What are ACLs?
- ACLs have multiple uses. For now, though, this page will focus on ACLs from a security perspective
- ACLs function as a packet filter, instructing the router to permit or discard specific traffic
- ACLs can filter traffic based on source/destination IP addresses, source/destination Layer 4 ports, etc.
How They Work
- ACLs are designed with one or more requirements that they must meet
- Ex.: Hosts in
192.168.1.0/24can access the10.0.1.0/24network
- Ex.: Hosts in
- ACLs are configured globally for the entire router (in global config mode)
- Configuring an ACL alone will not make it take effect; it must be applied an interfaces
- ACLs are an ordered sequence of Access Control Entries (ACEs)
- These entries basically enforce the ACL’s requirements
- The order matters! The ACEs are processed in order, so you should generally put the most specific ACEs first or you may inadvertently permit or deny traffic improperly
- ACLs are either inbound or outbound — they either filter the traffic going into or the traffic going out of an interface
- ACLs are processed per packet. If the router matches an ACE, then the router performs the associated action and stops processing the ACL. Any remaining entries will be ignored.
- A maximum of one ACL can be applied to a single interface per direction
Example
ACL 1:
ACE 1) If source IP = 192.168.1.0/24, then permit
ACE 2) if source IP = 192.168.2.0/24, then deny
ACE 3) if source IP = any, then permit
Note the order; if ACE 3 were processed first then all traffic would be permitted.
A Note On ACE Ordering
While this is most certainly beyond the purview of the CCNA, it may be handy to know that a router may automatically re-order ACEs in an ACL, even if you’ve manually configured their order. It will only ever do this for /32 (host) entries. This is to improve processing efficiency of the ACL, and shouldn’t ever change the routing decisions the router makes. In other words, it may be confusing if you don’t expect it, but it doesn’t affect the function of the ACL.
- Also note that Cisco Packet Tracer doesn’t simulate this behavior, it is only present in real distributions of Cisco IOS
Implicit Deny
What happens if a packet doesn’t match any of the entries in an ACL? It is denied/not forwarded by default. It’s easy to see how this is the more secure option.
- There is an ‘implicit deny’ at the end of all ACLs
- The implicit deny tells the router to deny all traffic that doesn’t match any of the configured entries of the ACL
ACL Types
- Standard ACLs: Match based on Source IP address only
- Extended ACLs: Match based on Source/Destination IP, Source/Destination port, etc.
Standard ACLs
Standard ACLs match traffic based only on the source IP address of the packet. They can be either numbered or named.
Standard Numbered ACLs
- Numbered ACLs are identified with a number (i.e. ACL 1, ACL 2, etc.)
- Different types of ACLs have a different range of numbers that can be used
- Standard ACLs can use 1-99 and 1300-1999.
- As a rule of thumb, Standard ACLs should be applied as close to the destination as possible
Basic Configuration
- The basic command to configure a standard numbered ACL is;
(config)#access-list number {deny | permit} ip wildcard-mask- ex.:
(config)#access-list 1 deny 1.1.1.1 0.0.0.0(denies 1.1.1.1/32)- You can also write this as
(config)#access-list 1 deny 1.1.1.1, you don’t need to specify the wildcard mask if its /32
- You can also write this as
- Use this command to assign the ACL to an interface:
(config-if)#ip access-group number {in | out}
- You can use </\code>(config)#access-list number remark remarks to leave a message/description attached to the ACL which can be seen in the running config
- (use
show running-config | include access-listto see all ACLs and their remarks; remarks are not displayed in the ACL-specific show commands)
- (use
- Show all configured access lists with
show access-listsor show only IP access lists withshow ip access-lists
Standard Named ACLs
- Named ACLs are identified with a name rather than a number
- Standard named ACLs are configured by entering ‘standard named ACL config mode’, and then configuring each entry within that config mode
- Note: you can use named ACL config mode to configure existing numbered ACLs as well. In fact, in the case that you need to edit an ACL with a lot of entries it may be easier than trying to make changes from global config mode.
Basic Configuration
- Enter Std. Named ACL config mode:
(config)#ip access-list standard acl-name
- While in Std. Named ACL config mode, use this to create ACEs:
(config-std-nacl)#[entry-number] {deny | permit} ip wildcard-mask
Extended ACLs
Extended ACLs function mostly the same as standard ACLs. They can also be either numbered or named. Like standard ACLs, entries are processed top-to-bottom (first-to-last).
The primary difference between extended and standard ACLs is that extended ACLs can match traffic based on destination IPs, Layer 4 protocols, and port numbers in addition to source IPs, so they can be more precise in permitting/denying traffic, at the cost of being more complicated to configure.
The as-close-to-the-source-as-possible rule for standard ACLs doesn’t apply here. Because Extended ACLs can be so much more specific than standard ACLs there is less risk that unintended traffic will be denied. The rule of thumb here is Extended ACLs should be applied as close to the source as possible. This helps limit how far they can travel in the network before being denied. (It is better to deny packets earlier both for security and congestion)
Extended Numbered ACLs
- Extended Numbered ACLs use a different range of numbers from standard ACLs:
- Ext. Numbered ACLs use 100 - 199, 2000 - 2699
(config)#access-list number [permit | deny] protocol src-ip dest-ip- Make sure the
numberis within the extended range, the router will understand that you’re trying to configure an extended ACL
- Make sure the
Extended Named ACLs
- Like with Standard ACLs, Extended Numbered ACLs must be configured from a separate configuration mode:
(config)#access-list extended {name | number}- Enter Extended Named ACL config mode
(config-ext-nacl)#[seq-num] [permit | deny] protocol src-ip dest-ip- Configure an ACE
Basic Configuration
I’m combining the basic configuration sections of both Extended Numbered and Named ACLs as the differences in configuration between the two are identical to those in Standard ACLs. For the most part I’ll show example commands from named configuration mode, but the principles should work the same with numbered ACLs.
