Day 7 ACL Concepts and Configurations

CCNA 640-802 Exam Topics

•  Describe the purpose and types of ACLs.

•  Configure and apply ACLs based on network filtering requirements.

•  Configure and apply an ACL to limit Telnet and SSH access to the router using CLI and SDM.

Key Topics

One of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. Standard and extended ACLs can be used to apply a number of security features, including policy-based routing, quality of service (QoS), Network Address Translation (NAT), and Port Address Translation (PAT).

You can also configure standard and extended ACLs on router interfaces to control the type of traffic that is permitted through a given router. Today, we review the purpose and types of ACLs as well as configuration and application of ACLs to filter traffic.

ACL Concepts

A router’s default operation is to forward all packets as long as a route exists for the packet and the link is up. ACLs can be used to implement a basic level of security. They are not, however, the only security solution a large organization would want to implement. In fact, ACLs increase the latency of routers. So if the organization is very large with routers managing the traffic of hundreds or thousands of users, you more than likely will use a combination of other security implementations, such as a Cisco PIX firewall and authentication services.

Defining an ACL

An ACL is a router configuration script (a list of statements) that controls whether a router permits or denies packets to pass based on criteria found in the packet header. To determine whether a packet is to be permitted or denied, it is tested against the ACL statements in sequential order. When a statement matches, no more statements are evaluated. The packet is either permitted or denied. There is an implicit deny any statement at the end of the ACL. If a packet does not match any of the statements in the ACL, it is dropped.

Processing Interface ACLs

ACLs can be applied to an interface for inbound and outbound traffic. However, you need a separate ACL for each direction.

Figure 7-1      ACL Interface Processing for Inbound and Outbound Traffic


For inbound traffic, the router checks for an inbound ACL applied to the interface before doing a route table lookup. Then, for outbound traffic, the router makes sure that a route exists to the destination before checking for ACLs. Finally, if an ACL statement results in a dropped packet, the router sends an ICMP destination unreachable message.

Types of ACLs

ACLs can be configured to filter any type of protocol traffic including other network layer protocols such as AppleTalk and IPX. For the CCNA exam, we focus on IPv4 ACLs, which come in the following types:

•  Standard ACLs: Filter traffic based on source address only

•  Extended ACLs: Can filter traffic based on source and destination address, specific protocols, as well as source and destination TCP and UDP ports

You can use two methods to identify both standard and extended ACLs:

•  Numbered ACLs use a number for identification.

•  Named ACLs use a descriptive name or number for identification.

Although named ACLs must be used with some types of IOS configurations that are beyond the scope of the CCNA exam topics, they do provide two basic benefits:

•  By using a descriptive name (such as BLOCK-HTTP), a network administrator can more quickly determine the purpose of an ACL. This is particularly helpful in larger networks where a router can have many ACLs with hundreds of statements.

•  Named ACLs reduce the amount of typing you must do to configure each statement, as you will see in the section “Configuring Named ACLs.”

Both numbered and named ACLs can be configured for both standard and extended ACL implementations.

ACL Identification

Table 7-1 lists the different ACL number ranges for the IPv4 protocol as well as a few other protocols. The table is not exhaustive.

Table 7-1      Protocol ACL Numbers


Named IP ACLs give you more flexibility in working with the ACL entries. In addition to using more memorable names, the other major advantage of named ACLs over numbered ACLs is that you can delete individual statements in a named IP access list.

With Cisco IOS Software Release 12.3, IP access list entry sequence numbering was introduced for both numbered and named ACLs. IP access list entry sequence numbering provides the following benefits:

•  You can edit the order of ACL statements.

•  You can remove individual statements from an ACL.

•  You can use the sequence number to insert new statements into the middle of the ACL.

Sequence numbers are automatically added to the ACL if not entered explicitly at the time the ACL is created. No support exists for sequence numbering in software versions earlier than Cisco IOS Software Release 12.3; therefore, all the ACL additions for earlier software versions are placed at the end of the ACL.

ACL Design Guidelines

Well-designed and well-implemented ACLs add an important security component to your network. Follow these general principles to ensure that the ACLs you create have the intended results:

•  Based on the test conditions, choose a standard or extended, numbered, or named ACL.

•  Only one ACL per protocol, per direction, and per interface is allowed.

•  Organize the ACL to enable processing from the top down. Organize your ACL so that the more specific references to a network or subnet appear before ones that are more general. Place conditions that occur more frequently before conditions that occur less frequently.

•  All ACLs contain an implicit deny any statement at the end.

•  Create the ACL before applying it to an interface.

•  Depending on how you apply the ACL, the ACL filters traffic either going through the router or going to and from the router, such as traffic to or from the vty lines.

•  You should typically place extended ACLs as close as possible to the source of the traffic that you want to deny. Because standard ACLs do not specify destination addresses, you must put the standard ACL as close as possible to the destination of the traffic you want to deny so the source can reach intermediary networks.

Configuring Standard Numbered ACLs

Standard IPv4 ACLs, which are numbered ACLs in the range of 1 to 99 and 1300 to 1999 or are named ACLs, filter packets based on a source address and mask, and they permit or deny the entire TCP/IP protocol suite. Configuring an ACL requires two steps:

Step 1     Create the ACL.

Step 2     Apply the ACL.

Let’s use the simple topology shown in Figure 7-2 to demonstrate how to configure both standard and extended ACLs.

Figure 7-2      ACL Configuration Topology


Standard Numbered ACL: Permit Specific Network

Create an ACL to prevent traffic that is not part of the internal networks (172.16.0.0/16) from traveling out either of the Ethernet interfaces.

Step 1     Create the ACL.

Use the access-list global configuration command to create an entry in a standard IPv4 ACL:

RouterX(config)#access-list 1 permit 172.16.0.0 0.0.255.255

The sample statement matches any address that starts with 172.16.x.x. You can use the remark option to add a description to your ACL.

Step 2     Apply the ACL.

Use the interface configuration command to select an interface to which to apply the ACL. Then use the ip access-group interface configuration command to activate the existing ACL on an interface for a specific direction (in or out).

RouterX(config)#interface ethernet 0
RouterX(config-if)#ip access-group 1 out
RouterX(config)#interface ethernet 1
RouterX(config-if)#ip access-group 1 out

This step activates the standard IPv4 ACL 1 on both interfaces as an outbound filter.

This ACL allows only traffic from source network 172.16.0.0 to be forwarded out on E0 and E1. Traffic from networks other than 172.16.0.0 is blocked with the implied “deny any”.

Standard Numbered ACL: Deny a Specific Host

Create an ACL to prevent traffic that originates from host 172.16.4.13 from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-1.

Example 7-1   ACL Preventing Traffic Originating from a Specific Host

RouterX(config)#access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)#access-list 1 permit 0.0.0.0 255.255.255.255
RouterX(config)#interface ethernet 0
RouterX(config-if)#ip access-group 1 out

This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded on interface Ethernet 0. The first statement can also be written with the keyword host replacing the 0.0.0.0 wildcard mask as follows:

       RouterX(config)#access-list 1 deny host 172.16.4.13

In fact, starting with Cisco IOS Software Release 12.3, you can enter the following:

       RouterX(config)#access-list 1 deny 172.16.4.13

The second statement can be written with the keyword any replacing the source address 0.0.0.0 and wildcard mask 255.255.255.255 as follows:

       RouterX(config)#access-list 1 permit any

Standard Numbered ACL: Deny a Specific Subnet

Create an ACL to prevent traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-2.

Example 7-2   ACL Preventing Traffic Originating from a Specific Subnet

RouterX(config)#access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)#access-list 1 permit any
RouterX(config)#interface ethernet 0
RouterX(config-if)#ip access-group 1 out

This ACL is designed to block traffic from a specific subnet, 172.16.4.0, and to allow all other traffic to be forwarded out E0.

Standard Numbered ACL: Deny Telnet Access to the Router

To control traffic into and out of the router (not through the router), deny Telnet access to the router by applying an ACL to the vty ports. Restricting vty access is primarily a technique for increasing network security and defining which addresses are allowed Telnet access to the router EXEC process. Create and apply the ACL with the commands shown in Example 7-3.

Example 7-3   Access List Preventing Telnet Activity

RouterX(config)#access-list 12 permit host 172.16.4.13
RouterX(config)#line vty 0 4
RouterX(config-line)#access-class 12 in

In this example, only host 172.16.4.13 is allowed to Telnet into RouterX. All other IP addresses are denied implicitly.

Configuring Extended Numbered ACLs

For more precise traffic-filtering control, use extended IP ACLs, which are numbered ACLs in the range of 100 to 199 and 2000 to 2699 or are named ACLs. Extended ACLs check both the source and destination IP address. In addition, at the end of the extended ACL statement, you can specify the protocol and an optional TCP or UDP application to filter more precisely. To configure numbered extended IPv4 ACLs on a Cisco router, create an extended IP ACL and activate that ACL on an interface. For CCNA exam purposes, the extended ACL command syntax is as follows:

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Table 7-2 explains the syntax of the command.

Table 7-2      Command Parameters for a Numbered Extended ACL


Extended Numbered ACL: Deny FTP from Subnets

For the network in Figure 7-2, create an ACL to prevent FTP traffic originating from the subnet 172.16.4.0/24 and going to the 172.16.3.0/24 subnet from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-4.

Example 7-4   Access List Preventing FTP Traffic from Specific Subnets

RouterX(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)#access-list 101 permit ip any any
RouterX(config)#interface ethernet 0
RouterX(config-if)#ip access-group 101 out

The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit statement allows all other IP traffic out interface E0. Two statements must be entered for the FTP application because port 20 is used to establish, maintain, and terminate an FTP session while port 21 is used for the actual file transfer task.

Extended Numbered ACL: Deny Only Telnet from Subnet

Create an ACL to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-5.

Example 7-5   Access List Preventing Telnet Traffic from a Specific Subnet

RouterX(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)#access-list 101 permit ip any any
RouterX(config)#interface ethernet 0
RouterX(config-if)#ip access-group 101 out

This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other IP traffic from any other source to any destination is permitted out E0.

Configuring Named ACLs

The named ACL feature allows you to identify standard and extended ACLs with an alphanumeric string (name) instead of the current numeric representations.

Because you can delete individual entries with named ACLs, you can modify your ACL without having to delete and then reconfigure the entire ACL. With Cisco IOS Software Release 12.3 and later, you can insert individual entries using an appropriate sequence number.

Standard Named ACL Steps and Syntax

The following are the steps and syntax used to create a standard named ACL:

Step 1     Name the ACL.

Starting from global configuration mode, use the ip access-list standard name command to name the standard ACL. ACL names are alphanumeric and must be unique:

Router(config)#ip access-list standard name

Step 2     Create the ACL.

From standard named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. If you do not specify a sequence number, IOS will increment the sequence number by 10 for every statement you enter:

Router(config-std-nacl)#[sequence-number] {permit | deny} source source-wildcard [log]

Step 3     Apply the ACL.

Activate the named ACL on an interface with the ip access-group name command:

Router(config-if)#ip access-group name [in | out]

Standard Named ACL: Deny a Single Host from a Given Subnet

For the network shown previously in Figure 7-2, create a standard ACL named “troublemaker” to prevent traffic that originates from the host 172.16.4.13 from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-6.

Example 7-6   Named ACL Preventing Traffic from a Specific Host

RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out

Extended Named ACL Steps and Syntax

The following are the steps and syntax used to create an extended named ACL:

Step 1     Name the ACL.

Starting from global configuration mode, use the ip access-list extended name command to name the extended ACL:

Router(config)#ip access-list extended name

Step 2     Create the ACL.

From extended named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped:

Router(config-ext-nacl)#[sequence-number] {deny | permit} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Step 3     Apply the ACL.

Activate the named ACL on an interface with the ip access-group name command:

Router(config-if)#ip access-group name [in | out]

Extended Named ACL: Deny a Telnet from a Subnet

Using Figure 7-2 again, create an extended ACL named “badgroup” to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0. Create and apply the ACL with the commands shown in Example 7-7.

Example 7-7   Access List Preventing Telnet Traffic from a Specific Subnet

RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out

Adding Comments to Named or Numbered ACLs

You can add comments to ACLs by using the remark keyword in place of permit or deny. Remarks are descriptive statements that help you understand and troubleshoot either named or numbered ACLs.

Example 7-8 shows how to add a comment to a numbered ACL.

Example 7-8   Adding Comments to a Numbered ACL

RouterX(config)#access-list 101 remark Permitting_John to Telnet to Server
RouterX(config)#access-list 101 permit tcp host 172.16.4.13 host 172.16.3.10 eq telnet

Example 7-9 shows how to add a comment to a named ACL.

Example 7-9   Adding Comments to a Named ACL

RouterX(config)#ip access-list standard PREVENTION
RouterX(config-std-nacl)#remark Do not allow Jones subnet through
RouterX(config-std-nacl)#deny 172.16.4.0 0.0.0.255
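To see the processing rules of this day applied to its own statements (sequential top-down evaluation, first match wins, wildcard masks, the implicit deny any, and remarks being skipped), here is a small Python evaluator added for this review; it is not IOS code and not from the book. It takes the text that follows access-list N (or one named-ACL entry) for the standard and extended examples above, and assumes only the destination eq port operator, no source ports, and a fixed set of port names.

```python
import ipaddress

# Constructed evaluator for this chapter's IPv4 ACL statements (not IOS code).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23}
ANY = (0, 0xFFFFFFFF)          # (address, wildcard) pair that matches every address

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _parse_addr(tokens):
    # Accepts 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare 'A.B.C.D' (12.3+ shorthand)
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and "." in tokens[1]:
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]

def parse_ace(line):
    # Parses the text after 'access-list N ' (or one named-ACL entry); remarks yield None.
    # Only the destination 'eq <port>' operator is modelled (an assumption of this example).
    action, *rest = line.split()
    if action == "remark":
        return None
    if rest[0] in ("ip", "tcp", "udp", "icmp"):        # extended entry
        proto, rest = rest[0], rest[1:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    else:                                              # standard entry: source only
        proto, dst, dport = "ip", ANY, None
        src, _ = _parse_addr(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _match(addr_wild, ip):
    addr, wild = addr_wild
    care = ~wild & 0xFFFFFFFF      # wildcard 0 bits must match exactly, 1 bits are ignored
    return (_ip(ip) & care) == (addr & care)

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt = {'src', 'dst', 'proto', 'dport'}."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if (ace["proto"] in ("ip", pkt.get("proto"))
                and _match(ace["src"], pkt["src"]) and _match(ace["dst"], pkt["dst"])
                and ace["dport"] in (None, pkt.get("dport"))):
            return ace["action"]   # first match wins; later statements are not evaluated
    return "deny"                  # implicit deny any at the end of every ACL

# Example 7-4 (access-list 101) from the chapter, with the "access-list 101 " prefix omitted
ACL_101 = ["deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "permit ip any any"]
```

Swapping the order of the statements in Example 7-1 or 7-6 (permit before the host deny) and re-running evaluate shows why the design guideline puts specific entries before general ones.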

Complex ACLs

Standard and extended ACLs can become the basis for other types of ACLs that provide additional functionality. These other types of ACLs include the following:

•  Dynamic ACLs (lock-and-key)

•  Reflexive ACLs

•  Time-based ACLs

Configuration of these ACL types is beyond the scope of the CCNA exam, but you should at least be familiar with the concepts behind them. You can review the concepts and configurations in your Study Resources.
