Lec 09,10 - Access Control Lists

Information Security Notes

Uploaded by vabepi7064

Access Control Lists

• An Access Control List (ACL) is a set of rules defined for controlling network traffic and reducing network attacks.
• ACLs are used to filter traffic based on the set of rules defined for traffic entering or leaving the network.
ACL Features

• The rules are matched sequentially, i.e. matching starts with the first line, then the 2nd, then the 3rd, and so on.
• A packet is compared against the rules only until one of them matches. Once a rule is matched, no further comparison takes place and the action of that rule is performed.
ACL Features

• There is an implicit deny at the end of every ACL, i.e., if no condition or rule matches, the packet is discarded.
• Once the access list is built, it must be applied to the inbound or outbound direction of an interface.
ACL Features

• Inbound interface: when an access list is applied to the inbound packets of an interface, the packets are first processed according to the access list and then routed to the outbound interface.
• Outbound interface: when an access list is applied to the outbound packets of an interface, the packet is first routed and then processed at the outbound interface.
ACL Types

Standard access list
• These are access lists built using the source IP address only.
• They permit or deny the entire protocol suite.
• They don't distinguish between kinds of IP traffic such as TCP, UDP, HTTPS, etc.
• By using the numbers 1-99 or 1300-1999, the router understands the list as a standard ACL and the specified address as the source IP address.
ACL Types

Extended access list
• These are ACLs that use the source IP, destination IP, source port, and destination port.
• They generally permit or deny specific protocols.
• They use the number ranges 100-199 and 2000-2699.
ACL Types

Also, there are two categories of access list:

1. Numbered access list
• A single rule cannot be deleted from a numbered access list once it is created, i.e. removing one rule from the list is not permitted. If we try to delete a rule from the access list, the whole access list is deleted.
• Numbered access lists can be used with both standard and extended access lists.
ACL Types

2. Named access list
• In this type of access list, a name is assigned to identify the access list.
• Unlike a numbered access list, a named access list allows a specific rule to be deleted. Like numbered access lists, these can be used with both standard and extended access lists.
ACL Rules

• The standard access list is generally applied close to the destination (but not always).
• The extended access list is generally applied close to the source (but not always).
• We can assign only one ACL per interface per protocol per direction, i.e., only one inbound and one outbound ACL is permitted per interface.
• We can't remove a single rule from an access list if we are using a numbered access list; if we try to remove a rule, the whole ACL is removed. If we are using named access lists, we can delete a specific rule.
ACL Rules

• Every new rule added to an access list is placed at the bottom of the list; therefore, before implementing access lists, analyse the whole scenario carefully.
• As there is an implicit deny at the end of every access list, we should have at least one permit statement in our access list, otherwise all traffic will be denied.
• Standard access lists and extended access lists cannot have the same name.
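The matching rules above (top-down evaluation, first match wins, implicit deny at the end, new rules appended at the bottom, standard lists keyed on source only versus extended lists keyed on protocol, destination and port) can be checked against a small simulator. The following is an added example written for these notes, not code from the slides or from Cisco IOS; the names Rule, Packet, evaluate and demo are this example's own, and the addresses in demo are constructed documentation/private ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the slides: a small model of how a router walks an
# ACL top-down, stops at the first matching rule, and applies the implicit
# deny when nothing matches. Rule, Packet and evaluate are this example's own names.

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: ignore every address bit


def host(ip: str) -> Tuple[str, str]:
    """The 'host' keyword: wildcard 0.0.0.0, so every address bit is checked."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must equal the pattern bit; 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ p) & ~w) == 0


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Tuple[str, str]              # (address, wildcard); the only field a standard ACL uses
    proto: str = "ip"                 # extended ACL only; "ip" matches the whole suite
    dst: Tuple[str, str] = ANY        # extended ACL only
    dst_port: Optional[int] = None    # extended ACL only; None matches any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential first match. Returns (action, index of the deciding rule);
    index None means the implicit deny at the end of the list fired."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def demo() -> dict:
    """Constructed scenarios; addresses are documentation/private ranges."""
    out = {}
    # Standard ACL (source only): block one host, permit the rest of 172.30.16.0-172.30.31.255.
    standard = [Rule("deny", host("172.30.16.29")),
                Rule("permit", ("172.30.16.0", "0.0.15.255"))]
    out["blocked_host"] = evaluate(standard, Packet("172.30.16.29", "198.51.100.7"))
    out["in_range"] = evaluate(standard, Packet("172.30.20.5", "198.51.100.7"))
    out["no_match"] = evaluate(standard, Packet("10.0.0.1", "198.51.100.7"))   # implicit deny
    # New rules land at the bottom: a deny appended after a broader permit never fires.
    shadowed = [Rule("permit", ("172.30.16.0", "0.0.15.255"))]
    shadowed.append(Rule("deny", host("172.30.16.29")))
    out["shadowed"] = evaluate(shadowed, Packet("172.30.16.29", "198.51.100.7"))
    # Extended ACL: any source, TCP only, to one host on port 443; everything else is denied.
    extended = [Rule("permit", ANY, proto="tcp", dst=host("192.0.2.10"), dst_port=443)]
    out["https_ok"] = evaluate(extended, Packet("203.0.113.5", "192.0.2.10", "tcp", 443))
    out["http_denied"] = evaluate(extended, Packet("203.0.113.5", "192.0.2.10", "tcp", 80))
    out["udp_denied"] = evaluate(extended, Packet("203.0.113.5", "192.0.2.10", "udp", 443))
    return out


if __name__ == "__main__":
    for name, (action, index) in demo().items():
        print(f"{name:>12}: {action} (rule {'implicit deny' if index is None else index})")
```

The "shadowed" case is the one the "analyse the whole scenario carefully" rule warns about: because the list is read top-down and the deny was appended below a permit that already covers the host, the deny can never be reached. The returned rule index is also what a practitioner would look at when reviewing which entry actually decided a packet's fate.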
ACL Advantages

• Improve network performance.
• Provide security, as the administrator can configure the access list according to need and deny unwanted packets from entering the network.
• Provide control over traffic, as they can permit or deny according to the needs of the network.
Testing Packets with Standard Access Lists
(Figure slide; only the title survived extraction.)

Testing Packets with Extended Access Lists
(Figure slide; only the title survived extraction.)

Outbound ACL Operation
(Figure slide; only the final bullet survived extraction.)
• If no access list statement matches, then discard the packet.

A List of Tests: Deny or Permit
(Figure slide; only the title survived extraction.)
Wildcard Bits: How to Check the Corresponding Address Bits

– 0 means check the value of the corresponding address bit.
– 1 means ignore the value of the corresponding address bit.
Wildcard Bits to Match a Specific IP Host Address

• Check all the address bits (match all).
• Verify an IP host address, for example:
  – 172.30.16.29 0.0.0.0 checks all the address bits.
  – Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
Wildcard Bits to Match Any IP Address

• Test condition: ignore all the address bits (match any).
• An IP address, for example:
  – Accept any address: 0.0.0.0 255.255.255.255
  – Abbreviate the expression using the keyword any.
Wildcard Bits to Match IP Subnets

• Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
  – Address and wildcard mask: 172.30.16.0 0.0.15.255
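The wildcard arithmetic of the last three slides (0 = check the bit, 1 = ignore it; host and any as the two extremes; 172.30.16.0 0.0.15.255 covering 172.30.16.0/24 through 172.30.31.0/24) can be worked through with the standard library. This is an added example for these notes, not code from the slides; the function names are its own, and it goes one step beyond the slides by also handling a non-contiguous wildcard (such as 0.0.0.254, which keeps only the last bit and therefore matches every even host address), which IOS accepts but which has no subnet-mask equivalent.

```python
import ipaddress

# Added example (not from the slides): the arithmetic behind Cisco-style wildcard masks.
# A wildcard bit of 0 means "check this address bit", 1 means "ignore it".
# Function names (cidr_to_wildcard, matched_range, ...) are this example's own.


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """True when every 'check' bit (wildcard bit 0) of addr equals the pattern bit."""
    return ((_to_int(addr) ^ _to_int(pattern)) & ~_to_int(wildcard)) == 0


def netmask_to_wildcard(netmask: str) -> str:
    """A contiguous subnet mask inverted bit-for-bit is its wildcard mask."""
    return _to_dotted(_to_int(netmask) ^ 0xFFFFFFFF)


def cidr_to_wildcard(cidr: str) -> tuple:
    """'172.30.16.0/20' -> ('172.30.16.0', '0.0.15.255')."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def range_to_wildcard(first: str, last: str) -> tuple:
    """Address/wildcard pair covering first..last, provided it is one aligned block.
    The slides' case: 172.30.16.0 .. 172.30.31.255 -> 172.30.16.0 0.0.15.255."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(nets) != 1:
        raise ValueError("range is not a single aligned block; it needs several ACL entries")
    return str(nets[0].network_address), str(nets[0].hostmask)


def matched_range(address: str, wildcard: str) -> tuple:
    """Lowest and highest address an address/wildcard pair matches.
    Meaningful as a full range only for contiguous wildcards (see is_contiguous)."""
    a, w = _to_int(address), _to_int(wildcard)
    return _to_dotted(a & ~w), _to_dotted(a | w)


def is_contiguous(wildcard: str) -> bool:
    """True when the 'ignore' bits form one low-order run, i.e. a /prefix exists."""
    w = _to_int(wildcard)
    return ((w + 1) & w) == 0


if __name__ == "__main__":
    # host 172.30.16.29 == 172.30.16.29 0.0.0.0 ; any == 0.0.0.0 255.255.255.255
    print("host  :", matched_range("172.30.16.29", "0.0.0.0"))
    print("any   :", matched_range("0.0.0.0", "255.255.255.255"))
    print("subnet:", range_to_wildcard("172.30.16.0", "172.30.31.255"))
    print("even hosts only:", [h for h in range(1, 8)
                               if wildcard_match(f"10.1.1.{h}", "10.1.1.0", "0.0.0.254")])
```

matched_range makes the slides' subnet example concrete: 172.30.16.0 with wildcard 0.0.15.255 spans 172.30.16.0 through 172.30.31.255, exactly the sixteen /24 networks named on the slide. is_contiguous is the check worth running on any wildcard you did not write yourself: a non-contiguous mask is valid and will be accepted, but it matches a scattered set of addresses rather than a block, so the "range" it appears to cover is misleading.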
Summary

– Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices.
– An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated from the router.
– Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.
Summary (Cont.)

– Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets after they have been routed to the outbound interface.
– The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on.
– Address filtering uses access list wildcard masking to identify which corresponding IP address bits to check and which to ignore.