ICND2 OECG Chapter 6: IP ACLs
Posted by Aragoen Celtdra on 17th June 2008
- Cisco first introduced numbered ACLs in the late 1980s
- With IOS 11.2, named ACLs were introduced
- With IOS 12.3, the ability to edit existing ACLs was improved (sequence numbers)
Standard IP Access Control Lists
IP Standard ACL Concepts
- IP ACLs filter traffic based on criteria defined by a network engineer
- A standard IP ACL examines only the source IP address of each packet
- Other uses
- Filter routing updates
- Match packets for prioritization
- Match packets for VPN tunneling
- Match packets for QoS implementation
- Used as part of NAT configuration
- To filter packets, an engineer needs to consider:
- Which packets to filter
- Where on the network to place the filter
- An ACL's filtering logic applies to packets either as they enter an interface or as they exit one.
- So to decide where to put the ACL, first pick the router to apply it on, then decide whether to apply it on that router's interface in the inbound or the outbound direction.
- ACLs key features:
- Filter packets as they enter an interface
- Filter packets as they exit an interface
- Use Deny to filter a packet
- Use Permit to allow a packet
- Create an access list to configure the filtering logic
- At the end of every access list, there is an implied “deny all traffic” statement. Therefore a packet is blocked if it doesn’t match any statements of the access list.
- Matching and Action
- Each packet that traverses an interface with an ACL applied is examined and compared, in order, against the statements of the access-list commands.
- When a statement matches the packet, its action tells the router what to do with it: deny (discard the packet) or permit (let it go through).
- Access Control Lists
- A list of entries that received packets are compared against.
- The entries are checked sequentially until the first one that matches; later entries are not considered.
- If no match is made, the deny action is performed (the implicit deny).
Wildcard Masks
- The configuration of an IP ACL lets the router decide whether to match the whole IP address or just a part of the IP address.
- That is, you can define a specific IP to be matched (such as 10.2.11.10) or you can specify to match all hosts on a subnet (such as all hosts in subnet 10.2.11.0)
- The wildcard mask is used to decide which part of the address should be examined. It plays a role similar to a subnet mask, but its bits have the opposite meaning.
- The 0 bits in the wildcard mask tell the router that the corresponding bit of the packet's address must equal the corresponding bit of the address in the ACL statement. The 1 bits tell the router to ignore the corresponding bit when matching.
- For example, a wildcard mask of 0.0.0.255 tells the router to examine the first 24 bits for matching and ignore the last 8 bits.
- 0.0.15.255 (00000000.00000000.00001111.11111111) tells the router to match the first 20 bits and ignore the last 12.
- 0.0.15.255 is the wildcard mask to match a whole subnet with subnet mask 255.255.240.0. To get the wildcard value, simply invert the binary 1s and 0s of the subnet mask. That is, 255.255.240.0 (11111111.11111111.11110000.00000000) inverted yields 0.0.15.255 (00000000.00000000.00001111.11111111)
A Quicker Alternative for Interpreting Wildcard Masks
- Use the subnet number as the address value in the access-list command.
- Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255, octet by octet:
  255.255.255.255
- 255.255.240.0
= 0.0.15.255
- To find the subnet mask from a wildcard mask, subtract the other way around (wildcard mask from 255.255.255.255):
  255.255.255.255
- 0.0.15.255
= 255.255.240.0
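As an added example (not part of the original notes or the book), the following Python carries out both wildcard-mask derivations above (bit inversion and subtraction from 255.255.255.255), checks whether a packet's address matches an ACL address/wildcard pair, and goes one step beyond the notes by handling a non-contiguous wildcard, which IOS accepts but which has no single subnet-mask equivalent. All addresses are constructed sample values.

```python
# Added example for these notes (not from the book): wildcard-mask arithmetic.
# All addresses below are constructed sample values.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert every bit of the subnet mask (0 <-> 1)."""
    return _str(_ip(mask) ^ ALL_ONES)

def wildcard_by_subtraction(mask: str) -> str:
    """The quicker alternative: 255.255.255.255 minus the mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def subnet_mask_from_wildcard(wildcard: str) -> str:
    """Reverse direction: 255.255.255.255 minus the wildcard mask."""
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))

def wildcard_matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must equal the ACL address; 1 bits are ignored."""
    care = _ip(wildcard) ^ ALL_ONES            # the bits the router compares
    return (_ip(packet_ip) & care) == (_ip(acl_addr) & care)

def prefix_length_from_wildcard(wildcard: str):
    """Prefix length when the wildcard is a contiguous run of low 1 bits,
    otherwise None. IOS also accepts non-contiguous wildcards (not covered
    in the notes); those have no single CIDR equivalent."""
    w = _ip(wildcard)
    if w & (w + 1):                            # a bit set above a 0 bit
        return None
    return 32 - w.bit_length()

if __name__ == "__main__":
    for mask in ("255.255.240.0", "255.255.255.0", "255.255.255.255"):
        print(mask, "->", wildcard_from_subnet_mask(mask), wildcard_by_subtraction(mask))
    # the /20 case from the notes: 10.2.0.0 0.0.15.255 covers 10.2.0.0 - 10.2.15.255
    print(wildcard_matches("10.2.15.1", "10.2.0.0", "0.0.15.255"))    # True
    print(wildcard_matches("10.2.16.1", "10.2.0.0", "0.0.15.255"))    # False
    # non-contiguous: 10.1.0.0 0.0.254.255 matches 10.1.x.y only when x is even
    print(wildcard_matches("10.1.4.7", "10.1.0.0", "0.0.254.255"),
          prefix_length_from_wildcard("0.0.254.255"))                 # True None
```

The two derivations agree for every mask because subtracting an octet from 255 is the same operation as inverting its eight bits. The `prefix_length_from_wildcard` check is the one to keep in mind when converting an ACL into CIDR form for a firewall or a review tool: a non-contiguous wildcard silently widens the match beyond any single subnet.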
Standard IP Access List Configuration
- The syntax to configure a standard IP ACL:
- access-list access-list-number {deny | permit} source [source-wildcard]
- You can configure a series of access-list commands using the same number. The access list statements will be added in the list in the same order that they are configured into the router.
- The number range for standard ACLs is 1 to 99 and 1300 to 1999.
- Standard ACLs should be placed near the destination of the packets: since they match only the source address, placing one near the source would also block that source's traffic to destinations you never intended to filter.
- Configure one or more access-list global commands to create the ACL.
- The list is searched sequentially. Once a packet matches a statement, the search stops and the remaining statements are not examined, even if a later statement would also have matched the packet.
- If the packet does not match any statement on the list, it is discarded (implicit deny).
- To enable the ACL, configure the interface subcommand:
- ip access-group number {in | out}
Standard IP ACL: Example
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is 172.16.3.10
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
- IOS rewrites the above configuration slightly, as seen when the show running-config command is issued:
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
access-list 1 remark stop all traffic whose source IP is 172.16.3.10
access-list 1 deny host 172.16.3.10
access-list 1 permit any
- Notice the changes IOS makes in the output: 172.16.3.10 0.0.0.0 becomes host 172.16.3.10, and 0.0.0.0 255.255.255.255 becomes any. That is the newer style of configuration versus the older style used in the original example.
- You can pick any ACL number from 1-99 and 1300-1999 to represent the list. In this example we simply used ACL number 1.
- The access-list commands are global configuration commands
- The ip access-group command is configured on interface Ethernet0 and is applied in the outbound direction (as packets leave E0).
- We can refer to this access list as ACL 1.
- The deny statement matches exactly the address 172.16.3.10 (wildcard 0.0.0.0 means every bit must match) and stops its packets from going out of the interface.
- The last statement permits every other source: the address 0.0.0.0 combined with the wildcard 255.255.255.255 tells the router to ignore all 32 bits, so any source address matches.
Extended IP Access Control Lists
Extended IP ACL Concepts
- Whereas a standard IP ACL can match only the source IP address (or a portion of it using a wildcard mask), an extended IP Access Control List can additionally match:
- Destination IP address
- Portion of the destination IP using wildcard mask
- Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
- Source Port
- Destination Port
- All TCP segments except the first of a connection, i.e. those with the ACK or RST flag set (the established keyword)
- IP TOS
- IP Precedence
Matching TCP and UDP Port Numbers
- The access-list command must use the protocol keyword tcp to match TCP ports and the udp keyword to match UDP ports. The ip keyword matches any IP protocol and does not allow matching port numbers.
- The source port and destination port parameters on the access-list command are positional. That is, their position in the command determines whether the parameter examines the source or the destination port.
- ACLs can match packets sent to a server by comparing the destination port to the well-known port number, but ACLs need to match the source port for packets sent by the server.
Extended IP ACL Configuration
- Extended ACLs should be placed as close to the source of the packets being filtered as possible, so unwanted traffic is discarded before it crosses the network.
- Extended ACLs use numbers 100 to 199 and 2000 to 2699.
- Operators that can be used with the commands:
- eq – equal to
- neq - not equal to
- lt - less than
- gt – greater than
- range – range of port numbers
- Command syntax:
- access-list access-list-number {deny | permit} protocol source-ip source-wildcard [source-port] dest-ip dest-wildcard [dest-port]
- access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23
- This example denies TCP from any source address with a source port greater than 1023 to host 10.1.1.1 on destination port 23 (Telnet).
Advances in Managing ACL Configuration
Named IP Access Lists
- Introduced with IOS version 11.2
- Instead of numbers, named words are used to identify the ACLs
- With the introduction of named ACLs also came the ability to delete individual lines in a named IP access list. (Eventually, IOS 12.3 allowed individual lines of numbered lists to be deleted as well.)
- Before IOS 12.3, deleting a single line of a numbered ACL with a no access-list command deleted the whole list. This is not the case with named ACLs.
- Two important configuration differences between old-style numbered ACLs and the newer named access lists:
- The global command used for named access list puts the user in a named IP access list submode. From there the matching permit/deny logic is configured.
- The second is that when a named statement is deleted, only that statement is deleted – not the whole list.
- Example configuration:
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Editing ACLs Using Sequence Numbers
- Before IOS 12.3, in order to delete a single line of a numbered ACL, you had to delete the entire access list. This caused a lot of issues because of the steps involved: you had to remove the ACL from any interfaces that use it, delete the ACL, reconfigure it, then enable it again on the pertinent interfaces.
- With named ACLs (introduced in IOS 11.2) the engineer is allowed to delete a single line from an ACL.
- One drawback was that you were not allowed to insert a new permit or deny statement in the middle of the list. Any new statements were added to the end of the list.
- IOS 12.3 added sequence numbers. This applies to both named and numbered ACLs.
- This feature assigns a sequence number to each permit or deny statement, which fixes that statement's position in the ACL.
- More features:
- A single ACL statement can be deleted from the list simply by referencing the sequence number, while leaving the rest of the list intact
- Any new permit or deny statements can be configured with a sequence number that tells the IOS where to place the statement.
- If a new statement is added without a sequence number, IOS will give it a sequence number and automatically place it at the end of the list.
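As an added example (our own model, not IOS code), the Python below mimics the sequence-number behaviour described above: a statement added without a number goes to the end in steps of 10 (the IOS default), an explicit number inserts the statement at that position, deleting by number removes only that statement, and a resequence renumbers the list the way ip access-list resequence does. The list content is the barney ACL from above plus one constructed entry; the rendering follows the layout of show ip access-lists.

```python
# Added example for these notes (not IOS code): a model of sequence-numbered
# ACL editing. Entries are (sequence number, statement text) pairs kept in order.

def add_entry(acl: list, text: str, seq: int = None) -> int:
    """Insert `text` at `seq`; without a seq, append at last + 10 (the IOS default)."""
    if seq is None:
        seq = acl[-1][0] + 10 if acl else 10
    if any(s == seq for s, _ in acl):
        raise ValueError(f"sequence number {seq} already in use")
    acl.append((seq, text))
    acl.sort(key=lambda e: e[0])           # position is decided by the number
    return seq

def delete_entry(acl: list, seq: int) -> None:
    """Remove only the entry with this sequence number; the rest stays intact."""
    before = len(acl)
    acl[:] = [e for e in acl if e[0] != seq]
    if len(acl) == before:
        raise KeyError(f"no entry with sequence number {seq}")

def resequence(acl: list, start: int = 10, step: int = 10) -> None:
    """Renumber in place, like 'ip access-list resequence <name> <start> <step>'."""
    acl[:] = [(start + i * step, text) for i, (_, text) in enumerate(acl)]

def show(name: str, acl: list) -> list:
    """Lines in the layout of 'show ip access-lists' for an extended named ACL."""
    return [f"Extended IP access list {name}"] + [f"    {s} {t}" for s, t in acl]

if __name__ == "__main__":
    barney = []
    add_entry(barney, "permit tcp host 10.1.1.2 eq www any")            # 10
    add_entry(barney, "deny udp host 10.1.1.1 10.1.2.0 0.0.0.255")      # 20
    add_entry(barney, "deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255")  # 30
    # constructed entry inserted between 10 and 20 without touching the others
    add_entry(barney, "permit tcp host 10.1.1.3 any eq 22", seq=15)
    delete_entry(barney, 20)
    print("\n".join(show("barney", barney)))
```

Before sequence numbers, the only way to get the entry at 15 into that position was to rebuild the whole list, with the ACL removed from its interfaces in the meantime; the resequence step is what you run when the gaps between numbers have been used up.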
Miscellaneous ACL Topics
Controlling Telnet and SSH Access with ACLs
ACL Implementation Considerations
Reflexive Access Lists
Dynamic ACLs
Time-Based ACLs
Posted in CCNA Basics, CCNA Notes, IP ACL
