Access Control Lists

Understanding Access Control Lists is an important role for moving up into the CCNA area. ACLs can get confusing and cause network problems if not implemented correctly. I think what I outlined below explains in a nutshell of what you can expect from ACLs. I would still read and find more information about ACLs on the web and or reading material. By securing networks with ACLs you are adding another barrier to your network although ACLs can’t fool-proof your network they add additional level of security from the outside world.

The simple definition of an ACL (access control list) is a sequential list of permit or deny statements that apply to the IP address and or upper-layer protocols. ACLs are a powerful way to control network traffic into and out of your network. Packet filtering sometimes called static filtering, controls access to a network by analyzing the incoming and outgoing packets. A router is considered a packet filter when it forwards or denies packets according to filtering rules. Packet filtering works at the network layer of the OSI model.

The ACL can get the following information from the packer header:

  • Source IP address
  • Destination IP address
  • ICMP message type

An ACL can also get information from upper-layer protocols:

  • TCP/UDP source port
  • TCP/UDP destination port

Remember the three Ps Per protocol, Per direction, and Per interface

  • One ACL per protocol- To control traffic flow on an interface an ACL must be defined for each protocol enabled on the interface (example IP, IPX, AppleTalk)
  • One ACL per direction- ACLs control traffic in one direction at one time on an interface. You must create two separate ACLs to control traffic in both inbound and outbound connections.
  • One ACL per interface- ACLs control traffic for an interface such as Fast Ethernet.

Types of Cisco ACLs

  • Standard ACLs filter packets based on source IP addresses only.
  • Extended ACLs filter packets based on:
    • Source and destination IP address
    • Source and destination TCP and UDP ports
    • Protocol type (IP, ICMP, UDP, TCP or protocol number)

Standard ACLs

Standard ACLs allow you to permit or deny traffic from a source IP address. The packet’s destination and ports involved do not matter. (Example the following ACL statement allows all traffic from the network

Router(config)#access-list 10 permit

Remember there is ALWAYS an implied “deny all” at the end of each ACL statement. (This example is blocking all other network traffic besides what is allowed) Also remember that Standard ACLs are created in global configuration mode.

Extended ACLs

Extended ACLs filter IP packets based on protocol type, source and destination IP address, source TCP or UDP ports, destination TCP or UDP ports and optional protocol type information for finger granularity control. (Example in the following ACL statement, ACL 103 permits traffic originating from any address on the network to any destination host using port 80 (HTTP)

Router(config)#access-list 103 permit tcp any eq 80

Extended ACLs are created in global configuration mode.

Dynamic ACLs

Dynamic or lock-and-key ACLs are available for Internet Protocol traffic only. Dynamic ACLs starts with the application of an extended ACL to block traffic through the router.

Common reasons to use Dynamic ACLs are:

  • When you want a specific remote user or group of remote users to access a host within your network.
  • Connecting to the outside of your network (Internet) Lock-and-key authenticates the user and then permits limited access through your firewall router.
  • You want a subset of hosts on a local network to access a host from a remote network that is protected by a firewall.

Lock-and-key requires users to authenticate through an AAA, TACACS server or other security server before it allows access.

Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. Generally are used to allow outbound traffic and to limit inbound traffic by using sessions that originate inside the router. When a router sees a new outbound connection it adds an entry to a temporary ACL to allow replies back into the network. Reflexive ACLs can be defined only with an extended named IP ACL. They cannot be defined with numbered or standard named ACLs or with other protocols.

Time-Based ACLs

Time-Based ACLs are like extended ACLs in function, but they allow access control based on time. To use time-based ACLs you create a time range that defines specific times of the day and days of the week. You use the time range with a name and then refer to it by a function. The time range relies on the router system clock. This feature works with NTP (Network Time Protocol) synchronization, but the router clock can also be used.

Numbered ACL

You can assign a number based on whether your ACL is standard or extended

  • 1 to 99 and 1300 to 1999 are Standard IP ACL
  • 100 to 199 and 2000 to 2699 are Extended IP ACL

You cannot add or delete entries within the ACL (You have to totally delete the ACL in order to edit it)

Named ACL

You can assign names to the ACL instead of numbers.

  • Names can contain alphanumeric characters
  • Recommended to type the name in all CAPITAL LETTERS
  • Names cannot contain spaces or punctuation and must begin with an alphabetic character
  • You can add or delete entries within the ACL
  • You can specify whether the ACL is standard or extended

The remark keyword is used for documentation and makes the access lists easier to understand. Each remark is limited to 100 characters. (Example)

R1#config t
Enter configuration commands one per line. End with CTRL/Z
R1(config)#access-list 10 remark Permit hosts from the LAN
R1(config)#access-list 10 permit
R1# *Oct 25 20:34:23:13: %SYS-5-CONFIG_I: configured from console by console
R1# show run
Building configuration…
!<output omitted>!
access-list 10 remark Permit hosts from the LAN access-list 10 permit
!<output omitted>!

Creating a Named ACL

Naming an ACL makes it easier to understand its function. (Example shows the commands used to configure a standard named ACL on router R1) Keep in mind this is the same command you would use if you wanted an extended ACL just substitute standard for extended. Interface fa0/0 denies hosts on the network access to the network is as follows:

R1(config)#ip access-list standard NO_ACCESS
R1(config-std-nacl)#deny host
R1(config-std-nacl)#interface fa0/0
R1(config-if)#ip access-group NO_ACCESS out

That’s my view on Access Control Lists, if you want to have more documentation about ACLs you can check out these two links below from Cisco

Configuring IP Access Lists

Access Control Lists: Overview and Guidelines

I hope this tutorial was helpful.