration.

UEEN2013/UEEN2423

TCP/IP Network Fundamentals


(Topic 05)

Access Control Lists (ACL)


Advantages of subnetting
– To reduce the size of the broadcast domain for better network performance
– To improve network security, e.g. by implementing ACLs for the subnets
– To ease administration, since networks are smaller in size
– Efficient use of IP address space

We will focus on ACL.


What is an ACL?
• ACL = Access Control List.
– Essentially a list of conditions that categorize packets.
• It is a form of packet filtering on Cisco routers.
• An ACL is used for:
– Exercising control over network traffic.
– Filtering unwanted packets when implementing security policies.
“Applying” ACLs
• There are two steps for applying ACL:
• 1st step:
– Create the Access Control List

• 2nd step:
– Place the Access Control List at the Interface

• There are 3 types of ACL:
– Standard Access List
– Extended Access List
– Named Access List
Syntax of Standard ACLs Explained
• Example:

R1(config)#access-list 10 deny host 192.168.1.1

– Part 1 (access-list): Create the ACL in global configuration mode. You must have this to create a standard ACL.
– Part 2 (10): Access list number. Use 1-99 for a standard ACL.
– Part 3 (deny): Can either be permit or deny.
– Part 4 (host 192.168.1.1): Source IP / source IP subnet. It can be a host, a LAN / IP subnet, or any host.
Introduction to Wildcard Mask
• As you’ve observed, “part 4” in defining the IP subnet in an ACL contains:
– A wildcard mask: 0.0.0.255
– Instead of a subnet mask: 255.255.255.0
• For example: An IP subnet of 172.16.1.0 to 172.16.1.255
– With a subnet mask (in setting a static IP route):
• R1(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.2
– With a wildcard mask (in setting an access list):
• R1(config)#access-list 9 permit 172.16.1.0 0.0.0.255
• The first step to understanding the wildcard mask is:
– A wildcard mask IS NOT a subnet mask.
– A wildcard mask has an inverse relation with the subnet mask.
– A wildcard mask uses a different set of rules compared to a subnet mask.
Difference Between Subnet Mask and Wildcard Mask
• Unlike a subnet mask, a wildcard mask:
– Is not restricted to all ‘0’ on the left and all ‘1’ on the right
– That means there can be 2^32 wildcard masks
• versus only 32 valid subnet masks
– Hence, this is allowed:
• 01001000.10001111.11111111.00000001
– Does not perform a “bitwise AND” with the IP address
Wildcard Mask
• A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.
• A wildcard mask is simply the inverse of a subnet mask:

  255.255.255.255
- 255.255.255.240 (SM)
---------------------------
    0.  0.  0. 15 (WM)
or
00000000.00000000.00000000.00001111 (WM in binary form)

• Binary 0 signifies a match, and binary 1 signifies ignore (can be anything).
Wildcard Mask
(Figure: examples of wildcard masks – all match; all ignore; first 3 octets must match, covering addresses till 192.168.1.255.)

Wildcard Mask
• 2 keywords used in ACL:
– any – it means an IP with SM 0.0.0.0 or WM 255.255.255.255
– host – it means an IP with SM 255.255.255.255 or WM 0.0.0.0
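The wildcard-mask rules above (bit 0 = must match, bit 1 = ignore, the subtraction from 255.255.255.255, and the any/host keywords) can be checked with a few lines of arithmetic. The following is an added example written for this page, not code from the slides or from Cisco IOS; it runs offline on dotted-quad strings and goes slightly beyond the slides by also testing whether a mask is a legal subnet mask (contiguous) and by counting how many addresses a non-contiguous wildcard covers.

```python
"""Wildcard-mask arithmetic for Cisco-style ACL entries (added example, not from the slides)."""


def to_int(dotted: str) -> int:
    """'255.255.255.240' -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Dotted binary, the notation the slides use (e.g. 00000000.00000000.00000000.00001111)."""
    value = to_int(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The slide's '255.255.255.255 - SM' is a bitwise inversion of the subnet mask."""
    return to_dotted(~to_int(subnet_mask) & 0xFFFFFFFF)


def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be contiguous 1s followed by 0s; a wildcard mask has no such rule."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0  # inverted must look like 0...01...1


def matches(address: str, base: str, wildcard: str) -> bool:
    """An address matches when every bit the wildcard does NOT ignore equals the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # wildcard 0-bits are the bits that must match
    return (to_int(address) & care) == (to_int(base) & care)


def matched_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address covered; meaningful for contiguous wildcards."""
    b, w = to_int(base), to_int(wildcard)
    return to_dotted(b & ~w & 0xFFFFFFFF), to_dotted(b | w)


def matched_count(wildcard: str) -> int:
    """Each ignored (1) bit doubles the number of addresses the entry covers."""
    return 1 << bin(to_int(wildcard)).count("1")


def expand_keyword(token: str, address: str = "") -> tuple:
    """Translate the slide's two keywords into an explicit (base, wildcard) pair."""
    if token == "any":
        return ("0.0.0.0", "255.255.255.255")
    if token == "host":
        return (address, "0.0.0.0")
    raise ValueError(f"unknown keyword {token!r}")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.240"))  # 0.0.0.15
    print(to_binary("0.0.0.15"))
    print(matched_range("172.16.1.0", "0.0.0.255"))      # 172.16.1.0 .. 172.16.1.255
    # The non-contiguous wildcard shown on the slide: legal in an ACL, illegal as a subnet mask.
    odd = "72.143.255.1"  # 01001000.10001111.11111111.00000001
    print(is_valid_subnet_mask(odd), matched_count(odd))
```

Running the file prints the subtraction result from the slide, and shows that the non-contiguous wildcard 01001000.10001111.11111111.00000001 is rejected as a subnet mask yet, as a wildcard, matches 2^16 scattered addresses, which is why a wildcard typo can silently widen a rule.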
More Rules for Standard ACLs
• “Part 4” of a Standard ACL works on the source IP address.
• One ACL is represented by one ACL number.
• You can assign as many “conditions” to a list as you need.
• Every Standard ACL has a hidden “deny all” statement at the end of the list.
• Use this command to see an access list:
– Router#show access-list 5
• Use this command to erase an access list:
– Router(config)#no access-list 15
Multi-condition Standard ACL
Router#config t
Router(config)#access-list 5 deny host 172.16.10.1
Router(config)#access-list 5 deny host 172.16.10.2
Router(config)#access-list 5 deny host 172.16.10.3
Router(config)#access-list 5 permit any
Router(config)#access-list 7 deny host 172.16.10.3
Router(config)#access-list 7 deny host 192.168.1.4
Router(config)#access-list 7 permit any
Router(config)#exit
Router#show access-list
Standard IP access list 5
deny host 172.16.10.1
deny host 172.16.10.2
deny host 172.16.10.3
permit any
Standard IP access list 7
deny host 172.16.10.3
deny host 192.168.1.4
permit any
Placing Standard ACLs - 1
(Figure: an ACL can be applied to Fa0/0 in, Fa0/0 out, Fa0/1 in or Fa0/1 out.)

• Example:
R1(config)#int fa0/0
R1(config-if)#ip access-group 10 in
R1(config-if)#ip access-group 12 out

• The ip access-group command links an existing ACL to an interface.
Placing Standard ACLs - 2
• You can place:
– the same Access List at different interfaces
Router(config)#int fa0/0
Router(config-if)#ip access-group 10 in
Router(config)#int fa0/1
Router(config-if)#ip access-group 10 in

– at most 2 Access Lists on the same interface, one in and one out
Router(config)#int fa0/0
Router(config-if)#ip access-group 10 in
Router(config-if)#ip access-group 97 out
Checking and Unbinding the “Placement” of ACLs
• Use the following commands to verify the placement of ACLs on the interfaces of a router:
– Router#show ip interface
– Router#show running-config
• Remember to “unbind” an ACL at the interface level by typing the following commands:

R1(config)#int fa0/0
R1(config-if)#no ip access-group list_number in
Show running-config
R1#show run
version 12.2
hostname R1
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 23 in
duplex auto
speed auto
!
• The show running-config command displays the binding or placement of an access list on a particular interface.
• It is also good practice to test access lists with sample traffic to ensure that the access list logic is correct.
Show IP Interface
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.14.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled

• The show ip interface command displays IP interface
information and indicates whether any ACLs are set.
When You Delete an Access List
• When you delete a particular ACL:
– Only the content of the ACL is emptied
– The binding of the ACL to the interface remains
– Meaning the interface still references the ACL
– Problems occur if you “unintentionally” re-use the deleted ACL number…

Example:
R1(config)#no access-list 2
R1(config)#exit
R1#show run
version 12.2
hostname R1
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 2 in
!
Placing ACL at VTY
• Here is an example of allowing only host 172.16.10.3 to
telnet into a router:

Lab_A(config)#access-list 50 permit 172.16.10.3


Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

• Because of the implied deny any at the end of the list, the access list stops every host other than 172.16.10.3 from telnetting into the router, regardless of which individual IP address on the router is used as the target.
• For VTY lines, use access-class to bind the ACL, instead of the ip access-group command used for other types of interfaces.
Creating IP Extended List
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq telnet
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp
R1(config)#access-list 114 permit tcp 172.16.6.0 0.0.0.255 any eq ftp-data

(The 8 parts of the first line, left to right: Part 1 access-list, Part 2 114, Part 3 permit, Part 4 tcp, Part 5 172.16.6.0 0.0.0.255, Part 6 any, Part 7 eq, Part 8 telnet.)

• In an Extended Access List:
– We have both source IP and destination IP
– We have layer-4 protocols and layer-5 protocols
– We have a different access-list number range
– Instead of “4 parts” in a standard ACL, we have 8 parts in an extended ACL
Extended ACL – Part 1-4
• Part 1: The command “access-list” is still the same.
• Part 2: The access-list number range for extended ACLs is 100 to 199.
• Part 3:
– deny or permit
• Part 4:
– Layer 3 protocol
– Layer 4 protocol
Extended ACL – Part 5-8
• Part 5:
– Source address
• Host, any, IP subnet
• Same as standard ACL
• Part 6:
– “Normally” destination network address
• Part 7:
– Normally a conditional phrase
• gt = greater than
• eq = equal
• lt = less than
• neq = not equal
• Part 8:
– Port numbers
– Port number equivalent service
• telnet (port 22)
Extended List Placement

R1(config-if)#ip access-group 110 in
R1(config-if)#ip access-group 110 out

R1#show ip interface
R1#show run

• The same rules as for standard ACLs apply:
– For placement or assigning
– For unbinding
– For checking placement
Case Study: Apply Extended ACL in Security Policy
• Can the configuration below stop Telnet access to the networks attached to Ethernet 1 and Ethernet 2?
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out
Answer to the last slide
• ip:   10101100.00010000.0011#0000.00000000 (172.16.48.0)
  wm:   00000000.00000000.0000#1111.11111111 (0.0.15.255)
  =====================================================
  from: 10101100.00010000.0011#0000.00000000 (172.16.48.0)
  to:   10101100.00010000.0011#1111.11111111 (172.16.63.255)

• ip:   10101100.00010000.11#000000.00000000 (172.16.192.0)
  wm:   00000000.00000000.00#111111.11111111 (0.0.63.255)
  =====================================================
  from: 10101100.00010000.11#000000.00000000 (172.16.192.0)
  to:   10101100.00010000.11#111111.11111111 (172.16.255.255)

(# marks the boundary between the bits that must match and the bits that are ignored.)
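The case study, the multi-condition standard ACL earlier in the deck, and the later “ACL logic” slides all rest on the same evaluation rule: entries are tested top to bottom, the first match decides, and anything unmatched hits the hidden deny. The following is an added example written for this page (not code from the slides or from Cisco IOS) that models that rule for both standard and extended entries and runs the deck's own access-list 5 and access-list 110 against constructed packets. The Packet and Entry classes, the SERVICES table and the sample addresses are all assumptions made for the example; it does not model interface direction, so it answers what the list matches, not where it should be applied.

```python
"""First-match evaluation of standard and extended ACL entries (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Optional

# Well-known ports for the service names used in the slides (constructed lookup table).
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

ANY = ("0.0.0.0", "255.255.255.255")          # keyword 'any' as a (base, wildcard) pair


def host(addr: str) -> tuple:
    """Keyword 'host X' as a (base, wildcard) pair."""
    return (addr, "0.0.0.0")


def to_int(dotted: str) -> int:
    o = [int(x) for x in dotted.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp" (constructed sample packets)
    dport: Optional[int] = None     # destination port, None for protocols without ports


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    src: tuple                          # part 5: (base, wildcard)
    proto: Optional[str] = None         # part 4; None means a standard (source-only) entry
    dst: Optional[tuple] = None         # part 6: (base, wildcard), extended entries only
    op: Optional[str] = None            # part 7: eq / gt / lt / neq
    port: Optional[int] = None          # part 8

    def matches(self, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, *self.src):
            return False
        if self.proto is None:                      # standard ACL: source address only
            return True
        if self.proto != "ip" and self.proto != pkt.proto:   # 'ip' covers every protocol
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, *self.dst):
            return False
        if self.op is not None:
            if pkt.dport is None:                   # no port to compare against
                return False
            ops = {"eq": pkt.dport == self.port, "gt": pkt.dport > self.port,
                   "lt": pkt.dport < self.port, "neq": pkt.dport != self.port}
            return ops[self.op]
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Top to bottom, first match wins; falling off the end is the hidden 'deny all'."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny (implicit)"


# access-list 5 from the "Multi-condition Standard ACL" slide
ACL_5 = [Entry("deny", host("172.16.10.1")), Entry("deny", host("172.16.10.2")),
         Entry("deny", host("172.16.10.3")), Entry("permit", ANY)]

# access-list 110 from the case study
ACL_110 = [
    Entry("deny", ANY, "tcp", ("172.16.48.0", "0.0.15.255"), "eq", SERVICES["telnet"]),
    Entry("deny", ANY, "tcp", ("172.16.192.0", "0.0.63.255"), "eq", SERVICES["telnet"]),
    Entry("permit", ANY, "ip", ANY),
]

if __name__ == "__main__":
    print(evaluate(ACL_5, Packet("172.16.10.2", "10.0.0.1", "tcp", 80)))      # deny
    print(evaluate(ACL_5, Packet("172.16.10.9", "10.0.0.1", "tcp", 80)))      # permit
    print(evaluate(ACL_110, Packet("10.1.1.1", "172.16.50.7", "tcp", 23)))    # deny
    print(evaluate(ACL_110, Packet("10.1.1.1", "172.16.100.7", "tcp", 23)))   # permit
    print(evaluate(ACL_110[:2], Packet("10.1.1.1", "172.16.50.7", "tcp", 80)))  # deny (implicit)
```

Two things the slides state become visible when you run it: dropping the final permit ip any any leaves every non-telnet packet to the implicit deny, and prepending a permit any entry to access-list 5 makes its three deny lines unreachable, which is the ordering mistake the “ACL logic” summary warns about.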
Editing Numbered ACLs
• There is no built-in editing feature that allows you to edit a change in an ACL.
• You cannot selectively insert or delete lines.
• It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad.
• For an existing ACL, you can use the show running-config command to display the ACL, then copy and paste it into the text editor.
• Make the necessary changes, remove the existing ACL, and paste the new one onto the router.
Creating Named ACLs - 1
• A named ACL is created with the ip access-list command.
• The advantages that a named access list provides are:
– Intuitively identify an ACL using an alphanumeric name.
• Named ACLs provide the ability to modify ACLs without
deleting and then reconfiguring them.
• It is important to note that a named access list will allow the
deletion of statements but will only allow for statements to
be inserted at the end of a list. Even with named ACLs it is
a good idea to use a text editor to create them.
• Consider the following before implementing named ACLs.
– Named ACLs are not compatible with Cisco IOS releases prior to
Release 11.2.
– The same name may not be used for multiple ACLs. For example, it
is not permissible to specify both a standard and extended ACL
named George.
Creating Named ACLs (Standard)
• IP named ACLs were introduced in Cisco IOS Software
Release 11.2, allowing standard and extended ACLs to be
given names instead of numbers.

Standard Named ACLs

Monitoring and Verifying ACL
Editing Named ACLs
• Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.
• Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.
• You can use sequence numbers to insert statements anywhere in the named ACL.
• To remove line 15, key in the command no 15.
Inserting a line in Named ACL - 1
Inserting a line in Named ACL - 2
Where to Place ACLs?
• The basic rules are:
- Locate extended ACLs as close as possible to the
source of the traffic denied. This way, undesirable traffic is
filtered without crossing the network infrastructure.
- Because standard ACLs do not specify destination
addresses, place them as close to the destination as
possible.
Best Practices
Access-List Grouping in a Router
• ACLs must be defined on a per-protocol, per-direction, or per-port basis.
• To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
• ACLs control traffic in one direction at a time on an interface.
• A separate ACL would need to be created for each direction, one for
inbound and one for outbound traffic.
• Finally every interface can have multiple protocols and directions
defined.
• If the router has two interfaces configured for IP, AppleTalk, and IPX,
12 separate ACLs would be needed.
– One ACL for each protocol, times two for direction in and out, times two for
the number of ports.
ACL and Firewall
• A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
Other Uses of ACLs
• Blocking Routing Protocols Advertisement.
• Limit network traffic and improve network performance. By restricting video
traffic, for example, ACLs could greatly reduce the network load and
consequently increase network performance.
• Provide traffic flow control. ACLs can restrict the delivery of routing updates. If
updates are not required because of network conditions, bandwidth is
preserved.
• Provide a basic level of security for network access. ACLs can allow one host
to access a part of the network and prevent another host from accessing the
same area. For example, Host A is allowed to access the Human Resources
network and Host B is prevented from accessing it.
• Decide which types of traffic are forwarded or blocked at the router interfaces.
Permit e-mail traffic to be routed, but block all telnet traffic.
• Allow an administrator to control what areas a client can access on a network.
• Screen certain hosts to either allow or deny access to part of a network. Grant
or deny user permission to access only certain types of files, such as FTP or
HTTP.
• If ACLs are not configured on the router, all packets passing through the router
will be allowed onto all parts of the network.
Summary: Monitoring ACL
Summary: ACL at Router Interface
• ACLs are lists of conditions that are applied to traffic traveling across a
router's interface.
• These lists tell the router what types of packets to accept or deny at the
Interface.
• ACLs can be created for all routed network protocols, such as Internet
Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be
configured at the router to control access to a network or subnet.
Summary: IP Standard and Extended List
• IP Standard access lists
– Use only the source IP address in an IP packet as the condition test.
– All decisions are made based on source IP address. This means
that standard access lists basically permit or deny an entire suite of
protocols.
– They don’t distinguish between any of the many types of IP traffic
such as WWW, Telnet, UDP, etc.
• IP Extended access lists
– Extended access lists can evaluate many of the other fields in the
layer 3 and layer 4 headers of an IP packet.
– They can evaluate source and destination IP addresses, the
protocol field in the Network layer header, and port number at the
Transport layer header.
– This gives extended access lists the ability to make much more
granular decisions when controlling traffic.
Summary: How ACL “Logic” Works
• An ACL is a group of statements that define whether
packets are accepted or rejected at inbound and outbound
interfaces.
• These decisions are made by matching a condition
statement in an access list and then performing the accept
or reject action defined in the statement.
• The order in which ACL statements are placed is important.
• The Cisco IOS software tests the packet against each
condition statement in order from the top of the list to the
bottom.
• Once a match is found in the list, the accept or reject action
is performed and no other ACL statements are checked.
• If a condition statement that permits all traffic is located at
the top of the list, no statements added below that will ever
be checked.
ACL “Logic”
• ACLs are configured either to apply to inbound traffic or to
apply to outbound traffic.
• An inbound ACL is efficient because it saves the overhead
of routing lookups if the packet is discarded.

(Figure: Inbound ACL)

ACL “Logic”

(Figure: Outbound ACL)