By default, Cisco routers and switches cannot be accessed remotely with a terminal program such as PuTTY or Tera Term. There are two methods of remote connectivity: a vty (Telnet) connection or an SSH connection. SSH provides encrypted connectivity, and Cisco recommends it for remote administration.
But if your router's Cisco IOS does not support SSH, the vty (Telnet) connection can be used. In either case, we can improve the security of the administrative lines by restricting VTY port access.
VTY port access restriction lets you define which IP addresses are allowed Telnet access to the router's EXEC process. We control which administrative workstations may connect by using an ACL together with an access-class statement configured on the VTY lines.
The access-class command, configured in line configuration mode, restricts connections between a particular VTY/SSH line and the addresses in an access list. Both standard and extended access lists applied to interfaces filter packets that travel through the router; an outbound extended ACL that filters Telnet does not, by default, prevent Telnet sessions initiated by the router itself.
Filtering Telnet traffic is usually considered an extended IP ACL function because Telnet is a higher-level protocol. However, a standard ACL can be used here, because the access-class command filters incoming or outgoing Telnet/SSH sessions by source address only. The access-class command syntax is the following:
Router(config-line)# access-class <access-list-number> { in | out }
The in keyword restricts incoming connections, and out restricts outgoing connections, between the addresses in the access list and the Cisco device. We can allow a range of addresses or specific hosts.
The example below allows a range of addresses to access VTY lines 0-4 on router R3. Network 192.168.1.0 is permitted in the ACL to access VTY lines 0-4, and all other networks are denied access to the VTY port.
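The VTY restriction described above, written out as an added example rather than the page's own figure. The hostname R3, the local username and the use of VTY lines 0 to 4 are assumptions, and the match counts in the show output are illustrative.

```cisco
! Added example (assumed topology): only the 192.168.1.0/24 management network
! may open Telnet/SSH sessions to R3. A standard ACL is enough here because
! access-class matches on the source address of the session only.
R3(config)# access-list 2 remark Management stations allowed to reach the VTY lines
R3(config)# access-list 2 permit 192.168.1.0 0.0.0.255
! Explicit deny any: the implicit deny would drop the same sessions, but this
! line makes rejected attempts visible as a match counter.
R3(config)# access-list 2 deny any
!
! The ACL is bound with access-class in line configuration mode, not with
! ip access-group on an interface: interface ACLs filter transit packets,
! access-class filters sessions to the router's own EXEC process.
R3(config)# username admin secret PLACEHOLDER-STRONG-SECRET
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# access-class 2 in
R3(config-line)# end
!
! Verification after one accepted session from 192.168.1.0/24 and one refused
! session from another network (counts illustrative)
R3# show access-lists 2
Standard IP access list 2
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (1 match)
    20 deny   any (1 match)
```

The in direction is what protects the device; out would only restrict sessions that an operator already logged in to R3 opens towards other hosts.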
Verifying a Standard ACL used to secure a VTY Port
After configuring an ACL and applying it to the VTY lines, it is important to verify that it works as expected. The figure below shows computers attempting to access R3 using Telnet. Access list 2 has been configured on the VTY lines of R3. PC0 cannot access R3, but PC1's attempt succeeds.
This is the expected result of our configuration. We can also use the show access-lists command after the Telnet attempts from PC0 and PC1; the ACL statistics show the matches on the permit and deny lines.
After an ACL has been configured, applied to an interface, and has blocked some traffic, we can check the ACL statistics using the show access-lists command. The command shows, for each statement, how many packets have matched it. The figure below illustrates the statistics of a configured ACL.
Examine the output for matches. When traffic matches an ACE and the ACL takes action on that traffic, the match count for that statement is displayed, and the counts shown by show access-lists increase as more matching traffic arrives.
For example, the above ACL is configured for network 192.168.30.0/24. If any host other than PC1 sends a ping to this network, the ACL drops the packets and the match count of the deny statement increases. If host 192.168.10.10 sends a ping to this network, the match count of the permit statement increases.
Now examine the following ACL configuration.
Both permit and deny statements track match information, but the ACL also has an implied deny any as its last statement. This statement does not appear in the show access-lists output, so no statistics are shown for it.
To view statistics for the implied deny any, configure the statement manually as the last entry; it will then appear in the output. If a deny any statement is configured anywhere other than as the last statement in the ACL, it can cause unexpected results.
We can clear the ACL counters using the clear access-list counters command, either alone or with the number or name of a specific ACL. The figure below illustrates the cleared state of the ACL.
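An added example (not the page's figure) of the counter behaviour described above: an ACL protecting the 192.168.30.0/24 network with an explicit deny any, then reading and clearing the counters. The router name R1, the ACL number 10, interface FastEthernet 0/1 and the match counts are assumptions.

```cisco
! Added example: ACL 10 protects the 192.168.30.0/24 network.
! Only host 192.168.10.10 (PC1) is permitted; everything else is denied.
R1(config)# access-list 10 permit host 192.168.10.10
! Without this line the implicit deny still drops the traffic, but no
! counter for it appears in show access-lists. It must stay the last entry.
R1(config)# access-list 10 deny any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 10 out
R1(config-if)# end
!
! After a 5-packet ping from 192.168.10.10 and one from another host (counts illustrative)
R1# show access-lists 10
Standard IP access list 10
    10 permit 192.168.10.10 (5 matches)
    20 deny   any (5 matches)
!
! Reset the counters of this ACL only (omit the number to clear every ACL);
! the entries themselves are untouched.
R1# clear access-list counters 10
R1# show access-lists 10
Standard IP access list 10
    10 permit 192.168.10.10
    20 deny   any
```

Clearing the counters before a test and reading them afterwards is the quickest way to confirm which entry a given flow actually hits.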
Network administrators sometimes need to edit standard ACLs. Each new entry added to an Access Control List (ACL) appears at the bottom of the list, and the router automatically assigns it a sequence number. Standard ACL statements are stored in the running-config, but there is no built-in way to edit a standard ACL entry in place. We can edit standard ACLs using the following two methods.
How to Edit Numbered Standard ACLs
Method 1: Using a Text Editor
If you are familiar with creating and editing ACLs, writing the ACL statements in a text editor such as Notepad is not difficult. When you construct an ACL in a text editor, you can easily edit it and then paste it into the router. To edit an existing ACL, use the show running-config command to display it, copy and paste it into the text editor, make the necessary changes, and paste it back in. For example, suppose a host IPv4 address was entered incorrectly: instead of host 192.168.3.2, you entered 192.168.2.2. The steps for correcting the address in the ACL are as follows:
Display the ACL entries using the show running-config command.
Select the ACL, copy it into Microsoft Notepad, and edit the list as required. After editing the ACL in Microsoft Notepad, select and copy it.
Remove the access list with the no access-list 1 command, because without removing it the new statements would be appended to the existing ACL. Then paste the newly edited ACL into global configuration mode.
Verify the ACL again using the show running-config command.
The no access-list command behaves differently across IOS releases. If the deleted ACL is still applied to an interface, some IOS versions act as if no ACL protects the interface, while others deny all traffic. So, it is good practice to unlink the access list from the interface before deleting it.
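The text-editor method, carried through as one added example (not the page's figure): the wrong host 192.168.2.2 is replaced by 192.168.3.2 in ACL 1, with the ACL unbound from its interface before deletion, as the caveat above recommends. The hostname R1, the interface FastEthernet 0/0 and the permit any entry are assumptions.

```cisco
! Added example: correcting a wrong host address in numbered ACL 1 by re-entering it.
! Step 1 - display the current ACL (look for the access-list 1 lines; output illustrative)
R1# show running-config
access-list 1 deny   192.168.2.2
access-list 1 permit any
!
! Step 2 - in the text editor, change 192.168.2.2 to the intended host 192.168.3.2.
!
! Step 3 - unbind the ACL from its interface first: depending on the IOS release,
! a deleted-but-still-bound ACL is treated either as "permit all" or as "deny all".
R1(config)# interface FastEthernet 0/0
R1(config-if)# no ip access-group 1 out
R1(config-if)# exit
! Delete the whole ACL; otherwise the pasted lines would simply be appended below the old ones.
R1(config)# no access-list 1
! Paste the edited statements from the editor
R1(config)# access-list 1 deny   192.168.3.2
R1(config)# access-list 1 permit any
! Re-bind the corrected ACL
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out
R1(config-if)# end
!
! Step 4 - verify (output illustrative)
R1# show access-lists 1
Standard IP access list 1
    10 deny   192.168.3.2
    20 permit any
```

The window between "no ip access-group" and the re-bind is a few seconds in which the interface is unfiltered, so on a production device this is best done in a maintenance window or replaced by the sequence-number method.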
Method 2: Using the Sequence Number
We can also edit an ACL using sequence numbers. As shown in the figure below, ACL 1 includes a permit statement for network 192.168.3.0. This was an error: the permit statement allows only the network 192.168.3.0, whereas we want to block only host 192.168.3.2 and allow all other traffic. To edit the ACL using sequence numbers, follow these three steps:
Show the current ACL using the show access-lists <access-list-number> command, as shown in step 1 of the figure above. A sequence number is displayed at the beginning of each statement; IOS assigns it automatically when the statement is entered. The misconfigured statement has sequence number 20.
Enter the ip access-list standard <access-list-number> command, which is normally used to configure named ACLs; here the access-list number, 1, is used as the name. In this mode, delete the misconfigured statement with no 20, where 20 is the sequence number of the ACE. Then add the corrected statement with the same sequence number, for example 20 permit any. An existing statement cannot be overwritten by entering a new statement with the same sequence number, so the current statement must be deleted before the new one is entered with that sequence number.
Verify the changes again using show access-lists.
How to Edit Named Standard ACLs
Just as we edited the numbered standard ACL using sequence numbers in the previous example, we can edit named standard ACLs with the same method. The steps for editing a named standard ACL are the following:
First, enter the show access-lists command. The ACL named No_ACCESS has two numbered lines containing the access rules for a host with IPv4 address 192.168.2.4.
Use the ip access-list standard <access-list-name> command to enter named ACL configuration mode. From this mode, statements can be inserted or removed just as in the previous example; the no <sequence-number> command deletes an individual statement.
To add a statement, enter <sequence-number> followed by the deny or permit statement.
Finally, use the show access-lists command to verify the configuration. The figure illustrates the steps for editing the named standard ACL.
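Both sequence-number procedures above (numbered ACL 1 from Method 2 and the named ACL No_ACCESS) in one added example that is not the page's figure. The hostname R1, the existing entries shown in the show output and the second host inserted into No_ACCESS are assumptions chosen to match the text.

```cisco
! Added example: editing by sequence number. An entry is never overwritten in place,
! so the old entry is removed first, then a new one with the same number is entered.
!
! --- Numbered ACL 1: sequence 20 was entered as a network permit by mistake ---
R1# show access-lists 1
Standard IP access list 1
    10 deny   192.168.3.2
    20 permit 192.168.3.0, wildcard bits 0.0.0.255
!
! ip access-list standard accepts the number as a name and opens ACL configuration mode
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 20
R1(config-std-nacl)# 20 permit any
R1(config-std-nacl)# end
R1# show access-lists 1
Standard IP access list 1
    10 deny   192.168.3.2
    20 permit any
!
! --- Named ACL No_ACCESS: same method, the name replaces the number ---
R1# show access-lists No_ACCESS
Standard IP access list No_ACCESS
    10 deny   192.168.2.4
    20 permit any
! Sequence numbers also let a statement be inserted between existing ones by
! picking an unused number (15 here) instead of re-entering the whole list.
R1(config)# ip access-list standard No_ACCESS
R1(config-std-nacl)# 15 deny 192.168.2.5
R1(config-std-nacl)# end
R1# show access-lists No_ACCESS
Standard IP access list No_ACCESS
    10 deny   192.168.2.4
    15 deny   192.168.2.5
    20 permit any
```

Because the ACL stays bound to its interface throughout, there is no moment during the edit at which the interface is unfiltered, which is the main reason to prefer this method over deleting and re-pasting the list.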
Standard ACLs permit or deny traffic based on source addresses. They differentiate traffic using the source IP address only; the destination and port of the packet are not evaluated. A standard ACL contains only a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.
The range of standard ACL numbers is 1 to 99. Cisco IOS Release 12.0.1 extended the range by adding 1300 to 1999. This means that we can configure a maximum of 798 standard ACLs.
To configure and use a numbered standard ACL on a Cisco router, we must first create the standard ACL and then activate it on a specific interface. The access-list global configuration command defines a standard ACL. The full syntax of the standard ACL command is as follows:
The parameters of the standard ACL syntax are explained below:
access-list-number – A decimal number from 1 to 99 or 1300 to 1999 for a standard ACL.
deny – Denies the traffic if the condition is matched.
permit – Permits the traffic if the condition is matched.
remark – Adds a remark about entries in an IP access list, to make the list easier to understand and scan.
source – There are two ways to specify the source of the packet:
a 32-bit IP address in dotted-decimal format;
the keyword any, as an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255.
wildcard – An optional 32-bit value applied to the source address. A bit set to 1 marks a bit position to ignore.
log – An optional keyword. It causes an informational logging message about each packet that matches the entry to be sent to the console. The level of messages sent to the console is controlled with the logging console command.
The log message includes the ACL number, the source address, and the number of packets. It is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted in the previous 5 minutes.
An Access Control Entry (ACE) denies or permits an individual host or a range of host addresses. To create a host statement in numbered ACL 1 that permits the specific host with IP address 192.168.1.10, you would enter:
To create a statement in numbered ACL 1 that permits a range of IPv4 addresses, namely all addresses in the network 192.168.1.0/24, the command would be:
We can remove the ACL using the no access-list <access-list-number> command in global configuration mode, and verify it using the show access-lists command.
Before creating an ACL, it is necessary to understand the purpose of each statement, and remarks should be included with the statements so that the purpose of the ACL can be recalled and understood later. The remark keyword is used to document ACLs; each remark is limited to 100 characters.
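The syntax, the host statement, the network-range statement, the remark and the removal described in this section, collected in one added example (not the page's own listing). The hostname R1, the remark text and the final logged deny entry are assumptions.

```cisco
! Added example: the numbered standard ACL syntax and the statements described above.
! General form, entered in global configuration mode:
!   access-list <1-99 | 1300-1999> {deny | permit} <source> [<wildcard>] [log]
!   access-list <1-99 | 1300-1999> remark <text, up to 100 characters>
!
! Remark first, so the purpose is recorded next to the entries in the running-config
R1(config)# access-list 1 remark Sources allowed to reach the server LAN
!
! Single host: "host A.B.C.D" is shorthand for "A.B.C.D 0.0.0.0" (every bit must match)
R1(config)# access-list 1 permit host 192.168.1.10
!
! Whole /24: wildcard bits set to 1 are ignored, so 0.0.0.255 covers 192.168.1.0-192.168.1.255
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
!
! "any" is shorthand for 0.0.0.0 255.255.255.255. With log, the first matching packet
! and then a 5-minute summary are reported, so the entry is safe as a last line.
R1(config)# access-list 1 deny any log
R1(config)# end
!
! Verification: IOS numbers the entries 10, 20, 30 and shows the host entry without "host"
R1# show access-lists 1
Standard IP access list 1
    10 permit 192.168.1.10
    20 permit 192.168.1.0, wildcard bits 0.0.0.255
    30 deny   any log
!
! Removal: deletes every entry of ACL 1 (unbind it from any interface first)
R1(config)# no access-list 1
```

The host entry at sequence 10 is redundant with the /24 at sequence 20 but is accepted because it comes first; entering them in the opposite order would be rejected, as the next section explains.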
The logic of Standard ACLs
Packets that enter the router through any interface are checked against the source addresses in the access control entries, for example:
access-list 1 deny 192.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit 192.0.0.0 0.255.255.255
If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.
Cisco IOS processes standard Access Control Entries sequentially, so the order in which Access Control Entries (ACEs) are entered is significant. For example, in the figure below, ACL 2 contains two ACEs. The first ACE denies a range of addresses with the help of a wildcard mask: it denies the hosts in the 192.168.11.0/24 network. The second ACE is for a specific host.
The second statement examines a specific host, 192.168.11.10, which is also within the range of the first entry; in other words, 192.168.11.10 is a host in the 192.168.11.0/24 network. The internal logic for standard access lists therefore rejects the second statement and returns an error message, because it is a subset of the previous statement. This is an ACL statement conflict.
Now look at the figure below. The configuration contains the same two statements, but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts. So, host 192.168.11.10 can now access the networks beyond the interface where access-list 2 is applied.
Now look at an ACL configured with a host statement that is not within the range of a previous statement. The host address 192.168.30.10 is not a member of the 192.168.11.0/24 network, so this is a valid statement; there is no conflict between the addresses of the two statements.
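The three orderings discussed above, tried on a router, as an added example that is not the page's figure. The hostname R1 and the trailing permit any are assumptions, and the exact wording of the IOS error message is not reproduced because it varies between releases.

```cisco
! Added example: why ACE order matters in a standard ACL. IOS compares each new
! entry with the existing ones and refuses a host entry already covered by a
! network entry that precedes it.
!
! Attempt 1: network first, then a host inside that network -> rejected
R1(config)# access-list 2 deny 192.168.11.0 0.0.0.255
R1(config)# access-list 2 permit host 192.168.11.10
! IOS prints an error here: the host rule is part of the rule at sequence 10
! (wording depends on the release). The ACL keeps only its first entry.
!
! Attempt 2: the specific host first, then the network -> accepted.
! First-match processing then lets 192.168.11.10 through at sequence 10,
! while the rest of 192.168.11.0/24 is denied at sequence 20.
R1(config)# no access-list 2
R1(config)# access-list 2 permit host 192.168.11.10
R1(config)# access-list 2 deny 192.168.11.0 0.0.0.255
!
! Attempt 3: a host outside every earlier range never conflicts, whatever the order
R1(config)# access-list 2 deny host 192.168.30.10
! Nothing else is permitted yet; the implicit deny would drop all remaining sources
R1(config)# access-list 2 permit any
R1(config)# end
!
! Verification (output illustrative)
R1# show access-lists 2
Standard IP access list 2
    10 permit 192.168.11.10
    20 deny   192.168.11.0, wildcard bits 0.0.0.255
    30 deny   192.168.30.10
    40 permit any
```

The rule of thumb that follows is to enter the most specific entries first and the broadest (including permit any or deny any) last; the sequence-number editing method described earlier is how to insert a specific entry above a broad one that already exists.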
Applying Standard ACLs to Interfaces
When a standard ACL has been configured, it is linked to an interface using the ip access-group command in interface configuration mode. The command syntax is the following:
Router(config-if)# ip access-group <access-list-number | access-list-name> <in | out>
To remove an ACL, enter the no ip access-group command on the interface, and then enter the no access-list command to remove the entire ACL.
Example 1 of Standard ACL
The figure below lists the steps and syntax to configure and apply a numbered standard ACL on a router. This ACL allows only traffic from source network 192.168.2.0 to be forwarded out of interface FastEthernet 0/0; traffic from other networks is blocked.
The first line identifies the ACL as access-list 2 and permits traffic that matches the selected parameters; in this case, 192.168.2.0 0.0.0.255 is allowed to access the network 192.168.4.0/24. The last entry is the implicit deny all, which is equivalent to adding the line access-list 2 deny 0.0.0.0 255.255.255.255 or access-list 2 deny any. The ip access-group 2 out interface configuration command links ACL 2 to the FastEthernet 0/0 interface as an outbound filter.
So, ACL 2 only permits hosts from the 192.168.2.0/24 network to exit router R2 through that interface; it denies traffic from any other network.
Example 2 of Standard ACL
The figure below illustrates an example of an ACL that permits a specific subnet except for one specific host on that subnet.
This ACL blocks traffic from one host while allowing the rest of its subnet to access the network. The first ACE denies host 192.168.2.2 access to network 192.168.3.0/24.
The second ACE permits all other hosts on network 192.168.2.0/24 to access network 192.168.3.0/24. Again, the implicit deny statement matches every other network. The ACL is applied to the FastEthernet 0/0 interface in the outbound direction.
Example 3 of Standard ACL
The figure below is an example of an ACL that denies a specific host. This ACL replaces the previous example; it still blocks traffic from host PC1 but permits all other traffic.
The first command denies host 192.168.2.2 access to network 192.168.3.0/24. The second line permits all other hosts, so all hosts from the 192.168.1.0/24, 192.168.2.0/24, and 192.168.4.0/24 networks are allowed except host 192.168.2.2, which was denied in the first statement.
We applied this ACL to interface FastEthernet 0/0 in the outbound direction. Because this ACL only affects the 192.168.2.0/24 network, we could instead place it inbound on interface FastEthernet 0/1 of Router3. I think this is the best place for this type of ACL.
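Example 3 as an added example (not the page's figure), with the two placements the paragraph compares. The hostname Router3, the ACL number 3 and the interface roles (FastEthernet 0/0 towards 192.168.3.0/24, FastEthernet 0/1 connecting 192.168.2.0/24) are assumptions.

```cisco
! Added example (Example 3): deny one host, permit every other source.
Router3(config)# access-list 3 remark Block PC1 (192.168.2.2), permit all other sources
Router3(config)# access-list 3 deny host 192.168.2.2
Router3(config)# access-list 3 permit any
!
! Placement A: outbound on FastEthernet 0/0, the interface towards 192.168.3.0/24.
! Every packet leaving that interface is evaluated, including traffic from
! 192.168.1.0/24 and 192.168.4.0/24 that the list can only ever permit.
Router3(config)# interface FastEthernet 0/0
Router3(config-if)# ip access-group 3 out
Router3(config-if)# exit
!
! Placement B (the one preferred above): inbound on the interface that connects
! the 192.168.2.0/24 network, so only packets from that network are evaluated.
! Remove the outbound binding first; one ACL per interface per direction.
Router3(config)# interface FastEthernet 0/0
Router3(config-if)# no ip access-group 3 out
Router3(config-if)# exit
Router3(config)# interface FastEthernet 0/1
Router3(config-if)# ip access-group 3 in
Router3(config-if)# end
!
! Caveat: inbound on Fa0/1 the list sees everything PC1 sends, so PC1 is cut off
! from every destination beyond Router3, not only from 192.168.3.0/24. That is
! the trade-off behind the "standard ACLs close to the destination" rule.
!
! Verification (output illustrative)
Router3# show ip interface FastEthernet 0/1 | include access list
  Outgoing access list is not set
  Inbound  access list is 3
```

Placement B is cheaper per packet and stops PC1's traffic earliest; placement A is the one to choose if PC1 must keep reaching the other networks.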
Creating Named Standard ACLs
Naming an ACL is a best practice because names make ACLs easier to understand. For example, an ACL configured to deny Telnet could be called NO_Telnet. The named ACL configuration mode and command syntax are slightly different from those of numbered ACLs.
Use the ip access-list command in global configuration mode to create a named ACL. ACL names are alphanumeric, case-sensitive, and must be unique. The ip access-list standard <name> command creates a standard named ACL, whereas ip access-list extended <name> creates an extended access list.
After entering the command, the router is in named standard ACL configuration mode, as indicated by the prompt. The difference between numbered and named ACLs is that numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.
In named ACL configuration mode, use permit or deny statements to specify one or more conditions that determine whether a packet is forwarded or dropped. Then apply the ACL to an interface using the ip access-group <name> <in | out> command.
Example of Named Standard ACL
The figure below illustrates the commands that configure a standard ACL on router R3, interface FE0/0, denying host 192.168.2.2 access to the 192.168.4.0/24 network. The ACL is named NO_ACCESS_Net4; recall that the name is case-sensitive.
Commenting ACLs
We can comment an ACL using the remark keyword on an ACE in any IP standard or extended ACL. Remarks make the ACL easier to understand. Each remark line is limited to 100 characters, and a remark can be entered before or after a permit or deny statement. The command syntax for a remark is:
access-list <access-list-number> remark <remark>, in global configuration mode. The remark is removed with the no access-list <access-list-number> remark <remark> command, also in global configuration mode.
Example 4 Using Remarks with Numbered ACL
Numbered ACL 5 denies the PC 192.168.2.2 access to the network 192.168.4.0/24 but permits all other devices. Remarks are used to document the ACL.
Example 5 Using Remarks with Named ACL
This example shows a standard named ACL configuration. The remarks indicate that PC1 is not authorized to access PC0, but devices from all other networks are permitted.
Verifying ACLs
Using the show ip interface command, we can verify which ACL is applied to an interface. The output displays the number or name of the access list and the direction in which it was applied.
We can also verify ACLs by issuing the show access-lists command on the router, which displays all configured ACLs. An individual access list can be viewed with show access-lists followed by the access list number or name. We can also verify the ACL in the startup-config file.
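The named ACL from the "Example of Named Standard ACL" section, the two remark examples (Examples 4 and 5) and the verification commands just described, as one added example that is not the page's figures. The hostname R3, the remark wording and the interface FastEthernet 0/0 facing 192.168.4.0/24 are assumptions.

```cisco
! Added example. --- Example 4: numbered ACL 5 with remarks ---
R3(config)# access-list 5 remark Do not allow PC 192.168.2.2 into the 192.168.4.0/24 network
R3(config)# access-list 5 deny host 192.168.2.2
R3(config)# access-list 5 remark Every other source is permitted
R3(config)# access-list 5 permit any
!
! --- Example 5: named ACL NO_ACCESS_Net4 with remarks (the name is case-sensitive) ---
R3(config)# ip access-list standard NO_ACCESS_Net4
R3(config-std-nacl)# remark PC1 is not authorized to reach PC0
R3(config-std-nacl)# deny host 192.168.2.2
R3(config-std-nacl)# remark Devices on all other networks are permitted
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
!
! Bind the named ACL outbound on FE0/0, the interface facing 192.168.4.0/24
R3(config)# interface FastEthernet 0/0
R3(config-if)# ip access-group NO_ACCESS_Net4 out
R3(config-if)# end
!
! Verification 1: which ACL is bound to the interface, and in which direction (output illustrative)
R3# show ip interface FastEthernet 0/0 | include access list
  Outgoing access list is NO_ACCESS_Net4
  Inbound  access list is not set
!
! Verification 2: every ACL with its match counters, or one ACL by number or name.
! Remarks are not shown by show access-lists; they live in the configuration only.
R3# show access-lists
R3# show access-lists NO_ACCESS_Net4
!
! Verification 3: statements and remarks as configured; "section" prints the whole
! named-ACL block and each numbered access-list line.
R3# show running-config | section access-list
!
! Save, then confirm the startup-config carries the same lines
R3# copy running-config startup-config
R3# show startup-config | section access-list
```

Checking the running-config is the only way to see the remarks next to their entries, which is why the remark text should say which entry it describes.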
Finally, the video below is the answer to the Cisco Routing and Switching lab "9.2.1.10 Packet Tracer - Configuring Standard ACLs." The video is useful for CCNA students as well as for anyone who wants to learn standard ACLs.
Are you often puzzled by the differences between standard and extended access lists? You’re not alone. Understanding these two types of access lists is crucial for network security management. In this article, we dive deep into the world of access lists to unravel the secrets behind their functionalities.
As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. On the other hand, extended access lists offer more advanced features, allowing you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers.
By delving into the intricacies of these access lists, you’ll understand how each works and how to implement them effectively in your network infrastructure. Whether you’re an IT professional or a networking enthusiast, this article will provide you with the knowledge you need to enhance your network security.
So, let’s get started and unlock the secrets of standard and extended access lists!
Standard ACLs Placement
As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. When configuring a standard access list, you can specify a range of source IP addresses you want to permit or deny access to certain network resources. The main advantage of using standard access lists is their simplicity and ease of implementation.
Unlike extended access lists, standard access lists do not consider the destination IP address, protocols, or port numbers, which limits their filtering capabilities. Standard access lists are generally used for simple filtering tasks, such as blocking specific IP addresses or allowing access from a specific range of IP addresses.
To create a standard access list, you must assign it a number, typically 1 to 99 or 1300 to 1999. The lower the number, the higher the priority of the access list. Each access list entry consists of a permit or deny statement followed by the source IP address and a wildcard mask; the wildcard mask specifies the range of IP addresses you want to permit or deny.
We know that standard ACLs filter traffic based only on the source address. The basic rule for standard ACLs is to place them as close as possible to the destination network, so that the traffic can still reach all other networks and is filtered only where intended. In the figure below, we want to prevent traffic from the 192.168.2.0/24 network from reaching the 192.168.4.0/24 network.
If we place the standard ACL on the inbound interface of Router0, it stops the 192.168.2.0/24 network's traffic from reaching any other network. If we place the ACL on the outbound interface towards Router1, it stops 192.168.2.0/24 traffic from reaching any network behind Router1.
Placing the ACL on either the inbound or the outbound interface of that router likewise prevents traffic from 192.168.2.0/24 from reaching any of Router1's and Router2's networks. If we place the ACL inbound on interface Fa1/0 of Router2, it stops all traffic from the 192.168.2.0 network from reaching any of Router2's networks.
So, the best place for the ACL is Router1's Ethernet 1/0 interface, the interface closest to the destination. We therefore apply the standard ACL outbound on Ethernet 1/0. This prevents traffic from 192.168.2.0/24 from leaving through the Ethernet 1/0 interface and reaching 192.168.4.0/24 and all other networks reachable through the 192.168.4.0/24 network.
Extended ACLs Placement
On the other hand, extended access lists offer more advanced features. They allow you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers. Extended access lists provide a higher level of granularity and flexibility compared to standard access lists.
With extended access lists, you can specify the source IP address and the destination IP address. This allows you to control access to specific network resources based on source and destination. In addition, extended access lists consider the protocols and port numbers associated with the traffic, giving you even more control over the types of traffic allowed or denied.
To create an extended access list, you must assign it a number between 100 and 199 or 2000 and 2699. Similar to standard access lists, the lower the number, the higher the priority. Each entry in an extended access list consists of a permit or deny statement followed by the source and destination IP addresses, protocols, and port numbers.
Extended ACLs can filter traffic based on source address, destination address, protocol type, and port number. This gives more flexibility both in the kind of traffic filtered and in where the ACL is placed. The basic rule for placing an extended ACL is to put it as close as possible to the source of the traffic, so that unwanted traffic is filtered before it is sent across multiple networks.
Network administrators place extended ACLs on devices they can easily control. In the figure, the administrator wants to control FTP and Telnet traffic from the 192.168.1.0/24 and 192.168.2.0/24 networks, while all other traffic from both networks must be permitted to leave Router3 without restriction.
There are several ways to accomplish this. We could configure an extended ACL inbound on Router3's Fa0/0 and Fa0/1 interfaces. However, this is not best practice, because it requires configuring and maintaining an extended ACL inbound on each of the two interfaces.
The best practice is to place a single extended ACL outbound on Router3 interface Fa0/1. The extended ACL specifies both source and destination addresses and enforces the rule "Telnet and FTP traffic from the 192.168.1.0/24 and 192.168.2.0/24 networks is not allowed to go to the 192.168.3.0/24 network."
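The rule in the previous paragraphs as an added example, not the page's figure: one extended ACL on Router3 Fa0/1, outbound, blocking Telnet and FTP from the two LANs to 192.168.3.0/24 and permitting everything else. The ACL number 101 and the host addresses mentioned in the comments are assumptions.

```cisco
! Added example: extended ACL placed close to the source, outbound on Router3 Fa0/1.
! Extended ACLs use numbers 100-199 or 2000-2699 and match on protocol, source,
! destination and port. First match wins; an implicit "deny ip any any" ends the list.
Router3(config)# access-list 101 remark Block Telnet and FTP from LAN1/LAN2 to 192.168.3.0/24
Router3(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
Router3(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 21
Router3(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
Router3(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 21
! eq 21 covers the FTP control channel; no session can be set up without it.
! Without the next line the implicit deny would also drop the traffic that must pass.
Router3(config)# access-list 101 permit ip any any
!
Router3(config)# interface FastEthernet 0/1
Router3(config-if)# ip access-group 101 out
Router3(config-if)# end
!
! Check: a Telnet attempt from 192.168.1.5 to 192.168.3.10 increments the counter
! of the first deny entry; an HTTP request from the same host is counted on the
! permit ip any any line (output illustrative).
Router3# show access-lists 101
Extended IP access list 101
    10 deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet (1 match)
    20 deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq ftp
    30 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
    40 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq ftp
    50 permit ip any any (12 matches)
```

IOS displays well-known ports by name (telnet, ftp) even when they were entered as numbers; the keywords eq telnet and eq ftp are accepted on input as well.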
Where this type of ACL is placed may also depend on the following:
Ease of configuration – If we want to deny traffic coming from several networks, one option is a single standard ACL on the router closest to the destination. The main disadvantage of this option is that the unwanted traffic consumes bandwidth all the way to that router. Alternatively, we can configure an extended ACL on each source router; this saves bandwidth by filtering the traffic at the source, but it requires creating extended ACLs on several routers.
The extent of the network administrator's control – Placement of the ACL also depends on whether the network administrator controls both the source and the destination networks.
The bandwidth of the networks – Filtering unwanted traffic at the source prevents it from consuming bandwidth, which is especially important on low-bandwidth networks.
Entering Criteria Statements
When the router receives traffic, the traffic is compared with the access control entries in the order in which they are listed. The router continues comparing until it finds the first match; it then processes the packet based on that match and stops comparing further entries.
If no match is found and the router reaches the end of the list, the traffic is denied, because by default there is an implied deny at the end of every access control list for traffic that matched no configured entry. An access control list with only a single deny entry therefore blocks all traffic, so at least one permit entry must be configured in every access control list.
Key Differences Between SACLs and EACLs
Now that we have a basic understanding of standard and extended access lists let’s explore their key differences.
The first major difference is that standard access lists only consider the source IP address, while extended access lists consider both the source and destination IP addresses. This means standard access lists are limited in controlling access to specific network resources based on the destination.
The second difference is that extended access lists provide more granular control over the types of traffic allowed or denied. With extended access lists, you can filter traffic based on protocols and port numbers, allowing you to have fine-grained control over the types of traffic that are permitted or denied.
Another important difference is the range of access list numbers that can be used. Standard access lists typically use numbers ranging from 1 to 99 or 1300 to 1999, while extended access lists use numbers ranging from 100 to 199 or 2000 to 2699. Choosing the appropriate range when creating access lists is important to avoid conflicts and ensure proper functionality.
Understanding the Syntax and Structure of SACLs
To configure and implement standard access lists effectively, it is crucial to understand their syntax and structure. Standard access lists are created using the access-list command, followed by the access list number and the permit or deny statement. The source IP address and a wildcard mask are then specified to define the range of IP addresses allowed or denied.
For example, to create a standard access list that denies access from a specific IP address, you would use the following syntax:
It’s important to note that standard access lists are processed top-down, meaning that the first match determines the outcome. Therefore, it’s crucial to carefully consider the order of the access list entries to ensure that they are applied correctly.
Common use cases for Standard Access Control Lists (SACLs)
Standard Access Control Lists (SACLs) are the simpler of the two types of access lists. They are used primarily for filtering traffic based on source IP addresses. Let’s explore some common use cases for SACLs:
1. Restricting access to internal resources
One main use case for SACLs is restricting access to internal resources within a network. For example, you may want to allow access to a specific server from only a certain range of IP addresses. By configuring a SACL with the appropriate source IP addresses, you can effectively control access to the server and prevent unauthorized access from other IP ranges.
2. Blocking specific IP addresses
Another common use case for SACLs is blocking specific IP addresses or ranges from accessing your network. This can be useful when dealing with known malicious IP addresses or when you want to block traffic from a specific country or region. By creating a SACL that denies traffic from the specified IP addresses, you can effectively block unwanted traffic and enhance the security of your network.
3. Prioritizing network traffic
SACLs can also prioritize network traffic based on source IP addresses. This can be particularly useful in scenarios where you have limited bandwidth and must ensure that critical traffic gets priority over non-critical traffic. By configuring a SACL that allows traffic from necessary IP addresses while denying or limiting traffic from other IP addresses, you can effectively manage your network resources and ensure optimal performance.
In summary, SACLs are primarily used to filter traffic based on source IP addresses. They can also restrict access to internal resources, block specific IP addresses, and prioritize network traffic. Now, let’s explore the common use cases for Extended Access Control Lists (EACLs).
Common use cases for Extended Access Control Lists (EACLs)
Extended Access Control Lists (EACLs) offer more advanced filtering capabilities than SACLs. In addition to source IP addresses, EACLs can filter traffic based on destination IP addresses, protocols, and port numbers. Let’s dive into some common use cases for EACLs:
1. Controlling traffic based on source and destination IP addresses
One of the key advantages of EACLs is the ability to filter traffic based on source and destination IP addresses. This allows for more granular control over network traffic. For example, you may want to allow traffic from a specific source IP address to a specific destination IP address while denying traffic from other combinations of source and destination IP addresses. EACLs can be configured to achieve this level of control and enhance network security.
2. Filtering traffic based on protocols and port numbers
EACLs also allow traffic to be filtered based on protocols and port numbers. This is particularly useful when dealing with specific applications or services that use well-known port numbers. For example, you may want to allow traffic on port 80 for web browsing but block traffic on port 23 for Telnet access. By configuring an EACL with the appropriate protocol and port number restrictions, you can effectively control the flow of network traffic and ensure the security of your network.
3. Implementing access control for different network segments
EACLs can be used to implement access control between different network segments. For example, if you have a network with multiple VLANs, you may want to allow communication between specific VLANs while blocking communication between others. By configuring EACLs on the router or switch connecting the VLANs, you can control traffic flow between the different segments and enforce network segmentation for improved security.
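As an added example that goes beyond the page's text, the inter-VLAN case above on a router-on-a-stick, combining use cases 1 to 3: named extended ACLs on 802.1Q subinterfaces that permit web (port 80) traffic to one server, deny Telnet (port 23) and let only the return half of those web sessions back in. The router, VLAN numbers, addresses and subinterface names are assumptions, and the established keyword is standard IOS extended-ACL syntax that the page does not discuss.

```cisco
! Added example (assumed topology): VLAN 10 = 192.168.10.0/24 on Gi0/0.10,
! VLAN 20 = 192.168.20.0/24 on Gi0/0.20, web server 192.168.20.80 in VLAN 20.
! Policy: VLAN 10 may use the web server on TCP 80 only; Telnet (TCP 23) into
! VLAN 20 is denied and logged; nothing else from VLAN 10 enters VLAN 20.
R1(config)# ip access-list extended VLAN10_TO_VLAN20
R1(config-ext-nacl)# remark Web access to the VLAN 20 server only
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.80 eq 80
R1(config-ext-nacl)# remark Telnet into VLAN 20 is never allowed; log the attempts
R1(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 23 log
R1(config-ext-nacl)# remark Explicit form of the implicit deny, so drops are counted
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
!
! Applied inbound on the VLAN 10 subinterface, i.e. close to the source
R1(config)# interface GigabitEthernet 0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# ip access-group VLAN10_TO_VLAN20 in
R1(config-subif)# exit
!
! Caveat: an inbound list on Gi0/0.10 sees every packet from VLAN 10, so as written it
! also blocks VLAN 10 from any third network and from the router's own addresses;
! add permit entries for those above the final deny if they are needed.
!
! The web server's replies travel VLAN 20 -> VLAN 10 and are not checked by the list
! above. If VLAN 20 gets its own inbound list, that return traffic must be allowed
! explicitly. "established" matches only TCP segments with ACK or RST set, so it
! admits replies to sessions VLAN 10 opened but not new connections from VLAN 20.
R1(config)# ip access-list extended VLAN20_TO_VLAN10
R1(config-ext-nacl)# permit tcp host 192.168.20.80 eq 80 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet 0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# ip access-group VLAN20_TO_VLAN10 in
R1(config-subif)# end
```

The two lists together give one-way access: VLAN 10 clients can browse the VLAN 20 server, while VLAN 20 cannot open anything towards VLAN 10. Each logged deny entry should be watched in the device's logs, since a steady stream of Telnet attempts from a VLAN 10 host is exactly the kind of event this segmentation is meant to surface.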
In summary, EACLs offer advanced filtering capabilities compared to SACLs. They can control traffic based on source and destination IP addresses, filter traffic based on protocols and port numbers, and implement access control between network segments. Now, let’s conclude our exploration of standard and extended access lists.
Conclusion
This article has unlocked the secrets behind standard and extended access lists (SACLs and EACLs). We have explored the everyday use cases for both and understand how each type of access list can enhance network security.
Standard access lists are primarily used for filtering traffic based on source IP addresses. In contrast, extended access lists offer more advanced features, such as filtering based on source and destination IP addresses, protocols, and port numbers. By understanding the differences between these two types of access lists, you can effectively implement access control measures in your network infrastructure.
Whether you’re restricting access to internal resources, blocking specific IP addresses, prioritizing network traffic, controlling traffic based on source and destination IP addresses, filtering traffic based on protocols and port numbers, or implementing access control for different network segments, access lists play a crucial role in network security management.
Creating and managing ACLs is not an easy task; several policies may be needed to build and maintain them. Suppose we have a router with two interfaces, both configured with IPv4 and IPv6.
If we require ACLs for both IPv4 and IPv6, on both interfaces and in both directions (inbound and outbound), each interface requires four ACLs: IPv4 inbound, IPv4 outbound, IPv6 inbound, and IPv6 outbound.
That is a total of eight separate ACLs. ACLs do not have to be configured for both the inbound and outbound directions; the number of ACLs and the direction in which they are applied to an interface generally depend on the requirements of the network. The general guidelines for using ACLs are the following:
Use an Access Control List (ACL) in routers positioned between an internal network and an external network, generally in a firewall router.
Use an Access Control List (ACL) on a router positioned between two parts of your network to control traffic entering or exiting a specific part.
We can also configure the Access Control List (ACL) on border routers positioned at the edges of the networks.
Configure the Access Control List (ACL) for all network protocols using the border router interfaces.
The Three P’s
The three P’s are the core of the ACL guidelines: one ACL per protocol, per direction, per interface:
One ACL per protocol – To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface, for example, IP, IPX, or AppleTalk.
One ACL per direction – ACLs control traffic in only one direction at a time on an interface, so two separate ACLs must be configured to control inbound and outbound traffic.
One ACL per interface – ACLs control traffic for one interface, for example, GigabitEthernet 0/0 or FastEthernet 0/1.
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Wildcard masking is used in several places, for example, to indicate the size of a network or subnet for some routing protocols, such as OSPF. IPv6 ACLs instead use a prefix length to indicate how much of an IPv6 source or destination address should be matched.
With a subnet mask, the 1s and 0s identify the network portion, host portion, and subnet of an IP address. With a wildcard mask, the 1s and 0s select which individual IP addresses or groups of IP addresses are filtered to permit or deny access to resources. Wildcard masks match binary 1s and 0s using the following rules:
Bit 0 – Match the corresponding bit value in the address.
Bit 1 – Ignore the corresponding bit value in the address.
A wildcard mask is often described as the inverse of a subnet mask: in a subnet mask a binary 1 means the bit must match and a binary 0 means it does not, whereas in a wildcard mask it is the reverse. Figure 1 illustrates the result of applying a 0.0.255.255 wildcard mask to a 32-bit IPv4 address. Remember the rules mentioned above.
Wildcard Masking Calculation
The shortcut method of calculating a wildcard mask is to subtract the subnet mask of the network or IP from 255.255.255.255.
Example 1
Suppose we have the network 172.16.0.0 with subnet mask 255.255.255.0 and want to permit access to all its users. We subtract the subnet mask from 255.255.255.255, as shown in figure 2. This is the easiest and shortest way of calculating the wildcard mask for any network.
Example 2
Suppose we have the network 172.16.1.0 with subnet mask 255.255.255.224. This network has 32 network users, and we want to permit network access for all of them. Take 255.255.255.255 and subtract the subnet mask 255.255.255.224; the result this time is the wildcard mask 0.0.0.31. Figure 3 illustrates the example-2 calculation.
Example 3
In this example, the network address is 172.16.4.0 with a subnet mask of 255.255.252.0, and we want to calculate the wildcard mask for the network. Again, take 255.255.255.255 and subtract the subnet mask of the network; this time the wildcard mask is 0.0.3.255. Figure 4 illustrates the example-3 calculation.
How Wildcard Masking Works
To understand wildcard masking, consider the following examples. In the first, the wildcard mask stipulates that every bit in the IPv4 address 172.16.10.10 must match exactly. In the second, the wildcard mask stipulates that anything will match, and in the third, the wildcard mask stipulates that any host within the 172.16.10.0/24 network will match.
The fourth example is a little more complex: the first two octets and the first two bits of the third octet must match exactly, while the last six bits of the third octet and the whole last octet can be any valid value. This results in a mask that matches the networks 172.16.64.0 to 172.16.127.255.
Use of Wildcard Masking Keywords
The any and host Keywords
We can use the keywords any and host; for example, the any keyword substitutes for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255.
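As an added example (not code from the article), the three calculations and the four matching cases above carried out in Python: the subtraction shortcut, the bit-matching rule, and what the any and host keywords expand to. The helper names are mine; the expansion of host to a 0.0.0.0 wildcard is the IOS convention rather than something stated on this page.

```python
# Added illustration (not the article's code): the subtraction shortcut for wildcard masks,
# the bit-matching rule (0 = must match, 1 = ignore), and the any/host keyword equivalents.
import ipaddress

ALL_ONES = 0xFFFFFFFF                     # 255.255.255.255 as a 32-bit integer

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(subnet_mask):
    """Shortcut from the examples above: 255.255.255.255 minus the subnet mask."""
    return _dotted(ALL_ONES - _ip(subnet_mask))

def wildcard_from_prefix(prefix_len):
    """Same result from a prefix length: the low 32 - prefix_len bits set, e.g. /27 -> 0.0.0.31."""
    return _dotted(ALL_ONES >> prefix_len)

def wildcard_match(address, reference, wildcard):
    """Compare only the bits where the wildcard has a 0; a 1 bit is ignored."""
    care = ALL_ONES ^ _ip(wildcard)
    return _ip(address) & care == _ip(reference) & care

def match_range(reference, wildcard):
    """Lowest and highest address matched by a reference/wildcard pair (contiguous masks)."""
    wild = _ip(wildcard)
    low = _ip(reference) & (ALL_ONES ^ wild)
    return _dotted(low), _dotted(low | wild)

# Keyword equivalents: 'any' is 0.0.0.0 255.255.255.255 (as the article says);
# 'host A' is A 0.0.0.0 (IOS convention, not stated on the page).
ANY = ("0.0.0.0", "255.255.255.255")

def host(address):
    return (address, "0.0.0.0")
```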
There are many different IPv4 ACL types, for example, access control lists for IP version 4, IP version 6, IPX, DECnet, AppleTalk, etc. In this lesson, we are going to discuss IPv4 ACLs for Cisco. IPv4 ACLs have two types: a standard access list and an extended access list.
Standard access-list
Standard access lists permit or deny traffic based only on source addresses. They are usually used for server-based filtering. Standard access lists differentiate routes on a network using the IP address; the port and destination of the packet are not evaluated.
Standard access lists only contain a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied. The command syntax for configuring the standard access list is the following:
The standard access list number range is 1 to 99, so the first value {1-99} specifies the standard ACL number.
{permit | deny} specifies whether to permit or deny the configured source IP address traffic.
The third value is the source IP address of the traffic.
The last parameter is the wildcard mask, which is applied to the previously configured IP address to indicate the range. We discuss the wildcard mask in detail later.
Extended access lists
Extended access lists permit or deny traffic based on source IPv4 addresses, destination IPv4 addresses, protocol type, port (TCP, UDP, etc.) and other features, and are used for packet-based filtering of packets that traverse the network. The command syntax for configuring an extended numbered IPv4 ACL is:
As I discussed in my previous articles, an Access Control List (ACL) is a technique used for monitoring outgoing as well as incoming traffic and allowing or denying it based on the source IP address, destination IP address, service protocols, and ports.
The rules control packets that enter the router, packets that relay through the router, and packets that exit a router interface. An Access Control List does not act on packets originating from the router itself. We can configure and apply ACL operation in the inbound and/or outbound direction:
Inbound ACL
An inbound Access Control List analyzes incoming packets before they are routed to the outbound interface. It is efficient because it reduces the load of routing lookups: if a packet does not match the criteria, it is discarded before the routing table lookup.
If the ACL permits the packet, the router then processes it for routing. An inbound Access Control List is ideal for filtering packets when a single inbound interface is the only source of the packets.
Outbound ACL
With an outbound Access Control List, the router receives incoming packets and routes them to an outbound interface. After the route lookup, they are processed through the outbound Access Control List before exiting the interface. This is best when packets arrive from multiple inbound interfaces and the same filter must be applied to all of them before they exit the same outbound interface.
The final statement of both an inbound and an outbound Access Control List is always an implicit deny, automatically inserted at the end of each ACL. Any traffic not explicitly permitted by an earlier statement is blocked by this implicit deny. The figure below illustrates the inbound and outbound Access Control List.
An Access Control List (ACL) is a set of rules usually used to filter network traffic. The rules specify which users are granted access to a resource and the operations they are allowed to perform. We can configure an Access Control List (ACL) on network devices with packet-filtering capabilities, such as routers and firewalls.
An Access Control List (ACL) contains a list of specific conditions and categories that help you determine when to allow or deny network traffic. We can also apply these conditions on the interface basis to packets leaving or entering an interface. There are two types of Access Control Lists (ACL) available on a Cisco device:
Standard Access Control List
Extended Access Control List
An Access Control List (ACL) is the most commonly used feature of Cisco IOS software, and the ACL can perform the following tasks in our network:
Increase Network Performance
The ACLs increase network performance due to reducing the network load. For example, if company policy does not allow video traffic on the network, it uses ACLs to block video traffic and increase its network performance.
Provide traffic flow control
We can use ACLs to limit the delivery of routing updates when they are not required. This preserves network bandwidth.
Network Security
An Access Control List (ACL) can also provide a basic level of network security. It can allow one host to access a part of the network and stop another host from accessing the same area.
Filtering Network Traffic
We can also use ACLs to filter network traffic based on the traffic type. For example, an ACL can permit email traffic but block all Telnet traffic. We can also use an ACL to permit or deny hosts access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.
By default, a router does not have ACLs configured, so a router does not filter traffic by default. Traffic enters the router and is routed exclusively using the information within the routing table.
But, when an ACL is configured and applied to an interface, the router filters and checks each packet to determine if the packet can be forwarded or not. We can also use ACLs to classify traffic to enable priority processing. We can use ACL to permit or deny a specific type of network traffic.
Packet Filtering with Access Control List (ACL)
An ACL is a technique that monitors outgoing and incoming packets and allows them to pass or halts them based on the source and destination IP addresses, protocols, and ports. Packet filtering is also known as static filtering.
We can configure filter rules on the router, which then acts as a packet filter, sending, receiving, forwarding, or denying packets according to those rules. The router is configured with packet-filtering rules to open, read, and extract specific information from the packet header. From this information, and based on the configured rules, the router decides whether the packet can pass through or must be discarded.
Packet filtering can work at the transport layer, the network layer of the OSI model, and the internet layer of the TCP/IP model. Rules configured on the router determine whether to permit or deny traffic. A router also performs packet filtering at the transport layer. It can filter packets based on the source and destination port of the TCP or UDP segment.
An ACL contains a list of permit or deny statements, also known as access control entries (ACEs) or, commonly, ACL statements. We configure the ACL statements to filter traffic based on specific criteria, such as the packet’s source address, destination address, protocol, and port numbers.
When a packet passes through an interface configured with an ACL, the router compares the information within the packet with every ACE in sequential order to find a matching statement. When a match is found, the router processes the packet accordingly. In this way, ACLs control access to a network or subnet using their rules. The ACL extracts the following information from the packet:
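Those packet fields (source and destination address, protocol, and TCP/UDP ports) are exactly what a small evaluator needs. As an added example, not the article's own code, the Python below parses numbered standard and extended ACL statements in the syntax described in the Standard and Extended access list sections and applies them as explained here: top to bottom, first match wins, implicit deny at the end. The configuration lines and addresses are constructed for the example, and source and destination must be written as any, host A, or address plus wildcard.

```python
# Added illustration (not the article's code): parse Cisco-style numbered ACL statements and apply them as described above: top to bottom, first match wins, implicit deny at the end.
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to

def _wc_match(addr, ref, wild):
    """Wildcard bit 0: the address bit must equal the reference bit; bit 1: ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(ref)) & care

def _spec(tokens):
    """Consume 'any' | 'host A' | 'A W' and an optional 'eq N'; return (ref, wild, port)."""
    t = tokens.pop(0)
    ref, wild = ANY if t == "any" else (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None   # 'eq N' only appears in extended ACLs
    if port is not None:
        del tokens[:2]
    return ref, wild, port

def parse_acl(config_text, number):
    """ACEs of 'access-list <number> ...' in configured order (1-99 standard, 100-199 extended)."""
    aces = []
    for t in (line.split() for line in config_text.splitlines()):
        if t[:2] != ["access-list", str(number)]:
            continue
        rest = t[3:]
        if number <= 99:              # standard: action source wildcard
            aces.append({"action": t[2], "proto": "ip", "src": _spec(rest), "dst": ANY + (None,)})
        else:                         # extended: action proto src [eq p] dst [eq p]
            proto = rest.pop(0)
            aces.append({"action": t[2], "proto": proto, "src": _spec(rest), "dst": _spec(rest)})
    return aces

def _side_ok(addr, port, spec):
    ref, wild, want = spec
    return _wc_match(addr, ref, wild) and want in (None, port)

def evaluate(aces, packet):
    """packet: dict with src, dst, proto, sport, dport. The first fully matching ACE decides."""
    for a in aces:
        if (a["proto"] in ("ip", packet["proto"]) and _side_ok(packet["src"], packet.get("sport"), a["src"])
                and _side_ok(packet["dst"], packet.get("dport"), a["dst"])):
            return a["action"]
    return "deny"                     # implicit deny: nothing matched

# Constructed sample (not from the article): web to one server allowed, Telnet blocked everywhere.
SAMPLE_CONFIG = """access-list 10 permit 192.168.1.0 0.0.0.255
access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 110 deny tcp any any eq 23
access-list 110 permit ip 192.168.1.0 0.0.0.255 any"""
```

Because ACL 110 has no final permit ip any any, a packet from outside 192.168.1.0/24 that is not Telnet falls off the end and hits the implicit deny.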