Note
Don’t forget to use the
’?’contextual command to view the possible inputs for a command. There are a lot of possible values you can use to configure Extended ACLs, too many to write here, so let the router do some of the work for you!
(config-ext-nacl)#[seq-num] [permit | deny] protocol src-ip dest-ipprotocolcan reference any of a number of protocols. Most noteworthy are tcp, udp, and ip. You can deny or permit any packets with any of these protocols. As you might expect, denying by ip alone would block any IP packet — effectively blocking all traffic on the interface.- When matching some protocols (ex. tcp and udp) you can optionally specify source and/or destination port numbers to match as well. In this case, you specify the source port after the source IP but before the destination IP, and the destination port after the destination IP:
(config-ext-nacl)#[seq-num] [permit | deny] {tcp | udp} src-ip [comparison] src-port-num dest-ip [comparison] dst-port-num- The
comparisoncan be a number of options that tell the ACL which ports to block using the specified port. Options include:eq= equal to portgt= greater than portlt= less than portneq= NOT portrange= from port-1 to port-2 (you need to specify two ports for this)
- The
src-ip&dest-ipcan take a number of different inputs (any, for instance), but if you choose to define an IP address or range of addresses you will also need to include a wildcard mask afterward to define the range.
Warning
A packet must match ALL of the parameters to match an entry. Even if it meets all but one, it won’t match and will be passed to the next ACE.
Note
There are many, many more ways to configure this command. You can even match traffic by TCP flags, specific TTL values, and many more. Feel free to look into them, but this is probably all you’ll need for the CCNA
Why Named ACLs?
- You can easily delete individual ACEs with
no entry-number- When you try this using numbered ACLs (running
no access-list number {permit | deny} ip wildcard-mask) it will delete the entire ACL, not just the entry corresponding to the input IP/mask - You cannot edit numbered ACLs from global config mode — only delete them entirely and rebuild them from scratch!
- If you prefer, you can create a numbered ACL, then edit it in named ACL config mode
- When you try this using numbered ACLs (running
- You can insert new entries in-between existing entries by specifying the sequence number
- numbered ACLs will only add entries to the end of the list, with sequence increments of 10
Resequencing
There is a powerful resequencing function that helps edit ACLs:
(config)#ip access-list resequence acl-id starting-seq-num incrementacl-id- the id of the ACL to be resequencedstarting-seq-num- the new sequence number of that entry — this will also be the first entry in the ACLincrement- how much to increment the sequence numbers of every remaining entry
Example
flowchart LR OrigACL["`**Original ACL 1:** 1 deny 192.168.1.1 2 deny 192.168.3.1 3 deny 192.168.2.1 4 deny 192.168.4.1 5 permit any`"] NewACL["`**Resquenced ACL 1:** 10 deny 192.168.1.1 20 deny 192.168.3.1 30 deny 192.168.2.1 40 deny 192.168.4.1 50 permit any`"] OrigACL--ip access-list resequence 1 10 10-->NewACL
- Generally you would resequence with an increment greater than 1 so that you can easily add new entries to any point in the ACL
- Resequencing is performed from global config mode, and works for all types of ACLs
Configuration
(config)#access-list number {deny | permit} ip wildcard-mask- Basic configuration command for an ACL - adds an ACE to the end of the specified Standard Numbered ACL. It will create an ACL of the specified number if one doesn’t already exist.
- The
numbermust be within the standard range, or it will create an Extended numbered ACL
(config)#access-list number [permit | deny] protocol src-ip dest-ip- Configure an ACE in an Extended Numbered ACL (and create the ACL if it doesn’t already exist)
numbermust be within the Extended range, or there may be an error or the entry will be added to a Standard Numbered ACL.
(config-if)#ip access-group number {in | out}- Assign an ACL to an interface in incoming/outgoing mode
(config)#access-list number remark remarks- Leave a remark (a message) attached to an ACL - visible only in the running/startup configs
(config)#ip access-list standard acl-name- Enter Standard Named ACL configuration mode
- Enter a numbered ACL’s number in place of
acl-nameto edit a numbered ACL in Named config mode.
(config-std-nacl)#[entry-number] {deny | permit} ip wildcard-mask- Add an ACE to a standard ACL; Run while in standard named ACL configuration mode. entry-number can be used to specify the order that the entry will be executed at. Leave blank and it will be added to the bottom of the list of ACEs.
(config)#access-list extended {name | number}- Enter Extended Named ACL configuration mode.
- Like with Standard ACLs, you can edit either a named or numbered ACL in named config mode.
(config-ext-nacl)#[seq-num] [permit | deny] protocol src-ip dest-ip- Add an ACE to an extended numbered ACL.
(config-std-nacl)#remark remarks- Add a remark (a message) to a named ACL. Must be run from standard named ACL configuration mode
show access-lists- Show all ACLs on the router
show ip access-lists- Show all IP ACLs on the router