2 - Access Control Lists

The document provides an overview of Access Control Lists (ACLs) used in network routing to permit or deny packet traffic based on specified criteria. It explains the concepts of packet filtering, types of ACLs (standard and extended), and the rules for configuring and applying them on routers. Additionally, it covers wildcard masking and the importance of sequential processing of ACL statements to manage network security effectively.

Access Control Lists (ACLs)

ACL Concepts
Lecture – Access Control Lists

 To properly understand the lecture and to prepare for the quiz on Access Control Lists in your next class, you should have completed the following before coming to class:

1. Watched the video(s) and pre-read the remaining lecture slides for the class.
2. Read the relevant Chapters.
3. Read the summary at the end of the chapter.
4. Reviewed all of the Exam Essentials.
5. Answered all the chapter review questions.

COMP10023 2
Packet Filtering
 Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
 A router acts as a packet filter when it forwards or denies packets according to filtering rules.
 When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internetwork layer of TCP/IP, although the filter can also read Transport-layer fields (TCP/UDP port numbers, TCP flags) out of the header.
 As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.
What is an ACL? – It is a Matching Mechanism!
 An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
 ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
 As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The first matching line decides the outcome; the lines below it are never consulted for that packet.
What is an ACL? – It is a Matching Mechanism! (continued)
 The ACL enforces one or more security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet.
 By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

ACLs Define Interesting Traffic

 An ACL also defines "interesting traffic": it tells the router which packets to act upon, or not act upon, for whatever feature references the list (e.g. NAT). Used this way the ACL classifies traffic; it does not filter it.
ACL Basics
 ACLs can be configured on a router to permit or deny a packet based on a list of conditions.
 This list of conditions is read sequentially, top to bottom, by the router until a match is made.
 The last condition is always an implied "deny any".
 You can permit or deny packets based upon such things as:
  Source address
  Destination address
  TCP & UDP ports
How a Router Uses an ACL (outbound)
 Check to see if the packet is routable. If so, look up the route in the routing table.
 Check for an ACL on the outbound interface.
 If there is no ACL, switch the packet out the destination interface.
 If there is an ACL, check the packet against the ACL statements sequentially, denying or permitting based on the first matched condition.
 If no statement matches, what happens? The packet is dropped by the implied "deny any" at the end of the list.
How a Router Uses an ACL (inbound)
 If an ACL is configured to filter inbound traffic, the ACL is checked first and the route table lookup is done only if the packet is permitted. A denied packet is discarded before the router spends a routing lookup on it.
ACL Processing Inbound and Outbound
The Three P's for using ACLs

You can only have one ACL per protocol, per interface, and per direction:
• One ACL per protocol (e.g., IP or IPX)
• One ACL per interface (e.g., FastEthernet0/0)
• One ACL per direction (i.e., IN or OUT)
Basic ACL Rules

 Standard ACLs should be applied closest to the destination.
 Extended ACLs should be applied as close to the source as possible.
 Statements are processed sequentially until a match is found.
 If no match is found then the packet is denied (implied "deny any").
 Specific hosts should be filtered first, and groups or general filters should come last; a general statement placed first would match and decide before a more specific statement below it is ever reached.
Basic ACL Rules (continued)

 Never work with an access list that is actively applied. Use a text editor first and paste the finished list into the router.
 New lines are always added to the end of a numbered access list.
 It is possible to selectively add and remove lines (old IOS did not allow this). You can change the sequence number or leave the default increments of 10.
 When an IP access list rejects a packet, the router sends an ICMP destination unreachable message (code 13, communication administratively prohibited) to the sender of the rejected packet. This can be suppressed per interface with no ip unreachables so that the filter does not announce itself to a scanner.
 Outbound filters do not affect traffic originating from the local router.
Access List Rules

 Always look through the eyes of the "person in the router" to determine how to apply the ACL.
 Traffic coming into the person in the router is considered inbound.
 Traffic being pushed out one of the interfaces by the person in the router is considered outbound.

(Figure: a router with interfaces S0/0, Fa0/0, Fa0/1 and Fa1/0; arrows labelled "Inbound Traffic" and "Outbound Traffic".)
Types of IOS Access Lists

Standard
  Sample: Router(config)# access-list 1 permit host 172.16.2.88
  Purpose: permits a specific IP address.

Extended
  Sample: Router(config)# access-list 100 deny tcp 172.16.2.0 0.0.0.255 any eq telnet
  Purpose: denies access from the 172.16.2.0/24 subnet to any other host if they are attempting to use telnet.

Named
  Sample: Router(config)# ip access-list standard permit-ip
          Router(config-std-nacl)# permit host 192.168.5.47
  Purpose: creates a standard access list named permit-ip and allows access from IP address 192.168.5.47. The first command puts the router into named ACL (NACL) subcommand mode; the prompt is config-std-nacl for a standard list and config-ext-nacl for an extended one.
Types of ACL's - Standard

 Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter.
 The example in the figure allows all traffic from the 192.168.30.0/24 network.
 Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.
Types of ACL's - Extended

 Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol-specific information (such as ICMP message types or TCP flags) for finer granularity of control.
 In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host on port 80 (HTTP).
 Extended ACLs are created in global configuration mode.
Identifying ACL's – Numbering & Naming

Numbered ACL:
You assign a number based on which protocol you want filtered:
• (1 to 99) and (1300 to 1999): Standard IP ACL
• (100 to 199) and (2000 to 2699): Extended IP ACL
• You can add or delete entries within the ACL (on IOS releases with sequence-number support; on older releases a numbered list has to be removed and re-entered)

Named ACL:
You assign a name by providing the name of the ACL:
• Names can contain alphanumeric characters
• Names cannot contain spaces or punctuation and must begin with a letter
• You can add or delete entries within the ACL
Configuring Standard ACLs

Packets that come in Fa0/0 are checked for their source addresses:

access-list 2 deny host 192.168.10.1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255

• If packets are permitted, they are routed through the router to an output interface.
• If packets are not permitted, they are dropped at the incoming interface.
• Order matters: the single-host deny must come before the /24 permit, otherwise the permit would match 192.168.10.1 first and the deny would never be reached. Any source outside 192.0.0.0/8 falls through to the implied deny.
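As an added worked example (my code, not part of the original slides), the following Python models the top-down matching the router performs and runs it against ACL 2 exactly as written above. The sample source addresses are constructed for illustration, one per branch of the list plus one that falls through to the implied deny; the misordered() function shows what goes wrong when the single-host deny is placed after the network permit.

```python
"""Top-down evaluation of a Cisco-style standard ACL (added example, not from the deck).

Entries are tried in order, the first match decides, and an implicit 'deny any'
closes every list.  Uses the slides' ACL 2; the sample sources are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, int, int]          # (action, address, wildcard) as 32-bit ints


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(lines: List[str]) -> Tuple[str, List[Entry]]:
    """Parse 'access-list <n> {permit|deny} <source> [wildcard]' lines.

    Accepts 'host A.B.C.D', 'any', 'A.B.C.D W.X.Y.Z' and a bare address, which in a
    standard ACL defaults to a wildcard of 0.0.0.0.
    """
    number = ""
    entries: List[Entry] = []
    for raw in lines:
        parts = raw.strip().split()
        if not parts or parts[0].startswith("!"):
            continue                                   # blank line or comment
        if parts[0] != "access-list" or len(parts) < 4 or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            if len(parts) < 5:
                raise ValueError(f"'host' needs an address: {raw!r}")
            addr, wildcard = to_int(parts[4]), 0
        else:
            addr = to_int(parts[3])
            wildcard = to_int(parts[4]) if len(parts) > 4 else 0
        entries.append((action, addr, wildcard))
    return number, entries


def wildcard_match(packet_addr: int, entry_addr: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must match'."""
    return (packet_addr ^ entry_addr) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(entries: List[Entry], source: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); (deny, None) is the implicit deny."""
    src = to_int(source)
    for idx, (action, addr, wildcard) in enumerate(entries):
        if wildcard_match(src, addr, wildcard):
            return action, idx                         # first match wins
    return "deny", None                                # implicit 'deny any'


ACL_2 = [
    "access-list 2 deny host 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]

# Constructed sample sources and the verdict each should receive (entry index or None).
EXPECTED = {
    "192.168.10.1": ("deny", 0),      # the single host denied on line 1
    "192.168.10.77": ("permit", 1),   # rest of 192.168.10.0/24
    "192.168.20.5": ("deny", 2),      # any other 192.168.x.x
    "192.0.2.9": ("permit", 3),       # rest of 192.0.0.0/8
    "10.1.1.1": ("deny", None),       # nothing matched: implicit deny
}


def run_acl2() -> Dict[str, Tuple[str, Optional[int]]]:
    _, entries = parse_standard_acl(ACL_2)
    return {src: evaluate(entries, src) for src in EXPECTED}


def misordered() -> Tuple[str, Optional[int]]:
    """Swap lines 1 and 2: the /24 permit now shadows the host deny, so 192.168.10.1 gets in."""
    _, entries = parse_standard_acl([ACL_2[1], ACL_2[0], ACL_2[2], ACL_2[3]])
    return evaluate(entries, "192.168.10.1")


if __name__ == "__main__":
    for src, (action, idx) in run_acl2().items():
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{src:15} -> {action:6} ({where})")
    print("misordered list, 192.168.10.1 ->", misordered())
```

The misordered() result is the concrete form of the "specific hosts first" rule: the router never evaluates the deny because an earlier, broader permit has already claimed the packet.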
Syntax for Writing a Standard ACL

access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

Parameter            Description
access-list-number   Number of the ACL. This is a decimal number from 1 to 99, or 1300 to 1999 (for a standard ACL).
deny                 Denies access if the conditions are matched.
permit               Permits access if the conditions are matched.
remark               Adds a remark about entries in an IP access list to make the list easier to understand and scan.
source               Number of the network or host from which the packet is being sent. There are two ways to specify the source:
                     • Use a 32-bit quantity in four-part, dotted-decimal format.
                     • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard      (Optional) Wildcard bits to be applied to the source. There are two ways to specify the source wildcard:
                     • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
                     • Use the keyword host before the address as an abbreviation for a wildcard of 0.0.0.0 (a single host). If the wildcard is omitted in a standard ACL it defaults to 0.0.0.0.
log                  (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
Documenting an ACL
 The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration, the remark is also displayed.
The "Wildcard Mask" Explained

 The "wildcard mask" has no functional relationship with the subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored.
 However, in many cases the subnet mask can be used to derive the wildcard mask.
 For example, you want to filter traffic from all hosts on the 192.168.1.0/24 subnet.
 The subnet mask is 255.255.255.0.
 To find the wildcard mask, take the inverse of the subnet mask (subtract each octet from 255).
 The wildcard mask is 0.0.0.255.
Wildcard Mask Calculation

(Figure: three subnet masks shown beside their wildcard, or inverted, subnet masks.)

Wildcard Masking
Examples of Wildcard Masking - simple

                Decimal          Binary
IP Address      192.168.1.1      11000000.10101000.00000001.00000001
Wildcard Mask   0.0.0.0          00000000.00000000.00000000.00000000
Result          192.168.1.1      11000000.10101000.00000001.00000001
                (exactly one host; the same as host 192.168.1.1)

IP Address      192.168.1.1      11000000.10101000.00000001.00000001
Wildcard Mask   255.255.255.255  11111111.11111111.11111111.11111111
Result          0.0.0.0          00000000.00000000.00000000.00000000
                (every address; the same as any)

IP Address      192.168.1.1      11000000.10101000.00000001.00000001
Wildcard Mask   0.0.0.255        00000000.00000000.00000000.11111111
Result          192.168.1.0      11000000.10101000.00000001.00000000
                (any host in 192.168.1.0/24)
Examples of Wildcard Masking – complex

                Decimal          Binary
IP Address      192.168.16.0     11000000.10101000.00010000.00000000
Wildcard Mask   0.0.15.255       00000000.00000000.00001111.11111111
Result Range    192.168.16.0     11000000.10101000.00010000.00000000
                to               to
                192.168.31.255   11000000.10101000.00011111.11111111
                (the sixteen /24 subnets 192.168.16.0 through 192.168.31.0, i.e. 192.168.16.0/20)

IP Address      192.168.1.0      11000000.10101000.00000001.00000000
Wildcard Mask   0.0.254.255      00000000.00000000.11111110.11111111
Result Range    All odd-numbered subnets in the 192.168.0.0 major network (192.168.1.0, 192.168.3.0, ... 192.168.255.0): only the lowest bit of the third octet is checked, and it must be 1. The wildcard is not contiguous, so no single subnet mask describes this range.
The any and host Keywords

 any is shorthand for 0.0.0.0 255.255.255.255 (match every address).
 host A.B.C.D is shorthand for A.B.C.D 0.0.0.0 (match exactly one address). The keyword goes before the address, in the position where a wildcard would otherwise follow it.
What range of addresses would this affect?

(Figure: a permit statement with a comparison address in 192.168.77.32/27 and the wildcard mask 0.0.0.31, i.e. 27 zero bits followed by 5 one bits.)

The first 27 bits of each packet's address must match the first 27 bits of the comparison address; the last 5 bits are ignored. The statement therefore matches 192.168.77.32 through 192.168.77.63, which is every address on the 192.168.77.32/27 subnet (the hosts .33 to .62 together with the network and broadcast addresses).
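The wildcard arithmetic in the preceding slides, carried out in code. This is an added example written for this page, not material from the original deck: it derives a wildcard from a prefix length or subnet mask, performs the bit test the router applies, computes the address range for a contiguous wildcard (the 192.168.77.33 0.0.0.31 and 192.168.16.0 0.0.15.255 cases), and enumerates which third octets the non-contiguous 0.0.254.255 mask selects. The only inputs are the addresses and masks already on the slides.

```python
"""Wildcard-mask arithmetic behind the slides' examples (added example, not from the deck).

A wildcard bit of 0 means "this address bit must match", a 1 means "ignore it".
For a contiguous prefix the wildcard is the inverted subnet mask, but any bit
pattern is legal, which is how 0.0.254.255 selects every odd third octet.
"""
import ipaddress
from typing import List, Tuple


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: build the subnet mask, then invert it."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(~subnet_mask)


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: subtract the mask from 255.255.255.255."""
    return to_dotted(0xFFFFFFFF - to_int(subnet_mask))


def matches(address: str, entry_address: str, wildcard: str) -> bool:
    """The test the router performs: every bit where the wildcard is 0 must agree."""
    fixed_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) ^ to_int(entry_address)) & fixed_bits == 0


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard has the form 0...01...1, i.e. it describes one subnet."""
    wc = to_int(wildcard)
    return (wc & (wc + 1)) == 0


def match_range(entry_address: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous wildcard entry matches."""
    if not is_contiguous(wildcard):
        raise ValueError("a non-contiguous wildcard does not describe a single range")
    addr, wc = to_int(entry_address), to_int(wildcard)
    base = addr & ~wc & 0xFFFFFFFF            # clear the ignored bits
    return to_dotted(base), to_dotted(base | wc)


def matching_third_octets(entry_address: str, wildcard: str) -> List[int]:
    """Third-octet values that satisfy the entry, for the 'odd subnets' example."""
    first_two = ".".join(entry_address.split(".")[:2])
    return [n for n in range(256) if matches(f"{first_two}.{n}.0", entry_address, wildcard)]


if __name__ == "__main__":
    print("/24 wildcard:", wildcard_from_prefix(24))
    print("192.168.77.33 0.0.0.31 matches", match_range("192.168.77.33", "0.0.0.31"))
    print("192.168.16.0 0.0.15.255 matches", match_range("192.168.16.0", "0.0.15.255"))
    odd = matching_third_octets("192.168.1.0", "0.0.254.255")
    print("0.0.254.255 selects", len(odd), "third octets, starting", odd[:4])
```

match_range() refuses a non-contiguous wildcard on purpose: a mask like 0.0.254.255 matches a scattered set of addresses, not a block, so quoting a "range" for it would be misleading when reviewing someone else's ACL.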
Procedure for configuring Standard ACL's

Recall that there is an unseen implicit deny all statement at the end of every list that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255 (or access-list 1 deny any). Because it is invisible, show access-lists never shows a hit count for it; if you want to see and log what is being dropped, add an explicit deny any (optionally with log) as the last line yourself.
This ACL replaces the previous example, but also blocks traffic from a specific address.

 The first command deletes the previous version of ACL 1.
 The next ACL statement denies the PC1 host located at 192.168.10.10. Every other host on the 192.168.10.0/24 network is permitted.
 Again the implicit deny statement matches every other network.
 The first command deletes the previous version of ACL 1 and the next ACL statement denies the PC1 host located at 192.168.10.10.
 The third line is new and permits all hosts from the 192.168.x.x/16 networks.
 This now means that all hosts from the 192.168.10.0/24 network still match, but now the hosts from the 192.168.11.0 network (and every other 192.168.x.0 network) also match.
Removing an IP access list from an interface

To stop filtering on an interface, remove the binding in interface configuration mode with no ip access-group {number | name} {in | out}. The list itself stays in the configuration until you also enter no access-list <number> (or no ip access-list {standard | extended} <name>). Do the two steps in that order: an interface whose ip access-group still points at a list that no longer exists does not filter at all and forwards everything, which is the opposite of what an administrator deleting a list usually expects.
Correct Placement of a Standard ACL
 Standard ACLs are simple to create and implement.
 However, standard ACLs only filter based on the source address and will filter all traffic without regard to the type or the destination of the traffic.
 With routes to multiple networks, a standard ACL placed too close to the source may unintentionally block traffic that should be permitted.
 Therefore, it is important to place standard ACLs as close to the destination as possible.
Configuring Extended ACLs

Extended ACL Overview

 Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add to your security solution.
 Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services).
 This gives a greater range of criteria on which to base the ACL.
 For example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.
Extended ACL Overview (continued)

 Unlike standard IP access lists, an extended ACL does not have a default wildcard mask of 0.0.0.0.
 You must specify the wildcard mask for the source IP address.
 You can use the typical wildcard mask or use shortcuts.
 The host keyword is short for a wildcard mask of 0.0.0.0.
 The line will only be applied to packets that match the one source address specified with the host keyword.
 The host keyword is placed before the IP address rather than after it like the wildcard mask would be.
Syntax for Writing an Extended ACL

access-list access-list-number {deny | permit | remark} protocol source source-wildcard destination destination-wildcard [operator port] [established] [log]

Parameter            Description
access-list-number   Identifies the access list using a number in the range 100 to 199 (for an extended IP ACL) and 2000 to 2699 (expanded IP ACLs).
deny                 Denies access if the conditions are matched.
permit               Permits access if the conditions are matched.
remark               Adds a comment about the entry to make the list easier to understand; a remark does not affect matching.
protocol             Name or number of an Internet protocol. Common keywords include icmp, ip, tcp, or udp. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword.
source               Number of the network or host from which the packet is being sent.
source-wildcard      Wildcard bits to be applied to the source.
destination          Number of the network or host to which the packet is being sent.
destination-wildcard Wildcard bits to be applied to the destination.
operator             (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port                 (Optional) The decimal number or name of a TCP or UDP port.
established          (Optional) For the TCP protocol only: matches segments that have the ACK or RST bit set, i.e. that belong to an already established connection rather than opening a new one. The check is stateless; it trusts the flag bits carried in the packet.
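To show how the extended-ACL fields in the table combine, here is an added example (my code, not from the slides): a matcher that evaluates structured entries against a packet's protocol, addresses, destination port operator and TCP flags, with the same first-match and implicit-deny behaviour as before. ACL 110, the 192.168.30.0/24 inside network, the DMZ host 192.168.30.10 and every sample packet are constructed for this illustration. The last sample packet is the one worth studying: it shows why established is a flag check, not connection tracking.

```python
"""Extended-ACL matching on the five-tuple plus TCP flags (added example, not from the deck).

Entries are structured records rather than parsed IOS text; ACL 110, its networks
and the sample packets are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # the 'any' keyword
INSIDE = ("192.168.30.0", "0.0.0.255")       # constructed LAN, 192.168.30.0/24
DMZ_WEB = ("192.168.30.10", "0.0.0.0")       # constructed 'host 192.168.30.10'


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, entry: Tuple[str, str]) -> bool:
    addr, wildcard = entry
    return (to_int(packet_addr) ^ to_int(addr)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False      # TCP ACK or RST bit set in this segment


@dataclass
class ExtEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[Tuple[str, int, int]] = None   # (operator, port, upper port for 'range')
    established: bool = False


def port_matches(spec: Optional[Tuple[str, int, int]], port: int) -> bool:
    """The eq / neq / lt / gt / range operators applied to the destination port."""
    if spec is None:
        return True
    op, p1, p2 = spec
    return {"eq": port == p1, "neq": port != p1, "lt": port < p1,
            "gt": port > p1, "range": p1 <= port <= p2}[op]


def entry_matches(e: ExtEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst)):
        return False
    if not port_matches(e.dport, p.dport):
        return False
    # 'established' is stateless: it only inspects the ACK/RST bits of this packet.
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True


def evaluate(acl: List[ExtEntry], p: Packet) -> str:
    for e in acl:
        if entry_matches(e, p):
            return e.action       # first match wins
    return "deny"                 # implicit 'deny ip any any'


# Applied inbound on the outside interface: let replies to LAN-initiated TCP sessions
# back in, allow HTTP to one DMZ host, and deny telnet explicitly so it can be logged.
ACL_110 = [
    ExtEntry("permit", "tcp", ANY, INSIDE, established=True),
    ExtEntry("permit", "tcp", ANY, DMZ_WEB, dport=("eq", 80, 0)),
    ExtEntry("deny", "tcp", ANY, INSIDE, dport=("eq", 23, 0)),
]

# Constructed packets, one per outcome worth understanding.
SAMPLE_PACKETS = {
    "reply from web server to LAN client": Packet("tcp", "203.0.113.5", "192.168.30.22", 80, 51514, ack_or_rst=True),
    "new telnet SYN to LAN host": Packet("tcp", "203.0.113.5", "192.168.30.22", 40000, 23),
    "web request to DMZ server": Packet("tcp", "203.0.113.5", "192.168.30.10", 40001, 80),
    "ssh to DMZ server": Packet("tcp", "203.0.113.5", "192.168.30.10", 40002, 22),
    "ping to LAN host": Packet("icmp", "203.0.113.5", "192.168.30.22"),
    "ACK-flagged telnet probe to LAN host": Packet("tcp", "203.0.113.5", "192.168.30.22", 40003, 23, ack_or_rst=True),
}


def demo() -> Dict[str, str]:
    return {name: evaluate(ACL_110, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6} {name}")
```

The ACK-flagged probe is permitted even though the same port is denied two lines further down, because the established entry matches first on nothing more than the ACK bit. That is the limit of what a packet filter can do with established: it keeps out unsolicited SYNs but cannot tell a forged ACK from a genuine reply, which is why the rule is a complement to, not a replacement for, a stateful firewall.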
Extended ACL Examples

Configuring Extended ACL's

Applying an Extended ACL
S0/0/0 has two ACL's applied to it, but they are in different directions (one inbound, one outbound), which the "one ACL per protocol, per interface, per direction" rule allows.

Denying FTP

Denying Telnet
Correct Placement of Extended ACLs
 Since an extended ACL has destination information, place it as close to the source as possible.
 This saves bandwidth and router work: a packet that would only be denied on reaching the destination is dropped before it crosses the network.
 Place an extended ACL on the first router interface the packet enters and specify inbound in the access-group command.
Naming ACLs - IOS Software Release 12.3

Named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.
Standard Named ACL

Extended Named ACL

Standard ACL's & VTY Ports
Controlling VTY Line Access
 Restricting access to telnet (and to SSH, since both arrive on the VTY lines)
 Access control examples
  Individual hosts (the two forms are equivalent)
   RouterA(config)# access-list 12 permit 192.168.12.12 0.0.0.0
   RouterA(config)# access-list 12 permit host 192.168.12.12
  Network access
   RouterA(config)# access-list 12 permit 192.168.12.0 0.0.0.255
 Apply the access list to the VTY lines (with access-class, not ip access-group: the list is bound to the lines rather than to an interface, so one list protects management access on every interface the router can be reached through)
   RouterA(config)# line vty 0 4
   RouterA(config-line)# access-class 12 in
 Everything not permitted is stopped by the implicit deny, so this list allows management connections only from 192.168.12.12 and the 192.168.12.0/24 network.
Verifying ACLs
 show access-lists
  shows all access-lists configured on the router, with a hit count for each line that has matched traffic
 show [protocol] access-lists {name|number}
  shows the identified access list
 show ip interface
  shows the access-lists applied to the interface, both inbound and outbound
 show running-config
  shows all access lists and what interfaces they are applied on
Resource material for PowerPoints from:

Rick Graziani

Todd Lammle